Category: Security

Computer Security

  • Encrypted Instant Messenger FireFloo Communicator

    FireFloo Communicator is a portable open source instant messenger that secures communications with public and private encryption keys. The program can interact with any other messenger that uses the standard Extensible Messaging and Presence Protocol (XMPP). Jabber-based messengers like Pidgin, Trillian, Gmail Chat, Coccinella and Jitsi will all be able to exchange messages with it. FireFloo Communicator will not connect with the proprietary Yahoo or Windows Live messengers. Since Snowden’s leaked secret documents showed that Yahoo Messenger is vulnerable to spying, you will not be missing anything anyway.

    One of the strengths of the XMPP network that FireFloo Communicator runs on is that there is no central server; anybody can run an XMPP server. This decentralization makes it impossible to take the whole network down: if a public server is under attack you can connect to a different server or roll out your own. It also makes wiretapping harder, as the network is made up of multiple nodes with no single point of failure, and the echo protocol for multi-encrypted messaging takes care of packet sniffing.

    Encrypted instant messenger FireFloo Communicator

    FireFloo Communicator is one of the few instant messengers that does not require you to enter an email address to create an account; you only have to pick a username and password to start chatting with your friends. After extracting the FireFloo Communicator files to a folder, clicking on the FireFloo.exe file will start the chat straight away. I wasn’t asked for administrator rights when running it in Windows Vista.

    During account creation, security preferences can be tweaked by changing your encryption key size from 2048 bits to 15369 bits, which is clearly overkill, but paranoid types should welcome it. Other security options include changing the default RSA key to ElGamal and changing the AES256-bit cipher to Serpent256, Camellia256 or Twofish. The default security options looked fine to me. I don’t think there is any need to modify anything, but you will not break the program if you do; it might just change software performance, like a slight lag.

    FireFloo Communicator server settings

    The FireFloo Communicator interface is simple but functional. It has five tabs: FriendsList, Group Chat, Add a friend, Settings and Cryptopad, an encryption notepad where you can copy and paste encrypted text to send via insecure means, like email. The Rosetta CryptoPad also has cipher and hashing configuration options for you to customize at will. I found this additional tool a genial extension, as it only takes one extra tab and covers email encryption without needing another program for that.

    The program has only recently been released and is still in beta, so it has some bumps to fix. The help manual is one of them: it doesn’t come with one. There is no mobile or Linux version, but the source code is ready to compile and one can be created. A promising instant messenger to keep an eye on, the best part being its Jabber compatibility and security, with the low points being the lack of a help manual and basic chat features.

    Visit FireFloo homepage

    Warning 2006: Project not updated for more than 2 years, possibly dead.

  • Encrypted Voice over IP chat Mumble works with Tor

    Mumble is an open source VoIP program for group or P2P chat that runs on Windows, Mac and Linux, with iPhone and Android versions in beta. Mumble encryption is implemented with public/private key authentication and, unlike Microsoft-owned Skype, which supposedly also encrypts calls, Mumble lets cryptography experts scrutinise the code to make sure that the NSA has not inserted a backdoor or weakened the algorithm.

    Mumble is widely used by gamers due to its low latency and background noise reduction, resulting in superb audio quality, but you can use it for any kind of communication. Ninety per cent of the public chatrooms I visited were gaming clans and I had to manually add activist related Mumble servers like occupytalk. For high privacy group calls you have got to manage everything yourself, including the server, otherwise a rogue operator could carry out a man-in-the-middle attack to eavesdrop on you.

    Mumble server encryption details

    When you first install Mumble you will be asked whether you would like to run your own server (called Murmur). This will give you total control over who can access the chatroom, but it requires staff and time. The other options are to join one of the dozens of public Mumble servers, classified by country, and create your own chatroom there, or to rent a Mumble server from a specialist provider; these can easily be found with an Internet search for Mumble server hosting.

    The Mumble client Audio Tuning Wizard helps you correctly set input levels for your sound card, with voice activity detection and sound quality settings as well as optional text to speech to read typed-in messages. Messages are read with a metallic voice, but you have the option of buying a professional text to speech package from a third party and adding it if you are going to use the feature a lot. The second Mumble client step creates a digital certificate to authenticate with servers. Most likely the servers you visit will have a free self-signed digital certificate, which pops up a warning window that you will have to accept before joining. This is not a huge security risk if you examine the certificate before accepting it, and it only has to be done once.

    Besides AES256-bit encryption, Mumble has the edge over other VoIP tools because it can communicate over TCP. This is absolutely necessary for any program to be tunnelled through Tor, and most VoIP programs only work with UDP. Mumble also has very low bandwidth needs, so it will not clog Tor nodes, and it works as push to talk (PTT): you need to push a button to transmit voice, instead of keeping an always-on call connection.

    You can either connect through Tor running on your own computer, or roll your own anonymous Mumble server for your friends. For the first option, go to Configuration>Network in Mumble, tick the checkbox that says “Force TCP Mode” and fill in the SOCKS5 proxy settings with localhost and 9050 for the port. For the second, rent a VPS, install the Mumble server software on it, configure the server firewall to accept incoming connections on Mumble’s default port 64738 and install Tor on the VPS; from then on all voice calls made using that server will be encrypted and anonymous.

    Visit Mumble homepage

  • Jam Wifi signals using your wireless card with wifijammer

    The originally named wifijammer is a Python script to interfere with Wifi access points and disrupt the network. This can be useful for penetration testing of your own network or if you suspect that wireless spy cams are around your premises. There are online shops selling hardware wireless jammers too, but they cost additional dollars; wifijammer is a simple application that anyone with a laptop and basic Linux knowledge can use. This kind of application must be used with caution: you need to be careful not to interfere with a network that is not yours or you risk arrest.

    For this jammer program to work, your wireless card needs to be able to inject packets into the network. You will have to find out your wireless card chipset; running the dmesg command in Linux will often show this information, or run lsusb if you are using a wireless USB dongle. With that information you can then search the Internet to find out whether the card is suitable for running aircrack-ng or any other WPA cracking utility. If the wireless chipset can run a WPA cracking tool, it is able to inject packets on a live network and it will work with wifijammer.

    Wireless Access Point hacking

    The jammer will automatically hop between channels every second to determine all possible targets. After the initial identification it will start jamming the signal by sending constant deauthentication packets to the access point. This is a way to disassociate connected computers from the access point, cutting off their wireless access. wifijammer does not perform a denial of service attack but a disconnection: the client is able to reconnect, but as long as the attack runs wifijammer keeps telling the access point to disconnect the client, with the same result as a denial of service attack without needing that much bandwidth or resources. A benefit of getting a client to constantly re-authenticate to the access point is that it might be possible to capture the WPA2 handshake and gain access to the network.

    There is another application to jam Wifi access points in the WebSploit framework, but wifijammer has the advantage of being a very small script that should run on any operating system where you can install Python.

    If an access point has MAC filtering enabled you would have to spoof the MAC address of a client first before deauthentication packets are accepted. Having said that, expensive enterprise level wireless access points are able to detect continuous deauth requests and they will block you.
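
    How an access point or wireless IDS can spot the continuous deauthentication requests described above, as an added example that is not part of wifijammer or the original article: it parses raw 802.11 management frames and alerts when one client receives a burst of deauthentication frames. The threshold, the window and the sample capture are assumptions constructed for the illustration.

```python
import struct
from collections import defaultdict, deque

MGMT_TYPE, DEAUTH_SUBTYPE = 0, 12   # 802.11 management frame, deauthentication

def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_deauth(frame: bytes):
    """Return (dst, src, bssid, reason) for a deauthentication frame, else None."""
    if len(frame) < 26:              # 24-byte MAC header + 2-byte reason code
        return None
    fc = frame[0]                    # version: bits 0-1, type: 2-3, subtype: 4-7
    if fc & 0x3 != 0 or (fc >> 2) & 0x3 != MGMT_TYPE or fc >> 4 != DEAUTH_SUBTYPE:
        return None
    (reason,) = struct.unpack_from("<H", frame, 24)
    return mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22]), reason

def detect_floods(capture, threshold=10, window_ms=1000):
    """capture: iterable of (timestamp_ms, raw_frame) in time order.

    Counts deauth frames per (BSSID, destination) in a sliding window and
    returns one alert (bssid, dst, count, timestamp_ms) the first time a pair
    reaches the threshold. The source address is deliberately not part of the
    key: it is unauthenticated and cannot be trusted.
    """
    recent = defaultdict(deque)
    alerts, alerted = [], set()
    for ts, raw in capture:
        parsed = parse_deauth(raw)
        if parsed is None:
            continue
        dst, _src, bssid, _reason = parsed
        times = recent[(bssid, dst)]
        times.append(ts)
        while ts - times[0] > window_ms:     # drop frames older than the window
            times.popleft()
        if len(times) >= threshold and (bssid, dst) not in alerted:
            alerted.add((bssid, dst))
            alerts.append((bssid, dst, len(times), ts))
    return alerts

# --- constructed sample capture (no radiotap header, addresses are made up) ---
AP = bytes.fromhex("020000000001")
CLIENT = bytes.fromhex("020000000002")

def build_frame(subtype, dst, src, bssid, reason=7):
    header = bytes([subtype << 4, 0]) + b"\x00\x00" + dst + src + bssid + b"\x00\x00"
    return header + struct.pack("<H", reason)

SAMPLE = [(0, build_frame(12, AP, CLIENT, AP, reason=3)),   # one client leaving
          (100, build_frame(8, b"\xff" * 6, AP, AP))]        # beacon, ignored
SAMPLE += [(5000 + 20 * i, build_frame(12, CLIENT, AP, AP)) for i in range(40)]  # burst

if __name__ == "__main__":
    for bssid, dst, count, ts in detect_floods(SAMPLE):
        print(f"deauth flood: bssid={bssid} target={dst} {count} frames in 1 s at t={ts} ms")
```

    Detection only reports the flood; on networks that enable 802.11w Protected Management Frames, clients discard deauthentication frames that are not authenticated.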

    Visit wifijammer homepage

  • Anonymous encrypted communications with LEAP Bitmask

    Bitmask is an open source cross-platform bundle from the LEAP Encryption Access Project, a non-profit group dedicated to protecting the right to leak information. Bitmask can be used to send anonymous email messages, hide your computer IP when visiting websites, circumvent Internet filters and encrypt your Internet activities to stop ISPs from logging them.

    You can either set up your own Bitmask server to tunnel your traffic or find a provider that supports the application. To open a Bitmask account you only have to cook up a username and password; no additional information is required. Currently Bitmask only works with LEAP’s own Bitmask server, but activist privacy providers like Riseup and Calyx plan on implementing it soon.

    To send email anonymously with Bitmask, a help guide explains how to manually set up SMTP and IMAP to proxy messages in any email client, or you can download the Bitmask Thunderbird addon, which has a wizard guiding you through the proxy set up process. The addon also prevents Bitmask account caching.

    LEAP Bitmask anonymous email configuration

    Bitmask has been designed to automate anonymity. It uses OpenPGP for email encryption, but you don’t have to exchange encryption keys with anybody; the program does it for you. Encryption takes place on your computer and should stop Gmail or Outlook from handing over email contents to the NSA. Emails are stored encrypted on your computer.

    One of the downsides of Bitmask email is that you cannot use it with webmail; it only works with email clients. In case you wonder, the difference between Enigmail and the Bitmask Thunderbird addon is that Bitmask exchanges encryption keys automatically.

    Encrypting Internet activities and hiding your computer IP from websites is achieved with a VPN tunnel. To mitigate the risk of a VPN provider eavesdropping on you, Bitmask authenticates with the VPN using an anonymous digital certificate. What I could not see is any countermeasure to stop a rogue VPN from logging computer connection IP and timestamps.

    Bitmask’s stated goal of bringing easy, always-on network encryption bets on safe technologies like OpenVPN and OpenPGP. Some trust is placed in the VPN provider, and although it allows organisations to roll out their own server, so does OpenVPN. I did not find Bitmask any easier than downloading a VPN program and using webmail for pseudo anonymous encrypted Internet communications. The best points of LEAP Bitmask are that it is open source, it allows people to run their own server and has detailed technical documentation.

    Future plans include anonymous chat on top of XMPP, secure VoIP, LEAP Tor hidden services and creating a darknet between all LEAP platform providers. Of all those things the most exciting feature for me is the Bitmask darknet. For those who don’t know, a darknet is a closed private network of computers that can only be accessed by approved members.

    Note: At the moment Bitmask for Windows only works with a 32-bit OS; if you have a 64-bit OS, download the Thunderbird addon.

    Visit Bitmask homepage

  • Warrant divulges FBI high tech malware sent to suspected terrorist email

    In a very little publicised case of bomb threats that have been going on for months against US public buildings like universities, hotels and airports, an anonymous caller identifying himself as a friend of James Holmes continuously warned the FBI that if the Colorado cinema shooter was not released a building full of people would be blown up using ammonium nitrate.

    An Emergency Disclosure Request order sent to Google exposed that the caller was using the Google Voice VoIP service to carry out the bomb threats while masking his computer IP with a free VPN service called HotSpotShield, also known as AnchorFree.

    Subsequent bomb threats included numerous email exchanges, a chat between the suspect and an FBI agent using Yahoo Messenger, and photographs the suspect sent to the FBI of, supposedly, himself wearing an Iranian camouflage military uniform.

    The FBI trojan horse is referred to in the search warrant application as a Network Investigative Technique (NIT), and it was sent to the suspect’s Yahoo email address “texan.slayer@yahoo.com” in the form of a link. It should have been executed when the suspected terrorist logged into his email account, connecting to FBI servers and downloading malware to let law enforcement know the following:

    – Computer IP address, computer network card MAC address, list of open ports, a list of running programs, operating system and Windows serial number, web browser brand and version, computer’s language encoding and default language, computer time zone, previous visited websites and other identifying information that could be of assistance.

    The document shows that the trojan horse failed to execute correctly but not before revealing that the person making bomb threats was doing so from Iran.

    There is no specific information about how the FBI executed the malware, but since a download link is mentioned, I will make a guess, without backing evidence, of how it could have been done, by saying that the trojan horse could have been embedded in an HTML formatted email and executed with Javascript as soon as the suspect opened the email message.

  • List of non USA cloud storage services with client side encryption

    To truly secure your data in the cloud it is necessary to encrypt it before it leaves your computer and not to trust others to do this for you. You can encrypt files yourself with something like Truecrypt, DiskCryptor or 7Zip but it requires time and extra work.

    This list contains cloud storage services that encrypt your data before uploading it to their servers and give you full control of the decryption keys, making it impossible for the company to decrypt anything.

    TeamDrive: Company based in Germany. Data is encrypted on your computer with AES256-bit using your own encryption key, which the company has no access to. You can decide whether to store your files on Amazon EC2 USA, Ireland or Hong Kong servers; account data is only held on German servers.

    Mega: Based in New Zealand. All data is encrypted with AES128-bit before uploading it to the cloud, and an RSA2048-bit key is used to share already encrypted files between users. Their FAQ is very complete, explaining the security measures they use and what possible vulnerabilities exist against their business model.

    Mega cloud encryption file sharing

    Powerfolder: German company. It can be used to store and share files in the cloud; they have no servers in the USA and everything is encrypted client side with the AES algorithm. You can password protect folders before sharing them with others.

    TresorIt: Hungarian company. They use AES256-bit to encrypt data before uploading it to the cloud. The company offered $US10.000 to whoever can break their security software. Data can be accessed on your smartphone or desktop computer. There are free and paid-for plans.

    TresorIt encrypted cloud storage

    Unseen.is: A full communications suite with encrypted cloud storage on top of email and instant messenger. With headquarters and servers in Iceland, encryption is end to end; the company does not have the key and cannot read any messages. Unseen.is is transparent about their technological encryption set up and privacy policy. Take into account that online storage is limited; the service has been designed to only back up your most important files, not a whole computer.

    Notice: Even if the company is not based in the USA, they might be using American servers for storage unless specified.

  • List of USA cloud storage services with client side encryption

    Even with local encryption, it is not impossible for a government to subpoena a tech company and force them to introduce a backdoor in their software. A few of the US companies below allow you to download the security software source code to make it much harder for a government to tamper with it unnoticed.

    Another way to strengthen your security is to use third party cloud encryption programs like Viivo or BoxCryptor. They come with an easy to use interface that makes cloud encryption effortless. These programs can be used in conjunction with a cloud service’s own encryption, adding a second encryption layer that will have to be broken.

    If you use Linux, EncFS can create an encrypted version of your files inside a folder before syncing it online.

    iDrive: Data is secured with AES256-bit encryption before moving it to the cloud. The encryption key is provided by you and not stored anywhere in iDrive servers, or you can opt for their system based encryption scheme where the company holds the key.

    JungleDisk: Used to back up your computer files to Rackspace Cloud Files Service or Amazon S3. During installation you can create your own AES256-bit encryption key that nobody else will know, with data being encrypted before leaving your computer.

    JungleDisk cloud encryption Android client

    Cubby: Client side encryption with AES256-bit. Any content added inside the Cubby software is automatically encrypted before syncing it with the cloud, and there is an option to sync data between your computers and avoid the cloud altogether.

    Elephant Drive: You are given a choice of using the company encryption keys or creating your own. If you create your own keys, Elephant Drive will only store a hash value of them to compare with the entered password when you ask for access. The company will not be able to access your data even if they are forced to at gunpoint.

    SpiderOak: It can be used to share and back up files. Data is encrypted on your computer with AES256-bit in CFB mode and HMAC-SHA256; the company has no knowledge of what data is stored on their servers or what your password is. SpiderOak software works on smartphones and Linux as well as Windows.

    Bitcasa: They implement convergent encryption to remove duplicate files stored in their servers, a way to save space in cloud servers by not backing up duplicate files that exist in another user account. With this system the company does not have to decrypt or see the data which is kept ciphered with AES256-bit.
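
    A sketch of convergent encryption in general, added here as an illustration and not Bitcasa's own code: the key is derived from the file content, so identical files from different users encrypt to the same ciphertext and the server can keep one copy without holding a key. The SHA-256 keystream stands in for AES256-bit so the example runs with the standard library only; the class and function names are hypothetical.

```python
import hashlib
import hmac

def stream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher: SHA-256 in counter mode used as a keystream.
    Assumption for this example only; a real service would use AES-256."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + (offset // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

def convergent_encrypt(plaintext: bytes):
    """The key is the hash of the content, so equal files give equal ciphertext."""
    key = hashlib.sha256(plaintext).digest()          # stays with the user
    ciphertext = stream_xor(key, plaintext)
    locator = hashlib.sha256(ciphertext).hexdigest()  # what the server indexes
    return key, ciphertext, locator

def convergent_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    plaintext = stream_xor(key, ciphertext)
    if not hmac.compare_digest(hashlib.sha256(plaintext).digest(), key):
        raise ValueError("key does not match this ciphertext")
    return plaintext

class DedupStore:
    """Provider side: holds ciphertext and locators, never a key."""
    def __init__(self):
        self.blobs, self.owners = {}, {}

    def upload(self, user, locator, ciphertext):
        is_new = locator not in self.blobs
        if is_new:
            self.blobs[locator] = ciphertext
        self.owners.setdefault(locator, set()).add(user)
        return is_new                                  # False: deduplicated

def demo():
    shared = b"constructed sample: a file many users have" * 4
    private = b"constructed sample: notes only alice has"
    store = DedupStore()
    key_a, ct_a, loc_a = convergent_encrypt(shared)    # alice's client
    key_b, ct_b, loc_b = convergent_encrypt(shared)    # bob's client, independently
    first = store.upload("alice", loc_a, ct_a)
    second = store.upload("bob", loc_b, ct_b)
    _, ct_p, loc_p = convergent_encrypt(private)
    store.upload("alice", loc_p, ct_p)
    return {
        "first_stored": first,
        "second_stored": second,
        "blobs_kept": len(store.blobs),
        "recovered": convergent_decrypt(key_b, store.blobs[loc_a]) == shared,
        # Trade-off: without any key the provider still learns who holds the same file.
        "holders_of_shared": sorted(store.owners[loc_a]),
    }

if __name__ == "__main__":
    print(demo())
```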

    Bitcasa cloud encryption software

    TarSnap: Targeted at the open source community, Tarsnap works in Linux, BSD, Solaris and other Unix based operating systems. Command line interface or shell scripts will encrypt and sign your data before uploading it, the software source code is available for download.

    Make sure not to fall for Dropbox or Google Cloud Storage security marketing ploys. Those companies only encrypt data server side. They do not protect you against a subpoena forcing a company to hand over the encryption keys.

    The only way to be safe from the NSA accessing your data stored in the cloud is if the cloud company never had access to the encryption key. In that case, the NSA could only try a brute force attack against hashed passwords, and it would not get them very far if you have assembled a very long encryption passphrase.