Author: John Durret

  • List of USA cloud storage services with client side encryption

    Even with local encryption, it is not impossible for a government to subpoena a tech company and force them to introduce a backdoor in their software. A few of the US companies below allow you to download the security software source code to make it much harder for a government to tamper with it unnoticed.

    Another way to strengthen your security is to use third-party cloud encryption programs like Viivo or BoxCryptor, which come with an easy-to-use interface that makes cloud encryption effortless. These programs can be used in conjunction with a cloud service's own encryption, adding a second encryption layer that will have to be broken.

    If you use Linux, EncFS can create an encrypted version of your files inside a folder before syncing it online.

    iDrive: Data is secured with AES256-bit encryption before moving it to the cloud. The encryption key is provided by you and not stored anywhere in iDrive servers, or you can opt for their system based encryption scheme where the company holds the key.

    JungleDisk: Used to back up your computer files to Rackspace Cloud Files Service or Amazon S3. During installation you can create your own AES256-bit encryption key that nobody else will know with data being encrypted before leaving your computer.

    JungleDisk cloud encryption Android client

    Cubby: Client side encryption with AES256-bit, any content added inside the Cubby software is automatically encrypted before syncing it with the cloud, there is an option to sync data in between your computers and avoid the cloud altogether.

    Elephant Drive: You are given a choice of using the company's encryption keys or creating your own. If you create your own keys, Elephant Drive will only store a hash value of them to compare with the entered password when you ask for access. The company will not be able to access your data even if they are forced to at gunpoint.

    SpiderOak: It can be used to share and back up files, data is encrypted in your computer with AES256-bit in CFB mode and HMAC-SHA256, the company has no knowledge of what data is stored in their servers or what your password is. SpiderOak software works in smartphones and Linux as well as Windows.

    Bitcasa: They implement convergent encryption to remove duplicate files stored in their servers, a way to save space in cloud servers by not backing up duplicate files that exist in another user account. With this system the company does not have to decrypt or see the data which is kept ciphered with AES256-bit.
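    The convergent encryption scheme described above, sketched as an added example (not Bitcasa's code): the key is the hash of the file itself, so identical files encrypt to identical ciphertext and the provider can deduplicate without the key. An HMAC-SHA256 keystream stands in for AES so the block runs with the standard library only; `DedupStore` and `who_stores` are hypothetical names. The last method shows the known trade-off: whoever holds a copy of a file can tell which accounts store it.

```python
import hashlib
import hmac

def _keystream(key, length):
    """Stand-in stream cipher (HMAC-SHA256 in counter mode); a real client would use AES."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def convergent_encrypt(plaintext):
    """Return (key, ciphertext). The key is the SHA-256 of the content itself."""
    key = hashlib.sha256(plaintext).digest()
    return key, bytes(p ^ s for p, s in zip(plaintext, _keystream(key, len(plaintext))))

def convergent_decrypt(key, ciphertext):
    plaintext = bytes(c ^ s for c, s in zip(ciphertext, _keystream(key, len(ciphertext))))
    if not hmac.compare_digest(hashlib.sha256(plaintext).digest(), key):
        raise ValueError("key does not match content")
    return plaintext

class DedupStore:
    """Hypothetical provider side: holds only ciphertext, indexed by its hash."""
    def __init__(self):
        self.blobs = {}   # blob id -> ciphertext, stored once
        self.owners = {}  # blob id -> users referencing it

    def upload(self, user, ciphertext):
        blob_id = hashlib.sha256(ciphertext).hexdigest()
        self.blobs.setdefault(blob_id, ciphertext)
        self.owners.setdefault(blob_id, set()).add(user)
        return blob_id

    def who_stores(self, known_plaintext):
        """Anyone holding a copy of a file can recompute its blob id."""
        _, ct = convergent_encrypt(known_plaintext)
        return self.owners.get(hashlib.sha256(ct).hexdigest(), set())

def demo():
    store = DedupStore()
    shared = b"constructed sample: contents of a widely distributed file"
    key_a, ct_a = convergent_encrypt(shared)   # alice's client
    key_b, ct_b = convergent_encrypt(shared)   # bob's client, independently
    same_blob = store.upload("alice", ct_a) == store.upload("bob", ct_b)
    store.upload("alice", convergent_encrypt(b"constructed sample: private note")[1])
    return same_blob, len(store.blobs), store.who_stores(shared), convergent_decrypt(key_a, ct_b)

if __name__ == "__main__":
    print(demo())
```

    Files that exist nowhere else stay opaque to the provider; widely distributed files do not, which matters for the subpoena scenario this post is concerned with.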

    Bitcasa cloud encryption software

    TarSnap: Targeted at the open source community, Tarsnap works in Linux, BSD, Solaris and other Unix based operating systems. Command line interface or shell scripts will encrypt and sign your data before uploading it, the software source code is available for download.

    Make sure not to fall for Dropbox or Google Cloud Storage security marketing ploys. Those companies only encrypt data server side. They do not protect you against a subpoena forcing a company to hand over the encryption keys.

    The only way to be safe from the NSA accessing your data stored in the cloud is if the cloud company never had access to the encryption key. In that case, the NSA could only try a brute force attack against hashed passwords, and that would not get them too far if you have assembled a very long encryption passphrase.

  • Islamic terrorists release Mobile Encryption Program for Android phones

    The Global Islamic Media Front, a Jihadist propaganda arm for al-Qaeda, Somalia’s al-Shabaab and the Pakistani Taliban, has released an encryption program for Android and Symbian smartphones.

    Originally named “Mobile Encryption Program”, it is being advertised as being able to send encrypted SMS messages and files as a way for “fighters in the frontline” to communicate securely with each other. The program uses the Twofish algorithm in CBC (Cipher Block Chaining) mode and is based on public key encryption; digital fingerprints can be displayed to make sure that encryption keys have not been tampered with. Encrypted messages of up to 400 characters can be exchanged in Arabic and English. One of the settings allows you to enter SMTP and POP3 hostnames and port numbers to send encrypted files via SSL email, and it will work with any SMTP email provider.

    Ballkan Islamik Media Front video

    Various terrorist groups, like al-Qaeda in Yemen, encourage their supporters to communicate with them using encryption programs produced by their propaganda arm.

    Global Islamic Media Front programmers have avoided the AES algorithm, a US government standard, but it is highly unlikely that a couple of guys in the bedroom can defeat the best mathematicians the NSA can hire and billions of dollars of budget available to crack it. With all of the available open source encryption programs this is totally uncalled for; they could have easily saved themselves the effort, unless of course the CIA wanted them to release this tool.

    As soon as you spot that The Islamic Emirate of Afghanistan financial department is using a Gmail address and most terrorist related files are hosted in American servers, you can tell that everything is under control. However, the GIMF is highly skilled at creating amazing videos with beautiful background music and footage to recruit new members.

    The Global Islamic Media Front official download site is down at the moment but you can read the announcement at the usual jihadist terrorist NSA monitored forums, like Ansar1, Ballkan-Islamic or Shumukh al-Islam forum.

    Ansar1 announcement of Mobile Encryption Program (Jihadist forum gone)

  • How Egyptian police quickly cracked journalist’s computer password

    According to Mike Giglio, a Newsweek correspondent, Egyptian police got hold of his laptop during his coverage of the latest Egyptian protest in Tahrir Square against the ousting of Mohammed Morsi, cracking his password-protected computer on the street to check what was inside, with just a few seconds of time and very little cost in terms of software and training.

    See the screenshot below of Mike Giglio's Twitter account explaining the Egyptian police's quick password cracking method:

    Mike Giglio password cracking Egypt
  • Tor service operator arrested, malware inserted in Tor sites

    The Freedom Host administrator has been arrested in Ireland and is currently awaiting extradition to the US, being described by an FBI special agent as “the largest facilitator of child porn on the planet.” Freedom Host was a service inside the Tor network hosting anonymous content that could consist of anything, ranging from leaked documents to hacking tools and illegal images.

    Tor Project’s Executive Director has confirmed in his blog that Freedom Host servers were breached before going offline, and it is claimed that hidden Tor sites in Freedom Host had been injecting a JavaScript exploit in an attempt to identify their users. The vulnerability only worked in Firefox 17, on which Tor Browser Bundle is based and which is therefore vulnerable; the developers had recently turned on JavaScript by default in an attempt to make it more user friendly. People using the NoScript addon or Tails live DVD to access Freedom Host hidden sites should have been protected from the exploit.

    Freedom Host Tor operator arrested

    OnionNews posters also link the FreedomHost administrator with Tormail and a Bitcoin escrow service called OnionBank; those services should be considered compromised by law enforcement as well.

    It is important to remember that what has been seized are servers belonging to an individual running various Tor services. This is not a Tor network vulnerability; as long as you did not run the Tor Browser Bundle you should be safe. Hidden sites running on different servers should also be safe, but this sends a strong message that what has happened to one operator might happen to others. The lesson learnt here is that you should always disable JavaScript in your browser.

    More info: Tor Project official blog 

  • Bluetooth and Wi-fi hacking with WarCarrier

    WarCarrier is a Linux ncurses tool to search for Wi-fi and Bluetooth devices from a moving vehicle (wardriving) using a laptop or mobile device. WarCarrier's GPS functionality interfaces with a module that contains updated information on GPS satellites, and its Bluetooth support works with Ubertooth, an open source 2.4 GHz wireless dongle.

    For those who don’t know, ncurses (new curses) is a programming library for writing text-based interfaces. Do not be afraid of this: WarCarrier has a very pleasant, well structured and coloured interface that is easy to figure out. One of the main strengths of this software is instant data logging that can take snapshots with satellite data (latitude, longitude and altitude), access point MAC addresses, and what kind of Wi-fi encryption is in place (WEP, WPA, WPA2). Data can be saved as .txt or .html.

    WarCarrier bluetooth and Wi-fi hacking

    Logging will be of great use in a crowded city with multiple access points, you could drive around with your laptop behind the seat gathering data, stop for twenty minutes to look at the logs and go back to your desired target using the GPS coordinates listed in the logs. Or coordinates could be combined with Google maps to see a visual representation of Bluetooth and Wi-fi devices in the vicinity. If your target is not approachable by car it is possible to attach an antenna to your wardriving device and extend its range.

    The application will be included in a future hacking live DVD of the same name that is under development. Advanced Linux users can already download the WarCarrier tool code; you will need to have Airodump-ng installed for WiFi monitoring and logging.

    Visit WarCarrier homepage

  • Hide photos and videos in Android with Sectos

    Sectos is a free Android app to hide photos and videos, and it is fairly easy to use. After launching the app you select the photos or albums you would like to hide and they will be moved, changing the file so that no app can recognize them as media. A camera mode will automatically hide any pictures you take right away without needing to manually hide them.

    The app unlocking code is stored as an MD5 hash and photos are secured with what the developer calls a “high-secure algorithm”. I would be wary of using Sectos to hide very sensitive pictures from a resourceful attacker due to the lack of app information about what encryption they are using, if any. It is impossible to evaluate what they call a high secure algorithm; more specific information is obviously needed to trust something marketed as a security product.

    Sectos Android app to hide photos

    What I liked about this app is that it can hide its existence by removing the Sectos logo from view, and the app can be locked using a PIN or pattern. This stops nosy people from looking about after coming across a photo hiding app, which is very tempting to play with for one too many. The Sectos PIN prompt only becomes visible after dialling a preset number on the phone; without that, nobody should be aware it exists.

    You can back up your hidden data using the app's integrated cloud storage services: Dropbox at the moment, with Google Drive support planned for the future. Cloud backup can be set to automatic. If you forget the passcode, it can be reset via an email link by going to Settings > Privacy settings.

    Visit Sectos in Google Play

  • Decentralized payment exchange network Ripple

    Ripple is a peer to peer network to trade currencies. At the moment Bitcoins make up the bulk of trading, but it can work with any currency and accept Dollars, Yen or Euros. Ripple also has its own native currency called ripples, represented by the letters XRP. Ripples do not necessarily have to be used to trade with others; they are there to stop network abuse by imposing a ripple tax on transactions, and they could be used for direct trading as a last resort.

    Ripples do not need mining. The founding company, OpenCoin, has already premined one hundred billion ripples; instead of creating more units, like the Bitcoin network does, Ripple works the other way around and reduces the fixed number of available ripples by distributing them to others.

    An example of a Ripple trade could consist of you loading Bitcoins to your Ripple address (they all start with r and look like a Bitcoin address, example of my public ripple: rpzoTc4YVnRig39MqZqYVM9ae1LhPAnMLj), transferring that money to a different Ripple account and converting it back to Dollars using a gateway. Ripple to Ripple transfer fees are tiny or free, but when you use an intermediary gateway to exchange different digital currencies, the intermediary will charge you for the service; in that sense it is not any cheaper than a Bitcoin exchanger.

    The gateway software is open source and can be set up by anyone; you can choose which gateway to trust and avoid the nodes you don’t like. Gateways are all connected to each other in peer to peer fashion, and transactions should be authorized within seconds.

    Advantages of using Ripple over Paypal are that opening an account requires no ID verification, transactions cannot be reversed, fees are tiny and it can be used worldwide to buy anything you like without worrying about terms and conditions. The huge disadvantage over Paypal is that unless it takes off, it will not be easy to convert ripples into physical items or hard currency.

    A comparison of Ripple vs Bitcoin should not apply here because Bitcoin is a digital currency and Ripple a currency exchange network and payment processor more similar to Paypal or MtGox.

    Cryptocurrency Ripple wallet

    There are Ripple detractors pointing out that Ripple founders, OpenCoin, keep 20% of the mined ripples for themselves, many Bitcoiners make profit too so I can’t really hold that against them, more worrying to me is Ripple being vulnerable to collapse if the authorities raid all of the trading gateways or they force the gateway operator to allow bugging equipment to be installed in the server. Unlike Bitcoin, where the customer can also be a miner, in Ripple you can’t do anything without a gateway administering transactions.

    It is good to have alternatives, and perhaps one could use Ripple to make money transactions harder to track but I don’t see too many reasons to use them over let’s say Bitcoin exchanger MtGox. Even with redundant P2P servers, Ripple is still vulnerable to server seizure, just not as much as a single server system.

    Visit Ripple homepage