Category: Security

Computer Security

  • CryptoNAS to encrypt your Network Attached Storage data

    A Network Attached Storage, commonly known as NAS, is a centralized device dedicated to data storage used to share files over a network, either your own local home network or the wider Internet.

    Network Attached Storage devices contain one or more hard drives and are networked with other appliances. NAS units are configured for file sharing between multiple computers. If they contain more than one hard disk they can be configured as a JBOD (Just a Bunch Of Disks), or in RAID to facilitate data backup and quick file access.

    Small and remote offices and home networks normally use a NAS appliance for file sharing. NAS drives have software that can be set to automatically back up every computer on the network, and they can also be used as servers, but very few of them include data encryption capabilities.

    The NAS operating system and other software on the NAS unit provide the configuration and management of the data storage and access functionality.

    Network Attached Storage device (NAS)

    CryptoNAS Network Attached Storage encryption introduction

    CryptoNAS is a multilingual Debian-based Linux live CD with a web-based front end that can be installed onto a hard disk or USB stick. CryptoNAS offers a choice of encryption algorithms, with AES as the default. It encrypts disk partitions using LUKS (Linux Unified Key Setup), which means that any Linux operating system can also access them without using CryptoNAS software.

    CryptoNAS configuration and settings

    CryptoNAS provides two packages: CryptoNAS-Server and CryptoNAS-CD

    CryptoNAS-Server: Targeted at network administrators, it adds hard disk encryption to a file server (running Samba, NFS, DAV, etc.).

    CryptoNAS-CD: Targeted at home users, it allows for easy NAS device encryption and browsing through a web interface.

    The CryptoNAS default username and password are admin:admin; you should change both as soon as you have it installed. The next step is to create a configuration partition where CryptoNAS settings will be stored. After that you can enable disk encryption, format the hard disk using your file system of choice and enter the passphrase to be used. CryptoNAS will start encrypting the hard disk straight away, and you can see the progress by clicking on status.

    CryptoNAS interface

    Your router will need to be in the same subnet, which means its IP needs to be 192.168.0.1. Check the default gateway address through the network connection details, log into your router and change the address in the LAN/network settings if necessary.

    To access CryptoNAS through your web browser use https://192.168.0.23. You will get a message warning you about a problem with the security certificate, since CryptoNAS uses a self-signed certificate; ignore it and go ahead.

    If you switch off the computer where CryptoNAS is running, the encrypted hard drives on your NAS will shut down and will be inaccessible until you reopen them by entering the correct passphrase. You must remember that as long as CryptoNAS is running with the disks mounted, the data is unencrypted and the encryption key is held in RAM. Encryption will only secure your data if someone disconnects your NAS device (i.e. the NAS device gets stolen) or you turn it off.

    Alternatives to CryptoNAS

    1. Use standalone free open source encryption software like DiskCryptor or TrueCrypt to encrypt your NAS hard drives and mount them on request.
    2. Use a NAS device that comes with encryption integrated. QNAP, Seagate, and Synology all have AES256 encryption for some of their high end Network Attached Storage products.
    3. Use FreeNAS, a free open source NAS distribution based on FreeBSD that also allows for encryption of NAS hard drives.

      Visit CryptoNAS homepage

  • How to stop your IP being exposed after VPN disconnection

    Computer IP showing after VPN disconnection

    It is inevitable that, because of a shaky ISP connection or some other network or software problem, your Internet connection will drop at some point. If you happen to be using a Virtual Private Network proxy to browse the Internet when your VPN disconnects, you will not get a visible warning, and you will carry on browsing or sharing files peer to peer as normal with your computer IP exposed for everyone to see.

    The worst part of your VPN connection dropping out without a warning is that you will not realize it, and your anonymous Internet surfing will have been compromised without you ever knowing. Your OpenVPN software normally reconnects automatically after the VPN connection has dropped, but by then your computer IP will have been compromised.

    How to stop a VPN disconnection showing your computer IP?

    Use an SSH tunnel for anonymous Internet surfing instead of a VPN

    One option is to use an SSH tunnel instead of a VPN. When your browser is configured to browse the Internet through an SSH tunnel and the Internet connection goes down for whatever reason, the browser stops working, as simple as that.

    The downside of using an SSH tunnel is that you will need to configure every single application to go through it, but once you have done it once this is not difficult. Your SSH tunnel provider should be able to provide you with instructions.

    Most anonymity providers are jumping onto the VPN bandwagon and there are not many SSH tunnel providers left; some of the ones I know of are Cotse, VPNSecure, and JTAN ProShell.

    Another advantage of using an SSH tunnel for anonymous Internet browsing instead of a VPN is that it is very easy to make it work on all Unix systems; it does not matter if your main operating system is Linux, Solaris or NetBSD instead of Windows. When you use an SSH tunnel for anonymous Internet browsing you do not have to rely on the OpenVPN software given by VPN providers, which usually is closed source.

    If you use an SSH tunnel for anonymous internet surfing you will also have two IPs at the same time, your real computer IP in one browser, not configured to go through the SSH tunnel, and your anonymous SSH tunnel IP to be used with a second browser to visit sensitive sites.

    It is fairly easy to set up your own private SSH tunnel on a cheap shared Virtual Private Server if you know about Unix and are comfortable with the command line. Setting up your own private VPN server on the other hand normally requires a dedicated server which makes it much more expensive and not economically worthwhile for a single user.

    Get a VPN provider that protects your privacy from VPN disconnections

    Not all VPN providers are made equal, and some of them have realised that there is a huge privacy problem when the VPN connection drops and your computer IP is exposed without warning. Some VPN providers are starting to include a new feature to stop your browser from accessing the Internet unless it is through the VPN.

    There are few VPN providers I know of that provide this at the moment. One of them is Hide My Ass, which has a secure IP bind that forces your specified application to only work behind their encrypted VPN. Another VPN provider that will protect you against disconnections is IdealVPN; it comes with software called VPNGuardian that shuts down your Internet when the connection breaks.

    Always ask a VPN service if they have protection against disconnections revealing your real IP before buying their product.

    VPNCheck

    Use a software application to stop IP exposure after VPN disconnection

    VPN LifeGuard: Open source freeware application that will cease all traffic (P2P, browser, etc.) in case of VPN disconnection. It can automatically reconnect the VPN and there is a portable version available. It only works with PPTP.

    VPNCheck: VPNCheck will disable your web browser or any other specified application to stop your real IP being exposed when your VPN connection breaks.

    VPNetMon: VPNetMon prevents unsecured connections after your VPN connection goes down. It will close down the specified applications when your Virtual Private Network disconnects.

    Use a firewall to force all your applications through the VPN

    With a software firewall you can allow applications, including your browser, to connect only through the VPN. The only downside is that firewalls all have very different configuration settings, and you will probably need to read the documentation or ask at some computing forum about how to bind your browser to your VPN connection.

    The firewall that comes with Windows has few configuration options. Comodo Firewall can be customized to your taste to stop all Internet browsing that does not follow your established rules, like going through the VPN.

  • How to crack a .zip or .rar password protected file?

    How secure is Winzip and Winrar encryption?

    Both WinZip and WinRar use AES (Advanced Encryption Standard) for encryption. When implemented correctly and used with a long, hard to guess alphanumerical passphrase, the AES cipher is impossible to crack in a reasonable amount of time, that means in your lifetime.

    State sponsored agencies are also not able to crack a password protected Zip or Rar file if it has been encrypted with a hard to guess passphrase; the laws of mathematics, just like the laws of physics, are equal for everyone.

    Recovering a password protected .zip or .rar file

    The only known method to recover a forgotten password from a password protected .zip or .rar file created using the latest WinZip and WinRar versions is to use a brute force attack. In a brute force attack, automated software will run through all of the dictionary words attempting to match the file password.

    Knowing if special characters and numbers were used in the passphrase, as well as knowing the length of the password, is very helpful when setting up the program to launch a brute force attack against the encrypted .zip or .rar file. Cracking a .zip file protected with encryption can take minutes, months or a hundred years, depending on processing power and how hard to guess the password is.

    Services to crack encrypted .zip files

    CloudCracker: A cloud based service for cracking WPA/WPA2 keys. CloudCracker offers brute force dictionary attacks against password hashes, wireless network keys and password protected documents. You could do this yourself on your computer, but this service gives you access to an online cluster, speeding up the process.

    PWCrack: This password cracking service covers .zip encrypted files and PKZip files. Normally they will test a dictionary attack and brute force passwords up to 7 characters long. Password Crackers Inc. also offers services to crack many more different kinds of encrypted files.

    ElComSoft distributed password recovery

    Software to crack password protected .zip files

    Advanced Archive Password Recovery: This commercial software from ElComSoft helps you crack .zip and .rar encrypted files. They claim cracking archives created with WinZip 8.0 and earlier is possible in under one hour by exploiting an implementation flaw. For .zip or .rar files encrypted using the AES algorithm a brute force attack will be launched.

    Passware Kit Enterprise: This is a professional solution and not targeted at end users. Passware Kit Enterprise supports cracking of multiple different files, from encrypted .zip and .rar up to launching brute force attacks on fully encrypted disks using TrueCrypt. Passware Kit Enterprise can use multiple core CPUs and nVidia GPUs to speed up the dictionary attacks.

    LastBit: This company makes a full range of password recovery software to help you bring back forgotten passwords on ICQ, Skype, Firefox, PDF, PowerPoint, Zip and many more applications. Various LastBit products support rainbow tables, which considerably speed up dictionary attacks.

    Zip Password Tool: An easy to use password recovery tool that works by launching dictionary attacks on archives encrypted with ZIP compatible software. It supports AES file encryption cracking and you can customize the brute force attack with special characters and national symbols; there is also a password recovery progress bar.

    Zip Password Tool cracking .zip password

    Tips to help you recover passwords from encrypted files

    The following information will be of great use when launching a brute force or dictionary attack against any kind of password protected file or disk.

    Find all the other passwords you can from the PC, notes around the computer and things someone might have saved in their web browsers and the Windows password; many people use the same or similar passwords everywhere.

    By collecting all of the user passwords you will be able to observe a password pattern, like how many characters are normally used to create a password, names of cities, pets or family members being used, capitalizing of the first letter, etc. You can then customize your cracking software and set it up to use the same password pattern that the user normally adopts.

    WinZip does not hide the encrypted filenames, so you should be able to list them unless an archive was packed inside an archive. That might give you a clue about the contents and whether it is worth trying to crack it or not. Notice that WinRar, however, has an option where the user can encrypt the filenames, although this is not active by default and a checkbox needs to be ticked.

    Cracking Zip file encryption from versions earlier than WinZip 9.0 is easy, and there is no need for a brute force attack as there was an implementation flaw in the encryption. Since WinZip version 9, .zip files are protected using 128 or 256 bit AES, and with a sufficiently complicated password finding it out will be impossible.

    Dictionary attacks for a long password with characters outside of 0-9 and A-Z are very slow. When you plan a dictionary attack on an encrypted .zip or .rar file, limit yourself to alphanumeric characters unless you are certain a special character was used to create the password.

    Another approach is to scan the disk for all words and then try them in different upper and lower case combinations against the encrypted file.

    Conclusion about security of encrypted .zip and .rar files

    The latest versions of WinZip and WinRar both use 128 or 256 bit AES for encryption. This cipher is a security standard and safe from cracking as long as the password is sufficiently long and contains upper and lowercase letters, special characters and numbers.

    The weakest link in .zip and .rar encrypted passwords is you. Avoid reusing your passwords anywhere else and writing them down, with the exception maybe being a password manager you trust.

    Make sure that you only encrypt .zip and .rar files with WinZip 9.0 and above and WinRar 3.0 and above, as earlier versions have some vulnerability.

    There are many companies out there promising to crack files encrypted with WinZip and WinRar, and they all rely on the same thing: either you using an old version of the file compression software, or you choosing a weak and easy to guess password. As long as you cover those two vulnerabilities, you are safe using WinZip or WinRar for encryption. My first choice would be WinRar, since WinZip does not support file name encryption.
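
    The points above about visible file names and pre-9.0 encryption can be checked on your own archives. The following is an added example, not part of the original post: it reads only the unencrypted ZIP central directory to list each file name and report whether the entry uses the legacy ZIP 2.0 password scheme or WinZip AES. The sample archive, its file names and the function names are constructed for illustration.

```python
import io
import struct
import zipfile

AES_METHOD = 99        # compression-method value that marks a WinZip AES entry
AES_EXTRA_ID = 0x9901  # extra-field ID that carries the AES parameters
AES_BITS = {1: 128, 2: 192, 3: 256}


def classify(info):
    """Return the encryption scheme recorded for one zipfile.ZipInfo entry."""
    if not info.flag_bits & 0x1:            # general-purpose bit 0: encrypted
        return "none"
    if info.compress_type != AES_METHOD:
        return "legacy"                     # ZIP 2.0 password scheme, pre-AES
    extra, pos = info.extra, 0
    while pos + 4 <= len(extra):            # walk the (id, size, data) records
        field_id, size = struct.unpack_from("<HH", extra, pos)
        if field_id == AES_EXTRA_ID and size >= 7:
            bits = AES_BITS.get(extra[pos + 8])  # byte after version + "AE"
            return "AES-%d" % bits if bits else "AES-unknown"
        pos += 4 + size
    return "AES-unknown"


def audit(data):
    """Map each file name (readable without the password) to its scheme."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {i.filename: classify(i) for i in zf.infolist()}


def weak_entries(data):
    """Names of entries that should be re-encrypted with AES."""
    return [name for name, scheme in audit(data).items() if scheme == "legacy"]


def build_sample():
    """Constructed archive with one entry per scheme; bodies are dummy bytes
    because the audit only reads headers and never decrypts anything."""
    aes256 = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 0)
    entries = [("readme.txt", 0, 0, b""),
               ("payroll-2011.xls", 1, 0, b""),
               ("contract.doc", 1, AES_METHOD, aes256)]
    out, central = b"", b""
    for name, flags, method, extra in entries:
        raw, body = name.encode(), b"dummy"
        sizes = (0, len(body), len(body))   # crc, compressed, uncompressed
        central += struct.pack("<4s6H3I5H2I", b"PK\x01\x02", 20, 20, flags,
                               method, 0, 33, *sizes, len(raw), len(extra),
                               0, 0, 0, 0, len(out)) + raw + extra
        out += struct.pack("<4s5H3I2H", b"PK\x03\x04", 20, flags, method,
                           0, 33, *sizes, len(raw), len(extra))
        out += raw + extra + body
    end = struct.pack("<4s4H2IH", b"PK\x05\x06", 0, 0, len(entries),
                      len(entries), len(central), len(out), 0)
    return out + central + end


if __name__ == "__main__":
    for name, scheme in audit(build_sample()).items():
        print("%-18s %s" % (name, scheme))
```

    To audit a real file, pass its bytes: audit(open("archive.zip", "rb").read()).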

  • Free keylogger protection Neo’s SafeKeys

    If you are conscious about computer security or are using a public computer in an internet cafe or library, some kind of protection against keyloggers is a must have.

    A keylogger can easily capture your Yahoo mail and Gmail passwords as well as banking passwords; anything you type on your keyboard could be logged and stored by someone you don’t know.

    Neo’s Safekeys keylogger protection is a virtual keyboard that works with the mouse and will protect you against malicious hardware and software keyloggers.

    Do not be fooled by the Windows on-screen keyboard as it performs software key presses each time you click an on-screen key and even the most basic keylogger will capture everything you type using it.

    Neo’s SafeKeys keylogger protection main features

    Password drag and drop keylogger protection: This feature allows you to transfer your password by dragging and dropping it from Neo’s SafeKeys to the destination program. There are no keyloggers at present that can capture a password while dragging and dropping it.

    Keylogger screenshot protection: Neo’s SafeKeys protects you against screenshots being taken of your mouse movements. It introduces a protective transparent layer on the virtual keyboard; if any malware is taking screenshots, it will only see the protective layer and not the virtual keyboard buttons. Screenshots taken using Windows commands do not see transparent windows, and Neo’s SafeKeys will always remain at least 1% transparent.

    Field scraping keylogger protection: Some commercial keyloggers can grab passwords from password fields using Windows API commands. Neo’s SafeKeys keylogger protection will keep your password away, and it will never store it behind the asterisk mask in Windows fields.

    Neo’s SafeKeys keylogger protection

    Mouse positioning keylogger protection: Mouse position logging is often used to defeat people using the on-screen keyboards of banking websites. Each time you click, the coordinates of your mouse are captured; since the virtual on-screen keyboard always has the same dimensions, the malware can then learn which on-screen keys you clicked on.

    Neo’s SafeKeys will always start in a different position on the screen and its height and width will also change. You can also use a button named Resize SafeKeys to reset your virtual keyboard dimensions.

    Clipboard keylogger protection: Most malware is able to capture data copied to the Windows clipboard, and that includes passwords. Neo’s SafeKeys never uses the clipboard for anything, ever.

    Neo’s SafeKeys keylogger protection extra features

    Neo’s SafeKeys allows for the creation of customized keyboard layouts. Your settings (not the passwords) will be stored in a NSKconfig .ini file; you can copy it and edit it to your own taste until you get the keyboard layout you want.

    You can use Neo’s SafeKeys as a portable notepad; by disabling the password mask you will be able to see anything you enter.

    Hardware keylogger plugged in PS2 port

    Hardware keyloggers like the one pictured above are notoriously hard to detect; antivirus will not find them and they work in all operating systems.

    Visit Neo’s SafeKeys homepage

  • How long should my password be? Minimum password length suggested

    We should start talking about passphrases and not passwords. According to one Georgia Institute of Technology study, any password shorter than 12 characters is vulnerable to attack. The length of your password, as well as its quality, like using a combination of alphanumeric characters, matters a lot when it comes to computer security.

    A standard English keyboard has 95 letters and symbols and you should be taking advantage of them to write full sentences as your password. Knowledge about a user may suggest possible passwords (such as pet names, children’s names, etc.), hence estimates of password strength must also take into account resistance to this attack.

    Password box

    The ideal password length is 12 characters

    The Georgia Tech Research Institute study on brute forcing passwords suggests a 12 character password length in order to strike the right balance between convenience and security. Assuming a hacker can try 1 trillion password combinations a second, it would take him 180 years to crack an 11 character password; this number would increase to 17,134 years for a 12 character password.
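
    The study's figures can be reproduced, as an added example that is not part of the original post or the study: 95 keyboard symbols, 1 trillion guesses a second and a 365-day year (an assumption) give the 180 and 17,134 year numbers. It goes beyond the text by working out what length other alphabets, and Diceware's 7,776-word list (a figure not on the page), need to match a random 12 character password.

```python
SECONDS_PER_YEAR = 365 * 24 * 3600   # assumption: 365-day year
GUESSES_PER_SECOND = 10**12          # attacker speed assumed in the study
KEYBOARD = 95                        # symbols on a standard English keyboard
DICEWARE = 7776                      # words in a Diceware list (6**5)

# Alphabet sizes compared below; labels are illustrative.
ALPHABETS = {
    "digits": 10,
    "lowercase letters": 26,
    "letters and digits": 62,
    "full keyboard": KEYBOARD,
    "Diceware words": DICEWARE,
}


def years_to_exhaust(alphabet, length, rate=GUESSES_PER_SECOND):
    """Years needed to try every random password of exactly `length` symbols.

    This is the worst case for the attacker; on average the password is
    found after half of the search space has been tried.
    """
    return alphabet ** length / rate / SECONDS_PER_YEAR


def min_length(alphabet, target_years, rate=GUESSES_PER_SECOND):
    """Shortest length whose exhaustive search takes at least target_years."""
    length = 1
    while years_to_exhaust(alphabet, length, rate) < target_years:
        length += 1
    return length


def equivalents(target_years):
    """Length each alphabet needs to be as slow to search as target_years."""
    return {name: min_length(size, target_years)
            for name, size in ALPHABETS.items()}


if __name__ == "__main__":
    for n in (8, 10, 11, 12):
        print("%2d keyboard symbols: %12.1f years" % (n, years_to_exhaust(KEYBOARD, n)))
    target = years_to_exhaust(KEYBOARD, 12)
    for name, length in equivalents(target).items():
        print("%-20s needs %2d symbols" % (name, length))
```

    These figures only hold for passwords chosen at random; a password built from a name or a dictionary word falls to a far smaller search.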

    How to create a strong password?

    • Include numbers, symbols, upper and lowercase letters in passwords.
    • Avoid any password based on repetition, dictionary words, letter or number sequences.
    • Use capital and lower-case letters.
    • Password must be easy to remember and not force insecure actions like writing it down on notes.

    According to one of the study authors, if an attacker wants to crack many passwords quickly, once he’s built a rainbow table it might then only take about 10 minutes per password rather than several days. A rainbow table holds precomputed hashes of the most common passwords, and that database can be quickly run against your hashed password.

    Solutions to create secure passwords

    Instructions to create the best random password possible: Diceware

    Store your passwords encrypted online: LastPass

    Free secure password manager for desktop computer: KeePass

  • Use a VPN on a computer without admin rights

    If you have to move around between computers, or are using a college or work computer where you have no admin rights, and want to use a VPN to get around internet filtering, you will find that OpenVPN needs administrator rights to be installed. There is a workaround for this: simply use a portable VPN on a USB drive, which combined with a portable internet browser will also stop traces being left on the host computer.

    You can bypass your workplace and library internet filtering with a virtual private network. As long as you can plug in a USB thumbdrive you will be able to launch the portable VPN or SSH tunnel, which will get around any logging; not even visited sites will be seen by the admin.

    Portable VPN applications

    OpenVPN portable (Free): OpenVpnPortable is OpenVPN and a modification of openvpn-gui packaged as a portable app, so you can connect to your VPN on any computer. It is open source and free. For this portable VPN to work you will need to have your VPN provider’s digital certificates.

    PortableVPN ($/€): This application allows you to establish a VPN connection while using a computer without admin rights. You do not need to configure anything other than the portable VPN, and it also allows for a portable PPTP. This application is also U3 capable for USB thumbdrives with U3.

    Portable SSH tunnel

    KiTTY: KiTTY is a fork of the well known SSH client PuTTY. KiTTY does not require any installation and you can use it easily with an SSH provider or your own SSH proxy server. Place the portable SSH client on your thumbdrive and configure your browser to do all the surfing through the anonymous tunnel.

    Remote SSH tunnel connection