Other computing tips

  • GPGAuth logs into a website using GPG/PGP keys

    GPGAuth is an authentication mechanism that lets you use public/private encryption keys (GnuPG, PGP) to log in to a website. There is no need to remember any password or username: GPG keys act as the username and password, and verification is carried out in your browser. A trust level for each website can be specified in the GPGAuth options, like making sure that the User ID matching the domain has been signed by one of your trusted keys.

    Keyloggers are easily defeated as you don’t have to type in anything. The server’s owner is given the public encryption key beforehand, making man-in-the-middle attacks extremely difficult. With GPGAuth you won’t need to remember a different password for every site, and it can be used as a single sign-on system. It is possible to create multiple User IDs from a single GPG keypair, which allows for various online identities if needed.

    Chrome GPG addon GPGAuth

    The downside is that the website you are using must offer the possibility of using GPGAuth, and it hasn’t exactly caught on. The browser addon is only available for the Chrome browser at the moment. The project uses the FireBreath framework to be cross-compatible with Windows, Linux and Mac computers and all major browsers, so there is no technical reason stopping it from being ported to other browsers’ addons in the future. If Chrome is your main browser you could use it in conjunction with WebPG, a GPG key management addon from the same author; otherwise you will need to have some kind of OpenPGP-compatible software installed on your computer.

    Visit GPGAuth homepage

  • Hyperboria, censorship resistant darknet based on CJDNS

    CJDNS is an open source project building a censorship-resistant decentralized network. The routing engine has been designed for security, scalability, speed and ease of use. CJDNS runs on top of your ISP’s network and provides you with an internal IPv6 address generated from a public encryption key.
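
    How an address can be generated from a public encryption key, as an added example that is not from the original post or the CJDNS code base: cjdns takes the first 16 bytes of a double SHA-512 of the node's 32-byte public key and only accepts keys whose address begins with fc, so a peer cannot claim an address without presenting the key that hashes to it. The function names are hypothetical, and the keys are constructed stand-ins (SHA-256 outputs), not real Curve25519 keys.

```python
import hashlib
import ipaddress

CJDNS_PREFIX = 0xFC  # every cjdns address lives in fc00::/8


def address_from_pubkey(pubkey: bytes) -> ipaddress.IPv6Address:
    """cjdns rule: address = first 16 bytes of SHA-512(SHA-512(public key))."""
    if len(pubkey) != 32:
        raise ValueError("cjdns public keys are 32 bytes")
    digest = hashlib.sha512(hashlib.sha512(pubkey).digest()).digest()
    return ipaddress.IPv6Address(digest[:16])


def is_valid_node_key(pubkey: bytes) -> bool:
    """A key is usable only if its derived address starts with 0xfc."""
    return address_from_pubkey(pubkey).packed[0] == CJDNS_PREFIX


def find_usable_key(seed: bytes, max_tries: int = 100_000) -> bytes:
    """Stand-in for key generation: try candidates until one hashes into
    fc00::/8 (about 1 in 256 does). Candidates here are constructed
    SHA-256 outputs, not real Curve25519 public keys."""
    for counter in range(max_tries):
        candidate = hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        if is_valid_node_key(candidate):
            return candidate
    raise RuntimeError("no usable key found")


def peer_claim_is_consistent(claimed_addr: str, presented_pubkey: bytes) -> bool:
    """Reject a peer whose presented key does not hash to the address it claims."""
    try:
        claimed = ipaddress.IPv6Address(claimed_addr)
    except ipaddress.AddressValueError:
        return False
    if len(presented_pubkey) != 32 or not is_valid_node_key(presented_pubkey):
        return False
    return address_from_pubkey(presented_pubkey) == claimed


if __name__ == "__main__":
    alice = find_usable_key(b"constructed-alice")      # constructed sample node
    mallory = find_usable_key(b"constructed-mallory")  # constructed sample node
    alice_addr = str(address_from_pubkey(alice))
    print("alice address:", alice_addr)
    print("alice's own key accepted:", peer_claim_is_consistent(alice_addr, alice))
    print("mallory's key accepted:", peer_claim_is_consistent(alice_addr, mallory))
```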

    A virtual network card (TUN device) is used to send data to anyone connected to the network. What makes CJDNS different from other decentralized P2P projects like PirateBox is that it is routable over the current Internet, so nodes can be reached anywhere in the world. In the future, as the number of nodes increases, data packets can be sent wirelessly in ad-hoc mode. No DNS is required to access a node; if DNS is ever implemented it will be made decentralized and secure. At the moment the user only needs to know the IPv6 address and paste it into the browser.

    Project MeshNet CJDNS flowchart

    Man-in-the-middle attacks are not possible because public key encryption is used to send packets. CJDNS provides privacy too: other users can’t locate people by simply looking up their internal IPv6 address, and node operators could track a user down but only if the community helps them out. Unlike the Tor network, the node operator that gave someone access to the mesh can deal with abuse and ban people. A CJDNS network abuse policy will have been democratically decided by those who are part of the network, stopping Government interference and frivolous multinational lawsuits. CJDNS is not trying to replace Tor, it wants to replace the Internet. The idea is that with all hardware working in P2P mode a single person can’t be intimidated into shutting down the network, as there isn’t any central infrastructure that can be attacked.

    Like with darknets, to join CJDNS you will first need a friend inside to give you access; once in the network you can connect to everyone else. Hyperboria is the main CJDNS network, composed of dozens of nodes. To connect to Hyperboria sites, which are reached by IPv6 address, you will need to be running CJDNS. It doesn’t matter if your computer is using IPv4, as CJDNS encapsulates IPv6 into IPv4 packets for routing.

    The network is resistant to Distributed Denial of Service (DDoS) attacks because it has too many nodes to bring down. This makes CJDNS resilient to natural disasters too, as there isn’t a single point of failure. CJDNS can be installed on OpenWRT routers and on Mac and Linux computers, and Windows is being tested. Hardware requirements are low, and if you run a node you can host anything that doesn’t go against the community values.

    Visit Hyperboria homepage

  • List of free speech and offshore hosting companies

    When choosing a free speech hosting company you should assess the kind of content you host. For example, in the USA, although the 1st Amendment protects free speech, a powerful multinational can try to get around it by launching a frivolous lawsuit that a small webmaster can’t fight in court due to lack of resources, and in China any pro-Tibet website will be taken down by the Government.

    You will leave tracks behind when you upload your site and make payments, so these companies are not truly anonymous even though some advertise as such. To host controversial content anonymously use Tor hidden sites or I2P, but they will only be reachable by people using the appropriate software.

    Free speech hosting

    • DreamHost: Budget host offering shared and dedicated hosting. Their terms and conditions allow any content that is legal in the United States to be hosted, including pornography. DreamHost hosts the American Nazi Party website and refused to take down Prophet Muhammad cartoons even after a denial of service attack was launched against them by al-Qaeda sympathisers.

    • Anonymous Speech: Servers located in Asia. It can be paid for using cash, PayPal or credit card, and the company also provides anonymous domain name registration and encrypted email services that do not keep logs. They offer shared and dedicated hosting, which allows for the creation of subdomains and comes with a free secure email account.
    • NearlyFreeSpeech: Webhost based in the US where you only pay for the amount of bandwidth and storage space consumed. It runs its own custom hosting panel. Their terms and conditions state that the webmaster must register his real name and address, and the company carries out random identity checks asking for a passport scan to be emailed.
    • PRQ.se: Servers and company located in Sweden. If your content is legal in Sweden they will host it, no questions asked. They maintain minimum information about their customers and very few logs. PRQ used to host Wikileaks and other highly controversial content. Support for SQL databases, SSL certificates and DNS.

    Offshore hosting

    The following hosts have a free speech policy that comes with restrictions: even if your content is legal they can refuse to host it. The only advantage over other traditional hosting is that their servers are offshore.

    • ZenSurfrei: Specialist in offering hosting for neo-Nazi websites on a USA server, where, unlike some European countries, they allow this kind of material. Everything is paid with cash inside an envelope, including the domain name, which guarantees webmaster anonymity.
    • OrangeWebsite: Company and servers are all based in Iceland. They will ignore all complaints against legal websites, with the exception of racist or pro-paedophilia content, which is not allowed.
    • CCiHosting: Operated and hosted in Panama, offering Linux and Windows servers. They advertise their services as anonymous webhosting. Support is provided via live chat or phone.
    • Ctyme: Based in the USA, they do not allow hosting of content like fiction child sex stories, even though they are legal in the US, not sure about how their “free speech” policy is any better than HostGator or any other major US.
    • AnonymousHosting.in: The company is registered in the privacy-friendly Seychelles and has a no information exchange policy with complaints; the servers are located in the Netherlands. Pharmaceutical sites are welcome; racist content, any type of child porn, hacking and warez are all banned.
    • YoHost: Their terms and conditions claim that you cannot use their servers to host any kind of porn; sites encouraging the destruction of property will also be removed, as well as phishing scams. They only rent a VPS or full server, and YoHost will collaborate with law enforcement if criminal content is found.
    • KatzGlobal: Offering hosting in multiple Asian locations (Singapore, China, India, Malaysia, Australia) as well as hosting in the US. They use cPanel and have the standard features that come with it, like SQL database, FTP access and POP3 mailboxes. There is no support for hosting multiple domains on a single account.
    • SecureHost: Located in the Bahamas, it provides dedicated, shared and VPS hosting. They also provide a Bahamas-based phone number and fax whose messages can be retrieved from abroad. Their terms and conditions state that you cannot host anything that SecureHost judges to be harmful to their reputation.
    • Cinipac: Based in Panama, they claim they will not cooperate with authorities or institutions without a proper warrant. Hosting servers are available in the USA, Asia and Europe. The usual phishing, spam and terrorist groups hosting is banned. Backups are encrypted with AES256.
  • French al-Qaeda terrorist located thanks to his computer IP

    Mohamed Merah, a self-confessed al-Qaeda member of Algerian origin responsible for the murder of three off-duty paratroopers, one Jewish Rabbi and three children going to school, was found by French detectives after they scrutinised how many people had visited an online advertisement offering a motorcycle for sale. The advertisement was used to lure the first victim into a mortal trap where he was shot dead.

    Cybercops found that 580 people had visited the advertisement. They narrowed it down to a list of computer IPs near the city where the first murder took place and its surroundings, then compiled an even shorter list with IPs registered to known terrorist sympathisers, until they came across the computer IP of Mohamed Merah’s brother, who was also a well-known Islamic extremist.

    The police also had other leads, like a mechanic reporting that someone (Mohamed Merah’s brother) had enquired about how to get rid of a motorcycle GPS tracking device, and whose description of the motorcycle coincided with that of the getaway vehicle.

    Source: French newspaper Le Monde

  • HIPAA compliant email service Protected Trust

    Protected Trust email encryption allows for real-time email traceability, with auditing logs recording who read the email and what they did with it. Messages can be set to expire after a certain date so that they are no longer available, or cancelled if they have been sent to the wrong person. Emails are encrypted with a unique symmetric key using AES256 and then sent to Protected Trust servers, so data never leaves the organisation’s computers unencrypted. If you email anybody not using the Protected Trust email service they will receive a link to read the message, which is securely stored on the server.

    The content is made available to the recipient until expiration and is retrieved with a shared secret that can consist of a known password or a PIN sent to your phone number. Cryptographic hashing makes sure that emails have not been tampered with or damaged in transit.

    Protected Trust email HIPAA compliant

    This email service is directed towards companies that need to comply with data privacy laws. It will cover legal liabilities if anything goes wrong and allows for accurate message tracking in case of security incidents. You can keep your current email provider and address. Emails are easily sent using a Microsoft Outlook plugin that adds an encryption button to the interface, via the Protected Trust web-based portal supporting all major browsers (IE, Chrome, Firefox), or from a mobile device (BlackBerry, Android, iPhone, Windows Mobile).

    Protected Trust complies with the Health Insurance Portability and Accountability Act (HIPAA), which regulates how patient data must be protected; financial institutions also need to comply with Government regulations regarding non-public data. The free version of Protected Trust is limited to just a few messages per month and requires phone verification of your account.

    Visit Protected Trust homepage

  • How the FBI used computer MAC addresses against LulzSec hackers

    Five people connected with LulzSec (Lulz Security), a hacking group loosely affiliated with Anonymous and responsible for defacing websites and stealing credit card details from numerous companies, have been arrested today thanks to one of their leaders turning FBI informant.

    Their ringleader, Hector Xavier Monsegur, aka “Sabu”, was raided by the police last year and has been working for them since then. According to Fox News, Monsegur was tracked down after he logged into an IRC chat server using his home IP by mistake (he normally used Tor). It happened just once, enough for the FBI to track him down, get a court order and convince him to work for law enforcement, gathering evidence against the other members of his malicious hacking group.

    LulzSec had security mechanisms to detect if a member’s identity was being usurped by law enforcement after arrest: they would ask personal questions over Jabber or IRC about past activities known only to them. That is not of much use when one of your own is voluntarily working for the FBI.

    According to the complaint against Jeremy Hammond, aka “sup_g”, his physical residence in Chicago (US) was under continuous surveillance after he was identified as a LulzSec member. FBI agents measured his wireless router’s signal strength and determined that it was located towards the rear of his home. They then applied for a court order to monitor all traffic coming in and out of that router with a trap and trace device identifying all unique MAC addresses connected to the router. An FBI expert then linked the suspect’s computer MAC address with an IP connected to the Tor network (first node).

    Although the FBI was unable to read traffic over Tor, e.g. visited sites, thanks to physical surveillance of the suspect’s home they observed that activity between the MAC address belonging to the suspect’s computer and the Tor network only occurred while Jeremy Hammond was inside the house. The FBI used connection times to link him with IRC online chats conducted behind a Tor proxy with their informant, “Sabu”, on IRC channels at that very same time.

    Combined with personal information the suspect willingly gave away on the chat, the FBI managed to establish that a bunch of different aliases like “yohoho”, “credibethreat”, “POW”, “burn”, “tylerknowsthis” or “Anarchaos” all belonged to the same person.

  • Encrypted chat software Bitwise IM

    Bitwise Instant Messenger offers encrypted P2P chat communications. You can use this tool for voice over IP chat, group tab conversations, talking with multiple people at once, whitelisting users able to contact you, and offline messaging where everything is forwarded to your email (accessible with a mobile phone?). It also offers skinning, emoticons and even a whiteboard that can be shared between users to draw and paint diagrams in real time; the whiteboard will automatically open up when someone starts drawing.

    Encryption cannot be turned off, which is good practice as it stops irresponsible users. When creating the password, Bitwise will reject it if someone chooses a common dictionary word, often used by password crackers. Encryption consists of 128-bit Blowfish and a 512-bit RSA key in the free version; the paid version adds key strength. People with serious opponents will have to upgrade, as the encryption defaults are a little poor. File transfers and voice over IP calls are also encrypted, and VoIP works on dial-up thanks to a compression algorithm called Speex that reduces bandwidth usage. Calls are not routed through any third-party server; they run via a direct connection. You can create conferences for multiple people, who will be able to join by invitation only, and the chat can be logged to your hard drive.

    Bitwise IM settings

    The part I would watch out for privacy-wise is that you are using Bitwise’s own server to log in, which means access logs (no contents), and the people you are talking with can get your IP address. You can’t have a P2P chat without an IP as the software wouldn’t know where to send the data. You will need a valid email address to open an account with Bitwise. This tool is not an anonymous IM but a private one. All other mainstream messengers also fall foul of these problems, with central server logs recording who is logging in with timestamps and exposing the user IP in P2P. The main advantage of this messenger is encryption stopping third-party eavesdroppers; the paid version allows you to use your own RSA encryption keys.

    The software is available in multiple languages for Windows, Mac and Linux. There isn’t a portable version of Bitwise IM, but there are instructions on the help pages on how to easily create one by copying settings and Windows files to an external memory card or drive. There are no public chatrooms; you can only communicate with people you already know or those who have chosen to make their information public in the directory. There is no webcam support either, and you won’t be able to chat with MSN, ICQ or Yahoo messenger users, as Bitwise has its own protocol.

    I can see this IM being fine for a small business setting up a no-distractions secure messenger, especially indicated for those who only want an IM for sensitive work and do not need anonymity between members. If you would like to do without a third-party central server for IM then use Hamachi or Comodo Unite.

    Visit Bitwise IM homepage