Category: Other

Other computing tips

  • Decentralised group communications with matrix

    Matrix is a new open source standard for secure real time communications using end to end encryption. It can be used for video calls, voice, text, file transfers and anything else that developers want to build on top of it. Matrix server infrastructure is made up of multiple nodes talking to each other, and it puts an end to the current fragmentation of messaging apps, which forces people to have the same software installed to be able to talk with each other.

    Unlike WhatsApp/Viber/LINE/Kik and similar apps, each needing its own installation, Matrix is identity agnostic. The ecosystem runs an open federation model where anybody can run their own Matrix server and join the network.

    Identity servers track which emails and messages belong to which Matrix ID. Chat rooms do not exist on any single server: they are shared across multiple participating servers, and each participating server can choose to publish its own alias, so several different aliases can lead to the same room depending on which server you are using.

    Decentralised private chatroom Matrix

    I joined a Matrix test server. It was only necessary to pick a username and a password; there is no obligation to provide an email address, although specifying one lets other users find you on Matrix more easily and gives you a way to reset your password in the future. If you opt for email registration a verification code is sent to your address. The registration process took me less than a minute.

    After logging in you can see multiple public chat rooms. This is nothing like IRC: Matrix is more multimedia centric and lets you call and post inline photos to the whole chatroom. You can have an avatar, set notifications that are triggered when somebody types a keyword in the chatroom, and send SMS messages to a phone number using the web gateway, which is currently free during beta testing, although a PayPal account must be linked for security to stop abuse.

    The interface was fairly easy to use and it certainly looks better than the old IRC, but I am just happy using a jabber instant messenger to communicate; I don’t see a special need for a Matrix network. I favour the idea of not having to adopt multiple providers to communicate with other people and not relying on a single cloud server for communications, but as a user I don’t care if it is a Matrix or XMPP server. I couldn’t see that many differences between them; most of the things that Matrix can do can also be achieved with a jabber client.

    Visit matrix homepage

  • Encrypt and hide messages in pictures with SecretLayer

    SecretLayer is a Windows program to encrypt and hide messages inside a photograph (jpg, png, gif, bmp), a technique known as steganography. The program tweaks photo pixels and embeds tiny pieces of extra information in them without changing how the pictures look to the human eye.

    The tests I performed made the carrier photos indistinguishable from the original files except for being slightly bigger in size, a few kilobytes more, depending on the size of the secret message. SecretLayer tells you how much data you can hide inside each photograph: a progress bar indicates how many bytes you can hide as you type, or, if you add an attachment, you are told what the maximum size can be. This is the kind of program that computer beginners can use; it comes with a video tutorial and a wizard that let you learn how it all works in under 5 minutes.

    With SecretLayer you can send covert messages that sidestep email by uploading images with hidden data to a personal photo album or website; the receiver only has to visit the website and save the photo. There is one small caveat: the person decrypting the message has to know what encryption algorithm and key length were used. You will have to transmit this one way or another, but just once if you don’t change the arrangement.

    SecretLayer steganography program with encryption

    This is a very easy to use program, with a wizard guiding novices step by step and an advanced function that lets you choose an encryption algorithm from among AES, Blowfish, IDEA, CAST, DES and RC5. Secret Layer displays information about the security level of each encryption method and key bit length, and there are also security tips in the password window so that you do not enter anything that could be guessed or easily broken. A small improvement I feel the developer could make is adding a password strength meter.

    After encrypting a file you can choose where to save the image. Ticking a box tells SecretLayer that you would like to shred the original picture, something I would advise you to do. Wiping the original picture will make it nearly impossible for somebody to find out if the resulting photograph contains hidden data inside or not. To discover steganography in a digital photo the original is needed to make a comparison.

    SecretLayer can also wipe the data you are hiding when you are done. The integrated file wiping utility is much appreciated, eliminating secret messages in plain text considerably increases your security. 

    Steganography software Secret Layer

    I always liked steganography because it is very hard to detect and if you add to that encryption, mass surveillance loses capabilities, the powers that be can’t scan every single picture on the Internet looking for hidden data. Of course I would have preferred an open source tool, other than that, I liked SecretLayer and I am convinced that if PGP was as easy to use there would be many more users.

    Note that the free version of Secret Layer, called Light, does not encrypt data, it only hides it. If you want encryption and the ability to split and hide data across multiple photos, which allows bigger files to be hidden, you will have to buy the program. Steganography without encryption might fool your roommate but not somebody who has the right tools to extract data. For a free alternative that is not so easy to use, check out OpenPuff Steganography.

    As is usual with these programs, the person you communicate with will need to have it installed too.
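
    The two points above, that a copy of the original photo gives the hiding away and that hiding without encryption protects nothing once someone knows where to look, can be seen in a short added example (not SecretLayer's code, and not from the original post). It assumes plain least-significant-bit embedding over a constructed pixel buffer, since the page does not say how SecretLayer embeds data, and uses a SHA-256 keystream as a stand-in for a real cipher such as AES; all function names are hypothetical.

```python
import hashlib

HEADER_BYTES = 4  # big-endian payload length stored ahead of the payload

def capacity_bytes(pixels: bytes) -> int:
    """Largest payload that fits at one hidden bit per carrier byte."""
    return max(len(pixels) // 8 - HEADER_BYTES, 0)

def embed_lsb(pixels: bytes, payload: bytes) -> bytes:
    """Return a copy of pixels with payload written into the lowest bits."""
    if len(payload) > capacity_bytes(pixels):
        raise ValueError("payload larger than carrier capacity")
    data = len(payload).to_bytes(HEADER_BYTES, "big") + payload
    out = bytearray(pixels)
    for i in range(len(data) * 8):
        bit = (data[i // 8] >> (7 - i % 8)) & 1
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)

def read_bytes(pixels: bytes, start_bit: int, count: int) -> bytes:
    """Reassemble count bytes from the lowest bits, starting at start_bit."""
    out = bytearray()
    for b in range(count):
        value = 0
        for i in range(8):
            value = (value << 1) | (pixels[start_bit + b * 8 + i] & 1)
        out.append(value)
    return bytes(out)

def extract_lsb(pixels: bytes) -> bytes:
    """Recover the payload; needs no key, only knowledge of the layout."""
    if len(pixels) < HEADER_BYTES * 8:
        raise ValueError("carrier too small")
    length = int.from_bytes(read_bytes(pixels, 0, HEADER_BYTES), "big")
    if length > capacity_bytes(pixels):
        raise ValueError("no plausible payload header found")
    return read_bytes(pixels, HEADER_BYTES * 8, length)

def compare_with_original(original: bytes, suspect: bytes) -> dict:
    """What someone holding the untouched original learns from a diff."""
    changed = [i for i, (a, b) in enumerate(zip(original, suspect)) if a != b]
    return {
        "changed": len(changed),
        "lsb_only": all((original[i] ^ suspect[i]) == 1 for i in changed),
        "last_changed": changed[-1] if changed else None,
    }

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """SHA-256 counter keystream: a stand-in for a real cipher such as AES."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

# Constructed sample data: a synthetic 4096-byte "pixel" buffer and a message.
CARRIER = bytes((i * 37) % 256 for i in range(4096))
MESSAGE = b"meet at the usual place"
KEY = b"constructed demo key"

if __name__ == "__main__":
    plain_stego = embed_lsb(CARRIER, MESSAGE)
    sealed_stego = embed_lsb(CARRIER, keystream_xor(KEY, MESSAGE))
    print("capacity:", capacity_bytes(CARRIER), "bytes")
    print("diff vs original:", compare_with_original(CARRIER, plain_stego))
    print("hidden only:", extract_lsb(plain_stego))
    print("hidden + encrypted:", extract_lsb(sealed_stego).hex())
    print("with key:", keystream_xor(KEY, extract_lsb(sealed_stego)))
```

    The diff against the original shows changes confined to the lowest bit of a contiguous run of bytes, while the extractor that needs no key returns readable text in the unencrypted case and only ciphertext in the encrypted one.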

    Visit SecretLayer homepage

  • List of the best encrypted chatroom services

    When your access to secure communication tools is limited in a shared environment or you are on the go, the services below can be used to set up a makeshift secure chat without any technical knowledge.

    These websites can create an encrypted chatroom with minimal registration details and they can be accessed by anybody with a web browser on their computer or mobile device, but the websites also require you to trust the server operator; hence, you should not use them for high security unless you host the chat software.

    I have used a few of the sites below with a VPN proxy to hide my computer IP and I didn’t have any kind of problem doing this. The only condition is that JavaScript always has to be enabled, since this is what is used to encrypt the messages in your browser.

    Otr: Peer to peer chat in your browser with no central server and no need to register or install anything, you simply open a chatroom and send or post the link somewhere for your contacts to access it, but remember that once everybody leaves the chatroom it ceases to exist.

    Cyph: Encrypted group messenger and video calling that works in the browser and on smartphones, with encrypted cloud storage. Cyph uses quantum resistant ciphers and has been independently audited by Cure53, a German cybersecurity firm.

    Teleguard: Swiss based instant messenger that does not require you to register a phone number to use it. Teleguard can be used on smartphones and on Linux, Windows and Mac computers, but you have to download their application; it won’t work in the browser.

    Brave Talk: From the makers of the privacy focused Brave browser, Brave Talk allows free encrypted video chats right in your browser. One of the callers needs to be using the Brave browser to create the chatroom, but the others can use any browser they want and connect by clicking on a link.

    ChatCrypt: It allows you to create an encrypted chatroom by entering a name for the room, a username and a password. People who want to join in will have to visit ChatCrypt and enter the room name and password you have given them. ChatCrypt rooms are not listed anywhere; they can only be found if you let other people know that they have been created. All messages are encrypted in your browser with 256-bit AES in CTR mode before transmission.

    ChatCrypt is funded with advertising and you will see a banner on top of the chatroom. Google and their NSA friends perhaps can’t read the messages, but they should still be able to track the IP of people in the chatroom using the advertising banner.

  • Encrypted cloud storage with messaging Peerio

    Peerio is a company providing encrypted file storage in the cloud with an integrated instant messenger. It is available for Windows, Mac and Linux (if using the Chrome browser), and smartphone apps are on the way. It is being developed by the makers of Cryptocat and miniLock, two other cloud based encryption utilities.

    Before you can use Peerio you will have to register for an account by selecting a username. The email address you provide will receive a verification link for you to click on; after that you can create a short PIN code to pair devices with Peerio. A long passphrase is generated during account creation to stop users from picking a weak one. This is very important, as encryption keys are derived from that passphrase.

    Although I see why the developers do this, I am not a fervent supporter of having something as important as the passphrase picked by a third party app instead of my trusted offline password manager, and most likely people without a password manager will write it down anyway.

    encrypted file storage Peerio

    Peerio’s interface is clean and easy to use. You will see three tabs, “Messages”, “Files” and “Contacts”, and a column allowing you to classify uploaded documents by file type (Photos, Videos, PDF, etc); everything is automatically synchronized. After you have added a contact, that person will be able to talk with you in real time. To send them a large file, drag and drop the files you wish to share inside the window to upload them to the cloud; another button lets you destroy those files from your account and from the accounts of the people they are being shared with.

    This platform is comparable to Mega, a more established encrypted cloud storage with messenger that offers far more space. Peerio developers have no way to know what you are sharing: only users hold the private key to decrypt data downloaded from Peerio’s Canadian cloud servers. The company can’t read anything, but they admit that timestamps and login IPs are kept; that is all they can hand over if they are forced to.

    A substitute method to send large files with end to end encryption is using an instant messenger and encrypting the files with PeaZip before the transfer. Peerio’s main leverage is that it does all the encryption work in the background, but it also has the disadvantage that to send big files you will be asked to upgrade to their upcoming paid plans, and the part that bugs me the most is that you have to convince your friends to open an account with Peerio.

    Peerio erasing shared cloud files

    If you are a small company and your employees need to share files often, perhaps Peerio will work, but for the individual it is best to encrypt a file and upload it with a proxy to a cyberlocker, or to use NeoRouter, to avoid the metadata treasure trove that cloud servers are, with the extra benefit of always having the data available on your hard drive.

    Other secure ways to share large files without a cloud server involved are Bittorrent Sync and Infinit.

    Visit Peerio homepage

  • Wireless anti surveillance device Cyborg Unplug

    Cyborg Unplug is a hardware device that scans your WiFi network, detects unauthorised gadgets connected to the network spying on you, like a wireless cam or microphone, and disconnects them.

    There are two models available: one that works with the 2.4GHz band and detects and disconnects gadgets like Google Glass, warning you with a blinking LED light or sending an alert to a smartphone app, and a more expensive model that works in the 5GHz band, normally used by businesses, emits an audio alert and can monitor Bluetooth connections in addition to WiFi.

    The hardware is nothing out of the ordinary, a simple WiFi router with an Atheros chipset. The magic is the firmware powering Cyborg Unplug: it runs a modified Linux based OpenWRT for embedded devices that blocks appliances from getting to the Internet. The code is open source and available for download, and it can be installed on compatible hardware if you are technical enough to build your own.

    Anti spy device Cyborg Unplug

    Unlike WiFi jamming, this device detects the specific MAC addresses of surveillance gadgets like Google Glass or drones and disconnects them from your wireless network by sending a de-authentication packet. The Cyborg Unplug owner gets to decide what kind of gadget can and cannot be connected to WiFi, whitelisting them with a check box. Since the device relies on knowing the spying devices’ MAC addresses, Cyborg Unplug will be updated as new ones hit the market, with lists downloaded to Cyborg Unplug using the Tor network to avoid exposing your WiFi IP anywhere.

    This device can only be legally used in your own WiFi network; using it somewhere you are not authorised would get you in serious trouble. The developer recommends that you only turn on the “Territory Mode”, which blacklists targeted gadgets and allows access to everything else. A more restrictive “All Out Mode” kicks all devices in range off the wireless network, including paired smartphones. This can be illegal in some jurisdictions and you are the only person responsible for illegitimate usage.

    The biggest downside of this device is that it will not prevent a recording, it only prevents streaming over WiFi. The second problem is that if the spying device is sending out data using a 4G mobile phone network it gets away with it, but not many do that because 4G is still expensive for video.

    Home users worried about their own WiFi network being exploited should configure their router to filter MAC addresses. The substantial use I see in Cyborg Unplug is for businesses like restaurants or offices providing WiFi access. I liked how easily this device can kick out drones, webcams or Google Glass while allowing laptops and tablets in with very little work.

    Cyborg Unplug can be handy as part of a security layer administering wireless Internet services, but not as a stand alone bullet that will prevent WiFi abuse.

    Visit Cyborg Unplug homepage

  • A look at the evidence alleging that Giganews is an FBI operation

    As recently reported by Cryptome, a Giganews ex-employee has leaked to them what he claims is evidence that Usenet provider Giganews, with subsidiaries PowerUsenet, Usenet.net, RhinoNewsgroups and VPN company VyprVPN, are logging customers’ downloads and work for the FBI. I downloaded all of the evidence Nick Caputo presented and I researched it to find out how substantive his accusations are. Assume nothing, believe nothing, allow the evidence to speak by itself.

    Nick Caputo’s first claim is that he used to work as a system administrator for Giganews. To prove this he sent Cryptome photos of his employee badge and payslips; both look authentic, and a recent post on the Giganews blog admits that he is indeed an ex-employee. Based on this, it is beyond question that Nick Caputo is a former Giganews system administrator; nobody disputes that.

    The second claim Nick Caputo makes is that, due to a misunderstanding with GigaNews CEO Ron Yokubaitis, he removed three groups carrying child pornography from the Giganews list and that he was subsequently disciplined by Giganews/Data Foundry administrators for doing that, with subtle references to an FBI investigation in progress. The child porn groups were later on restored by one of the administrators from Data Foundry backups. There is no hard evidence supporting any of this; you have to take Nick Caputo’s word at face value.

    FBI agent Scott Kibbey and Charles Riley

    The ex-employee, claiming to be upset over what he believed was Giganews facilitating child porn downloads, decided to contact the FBI a few months later. Special Agent Scott Kibbey and FBI agent Charles Riley had a meeting with him in unlisted FBI Austin offices located at 12515 Research Blvd, Building 7, Suite 400. During that meeting Nick Caputo was told that the agents were friends with the Giganews CEO and that they would give him his old job back under a new identity. Nick Caputo also claims that both FBI agents worked undercover at the Giganews data center, and as evidence of all this he attaches various text files with email headers of the email exchange he had with them as well as a scanned copy of both FBI agents’ contact cards.

    I did a whois on the computer IP that shows in the email headers and the IP 153.31.119.142 is listed as being part of the “FBI Criminal Justice Information Systems”, I also searched in DuckDuckGo for “Charles Riley FBI” and a LinkedIn page comes up listing him as a Detective for the City of Austin working in the Digital Forensics Unit. Based on this, I believe that Chris Caputo had a real meeting with these two FBI agents but what was said in that meeting is another matter that can not be proven. Something that does not make sense is that the FBI would offer Nick Caputo his job back in Giganews under a new identity, surely, his co-workers would know his face even when using a different name.

    Another bizarre claim of Nick Caputo, with no supporting evidence, is that the Chinese government has access to VyprVPN Hong Kong server and it was brought down by a Chinese employee the day of Tiananmen Square anniversary. All I can say, is that he gives zero proof of this claim and it is weird.

    There is an equally weird Giganews blog post saying that the company doesn’t work for the FBI and they pretend to prove it by saying that Giganews has SSL for Usenet downloads and a VPN. That means nothing, owning the servers they can see what goes on, and Giganews forgets to mention something very important of which there is ample evidence. Giganews is the only Usenet provider that is a member of the Internet Watch Foundation, for those who don’t know, the IWF is a British organisation that works for the police trying to remove child pornography from the Internet and tells Internet Service Providers what pages to block.

    I don’t believe it has been proven that Giganews is an FBI honeypot. The evidence given by Nick Caputo shows that he used to work for Giganews and that he had a meeting with FBI agents to discuss something, but beyond that, it is impossible to know what was spoken or said at the workplace and in the meeting with the FBI agents, and both parties, Giganews and Nick Caputo, have a personal interest in discrediting each other.

    I am a Usenet downloader myself and I don’t use Giganews; they are clearly overpriced and after the Snowden leaks I try to reduce my reliance on USA based companies. If anybody cares to know, I am currently using Tweaknews.eu in the Netherlands, and Altopia in the USA. One is offshore, and the other one is too small to be of interest for a global gagging order, and they both have their own hardware, don’t censor groups, and are not resellers.

    Read more in Cryptome

  • Encrypted radio frequency communications with goTenna

    Designed to be able to communicate without any Internet service provider, WiFi or mobile phone network, goTenna is a small autonomous hardware device that fits in your pocket and can be plugged into an iOS or Android smartphone to transmit low frequency 151-154 MHz radio waves to other goTenna users, pairing with them via Bluetooth LE (Low Energy). The device can not be used to make voice calls, but you can send text messages and share your location.

    Possible uses for goTenna are communications in disaster zones with destroyed infrastructure, sending an emergency message if you are lost in the middle of a mountain that has no mobile network coverage, and private communications. This device should get around Internet mass surveillance frameworks set up to monitor Internet and mobile phone networks: unless an operative is within goTenna radiowave range with bulky wiretapping equipment, they had better forget about intercepting or detecting goTenna data transmissions. On top of that, you do not have to pay for a subscription to use it.

    goTenna radio frequency communications

    With the device you get a custom goTenna app preloaded with offline maps to see your friend’s location without needing Google maps or an Internet connection. However, if you don’t remove the mobile phone SIM card, your GPS coordinates and those of your associates will be revealed to the network provider even when you are not placing a call.

    Radio frequencies can be easily intercepted; to stop this, goTenna secures your messages with 224-bit elliptic curve end to end encryption. There is no central server: messages are stored inside goTenna’s internal flash memory, which can hold 1000 messages. You communicate P2P with your friends, in a group or individually, and it is possible to send self destructing messages to only one person; the message will be erased straight away after it has been read and not stored in the memory.

    Communications range is an awesome 1 to 50 miles, depending on obstacles and geography, according to one of the founders, Daniela Perdomo, the maximum 50 miles range is only achievable if you are on top of a mountain, on the ground in an open space you get around 9 miles communications range and in the city, without line of sight and many obstacles around, you should get from 0.5 up to 1 mile range. Data transmission at 9600 bps is too slow for sending rich media like selfies, but enough for text messages.

    Due to radio frequency regulations goTenna is not allowed to daisy chain a network in mesh, communications are point to point, but you can send a “shout” to all goTenna users in your vicinity or set up a private group chat.

    goTenna mobile app

    Other similar self-ruling communication schemes that don’t need a provider are existing mobile phone apps that communicate with other users P2P, but their range is very low, bounded by Bluetooth to a couple of dozen meters. And of course you have the walkie talkie: it doesn’t need an Internet service provider or satellite to operate, but it does not encrypt radio waves like goTenna, unless it is a very high end device of the kind used by law enforcement and emergency services.

    goTenna’s battery lasts up to 72 hours with low usage, and the enclosure is weather and dust proof for you to take hiking inside your pocket or clipped to a rucksack band. I liked the small size and the relatively long battery life; it works autonomously without any state or corporation oversight of the data being transmitted, and the radio waves are encrypted with strong algorithms. The price is not so attractive. This device can work anywhere in the world, but legally it needs a transmission license and right now it is only available in the US, where they have FCC approval.

    Visit goTenna homepage