galilao

Man in the middle attack?


Hello: I have noticed that no matter what VPN server I am connected to, and run a DNS leak test, the DNS servers do not change, with the VPN on or off. I called my ISP and was told that the addresses of the ISP's DNS servers are 72.235.80.12 and 72.235.80.4. However, what I always see are 66.233.234.27 and 64.13.115.27, whether the VPN is on or off and it makes no difference what AirVPN server I am connected to. Both my DSL modem and separate router are set to 72.235.80.12 for the DNS servers. In the Apple Leopard control panel I have 72.235.80.12 typed in. I do not have 66.233.234.27 and 64.13.115.27 typed in.

Back in 2007 I was hit by a man in the middle attack by the American National Security Agency. Is this another man in the middle attack?
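The symptom in this post is that the resolver addresses reported by a leak test differ from the ones configured on the host, the modem and the router. The following Python script is an added example, not code from the original thread or from AirVPN. It reads resolver configuration in either /etc/resolv.conf form or the `nameserver[0] : a.b.c.d` lines printed by `scutil --dns` on OS X (that output format is an assumption), lists the resolvers actually configured, and classifies what a leak test reports: if the observed servers appear nowhere in the local configuration, the local settings are not what is choosing them and the answers are coming from something beyond the host (a forwarding resolver on the modem/router, or interception upstream). The sample text and the address lists are constructed for the example; the addresses themselves are the ones quoted in the post.

```python
import re

# Constructed sample in the style of `scutil --dns` on OS X (format assumption);
# not captured from the poster's machine.
SAMPLE_SCUTIL = """\
DNS configuration

resolver #1
  nameserver[0] : 72.235.80.12
  nameserver[1] : 66.233.234.27
  if_index : 4 (en0)
"""

# Constructed sample in /etc/resolv.conf style.
SAMPLE_RESOLV_CONF = """\
# generated by the system, do not edit
nameserver 64.13.115.27
nameserver 72.235.80.12
"""

# Matches "nameserver 1.2.3.4" and "nameserver[0] : 1.2.3.4" (IPv4 only).
NAMESERVER_RE = re.compile(
    r"^\s*nameserver(?:\[\d+\])?\s*:?\s*(\d{1,3}(?:\.\d{1,3}){3})\s*$"
)


def configured_resolvers(text):
    """Resolver addresses found in the configuration text, in order, deduplicated."""
    seen = []
    for line in text.splitlines():
        m = NAMESERVER_RE.match(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def unexpected_resolvers(text, expected):
    """Configured resolvers that are not in the list we intended to use."""
    expected = set(expected)
    return [ip for ip in configured_resolvers(text) if ip not in expected]


def classify_leak(observed, configured, expected):
    """Classify the resolver addresses a leak test reports.

    'expected'   : every observed resolver is one we intended to use
    'configured' : an observed resolver is in the local config but was not intended
                   (something edited the resolver settings on this host)
    'upstream'   : an observed resolver appears nowhere in the local config, so the
                   queries are being answered by something beyond this host, e.g. a
                   forwarding resolver on the modem/router or interception upstream
    """
    observed, configured, expected = set(observed), set(configured), set(expected)
    if observed <= expected:
        return "expected"
    if observed <= configured:
        return "configured"
    return "upstream"


if __name__ == "__main__":
    isp = ["72.235.80.12", "72.235.80.4"]
    print("configured:", configured_resolvers(SAMPLE_SCUTIL))
    print("not intended:", unexpected_resolvers(SAMPLE_SCUTIL, isp))
    print("leak test shows 66.233.234.27 and 64.13.115.27 ->",
          classify_leak(["66.233.234.27", "64.13.115.27"], ["72.235.80.12"], isp))
```

On a real machine, feed the script the output of `scutil --dns` or the contents of /etc/resolv.conf instead of the constructed samples; the "upstream" result is the one that says the host configuration is not the place to keep looking.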


Hello!

Would you like (if you can) to elaborate about the MITM attack you claim from the NSA?

66.233.234.27 and 64.13.115.27 appear to be servers of Clearwire, an American provider of 4G services. MITM attacks are extremely difficult (impossible?) with OpenVPN, even for the NSA. Their quickest solution to wiretap someone who's using OpenVPN would be the injection of some spyware directly on his/her devices, so that he/she would not even be aware of their "interest" and they would not need to bother about any encryption.

Can you please try to secure your connection with the indications given in the following link and perform the DNS leak test again?

https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=1713&Itemid=142

We're looking forward to hearing from you.

Kind regards


Hello: Which message are you referring to? I cannot find #1732. Also what is a good spyware checker for OS X? There is very feasibly spyware on my drive A because when I boot off of drive B, the problem goes away, but returns if I again boot off of drive A.


I am still on drive B and cannot connect to AirVPN. What is wrong? Here is the Tunnelblick log.

2012-07-25 07:05:50 *Tunnelblick: OS X 10.5.8; Tunnelblick 3.2.2 (build 2891.2917)
2012-07-25 07:05:51 *Tunnelblick: Attempting connection with UKDelphiniUDPk; Set nameserver = 1; monitoring connection
2012-07-25 07:05:51 *Tunnelblick: /Applications/Tunnelblick.app/Contents/Resources/openvpnstart start UKDelphiniUDPk.ovpn 1339 1 0 0 0 49 -atDASNGWrdasngw
2012-07-25 07:05:51 *Tunnelblick: kextload: /Applications/Tunnelblick.app/Contents/Resources/tun-20090913.kext loaded successfully
2012-07-25 07:05:51 *Tunnelblick: openvpnstart message: Loading tun-20090913.kext
2012-07-25 07:05:51 *Tunnelblick: Established communication with OpenVPN
2012-07-25 07:05:51 OpenVPN 2.2.1 i386-apple-darwin10.8.0 [SSL] [LZO2] [PKCS11] [eurephia] built on Jan 8 2012
2012-07-25 07:05:51 MANAGEMENT: TCP Socket listening on 127.0.0.1:1339
2012-07-25 07:05:51 Need hold release from management interface, waiting...
2012-07-25 07:05:51 MANAGEMENT: Client connected from 127.0.0.1:1339
2012-07-25 07:05:51 MANAGEMENT: CMD 'pid'
2012-07-25 07:05:51 MANAGEMENT: CMD 'state on'
2012-07-25 07:05:51 MANAGEMENT: CMD 'state'
2012-07-25 07:05:51 MANAGEMENT: CMD 'hold release'
2012-07-25 07:05:51 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2012-07-25 07:05:51 WARNING: file 'user.key' is group or others accessible
2012-07-25 07:05:51 LZO compression initialized
2012-07-25 07:05:51 Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
2012-07-25 07:05:51 Socket Buffers: R=[42080->65536] S=[9216->65536]
2012-07-25 07:05:51 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
2012-07-25 07:05:51 Local Options hash (VER=V4): '22188c5b'
2012-07-25 07:05:51 Expected Remote Options hash (VER=V4): 'a8f55717'
2012-07-25 07:05:51 UDPv4 link local: [undef]
2012-07-25 07:05:51 UDPv4 link remote: 146.185.25.170:443
2012-07-25 07:05:51 MANAGEMENT: >STATE:1343235951,WAIT,,,
2012-07-25 07:05:51 *Tunnelblick: openvpnstart: /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.2.1/openvpn --cd /Users/imanonymous/Library/Application Support/Tunnelblick/Configurations --daemon --management 127.0.0.1 1339 --config /Users/imanonymous/Library/Application Support/Tunnelblick/Configurations/UKDelphiniUDPk.ovpn --log /Library/Application Support/Tunnelblick/Logs/-SUsers-Simanonymous-SLibrary-SApplication Support-STunnelblick-SConfigurations-SUKDelphiniUDPk.ovpn.1_0_0_0_49.1339.openvpn.log --management-query-passwords --management-hold --script-security 2 --up /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w -d -atDASNGWrdasngw --down /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m -w -d -atDASNGWrdasngw --up-restart
2012-07-25 07:05:53 MANAGEMENT: >STATE:1343235953,AUTH,,,
2012-07-25 07:05:53 TLS: Initial packet from 146.185.25.170:443, sid=30aea6ab c9eb3cc5
2012-07-25 07:05:54 VERIFY OK: depth=1, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=airvpn.org_CA/emailAddress=info@airvpn.org
2012-07-25 07:05:54 VERIFY OK: nsCertType=SERVER
2012-07-25 07:05:54 VERIFY OK: depth=0, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=server/emailAddress=info@airvpn.org
2012-07-25 07:05:58 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
2012-07-25 07:05:58 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2012-07-25 07:05:58 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
2012-07-25 07:05:58 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2012-07-25 07:05:58 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
2012-07-25 07:05:58 [server] Peer Connection Initiated with 146.185.25.170:443
2012-07-25 07:05:59 MANAGEMENT: >STATE:1343235959,GET_CONFIG,,,
2012-07-25 07:06:00 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
2012-07-25 07:06:00 AUTH: Received AUTH_FAILED control message
2012-07-25 07:06:00 SIGTERM received, sending exit notification to peer
2012-07-25 07:06:03 event_wait : Interrupted system call (code=4)
2012-07-25 07:06:03 TCP/UDP: Closing socket
2012-07-25 07:06:03 SIGTERM[hard,] received, process exiting
2012-07-25 07:06:03 MANAGEMENT: >STATE:1343235963,EXITING,SIGTERM,,
2012-07-25 07:06:03 *Tunnelblick: Flushed the DNS cache
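The log above contains the three facts a reader needs to pull out of it: the server certificate chain verified (depth=1 CA and depth=0 server both VERIFY OK), the TLS control channel came up (Peer Connection Initiated), and the server then rejected the account with AUTH_FAILED; it also warns that user.key is readable by other users. The following Python script is an added example, not part of the thread or of Tunnelblick, that triages an OpenVPN client log into exactly those facts. The embedded sample is a constructed excerpt in the same line format as the posted log (timestamps and the endpoint address are copied from it), and the handful of message prefixes it matches on are the ones visible in that log.

```python
import re

# Constructed excerpt in the Tunnelblick/OpenVPN line format of the posted log.
SAMPLE_LOG = """\
2012-07-25 07:05:51 *Tunnelblick: Established communication with OpenVPN
2012-07-25 07:05:51 WARNING: file 'user.key' is group or others accessible
2012-07-25 07:05:51 UDPv4 link remote: 146.185.25.170:443
2012-07-25 07:05:54 VERIFY OK: depth=1, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=airvpn.org_CA/emailAddress=info@airvpn.org
2012-07-25 07:05:54 VERIFY OK: nsCertType=SERVER
2012-07-25 07:05:54 VERIFY OK: depth=0, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=server/emailAddress=info@airvpn.org
2012-07-25 07:05:58 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
2012-07-25 07:05:58 [server] Peer Connection Initiated with 146.185.25.170:443
2012-07-25 07:06:00 AUTH: Received AUTH_FAILED control message
2012-07-25 07:06:03 SIGTERM[hard,] received, process exiting
"""

# "<date> <time> [*Tunnelblick: ]<message>"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?:\*Tunnelblick: )?(.*)$")


def triage_openvpn_log(text):
    """Reduce an OpenVPN client log to the facts that decide why a connection failed."""
    summary = {
        "remote": None,                  # server endpoint the client talked to
        "server_cert_verified": False,   # CA (depth=1) and server (depth=0) both VERIFY OK
        "tls_established": False,        # control channel came up
        "auth_failed": False,            # server rejected the credentials after TLS
        "insecure_key_file": None,       # key file readable by group/others, if warned
        "verify_errors": [],             # any VERIFY ERROR lines, verbatim
    }
    depths_ok = set()
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group(2)
        if msg.startswith("UDPv4 link remote:") or msg.startswith("TCPv4 link remote:"):
            summary["remote"] = msg.split(":", 1)[1].strip()
        elif msg.startswith("VERIFY OK: depth="):
            depths_ok.add(int(msg[len("VERIFY OK: depth="):].split(",")[0]))
        elif msg.startswith("VERIFY ERROR"):
            summary["verify_errors"].append(msg)
        elif "Peer Connection Initiated" in msg:
            summary["tls_established"] = True
        elif "AUTH_FAILED" in msg:
            summary["auth_failed"] = True
        elif "is group or others accessible" in msg:
            summary["insecure_key_file"] = msg.split("'")[1]
    summary["server_cert_verified"] = {0, 1} <= depths_ok and not summary["verify_errors"]
    return summary


def diagnosis(summary):
    """One-line reading of the summary, most serious condition first."""
    if summary["verify_errors"]:
        return "server certificate did not verify: do not trust this endpoint"
    if summary["auth_failed"]:
        return "TLS and certificate checks passed; the server rejected the account credentials"
    if summary["tls_established"]:
        return "connected"
    return "no TLS session established"


if __name__ == "__main__":
    s = triage_openvpn_log(SAMPLE_LOG)
    for k, v in s.items():
        print(f"{k}: {v}")
    print(diagnosis(s))
    if s["insecure_key_file"]:
        print(f"note: restrict permissions on {s['insecure_key_file']} (e.g. chmod 600)")
```

The ordering in `diagnosis` matters: a certificate verification failure would mean the client is not talking to the expected server at all, so it outranks an authentication failure, which in this log only happened after the server's identity had been confirmed.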


Hello!

According to various sources, MacScan is a good software against malware, including spyware. However, if the spyware has been designed specifically against you and your system, MacScan (or any other product) will fail to detect it. A careful examination of your system and your connections, for example with the help of LittleSnitch (which will inform you about any connection attempt from any task/process), may help. Of course, one might think that your adversary has already thought about LittleSnitch too, so the only secure solution would be starting over with a completely clean system and installing on it all the security measures before anything else.

Here you can find MacScan and LittleSnitch:

http://macscan.securemac.com/

http://www.obdev.at/products/littlesnitch/index.html

Kind regards


Hello!

Did you give your personal key to anyone? Please note that if someone has your certificates and keys and wiretaps your line, he/she can NOT decrypt your communications with our servers (unless you have some spyware/keylogger in your system, but that's another matter), but he/she CAN connect with your account.

Kind regards


Hello,

The NSA spliced in its copy of F-Secure encryption software. I thought I was connecting to anonymizer.com's F-Secure, but it was actually the NSA's copy, so the NSA saw everything in the clear.

Cordially,

Galilao


Hello,

I ran MacScan for about an hour and it hasn't found anything yet. It is probably as you said, the likely spyware is written to evade MacScan and Little Snitch.

Thank you,

Galilao


Hello,

I have not given my keys to anyone. I have no control over what that hypothetical person might do that can get me into serious trouble.

However, while troubleshooting the DNS problem last night, my ISP's support technician asked me to log on with a different computer. I forgot I was still connected to AirVPN with my apparently infected desktop and tried to log on with my laptop, so if AirVPN saw my laptop's connection attempt last night, shortly before I logged into this forum, that was me. Anyway, after logging my desktop off of the AirVPN server, I found that my laptop doesn't have the DNS problem - yet.

Question: If the probable cracker has written the spyware to evade MacScan and Little Snitch, what else can I do for protection?

Cordially,

Galilao


Hello,

If the DNS problem I am having is the result of a cracker injecting spyware into my system, does that mean that the cracker has defeated my OpenVPN connection and is seeing my surfing in the clear?

Cordially,

Galilao


Hello,

I have not given my keys to anyone. I have no control over what that hypothetical person might do that can get me into serious trouble.

However, while troubleshooting the DNS problem last night, my ISP's support technician asked me to log on with a different computer. I forgot I was still connected to AirVPN with my apparently infected desktop and tried to log on with my laptop, so if AirVPN saw my laptop's connection attempt last night, shortly before I logged into this forum, that was me. Anyway, after logging my desktop off of the AirVPN server, I found that my laptop doesn't have the DNS problem - yet.

Hello!

We have no way to check it, we don't keep logs.

Question: If the probable cracker has written the spyware to evade MacScan and Little Snitch, what else can I do for protection?

Start with a surely clean system. Do not connect it to the Internet. Install LittleSnitch on it (from a physical source, do not yet connect the system to the Internet). Connect to your router (but not to the Internet yet) and make sure that all ports are closed.

Once LittleSnitch is installed, create a Virtual Machine if you're able to do so. Connect your system, from your virtual machine guest if available, to the Internet. Keep your host clean.

Never allow any program you don't know to connect to the Internet, and never allow any incoming connection to your system that you are unsure of.

Do not install any program you are not sure of, and when you download a program, even from a trusted source, always check the MD5, SHA-1 and SHA-256 sums for any given file, if available from the source and from independent reviews. Install the TOR browser bundle (check that the bundle is the real bundle). In case of even the slightest doubt, always sandbox an application.

Start TOR. Browse to https://airvpn.org with the TOR browser bundle and check the certificate, so you are sure you are really on our website. Our SSL/TLS certificate fingerprints:

SHA-256 fingerprint: 7F C6 1C D8 97 F9 51 EC 3B D5 84 F0 4F BD E3 2D DB 3D F8 12 16 C8 86 BB A0 EA 26 31 36 35 21 8E

SHA-1 fingerprint: EE 54 D8 0A E5 68 DB 61 69 51 E7 0B BF C6 E8 D1 0C EC 86 3F

The fingerprints of the SSL certificate from now on will be published on Twitter at random intervals with our account "airvpn". Browse to Twitter with the TOR browser and search for the tweets from "airvpn" (no Twitter login is necessary) to double-check the fingerprints. Fingerprints on the forum you read, on Twitter and on your browser MUST match.

Once you are 100% sure that you are really on our website, download certificates, key and configuration.

Decompress and protect from access those files. Never give away your key, as usual. Finally connect to our VPN. Do not forward any port, as long as you don't need listening services behind our servers. Close those ports when your service (if any) is not required. Do not forward any port on your router.

Always remember that a VPN secures your connection and that any closed-source OS like Windows and Mac OSX poses serious security issues. In case you suspect that your VM has been compromised, freeze it and do your best to discover the causes.

Kind regards
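Two steps of the procedure above rest on the same mechanical check: comparing a digest you compute locally against a value published out of band, whether that is the MD5/SHA-1/SHA-256 sum of a downloaded file or the SHA-256/SHA-1 fingerprint of the site's TLS certificate as printed in the post and on Twitter. The following Python script is an added example, not AirVPN's code or tooling, that does that comparison with only the standard library. The fingerprint strings are the ones published in the post; the `fetch_der_certificate` helper retrieves the certificate a host presents (it needs network access and is the only part not exercised offline), and the `b"constructed"` byte string stands in for a downloaded file. Published digests are compared after normalising separators and case, so "7F C6 ...", "7f:c6:..." and "7fc6..." all compare equal. Note that MD5 and SHA-1 alone no longer give collision resistance; SHA-256 is the value to insist on, and the others are only useful as an extra cross-check.

```python
import hashlib
import re
import ssl

# Fingerprints as published in the post above (copied verbatim).
PUBLISHED_SITE_FINGERPRINTS = {
    "sha256": "7F C6 1C D8 97 F9 51 EC 3B D5 84 F0 4F BD E3 2D DB 3D F8 12 16 C8 86 BB A0 EA 26 31 36 35 21 8E",
    "sha1": "EE 54 D8 0A E5 68 DB 61 69 51 E7 0B BF C6 E8 D1 0C EC 86 3F",
}


def normalize(fp):
    """Lowercase hex with every separator removed, so differently formatted digests compare equal."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def fingerprint(data, algo):
    """Hex digest of raw bytes (a DER-encoded certificate, or a downloaded file's contents)."""
    return hashlib.new(algo, data).hexdigest()


def verify_against_published(data, published):
    """True only if every published digest matches the data.

    An empty set of published values fails closed: with nothing to compare against,
    the download or certificate has not been verified.
    """
    if not published:
        return False
    return all(fingerprint(data, algo) == normalize(fp) for algo, fp in published.items())


def verify_file(path, published):
    """Check a downloaded file against the sums published for it."""
    with open(path, "rb") as f:
        return verify_against_published(f.read(), published)


def fetch_der_certificate(host, port=443):
    """Leaf certificate the host presents, as DER bytes (needs network; not run offline)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


if __name__ == "__main__":
    # Constructed stand-in for a downloaded file, with its "published" sums derived
    # from the same bytes so the offline run demonstrates a match and a mismatch.
    blob = b"constructed"
    good = {"sha256": fingerprint(blob, "sha256"), "sha1": fingerprint(blob, "sha1")}
    print("file matches published sums:", verify_against_published(blob, good))
    print("tampered file matches:", verify_against_published(blob + b"!", good))
    # Against a live host (uncomment on a machine with network access):
    # der = fetch_der_certificate("airvpn.org")
    # print("site certificate matches post:", verify_against_published(der, PUBLISHED_SITE_FINGERPRINTS))
```

The fingerprints published in 2012 will not match whatever certificate the site serves today; the point of the example is the comparison against whichever values are currently published through an independent channel, exactly as the post describes.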


Hello!

If you have some spyware, the cracker has not defeated OpenVPN, but can see your activities anyway because the spyware might connect to a cracker's server and send the data you send out before they are encrypted and the data you receive after they are decrypted. A VPN secures your connection up to our servers, not your computer or your behavior.

Kind regards


Hello,

What is a secure open source OS that can run on my Mac?

Cordially,

Galilao

Hello!

OpenBSD and some Linux distros are considered very robust. You might run them as guests in your Mac so you can get practice with them. FreeBSD deserves consideration as well. It's not an easy choice; you should gather on your own as much info as you can and then decide.

Kind regards
