Category: Other

Other computing tips

  • Anonymous torrent downloads with Tribler

    Tribler is an open source BitTorrent client developed by the Delft University of Technology (TU Delft) in the Netherlands. What sets this program apart from the dozen other file sharing clients is a built-in peer proxy bouncing technology that routes data across multiple peers before it reaches its final destination. Just like in Tor, three different random nodes are used to stop a rogue node operator from finding out who is downloading a file.

    The first peer proxy encrypts data to block other nodes from seeing the content of what is being forwarded; only the person requesting the file is able to decrypt it. The peer proxies don’t keep logs of anything, so seizing them will be of no help in determining past usage.

    Another Tribler anti-censorship feature is that you don’t have to visit torrent sites to find files. The software currently uses central trackers and indexers, but if they are ever taken down, Tribler can search the network to find user submitted .torrent files that don’t have to be uploaded to sites like The Pirate Bay or Demonoid.

    Tribler torrent channels

    Besides security, Tribler has dozens of features to help you manage torrent files. You can locate torrents using Tribler’s integrated search box or in what they call “Channels”, collections of user generated files that can contain movies, ebooks, photos, games or music; anybody can create them. I was able to find new movie releases and TV series in no time and without any spam. The program crowdsources filtering: channels have a “Spam” button next to them, and when enough people are annoyed and click on the button, the channel gets buried. Meanwhile, good quality content can be boosted in search results by clicking on a “Favorite” button next to the channel.

    You can give a descriptive name to Tribler channels you create. Sadly, many people don’t bother with this or don’t know how to do it, and I found channels named “Grandma PC” or “ElderScrolls”. To know if the content is worthwhile, watch out for the star rating next to each channel. It lets you know how popular the channel is, saving you time by not having to click on each folder to see what is inside.

    Important things to be aware of: when you first start Tribler you will not see any channels. It took me ten minutes for the first 30 user generated channels with content to show up, and this increased to 50 channels in another ten minutes; the longer you stay on the network, the more content will appear. Another thing is that the software will automatically create a folder with your Windows username on your desktop to store downloads, so make sure that your Windows username is not your real name, or change the folder name in settings.

    Tribler channel creation

    If you are browsing the Internet while a torrent downloads in the background, right click on the torrent and change the default unlimited bandwidth allocation to avoid slowing down your browsing. Before downloading a big movie, it is best to stream part of it with Tribler’s integrated VLC media player. Tribler also allows you to copy the magnet link, see the number of seeders and list the trackers announcing the torrent, and it has a family filter that will not stop you from seeing porn thumbnails in Tribler’s main window. I read in the Tribler forums about other users having the same porn problem; the developers seem to be aware of this and are working to fix it.

    Regarding anonymous downloading, be extremely careful: the technology is in testing mode and not all downloads are anonymous. You can see a column next to the torrent file where it says “Anonymous yes/no”. My main concern is that I don’t know how willing the authorities are going to be to arrest somebody forwarding encrypted data in Tribler that happens to contain something illegal.

    Tribler proxy bouncing is too new to know for sure if it can stop abusive DMCA notices from landing at the door of those forwarding traffic, but anything that makes it more difficult to find a downloader’s computer IP should be welcome.

    Visit Tribler homepage

  • Best online hacking wargames

    The following websites offer you a free and legal way to acquire practical hacking skills. If you are going to stop the bad guys, you need to know how they act in order to protect your own servers, and wargames are the best way to be one of the bad guys without worrying about the FBI knocking at your door or harming anybody.

    The computers you will be hacking in wargames are virtual machines that can be easily reset, and if you get lost, a community of white hackers will be willing to help you out by teaming up with you or sharing experiences.

    Exploit Exercises: A site giving you access to various virtual machines to hack. You will be given challenges, like scanning a network to find what vulnerabilities exist and how to exploit them. The site is admirably structured, with the servers separated by hacking skill and level. You can download a .iso or .ova (Open Virtual Application) and run it locally on your computer to hack it as if it were online.

    Hacking Lab: An IT security portal with various hacking tests. It has its own custom live CD with a VPN connection that you can use for hacking. Just like in real life, where you have to scan a server to fingerprint it before launching an exploit, in Hacking Lab you will have to find the IP or DNS of the vulnerable server before a hacking attack can take place.

    Online hacking game hacking lab

    Pen Tester Lab: Full of penetration training exercises for people interested in becoming a pen tester. You are given weekly computer security exercises in the boot camp section, and the lessons get more and more difficult as you complete them. Tasks are clearly explained, with links to the files you have to download if necessary.

    HackThisSite: One of the wargame sites that has been around the longest, with a great hacking community that will help you expand your skills. You can chat with like minded people in the HackThisSite forums or on IRC, the old school hacker’s communication tool. This site stands out from the crowd with its extensive amount of free learning resources.

    cyberwar game HackThisSite

    Hacker Project: A fictional hacking game set in a future where governments have gone bankrupt and multinationals have taken over the world, stopping the free flow of information. Your job will be to return power to the people by infiltrating corporations and using their information technology networks against them. This site is for entertainment; you don’t hack anything for real, but the game is realistic.

    HackerForEver: A text based browser game revolving around the dark world of hackers, from the good white hackers up to the bad black hacker guys. You can choose what side you would like to be on, and the game has various clans you can join and a community. You will not do real hacking here, just a simulation. Games like this serve as an introduction to the world of hacking slang and are suitable for people of any level.

     

  • Email providers connection logs table

    Last week I emailed 14 different email providers and, identifying myself as a blogger, asked them about their connection logs retention policy. Here are the answers:

    Would it be possible for you to let me know for how long does your email service keep customer connection logs? (By connection logs I mean timestamp logs that contain computer IPs used to connect to the account) 

    | Email provider | Connection logs retention |
    |---|---|
    | Countermail.com | We keep a traffic log for 24h, the incoming external server IP-addresses are stored in this log, but the countermail users IP-addresses are never stored in this log |
    | Protonmail.ch | The answer to your questions is fairly simple: we do not have connection logs where ip’s are matched with accounts and tracked |
    | Inbox.com | We are sorry but we can not share this info with you because it is not considered a public information |
    | Hushmail.com | They told me to read their privacy policy, I did and it says that Hushmail keeps connection logs for 18 months |
    | AnonymousSpeech.com | For trial user we keep a connection log for 5 days. After this 5 days we delete them. For paid memberships we do not keep ANY log information |
    | Mailbox.org | The specific logs you asked about are deleted after 7 days |
    | NeoMailbox.com | Updated: It took them ONE MONTH to reply. “We keep email logs for 7 days after which they are securely wiped.” |
    | Cotse.net | Did not reply |
    | MyKolab.com | Unfortunately, I am not in the position to give you a concrete time frame for this. For example, deleted mails are not purged from our storage immediately but at regular intervals, usually every day at night time when there are less users on the systems. In addition to that, we keep backups for disaster recovery, but we only keep them for a limited amount of time and not forever |
    | Unseen.is | We keep email server access logs for seven days. This is only to prevent abuse and spamming using our system |
    | OpenMailbox.org | We keep logs 1 year to comply to local laws |
    | Posteo.de | We only save IP addresses when an account is accessed using an external email client and in the process of sending or receiving emails. When an account is accessed via the webmail interface we generally do not save IP addresses. This data is automatically deleted after seven days. The data is only used to diagnose problems and can not be requested by authorities. Only in response to a judicial ruling in the case of a serious crime can this data be accessed. |
    | CryptoHeaven.org | The logs are kept for anywhere from 8 to 48 hours, and that is only on the web server and not the mail system |
    | Fastmail.fm | We normally keep logs of email and server activity for up to 6 months. This is for the purposes of diagnosing and fixing problems, which are often reported to us weeks or months after they occur. Backups and logs may be kept longer in special circumstances. For example, if a problem is taking a long time to resolve, logs relevant to that investigation may be retained. Or if a server that contains backups or logs is temporarily offline because of a fault, then those backups or logs may not be deleted until the server is brought back up. These situations are unusual, however, and when they do occur, they are temporary |

  • Decentralised Internet platform MaidSafe

    MaidSafe is a decentralised Internet platform where users contribute computer storage space, CPU power and bandwidth to form an autonomous ecosystem; the more people join the network, the more resources are available. A denial of service attack or censorship attempt would be extremely arduous to carry out in such an environment, where there is no central server or DNS.

    MaidSafe’s client application is called SAFE (Secure Access For Everyone). When you upload data, everything is automatically shredded and encrypted using the uploaded files as part of the public key encryption scheme. The password is never transmitted to the network and there is no way for others to see what you uploaded. Data is distributed across multiple servers, and replication and Distributed Hash Tables step in to deliver the files when some of the servers holding chunks of your data go offline. MaidSafe maintains 4 encrypted copies of your data and moves them around nodes as they are available.

    MaidSafe decentralised network

    If you would like to access more data than you have been allocated by the network and do not wish to donate more computer resources, you will have to pay for the access using Safecoins, MaidSafe’s own cryptocurrency, which can be bought or exchanged for another currency at alternative cryptocurrency markets.

    A project like MaidSafe has the potential to deliver apps, host websites or store films without fear of the server being subpoenaed or taken down by an abusive regime. With the files divided and stored encrypted in different locations, it is not feasible for state entities to wiretap a central server and track the downloaders.

    The code is open source, and developers have access to an open API to build apps on top of MaidSafe. Just be warned that when you donate storage space to the network, you have no way of knowing what is being stored, encrypted, on your computer. This could create legal liabilities if anybody misuses the network, but until there is mass adoption it is hard to know what would happen in a case like that.

    MaidSafe is a for profit company based in the UK, they make money with SafeCoins.

    Visit MaidSafe homepage

  • Digital image forensics with Ghiro

    Ghiro is an open source tool for image analysis and metadata extraction. You can install it on a dedicated server or download the .ova appliance for VirtualBox or VMware. Either way you get a web interface to upload images and get a deep overview of the embedded metadata, like EXIF, IPTC, XMP, GPS coordinates, etc.

    The default web interface username is ghiro and the password is ghiromanager. They should be changed straight away, especially as the appliance can be remotely accessed with SSH if you uploaded it to a server.

    You can use this tool to compare two images that look the same to the human eye and find out if one of them has been modified by comparing their digital fingerprints: the hashes tab shows the image MD5, SHA1, CRC32, SHA256, and SHA512 hashes. The Error Level Analysis will let you know if the image was edited, and MIME information shows extended data about the file you are dealing with, for example, whether it is a JPEG or a PNG.
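Matching hashes prove two files are byte-identical, but differing hashes do not say whether the picture or only its metadata changed. The sketch below is an added example (not Ghiro's code): it computes the same five digests, then re-hashes JPEGs with their APPn/COM metadata segments removed, which goes beyond the hash comparison described above. The sample byte strings are constructed stand-ins with JPEG segment structure, not decodable photos.

```python
import hashlib
import struct
import zlib

def digests(data: bytes) -> dict:
    """The five values listed above for Ghiro's hashes tab."""
    out = {n: hashlib.new(n, data).hexdigest()
           for n in ("md5", "sha1", "sha256", "sha512")}
    out["crc32"] = format(zlib.crc32(data) & 0xFFFFFFFF, "08x")
    return out

def sniff_mime(data: bytes) -> str:
    """Identify the type from magic bytes, not from the file extension."""
    if data.startswith(b"\xff\xd8\xff"):
        return "image/jpeg"
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "image/png"
    return "application/octet-stream"

def strip_jpeg_metadata(data: bytes) -> bytes:
    """Drop APPn (EXIF, XMP, IPTC) and COM segments; keep image data."""
    if not data.startswith(b"\xff\xd8"):
        raise ValueError("not a JPEG")
    out, pos = bytearray(b"\xff\xd8"), 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("bad marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xDA:  # SOS: compressed scan data runs to the end
            return bytes(out + data[pos:])
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError("truncated segment")
        if not (0xE0 <= marker <= 0xEF or marker == 0xFE):
            out += data[pos:pos + 2 + length]
        pos += 2 + length
    raise ValueError("no SOS segment found")

def compare(a: bytes, b: bytes) -> str:
    if digests(a) == digests(b):
        return "identical"
    if sniff_mime(a) == sniff_mime(b) == "image/jpeg":
        if (hashlib.sha256(strip_jpeg_metadata(a)).digest()
                == hashlib.sha256(strip_jpeg_metadata(b)).digest()):
            return "metadata-only difference"
    return "content differs"

def _seg(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed samples: SOI, one APP1 "Exif" segment, a DQT, SOS + scan bytes, EOI.
_BODY = (_seg(0xDB, b"\x00" * 65) + _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00")
         + b"\x12\x34\x56" + b"\xff\xd9")
ORIGINAL = b"\xff\xd8" + _seg(0xE1, b"Exif\x00\x00camera=A") + _BODY
RETAGGED = b"\xff\xd8" + _seg(0xE1, b"Exif\x00\x00camera=B") + _BODY
REPAINTED = ORIGINAL.replace(b"\x12\x34\x56", b"\x12\x34\x57")

if __name__ == "__main__":
    for name, other in (("RETAGGED", RETAGGED), ("REPAINTED", REPAINTED)):
        print(name, "->", compare(ORIGINAL, other))
```
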

    Ghiro image forensics appliance

    You can extract metadata to find out what device was used to take the photo and if any GPS coordinates were automatically added, as many digital cameras do, in which case an embedded map in Ghiro shows you the exact location where the picture was taken.

    Other metadata that Ghiro can extract includes photo resolution, focal length and the name of the software used to edit the photo, if any. A case management tab lets you group images and assign users and permissions to cases.

    This is a scalable professional image forensics tool of benefit to amateurs and professionals alike. It can detect fake photos and allows a team of people to work on complex cases with a multiple user dashboard, saving projects, searching for specific image hashes and displaying understandable reports.

    Visit Ghiro homepage

  • Penetration testing and ethical hacking distribution Matriux

    Matriux is a penetration testing Linux distribution based on Debian with the GNOME window manager. The download is a huge 3GB and you can run it as a live DVD or install it on your computer or USB thumbdrive. The tools Matriux comes with have been specially created for ethical hackers, penetration testers and computer forensic experts. I can’t imagine anybody using Matriux as their every day desktop unless they work in this field.

    The default username is matriux and the password is toor. The only mainstream software you will find is an archive manager to pack files; all of the other tools are computer security related. To install this distribution you can click on a “Matriux Disk Installer” shortcut on the desktop, but it will not partition your hard drive. You will have to prepare the drive and create a swap partition on your own with a different tool; I suggest GParted.

    PEN testing distribution Matriux

    Matriux comes with two browsers: Firefox, including the Adblock Plus and NoScript addons, and Epiphany, a lightweight GNOME desktop browser. The tools you need for hacking are all nicely classified inside the “Arsenal” tab. You can find multiple scanners to test cross site scripting exploits in websites, and the Nmap and Angry IP scanners to scan a whole network and search for open ports and services to infiltrate.

    The forensics section of Matriux has every single piece of software you will possibly need for your job, orderly divided into “Acquisition”, “Analysis” and “Metadata extractors”, without leaving out tools to analyse Android mobile phones. Other jewels in the crown include steganographic tools, Bluetooth hacking, VoIP hacking software, DNS attack tools, debuggers, and hacking frameworks like Metasploit, Mantra or Inguma. For those who don’t know, each framework contains further discovery, gathering, scanning, bruteforcing and exploit tools; you can spend months just learning how to operate the software.

    I liked that Matriux comes with my favourite zsh shell and a marvelous semi transparent terminal colouring scheme that makes you really look geeky when people look at the screen, even if you haven’t got a clue of what you are doing. I could not see anything missing in the cyberarsenal, from the basic Truecrypt and Tor to the darker open source intelligence and forensics application Maltego.

    With over 300 hacking tools in a single DVD at the touch of your fingertips, Matriux is a good alternative to Kali Linux and should be a must have hacking distribution for all security professionals, students and hobbyists.

    Visit Matriux homepage

  • Share messages anonymously with KwikDesk

    KwikDesk is a self-destructing social messaging platform to share short Twitter-like messages with hashtags and a limit of 300 characters. Unlike Twitter, KwikDesk does not ask you to fill in a form or pick a username or password. The KwikDesk connection is encrypted with SSL and the website claims not to track IP addresses.

    In exchange for this anonymity you will lose functionality: you won’t be able to create a profile, and following one to one conversations will be more difficult than it is in Twitter.

    The KwikDesk web app is fairly elementary. You type in a message, select after how many days the message should self-destruct and add a hashtag so that others can find it; unless people know what hashtag to type in, the message will remain hidden. After somebody reads the message they can quickly reply using the same interface or publicise it on Twitter with their own Twitter account.

    Twitter alternative KwikDesk

    The main difference between KwikDesk and a self-destructing notes site is the hashtags. You don’t have to send a link to your hidden messages; people only have to go to KwikDesk and type in a hashtag, and all of the messages classified under it will appear.

    There is a Chinese version of KwikDesk, and as a proof of concept it is great, but if the website becomes a nuisance it could be blocked by a government or knocked offline with a distributed denial of service attack. Maybe the upcoming KwikDesk powered OneOne iPhone app will solve those flaws.

    Visit KwikDesk homepage