Strongbox is a The New Yorker magazine tool to anonymously submit files and messages to journalist using the tor network, the project was put together by political activist Aaron Swartz, who died a few months ago, and Kevin Poulsen. StrongBox code is called DeadDrop and eventually will be released as open source for news agencies and particulars to implement as they wish. DeadDrop software runs on a hardened Ubuntu environment, it includes set up instructions and scripts, the code is written in Python, accepting document submissions and encrypting them with GPG for storage it then creates a random codename to be able to get back to the submitter anonymously without using email, there are three servers to anonymize the submission process one of them is public containing the interface, another server stores the encrypted messages and the third server monitors the other two for security breaches.
StrongBox anonymous document leak DeadDropWiki
The New Yorker public server is also using a plugged in USB dongle to strenghen encryption entropy helping create a pool of random numbers, their journalists use a VPN to download the encrypted data on to a USB thumbdrive, the information is decrypted using a laptop that has no Internet access, to avoid malware infection, and running a live CD to keep temporary files out of the computer hard drive and make data recovery impossible, GPG private decryption keys are contained in a different USB thumbdrive also plugged in the same laptop prior to viewing the documents. It is a smart set up that makes it impossible for a New Yorker journalist to learn the submitter computer IP so they can not be compelled to reveal something they don’t know. The only missing thing is a metadata scrubber, if the documents you are passing on contain metadata, and most government and company files do, the original leak source could be found out, you should use BatchPurifier first to get rid of hidden data before submitting any file.
After the recent arrest of CIA agent Ryan Fogle by the Russian counter intelligence agency Federal Security Service one of items they found in his possession and leaked to the press was a letter advising his Russian informer how to conduct secure email communications, this post will scrutinize these instructions to learn why the CIA adopted those particular security measures.
CIA Tip 1:“To get back to us please use an Internet cafe that has Wi-fi”
The Central Intelligence Agency is advising Wi-Fi to make sure that their informer does not use someone’s else computer, when you use a public computer you agree to being monitored by the system administrator, it is impossible to known what kind of surveillance or viruses exist in that computer and any data left behind, like visited and written emails are recoverable from the Internet browser cache even after years.
They are also making sure that if the informer home Internet connection is under surveillance by his ISP and checked by keywords, it will not be a threat.
CIA Tip 2:“Open a Gmail account which you will use exclusively to contact us” ; “As you register do not provide any personal info”
They get their informer to use an American email company that can be easily accessible by the US government if needed, they make sure that he is not stupid enough to open the email account using his real name or address or other small details that could be linked to him like his phone number or a real password recovery email address belonging to him.
CIA secure email instructions for spies
As a side note, there must be something good about Gmail security because former CIA Director General David Petraeus also decided to use a Gmail account for cheating on his wife last year, something I can think of is that Gmail login is with SSL and username and password can not be captured over insecure Wifi.
CIA Tip 3: “Once you register send a message to unbacggdA@gmail.com“: “In exactly one week, check this mailbox for a response from us“
The CIA gets his informer to email to another Gmail address from the same company, with this they make sure that email content will not have to travel over the Internet from one provider to another, if you send an email from Gmail to Gmail, presumably data never leaves Gmail servers.
The confusing email address the CIA is using makes it very difficult for a similar one to exist, so even if their informer makes a typo, the email will not be sent to someone else by mistake, it should bounce to his inbox instead.
CIA Tip 4: “If you use a Netbook or any other device (i.e. tablet) to open the account at a coffee shop please don’t use a device with personal data on it”
The CIA wants to avoid cross contamination, if the tablet is lost, stolen or hacked and accessed without permission, a third party could link the email exchange with the informer’s real job exposing him as an American spy.
CIA Tip 5:“If possible buy a new device (paying in cash) which you will use to contact us”
The best way to avoid mixing real life data with underground activities is using a dedicated device for illegal actions that will not be touched by anything else, this greatly reduces chances of a mistake and the device can be quickly disposed of if needed. The CIA also makes sure that the informer’s credit card can not be linked to the purchase of a new tablet, if the informer is investigated someone could notice in the financial transactions that he has spent money buying a new tablet nowhere to be found.
Other spy items
Other seized items showed to the press include a couple of wigs, three pair of sunglasses and a baseball cap, all of those items make facial recognition difficult if the Russians have that kind of software installed in their CCTV network (public transportation, street cameras, etc) to automatically flag people of interest. The British government has trialled facial recognition software on CCTV street cameras and Germany is known to employ it in Frankfurt international airport.
Another interesting item found in his possession was an RFID shield that prevents reading of RFID chips embedded in passports and ID cards, this indicates that the CIA does not trust those chips otherwise there would be no need to protect them from unauthorized reading.
CIA money bundle 500 Euro bank notes
Allegedly the CIA spy was also carrying a large bundle of €500 Euro bank notes, these are ideal for money smuggling and corruption. China for example limits its bank notes value to small amounts to make bribery more difficult, to carry a very large amount of money in Yuan would have required the CIA agent a box full of bank notes instead of a bundle, this could explain why the CIA wanted to pay the informer’s bribe in Euros and not dollars or Russian roubles.
Computer savvy people will wonder why encryption and proxies are not mentioned at all, I am guessing here that the CIA instructions are addressed to someone who is a total computer knob and even an old grandma could follow.
Viproy is a tool for testing SIP servers security, the Session Initiation Protocol is widely used for voice and video calls over IP, the software comes with different modules performing specific tasks, all of the modules support debugging and verbose mode, this is a Linux only command line tool, instructions are included and it should not be difficult for a Linux beginner to understand them.
Software modules consist of options, register, invite, enumerator, brute force, trust analyzer and SIP proxy, you can set target networks and port numbers. Before carrying out any attack you should fingerprint and enumerate SIP services first, after that you should register with the server and start intercepting, making calls or create havoc at will.
Viproy VoIP penetration tests include targeting a local client address and port, discovering SIP services with valid credentials, setting username and password in Asterisk PBX, issuing direct invites and spoofing without credentials, enumerating all users, launching a denial of service to all valid users so that nobody can accept calls and brute forcing a target account or numeric range using a dictionary list to test users password strength.
Viproy VoIP penetration testing and hacking tool
Viproy homepage lists a vulnerable VoIP server where you can evaluate your hacking skills without harming anybody, in a real life scenario after successful hacking a VoIP server you can listen in or record inbound and outbound calls as well as setting up usernames and passwords, the damage that can be done will depend no how many vulnerabilities exist, not all of the modules will be necessary successful penetrating the server.
Another tool you might want to add to your VoIP hacking arsenal is SIPVicious suite you can use it to audit VoIP systems scanning SIP devices IP range and cracking SIP PBX. VPN services protect VoIP calls in transit but the first and last point remain vulnerable, it is possible to listen in to a VoIP encrypted call by hacking into a server before encryption takes place or when the call is decrypted at the end of the line.
HookME is a free open source Windows tool to intercept network communications hooking up desired processes and API calls, including SSL clear data, the unencrypted SSL headers.
The software download is initially tiny (125Kb), when you try to install it you will get a message saying it requires supplemental .dll and .db files to work, over 30MB of files will be automatically downloaded by HookME from a third party site, you will also be asked to register the new .dll dependencies giving administrative rights to Windows Command Processor, the installation process could make some people feel uneasy about this tool containing malware, the only guarantee you have is that HookME is developed by well known OSINT FOCA creators.
Every time you start the software you will be shown a small Netkra Deviare unregistered license splash screen, you don’t have to buy a license but it will get rid of the initial screen if you do.
TCP data tampering tool HookME
The software has a tabbed user interface that can be used to intercept any hooked API call and read the data that is being sent and received, you can change intercepted packets in real time, dropping or forwarding them, a Python plugin system allows for anyone to create their own custom addon, there are some templates for that. HookME developer showed in BlackHat Europe 2013 conference how to easily intercept MySQL data and inject a backdoor on the fly with a few clicks executing remote commands.
Real time intercepted data can be seen in the user interface Hex editor showing you hexadecimal numbers and their corresponding text meaning, you can highlight data packets and click on the “Drop” or “Forward” buttons, a small window below the program lets you know what process is hooked, for example it will show firefox.exe if you are eavesdropping on a Firefox browser session.
This tool can be used for penetration testing creating malware and backdoors in network protocols or to uncover rootkits hooking up API calls, the main challenge for an attacker to use HookME against you would be getting access to your network first.
The Multifarious On-demand Systems Cracker is a Perl application based on Aircrack-NG to crack wireless WPA keys using cluster computers, it can be deployed in Mosix, an operating system distributed across multiple Linux machines taking advantage of conglomerated computer processors or run in collective SSH nodes, clusters can be build up with any Unix operating system, including the iPhone, MacOSX, or Windows and Cygwin, it has also been tested on an Android phone running as a SSH node, best of all you can run Moscrack on the cheap from the Amazon EC2 cloud computing platform.
The program splits a word list into chunks and processes them in parallel in between all of the nodes. If you don’t have access to a computer cluster it is possible to use Moscrack with CUDA, an NVIDIA parallel computing platform implemented in graphics cards, you will need to install aircrack-ng-cuda and adjust moscrack.conf (configuration file).
Moscrack cloud wireless WPA cracking
Moscrack command line interface shows a word list progress expressed in percentage, estimated completion time, running time, server status, cluster speed and other very complete verbose data, GUI interface is optional, it will be more suitable that you run the command line version to feel comfortable from the shell helping you to understand how concepts work, the GUI is pretty basic.
The program has been designed to run for weeks or months, you can leave it on and forget about the program until the job is done, functions go beyond WPA cracking, adding the Dehasher plugin will compare SHA256/512, DES, MD5 and Blowfish hashes to crack them, if you don’t wish to install this tool in your computer, a Moscrack Live CD running Suse Linux is available for download.
ChatSecure is a free iOS app for end to end encrypted chat with the Off The Record messaging system able to communicate with any chat software based on XMPP, like Google Talk, Jabber, Facebook, Oscar IM and ChatSecure in Android, it will not work with Yahoo Messenger or Skype contacts.
The app settings are simple but effective, you can change chat font size, set to autodelete chats on disconnect and get a warning before automatic sign out, your friends (Buddy list) chat accounts are accessible with a single tab on the side bar, each account has a logo indicating the messaging system your they are using, when you first establish a connection you will be shown the encryption key fingerprint and ask to verify it, this stops man in the middle attacks where someone injects a fake encryption key in between you and the other end to be able to listen in.
ChatSecure encrypted iPad chat
With this app there is no central server to store or monitor your data and third party eavesdropping is not possible because ChatSecure encrypts communications but you would still need to make sure that your acquaintance mobile device has not been stolen and he is who he claims to be, you also need to be aware that you are not anonymous in ChatSecure, the app will encrypt messaging but not hide the IP behind them, for anonymity add a VPN provider before starting the chat.
ChatSecure offers perfect forward secrecy, this means that temporary private encryption keys are generated for each session so if you lose them the keys can not be used to decrypt past chat logs or linked to you.
Dirt is an open source project adding FiSH compatible chat encryption to any IRC client, it can be used as Socks4 proxy or bouncer. Dirt only allows localhost (127.0.0.1) connections, this is to make sure that encrypted text will not leak out of your machine, the listening port for Socks4 is 1088 and the 6666 port is used when acting as a bouncer, settings can be changed modifying “dirt.ini” with a text editor.
After installation you will notice a Dirt icon in your system tray, to use Dirt in mIRC, a popular Windows IRC chat client, you need to access Tools>Options>Connect>Firewall and enter the appropriate hostname (127.0.0.1) and port number. Once connected you can type /dirt to see a list of all possible commands,
mIRC dirt encryption IRC chat
For those not aware, FiSH is a widely available IRC plugin providing Blowfish encryption grade to IRC chat, you can find it in the Linux command line irssi IRC client and many others. If you use a Mac computer or Debian Linux you could try FiSHLiM, a plugin for FiSH IRC encryption working in XChat and HexChat IRC chat clients.
Dirt works in Windows, Linux and BSD but it is still in development, another alternative could be using psyBNC, an IRC bouncer that replaces your computer IP with a virtual host (vHost) and supports channel encryption with Blowfish and IDEA algorithm, you will need a shell account to manage psyBNC, there are many companies offering them at cut-prize with easy configuration instructions, they are normally used by channel administrators to handle abuse.
