{"id":2688,"date":"2024-11-26T19:18:54","date_gmt":"2024-11-27T00:18:54","guid":{"rendered":"http:\/\/sudlatnid.com\/?p=2688"},"modified":"2024-11-27T20:30:22","modified_gmt":"2024-11-28T01:30:22","slug":"diy-for-a-spy-cybersecurity-techniques-for-the-secret-agent","status":"publish","type":"post","link":"https:\/\/www.sudlatnid.com\/?p=2688","title":{"rendered":"DIY for a Spy: Cybersecurity Techniques for the Secret Agent"},"content":{"rendered":"

Follow these simple steps to shield your privacy with a few essential tricks from the\u00a0White Hats<\/strong>\u00a0and experts in Information Security.<\/p>\n

\n
\n
\"\"<\/picture><\/div>\n<\/div>
Fedora Security Lab<\/a>\u00a0distributive with a few simple tricks<\/figcaption><\/figure>\n

You are here, and I assume you have likely already read one of my previous articles,\u00a0\u2018No Such Agency\u2019 and \u2018The Machine\u2019<\/a>, where I explained the components of the\u00a0global surveillance complex<\/strong>\u00a0known as\u00a0The Machine<\/em><\/strong>. In subsequent articles, I delved into the simple approaches which can be used to create your own surveillance features for your private missions without constructing a complex infrastructure. I believe you have already tried them, at least out of curiosity.<\/p>\n

In this article, I will guide you through the simple techniques to help you protect your computer during your most critical missions,\u00a0akin to those of a secret agent<\/em>, when\u00a0privacy<\/em>\u00a0is not just a word but a crucial necessity that can even save the life and keep you out of problems.<\/p>\n

Why might you need a shield?<\/h2>\n

The majority of techniques and tools available for\u00a0surveillance on individuals in the office<\/a>,\u00a0police<\/a>,\u00a0emergency services<\/a>, or\u00a0even aircraft monitoring<\/a>\u00a0are entirely legal and require no additional permits.\u00a0However, there are situations where you may need to operate outside of legal boundaries abroad on behalf of your government or such federal contractor, or even for military purposes against your country\u2019s enemies<\/em>. In such cases, obtaining enhanced privacy and protection for the computer environment becomes crucial for your mission. It is essential to protect both yourself and the environment you operate in from the potential penetration and hacking.<\/p>\n

\n

Try to avoid violating the law while using these approaches, which\u00a0have a dual nature<\/strong>\u00a0and can be employed on both sides:\u00a0White and Black<\/strong>.<\/p>\n<\/blockquote>\n

In some cases, when you serve as a\u00a0lawyer for individuals involved in criminal<\/em>, shielding communications between you and your clients also becomes important and builds a defensive barrier from \u2018The<\/em>\u00a0Machine\u2019<\/em>.<\/p>\n

There are numerous other cases I could list, however, avoiding surveillance is not a simple task, and here is why.<\/mark><\/p>\n

General note<\/h2>\n

The issue lies in the digital trail that devices create while operating and communicating with each other, even unintentionally. Every online action you undertake leaves a digital footprint, typically stored as data on the servers of your internet or service provider. This data can then be analyzed to understand user behavior and preferences.<\/p>\n

However, such a trail can compromise your security. As we\u2019ve learned from previous articles, systems like \u2018The Machine<\/em>\u2019 operate using a term called a\u00a0Selector<\/strong>, which can search under various criteria, including all aspects of individual activities\/actions.<\/p>\n

For example: if a device with a certain MAC address was registered on a router or in the logs of an internet provider at a particular location, and later this device was implicated in criminal activities, the system could trace its trail based on the digital footprint. In many cases, it\u2019s not even necessary for the MAC address to appear in both locations. Simply having that device logged into such a router with another one that leads to your actual location can make it easy for the system to track you.<\/p>\n

It means that even if both your secured computer and your cell phone are connected to the same internet router at your home, your privacy and actual location could be compromised thereafter.<\/p>\n

The most effective way to evade tracking is operating from the designated location(s), or each time in a new one, for your special missions, ensuring that\u00a0devices from your civilian life remain unconnected (switched off) in the dedicated network<\/strong>. Furthermore, avoid to connect your secured computer to your home network and let\u2019s explore the list of simple tricks I call the\u00a0Enhanced Security Module<\/em>, designed to shield your special warrior computer.<\/p>\n

Also, I want to emphasize that you might need to implement all of these techniques just if you want to totally avoid tracking. However, employing any of these tricks individually will also boost privacy on any computer.<\/p>\n

Warrior\u2019s Workstation<\/h2>\n

Let\u2019s think as a guy who wants to\u00a0get hidden from the matrix<\/strong>, in our case from \u2018The Machine<\/em>\u2019 which is ubiquitous.<\/p>\n

\n

Unfortunately, no one can be told what the Matrix is. You have to see it for yourself. This is your last chance. After this, there is no turning back. You take the blue pill \u2014 the story ends, you wake up in your bed and believe whatever you want to believe. You take the red pill \u2014 you stay in Wonderland and I show you how deep the rabbit-hole goes.\u201d<\/p>\n

Morpheus, from \u2018The Matrix\u2019 film.<\/p>\n<\/blockquote>\n

Initially, when you\u2019ve just bought your computer, ensure to make the purchase with cash, avoiding credit cards or electronic payments.\u00a0Upon powering it on for the first time<\/em>, it\u2019s crucial to make adjustments in the BIOS to prevent making electronic trail. You will need to\u00a0deactivate internal components such as Bluetooth, Wi-Fi, LAN, and the video camera<\/em>, as illustrated on the picture below.<\/p>\n

\n
\n
\"\"<\/picture><\/div>\n<\/div>
BIOS changes in Buit-in Device Configuration<\/figcaption><\/figure>\n

We will refrain from using these components. However, for establishing an internet connection, we will utilize a USB Wi-Fi device such as\u00a0TP-LINK TL-WN823N<\/a>\u00a0and dispose it by burning if it\u2019s suspected of being tracked during the certain mission.<\/p>\n

Firstly, install the operating system (Fedora Security Lab<\/a>), using for instance, your micro SD card, prepared for installation with\u00a0Fedora Media Writer<\/em>. Then, you will configure our\u00a0software tricks<\/strong>\u00a0to prevent tracking before initiating the Wi-Fi connection for the first time.<\/p>\n

Let\u2019s begin.<\/p>\n

Hide your MAC address<\/h2>\n

The\u00a0MAC address<\/em>\u00a0is a unique identifier assigned to all network interfaces. Since the MAC address is unique to each device, it can be used to track the device\u2019s movements and activities across different networks. We enhance our privacy by spoofing the actual MAC address.<\/p>\n

To accomplish this, we will utilize the\u00a0systemd service<\/em>\u00a0on Linux. Go to the directory\u00a0\/etc\/systemd\/system<\/code>\u00a0and proceed to create two files:\u00a0hide_mac.sh<\/code>\u00a0and\u00a0hide_mac.service<\/code>, as outlined below.<\/p>\n

The\u00a0hide_mac.sh<\/code>\u00a0script utilizes the\u00a0macchanger<\/em>\u00a0program to update the MAC address with a new one. You can specify any desired MAC address within the\u00a0mac_new\u00a0<\/code>variable.<\/p>\n

#!\/bin\/bash<\/span>\r\n\r\nmac_new=\"d0:57:7b:11:39:c2\"<\/span>\r\nnet_interface=\"wlp2s0f3u2\"<\/span>\r\n\r\nsudo macchanger --mac=$mac_new<\/span> $net_interface<\/span><\/span><\/pre>\n
Don\u2019t forget to update the variable\u00a0net_interface<\/code>\u00a0with the actual name of your Wi-Fi USB module, which you can find using the \u2018ifconfig<\/em>\u2019 command.<\/p>\n
The file\u00a0hide_mac.service<\/code>\u00a0provides a declarative description of the service and should be placed in the same folder without any modifications.<\/p>\n
[Unit]\r\nDescription=Hide MAC\r\n\r\n[Service]\r\nType=oneshot\r\nExecStart=\/etc\/systemd\/system\/hide_mac.sh\r\n\r\n[Install]\r\nWantedBy=multi-user.target<\/span><\/pre>\n
After you have finished creating these files, you have to execute the following commands in the\u00a0Linux console<\/em>.<\/p>\n
sudo systemctl enable<\/span> hide_mac.service\r\nreboot<\/span><\/pre>\n
After doing so, you should be able to see the\u00a0updated MAC address (d0:57:7b:11:39:c2)\u00a0<\/em>for your\u00a0network interface (wlp2s0f3u2)\u00a0<\/em>in \u2018ifconfig<\/em>\u2019, as shown on the screenshot bellow.<\/p>\n
\n
\n
\"\"<\/picture><\/div>\n<\/div>
d0:57:7b:11:39:c2 as a\u00a0new MAC address<\/strong>\u00a0for interface wlp2s0f3u2<\/figcaption><\/figure>\n
According to the service description in the file\u00a0hide_mac.service<\/code>, changing the MAC address should occur each time the user\u00a0powers on the computer<\/em>. This is level zero in enhancing your security.<\/p>\n
Did you know that on an\u00a0iPhone<\/em>, the\u00a0actual MAC address<\/em>\u00a0is hidden by default? When the device connects to the Wi-Fi network, iOS generates a\u00a0random MAC address<\/em>, known as a\u00a0private address<\/em><\/strong>, for each Wi-Fi network the device connects to. It appears that\u00a0iPhones<\/em>\u00a0are on the right side for enhancing the privacy and security of its customers.<\/p>\n
Hide your DNS location<\/h2>\n
Hiding your DNS location is crucial for shielding your privacy. Avoid using your service provider\u2019s DNS servers, as they can potentially lead to DNS leaks. Instead, always configure your own list of DNS servers. By doing so, you prevent anyone from determining your provider\u2019s location and consequently, your own address.<\/p>\n
To setup this, we will use the same as in the previous step\u00a0systemd service<\/em>\u00a0on Linux. Go again to the directory\u00a0\/etc\/systemd\/system<\/code>\u00a0and proceed to create three files:\u00a0hide_location.sh<\/code>,\u00a0hide_location.service<\/code>and\u00a0hide_location.timer<\/code>, as shown below.<\/p>\n
#!\/bin\/bash<\/span>\r\n\r\ndns_default=\"192.168.0.1\"<\/span>\r\ndns_opendns=\"208.67.222.222 208.67.220.220\"<\/span>\r\nnet_interface=\"wlp2s0f3u2\"<\/span>\r\n\r\nif<\/span> sudo resolvectl status | grep -q $dns_default<\/span>; then<\/span>\r\n    sudo resolvectl dns $net_interface<\/span> $dns_opendns<\/span>\r\nfi<\/span><\/span><\/pre>\n
As you may see in the listing above, the script checks if the\u00a0default DNS server<\/em>\u00a0is set up to your router\u2019s and in this case changes it to the list of\u00a0OpenDNS servers<\/em>, which are more secure.<\/p>\n
The file\u00a0hide_location.service<\/code>\u00a0simply defines the service.<\/p>\n
[Unit]\r\nDescription=Hide location DNS\r\n\r\n[Service]\r\nType=oneshot\r\nExecStart=\/etc\/systemd\/system\/hide_location.sh<\/span><\/pre>\n
Besides of that, the file\u00a0hide_location.timer<\/code>\u00a0specifies the conditions for launching the service. In our scenario, it triggers the service to start one minute after the computer boots up and then repeats every minute thereafter while you are using your workstation.<\/p>\n
We may need it in case something goes wrong with your network interface and settings revert back to their initial state.<\/p>\n
[Unit]\r\nDescription=Hide location DNS timer\r\n\r\n[Timer]\r\nOnBootSec=1m\r\nOnUnitActiveSec=1m\r\nUnit=hide_location.service\r\n\r\n[Install]\r\nWantedBy=timers.target<\/span><\/pre>\n
After creating these three files, you need to initiate your timer by executing the following commands in the\u00a0Linux console<\/em>.<\/p>\n
sudo systemctl enable<\/span> hide_location.timer\r\nreboot<\/span><\/pre>\n
After rebooting, verify the changes by executing \u2018resolvectl status<\/em>\u2019 in the\u00a0Bash-terminal<\/em>\u00a0as shown on the picture below. If everything is ok, you will see that the\u00a0current DNS server<\/em>\u00a0matches one of the\u00a0OpenDNS servers<\/em>\u00a0208.67.222.222<\/code>\u00a0instead of the default DNS\u00a0192.168.0.1<\/code><\/p>\n
\n
\n
\"\"<\/picture><\/div>\n<\/div>
DNS location is hidden and can\u2019t be determined in\u00a0DNS Leak<\/a><\/figcaption><\/figure>\n
This is really cool and with this simple trick, you have just enhanced your privacy on the\u00a0warrior computer<\/em>. In fact, you are now prepared to conduct your\u00a0DNS leak test<\/strong>. Simply navigate to the website\u00a0dnsleaktest.com<\/a>\u00a0and follow check your DNS privacy by clicking on the \u2018Standard test<\/em>\u2019 option.
\nIt should lead to the foreign country, not to yours.<\/p>\n
But your IP is in trouble. Let\u2019s fix it now.<\/p>\n
Use SSL-based OpenVPN<\/h2>\n
As you are aware from the\u00a0DNS leak test<\/em>, we did in the previous chapter, your DNS is secure now. However, the same cannot be said for your actual\u00a0public IP address<\/em>, which is currently unsecured, as you have likely observed on the main page of the\u00a0DNS Leak Test website<\/em>.<\/p>\n
Now, we are going to use a tunnel known as a VPN (Virtual Private Network). This creates a secure tunnel through which all your traffic passes. With this setup, nobody can determine your current location, and even your provider remains unaware of the destinations of the HTTP packages in your communications, as your traffic is encrypted.<\/p>\n
VPN over SSL (Secure Sockets Layer) works on port 443 which is used for HTTPS traffic and is encrypted using SSL\/TLS protocol. Using this configuration, VPN traffic can even bypass firewalls or other network restrictions that may be blocked by other VPN protocols.<\/p>\n
So that, we will use this third part as well adding\u00a0systemd service<\/em>\u00a0on Linux. As erlier, in the directory\u00a0\/etc\/systemd\/system<\/code>\u00a0we have to create file\u00a0open_vpn.sh<\/code>as shown below.<\/p>\n
#!\/bin\/bash<\/span>\r\n\r\nsystem_path=\"\/etc\/systemd\/system\"<\/span>\r\n\r\nmac_address=\"74:da:38:8b:a5:c2\"<\/span>\r\nping_server=\"208.67.220.220\"<\/span>\r\ndns_default=\"192.168.0.1\"<\/span>\r\n\r\n# Check if MAC is not hidden<\/span>\r\nif<\/span> sudo ifconfig | grep -q $mac_address<\/span>; then<\/span>\r\n    exit<\/span> 1\r\nfi<\/span>\r\n\r\n# Check ping to OpenDNS server<\/span>\r\nif<\/span> ! sudo ping -c 4 $ping_server<\/span> >\/dev\/null 2>&1; then<\/span>\r\n    exit<\/span> 1\r\nfi<\/span>\r\n\r\n# Check if DNS is not secured<\/span>\r\nif<\/span> sudo resolvectl status | grep -q $dns_default<\/span>; then<\/span>\r\n    exit<\/span> 1\r\nfi<\/span>\r\n\r\n# Check if VPN connection is not established <\/span>\r\nif<\/span> ! sudo ifconfig | grep -q \"tun1\"<\/span>; then<\/span>\r\n    vpn_config=$(shuf<\/span> \"$system_path<\/span>\/open_vpn.config\"<\/span> | head<\/span> -n 1)\r\n    sudo openvpn --config \"$system_path<\/span>\/$vpn_config<\/span>\"<\/span> --auth-user-pass \"$system_path<\/span>\/vpnbook-password-tcp443.txt\"<\/span>\r\nfi<\/span><\/span><\/pre>\n
As you may see from the listing above, initially, we verify whether the\u00a0MAC address<\/em>\u00a0has been hidden. Then, we confirm whether the\u00a0DNS leak<\/em>\u00a0has been resolved and the internet connection persists. After that, we examine if the\u00a0VPN tunnel (tun1)<\/em>\u00a0is not yet established. If it has not been established yet, we initiate the VPN connection by randomly selecting one of the\u00a0VPN configuration files<\/em>\u00a0listed in the\u00a0open_vpn.config<\/code>\u00a0file.<\/p>\n
The\u00a0open_vpn.config<\/code>\u00a0file consist names for\u00a0*.ovpn<\/strong>\u00a0files with OpenVPN settings as a plain text. In our case just a list of three files.<\/p>\n
The files\u00a0open_vpn.service<\/code>and\u00a0open_vpn.timer<\/code>\u00a0share a similar structure to what we discussed in the previous trick with\u00a0hide_location.timer<\/code>, and it is not necessary to explain that again.<\/p>\n
However, I\u2019d like to describe a few another files available for download from the repository towards this article. The files\u00a0vpnbook-de220-tcp443.ovpn<\/code>,\u00a0vpnbook-fr231-tcp443.ovpn<\/code>, and\u00a0vpnbook-uk68-tcp443.ovpn<\/code>\u00a0contain settings for the\u00a0OpenVPN program<\/em>. At the same time, the file\u00a0vpnbook-password-tcp443.txt<\/code>includes the credentials for accessing the\u00a0VPN service<\/em>. I have downloaded all these files and credentials from the\u00a0VPN Book<\/a>\u00a0website absolutely for free and you can do the same to update VPN settings to your own list, each time different.<\/p>\n
As usually, after doing so, you need to initiate your VPN service timer by executing the following commands in the\u00a0Linux console<\/em>.<\/p>\n
sudo systemctl enable<\/span> open_vpn.timer\r\nreboot<\/span><\/pre>\n
After rebooting, confirm the changes by running \u2018ifconfig<\/em>\u2019 command in the Bash terminal, as illustrated in the picture below. If everything is correct, you will see the presence of\u00a0tun1<\/code>\u00a0in the list, indicating that the VPN connection is active.<\/p>\n
\n
\n
\"\"<\/picture><\/div>\n<\/div>
VPN (tun1)<\/strong>\u00a0is established<\/figcaption><\/figure>\n
Great, we have just finished the building of the third level of privacy on our warrior workstation, which is truly remarkable. However, what if, during the mission, something goes wrong, and some of the shields become compromised due to adversary actions, penetration, or active hacking?<\/p>\n
Establish your own Security Guard<\/h2>\n
As mentioned above, there is a possibility that the computer could be compromised during your mission. In such a scenario, it\u2019s crucial to be promptly alerted to mitigate the breach swiftly. To fix this issue, we will set up an additional\u00a0Linux service<\/em>\u00a0tasked with monitoring for breaches while you are working on the workstation.<\/p>\n
Let\u2019s continue, go to the directory\u00a0\/etc\/systemd\/system<\/code>\u00a0as we did earlier and create there the following files.<\/p>\n
#!\/bin\/bash<\/span>\r\n\r\nagent=\"GUARD\"<\/span>\r\nmac_address=\"74:da:38:8b:a5:c2\"<\/span>\r\nping_server=\"208.67.220.220\"<\/span>\r\ndns_default=\"192.168.0.1\"<\/span>\r\n\r\nsend_message<\/span><\/span>()\r\n{\r\n   sudo -u under0 DISPLAY=:0 DBUS_SESSION_BUS_ADDRESS=unix:path=\/run\/user\/1000\/bus notify-send $agent<\/span> \"$1<\/span>\"<\/span>\r\n}\r\n\r\n# Check if MAC is hidden<\/span>\r\nif<\/span> sudo ifconfig | grep -q $mac_address<\/span>; then<\/span>\r\n    send_message \"MAC is not secured\"<\/span>\r\nfi<\/span>\r\n\r\n# Check ping to OpenDNS server<\/span>\r\nif<\/span> ! sudo ping -c 4 $ping_server<\/span> >\/dev\/null 2>&1; then<\/span>\r\n    send_message \"Internet connection lost\"<\/span>\r\nfi<\/span>\r\n\r\n# Check DNS<\/span>\r\nif<\/span> sudo resolvectl status | grep -q $dns_default<\/span>; then<\/span>\r\n    send_message \"DNS is not secured\"<\/span>\r\nfi<\/span>\r\n\r\n# Check if VPN connection is not established <\/span>\r\nif<\/span> ! sudo ifconfig | grep -q \"tun1\"<\/span>; then<\/span>\r\n    send_message \"VPN is not established\"<\/span>\r\nfi<\/span><\/span><\/pre>\n
Similar to the previous script, this one conducts checks on all aspects of security: whether the MAC address has been changed, whether the DNS leak has been resolved, whether the internet connection persists, and whether the VPN connection is established.<\/p>\n
If any of these conditions are not met, you will receive an\u00a0appropriate message<\/em>\u00a0in the top right corner of the desktop, as shown below.<\/p>\n
\n
\n
\"\"<\/picture><\/div>\n<\/div>
Enhanced Security Guard is alerting you<\/figcaption><\/figure>\n
Therefore, with this\u00a0Enhanced Security Guard<\/em>, which you can actually name as you prefer (place it in the variable\u00a0agent<\/code>\u00a0when you have your idea), you are fully protected and shielded, as was intended.<\/p>\n
Fedora Linux Troubleshooting<\/h2>\n
In the latest\u00a0distributions of Linux<\/em>, you may encounter an issue where your services fail to function properly after being enabled. You can easily check the service status and health, as well as errors, by executing the following command\u00a0sudo systemctl status hide_mac.service<\/code>.<\/p>\n
In most cases, this issue arises from the\u00a0SELinux policy subsystem<\/em>. If you are the only user of the computer, you likely don\u2019t need this subsystem. Let\u2019s explore a hotfix for this problem.<\/p>\n
Go to\u00a0Bash-terminal<\/em>\u00a0and execute the following:<\/p>\n
sudo nano \/etc\/selinux\/config\r\n\r\n# find the line that says SELINUX=enforcing and change it to SELINUX=disabled.<\/span>\r\n\r\n# save the modifications.<\/span>\r\n\r\nreboot<\/span><\/pre>\n
After disabling\u00a0SELINUX=disabled<\/code>, you will not encounter such problems, and your computer will be shielded and protected at the same time.<\/p>\n
What is next?<\/h2>\n
The general tricks have been established across all the services we created above. However, I would like to offer a few additional recommendations to further enhance your privacy on any computer, regardless of whether you use these techniques or not.<\/p>\n
Implementing these suggestions will boost your privacy. Take your time to at least learn about them:<\/p>\n