Monday, January 16, 2017

A semi-anonymous jump box, Part I: Email

I am finally making another post.  Yeah, there is a 3-year gap since my last post, but whatever.  Life happens.

This post is part one of a series about setting up semi-anonymous remote boxes.  Normally when I scan/probe cybercriminal servers and dropsites, routing through TOR on a VM is enough.  Lately, however, I've found that having a remote, VPS-type jump box that can't easily be traced back to me would be useful.


Now I want to take a moment to make something very clear.  The reason I say "semi-anonymous" and "can't easily be traced" is because the goal here is to protect myself against an average cybercriminal, not a nation-state adversary.  These steps would not protect anyone from a nation-state investigation.  With that said, let's get started.


This is what we're starting with:
  • 25 dollars cash
  • the ability to surf TOR .onion sites
This is what we want:
  • an email address
  • a bitcoin wallet with a little satoshi in it
  • a PayPal account
  • a linux VPS
Again, all of those assets must be semi-anonymous and not easily attributable to us.


These things will be acquired step by step, and along the way these three rules must be followed at all times:
  1. assets can only be connected to via TOR
  2. assets never communicate directly with any accounts we own (i.e. once we have our first email address, never send/receive email to/from it with another account we own)
  3. assume all new assets are compromised and that you are being watched by your adversary, then verify what they can learn about us (to mentally check the assets' anonymity and to help maintain opsec)

First off is email.  Since we want an email account that can be accessed via TOR, a quick Google search for "tor email providers" is probably the best way to start.  At the time of writing, the top result was this Reddit post listing several providers, with a bonus comment thread mentioning some good points about Sigaint.  We'll go ahead with that option.

[07/08/17 Update: Sigaint has since gone offline with no indication of return. Others are still available.]


Setting up a new Sigaint account is pretty normal; once that is done, let's do a quick check of our three rules:

  1. assets can only be connected to via TOR - Check. Sigaint only has the hidden service, so it can only be connected to via TOR. We're good here.
  2. assets never communicate directly with any accounts we own - Check. Since Sigaint does not require a pre-existing email address to be provided, this account is not tied to any other accounts we own. We just need to make sure not to send/receive any email between this account and any accounts we own, and we're good to go.
  3. assume all new assets are compromised and that you are being watched by your adversary, then verify what they can learn about us - So let's say our adversary is suddenly able to log in to this new Sigaint account or compromise the Sigaint servers. What can they learn about us? Well, if we are disciplined about rule 2, they cannot associate this account with any 'real' accounts we own. If they compromised the Sigaint servers and were watching network logs, because of rule 1 they could not get our home IP. At most, they could watch what times we log in and try to deduce our timezone. There are various guard node attacks that could possibly de-anonymize us, but those are (so far) nation-state capabilities.
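
Rule 3 is easier to keep honest if you actually look at what the account emits. As an added example (my own code for this post, not anything from Sigaint or the Reddit thread), here is a small Python script that audits the headers of a message for the metadata an adversary with mailbox or server access would use: client and LAN IPs in the routing headers, the UTC offset and hour of day in the Date header, the hostname baked into the Message-ID, and the mail client banner. Both sample messages are constructed, the `example.invalid` domain and the `LAN_NETS` ranges are assumptions, and the "clean" sample shows what a webmail hidden service tends to leave behind by comparison.

```python
"""Rule-3 self-check: what do this message's headers say about the sender?
Added example for this post; the two sample messages below are constructed."""
import email
import ipaddress
import re
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample 1: sent from a desktop client on a home network.
LEAKY_RAW = """\
Received: from [10.0.0.23] (unknown [198.51.100.7])
    by mail.example.invalid (Postfix) with ESMTPSA id ABC123;
    Mon, 16 Jan 2017 09:14:02 -0500 (EST)
Date: Mon, 16 Jan 2017 09:14:02 -0500
From: alias@example.invalid
To: contact@example.invalid
Subject: test
Message-ID: <20170116141402.1234@workstation.home.lan>
User-Agent: Mozilla/5.0 (X11; Linux x86_64) Thunderbird/45.6.0
X-Originating-IP: 198.51.100.7

hello
"""

# Constructed sample 2: the same message as hidden-service webmail might emit
# it: no client IP, a UTC timestamp, a server-side Message-ID, no client banner.
CLEAN_RAW = """\
Date: Mon, 16 Jan 2017 14:14:02 +0000
From: alias@example.invalid
To: contact@example.invalid
Subject: test
Message-ID: <20170116141402.1234@mail.example.invalid>

hello
"""

# Assumed home/LAN ranges; anything outside them is treated as routable.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
IP_HEADERS = ("Received", "X-Originating-IP", "X-Client-IP")
CLIENT_HEADERS = ("User-Agent", "X-Mailer")


def _unfold(value):
    # Collapse folded header continuation lines into one space-separated line.
    return " ".join(str(value).split())


def leaked_ips(msg):
    """Map each IPv4 literal in the routing headers to 'LAN' or 'routable'."""
    found = {}
    for name in IP_HEADERS:
        for value in msg.get_all(name, []):
            for literal in IPV4_RE.findall(_unfold(value)):
                try:
                    addr = ipaddress.ip_address(literal)
                except ValueError:
                    continue  # e.g. a dotted version number, not an address
                found[literal] = "LAN" if any(addr in n for n in LAN_NETS) else "routable"
    return found


def timezone_hint(msg):
    """(UTC offset in hours, local hour of day) from the Date header, or None."""
    date = msg.get("Date")
    if not date:
        return None
    when = parsedate_to_datetime(_unfold(date))
    if when.tzinfo is None:  # '-0000' means 'no local time info'
        return None
    return when.utcoffset().total_seconds() / 3600, when.hour


def message_id_host(msg):
    """Hostname after '@' in Message-ID; desktop clients often use the machine name."""
    m = re.search(r"@([^>\s]+)>", _unfold(msg.get("Message-ID", "")))
    return m.group(1) if m else None


def audit(raw):
    """Collect every header detail that narrows down who or where the sender is."""
    msg = email.message_from_string(raw)
    tz = timezone_hint(msg)
    return {
        "ips": leaked_ips(msg),
        "utc_offset_hours": tz[0] if tz else None,
        "local_hour": tz[1] if tz else None,
        "message_id_host": message_id_host(msg),
        "from_domain": parseaddr(_unfold(msg.get("From", "")))[1].rpartition("@")[2].lower(),
        "client": next((_unfold(msg[h]) for h in CLIENT_HEADERS if msg.get(h)), None),
    }


def risk_notes(report):
    """Plain-language findings; an empty list means nothing obvious leaked."""
    notes = [f"{ip} ({kind}) appears in routing headers" for ip, kind in report["ips"].items()]
    if report["utc_offset_hours"] not in (None, 0.0):
        notes.append(f"Date header carries a UTC offset of {report['utc_offset_hours']:+.1f} h")
    if report["client"]:
        notes.append(f"client banner: {report['client']}")
    host, dom = report["message_id_host"], report["from_domain"]
    if host and not (host == dom or host.endswith("." + dom)):
        notes.append(f"Message-ID names a host outside the mail domain: {host}")
    return notes


if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY_RAW), ("clean", CLEAN_RAW)):
        print(label, risk_notes(audit(raw)) or ["nothing obvious leaked"])
```

Run it against a message you sent yourself from the new account (saved as raw source) rather than the samples; anything `risk_notes` reports is exactly what the rule-3 adversary would be reading, and a non-zero UTC offset is the timezone clue mentioned above.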

So far, so good. Next up, we will see how we can turn 25 dollars cash into some bitcoins using our new TOR email address.