Hacker 10 – Security Hacker

Hacker10

  • GPG email encryption hardware device Kinko

    GPG email encryption hardware device Kinko

    Kinko is an crowd funded project building an external hardware device for email encryption and decryption that will work in the background with any operating system using well established open source technologies like GnuPG and OpenSSH.

    The Kinko Project supports Intel and ARM architectures, translated into plain English this means desktop and single board devices like the BeagleBoard. A pocket sized Kinko prototype already exists and it has a microSD slot for data storage, 512 DDR3 RAM and a fanless design with a Rhombus Tech ARM A10 Cortex-A8 CPU.

    Kinko comes with a front end to manage GnuPG keys, a simple to use webmailer running Dovecot, offline IMAP and SSH. It is like running your own small email service at home with support for up to 10 people. Kinko is compatible with any email client but it will not work with webmail services, the only way to send email through a web interface is by means of Kinko’s build in webmailer.

    Kinko GPG hardware email encryption
    Kinko GPG hardware email encryption

    There is no central server with access to your encryption keys, when you receive an encrypted PGP email Kinko will automatically decrypt it using the keys manually added to the box, detecting public keys attached in the email message or fetching them from a keyserver. User intervention is kept to a minimum, you will only be asked if a recognized public PGP key should be accepted or not.

    What Kinko can not do for you is to encrypt email metadata, this is impossible due to OpenPGP specifications but you have the option to replace email subjects with a standard innocuous phrase.

    Email messages are sync in between your computer and the Kinko box with IMAP, the connection is secured with TLS and a private encryption key that only Kinko knows. To access your email outside your home Kinko can be tunnelled to the public Internet with OpenSSH and accessed with any email client supporting IMAP or a web browser.

    The price of the Kinko box is not yet known but I am elated with the specs and initial presentation. I only see two downsides, one is having to plugin yet another device to my collection of computer hardware, and the other one is storing my email messages at home.

    PGP email encryption Kinko Project
    PGP email encryption Kinko Project

    All data is encrypted and password protected when you first set up Kinko, but that will not stop physical threats to hand over the password from anybody breaking into my house, adding that in some countries it is illegal to withhold your password from law enforcement.

    I think that the device is extremely user friendly and time saving but something Kinko will not do for you is convincing or training your friends and colleagues about the importance of email encryption. Until people is willing to use PGP for email, it won’t matter how comfortably you can encrypt and decrypt messages, there will be no mass adoption.

    Kinko is something that small businesses might want to look into, private users will have to consider first what are the chances of abusive law enforcement breaking into their home and demanding the password for their encrypted Kinko email box.

    Visit Kinko Project homepage

  • Send large files securely with Binfer

    Send large files securely with Binfer

    Binfer is a program to share large files without having to upload and download them like in FTP or a cloud online storage space. Binfer uses P2P technology, it only requires you to drag and drop the desired file on Binfer’s window and you will not have to encrypt or password protect the data, everything is automatically encrypted with AES128-bit, encryption keys are changed for each file transfer and there is no central server that could be compromised.

    The software is written in Java, it works in any operating system, Windows, Mac or Linux, with an Android and Internet browser app to share files with others on your mobile device without having to install anything. But you will speed up the process if you have Binfer in your computer.

    Sharing big files with Binfer
    Sharing big files with Binfer

    When you first install Binfer you will be prompted to create an account using a valid email address, if the welcome email they send you bounces, your account will be automatically deleted.

    The interface various tabs look like the P2P program utorrent. In them you can monitor in and out file transfers, reports, see contacts and access a built in email client attaching files of any size to send to your friends for them to download clicking on the received link, but they will need to be using the same program to download it.

    Binfer is a good solution for those who often share big files, similar Peerio to but with more functions.The only thing is that the free mode has a file size limit, you should look into Bittorrent Sync before parting with your money for Binfer.

    Visit Binfer homepage

    Update: I have had a spammer in this blog linking to Binfer. I can’t prove who is behind this, other than to say all fake comments (now deleted) were made by IP 71.194.2.92 using different nicks.

  • Freeware text encryption program BCTextEncoder

    Freeware text encryption program BCTextEncoder

    BCTextEncoder from Jetico is a free small portable application to encode and decode text, password protecting it with AES256-bit symmetric encryption or public encryption keys that can be either imported from a file or generated for you with the included BestCrypt Key Manager from where you can manage key pairs with the standard PKCS-12/X.509 format.

    Encrypted text can be easily copied to the clipboard or saved as .txt file, the toolbar also has an envelope logo to directly send encrypted text by email opening your email client, but during my test this function did not work for me and clicking on “Send encoded text by email now” would pop up an error window. I could not fix this problem but you can still copy and paste the text anywhere you like, from Usenet clients to webmail. The only detail is that encrypted text will be appended with the line “Version: BCTextEncoder Utility“, giving away the software and version that you have used to scramble the text but it is not a security risk if the encryption is sound.

    Text encryption program BCTextEncoder
    Text encryption program BCTextEncoder

    The program comes with a help file and it is very well documented at user and technical level, with a diagram explaining the encryption process. First the text is compressed with zlib, a software library for data compression, then you decide whether to use symmetric AES256 or asymmetric RSA for encryption, a third step converts the text to readable Base64, an encoding scheme to represent binary data as text, and after that you are ready to securely send the ciphered message wherever you like. Just note that BCTextEncoder only works for text, if you would like to cipher files, like images or videos, you will need a different program.

    It is impressive that such a tiny program packs so many powerful features and although it is closed source, Jetico is a Finnish company that has been around for many years developing security products, which gives more peace of mind than a one man hobby program.

    As usual the only challenge will be to convince the receiver to download BCTextEncoder to be able to decrypt the messages you send, this can be done with your best friend but when you have a group of people with a different operating system you are not very close to, it gets harder to agree on an encryption standard. BCTextEncoder only works in Windows.

    Visit BCTextEncoder homepage

  • ETHICmail, the legal resistant email service

    ETHICmail, the legal resistant email service

    ETHICmail is a secure email service that aims at stopping massive and illegal surveillance orders. ETHICmail secures your connection to their servers with SSL Perfect Forward Secrecy, 4096-bit digital certificates and their proprietary SecureStorage AES 192-bit encryption engine for data storage.

    One unique ETHICmail feature not found elsewhere is emergency remote full data wipe of your email messages by sending a mobile phone SMS code to your account. ETHICmail also has a specialist legal team that reviews and challenges unfounded surveillance orders, Gmail claims to have that too so I would not call the last feature unique but ETHICmail notifies the individual when they receive a warrant against him whenever it is possible.

    ETHICmail legal resistant email
    ETHICmail legal resistant email

    ETHICmail email login interface has a banner on top listing a help phone number in Switzerland and displaying how many surveillance warrants have been served to them up to date, divided by interception and data seizure warrants.

    Their email interface is clearly a customized cPanel UI, offering you Horde, RoundCube, SquirrelMail and ETHICmail logins, each one with a different layout, if you have used cPanel before you feel comfortable using it. If you wish, you can use your own domain name, it is easy to add, ETHICmail customer panel is based on WHM, a standard administrative web host manager deployed by most hosting companies.

    Your emails are kept encrypted with ETHICmail SecureStorage but you have to encrypt messages before sending them out, this is not done by ETHICmail for you like Hushmail or Countermail do, you need to be familiar with PGP encryption and manage the whole process.

    ETHICmail headquarters are in the Seychelles, a very privacy friendly jurisdiction, but I found out that part of their staff is is based in Gibaltrar, a territory ruled by British law. Being Britain NSA best buddy and a country where mass surveillance is routinely carried out with full government support, I wasn’t exactly thrilled. I am not sure how it affects legal subpoenas having the distribution centre offices in the United Kingdom.

    A disturbing problem with ETHICmail is that the company claims that they only accept 10 type of surveillance orders, ranging from terrorism to copyright infringement. The accepted interception orders cover every single kind of crime, from the most severe to the most minor.

    ETHICmail SecureStorage IP restriction
    ETHICmail SecureStorage IP restriction

    I don’t believe that any email service should help break the law, but when you start accepting surveillance orders for crimes that do not even carry a prison sentence, what is the point of paying extra for a self-proclaimed “legally resistant email service“. Not surprisingly law enforcement has been know to lie, there is no way ETHICmail can know if the copyright infringement really occurred or if it is something made up by a spy agency to get hold of the data.

    Positive ETHICmail points are that emails are stored encrypted with your own private key to which the company has no access and they claim to be unable to recover encrypted data, you can wipe your account remotely with an SMS message and there is computer IP control restriction to whitelist account access.

    Negative ETHICmail points are having part of their business in British soil, not providing automatic OpenPGP encryption when you send email like some of their competitors do and very expensive prices. ETHICmail legal assistance addon worth thousands of dollars is only affordable to big corporations.

    If you are an individual, you can find better price and features in Countermail, Hushmail or AnonymousSpeech. If you are corporation with a huge budget maybe you want to consider ETHICmail but not managing OpenPGP keys would bother me because the average employee does not have a clue about PGP and without it you are open to illegal in transit email wiretapping, another big blunder is that I could not see the interface being mobile device friendly

    Visit ETHICmail homepage

  • Intrusion Detection Linux distribution Security Onion

    Intrusion Detection Linux distribution Security Onion

    Security Onion is a Ubuntu based Intrusion Detection and Network Security Linux distribution for professionals. It can run as a live DVD or installed in your hard drive with just a few clicks. The distribution comes with well known offensive and defensive digital tools that are not very beginner friendly, you need to have a computer security background to understand what the tools do.

    Fortunately Security Onion developers have uploaded a series of YouTube tutorials explaining how to search DNS traffic, how to use Sguil, Squert, Snorby and tcpreplay, there is also a well documented Wiki, a mailing list and Freenode IRC channel where you can post questions. If you wish to learn about digital forensics and hacking this will be a good place to start.

    Intrusion Detection Linux distribution Security Oniion
    Intrusion Detection Linux distribution Security Onion

    Security Onion default window manager is XFCE, a minimalist lightweight desktop environment. You will find a basic Xubuntu software base, like the Synaptic package manager, text editor Abiword, graphic editor the Gimp and a couple of Solitaire games with a considerable bundle of network inspection software, the expected WireShark packet sniffer, Suricata, Xplico and Network Miner for network forensic analysis, Snorby, ELSA, Snort and a long etc of tools that security professionals will quickly recognise.

    There is no root password in Security Onion, a default Ubuntu based distribution setting. Your account already has sudo permissions and you can add a new user with sudo adduser

    This is an actively supported distribution, one of the developers is a SANS Institute GSE Community Instructor and other seasoned security professionals are also involved, a two training class about Security Onion has already taken place, with enough demand there is no reason why this should not happen more often.

    Security Onion is a proper alternative to BackTrack that has all the tools a pen tester and digital forensics professional needs to detect network intrusion and test network defences before and attack happens. Security Onion is well documented with community based online support.

    Definitely a distribution to look at if you work in the IDS field or if you would like to learn more about real computer security that actually needs some skill and it is not a point and click script kiddie cyberweapon.

    Visit Security Onion homepage

  • Secure chat communications suite GoldBug

    Secure chat communications suite GoldBug

    GoldBug is an open source secure Instant Messenger with cascade encryption, a way to secure your messages using multiple ciphers, also known as multiencryption. The program main features are encrypted groupchat, sending of encryption keys encrypting them, end to end encryption, public IRC channels with encryption, integrated BitMail, chat over Tor, forward secrecy, sending of random fake messages to confuse eavesdroppers, authenticated chat and many others.

    This program constitutes a full suite of chat utilities using encryption with the advantage that you will be able to interact with your friends in multiple different ways without having to install new software, and the disadvantage being that so many buttons and technical terms can be confusing.

    Encrypted Instant Messenger GoldBug
    Encrypted Instant Messenger GoldBug

    Documentation is clear and comprehensive, you can read every single feature detail in GodlBug website or download a .pdf help manual. GoldBug interface is fairly workable, with tabs quickly switching in between features, one click takes you to the IRC chat window and another click to the StarBeam filesharing and another click to the Instant Messenger chat.

    After installation you will be asked to create a username and password with a minimum of 16 characters before generating the public encryption keys. GoldBug uses end to tend encryption with multiple layers implementing trusted open source cryptology like GnuPG and OpenSSL, you can set your own encryption components with RSA, EL Gamal and DSA, customizing key size, cipher, hash and iteration. Tailored integrals that should not significantly increase your security level, but nice to have anyway, the more security variables, the more an attacker will need to fingerprint you before launching an attack on the scheme you are using.

    This program looks and security resembles my previously reviewed FireFloo Communicator, both programs appear to share part of the code but GoldBug has many more elements like the IRC chat, Tor and file sharing, and it is fully documented, I liked it much more because of this.

    I liked that the messenger is open source and it adopts known encryption algorithms and technologies. I would feel reasonably safe behind this program, favouring it over others because third party data retention is not possible in GoldBug as there is no central server and all of the different ways it has to securely communicate with each other peer to peer, it comes out as a well thought messenger.

    I wish other developers would stress user documentation as much as GoldBug has done, this is a first class secure communications program.

    Visit GoldBug IM homepage

  • Bypass ISP Internet censorship with ShadowSocks

    Bypass ISP Internet censorship with ShadowSocks

    ShadowSocks is a cross platform socks 5 proxy available for Windows, Mac, Linux, Android and iPhone, the proxy can pierce corporate or ISP firewalls and access censored sites. If you find yourself in a situation where OpenVPN traffic is blocked or throttled, ShadowSocks is a good alternative to a VPN and it can be installed in OpenWRT routers to tunnel the entire network traffic.

    The software tunnels and encrypts your Internet browsing, if you want to use an Instant Messenger or BitTorrent, you will have to configure those programs settings to use the applicable Socks 5 proxy and port.

    Socks 5 proxy ShadowSocks
    Socks 5 proxy ShadowSocks

    The program comes with a graphical interface from where to select a server IP, if you have your own server, or choose one of the available ShadowSocks public server IPs, port, password if needed, socks 5 proxy, encryption method and time out for requests.  It would be moderately difficult for somebody who is not familiar with proxies to use ShadowSocks, the online help manual is clear but it contains technical terminology.

    ShadowSocks Android version has a configuration option to bypass tunnelling for all sites located in China so that the proxy is only used for foreign sites which are the ones blocked by the Great Firewall of China. Unfortunately you need a rooted device to use ShadowSocks in Android and it only works with Wi-fi, the developers aim to add G4/LTE support in the future.

    ShadowSocks asynchronous I/O technology makes browsing the Internet faster than OpenVPN but that in the end speed will depend on the server load and ping even if the protocol is light on resources. The greatest benefit of using ShadowSocks is that it is easy to set up your own ShadowSocks server on a cheap VPS, I personally would prefer surfing the Internet with OpenVPN or an SSH tunnel unless OpenVPN did not work and SSH ports were blocked.

    Notice that this program has been designed as an anticensorship tool and not to make you anonymous on the Internet.

    Visit ShadowSocks homepage