DIGITAL HIDE AND SEEK

How to keep yourself hidden

By

Zachary Standridge

Online Network Security

Spring 2017

Copyright 2017

By

Zachary Standridge

We are a littering society. We belch out greenhouse gasses as we breathe. We litter the earth just by driving down the road. Archaeologist of today are doing their PhD research by sorting through the trash piles of long forgotten cultures . There is no way we can exist in this world without leaving a little bit of ourselves behind. Our computers are the same way. Every time we just turn on a terminal, we are leaving behind little bits of information on who we are and what we do during the day to day existence of our lives. Your phone is a mobile computer jumping from one cell tower to another and logging your movements. Your browser is keeping a log of every single thing which peeks your curiosity. Your email is keeping tabs on you more than any other service which we depend on for our day to function. But you already knew this right? What about the places you don't know about. What about that box in the closet? What about the server in your office back room? What is being left behind there which you would never even know about. When you see the crazy person on the street with a tin foil hat ranting and raving about the hackers or the government reading your thoughts and disheartening in the night undetected, they are not too far off. The industry of data forensics is a quickly growing field and they are trying every day to come up with more ways to locating you but the are of keeping them busy is also becoming a business necessity. It is more than just seeing that proper traffic is encrypted, it means not having to lock down that router or creating that impressive DMZ for protecting your infrastructure. There is no difference in whether you are wearing a black hat or a white hat...or a gray, you have to understand that you are leaving behind a trail which can be used against you. Each of the following methodologies reducing your personal information is available but no one method is full proof. They will remove at least some of the little bits of data which are even now flowing over the Internet. Lets say it again. They are not complete and full proof. There are always new tech coming out which is designed to divert and bypass the information. Cracks will always be created. All they can do is just make it harder for the investigator to do his job or for the black hat to move on to another easier target. There are almost an infinite amount of methods, applications, and extensions so lets be fair by using three from the white hat side of the coin and three from the black,

Number 1: Cookie Management. Google is a search engine right? No. Its an advertisement communication company which is in the business of getting to know you and putting you in front of an advertiser which will pay for your data. The search engine companies will say that they are just giving us as consumers the best products, services, and features available for making our lives easier while not putting an ad for a purse designer in frornt of a middle age man. This is the flaw in their plan. The sale of our information which are collected by cookies may be a necessity evil for the use of the search engine's little toys but what happens to the little bits of information after they(google/yahoo....etc) has used them? They are stored on our systems just waiting for the wrong reasons. The most common method of tracking your cookies is built right into your browser by default. Each time you come back to a site such as Facebook, the browser sends the cookie from your last visit back to the serve where it links up all your past visits into a profile. These little cookies are not going anywhere. They are designed to only delete themselves if previously configured to. Most of them time, they just sit in your temp file forever unless you personally delete them. So how do we get rid of them? Most all browsers have a method for removing cookies. It is common practice to set up a scheduled event for removing them all and there are many browser extensions which will delete the file as soon as you close the page. There are more stubborn ways of cookie tracking in the works however. Advertising companies across the board hire more programmers than any other job market. With the introduction of Super Cookies, the use of a simple deletion will not work anymore. The user will become dependant on apps and extensions for maintaining their visible footprints. One of these extensions, Ghostery, watches the flow of data coming from each and every website. Ghostery is designed to flag some of the most common little tricks for installing a cookie such as single-pixel images. These files are then either blocked or allowed by the user.

Number 2. Each and every machine, VM or physical, has an address. That address is your Internet Protocol address (IP). Just as *69 did for people in the 90's, your IP address can be tracked when you attach to another machine or ask for connection. They do change, but by a vast majority, they are static which is why hiding your IP address is so important. With the creation of Tor, (The onion router) by the Office of Naval Research which directs traffic through a free world wide network which is made up of over 7000 relays to conceal a user's location and usage from anyone or any program conducting network surveillance or network traffic analysis, allowed for a healing encrypted super network over all other networks on the Internet. How is works is, when you machine starts a connection the network maps out a path through the nodes in the subnet, your web page requests then follow this path through the nodes to the server. The service request is encrypted at each node again and again so that if your traffic is intercepted, it would have to be decrypted at each node back to you for any information to be usable. At the destination the machine on the last node then submits the request as if you were right there in front of it. When the traffic is coming back, the same process happens over again. Every machine in the linked chain does not know what is passing through but only what the node behind it sends. This is the golden key, every thing is encrypted and thus there is no chance of data seepage from a machine in the chain. So, this is great but there are flaws in this system as well. This process only works if the machine at the end works as your proxy but it still can track the actions of the user. It doesn't know who you are but it knows what you are putting out there onto the Internet where it will be disseminated to the masses. If you check your email from within a Tor browser, it data may be safe on your side but you are still activating it on the server side which is still easily read. For this reason, it is still best to add on a layer of encryption to your emails.

Number 3. SSL is one of the most simple and easy ways to protect your content and data. When working with websites with the prefix HTTPS, the data stream between yourself and the webserver is being encrypted. While it is not standard yet, major online email providers will request that you make sure that your address bar is started with https by automatically adding it when connecting. The SSL connection works by scrambling up the data from to and from the webpage server, if configured correctly. The process also hides any of the links in the chain from the server, through the area wide network and into your LAN. This is especially useful when abroad and forced to use a public wifi which may or may not be monitored for traffic capturing. SSL has its flaws however. It only is able to protect the data as it is moving between your terminal and the server. It does not have the ability to control what the server does with your information. When reading your favorite online news feed, the SSL service will block any router between being victim of a man in the middle attack but it is impossible for it to protect you from anyone seeing your feed anywhere else. There are other ways of bypassing SSL security such as poisoning the Certificate Authentication Process to bypass it but since it is so complicated without the use of a script kiddie your local wifi sniffer will break it.

Number 4. You have just successfully taken over or compromised a system using a python os.system alias and have really put in the work to get there. Now its time to make sure that you are not seen. As soon as you connect, you are leaving traces and every activity which you do from within is being recorded by the system itself just as if the user was doing it. If your intention is to not be logged, it is time to start covering your tracks. The first place to start is the windows event log since that is also one of the most easily accessible to other users. The intruder would need to clear these entries of his activities to minimize being traced by forensic investigators. When the victim or target runs EventVWR, it activated a window with a listed format of all security-oriented logs available. The attacker would need to clear these logs immediately. Using Ruby interpreter in meterpreter to clear the logs would be your best, simplest, and quickest choice. Using Log.clear, cleaning the log is almost instantly done. Now that they windows system event logs are cleared, the attacker have the security, application, DNS, and all the other logs to clear. That is done by using scripts in Winenum.rb. The function is used to make sure that all window event logs are cleared of the entry of the attacker. The last step in clearing your tracks would be to re write the script which is in /pentest/exploits/framework3/scripts/meterpreter and check to make sure that every thing has worked.

Number 5. Since not everyone uses five VMs at a time or has the money to work specifically with an IOS machine, the attacker most likely will be attacking a windows machine. This means clearing out the event logs. This time, without metasploit.

1. Click the root node.
2. On the action menu, click connect to another computer
3. In the another computer box, type the name or IP address of the remote computer.
4. Click OK.

With the addition of a backdoor after compromising the system for use later, this would be a very helpful way of keeping the attackers activities hidden from the terminal owner while still being able to spoof the identity of the owner.

White, black, grey hat or no hat...we all need to keep ourselves from being taken advantage of by the gathering and removal of the information we leave behind on a computer. Since our field is still growing by leaps and bounds, there are always going to be new ways for people to track the little bits of information left behind but thanks to these new ways of tracking, there will always be new ways of being hidden in the shadows.