Hacker 10 – Security Hacker

Category: Other

Other computing tips

  • Free speech hosting in Iceland with OrangeWebsite

    Free speech hosting in Iceland with OrangeWebsite

    OrangeWebsite is a hosting company specialised in free speech hosting with its headquarters and servers based in Iceland, their terms and conditions allow you to host any controversial material with the only exception of neonazi websites because ethnic agitation is a crime in Iceland and sites that promote potential harm to minors or link to child pornography. You are also allowed to run a tor proxy or VPN using one of their servers, their range of services embrace private whois domain registration (outside the USA), shared hosting for small businesses or personal websites, virtual servers and dedicated servers. Customers can sign up for hosting, affiliate program and domain registration anonymously, you will only be asked for your email address and Bitcoins will be used for payments.

    I was given a package to test their services and I was quite pleased with everything, I have been using cPanel for years but I had not problem getting used to their ispCP (Internet Service Provider Control Panel) administration panel used to manage domains and files, it is more simple than cPanel and has less features but enough to get the job done, if you would like to install WordPress or a similar platform and do not know how to do it, you can request to have it installed for you at no extra cost when you order the hosting plan. The welcome email will include all the details you need to set your website, host IP to FTP files, DNS server for your domain and a URL to access webmail (RoundCube), one of the addresses is indicated as special access without leaving any logs.

    OrangeWebsite hosting control panel
    OrangeWebsite hosting control panel

    Backups are performed daily but the SQL database will have to be downloaded manually using using phpMyAdmin where the username is your database user and password is the database user password, one main difference to have into account in comparison with cPanel.

    OrangeWebsite should fulfill the needs of those longing for reasonably priced offshore free speech hosting and/or privacy email service (hosted or forwarded) located outside the EU and USA, the best part is that they accept Bitcoin payments making anonymity easier to achieve cutting payment processing companies and their silly terms and conditions out of the equation, this hosting company should also be suitable for people in need of personalised in-house support as opposed to big hosting companies where customers are just a ticket number to the staff. It should not be difficult for a customer to contact OrangeWebsite CEO if you have to.

    UPDATE 2013: OrangeWebsite is now using cPanel for webhosting.

    Visit OrangeWebsite hosting

  • Cain & Abel Windows password cracker

    Cain & Abel Windows password cracker

    Cain&Abel is a long standing password recovery tool that can sniff passwords from the network you are in, crack encrypted passwords using dictionary, brute force and cryptanalysis attacks, record VoIP conversations creating an MP3 audio file, reveal password boxes, analyse encrypted SSH and HTTPS connections and much more. The target public are security researchers, network administrators and IT teachers but it can also be exploited by the bad guys of course, the developer will not help in illegal activities.

    I downloaded this program from the official site and AVG antivirus gave me a warning that the software contained a trojan horse, due to how password crackers work it is possible your antivirus will trigger a security warning too, it is up to you to decide what to do, I also got a popup warning from Cain&Abel saying that I had Windows firewall enabled and this would stop some features, implying that I should disable it for everything to work. You will be asked to optionally install WinPCap a packet capture library, without it Cain&Abel wireless packet sniffing won’t work.

    Cain&Abel password cracker
    Cain&Abel password cracker

     How to record a VoIP call with Cain&Abel

    To record a VoIP call with Cain&Abel go to “Configure“, click the “Sniffer” tab, select the network interface card from the list and save the settings, now go to the “Sniffer” tab in the main window choose “VoIP” and “Start Sniffing“, from now on any voice over IP call that goes through the network will be encrypted and saved as MP3, you will have to wait until enough traffic has been generated before being able to listen to the audio file.

    The configuration window can also be used to create self-signed fake digital certificates, retrieve a digital certificate using a proxy with the “Certificates Collector” or launch an ARP (Arp Poison Routing) attack with a real or spoofed IP and MAC address. This free password cracker is one of the most complete available in the market and an excellent tool to learn about computer security, everything is easily classified in tabs “Decoders“, “Network“, “Sniffer“, “Cracker“, “Traceroute“, “CCDU“, “Wireless” and “Query“, each one of those tabs contains related extra options.

    To use Cain&Abel you should have some computer security background, this is not a tool for the complete beginner, the most basic tool Cain&Abel includes is a Base64 password decoder going up to a WPA PSK (Pre-Shared Key) calculator and an RSA SecurID Token calculator, this is an excellent tool to find out about passwords, it contains a password decoder, cracker and dumper as well as hash calculators with support for Wifi for network monitoring.

    Visit Cain&Abel homepage

  • Remove files metadata with BatchPurifier

    Remove files metadata with BatchPurifier

    Every time you create a document, take a digital photograph or edit a movie, hidden data called metadata will be embedded inside the file, that data can contain the author’s name,  date, software or camera used, copyright notices and even GPS Geolocation showing the exact location where a photograph was taken. BatchPurifier is a tool to remove metadata from dozens of different files, the Lite version reviewed here only works with .jpeg images.

    Metadata found on JPEG files  

     Camera manufacturers and image editing software companies can come up with their own proprietary metadata embedding system embodying anything the developer wants to your photographs, typically a digital JPEG image metadata will contain:

    • EXIF (Exchangeable Image File Format) data automatically added to photos by all digital cameras and some scanners, details stored in EXIF show the date and time a photo was taken, camera brand and model, hardware unique serial number, exact location if the camera had GPS enabled (i.e. iPhone), and a small thumbnail of the photo that sometimes is not updated by software after you edit the image leading to a possible recovery of the original file.
    • XMP (Extensible Metadata Platform) is added by software tools and it contains details given by the user, like keywords, notes, description and category.
    • ICC profile contains colour management data used to be able to view a photograph in another device with different specs.
    BatchPurifier image metadata removal
    BatchPurifier image metadata removal

    BatchPurifier Lite has a five step wizard interface guiding you through the metadata removing process giving substantial information on a side bar about what each acronym means, you can choose to only remove part of the hidden data ticking a checkbox next to each attribute, at the end you will be given the choice to save the image as new or overwrite the original file. It is possible to remove thousands of images metadata at once adding multiple jpegs or a whole folder including subfolders and even compressed .zip files with images inside.

    Optionally there is no need to open up the program to clear an image metadata, BatchPurifier integrates with Windows shell menu, advanced users can use BatchPurifier from command line integrating it with a script, this could be used for example to automatically get rid of all metadata in files stored inside a certain folder .

    Visit BatchPurifier homepage

  • Mymail-Crypt for Gmail GPG encryption (Chrome)

    Mymail-Crypt for Gmail GPG encryption (Chrome)

    Mymail-Crypt is a Chrome browser addon to encrypt messages with GPG operating within Gmail webmail interface, the project aims to be OpenPGP compatible to be able to communicate with anybody using public key encryption even if they have different PGP or GPG software. After installing Mymail-Crypt you will have to generate your encryption keys, this can be done with the addon, entering a password is optional and highly recommended, if you don’t use a password anyone breaking into your Gmail account will be able to decrypt sign and encrypt messages supplanting your identity. Encryption keys can and must be backed up.

    Mymail-Crypt is fairly easy to use, you will see a button in Gmail compose screen with the options “Encrypt and sign“, “Encrypt“, “Sign“. Received encrypted Gmail messages can be read using the drop down menu “Decrypt” option and entering your password.

    MyMail-Crypt GPG Chrome Gmail
    MyMail-Crypt GPG Chrome Gmail

    The project uses an OpenPGP open source library called Openpgp.js , it runs locally in JavaScript, messages are encrypted/decrypted in your browser. This addon will stop Google and others from reading your emails during transit but email drafts and decrypted autosaves will be saved in the clear to Gmail servers, encryption only takes places after you click on the “Encrypt” button, it will not protect you while you are composing the message, the developer also warns that it is possible for Gmail to get hold of the encryption password  monitoring the user when he types it in.

    Another way to encrypt Gmail messages with GPG is using Thunderbird and Enigmail but it won’t work for webmail, or obtaining a digital certificate for your email client.

    Visit Mymail-Crypt Chrome store homepage

  • SandCat browser for website penetration testing

    SandCat browser for website penetration testing

    SandCat is a free portable penetration testing browser based on Chromium, the rendering engine behind Chrome browser, thanks to extensions support you can quickly find out what server software is being used by a website, run javascript in the loaded page, view cookies and links, use a cgi scanner, HTTP brute force a page and much more. Three tabs at the bottom of the browser allow you to easily change view from normal to source code or logs.

    Coders can create their own browser extensions with HTML, CSS and Lua (a programming language), Syhunt, the browser developers, own RudaScript library allows you to execute any scripting language, like Ruby, Python, PHP, javascript, etc.

    SandCat browser penetration testing
    SandCat browser penetration testing

    Although the browser is directed towards system administrators to test their own web server security and people scrutinizing pages that contain malware, privacy activists could use SandCat to see in real time how they are being tracked on the Internet, the browser can split its main window in half to show all HTTP live headers in real time on top of it, it can also be used to teach people how websites work, looking at the HTTP headers as you browse a website shows all of the external elements being download, packet sizes, request methods (GET/POST), pings, advertising networks, redirects… It is much more clear than seeing a website activity using a packet sniffer full of binary numbers that have to be grouped together.

    The browser is too technical for the average user, unless you are a student, hardcore geek or professional PEN tester it wouldn’t make much sense for you to run SandCat.

    Visit SandCat browser homepage

  • SPDY, a quicker and safer HTTP browser protocol

    SPDY, a quicker and safer HTTP browser protocol

    SPDY, pronounced “speedy”, is a new experimental protocol developed by Google to speed up the Internet and make it safer. HTTP (Hypertext Transfer Protocol) was never designed to efficiently download a large number of small files, it was meant to attend a single request each time. As the Internet age advanced websites kept adding elements like CSS (Cascade Style Sheets), external javascript, XML and images, all of those multiple elements needed to be downloaded together for the user to be able to view a webpage, resulting in bottlenecks and delays.

    The ultramodern SPDY protocol ambition is to reduce website load, latency and increase security, it wants to replace parts of the old HTTP providing faster communication in between server and browser. SPDY uses less TCP connections wrapping up multiplexing in a single stream and manages TCP more efficiently prioritizing the resources needed to be send first, reducing upstream data and cutting down the number of handshakes, it also supports “server push” a technology that predicts what will be downloaded next, sending it to the browser before a request is made.

    SPDY protocol status in Chrome browser
    SPDY protocol status in Chrome browser

    SPDY is turned on by default in Google Chrome, see it by typing “chrome://net-internals” into the Omnibox, and Firefox will turn it on in their next Firefox 13 release, to enable it now, go to “about:config“, search for “network.http.spdy.enabled” and set it to “true“. An Apache server SPDY module exists and Nginx based servers (used by Facebook and Hulu) and Jetty web servers (Ubuntu, Zimbra) will support it soon making it easy for webmasters to deploy SPDY, the protocol won’t work unless server and browser both support it.

    Browsers that currently work with SDPY are Chrome, Firefox, SeaMonkey and Amazon Kindle Silk, the only websites I know of at this time supporting SDPY are Google services (Gmail, search,etc) and Twitter. Safari and Internet Explorer do not have immediate plans to support the protocol leaving half of the Internet population out and making it more difficult for the Internet Engineering Task Force ( IETF) in charge of the HTTP protocol to approve a backwards compatible neutral standard.

    Compulsory SSL connection 

    The SPDY protocol makes it mandatory to encrypt all connections with websites using SSL, webmasters must install a SSL certificate in their servers for this endeavor. As good as it seems, various webmasters have objected to the approach arguing that when you multiply millions of SSL encryption and decryption requests the server CPU hardware needs a hardware upgrade and extra arrangements for heat dissipation provoking costs to go up.

    The second problem is that  requiring all webmasters to have an SSL certificate will end up with many of them not bothering renewing the certificates and users will start to get used to see “expired digital certificate” warnings clicking on the ignore button without even reading it.

    Read Google’s SPDY white paper

  • HotSpotShield alternative, free VPN SpotFlux

    HotSpotShield alternative, free VPN SpotFlux

    Spotflux is a free VPN for Mac and Windows computers, it can help you get around censorship in countries where ISPs block websites, theoretically it can bypass computer Internet filters but it is not portable and you need administrator rights to install it, you won’t be able to use Spotflux in your college or workplace unless you have your own laptop.

    I tested their speed from Europe a few times and it gave me a consistent 1MB/1.5MB, enough to stream online video, hoovering your mouse over the Windows tray will show your given IP,  Spotflux  provides a US computer IP allowing you to access CWTV, ABC, Pandora radio and other websites restricted to US residents only, I tried to watch Hulu and it worked fine, the same with Pandora Radio.

    During installation the software will ask you to install a device driver and also to run Java, this is one part that I did not like, I have used multiple VPNs in the past and I have never been asked to run a Java app, Java runs locally in your computer it has been exploited in the past and it could endanger your security unless you are really sure that the place you downloaded it from is trustworthy.

    Free VPN SpotFlux
    Free VPN SpotFlux

    Spotflux settings are very simple, consisting of automatic updates, proxy configuration and language interface. What makes this VPN different from others is that they scan and filter all pages you request for malware and viruses, tracking cookies are filtered out too. Nearly all advertisements are blocked. As a blogger I find this VPN unethical, the reason why I don’t update hacker10 more often is because the scarce income I make here does not justify my posting time. Browser addons blocking adverts allow people configuration options to only target websites abusing privacy and overdone with adverts, Spotflux block all sites, if you use them to visit your favourite sites you will deprive them from advert income and eventually kill the site.

    Spotflux privacy policy doesn’t mention what logs they keep and how long for but they say that they will use deep packet inspection of user traffic to cooperate with law enforcement if necessary. This is definitely not a VPN to be used for privacy even if they claim so. I don’t know how they make money with it, I will speculate that Spotflux might start charging for extra services in the future. HotSpotShield privacy policy is equally bad but they don’t have any system in place filtering the sites you visit for “privacy reasons“. I would say that both VPNs, SpotFlux and HotSpotShield, are ok to watch US online TV and that is it, never use a free VPN like them to check your email if you care about your online privacy.

    UPDATE December 2012: After using Spotflux again I noticed that the installer comes with sponsored software, you can refuse to install it unchecking a tickbox. SpotFlux is also blocked in Abc.com where I get a message saying that I have to disable add blocking programs before I can watch their videos.

    Visit SpotFlux homepage