Author: John Durret

  • Anonymous P2P encrypted messages with Bitmessage


    Bitmessage is an open source P2P program that uses a Bitcoin-like protocol to send anonymous encrypted messages, instead of money, to one or multiple people at once. The application has a portable mode that does not need installation. It uses 2048-bit RSA encryption keys, stored inside a keys.dat file that can be opened with any text editor, and OpenSSL for cryptographic functions. Bitmessage’s cryptic addresses closely resemble Bitcoin addresses, and the best part is that both keys are compatible: Bitmessage uses the other party’s public key to print their Bitcoin address in the console, which can be used to send them money.

    Bitmessage sends data over its own P2P network. The nodes store messages for two days before erasing them, and new nodes joining the network download and broadcast the pool of messages from the last two days. To stop spam, the sender is required to spend computational processing power for each message he sends, modelled on the Hashcash antispam scheme and the Bitcoin mining system; the protocol has been designed to be scalable as needed. I sent a small text message to a friend and it only took a few seconds of waiting for it to be processed; a “Doing work necessary to send message” warning is displayed while you wait and your computer’s CPU works. I also subscribed to an open Bitmessage mailing list using the subscription tab by simply adding the address “BM-BbkPSZbzPwpVcYZpU4yHwf9ZPEapN5Zx

    Bitmessage anonymous encrypted messages
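The anti-spam work described above, as an added example that is not Bitmessage's own code or wire format: a Hashcash-style scheme where the sender searches for a nonce and any node checks it with two hashes. The function names and the two difficulty constants are assumptions chosen so the search finishes quickly.

```python
import hashlib
import struct

# Assumed difficulty settings for illustration only; a real network would
# pick much larger values so each message costs seconds of CPU time.
TRIALS_PER_BYTE = 16
EXTRA_BYTES = 100   # fixed overhead so that tiny messages are not free


def target_for(payload_len: int) -> int:
    """Longer payloads get a smaller target, so they need more work."""
    return 2 ** 64 // (TRIALS_PER_BYTE * (payload_len + EXTRA_BYTES))


def trial_value(nonce: int, payload_hash: bytes) -> int:
    """First 8 bytes of a double SHA-512 over nonce || payload hash."""
    inner = hashlib.sha512(struct.pack(">Q", nonce) + payload_hash).digest()
    return struct.unpack(">Q", hashlib.sha512(inner).digest()[:8])[0]


def do_work(payload: bytes) -> int:
    """Sender side: try nonces until the trial value falls under the target."""
    payload_hash = hashlib.sha512(payload).digest()
    target = target_for(len(payload))
    nonce = 0
    while trial_value(nonce, payload_hash) > target:
        nonce += 1
    return nonce


def verify(payload: bytes, nonce: int) -> bool:
    """Receiving node: one cheap check before storing or relaying."""
    payload_hash = hashlib.sha512(payload).digest()
    return trial_value(nonce, payload_hash) <= target_for(len(payload))


if __name__ == "__main__":
    message = b"constructed sample message"   # constructed test input
    nonce = do_work(message)
    print("nonce found after", nonce + 1, "trials")
    print("accepted by a verifying node:", verify(message, nonce))
```

The cost is asymmetric: the sender performs on average `TRIALS_PER_BYTE * (len + EXTRA_BYTES)` trials, while every relaying node spends one check to reject messages that did not pay.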

    Other tabs in the program allow you to blacklist and whitelist addresses and to add contacts to your address book, broadcasting to everyone listed there or selecting just one contact. The tabbed system makes Bitmessage easy to use. You can also change the default listening port “8444” and the network settings, entering a Socks proxy. Only the key management was very primitive: it opened up the Bitmessage keys using Notepad.

    You can create as many Bitmessage addresses as you like; creating and abandoning them is encouraged. There is an “Identity” tab from where you manage your addresses, and they can be labelled. Addresses can be generated using random numbers or a passphrase; the latter is called a “deterministic address”. You can recreate a deterministic address on any computer from memory, without having to back up your keys.dat file, as long as you remember your passphrase, but you will also need to remember the address version and stream number. Choosing a weak passphrase could result in a brute force attack and your identity being stolen. Deterministic addresses can be made one or two characters shorter by spending a few extra minutes of computational processing power. These addresses are optional; I believe the random cryptic addresses to be more secure for those paranoid.

    Bitmessage encrypted mailing list

    Bitmessages are first encrypted and then sent to a common message pool shared by all users to hide sender and receiver; only those listed in the receiving address will be able to decrypt and read them. The program has been designed to only send text without any attachments; I did not test it but theoretically it should be possible to send a jpeg photograph. After erasing a message there is no trash can to retrieve it from, but it will still be present on your hard drive, where it can be viewed manually with a bit of work.

    I used Bitmessage with a VPN and I did not experience any problem besides a coloured network status code that turned yellow, indicating that my firewall or router couldn’t forward TCP connections. This is not a big problem: it only meant that my node was not relaying messages to other nodes for other people, but I could still receive and send them. As long as someone in the network has the green network status, messages can be passed on between peers.

    Note: The software is currently a beta release in testing.

    Visit Bitmessage homepage

  • iPhone anonymous Internet with the Onion Browser


    The Onion Browser is an iPhone-only browser for anonymous Internet browsing from your smartphone, relying on the untraceable tor proxy network to hide your real IP from the websites you visit. The tor network can be slow at times due to the number of nodes relaying traffic and overall network load, but for browsing without file downloads or video streaming the speed should be sufficient. The Onion Browser also gets around firewalls if you are using a public Wifi access point that filters traffic and blocks websites, and since communications in tor are encrypted with SSL, any packet sniffers deployed by the Wifi network administrator will not be able to see what websites you visit, only that you are connected to tor.

    The app options include “Enable UA Spoofing” to fake the HTTP User Agent header sent to the websites you visit; it can be changed to iOS Safari to improve mobile website compatibility, or to a Windows 7 and Firefox string so that it looks like you are browsing from a desktop computer. “Cookies” can be set to Allow All / Block Third Party / Block All, and a “New Identity” button clears all cookies, history and cache, requesting a new IP with a single tap. There is a way to set up bridges, unpublished tor proxy relays for those living in countries like China where tor is blocked by the ISP. Setting up a bridge in this app takes some work, so it is best if you can avoid having to use them.

    iPhone Onion Browser tor proxy

    I found the app lacked bookmarking, but the startup page contains a list of well-known .onion sites that will take you where you want to go. For anyone concerned about built-in backdoors, the Onion Browser source code can be downloaded from the open source platform GitHub along with technical details. The app will work on the iPad too.

    Note: The iPhone Onion Browser costs $1.50

    Visit iPhone Onion browser in iTunes

  • Hide data inside sound files with DeepSound


    DeepSound is a steganography tool to hide any kind of data, from text to photos, inside sound files. For extra security everything can be encrypted using AES 256-bit and made available only with the correct password; the modified audio file will play as normal and nobody should notice that it contains hidden data. The program interface is very simple: it comes with a file browser to manually peruse the directory where a suitable carrier sound file can be found. When password protecting the data you will not be asked to confirm the black dot covered password twice, so if you make a typo you will not notice it until it is too late; it is best to test the file after creating it to make sure everything works as expected.

    Encoding or extracting data can be quickly executed using shortcuts, and the program settings allow you to adjust the output quality ratio from low to high. If you are going to create an audio CD with hidden data, the developer advises disabling volume normalization in the CD burning software to prevent data corruption that would stop the hidden files from being recovered. A one page help manual with screenshots is included, but you are not likely to have to read it.

    DeepSound hides data inside audio files

    This tool can only hide data inside Waveform Audio File Format .wav and Free Lossless Audio Codec .flac sound files. These are not very common files: .wav is normally uncompressed, perfect to hide files inside, but the files are very large and not usually used for music, only for small sounds.

    FLAC is a royalty free open source alternative to proprietary .mp3; .flac files are compressed and suitable for music albums, supporting metadata and album cover art. If you are going to hide data it will probably look less suspicious inside a .flac than in the inadequate .wav file format, and it will be easier to distribute a .flac file given its smaller size. This application could also be used to watermark copyrighted music and track down the source if it is later found leaked on file sharing networks, but converting the file to another audio format would get rid of the hidden watermark.

    Visit DeepSound homepage

  • Al-Qaeda IM encryption plugin “Asrar Al-Dardashah”


    The Global Islamic Media Front, an underground propaganda division for Al-Qaeda and other violent jihadist groups, has released what they call “The First Islamic Program for Encrypted Instant Messaging”, an instant messenger plugin working alongside another jihadist encryption tool called Asrar al-Mujahideen, already reviewed in my Mojaheeden Secrets post, which consists of nothing more than a PGP-like public/private key encryption tool. This new plugin works with Pidgin, an open source instant messenger compatible with all major IM networks like Yahoo Messenger, Google Talk, Jabber, ICQ and others.

    The announcement includes a ten-minute video tutorial subtitled in English and hosted on Youtube, not containing any Al-Qaeda branding, to stop Youtube taking it down I presume. After watching the tutorial I can attest that the instructions were very accurate. Whoever produced it was highly experienced in computer privacy tools and demonstrated how to use a tor proxy to download Pidgin, with Startpage set as their main search engine, which, unlike Google, does not keep IP records. Other sophisticated anonymity technologies included configuring a Socks5 proxy so that not only will the chat be encrypted but the computer IP will be hidden from the other party.

    Asrar-Al-Dardashah encryption plugin Al-Qaeda

    The tutorial advised jihadists to only download the plugin from a trusted source and to compare the public encryption key ID of the person they are chatting with against the key they have stored in Mojaheeden Secrets 2, to make sure nobody is stealing that person’s identity and replacing the encryption key with their own.

    At first glance it might seem impressive that Al-Qaeda supporters have their own high quality branded encryption software, and it must work great for propaganda purposes and reaffirmation. However, they are not reinventing the wheel: OpenPGP is open source, it can be checked for backdoors and it has been around for a long time, and the plugin they are releasing closely resembles the OTR (Off-The-Record) anonymity Pidgin plugin that has been around for years. This is not a new security tool, and the only concerning part is that Al-Qaeda supporters are learning how the technology works. But they are also drawing attention to themselves by using a tool that only jihad extremists have access to; the CIA just has to love how Asrar al-Mujahideen is introducing its own “#—Begin Al-Ekhlaas Network ASRAR El Moujahedeen V2.0 Public Key 2048 bit—” tag in every single encrypted message it sends. American secret services’ packet sniffers must be busy tracking down where in cyberspace people are sending messages with those tags.

    Global Islamic Media Front encryption tools only work in Windows. Until jihadists discover the power of Linux or BSD they won’t do much damage in cyberwar, since most company and government servers normally run Linux. Encryption will also be of little help to them if informers can be found inside the group.

    Visit Global Islamic Media Front homepage

  • Steganography and hidden watermarks with OpenPuff


    OpenPuff is a portable steganography tool supporting images, audio, video and Adobe Flash animation carrier files. It can conceal up to 256MB of data, splitting files between multiple carriers. Before hiding data everything is securely encrypted with AES, scrambled, whitened and encoded, which reduces the chances of anything hidden being detected by specialist tools. You must always remember to erase the original carrier files: if a computer forensics expert has access to both files and can compare them, he should be able to prove that one of them contains hidden data, even if it cannot be extracted because everything inside has been encrypted. OpenPuff has sixteen different encryption algorithms you can use, which makes extracting data even more difficult as only the creator will know what cipher has been used. The tool supports well known secure algorithms like AES, Serpent and Twofish and more obscure ones like Mars, Anubis or Clefia, a high speed block cipher developed by Sony Corporation intended for use in Digital Rights Management.
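The forensic comparison described above, and the DeepSound remark that a format conversion wipes a hidden watermark, as an added example that is not code from either tool. It assumes plain least-significant-bit replacement on constructed 16-bit PCM samples as a stand-in; OpenPuff's and DeepSound's real embedding algorithms are not described on this page, and all function names are hypothetical.

```python
import math


def make_carrier(n=2000):
    """Constructed carrier: a 440 Hz tone at 8 kHz as unsigned 16-bit samples."""
    return [int(12000 * math.sin(2 * math.pi * 440 * i / 8000)) & 0xFFFF
            for i in range(n)]


def embed_lsb(samples, payload: bytes):
    """Test-data helper: write payload bits into the lowest bit of each sample."""
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(samples):
        raise ValueError("payload does not fit in this carrier")
    out = list(samples)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & ~1) | bit
    return out


def extract_lsb(samples, n_bytes: int) -> bytes:
    """Read n_bytes back from the lowest bit of consecutive samples."""
    out = bytearray()
    for b in range(n_bytes):
        byte = 0
        for i in range(8):
            byte = (byte << 1) | (samples[b * 8 + i] & 1)
        out.append(byte)
    return bytes(out)


def compare_carriers(original, suspect):
    """Forensic diff: count changed samples and list the bit planes that differ.
    Changes confined to bit plane 0 are the signature of LSB embedding."""
    planes = [0] * 16
    changed = 0
    for a, b in zip(original, suspect):
        diff = a ^ b
        if diff:
            changed += 1
            for bit in range(16):
                if (diff >> bit) & 1:
                    planes[bit] += 1
    touched = [bit for bit, count in enumerate(planes) if count]
    return {"changed_samples": changed, "bit_planes": touched,
            "lsb_only": touched == [0]}


def requantize_8bit(samples):
    """Simulated lossy conversion: keep only the top 8 bits of every sample."""
    return [s & 0xFF00 for s in samples]


if __name__ == "__main__":
    carrier = make_carrier()
    marked = embed_lsb(carrier, b"constructed mark")   # constructed payload
    print(compare_carriers(carrier, marked))
    print(extract_lsb(marked, 16))
    print(extract_lsb(requantize_8bit(marked), 16))    # mark is gone
```

The diff needs no key or password, which is why keeping the original carrier next to the modified one defeats the hiding even when the payload itself stays encrypted.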

    To stop steganalysis, the detection of hidden data, encrypted files are scrambled with a second layer using a pseudo random number generator (CSPRNG) seeded with a user chosen password, with data shuffled using random indexes. A third security layer whitens the scrambled data, adding a high amount of random noise with hardware entropy, and the final fourth security layer encodes the whitened data using a non-linear function. Very paranoid types can add a decoy file for deniable steganography, just like a Truecrypt hidden container works: in OpenPuff you can reveal a password to an innocuous text and keep the real hidden message from view with a second password. Another feature is the ability to hide a mark inside a video, audio file or photograph, useful for when you privately distribute a confidential file to a selected group of people; if the file is later found leaked on the internet you can check the mark and track down the leak source.

    OpenPuff steganography freeware

    The software interface is a little overwhelming for the steganography novice and drag and drop doesn’t work, so you have to select everything manually. Security experts should appreciate things like a window with bit selection options showing a huge list of supported carrier files and the ideal data percentage that can be hidden in each different extension to avoid detection. With a third optional password seeding the scrambling CSPRNG, you can use up to three passwords to hide data inside a file; the other end will have to know all of them to decrypt it.

    Thanks to the support for a wide range of carrier files (.bmp, .jpg, .png, .mp3, .vob, .mp4, .3gp, .flv, .swf, .pdf, etc) the program makes it easy to embed hidden data anywhere on the Internet, from a blog to a photo sharing site like Flickr, saving you from having to personally contact a source, which could compromise his identity. If you are hiding data in multiple files, however, the other end will have to order the files in the right sequence to decrypt them. OpenPuff needs a little practise to get everything right but it is one of the most complete steganography tools I have seen and it has some unique features.

    Visit OpenPuff homepage

  • List of One Time Pad encryption programs


    One Time Pad encryption, also known as the Vernam or perfect cipher, is the holy grail of encryption security. When used correctly it makes cryptanalysis nearly impossible because it is not possible to compare old messages. As long as the one time pad is perfectly random, all the clues on what coding was used for encryption remain in a single message. This is not easy to accomplish because high quality random numbers are difficult to generate.

    This type of encryption was widely used by spy agencies during World War II and the Cold War period, protecting diplomatic and military communications. The advantage of one time pad encryption is that it can be done by hand with pencil and paper, without the need to carry any special device that could compromise undercover operations. A downside of this type of encryption is that the password is made up of as many characters as the text you encrypt, resulting in extremely long passphrases that are difficult to disseminate. When all rules are followed this one time encryption method remains secure and unbreakable, but in order to solve the key transmission problem one time pads have been replaced by symmetric block ciphers and public key encryption.

    I have only managed to find old one time pad encryption tools; most of them were developed by a single hobbyist and could be listed as abandonware. You should not assume a developer’s claims are true just because he says so: without truly random numbers one time pad security will be compromised, and reusing any part of the pad makes the cipher vulnerable to attack. There is no way to know for sure how secure these programs are, but some of them provide the source code for you to look at.
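The two rules stated above (a pad as long as the text, and no pad byte ever used twice), as an added example that is not taken from any of the programs listed on this page. The `PadBook` class and the sample messages are constructed for illustration, and the operating system's CSPRNG stands in for a true random source.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


class PadBook:
    """One copy of a shared pad; every pad byte is handed out at most once."""

    def __init__(self, pad: bytes):
        self._pad = pad
        self._next = 0   # first pad offset that has not been used yet

    def remaining(self) -> int:
        return len(self._pad) - self._next

    def encrypt(self, plaintext: bytes):
        """Return (offset, ciphertext); the offset tells the receiver
        which part of the pad to use."""
        if len(plaintext) > self.remaining():
            raise ValueError("not enough unused pad; never wrap around or reuse")
        offset = self._next
        self._next += len(plaintext)
        return offset, xor_bytes(plaintext, self._pad[offset:self._next])

    def decrypt(self, offset: int, ciphertext: bytes) -> bytes:
        key = self._pad[offset:offset + len(ciphertext)]
        return xor_bytes(ciphertext, key)


def reuse_leak(ciphertext_a: bytes, ciphertext_b: bytes) -> bytes:
    """What an observer holds when two messages shared pad bytes: the pad
    cancels out, leaving the XOR of the two plaintexts."""
    return xor_bytes(ciphertext_a, ciphertext_b)


if __name__ == "__main__":
    pad = secrets.token_bytes(64)
    sender, receiver = PadBook(pad), PadBook(pad)
    offset, ct = sender.encrypt(b"MEET AT DAWN")       # constructed message
    print(receiver.decrypt(offset, ct))

    # The failure mode: two messages encrypted with the same pad bytes.
    m1, m2 = b"MEET AT DAWN", b"HOLD POSITION"
    leak = reuse_leak(xor_bytes(m1, pad), xor_bytes(m2, pad))
    print(leak == xor_bytes(m1, m2))    # the pad no longer protects anything
    print(xor_bytes(leak, m1))          # knowing one message reveals the other
```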

    CT-46 One Time Pad: An encryption tool that converts text into digits using a conversion table, completing the final group with zeros. The software is meant to be used to learn working with one-time pads and as a training resource; it comes with a complete help manual that tells you how to perform one time pad encryption with pencil and paper.

    CT-46 One Time Pad encryption

    OneTimePadJava: Written entirely in Java, it comes with the source code but no help manual, although it appears to be easy to operate. The tool doesn’t need installation and works across platforms.

    Pidgin Paranoia: A Linux plug-in for the Pidgin messenger, providing secure IM conversations using one time pad encryption; the secret message has the same length as the key and the key is only used once.

    Solid Encryption ($$): A commercial program claiming to be able to perform one time pad encryption; you can try it free for 30 days before being required to buy it. I found the interface to be outdated and not very easy to work with but it comes with a help page.

    One Time Pad Solid Encryption

    Cryptomni: A program to encrypt files using the one time pad cipher. A key file is created using the random generator SecureRandom and the source code is open, but this program has not been updated for many years.

    Cryptomni One Time Pad

    OneTimePad Net: A one time pad encryption implementation using Visual Basic, an object-oriented computer programming language that needs Microsoft .NET to work. I had to right click and run this program as administrator for it to work; there is no help file but the interface is pretty straightforward.

    One Time Pad .NET encryption

    Perfenc: A Unix program to perform one time pad encryption. Documentation is included with the software and can be read by typing man perfenc; you can install it from source with the usual build tools like cmake.

    Emus encryption tool: It uses polyalphabetic methods from the Middle Ages. Texts are encrypted with random codes and fixed passwords, but it can also be used as a one time pad with extremely long random passwords and codes.

    Emus encryption One Time Pad

    Fxor: A Unix command line open source tool released under the BSD license that can be used for key file or one time pad encryption. This program is for people comfortable using the command line as you will have to compile it before being able to use the program. A help file is included.

  • Android Truecrypt compatible app EDS Lite


    Encrypted Data Store Lite is an Android app that allows you to save files inside an encrypted container using AES 256-bit. It can also mount any Truecrypt compatible container from your phone, but to do that you will have to make sure that the Truecrypt settings when creating the container are set to Encryption algorithm: AES256, Hash algorithm: SHA-512 and File system: FAT. These are not the Truecrypt default settings, which are set to Hash algorithm RIPEMD-160; if you use different algorithms to create a Truecrypt container then EDS Lite will not be able to mount it.

    The app comes with a simple built-in image viewer that can show pictures and thumbnails. Files with the extension .edc, EDS’s own format, and .tc, the Truecrypt file extension, can be associated with the app for easy opening. Other options allow the app to prevent your phone or tablet from going into sleep mode, to make sure that an encrypted container will not be left open unattended by mistake. EDS Lite can write to an external Secure Digital storage card, modifying and deleting files stored inside.

    Android Encrypted Data Storage Lite

    A “send to” link can quickly encrypt photos or videos from the gallery, but remember that anything you leave behind could still be recovered if it has not been securely wiped. While the encryption can not be cracked, when you view a document stored inside the container there will be temporary traces left in the external reader you used: a compromising file name, and perhaps a full copy of the confidential document, might have been created outside the container by a third party viewer. A full paid-for version of the EDS app allows you to play media files inside the container without leaving temporary data behind. It comes with a search index to find files inside the encrypted container, it can synchronize data with Dropbox and it allows for container security using a hand-drawn pattern in succession with a password.

    It is refreshing to see attempts to port Truecrypt compatible encryption to mobile devices. Having a standard is very important for long term storage and data transmission; there is nothing more annoying than being forced to download multiple programs to do the same thing and not knowing if it will work on a different platform. I hope other developers come up with similar programs.

    Visit EDS Lite in Google Play