
Hamachi as a Private VPN For Secure Web Traffic

If you’ve ever set up a fake LAN for a pirated game you probably know all about Hamachi. The tool, now available through RAS-giant LogMeIn, allows you to flawlessly construct a VPN which in turn lets you and a set number of friends (5 using the free edition of Hamachi) join in and appear to be using the same network. For this reason Hamachi would seem like an ideal VPN solution for those looking to jury-rig their own homemade VPNs using additional proxy software.

This trend was started by Lifehacker, formerly a prominent DIY tech site that now focuses on providing articles on Instagram replacements and other pop consumer tech. One of the most notable Hamachi VPN articles from Lifehacker is “Build Your Own VPN to Pimp Out Your Gaming, Streaming, Remote Access, and Oh Yeah, Security” by Alan Henry. These articles all claim that Hamachi in combination with proxy software run off a Windows machine is a viable security solution. That song is now being sung on many tech blogs.

The most common configuration for such a VPN is Hamachi and Privoxy, although Hamachi and Squid combinations are also making an appearance (Squid is actually much better in my opinion as it offers unparalleled customization).

The problem is that neither solution works to anonymize you and keep you safe and secure. At best, your Hamachi IP address would be visible in conjunction with your actual IP address. While the proxy will do its job, Hamachi will not properly route web traffic securely. Plus, there is no way to access your VPN via any mobile device, despite outlandish claims to the contrary: Android ICS relies on PPTP and IPSec, and neither natively supported function is accessible using a Hamachi solution.

What Hamachi is Good At and What It Isn’t

Hamachi is NOT a real VPN in the sense of routing web traffic even with proper proxy configuration. It’s more likely that those claiming success were confused and had limited exposure to actual VPNs and how proxies actually route traffic. Firefox’s web proxy settings – when configured with your Hamachi IP – may have the result of some websites receiving the VPN’s IP address, but in actuality, your actual IP is still very much visible.

If you don’t believe me, go ahead and check the numerous comments made by users in response to these DIY tips. Lifehacker has received a number of complaints about these articles but they haven’t modified their articles.

Real VPN+Proxy solutions conceal your true IP address entirely and route all proxied data through the VPN.

Hamachi is a VPN in that it facilitates secure networking with remote parties insofar as some types of traffic are concerned (most notably, this service is great when it comes to gaming, chat servers, simple and secure VPN file sharing, etc.). But it is not an anonymous VPN and can’t hide your IP address for web traffic. If that worked in the past, it doesn’t seem to apply any more.

Checking your IP address through services like whatismyip.com is also unreliable, as many such sites have scripts that see through proxies. Sometimes the remote servers will say one IP address but log another when connected (that occurred during my tests of a Hamachi+Proxy setup). Proxy detection is typically limited to basic header information and is typically wrong to begin with (as you’ll see below, with the proper squid.conf entries, you can mask that detection).

Poor Proxy Configuration

Supporters of a Hamachi+Proxy solution self-hosted on the individual’s own machine are bound to think there was something wrong with my proxy settings. But upon thorough testing with both Privoxy and Squid, I’ve determined that my conclusion is valid concerning Hamachi’s privacy.

First off, configuration in Privoxy is notably poor. Beginners pick Privoxy due to its ease of use and Windows-based interface. The better solution is Squid 2.7 Stable 8.

Some Known Issues

The results using WhatIsMyIP (and triple-checked elsewhere) are as follows:

With squid.conf configured appropriately:

Your IP Address Is: [HAMACHI IP] Other IPs Detected: [ACTUAL IP] Possible Proxy Detected: 1.1 [HOSTNAME]:3128 (squid/2.7.STABLE8)

Huh. Must be registering server-side with my Hamachi IP but merely showing me my actual IP as well. But that’s not quite right. Looking at my normal website’s traffic logs, the Hamachi IP doesn’t actually show at all!

squid.conf with forwarded_for delete:

Your IP Address Is: [ACTUAL IP] Possible Proxy Detected: 1.1 [HOSTNAME]:3128 (squid/2.7.STABLE8)

forwarded_for delete and forwarded_for off yields the exact same results.

Trying to add http_access blocks, etc. will have a similar result. You can drop sites from noticing your proxy, only show your actual IP, or completely block various header identifiers (you can essentially cripple what you can see on websites or even get yourself banned), but nothing solves the problem of properly anonymizing yourself.
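
The results above can be reproduced with a small model of how an IP-check page reads a request. This is an added example, not code from WhatIsMyIP or from the original post; it assumes the page prefers X-Forwarded-For over the TCP peer address and that the browser reaches Squid over its Hamachi address, and the addresses and hostname are constructed stand-ins for [ACTUAL IP], [HAMACHI IP] and [HOSTNAME].

```python
import ipaddress

# Constructed stand-ins (documentation ranges) for the page's placeholders.
ACTUAL_IP = "203.0.113.7"     # [ACTUAL IP]
HAMACHI_IP = "198.51.100.5"   # [HAMACHI IP]
VIA = "1.1 proxybox:3128 (squid/2.7.STABLE8)"  # hostname is made up


def valid_ips(value):
    """Return the syntactically valid addresses in an X-Forwarded-For value."""
    found = []
    for item in value.split(","):
        try:
            found.append(str(ipaddress.ip_address(item.strip())))
        except ValueError:
            pass  # e.g. the literal "unknown" sent with forwarded_for off
    return found


def ip_check_page(peer_ip, headers):
    """Assumed display logic of an IP-check page for one request."""
    h = {k.lower(): v for k, v in headers.items()}
    forwarded = valid_ips(h.get("x-forwarded-for", ""))
    # Header-trusting display: first forwarded address is shown as "your IP".
    shown = forwarded[0] if forwarded else peer_ip
    others = [ip for ip in dict.fromkeys(forwarded + [peer_ip]) if ip != shown]
    # A web server's access log records only the TCP peer address.
    return {"shown": shown, "others": others, "proxy": h.get("via"),
            "server_log_ip": peer_ip}


def squid_request_headers(forwarded_for="on", via="on"):
    """Headers Squid adds for a client on Hamachi, per squid.conf setting."""
    headers = {}
    if forwarded_for == "on":
        headers["X-Forwarded-For"] = HAMACHI_IP
    elif forwarded_for == "off":
        headers["X-Forwarded-For"] = "unknown"
    # forwarded_for delete: the header is omitted entirely
    if via == "on":
        headers["Via"] = VIA
    return headers


if __name__ == "__main__":
    # Squid runs on the user's own machine, so the site's TCP peer is ACTUAL_IP.
    for ff, via in [("on", "on"), ("off", "on"), ("delete", "on"), ("delete", "off")]:
        print(ff, via, ip_check_page(ACTUAL_IP, squid_request_headers(ff, via)))
```

In every case `server_log_ip` is the actual address: the header settings only change what the page displays, not where the outbound connection comes from.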

At one point this setup may have worked (hence all the positive feedback it receives across the internet), but to my knowledge, it doesn’t work any longer. Besides… if you want a VPN solution you owe it to yourself to either create your own OpenVPN Server and use Squid for proxying or purchase a VPN service. Cutting corners with your privacy is silly.

Better Solutions

OpenVPN running on a virtualized or stand-alone Linux box with Squid is the absolute best way of creating your own proxy server.

Keep in mind that beginners often download the OpenVPN Windows AS Client (Access Server) and run it in a virtual box thinking that such replaces the need for an OpenVPN Server. It doesn’t. You need to configure an OpenVPN server yourself and get it working: there are no shortcuts here. You can, though, check out the following guides to help you:

Official OpenVPN Documentation

Optionally, GZ on the TechIMO support forums also posted a great guide to configuring OpenVPN with Ubuntu.

Optionally you can create a Windows OpenVPN Server but it requires a little more work. To be honest, I’ve found that XP doesn’t work great with OpenVPN and Windows 7 works the best. But feel free to give it a try. This guide will help you install and appropriately configure your Windows OpenVPN Server: http://www.itsatechworld.com/2006/01/29/how-to-configure-openvpn/ — you must also configure any firewall software and/or hardware you may have. If you are new to configuring your router’s firewall (port forwarding and changing your router’s subnet is extremely important), for example, OpenVPN may not be for you.

Another (slower) solution is to use the free edition of Hotspot Shield in combination with anti-popup add-ons in Firefox (keeping in mind that you are violating Anchor’s Terms of Service by blocking the ads). You can set the appropriate software to block the appropriate ads/frames. Adblock Plus and NoScript work wonders in that regard. Keep in mind that your speeds will be slow with the free edition!

The last solution is a paid one which involves getting a really good VPN service. Price, data throughput and accessibility on devices are the top priorities. Log keeping on the server side is also incredibly important to ensuring your anonymity online. Three top solutions for paid VPNs are: StrongVPN, VyprVPN, and BTGuard (for anonymous torrent use).

Configuring Squid as a Proxy

While you’ll want to get yourself a VPN if you’re trying to protect yourself against MITM attacks (be sure to read my blog post entitled “Public Wi-fi? Be Mindful of Session Hijacking”), once you’re ready to set up a proxy, nothing works as well as Squid. There is also a comprehensive guide to using squid.conf to enforce your anonymity online.

Resources of Note

LogMeIn Hamachi Homepage
OpenVPN Homepage
Squid Proxy Homepage
Privoxy Homepage
Hotspot Shield VPN

Sources

Henry, Alan (Lifehacker.com) “Build Your Own VPN to Pimp Out Your Gaming, Streaming, Remote Access, and Oh Yeah, Security.” Posted on April 11, 2012.

Quora’s page in support of Hamachi used as an “effective VPN.”

ASIS 2012 is coming!

The 58th Annual ASIS International Seminar will bring Philadelphia everything from its countless vendor exhibits to learning sessions brought to you by top security companies from across the globe. The seminar and exhibits will be held from September 10th to the 13th.

Be sure to check the presentation on VIP security and protection to be given on the 11th by ARSEC co-founder, Mr. Oren Raz. I’ll also be in attendance providing technical assistance during the presentation. ARSEC is comprised of specialists at providing both government and private sector clients with in-depth security solutions and training. For more information on them, please visit their website here: http://www.arsec-corp.com/

Exhibition-only tickets are free, so be sure to register soon; at the door they’re $75. Ticket costs for those wanting to attend the keynote speaker addresses and luncheons can be found on the ASIS homepage.

If you’d like to use the nifty mobile app for ASIS, you can download it for your mobile device. The app will let you view photos & videos of the presentations, organize your contacts, check the schedule, access an interactive map of the event and more.

Check out the ASIS 2012 site here: http://www.asis2012.org

9/06 Edit: If you’re interested in Dignitaries Under Fire and its coverage of VIP protection, this is the schedule’s information:

Dignitaries Under Fire
Speaker: Mr. Oren Raz
ARSEC Co-Founder
Former Head of Security for Israeli Embassies
Tuesday, September 11, 2012 1:45 PM - 3:00 PM
Location: PCC 109-B

Apple’s Social Engineering Crisis

On 8/08 there was an interesting news article on Bloomberg’s website regarding the Apple password crisis surrounding journalist Mat Honan. Honan’s digital existence was ruined a few days ago when hackers used social engineering tactics against him (for those unfamiliar with the articles, I’ve linked them below).

Anyone who’s ever been to an Apple store knows that convenience is king.

You need help with something? There’s almost always some friendly hipster with a weird haircut to help you. You need your data migrated from one device to another? No problem for these blue shirt gurus! Want your password changed? Sure, answer just a few simple questions that anyone can get…

Wait… what?

Apple previously allowed users to change crucial account details such as one’s password over the phone. Typically most companies handle such changes online and merely talk the customer through a series of secure web pages after confirming their identity by a number of different means. (Recently I had to call Dell and was bombarded by over 4 different identity-based questions.) Apple’s system allowed for sensitive account changes to be made with a few simple facts about a customer, including the last 4 digits of the primary credit card and one’s address!

One with access to another user’s iTunes account, if cloud backups and syncs are enabled, could potentially delete data right out of the air or access important documents which could potentially allow an attacker to access other accounts the user owns.

Other security flaws included the ability to circumvent the AppleID associated with App and iTunes store purchases, compromise iCloud data and more.

That’s exactly what happened to Mat Honan of Wired Magazine. His dilemma is exactly what spawned Apple’s reaction regarding their security flaws: Honan’s entire life was ruined when a hacker – simply interested in taking his Twitter username and causing havoc – gained access to his AppleID, wiped his Apple devices remotely, accessed his other accounts on other services and more.

In response to this crisis, Apple has suspended the option of resetting one’s AppleID password over the telephone as stated in the Bloomberg article linked below. It’s unfortunate that lessons are learned on the backs of paying customers as Honan’s case also dealt with the security failings of Amazon as well as Apple (see links below for further details).

Hopefully these major tech players have learned that sometimes convenience cometh before the fall.

It really is a tragedy that these companies didn’t take security seriously. With more data being stored off-site, on cloud servers, Mat Honan’s story gives us a lot to think about going forward in the digital age.

Sources:
Satariano, Adam. Bloomberg Reporter
Giles, Tom. Bloomberg Editor
Article URL: http://www.bloomberg.com/news/2012-08-08/apple-to-beef-up-security-for-phone-password-resets-after-breach.html

Honan, Mat. Wired Magazine
Article: http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/