Category: Encryption

Encryption Software

  • Encrypt data in Mac OS, iPhone and iPad with Krypton

    Krypton is a Mac OS and iOS (iPhone, iPad) tool to securely encrypt your files using AES256-bit in Cipher Block Chaining (CBC) mode. This program is able to encrypt any kind of file, from documents to images, videos or MP3s, and full folders. If you are familiar with Truecrypt you will notice that Krypton works in the same fashion, creating an encrypted storage space, called a vault, that holds any file you place inside it and makes the whole vault unreadable without entering the correct password.

    On a Mac computer you can use Truecrypt for free, but iOS mobile devices do not work with it. Krypton will minimize the work of transferring encrypted data between secure vaults on your iPad or iPhone and your Mac OS desktop.

    iOS iPhone encryption Kryptos

    When you copy text to the clipboard this can be automatically sent to Krypton for encryption, and if you select a file for encryption it is possible to tick a checkbox to shred it after it has been secured and make recovery of the original data left behind impossible.

    The software menu has a shortcut to send encrypted documents to Dropbox cloud space. Encrypting files before uploading them is a good way to protect yourself from NSA spying, as Dropbox can access or be compelled to access your data. Another two shortcuts in Krypton’s menu let you decrypt a file or folder, export it outside the vault and delete it from the vault.

    The developers claim that if you lose your password the encrypted data is not recoverable, so there is no backdoor. This looks like a good security tool due to the developers using a standard strong encryption algorithm like AES256-bit and the cross compatibility between mobile and desktop devices.

    You need to be aware that once the data has been exported outside the vault and accessed by another application it will no longer be encrypted, and that other application could create a temporary copy that will be stored unencrypted outside the secured space. For example, a Time Machine Mac OS backup could contain a copy of decrypted confidential files.

    Krypton will be best used in conjunction with a data shredder to securely delete any files leaking out of the encrypted storage space while you edited or viewed them.

    Visit Krypton homepage

  • Al-Qaeda IM encryption plugin “Asrar Al-Dardashah”

    The Global Islamic Media Front, an underground propaganda division for Al-Qaeda and other violent jihadist groups, has released what they call “The First Islamic Program for Encrypted Instant Messaging”, an instant messenger plugin working alongside another jihadist encryption tool called Asrar al-Mujahideen, already reviewed in my Mojaheeden Secrets post, which consists of nothing more than a PGP-like public/private key encryption tool. This new plugin works with Pidgin, an open source instant messenger compatible with all major IM networks like Yahoo Messenger, Google Talk, Jabber, ICQ and others.

    The announcement includes a ten-minute video tutorial subtitled in English and hosted on YouTube, not containing any Al-Qaeda branding, to stop YouTube taking it down I presume. After watching the tutorial I can attest that the instructions were very accurate. Whoever produced it was highly experienced in computer privacy tools and demonstrated how to use a Tor proxy to download Pidgin with Startpage set as their main search engine, which, unlike Google, does not keep IP records. Other sophisticated anonymity technologies included configuring a Socks5 proxy so that not only will the chat be encrypted but the computer IP will be hidden from the other party.

    Asrar-Al-Dardashah encryption plugin Alqeda

    The tutorial advised jihadists to only download the plugin from a trusted source and to compare the public encryption key ID of the person they are chatting with against the key they have stored in Mojaheeden Secrets 2, to make sure nobody is stealing that person’s identity and replacing the encryption key with their own.

    At first glance it might seem impressive that Al-Qaeda supporters have their own high quality branded encryption software, and it must work great for propaganda purposes and reaffirmation. However, they are not reinventing the wheel: OpenPGP is open source, it can be checked for backdoors and it has been around for a long time, and the plugin they are releasing closely resembles the OTR (Off-The-Record) anonymity Pidgin plugin that has been around for years. This is not a new security tool, and the only concerning part is that Al-Qaeda supporters are learning how the technology works. But they are also drawing attention to themselves by using a tool that only jihad extremists have access to. The CIA just has to love how Asrar al-Mujahideen is introducing its own “#—Begin Al-Ekhlaas Network ASRAR El Moujahedeen V2.0 Public Key 2048 bit—” tag in every single encrypted message it sends. American secret services packet sniffers must be busy tracking down where in cyberspace people are sending messages with those tags.

    Global Islamic Media Front encryption tools only work in Windows. Until jihadists discover the power of Linux or BSD they won’t do much damage in cyberwar, since most companies and government servers normally run Linux. Encryption will also be of little help to them if informers can be found inside the group.

    Visit Global Islamic Media Front homepage

  • List of One Time Pad encryption programs

    One Time Pad encryption, also known as the Vernam or perfect cipher, is the holy grail of encryption security. When used correctly it makes cryptanalysis nearly impossible because it is not possible to compare old messages. As long as the one time pad is perfectly random, all the clues on what coding was used for encryption remain in a single message. It is not easy to accomplish because high quality random numbers are difficult to generate.

    This type of encryption was widely used by spy agencies during World War II and the Cold War period, protecting diplomatic and military communications. The advantage of one time pad encryption is that it can be done by hand with pencil and paper, without the need to carry any special device compromising undercover operations. A downside for this type of encryption is that the password is made up of as many characters as the text you encrypt, resulting in extremely long passphrases that are difficult to disseminate. When all rules are followed this one time encryption method remains secure and unbreakable, but in order to solve the key transmission problem one time pads have been replaced by symmetric block ciphers and public key encryption.

    I have only managed to find old one time pad encryption tools, most of them developed by a single hobbyist, which could be listed as abandonware. You should not assume a developer’s claims are true just because he says so. Without truly random numbers one time pad security will be compromised, and reusing any part of the pad makes the cipher vulnerable to attack. There is no way to know for sure how secure these programs are, but some of them provide the source code for you to look at.
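
    The rules described above (a pad as long as the message, random pad material, no pad byte ever used twice) shown as an added Python example that is not part of the original post or of any program listed here. The OneTimePad class and its method names are hypothetical, and the operating system's random generator stands in for a truly random source.

```python
import secrets


class PadExhausted(Exception):
    """The message needs pad bytes that are missing or already used."""


def xor_bytes(a: bytes, b: bytes) -> bytes:
    # A one time pad key must be exactly as long as the text it covers.
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


class OneTimePad:
    """Pad material whose bytes are each handed out at most once."""

    def __init__(self, material: bytes):
        self.material = material
        self.used = 0  # every byte before this index has been consumed

    @classmethod
    def generate(cls, length: int) -> "OneTimePad":
        # Assumption: the OS CSPRNG stands in for a truly random source.
        return cls(secrets.token_bytes(length))

    def encrypt(self, plaintext: bytes):
        """Return (offset, ciphertext); the offset tells the peer where to start."""
        n = len(plaintext)
        if n > len(self.material) - self.used:
            raise PadExhausted("not enough unused pad; never wrap around")
        offset = self.used
        self.used += n  # burn the bytes so they cannot be used again
        return offset, xor_bytes(plaintext, self.material[offset:offset + n])

    def decrypt(self, offset: int, ciphertext: bytes) -> bytes:
        if offset < self.used:
            raise PadExhausted("offset points into pad bytes already used")
        end = offset + len(ciphertext)
        if end > len(self.material):
            raise PadExhausted("ciphertext is longer than the remaining pad")
        self.used = end
        return xor_bytes(ciphertext, self.material[offset:end])


def reuse_leaks_plaintext_xor(p1: bytes, p2: bytes) -> bool:
    """Why reuse is fatal: with one key for two messages the key cancels,
    so c1 XOR c2 equals p1 XOR p2 and no longer depends on the pad."""
    key = secrets.token_bytes(len(p1))
    c1, c2 = xor_bytes(p1, key), xor_bytes(p2, key)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


if __name__ == "__main__":
    sender = OneTimePad.generate(32)
    receiver = OneTimePad(sender.material)  # constructed: the peer's pad copy
    off, ct = sender.encrypt(b"MEET AT DAWN")  # constructed sample message
    print(off, ct.hex(), receiver.decrypt(off, ct))
    print("reuse leaks p1^p2:", reuse_leaks_plaintext_xor(b"budget Q3", b"budget Q4"))
```
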

    CT-46 One Time Pad: An encryption tool that converts text into digits using a conversion table, completing the final group with zeros. The software is meant to be used to learn working with one-time pads and as a training resource, and it comes with a complete help manual that tells you how to perform one time pad encryption with pencil and paper.

    CT-46 One Time Pad encryption

    OneTimePadJava: Written entirely in Java, it comes with the source code but no help manual, although it appears to be easy to operate. The tool doesn’t need installation and works across platforms.

    Pidgin Paranoia: A Linux plugin for the Pidgin messenger, providing secure IM conversations using one time pad encryption. The secret message has the same length as the key and it is only used once.

    Solid Encryption ($$): A commercial program claiming to be able to perform one time pad encryption, you can try it free for 30 days before being required to buy it. I found the interface to be outdated and not very easy to work with but it comes with a help page.

    One Time Pad Solid Encryption

    Cryptomni: A program to encrypt files using the one time pad cipher. A key file is created using the random generator SecureRandom and the source code is open. This program has not been updated for many years.

    Cryptomni One Time Pad

    OneTimePad Net: A one time pad encryption implementation using Visual Basic, an object-oriented computer programming language that needs Microsoft .NET to work. I had to right click and run this program as administrator for it to work. There is no help file but the interface is pretty straightforward.

    One Time Pad .NET encryption

    Perfenc: A Unix program to perform one time pad encryption. Documentation is included with the software and can be read by typing man perfenc, and you can install it from source with the usual build tools like cmake.

    Emus encryption tool: It uses polyalphabetic methods from the Middle Ages. Texts are encrypted with random codes and fixed passwords, but it can also be used as a one time pad with extremely long random passwords and codes.

    Emus encryption One Time Pad

    Fxor: A Unix command line open source tool released under the BSD license that can be used for key file or one time pad encryption. This program is for people comfortable using the command line as you will have to compile it before being able to use the program. A help file is included.

  • Encrypt text and files with VSEncryptor

    VSEncryptor is a free file encryption tool to secure messages and files. It comes with customization options allowing you to choose the cipher: AES128/192/256bit, the RC2/RC4 stream encryption algorithm, and DES or 3DES. During installation pay attention to avoid having an adware toolbar installed on your computer. You will also be asked if you would like to integrate VSEncryptor with the Windows shell menu to quickly encrypt single files by right clicking on them; this can be changed later on in options.

    The software interface is very easy to understand, with just four buttons: “Encrypt”, “Decrypt”, “Settings” and “Edit Data”. If you use it often you can manage all of the options with the shortcuts that come predefined in settings, and the interface skin can be changed. After encrypting a file it will be recreated with the extension .encrypted, but you can change the default extension to anything you want. Optionally, use the command line to manage VSEncryptor.

    Free file encryption VSEncryptor

    For high security encryption you should stick to the tried and tested AES256 cipher and set it as default in settings. The RC4 algorithm is normally utilized to encrypt streaming data in SSL and WPA, and it can be vulnerable to attack when not used with a strong message authentication code (MAC). I was a little surprised that the developer referred to the RC4 algorithm by its original name, since it is trademarked by RSA Security and the encryption community often refers to it as ARCFOUR or ARC4 to avoid copyright problems. The DES algorithm is crackable using a brute force attack due to its poor 56-bit key length. TripleDES, as the name suggests, triples the DES key length and there is no known way to crack it, but AES has been much more widely analyzed by cryptographers and it is a US Department of Defense standard, so it should be your first cipher choice.

    If you need simple encryption and trust closed source software or have low security needs, VSEncryptor should do the job. Just remember that people receiving your encrypted text or files will need to own the same software to decrypt the data.

    Visit VSEncryptor homepage

  • Encrypt and sync data in between folders with CryptSync

    CryptSync is a free open source utility that synchronizes multiple files between a pair of folders and encrypts the content of one of them, with the aim of uploading the encrypted data to the cloud while keeping the original unencrypted files locally. Synchronization works both ways: whenever there is a change in one of the folders it replicates into the other. The utility also encrypts file names, as they sometimes reveal details. The files are all separately encrypted and have the extension .cryptsync. You could also store data inside an encrypted Truecrypt container and upload it to the cloud, but you will have to update everything manually while CryptSync automates the process. The idea is to use this program to store encrypted data online with minimum effort, and it does a good job at that.

    CryptSync encrypted folders

    Encryption is implemented with 7-Zip, an open source archiving software that highly compresses files, saving space. If you need to open an individual encrypted file in the cloud you can save it to your hard drive and open it with 7-Zip together with your CryptSync password. Software features are minimal: a “Start with Windows” option, “Run in the background” and “Create a New Pair”. You have to be careful when you erase a folder pair because no confirmation is asked for, but no data will be lost even if you erase the pair by mistake, as only the settings are erased. You can use this application from the command line too.

    There is no help manual included but the author has a very complete explanation on how CryptSync works on his website. I would not use this tool if you already have an account with a specialist privacy focused cloud company like SpiderOak or Teamdrive, since their software already encrypts your data locally before reaching their servers and they have no access to the encryption keys or backdoor. CryptSync will be useful in shady cloud storage services that have minimum security or built-in backdoors, like for example Dropbox, where the company employees can access the encrypted servers where your data is stored. You could also use this utility in a network, securely storing backup files inside a NAS (Network Attached Storage) and keeping the original ones inside your fully encrypted computer.

    Visit CryptSync homepage

  • OpenPGP webmail encryption with MailVelope

    Mailvelope is a browser addon for Chrome and Firefox compatible with OpenPGP encryption standards, it will not only encrypt your webmail messages but also read any encrypted email you receive from people using different OpenPGP encryption software like Enigmail. The addon integrates directly into the browser and it comes preconfigured for use with the following email providers: Gmail, Yahoo Mail, Outlook.com and GMX. However it can be customized to work with any other webmail service and it also supports the RoundCube email software, frequently found in hosting companies offering email services with your domain name.

    After installation you will be able to handle your public and private encryption keys, importing, exporting and generating keys. The user is always in possession of his encryption keys, no third party can be compelled to give them up, and encryption is performed in your browser using JavaScript, so the data never leaves your computer unencrypted. Using the MailVelope interface you can send your public encryption key by email with a single click, or alternatively you could distribute your encryption key manually by uploading it to a public keyserver. Encrypted emails can be composed in HTML or plain text. The feature that I liked the most is being able to send an encrypted email message to multiple recipients at once; for that to happen all that is needed is that the public encryption key of those who receive the email is available in your keyring.

    MailVelope encrypted message

    When you receive an encrypted message the addon will try and find the encryption key used to cipher the message in the keyring and prompt you for a password. Anyone familiar with the public/private key encryption scheme will find this addon a very easy way to encrypt and decrypt messages, it could also be used to post encrypted messages on any forum or Facebook if you want to. Being a browser addon means that it will work on any operating system and it can be added to a portable browser.

    There are other free tools to encrypt webmail messages, but this is one of the few that is not specific to a service and it will work with any webmail. Together with the fact that MailVelope is an open source project using compliant OpenPGP standards, this makes the addon worthwhile to consider for those worrying about their personal messages travelling through the Internet like a postcard.

    Visit MailVelope homepage

  • US Army Encryption Wizard public edition

    Developed by the US Air Force Software Protection Initiative, a unit building cost effective cyberdefences against nation-state class threats, Encryption Wizard is a portable program to encrypt files using AES128-bit. Java allows this tool to work across operating systems (Windows, Linux, Mac, Solaris) and there is no need for administrator rights to execute it, so Encryption Wizard can be carried in a USB thumbdrive.

    It is easy to use: dragging and dropping a file inside the window will start the wizard to secure your files. Your password will be checked for dictionary words and you will be told how secure it is, and a password generator showing the entropy bits is available in a different tab if you need it. After encryption the original files can be kept or securely wiped. Additional options include encrypting your files with PKI/X509 digital certificates or a smart card (CAC/PIV), and you can choose to add metadata to an encrypted file which will help indexing software to locate it. Right clicking on an encrypted file will also show its MD5 and SHA256 checksum hash. The developers claim that if anyone forgets the passphrase it is not possible to decrypt the file.

    US Army Encryption Wizard

    If you are going to encrypt multiple files you can compress and encrypt them in a single archive that will result in the extension .wza, while individual encrypted files use .wzd. Encrypted archives work the same way a password protected .rar file would, storing multiple files inside one. The software comes with a brilliant PDF help manual full of screenshots and clear instructions. There is no mention in the manual of being able to use Encryption Wizard to secure top secret documents; the manual recommends its use to encrypt financial information, send emails to soldiers and share files between organizations using incompatible encryption solutions. It gave me the impression that it has been created to encrypt the day to day business of the private soldier (rosters, wages, assignments).

    This tool is included in the US Army Lightweight Portable Security (LPS) secure Linux distribution and there is a Firefox addon to easily encrypt and decrypt files during upload/download. An Encryption Wizard Government Edition FIPS140-2 certified is available for US Federal Government employees and contractors.

    Visit Encryption Wizard homepage