Link – In the News: Chinese Attackers Hit White House

Darknet recently covered an interesting article written by The Register (UK) involving a phishing attack conducted against the White House on the 1st of this month. Since it’s National Cyber Awareness Month, I figured this issue is timely and relevant. The pieces can be found here:

Hackers break onto White House military network @ The Register

Hackers Break Into White House Military Network @ Darknet.co.uk

A spear phishing attack is like any phishing attack but executed through email. The attacker poses as a trusted party and obtains credentials from his/her victims in order to exploit them and the systems they have control over. As mentioned in the Neuralhub piece entitled “DNS Threats and Security Solutions,” one can also employ other forms of social engineering attacks, such as a Credential Harvester attack, to gain sensitive information in this manner.

Another form of credential-stealing attack mentioned on the blog would be Session Hijacking, which I covered in this Neuralhub piece.

This spear phishing attack, conducted via a Chinese network, was successful in accessing a highly sensitive network (the White House Military Office) which does everything from arrange hospitality services to “send and authenticate nuclear strike commands” (The Register, not me, I can’t claim to know whether or not this is true but it sounds unrealistic since they also mention that the network is “unclassified”). Apparently some form of attachment and/or malware was used to prep the system in question for the attacker.

Apparently no sensitive information was obtained by the attacker, and the attack was halted before anything of note was accomplished.

As always with posted links, I highly encourage you to read about the issue directly from the sources cited above for greater depth.

National Cyber Security Awareness Month

Did you know that October is the National Cyber Security Awareness Month? Well you may not have known prior to this September but, due to the heavy press coverage of the event this year, you do now!

The National Cyber Security Awareness Month is celebrating its 9th year of existence with online talks and lectures to help spread public awareness of online safety issues. The event is hosted by the Department of Homeland Security (DHS), the National Cyber Security Alliance (NCSA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC; an organization that exists to serve governments worldwide in an advisory role).

MS-ISAC and their parent organization, the Center for Internet Security, are also offering a large number of IT security jobs covering project management, analysis and tech work. They also feature a pretty neat dashboard for sharing information gleaned from cyber attacks, including common ports and IP addresses under attack; check the MS-ISAC Dashboard App for more information (while it doesn’t seem very extensive at the moment, it may be updated as time goes on).

NCSAM events are being hosted by a number of organizations and companies across the globe. Already we’ve seen some cool Facebook activity in the form of interactive lectures. For more official events check out the NCSAM calendar here (note that many of the online events aren’t listed. For those be sure to check Twitter #NCSAM or watch related hashtags and tweets on Twitterfall).

For more information from the Department of Homeland Security please visit this website:

http://www.dhs.gov/national-cyber-security-awareness-month

In the spirit of NCSAM, security & compliance firm InfoSight Inc. just posted a link to one of their interesting YouTube videos on their Twitter account. The video debunks popular computer safety myths. Feel free to check out that video below:

https://www.youtube.com/watch?v=V2rBbmQOCTI

(All rights for the video belong to InfoSight Inc. and were provided for your viewing pleasure by embedding as is allowed by the Standard YouTube License regarding published public videos. I highly recommend checking InfoSight’s other Youtube videos if you’re new to internet security.)

As always you can check the Neuralhub’s navigation system or the blog’s tag cloud to find topics of interest to you. Also visit the Neuralhub post entitled “Computer Security Resources” for a list of security links to sites I find interesting.

World is Too Slow to Adopt Two-Factor Authentication

Here’s the deal: you do a lot of business online. Amazon purchases, you check your X-Box account, access social networking sites and so on. And as I’ve said time and again, man in the middle attacks are at an all time high. So you need a way of securing your online accounts besides using just a password.

While some sites like Facebook, Google and Dropbox have implemented forms of two-factor authentication, many sites do not (to my knowledge Apple and Amazon have not implemented TFA security). SSL alone doesn’t protect customers from online threats. Amazon AWS does support multi-factor authentication but, at the time of writing this, their user accounts do not have this feature (upon asking their technical support why they didn’t use TFA, I was told “SSL was secure” and not to worry).

For those left out of the loop, TFA relies on either texting you an ever-changing security code or displaying one using a token generator (such as the great Google Authenticator for Android). Logging into a website from an unknown computer (one where a former cached login could not be found) results in a page asking you to confirm the code displayed on your token generator.

The way it works now if you don’t remember your password? A reset email can be mailed to you… not such great security. It sends an email to the account you registered with. If your email account is compromised to begin with, your other accounts can be too. All the SSL in the world doesn’t amount to a hill of beans if you don’t have better security practices for users that want to make use of them.

Social engineering attacks can also be used to get companies to change your passwords by phone. Apple and Amazon have already been caught doing this. For more information see my post entitled “Apple’s Social Engineering Crisis.”

So why don’t sites adopt TFA? They don’t want to be bothered implementing it. Really. That’s the only excuse I can think of since, if companies follow Google’s example, you have to manually opt in to using it in the first place.

So enough is enough. Start telling the companies that you do business with online to enact TFA now.

Related Articles (Better than this rant)

“Please Turn on Two-Factor Authentication.” Curts, Matt @ Lifehacker.

“Two-Factor Authentication: The Big List Of Everywhere You Should Enable It Right Now.” Gordon, Whitson @ Lifehacker Australia.

“XBox GM Talks Xbox Live Security.” Frederiksen, Eric. July 19, 2012. See: http://www.technobuffalo.com/gaming/platform-gaming/xbox-upgrading-security/

Products of Note

Google Authenticator for Android

Google Authenticator for iOS

SolidPass Two-Factor Authentication Token (Used in many places)

Related Blog Posts

Public Wi-Fi? Be Mindful of Session Hijacking

Links – Application of Elliptic Curve Crypto

With the NSA/CSS’s support of RSA dwindling, they have embraced the public key ECC method in their Suite B. This is in part due to the fact that small RSA keys have been cracked to some degree and that the associated contracts with the NSA have ended (keys over 1,024 bits are still safe at the time this post was created). This post will give some information on ECC’s adoption and cellular cryptography.

Since I just started using secure voice apps on my Android, I thought I’d provide you with a list of reference material regarding ECC’s increased usage in everyday technology. Feel free to check out the solutions mentioned below as well (I do not endorse any of them; find a solution that works best for you and your needs).

We now find ECC used in nearly every aspect of secure computing, from chat servers to cell phone voice encryption. And yet ECC’s primary role is public key cryptography (PKCS): providing a secure means of authentication, key agreement and digital signature management, as opposed to whole-document encryption. The algorithm is best utilized on actual data streams flowing from one network to another, in conjunction with other well established algorithms that encrypt the contents themselves.

Secure SIP providers around the globe have started producing secure VoIP tools that use ZRTP to agree on the encryption keys and SRTP to actively encrypt the data. This is a really good way of thwarting cellular eavesdropping.

For example, VoIP provider S.M.A.R.T.S. Technology designed HushCrypt on Android to encrypt voice calls handset-to-handset using AES-256, based on ZRTP utilizing the ECDH-38 elliptic curve. Their competition, RedPhone by Whisper Systems, uses ZRTP and its encrypting component, SRTP. Experiment with them as you see fit and determine which is best for you.

Similarly, my favorite secure texting app on Android (also provided by Whisper Systems) is TextSecure, as it relies on ECC in transit and AES-128. Keys are generated on a session-to-session basis and remain “alive” until either party cancels the session (this is compliant with NSA Suite B; for more information see the related link below).

Pretty heavy encryption, huh? But as Henry Kissinger once said, “Just because you’re paranoid don’t mean they’re not after you.” And in this world of increased threats: a little security goes a long way.

ECC & Cellular Crypto Resources

If you’re interested in learning more about the encryption standards used in commonly accepted technologies, please feel free to visit the links below (think I missed a cool link? feel free to share and I’ll pop it up on the list).

Also feel free to check out the WordPress recommended links throughout the post as I’ve approved some good Wikipedia entries!

NSA Suite B on the combined use of AES, ECC and SHA Hashes (includes Whitepapers for interested Math majors)
“ECC to replace RSA,” Blogspot’s In God I Trust blog
“The Case for Elliptic Curve Cryptography,” NSA/CSS Homepage.
HushCrypt Secure Phone on Google Play Android Store
Whisper Systems Security Products
WhisperSystems/TextSecure Wiki on the Protocols Used
WhisperSystems/RedPhone Wiki on the Protocols Used
Voice Encryption Basics on Wikipedia
SRTP Protocol Whitepaper
“NSA Watch,” Schneier, Bruce. September 30, 2005. Schneier on Security blog. *

* Note: If you aren’t subscribed to his blog, read his articles or read his books (and you’re interested in computer security), you don’t know what you’re missing. This Schneier blog post has everything you need to know about ECC including links to some great resources that go well beyond this shallow post. Bruce Schneier is a name you can trust.

Related Posts

I mentioned using PK and ECC in my blog posts entitled “Encrypted Messaging Using OpenPGP and Psi,” “DNS Threats and Security Solutions,” and “Links – PGP Security.”

Encrypted Messaging using OpenPGP and Psi

The simplest way to enable encrypted chat messaging with services like Google Talk, AIM, Yahoo, IRC and other messengers/protocols is to use a GNU Privacy Guard-enabled Jabber client. If you’ve never set one up before, you’ll want to follow these directions. I’ve included the configuration I prefer for Windows, though my Linux setup was nearly identical.

In Windows I prefer using Gpg4win as it’s extremely easy to use and lightweight. So go ahead and pick up a copy of the Windows binaries here: http://gpg4win.org/ — optionally, if you’re interested in another GnuPG distribution you can pick one up over at http://www.gnupg.org (please keep in mind that the Miranda IM client works poorly with the gpg2 packaged with Gpg4win, which is why Psi is the easier alternative).

Kleopatra makes creating OpenPGP keypairs a quick and painless process. So from within the key manager create the key you’ll use with Psi. Kleo supports RSA & DSA, though I prefer RSA keys of 2,048 bits and larger (keeping in mind that the larger the key, the longer it’ll take to encrypt and decrypt messages, though with a modern system you’re not likely to notice; a larger key is obviously more secure). Export the certificate (your public key) to a location of your choice; it’ll use ASCII armor by default.

Now that you have a public key to use with an XMPP client: again, I use Psi because it’s extremely lightweight and known to work well with every type of OpenPGP program out there. To download Psi, go here: http://psi-im.org/

While you could make your own XMPP server in the future, we’ll use a pre-existing server in this article (the main reason is that it happens to have gateways to other popular chat servers).

JaIM has an amazing server which happens to be an excellent AIM Gateway. It also features a number of transports such as AIM, Yahoo, IRC, ICQ and MSN. JaIM also features XMPP server access (Google Talk/Misc. Jabber) in addition to its own chatrooms, SOCKS5 Bytestreams, and Prosody Lua-based servers.

JaIM Public XMPP Server

To use JaIM, be sure to check Register, as JaIM supports in-client registration. Enter jaim.at as the server and turn off message history logging if you want. Under Details you’ll see an area for OpenPGP; find and select your key. Under Connection, enable compression and keep alive, enter any proxy or proxy chain information you may have, enable “probe legacy SSL port,” allow plaintext authentication over encrypted connections only, and set encrypt connection to Always.

Upon connecting it’ll ask you for a username and password to create. Once you connect to a server you can enable encryption by clicking on the gray unlocked logo. It’ll ask for your secret passphrase; upon entering it successfully you’ll see a yellow lock logo appear next to the server of your choice.

You can find commonly used Transports (such as AIM or MSN) by clicking on the Psi Greek symbol and checking the Service Directory on the JaIM.at server. You’ll be required to set your username and password and any account profile details you desire. Some Transports work better than others. If you’re an AIM and Google Talk user, for example, you’ll find this setup to your liking. Psi will automatically import your contacts from each of the Transports you choose.

Messages you send will usually be unencrypted by default unless you choose otherwise. On the top of the message box toward the right hand side of the window you’ll see a gray lock. To enable encryption, select the lock logo. Note that you’ll need to import other users’ public keys in order to send them messages they can decrypt (obvious, but I thought it was worth noting).

Google Talk

You can either use the XMPP option using JaIM’s server (a bit out of the way for my tastes) or you can simply connect to Google Talk’s server directly. To connect directly in addition to using JaIM for your other accounts (or instead of using JaIM), go to Account Setup and add an entry for talk.google.com; under Jabber ID it should read:

your.username@gmail.com

Google mistakenly doesn’t mention entering your password in the Account Setup field. If you have 2-step verification enabled on your Google account, you’ll want to enter your one time application specific password here. If you use Google with a regular password, feel free to enter that here as well so it doesn’t ask you your password every time you connect to Google Talk.

Assigning PGP Keys to Others

Simply right click on a person’s name and select Assign OpenPGP Key and enter their key accordingly.

Using the setup above you’ll be able to use Psi to video, voice and text chat with encryption enabled.

DNS Threats and Security Solutions

DNS security is of great importance to the internet as a whole. DNS, or Domain Name System, is a naming standard in which names are resolved to IP addresses. When you surf the internet your ISP’s name servers are queried and the appropriate IP address is found, you’re then forwarded to the correct location of your choice.

IPv4 and IPv6 protocols may make IP addresses appear different, but DNS is used regardless of the IP protocol used. While DNS is more of a phone book or database than the method used for communicating data (the IP protocols themselves), attackers can use DNS changing techniques to their benefit. (Actually there are a lot more differences than appearances when dealing with the new IPv6, but that’s beyond the scope of this article.)

Threats from DNS exploitation include the DNS Changer/Alureon virus and social engineering/harvester attacks used in phishing. Have you ever spent any time in Backtrack Linux? You can easily create faked login pages for use during certain types of man-in-the-middle (MITM) attacks. Such pages can be concealed to appear real but, in actuality, forward your valuable information to an attacker. Some, like the aforementioned harvester attack, will forward you to the correct page afterwards… you’ll never know you were taken advantage of!

Note: Backtrack is a legitimate security auditing Linux distribution. Don’t use it against others (after all, this blog is for folks really interested in security not as a “hacking guide”).

Credential Harvester

One of the most effective attacks is the replication of a false login page, as can be seen using the Metasploit Framework. Absolutely any type of false login can be created using the Social Engineering Toolkit (SET). When combined with a successful MITM attack, or by including such a payload in malware, an attacker can gain sensitive information about you.

Alternative name server solutions sometimes offer greater security over your standard ISP’s DNS servers. Such tools can often be used to detect false sites as they resolve.

Further Reading on SET’s Credential Harvester

Metasploit Unleashed – Credential Harvester Attack:
http://www.offensive-security.com/metasploit-unleashed/SET_Credential_Harvester_Attack

Note: If you’re interested in seriously studying computer security you owe it to yourself to check out the Metasploit Framework.

History Repeating: The DNSChanger Scare

Almost everyone remembers the scare we had recently with the DNS Changer incident. Computers still infected with DNSChanger/Alureon faced a big problem: with the arrest of botnet masters across the globe, the FBI feared that maliciously redirected DNS entries would, instead of resolving to unintended sites for phishing and advertising, simply fail.

The DNS Changer Working Group (DCWG) has a nifty website that checks whether or not your DNS resolution was hijacked. The incident turned out to be a major disaster for the FBI and a few others. Internet Service Providers compensated for this and allowed their own name servers to re-redirect the faulty computers. In the news the FBI seemed to blame everyone but themselves. In actuality they overestimated the risk. They even failed to notify people that DNSChanger was actually the very old and well known Alureon to begin with.

Also, the DCWG website would have apparently given nearly everyone in the United States a false sense of security. With ISPs compensating for DNSChanger months in advance (in some cases nearly since Alureon has been around), the page would have reported infected machines as clean simply by virtue of your ISP correcting the problem (the number one complaint made by the FBI against ISPs).

Guess the internet didn’t shut off! Okay, disperse people. We can all go back to work safely.

Yet on an individual level DNS changing malware is still a very real security problem and, if launched successfully, can mean you handing over sensitive information to the attacker.

As I’m writing this I’ve noticed the DCWG page is back online. While the “global meltdown” is no longer a real threat, the page can still be used to attempt to detect DNSChanger on individual computers. Note that I’m not saying it isn’t a real concern; it is a concern, merely not a global threat as the FBI suggested. Prior to the DCWG page going back online, a notice was posted explaining how ISPs compensated for DNSChanger and therefore would have rendered their site useless against actually detecting DNSChanger.

So a joke? No. OpenDNS.com reported in blog posts that hundreds of thousands were infected but simply didn’t know it. While there wasn’t a global meltdown of epic proportions, users should still take note that the threat is real and do everything they can to ensure their own safety. Use DCWG, but simply keep in mind that many ISPs have independently addressed this issue: if you are still infected you should get it cleaned up. Also be sure to run regularly updated malware protection.

DNS Changer Detection (DCWG): http://www.dcwg.org/detect/
Malware Bytes: http://www.malwarebytes.org/

Further Reading on DNSChanger

Blog Post on DNSChanger on Geek Street:
http://mountainloopexpress.com/index.php?fn_mode=fullnews&fn_id=694

Tech Republic Post by Alfonso Barreiro Prior to Incident:
http://www.techrepublic.com/blog/security/preparing-for-the-dnschanger-internet-outage/7863?tag=nl.e036

DNA India on DNS Changer Prior to Incident:
http://www.dnaindia.com/pune/report_dns-syndrome-not-a-major-threat-experts_1712350

Peckham, Matt. “DNSChanger: No, the Internet Isn’t Shutting Down on Monday.” Time Magazine. July 6, 2012. Note: Prior to incident, warnings that a global meltdown scenario is not accurate but threat is still real.

Chabrow, Eric. “Malware Monday: Much Ado About Nothing.” Bank Info Sec. July 5, 2012.

DNS Cache Poisoning/Spoofing Attacks

The types of attacks above are DNS cache poisoning attacks and rely on an attacker changing your DNS table to facilitate faulty look-ups (ones that can appear real but are used to steal your information).

More info on DNS poisoning generally can be found on these sites:
http://searchsecurity.techtarget.com/definition/cache-poisoning
http://cr.yp.to/djbdns/notes.html#poison
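To make the resolution step and the poisoning problem concrete, here is an added example (not from the original post): a minimal DNS wire-format encoder and parser in Python’s standard library that builds an A query, parses a reply including compressed names, and applies the two checks a stub resolver performs before trusting an answer (the transaction ID must match the outstanding query and the echoed question must be identical). It also compares the A records that two resolvers return for the same name, which is the kind of disagreement a DNS-changer check looks for. All addresses are constructed documentation-range values, and the replies are built locally rather than fetched from a real server.

```python
import socket
import struct

A_RECORD = 1  # RR type for an IPv4 address


def _encode_name(name: str) -> bytes:
    """Encode a hostname as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """DNS A query (RFC 1035): 12-byte header with RD=1 and one question,
    followed by QNAME, QTYPE=A and QCLASS=IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack(">HH", A_RECORD, 1)


def build_response(query: bytes, addrs, ttl: int = 300) -> bytes:
    """Construct a reply to `query` carrying the given A records. Used here only
    to fabricate sample responses offline; a real resolver sends these over UDP/53."""
    txid = struct.unpack(">H", query[:2])[0]
    question = query[12:]
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)  # QR, RD, RA set
    answers = b""
    for ip in addrs:
        # 0xC00C is a compression pointer back to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack(">HHIH", A_RECORD, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answers


def _read_name(msg: bytes, pos: int):
    """Decode a possibly compressed name (RFC 1035 4.1.4); return (name, next position)."""
    labels, jumped, end, hops = [], False, pos, 0
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:  # two-byte pointer into an earlier part of the message
            if not jumped:
                end = pos + 2
            pos = struct.unpack(">H", msg[pos:pos + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels), (end if jumped else pos)


def parse_response(msg: bytes) -> dict:
    """Parse the header, skip the question section and return the answer RRs."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    pos = 12
    for _ in range(qd):
        _, pos = _read_name(msg, pos)
        pos += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, pos = _read_name(msg, pos)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", msg[pos:pos + 10])
        pos += 10
        rdata = msg[pos:pos + rdlen]
        pos += rdlen
        if rtype == A_RECORD and rdlen == 4:
            rdata = socket.inet_ntoa(rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"txid": txid, "flags": flags, "answers": answers}


def validate_response(query: bytes, response: bytes) -> bool:
    """Checks a stub resolver makes before accepting a reply: the transaction ID
    must match the query we sent and the echoed question must be identical.
    Replies failing either check are dropped, which is what forces a blind
    spoofer to guess the ID rather than simply send a forged answer."""
    if len(response) < 12 or response[:2] != query[:2]:
        return False
    _, end = _read_name(response, 12)
    return response[12:end + 4] == query[12:]


def a_records(response: bytes) -> set:
    """The set of IPv4 addresses a reply asserts for the queried name."""
    return {rdata for _n, rtype, _t, rdata in parse_response(response)["answers"] if rtype == A_RECORD}


def answers_disagree(trusted: bytes, local: bytes) -> bool:
    """Compare the A records from a trusted resolver and from the locally configured
    one for the same query; a mismatch is the symptom a DNS-changer check looks for."""
    return a_records(trusted) != a_records(local)
```

The comparison is deliberately simple: many legitimate names return different addresses from different resolvers (CDNs, geo-based answers), so a real check would use names with a known, stable answer and treat a mismatch as a prompt to inspect the machine’s resolver settings rather than as proof of infection.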

Alternative DNS Solutions

There are quite a number of different ways to protect against phishing online from nifty router firewall software that monitors the sites you visit to anti-virus software. In the end, used intelligently, a combination of all these methods can be utilized to safeguard your presence online. One small solution (the focus of this article) is to use an alternative name server with security tools built-in to protect you from visiting faulty or purposely misleading websites.

OpenDNS is a terrific solution which provides fast and stable name servers with anti-phishing protection. Combined with DNSCrypt, your DNS look-ups will also be encrypted, so that if you have a virus it’ll be more difficult for it to change your DNS look-up behavior. Plus OpenDNS enables the use of parental controls for parents to block access to certain types of sites. There’s a paid version and an ad-supported free version in which, upon entering an unresolvable name, you’ll get an error page, like normal, but with an ad.

This solution does not replace the need for a VPN, does not offer the extendability and protection of a good proxy, does not anonymize you in any way, shape, or form, and does not encrypt data passing through your network (for a free solution that encompasses all of those forms of protection, please look into running an OpenVPN+Squid Virtual Private Network as I describe as being effective in this article). This solution is for those wishing to either secure their DNS querying, protecting their system from the above risks and/or accessing sites their ISP would otherwise prohibit them from seeing (such as regional restrictions).

For more information on OpenDNS with DNSCrypt, see ghacks.net’s article entitled, “OpenDNS DNSCrypt, Increase Security By Encrypting DNS Traffic.”

DNSCrypt relies on elliptic-curve cryptography, Curve25519, as outlined here: http://dnscurve.org/crypto.html — keep in mind that the DNS server must actually use DNSCurve in order for you to gain its benefits. If in doubt, call your ISP to see if you can make use of it by itself, or use DNSCrypt with the OpenDNS Service. To set up DNSCurve without relying on OpenDNS, click here for instructions.

DNSSEC Protection: Why It Isn’t Enough

DNS Security Extensions (DNSSEC) are a way of authenticating DNS entries and ensuring that the response from a queried server is coming from the intended server. In and of itself it offers no confidentiality, but it does add a layer of protection. When considering DNS service providers you should choose ones that use DNSSEC in combination with an encryption tool, depending on your needs.

DNS Server Logging and Record Keeping
(Should You Use an Alternative DNS Server?)

Theoretically OpenDNS can compile a list of every site you access (name and IP address). But they do not have access to your data. Once a name server resolves a name to an IP address, a link is created and the DNS server’s role is at an end (simplistically speaking). That means that your ISP actually has even more information about you than any sole DNS server could ever have.

Not only does your ISP have access to the sites you visit through their name server logs, they could potentially see your web traffic so long as it’s unencrypted (not using SSL) since it is running through their network.

It all comes down to personal choice and who you’re willing to trust more (or more completely): your ISP alone, or your ISP and a third party DNS service. Everyone’s goals and desires are different; the purpose of this post is to inform you of the technology, the threat and possible solutions.

Keep in mind that despite your best efforts to be safe online, your unencrypted information is out there. Plenty of third party sites know what you do. Even by using proxy chains (and I’ve used some pretty extensive proxy chains), most of your activities can eventually be tracked back to you. Generally speaking, your ISP will always have extensive records chronicling your internet adventures.

In an insecure world, what measures do you think are acceptable and worth going through in order to safeguard your privacy?

As a great American Hero once said, “Only You Can Prevent Forest Fires.”

Related post: “Public Wi-fi? Be Mindful of Session Hijacking.”

Janet Napolitano on Cybersecurity @ ASIS 2012

Awesome keynote speech by Janet Napolitano, Secretary of Homeland Security, at ASIS 2012 in PA on the importance of cyber security.

Video embedded here for your viewing pleasure. Originally posted publicly on YouTube by ASIS International. For more videos please see the  ASIS YouTube page.

Poll – iPhone 5 Released. Will You Get It?

The specs are in for the new iPhone 5. Compare them now with a few new Androids on the market on Mashable here:

https://mashable.com/2012/09/12/iphone-5-compared/

Details on the iPhone 5 can be found on the following sites:

Mashable Review iPhone 5 Review
Tech Radar Review iPhone 5 Review
NY Times Review by David Pogue

Concerned with battery life? Check out the Cult of Mac article discussing it. Yet the truth is that, although the iPhone 5 boasts 8 hours for 4G (LTE) web browsing (or 10 hours for video play back without web browsing, or 8 hours of just talk time), the Motorola Razr Maxx still boasts a 3,300mAh battery capable of providing up to 17.6 hours of talk time! The new Motorola Razr HD features an impressive 21 hours talk time/data use over 3G.

Court rivals can still be friends right? Check out how the iPhone 5 stacks up against its biggest rival, the Samsung Galaxy S III here.

Does it bother you that the iPhone 5 still doesn’t have an SD card slot while the new Samsung Galaxy S III has a 2 TB capacity for multimedia? Any other gripes? Feel free to chime in on the poll and/or comment to let me know what you think!

Hamachi as a Private VPN For Secure Web Traffic

If you’ve ever set up a fake LAN for pirated games you probably know all about Hamachi. The tool, now available through RAS-giant LogMeIn, allows you to flawlessly construct a VPN which in turn lets you and a set number of friends (5 using the free edition of Hamachi) join in and appear to be using the same network. For this reason Hamachi would seem like an ideal VPN solution for those looking to jury-rig their own homemade VPNs using additional proxy software.

This trend was started by Lifehacker, formerly a prominent DIY tech site that now focuses on providing articles on Instagram replacements and other pop consumer tech. One of the most notable Hamachi VPN articles from Lifehacker can be seen by clicking here (“Build Your Own VPN to Pimp Out Your Gaming, Streaming, Remote Access, and Oh Yeah, Security” by Alan Henry). These articles all claim Hamachi in combination with proxy software run off Windows machines is a viable security solution. That song is now being sung on many tech blogs.

The most common configuration for such a VPN is Hamachi and Privoxy, although Hamachi and Squid combinations are also making an appearance (Squid is actually much better in my opinion as it offers unparalleled customization).

The problem is that neither solution works to anonymize you and keep you safe and secure. At best, your Hamachi IP address would be visible in conjunction with your actual IP address. While the proxy will do its job, Hamachi will not properly route web traffic securely. Plus there are no ways to access your VPN via any mobile device despite outlandish claims to the contrary. Android ICS relies on PPTP and IPSec, neither native-supported function is accessible using a Hamachi solution.

What Hamachi is Good At and What It Isn’t

Hamachi is NOT a real VPN in the sense of routing web traffic even with proper proxy configuration. It’s more likely that those claiming success were confused and had limited exposure to actual VPNs and how proxies actually route traffic. Firefox’s web proxy settings – when configured with your Hamachi IP – may have the result of some websites receiving the VPN’s IP address, but in actuality, your actual IP is still very much visible.

If you don’t believe me, go ahead and check the numerous comments made by users in response to these DIY tips. Lifehacker has received a number of complaints about these articles but they haven’t modified their articles.

Real VPN+Proxy solutions conceal your true IP address entirely and route all proxied data through the VPN.

Hamachi is a VPN in that it facilitates secure networking with remote parties insofar as some types of traffic is concerned (most notably this service is great when it comes to gaming, chat servers, simple and secure VPN file sharing, etc). But it is not an anonymous VPN and can’t hide your IP address for web traffic. If that worked in the past, it doesn’t seem to apply any more.

Checking your IP address through services like whatismyip.com is also unreliable as many such sites have scripts that see through proxies. Sometimes the remote servers will say one IP address but log another when connected (that occurred during my tests of a Hamachi+Proxy setup). Proxy detection is typically limited to basic header information and is typically wrong to begin with (as you’ll see below, with the proper squid.conf entries, you can mask that detection).

Poor Proxy Configuration

Supporters of a Hamachi+Proxy solution self-hosted on the individual’s own machine are bound to think there was something wrong with my proxy settings. But upon thorough testing with both Privoxy and Squid, I’ve determined that my conclusion is valid concerning Hamachi’s privacy.

First off, configuration in Privoxy is notably poor. Beginners pick Privoxy due to its ease of use and Windows-based interface. The better solution is Squid 2.7 Stable 8.

Some Known Issues

The results using WhatIsMyIP (and triple checked elsewhere) are as follows:

With squid.conf configured appropriately:

Your IP Address Is: [HAMACHI IP] Other IPs Detected: [ACTUAL IP] Possible Proxy Detected: 1.1 [HOSTNAME]:3128 (squid/2.7.STABLE8)

Huh. Must be registering server-side with my Hamachi IP but merely showing me my actual IP as well. But that’s not quite right. Looking at my normal website’s traffic logs, the Hamachi IP doesn’t actually show at all!

squid.conf with forwarded_for delete:

Your IP Address Is: [ACTUAL IP] Possible Proxy Detected: 1.1 [HOSTNAME]:3128 (squid/2.7.STABLE8)

forwarded_for delete and forwarded_for off yield the exact same results.

Trying to add http_access blocks, etc. will have a similar result. You can drop sites from noticing your proxy, only show your actual IP, or completely block various header identifiers (you can essentially cripple what you can see on websites or even get yourself banned), but nothing solves the problem of properly anonymizing yourself.
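As an added illustration of why the results above come out the way they do (this is example code written for this page, not from the post or from Squid): a small Python model of the headers a forward proxy adds under the three forwarded_for settings mentioned, and of what the receiving web server can tell from a request. The IP-check site’s three output lines map onto the X-Forwarded-For header, the TCP peer address and the Via header; the server’s access log always records the peer address, which for a proxy hosted on your own machine is your own public IP, whatever the headers say. The addresses and hostname are constructed placeholders, and the header behaviour is a simplified model of Squid’s, not its actual code.

```python
# Constructed sample values (documentation ranges), standing in for the bracketed
# placeholders in the post: [ACTUAL IP], [HAMACHI IP] and [HOSTNAME].
PROXY_PUBLIC_IP = "203.0.113.5"   # public address of the machine running the proxy
VPN_CLIENT_IP = "10.8.0.6"        # the client's address on the VPN side of the proxy
VIA_HEADER = "1.1 proxyhost:3128 (squid/2.7.STABLE8)"

FORWARDED_FOR_SETTINGS = ("on", "off", "delete")


def proxy_headers(forwarded_for: str) -> dict:
    """Headers a Squid-style forward proxy adds to an outgoing request, modelled
    for the three settings the post tries. 'on' appends the client address,
    'off' sends the literal 'unknown', 'delete' sends no X-Forwarded-For at all.
    The Via header is added in every case unless separately disabled."""
    if forwarded_for not in FORWARDED_FOR_SETTINGS:
        raise ValueError(f"unknown forwarded_for setting: {forwarded_for}")
    headers = {"Via": VIA_HEADER}
    if forwarded_for == "on":
        headers["X-Forwarded-For"] = VPN_CLIENT_IP
    elif forwarded_for == "off":
        headers["X-Forwarded-For"] = "unknown"
    return headers


def server_view(peer_ip: str, headers: dict) -> dict:
    """What the destination web server (or an IP-check site) can tell about a
    request. The TCP peer address is known unconditionally; X-Forwarded-For
    and Via are unauthenticated hints the proxy chose to send."""
    xff = headers.get("X-Forwarded-For")
    via = headers.get("Via")
    reported, others = peer_ip, []
    if xff and xff.strip().lower() != "unknown":
        chain = [hop.strip() for hop in xff.split(",") if hop.strip()]
        reported = chain[0]             # "Your IP Address Is:"
        others = [peer_ip] + chain[1:]  # "Other IPs Detected:"
    return {
        "reported_ip": reported,
        "other_ips": others,
        "proxy_detected": via,          # "Possible Proxy Detected:"
        "logged_ip": peer_ip,           # what lands in the server's access log
    }


def logged_ips_for_all_settings(peer_ip: str = PROXY_PUBLIC_IP) -> set:
    """Run the same request through every forwarded_for setting and collect the
    addresses the server would log. Header changes never alter this set."""
    return {server_view(peer_ip, proxy_headers(s))["logged_ip"] for s in FORWARDED_FOR_SETTINGS}


if __name__ == "__main__":
    for setting in FORWARDED_FOR_SETTINGS:
        print(f"forwarded_for {setting}:", server_view(PROXY_PUBLIC_IP, proxy_headers(setting)))
```

The first setting reproduces the post’s first result (the VPN-side address is “reported” while the real address appears under “Other IPs Detected”); the other two reproduce the second. In every case the access log entry is the proxy host’s own public address, because headers describe the request while the peer address is a property of the TCP connection that carried it.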

At one point this setup may have worked (hence all the positive feedback it receives across the internet), but to my knowledge, it doesn’t work any longer. Besides… if you want a VPN solution you owe it to yourself to either create your own OpenVPN Server and use Squid for proxying or purchase a VPN service. Cutting corners with your privacy is silly.

Better Solutions

OpenVPN running on a virtualized or stand-alone linux box with Squid is the absolute best way of creating your own Proxy server.

Keep in mind that beginners often download the OpenVPN Windows AS Client (Access Server) and run it in a virtual box thinking that such replaces the need for an OpenVPN Server. It doesn’t. You need to configure an OpenVPN server yourself and get it working: there are no shortcuts here. Though you can check out the following guides to help you:

Official OpenVPN Documentation

Optionally, GZ on the TechIMO support forums also posted a great guide to configuring OpenVPN with Ubuntu, click here to access it.

Optionally you can create a Windows OpenVPN Server but it requires a little more work. To be honest, I’ve found that XP doesn’t work great with OpenVPN and Windows 7 works the best. But feel free to give it a try. This guide will help you install and appropriately configure your Windows OpenVPN Server: http://www.itsatechworld.com/2006/01/29/how-to-configure-openvpn/ — you must also configure any firewall software and/or hardware you may have. If you are new to configuring your router’s firewall (port forwarding and changing your router’s subnet is extremely important), for example, OpenVPN may not be for you.

Another (slower) solution is to use the free edition of Hotspot Shield in combination with anti-popup add-ons in Firefox (keeping in mind that you are violating Anchor’s Terms of Service by blocking the ads). You can set the appropriate software to block the appropriate ads/frames. Adblock Plus and NoScript work wonders in that regard. Keep in mind that your speeds will be slow with the free edition!

The last solution is a paid one which involves getting a really good VPN service. Price, data throughput and accessibility on devices are the top priority. Log keeping on the server side is also incredibly important to ensuring your anonymity online. Three top solutions for paid VPNs are: StrongVPN, VyprVPN, and BTGuard (for anonymous torrent use).

Configuring Squid as a Proxy

While you’ll want to get yourself a VPN if you’re trying to protect yourself against MITM attacks (be sure to read my blog post entitled “Public Wi-fi? Be Mindful of Session Hijacking”), once you’re ready to set up a proxy, nothing works as well as Squid. Similarly, check here for a comprehensive guide to using squid.conf to enforce your anonymity online.

Resources of Note

LogMeIn Hamachi Homepage
OpenVPN Homepage
Squid Proxy Homepage
Privoxy Homepage
Hotspot Shield VPN

Sources

Henry, Alan (Lifehacker.com) “Build Your Own VPN to Pimp Out Your Gaming, Streaming, Remote Access, and Oh Yeah, Security.” Posted on April 11, 2012.

Quora’s page in support of Hamachi used as an “effective VPN.”