Hacker 10 – Security Hacker

Category: Other

Other computing tips

  • Build a VPN-Tor proxy on Amazon cloud servers with Lahana

    Build a VPN-Tor proxy on Amazon cloud servers with Lahana

    Lahana is a set of scripts that can quickly create a VPN on Amazon EC2 cloud servers using Linux instances and tunnel everything through the Tor proxy network. It defeats state level Internet censorship, thwarting DNS poisoning used in the Great Firewall of China and blocking of websites by ISPs blacklisting URLs. The only way to stop Lahana is by barring access to all of Amazon EC2 servers which would leave the whole country without a cloud platform used by many companies providing different services or censors could block a single node and play a whack-a-mole game where the user gets access to a new Lahana proxy node from someone else everytime one of them is blocked.

    There is no need to install any software for the user, Lahana can be used in Mac OS X, Windows, iPhone and  Android, it should work on any device with  a built in IPSEC client able to set up an L2TP VPN tunnel,. VPN node credentials can be publicly shared or only given to trusted individuals. The developer’s explanation to use Tor as exit node instead of Amazon servers IP is to protect the operator running a VPN on Amazon EC2 from abuse, if anyone commits a crime with the a Lahana VPN it would lead back to a Tor IP address and not the VPN operator. Lahana VPN sits in the middle in between the user and Tor in the form of User>>Lahana VPN>>Tor>>Website.

    Lahana VPN Tor proxy on Android phone
    Lahana VPN Tor proxy on Android phone

    Lahana nodes also serve as bridges and can be used to access hidden Tor websites, the more Lahana VPN nodes there are up, the faster the Tor network gets. This tool solves the Internet censorship problem but not privacy or anonymity, it would very easy for a Lahana VPN operator to log your computer IP and see what sites you visit and capture usernames and passwords, for high Internet anonymity you should only use Tor.

    Visit Lahana homepage

  • Portable Private Browsing by PortableApps

    Portable Private Browsing by PortableApps

    Private Browsing is an open source portable app that works in conjuction with your portable Firefox copy. While Firefox already has a private browsing mode that will not save what sites you have visited, cookies, passwords, downloaded items or search entries and run completely in RAM memory not caching files in the hard disk, Private Browsing by Portableapps comes preconfigured with all of that and a couple of privacy plugins, FlashBlock and AdBlock Plus using the EasyPrivacy tracking list to block scripts and invasive sites.

    Firefox Portable Private Browsing PortableApps
    Firefox Portable Private Browsing PortableAppsfox

    After trying Portableapps Private Browsing app I found few advantages over configuring your Portable Firefox browser yourself, other than saving time. The app could also be improved disabling the default setting of sending data to Mozilla about your browsing “so that they can improve your experience“, with the actual configuration you will be prompted about what you want to do, another setting that should have been changed are the default Google and Yahoo search engines, the app would be better off unfolding non tracking search engines like StartPage or DuckDuckGo, you can change them yourself but it fails Private Browsing aim of reducing privacy configuration to zero.

    The only unique features this app appear to have are that it will ignore local plugins, for example, if the computer you are working on has Java and Flash installed, the plugins will not work with your portable browser, and Firefox portable will not store a profile listing what sites you visited. Check out my list of the best Firefox addons for computer privacy if you need ideas to set up a custom private browser and add them yourself manually.

    Visit Private Browsing by Portableapps

  • Self-erasing chat conversations with OTR browser extension

    Self-erasing chat conversations with OTR browser extension

    Off The Record messaging is a browser addon for Chrome (Firefox and Internet Explorer coming soon), to automatically erase messages you send to your friends or co-workers after they have been viewed. When someone receives or views a photo sent with OTR they have five seconds before it self-destructs, this default setting can be changed to a longer period of time if you wish so. You have to register your email address and a password to install the plugin, then you will see a bright OTR button on the top right corner of the browser, you need to add contacts or send invites by email before you can communicate, only other OTR users in your contact list and with he same plugin installed will be able to read the messages.

    A small window opens when you click on the OTR button, big enough to write a few hundred words, photos can not be attached, they have to be taken with the computer camera.

    Off The Record browser plugin self-erasing messages
    Off The Record browser plugin self-erasing messages

    This is a very basic plugin in features and security, not suitable for high privacy, anyone can take a screenshot or photo of the message and preserve it, it will only be of real benefit to avoid exposing personal messages by accident by keeping them off email services that archive all conversations, e.g. Gmail. Off The Record browser plugin target public are company workers who don’t want the boss to learn what they are gossiping about in the office, it could do the trick for that purpose, but it will not keep a very determined boss or IT administrator from learning what messages are being exchanged, a packet sniffer is all someone would need to spy on you since there is no mention of encryption anywhere in OTR specifications.

    You should not confuse this plugin with the excellent Pidgin OTR plugin for Instant Messenger, they both have the same name but are very different.

    Visit Off-The-Record homepage

  • Learn cyberwar skills online playing CTF365

    Learn cyberwar skills online playing CTF365

    Capture The Flag CTF365 is a realistic cyberwar game built for hackers, system administrators, security specialists, programmers and anyone with an interest in computer security

    After signing up for the game you will be named a Combatant and asked to join the country you wish to fight for, each country can have many teams comprised of in between a minimum of five hackers and no more than ten. Teams can ally with each other to defend and attack a Fortress, members of the hacking team will have to safeguard their server while being on the offensive, when a user breaches another team Fortress the points go to the whole team. There will be a Hall of Fame with prizes for the most skilled hackers.

    In this Capture The Flag contest the team’s server will run all major Internet services like SMTP, IMAP, FTP, one Content Management System with plugins for social media, embedded video and others, two different Internet browsers, three web applications and two different databases, part of your job will be to secure all of them.

    Hacking game Capture The Flag CTF365
    Hacking game Capture The Flag CTF365

    The game first campaign will mimic a National Agency network where you can play offensive security attacking their servers, as part of the attack strategy, you can DDoS another players virtual servers if you wish so, just like in real life. There is a CTF365 IRC server accessible from within the game, you can use it to find other players and start building your team or join others. There are only two rules, one, do not use the infrastructure to carry out real hacking attacks against non players, and rule two is do not launch a distributed denial of service against the game servers, if you break any of those rules your account might be terminated.

    Capture The Flag is a superb way to get real hands on experience for penetration testers and sys admins defending their network, anyone with interest in computer security will benefit of this game emulating real life hacking scenarios, the aim is to have hundreds of targets in virtual machines that can be attacked at any time and for Capture The Flag to last a full year, there are future plans to offer Infosec companies the possibility to set up their own CTF contest to train students.

    Visit Capture The Flag CTF365

  • Encrypted Disk Detector for live computer forensics

    Encrypted Disk Detector for live computer forensics

    Encrypted Disk Detector is a free Windows command line tool for computer forensics that can detect Truecrypt, PGP, Bitlocker, Safeboot, Sophos Safeguard, Endpoint Security FDE, Symantec Endpoint FDE and Bestcrypt encrypted volumes. The software checks for encryption signatures in the Master Boot Record and Volume Boot Records, where encryption tools store the authentication hashing mechanism that decrypt data, it also displays OEM ID and volume label partition where applicable, when the encryption software hasn’t got any identifiable signature Encrypted Disk Detector scans for running processes indicative of disk encryption.

    This tool is useful to incident response practitioners to quickly determine if encryption is being used in any of the company or network computers before deciding what steps to take next, e.g. mirror drives, prior to pulling the plug. Encrypted Disk Detector runs in read mode and does not make any file changes, its intuitive coloured notification arrangement makes it effortless to interpret the results.

    Encrypted Disk Detector finds BestCrypt volume
    Encrypted Disk Detector finds BestCrypt volume

    Encrypted Disk Detector is not a threat to home users, the software does not attempt to guess what drives are encrypted, it only checks for volumes that are already mounted on live systems, it will not detect encryption in unmounted disks, TCHunt is more appropriate for that task, this is a time saving tool that can be deployed in a matter of seconds in a large network.

    Visit Encrypted Disk Detector homepage

  • Post self-destructing Twitter messages with Efemr

    Post self-destructing Twitter messages with Efemr

    Efemr is a free web and mobile app to post time limited messages on Twitter, it works by adding a timestamp hashtag at the end of your message, for example adding #8m at the end of a post would erase your Twitter message in eight minutes, time can be set to a few hours too but no more than that. The app backups all messages keepimng a private list of deleted posts next to a retweet button in case you change your mind and to remember you what you have posted in the past even if it is no longer visible.

    Efemr self-destructing Twitter messages
    Efemr self-destructing Twitter messages

    Being able to limit how long for something will remain on the Internet it is a step in the right direction to protect people’s privacy but it will not replace common sense, there is still the possibility of someone taking a screenshot of the Tweet, the time frame is not perfect either, Twitter feeds take longer than the specified limit to be erased and anyone could copy and paste or retweet your message, if you truly want to keep your Tweets private then encrypt them with AnonTwi  or any text encryption utility and make them only available to people you know, if anyone takes a screenshot it will only show cihphered text.

    Another way to achieve Twitter privacy is by never using your real name when opening an account, never post personal identifying data when posting and always use Tor or a VPN to log into Twitter.

    Visit Efemr homepage

  • Get paid for ethical hacking at HackaServer

    Get paid for ethical hacking at HackaServer

    HackaServer is a security testing platform where companies can send their applications and apps for skilled hackers to find bugs and exploits, when a server vulnerability is found the hacker gets paid a reward. Big companies like Google and Facebook have their own security team to test code and online applications before they are released to the public, small companies can not afford the thousands of dollars that this costs, HackaServer crowd sources hundreds of hackers looking at code vulnerabilities and misconfiguration testing security and only paying if something is found, with a confidentiality clause protecting the company reputation and real production infrastructure.

    Any system administrator can deploy a custom testing server with the most popular operating systems hosting apps in just a few minutes, before you start hacking a virtual server there is a sandbox called “Training Arena” where people can get a feel of the platform and test their pen testing skills.

    HackaServer account creation
    HackaServer account creation

    There are two kind of hacking challenges, one called “Capture the Flag” where the hacker has to penetrate the server and capture all the details as evidence that he was inside, and another challenge where the hacker finds a flaw or vulnerability rating it as critical, medium or low and getting paid by the company for a full report with all the details. The report is the most important part and it will have to comply with standard penetration test reports, HackaServer only grants hacking rights to the “Playground Arena” after you have passed an IT test showing skills equivalent to a Certified Expert Penetration Tester (CEPT) exam but without being charged for it.

    A good way for penetration testing students to improve their skills on HackaServer and increase their income while learning as well as way for black hat hackers to make some money the legal way.

    Visit HackaServer homepage