I was looking at the server logs when I detected multiple visitors coming from the HM Customs And Excise HQ Network, the UK government agency in charge of collecting custom duties at the border. I became mistrustful of so many visits from the same government department, using IPs 163.172.209.46, 163.172.145.100, 163.175.5.218 and others in the same range.
The first thing I did was a traceroute and I found out that 163.172.209.46 was in fact not located in the UK but in France, I then looked at the host name, as you can see in the picture it reads watchme.tor-exit.network, at the URL there is a message displayed saying that they are Tor Exit Router.
Additionaly I reaserched open data with DuckDuckGo and I uncovered a customer of a VPN company complaining in a blog that his OpenVPN French node was being identified on the Internet as belonging to UK Customs and Excise. Futhermore, I have discovered numerous warez and porn websites like Yellowasians identifying themselves as being hosted by Her Majesty Customs and Excise HQ.
Fake ISP Customs And Excise UK
What happened here? I suspect the network administraror entered as an IP owner HM Customs and Excise HQ when in reality their hosting company is Online.net, a subsidiary of the Iliad Group, a French company renting dedicated servers in France, also being marketed as Dedibox.
Likely they are doing this to avoid being blocked, many data centers out there block Tor exit nodes and this way it makes them harder to spot, the hostname is not always labelled you would need a traceroute to know this is not a UK IP, another benefit is that with this French IP you should be able to watch online TV restricted to UK viewers like the BBC iPlayer, but malicious bots can also use the craft to gather information before a hacking attack or spam.
I don’t know if it is legal impersonating a government agency in the IP, that is for lawyers to say and it will likely differ from country to country. I am only posting the information to help out other webmasters seeing multiple visits from a UK government to their site, no, they are not monitoring you, it is a fake ID.
Getting fed up noticing daily brute force attacks in the server logs I decided to upper the game and implement two factor authentication (2FA) in the blog login page, this way even if a trojan horse in my PC captures the long random password nobody will be able to break in.
The most common choice for two factor authentication is Google Authenticator, or a compatible mobile app like LastPass Authenticator or Authy. The problem I had with them is that I carry my mobile phone with me everywhere and I was afraid of losing it, together with the matter of mobile apps wasting time requiring you to enter a long random number in the login page. For those reasons, I decided that a hardware token authentication was preferable and I bought a Yubikey Edge and a Yubikey Neo.
The main difference in between the Yubikey Neo and the Edge is that Neo has NFC and it can be used with a smartphone or tablet that supports NFC, usually high end models, without the need for any USB port.
Yubikey Neo and Edge
Something to remember is that Yubikeys only work with the Chrome browser, Mozilla Firefox intends to add U2F support in the future but this has not been done yet.
Fortunately there is a Firefox addon called “U2F Support Add-on” that has been reviewed by the Mozilla team to make sure that it doesn’t have security complications and it works. I also use the Yubikey with Vivaldi, a Chrome based browser and it also works, this way I can avoid a pure Chrome browser loaded with Google spyware.
Before buying the tokens I researched on Yubico’s website what online services I could use the Yubikeys with, that was my first mistake. Trusting everything a manufacturer says when they are trying to sell a product is not clever.
Yubico lists self-hosted WordPress blogs as “supported“, after buying the Yubikey I found out that the plugin for WordPress is not developed by Yubico, it has been coded by an individual and it has not been updated for over two years, it rightly comes up flagged with a security warning in the WordPress plugin directory.
Will I expose my website’s security to a plugin not updated for the last 2 years that looks like abandonware? Sure not and I think that anybody who cares about their WordPress blog wellbeing should not use a Yubikey until a company or somebody reliable officially updates and supports the necessary plugin.
The second account I wanted to use the Yubikey with is my Google Account, again a problem comes up. I have no idea why it happened but facts are facts and after setting up the Yubikey with my Google Account and using it a couple of times it suddenly stopped working.
I attempted to make it work with a Chrome based browser (Vivaldi) and Firefox, I confirmed that my Yubikey was fine by going to Yubico’s demo page. For whatever reason my Google Account doesnt like the Yubikey, although officialy Google supports Universal Two Factor authentication tokens the Yubikey will not show up in the log in page anymore.
The third account I wanted to secure with the Yubikey is my Fastmail account, another unexpected obstacle I did not count on. It was remarkably painless for me to add the Yubikey to Fastmail, but then I found out that having a Yubikey added in Fastmail does not disable single factor authentication, all it does is to give you the choice to use a Yubikey to login into your email account from a public computer without having to worry about the password being stolen.
Yubikeys with Fastmail will not stop brute force attacks of your main username, and if anybody steals your login masterpassword you will lose your account. For me the whole point of setting up 2FA is making it impossible for others to access the account without the key and the password together, and Fastmail can not do that.
Yubikey Edge and Yubikey Nano with NFC
Yet more dissapointments trying to set up my Yubikey with Evernote, Yubico lists it as supported but I find out that that for it to work you have to install the Yubico Authenticator Desktop application and configure it with Evernote. It is not complicated but it means software has to be installed into your computer and time spent which defeats some of the purposes of using a hardware token for authentication, like simplicity.
Another problem, Dashlane is listed as one of the password managers supporting Yubikey to login, but only for a price, you can only enable a Yubikey with Dashlane if you have a paid account. Perhaps Yubico should have mentioned this on their page of supported services.
Conclusion Yubikey review
I am entirely out of love with the Yubikey, a few of the problems I had were not Yubikey’s fault, like Dashlane charging you money for the privilege of securing your account with it, but other problems like the outdated plugin for WordPress I feel it is partly Yubico’s responsability. They should have some kind of agreement or a developer to make sure that the most popular services work with the Yubikey and do not look like abandoned projects.
The commendations for the Yubikey are that it is sturdy, it needs no battery and I had zero problems about drivers, but until it works for real in major websites I am not going to recommend it to any of my friends and I would not trust any of the supported services listed on Yubico’s site. If you plan on using a Yubikey on a certain service, visit that page and get the information directly from them instead of Yubico.
Promising project, too bad it can’t be used as intended anywhere meaningful.
A judge from Galveston County named Chris Dupuy has been forced out of office after being charged with online harassment for placing fake hooker advertisements with the photographs and phone numbers of two former girlfriends in the escorts section of a classifieds ads website.
Harris County Sheriff’s investigator Scott Hardcastle subpoenad Backstage.com to find out who had placed the adverts and found out that the IP had been masked with offshore proxy servers. Houston Press reports that the affidavit of the lead detective says that he “had worked backwards from the ads to trace masked IP addresses in Venezuela, Colombia and Germany.” and the articles goes into making fun of the software name “hidemyass.com“
If Chris Dupuy was using software to hide his computer IP, it could not have been Hide My Ass free online proxy as it is web based and there is no need for software, the article also mentions masked IPs in Venezuela and Colombia, servers that are not available to free users, only somebody with a paid account can access those proxies. Based on this Chris Dupuy was possibly using HideMyAss VPN and not the online proxy.
Click to enlarge Chris Dupoy HideMyAss
There are no further details on how the detective “traced masked IP addresses” from HideMyAss but the VPN provider logging policy page states that HideMyAss keeps logs of:
a time stamp when you connect and disconnect to our VPN service;
the amount data transmitted (upload and download) during your session;
the IP address used by you to connect to our VPN; and
the IP address of the individual VPN server used by you
The data is more enough to identify a customer if necessary and it is stored for in “between 2 and 3 months“, or “longer if required by law”, HideMyAss parent company Privax LTD operates from England and was recently acquired by AVG Technologies.
Futhermore, HMA terms and conditions do not allow using the VPN for filesharing, if you are found doing this “then we may store your VPN data for an extended period of time beyond the normal 3 month maximum“, and HMA online proxy is even more detailed than VPN logs, they record the address of every single website you visit and files you view, keeping it for 30 days.
If HideMyAss has handed over the logs for one of his users, which is not confirmed as there are no specific details on how the detective traced back the IP, this would not be the first time they help out the law enforcement, in 2011 Cody Kretsinger, was arrested thanks to HideMyAss handing over logs proving that he was responsable for hacking Sony.
Despite all the FBI talk against encryption software, public records show that Radio Free Asia, a broadcaster funded by the United States Congress to help advance their foreign policy in East Asia, in 2012 created the Open Technology Fund, which in turn gave over a million dollars to Open Whisper Systems, the company responsible for developing the iOS and Android encryption apps Signal, Redphone and TextSecure, apps recommended in Twitter by various Islamic State members.
It is very bizarre that American taxpayers are financing development of the same encryption software that American officials say are helping terrorists evade surveillance and supposedly threatening intelligence services of “going dark“.
Some cybersecurity experts suggest that the NSA could be behind the funding to try to stay one step ahead of the game, presumably by influencing the development of the apps or gaining internal knowledge.
Open Technology Fund diagram
Just because the USA government is funding a privacy project it doesn’t automatically mean that the technology is not safe, it is also the US taxpayer who is footing the bill for developing Tor. A network used by drug dealers, terrorists and Chinese dissidents alike, and so far, the only arrests in Tor have been the result of zero day browser vulnerabilities, FBI identity theft in forums, Bitcoin tracing or other user related mistake, like, using the same nickname in the open Internet and the darknet.
There isn’t any known arrest due to the Tor network being broken in the same way that Freenet has been infiltrated by law enforcement.
Email for the security paranoid
If you don’t wish the NSA and GCHQ to illegally read your communications, the method below should allow you to bypass Internet wiretapping from intelligence services:
Open an account with an email provider that has encrypted servers (Tutanota,ProtonMail,Countermail).
Share the password of that account with your contact.
Write an email and don’t send it, save it in the drafts folder.
Your contact reads the draft email, erases it and replies writing another email that is never sent, only saved in the drafts folder.
Method Weaknesses
Email provider you have chosen is not as secure as they claim to be. Fix: Encrypt the message with a second layer using PGP or 7zip.
ISP middle in the man attack, breaks SSL connection to the email account and sees anything you upload Fix: Same as above, apply second encryption layer.
ISP sees metadata, sites you visit. Fix: Use Tor or a no logs VPN to connect to the email account.
Islamic State member Twitter account
The downside of the method above is that it is only be useful to communicate with somebody you already know.
For an open chat where you can post your address in public, you can open a Tor Email account and access it in your smartphone using Orbot or any other mobile app that allows you to connect to the Tor network, or as advised by the Islamic State Twitter account above, ChatSecure is the best form of anonymous communication using a smartphone.
The country where these Islamic terrorists are based, Syria, doesn’t have wide Internet access, it makes sense that a smartphone app is their preferred method of communication.
A user sharing child porn in Hyphanet, the rebranded Freenet, has been arrested by law enforcement in the US. According to the news article linked below authorities identified his IP in Hyphanet but this time they are not revealing how they did it.
Freenet, a P2P network routing traffic across multiple nodes to hide people’s IP when filesharing, and often cited by the media as part of the dark web has been broken by law enforcement.
Court records related to Paul Bradley Meagher, a University of North Dakota police officer arrested for downloading child porn from the “anonymous” peer to peer network Freenet, reveal that the North Dakota Bureau of Criminal Investigation had been running an undercover operation in the network since 2011, planting their own nodes inside Freenet to be able to log people’s IPs and trace the final destination of users downloading illegal material.
The Dakota student news site relates how Investigating Officer Jesse Smith managed to get hold of Paul Bradley’s laptop still switched on and running Freenet on the Wifi network, law enforcement discovered child porn images during the preview before seizing the laptop, arresting the suspect, whom, at that point refused to talk with the investigators. Paul Bradley has now been charged with 10 counts of possession of child pornography and can be sentenced to up to 5 years in prison for each count, facing a possible 50 years in jail.
Freenet network jSite
The Grand Forks Herald from North Dakota cites detective Jesse Smith in the affidavit as admitting to her department running nodes in Freenet to be able to track people downloading files included in a list of known child porn file hashes from the police database.
Unsurprisingly, when a journalist contacted the Bureau of Criminal Investigation of North Dakota they declined to make any comment about the story, so little is known about how they track people. It could be because Freenet has far less nodes than Tor, or because Freenet code has some bug (it requires Java to run).
With further research I found that the ICAC Internet Crimes Against Children Task Force, in 2014 ran a Freenet workshop for law enforcement to present what they called the “Black Ice Project“. Quoted on their website as “This session will describe the basic functioning of Freenet, how persons exchanging child abuse material, the system’s vulnerabilities and how the Black Ice project exploits them.“
References:
“Child predators use technology, but law enforcement does too“
According to the RCMP newsletter, after two and half years of trying to get in, Canadian police in Saskatchewan has managed to crack a hardware encrypted device storing child porn inside, this is the first time the police has managed to crack this particular device.
An article in “The Star Phoenix” also mentions that two Datalocker external hard drives were cracked, the brand of the drive is further confirmed by “Gazzete“, the Royal Canadian Mounted Police magazine (link below), their article about this case does not name the company but the photo in the article clearly shows a Datalocker device.
Datalocker encrypted drive
According to the police magazine, Datalocker destroys the encryption key after 10 failed attempts but the forensic team overcame this challenge. Sgt. Joel Bautista figured out that given the maximum password length and variable characters that DataLocker allows for, the police computer cluster could brute force the password in around 10 years at most, so they kept trying.
Datalocker key entry does not support upper case letters, only small case and special characters are allowed, this limits passphrase strength.
Datalocker CEO, Jay W King, has contacted me acknowledging that Canadian police asked Datalocker for assistance in this case and he claims that the company only disclosed “publicly available information in regards to our password rules“. He also claims that the device had no brute force protection and asked me to remove what he says is wrong information and not to use the word “cracked”.
I agreed to change the picture of the post as it was featuring a model that did not exist at the time, the post now displays the correct model, but I will not change the text.
The police forensics team says that they had to overcome brute force protection, I have no reason to believe the police is lying or wrong. And to avoid misunderstandings, I am going to quote in bold what the Canadian police magazine says word by word:
“The forensic team had several challenges to overcome, including defeating the brute force counter, a feature on the device that would be initiated after exceeding a number of failed password attempts.”
Datalocker CEO also claims that the model pictured in the police magazine does not come with brute force protection, but another article in “The Star Phoenix“, says that there were two Datalocker drives involved in this case, it is possible that the police newsletter photo is not showing both of them.
The CEO has also sent me an old prospectus, and he is correct that the Datalocker Personal and Pro are advertised as not having self-destruct mode, but, a third column in the same prospectus, reproduced below, shows a model called Datalocker Enterprise, encrypted using AES256bit, listed as having self-destruct mode.
Datalocker encryption modes
I am not going to argue about what device was involved in this case, because I honestly don’t know, but I can say for certain that the police claims that they had to “defeat the brute force counter“, textual words.
I am sorry man, but that is what the police says, I can’t change it. I invited Datalocker CEO to post whatever he likes in the comments section if so he wishes.
New top secret documents leaked by Snowden (link below) reveal that GCHQ, Britain’s spy agency, has a team to reverse engineering popular encryption software and they routinely collaborate with British police when they come across encrypted data during the course of an investigation. Since it is not needed to explain in court how law enforcement has managed to access the encrypted data, it can remain secret when GCHQ finds a vulnerability in an specific program.
In one particular case, GCHQ assisted the National Technical Assistance Centre, a domestic law enforcement agency, to decrypt child pornography stored inside a virtual encrypted container created with Crypticdisk and in another case, GCHQ cracked Acer eDataSecurity Personal Secure Disk for an undetermined “high profile police case“.
Acer eDataSecurity is a free file encryption utility that comes with Acer laptops. I was not able to find out what algorithm Acer is using for encryption but I learned reading the laptop manual that the user can choose a bit strength of in between 128bit and 256bit, the manual textually says that “If you lose your password, there will be no way to decrypt your encrypted file!“, it has not been designed with a backdoor, deducing that GCHQ cracked it on its own without assistance from Acer.
Exlade CryptDisk encrypted container
The other cracked software, CrypticDisk, from Canadian company Exlade, has thousands of companies and government agencies as customers. CrypticDisk can create a virtual encrypted disk or encrypt and external device, like a USB memory stick, where you can store data or programs, once the container has been closed, it is meant to be inaccessible, it works like Truecrypt and the company page mentions that CrypticDisk encryption keys can be made of up to 2944-bits in strength, with built-in support to open Truecrypt containers.
CrypticDisk containers can use multiple encryption algorithms in cascade, there is a selection of AES, Twofish, Serpent, Blowfish and CAST6. The encryption wizard advises that the more algorithms you choose in cascade, the higher the cryptographic strength.
There isn’t any clue in the leaked papers about how GCHQ cracked this software, I will make a guess of a bad implementation because the encryption algorithms are all open and AES has been widely reviewed by expert cryptographers. I am discounting the possibility of a user mistake choosing a weak password because British police is known to have a computer cluster where they can try thousands of dictionary words per minute, theoretically there should be no need for the UK secret services to help out law enforcement brute forcing a passphrase.
The same secret documents reveal that GCHQ has obtained a warrant from the Foreign Secretary so that they can not be prosecuted for breaching copyright law from proprietary software companies. The agency is also targeting antivirus companies to be able to send trojan horses to targets without being detected. KasperSky, a Russian antivirus company, is named in the documents as being a challenge to them.
