Building Your Own Privacy Package

Discussion in 'privacy technology' started by Reality, Aug 5, 2014.

  1. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    689
    Hello all,
    Im looking to get a better understanding of how to make my XP system more secure by dealing with privacy breaches and other snooping activities. Input to this end would be appreciated. It is also hoped that this will serve as something beneficial to all who are on a similar venture.

    Noone_particular, has recently said something that raised my interest in that this is the last windows OS you can tweak to make secure, for example, after XP you cant close (some?) ports. I have no reason to doubt this and looking at other things in general, to me it makes sense.

    ON my XP SP3 Computer, I want to know how to better set up, Kerio 2.1.5, Proxomitron, TOR, Sandboxie and FF 28.0. and I'm open to other utilities or tools to add in. I realize this will entail that I take pause at times to dig further, gain concepts and ask questions as I go.

    Where I'm at presently is: So far Ive downloaded and very briefly tried out Proxomitron, using the default settings. All I did was enter the port number in Manual Proxy Config field in FF and some websites worked to a degree and some didn't. I haven't been confident using TBB since the major breach. Used Kerio for years, which seems to have just worked for me. The only reason I know that is simply, nothing has got on my system. Obviously that knowledge level needs improving.

    I'll start with this:

    What are the first steps I should take to properly link or chain these utilities together so there's no leaks?

    EDIT: To help alleviate the fragmentized nature of this thread, I’ve kick started an index of topics discussed with references to posts. Both are incomplete and far from exhaustive but the goal is to have a go to list that’s functional enough to point to the most relevant content without becoming too unwieldy.

    This is a work in progress. With some topics there’s an unavoidable overlap where they should appear in the categories, and what importance they hold in a post. There’s bound to be errors so PM me or mention in the thread if you find anything. The same if you think something needs clarifying/changing or anything else that might be of benefit. I’m working on hot-linking the posts.

    -------------------------------------------------------------------------

    The Main Categories are:
    1/OS
    2/Firewalls
    3/HIPS
    4/Browsers
    5/Anonymity Software / Services
    6/Other Programs and utilities and tools
    7/Search Engine
    8/Certificates & digital signatures
    9/MISC Concepts Methods Protocols
    10/ Vulnerabilities and potential sources of attack


    OS

    - Windows 98(SE): 34 109 149 180>181
    - Windows 2000: 579
    - Windows XP: 16 23 40 184 188 431 514
    - Windows Vista/7: 16 42 429 431

    Pertaining to any or all of the above Windows OSes
    - Activation and Keys: 559 572 579
    - Add / Remove Windows Components: 547 550 573 576 585 600 612 614 624>628
    - Advanced TCP/IP Settings: 506
    - Computer Management: 47
    - Favourites: 130>131
    - Firewall ICS: 448 450
    - Group Policy Editor: 46 52>54 322
    - IE and WExplorer: 95>96 101 118 184 187 189 190 193 195 200>204 520 524>525 538> 539 541 576>577 580>581 584 629
    - IE HTML Rendering Engine: 601
    - Indexing Service: 604 606
    - LUA: 108 222
    - Network Settings: 40 370 411
    ... Local Area Connection Properties: 63
    - PageFile: 96
    - Registry: 93 594 598
    - Run as: 227
    - Search Companion: 115 118
    - Services: 23 76 241 433>434 436 438 464 614
    - System Restore: 27 604 606 608
    - Tweaks (KeyPerForLife's List): 84 93
    - Windows File Protection: 591 593

    Firewalls
    - General: 4 23 34 35 238
    - Software and Hardware FWs: 238
    Kerio2.1.5: 23 34 238 494 >495 499
    ... Arbitary code via Load button: 291
    ... General configuration: 63 117 364 443 581
    ... Global rules: 39 76 364
    ... IP’s / ranges/groups: 9
    ... Kerio termination vulnerabilty: 298 300 325
    ... Kerio Learning thread: 9 23 29 42
    ... Loopback/localhost: 6 235 308 310 333>335 337>338 353>354 357 364
    ... Network /mask: 238 247 343
    ... Password protection: 261>269 292 296>297
    ... Popups / alerts /errors: 23 78 335 501>502
    ... Rule placement / order: 39 73 87 101 309>310 317 319>321 324 350 364
    ... Rulesets /filter rules: 22 29 31 55 65 73 76 101 199 239 241>244 303>306 337 345 348>349 359 491
    ... Stop all traffic: 138>139 313>314
    ... TinyLogger:
    ... Zero octet rule: 361>363 366
    PC Tools Firewall Plus: 336
    Sunbelt: 390 496 523 526

    HIPS
    General : 238 302 520>521
    - SSM (System Safety Monitor): 46>54 238 295 302 315 331 378 380 381 384>389 391 497 510>511 522
    - Malware Defender: 440 496

    Browsers
    General : 6 16 421
    -Firefox: 4 128 130 132 143 192 196 205 221
    -Palemoon: 146 150 179 244 340 415
    -SeaMonkey: 14 42 143 156 158 163 179 607

    Pertaining to any or all of the above
    About:config : 143 150 177 179 418
    Browser Extensions: 42 (overlap)
    ...ABP:
    ...AutoProxy:
    ...Better Privacy: 6 12 14 16 182 215
    ...DataManager: 143 147 153
    ...... Permissions Manager: 153>155 157 160>163
    ...FEBE Firefox Environment Backup Extension: 167
    ...Flashblock: 12 216>217
    ...Ghostery: 6 206>207 209>210 212 215>217
    ...NoScript: 172
    ...Prefbar: 12 14 85 137 215
    ...Request Policy: 6 85 134>135 137 199 216 554
    ...Self Destructing Cookies: 210
    ...Versions: 14
    ...World IP: 16

    Anonymity Software / Services
    -TBB: 16 110 172 188 212
    -Tor (Vidalia relay bundle): 6 11 12 13 16 23 42 44 45 63 65 67 110 171>172 192 196 326 364 567
    ...Privoxy: 16
    -VPNs: 11 567

    Other Programs and utilities and tools
    -Autoruns:
    -BurnAtOnce: 232
    -CCleaner: 93 527>528 532>533 535
    -CKT packages: 634
    -COA2 (Paid):
    -DCOMbobulator: 425 435
    -Drop My Rights: 16 26 28 46 >47 540
    -Email
    ...Thunderbird: 596
    ...SeaMonkey: 626 632
    -Erunt: 26 42 425
    -HashTab: 9
    -HMPA (HitManProAlert): 359
    -Hostman app: 305
    -Imgburn: 227 231
    -Inctrl5: 433 600
    -Last Activity View: 433 435
    -MVPS hosts file: 511
    -NDN: 186
    -Nlite: 96>97 541
    -Open NIC: 73
    -PCAudit2: 6 37 42
    -PrivaZer 433
    -Proxomitron: 6 9 11 14 16 65 67 106 119 121>124 132>133 135>137 141 148>149 198>199 206 213 244
    ...Filter/sets: 9 88 110>114 177
    ...Proxblox: 88 110 122 124 127 136 149 151 210 216
    ...ProxHTTPSProxyMII: 199 210
    -Pserv 2.7 : 42
    -Sam Spade: 91 317
    -Sandboxie: 16 73 96 221 239 248>249 402 404 406 508 511 514>516 525 535>536 544 551>553 555>556
    -Scramdisk: 632
    -Seconfig XP: 444 475 488 504
    -SocksCap: 6 11 14 30 65
    -SoftPerfect Ram Disk: 536
    -Splinterware Task Scheduler: 438
    -System Internal Tools: 56
    ...ProcessExplorer: 16 26 42 46>47
    ...TCPView: 39 42 91 317
    -Truecrypt: 632
    -Tweak UI: 28
    -UnPlug n' Pray: 76 425
    -Wireshark: 4
    -WWDC (Windows Worms Doors Cleaner): 43 76 425
    -X-Setup Pro: 447
    -XPLite (trialV): 97 187 542>543 547 549 587

    SearchEngine
    - Startpage: 123>124

    Certificates & digital signatures
    General: 125>126 141 148>150 198>199 380 593
    - Self signed: 149 199
    - HTTPS limitations: 199
    - SSL: 199

    MISC Concepts Methods Protocols
    - Anonymity and Blending in: 171
    - App configurations: 65 335
    - BIOS Passwords / Setup PW: 271 273 276 281>282 285>288 293
    - Browsing sessions: 9
    - Chaining apps together: 11 67 73 199
    - Child/parent: 502
    - Connection Status errors: 480 482>483
    - Creating dummy files: 181
    - Default-deny/permit: 6 215 382>383 405
    - DHCP: 35 40 60 66 68 80 83 86>87 369 371 409 413
    - DNS: 6 11 23 35 39 63 214 219 248 335 476 478 480
    - Encrypted Containers: 626
    - Hooks: 405 407
    - IGMP: 76 425 493 498 500>501
    - Imaging: 567 570
    - Integrity Checkers: 304
    - IP addresses: 16 80 567
    - IPv4: 34
    - Limited or no connectivity: 366
    - LiveCDs and Pendrives: 184 233 236
    - Loopback /Local host 6 15 17 18 39 63 65
    - MRUs: 109
    - Traffic monitoring/ inspection: 4 6
    - NETBIOS: 73
    - Netstat: 507
    - Open SSL: 173
    - Portable apps; making: 231
    - Port Forwarding: 76
    - Ports - closing: 221 425 430
    - Privileges: 300
    - RAM drives: 97 178 510>511 514
    - Renaming files: 598>599
    - Routers and Protocols: 60 62 75 80>83
    - Secure boot / UEFI: 276
    - Stand alone programs vs suites: 235 237
    - SVCHOST.EXE: 76
    - Task Schedulers: 302>303
    - Testing: 39 180 219
    - TCP: 23 35
    - UDP: 23 35
    - UPnP: 76 551
    - Updating OS & Software: 177 189>191 234>235

    Vulnerabilities and potential sources of attack
    - Attack surface, minimizing: 16 238 603 629
    - Cache tracking: 270
    - Cache DNS: 23
    - Cell phone software: 428 432
    - Computrace: 173
    - Cookieless cookies: 284
    - Data Leaks: 21 23
    - Data mining: 9
    - Etags: 9 274 277
    - Fingerprinting: 11 167
    - Finspy: 16
    - FlashPlayer & Flash Cookies: 9 182 217>218
    - Google Facebook etc: 10 39 85 91 192
    - HTTP/HTTPS: 143 154 174 206 210
    - Index.dat: 22 92 180 183>186 191>192 198 290 609
    - Integrated components: 584
    - Javascript: 16 79 222
    - Net framework: 4 221 431
    - NTFS vs FAT32: 102
    - Permissions database: 155
    - Phoning home: 341>342 421
    - Ports (unclosed/opened): 16 35 42
    - Recreating files/folders: 609
    - Referrers: 6
    - Routers/modems: 23 40 78>79 507
    - Rundll32.exe: 101 103>104
    - Shellbags: 84 435
    - Smartmeters: 472>474
    - SMB flaw: 425>427
    - SSDP: 76
    - Symantec: 15 16 19 21 22 28 30
    - System Restore: 42 550
    - Usage tracks: 109 182 192
    - Updating: 215
    - UPnP: 76
    - User Agent: 6 198
    - Whitelists: 6 137
    - Wireless: 436 471 484>486
     
    Last edited: Jul 12, 2015
  2. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,087
    Be able to look for and identify "leaks".

    Are you comfortable reviewing a browser's dump of network requests? Comfortable with Wireshark or a similar packet capture tool? Do you have a second computer with dual networking interfaces, a hub, a router with port mirror, whatever to be able to monitor network traffic on the wire and external to the computer under test?
     
  3. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    689
    Thanks for your prompt response.
    No I don't know how to do those things. As I don't do online transactions it ruled out Wireshark when I looked at that website. Not sure what you mean by dual networking interfaces or what a port mirror is. My 2nd computer is a Mac DP G4 OS Leopard, which doesn't go online.
     
  4. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,087
    Wireshark is a tool for inspecting network traffic that flows through network interfaces (LAN adapter, wireless adapter, ...). You can run it on a computer to see what is coming in and going out of that computer's interface(s). Which should be good enough for most tasks, and many would find it the easier and more convenient way to begin. Alternatively, you can run Wireshark on a second computer and arrange for that second computer to see all of the traffic going to and coming from the first computer. If the second computer has two network interfaces, one of the ways you could do that is this:

    Computer1 ---- Computer2 ---- Router/Modem ---- Internet

    By using a second computer to do the sniffing you can see what is *really* coming out of and going into the first computer (or SmartTV or router or whatever it is you are trying to watch over).

    Another approach to observing network activity is through a software firewall that is configured to prompt on and/or log activity. Usually, you won't see as much detail because the software firewall isn't inspecting higher layer protocols such as HTTP.

    Some applications, such as browsers, can display the higher layer protocols they are using. The Web Console and Browser Console in Firefox, for example, can be used and adjusted to show net/network activity. If there are local proxies (Proxomitron, AV, whatever) between the application and the software firewall or interface... things which can intercept/change/block certain types of traffic... they too should have the ability to display what they see.

    Being familiar and comfortable with these inspection mechanisms... being able to properly interpret the activity, protocols, etc and determine what is good vs what is bad... those are essential skills. So much to learn, so much to do, so little time, I know. Even if one doesn't have, or want to spend, the time to become proficient in these areas, I think they would still benefit by spending some amount of time on it. There is a big difference between "I have absolutely no idea how to do that or what the stuff means" and "OK, now I have some idea how to do that and what some of the stuff means".
     
  5. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    689
    Thanks for your input. As I find my way with this, there will be things I may find I can't do, and I won't know that until I try it out, or I may find it's going to entail too much time. The strategy is not to throw everything out if I hit a brick wall....It's more seeing it as a work in progress by lessening my chances of privacy/security compromises.

    I went to Wiresharks Website, and it looks like it's a free utility afterall. Anyway Ive DL'd the portable version. I'm going to peruse through the menus and see how I go with it. I just saw a youtube video and this is an amazing utility. It's very complex though.
     
  6. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    This is going to include a lot of separate but related subjects. Trying to put it all into some kind of reasonable order will be quite a task. All of the applications you mentioned can have strong roles in defeating fingerprinting, tracking, and data mining. Several browser extensions also deserve coverage here. My package also includes the Request Policy extension, the earlier version that doesn't include the default-permit option. Other useful extension for privacy packages include Prefbar for its ability to enable and disable flash, java, javascript, plugins, to clear the cache (or everything) on demand, along with modifying the referrer and user agent on demand. If you use flash, the FlashBlock extension allows you to individually choose which flash content can play instead of allowing or blocking them all. The Better Privacy extension lets you easily remove individual flash "cookies" in addition to clearing them all on demand. IMO, extensions like Better Privacy let the user build their own whitelists instead of depending on someone elses idea of what you should allow. For some users, this is a big asset. For others, it's more work and inconvenience. In many ways, Ghostery and Request Policy (used without the whitelists) perform the same task but use opposite security policies. Ghostery uses a list of what to block. Request Policy, used without the original whitelists blocks all other connections except those the user allows. Default-permit based extensions, those that use someone elses blocklists are more convenient. Default-deny based extensions are more work, especially during the early stages of building the whitelists. In exchange, they give you complete control over who and what your browser connects to.

    Adding to what TheWindBringeth mentioned regarding traffic inspection and finding leaks.
    Proxomitron includes a log window that displays the network activity passing through it. The display is color coded and numbered. Below is a partial screenshot of it taken when I selected "more options" for this post.
    Prox log window.gif
    The color code is explained in the log window help file. When the web content matches a filter, the log window displays the text in violet. Strangely enough, the entries for removing ETags are shown in light blue. The documentation explains how to use this log window and the filter matches it displays to fix problems with how web pages look and function. It makes it sound straight forward but it takes practice.

    In your original post, you mentioned a package with Proxomitron and Tor. Most any browser will work with Proxomitron, but Proxomitron does not work directly with Tor. Browsers connect to Tor using the Socks protocol which Proxomitron doesn't understand. In order to connect Proxomitron to the Tor socks proxy port, you need a utility that converts the traffic to the socks protocol. SocksCap 2.4 is such a utility. It is freeware for non commercial use. If I recall, its original site is gone but it is available through various download sites. If needed, I can upload a copy to a sharing site. The file hashes for the SocksCap installer are
    MD5 e29a014ea0a236f81393e617cd50adac
    SHA-256 f381cae0f28d72bd1380159ca80b09e5526aa53d49d8dc963f7eace0c8f32d97
    It works on 98 through XP. I don't know if it will work on Vista onwards. Sockscap is only needed if you're connecting Proxomitron to Tor or another service that requires the socks protocol.

    The proxy address to enter in the browser is 127.0.0.1. This is referred to as a local address or localhost. The default proxy port for Proxomitron is 8080. This can be changed if that port is used by something else. The browsers outbound traffic is Proxomitron inbound traffic. It's network traffic that never leaves the PC and is often referred to as loopback or localhost traffic. Many firewalls do not control this type of traffic. Some have hard coded rules permitting it. Kerio 2.1.5 does handle loopback traffic correctly. Uncontrolled loopback traffic can bypass firewalls and filtering proxies. An old leaktest called PCAudit 2 demonstrated this quite well. The test used DLL injection to inject its code into every running process. Afterwards, each running process attempted to establish a loopback connection on the PC to bypass the firewall. Any decent HIPS, with or without a firewall could block the DLL injection and prevent the test from running. When the test is allowed to run it will test your localhost rules and your firewalls ability to correctly handle loopback traffic. IMO, this is one of the few leaktests that can serve a legitimate purpose. I'll make a separate post regarding the specific firewall rules for Kerio.

    A few other things to consider. Code that's designed to extract information from the browser, no matter how good or devious it is, can only obtain data that the browser stores in the first place. If your browser doesn't store history, no exploit can extract it. No code can read a cache that isn't used. It can't steal passwords that the browser doesn't have. These are all things to consider when configuring your browser. Like everything else, each is a tradeoff that the user has to weigh. Another often overlooked item is the DNS service. It can be an asset to speed but a liability to privacy, especially if you use Tor. With the DNS service running, the user can't control which applications have access to DNS. For non-Tor users, even if they use SandBoxie to eliminate usage tracks, the DNS cache still contains a record of where you've been. Consider disabling the DNS service and let the browser, filtering proxy, or Tor perform their own DNS lookups.
     
  7. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    That screenshot I posted looks bad. The original doesn't look like that. Does the forum software have trouble with GIFs or am I missing something else?
     
  8. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    689
    Thanks for your response. There's a lot of ground to cover. I will need to come back to these posts as I work my way through. Ok, first:

    I use these Extensions: Request Policy, HTTPS Everywhere, Better Privacy, NoScript, FoxBleed, Self Destructing Cookies and AdblockPlus

    Do you guys recommend against using any of these?

    Proxomitron doesn't handle HTTPS right?

    Some time ago I toyed around some with ABP and No Script but I can't remember what settings Ive changed in these, and pretty much the rest are run in default mode.


    Prefbar - Thanks, never heard of that one.
    FlashBlock - Or that.
    SocksCap 2.4 - If it is preferable to use Proxomitron with TOR then I will keep this one on my to do list.

    noone, I saw somewhere you saying you do use youtube a little. I use youtube and very occasionally google maps but thats about it. I wont join anything google where you have to log in or make an account. What specifically do you set in your extensions or browser regarding locking out the google monster? I thought it was very risky using flash content through TOR. I have blacklisted google.com and google.mycountry in FF tools > options > privacy > exceptions but if there's anything more I can do ......

    Other questions
    1/What are etags?
    2/ How do I check the hashes before installation?
     
  9. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I've never used ABP, FoxBleed, or self destructing cookies. There's a lot of overlap and duplication between NoScript and Proxomitron. Using both could make it very difficult to determine what the problem is when pages don't render properly.
    Proxomitron filters HTTPS just fine when the required SSL libraries are present in its folder. It's problem is with verifying the certificates.

    Regarding my using flash with Tor, I do this more to mess up Googles tracking than anything else. When I do watch YouTube, that's all that I do during that browser session. Any other time, flash is disabled. If I'm visiting sites or searching for content that might make me a "person of interest", all plugins are disabled including flash. I'll use a new browser session and a new path through Tor.

    Regarding the blocking of Google (and Facebook, Twitter, LinkedIn, and a few others) I block these by IP range with Kerio using the custom address group. Several of the IP ranges used by Google, Facebook, and others are posted in this thread, post #21. If you're going to use Kerio to block ranges of IP addresses, make sure that you use the IP range specification. Kerio has a problem at times with rules that use IP mask. See the later parts of the Kerio learning thread for more info on this.
    ETags are another form of data storage browsers can use. They're often used for storing unique identifiers, session identifiers, etc. They're sent in the browser headers and stored in the cache. Until fairly recently, most privacy extensions didn't address them. If the cache isn't cleared, ETags survived through separate browser sessions and system reboots. At the Unofficial Proxomitron Forum, they wrote a filter to remove ETags back in 2011.
    There's several utilities available for this, varying from command line tools and utilities that add a new tab to the properties menu to full file integrity checkers. HashTab is one mentioned here often. Febooti hash verification utility is another.
     
  10. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    689
    Thanks noone_particular for your input.

    I've got Prefbar and it will be so handy to disable Flash. Great idea, as well as those options to change the UA. Ive also downloaded HashTab but haven't looked at that yet. I had a little look around in FF web console to see what I make of that.

    OK so it seems to be making more sense to me for the need to close browser between YT sessions and other web stuff. I'm having a hard time getting my head around having to do it after every site I go to though. Other things I've done in FF is under that "data choices" tab, I don't have any of those checked. I have now set cache to 0.

    Thanks for that link to the "How Google is tracking you, and how to avoid it" thread. I had actually forgotten what Id done in Kerio and that I'd entered in some of those ranges. I have to go back and have a "refresher" on exactly what I did. If I remember rightly, there were some ips I entered that caused some issues and I just deleted some.

    I'm a bit confused about this: Recently I downloaded the latest TBB but is there another package to use for those who want better control? Sort of like we used to have to do with privoxy and install separate components. What package are you using? I know if you're running an exit, you have to have a different package.

    Edited spelling mistakes
     
    Last edited: Aug 8, 2014
  11. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    This is basically a 2 part process. The first is configuring the apps so that one applications traffic is routed to the next application in the chain. If that chain includes Tor or VPNs, the traffic includes the DNS. The 2nd part is configuring the firewall so that the chain you've created is the only path the traffic can follow. The TBB for example has its components configured as a short chain, FireFox>Tor>internet. Other than its configuration and NoScript protecting it from malicious scripts, it has no mechanism that physically prevents FireFox from connecting directly to the web. If an exploit is discovered that can change its settings, there is nothing to prevent it from connecting directly instead of using Tor.

    A user assembled package can have as few as 2 components or more than 4 if it uses Tor and/or VPNs. For direct browsing, I use the browser>Proxomitron>internet. For anonymous browsing it's the browser>Proxomitron>SocksCap>Tor>internet. For most users, separate browsers are recommended for direct and anonymous browsing in order to defeat most browser fingerprinting methods. Proxomitron can also defeat most fingerprinting methods by modifying the browser headers and killing the more nosy scripts. By using 2 differently configured filter sets, it can also make a browser and operating system appear to be a completely different package that has nothing in common with how it looked with the first filterset. The simplest way to achieve this is to have 2 copies of Proxomitron, each with its own folder in Program Files, each with its own default configuration file. The name of the Proxomitron executable to be used with Tor should be renamed to make its use clear, as should its containing folder. Calling it TorProx would make it obvious. This will also make it easy to keep tract of the firewall rules for each. The user can change the appearance of each so that it's obvious at a glance which is in use. While outside the scope of this thread, the user could modify the tray icons for one of them so that they look different in the tray as well. Only one instance of Proxomitron can run on a system at a time, even if they're named differently and in different folders. This eliminates the possibility of creating 2 data paths by accidentally running both. The exception to this is SandBoxie. A user can run 2 instances of Proxomitron if one of them is in a sandbox. When run in a sandbox, the user has to save the sandbox contents in order to make any changes to Proxomitrons filters and blocklists permanent.

    In order for Proxomitron to work with Tor, its outbound traffic needs to be converted to the socks protocol, then routed to the socks proxy port of Tor. 9050 is the default socks port for Tor. This conversion is accomplished by launching Proxomitron with SocksCap. After installing, SocksCap needs to be configured as shown below in order to work with Tor. If Sockscap is being used to convert traffic for a VPN that requires the socks protocol, the port number will probably be different.
    Sockscapsettings.gif
    Make certain to select Socks 5 and the "resolve all names remotely" option. If you don't, it will attempt to resolve DNS using your regular DNS servers, breaking your anonymity. This is one of many possible leaks that must be made impossible. After configuring SocksCap itself as show above, open the SocksCap Control interface from the tray icon and select "New". Browse to the copy of Proxomitron that you'll be using with Tor. Choose a name for it and select OK. Make certain that neither instance of Proxomitron is running, then launch the "socksified" copy from the interface. If it launches correctly, you can drag the icon from the control interface to your desktop, startup folder, or where ever you want it. Once this shortcut is created, there will be no need to launch SocksCap separately. The connection from the socksified instance of Proxomitron to 127.0.0.1 port 9050, the Tor socks proxy port is a loopback or localhost connection. It's a network connection that doesn't leave the PC. The browser also uses a loopback connection when connecting to Proxomitron. Same address, different port. Many firewalls don't control this type of traffic properly. Sygate is one of them, a major hole in an otherwise good firewall.

    All of the browsers executables need to be restricted to the chain you've created. If a plugin can connect directly, all of your work is for nothing. Both the firewall rules and the configuration of the individual components apply here. Your browser should be allowed to connect only to Proxomitron, normal and socksified use. Below are screenshots for the proxy settings on SeaMonkey and the HTTP settings for Proxomitron. Most browsers are similar.
    SeaMonkeyproxyset.gif
    Proxomitron HTTP settings.gif.png
    If you plan on using separate instances of Proxomitron for normal browsing and Tor use, set both to the same proxy port. Since only one can run at a time, there's no conflict for the use of that port and no need to change the browser proxy settings, ever.
    I'll address firewall rules for Kerio in the next post, probably tomorrow. Users of other firewalls are invited to post the appropriate configurations for them.
     
    Last edited: Aug 8, 2014
  12. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    A bit of miscommunication. I don't close the browser between each site. I only restart the browser and change relays when I'm viewing something that I don't want associated with anything else I've been doing. I do regularly use the "Clear All" option in PrefBar during sessions. Regarding PrefBar, in case you haven't spotted it yet, go to the customize Prefbar option, navigate to the "Clear All" button and select edit. You can choose what it clears. Also take a look at the extra buttons available for it on their website. Some very useful additions there. When I'm browsing YouTube and other video sites via Tor, I keep FlashBlock enabled, making each video click to play. This way, the video I want can play but the flash ads don't. I also use the delete options in Better Privacy to remove flash usage tracks between sites.
    Once you get away from the browser bundle, the only real difference between the different packages is how they're configured. The relay, bridge, and exit bundles are basically the same. The exception there is the expert bundle, which is not a bundle at all. It's Tor itself and the files it needs. Privoxy is similar to Proxomitron except that it's configured via text files. It's also socks compatible and didn't require SocksCap. It's even harder for the average user than Proxomitron to understand. In the security vs user friendly conflict, it was one of the casualties. I use Proxomitron and SocksCap in its place. I've avoided the TBB primarily because I dislike FireFox. IMO, thanks to their constant updating, Australis, and the other feature creep that has Google written all over it, it's fast becoming the wrong choice. Mozilla has been making it quite clear that corporate profits are more important than the needs of the users who made their existence possible. A big part of the TBB maintainers job anymore is stripping out the undesirable and privacy hostile features in FireFox. For myself, I've liked SeaMonkey since its days as the Mozilla Suite and have stayed with it. I tried using PaleMoon, both as the default and as the Tor browser. Every time I did, I wanted SeaMonkey back. IMO, its behavior is more privacy friendly and it's easier to get rid of its undesirable behaviors. Beyond that, I just use Tor itself. For me, Vidalia serves no purpose because Tor is always running. If I need to change the configuration of the relay, I edit the configuration file manually.
     
  13. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    689
    Pretty annoying... I had a post ready late last night, hit the wrong "something" and into cyberland it went... :(

    Anyway, thankyou AGAIN for these amazing tutorial posts, which are jammed packed with instructions. IN a lot of places nearly every sentence needs a new line and I'll copy and paste them into a Word document to that end and for clarity. Easier to follow that way.

    For separate browsing situations Ive struggled to picture in my mind what you would do to set this up securely. What you've written makes its much clearer. Thankyou for that.
    I pretty much have to install anything new onto my non system drive. I have FF and numerous utilities installed on another partition, including Proxomitron. Just thought I'd ask, there won't be any issues with not having it/both (2 installs) on the system drive?

    I dug around for quite some time for SocksCap 2.4 and found a couple of places. One was confusing as to what you should download or if it was shareware or what, and the other, when I looked for a review of that site didn't look safe. I'll PM you about getting a copy.

    I think before I go any further, I need to have all the necessary components at hand. The biggest thing I think is ditching Firefox, not because I feel any loyalty to it (anything but, actually) but just getting used to a new browser. I too have had my doubts about it and that its getting far too close to Google for comfort. Therefore again, what you're saying makes sense and on the strength of that I'm prepared to give SeaMonkey a try. Should I dive right in and do that now, or for the sake of making the learning exercise a little less steep all at once, can I leave that till later?

    If I don't use TBB what is the package I should download?

    The "Clear all" button (Edit was found on right click menu) says not to edit that button, but you can copy it. OK I copied it. Some Questions
    1/ How do I (un)comment some thing, just delete that whole line?
    2/ What is clear offline apps?
    3/ What Is clear location bar?
    4/ What is cleared if you clear sessions? (assuming session cookies are included under the clear cookies entry)

    Was just off to check out FlashBlock.
     
  14. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I just did the same thing. Normally I copy a longer post to a temporary text file for just this reason. This time I hadn't.

    Regarding Proxomitron, it doesn't seem to care where it's put as long as your system doesn't have any policies that restrict where something can execute. It keeps all of its files in a single folder. It doesn't use any services or the registry. I've run it from a folder on the desktop. When I created the 2nd copy in Program Files, I just created a new folder, named it ProxSocks, and copied everything from the original Proxomitron folder to it. Then I altered the name of the new copy of Proxomitron.exe, mainly to make it easier to see it in the firewall rules. When you start either copy of Proxomitron, it will load default.cfg from the same folder. I've never seen either affect the other copys configuration. For those who use DropMyRights, Proxomitron will run in either normal or constrained mode.

    Regarding SocksCap, Brothersoft has it here. The installer inside the zip file matches the file hashes I posted earlier. The installer is 1MB in size. I PM'd you the direct link.

    Regarding switching browsers, that's up to you. There's no reason that you can't have both as long as you have room. There's no real learning curve involved. Functionally they're very similar. SeaMonkey has an old style appearance. The menus and options are a bit different. The main difference is that SeaMonkey includes a mail handler, an address book, an IRC chat component, and a web page composer. It can use many of the same extensions as FireFox, not necessarily the same versions. For FlashBlock, I'm using 1.3.18. For Request Policy, I've stayed with version 0.5.22. Better Privacy is version 1.67. Too many extensions are getting caught up in the feature creep trend. Others are slipping in spyware and data mining. They've all worked great so I have no reason to update them and risk getting something that I don't want.

    Regarding PrefBar and editing the "clear all" button. Lines that begin with // are commented out. To enable that line, just remove the //.
    I've never had an offline app. I thin they're applications that use the browser as their display component. I don't know if that option removes the application entirely or just the records of what has been done on them.
    The location bar is the address bar. This clears everything listed in its drop-down.
    Sessions. When you have a group of tabs open and close the browser, it asks if you want to save that session to be opened later. This clears the records of those sessions. Another feature that I've never used.
    I assume that you'll be using Tor as a client, not running a relay, bridge or exit? The Vidalia bundles are all the same. Only their settings change. With Vidalia, it's easy to switch from relay to client. The screenshot below is from an older version. It might have changed some since then.
    Tor exit policies.gif
    With the expert bundle, which is Tor only, you have to edit the configuration file (torrc) manually. Learning the variables and correct syntax will add to the learning curve. I don't know what the extent of your abilities are or your time constraints. The firewall rules and Proxomitron itself are a substantial amount to learn. IMO, if you're not planning to run a Tor relay or exit in the immediate future, there's no need to go into Tor that deep at this time. If you change your mind later, Vidalia can be removed separately.

    When you first start Tor/Vidalia, you will get firewall alerts, a lot of them. Both the expert and Vidalia bundles start Tor as a relay. Depending on how your network is set up, you might see inbound connection requests to Tor. This is normal for a relay. If you install one of the Vidalia bundles, Vidalia will also need a localhost connection to Tor. I've started a post for the firewall rules but didn't have time to get to it today.
     
  15. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    689
    Sounds OH so familiar. Lets hope I learn all this quicker than the text file trick which I'm still learning!

    Ive just gone through some posts again to refresh and get into the "privacy mode". Onward.

    Yes, I will be looking to use TOR as a client. Have I got this right.... you don't need to use SocksCap 4.2 if you're using Vidalia? I remember the name Vidalia from way back as well as the torcc file, but not what Vidalia actually is except that it has that onion icon (Privoxy) in the taskbar. Does Vidalia have other components or just Privoxy?

    Speaking of SocksCap 2.4 thanks for the link. I tried to install it and got this error message. ( I can't believe all the dregs Symantec leaves on a system YEARS after you think you've ditched them all.) Any suggestions what I should do about this?

    Error message.png

    Do you have a recommended version for XP?

    I've got Flashblock- I tried it out and got the click button as you described. I noticed though as below, you can't use it if you have No Script installed. Mine seems to work even though Ive got NoScript installed, so I'm not sure what they mean by this.
    What setting do you use for this? I've just entered a "LSO delete shortcut" I just happened to notice a bit of strange behaviour under options and help menu. I could enable/disable the fields even by clicking to the far right but on the same horizontal line of the window. Don't know if it's a bug or what but one needs to be careful not to inadvertently disable/enable what they don't want.

    Speaking of DropMyRights - Sandboxie has a "drop my rights" option in its configuration area. Is that what you are referring to or is that a separate utility/filter run in Proxomitron?

    How amazing you said that. As an aside, I would LOVE to modify Proxomitrons icon. I'm not big on the all seeing eye in the triangle.

    Regarding Loopback, I would love to see a simple outlay diagram/flowchart representing the data movement and how it works within the system. Conceptual aids like that I think would be beneficial, if anyone has a resource or a willing pen.
     
  16. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    No. You don't need SocksCap if you use Privoxy. Privoxy is similar to Proxomitron in function but its configured via a text file. If I recall, it's no longer in the bundle. Vidalia is a control and monitoring program for Tor. With it, you can start and stop Tor, change settings, monitor traffic volume, etc. Vidalia is not part of the traffic flow. It's more of a convenience than anything else. The Vidalia bundle used to contain Polipo, which is a web caching proxy. I don't think it's part of the bundle any more. Never used it.
    Ouch. Just to be clear, you are not using any Symantec or Norton products any more? Ideally, I'd suggest reformatting and starting over with a clean OS. It's quite possible that this isn't the only thing that's been left behind. If starting over isn't an option, I strongly suggest a system backup before going any further, just in case this doesn't work as expected. First, look to see if that file, S32EVNT1.DLL still exists on your system. Symantec puts that file in 2 places.
    C:\Program Files\Symantec\
    \Windows\System32\
    If the Symantec folder still exists in program files, is it exists, does it still contain files? If it's still populated, you'll need a removal tool designed for Symantec. I've heard of them but never used one.
    If the file doesn't exist, follow the instructions on this page, through step 4 only. Step 5 onwards is only needed if you're reinstalling or keeping Symantec. If this doesn't fix the problem, I suggest reformatting. Removing the registry entry should work even if the file exists. It would prevent the driver from loading. Even so, if that component is still on your system, there's probably more, possibly a lot more that may cause other problems later.
    I'd use the current version for now.
    Regarding NoScript with FlashBlock and other extensions, many extensions use javascript to function. If NoScript disables or restricts it too much, the extensions won't function. Malicious or nosy javascript doesn't have to originate at a website. That's another advantage of controlling and filtering javascript with a separate proxy such as Proxomitron. It can restrict javascript from websites without interfering with extensions ability to function. It can also allow the extensions to function and prevent them from sending data to a website via the same javascript. Some time ago, I used an extension called WorldIP. It would display the IP address, country of origin, and other data on every site that you visited, data it obtained from places like ARIN. When configured to do so, it would also display your IP. While I didn't examine it in detail, it appeared that this extension used javascript to obtain your internet IP as well, which meant that the browser had my real IP as well. If the browser could obtain my real IP, it could also send that info to another site, a very usable way to deanonymize a Tor user. By forcing the browser to run all traffic through Proxomitron, the queries used to obtain my real IP were filtered out. The only local IP that my browser knows is 127.0.0.1.
    worldIP.gif
    The visual behavior you describe with Better Privacy is common to a lot of applications. Quite often a checkbox and the text referring to it are all the same object in the interface. If you start looking, you'll find a lot of apps and extensions behave that way. I never bothered with a quick delete shortcut. I've got too many now that use CTRL+ALT+something. As for settings, I use delete on exit. From the 2nd section onwards, I've enabled everything except portable mode. I don't protect any specific files. If you have a specific configuration file that you maintain, you might want to protect it using the edit protection list option.

    Regarding DropMyRights, it's a separate utility that removes many system privileges from any application it launches. There's a lot of threads on it here. The SandBoxie option does much the same thing for apps started in the sandbox. Some apps run fine with its restrictions. Others don't. You can see how it restricts system privilege with Process Explorer. Compare the security tab for a process when launched normally and launched with DropMyRights with both the normal and constrained settings. Applications launched via DropMyRights have far less system access and if exploited, are far less useful to an attacker. Many would consider this overkill, paranoid, or a waste of time with statements like "Who's going to waste time exploiting Proxomitron. No one uses it." Some will say that about the subject of this entire thread. Consider who your potential adversaries are. Depending on where you live, just saying the wrong thing is all that's required to target you. Look at the recent exploitation of TBB by the FBI. It's a very safe bet that this isn't the first time and won't be the last. Governments and 3 letter agencies will focus most of their efforts on the standard packages, like the TBB. If they find a weakness and you're using it, you're almost guaranteed vulnerable. The information available to us shows that the browser component is the most vulnerable and most often compromised component. If you're using an alternate package that still portrays itself as the TBB, an attack against might not work properly or not work at all. By itself, obscurity is not a substitute for security, but a little misrepresentation can go a long way. There's a big difference between attacking a known browser with NoScript and attacking Proxomitron pretending to be that same browser. The first could be automated by a 3 letter agency. The 2nd will require a real person to figure out exactly what you've done. With a properly constructed and enforced chain, any attack on the browser has to go through Proxomitron. Killing it won't work as that would break the chain, putting the browser out of reach and alerting the user in the process. Combine that with severe restrictions on Proxomitrons access to the system, and (if your configuration files are finished) write protection on its containing folder, you're well past what can be done with an automated attack.

    Slightly OT, but it fits here, and I would hope that others have noticed this as well. In the revelation regarding the FinFisher hack:
    farther down we find:
    I couldn't help but notice Some exploits for XP are also available. I'd be willing to bet that some of the 0 day exploits they use target the open ports on Vista and newer systems that can't be closed. Hopefully that 40GB torrent contains the info needed to answer that suspicion.

    As for the tray icon, there are some skins available from Proxomitron. I haven't looked at them. The biggest thing I changed is that default color scheme. That's enough to make your eyes hurt. Look into Resource Hacker. It lets you replace icons in an executable. Make sure that you experiment on a copy of the executable.

    Regarding loopback and a visual aid, I've been working on a post that details the rules. Unfortunately, real life has been taking most of my time the last several days. I need a 48 hour day, and the ambition to use it. As for a flow chart, I'll see what I can do.
     
  17. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,273
    At the ancient time of this screenshot, I was using Eset NOD, ekrn process, which used loopback on local port 30606. Avast and Avira worked the same, just different ports.
    Pic shows you what Kerio and TCPview saw for flow of just one packet - from Opera out to that audit site.
    I hope noone_particular doesn't mind me meddling in the interesting thread, but I think I got it right to show you. If not, I'm sure NP will correct.
    PktFlowThruProxy.jpg
    SeaMonkey will look the same, but you will also see just loopback from local port to local port+1.
     
  18. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Not at all. That screenshot was better than the ones I had available.
    @Reality
    In the screenshot act8192 posted, if you check the option "Don't Resolve Domain Names" in the status screen settings, 127.0.0.1 will be displayed instead of localhost.
     
  19. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    689
    Answering 1st part of noone_particular's post
    Your help, time and effort that's gone into this tutorial thread has been amazing. Anytime you want to take time out, that's fine. There's no point in hurrying this as its time consuming to answer these types of threads anyway, with variables that might pop up which none of us can know in advance. You, because you can't possibly know my system and what I might (naively) "spring on you next" and me, because I don't know the deep workings thereof. There's going to be a lot for me to do which I knew was very likely to be the case. It is what it is, I'm happy to go slow.

    No. Absolutely ZERO. I had Norton AV only. I had a free subscription for a year included when I had my computer custom made. I'm pretty sure I didn't pay for another year, but if I did it was only one. That was over 11 years ago. As for it being free? NOT.

    My XP computer is getting pretty old. Other than legalized spyware such as we've just discussed, and a very slow "help and support" issue, its still going very well and OS has never been re-installed. It's been VERY forgiving as Ive tweaked poked looked and explored albeit as carefully as possible. Needless to say starting over is definitely an option, as I have the authentic XP Pro disks and I still have my SP3 disk, and I think SP2 as well......it's going to take quite some time as I prepare for it. - I've got to organize what I need to do about drivers, - I have to gather and sort a heap of utility installers. - Take screenshots of various configuration settings that matter to me. - I need an external HDD to move some data off my 80 gig Internal drive which has 3 partitions. (If I go this route I'd reformat and make that C drive bigger.) - I have to get a 2nd external as the last time I connected my WD 2TB there were a few glitches. Probably nothing but I'm not taking any chances. The next time I connect it I want it to be to copy it's contents. - Last but not least I need to think of what I KNOW I haven't thought of yet and guaranteed, there'll be something!

    One thing for sure, with a clean install, drivers good to go and networking set up, a fresh image > install utilities > another fresh image, makes a lot of sense.

    Another option in the meantime is I have enough room on one of my partitions to do an Image backup of system drive 10GB about 7.5GB used. Recently I downloaded AOMEI Backupper Standard Ed. It seems to be well spoken of. If there's no caveats you guys have about that, I'll proceed.

    Also I have a 40 GIG Thumb drive I could also put the Image on.

    It exists in \Windows\System32\ but not in Program files. No Folder, nothing. I can't remember how the Symantec Folder got ditched. I may have just deleted it since I didn't want Symantec products and I'd heard how it left a lot of dregs on your system.
    So do I still need the Symantec tool or shall I just delete that instance or...

    In times past now and then Id see something from Symantec pop up on my system like when going through various menus of utilities like Spybot Search & Destroy. I've just looked through and see I've used it to disable (unchecked the box) this below, under "system Startup".

    Symantec disabled SB S&D.jpg

    Looks like its just as you said.... more excess baggage.
     
    Last edited: Aug 11, 2014
  20. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    689
    Thankyou act8192. You're not meddling at all and input like this is well appreciated.
     
  21. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    It was somewhere around that time that I ran Norton Internet Security for a short time. It was the first and last security suite I've used and definitely the last Norton product I'll ever use. It let a virus right through when the entire suite crashed. It also allowed something to connect out, grant itself access through its firewall, and send out a large amount of data, an amount that corresponded to a Blowfish encrypted Scramdisk container. It kept an excellent log of the entire incident but did nothing to prevent it. The only thing it was consistent at was alerting me to every random port scan, referring to them as WinCrash attacks, at least 20 times a day, popping up in the middle of everything I was doing at the time. That and giving me constant renewal reminders 6 months in advance. IMO, garbage protection like that is worse than no protection at all.

    The tool mentioned in that page I linked to is for reinstalling Symantec. I've heard there are separate tools for removing all of the leftovers but never tried one. Are you sure that you actually uninstalled Symantec as opposed to just deleting its folders? As for that error message, I'd delete the registry entry mentioned on that page, reboot the system and see if that error disappears. If it does, then you can delete the file as well.

    I'm not familiar with the backup tool you've mentioned. If it works and does what you need, that's all that matters. I've been using the rescue CD from Acronis 8 for system partitions and 7zip for the data partitions. You mentioned a 10GB system partition with 7.5GB used. Is that all operating system and applications or does it include data, documents, desktop, etc? If it does, you might consider moving all of that to a data partition. If you're running more than one operating system, a shared swap partition might be an option as well. The system backups will be smaller and you won't lose data if you have to use a system backup. 7.5GB seems a bit large to me for just the OS and installed apps. In the long run, reformatting and starting over would probably be beneficial, but if you're short on space, it might be more work than it's worth right now, unless you can borrow or get a used hard drive cheap. I know how it is to be short on hard drive space. I'd like to download a copy of that FinFisher hack but don't have 40GB available for it.

    Moving back to the actual subject of this thread.
    There are a few basic ways an anonymity package can leak data that may de-anonymize the user.
    1, The data can be sent through undesired connections. Examples:
    A browser obtaining the DNS information locally instead of routing the query through the anonymity network.
    The browser connects directly to a site instead of routing the traffic through the anonymity network.

    2, The browser launches or sends data via another internet capable application which connects directly and de-anonymizes the user.

    3, The data can be obtained using nosy scripts, plugins, poorly designed, nosy, or compromised extensions, browser features that call home, and code that attacks or exploits the browser directly. Data leaks of this type are often sent over allowed connections. These are often connections to ads and trackers initiated by code in the web pages.

    The leaks described in the first instance can be eliminated with good firewall rules. Example number 2 is best addressed by not integrating other applications with the browser and by HIPS rules that restrict what apps a browser can launch or inject code into. The third group is content control. This is done with browser settings, extensions, and filtering proxies.

    Details about all of these are available all over the web. What's missing is the information users need to assemble these pieces into a complete package in a way that make the package superior to the sum of its parts. There's definitely enough talent on this forum to do the job. Mirimir's VPN-Tor packages is an example. We need to bring the pieces together with information showing how the components can support, protect, and complement each other so that the package behaves like a unit.
     
  22. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    689
    Excellent and informative post. I'll quickly answer some things now and come back tomorrow.
    Too long ago noone. Not sure what I did. I'll wait til tomorrow as it's a very long time since Ive done reg editing and that was someone walking me through over the phone. Want to be wide awake for that job, in fact I'll do an image back up 1st.
    The System drive includes XP Pro and M$ Small Business Edition (Word Excel Publisher Outlook). That would account for the larger usage. I make sure there's minimal files on the desktop using shortcuts instead. There's almost no personal data files on Syst Drive but you get some from the likes of Camera drivers which insist on putting a few there even though you install to another partition. Other than the above, I have put pretty much all data files, utility/programs software I could on a second and third partition.

    It is surprising how things add up like those index .dat files for example. They are tucked away in SOOO many places. I constantly watch that my C drive doesn't go less than 25% free and I sweep junk out frequently like temp files etc.

    That's a very helpful explanation on data leaks.

    Very well put.
     
  23. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    This post addresses the first group, leaks that are prevented by firewall rules. I'll start with rules for the operating system itself, its services and components. Much of this will be about bringing your system configuration, firewall rules, and security package into agreement with each other. Controlling the traffic and eliminating the leaks/open doors on a system level has to come first. How good or well configured an anonymity package is won't matter if the operating system it runs on isn't equally well configured.

    Creating rules that allow an application to work is fairly easy. Writing those rules so that the application gets only the amount of access it needs takes more attention to detail and an understanding of the needs of that application. A poorly written rule can effectively bypass a firewall. You mentioned that you're using Kerio 2.1.5. Kerio includes a fairly decent help file. One part of the help file, Introduction to TCP/IP is especially valuable. It explains the basics of the common protocols. Also read the packet filtering rules section. It explains what the different options for each rule are for. There's also a Kerio learning thread that contains a lot of good info, including making rules for XPs services.
    A couple points regarding Kerio. You need to use the "Ask Me First" setting. The "Permit Unknown" setting is worthless. It's basically a bypass that makes the firewall ineffective. The "Deny Unknown" setting will block all traffic that the existing rules don't already allow and does it silently. If you have a "block everything" rule at the end of your ruleset, it needs to be disabled (unchecked).Keep in mind that Kerio reads its ruleset from the top, downwards and uses the first rule that applies. This makes the order that the rules are in just as important as the rules themselves. When Kerio creates a new rule from a prompt, it will be placed at the bottom of the ruleset. One more point to keep in mind. On the interface for editing individual rules, under remote endpoint, you'll see a drop down box for address type. In it you'll find:
    any address
    single address
    network/mask
    network/range
    custom address group
    Kerio does not process network/mask rules correctly. Do not use it. If you need to make a rule for a range of addresses, use network/range.

    I don't know if you used Kerio's default rules as a starting point, the BlitzenZeus ruleset, or if you deleted the startup rules and began with no rules at all. Ideally, the best way to create a tight ruleset is to start from scratch with the default rules deleted. For most people, this isn't practical. I'll try to approach this with the idea of integrating these into an existing ruleset. The firewall rules aspect of this would be simpler if they're created for a separate browser. This way your existing browser will continue to work the same. Most likely it will be necessary to edit several of your existing rules. Did you use Kerios default rules as your starting point or did you create all of your own rules? Did you download and import the BlitzenZeus ruleset? If you haven't made a system backup that includes your existing firewall rules, you should do so before we make any changes. I also suggest saving a copy of your existing firewall rules to a data partition.
    [​IMG]
    The image above is borrowed from the Kerio learning thread. It shows the default rules that Kerio 2.1.5 creates when launched on XP for the first time. The rules circled in the image are for services and core system components which need attention. The first 6 circled rules, from LSA Shell (Kerberos) through the Microsoft Discovery Service are not usually needed on a home PC, especially if it's not sharing files with other PCs. Start with disabling (unchecking) these rules and reboot. If your system doesn't prompt you for any of those named services, leave them disabled.
    The last circled rule, "Generic Host Process for Win32 Services" (SVCHOST.EXE) has to go. As it's written, this rule allows unrestricted outbound access for any system component or application that runs as a service on Windows, including any malware that runs as a service. SVCHOST.EXE runs many services, very few of which need any internet access on a home PC. This is covered in detail in the Kerio learning thread, which includes information on how to disable most of the services that create listening open ports. On XP, it's completely possible to close every open port and still have a fully functional PC. One of the few services that need internet access on a PC is the DNS service. The DNS service takes over the task of resolving sites, internet links, etc into IP addresses. It caches the results and makes them available to all internet applications. Like many things, this is a tradeoff. By running as a service and caching the lookups, it reduces the number of DNS queries and slightly speeds up page loading. With an anonymity package, this presents 2 problems. Part of the purpose of the socks protocol with Tor is to assure that all DNS lookups are done by the exit node. The best way to make certain that all DNS requests go through Tor is to eliminate all other paths through which DNS can be obtained by those components. The DNS service creates an alternate path that can't be properly controlled by firewall rules. The 2nd problem is the DNS cache. The lookups stored in the DNS cache are almost as revealing as the browsers history records. As far as is known, there's no way to access the cached data from the web. Hopefully that holds true for the NSA as well. Even so, if the PC is seized or compromised, those DNS records are there for the taking. If you clear all of the browsers records but not the DNS cache, it becomes obvious that you did try to delete your tracks. I don't know if Privazer covers the DNS cache or not. Internet applications like browsers, Proxomitron, etc are completely capable of performing their own DNS lookups. Disabling the DNS service not only eliminates the cached DNS records, it allows the user control which applications have access to the local DNS servers with firewall rules.

    In the above screenshot, the rule for DNS is at the top. As it's written in the default ruleset, the only restrictions in the rule is the remote port, 53, and that the rule is for UDP protocol. For malware configured to use port 53 and the UDP protocol, it's an open door, in and out. Most modems and routers whose configuration has not been tightened down will pass this traffic. This rule should be replaced by individual DNS rules using the IP address of each of your DNS servers. Those should be followed by another rule that blocks all other traffic to/from port 53 and alerts the user when such connection attempts are detected. The screenshots below show how these rules are configured. The items circled are the ones that need to be matched to your system.
    DNS-permit.png DNS-block.png
    The DNS permit rules are for a single IP address. You need one of these for each DNS server. On the blocking rule, note that it's for both UDP and TCP. TCP is the standard data packet used by most internet applications. Web pages are delivered via TCP. Also note at the bottom that " Display alert box when this rule matches" is enabled. If anything tries to change your DNS settings, tries to make an application use another (possibly malicious) DNS service, or tries to route its traffic through the DNS port, you'll be notified immediately.
     
  24. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    689
    Backing up from your last post noone, Ive done a system BU using Aomei Backupper and the data integrity was checked by the program as OK. Image gone on 2nd Partition. Tried doing a copy (of the copy) onto my 40GB thumb but kept saying not enough room when there was. Nevermind. If I need to use System Restore for any reason, I have a restore point yesterday. Not sure if that backs up the Registry. I *thought* you mentioned a Reg backup utility in this thread and searched and searched and couldn't for the life of me find find anything .....Then I went and did the 4 steps you told me to do in the Reg, and rebooted. Tried to install SocksCap 2.4 again and this time I get ...... ( I haven't yet tried to delete the dll file in \Windows\System32\ )

    Error installing SocksCAp.jpg

    I haven't done anything about SeaMonkey yet either. I also want to get that Drop My Rights utility.

    A long time ago I went right through the help file, and more than once. I did find some things hard to understand, mainly concepts which wasn't conducive to making it stick in the memory. Some of these things fall into place as you gain knowledge over time. When I can I'll go back again and "do some homework" and hopefully some more things have fallen into place.
    As I've mentioned, a lot of things I did are from years ago and a lot of it's hazy. One of the first things I realized, was for me, I'd get the most value on setting Kerio to "ask me first". When it gave me the option to make a choice to be remembered, I gathered that made a rule. Mostly those were the only ways I made rules rather than mucking around in Kerios main interface which looked pretty scary at the time.
    Thanks for explaining that.
    I used someones template, and yes I think it was a BlitzenZeus ruleset, which I think I got from the Kerio section on the dslreport website.
    I'll let you decide noone if it's preferable to tidy up that Symantec issue first or just proceed on with Kerio settings. In any event I either have to get SeaMonkey or make a separate profile for FF which I've never done before.
    I still have various backups from years gone by and I'd be embarrassed to show anyone my current messy ruleset which sure needs an overhaul. Nevertheless I'll back it up as soon as I'm done here.

    Just an aside...I haven't been without issues with Kerio. A year or two ago Kerio crashed my system if I had it loading the driver while booting. I HAD to fire the Program up from the desktop. Not ideal, but it gives you that option. Then I couldn't access the logfile. (Yes it was somewhat large) It would cause Kerio to lockup. One day it was glitchy so I just reinstalled Kerio imported the latest ruleset and it was OK again. It wasn't until recently I tried loading at boot. All good! In the meantime I found a great utility Tinylogger which is better than Kerios log screen anyway.
     
  25. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    689
    Ive downloaded SeaMonkey and Drop My Rights. Done a little looking around in SeaMonkey and ran it Sandboxed. No Add Ons yet. Know Zero about DMR except double clicking it gives you a command prompt like window that flashes on and off again, which upon doing a quick search revealed that was supposed to happen. That's where I'm up to with that.
     
Loading...