Hacker 10 – Security Hacker

Category: Other

Other computing tips

  • Deceiving authorship detection with JStylo-AnonymouAuth

    Deceiving authorship detection with JStylo-AnonymouAuth

    Stylometry, the study of linguistic style, is a method used for authorship recognition, it has helped in numerous historical breakthroughs attributing documents of unknown authorship. The same technique can be used to identify an anonymous blogger or forum poster but a set of necessary conditions must be met for stylometry to succeed, like having a reduced number of suspects and a few hundred of available paragraphs that can be compared and analyzed by an algorithm.

    It is possible for a state sponsored agency to use their computers to scan similar forums to try and link a high target with his real identity by looking at the writing style alone, it is well known that spy agencies already have the capability of scanning Facebook for keywords, where people is using their real name, but due to the millions of users that Facebook has, an stylometry attack would not be feasible unless it is reduced to forums with just a few dozen users. Gathered evidence is still not a definite beyond reasonable doubt, but it can used as an extra intelligence tool pending confirmation.

    Adversarial stylometry JStylo-AnonymouAuth
    Adversarial stylometry JStylo-AnonymouAuth

    Manual adversarial stylometry techniques to circumvent authorship recognition:

    • Obfuscation: An author can deliberately camouflage his writing style, including punctuation and use the thesaurus to avoid being repetitive or briefly quoting someone’s else words.
    • Imitation: An author imitates someone’s writing style so that analysis will point towards that person or throw the algorithm off the trail with no conclusive result.
    • Translation: Automatic software can translate the text a couple of times to a different language and then back to the original.

    The Drexel University research team has also released an open source tool called Jstylo-Anonymouth, bundling together an authorship recognition analysis tool and authorship recognition evasion tool, the software is written in Java and will work in any operating system. When you use Anonymouth to circumvent authorship recognition you will be shown an analysis of text complexity, unique and sentence word count, average sentence length, letter space and reading ease score then you will be told if each feature is optimal for anonymity or it needs changing, this automated software is ideal to release long documents.

    Note: Software is an alpha release still in development.

    Visit JStylo-Anonymouth homepage

  • U.N. report reveals secret law enforcement techniques

    Buried inside a recent United Nations Office on Drugs and Crime report titled “Use of Internet for Terrorist Purposes” one can carve out details and examples of  law enforcement electronic surveillance techniques that are normally kept secret.

    The report includes real accounts of investigative techniques countering terrorist groups secure communication systems.

    Terrorist groups using computer security

    • Point 187: Members of the outlawed Turkish Revolutionary People’s Liberation Party-Front (DHKP-C) used steganography software called Camouflage to hide messages inside JPEG files and encrypted attachments with WinZip before emailing them. A joint Turkish and Italian police operation managed to decrypt the messages and arrest over a hundred people involved with the organization.
    • Point 194: An Alqeda affiliated webmaster managing a jihadist website from Brazil was specifically targeted by the police to grab him by surprise while he was still online to make sure that they would get his encryption keys thanks to which the investigators were able to open all relevant encrypted files.
    • Point 280: International members of the guerilla group Revolutionary Armed Forces of Colombia (FARC) communicated with their counterparts hiding messages inside images with steganography and sending the emails disguised as spam, deleting Internet browsing cache afterwards to make sure that the authorities would not get hold of the data. Spanish and Colombian authorities cooperated to break the encryption keys and successfully deciphered the messages.
    • Point 374: German citizens members of a group called Islamic Jihad Union used the dead email inbox trick to communicate in between them, the suspects did not send the email  to prevent wire tipping in transit, saving the messages to the draft folder instead for the other part to read and reply, coupled with accessing the Internet using insecure wireless access points of unsuspecting citizens with one of the suspects using encryption which forensics expert tried to access and failed.

    • Point 198: It explains how an investigator can circumvent Truecrypt plausible deniability feature (hidden container), advising computer forensics investigators to take into consideration during the computer analysis to check if there is any missing volume of data.
    • Point 201: Mentions a new covert communications technique using software defined high frequency radio receivers routed through the computer creating no logs, using no central server and extremely difficult for law enforcement to intercept.
    • Point 210: Explains how Remote Administration Trojans (RATs) can be introduced into a suspects computer to collect data or control his computer and it makes reference to hardware and software keyloggers as well as packet sniffers.
    • Point 228: Talks about a honeypot jihadist website created by the CIA and the Saudi Government to attract and monitor terrorists, leading to the arrest of jihadists before they could carry out their operations but finally having to dismantle their own website when law enforcement realised that it was also being used to plan attacks against US troops in Iraq.
    • Point 378: Explains how during an Alqeda case in Belgium and after an informal request without any kind of warrant within two weeks the FBI managed to provide Belgian authorities with a CD containing relevant emails data held in US servers voluntarily provided by Yahoo and Microsoft.

    Full report:
    http://www.unodc.org/documents/frontpage/Use_of_Internet_for_Terrorist_Purposes.pdf

  • Wipe files, folders and free space with Secure Eraser

    Wipe files, folders and free space with Secure Eraser

    Secure Eraser is a data wiping and cleaner program that makes files and folders impossible to recover overwriting them multiple times with standard data wiping algorithms. You can also use this program to completely wipe a partition or external storage device and overwrite free space in your hard drive where data that the user thinks was long gone is still recoverable with specialist tools if it hasn’t been written on with a new file.

    The program integrates within Windows right click context menu to  make it easy to wipe files and securely wipe Windows Recycle Bin content, or you can launch the program and manually select what file or folder you would like to wipe for good. Secure Eraser has a registry and system cleaning option to erase your Internet browsing tracks, only Internet Explorer and Firefox are supported. Another option is to securely wipe Windows temporary files, you should always run a Windows junk file cleaner once in a while even if you don’t care about your privacy you will possibly end up recovering lots of hard drive space. When I ran Secure Eraser in my computer it managed to find 4GB of temporary files that a software called Freemake Video Downloader had left inside the AppData/Local/Temp folder without me knowing about it.

    Secure Eraser file wiping software
    Secure Eraser file wiping software

    Five different wiping algorithms are supported, a low security and very quick data wiping method utilizing random data, a 3 pass US DoD 5220.22-M E, a 7 pass US DoD 5220.22-M ECE, a 7 pass data wiping with a German standard algorithm, and a 35 pass data wiping with Peter Gutmann algorithm. There is a log in the program that keeps a record of all erased files in .html format, this will open everytime you wipe something, it will show you the names of the files that have been wiped and it will highlight in red any possible error, program configuration options are minimum, limited to setting the logging report parameters and nothing else.

    The program is free for non commercial use, with a splash screen showing from time to time, the help manual is only available in German but I don’t think you will need to read it.

    Visit Secure Eraser homepage

  • Secure operating system Qubes OS

    Secure operating system Qubes OS

    Qubes OS is an open source desktop operating system from Polish security firm Invisible Things Lab, what makes this system more secure than other Linux distributions is that you can isolate components within disposable containers separating them from interaction with the rest of the OS. The distribution is based on Fedora Linux and runs virtualization software Xen Hypervisor to segregate applications assigning them to domains. The developers decided to use Xen over other virtualization software because its code is compact and easy to audit.

    The user can define temporary coloured virtual machines for specific applications, for example, your email (Thunderbird), terminal (xterm) and web browser (Firefox) can all be contained within a virtual box, with one or more tools running inside each sandbox (called domain), if malware infects any of them it won’t spread to the OS and the domain can be restored to its original form. Qubes comes with KDE desktop, after logging in you will be shown Qubes VM manager listing the dom0 virtual machine, a default privileged Xen domain, and other virtual domains managing your network like netvm and firewallvm. If your network card drivers were to be compromised it would not affect the rest of the system integrity because networking has been virtualized.

    Linux Qubes OS applications inside virtual machines
    Linux Qubes OS applications inside virtual machines

    Qubes OS is a new approach to fight malware through easy to audit code, application isolation through virtualization and an easy to use graphical interface to segment the OS based on personal needs. You could sandbox your Internet browser with Qemu yourself or use Linux chroot to contain malware infections, but Qubes OS goes further than that, it virtualizes the whole OS, including network connection, firewall and external storage devices, it allows for advanced networking set ups based on different domain policies and the OS has been optimized to run lightweight virtual machines, Qubes OS principle is security by isolation, not the applications but the domains where the application dwells. This is not a veritable Linux operating system because it uses virtualization as its foundation with applications all virtualized in different compartments.

    One downside to virtualization is that you will need a huge amount of RAM, Qubes OS developers advice a computer with a minimum of 4GB and a Solid State Disk which is faster to write and read than traditional drives albeit more expensive. Computer security is made up of layers and Quant OS does exactly that, it builds as many layers as possible to make an attacker’s life very difficult, this is a very powerful operating system for advanced users with a unique approach to computer security that should be implemented in any high security environment.

     Visit Qubes OS homepage

  • Computer forensics Linux distribution CAINE

    Computer forensics Linux distribution CAINE

    CAINE (Computer Aided INvestigative Environment) is an Ubuntu based Linux distribution targeted at computer forensic investigators, from law enforcement to private digital investigators. It comes with friendly graphical interfaces for most forensic tools making this OS a good choice for students and computer forensic amateurs, as well as professionals. There is a front end called XSteg for Stegdetect, a tool to detect messages hidden in  images (steganography), dd, a command tool to mirror and restore files can be used with a front end called AIR (Automated Image & Rescue) supporting dc3dd an enhanced dd version that includes features like hashing and zeroing files specially developed for digital forensics by the US Department of Defense Cyber Crime Center. The Sleuth Kit, a set of command line tools can be used in CAINE through Autopsy, a graphical front end that looks like a browser, a command based network scanner called nmap can be used with point and click thanks to zenmap.

    CAINE computer forensics distribution
    CAINE computer forensics distribution

    Once you have finished your work CAINE makes it easy to create a written report as .rtf or HTML. For those who don’t know, unlike .docx or .odf (Open Document Fortmat), .rtf (Rich Text Format), files, although Microsoft proprietary, they are widely supported by most software and do not include metadata.

    Computer forensics live CDs are widely used during investigations because they do not write anything to the host computer, however you should use a widely tested distribution to make sure that it works as expected and do not trust what a community or vendor distribution claims because only wide testing can find out unexpected bugs.

    When you boot this live CD you will be given the choice to install the OS in your hard drive, I would not advise you to use CAINE as your everyday operating system because it comes with very few applications that are not computer related and it won’t be of much for a home user daily entertainment activities. You should not confuse this distribution with a penetration testing operating system like BackTrack, there are no offensive tools included in CAINE and only a few network related tools (WireShark, Cryptcat and Zenmap), CAINE purpose is to perform a post-mortem of a machine after an incident and gather data.

    Home users can use this live DVD to reset a user’s password on a Windows machine with chntpw , recover corrupted data with ddrescue, partition a disk with Gparted, or monitor a hard drive health and temperature with HDSentinel.

    Visit CAINE homepage

  • Steganography and encryption with StegHide UI

    Steganography and encryption with StegHide UI

    StegHide UI is a GUI interface for Steghide, an open source steganography program to encrypt and hide data inside images (.jpeg, .bmp) and audio files (.wav, .au), it allows users to do everything Stegide can do with a point and click mouse saving you the command line learning curve. There is a tab where you can use this steganography tool in command line mode were you to feel inclined to do so, StegHide UI offers you the best of both worlds, a GUI and command line all in one program.

    There is no need for installation, administrator rights are only needed to change the program settings. You can change the default encryption method, an already secure AES128-bit in CBC mode, set the default output folder or change the command line background colour, font and font colour. The only included help manual consists of the command line tab where you can type “help” and get a list of possible commands. GUI operation is fairly easy, to hide and encrypt files go to the “Embed” tab, select the carrier image or sound where to hide the data and the file you would like to hide, enter a password and choose the encryption algorithm and method using a drop down menu.

    Steganography and encryption StegHide UI
    Steganography and encryption StegHide UI

    To decrypt an steganographic message reverse the process using the “Extract” tab, enter the password and choose the output file with resulting extension, you will need to know what type of file is hidden (.txt, .mp3, .jpg, etc) to get the extension right and be able to view it with the correct program. There is a wide range of encryption algorithms available, the safest are AES Rijndael 128/192/256, Blowfish, TripeDES, Twofish and Serpent, other low strength ciphers like Enigma, Gost, CAST128/256 and Arcfour are included too.

    If you would like to defeat steganalysis, the art of detecting hidden data inside files, make sure to securely erase the original file, comparing two files side by side and looking at their differences it is possible to see that data has been embedded in one of them making the extraction easier for an attacker, but encryption with a strong password should still stop adversaries.

    Visit StegHide UI homepage

  • Erase hidden data with the Metadata Anonymisation Toolkit

    Erase hidden data with the Metadata Anonymisation Toolkit

    Metadata embedded in a document or media file can tell a lot about its author, creation time and date, original file author and modifications, location on a computer network where data was created, standards used and custom metadata can all be included in text documents, images, PDFs, spreadsheets, video files, music and others, most people are not even aware that they are leaking information in the documents they publish on the Internet and free tools like Metagoofil, included with Backtrack, can easily extract this metadata and expose who is behind certain document or image and where and when it was taken.

    Supported file formats

    – Portable Network Graphics (PNG)
    – JPEG (.jpeg, .jpg, …)
    – Open Document (.odt, .odx, .ods, …)
    – Office Openxml (.docx, .pptx, .xlsx, …)
    – Portable Document Fileformat (.pdf)
    – Tape ARchive (.tar, .tar.bz2, .tar.gz)
    – ZIP (.zip)
    – MPEG Audio (.mp3, .mp2, .mp1, .mpa)
    – Ogg Vorbis (.ogg)
    – Free Lossless Audio Codec (.flac)
    – Torrent (.torrent)

    Tails Metadata Anonymisation Toolkit
    Tails Metadata Anonymisation Toolkit

    The Metadata Anonymisation Toolkit will remove all metadata in files leaving it empty, however watermarks or steganographic tags won’t be removed but unlike metadata being added by default by many utilities, like Microsoft Office adding author name and smartphones adding GPS coordinates in photographs, watermarks are not usually inadvertently added and the original author will likely be aware of their existence, often inserted to track down forbidden sharing of confidential documents or pre-release movie versions. Summing up, MAT will protect you from accidental metadata leakage but not from customized metadata specifically included to track down the author.

    This software can be found in Tails, JonDo Live-CD and Debian Linux, if you need a Windows or MAC tool check my list of programs to edit Exif data.

    Visit Metadata Anonymisation Toolkit homepage