Author: John Durret

  • Encrypt data in Mac OS, iPhone and iPad with Krypton

    Krypton is a Mac OS and iOS (iPhone, iPad) tool to securely encrypt your files using 256-bit AES in Cipher Block Chaining (CBC) mode. This program is able to encrypt any kind of file, from documents to images, videos or MP3s, and full folders. If you are familiar with TrueCrypt you will notice that Krypton works in the same fashion, creating an encrypted storage space, called a vault, that holds any file you place inside it and makes the whole vault unreadable without entering the correct password.

    On a Mac computer you can use TrueCrypt for free, but iOS mobile devices do not work with it. Krypton will minimize the work of transferring encrypted data between secure vaults from your iPad or iPhone to your desktop Mac OS.

    When you copy text to the clipboard it can be automatically sent to Krypton for encryption, and if you select a file for encryption you can tick a checkbox to shred it after it has been secured, making recovery of the original data left behind impossible.

    The software menu has a shortcut to send encrypted documents to Dropbox cloud space. Encrypting files before uploading them is a good way to protect yourself from NSA spying, as Dropbox can access or be compelled to access your data. Another two shortcuts in Krypton’s menu let you decrypt a file or folder, export it outside the vault and delete it from the vault.

    The developers claim that if you lose your password the encrypted data is not recoverable, so there is no backdoor. This looks like a good security tool due to the developers using a standard strong encryption algorithm like 256-bit AES and the cross compatibility between mobile and desktop devices.

    You need to be aware that once the data has been exported outside the vault and accessed by another application it will no longer be encrypted, and that other application could create a temporary copy that will be stored unencrypted outside the secured space. For example, a Time Machine Mac OS backup could contain a copy of decrypted confidential files.

    Krypton will be best used in conjunction with a data shredder to securely delete any files leaking out of the encrypted storage space while you edited or viewed them.

    Visit Krypton homepage

  • Stop Wifi tracking in Android with Pry-Fi

    Pry-Fi is an Android app to stop advertisers from using your smartphone Wifi connection to track your movements. This app does not need you to switch off your Wifi, which is the only other way to accomplish this. Pry-Fi blocks broadcasting to Wifi networks while scanning in the background, allowing you to connect to the network, and randomizes your phone’s MAC address, making you appear unique to each access point.

    Your phone’s MAC address, used by advertisers to track your movements as you hop between Wifi access points, will never be used twice on different networks. This privacy app shows your real MAC address on the screen for your own information, along with the random or wanted MAC address assigned to you by Pry-Fi that is visible to public access points.

    Another Pry-Fi option called “Go to war!” emulates dozens of smartphone MAC addresses, poisoning the trackers’ database by listing the same MAC address in two different locations at the same time. This is an effective way to subvert the trackers’ data mining, although this mode will quickly drain your battery life.

    Smartphone Wifi tracking is not something out of science fiction. A few high street stores are already using it to find out how many people go inside the store, what path they walk, the stops they make and if they finally buy something or not. The stores can correlate Wifi movements with CCTV surveillance. The fantastic benefit of tracking people with their own smartphone Wifi connection is that, unlike CCTV, Wifi tracking can be used for mass surveillance with little effort; with CCTV you need to manually pinpoint each target.

    Bear in mind that, according to NSA documents leaked by Snowden, spy agencies use cell towers to track people’s movements. Pry-Fi will protect you from advertisers but most likely not from spy agencies with access to the whole mobile phone network.

    Note: This is a proof of concept app that needs a rooted device

    Visit Pry-Fi GooglePlay page

  • Jam Wifi signals using your wireless card with wifijammer

    The originally named wifijammer is a Python script to interfere with Wifi access points and disrupt the network. This can be useful for penetration testing of your own network or if you suspect that wireless spy cams are around your premises. There are online shops selling hardware wireless jammers too, but they cost additional dollars; wifijammer is a simple application that anyone with a laptop and basic Linux knowledge can use. This kind of application must be used with caution: you need to be careful not to interfere with a network that is not yours or you risk arrest.

    For this jammer program to work your wireless card needs to be able to inject packets into the network. You will have to learn your wireless card chipset; running the dmesg command in Linux will often show this information, or run lsusb if you are using a wireless USB dongle. With the obtained information you can then search the Internet to find out if the card is suitable to run aircrack-ng or any other WPA cracking utility. If the wireless chipset can run a WPA cracking tool it means it is able to inject packets on a live network and it will work with wifijammer.

    The jammer will automatically hop between channels every second to determine all possible targets. After the initial identification it will start jamming the signal by sending constant deauthentication packets to the access point. This is a way to disassociate connected computers from the access point, cutting off their wireless access. wifijammer does not perform a denial of service attack but a disconnection: the client is able to reconnect, but as long as the attack runs wifijammer keeps telling the access point to disconnect the client, with the same result as a denial of service attack without needing that much bandwidth or resources. A benefit of getting a client to constantly re-authenticate to the access point is that it might be possible to capture the WPA2 handshake and gain access to the network.

    There is another application to jam Wifi access points found in the WebSploit framework. wifijammer has the advantage of being a very small script that should run on any operating system where you can install Python.

    If an access point has MAC filtering enabled you would have to spoof the MAC address of a client first before deauthentication packets are accepted. Having said that, expensive enterprise level wireless access points are able to detect continuous deauth requests and they will block you.

    Visit wifijammer homepage
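
The detection side mentioned above, where an access point notices continuous deauth requests, can be sketched as a sliding-window counter. This is an added example, not code from wifijammer or from any access point vendor; the record format, the thresholds and the MAC addresses are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Assumed thresholds (not from the article): more than 10 deauthentication
# frames for the same access point/client pair within 5 seconds is a flood.
WINDOW_SECONDS = 5.0
MAX_DEAUTHS = 10


def detect_deauth_floods(frames, window=WINDOW_SECONDS, limit=MAX_DEAUTHS):
    """Return {(bssid, client): time_of_first_alert} for flooded pairs.

    `frames` is an iterable of (timestamp, subtype, bssid, client) tuples in
    time order, as a monitor-mode sensor or an AP log might export them.
    """
    recent = defaultdict(deque)  # (bssid, client) -> timestamps still in window
    alerts = {}
    for ts, subtype, bssid, client in frames:
        if subtype != "deauth":
            continue  # beacons, data frames, etc. are ignored
        key = (bssid.lower(), client.lower())
        seen = recent[key]
        seen.append(ts)
        # Drop timestamps that have slid out of the window.
        while seen and ts - seen[0] > window:
            seen.popleft()
        if len(seen) > limit and key not in alerts:
            alerts[key] = ts
    return alerts


def constructed_capture():
    """Constructed sample: one ordinary disconnect plus a 3-second flood."""
    ap = "02:00:00:aa:bb:01"
    frames = [
        (0.0, "beacon", ap, "ff:ff:ff:ff:ff:ff"),
        (1.0, "deauth", ap, "02:00:00:00:00:10"),  # a client leaving normally
    ]
    # 30 deauthentication frames, 0.1 s apart, all naming the same client.
    frames += [(10.0 + i * 0.1, "deauth", ap, "02:00:00:00:00:20")
               for i in range(30)]
    return frames


if __name__ == "__main__":
    for (bssid, client), ts in detect_deauth_floods(constructed_capture()).items():
        print(f"deauth flood: ap={bssid} client={client} first seen at t={ts:.1f}s")
```

A single deauthentication frame is normal when a client leaves, which is why the check counts frames per access point/client pair over time instead of alerting on any one frame.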

  • Smartphone encrypted messenger HushHushApp

    HushHushApp is a secure Android messenger (iPhone planned) for encrypted chat and file sharing. This app will secure your conversations from eavesdropping but it will not make you anonymous; in fact, you have to register to open an account before you can use the messenger. For this you can use your phone number or an email address that will have to be confirmed with a registration code.

    During the registration process you are asked what country you live in, and the app makes it very easy to send a text message or email to your contacts, asking if they want to chat with you using HushHushApp. You should be careful not to carry out a mass mailing by mistake, as all contacts are checked by default and most likely people will only want to suggest the encrypted chat to a couple of friends.

    Once you have opened the account you will be assigned a HushHush ID (HID) and be able to manage your profile, where you can upload an avatar. The HID is used for other people to find you in the network and add you to their list of contacts. You don’t need to hand over your phone number to chat with others; the short alphanumeric HID code will be your contact ID. Another option is to individually control if a contact will be allowed to be notified when you read a message and if your location can be revealed to them.

    You can create a chat group from the interface where three or four people can chat securely at the same time. If files are sent, they will be encrypted and stored that way, only accessible through the application.

    Security wise, you are only told that HushHushApp uses a scrambling algorithm, with no additional knowledge of what the algorithm is or how it works. HushHushApp mentions that messages are deleted from the server; this means your data flows across a central server, a potential weak spot if the server is compromised. The good points are that messages have a digital fingerprint, with local storage and the users database being kept encrypted, but again, there is no mention of what encryption they are using. You are supposed to trust that they are doing a good job, but you know nothing about the company either, other than that their website features section is unfinished and written all in Spanish.

    After I used the “Delete Account” option and uninstalled this app, browsing the phone storage I noticed a folder named com.hushhushapp.android and a tiny file named hushushgirl.3gp left behind on my phone. This shows some sloppiness on the developers’ part.

    The HushHushApp interface is user friendly and easy to use, but the lack of detailed information about what security measures HushHushApp deploys does not inspire trust. You can’t entrust your privacy to anybody saying that they will scramble your messages and hope that all will be fine. Using a central server to deliver your messages is also not OK, as it adds an additional way to break your security. I would avoid this app for secure chat based on this, but it should be fine for non-private chatting, just like MSN or Yahoo.

    Visit HushHushApp homepage

  • Exchange encrypted SMS messages with Tinfoil-SMS

    Tinfoil-SMS is a free open source Android app to exchange encrypted SMS messages with other Tinfoil-SMS users. After installation you can import contacts from your phone and all future conversations will be handled by Tinfoil-SMS, but communications with contacts will not be secure until a successful key exchange has been executed.

    To stop man in the middle attacks, where encryption keys are replaced by an attacker and messages are forwarded after logging them, a signed encryption key exchange must take place first. In the app menu you will see two fields labelled Shared Secrets, where you need to input two secret passphrases and save them. Tinfoil-SMS advises a minimum of 8 characters for each shared secret, and you have to transmit the secret to your contact by secure means (not your phone).

    The receiver will get a notification showing your phone number next to “Pending key exchanges”. He will have to enter the passphrase you have given him, and from then on any future message exchange will be encrypted.

    Messages are secured using 256-bit AES in CTR mode, and in the SMS thread you will see a padlock attesting that encryption is on. Tinfoil-SMS settings allow you to disable and enable SMS encryption, manage encryption keys and delete or add contacts. It is similar to TextSecure, another SMS encryption app. The main differences between the two are that Tinfoil-SMS signs the key exchange with the shared secret, the encryption algorithms are slightly different (the Tinfoil-SMS cipher is 256-bit AES and TextSecure uses 128-bit AES), and Tinfoil-SMS will not encrypt messages locally on your phone whereas TextSecure does.

    The reason Tinfoil-SMS developers give to support SMS instead of real time chat encryption is that many oppressive regimes are in third world countries where people do not have data plans and use SMS messages to communicate. This has the added benefit that the app would still work if the government shuts down Internet access.

    Tinfoil-SMS future plans include incorporating steganography to hide that you are using encryption. A detailed cryptanalysis of the application, which will always be free and open source, is also planned.

    This is an app I would trust due to its open source nature and what looks like a good security model, with the only inconvenience being having to exchange the shared secrets by secure means before encrypted communication can be established, which can be problematic and is likely to force some people to transmit the secrets insecurely.

    You can download Tinfoil-SMS from Google Play or F-Droid, an alternative Android marketplace made up entirely of free open source software and not controlled by Google.

    Visit Tinfoil-SMS homepage
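
To make the idea of a key exchange signed with a shared secret concrete, here is an added example that is not Tinfoil-SMS code and does not claim to reproduce its protocol. It assumes a PBKDF2-derived HMAC-SHA256 tag over the sender and public key; the phone number, passphrases and the random bytes standing in for a public key are constructed.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000  # assumed work factor, not taken from Tinfoil-SMS


def derive_mac_key(shared_secret: str, salt: bytes) -> bytes:
    """Stretch the passphrase agreed out of band into a 32-byte MAC key."""
    return hashlib.pbkdf2_hmac("sha256", shared_secret.encode(), salt,
                               PBKDF2_ROUNDS)


def _tag(mac_key: bytes, sender: str, public_key: bytes) -> bytes:
    # Bind the tag to the sender so it cannot be reused for another contact.
    return hmac.new(mac_key, sender.encode() + b"|" + public_key,
                    hashlib.sha256).digest()


def make_key_message(sender: str, public_key: bytes, shared_secret: str) -> dict:
    """Key-exchange message: public key plus a tag only secret holders can make."""
    salt = os.urandom(16)
    mac_key = derive_mac_key(shared_secret, salt)
    return {"sender": sender, "public_key": public_key,
            "salt": salt, "tag": _tag(mac_key, sender, public_key)}


def verify_key_message(msg: dict, shared_secret: str) -> bool:
    """Accept the public key only if the tag matches our copy of the secret."""
    mac_key = derive_mac_key(shared_secret, msg["salt"])
    expected = _tag(mac_key, msg["sender"], msg["public_key"])
    return hmac.compare_digest(expected, msg["tag"])  # constant-time compare


def demo():
    secret = "correct horse battery"   # constructed passphrase
    alice_public_key = os.urandom(32)  # stand-in for a real public key
    msg = make_key_message("+15550100", alice_public_key, secret)

    honest = verify_key_message(msg, secret)
    # A man in the middle swaps in his own key but cannot recompute the tag.
    swapped = dict(msg, public_key=os.urandom(32))
    mitm = verify_key_message(swapped, secret)
    # A receiver who typed a different passphrase also rejects the message.
    wrong_secret = verify_key_message(msg, "guess1234")
    return honest, mitm, wrong_secret


if __name__ == "__main__":
    print(demo())
```

Because the tag in this sketch is derived from a passphrase, anyone who records the message can test passphrase guesses against it offline, so the strength of the shared secret matters.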

  • Anonymous encrypted communications with LEAP Bitmask

    Bitmask is an open source cross platform bundle from the LEAP Encryption Access Project, a non profit group dedicated to protecting the right to leak information. Bitmask can be used to send anonymous email messages, hide your computer IP when visiting websites, circumvent Internet filters and encrypt your Internet activities to stop ISPs from logging them.

    You can either set up your own Bitmask server to tunnel your traffic or find a provider that supports the application. To open a Bitmask account you only have to cook up a username and password; no additional information is required. Currently Bitmask only works with LEAP’s own Bitmask server, but activist privacy providers like Riseup and Calyx plan on implementing it soon.

    To anonymously send email with Bitmask, a help guide explains how to manually set up SMTP and IMAP to proxy messages in any email client, or you can download the Bitmask Thunderbird addon with a wizard guiding you through the proxy set up process. The addon also prevents Bitmask account caching.

    Bitmask has been designed to automate anonymity. It uses OpenPGP for email encryption but you don’t have to exchange encryption keys with anybody; the program does it for you. Encryption takes place on your computer and should stop Gmail or Outlook from handing over email contents to the NSA. Emails are stored encrypted on your computer.

    One of the downsides of Bitmask email is that you cannot use it with webmail; it only works with email clients. In case you wonder, the difference between Enigmail and the Bitmask Thunderbird addon is that Bitmask exchanges encryption keys automatically.

    Encrypting Internet activities and hiding your computer IP from websites is attained with a VPN tunnel. To mitigate the risk of a VPN provider eavesdropping on you, Bitmask authenticates with the VPN using an anonymous digital certificate. What I could not see is any countermeasure to stop a rogue VPN from logging computer connection IPs and timestamps.

    Bitmask’s stated goal of bringing easy always-on network encryption bets on safe technologies like OpenVPN and OpenPGP. Some trust is placed on the VPN provider, and although it allows organisations to roll out their own server, so does OpenVPN. I did not find Bitmask any easier than downloading a VPN program and using webmail for pseudo anonymous encrypted Internet communications. The best points of LEAP Bitmask are that it is open source, it allows people to run their own server and it has detailed technical documentation.

    Future plans include anonymous chat on top of XMPP, secure VoIP, LEAP Tor hidden services and creating a darknet between all LEAP platform providers. Of all those things the most exciting feature for me is the Bitmask darknet. For those who don’t know, a darknet is a closed private network of computers that can only be accessed by approved members.

    Note: At the moment Bitmask for Windows only works with a 32-bit OS; if you have a 64-bit OS, download the Thunderbird addon.

    Visit Bitmask homepage

  • Anonymous Tor browser Snowden Tribute released

    Snowden Tribute is a stand alone browser inside a bootable Linux USB thumbdrive designed for anonymous Internet browsing. Inside the distribution you will not find any text editor, picture viewer, video player or other tools that come with desktop operating systems. Snowden Tribute combines a simple Internet browser with Tor and Vidalia. It can only be used from a USB thumbdrive and not as a live CD.

    To burn the .img file to a bootable USB thumbdrive in Windows you will need to download Win32DiskImager. There are clear instructions on Snowden Tribute’s homepage about how to do this. It is not difficult; it took me a minute to do it.

    To launch the browser you will need to instruct the BIOS or UEFI to boot from USB. The boot menu is accessed on my computer by pressing F11, but it is not the same for everybody, so enter your own BIOS or UEFI to learn how to do this. Furthermore, Windows 8 computers will need UEFI Secure Boot disabled to be able to boot Linux from a USB.

    After booting Snowden Tribute you will be presented with a network configuration screen that auto detects wired and wireless routers. You have to enter the password for the wireless network, then you will see Tor establishing a connection and Firefox ESR (Extended Support Release) will take the full screen in Kiosk mode. You can then start browsing the Internet anonymously with Tor.

    Digging into the browser configuration options shows that it has NoScript enabled, blocking browser plugins like Flash and third-party cookies, with Startpage set as the default search engine. The browser has also been set up to run in Private browsing mode to avoid leaving history and cache on the thumbdrive, with HTTPS Everywhere forcing pages to serve you an HTTPS version of the website where it exists.

    Pressing the Escape key will take you to Vidalia, where Tor configurations can be tweaked and information about consumed bandwidth, logs and Tor nodes can be seen, just as for anybody else who has Vidalia installed.

    This is not a very sophisticated distribution. It can all be summed up as having the Tor browser bundle running from inside a USB thumbdrive. I found it unnecessary when you have distributions like Tails that can do the same thing and have a community supporting the project.

    I take issue with Snowden Tribute for riding on the back of Snowden’s name. I did not think it was right, as it might look as if he endorses the project, which he obviously doesn’t. I also have a problem with the browser running on a thumbdrive: even in Privacy mode, I am not convinced that your Tor browsing session held in RAM could not be dumped to the thumbdrive memory in case of a computer crash.

    Best to avoid this distribution and stick to Tails, Parrot OS or iPredia. I would only consider Snowden Tribute as an alternative if it could be booted from a live CD, the uncertainty of data leaking out to the thumbdrive is too high for me to trust it.

    Visit Snowden Tribute homepage