Author: John Durret

  • Learn cyberwar skills online playing CTF365

    Capture The Flag CTF365 is a realistic cyberwar game built for hackers, system administrators, security specialists, programmers and anyone with an interest in computer security.

    After signing up for the game you will be named a Combatant and asked to join the country you wish to fight for. Each country can have many teams, each made up of a minimum of five hackers and no more than ten. Teams can ally with each other to defend and attack a Fortress. Members of the hacking team will have to safeguard their server while being on the offensive, and when a user breaches another team's Fortress the points go to the whole team. There will be a Hall of Fame with prizes for the most skilled hackers.

    In this Capture The Flag contest the team's server will run all major Internet services like SMTP, IMAP and FTP, one Content Management System with plugins for social media, embedded video and others, two different Internet browsers, three web applications and two different databases. Part of your job will be to secure all of them.

    Hacking game Capture The Flag CTF365

    The game's first campaign will mimic a National Agency network where you can play offensive security attacking their servers. As part of the attack strategy you can DDoS another player's virtual servers if you wish, just like in real life. There is a CTF365 IRC server accessible from within the game; you can use it to find other players and start building your team or join others. There are only two rules: one, do not use the infrastructure to carry out real hacking attacks against non-players, and two, do not launch a distributed denial of service against the game servers. If you break either of those rules your account might be terminated.

    Capture The Flag is a superb way for penetration testers, and for sys admins defending their network, to get real hands-on experience. Anyone with an interest in computer security will benefit from this game emulating real-life hacking scenarios. The aim is to have hundreds of targets in virtual machines that can be attacked at any time and for Capture The Flag to last a full year. There are future plans to offer Infosec companies the possibility to set up their own CTF contest to train students.

    Visit Capture The Flag CTF365

  • Encrypted Disk Detector for live computer forensics

    Encrypted Disk Detector is a free Windows command line tool for computer forensics that can detect Truecrypt, PGP, Bitlocker, Safeboot, Sophos Safeguard, Endpoint Security FDE, Symantec Endpoint FDE and Bestcrypt encrypted volumes. The software checks for encryption signatures in the Master Boot Record and Volume Boot Records, where encryption tools store the authentication hashing mechanism that decrypts data. It also displays the OEM ID and the volume label of the partition where applicable. When the encryption software has no identifiable signature, Encrypted Disk Detector scans for running processes indicative of disk encryption.

    This tool is useful to incident response practitioners who need to quickly determine whether encryption is being used on any of the company or network computers before deciding what steps to take next, e.g. mirroring drives prior to pulling the plug. Encrypted Disk Detector runs in read-only mode and does not make any file changes, and its intuitive coloured notification arrangement makes it effortless to interpret the results.

    Encrypted Disk Detector finds BestCrypt volume

    Encrypted Disk Detector is not a threat to home users. The software does not attempt to guess which drives are encrypted; it only checks volumes that are already mounted on live systems. It will not detect encryption in unmounted disks, and TCHunt is more appropriate for that task. This is a time-saving tool that can be deployed in a matter of seconds in a large network.
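
    The kind of boot-record check described above, as an added example that is not Encrypted Disk Detector's own code: it walks the MBR partition table of a disk image and reads the OEM ID at offset 3 of each Volume Boot Record. It assumes MBR partitioning and 512-byte sectors, knows only the BitLocker OEM ID (`-FVE-FS-`), and runs on a constructed three-sector sample image.

```python
import struct

SECTOR = 512
# OEM IDs found at byte offset 3 of a volume boot record. "-FVE-FS-" is what
# BitLocker writes there; the other entries are unencrypted filesystems.
OEM_IDS = {b"-FVE-FS-": ("BitLocker", True),
           b"NTFS    ": ("NTFS", False),
           b"MSDOS5.0": ("FAT", False)}

def has_boot_signature(sector):
    """A boot record ends with the bytes 0x55 0xAA at offset 510."""
    return len(sector) >= SECTOR and sector[510:512] == b"\x55\xaa"

def partitions(mbr):
    """Yield (index, type, start_lba) for each used MBR partition entry."""
    if not has_boot_signature(mbr):
        raise ValueError("no 0x55AA boot signature in sector 0")
    for i in range(4):
        entry = mbr[446 + 16 * i: 462 + 16 * i]
        ptype = entry[4]                      # partition type byte
        start_lba, _count = struct.unpack_from("<II", entry, 8)
        if ptype != 0:                        # type 0 marks an unused slot
            yield i, ptype, start_lba

def scan_image(image):
    """Return (partition, oem_id, label, encrypted) for every partition."""
    findings = []
    for idx, _ptype, lba in partitions(image[:SECTOR]):
        vbr = image[lba * SECTOR:(lba + 1) * SECTOR]
        if not has_boot_signature(vbr):       # truncated image or no VBR
            findings.append((idx, None, "unreadable VBR", False))
            continue
        oem = vbr[3:11]
        label, encrypted = OEM_IDS.get(oem, ("unknown", False))
        findings.append((idx, oem.decode("ascii", "replace"), label, encrypted))
    return findings

def build_sample_image():
    """Constructed sample: MBR, then an NTFS VBR, then a BitLocker VBR."""
    def vbr(oem):
        return b"\xeb\x52\x90" + oem + bytes(499) + b"\x55\xaa"
    mbr = bytearray(SECTOR)
    for i, lba in enumerate((1, 2)):          # two entries, type 0x07
        struct.pack_into("<B3xB3xII", mbr, 446 + 16 * i, 0, 0x07, lba, 1)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr) + vbr(b"NTFS    ") + vbr(b"-FVE-FS-")

if __name__ == "__main__":
    for finding in scan_image(build_sample_image()):
        print(finding)
```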

    Visit Encrypted Disk Detector homepage

  • Post self-destructing Twitter messages with Efemr

    Efemr is a free web and mobile app to post time-limited messages on Twitter. It works by adding a timestamp hashtag at the end of your message; for example, adding #8m at the end of a post would erase your Twitter message in eight minutes. The time can be set to a few hours too, but no more than that. The app backs up all messages, keeping a private list of deleted posts next to a retweet button in case you change your mind, and to remind you of what you have posted in the past even if it is no longer visible.

    Efemr self-destructing Twitter messages

    Being able to limit how long something will remain on the Internet is a step in the right direction to protect people's privacy, but it will not replace common sense. There is still the possibility of someone taking a screenshot of the Tweet, and the time frame is not perfect either: Twitter feeds take longer than the specified limit to be erased, and anyone could copy and paste or retweet your message. If you truly want to keep your Tweets private then encrypt them with AnonTwi or any text encryption utility and make them only available to people you know. If anyone takes a screenshot it will only show ciphered text.

    Another way to achieve Twitter privacy is to never use your real name when opening an account, never post personally identifying data and always use Tor or a VPN to log into Twitter.

    Visit Efemr homepage

  • Online password manager Intuitive Password

    Intuitive Password is a free cloud-based password management service. Communication between your browser and their server is encrypted with SSL, and the servers are hosted inside an enterprise-grade data centre protected with a firewall, audited and constantly scanned with antivirus software to quickly detect security breaches. To open an account with Intuitive Password you only need an email address, which has to be verified by clicking on a link, and to set up a security question; any other personal details are optional.

    The security question is very important. I accessed the password manager using a VPN, which changed my computer IP, and a message popped up saying that my current location had not been registered with the account, and I was challenged to answer the security question before I could log in. This will happen every time you change geolocation, i.e. travelling. Another security feature that is to be implemented soon is two-factor authentication: after marking a field with “Advanced Protection” you will be sent and asked for an SMS (Short Message Service) code before being able to view that field.

    Intuitive Password online password manager

    The password manager has a clean layout that is easy to navigate, and with a single click you can switch from a wide-screen desktop view to a tablet or smartphone view. It will work with any operating system and nearly all smartphones, and data is synchronized on the cloud without the need to download any application.

    There are pre-made templates to store credit card and bank details, and the fields include input boxes specific to the data, like Swift code and expiration date. If you need a particular box, Intuitive Password lets you create your own template and customize all fields. Passwords can be shared between colleagues through a “Shared Items” tab, from where you can securely send secret passwords and view those sent to you by other Intuitive Password users.

    The only thing that disappointed me is that the main page said it was compatible with the Opera browser, but I could not manage to make it work with Opera and I had to switch to Firefox instead. Overall, assuming server security is as good as they say, this could be a good alternative to more established online password manager services. Intuitive Password had one of the best user interfaces I have seen; it should help boost productive time.

    Visit Intuitive Password homepage

  • Encrypt smartphone calls with SeeCrypt

    SeeCrypt is a Voice over IP app to secure voice calls and text messages with end-to-end encryption using AES256 and the RC4 stream cipher, available for Android and iPhone, with Blackberry and Windows Phone versions coming soon. Data is encrypted on the device before transmission using a unique encryption key for each session, and there is no central Public Key Infrastructure. Messages are broadcast in real time just like WhatsApp, but encrypted. The app can operate over 2G/3G/4G or Wifi networks; it only needs an Internet connection, and you cannot use it to dial emergency numbers. Voice compression reduces data consumption and with it your mobile phone company data charges. You do not have to pay for calls, but you have to pay $3/month to SeeCrypt, and only calls to other SeeCrypt users are possible.

    After signing up you will be given a trial period and asked for your email address to register the application once it expires. The SeeCrypt main screen shows you sections with your profile, contacts, messages, dialpad and help. The app does not allow multicalls; only two users can talk at the same time. You can easily send your friends a link to SeeCrypt if they don't have it installed yet, and the technical requirements to operate the app are minimal.

    Encrypted mobile phone calls SeeCrypt

    SeeCrypt is funded by a Dubai-based investment firm called Porton Group. I was concerned about their privacy policy when I read in their press release that “Seecrypt will pro-actively assist law enforcement agencies to prevent criminal activity being carried out using this encryption service.” This is not very convenient for those who don't trust their government, and adding to that, one of SeeCrypt's advisors, Anthony Chapa, who used to work for the U.S. Secret Service, was quoted in a press release saying that “There are techniques that law enforcement and intelligence organizations have available, and with the help of Seecrypt would not impede their mission.”

    I could not see the word backdoor written anywhere, but it was not mentioned that it did not have one either, and for that and because of their bizarre press release, I would stay out of this application.

    Visit SeeCrypt homepage

  • Get paid for ethical hacking at HackaServer

    HackaServer is a security testing platform where companies can send their applications and apps for skilled hackers to find bugs and exploits. When a server vulnerability is found, the hacker gets paid a reward. Big companies like Google and Facebook have their own security teams to test code and online applications before they are released to the public, but small companies cannot afford the thousands of dollars that this costs. HackaServer crowdsources hundreds of hackers who look for code vulnerabilities and misconfiguration, and the company only pays if something is found, with a confidentiality clause protecting the company's reputation and real production infrastructure.

    Any system administrator can deploy a custom testing server with the most popular operating systems hosting apps in just a few minutes. Before you start hacking a virtual server there is a sandbox called “Training Arena” where people can get a feel for the platform and test their pen testing skills.

    HackaServer account creation

    There are two kinds of hacking challenges: one called “Capture the Flag”, where the hacker has to penetrate the server and capture all the details as evidence that he was inside, and another where the hacker finds a flaw or vulnerability, rates it as critical, medium or low, and gets paid by the company for a full report with all the details. The report is the most important part and it will have to comply with standard penetration test reports. HackaServer only grants hacking rights to the “Playground Arena” after you have passed an IT test showing skills equivalent to a Certified Expert Penetration Tester (CEPT) exam, but without being charged for it.

    This is a good way for penetration testing students to improve their skills on HackaServer and increase their income while learning, as well as a way for black hat hackers to make some money the legal way.

    Visit HackaServer homepage

  • The Active Defense Harbinger Distribution

    The Active Defense Harbinger Distribution is a security Linux distribution based on Ubuntu 12.04 Long Term Support. Ubuntu LTS has 5 years of support from Ubuntu developers Canonical, which is useful for enterprises and those who don't need to run cutting-edge software and are more interested in a stable operating system that will be supported for a long time without the need to constantly upgrade to another version to patch up security holes.

    ADHD announces itself as an active defence distribution with preconfigured strike-back tools, able to interfere with an attacker's system fingerprinting, the first reconnaissance stage before a hacking attack. Just like Ubuntu, you can run ADHD as a live DVD or install it on your computer. When you first boot you will be given the choice of logging in as the adhd user or the guest user; the login password is adhd. The default window manager is the lightweight XFCE, which you could change using Synaptic, a package management tool for Debian that can be used to install, remove and upgrade software packages.

    The Active Defense Harbinger Distribution (ADHD)

    On the surface you will not notice many differences between The Active Defense Harbinger Distribution and any other end-user Linux distribution. It comes with The Gimp and gThumb for image editing, the full LibreOffice suite to work with documents, Thunderbird and Firefox, Catfish to search documents, basic network tools to ping, traceroute, port scan, finger and whois computer IPs, Xchat for IRC, Zenmap scanner, Gigolo, a front end to connect to remote file systems, Parole Media player to watch videos, gmusic browser and Gwibber, an open source microblogging tool with access to the most popular social networking services like Twitter and Flickr. The most geeky tool included in ADHD is pgAdmin, used to edit PostgreSQL databases; you will not find any hacking or penetration testing software on the list.

    The Active Defense Harbinger Distribution protects you by deploying honeypots that waste an attacker's time, alert the administrator to the attack while it is still harmless and gather information on the sources of the attack.

    One of ADHD's main defences is The Network Obfuscation and Virtualized Anti-Reconnaissance (Nova). It doesn't use signature-based detection for malware; instead it creates decoy systems for an attacker to interact with and alerts the system administrator via email or logs that someone is attacking a dummy folder, port, etc. You can have infinite recursive directories so the attacker never really gets to his target, or you can instruct Nova to automatically shut down a port when someone touches it.

    The Active Defense Harbinger Distribution system monitor

    ADHD also comes with Honeybadger, which is able to create a webpage that looks like a Cisco administration interface or something else interesting for an attacker to access. The dummy page can run a Java app on the attacker's machine, gather his IP address and add it to a report page that uses the Google API to show the approximate location in the world of the attacker's computer IP.

    The best thing about The Active Defense Harbinger Distribution is that you should not notice it is there until something happens. On the minus side there are no offensive tools other than those gathering an attacker's information, but you could add more aggressive digital tools with the package manager.

    Visit ADHD homepage