Hacker 10 – Security Hacker

Author: John Durret

  • Encrypt and sync data in between folders with CryptSync

    Encrypt and sync data in between folders with CryptSync

    CryptSync is a free open source utility that synchronizes multiple files in between a pair of folders and encrypts the content of one of them with the aim to upload the encrypted data to the cloud keeping the original unencrypted files locally, synchronization works both ways, whenever there is a change in one of the folders it replicates into the other, the utility also encrypts file names as they sometimes reveal details, the files are all separately encrypted and have the extension .cryptsync. You could also store data inside an encrypted Truecrypt container and upload it to the cloud but you will have to update everything manually while CryptSync automates the process, the idea is to use this program to store encrypted data online with minimum effort, and it does a good job at that.

    CryptSync encrypted folders
    CryptSync encrypted folders

    Encryption is implemented with 7-Zip, an open source archiving software that highly compresses files, saving space, if you need to open an individual encrypted file in the cloud you can save it to your hard drive and open it with 7-Zip together with your CryptSync password. Software features are minimal, a “Start with Windows” option, “Run in the background” and “Create a New Pair“, you have to be careful when you erase a folder pair because no confirmation is asked for, but no data will be lost even if you erase the pair by mistake, only the settings are erased, you can use this application from the command line too.

    There is no help manual included but the author has a very complete explanation on how CryptSync works on his website. I would not use this tool if you already have an account with a specialist privacy focused cloud company like SpiderOak or Teamdrive since their software already encrypts your data locally before reaching their servers and they have no access to the encryption keys or backdoor. CrypSync will be useful in shady cloud storage services that have minimum security or built-in backdoors, like for example DropBox, where the company employees can access the encrypted servers where your data is stored, you could also use this utility in a network, securely storing backup files inside a NAS (Network Attached Storage) and keeping the original ones inside your fully encrypted computer.

    Visit CryptSync homepage

  • Access Truecrypt and EncFS volumes in Android with Cryptonite

    Access Truecrypt and EncFS volumes in Android with Cryptonite

    Cryptonite is an Android app that brings the FUSE based cryptographic filesystem EncFS and TrueCrypt to Android, you can link it to your Dropbox account with a single tap, after that you will be able to read and write on Dropbox EncFS volumes, exporting, viewing or uploading new files. Dropbox claims to keep data already encrypted in their servers but if anyone finds out your password account they will be able to read the files, encrypting them with Cryptonite you are placing a second security layer on top and block Dropbox built-in backdoor to your data.

    To access your files offline sync them to a local folder with an app providing online storage synchronization, e.g. FolderSync. EncFS has a front end interface but Truecrypt is only available as a command line version, rooted phones that support the FUSE kernel, e.g. CyanogenMod, can mount an EncFS or Truecrypt volume, there is a Truecrypt work around to avoid having to use a rooted file browser, by typing “truecrypt –fs-options=”uid=1000,gid=1000,umask=0002″ volume.tc /sdcard/tc“. EncFS will use the encryption ciphers found in the system encryption libraries, Cryptonite allows you to select the encryption method, from a “Quick” Blowfish 128bit up to a “Paranoia” AES256bit with filename block encoding, other preferences include saving temporary files on an external SD card, setting up the mount storage point, clearing the cache and the “Chuck Norris mode” for experienced users that do not want to receive any security warning from the app.

    Android Truecrypt compatible encryption Cryptonite
    Android Truecrypt compatible encryption Cryptonite

    You can browse, export and open encrypted EncFS directories and files on your Dropbox and to your phone, when you open a file from a decrypted EncFS volume Cryptonite will produce a temporary copy in “/data/data/csh.cryptonite/app_open/path_to_your_file”, anyone with access to your phone could recover those files, the app includes a text viewer that works in memory and does not save any temporary copy, there are plans to add an image viewer in the future but right now there isn’t one and if you open an image a temporary copy could be made on the phone outside the encrypted container.

    Note: App still in development and intended for advanced users.

    Visit Cryptonite Android in Google Play

  • Facebook Privacy Watcher browser addon

    Facebook Privacy Watcher browser addon

    Facebook Privacy Watcher is a Firefox addon to help you manage Facebook privacy settings using colour codes. Instead of having to pay attention to checkboxes and tiny text in Account Settings> Security hoping that you got everything right, Facebook Privacy Watcher will visualize public posts in green, friends only posts in orange, red posts only visible to you and blue coloured posts only visible to a subset of friends.

    You can change any post privacy setting with a couple of clicks, colouring also works in your profile and photo albums. The addon runs in your browser no data is sent to the developer.

    Facebook Privacy Watcher
    Facebook Privacy Watcher

    This addon is not yet available in the official Mozilla addons repository but it is partly developed by the Technical Univeristy of Darmstadt which should give some peace of mind about malware.

    Other security measures you might want to take to secure your Facebook account are linking it to a mobile device, enabling always on secure HTTPS browsing, choose a strong password and set up login notifications where Facebook warns you when your account is accessed from a device not previously used.

    Visit Facebook Privacy Watcher homepage

  • Encrypted cloud storage with TeamDrive

    Encrypted cloud storage with TeamDrive

    TeamDrive is a cross platform (Windows, Mac, Linux) cloud storage service with uncrackable encryption, using AES256bit and RSA-2048 public/private key, data is encrypted in your computer before it reaches their cloud servers, Teamdrive has no way to access the files, limiting their legal liabilities since you can’t be compelled to decrypt something that you don’t have the key for, the encryption key remains in the user computer at all times.

    To set up a Teamdrive account you are only required a valid email address, I liked that they have a portable version that can be carried in a USB thumbdrive or kept inside an encrypted virtual container (e.g. Truecrypt), but you will need to configure the default settings to make sure that there is no data leakage in the host computer, luckily Teamdrive software settings display the file path for data back ups and cache, a quick look will tell you where in the drive it is kept.

    Encrypted cloud storage TeamDrive
    Encrypted cloud storage TeamDrive

    The program is divided intro three tabs, “Spaces“, where you can create folders, organise your files and set access permissions for other members and with a right click send an invitation via email revealing the URL for the data you would like to share with others, optionally, spaces can be password protected. Another tab called “Members” lets you see who has access to a particular space and a third tab called “Activity” contains a very detailed log of file movements, like uploads and downloads with timestamps. To add files, manually select them or drag and drop inside the window, everything is quickly sync when there are changes, a trash can will save erased files that can be restored if you change your mind.

    Inside settings you can configure a proxy if you are using it to access Teamdrive cloud storage space, the paid for version allows you to assign roles to other people, setting up administration rights, like being able to publish and delete files or remove other members from a shared space. There is support for smartphones, you can run the application in  Android or iPhone  The free version has limited storage space and bandwidth, indicated inside the application with a graph bar, enough for light file sharing.

    Teamdrive is a decent alternative to SpiderOak and definitely better than Dropbox, where the company can decrypt your data, if you care about privacy drop Dropbox now.

    Visit TeamDrive homepage

  • OnlineVNC: Remotely access your computer on the browser

    OnlineVNC: Remotely access your computer on the browser

    OnlineVNC is a service that allows you to remotely control a computer using a web browser running on any operating sytem, wherever you are, work, hotels, etc. The service can also be used tor provide online IT support, the only thing needed for it to work is installing the Windows only software on the server side and that Adobe Flash is present on the client side. The application can also grant access to your home computer to friends or work colleages to share huge files with the built-in FTP client or show presentations.

    The server control panel allows you to see who is connected and what they are doing in real time, being able to restrict or give viewing, keyboard or mouse access. There is no limit to the number of people who can connect to the computer, communication takes place using the Remote Framebuffer (RFB)  protocol, compatible with offline Virtual Network Computing viewers like TightVNC, RealVNC and UltraVNC, you can log off or lock the remote computer without breaking the connection, the remote desktop picture can be scaled, with a fit to screen mode and the network speed can be changed to slow, reducing the quality of graphics optimizing bandwidth in slow networks.

    Remote desktop access OnlineVPN
    Remote desktop access OnlineVPN

    The connection port number can be configured, this should help getting around firewalls and making your server harder to spot on the Internet by adopting a non usual port, if you notice anyone scanning your computer adding their IP to the Host Filter will blacklist it.

    There are trust based downsides to this uncomplicated solution for remote computer access, if you are not using your own computer it would be a security risk accessing OnlineVNC because you have no guarantee against keyloggers in an Internet cafe, but with your own tablet or laptop it is not a problem. Another downside is that the RFB protocol is not very secure and it is possible to crack the password if someone on the network captures the encryption key, but you can tunnel OnlineVNC over a VPN adding an extra security layer with strong encryption, a third downside is that you have to trust the company managing the service to respect your privacy and be responsable, beyond that, OnlineVNC is acceptable for those looking for an effortless way to remotely access computer files.

    Visit OnlineVNC homepage

  • SilverShielD, a free SSH/SFTP server for Windows

    SilverShielD, a free SSH/SFTP server for Windows

    This Secure Shell server/client Windows program provides secure encrypted communications in between two hosts, the custom installation allows you to choose an exclusive install of an SSH/SFTP server and/or included management tools. SilverShieldD implements a server side technology called SafeUP to protect file uploads when the client doesn’t protect them.

    Secure SFTP clients like WinSCP upload files with a fake name and renames them in the server after successfully upload, this system stops accidental overwriting of the server file if the connection breaks before the upload is finished, SilverShielD SafeUp technology does exactly the same thing but on the server side. The software comes with an easy to understand help manual full of screenshots, and a command line version called SilverCLI that can be integrated in third party management tools.

    Free Windows SSH/SFTP server SilverShielD
    Free Windows SSH/SFTP server SilverShielD

    Each SilverShielD user has its own set of public encryption keys to connect to the server, a keyring with multiple keys can be used too, there is a public key management window where to add, generate or remove encryption keys setting parameters like key length and key description, the latter will be kept in logs when a user connects to the server, you can also use PuTTYGen to create your own SSH keys and import them into SilverShielD.

    Server administrators can apply individual user and folder permissions, ticking a simple checkbox a user ability to upload, download, delete, list files and much more can be managed and decide what kind of authentication mechanism can be accepted, public encryption key based, only password or both, while restricting connections to a single IP or network. An event handler can execute scrips for a specific user, when there are multiple scripts the initiation order can be established by order. File uploading can be set with Z compression on, a  a lossless compression scheme called zlib that works across platforms and saves bandwidth and increases transfer rates during file uploading.

    SilverShielD is easy to use with options containing all you need divided into tabs , from choosing what encryption algorithms are allowed, inside the “Expert Settings” tab, up to entering an SMTP server for when a script needs to call SendMail or Postfix. The “Security Settings” tab lets you customize tarpit timeouts to stop port scanning, a very common occurrence carried out by bots trying to find an open port in a server before a malicious hacking attack takes place, tarpit can ban attackers IP addresses if they keep sending unasked server probes.

    This is a highly customizable SSH/SFTP server that advanced IT users should like, the free edition can be deployed for non commercial purposes, allowing for up to 3 concurrent connections at a time, businesses need to purchase a license.SilverShielD is fitting for people who are not comfortable with the command line and need an advanced SSH/SFTP server that can be set up at home in a matter of minutes in any old spare computer.

    Visit SilverShielD homepage

  • Password protect notes with Secret Notes

    Password protect notes with Secret Notes

    Secret Notes is a free program to write and keep password protected notes, during installation you will be asked if you would like to install adware called “cleanmypc“, this can be skipped if you pay attention and uncheck a tickbox, but it is compulsory to enter a registration email address for the program to be activated over the Internet. After launching this tool you will be asked to enter a masterpassword twice, you will need to launch the program and unlock the Secret Notes to add or edit new information.

    The program is very eye candy with a nice interface that looks like real yellow Post-it notes, the background can not be changed but the font colour can be modified to over a dozen different hues, made bold, italic or underlined, with a basic do and undo arrow buttons and a trash can symbol next to the date and timestamp. All pretty basic but enough for taking notes and they are all beautifully organised in rows.

    Password protect notes with Secret Notes
    Password protect notes with Secret Notes

    A “Lock Notes” button will close down the software and make it inaccessible without a password. I was unable to find any information in the developers page about what kind of encryption it is used to secure the notes, assuming that is what they use, I would treat this tool as a very light guarantee program until more information it is given about the employed defence system, I don’t think it is proper for a security product to omit it.

    Visit Secret Notes homepage