Author: John Durret

  • Steganography and hidden watermarks with OpenPuff

    Steganography and hidden watermarks with OpenPuff

    OpenPuff is a portable steganography tool that supports image, audio, video and Adobe Flash animation carrier files. It can conceal up to 256MB of data, splitting it between multiple carriers. Before anything is hidden it is encrypted with AES, scrambled, whitened and encoded, which reduces the chances of the hidden data being detected by specialist tools. You must always remember to erase the original carrier files: if a computer forensics expert has access to both files and can compare them, he should be able to prove that one of them contains hidden data, even if it cannot be extracted because everything inside has been encrypted. OpenPuff offers sixteen different encryption algorithms, which makes extracting data even more difficult since only the creator knows which cipher was used. The tool supports well-known secure algorithms like AES, Serpent and Twofish, and more obscure ones like Mars, Anubis or Clefia, a high speed block cipher developed by Sony Corporation for use in Digital Rights Management.

    To resist steganalysis, the detection of hidden data, the encrypted files are scrambled in a second layer using a cryptographically secure pseudo random number generator (CSPRNG) seeded with a user chosen password, shuffling the data with random indexes. A third security layer whitens the scrambled data by adding a large amount of random noise drawn from hardware entropy, and the fourth and final layer encodes the whitened data using a non-linear function. Very paranoid types can add a decoy file for deniable steganography, which works much like a Truecrypt hidden container: in OpenPuff you can reveal a password that unlocks an innocuous text and keep the real hidden message out of view behind a second password. Another feature is the ability to hide a mark inside a video, audio file or photograph, useful when you privately distribute a confidential file to a selected group of people: if the file later turns up leaked on the Internet you can check the mark and track down the source of the leak.
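    The advice above about destroying the original carrier is easy to show in code. The following is an added example, not OpenPuff's own code: a toy least-significant-bit embedder hides a payload in a constructed carrier, a hash-based keystream stands in for OpenPuff's encrypt/scramble/whiten layers, and a forensic comparison shows that anyone holding both the original and the stego copy can prove data was hidden even though the payload itself looks random.

```python
# Added example (not OpenPuff's code). Demonstrates why the original carrier
# must be erased: an original/stego comparison exposes the embedding even when
# the embedded bits are indistinguishable from noise.
import hashlib

CARRIER = bytes((i * 37) % 256 for i in range(512))   # constructed "pixel" samples
SECRET = b"meeting moved to 9am"                        # constructed payload


def embed_lsb(carrier: bytes, payload: bytes) -> bytes:
    """Write payload bits (MSB first) into the low bit of successive carrier bytes."""
    bits = [(b >> (7 - i)) & 1 for b in payload for i in range(8)]
    if len(bits) > len(carrier):
        raise ValueError("payload too large for carrier")
    out = bytearray(carrier)
    for pos, bit in enumerate(bits):
        out[pos] = (out[pos] & 0xFE) | bit
    return bytes(out)


def extract_lsb(stego: bytes, nbytes: int) -> bytes:
    """Read nbytes of payload back out of the low bits of a stego carrier."""
    bits = [s & 1 for s in stego[: nbytes * 8]]
    return bytes(sum(bits[i * 8 + j] << (7 - j) for j in range(8)) for i in range(nbytes))


def xor_whiten(data: bytes, password: str) -> bytes:
    """Stand-in for the encrypt/scramble/whiten layers: XOR with a SHAKE-256 keystream
    so the embedded bits carry no visible structure."""
    stream = hashlib.shake_256(password.encode()).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def compare_carriers(original: bytes, suspect: bytes) -> dict:
    """Forensic check: how many bytes differ, and whether every difference is in bit 0.
    A contiguous run of low-bit-only changes is strong evidence of LSB embedding."""
    changed = [i for i, (a, b) in enumerate(zip(original, suspect)) if a != b]
    only_lsb = all((original[i] ^ suspect[i]) == 1 for i in changed)
    return {"changed": len(changed), "only_lsb": only_lsb,
            "first": changed[0] if changed else None,
            "last": changed[-1] if changed else None}


def hide_and_audit(password: str = "pass") -> dict:
    """Hide SECRET in CARRIER, then audit the result as a forensic examiner would."""
    stego = embed_lsb(CARRIER, xor_whiten(SECRET, password))
    report = compare_carriers(CARRIER, stego)
    recovered = xor_whiten(extract_lsb(stego, len(SECRET)), password)
    report["recovered_ok"] = recovered == SECRET
    return report


if __name__ == "__main__":
    print(hide_and_audit())
```

    Roughly half of the first 160 carrier bytes change (only where the payload bit differs from the carrier's own low bit), all of them in bit 0 and all within the payload's footprint, which is exactly the pattern an examiner with both files looks for.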

    OpenPuff steganography freeware

    The software interface is a little overwhelming for the steganography novice, and drag and drop doesn’t work, so you have to select everything manually. Security experts should appreciate features like the bit selection window, which shows a long list of supported carrier files and the ideal percentage of data that can be hidden in each extension to avoid detection. A third, optional password seeds the scrambling CSPRNG, so you can use up to three passwords to hide data inside a file; the other end will have to know all of them to decrypt it.

    Thanks to the support for a wide range of carrier files (.bmp, .jpg, .png, .mp3, .vob, .mp4, .3gp, .flv, .swf, .pdf, etc.) the program makes it easy to embed hidden data anywhere on the Internet, from a blog to a photo sharing site like Flickr, saving you from having to contact a source personally, which could compromise his identity. If you hide data across multiple files, however, the other end will have to put the files in the right sequence to decrypt them. OpenPuff needs a little practice to get everything right, but it is one of the most complete steganography tools I have seen and it has some unique features.

    Visit OpenPuff homepage

  • List of One Time Pad encryption programs

    List of One Time Pad encryption programs

    One Time Pad encryption, also known as the Vernam or perfect cipher, is the holy grail of encryption security: when used correctly it makes cryptanalysis nearly impossible, because there are no old messages to compare against. As long as the one time pad is perfectly random, all the clues about the coding used for encryption remain within a single message. This is not easy to accomplish, because high quality random numbers are difficult to generate.

    This type of encryption was widely used by spy agencies during World War II and the Cold War period to protect diplomatic and military communications. The advantage of one time pad encryption is that it can be done by hand with pencil and paper, without the need to carry any special device that could compromise an undercover operation. A downside is that the key is made up of as many characters as the text you encrypt, resulting in extremely long passphrases that are difficult to disseminate. When all the rules are followed this encryption method remains secure and unbreakable, but in order to solve the key transmission problem one time pads have been replaced by symmetric block ciphers and public key encryption.

    I have only managed to find old one time pad encryption tools, most of them developed by a single hobbyist, and they could be listed as abandonware. You should not assume a developer’s claims are true just because he says so: without truly random numbers one time pad security will be compromised, and reusing any part of the pad makes the cipher vulnerable to attack. There is no way to know for sure how secure these programs are, but some of them provide the source code for you to look at.
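    The two rules stated above, a pad at least as long as the message and never reused, are what any of the tools below must enforce. The following is an added example, not code from any program listed here: a minimal byte-wise XOR one time pad that refuses to hand out pad material twice, plus a check showing what leaks when the same pad bytes are applied to two messages.

```python
# Added example (not from any tool on this page). A one time pad over bytes
# that enforces single use, and a demonstration of why reuse is fatal.
import secrets


class OneTimePad:
    """Holds pad material and hands out each byte exactly once."""

    def __init__(self, pad: bytes):
        self.pad = pad
        self.used = 0          # offset of the first unused pad byte

    def take(self, n: int) -> bytes:
        if self.used + n > len(self.pad):
            raise ValueError("pad exhausted: never stretch or reuse pad material")
        chunk = self.pad[self.used:self.used + n]
        self.used += n
        return chunk


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("key must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(pad: OneTimePad, msg: bytes) -> bytes:
    return xor_bytes(msg, pad.take(len(msg)))


def decrypt(key: bytes, ct: bytes) -> bytes:
    return xor_bytes(ct, key)


def reuse_leak(ct1: bytes, ct2: bytes) -> bytes:
    """XOR of two ciphertexts. If they share pad material the pad cancels out and
    the result is the XOR of the two plaintexts, obtained without any key."""
    return xor_bytes(ct1, ct2)


def pad_rejects_overuse() -> bool:
    """A 16 byte pad protects one 16 byte message and then refuses further use."""
    pad = OneTimePad(secrets.token_bytes(16))
    encrypt(pad, b"0123456789abcdef")
    try:
        encrypt(pad, b"x")
        return False
    except ValueError:
        return True


def demo() -> dict:
    pad_bytes = secrets.token_bytes(64)     # constructed pad; real pads need true randomness
    pad = OneTimePad(pad_bytes)
    m1, m2 = b"RENDEZVOUS AT NOON", b"ABORT THE MEETING!"   # constructed, equal length
    c1 = encrypt(pad, m1)                   # consumes pad[0:18]
    c2 = encrypt(pad, m2)                   # correct: consumes fresh pad[18:36]
    c2_reused = xor_bytes(m2, pad_bytes[:len(m2)])   # wrong: same pad bytes as c1
    return {
        "roundtrip": decrypt(pad_bytes[:len(m1)], c1) == m1,
        "fresh_pad_leak": reuse_leak(c1, c2) == xor_bytes(m1, m2),          # False
        "reused_pad_leak": reuse_leak(c1, c2_reused) == xor_bytes(m1, m2),  # True
        "other_message_recovered": xor_bytes(reuse_leak(c1, c2_reused), m1) == m2,
    }
```

    With fresh pad bytes the XOR of the ciphertexts reveals nothing, while with a reused pad it equals the XOR of the plaintexts, so knowing (or guessing) one message hands over the other.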

    CT-46 One Time Pad: An encryption tool that converts text into digits using a conversion table and completes the final group with zeros. The software is meant for learning to work with one-time pads and as a training resource; it comes with a complete help manual that tells you how to perform one time pad encryption with pencil and paper.

    CT-46 One Time Pad encryption

    OneTimePadJava: Written entirely in Java, it comes with the source code but no help manual, although it appears to be easy to operate. The tool doesn’t need installation and works across platforms.

    Pidgin Paranoia: A Linux plug-in for the Pidgin messenger that provides secure IM conversations using one time pad encryption; the key has the same length as the secret message and is only used once.

    Solid Encryption ($$): A commercial program claiming to be able to perform one time pad encryption; you can try it free for 30 days before being required to buy it. I found the interface to be outdated and not very easy to work with, but it comes with a help page.

    One Time Pad Solid Encryption

    Cryptomni: A program to encrypt files using the one time pad cipher; the key file is created with the SecureRandom random generator. The source code is open, but the program has not been updated for many years.

    Cryptomni One Time Pad

    OneTimePad Net: A one time pad encryption implementation written in Visual Basic, an object-oriented programming language that needs Microsoft .NET to work. I had to right click and run this program as administrator for it to work; there is no help file, but the interface is pretty straightforward.

    One Time Pad .NET encryption

    Perfenc: A Unix program to perform one time pad encryption. Documentation is included with the software and can be read by typing man perfenc; you can install it from source with the usual build tools like cmake.

    Emus encryption tool: It uses polyalphabetic methods from the Middle Ages. Texts are encrypted with random codes and fixed passwords, but it can also be used as a one time pad with extremely long random passwords and codes.

    Emus encryption One Time Pad

    Fxor: A Unix command line open source tool released under the BSD license that can be used for key file or one time pad encryption. This program is for people comfortable with the command line, as you will have to compile it before being able to use it. A help file is included.

  • Android Truecrypt compatible app EDS Lite

    Android Truecrypt compatible app EDS Lite

    Encrypted Data Store Lite is an Android app that lets you save files inside an encrypted container using AES 256 bit. It can also mount any Truecrypt compatible container from your phone, but to do that you have to make sure the Truecrypt settings used when creating the container are Encryption algorithm: AES256, Hash algorithm: SHA-512 and File system: FAT. These are not the Truecrypt default settings, which use the RIPEMD-160 hash algorithm; if you use different algorithms to create a Truecrypt container, EDS Lite will not be able to mount it.

    The app comes with a simple built-in image viewer that can show pictures and thumbnails. Files with the extension .edc, EDS’s own format, and .tc, the Truecrypt file extension, can be associated with the app for easy opening. Other options allow the app to prevent your phone or tablet from going into sleep mode, to make sure that an encrypted container will not be left open unattended by mistake, and EDS Lite can write to an external Secure Digital storage card, modifying and deleting the files stored inside.

    Android Encrypted Data Storage Lite

    A “send to” link can quickly encrypt photos or videos from the gallery, but remember that anything you leave behind that has not been securely wiped could still be recovered. While the encryption cannot be cracked, when you view a document stored inside the container there will be temporary traces left in the external reader you used: a compromising file name, and perhaps a full copy of the confidential document, might have been created outside the container by a third party viewer. The full paid version of the EDS app allows you to play media files inside the container without leaving temporary data behind, comes with a search index to find files inside the encrypted container, can synchronize data with Dropbox and allows the container to be secured with a hand-drawn pattern in combination with a password.

    It is refreshing to see attempts to port Truecrypt compatible encryption to mobile devices. Having a standard is very important for long term storage and data transmission; there is nothing more annoying than being forced to download multiple programs to do the same thing and not knowing if it will work on a different platform. I hope other developers come up with similar programs.

    Visit EDS Lite in Google Play

  • Run a SSH server in Android

    Run a SSH server in Android

    SSH Server is a complete Secure Shell daemon, Secure FTP, Secure Copy and Telnet server Android app that doesn’t require rooting the device. After installing the app you can enter an SSH server hostname and port, optionally use public key authentication instead of a password, and allow X11 forwarding, a way for graphical information to pass through firewalls, giving you a graphical interface if the Unix server you are connecting to supports it.

    Logging is very detailed; in verbose mode it includes filters and email logs, and to save space it can be set to record only errors, leaving connection logs out. The server is accessible from the Internet, and you can whitelist IP addresses, blocking everyone else.

    Android SSH server app

    The free version of SSH Server only allows for one server, which should be enough for most people. To connect to the server just use the ssh command line from a shell, as you would in Linux, in the form:

    ssh -v -l USERNAME ADDRESS -p PORT

    Here -v stands for verbose, -l for login and -p indicates the port; the server address should be the device IP. The app supports dynamic DNS, setting a permanent custom hostname that you can reach and that stays the same even if your device IP changes; companies like DynDNS provide this service. There are other Android apps, like Dropbear, that provide SSH capabilities on your phone, but Dropbear requires root, and there is the connectbot app too, but this SSH Server from Icecoldapps is the most complete, as it combines SFTP with SSH.

    Visit SSH server in Google Play

  • Encrypt text and files with VSEncryptor

    Encrypt text and files with VSEncryptor

    VSEncryptor is a free file encryption tool to secure messages and files. It comes with customization options that let you choose the cipher: AES 128/192/256 bit, the RC2/RC4 stream encryption algorithms, and DES or 3DES. During installation pay attention to avoid an adware toolbar being installed on your computer; you will also be asked whether you would like to integrate VSEncryptor with the Windows shell menu to quickly encrypt single files by right clicking on them, which can be changed later in the options.

    The software interface is very easy to understand, with just four buttons, “Encrypt“, “Decrypt“, “Settings” and “Edit Data“. If you use it often you can manage all of the options with the shortcuts that come predefined in settings, and the interface skin can be changed. After encrypting a file it is recreated with the extension .encrypted, but you can change the default extension to anything you want, and you can optionally manage VSEncryptor from the command line.

    Free file encryption VSEncryptor

    For high security encryption you should stick to the tried and tested AES256 cipher and set it as the default in settings. The RC4 algorithm is normally used to encrypt streaming data in SSL and WPA, and it can be vulnerable to attack when not used with a strong message authentication code (MAC). I was a little surprised that the developer referred to the RC4 algorithm by its original name, since it is trademarked by RSA Security and the encryption community often refers to it as ARCFOUR or ARC4 to avoid copyright problems. The DES algorithm is crackable with a brute force attack due to its poor 56 bit key length; TripleDES, as the name suggests, triples the DES key length and there is no known way to crack it, but AES has been much more widely analyzed by cryptographers and is a US Department of Defence standard, so it should be your first cipher choice.
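    The remark above about RC4 needing a strong MAC is worth seeing concretely. The following is an added example and not VSEncryptor's code: a from-scratch RC4 (ARC4) in Python, checked against the published "Key"/"Plaintext" test vector, showing that a ciphertext altered in transit decrypts without any error when there is no MAC, and is rejected when the ciphertext is protected by an HMAC-SHA256 tag (encrypt-then-MAC). The keys and message are constructed for the demonstration.

```python
# Added example (not VSEncryptor's code). RC4 is a stream cipher: flipping a
# ciphertext bit flips the same plaintext bit and nothing notices unless a MAC
# covers the ciphertext. Constructed keys and message, demo purposes only.
import hashlib
import hmac

TAG_LEN = 32   # HMAC-SHA256 output size


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR; encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                         # key scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                            # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def seal(enc_key: bytes, mac_key: bytes, msg: bytes) -> bytes:
    """Encrypt-then-MAC: ciphertext followed by an HMAC-SHA256 tag over it."""
    ct = rc4(enc_key, msg)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("MAC check failed: ciphertext was modified")
    return rc4(enc_key, ct)


def demo() -> dict:
    enc_key, mac_key = b"rc4-demo-key", b"hmac-demo-key"   # constructed keys
    msg = b"PAY 100 TO ALICE"                              # constructed message
    damaged = bytearray(rc4(enc_key, msg))
    damaged[4] ^= 0x01                 # one bit corrupted in transit (byte 4, bit 0)
    tampered_plaintext = rc4(enc_key, bytes(damaged))    # no error raised, text changed
    blob = bytearray(seal(enc_key, mac_key, msg))
    blob[4] ^= 0x01                    # same corruption, this time under a MAC
    try:
        open_sealed(enc_key, mac_key, bytes(blob))
        detected = False
    except ValueError:
        detected = True
    return {"tampered_plaintext": tampered_plaintext, "mac_detected": detected}
```

    Without a MAC the corrupted byte silently turns "PAY 100" into "PAY 000"; with the tag the same corruption is refused before decryption, which is the property a MAC adds on top of any cipher, not just RC4.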

    If you need simple encryption and trust closed source software, or have low security needs, VSEncryptor should do the job; just remember that the people receiving your encrypted text or files will need to own the same software to decrypt the data.

    Visit VSEncryptor homepage

  • Set up your own whistleblowing platform with Globaleaks

    Set up your own whistleblowing platform with Globaleaks

    Globaleaks is an open source framework that allows any activist group to set up their own anonymous whistle-blowing platform; using the Globaleaks software, the whistle blower is kept anonymous by default. The tool provides a JavaScript/HTML Globaleaks client that can be delivered as a browser add-on or loaded through a content delivery network. On the server side, tor hidden services give protection against legal liabilities, not only for the sender but also for the receiver, who will not be able to find out who sent the documents.

    You should not confuse this software platform with Wikileaks: Globaleaks does not provide a service, only the necessary software. When you set up a Globaleaks node you don’t become part of any network; you own the node, and the responsibility for managing the submitted leaked information falls on your side.

    Globaleaks whistleblowing platform

    Activists in the field can use a mobile phone to instantly submit photos, audio and video using GLDroid, a GlobaLeaks submission client for Android integrated with a tor proxy tool called Orbot. For those who cannot use tor, Globaleaks allows Internet users to publish information via tor2web, a proxy service that can reach hidden .onion sites through a web browser and does not require installing any extra software on the computer. Communication with the server is always encrypted end-to-end, a configurable time delay is introduced to stop submission events being linked with an instant post on the website, and document metadata clean-up is optional, so it is up to each node administrator to turn it on.

    A nifty feature I liked is the coloured badge that sites running Globaleaks display to the user, pointing out the anonymity, encryption and browser security level. A downside of the high security tor layered proxy approach is that the server will show high latency and it will take several seconds or minutes for the site to respond; during that waiting period Globaleaks provides information to the user about safe whistleblowing procedures, reassuring the submitter that everything is working.

    Visit Globaleaks homepage

  • Encrypt and sync data in between folders with CryptSync

    Encrypt and sync data in between folders with CryptSync

    CryptSync is a free open source utility that synchronizes files between a pair of folders and encrypts the content of one of them, with the aim of uploading the encrypted data to the cloud while keeping the original unencrypted files locally. Synchronization works both ways: whenever there is a change in one of the folders it is replicated into the other. The utility also encrypts file names, as they sometimes reveal details, and the files are all separately encrypted with the extension .cryptsync. You could also store data inside an encrypted Truecrypt container and upload it to the cloud, but you would have to update everything manually, whereas CryptSync automates the process. The idea is to use this program to store encrypted data online with minimum effort, and it does a good job at that.

    CryptSync encrypted folders

    Encryption is implemented with 7-Zip, an open source archiver that highly compresses files, saving space; if you need to open an individual encrypted file from the cloud you can save it to your hard drive and open it with 7-Zip and your CryptSync password. Software features are minimal: a “Start with Windows” option, “Run in the background” and “Create a New Pair“. You have to be careful when you erase a folder pair because no confirmation is asked for, but no data will be lost even if you erase a pair by mistake, since only the settings are erased. You can use this application from the command line too.

    There is no help manual included, but the author has a very complete explanation of how CryptSync works on his website. I would not use this tool if you already have an account with a specialist privacy focused cloud company like SpiderOak or Teamdrive, since their software already encrypts your data locally before it reaches their servers and they have no access to the encryption keys or a backdoor. CryptSync will be useful with shady cloud storage services that have minimum security or built-in backdoors, like for example DropBox, where company employees can access the servers where your data is stored. You could also use this utility on a network, securely storing backup files inside a NAS (Network Attached Storage) and keeping the original ones inside your fully encrypted computer.

    Visit CryptSync homepage