Safe and Anonymous Web Browsing
Nuno Mateus Coelho
ISEP GILT 4249-015, Porto Portugal
[email protected]
José Joaquim Moreira
ISLA - IPGT Escola Superior de Tecnologia 4430-646, Vila Nova de Gaia Portugal
[email protected]
António Vieira de Castro
ISEP GILT 4249-015, Porto Portugal
[email protected]
Abstract
The Web has shortened the distance between people to an unprecedented level. With this ease of contact also came cybercrime, terrorism and other phenomena of a society in motion, fully computerized, in which land borders do little to limit the agents active in this system, harmful or not. The world recently learned through the media that its leading nations follow their citizens closely, disregarding any moral or technological threshold, and that internal and external security agencies in the United States closely follow the telephone conversations, e-mail and Web traffic of their counterparts, using powerful monitoring and surveillance programs. In other corners of the globe, nations in turmoil or wrapped in the cloak of censorship persecute their citizens and deny them uncontrolled Web access free of harmful repercussions. On a more everyday level, peers coerce and invade the privacy of acquaintances and family, searching every corner of their computers and surfing habits and resorting to violence as vendetta. This work analyzed the technologies that control how consumers use the Web and the solutions that enable and grant some anonymity and security in Web traffic. To support this study, an analysis was made of platforms that allow anonymous Web browsing and of technologies and programs with the potential for computer intrusion and violation of privacy by high-profile nations. The study aimed to analyze computer monitoring and surveillance technologies and to identify the available countermeasure technologies. Its scope was the delivery of a multimedia tool developed in Linux, provided as a LiveDVD (a Linux OS that runs from DVD without installation). Resources were integrated in the prototype, which was developed to give the user a flexible and simple way to surf the Web in a secure and anonymous environment. It was prepared to operate from the DVD drive or inside a virtual machine, in either case on a computer.
The prototype was tested and evaluated by a group of citizens to check its potential and effectiveness. The work closes with the conclusions and the work to be developed in the future.
Keywords
security, private browsing, tor network, linux, open source, violence, hacking
1. Introduction
We live in a time when society is challenged by sudden social, political and economic change, all of it with heavy environmental costs. This strong volatility has consequences for the (in)security of societies and organizations. The speed at which events, new technology offerings, new trends, products, problems and solutions succeed one another creates a disarray whose impacts are already today, despite the efforts of regulators, virtually impossible to contain or hide. Research, the massive use of information and the social sharing of that information were brought about by the advent of Web 2.0, or the 2nd generation of the Web, a term introduced by Tim O'Reilly [Tim O'Reilly, 2009]. Together with the new generation, Web 3.0, characterized by the Semantic Web, a term introduced by John Markoff [Sam Murugesan, 2009], it has created a unique singularity, comparable only to the human ecological footprint. The human digital footprint means that everything shared and exposed on the Web is filed somewhere in it, allowing a third party to access and store this information in computer clusters with a useful life that is impossible to estimate, and thus accessible to others for many, many generations. Relying on Cloud platforms (data storage in virtualized computing platforms) and publishing personal information on social networks opened the door to cybercrime (crimes committed using information technology), which for years had been located in and oriented to the information systems of organizations.
© 2100 Projects Association
www.2100projects.org
2. Context
In 2014, according to Internet Live Stats [Internet Live Stats, 2015], about 3 billion users were connected to the Web and shared data. The Web is extremely conducive to all kinds of harmful acts committed by strangers. Because it is a living entity (in the broad sense of the word), this globalization, this network made up of people and machines, is also a source of misinformation directed at nations that compete with each other, where whoever first holds validated information in fact holds the lead. Whether the aim is economic or strategic, this competition creates mechanisms that promote computer insecurity through decoding, modification and interception, in order to retain private information for their owners' benefit. Computer security is constantly put to the test. According to Paulo Santos [Paulo Santos, 2008], from information pirates, commonly known as hackers, to government security agencies, everyone wants a piece of the El Dorado. Computer systems connected by networks and, above all, the broad network that is the Web are used daily by millions of people and organizations to store and manipulate information. According to Hermann Walker [Hermann Walker, 2009], schools, universities, doctors' offices, students and teachers all exchange information using computer networks; it is safe to say that the information is in circulation, and it is therefore critical that this information is safe. Computer security is increasingly both a social problem and a technical problem.
It is a technical problem because the variety of systems, standards, architectures and methodologies, such as ITIL (Information Technology Infrastructure Library), COBIT (Control Objectives for Information and Related Technology), TOGAF (The Open Group Architecture Framework) and SOA (Software Oriented Architecture), together with new versions of operating systems, hardware and its requirements, and software requirements, among many other examples, makes the task of implementing safety measures and standards, risk mitigation circuits and computer master plans that anticipate and respond to unexpected questions truly daunting. The result is an inability to create effective security policies or to give them complete coverage. Adding connections to distributed systems and to the Web makes it an almost impossible task [Javier Lopez et al., 2015]. It is a social problem because the non-technical users of these systems have no sense of the existing security problems. For them, according to Brian Shea [Brian Shea, 2002], all the effort and systems behind the screen are transparent; they pay little attention to detail because they feel safe having an antivirus or a firewall that sends graphic alerts in the GUI (Graphical User Interface). They also rely on in-house staff (company support technicians) to implement measures and support them in daily difficulties. Applications aimed at exploiting the lack of attention of the general public or of system administrators are developed on a daily basis. Reputable companies also develop and bring to market applications that allow users to avoid mechanisms that insist on violating computer privacy. Over time, software has been created with the purpose of maintaining the security of information and of its users. Entities such as Symantec (a software and computer security company) release daily updates to their antivirus programs in response to new threats.
Companies like Microsoft create updates regularly to fix bugs and software vulnerabilities. Companies such as CISCO develop network appliances (equipment) that are subject to adjustments, with other features that are not adjustable, in order to standardize concepts of security and defense mechanisms [Shelly Gary and Jennifer Campbell, 2012]. Despite this panorama, these measures are no more than reactive to daily challenges and unfortunately are not preventive.
2.1. The Problem
According to Symantec's report Insecurity of the Internet of Things, an estimated 4.9 billion devices will be connected to the Web in 2015 [Mario Barcena, 2014]. Many of these devices, such as mobile phones, tablets and smartphones, have few active and passive safety mechanisms of their own. Regardless of this outlook, every day millions of users share information and data through these devices. Organizations have now ceased to be the direct target of those dedicated to the theft and misuse of information. The average user has become a target because of the amount of information shared online, without having a sense of their digital footprint. Systems that provide services, such as Web servers that store information about users, are also under fire. In May 2015 the alleged attack on the online Portuguese lottery platform EuroMillions was reported by the pplware.sapo.pt website [Pplware, 2015]. According to the site, data from 20,000 users had been compromised. The form of the attack was not disclosed, and the data exposed may be used for future attacks. The information revealed consisted of username, hash, MD5 (Message Digest 5), salt, e-mail and birth dates. Although these data may seem unimportant, they allow intrusion attempts into e-mail accounts that have birth dates as passwords, and make it possible to obtain a new password from the Euromillions website by passing its security mechanism, which relies on questions such as confirmation of the date of birth. The year 2013 was rich in revelations about the events and activities of the main North American security bodies. According to revelations by Julian Assange [Julian Assange, 2013] on Wikileaks (an online platform for sharing information), secure Web browsing does not exist and even the location of users is not safeguarded. According to him, several countries could access user data and extract relevant information. Some countries, because of their political characteristics, tightly control access to content available over the Web. According to [Ronald Deibert et al., 2008], countries like North Korea limit access at both the physical and the technological level: only certain people may have access to devices that allow access to the Web, and they still have to pass through a barrier imposed by the ISP (Internet Service Provider, e.g. Portugal Telecom). This prevents them from viewing content from certain sites, countries, religions, etc. The most notorious case of this is the Great Firewall of China, also known as the Golden Shield Project.
2 Threats and Countermeasures
As worldwide networks expand at a very fast rate, information security and privacy begin to be seen differently. Keeping information and telecommunication systems safe plays a vital role in the day-to-day life of the actors in this panorama, be they users or system administrators in domestic, business or government environments.
2.1. Threats
According to Paul O'Day in the Journal of Education at Pacific University [Paul O'Day, 2013], the North American Government has controlled the Web since its appearance. Its military genesis puts government institutions in a privileged position in relation to others. The most effective way to compromise security is to listen in on and penetrate the ISP before the data arrive at the destination computer. If communications are not encrypted, or even if the connections are, it is possible to find out the location, the content and information about the computer and, above all, by joining connection and data, to know specifically who the user is [Fabio Locati 2015]. Until recently it was not known that the NSA was spying on Internet users at national and international level. Threats do not come only from governmental sources or secret societies. It is also a harmful and lucrative criminal activity, a reminder of existing computer problems on platforms or systems, a source of information that allows third parties to gain a relevant position through the use of this information, and many other activities. According to Eric Raymond [Eric Raymond, 1997] and Robert Moore [Robert Moore, 2010], there is a group of people who, resorting to high computer skills and with very specific goals, are dedicated to increasing their skills by exploring, modifying or accessing systems that they normally do not have access to. There is also large-scale censorship of content. The Golden Shield project and others like it, according to Sarosh Kuruvilla [Sarosh Kuruvilla et al., 2011], appeared after the arrival of the Internet in China in 1994. In 1997 the Chinese government set in motion the first control measures, issuing regulations on use and the appropriate penalties. In 1998 the Communist Party, for fear of losing control of the country, ordered the creation and implementation of a system able to control the entire Web traffic network.
Nicknamed the Great Firewall of China in 97, it employs more than 45,000 policemen and is a complex network of proxy servers that prevents IP addresses of Chinese origin from getting out through one of the six Chinese gateways, thus controlling who accesses the Web and what is available to access.
2.2. Countermeasures
Effective security is expensive and evaluating it is an arduous task, out of reach of those who normally have the ability to unlock funds for those who decide on the implementation of security measures. In computer science there are two areas where no solution responds to 100% of the problem: computer security and software testing [Fernando Boavida et al, 2013]. Multiple operating systems give the user more or less security. There are the more commercial systems, commonly seen on x86 and x64, which stand out for their beauty and leave computer security in the charge of third parties who sell applications for these systems. While this is the reality, when the prestige of a piece of software is at stake the manufacturers rush to launch corrective and preventive packages. Currently, the most secure operating systems are Linux based and are known worldwide for their quality, because they are equipped with the latest software, which is analyzed every day so that user safety always comes first. In fact, the best countermeasures to the identified issues are available to the public in the form of secure operating systems: systems developed by entities that aim to be in the front row of security for personal users and companies, also known as Paranoid Systems. These are Operative Systems (OS) that do not collect or keep users' data, do not need a common hardware platform, and run in a virtual machine or from a Live DVD booted at hardware startup from the DVD bay (drive). Some of these platforms are completely open source and others are not but, generally, they are good and are under the scrutiny of the most knowledgeable users worldwide. The most acceptable ones are listed in the following table:

Table 1. Safe operative systems.
Name                                         Architecture
Tails – The Amnesic Incognito Live System    Linux Debian LiveDVD x86 and x64
JohnDo Live DVD                              Linux Debian Live DVD x86 and x64
UPR-Ubuntu Privacy Remix                     Ubuntu Live DVD x86 and x64
IprediaOS                                    Ubuntu Live DVD x86 and x64
C3PIV Portuguese Unique Initiative           Portable APPS Windows environment only
What most of the OS described above have in common is the use of secure networks that operate as a safe relay to access the Internet. Despite their different characteristics, they all use the TOR network or I2P, which is similar to the Tor network and differs only in the identity of the outgoing traffic nodes. In TOR they are random and public; in I2P they are held by an identified “someone”. Tor is a network of VPN tunnels over the insecure Web in which users' computers act as its common routers, making the entire computer network workable. Users who only use the Tor browser, or another browser provided it contains a plugin that allows use of the network, will only be clients of this anonymous network, which is based on the .onion domain. Its operation is quite simple and layered (hence the onion analogy). A client program (Tor Bundle) previously installed on the user's computer acts as a SOCKS 5 proxy, a well-known Internet protocol developed by David Koblas in 1992 [Elizabeth Zwicky, 2000], and forwards all data packets between client and server. I2P is similar in concept to the Tor network, with layered communication, but differs in that all nodes are properly identified in the network's distributed database. To access all features a fee is charged to the user. The element that distinguishes it from the Tor network is precisely the fact that the entire network can possibly be related to someone or some entity. Each client has its own I2P router, which allows the creation of tunnels for inbound and outbound traffic. A sequence of two random tunnels is created to carry communications from client to server and from server to client. All communications are encrypted point-to-point, using a four-layer encryption method based on a public-key pair. Data packets are divided between two tunnels, and the receiver, which is listening with another set of two tunnels, receives the data packets through these entries.
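The SOCKS 5 exchange mentioned above, written out at the byte level as an added example (it is not code from the paper or from the Tor project). It follows RFC 1928 and goes one step beyond the text by showing why a client should send the hostname to the proxy (address type 0x03) instead of resolving it first; the hostnames and addresses are constructed samples.

```python
"""SOCKS5 (RFC 1928) client messages, built and parsed as raw bytes."""
import ipaddress
import struct

VER = 0x05                      # SOCKS protocol version
CMD_CONNECT = 0x01              # open a TCP stream to the destination
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLIES = {
    0x00: "succeeded", 0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
    0x04: "host unreachable", 0x05: "connection refused",
    0x06: "TTL expired", 0x07: "command not supported",
    0x08: "address type not supported",
}


def build_greeting() -> bytes:
    """Client hello offering a single method: 0x00, no authentication."""
    return bytes([VER, 1, 0x00])


def build_connect(host: str, port: int) -> bytes:
    """CONNECT request. A hostname is sent as ATYP_DOMAIN so the proxy,
    not the local resolver, looks it up; an IP literal is sent as-is."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")
        if not 0 < len(name) <= 255:
            raise ValueError("hostname must be 1..255 bytes")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    return bytes([VER, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def resolved_by_client(request: bytes) -> bool:
    """True when the request carries an IP literal: if the user typed a
    name, it was resolved locally and the DNS query bypassed the proxy."""
    return request[3] in (ATYP_IPV4, ATYP_IPV6)


def parse_reply(data: bytes) -> dict:
    """Decode the proxy's reply: status code plus bound address and port."""
    if len(data) < 5 or data[0] != VER:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        off, alen = 4, 4
    elif atyp == ATYP_IPV6:
        off, alen = 4, 16
    elif atyp == ATYP_DOMAIN:
        off, alen = 5, data[4]
    else:
        raise ValueError("unknown address type")
    if len(data) < off + alen + 2:
        raise ValueError("truncated reply")
    raw = data[off:off + alen]
    bound = raw.decode("ascii") if atyp == ATYP_DOMAIN else str(ipaddress.ip_address(raw))
    (port,) = struct.unpack("!H", data[off + alen:off + alen + 2])
    return {"ok": rep == 0x00, "status": REPLIES.get(rep, "unassigned"),
            "bound": (bound, port)}


if __name__ == "__main__":
    # Constructed sample destinations, not taken from the paper.
    for target in ("example.onion", "192.0.2.10"):
        req = build_connect(target, 80)
        print(target, req.hex(), "resolved by client:", resolved_by_client(req))
    print(parse_reply(bytes([5, 0, 0, 1, 0, 0, 0, 0, 0, 0])))
```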
In the picture that follows, we can observe the secure communication model by pairs of I2P tunnels.
Figure 1. Architecture of I2P routing protocol
3 Proposed Solution - Prototype
The prototype is a virtual operating system that differs from the options discussed above in aspects such as preventing installation on a physical drive. The aim is for the prototype to run from the computer's RAM. The prototype does not require multiple solutions for its needs and does not include some production software such as LibreOffice. However, this and other software can be safely downloaded from an available app. When the prototype is shut down, its content is irretrievably discarded. The system operates independently of the installed hardware and will be fully functional on any computer. In contrast to Windows, which needs to maintain a hardware-based architecture to run [Tom Carpenter, 2011], the prototype operates without limits and with acceptable performance regardless of architecture or virtual machine. The following image presents the conceptual diagram of the prototype and two possible methods of use: downloaded from the Web for direct use in a virtual machine, or direct use from a USB drive or CD/DVD:
Figure 2. Conceptual Diagram
The product of careful analysis, the prototype was developed on Ubuntu 14.04 LTS because its continuous improvement has proved the most effective over time, and its community offers hundreds of websites where people discuss Ubuntu technology and solutions. After initial tests with Linux From Scratch and Ubuntu Server, the decision was made once the armory of objectives and available technology had been established. Ubuntu 14.04 LTS offers a comfortable operating system experience and accepts the tweaks needed to make the prototype a reliable option. All software was removed from the system used as the source, so that the necessary software and core configurations could be installed first. After the TOR protocol was installed, all software providers were adjusted to ensure that software can only be downloaded through the TOR protocol, and therefore in a safe way. This is achieved by configuring a SOCKS 5 proxy to channel all communications through it. This routine is always available and starts with the prototype startup.

    # Repository entries for /etc/apt/sources.list
    deb http://deb.torproject.org/torproject.org isepsafe main
    deb-src http://deb.torproject.org/torproject.org isepsafe main
    # Fetch the repository signing key and hand it to apt
    gpg --keyserver keys.gnupg.net --recv 886DDD89
    gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
    # Build Tor from the source tarball
    tar xzf tor-0.2.6.10.tar.gz; cd tor-0.2.6.10
    ./configure && make
    apt-get update
    apt-get install tor deb.torproject.org-keyring

    # /etc/apt/sources.list
    gedit /etc/apt/sources.list
    deb http://deb.torproject.org/torproject.org isepsafe main
    deb-src http://deb.torproject.org/torproject.org isepsafe main
    gpg --keyserver keys.gnupg.net --recv 886DDD89
    gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
    sudo apt-get update
    sudo apt-get install tor deb.torproject.org-keyring
    sudo apt-get install apt-transport-tor
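One way to check the stated goal that software can only be downloaded through Tor, as an added example that is not part of the prototype. It assumes the Tor transport is selected per repository with the tor+http:// and tor+https:// URI schemes provided by apt-transport-tor; the function name is hypothetical and SAMPLE is constructed, reusing the two deb.torproject.org lines printed above next to invented mirror hostnames.

```python
"""Audit one-line APT source entries for repositories fetched outside Tor."""
import re

# deb|deb-src, optional [options], URI, suite, then components
ENTRY = re.compile(r"^(deb|deb-src)\s+(?:\[[^\]]*\]\s+)?(\S+)\s+(\S+)(.*)$")
LOCAL_SCHEMES = {"file", "cdrom", "copy"}   # local media, no network traffic

# Constructed sample of an /etc/apt/sources.list file.
SAMPLE = """\
# constructed sample
deb http://deb.torproject.org/torproject.org isepsafe main
deb-src http://deb.torproject.org/torproject.org isepsafe main
deb tor+http://archive.example.org/ubuntu trusty main
deb [arch=amd64] tor+https://mirror.example.org/ubuntu trusty universe
deb file:/mnt/repo trusty main
debb http://typo.example.org/ubuntu trusty main
"""


def audit_sources(text):
    """Return (line number, finding, detail) for every entry that would be
    fetched over the network without the Tor transport, or that cannot be
    parsed and therefore cannot be vouched for."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        match = ENTRY.match(line)
        if match is None:
            findings.append((lineno, "unparsed", line))
            continue
        uri = match.group(2)
        scheme = uri.split(":", 1)[0].lower()
        if scheme.startswith("tor+") or scheme in LOCAL_SCHEMES:
            continue
        findings.append((lineno, "not-tor", uri))
    return findings


if __name__ == "__main__":
    for lineno, finding, detail in audit_sources(SAMPLE):
        print(f"line {lineno}: {finding}: {detail}")
```

Entries reported as not-tor are fetched directly unless a system-wide proxy setting redirects them, so they are the ones to review first.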
After all configuration steps were concluded, the software that makes the prototype useful was added. These tools are meant to facilitate interaction in line with the ultimate goal of the prototype, which is to prevent the user's identity and location from being disclosed. Besides BleachBit, which securely cleans any folder or USB device connected to it, the Electrum Bitcoin Wallet, which ensures the safe use of Bitcoins in a specific wallet, ClamTk, which provides the user with an always updated antivirus, and anonymous chat systems such as Pidgin and TorChat, the prototype can disguise its MAC address every time it is started, reducing the possibility of tracking someone's MAC address. Finally, it was necessary to create a Live DVD of this configured system to conclude the prototype. Following the instructions available on the Ubuntu website, it was possible to create an end result with the following structure:

    (CD ROOT)
    |--------+casper
    |        |--------filesystem.${FORMAT}
    |        |--------filesystem.manifest
    |        |--------filesystem.manifest-desktop
    |        |--------vmlinuz
    |        |--------initrd.img
    |
    |--------+boot
    |        |--------+grub
    |        |        |--------grub.cfg
    |        |
    |        |--------memtest86+
    |
    |--------md5sum.txt
3. Conclusions
The initial objective of this work was to provide a prototype able to overcome the problem of online insecurity, namely the capture of private information and the blocking of access by censorship mechanisms. In the chapter Threats and Countermeasures, the most common solutions in the marketplace were identified. Some are completely open source; others, to ensure better security, ask the user to subscribe to a premium account with an amount payable for the services. During prototype development there was always a concern that a unique solution, among those observed in the chapter Threats and Countermeasures, should not be doomed to failure and lack of evolution. This is undoubtedly a project with potential for success. What differentiates it from similar products is that it cannot be installed on a hard disk and is not available on a USB stick, where it would be exposed to attacks and infections, and, finally, that it has a redundant system of anonymity for surfing the Web. The prototype can securely hide all usage by a specific user. It does not store or keep any information regarding its use or users. It safely shows a location other than the real one, where the physical host is. Using the Tor Browser in the prototype opens a secondary route within the Tor network, thus creating a network inside a network. This is also known as the second layer of the Deepweb (1). As can be observed in the following two images, the two locations differ. The physical location of the prototype was Lisbon, with the public IP 37.189.165.195, and the other was not.
Figure 3. Physical Location
The following image shows the prototype's disguised location when it is used to access the Web. As can be observed, the location is Switzerland, under a different IP address.
Figure 4. Prototype Location
After tests with 60 users it was possible to conclude that the prototype responds positively to the problem. Tests were made to ensure that the location always changed and that use of the apps maintained the anonymity of the users. It was also possible to conclude that using the prototype gives the test users a sense of security. The results of the statistical work and specific charts can be accessed at the following location: https://docs.google.com/forms/d/1ooH2Ia4JJ4sD40Xd9zKFEjx_I2qV1a99sV9YGVNnRLc/viewanalytics#start=publishanalytics
(1) Term given to the web that is only accessible using TOR technology or I2P.
4. Future Work
This work was immensely fruitful, as it made it possible to know in great detail the problems related to the security of information systems and the challenges faced by their users on the Web. Throughout this work, two possibilities for continuing the project were developed: a Linux From Scratch version and an Ubuntu Server version, which need to be completed and made available to third parties for testing. Another possibility is the continuation of this project by the methods described above, as part of a master's dissertation by another student. In the future, the author intends to create a department of computer security studies, similar to those existing in other higher education institutions in Portugal, which developed the only tool of Portuguese origin on the market today, the C3PIV of the University of Porto. The author is a doctoral (PhD) student in computer sciences at the University of Tras-os-Montes and Alto Douro in Portugal, researching security issues in the use of technology.
References
Assange J. (2013). The Spy Files, https://twitter.com/wikileaks/status/342812446534283264.
Barcena M., Wueest C. (2014). Insecurity of the Internet of Things, https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/insecurity-in-theinternet-of-things.pdf.
Boavida F., Bernardes M., Vapi P. (2013). Administração de Redes Informáticas, 2ª edição, FCA.
Carpenter T. (2011). Microsoft Windows Operating System Essentials, John Wiley & Sons.
Deibert R., Palfrey J., Rohozinski R., Zittrain J., Stain (2008). Access Denied: The Practice and Policy of Global Internet Filtering, MIT Press.
Internet Live Stats (2015). Data referent to internet usage in 2015, http://www.Internetlivestats.com/Internet-users.
Kuruvilla S., Lee C., Gallegher M. (2011). From Iron Rice Bowl to Informalization: Markets, Workers, and the State in a Changing China, Cornell University Press.
Locati F. (2015). OpenStack Cloud Security, Packt Publishing Ltd.
Lopez J., Ray I., Crispo B. (2014). Risks and Security of Internet and Systems: 9th International Conference, CRiSIS 2014, Trento, Italy, August 27-29, 2014, Revised Selected Papers, Springer.
Moore R. (2010). Cibercrime Investigating High-Technology Computer Crime, 1st edition, Routledge.
Murugesan S. (2009). Handbook of Research on Web 2.0, 3.0, and X.0.
O’Day P. (2013). NSA Surveillance: How it’s happening and why you should care, http://commons.pacificu.edu/cgi/viewcontent.cgi?article=1026&context=inter13.
O’Reilly T. (2009). What is Web 2.0, O’Reilly Media Inc.
Raymond E. (1997). New Hacker’s Dictionary, Library of Congress.
Santos P., Bessa R., Pimentel C. (2008). CyberWar – O Fenómeno, as tecnologias e os atores, FC.
Shea B. (2002). Have You Locked the Castle Gate?: Home and Small Business Computer Security, Addison-Wesley Professional.
Shelly G., Campbell J. (2012). Discovering the Internet: Complete, Cengage Learning.
Simões P. (2015). Dados dos utilizadores do euromilhões.com roubados, http://pplware.sapo.pt/informacao/alertadados-dos-utilizadores-do-euromilhoes-com-roubados.
Walker H. (2009). Improving Internet Access to Help Small Business Compete in a Global Economy, Nova Science Publishers.
Zwicky E., Cooper S., Chapman D. (2000). Building Internet Firewalls, O’Reilly Media Inc.