Algo VPN: Personal DIY VPN. For normals.

In this post, I walk you through the process of creating your own self-managed do-it-yourself VPN server running Algo VPN.

I have spent some time teaching normal non-tech people how to use Algo VPN and other Do-It-Yourself VPN solutions, and there are several issues that we encountered each time. So I wanted to put up a manual that everyone could use and that helps remove those issues. If you still find problems along the way, please let me know.

First, a few words about the solution: Algo is not the easiest way to set up a personal VPN, but I think it is the best. Using Algo VPN alternatives, such as Outline or OpenVPN AS, might be simpler but far from better. I will not discuss the drawbacks here; I will say that I tried them and used them and many more for a while. After that, I have found Algo the best possible solution for my overall setup, which ensures a) top speed, b) native OS support on all clients, c) open design, and d) minimal overall potential for user tracking.


Read this manual carefully before you start. It will save you a lot of pain.

There is one thing you will need before we start. It is an active Amazon account with a payment method linked to it, as we will use Amazon LightSail as a cloud engine for the virtual hosts we create. LightSail provides the first month of free usage, but you will still need a credit card to activate the service.

Step 0. Create a deployment user account in IAM

First, let’s create a user account that we will need during the installation. We will create it in Amazon IAM, assign a policy to it, and then input its access keys to Algo when asked.

Go to IAM users configuration console to create a new user: https://console.aws.amazon.com/iam/home#/users$new?step=details. Give the user a unique name and mark its access type as programmatic.

Create Algo user in AWS IAM

Next step, select “Attach existing policies directly” and then press the “Create policy” button.

Create AWS IAM policy for Algo user

A new browser tab will open for policy creation. Edit the policy using JSON mode.

Create AWS IAM policy as JSON

Copy and paste the JSON content below to the policy editor. You can find the original policy in Algo documentation: https://github.com/trailofbits/algo/blob/master/docs/deploy-from-ansible.md#lightsail.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LightsailDeployment",
      "Effect": "Allow",
      "Action": [
        "lightsail:GetRegions",
        "lightsail:GetInstance",
        "lightsail:CreateInstances",
        "lightsail:OpenInstancePublicPorts"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

When the JSON content is there, preview the policy.
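Before attaching the policy, it is worth confirming that the deployment user gets exactly the four Lightsail actions above and nothing wider. The following Python check is an added example (not part of Algo or this post): it parses a policy document and reports wildcard actions, actions Algo does not need, and required actions that no statement covers. `ALGO_POLICY` is a constructed copy of the policy above and `OVERBROAD_POLICY` is a constructed counter-example.

```python
"""Audit an IAM policy for the Algo deployment user against the actions it needs.

Added example, not part of Algo or this post. ALGO_POLICY copies the policy from the
manual; OVERBROAD_POLICY is a constructed, deliberately wide policy for comparison.
"""
import fnmatch
import json

# Actions the Algo Lightsail deployment is documented to need (see the policy above).
EXPECTED_ACTIONS = {
    "lightsail:GetRegions",
    "lightsail:GetInstance",
    "lightsail:CreateInstances",
    "lightsail:OpenInstancePublicPorts",
}

ALGO_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "LightsailDeployment",
    "Effect": "Allow",
    "Action": ["lightsail:GetRegions", "lightsail:GetInstance",
               "lightsail:CreateInstances", "lightsail:OpenInstancePublicPorts"],
    "Resource": ["*"]
  }]
}"""

# Constructed counter-example: what an impatient admin might paste instead.
OVERBROAD_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "TooWide",
    "Effect": "Allow",
    "Action": ["lightsail:*", "ec2:DescribeInstances"],
    "Resource": "*"
  }]
}"""


def audit_policy(policy_json, expected=EXPECTED_ACTIONS):
    """Return a list of human-readable findings; an empty list means the policy
    grants exactly the expected actions and nothing else."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given without a list
        statements = [statements]
    findings = []
    granted = []
    for stmt in statements:
        sid = stmt.get("Sid", "<no Sid>")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource grants everything except a list")
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            granted.append(action)
            if "*" in action:
                findings.append(f"{sid}: wildcard action {action!r}")
            elif action not in expected:
                findings.append(f"{sid}: action {action!r} is not needed by Algo")
    # Anything Algo needs that no granted pattern covers would make the deployment fail.
    for action in sorted(expected):
        if not any(fnmatch.fnmatchcase(action, pattern) for pattern in granted):
            findings.append(f"missing action {action!r}")
    return findings


if __name__ == "__main__":
    for name, doc in (("algo", ALGO_POLICY), ("overbroad", OVERBROAD_POLICY)):
        print(name, audit_policy(doc) or ["ok"])
```

Run it with `python3 audit_policy.py`; the first line should report `ok` and the second should list the wildcard and the unneeded EC2 action. The `Resource: "*"` entry is left alone on purpose, since the policy above uses it as documented.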

Edit AWS IAM policy as JSON

Give it a name and then hit “Create”.

Save AWS IAM policy

Go back to the IAM session and hit the refresh button to see your newly created policy in the list.

Refresh AWS IAM policy

Select the new policy by checking the box next to it and proceed.

Attach AWS IAM policy to Algo user

Skip the next step — don’t assign any tags — and go straight to Review your new user. After reviewing, hit “Create user.”

Review and create AWS IAM policy

If everything went well, you will see your new user and its access key parameters.

Review Algo IAM user

Copy these parameters somewhere safe and keep them until Algo asks you for them.

Step 1. Create a jump host

Now, let’s create a temporary jump host that we will use to run Algo. Running Algo could be hard if you are not running Linux or macOS on your desktop, so I found it more convenient to create a jump host for that. If you already have a Linux machine, you can skip this step.

Login to Amazon and go to https://lightsail.aws.amazon.com/ls/webapp/home/instances. There, manually create a new Ubuntu virtual host in any region.

Create Amazon LightSail instance

Make sure you create an “OS only” Linux host running Ubuntu 18.04 LTS.

Select Ubuntu Linux as instance OS

The most economical plan should be fine. Give the instance a unique name.

Select instance size and name

After the instance has been deployed, hit the terminal button. It will open an SSH session window.

Open instance virtual console
Review instance virtual console

Step 2. Install and configure Algo VPN

In the console window, run the following commands. You can copy and paste them to the terminal. When asked, “Restart services during package upgrades without asking?” answer “Yes.”

git clone https://github.com/trailofbits/algo
sudo apt update
sudo apt install -y python3-virtualenv
cd algo
python3 -m virtualenv --python="$(command -v python3)" .env &&
  source .env/bin/activate &&
  python3 -m pip install -U pip virtualenv &&
  python3 -m pip install -r requirements.txt

If you did everything correctly, you will see something like this in the end.

Clone Algo and install Python virtual environment

Next, you will need to edit the config file with nano or any other console-based text editor. If you are new to nano and the Linux command line, make a copy of the config file before editing it.

cp config.cfg config.bak
nano config.cfg

Once the editor is open, go to the “users” section and change it to reflect your user plan. Make sure there is a line for every device you are planning to put through the VPN server: one entry per person is not enough, because a person who connects several devices with the same user credentials at the same time may run into networking problems.

Edit Algo setup configuration

After you have finished editing the file, exit and save by pressing Ctrl+X, choosing “Yes,” and pressing Enter.

Step 3. Run Algo to deploy your VPN server

Now, run the Algo script and follow the instructions below to set up the VPN service correctly. If you make a mistake, don’t worry: you can abort the script by pressing Ctrl+C and typing “A,” and restart it at any time.

./algo

The first thing Algo will ask you is the cloud provider to use. We will stay with Amazon LightSail for the sake of this manual.

Select VPN server cloud provider

Next, give your VPN server a unique name.

Choose VPN server name

When asked “Do you want macOS/iOS IPsec clients to enable “Connect On Demand” when connected to cellular networks?” and “Do you want macOS/iOS IPsec clients to enable “Connect On Demand” when connected to Wi-Fi?” answer “Yes”: type “y” and press Enter. This will allow you to configure your clients to route all traffic through the VPN server at all times.
When asked, “List the names of any trusted Wi-Fi networks where macOS/iOS IPsec clients should not use “Connect On Demand,” don’t answer anything. You will be able to configure it later at the client-side if required.

When asked “Do you want to retain the keys (PKI)?” your answer will depend on whether you have plans to add more VPN users in the future. In this manual, we will answer “Yes” and demonstrate how to retain the PKI keys and Algo configurations for future use. But it is important to understand that if someone gets ahold of your PKI keys, they would be able to fully compromise your VPN server and all your network communications through it as a result.

When asked “Do you want to enable DNS ad blocking on this VPN server?” I recommend answering “Yes.” We are going to change this configuration later manually. If you are lazy, it will allow you to skip that part and fall back to the Algo default adblocking mechanism. However, it is worth noting that in this case allowing access to particular resources you would like to whitelist will be much more complicated, and we are not going to cover it in this manual.

When asked “Do you want each user to have their own account for SSH tunneling?” answer “No.” If you have reasons to do otherwise, you probably do not really need this manual.

Now, you will have to use the access key credentials of the technical user we have previously created in IAM. Copy “Access key ID” and paste it to the Algo input in your jump host SSH window as “aws_access_key.” Then, copy the “Secret access key” and paste it to Algo as “aws_secret_key” at the next step. To ensure your content is pasted correctly, use the built-in clipboard editor instead of just pasting the data into the window.

Wait until Algo setup runs
Insert cloud access key

Once the keys are inserted correctly, Algo will proceed to region selection.

Select VPN server cloud region

You can choose a region of your liking based on your preference of jurisdiction and privacy regime. Also, keep in mind that it will affect the websites’ behavior (e.g., default language) as you will be seen as a resident of the selected region. For instance, if you speak French, I assume Paris is the location of your choice.

If everything went well, there will be no more questions, and Algo will start deploying your new VPN server. At this point, you clearly understand why I recommended reading through the manual and collecting the keys before running Algo: you have probably been disconnected from your jump host console a few times and had to start the process from scratch. So, while you are waiting for Algo to complete, generate some activity in the console window — just press Enter once in a while to prevent disconnection.

Once the Algo script is complete, you will see the following picture. Copy the full text of the congratulations message and put it somewhere safe. The last 3 lines are the most important.

Wait until Algo setup is complete

Step 4. Download your VPN configurations

Next, zip and download the Algo directory. Run the following commands in the console.

cd ..
sudo apt -y install zip
zip -e -x "algo/.env/*" -r algo.zip algo/

The zip utility will ask you for a password. Choose a strong one. Then, create a new directory “www,” move the zip file there, enter it, and fire up a simple web server.

mkdir www
mv algo.zip www/
cd www
sudo python3 -m http.server 80

Now, open the public IP address of your jump host in a new browser window. You can find the IP in the LightSail console.

Access jump host via HTTP
Download VPN client config

Just download the archive to your local disk and unzip it. Make sure you stop the webserver after that.

Stop the HTTP server

Check if all the config files are present in the archive.

Access VPN client configuration files

If you see a directory named after the server’s IP address with a bunch of config files in it, everything went well, and you can shut down or delete your jump host now. In the LightSail console, you should see the newly created VPN server with the name you gave it during the Algo run and the same IP address as in the “configs” subdirectory name.
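Eyeballing the directory listing is easy to get wrong when there are many devices. The script below is an added example (not Algo’s own code or part of the original post) that reads the “users” list from your `config.cfg` and reports every user whose WireGuard client config is missing from the unpacked archive. It assumes the `configs/<server-ip>/wireguard/<user>.conf` layout that Algo writes; the `config.cfg` excerpt and the directory tree built in `demo()` are constructed for the example.

```python
"""Check that the unpacked Algo directory holds a WireGuard config for every user in config.cfg.

Added example, not part of Algo or this post. It assumes Algo's
configs/<server-ip>/wireguard/<user>.conf layout; the tree built in demo() is constructed.
"""
import os
import re
import tempfile

# Constructed excerpt of config.cfg with a three-device user plan.
SAMPLE_CONFIG = """\
users:
  - phone
  - laptop
  - tablet   # one entry per device, not per person

### Review these options BEFORE you run Algo
dns_adblocking: true
"""


def parse_users(config_text):
    """Return the names under the top-level 'users:' key.
    Line-based parse of the plain '  - name' list form used in the stock config.cfg,
    so PyYAML is not required."""
    users = []
    in_users = False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing spaces
        if not line:
            continue
        if re.match(r"^users:\s*$", line):
            in_users = True
            continue
        if in_users:
            item = re.match(r"^\s+-\s*(\S+)", line)
            if item:
                users.append(item.group(1))
            else:
                break  # the next top-level key ends the list
    return users


def find_missing_configs(algo_dir, users, server_ip):
    """Return {user: expected_path} for every user whose WireGuard config is absent."""
    missing = {}
    for user in users:
        path = os.path.join(algo_dir, "configs", server_ip, "wireguard", user + ".conf")
        if not os.path.isfile(path):
            missing[user] = path
    return missing


def demo():
    """Build a constructed tree where 'tablet' has no config and report it."""
    users = parse_users(SAMPLE_CONFIG)
    with tempfile.TemporaryDirectory() as algo_dir:
        wg_dir = os.path.join(algo_dir, "configs", "203.0.113.10", "wireguard")
        os.makedirs(wg_dir)
        for user in ("phone", "laptop"):
            with open(os.path.join(wg_dir, user + ".conf"), "w") as fh:
                fh.write("[Interface]\n# placeholder, not a real key\n")
        return sorted(find_missing_configs(algo_dir, users, "203.0.113.10"))


if __name__ == "__main__":
    print("users:", parse_users(SAMPLE_CONFIG))
    print("missing:", demo())
```

To use it on a real download, call `find_missing_configs("algo", parse_users(open("algo/config.cfg").read()), "<your server IP>")`. One caveat on the transfer itself: `zip -e` as shipped on Ubuntu uses the legacy ZipCrypto scheme, so the password only protects the archive against casual inspection. The archive is exposed over plain HTTP only for the moment of the download, so stop the web server right after it, as the manual says, and keep the unpacked keys off shared folders.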

You can start using your VPN by configuring the client devices. I recommend using native WireGuard software wherever possible. Otherwise, use IPsec/IKEv2.


Next, I will show you how to configure DNS-based anti-tracking mechanisms in your new VPN service. For now, play around with it and tell me if you had any trouble configuring it.

How to enable DNS over HTTPS in your browser

and stop your ISP from tracking you

brave://flags/#dns-over-https
chrome://flags/#dns-over-https
edge://flags/#dns-over-https
opera://flags/opera-doh
vivaldi://flags/#dns-over-https

Firefox: `Preferences/Network Settings/Enable DNS over HTTPS`

Safari: lagging behind, as usual 🙂 A dirty hack for macOS (proceed only if you understand what happens next):

% brew install cloudflare/cloudflare/cloudflared
% mkdir -p /usr/local/etc/cloudflared/
% cat <<EOT >/usr/local/etc/cloudflared/config.yaml
proxy-dns: true
proxy-dns-upstream:
- https://1.1.1.1/dns-query
- https://1.0.0.1/dns-query
EOT
% sudo cloudflared service install
% dig +short @52.59.201.192 github.com AA

If the test in the last line succeeded, you can change the system DNS (`System Preferences/Network/Advanced/DNS`) to 127.0.0.1. If something does not work, see the second link below.

Sources:
https://www.zdnet.com/article/dns-over-https-will-eventually-roll-out-in-all-major-browsers-despite-isp-opposition/
https://gist.github.com/soderlind/6a440cd3c8e017444097cf2c89cc301d

Instant Messengers and URLs

What happens when you send a link?

Various stories about malware spreading over SVG files sent on Facebook were circulating over the interwebs lately. You can read more about this vector and the methods used by malicious hackers in this post, but what caught my interest was not the attack itself.

As you probably know, SVG is a vector image format that is, in fact, an XML file containing drawing instructions and, surprisingly to some, capable of containing and running JavaScript code. For example, when opened in most modern browsers, this SVG will show you a blue circle and run an external script loaded from the redacted host.

SVG XML file
SVG file containing external JavaScript code.

This will work only when the browser is explicitly pointed to the SVG file URL or if the file is open from the disk; <img src= does not work anymore for obvious reasons.
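From the receiving side, the practical question is how to tell such a file from a plain image before serving or previewing it. The scanner below is an added example, not part of the original post: it walks the SVG with the standard library XML parser and reports script elements (inline or external), `foreignObject`, `on*` event handler attributes and `javascript:` URLs. `SAMPLE_SVG` is a constructed stand-in for the file described above (a blue circle plus an external script reference); the script URL is a placeholder, not the redacted host.

```python
"""Flag active content in an SVG before treating it as a plain image.

Added example, not from this post. SAMPLE_SVG is a constructed stand-in for the file
described above; the script URL is a placeholder.
"""
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

SAMPLE_SVG = f"""<svg xmlns="{SVG_NS}" xmlns:xlink="{XLINK_NS}" width="100" height="100">
  <circle cx="50" cy="50" r="40" fill="blue"/>
  <script xlink:href="https://example.invalid/script.js"/>
</svg>"""

CLEAN_SVG = f"""<svg xmlns="{SVG_NS}" width="100" height="100">
  <circle cx="50" cy="50" r="40" fill="blue"/>
</svg>"""


def _local(name):
    """Strip the {namespace} prefix that ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]


def scan_svg(svg_text):
    """Return a list of findings describing script-capable constructs; [] means none."""
    findings = []
    root = ET.fromstring(svg_text)  # ElementTree does not fetch external entities
    for elem in root.iter():  # includes the root element itself
        tag = _local(elem.tag).lower()
        if tag == "script":
            src = elem.get(f"{{{XLINK_NS}}}href") or elem.get("href")
            findings.append(f"script element loading {src}" if src else "inline script element")
        elif tag == "foreignobject":
            findings.append("foreignObject element (can embed HTML)")
        for attr, value in elem.attrib.items():
            name = _local(attr).lower()
            if name.startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            if value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL in {name} on <{tag}>")
    return findings


if __name__ == "__main__":
    print("sample:", scan_svg(SAMPLE_SVG) or "clean")
    print("clean: ", scan_svg(CLEAN_SVG) or "clean")
```

A non-empty result is a reason to rasterize the file or serve it with `Content-Disposition: attachment` and a restrictive Content-Security-Policy rather than inline; the check is deliberately conservative and does not try to sanitize the document in place.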

So, when this SVG topic has popped up again, this time in the context of poor content filtering in Facebook Messenger, I instinctively thought about privacy implications introduced by this (apparently inefficient) security measure. I thought it could be a good idea to use JavaScript code delivered in SVG to check how modern instant messengers process this file format.

After a series of messages sent to my wife and colleagues, I feel a subtle hope that I will not be banned from using the messengers I’ve tested. And, of course, I have some results to share.

The good news is that Signal, Viber, WhatsApp, and both Facebook Messenger and Telegram in their “secret” modes, all five claiming end-to-end encrypted communications, were not caught cheating. Although in WhatsApp and Telegram, pasted URLs resulted in some activity originating from the client, no one else appeared in the web-server logs.

The bad news is that that’s pretty much all the good news.

Starting with the expected and obvious: Slack actively fetches the linked content to preview it in the GUI. That’s cool; we all know that, so I use it as an example of what this kind of activity looks like for this post. So, when you send a link, the web server serving it registers this request in the log:

54.89.92.4 - - [21/Nov/2016:16:02:31 +0000] "GET /avakl.js HTTP/1.1" 404 152 "-" "Slackbot-LinkExpanding 1.0 (+https://api.slack.com/robots)"

Where 54.89.92.4 of course is a Slack instance in Amazon AWS:

$ whois 54.89.92.4 | grep Organization
Organization: Amazon Technologies Inc. (AT-88-Z)

Let’s take a look how other messengers deal with the links.

Skype sends 6 requests from 2 hosts, both belonging to Microsoft directly. A rich company can afford that.

23.101.61.176 - - [21/Nov/2016:15:38:44 +0000] "GET /avakl.svg HTTP/1.1" 200 328 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) SkypeUriPreview Preview/0.5"
23.101.61.176 - - [21/Nov/2016:15:38:44 +0000] "GET /avakl.svg HTTP/1.1" 200 328 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) SkypeUriPreview Preview/0.5"
23.101.61.176 - - [21/Nov/2016:15:38:44 +0000] "GET /avakl.svg HTTP/1.1" 200 328 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) SkypeUriPreview Preview/0.5"
23.101.61.176 - - [21/Nov/2016:15:38:44 +0000] "GET /avakl.svg HTTP/1.1" 200 328 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) SkypeUriPreview Preview/0.5"
104.45.18.178 - - [21/Nov/2016:15:38:44 +0000] "GET /avakl.svg HTTP/1.1" 200 328 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) SkypeUriPreview Preview/0.5"
104.45.18.178 - - [21/Nov/2016:15:38:44 +0000] "GET /avakl.svg HTTP/1.1" 200 328 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) SkypeUriPreview Preview/0.5"

Telegram fetches the image once, from its own directly owned network.

149.154.167.163 - - [21/Nov/2016:15:35:18 +0000] "GET /avakl.svg HTTP/1.1" 200 328 "-" "TelegramBot (like TwitterBot)"
$ whois 149.154.167.163 | grep -E '^descr|^person|^address'
descr: Telegram Messenger Network
person: Nikolai Durov
address: P.O. Box 146, Road Town, Tortola, British Virgin Islands
descr: Telegram Messenger Amsterdam Network

The URL sent via Facebook Messenger on mobile results in four requests from different addresses.

31.13.102.98 - - [21/Nov/2016:19:44:51 +0000] "GET /avakl.svg HTTP/1.1" 206 328 "-" "facebookexternalhit/1.1 (+https://www.facebook.com/externalhit_uatext.php)"
173.252.120.119 - - [21/Nov/2016:19:44:52 +0000] "GET /avakl.svg HTTP/1.1" 200 328 "-" "facebookexternalhit/1.1 (+https://www.facebook.com/externalhit_uatext.php)"
173.252.123.130 - - [21/Nov/2016:19:44:53 +0000] "GET /avakl.svg HTTP/1.1" 200 328 "-" "facebookexternalhit/1.1 (+https://www.facebook.com/externalhit_uatext.php)"
173.252.123.129 - - [21/Nov/2016:19:45:12 +0000] "GET /avakl.svg HTTP/1.1" 200 328 "-" "facebookexternalhit/1.1 (+https://www.facebook.com/externalhit_uatext.php)"

Facebook kindly explains its behavior at the URL provided in the user agent string.

However, when the link is sent via the Facebook website, look what happens:

31.13.113.194 - - [21/Nov/2016:15:11:58 +0000] "GET /avakl.svg HTTP/1.1" 206 328 "-" "facebookexternalhit/1.1"
66.220.145.243 - - [21/Nov/2016:15:12:01 +0000] "GET /avakl.svg HTTP/1.1" 200 328 "https://l.facebook.com/lsr.php?u=https%3A%2F%2F*******%2Favakl.svg&ext=1479741420&hash=AcnhtJ5F7tKqGD-kIHGSbCF0-TflNMaiR9WNCxHznoOqJw" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0"
66.220.145.243 - - [21/Nov/2016:15:12:01 +0000] "GET /kl.js HTTP/1.1" 200 283 "https://*******/avakl.svg" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0"
66.220.145.243 - - [21/Nov/2016:15:12:01 +0000] "GET /favicon.ico HTTP/1.1" 404 152 "https://*******/avakl.svg" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0"
66.220.145.243 - - [21/Nov/2016:15:12:03 +0000] "GET /keylogger? HTTP/1.1" 404 152 "https://*******/avakl.svg" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0"
66.220.145.243 - - [21/Nov/2016:15:12:04 +0000] "GET /keylogger? HTTP/1.1" 404 152 "https://*******/avakl.svg" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0"
66.220.145.243 - - [21/Nov/2016:15:12:05 +0000] "GET /keylogger? HTTP/1.1" 404 152 "https://*******/avakl.svg" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0"
66.220.145.243 - - [21/Nov/2016:15:12:06 +0000] "GET /keylogger? HTTP/1.1" 404 152 "https://*******/avakl.svg" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0"
66.220.145.243 - - [21/Nov/2016:15:12:07 +0000] "GET /keylogger? HTTP/1.1" 404 152 "https://*******/avakl.svg" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0"
66.220.145.243 - - [21/Nov/2016:15:12:08 +0000] "GET /keylogger? HTTP/1.1" 404 152 "https://*******/avakl.svg" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0"

As you can see, first some Facebook-owned host fetches the SVG, and after that there is a series of requests to the “embedded” script URL, which demonstrates that the script is actually run in some “browser.”
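The distinction drawn throughout this test is between a service that merely fetches a link and one that renders it far enough to run its script, and the evidence for the latter is a follow-up request whose referer is the fetched document. The script below is an added example (not part of the original post) that turns that reasoning into a check you can run over your own access log: it parses combined-format lines, groups them by user agent, and gives each agent a verdict of `previewed` or `executed`. `SAMPLE_LOG` is constructed from the kinds of lines shown above, with the redacted bait host replaced by `example.invalid` and one deliberately malformed line to show that bad input is skipped rather than fatal.

```python
"""Classify link-preview activity in a web server access log (Apache/nginx combined format).

Added example, not from this post. SAMPLE_LOG is constructed from the kinds of lines shown
above, with the redacted bait host replaced by example.invalid.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

SAMPLE_LOG = """\
149.154.167.163 - - [21/Nov/2016:15:35:18 +0000] "GET /avakl.svg HTTP/1.1" 200 328 "-" "TelegramBot (like TwitterBot)"
31.13.113.194 - - [21/Nov/2016:15:11:58 +0000] "GET /avakl.svg HTTP/1.1" 206 328 "-" "facebookexternalhit/1.1"
66.220.145.243 - - [21/Nov/2016:15:12:01 +0000] "GET /avakl.svg HTTP/1.1" 200 328 "https://l.example.invalid/lsr.php?u=x" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0"
66.220.145.243 - - [21/Nov/2016:15:12:01 +0000] "GET /kl.js HTTP/1.1" 200 283 "https://example.invalid/avakl.svg" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0"
66.220.145.243 - - [21/Nov/2016:15:12:03 +0000] "GET /keylogger? HTTP/1.1" 404 152 "https://example.invalid/avakl.svg" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0"
this line is deliberately malformed
"""


def parse_line(line):
    """Return a dict for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def analyze(log_text, bait_path="/avakl.svg"):
    """Group requests by user agent and decide, per agent, whether the bait was merely
    fetched ('previewed') or also rendered so that its script ran ('executed'); the
    latter shows up as follow-up requests carrying the bait URL as referer."""
    by_ua = defaultdict(lambda: {"ips": set(), "bait_fetches": 0, "followups": 0, "times": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # tolerate junk lines instead of aborting the whole analysis
        entry = by_ua[rec["ua"]]
        entry["ips"].add(rec["ip"])
        entry["times"].append(rec["time"])
        if rec["path"] == bait_path:
            entry["bait_fetches"] += 1
        elif rec["referer"].endswith(bait_path):
            entry["followups"] += 1
    report = {}
    for ua, e in by_ua.items():
        if e["followups"]:
            verdict = "executed"
        elif e["bait_fetches"]:
            verdict = "previewed"
        else:
            verdict = "unrelated"
        report[ua] = {
            "verdict": verdict,
            "ips": sorted(e["ips"]),
            "bait_fetches": e["bait_fetches"],
            "followups": e["followups"],
            # how long the agent kept at it, which is what the keylogger beacons show
            "span_seconds": (max(e["times"]) - min(e["times"])).total_seconds(),
        }
    return report


if __name__ == "__main__":
    for ua, info in analyze(SAMPLE_LOG).items():
        print(f"{info['verdict']:>9}  {ua[:40]:<40} ips={info['ips']} followups={info['followups']}")
```

Pointed at a real log (`analyze(open("access.log").read(), "/your-bait-path")`), the same grouping makes it easy to see which preview services only fetch once, which fan out across several addresses, and which ones keep a rendered page alive long enough for its script to beacon back.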

Strangely enough, Google Hangouts hasn’t shown any sign of interest in my links.

This leaves a lot of questions open. However, one thing is obvious: privacy policies are correct, and we don’t really own the stuff we send over Instant Messengers unless our comms are encrypted end-to-end.

During these tests I used the awesome JavaScript keylogger by John Leitch.

Personal infosec tips for 2016

(This post has been originally posted on LinkedIn on Dec 31, 2015).

It’s no secret that the computer security threat landscape changes constantly for both private individuals and corporations. Wannabe cybercriminals, as well as the real ones, compete with nation-state-sponsored intelligence agencies to get the most of our sensitive data. Their toolkits and modus operandi aren’t static, and neither should ours be.

Considering the ever-changing personal security agenda, I have decided to update my advice on personal computer security, or personal cybersecurity if you like (however, I assume this term is irrelevant in a private setting). It may look like I am biased towards Apple stuff at several points below, but there are at least two reasons for that. First, the company has made huge progress in protecting their customers’ privacy lately; second, I am a long-term Apple user myself, so these things are just closer to my experience. So, let’s go shopping 🙂

1. Use less software and regularly update what you use

The principal idea here is that the more software you use, the more vulnerable you are. If you don’t need it, or start it once a year just to remind yourself what it’s doing on your computer, remove it now. If you still use Java or Flash, you should consider removing them right now. There is no reasonable explanation for keeping Flash in your system, and Java is getting there too. So, unless your employer still runs some piece of enterprise crapware that requires Java for workstation clients, remove it as well. And if you can’t, at least consider forbidding it from running in your browser. A lot’s been said about keeping all your code up to date, so just do it. Pay most attention to your OS and web browser, and review the possibility of automating third-party app updates by using Secunia PSI or MacInformer. (Most Linux users are lucky, since software updating is an essential function of all modern distros.)

2. Use a VPN service or setup your own

VPNs are getting cheaper each day because, you know… the NSA has made it a highly competitive market lately. You can get a single subscription for all your devices from FreedomeVPN by F-Secure or PrivateVPNAccess. Both are affordable if connection privacy is of importance to you. You can even set up your own server on Amazon or DigitalOcean and run it for the cost of one virtual instance (DO price is $5 per month + $1 if you want backups). OpenVPN AS is much easier to install and configure than the true open-source OpenVPN, and it has a free license for 2 concurrent users and easy-to-use client software for all contemporary environments (no WinMobile though).

3. Use secure communications software

There are plenty of means for secure talks and messaging nowadays. On your smartphone, OpenWhisperSystems Signal does its job of protecting your VoIP calls and text messages. It’s free and runs smoothly on iOS and Android (no luck for those three WinMobile fans I can think of). If you decide to use something else, make sure its architecture is server-less, meaning your messages are encrypted peer-to-peer and not stored anywhere in between. iMessage, although limited to Apple users, is one of the plausible examples, and Facebook Messenger is not.

For email, use good old PGP. GPGTools allows using it with Apple Mail easily and transparently. I am sure there is a way of installing GnuPG with your email client on Windows and Linux has been providing its users with this capability for years. GMail fans who still rely on webmail interface can do it too. So it looks like there is no excuse left for those who say email crypto is hard: it’s absolutely not for quite a while now. GPGTools is free but I’m sure you’re going to donate once you see its value.

4. Use a password manager

There is no need to remember more than a few passphrases these days. Get a password manager that synchronizes between your devices, protect it with a strong password, and generate unique, random, virtually unbreakable authentication keys for everything else. Personally I recommend using 1Password if Apple ecosystem is your friend, otherwise you can take a look at Keepass. 1Password can be free unless you need iCloud sync, and Keepass is free and opensource.

5. Encrypt your files before putting them into the cloud

Boxcryptor encrypts your stuff before your Dropbox, iCloud, Google Drive etc. synchronizes it to their servers and gets ahold of your content. There is no reason to share your precious files with someone you don’t even know personally, so encrypt them before you upload them. Boxcryptor allows you to share files securely too by adding other users to encrypted shares and granularly managing their permissions. I suppose there are other services like that, just make sure they don’t have easy access to your keys and encrypt files locally before uploading. Boxcryptor is free to use with just one cloud storage.

6. Backup everything and backup frequently

Offline storage space gets less and less expensive each year. Buy a 1 or 2 TB USB hard drive and back up your valuable files at least once a month. Most importantly, encrypt your backups and back up your encryption keys, such as PGP keys and the password database. Again, Apple users are the luckiest ones, since the platform allows for seamless full and incremental backups protected by contemporary crypto.

That’s it for now. Be safe in 2016.

Updated 7/01/16 — This is a really nice guide on how you can make your work with OS X more secure. It overlaps with some points I’ve highlighted in my post, and I believe every Mac user can find lots of good advice in there.