Sunday, April 9, 2017




DIGITAL HIDE AND SEEK
How to keep yourself hidden

By Zachary Standridge

Online Network Security
Spring 2017

Copyright 2017 by Zachary Standridge

We are a littering society. We belch out greenhouse gases as we breathe. We litter the earth just by driving down the road. Archaeologists of today are doing their PhD research by sorting through the trash piles of long-forgotten cultures. There is no way we can exist in this world without leaving a little bit of ourselves behind.

Our computers are the same way. Every time we so much as turn on a terminal, we leave behind little bits of information about who we are and what we do in our day-to-day lives. Your phone is a mobile computer jumping from one cell tower to another and logging your movements. Your browser is keeping a log of every single thing which piques your curiosity. Your email is keeping tabs on you more than any other service we depend on to get through the day. But you already knew this, right? What about the places you don't know about? What about that box in the closet? What about the server in your office back room? What is being left behind there that you would never even know about?

When you see the crazy person on the street with a tin foil hat ranting and raving about the hackers or the government reading your thoughts and disappearing in the night undetected, they are not too far off. The industry of data forensics is a quickly growing field, and its practitioners are trying every day to come up with more ways of locating you, but the art of keeping them busy is also becoming a business necessity. It is more than just seeing that the proper traffic is encrypted; it means not having to lock down that router or create that impressive DMZ to protect your infrastructure. Whether you are wearing a black hat, a white hat or a gray one, you have to understand that you are leaving behind a trail which can be used against you.

Each of the following methods of reducing your personal information is available, but no one method is foolproof. They will remove at least some of the little bits of data which are even now flowing over the Internet. Let's say it again: they are not complete and not foolproof. There is always new tech coming out which is designed to divert and bypass the information. Cracks will always be created. All they can do is make it harder for the investigator to do his job, or push the black hat to move on to another, easier target. There is an almost infinite number of methods, applications, and extensions, so let's be fair by using three from the white hat side of the coin and three from the black.
Number 1: Cookie Management. Google is a search engine, right? No. It's an advertising communication company which is in the business of getting to know you and putting you in front of an advertiser who will pay for your data. The search engine companies will say that they are just giving us as consumers the best products, services, and features available for making our lives easier, while not putting an ad for a purse designer in front of a middle-aged man. This is the flaw in their plan. The sale of our information, which is collected by cookies, may be a necessary evil for the use of the search engine's little toys, but what happens to the little bits of information after they (Google, Yahoo, etc.) have used them? They are stored on our systems, just waiting to be used for the wrong reasons.

The most common method of cookie tracking is built right into your browser by default. Each time you come back to a site such as Facebook, the browser sends the cookie from your last visit back to the server, where it links up all your past visits into a profile. These little cookies are not going anywhere. They are designed to delete themselves only if previously configured to. Most of the time, they just sit in your temp files forever unless you personally delete them.

So how do we get rid of them? Almost all browsers have a method for removing cookies. It is common practice to set up a scheduled event for removing them all, and there are many browser extensions which will delete the file as soon as you close the page. There are more stubborn ways of cookie tracking in the works, however. Advertising companies across the board hire more programmers than any other job market. With the introduction of Super Cookies, a simple deletion will not work anymore. The user will become dependent on apps and extensions for managing their visible footprints. One of these extensions, Ghostery, watches the flow of data coming from each and every website. Ghostery is designed to flag some of the most common little tricks for installing a cookie, such as single-pixel images. These files are then either blocked or allowed by the user.
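The lifetime and origin of each cookie are visible in the Set-Cookie header that creates it, so the cleanup described above can be targeted at the cookies that matter. The following Python sketch is an added example, not part of the original essay; the hosts and header values are constructed, and comparing the last two labels of a host name is a simplification of a real same-site check.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Constructed sample: (host that sent the response, its Set-Cookie header value),
# all observed while loading one page on www.news.example.
PAGE_HOST = "www.news.example"
RESPONSES = [
    ("www.news.example", "session=9f2c; Path=/; Secure; HttpOnly"),
    ("www.news.example", "prefs=dark; Path=/; Max-Age=2592000"),
    ("px.adtracker.example", "uid=7731aa; Domain=.adtracker.example; Path=/; "
                             "Expires=Mon, 09 Apr 2029 00:00:00 GMT"),
]
NOW = datetime(2017, 4, 9, tzinfo=timezone.utc)  # fixed clock so results are reproducible

def site(host):
    """Simplified same-site key: last two labels (a real check uses the Public Suffix List)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def lifetime_days(morsel, now):
    """Days until the browser drops the cookie, or None for a session cookie."""
    if morsel["max-age"]:                      # Max-Age takes precedence over Expires
        return int(morsel["max-age"]) / 86400
    if morsel["expires"]:
        return (parsedate_to_datetime(morsel["expires"]) - now).total_seconds() / 86400
    return None

def audit(page_host, responses, now, long_lived_days=30):
    """Classify every cookie set during a page load by lifetime and origin."""
    report = []
    for host, header in responses:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            days = lifetime_days(morsel, now)
            third_party = site(host) != site(page_host)
            if days is None:
                verdict = "session"            # gone when the browser closes
            elif third_party and days > long_lived_days:
                verdict = "long-lived third-party"
            else:
                verdict = "persistent"
            report.append((name, host, None if days is None else round(days), verdict))
    return report

if __name__ == "__main__":
    for row in audit(PAGE_HOST, RESPONSES, NOW):
        print(row)
```

The long-lived third-party entries are the ones a scheduled cleanup or a blocking extension should remove first.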
Number 2. Each and every machine, VM or physical, has an address. That address is your Internet Protocol (IP) address. Just as *69 did for people in the '90s, your IP address can be tracked when you attach to another machine or ask for a connection. They do change, but the vast majority are static, which is why hiding your IP address is so important. Tor (The Onion Router), created by the Office of Naval Research, directs traffic through a free worldwide network made up of over 7000 relays to conceal a user's location and usage from anyone or any program conducting network surveillance or network traffic analysis. Its creation allowed for a self-healing, encrypted super network laid over all the other networks on the Internet.

How it works: when your machine starts a connection, the network maps out a path through the nodes in the subnet, and your web page requests then follow this path through the nodes to the server. The service request is encrypted at each node again and again, so that if your traffic is intercepted, it would have to be decrypted at each node back to you for any information to be usable. At the destination, the machine on the last node then submits the request as if you were right there in front of it. When the traffic comes back, the same process happens over again. No machine in the linked chain knows what is passing through, only what the node behind it sends. This is the golden key: everything is encrypted, and thus there is no chance of data seepage from a machine in the chain.

So, this is great, but there are flaws in this system as well. This process only works if the machine at the end works as your proxy, but it can still track the actions of the user. It doesn't know who you are, but it knows what you are putting out there onto the Internet, where it will be disseminated to the masses. If you check your email from within a Tor browser, the data may be safe on your side, but you are still activating it on the server side, where it is still easily read. For this reason, it is still best to add a layer of encryption to your emails.
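A simplified model of the layering described above, added here as an example and not taken from the original essay or from Tor's code: in this model the client applies one layer per relay and each relay removes one, which also shows why the last node can read a request that carries no encryption of its own. The relay names, keys, destination and toy cipher are assumptions for illustration.

```python
import hashlib
import json

def toy_cipher(key: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 counter keystream: a toy stand-in for a real cipher.
    The same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

def wrap(path, keys, destination, payload: bytes) -> bytes:
    """Client: build the innermost (exit) layer first, then one layer per earlier relay."""
    next_hops = path[1:] + [destination]       # what each relay is allowed to learn
    cell = payload
    for relay, next_hop in reversed(list(zip(path, next_hops))):
        layer = json.dumps({"next": next_hop, "data": cell.hex()}).encode()
        cell = toy_cipher(keys[relay], layer)
    return cell

def peel(key: bytes, cell: bytes):
    """Relay: remove exactly one layer, learning only the next hop."""
    layer = json.loads(toy_cipher(key, cell))
    return layer["next"], bytes.fromhex(layer["data"])

def trace(path, keys, cell):
    """Record what each relay learns as the cell travels along the path."""
    view = {}
    for relay in path:
        next_hop, cell = peel(keys[relay], cell)
        view[relay] = (next_hop, cell)
    return view

# Constructed sample: three hypothetical relays and a request with no TLS or mail encryption.
PATH = ["guard", "middle", "exit"]
KEYS = {name: hashlib.sha256(name.encode()).digest() for name in PATH}
REQUEST = b"GET /inbox HTTP/1.1 (unencrypted mail request)"

if __name__ == "__main__":
    onion = wrap(PATH, KEYS, "mail.example", REQUEST)
    for relay, (next_hop, inner) in trace(PATH, KEYS, onion).items():
        print(relay, "forwards to", next_hop, "| request visible:", inner == REQUEST)
```

Only the exit relay sees the request itself, so anything that must stay private needs its own encryption inside the innermost layer.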
Number 3. SSL is one of the simplest and easiest ways to protect your content and data. When working with websites with the prefix HTTPS, the data stream between yourself and the web server is being encrypted. While it is not standard yet, major online email providers will request that you make sure your address bar starts with https, automatically adding it when connecting. The SSL connection works by scrambling the data going to and from the web server, if configured correctly. The process also hides the data from any of the links in the chain, from the server, through the wide area network and into your LAN. This is especially useful when abroad and forced to use public wifi which may or may not be monitored for traffic capturing.

SSL has its flaws, however. It is only able to protect the data as it moves between your terminal and the server. It does not have the ability to control what the server does with your information. When reading your favorite online news feed, the SSL service will keep any router in between from making you the victim of a man-in-the-middle attack, but it is impossible for it to protect you from anyone seeing your feed anywhere else. There are other ways of bypassing SSL security, such as poisoning the Certificate Authentication Process to bypass it, but since it is so complicated without the use of a script kiddie your local wifi sniffer will break it.
Number 4. You have just successfully taken over or compromised a system using a python os.system alias and have really put in the work to get there. Now it's time to make sure that you are not seen. As soon as you connect, you are leaving traces, and every activity which you do from within is being recorded by the system itself, just as if the user was doing it. If your intention is to not be logged, it is time to start covering your tracks. The first place to start is the Windows event log, since that is also one of the most easily accessible to other users. The intruder would need to clear these entries of his activities to minimize being traced by forensic investigators. When the victim or target runs EventVWR, it opens a window with a listed format of all security-oriented logs available. The attacker would need to clear these logs immediately. Using the Ruby interpreter in meterpreter to clear the logs would be your best, simplest, and quickest choice. Using Log.clear, cleaning the log is done almost instantly. Now that the Windows system event logs are cleared, the attacker has the security, application, DNS, and all the other logs to clear. That is done by using scripts in Winenum.rb. The function is used to make sure that all Windows event logs are cleared of the entry of the attacker. The last step in clearing your tracks would be to rewrite the script which is in /pentest/exploits/framework3/scripts/meterpreter and check to make sure that everything has worked.
Number 5. Since not everyone uses five VMs at a time or has the money to work specifically with an IOS machine, the attacker most likely will be attacking a Windows machine. This means clearing out the event logs. This time, without Metasploit.
  1. Click the root node.
  2. On the Action menu, click Connect to another computer.
  3. In the Another computer box, type the name or IP address of the remote computer.
  4. Click OK.
With the addition of a backdoor after compromising the system for use later, this would be a very helpful way of keeping the attacker's activities hidden from the terminal owner while still being able to spoof the identity of the owner.
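From the defender's side, clearing a Windows event log writes a record of its own: event ID 1102 in the Security log and event ID 104 in the System log. The following Python example is added here and is not from the original essay; it scans event XML for those records, and the sample events, user name and timestamps are constructed and simplified.

```python
import xml.etree.ElementTree as ET

# (channel, event ID) pairs Windows writes when a log is cleared:
# Security 1102 = audit log cleared, System 104 = another log file cleared.
CLEAR_EVENTS = {("Security", 1102), ("System", 104)}

# Constructed, simplified sample in the Windows event XML layout.
SAMPLE = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4624</EventID><EventRecordID>8801</EventRecordID>
  <TimeCreated SystemTime="2017-04-09T02:10:03Z"/><Channel>Security</Channel></System>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>1102</EventID><EventRecordID>8802</EventRecordID>
  <TimeCreated SystemTime="2017-04-09T02:14:41Z"/><Channel>Security</Channel></System>
 <UserData><LogFileCleared><SubjectUserName>jdoe</SubjectUserName></LogFileCleared></UserData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>104</EventID><EventRecordID>3310</EventRecordID>
  <TimeCreated SystemTime="2017-04-09T02:14:43Z"/><Channel>System</Channel></System>
 <UserData><LogFileCleared><SubjectUserName>jdoe</SubjectUserName>
  <Channel>Application</Channel></LogFileCleared></UserData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>104</EventID><EventRecordID>77</EventRecordID>
  <TimeCreated SystemTime="2017-04-09T02:20:00Z"/><Channel>Application</Channel></System>
</Event>
</Events>"""

def local(tag):
    """Strip the XML namespace: '{ns}EventID' -> 'EventID'."""
    return tag.rsplit("}", 1)[-1]

def children(element):
    return {local(c.tag): c for c in element} if element is not None else {}

def find_log_clears(xml_text):
    """Return one finding per log-clear record, with who cleared which log."""
    findings = []
    for event in ET.fromstring(xml_text):
        system = children(children(event).get("System"))
        key = (system["Channel"].text, int(system["EventID"].text))
        if key not in CLEAR_EVENTS:        # ID 104 in another channel means something else
            continue
        cleared = next((e for e in event.iter() if local(e.tag) == "LogFileCleared"), None)
        detail = {name: el.text for name, el in children(cleared).items()}
        findings.append({
            "time": system["TimeCreated"].get("SystemTime"),
            "cleared_log": detail.get("Channel", key[0]),
            "user": detail.get("SubjectUserName", "unknown"),
            "record_id": int(system["EventRecordID"].text),
        })
    return findings

if __name__ == "__main__":
    for finding in find_log_clears(SAMPLE):
        print(finding)
```

Forwarding events to a separate collector keeps these records, and the entries that preceded them, out of reach of anyone who clears the local log.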


White, black, grey hat or no hat...we all need to keep ourselves from being taken advantage of by the gathering and removal of the information we leave behind on a computer. Since our field is still growing by leaps and bounds, there are always going to be new ways for people to track the little bits of information left behind but thanks to these new ways of tracking, there will always be new ways of being hidden in the shadows. 

Thursday, June 2, 2016

No matter how painful distance apart can be, not having you in my life is worse.  

Tuesday, November 24, 2015

Here is a thing that sucks.....
Ever since I grew out my beard for two years, I went from a guy that could get away with not shaving for three, maybe four days to a guy who has to do it every single day unless I want to look like a homeless person walking the streets. Apparently, something about growing it out woke up the follicles and made them more fertile.
Simple answer is to grow it out again. I know that there are a lot of people out there that dig the look but it really bugged me. It itched, my scars would become inflamed when the moisture would stay on them for longer than usual, and the beard required more maintenance than I honestly wanted to put into it. Plus, it added ten years to my face, which I suppose doesn't really matter since the difference between middle-aged man and crusty old fossil is basically just a term interchangeable at this point in my life.

Saturday, November 7, 2015

Why my day is going better than yours...

1. I fell asleep talking to her and woke up with a smile because of it.

2. I scored three cookies on the way out of the hotel

3. An old man (in his 70's) noticed my engineering ring and almost flipped over his luggage to talk to me about how cool it was that the tradition had come all the way from his alma mater. His daughter would have hers in a couple years if that no good boyfriend of hers would leave her alone.

4. I discovered this video while cruising toward home.





When a problem asks me to solve using Laplace



Friday, November 6, 2015

The bar was closed.
Apparently guests are not allowed to play the Grand piano after midnight.



Thursday, October 29, 2015

Throwback Thursday (late night/early morning) edition

nothing to report-just can't sleep


Once again, nothing really new to post. We haven't really worked on the house while we are dealing with more tax issues. So instead of real issues I am fluffing with a survey from Dismas on Facebook. 
Enjoy. 
Z

EDITED TO INCLUDE MODERN DAY RESPONSES. 






1. When you looked at yourself in the mirror today, what was the first thing you thought?
2008
Damn I cut the hell out of myself. I need to get a buzz shaver
2015
Damn, I need some coffee.  
2. How much cash do you have in your wallet right now?
2008
43$
2015
I stopped carrying a thick wallet and carry a money clip now. 114$
3. What’s a word that rhymes with DOOR?
2008
Bore, core, fore, four, gore, hoar, lore, more, pore, roar, sore, snore, spore, store, tore, wore, yore...and how could I forget, as a Winnie the Pooh fan...Eeyore?!
2015
Same.....
4. Who is the 4th person on your call list on your cell phone?
2008
Duda
2015
Duda again, just labelled as her real name now. 
5. What is your favorite ring tone on your phone?
2008
Funki Porcini playing The Great Drive By from Love, Pussycats & Carwrecks 
2015
The Iphone default ring
6. What are you wearing right now?
2008
Old grey sweater and comfortable jeans
2015
New grey sweater and comfortable jeans. 
7. Do you label yourself?
2008
All the time. But the labels change every few hours or so.
2015
nope
8. Name the brand of the shoes you currently own?
2008
Dockers, Reeboks, Red Wings, and Wellco
2015
John Doe, BCG tennis shoes, Brooks Brothers, and vintage Converse
9. Bright or Dark Room?
2008
Dark 
2015
Subdued lighting with light walls. 
10. What do you think about the person who took this survey before you?
2008
She is a fire cracker when the fuse burns in and you are waiting for the explosion
2015
She better call my ass if she wants me to bring her some real McNuggets when I see her next year. 
11. What does your watch look like?
2008
mid 1950's gold and silver mens everyday watch
2015
Still rocking the old Rolex but have added a model from this century. 
12. What were you doing at midnight last night?
2008
asleep on the couch with Dracula on the TV
2015
Talking with her
13. What did the last text message you received on your cell say?
2008
"I love you"
2015
Sweet dreams, Nite 
14. What’s a word that you say a lot?
2008
Rude!!! (It's from the out of the hood program)
2015
Awesome (I have no idea why I have started saying it a lot lately) 
15. Who told you he/she loved you last? (please exclude spouse, family, children)
2008
Since we are excluding spouse, family and children.
I would have to go with Buffy the dog. She was just curled up in my lap with her head over my shoulder before I started this. 
2015
Her
16. Last furry thing you touched?
2008
My puppy Buffy 
2015
Buffy
17. Favorite age you have been so far?
2008
teens 
2015
right now
18. What was the last thing you said to someone?
2008
Good night. 
2015
I'll take the trash to the road in the morning before I leave. 
19. The last song you listened to?
2008
Bah Samba - So Tired Of Waiting
2015
Renegades - X Ambassadors
20. Where did you live in 1987?
2008
Commerce
2015
Same
21. Are you jealous of anyone?
2008
Not any more.
2015
Not jealous, just envious 
22. Is anyone jealous of you?
2008
Don't know, don't care, either.
2015
Don't know, don't care.
23. Name three things that you have on you at all times?
2008
Phone(might not be charged), keys, ipod
2015
Phone, money clip, wallet
24. What’s your favorite town/city?
2008
Sitia, Crete
2015
Brighton England
25. When was the last time you wrote a letter to someone on paper?
2008
In February 
2015
Just the other day actually.
26. Can you change the oil on a car?
2008
No, why bother when that's what service stations exist for.
2015
Yes, I have always been able to do it. Taking care of my cars is a matter of pride to me.
27. Your first love/big crush: what is the last thing you heard about him/her?
2008
She is a flight attendant. 
2015
She is still a flight attendant.
28. Does anything hurt on your body right now?
2008
My left leg always hurts lately
2015
Left leg and temples
29. What is your current desktop picture?
2008
Eiffel tower in the fall of last year 
2015
A close up of Murphy's nose 
30. Have you been burnt by love?
2008
Burnt, cooked, charred, toasted, scorched.....
2015
I have been burnt, but the person who did it to me is mending that.

Wednesday, October 28, 2015

Status Update:
I have a pool of water in my shoes. My underwear is tightening up on me as I type.  My office chair is soaking wet. I am cold already and there is an ac vent directly above my head.
========================break=============================
I love my motorcycle. It gives me the freedom I desperately desire on a day to day basis. Whether I am riding through the mountains or cutting around cars in midtown, there is nothing like the feeling of not being tethered down. 
========================break==============================
I checked the weather as I drank my morning coffee. The day was forecast to be in the 70's, overcast and only a 10pc chance of rain. Awesome riding weather. I can get away with my open face helmet and just the leather jacket for my ride to work....so I thought.
The 10pc chance of rain found me as soon as I hit 75n and followed me all the way up to the perimeter. There was such a downpour that the water was getting into the engine, making it shudder and lose power, which is a bit nerve-racking while being surrounded by decaf extra foam caramel frap drinking office drones who would rather look at their phones instead of watching the road. It rained on me so hard that my suit, which is normally protected in a bag for me to change into when I get to work, was completely soaked through. My leather jacket is about 10 lbs heavier since it has absorbed enough water to be currently on my coat rack dripping still after half an hour of being out of the weather. My gloves, which are supposed to be weather proof, are...they just aren't where my hands stick out of them. I have had wet hands for the past three hours and they currently look as if they are the hands of a 90 year old man. (wrinkled)
Getting in to work, I dropped off my suit at the cleaners at the Marta station across the street for them to dry it out and began the day with a frog pond in my pants. Everyone is making fun of me. So badly that I am debating on just running to Target for a replacement shirt and pants. This would be the point where I would have something funny to say but honestly, I'm wet, I'm pissed, and I just want this day to end already.

Vent over.