
Privacy Concerns Over New ICE Intel Database

The Department of Homeland Security has just released information concerning a new intelligence database which may impact individual privacy online. For readers concerned with online privacy issues, the FALCON-SA (Search & Analysis) System may be of great importance. While inter-agency cooperation is nothing new, inter-agency databases bring up important privacy concerns.

The new ICE database enables federal agents from multiple agencies under Homeland Security to upload information on individuals, both domestic and abroad, who are or may become a threat to national security. ICE agents can then use the data in FALCON to enforce customs and immigration law more effectively, putting them “in the know.” Combating terrorism by monitoring new immigrants seems to be a primary focus of FALCON. This may even serve to assist in the prosecution of narco-terrorists further down the line.

FALCON can also aggregate data from the public internet, populating its database with information gleaned from seemingly unrelated sources. This ability to quickly correlate data ensures that ICE makes informed enforcement decisions based on all available information. It is important to note that the Privacy Impact Assessments released by DHS and mentioned here were supplied on the DHS mailing list to help mitigate concern among citizens.

Depending on your opinions regarding online safety, databases like FALCON may make you feel uneasy. Information is collected in an “ad hoc” way, as stated in the DHS privacy documents. No information is collected directly from any one individual.

It is my opinion that FALCON is an achievement worthy of note because it could potentially be used to warn ICE of impending threats previously assessed by other government agencies. Of course, the potential for abuse is always present. I’ll reserve the right to pass judgment on the system since I don’t actually know how information gleaned from FALCON-SA will be used.

A positive note is that DHS has actually anticipated problems arising from the dissemination of classified information to unauthorized ICE personnel:

“Privacy Risk: Because FALCON-SA aggregates data from multiple data systems, it is possible that its users may be able to access records in FALCON-SA that they otherwise could not view in the source system and are inappropriate for them to access.
Mitigation: For data sets routinely ingested into FALCON-SA, ICE has established technical rules to ensure that the user privileges of the source system carry forward and apply to that user in FALCON-SA. As a result, a user’s access privileges to the data stored in FALCON-SA are identical to their access privileges to that same data in the source system. This prevents FALCON-SA from being used, intentionally or unintentionally, to undermine or defeat the role-based access controls established by the source system.”

(Taken from assessment titled “DHS/ICE/PIA-032(a).”)

Furthermore, it foresees many concerns that individuals may have about their own privacy being violated. All database queries are logged and inspected routinely. ICE users are also limited in what they can see by access controls imposed by ICE (DHS/ICE/PIA-032(a)). As to what “public information” is aggregated, FALCON’s Privacy Impact Assessments remain vague (presumably to adapt to the changing technological climate).
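To make the quoted mitigation concrete, here is an added example (not part of the original post and not code from any DHS or ICE system) of a toy aggregator that applies the two controls described above: a user's privileges in the source system carry forward unchanged to the aggregated copy, and every query is written to an audit log, withheld matches included. The source systems, users, roles and record contents are constructed for illustration.

```python
# Added example, not part of the original post or of any DHS/ICE system: a toy
# data aggregator that enforces the quoted mitigation (a user's privileges in the
# source system carry forward to the aggregated copy) and records every query in
# an audit log, as the post says FALCON-SA does. Source systems, users, roles and
# record contents are constructed for illustration.

from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    source: str          # source system the record was ingested from
    role_required: str   # role the source system demands to view this record
    content: str


# Constructed: roles each user holds in each source system. These are the
# privileges that must carry forward; the aggregator holds no rules of its own.
SOURCE_ROLES = {
    "alice": {"customs_db": {"analyst"}},
    "bob": {"hr_db": {"hr_staff"}},
}


class Aggregator:
    def __init__(self, records):
        self.records = list(records)
        self.audit_log = []   # every query, whether or not it returned anything

    def can_view(self, user, record):
        """Same decision the source system would make for this user and record."""
        roles = SOURCE_ROLES.get(user, {}).get(record.source, set())
        return record.role_required in roles

    def search(self, user, term):
        """Return only records the user could also see in the originating system."""
        term = term.lower()
        matches = [r for r in self.records if term in r.content.lower()]
        allowed = [r for r in matches if self.can_view(user, r)]
        # Log withheld hits too: a user repeatedly hitting records they cannot
        # open is exactly what routine log inspection should surface.
        self.audit_log.append({
            "user": user,
            "term": term,
            "returned": len(allowed),
            "withheld": len(matches) - len(allowed),
        })
        return allowed


# Constructed sample data spanning two source systems.
SAMPLE_RECORDS = [
    Record("customs_db", "analyst", "Seizure report: shipment ref 0001"),
    Record("hr_db", "hr_staff", "Personnel file: shipment inspector J. Doe"),
]


def demo():
    agg = Aggregator(SAMPLE_RECORDS)
    alice_hits = agg.search("alice", "shipment")   # customs record only
    bob_hits = agg.search("bob", "shipment")       # HR record only
    carol_hits = agg.search("carol", "shipment")   # unknown user: nothing
    return agg, alice_hits, bob_hits, carol_hits


if __name__ == "__main__":
    agg, *_ = demo()
    for entry in agg.audit_log:
        print(entry)
```

The design choice worth noting is that the aggregator never holds its own access rules; it asks the same question the source system would, so a user gains nothing by querying the aggregated copy instead. The log entry counts withheld matches rather than listing them, so the log itself does not leak the contents a user was denied.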

It should be noted that DHS does not need to inform individuals that their previously (legally) obtained information is accessible to ICE via FALCON:

“Because FALCON-SA is a data aggregation system that operates for law enforcement purposes, it is not feasible or advisable to provide notice to all individuals at the time their information is collected or input into FALCON-SA. With respect to information obtained from individuals through federal government forms or other means, such as information collected pursuant to seizures of property, notices on any such forms state that their information may be shared with law enforcement entities.”

(Taken from assessment titled “DHS/ICE/PIA-032(a).”)

Many other privacy concerns are raised by the new DHS/ICE system; they are outlined in the DHS Privacy Impact Assessments linked below. Whenever there are advancements in security, privacy issues are raised alongside them. Undoubtedly, we will hear more of FALCON in the days to come.

DHS Privacy Impact Assessments

DHS/ICE/PIA-032(a) (FALCON-SA Privacy Issues In-Depth)

DHS/ICE/PIA-033: Falcon Tipline

Related fork() Articles

Cyber Terrorism and the Election @ fork()

National Cyber Security Awareness Month (October)

Janet Napolitano on Cybersecurity @ ASIS 2012

Hamachi as a Private VPN For Secure Web Traffic

If you’ve ever set up a fake LAN for pirated games you probably know all about Hamachi. The tool, now available through remote-access giant LogMeIn, lets you construct a VPN in which you and a set number of friends (5 using the free edition of Hamachi) appear to be on the same network. For this reason Hamachi would seem like an ideal VPN solution for those looking to jury-rig their own homemade VPN using additional proxy software.

This trend was started by Lifehacker, formerly a prominent DIY tech site that now focuses on articles about Instagram replacements and other pop consumer tech. One of the most notable Hamachi VPN articles from Lifehacker is “Build Your Own VPN to Pimp Out Your Gaming, Streaming, Remote Access, and Oh Yeah, Security” by Alan Henry (linked in the sources below). These articles all claim that Hamachi in combination with proxy software run on Windows machines is a viable security solution. That song is now being sung on many tech blogs.

The most common configuration for such a VPN is Hamachi and Privoxy, although Hamachi and Squid combinations are also making an appearance (Squid is actually much better in my opinion, as it offers unparalleled customization).

The problem is that neither solution anonymizes you or keeps you safe and secure. At best, your Hamachi IP address would be visible alongside your actual IP address. While the proxy will do its job, Hamachi will not route web traffic securely. Nor is there any way to access such a VPN from a mobile device, despite outlandish claims to the contrary: Android ICS relies on PPTP and IPsec, and neither natively supported option is usable with a Hamachi setup.

What Hamachi is Good At and What It Isn’t

Hamachi is NOT a real VPN in the sense of routing web traffic, even with proper proxy configuration. Those claiming success were more likely confused and had limited exposure to actual VPNs and to how proxies route traffic. Firefox’s web proxy settings, when configured with your Hamachi IP, may result in some websites reporting the VPN’s IP address, but your actual IP is still very much visible.

If you don’t believe me, go ahead and check the numerous comments made by users in response to these DIY tips. Lifehacker has received a number of complaints about these articles but they haven’t modified their articles.

Real VPN+Proxy solutions conceal your true IP address entirely and route all proxied data through the VPN.

Hamachi is a VPN in that it facilitates secure networking with remote parties insofar as some types of traffic are concerned (most notably, the service is great for gaming, chat servers, simple and secure file sharing over the VPN, etc.). But it is not an anonymizing VPN and can’t hide your IP address for web traffic. If that worked in the past, it doesn’t seem to apply any more.

Checking your IP address through services like whatismyip.com is also unreliable, as many such sites have scripts that see through proxies. Sometimes the remote server will report one IP address but log a different one once connected (that occurred during my tests of a Hamachi+Proxy setup). Proxy detection is typically limited to basic header information and is often wrong to begin with (as you’ll see below, with the proper squid.conf entries you can mask that detection).

Poor Proxy Configuration

Supporters of a Hamachi+Proxy solution self-hosted on the individual’s own machine are bound to think there was something wrong with my proxy settings. But upon thorough testing with both Privoxy and Squid, I’ve determined that my conclusion is valid concerning Hamachi’s privacy.

First off, configuration in Privoxy is notably poor. Beginners pick Privoxy due to its ease of use and Windows-based interface. The better solution is Squid 2.7 Stable 8.

Some Known Issues

The results using WhatIsMyIP (and triple-checked elsewhere) are as follows:

With squid.conf configured appropriately:

Your IP Address Is: [HAMACHI IP] Other IPs Detected: [ACTUAL IP] Possible Proxy Detected: 1.1 [HOSTNAME]:3128 (squid/2.7.STABLE8)

Huh. It must be registering server-side with my Hamachi IP and merely showing me my actual IP as well. But that’s not quite right: looking at my normal website’s traffic logs, the Hamachi IP doesn’t show up at all!

squid.conf with forwarded_for delete:

Your IP Address Is: [ACTUAL IP] Possible Proxy Detected: 1.1 [HOSTNAME]:3128 (squid/2.7.STABLE8)

forwarded_for delete and forwarded_for off yield exactly the same results.

Trying to add http_access blocks and the like has a similar result. You can keep sites from noticing your proxy, show only your actual IP, or block various header identifiers entirely (which can cripple what you see on websites or even get you banned), but nothing solves the problem of properly anonymizing yourself.
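The three WhatIsMyIP results above follow directly from which request headers reach the remote server and which address the TCP connection actually comes from. The following is an added example, not code from the original post, from Squid or from any IP-check site: it models the headers a Squid instance adds under the forwarded_for and via settings, then shows how a header-inspecting IP-check page and an ordinary web-server access log interpret the resulting request. The host name, the two addresses and the detection heuristic are constructed assumptions.

```python
# Added example, not code from the original post, from Squid or from any IP-check
# site. It models the two things the WhatIsMyIP output above depends on: the
# request headers a Squid instance adds under different forwarded_for / via
# settings, and how a header-inspecting IP-check page and an ordinary web-server
# access log interpret the resulting request. The host name, the two addresses
# and the detection heuristic are constructed assumptions.

PROXY_HOST = "proxyhost"               # assumed Squid host name
PROXY_PORT = 3128                      # Squid's default port, as in the post's output
SQUID_VERSION = "squid/2.7.STABLE8"    # version string shown in the post's output

REAL_IP = "203.0.113.10"    # constructed: the machine's real public address
HAMACHI_IP = "25.1.2.3"     # constructed: the address the browser uses to reach Squid


def squid_headers(client_ip, forwarded_for="on", via=True):
    """Headers Squid adds to the request it forwards upstream.

    forwarded_for models the squid.conf values on / off / delete:
      on     -> X-Forwarded-For carries the client address Squid saw
      off    -> X-Forwarded-For: unknown
      delete -> no X-Forwarded-For header at all
    via models the 'via' directive; Squid announces itself as
    "1.1 host:port (squid/version)".
    """
    headers = {}
    if forwarded_for == "on":
        headers["X-Forwarded-For"] = client_ip
    elif forwarded_for == "off":
        headers["X-Forwarded-For"] = "unknown"
    if via:
        headers["Via"] = f"1.1 {PROXY_HOST}:{PROXY_PORT} ({SQUID_VERSION})"
    return headers


def ip_check_page(peer_ip, headers):
    """What a header-inspecting 'what is my IP' page reports.

    peer_ip is the source address of the TCP connection. A page that trusts
    X-Forwarded-For shows its first hop as "your IP" and every other address it
    can see, the real peer included, as "other IPs".
    """
    report = {"your_ip": peer_ip, "other_ips": [], "proxy": None}
    xff = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in xff.split(",")
            if h.strip() and h.strip().lower() != "unknown"]
    if hops:
        report["your_ip"] = hops[0]
        report["other_ips"] = [ip for ip in hops[1:] + [peer_ip] if ip != hops[0]]
    if "Via" in headers:
        report["proxy"] = headers["Via"]
    return report


def access_log_line(peer_ip, path="/"):
    """What an ordinary web server logs: the peer address, never X-Forwarded-For."""
    return f'{peer_ip} - - "GET {path} HTTP/1.1"'


def run_case(forwarded_for):
    """One request through the proxy: the browser reaches Squid at HAMACHI_IP,
    Squid connects out from REAL_IP, so the remote server's peer is REAL_IP."""
    headers = squid_headers(HAMACHI_IP, forwarded_for=forwarded_for)
    return ip_check_page(REAL_IP, headers), access_log_line(REAL_IP)


if __name__ == "__main__":
    for mode in ("on", "off", "delete"):
        report, log_line = run_case(mode)
        print(f"forwarded_for {mode}: {report}")
        print(f"  server log: {log_line}")
```

With forwarded_for on, the page reports the Hamachi address as "your IP" and the real one under "other IPs"; with off or delete, the real address is all that is left, and the Via header still flags the proxy. In every case the server's access log holds the real address, because Squid on your own machine opens the upstream connection from your own public IP; no header setting changes the peer address, which is the point the post's tests bear out.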

At one point this setup may have worked (hence all the positive feedback it receives across the internet), but to my knowledge, it doesn’t work any longer. Besides… if you want a VPN solution you owe it to yourself to either create your own OpenVPN Server and use Squid for proxying or purchase a VPN service. Cutting corners with your privacy is silly.

Better Solutions

OpenVPN running on a virtualized or stand-alone Linux box with Squid is the absolute best way of creating your own proxy server.

Keep in mind that beginners often download the OpenVPN Windows AS Client (Access Server) and run it in a virtual box thinking that it replaces the need for an OpenVPN Server. It doesn’t. You need to configure an OpenVPN server yourself and get it working: there are no shortcuts here. The following guides can help you:

Official OpenVPN Documentation

Optionally, GZ on the TechIMO support forums also posted a great guide to configuring OpenVPN with Ubuntu, click here to access it.

Optionally you can create a Windows OpenVPN Server but it requires a little more work. To be honest, I’ve found that XP doesn’t work great with OpenVPN and Windows 7 works the best. But feel free to give it a try. This guide will help you install and appropriately configure your Windows OpenVPN Server: http://www.itsatechworld.com/2006/01/29/how-to-configure-openvpn/ — you must also configure any firewall software and/or hardware you may have. If you are new to configuring your router’s firewall (port forwarding and changing your router’s subnet is extremely important), for example, OpenVPN may not be for you.

Another (slower) solution is to use the free edition of Hotspot Shield in combination with anti-popup add-ons in Firefox (keeping in mind that you are violating Anchor’s Terms of Service by blocking the ads). You can set the appropriate software to block the appropriate ads/frames. Adblock Plus and NoScript work wonders in that regard. Keep in mind that your speeds will be slow with the free edition!

The last solution is a paid one which involves getting a really good VPN service. Price, data throughput and accessibility on devices are the top priorities. Server-side log keeping is also incredibly important to ensuring your anonymity online. Three top solutions for paid VPNs are StrongVPN, VyprVPN, and BTGuard (for anonymous torrent use).

Configuring Squid as a Proxy

While you’ll want a VPN if you’re trying to protect yourself against MITM attacks (be sure to read my blog post entitled “Public Wi-fi? Be Mindful of Session Hijacking”), once you’re ready to set up a proxy, nothing works as well as Squid. Similarly, check here for a comprehensive guide to using squid.conf to enforce your anonymity online.

Resources of Note

LogMeIn Hamachi Homepage
OpenVPN Homepage
Squid Proxy Homepage
Privoxy Homepage
Hotspot Shield VPN

Sources

Henry, Alan (Lifehacker.com) “Build Your Own VPN to Pimp Out Your Gaming, Streaming, Remote Access, and Oh Yeah, Security.” Posted on April 11, 2012.

Quora’s page in support of Hamachi used as an “effective VPN.”