Author: John Durret

  • Android news reader with Tor, encryption and wiper

    Courier Secure News Reader is a Guardian Project mobile phone app for secure and anonymous news reading. The app works with Orbot, a Tor proxy for Android phones from the same developers. It hides your device's IP address when downloading RSS feeds, gets around ISP censorship in countries where they block websites, and encrypts what you download to thwart wire-tapping. The feeds can be synced automatically or manually, with the option of only syncing when on a Wi-Fi network to avoid expensive data roaming charges.

    Downloaded news and personal data are stored encrypted on your mobile phone; in an emergency they can be wiped altogether from within the app by swiping on the screen. A smart move if you expect arrest, but bear in mind that most arrests are never expected, and you are unlikely to succeed in wiping evidence that you have accessed banned news sites unless you have forewarning of the arrest, in which case disposing of the whole device would be safer.

    Courier Secure News Reader Android

    The menu is simple and easy to use: a button on top lets you know when you are connected to the Tor network, a “My Favourites” tab bookmarks sites, and a “Stories Received” tab can be tapped to read the news. Any data you receive from a friend will be listed separately in the “Receive a Share” tab.

    People who have no Internet access can still read the news as long as one of their peers manages to get online and shares it with them P2P using Courier Secure News Reader via Bluetooth.

    Courier Secure News Reader is open source, free and without any advertisements. The developers' aim is to help those living in countries where access to news sites is censored to read them anonymously.

    The app has been digitally signed with a 4096-bit key to verify that it really came from the developers and nobody has replaced it with a fake malware app that spies on the user.

    Note: Courier Secure News Reader is currently in beta.

    Visit Courier Secure News Reader

  • List of Truecrypt compatible encryption software

    In light of recent news about Truecrypt being no longer developed, I compiled a list of other encryption programs that are compatible with it.

    If you have data that was archived with Truecrypt for long term storage, you should be able to decrypt it with any of the following programs.

    tcplay: Fully featured Truecrypt implementation to open and create Truecrypt compatible hidden containers with cascade ciphers and keyfiles. This is a command line utility that works in Linux and DragonflyBSD; you can add a front end graphical interface with zulucrypt or Luksus.

    Luksus: A terminal program for Linux and BSD that lets you encrypt and decrypt data using Geli, LUKS, GnuPG or Truecrypt. A wrapper around tcplay, Geli and cryptsetup, with a front end graphical interface for those who find the command line too difficult.

    Luksus encryption front end

    RealCrypt: An open source fork of Truecrypt for Fedora Linux. It comes as an RPM package and can be easily installed in Fedora using the repositories. It has a graphical interface and the same capabilities that Truecrypt has, with a different name and logo as requested by Truecrypt licensing terms. There are no significant code differences between them.

    Encrypted Data Storage (EDS): Android app that can create and open any Truecrypt container, but there is no on-the-fly mode and data will be decrypted to a temporary file. This could be a security risk if you believe that your smartphone can be stolen, as temporary data written to solid state disks is recoverable with forensic tools.

    EDS Android Truecrypt

    TruPax: A Java based program that can open and create Truecrypt compatible encrypted containers. It will work on any operating system that has Java installed: Windows, Mac OS, BSD and Linux. It can be used with a graphical interface or in command line mode to automate tasks. The software is open source, portable and it was coded independently from Truecrypt.

    Truecrypt compatible software TruPax

    Cryptonite: Open source app that brings EncFS and Truecrypt to your Android phone, the program is still in development and intended for advanced users. Cryptonite can decrypt any Truecrypt container using your smartphone. If you want to run Android in your desktop, there is an open source project that has ported it to PCs and can be installed as if it was a Linux distribution. This will give you a bigger screen when decrypting data.

  • Penetration testing and ethical hacking distribution Matriux

    Matriux is a penetration testing Linux distribution based on Debian with the GNOME window manager. The download is a huge 3GB and you can run it as a live DVD or install it on your computer or USB thumbdrive. The tools Matriux comes with have been specially created for ethical hackers, penetration testers and computer forensic experts. I can’t imagine anybody using Matriux as their everyday desktop unless they work in this field.

    The default username is matriux and password is toor. The only mainstream software you will find is an archive manager to pack files; all of the other tools are computer security related. To install this distribution you can click on the “Matriux Disk Installer” shortcut on the desktop, but it will not partition your hard drive; you will have to prepare the drive and create a Swap partition on your own with a different tool, I suggest GParted.

    PEN testing distribution Matriux

    Matriux comes with two browsers, Firefox, including the Adblock Plus and NoScript addons, and Epiphany, a lightweight GNOME desktop browser. The tools you need for hacking are all nicely classified inside the “Arsenal” tab. You can find multiple scanners to test cross site scripting exploits in websites, Nmap and Angry IP scanners to scan a whole network and search for open ports and services where to infiltrate.

    The forensics section of Matriux has every single piece of software you will possibly need for your job, orderly divided into “Acquisition”, “Analysis” and “Metadata extractors”, without leaving out tools to analyse Android mobile phones. Other jewels in the crown include steganographic tools, Bluetooth hacking, VoIP hacking software, DNS attack tools, debuggers, and hacking frameworks like MetaSploit, Mantra or Inguma. For those who don’t know, each framework contains further discovering, gathering, scanning, bruteforcing and exploit tools; you can spend months just learning how to operate the software.

    I liked that Matriux comes with my favourite zsh shell and a marvelous semi transparent terminal colouring scheme that makes you look really geeky when people look at the screen even if you haven’t got a clue of what you are doing. I could not see anything missing in the cyberarsenal, from the basic Truecrypt and Tor to the more dark open source intelligence and forensics application Maltego.

    With over 300 hacking tools in a single DVD at the touch of your fingertips, Matriux is a good alternative to Kali Linux and should be a must have hacking distribution for all security professionals, students and hobbyists.

    Visit Matriux homepage

  • Windows AES256-bit file encryption with QuickCrypt

    QuickCrypt is a small portable Windows program to encrypt and securely wipe your files. This freeware program is very easy to use and implements an encryption algorithm that is uncrackable, AES256-bit; if you lose your password there is no way to get your file back. To run QuickCrypt you will need to have Microsoft .NET Framework installed on your computer.

    One of its best features is being able to hookup the encrypted file with the computer where it was created by adding a System ID to the encrypted file unique to that computer, this makes it impossible for somebody to decrypt the proprietary .qcf encrypted file unless they are using your own machine. You can also create an automatic .zip file after encryption and add a comment visible to the person decrypting the file, the comment could be a hint to the decryption password or greeting.

    Windows file encryption AES256 QuickCrypt

    A QuickCrypt feature I have not seen anywhere else is being able to set an expire date to an encrypted file. After setting this up, if a file has not been decrypted within the specified number of days or months, it can no longer be decrypted. There isn’t any technical explanation with QuickCrypt but I am assuming that to accomplish it the decryption program checks for a date in the headers before decrypting the file.

    This is a simple but powerful file encryption program. Most useful to send files to your friends via email but they will need to be using the same program to decrypt the data and the password will have to be transmitted in a secure way, not easy to do. You can also use QuickCrypt to wipe files, going into “Tools>Erase Files” opens up a new window where you can drag and drop anything that has to be securely shredded with up to 40 passes.

    There are plenty of free file encryption programs out there, my favourite one is 7zip but choices are good and QuickCrypt could be one more option for your cyber arsenal if you trust closed source software and the developer skills of which very little is known.

    Visit QuickCrypt homepage

  • Best programs to change your DNS settings

    Every time you enter a URL in your browser, a DNS query takes place: your Internet Service Provider is asked to translate the typed-in letters into an IP address so that you can visit the website. If you happen to be in a country that censors the Internet or practises mass surveillance, the sites you visit can be watched in real time. It is also possible for a spy agency or malicious hacker to sit in the middle of DNS queries and show you a fake website when you try to visit a certain URL, then proceed to capture your login and password or serve malware to your computer.

    The most common use for DNS monitoring is Internet filtering; schools and companies do this to fend off adult material and the Chinese Great Firewall does this to block news websites about Tibet.

    The programs below come preconfigured with dozens of free DNS servers, a few of them have built-in parental controls to protect your kids, others offer censorship free DNS queries and do not log any activity, with the most security conscious offering encrypted DNS queries. The advantage of using one of these programs to change your ISP DNS servers, over doing it manually, is that it only takes one click and you don’t have to search DuckDuckGo for free public DNS providers.

    ChrisPC DNS Switch: It comes with more than two dozen free DNS providers, one drop down menu allows you to select the network adaptor and another drop down menu classifies the DNS providers into “Anonymous” (no logs), “Family Safe DNS” (URL filtering), “Secure DNS” (malware filtering), “Regular DNS” and “Custom DNS” where you can manually enter the name server you would like to use.

    ChrisPC DNS Switch

    DNSCrypt Windows Service Manager: A DNS encryption only DNS changer, it helps you configure your network adaptor with one of their supported DNS encryption providers, at the moment consisting of DNSCrypt.eu in Europe, which claims to keep no logs, OpenDNS in the USA, CloudNS in Australia and OpenNIC in Japan. You are also given the option to choose UDP/TCP and IPv4 or IPv6.

    DNSCrypt Windows Service Manager

    QuickSetDNS: A minimalist Windows utility to change the DNS settings of your computer or router. This is one of the few DNS changing utilities that allows you to change your router DNS using a graphical interface. Optionally you can also use QuickSetDNS from the command line.

    QuickSetDNS

    DNSJumper: Windows DNS graphical interface where you can select the DNS of your choice out of a long list of public DNS servers (Comodo DNS, Norton DNS, Google DNS, etc). If you change DNS settings often, the program lets you flush the previously applied name servers with the click of a button. Clicking on the “Fastest DNS” button will automatically find the most expeditious name servers for you.

    Name Server changer DNSJumper

    If you are using a VPN to encrypt your connection, your ISP could still see what sites you visit by monitoring the DNS servers; this is known as a DNS leak. To avoid this risk you should change the default DNS servers in your router or computer. For extra security you should select a DNS provider that encrypts queries; it is the equivalent of HTTPS for DNS.

    Note: If the DNS program does not have a DNS flushing button you can flush your DNS cache manually in Windows with: ipconfig /flushdns
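
    A configuration check for the DNS leak risk described above, as an added example that is not from the original post: it parses `ipconfig /all` output and reports every adapter whose configured DNS servers fall outside the resolvers you intend to use. The function names, the English-locale output layout and the constructed sample (documentation-range addresses) are assumptions.

```python
import ipaddress
import re

# Constructed sample of English-locale `ipconfig /all` output (not from a real host).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : LAPTOP

Ethernet adapter Ethernet:

   Description . . . . . . . . . . . : Example GbE Controller
   IPv4 Address. . . . . . . . . . . : 192.168.1.20(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       203.0.113.53
   NetBIOS over Tcpip. . . . . . . . : Enabled

Unknown adapter VPN:

   Description . . . . . . . . . . . : Example TAP Adapter
   IPv4 Address. . . . . . . . . . . : 10.8.0.6(Preferred)
   DNS Servers . . . . . . . . . . . : 10.8.0.1
"""

ADAPTER_RE = re.compile(r"^(\S.*adapter .+):\s*$")    # unindented section header
FIELD_RE = re.compile(r"^\s+([^:]+?)[ .]*:\s*(.*)$")  # "   Label . . . : value"


def _as_ip(value):
    """Return an ip_address for value (IPv6 zone id stripped), or None."""
    try:
        return ipaddress.ip_address(value.split("%")[0])
    except ValueError:
        return None


def parse_dns_servers(text):
    """Return {adapter name: [DNS server addresses]} from `ipconfig /all` text."""
    adapters, current, in_dns = {}, None, False
    for line in text.splitlines():
        header = ADAPTER_RE.match(line)
        if header:
            current, in_dns = header.group(1), False
            adapters[current] = []
            continue
        if current is None or not line.strip():
            in_dns = False
            continue
        addr = _as_ip(line.strip())
        if in_dns and addr:  # continuation line: extra servers carry no label
            adapters[current].append(addr)
            continue
        field = FIELD_RE.match(line)
        in_dns = bool(field) and field.group(1) == "DNS Servers"
        if in_dns and _as_ip(field.group(2).strip()):
            adapters[current].append(_as_ip(field.group(2).strip()))
    return adapters


def find_leaks(adapters, allowed):
    """List (adapter, server) pairs whose resolver is not in the allowed set."""
    allowed_ips = {ipaddress.ip_address(a) for a in allowed}
    return [(name, str(ip)) for name, ips in adapters.items()
            for ip in ips if ip not in allowed_ips]


if __name__ == "__main__":
    # Assumption: 10.8.0.1 is the only resolver this machine should be using.
    for name, server in find_leaks(parse_dns_servers(SAMPLE_IPCONFIG), {"10.8.0.1"}):
        print(f"{name}: still configured with {server}")
```

    This reads configured resolvers only; it does not observe which server a query actually goes to, so treat a clean result as necessary rather than sufficient.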

  • Anonymous radio communications with AirChat

    AirChat is a free open source program developed by the Anonymous hacking group to anonymously communicate with other people over the air waves. To be able to use it you will need a ham radio with the open source Fldigi modem controller connected to your laptop or desktop computer.

    AirChat transmits data using a radio connection, there is no need for Internet infrastructure or mobile phone network coverage. Sending data over the air waves has been possible since the invention of radio, as the Morse code pulses over the airwaves proved. Amateur radio operators send each other data messages daily with just their radio equipment, the Anonymous collective is not devising any new technology, what they do is to add privacy and security to something that already existed.

    AirChat encrypted ham communication

    The main problem of sending data packets over the airwaves is lack of bandwidth, that makes this technology slow and only suitable for low bandwidth voice, text chat and low resolution photos, the developers admit that they have traded bandwidth for greater security.

    AirChat encodes data inside air waves with Anonymous' own Lulzpacket protocol handling integrity and encryption. Because encrypted transmissions over specific frequencies are banned in some countries, you are given the choice of sending the data unencrypted to avoid breaking the law. Other legal considerations are that ham radio operators must be licensed to operate on amateur radio frequencies; that will put you on a government list, but this is not necessary if you only plan on listening in.

    When you transmit data with AirChat there is the option to send it to nearby contacts unencrypted or broadcast it encrypted with a public key encryption that only the receiver will be able to decrypt with his personal private key.

    AirChat exists so that a government cannot silence a protest group by switching off the Internet, as has happened in the past during the Arab Spring revolution. An added benefit is that, as far as the top secret documents leaked by Snowden reveal, the NSA spying scheme only monitors the flow of data over the Internet and not the airwaves.

    There are other similar projects that allow you to exchange data with other people without an Internet connection, like Commotion Wireless, but their data transmission range is limited. AirChat developers claim to have used their software to send photos 180 miles away through the airwaves without any Internet connection. And you don’t have to worry about hardware MAC addresses identification, that ID is not passed on to any access point like it happens when you use Wi-Fi.

    Something to know about amateur radio (aka ham radio), is that it is illegal to broadcast over licensed frequencies, if you did you could interfere with commercial radio stations, airports and emergency services. Broadcasting on licensed frequencies will attract the authorities attention, they will track you down like they do with pirate radio stations and charge you. Only use AirChat over unlicensed frequencies.

    Visit AirChat homepage

    Update 2016: Project appears dead, it has not been updated for the last 3 years.

  • Review encrypted email service ProtonMail

    ProtonMail is a Switzerland based privacy email provider, the company stores your data encrypted in their servers and they claim that computer IPs used to connect to the account are not logged. I looked at the email headers sending myself a test message and I could see that ProtonMail does not include sender’s IP inside email metadata.

    When you first open up an account (took me a few days to get an invite), you will be asked for two different passwords, one is the email login password and the second one, not known to ProtonMail, is the password used to encrypt email messages in your browser before uploading them to the server. There is no password length check or anything forcing people to use a complicated passphrase to stop new users from being negligent and making up a short guessable pass.

    I also noticed that there is no automatic logout, you can easily forget about logging out of your account in a public computer and the person behind you could get access to your account two hours later.

    Encrypted Swiss email service ProtonMail

    If you correspond with other ProtonMail users, encryption is end to end, messages never leave the ProtonMail server network, they will not travel the Internet where encrypted messages could be intercepted by the NSA international fibre optic cable wire-tapping operation to attempt postliminary cracking with their supercomputers.

    To interact with an external email account, like Gmail, you have the option to send the message in clear text, with no protection at all, or send a password protected link where the receiver will have to click on to read the message directly from ProtonMail encrypted servers. The link can be set to expire after just a few hours or two weeks, the message will no longer exist once the expiration date is reached.

    There are a few weaknesses to sending emails in this fashion, one is that you will need to transmit the password to the other party, this will slow you down and is open to interception. Another security weakness is that there isn’t any kind of brute force protection, after somebody has read the message it will not be automatically self-destroyed as it should be. I could not see any counter on the page letting you know if the message has been previously displayed before you read it.

    The good part of sending email messages with password protected links is that the receiver only needs javascript enabled in their browser to be able to read them and that the messages can’t be scanned en route.

    ProtonMail settings and compose screen are simple but enough to get the job done. I appreciated a button to permanently delete all account and messages, regrettably this did not work for me when I tried it, it would do nothing when I clicked.

    ProtonMail's security model is based around owning their own hardware, storing it offshore outside USA and European Union laws, and fully encrypting their disks with the decryption keys split between various individuals. Server integrity checks detect illicit changes in the software, like somebody installing a key logger, but those checks cannot stop a hardware keylogger in the data center. Since data is encrypted by the user's browser, though, the most an unauthorised third party could do is monitor computer IP connection logs.

    This is an easy to use email service, perhaps the only free email service that claims to keep no user logs. The company implements well known open source cryptolibraries and they allege to be audited by computer security staff at CERN (European Center for Nuclear Research). The only problem I have with ProtonMail is that there isn’t a built-in system to send messages with your own PGP keys, this is the main reason why I can’t use them as my primary email provider.

    PGP is the default standard for email encryption and I can’t ask anybody to stop using PGP encryption keys and switch to a ProtonMail account for javascript OpenPGP encryption, ideally, my perfect encrypted email provider must be able to import a PGP key from one of my friends and use it to secure data.

    Visit ProtonMail homepage