Category: Internet Security

The major problem in the Internet privacy protection is to hide your IP address.

What is IP address, and why is it so important to hide IP?

IP address is your computer address in the Internet. IP address makes possible for your computer to communicate with other computers, and every computer connected to the Internet has its own, unique IP address. It is always possible to determine both communicating parties by a pair of IP addresses. IP addresses are assigned by Internet Service Providers (ISP) to its customers dynamically (you get a new IP every time you connect to the Internet) or statically (you have been assigned a permanent IP address). And where does Internet Service Provider get all these IP addresses? There are international organizations responsible for allocation of IP addresses to ISPs, such as RIPE (http://www.ripe.net , Europe), ARIN (http://www.arin.net North & South America) and APNIC (http://www.apnic.net Asia & Pacific). These organizations are allocating IP addresses to an ISP and keeping records of addresses allocated. Also, the ISP will need to report these organizations how IP addresses are used, e.g. for DSL connected users, to provide Dial-Up service, etc. All this data will appear in the records as well. These records are open to public. Using WHOIS tool (you may check our Tools section for WHOIS tool) anybody can access this data any time. WHOIS response on IP address query will contain Internet Service Provider company name, geographic location (for example “Some str., Los Angeles, CA, US” or “Deli, IN”) and IP address pool purpose (for example “DSL IP pool”). Additionally, ISPs can set descriptive reverse DNS entry for the IP address – domain name corresponding to the IP address, e.g. dsl-sezam-st-losangeles-CA.someisp.com.

IP address points to your ISP, and the ISP has logs on the customer’s activities. The local phone company providing you line to connect to the ISP has its own logs. Logs are stored for billing and resource management purposes, as any ISP/phone company will tell you.

In other words, this information is a good starting point for the curious to find out your home address, phone number and other personal details.

Who can find out your IP address?

Anybody you communicate with through the Internet. Anybody having your email address, ICQ number, chat nickname, etc. You leave trails with your IP address in web server logs, chat room logs, peer-to-peer file sharing systems, newsgroups, mail servers, mailing lists, making it possible to track you. Actually your trail will begin in your ISP logs with the record of IP address assigned to you at the moment you establish dial-up connection or turn on your PC on the cable connection. From that moment every your move will leave more and more trails in the Internet.

Is there a way to change or remove an IP address?

Bad news: IP address cannot be simply changed in your PC settings or removed completely. Your Internet connection will stop working if you change or remove your IP. Also, there are no software tools, which would allow you to do this. Good news is that using special anonymizing services you can hide your IP address from the outside world. The main idea of such an anonymizing service is that you pass the traffic, you wish to make anonymous, to them, and they will pass it to the destination using their own IP address. For example, you would like to access website www.somecompany.com anonymously, using one of the anonymizing services. Your browser or special software (supplied by an anonymizing service) will pass the request for the web page to the anonymizing server, and this server will send the request to www.somecompany.com . Web server will reply with page text to the anonymizing server, which will pass that page to your browser. The www.somecompany.com web server will not be able to get your IP address, only anonymizing server IP address will appear in the log files. That’s how anonymizing services work. The same technique can be used to anonymize other Internet activities, not only web browsing.

When you are using an anonymizing service your IP and identity will be hidden from the remote party, e.g. webmasters, IRC channel visitors, etc. Unfortunately IP anonymity will not solve all the problems. There is one more side of the Internet privacy you should be aware of; it is called “Data interception”

There are many reasons to seek the Internet privacy and anonymity while running business. Many small and mid-size businesses are migrating now offshore (big guys always were there), taking advantages of low tax environment and liberal laws. Internet makes it possible to manage offshore business from any part of the world, covering all the aspects of company functioning: emails, faxes, phone calls diverting, voice mailboxes and autoresponders, online banking, web presence, etc. Because of today’s Internet technologies you can build 100% virtual presence in a chosen offshore jurisdiction, and no one will be able to determine where your actual office is located. Unless you will forget to take care of your Internet anonymity…
Before we explain the importance of Internet privacy for offshore company owners let us find out why the majority of open-minded entrepreneurs are going offshore. Here are some major reasons.

To get tax benefits and asset protection. Running Internet business through the offshore company will allow you to save on taxes. Most offshore jurisdictions have no tax on income, tax on sales, corporate and property taxes. Offshore companies are ideal vehicle for running Internet business, international trade, financial services, insurance business, software development, etc. It should be noted that tax avoidance is not the same as tax evasion. There are many ways to run an offshore company legally and save some part of taxes, offering better prices then competitors can offer. Also, offshore banking can provide strong asset protection and offer better investment options for your hard earned money.

To get protection from most of lawsuits. Locating your Internet business offshore will allow avoiding many annoying lawsuits, saving your time and money. It takes much more time and it is much more complicated and expensive to sue an offshore entity. Running business offshore provides protection against the “your-hot-dog-was-too-hot-and-I-will-sue-you-to-get-the-compensation” lawsuits, making them not profitable for the lawyers working on contingency. Also, when running business offshore your company is acting under the law of the offshore jurisdiction, in most cases far more liberal then in “onshore” jurisdictions.

To bypass domestic business regulations. Large part of profitable businesses like gambling, adult services, and financial advice services are restricted or require expensive licenses in most of “onshore” jurisdictions. You should remember, that what is not allowed or expensive in your home country can be legal and cheap in other countries. Obtaining gambling license in offshore jurisdiction takes less time and is less expensive, and some business activities do not require licensing at all.

To get better prices for products and to get more customers. Providing the information on where is your business located can affect product price, and even affect the amount of clients you may have. For example, you are in software development business and your developers and management staff are located in India. Most of your clients will not wish to pay US prices for the products developed in a country with low development costs, i.e. in the country with low prices on job market and low living standard. Many problems can arise because you business is of the African or Eastern European origin. Some clients do not wish to deal with companies registered in African countries or other “risky” countries.

And the last but not the least are privacy concerns. Offshore jurisdictions offer privacy protected by law both for business owners and their customers. Domestic law regulations and reporting rules can make it impossible to run business when the customer privacy is an issue. When your customers need privacy or it is required by nature of your business, you should consider using an offshore company.

Moving business offshore offers huge benefits for business owners. Unfortunately not all engaged into offshore business are realizing risks associated with it. We will leave the questions of privacy with registering offshore companies, opening offshore bank accounts and offshore merchant accounts to offshore professionals, and focus on online privacy issues. Quite often offshore business owners do not care about security and privacy of their Internet communications. And this can be the fatal mistake. A single email message with the real IP address or a single fax sent over the unencrypted connection can ruin the privacy of the offshore funds owner spending huge amounts into development of complicated schemes with offshore companies and offshore bank accounts.

Many offshore business owners have suffered serious damages when ignoring the online privacy issues. If you wish to protect your offshore business and yourself, you have to think about security of your Internet communications before it is too late. Below are the main points you should take into consideration when establishing your offshore company Internet presence or using Internet for communication.

1. Anonymous domain registration. Having own domain name is a must for a business. Using own domain in emails, having the web site you can refer to, will add credibility to your business and will add customers for you. But when registering a domain you will have to state clearly the domain owner, and this information will be available to public. Providing your real identity will break your privacy, since by running WHOIS query any curious can find out the domain owner’s name and address. To protect their online privacy some people are registering domain names on fictitious names. Right, registrars in most cases do not verify domain owner’s details, but it is unwise to register domain name on nonexistent person or company. There are cases in business practice when you will need to confirm that domain is yours: when you need the SSL certificate for your online store, or when you need to sell it for example. The only solution to gain privacy and to preserve your rights on the domain is to register new or transfer existing domains to the offshore company with nominee directors and shareholders. How anonymous is it? Offshore company registration agent will know the identity of the real shareholder (it is a general requirement in this industry), but government authorities in the offshore jurisdiction will have records with nominee’s personal details only. Unless you commit a serious crime indeed, you will be safe from tracing.
2. Offshore hosting, offshore dedicated hosting, offshore collocation services and offshore email hosting. When you already have your domain name registered anonymously on your offshore company, or you just planning to do so, it is time to think about offshore hosting for your domain. Offshore hosting can be the only option for many businesses limited by domestic legislation. Adult sites, gambling sites, offshore investment companies, international trading companies using tax saving schemas, all of them need offshore hosting. As a general rule, when you run an offshore business, you should consider using offshore hosting. Even of you do not need a web site for your domain, you can use offshore email hosting to secure your email correspondence. Companies providing services with intensive network and computer resources usage can take advantage of offshore dedicated hosting and offshore collocation services. When choosing a jurisdiction for your offshore hosting you should check for the established electronic privacy laws and modern network infrastructure. Some countries do not have laws that regulate ecommerce and Internet activities, and this can add some uncertainty in future for your business. A good example of jurisdictions with developed electronic privacy laws and network infrastructure can be Bahamas and Malaysia.
3. Protecting your Internet communications. Running offshore business requires performing various tasks online. This can be online banking, uploading files to the website, emailing to customers and business partners, sending/receiving faxes and voice messages, etc. Doing all this in privacy without providing your real IP address (e.g. identity) is of prime importance. Please read about the details, which can be determined from your IP address on our “Internet Privacy” page. As we have noted earlier on this page, revealing your real location can bring your business to success or failure. Other threat you should count with is data interception. Government agencies are widely using Internet monitoring systems like Carnivore or Echelon to locate the persons using online banking with offshore banks, offshore e-currency services or offshore investment companies. Once you are on a list of “suspected” in using offshore financial services, all your Internet communications will be monitored: emailing, browsing, ICQ, web pages uploading via FTP, etc. After they collect enough evidences they will visit and question you. We have covered Internet monitoring in deep on our “Data interception” page. Fortunately Internet data communications can be protected quite easily by using anonymizing services supporting encryption. You may learn more on how to protect your online activities on our Internet Security Solutions page. Here we will stress again that you should avoid using US based anonymizing services. They can be monitored by government agencies in the first place. Other important Internet service that is used extensively by offshore entrepreneurs is email. When you use “fax to email”, voice mailbox services, communicating with your offshore banker or offshore broker over the email you should take care of your email security. Government monitoring systems can monitor the email traffic by destination or by keywords, adding you to the “suspected” list. You may read our “Email Security and Anonymity” page to learn how to protect your confidential emailing. When choosing the anonymizing service you should avoid partial solutions or services not utilizing encryption. Only protecting all aspects of your Internet communications with strong encryption algorithms can give you peace of mind.
4. Using e-currency payment solutions. Most of e-currency providers are registered offshore and providing high financial privacy protection for both buyers and sellers. Although you should be ready to undergo the account due diligence if the account exceeds some turnover level. To pass the due diligence procedures the account should not be registered on fictitious names. If you have an offshore company, register e-currency account on it. Just to remember, always use anonymous web browsing techniques to manage e-currency accounts online. Even if you work with SSL protected pages, government agencies that perform data interception will be able to find out that you are using e-currency and ask the questions you would not like to answer.
5. Local computer security. Local computer protection is an integral part of the efforts to protect your online privacy. Failing to protect your computer from viruses and network attacks can result in serious damages for your business and privacy. Data loses, stolen confidential documents, stolen access details to your offshore bank account or offshore investment account – all these problems may arise if your computer protection is ignored. What measures you need to take to ensure protection for confidential data on your computer hard drive and removable media? Firstly, you should take care of your network security by installing a personal firewall on your computer. It will protect from network attacks, network worm viruses and some trojan viruses. Secondly, consider using good antiviral application. Antiviral software should be able to detect and remove not only known viruses, but also warn about suspicious activities and software on your computer. This ensures that viruses like “Magic Lantern”, an FBI program that can monitor keystrokes, can be detected. And thirdly, use encryption for all your hard drives and removable media used for backups (you are doing backups regularly to protect from data loses, don’t you?). Do not use “folder hiding” software, it can be cracked by kids with one month of computer experience. Do not relay on “boot protection” utilities. When disks with such a protection are removed and installed on other computer as a “slave” drive, data on it can be read like a morning newspaper. Do not relay on data wiping utilities. Using special technologies on examination remanent magnetism (this technologies are available to government agencies) even files wiped ten times can be restored. The only way to protect data when your computer is stolen or can be accessed without your knowledge is to encrypt it in whole including system areas, not only selected folders or drives. Only the person knowing the password will be able to boot the computer protected in this way and access data files. More details on choosing the right software to protect your computer can be found at our “Computer Security” page.

And a few last notes. Do not save on your online privacy and security. You should remember that a penny saved on this could make your business loose thousands. Always include the expenses on Internet anonymity into your offshore company business plan. Gaining Internet anonymity and protecting Internet communications from interception is much the same as protecting money both for the offshore company owners and average Internet users.

The main point in going offshore is to find the jurisdiction where you can run business legally (what is illegal in your country can be legal in some other countries) with minimal costs (cutting business running costs on taxes and license fees) and minimal regulation requirements (saving time and money on paperwork). But there are activities prohibited by law in all countries. Individuals and companies that are engaged in fraud, spamming or child pornography will never have peace. No anonymous services, offshore companies and offshore hosting will provide protection for the business of this kind. But when you run legitimate business in offshore jurisdiction and take all the measures to protect your Internet privacy, you may feel secure.

Here we will review most common solutions allowing you to hide IP address and to encrypt your data transfers. There are three general categories of anonymizing technologies: web-based redirectors, protocol dependent proxies, and VPN tunneling.

1. Web-based Redirector

Internet services protected: web browsing only, excluding secure (SSL) sites.
Anonymity: Yes
Protection from data interception: redirectors with SSL encrypted access only.

Redirectors work only for web browsing. This service works according to the following scenario: you go to the redirector web page, enter the site URL you wish to browse anonymously and press “go” button. The redirecting software will request the page using its own server IP and redirect the output to your browser window. The main disadvantage is that not all sites can be accessed through a redirector. Redirector will not work with secure sites (https) so you cannot use redirector for banking, shopping and other secure sites where SSL encryption is required. Some services allow working with secure sites, although it is not recommended to use this feature since data can be intercepted by persons running redirector service. Also, redirectors usually block java, cookies, and some other features required for browsing most of the sites. Actually all dangerous content can be blocked or allowed by yourself depending on the site, without using any third party services (e.g. you can allow java while browsing e-bay.com and disallow it on any other site). This will be described in details in our “Anonymous Surfing” page. Many free redirectors will block pop-ups only to show you their own pop-ups. Some redirectors can use SSL encryption to encrypt web traffic, although connection will be encrypted between your browser and the redirector web page only, not to the destination web site.

Conclusion: Redirectors are not convenient; they are ok if you are browsing from time to time, but they are not suitable for active Internet users. Not suitable for banking, online shopping and accessing any other SSL protected sites.

2. Proxy

Using a proxy is the most common method of anonymizing Internet activities. In most cases people are using protocol dependent proxies. Different types of proxies should be used for different activities: web proxy for browsing; remailer for emailing (well, remailer is NOT a proxy, but it functions in a very similar way). Also there are proxies for IRC and some other protocols. Some proxy types (like Socks proxy) are more universal and will allow working with several Internet protocols.
Main drawback of proxies is that they are protocol dependent. Example: you have configured your browser to use http proxy. When you click on “http://” link, connection will be passed through the proxy, and your IP will not be visible. But when you are visiting secure site (https:// link) your real IP will appear in the server logs. To anonymize secure connections you will need to use additional https proxy.

Another problem with proxies of any type is that your software should have proxy support. If your software cannot be configured to use proxy, you will not be able to use it.

Also, not all protocols can be used through a proxy, for example you never find a proxy solution for some online games or peer-to-peer file sharing applications.

2.1 web proxy

Internet services protected: web browsing only
Anonymity: Not all proxies provide anonymity. This should be checked before you use proxy
Protection from data interception: No

Using web proxy is easy. Find the open proxy IP address and set it in your browser settings. All web traffic will be passed through the proxy, hiding your real IP. But not all proxies are anonymous, e.g. some of them can reveal your real IP. You should always check the proxy for the anonymity before using it. You can find URL to proxy checkers at our “Links” page.
Avoid using so called “free open proxy” lists, or “open proxy scanning software”. Free proxy (in many cases simply misconfigured by system administrators), should be used with care. It is a common method for hackers to setup proxy with open access, place it in the “Free proxy lists” and wait for the victims. Everything that you do through a proxy and every password that you use can be logged and used by persons running free open proxy in their interests. And there is no guarantee that these proxies do not have user activity logs. Additionally, proxies in this list can be under the special attention of government agencies hunting terrorists and hackers.

Most commercial services providing web proxies are offering proxies from “open proxy” lists, checked for anonymity in best case. These companies do not have control over the proxy and cannot guarantee that there is no user activity logging. They cannot guarantee that there are no hacker proxies or proxies operated by government in this list.

Important note: a web proxy does not provide data encryption, e.g. your browsing can be intercepted easily.

Conclusion: Avoid using proxies from “open proxy“ lists, it is the same as providing all your passwords, email accounts to hackers or government agencies. Also, proxy connections are vulnerable to data interception. Commercial services can be used in case they provide access to their own proxies, and the proxies are operated by company staff.

2.2 Socks proxy

Internet services protected: depends on proxy type used
Anonymity: Yes
Protection from data interception: No
There are two types of Socks proxy protocols: Socks 4 and Socks 5. Socks 4 proxy will allow working with TCP protocols only, like HTTP (web browsing), NNTP newsgroup access, IRC. Socks 5 is more advanced, allowing to anonymize UDP protocols as well (ICQ for example). Only the applications having an appropriate Socks protocol support can be used with Socks proxy. For example, Internet Explorer has Socks 4 protocol support, and it cannot be used with Socks 5 proxies. If your application does not support Socks at all, or has only partial support, you will need the Socks client. Socks client is a special software residing in between the application you are using and the network. Socks client allows your application using Socks proxy. Most Socks client software is commercial, i.e. not free. The problem with Socks proxies is that Socks implementations do not support encryption (except for some commercial software) to protect data traffic. If you have set up to use Socks proxy in your browser or IRC client the connection will remain unencrypted.

Conclusion: Socks proxy provides anonymity for most of the Internet services. Applications you would like to use with Socks should have support for Socks protocol. Main disadvantage is lack of encryption making data transfers vulnerable to interception.

2.3 SSH tunneling

Internet services protected: depends on the proxy type used
Anonymity: Yes
Protection from data interception: Yes
Some companies provide additional service for the data security – SSH connection to the proxy. Using SSH will make your connection to the proxy encrypted thus making it impossible to intercept. Both web proxy and Socks proxy connections can be passed through the SSH encrypted tunnel. SSH cannot be used without the proxy for anonymizing.
Conclusion: SSH can be used with proxy only. It adds encryption for the proxy connection.

3. VPN Tunneling

Internet services protected: Any
Anonymity: Yes
Protection from data interception: Yes

VPN stands for Virtual Private Network. Actually it is the most comprehensive anonymity solution available on the market. VPN technology is widely used by large corporations, financial institutions and government agencies to secure data communications. VPN allows not only to secure communications with high-grade encryption algorithms, but also to anonymize all types of Internet traffic. VPN connection can be compared to anonymous “virtual” dialup service through the existing Internet connection. The scenario is as follows: you connect to the Internet through the ISP (Internet Service Provider) and launch the special VPN application (or built-in VPN adapter for Windows and MacOS operating systems). VPN application will establish an encrypted connection to the service provider. Once connected through the VPN all Internet traffic will be encrypted and a new IP will be allocated so that any Internet application installed on your computer will be using this new anonymous IP address. There are three VPN protocols used: PPTP, IPSec and L2TP. All of them use high encryption, and allow anonymizing any Internet activity. Quite often SSH used for proxy connection is considered as VPN although it is not the same. SSH allows to encrypt data connection and can be used in conjunction with a proxy to secure data transfers between your PC and proxy.

Conclusion: Most advanced anonymizing solution. Gives full anonymity and protection from data interception. Allows anonymizing any Internet activity.

What you should be aware of when choosing anonymizing service

Service provider jurisdiction

Always check where the servers used for anonymizing are located. Use WHOIS tool to find out the anonymizing servers location country behind the IP address. Avoid using the servers located in your home country since law enforcement or intelligence agency monitoring your activities will be able to monitor your anonymizing service provider traffic as well, or it can legally force them to give the information about your activities. It is recommended to use a service located outside your country, then the traffic monitoring would be impossible and law enforcement procedure would be much more complicated or even impossible (in some offshore jurisdictions). Avoid using anonymizing services located in countries with low Internet privacy standards like US or Australia. Remember, that in jurisdiction where data interception is used by government agencies “anonymous” services are monitored in a first place.

Anonymous payment options

If you are considering using commercial anonymizing service, check if anonymous payment options are available. Most popular anonymous payment options are: e-gold (see www.e-gold.com for details), traveler’s checks, etc. If there are no anonymous payment options, avoid this service.

Protocol dependent services

Since all Internet activities are related with each other, protocol dependent anonymizing services should be used with care. For example, you are using anonymous socks proxy for ICQ. You have received the message with a link to the web page from your chat mate. When you follow the link, your real IP address will appear in web log, and your chat mate will be able to track you if he/she has access to the web server logs. Another example: you are using anonymous email service, you have received HTML encoded message with linked images. After you open the message, your email software will automatically download linked images form a corresponding web site. This means that the message sender will be able to determine your real IP address. You should always remember the services you have had anonymized and the services you have had not anonymized to avoid the situation mentioned above, or consider using VPN tunneling services to anonymize all your activities.

Slowdown

The reverse side of any anonymizing technology is slowdown in traffic transfer. Any anonymizing service makes the data packets travel two times the same distance at least. The encryption (if any) adds the delay as well. There is no way to avoid this. In case you have decided to use some anonymizing service you should be prepared to get much slower data transfer speeds.

Paid versus Free anonymizing services

Running an anonymizing service (web proxy, Socks or VPN) is an expensive venture. It requires expensive network equipment (computers, routers) and lot of bandwidth resources. As you know there are no free lunches, so if somebody offers it for free it would be wise to think about the reasons for such generosity. Moreover one would not be in a position to require any privacy guarantee from a free service; usually there is no support either.

A reminder – always ask for anonymous payment options when purchasing anonymizing service.