Hacker 10 – Security Hacker

Category: Other

Other computing tips

  • SandCat browser for website penetration testing

    SandCat browser for website penetration testing

    SandCat is a free portable penetration testing browser based on Chromium, the rendering engine behind Chrome browser, thanks to extensions support you can quickly find out what server software is being used by a website, run javascript in the loaded page, view cookies and links, use a cgi scanner, HTTP brute force a page and much more. Three tabs at the bottom of the browser allow you to easily change view from normal to source code or logs.

    Coders can create their own browser extensions with HTML, CSS and Lua (a programming language), Syhunt, the browser developers, own RudaScript library allows you to execute any scripting language, like Ruby, Python, PHP, javascript, etc.

    SandCat browser penetration testing
    SandCat browser penetration testing

    Although the browser is directed towards system administrators to test their own web server security and people scrutinizing pages that contain malware, privacy activists could use SandCat to see in real time how they are being tracked on the Internet, the browser can split its main window in half to show all HTTP live headers in real time on top of it, it can also be used to teach people how websites work, looking at the HTTP headers as you browse a website shows all of the external elements being download, packet sizes, request methods (GET/POST), pings, advertising networks, redirects… It is much more clear than seeing a website activity using a packet sniffer full of binary numbers that have to be grouped together.

    The browser is too technical for the average user, unless you are a student, hardcore geek or professional PEN tester it wouldn’t make much sense for you to run SandCat.

    Visit SandCat browser homepage

  • SPDY, a quicker and safer HTTP browser protocol

    SPDY, a quicker and safer HTTP browser protocol

    SPDY, pronounced “speedy”, is a new experimental protocol developed by Google to speed up the Internet and make it safer. HTTP (Hypertext Transfer Protocol) was never designed to efficiently download a large number of small files, it was meant to attend a single request each time. As the Internet age advanced websites kept adding elements like CSS (Cascade Style Sheets), external javascript, XML and images, all of those multiple elements needed to be downloaded together for the user to be able to view a webpage, resulting in bottlenecks and delays.

    The ultramodern SPDY protocol ambition is to reduce website load, latency and increase security, it wants to replace parts of the old HTTP providing faster communication in between server and browser. SPDY uses less TCP connections wrapping up multiplexing in a single stream and manages TCP more efficiently prioritizing the resources needed to be send first, reducing upstream data and cutting down the number of handshakes, it also supports “server push” a technology that predicts what will be downloaded next, sending it to the browser before a request is made.

    SPDY protocol status in Chrome browser
    SPDY protocol status in Chrome browser

    SPDY is turned on by default in Google Chrome, see it by typing “chrome://net-internals” into the Omnibox, and Firefox will turn it on in their next Firefox 13 release, to enable it now, go to “about:config“, search for “network.http.spdy.enabled” and set it to “true“. An Apache server SPDY module exists and Nginx based servers (used by Facebook and Hulu) and Jetty web servers (Ubuntu, Zimbra) will support it soon making it easy for webmasters to deploy SPDY, the protocol won’t work unless server and browser both support it.

    Browsers that currently work with SDPY are Chrome, Firefox, SeaMonkey and Amazon Kindle Silk, the only websites I know of at this time supporting SDPY are Google services (Gmail, search,etc) and Twitter. Safari and Internet Explorer do not have immediate plans to support the protocol leaving half of the Internet population out and making it more difficult for the Internet Engineering Task Force ( IETF) in charge of the HTTP protocol to approve a backwards compatible neutral standard.

    Compulsory SSL connection 

    The SPDY protocol makes it mandatory to encrypt all connections with websites using SSL, webmasters must install a SSL certificate in their servers for this endeavor. As good as it seems, various webmasters have objected to the approach arguing that when you multiply millions of SSL encryption and decryption requests the server CPU hardware needs a hardware upgrade and extra arrangements for heat dissipation provoking costs to go up.

    The second problem is that  requiring all webmasters to have an SSL certificate will end up with many of them not bothering renewing the certificates and users will start to get used to see “expired digital certificate” warnings clicking on the ignore button without even reading it.

    Read Google’s SPDY white paper

  • HotSpotShield alternative, free VPN SpotFlux

    HotSpotShield alternative, free VPN SpotFlux

    Spotflux is a free VPN for Mac and Windows computers, it can help you get around censorship in countries where ISPs block websites, theoretically it can bypass computer Internet filters but it is not portable and you need administrator rights to install it, you won’t be able to use Spotflux in your college or workplace unless you have your own laptop.

    I tested their speed from Europe a few times and it gave me a consistent 1MB/1.5MB, enough to stream online video, hoovering your mouse over the Windows tray will show your given IP,  Spotflux  provides a US computer IP allowing you to access CWTV, ABC, Pandora radio and other websites restricted to US residents only, I tried to watch Hulu and it worked fine, the same with Pandora Radio.

    During installation the software will ask you to install a device driver and also to run Java, this is one part that I did not like, I have used multiple VPNs in the past and I have never been asked to run a Java app, Java runs locally in your computer it has been exploited in the past and it could endanger your security unless you are really sure that the place you downloaded it from is trustworthy.

    Free VPN SpotFlux
    Free VPN SpotFlux

    Spotflux settings are very simple, consisting of automatic updates, proxy configuration and language interface. What makes this VPN different from others is that they scan and filter all pages you request for malware and viruses, tracking cookies are filtered out too. Nearly all advertisements are blocked. As a blogger I find this VPN unethical, the reason why I don’t update hacker10 more often is because the scarce income I make here does not justify my posting time. Browser addons blocking adverts allow people configuration options to only target websites abusing privacy and overdone with adverts, Spotflux block all sites, if you use them to visit your favourite sites you will deprive them from advert income and eventually kill the site.

    Spotflux privacy policy doesn’t mention what logs they keep and how long for but they say that they will use deep packet inspection of user traffic to cooperate with law enforcement if necessary. This is definitely not a VPN to be used for privacy even if they claim so. I don’t know how they make money with it, I will speculate that Spotflux might start charging for extra services in the future. HotSpotShield privacy policy is equally bad but they don’t have any system in place filtering the sites you visit for “privacy reasons“. I would say that both VPNs, SpotFlux and HotSpotShield, are ok to watch US online TV and that is it, never use a free VPN like them to check your email if you care about your online privacy.

    UPDATE December 2012: After using Spotflux again I noticed that the installer comes with sponsored software, you can refuse to install it unchecking a tickbox. SpotFlux is also blocked in Abc.com where I get a message saying that I have to disable add blocking programs before I can watch their videos.

    Visit SpotFlux homepage

  • GPGAuth logs into a website using GPG/PGP keys

    GPGAuth logs into a website using GPG/PGP keys

    GPGAuth is an authentication mechanism that allows you to use public/private encryption keys (GnuPG,PGP) to login into a website, there is no need to remember any password or username, GPG keys act as username and password verification is carried out in your browser, trust level for each website can be specified in GPGAuth options, like making sure that the User ID matching the domain has been signed by one of your trusted keys.

    Keyloggers are easily defeated as you don’t have to type in anything, the server’s owner is given the public encryption key before hand making man in the middle attacks extremely difficult, with GPGAuth you won’t need to remember multiple passwords for every different site, it can be used as a single sign-on system, it is possible to create multiple User IDs from a solo GPG keypair, this allows for various online identities if needed.

    Chrome GPG addon GPGAuth
    Chrome GPG addon GPGAuth

    The downside is that the website you are using must offer the possibility of using GPGAuth and it hasn’t exactly caught on. The browser addon is only available for the Chrome browser at the moment, the project uses the framework FireBreath to be cross compatible with Windows, Linux and Mac computers and all major browsers, there is no technical reason stopping it from being ported to other browsers addons in the future. If Chrome is your main browser you could use it in conjunction with WebPG, a GPG key management addon from the same author, otherwise you will need to have some kind of OpenPGP compatible software installed in your computer.

    Visit GPGAuth homepage

  • Hyperboria, censorship resistant darknet based on CJDNS

    Hyperboria, censorship resistant darknet based on CJDNS

    CJDNS is an open source project building a censorship resistance decentralized network, the routing engine has been designed for security, scalability, speed and ease of use, CJDNS runs on top of your ISP network and provides you with an internal IPv6 address generated from a public encryption key.

    A virtual network card (TUN device) is used to send data to anyone connected to the network, what makes CJDNS different from other decentralized P2P projects like PirateBox is that it is routable over the current Internet, nodes can be reached anywhere in the world. In the future, as the number of nodes increases, data packets can be sent wireless in ad-hoc mode. No DNS is required to access a node,  if DNS is ever implemented it will be made decentralized and secure, at the moment  the user only needs to know the IPv6 address and paste it in the browser.

    Project MeshNet CJDNS flowchart
    Project MeshNet CJDNS flowchart

    Man in the middle attacks are not possible because public key encryption is used to send packets, CJDNS provides privacy too, other users can’t locate people by simply looking up their internal IPv6 address, node operators could track a user down but only if the community helps them out. Unlike the tor network , the node operator that gave someone access to the mesh can deal with abuse and ban people, a CJDNS network abuse policy will have been democratically decided by those who are part of the network, stopping Government interference and frivolous multinational lawsuits. CJDNS is not trying to replace tor, it wants to replace the Internet, the idea is that with all hardware working in P2P mode a single person can’t be intimidated into shutting down the network,  there isn’t any central infrastructure that can be attacked.

    Like with darknets, to join CJDNS you will first need a friend inside giving you access, once in the network you can connect to everyone else. Hyperboria is the main CJDNS network composed of dozens of nodes. To connect to the IPv6 addresses, Hyperboria sites, you will need to be running CJDNS, it doesn’t matter if your computer is using IPv4 as CJDNS encapsulates IPv6 into IPv4 packets for routing.

    The network is resistant to Distributed Denial of Service ( DDoS ) because it has too many nodes to bring down, this makes CJDNS enduring to natural disasters too, there isn’t a single point of failure. CJDNS can be installed in OpenWRT routers, MAC and Linux computers, Windows is being tested on, hardware requirements are low and if you run a node you can host anything that doesn’t go against the community values.

    Visit Hyperboria homepage

  • List of free speech and offshore hosting companies

    When choosing a free speech hosting company you should assess the kind of content you host, for example, in the USA although the 1st Amendment protects free speech a powerful multinational can try to get around it by launching a frivolous lawsuit that a small webmaster can’t fight in court due to lack of resources, and in China any pro Tibet website will be taken down by the Government.

    You will leave tracks behind when you upload your site and make payments, these companies are not truly anonymous even thought some advertise as such, to host controversial content anonymously use Tor hidden sites or i2P, but they will only be reachable by people using the appropriate software.

    Free speech hosting

    • DreamHost: Budget host offering shared and dedicated hosting, their terms and conditions allow for any content that is legal in the United States to be hosted, including pornography. DreamHost hosts the American Nazi Party website and refused to take down Prophet Muhammad cartoons even after a denial of service attack was launched against them by Alqeda sympathisers.

    Get $60 discount in Dreamhost entering code: HACKER10

    • Privex: Small hosting company operating out of Belize (yes there is a country called Belize, look it up). They have been in the free speech business for around ten years and I have confirmation from contacts that if what you want to host is legal they will not censor it, this includes controversial art, cryptocurrency payments allowed and they are happy to host Tor nodes too.
    • BuyVM: Also known as “Frantech Solutions”, affordable long standing free speech company they will host anything legal in the US as long as you pick a US server but they have servers in other parts of the World too.
    • NJalla: Provider of hosting, VPN and anonymous domain name registration, they register it under their name on your behalf and it can be paid anonymously with cryptocurrency. Staff had links to piracy sites, a couple of lowendtalk posts accuse them of being left leaning biased.
    • NearlyFreeSpeech: Webhost based in the US where you only pay for the amount of bandwidth and storage space consumed, it runs its own custom hosting panel, their terms and conditions state that the webmaster must register his real name and address, the company carries out random identity checks asking for a passport scan to be emailed.
    • PRQ.se: Servers and company located in Sweden, if your content is legal in Sweden they will host it, no questions asked. They maintain minimum information about their customers and very few logs, PRQ used to host Wikileaks and other highly controversial content, support for SQL databases, SSL certificates and DNS.
    • LiberationTek: Company owned, based and operated from the USA, they offer and all round service that includes hosting, domain name, e-mail address and others, they advertise as guaranteeing no censorship. They have partnerships with conservative websites.

     Offshore hosting

    The following hosts have a free speech policy that comes with restrictions, even if your content is legal they can refuse to host it, the only advantage over other traditional hosting is that their servers are offshore.

    • OrangeWebsite: Company and servers are all based in Iceland, they will ignore all complaints against legal websites with the exception of racist or pro-paedophilia content, which is not allowed.
    • CCiHosting: Operated and hosted in Panama, offering Linux and Windows servers, they advertise their services as anonymous webhosting. Support provided via live chat or phone.
    •  YoHost: Their terms and conditions claims that you can not use their servers to host any kind of porn, sites encouraging the destruction of property will also be removed as well as phishing scams. They only rent a VPS or full server and YoHost will collaborate with law enforcement if criminal content is found.
    • KatzGlobal: Offering hosting in multiple Asian locations (Singapore, China, India, Malaysia, Australia) as well as hosting in the US. They use cPanel and have standard features that come with it, like SQL database, FTP access and POP3 mail boxes. There is no support to host multiple domains on a single account.
    • SecureHost: Located in the Bahamas, it provides dedicated, shared and VPS hosting, they also provide a Bahamas based phone number and fax which messages can be retrieved from abroad. Their terms and conditions state that you can not host anything that SecureHost judges to be harmful to their reputation.

  • French Alqeda terrorist located thanks to his computer IP

    Mohamed Merah, a self-confessed Alqeda member of Algerian origin responsible for the murder of three off duty paratroopers, one Jewish Rabbi and three children going to school was found by French detectives after scrutinising how many people had visited an online advertisement offering a motorcycle for sale that was used to lure the first victim into a mortal trap where he was shot dead.

    Cypercops found 580 people had visited the advertisement, they narrowed it down to a list of computer IPs near the city where the first murder took place and its surroundings, then compiled an even shorter list with IPs registered to known terrorist sympathisers until they came across Mohamed Merah brother’s computer IP, whom was also a well known Islamic extremist.

    The police also had other leads like a mechanic reporting that someone (Mohamed Merah’s brother) had enquired on how to get rid of a motorcycle GPS tracking device which description coincided with that of the get away vehicle.

    Source: French newspaper LeMonde