InfoSec Philippines

Information Security, Technology News and Opinions

Posts Tagged ‘Microsoft’

Using PortableTor on a USB for Anonymized Browsing

Posted by Jaime Raphael Licauco, CISSP, GSEC on April 15, 2009

Back in January, I wrote about Anonymization and mentioned PortableTor from a USB stick. The Easter break allowed me to try it on a USB I just got from CD-R King (Php 480 for 4GB ain’t bad). Long story short, Tor was originally made by the US Naval Research Lab and has been said to be used by some three-letter US agencies to shadow people on the net. It works by bouncing your packets around a distributed network of relays run by volunteers all over the world. However, it’s also been used by some hackers to keep their anonymity, even though Wikipedia describes its limitations as:

“Tor cannot (and doesn’t try to) protect against an attacker who can monitor both traffic going into the Tor network and also traffic coming out of the Tor network, such as the United States government which has the capability to monitor any broadband internet traffic under the Communications Assistance For Law Enforcement Act and can therefore see both ends of the Tor connection. Tor tries to protect against traffic analysis, but Tor does not have the ability to prevent traffic confirmation (also called ‘end-to-end correlation’).”

Being in Manila, I wonder what capability the Philippine government has with regard to monitoring broadband traffic. I know they have some, I’m just not sure about the extent.

You can check out the Tor Project site here.

I’ll be re-doing it from scratch for this article and will be giving step-by-step instructions. I recommend running from a USB for people who frequent Net Cafes. For this article I’ll just be using Portable Firefox and not the whole suite available at Portable Apps, and will be using an old 512MB drive on L:

Typical caveat: I have no idea if this will work for you and please do back up before you try this.

Step 1
Get Mozilla Firefox Portable then download it to your USB drive (Around 8 MB)

Step 2
Download the PortableTor Application to your USB drive (Around 7.8 MB)

Step 3
Click on the Portable Tor App executable on your USB drive and extract it to your USB drive

Step 4
Do the same for Mozilla Firefox Portable (I had to point to my USB drive letter which in this case is drive L:)

Step 5 (Optional)
Delete the Installer Files (NOT the folders).

Step 6
Go into the PortableTor folder and click on PortableTor.exe
You should then see additional icons on your system tray (typically on the lower right, which contains the clock), and if you have an application firewall (and you should), it will prompt you if you want to allow the applications (yes, it’s plural) access to the Internet.

Step 7
Go back to your Firefox Portable folder and click on FirefoxPortable.exe (You are then prompted whether or not to store your session on your USB stick)

Step 8
Once Firefox is running from your USB, go to Tools>Options>Advanced>Network
Then click on Settings and check that you are using localhost and port 8118, which is the default port of PortableTor (you can change this port, but I won’t be discussing that here).


Step 9
Head over to What Is My IP Address? to check if it works.


Step 10
You can then check where your assigned IP is by clicking on the number, in this case, Stockholm… yes I’m in Stockholm because I couldn’t stand the summer heat of Manila… NOT.
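
The proxy check in Steps 8 and 9 can also be done outside the browser. The following is an added example, not part of the original post: it parses a Firefox profile's prefs.js, lists settings that would let traffic skip the proxy on localhost:8118, and tests whether anything is listening on that port. The sample prefs are constructed, and the pref names are Firefox's standard network.proxy.* settings.

```python
import re
import socket

# Constructed sample of a Firefox profile prefs.js (not taken from the post).
SAMPLE_PREFS = """\
user_pref("browser.startup.homepage", "about:blank");
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "localhost");
user_pref("network.proxy.http_port", 8118);
user_pref("network.proxy.ssl", "localhost");
user_pref("network.proxy.ssl_port", 8118);
user_pref("network.proxy.no_proxies_on", "localhost, 127.0.0.1");
"""

PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+?)\);$')
LOCAL = {"localhost", "127.0.0.1"}


def parse_prefs(text):
    """Return {name: value} for each user_pref("name", value); line."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if not m:
            continue
        name, raw = m.groups()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.lstrip("-").isdigit():
            prefs[name] = int(raw)
    return prefs


def audit_proxy(prefs, port=8118):
    """List the ways this profile can send traffic around the local proxy."""
    if prefs.get("network.proxy.type") != 1:  # 1 = manual proxy configuration
        return ["proxy type is not manual (1); the localhost settings are not in effect"]
    findings = []
    for scheme in ("http", "ssl"):  # "ssl" is the pref name used for HTTPS
        host = prefs.get("network.proxy." + scheme, "")
        if host not in LOCAL or prefs.get("network.proxy.%s_port" % scheme) != port:
            findings.append("%s traffic is not sent to localhost:%d" % (scheme, port))
    if prefs.get("network.proxy.socks") and not prefs.get("network.proxy.socks_remote_dns"):
        findings.append("SOCKS proxy without remote DNS; hostnames resolve locally")
    exceptions = [h.strip() for h in prefs.get("network.proxy.no_proxies_on", "").split(",")]
    bypass = [h for h in exceptions if h and h not in LOCAL]
    if bypass:
        findings.append("hosts bypass the proxy: " + ", ".join(bypass))
    return findings


def proxy_listening(host="127.0.0.1", port=8118, timeout=2.0):
    """True if something accepts TCP connections on the proxy port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    print(audit_proxy(parse_prefs(SAMPLE_PREFS)) or "proxy settings look consistent")
    print("listener on 8118:", proxy_listening())
```

An empty findings list only says the profile points at the local proxy; the IP check in Step 9 is still what confirms that traffic leaves through Tor.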

So that’s it, you can run more anonymously on the net using PortableTor, albeit much slower than usual (also dependent upon the particular proxy you’re using). In my limited, unscientific testing, my download speeds varied from 1/5th to 4/5ths of the usual speed. The Tor network also encourages you to run a relay (the bandwidth of which you can limit) so that the overall speed of their network becomes a bit faster.

I haven’t tried this out for Instant Messaging, but I soon will.

If you found the above do-it-yourself USB for Anonymized Browsing interesting, you might also want to check out the XeroBank Browser, which its site says is “the most popular free and open-source anonymous web browser in the world, with over 9 million downloads.”


Info Sec News
(BusinessWorld Online) BSP urges tighter e-banking security
(Computerworld Ph) CICT: Timetable for 2010 automated polls tight
(Inquirer.net) COMELEC Chief Says, ‘No more debates on poll automation’
(PhilStar.com) UP Diliman holds first campus-wide automated polls
(IT Matters.com.ph) Online filing system bogs down one day before April deadline
(IT Matters.com.ph) BPO office builders ditch expansion plans
(IT Matters.com.ph) Ayala outsourcing unit bullish of prospects amid downturn
(IT Matters.com.ph) Convergys opening three more contact centers, to hire 3,100

(Reuters) Facebook, YouTube at work make better employees: study

The H Security Conficker Information Site
(The H Security) Conficker test
(The H Security) Simple Conficker test for end users (Description)
(University of Bonn) Conficker Online Infection Indicator

(Computerworld UK) Police e-crime unit teams with banks for first arrest
(SearchSecurity) RSA panel to discuss surveillance, privacy concerns
(Wash Post Security Fix Blog) Report: China, Russia Top Sources of Power Grid Probes
(The Register) Student sentenced for F-ucked up grade hack

(SecurityFocus) Microsoft patches a passel of flaws
(SecurityFocus) Twitter targeted by XSS worms
(SearchSecurity) Oracle issues 43 updates, fixes serious database flaws
(Reuters Video) Symantec sees more malicious threats (approx 2 mins)
(Inquirer.net) Book a bed and breakfast, catch a ‘virus’

(SC Mag US) Despite downturn, IT security spending to increase
(Computerworld) Privacy rules hamper adoption of electronic medical records, study says
(Computerworld) ‘Mafiaboy’ spills the beans at IT360 on underground hackers
(Computerworld) 1 in 5 Windows PCs still hackable by Conficker
(Computerworld) Botnet operators may be able to profit from Conficker update
(Trend Micro News) Trend Micro Discovers New Variant of Conficker: WORM_DOWNAD.E


Site News
Updated the following links pages:
“Software Vulnerabilities” links to “Software Vulnerabilities and Dataloss” and included DatalossDB;
“Security Policy and Best Practices” links to include Information Security Policy World, Windows Security.com’s PDF, Princeton University’s PDF;
“Web App Security” to “Secure Coding and Web App Security” and included US Homeland Security’s Build Security In website



Posted in Anonymization, News, tools | 1 Comment »

Seminars and Conventions

Posted by Jaime Raphael Licauco, CISSP, GSEC on March 16, 2009

The Center for Global Best Practices will be giving a one-day seminar on “Best Practices in IT Audit” on Apr 24, 2009 at the Edsa-Shangrila Hotel, Mandaluyong City. It will be conducted by Patrick Dailey, CFE, GCFA, CISSP, EnCE, who is the founder and managing director of DigiThreat Solutions. Early bird offer is until Mar 24, 2009. Seminar cost is P7,800.00. For more info call (+63-2) 842-7148 or 59, email: jessica@cgbp.org, or check out their website.


Microsoft Philippines will be giving a two hour seminar on the “Advantages of Microsoft Certification”. The next dates are on Mar 20 and 26 to be held at the dB Wizards Office, 28/F 88 Corporate center Sedeno cor Valero Streets, Salcedo Village, Makati City. Check out the Microsoft Events Philippines site for more details.


ECCI will be giving a staggered three-day seminar on “Accelerated Six Sigma Greenbelt – Striving for Quality Excellence and Transformation” on Apr 16-17 & 20, 2009. ECCI will also be giving a one-day seminar on “Enterprise Risk Management (ISO 31000)” on Mar 26, 2009. For more info call (63-2) 750-5671 to 73 or email: faith@eccinternational.com.


There are a lot of presentations available from the APRICOT Manila Convention late last month. Most focus on IPv6, while there are others on malware, rogue DNS and general security. Check out the presentations here.


Site News
The site may not get updated much this week since I will be conducting an Introduction to ISMS Seminar (ISO 27001:2005) and will be focusing on that.

Posted in News, Philippines, seminars | 1 Comment »

InfoSec News, March 11, 2009

Posted by Jaime Raphael Licauco, CISSP, GSEC on March 11, 2009

Browser Security
(SC Magazine US) Firefox 3.07 update addresses multiple security issues
(H-online) Firefox: most vulnerabilities, but quickly patched
(Security Focus) Mozilla, Opera plug security holes


Malware
(SC Magazine US) Conficker worm variant kills security processes
(H-online) Conficker modified for more mayhem


Cyberwarfare
(ZDNet.com) Russia kinda-sorta owns up to Estonia cyberwar
(The Register) Russian politician: ‘My assistant started Estonian cyberwar’


Patches
(The Register) Critical kernel fix stars in Patch Tuesday updates
(Computerworld) Microsoft patches ‘evil’ Windows kernel bug
(Computerworld) Microsoft patches Windows DNS, kernel flaws
(The Register) The long road to Adobe Reader and Flash security Nirvana
(Computerworld) Adobe patches zero-day PDF bug, mum on details
(Computerworld) Bad Symantec update leads to trouble
(H-online) Norton causes alarm and despondency


Social Networking
(H-online) Twitter closes SMS spoofing hole – Updated
(H-online) Spam from compromised Twitter accounts


Other InfoSec News
(SC Magazine US) Gartner: Data breaches hit 7.5 percent of all U.S. adults
(H-online) Version 3 of Microsoft’s Threat Modeling Tool released
(Computerworld) Gmail down; outage could last 36 hours for some
(H-online) Windows Defender: False alarm triggered by hosts file
(The Register) Court rules airline secret security list is stupid
(Techworld) Security needs to be ‘baked in’ say experts
(GCN) Securing cyberspace requires a new attitude
(Stuff.co.nz) Student wiped data worth thousands
(The Register) Feds file new felonies against alleged Palin hacker


Tips
(Computerworld) Biometrics: three tips for success


Webcasts
(LogLogic) Unleashing your log power to do more with less
Date: Wednesday, March 18, 2009
Time: 2:00 p.m. EST/11:00 a.m. PST


Whitepapers
(HID) Username and Password: A Dying Security Model
(Computerworld) Social Elements of Security Policy and Messaging


Posted in Change Management, News, Security Policy, Social Networking, Webinars | Leave a Comment »

Info Sec News, Feb 5, 2009

Posted by Jaime Raphael Licauco, CISSP, GSEC on February 5, 2009

Seminars
ECCInternational will be giving a Certified BCMS (ISO 25999:2007) course from Feb 9-11. They will also be giving an ITIL Practitioner Program – Configuration Management on Feb 10-11, you can check out their Training Schedule here. ISO 9001:2008 IRCA Certified Lead Auditor Seminar will also be given either on Feb 9-13 or Feb 16-20. For details and specific dates, please contact Rose, Faith or Ness at 7505671 to 73 or email training@ccinternational.com.


Webcasts
CSO Online has published a podcast interview of Jim Routh who is the CISO of the Depository Trust and Clearing Corporation (DTCC). He is a veteran technology and security executive, having held positions at American Express and American Express Financial Advisors before joining DTCC.

(Simply Continuous) How To Keep Your Business Running in the Event of a Disaster


Whitepapers
There’s a recent (Winter 2009) presentation published by the Stanford Applied Crypto group by John Mitchell on Phishing and Malicious JavaScript. Aside from Phishing, the presentation talks about how JavaScript is used to obtain information from your browser. John Mitchell teaches CS 142, Web Programming and Security, at Stanford University.

(SonicWall) Bottom-line benefits of telecommuting & secure remote access
(Quest Software) Finding Complete Identity Lifecycle Management that Fits


Insider Threat
I either gotta love this… or get paranoid about this: Within 90 minutes of getting fired, a former contract worker for Fannie Mae allegedly added a malicious script hidden within a legitimate script that ran each morning on the network, which was designed to disable monitoring alerts and all log-ins, delete the root passwords to the 4,000 Fannie Mae servers, erase all data and backup data, power off all the servers and then disable the ability to remotely switch on the machines. This was fortunately found by another employee within days of the firing.

(Computerworld) Ex-Fannie Mae engineer pleads innocent to server bomb charge
(CSO Online) Alleged Fannie Mae data bomb author working for Bank of America now?

Another recent example of an Insider Threat is of a former employee that still has access to the system, as this article reports, “Mysterious Text-Message Alert at U. of Florida Scares and Angers Students.”


Psychology/Social Engineering
There’s good insight as to the psychology involved when it comes to Information Security in this article from (CSO Online) Are You Addicted to Information Insecurity?

And speaking of psychology, CSO Online’s Anatomy of a Hack is an in-depth article on how Social Engineering can be used. Also in connection to social engineering, the FBI also warns of Money Mule Scams.

A novel way of luring people to a website with malware was found in North Dakota. How? Stick a parking violation ticket on the windshield, with the supposed details of the infraction on a website.

Readers of this blog might also want to check out What the Web knows about you. It’s a 6 page article on what attackers may be able to find out about you online. If you’re in the US and are considering searching your SS number, check out this article first on Search Engine Privacy Tips from the World Privacy Forum website.


Browser Security
CSO Online also did an unscientific poll of security experts on browser security, and it turns out that IE isn’t viewed as being as insecure as it was just a few years back. In relation to browser security, Firefox just fixed a couple of vulnerabilities in their release of version 3.06 of their browser.

Also related, Browser secrets of secure connections talks about how browsers play a key part in determining the strength of cipher used between the client and the web server. The article references the Infoworld Test Center Guide to browser security.


New DNS Attack
(CSO Online) Porn Site Feud Spawns New DNS Attack – Botnet operators are adding code to launch a new type of distributed denial of service attack, security experts warn
(NetworkWorld.com) Porn Site Feud Spawns New DNS Attack – A scrap between two pornographic Web sites turned nasty when one figured out how to take down the other by exploiting a previously unknown quirk in the Internet’s DNS.
(NetworkWorld.com Slideshow) How DNS cache poisoning works – this also has tips at the end on how to defend against this kind of attack.


Other Info Sec News
(CSO Online) SMB Security: Five Bright Ideas – Small businesses have to be crafty to handle security with fewer resources. Here are bright ideas for SMBs.

(Computerworld Blog) Security businesses move ahead in this economy

(Computerworld) Removing admin rights stymies 92% of Microsoft’s bugs

(Computerworld) Microsoft denies Windows 7 security feature contains bug

(Computerworld) Banks, customers feel the fallout of the Heartland breach

(Computerworld) Study: Data breaches continue to get more costly for businesses

(Computerworld) Obama health care plan said to boost security, privacy controls – Privacy advocates say $20B e-health proposal overcomes some HIPAA concerns

Posted in Change Management, conferences, Incident Management, ISMS, Presentations, Privacy, social engineering, Webinars, Whitepapers | Leave a Comment »

Microsoft Issues Patch to Close Zero Day Hole

Posted by Jaime Raphael Licauco, CISSP, GSEC on December 18, 2008

Microsoft has issued an unscheduled patch to close the security hole in IE in its MS08-078 Security Bulletin.


A Security Park report states that according to Panda Security, there has been as much malware in the first months of ’08 as the last 17 years combined.

Related links:
SANS published a 61 page whitepaper by Mark Baggett, GCIH, on the Effectiveness of Anti-Virus vs Metasploit Payloads
Anti-Virus Rants Blog


Computerworld Security lists 3 simple ways to protect from Social Networking Malware: 1. Have a stronger password, 2. Be wary of 3rd party apps, 3. Beware of user generated SPAM.

Now I’m wondering if there are tips out there regarding Friendster since they obviously have a problem with the SPAM I’ve been getting from a couple of users.


CDW has a 2 page whitepaper on Making the Case for Security Spending


UPI.com Homeland and National Security Editor Shaun Waterman wrote about the questionable effectiveness of FISMA in real world use. The article states that the US Justice Dept got a grade of A-, because FISMA is primarily concerned with “ensuring that all agencies ‘have policies and procedures to enhance the security of information in their IT systems. [however FISMA does] ‘not assess whether the Department has actually implemented these processes, nor did it assess the actual security of the Department’s IT systems.'”


The US Center for Strategic and International Studies (CSIS) recommends a Cybersecurity model based on Nuclear Nonproliferation. This is because of the seriousness and complexity of cyberthreats, which require a coordinated approach that spans agency jurisdictions, borders and sectors.

See earlier Post for the CSIS report


Update on Browser Password Management Security

In the test by Chapin Information Services (CIS) Opera and Firefox each passed seven of 21 tests, IE passed five tests, and Safari and Chrome each passed two tests.

(The Register) Browser Password Security Test
(Chapin Info Services) Google Chrome receives lowest Password Security Score


Other Security News.
(Bank Info Security) Where the Jobs Are: 5 Hot Career Tips for 2009
(Bank Info Security) Top Certifications for Industry Pros

Posted in News, Social Networking, Whitepapers | Leave a Comment »

Info Sec News, Dec 8, 2008 Updated

Posted by Jaime Raphael Licauco, CISSP, GSEC on December 8, 2008

Upcoming details for this month’s Patch Tuesday can be found in Heise Online’s Microsoft wants to close six critical holes and PC World’s Microsoft readies Eight New Security Patches.

A Secunia blog states that 98% of all PCs aren’t fully patched, as was also reported in The Register and SCMag UK. No doubt this contributes to the millions of PCs out there that are used as zombies unbeknownst to their owners. This happens mostly because people have too much confidence in their Anti Virus in stopping all threats. I’ll write about this more in another post; for now, you might want to check out Secunia’s freely available Personal Software Inspector to check for patches your PC may need.

Trend Micro researchers, though, say that vulnerabilities only play a minor role (5%) in attacks, and that most attacks (53%) come in the form of Social Engineering attacks wherein the user is duped into downloading malware. An example of this would be fake anti-virus products that take up the top three positions in BitDefender’s Top e-threats (Heise Security also gives the list here). Which reminds me of what Zot O’Conner said in his talk at the Renaissance Makati in late October… that you cannot design a security product to defend against a user that just clicks and accepts anything.

In related news, Security Park reports that Human error continues to be the top cause of IT security breaches primarily because individuals are given the option to bypass them.


Other Security News
Center for Strategic and International Studies publishes report on Securing Cyberspace
Distributed SSH attacks bypass blacklists
New variant of DNSChanger in mass DNS hijack
The debate resumes over Mac Security
Identity Theft breaches on the increase in the US
(Security Focus) US Commission calls for Cybersecurity Czar
(Security Park) Free malware search tool helps financial institutions identify web attacks targeting their websites
SANS Webcast on December Threat Update
SANS Webcast on What Works in Security Information and Event Management
(Linux Security) New Wireshark Packages fix Vulnerabilities
(Linux Security) Never Installed a Firewall on Ubuntu? Try Firestarter
(Linux Security) Debian: New Linux 2.6.24 packages fix several vulnerabilities
(NY Times) Thieves Winning Online War, Maybe Even in Your Computer
(Translated by Google) 21 Million German Citizen’s Account Numbers in Circulation

Posted in Change Management, News, social engineering, vulnerability assessment, Windows | 1 Comment »