Hacker 10 – Security Hacker

Author: John Durret

  • Code Talker Tunnel disguises tor traffic as Skype video calls

    Code Talker Tunnel disguises tor traffic as Skype video calls

    Countries like Iran and China routinely block public tor IP addresses, to get around this problem relays called tor bridges are not made public and only facilitated to users living in repressive countries after request. According  to recent research from Internet security firm Team Cymru, China’s Great Firewall can distinguish in between normal traffic and tor traffic using SSL deep packet inspection, one factor used by the Great Firewall of China to detect tor traffic is the tor proxy SSL cipher list, in between others. Communications can not be read because they are encrypted but a bot attempts to connect to the suspected tor server IP passing itself of as a user, when it confirms it is a tor bridge via a successful connection the tor server IP is added to the list of blocked IPs in the firewall.

    Iran has also been reported in the past for having an Internet censorship system able to identify the beginning of a tor proxy SSL handshake and interrupting the handshake.

    SkypeMorph disguises tor proxy traffic
    Code Talker Tunnel disguises tor proxy traffic

    SkypeMorh renamed Code Talker Tunnel uses traffic shaping to convert tor packets into UDP (User Datagram  Protocol) traffic preventing deep packet inspection of tor data from being recognized as such. Code Talker Tunnel traffic shaping mimics the sizes and packet timings of a normal Skype video call, the developers of this tool at the University of Waterloo in Canada chose a VoIP client to hide tor traffic because the flow of data packets, sending a request and waiting for a response with a long pause during transmission resembles how a tor proxy server works.

    SkypeMorph Code Talker Tunnel is a pluggable transport that will work with the own tor project developed obfsproxy a program for Mac, Windows and Linux users masking tor traffic as a different protocol specified using pluggable transports.

    Visit Code Talker Tunnel homepage

  • ArmorText Android app to encrypt SMS&MMS messages

    ArmorText Android app to encrypt SMS&MMS messages

    ArmorText is a free Android app to secure text messages, it uses RSA1024 and AES256bit to encrypt your SMS&MMS messages, the receiver will need to have the same app installed to be able to decrypt the messages. ArmorText will connect to the Internet after launching it for the first time to retrieve your friends public key encryption. Security can easily be enabled tapping an ON/OFF lock button, a Smart Predict option will detect when the app believes you need to encrypt your text messages (based on the last texts sent) and automatically turn security on unless you decide otherwise, the app can stop message forwarding by the recipient too.

    ArmorText is a pure text messaging solution, not a chat client, it only encrypts SMS and MMS messages with photos.

    ArmorText Android SMS encryption
    ArmorText Android SMS encryption

    With smart phones increasingly used for mobile payments, email and online banking they have become a prized asset for thieves, ArmorText will protect your data even when it is not stored in your phone but the person you are communicating with, messages are encrypted before sending, stopping middle man eavesdroppers, like your network provider. Planned features for the future include controlling how many times a text message can be viewed, how long the message is available for and non-repudiation.

    Update 2014: This app is no longer available in Google Play

    Visit ArmorText homepage

  • Share encrypted messages on social networks with Privly

    Share encrypted messages on social networks with Privly

    Priv.ly is an open source project that allows you to communicate with others using the site of your choice while denying that site access to your data, everything is encrypted and shared through a link, the site can not be forced to reveal data it doesn’t hold and data retention won’t matter, by posting your messages through a link Google+, Twitter or Facebook will never have access to your private data. The messages will  be automatically decrypted by people using the Privly browser addon making the process easy an automatic for everyone, only users whose public encryption key has been used to encrypt data will be able to read the message, it is possible to revoke access to a single user by not using his key and the content on the server can quickly be destroyed or changed.

    At the moment Privly servers host the encryption keys to automate decryption and  the extension pulls the encryption key and content off the server after your friend clicks on a Privly URL link, this makes the central server vulnerable to attack, there are future plans to change it by creating a P2P decentralized storage system making impossible even for Privly staff to read your messages, another vulnerability that the developers are working on is preventing the browser from caching encrypted messages.

    Social network encrypted messages Priv.ly
    Social network encrypted messages Priv.ly

    Privly is an asymmetric public/private encryption key system, you could do this yourself encrypting your messages with PGP/GPG before posting them to a social network, Privly advantage over manual encryption is that it saves people time and makes the process easy by only needing a browser addon, their central delivery server also makes it possible to change or destroy a message after posting. You could try to achieve the same result using a self destructing messaging system but few of those services, if any, is open source. Privly is a good initiative to stop abusive social networks data retention policies and to stop censorship from software scanning the Internet for keywords.

    The key for Privly to work is adopting a standard that everyone will understand as soon as they see it, in this case a URL, having too many ways of doing the same thing does not help spreading a technology, it all comes down to everyone agreeing on a system. You still have to solve the anonymity side of your messages as your computer IP is visible when you post a Privly link to a website.

    Visit Privly homepage

    Note: The project is still in development and might not be stable.

  • List of free speech and offshore hosting companies

    When choosing a free speech hosting company you should assess the kind of content you host, for example, in the USA although the 1st Amendment protects free speech a powerful multinational can try to get around it by launching a frivolous lawsuit that a small webmaster can’t fight in court due to lack of resources, and in China any pro Tibet website will be taken down by the Government.

    You will leave tracks behind when you upload your site and make payments, these companies are not truly anonymous even thought some advertise as such, to host controversial content anonymously use Tor hidden sites or i2P, but they will only be reachable by people using the appropriate software.

    Free speech hosting

    • DreamHost: Budget host offering shared and dedicated hosting, their terms and conditions allow for any content that is legal in the United States to be hosted, including pornography. DreamHost hosts the American Nazi Party website and refused to take down Prophet Muhammad cartoons even after a denial of service attack was launched against them by Alqeda sympathisers.

    Get $60 discount in Dreamhost entering code: HACKER10

    • Privex: Small hosting company operating out of Belize (yes there is a country called Belize, look it up). They have been in the free speech business for around ten years and I have confirmation from contacts that if what you want to host is legal they will not censor it, this includes controversial art, cryptocurrency payments allowed and they are happy to host Tor nodes too.
    • BuyVM: Also known as “Frantech Solutions”, affordable long standing free speech company they will host anything legal in the US as long as you pick a US server but they have servers in other parts of the World too.
    • NJalla: Provider of hosting, VPN and anonymous domain name registration, they register it under their name on your behalf and it can be paid anonymously with cryptocurrency. Staff had links to piracy sites, a couple of lowendtalk posts accuse them of being left leaning biased.
    • NearlyFreeSpeech: Webhost based in the US where you only pay for the amount of bandwidth and storage space consumed, it runs its own custom hosting panel, their terms and conditions state that the webmaster must register his real name and address, the company carries out random identity checks asking for a passport scan to be emailed.
    • PRQ.se: Servers and company located in Sweden, if your content is legal in Sweden they will host it, no questions asked. They maintain minimum information about their customers and very few logs, PRQ used to host Wikileaks and other highly controversial content, support for SQL databases, SSL certificates and DNS.
    • LiberationTek: Company owned, based and operated from the USA, they offer and all round service that includes hosting, domain name, e-mail address and others, they advertise as guaranteeing no censorship. They have partnerships with conservative websites.

     Offshore hosting

    The following hosts have a free speech policy that comes with restrictions, even if your content is legal they can refuse to host it, the only advantage over other traditional hosting is that their servers are offshore.

    • OrangeWebsite: Company and servers are all based in Iceland, they will ignore all complaints against legal websites with the exception of racist or pro-paedophilia content, which is not allowed.
    • CCiHosting: Operated and hosted in Panama, offering Linux and Windows servers, they advertise their services as anonymous webhosting. Support provided via live chat or phone.
    •  YoHost: Their terms and conditions claims that you can not use their servers to host any kind of porn, sites encouraging the destruction of property will also be removed as well as phishing scams. They only rent a VPS or full server and YoHost will collaborate with law enforcement if criminal content is found.
    • KatzGlobal: Offering hosting in multiple Asian locations (Singapore, China, India, Malaysia, Australia) as well as hosting in the US. They use cPanel and have standard features that come with it, like SQL database, FTP access and POP3 mail boxes. There is no support to host multiple domains on a single account.
    • SecureHost: Located in the Bahamas, it provides dedicated, shared and VPS hosting, they also provide a Bahamas based phone number and fax which messages can be retrieved from abroad. Their terms and conditions state that you can not host anything that SecureHost judges to be harmful to their reputation.

  • French Alqeda terrorist located thanks to his computer IP

    Mohamed Merah, a self-confessed Alqeda member of Algerian origin responsible for the murder of three off duty paratroopers, one Jewish Rabbi and three children going to school was found by French detectives after scrutinising how many people had visited an online advertisement offering a motorcycle for sale that was used to lure the first victim into a mortal trap where he was shot dead.

    Cypercops found 580 people had visited the advertisement, they narrowed it down to a list of computer IPs near the city where the first murder took place and its surroundings, then compiled an even shorter list with IPs registered to known terrorist sympathisers until they came across Mohamed Merah brother’s computer IP, whom was also a well known Islamic extremist.

    The police also had other leads like a mechanic reporting that someone (Mohamed Merah’s brother) had enquired on how to get rid of a motorcycle GPS tracking device which description coincided with that of the get away vehicle.

    Source: French newspaper LeMonde

  • HIPAA compliant email service Protected Trust

    HIPAA compliant email service Protected Trust

    Protected Trust email encryption allows for real time email traceability with auditing logs recording who read the email and what they did with it, messages can be set to expire after a certain date so that they are no longer available or cancelled if they have been sent to the wrong person. Emails are encrypted with a unique symmetric key using AES256 then sent to Protected Trust servers, data never leaves the organisation computers unencrypted. If you email anybody not using the Protected Trust email service they will receive a link to read the message securely stored in the server.

    The content is made available to the recipient until expiration, retrieved with a shared secret that can consist of a known password or receiving a PIN to your phone number. Cryptographic hashing makes sure that emails have not been tampered with or damaged in transit.

    Protected Trust email HIPAA compliant
    Protected Trust email HIPAA compliant

    This email service is directed towards companies that need to comply with data privacy laws, it will cover legal liabilities if anything goes wrong and allows for accurate message tracking in case of security incidents. You can keep your current email provider and address, emails are easily sent using a Microsoft Outlook plugin that adds an encryption button to the interface, via Protected Trust web based portal supporting all major browsers (IE, Chrome, Firefox) or from a mobile device (BlackBerry, Android, iPhone, Windows Mobile).

    Protected Trust complies with the Health Insurance Portability and Accountability Act (HIPAA) regulating how patient data must be protected, financial institutions also need to comply with Government regulations regarding non-public data. The free version of Protected Trust is limited to just a few messages per month and requires phone verification of your account.

    Visit Protected Trust homepage

  • Services to send self-destructing email and notes

    Services to send self-destructing email and notes

    Sending a self-destructing note or email is a good way to  to make it difficult for someone to forward your message, saving it to a hard drive or stop a third party email server from keeping the message archived for years. The only way around for someone to copy a self-destructing email would be taking a screenshot, the message would still have to be associated with the sender to compromise your privacy, some of the services below make it difficult to make a readable screen grab.

    OneShar.es: Allows you to compose a text only message on their servers via SSL, you are then given a unique URL that can be copied into any email message, IM or chatroom, after someone views the URL to read the message it will automatically self-destruct. i.e. erase itself from the server

    PrivNote: Web service using SSL to send secure self-destructing notes without any registration needed. The text message will be made unavailable through the link after someone reads it once, there are no configuration options other than leaving your email address to be notified when someone reads the note.

    QuickForget: Designed to compose an online note through a SSL connection from your browser to their severs and easily set it up to expire after a specific number of views or length of time after which your note will be purged from the database for ever.

    QuickForget secure online note
    QuickForget secure online note

    OneTimeSecret: After creating a self-destructing note you will be given two links, one that will display the message once and another link for you that will inform you if the message has been read when you visit it. Optionally you can set up a password to protect the message.

    BurnNote: Mobile phone app only for Android and iPhone, Burn Note displays a count down when the recipient opens a message and automatically destroys when it reaches zero, this guarantees that if someone only one person is able to read the data. You can send messages to other Burn Note users, an email address or get a link to your message that you can post or send via Instant Messenger.

    BurnNote self-destructing note
    BurnNote self-destructing note

    StealthNotes: Message can have a maximum of views before self-destructing or a date can be set up for the message to be erased. Messages can be composed using text or HTML code, there is no SSL.

    Crypt-A-Byte: Online dropbox that allows you to send PGP encrypted messages or send a self-destructing message that is erased after the recipient reads it. The message is encrypted in the browser and the passphrase never stored in the server, it is impossible for Crypt-A-Byte to read or decrypt your notes.