Hacker10

Review Yubikey two factor authenticaion (2FA)

Getting fed up noticing daily brute force attacks in the server logs I decided to upper the game and implement two factor authentication (2FA) in the blog login page, this way even if a trojan horse in my PC captures the long random password nobody will be able to break in.

The most common choice for two factor authentication is Google Authenticator, or a compatible mobile app like LastPass Authenticator or Authy. The problem I had with them is that I carry my mobile phone with me everywhere and I was afraid of losing it, together with the matter of mobile apps wasting time requiring you to enter a long random number in the login page. For those reasons, I decided that a hardware token authentication was preferable and I bought a Yubikey Edge and a Yubikey Neo.

The main difference in between the Yubikey Neo and the Edge is that Neo has NFC and it can be used with a smartphone or tablet that supports NFC, usually high end models, without the need for any USB port.

Yubikey Neo and Edge

Something to remember is that Yubikeys only work with the Chrome browser, Mozilla Firefox intends to add U2F support in the future but this has not been done yet.

Fortunately there is a Firefox addon called “U2F Support Add-on” that has been reviewed by the Mozilla team to make sure that it doesn’t have security complications and it works. I also use the Yubikey with Vivaldi, a Chrome based browser and it also works, this way I can avoid a pure Chrome browser loaded with Google spyware.

Before buying the tokens I researched on Yubico’s website what online services I could use the Yubikeys with, that was my first mistake. Trusting everything a manufacturer says when they are trying to sell a product is not clever.

Yubico lists self-hosted WordPress blogs as “supported“, after buying the Yubikey I found out that the plugin for WordPress is not developed by Yubico, it has been coded by an individual and it has not been updated for over two years, it rightly comes up flagged with a security warning in the WordPress plugin directory.

Will I expose my website’s security to a plugin not updated for the last 2 years that looks like abandonware? Sure not and I think that anybody who cares about their WordPress blog wellbeing should not use a Yubikey until a company or somebody reliable officially updates and supports the necessary plugin.

The second account I wanted to use the Yubikey with is my Google Account, again a problem comes up. I have no idea why it happened but facts are facts and after setting up the Yubikey with my Google Account and using it a couple of times it suddenly stopped working.

I attempted to make it work with a Chrome based browser (Vivaldi) and Firefox, I confirmed that my Yubikey was fine by going to Yubico’s demo page. For whatever reason my Google Account doesnt like the Yubikey, although officialy Google supports Universal Two Factor authentication tokens the Yubikey will not show up in the log in page anymore.

The third account I wanted to secure with the Yubikey is my Fastmail account, another unexpected obstacle I did not count on. It was remarkably painless for me to add the Yubikey to Fastmail, but then I found out that having a Yubikey added in Fastmail does not disable single factor authentication, all it does is to give you the choice to use a Yubikey to login into your email account from a public computer without having to worry about the password being stolen.

Yubikeys with Fastmail will not stop brute force attacks of your main username, and if anybody steals your login masterpassword you will lose your account. For me the whole point of setting up 2FA is making it impossible for others to access the account without the key and the password together, and Fastmail can not do that.

Yubikey Edge and Yubikey Nano with NFC

Yet more dissapointments trying to set up my Yubikey with Evernote, Yubico lists it as supported but I find out that that for it to work you have to install the Yubico Authenticator Desktop application and configure it with Evernote. It is not complicated but it means software has to be installed into your computer and time spent which defeats some of the purposes of using a hardware token for authentication, like simplicity.

Another problem, Dashlane is listed as one of the password managers supporting Yubikey to login, but only for a price, you can only enable a Yubikey with Dashlane if you have a paid account. Perhaps Yubico should have mentioned this on their page of supported services.

Conclusion Yubikey review

I am entirely out of love with the Yubikey, a few of the problems I had were not Yubikey’s fault, like Dashlane charging you money for the privilege of securing your account with it, but other problems like the outdated plugin for WordPress I feel it is partly Yubico’s responsability. They should have some kind of agreement or a developer to make sure that the most popular services work with the Yubikey and do not look like abandoned projects.

The commendations for the Yubikey are that it is sturdy, it needs no battery and I had zero problems about drivers, but until it works for real in major websites I am not going to recommend it to any of my friends and I would not trust any of the supported services listed on Yubico’s site. If you plan on using a Yubikey on a certain service, visit that page and get the information directly from them instead of Yubico.

Promising project, too bad it can’t be used as intended anywhere meaningful.

Visit Yubico homepage

5 May, 2016
Man using HideMyAss to harass ex-girlfriend arrested
A judge from Galveston County named Chris Dupuy has been forced out of office after being charged with online harassment for placing fake hooker advertisements with the photographs and phone numbers of two former girlfriends in the escorts section of a classifieds ads website.

Harris County Sheriff’s investigator Scott Hardcastle subpoenad Backstage.com to find out who had placed the adverts and found out that the IP had been masked with offshore proxy servers. Houston Press reports that the affidavit of the lead detective says that he “had worked backwards from the ads to trace masked IP addresses in Venezuela, Colombia and Germany.” and the articles goes into making fun of the software name “hidemyass.com“

If Chris Dupuy was using software to hide his computer IP, it could not have been Hide My Ass free online proxy as it is web based and there is no need for software, the article also mentions masked IPs in Venezuela and Colombia, servers that are not available to free users, only somebody with a paid account can access those proxies. Based on this Chris Dupuy was possibly using HideMyAss VPN and not the online proxy.

Click to enlarge Chris Dupoy HideMyAss

There are no further details on how the detective “traced masked IP addresses” from HideMyAss but the VPN provider logging policy page states that HideMyAss keeps logs of:
- a time stamp when you connect and disconnect to our VPN service;
- the amount data transmitted (upload and download) during your session;
- the IP address used by you to connect to our VPN; and
- the IP address of the individual VPN server used by you
The data is more enough to identify a customer if necessary and it is stored for in “between 2 and 3 months“, or “longer if required by law”, HideMyAss parent company Privax LTD operates from England and was recently acquired by AVG Technologies.

Futhermore, HMA terms and conditions do not allow using the VPN for filesharing, if you are found doing this “then we may store your VPN data for an extended period of time beyond the normal 3 month maximum“, and HMA online proxy is even more detailed than VPN logs, they record the address of every single website you visit and files you view, keeping it for 30 days.

If HideMyAss has handed over the logs for one of his users, which is not confirmed as there are no specific details on how the detective traced back the IP, this would not be the first time they help out the law enforcement, in 2011 Cody Kretsinger, was arrested thanks to HideMyAss handing over logs proving that he was responsable for hacking Sony.
13 April, 2016
U.S. government funding encryption apps used by the Islamic State
Despite all the FBI talk against encryption software, public records show that Radio Free Asia, a broadcaster funded by the United States Congress to help advance their foreign policy in East Asia, in 2012 created the Open Technology Fund, which in turn gave over a million dollars to Open Whisper Systems, the company responsible for developing the iOS and Android encryption apps Signal, Redphone and TextSecure, apps recommended in Twitter by various Islamic State members.

It is very bizarre that American taxpayers are financing development of the same encryption software that American officials say are helping terrorists evade surveillance and supposedly threatening intelligence services of “going dark“.

Some cybersecurity experts suggest that the NSA could be behind the funding to try to stay one step ahead of the game, presumably by influencing the development of the apps or gaining internal knowledge.

Open Technology Fund diagram

Just because the USA government is funding a privacy project it doesn’t automatically mean that the technology is not safe, it is also the US taxpayer who is footing the bill for developing Tor. A network used by drug dealers, terrorists and Chinese dissidents alike, and so far, the only arrests in Tor have been the result of zero day browser vulnerabilities, FBI identity theft in forums, Bitcoin tracing or other user related mistake, like, using the same nickname in the open Internet and the darknet.

There isn’t any known arrest due to the Tor network being broken in the same way that Freenet has been infiltrated by law enforcement.

Email for the security paranoid

If you don’t wish the NSA and GCHQ to illegally read your communications, the method below should allow you to bypass Internet wiretapping from intelligence services:
1. Open an account with an email provider that has encrypted servers (Tutanota,ProtonMail,Countermail).
2. Share the password of that account with your contact.
3. Write an email and don’t send it, save it in the drafts folder.
4. Your contact reads the draft email, erases it and replies writing another email that is never sent, only saved in the drafts folder.
Method Weaknesses
1. Email provider you have chosen is not as secure as they claim to be. Fix: Encrypt the message with a second layer using PGP or 7zip.
2. ISP middle in the man attack, breaks SSL connection to the email account and sees anything you upload Fix: Same as above, apply second encryption layer.
3. ISP sees metadata, sites you visit. Fix: Use Tor or a no logs VPN to connect to the email account.
Islamic State member Twitter account

The downside of the method above is that it is only be useful to communicate with somebody you already know.

For an open chat where you can post your address in public, you can open a Tor Email account and access it in your smartphone using Orbot or any other mobile app that allows you to connect to the Tor network, or as advised by the Islamic State Twitter account above, ChatSecure is the best form of anonymous communication using a smartphone.

The country where these Islamic terrorists are based, Syria, doesn’t have wide Internet access, it makes sense that a smartphone app is their preferred method of communication.

Open Whisper Systems financial details:

https://www.opentech.fund/project/open-whisper-systems
28 November, 2015
Police plants own computers in Freenet, log IPs, makes arrest

Freenet, a P2P network routing traffic across multiple nodes to hide people’s IP when filesharing, and often cited by the media as part of the dark web, appears to have been broken by law enforcement.

Court records related to Paul Bradley Meagher, a University of North Dakota police officer arrested for downloading child porn from the “anonymous” peer to peer network Freenet, reveal that the North Dakota Bureau of Criminal Investigation had been running an undercover operation in the network since 2011, planting their own nodes inside Freenet to be able to log people’s IPs and trace the final destination of users downloading illegal material.

The Dakota student news site relates how Investigating Officer Jesse Smith managed to get hold of Paul Bradley’s laptop still switched on and running Freenet on the Wifi network, law enforcement discovered child porn images during the preview before seizing the laptop, arresting the suspect, whom, at that point refused to talk with the investigators. Paul Bradley has now been charged with 10 counts of possession of child pornography and can be sentenced to up to 5 years in prison for each count, facing a possible 50 years in jail.

Freenet network jSite

The Grand Forks Herald from North Dakota cites detective Jesse Smith in the affidavit as admitting to her department running nodes in Freenet to be able to track people downloading files included in a list of known child porn file hashes from the police database.

Unsurprisingly, when a journalist contacted the Bureau of Criminal Investigation of North Dakota they declined to make any comment about the story, so little is known about how they track people. It could be because Freenet has far less nodes than Tor, or because Freenet code has some bug (it requires Java to run).

With further research I found that the ICAC Internet Crimes Against Children Task Force, in 2014 ran a Freenet workshop for law enforcement to present what they called the “Black Ice Project“. Quoted on their website as “This session will describe the basic functioning of Freenet, how persons exchanging child abuse material, the system’s vulnerabilities and how the Black Ice project exploits them.”

References:

“Child predators use technology, but law enforcement does too”

http://www.grandforksherald.com/news/crime-and-courts/3885134-child-predators-use-technology-law-enforcement-does-too

“Bail set for UPD officer”

http://dakotastudent.com/7191/news/bail-set-for-upd-officer/

23 November, 2015
Canadian police cracks Datalocker encrypted drive

According to the RCMP newsletter, after two and half years of trying to get in, Canadian police in Saskatchewan has managed to crack a hardware encrypted device storing child porn inside, this is the first time the police has managed to crack this particular device.

An article in “The Star Phoenix” also mentions that two Datalocker external hard drives were cracked, the brand of the drive is further confirmed by “Gazzete“, the Royal Canadian Mounted Police magazine (link below), their article about this case does not name the company but the photo in the article clearly shows a Datalocker device.

Datalocker encrypted drive

According to the police magazine, Datalocker destroys the encryption key after 10 failed attempts but the forensic team overcame this challenge. Sgt. Joel Bautista figured out that given the maximum password length and variable characters that DataLocker allows for, the police computer cluster could brute force the password in around 10 years at most, so they kept trying.

Datalocker key entry does not support upper case letters, only small case and special characters are allowed, this limits passphrase strength.

Datalocker CEO, Jay W King, has contacted me acknowledging that Canadian police asked Datalocker for assistance in this case and he claims that the company only disclosed “publicly available information in regards to our password rules“. He also claims that the device had no brute force protection and asked me to remove what he says is wrong information and not to use the word “cracked”.

I agreed to change the picture of the post as it was featuring a model that did not exist at the time, the post now displays the correct model, but I will not change the text.

The police forensics team says that they had to overcome brute force protection, I have no reason to believe the police is lying or wrong. And to avoid misunderstandings, I am going to quote in bold what the Canadian police magazine says word by word:

“The forensic team had several challenges to overcome, including defeating the brute force counter, a feature on the device that would be initiated after exceeding a number of failed password attempts.”

Datalocker CEO also claims that the model pictured in the police magazine does not come with brute force protection, but another article in “The Star Phoenix“, says that there were two Datalocker drives involved in this case, it is possible that the police newsletter photo is not showing both of them.

The CEO has also sent me an old prospectus, and he is correct that the Datalocker Personal and Pro are advertised as not having self-destruct mode, but, a third column in the same prospectus, reproduced below, shows a model called Datalocker Enterprise, encrypted using AES256bit, listed as having self-destruct mode.

Datalocker encryption modes

I am not going to argue about what device was involved in this case, because I honestly don’t know, but I can say for certain that the police claims that they had to “defeat the brute force counter“, textual words.

I am sorry man, but that is what the police says, I can’t change it. I invited Datalocker CEO to post whatever he likes in the comments section if so he wishes.

Sources:

RCMP police magazine: http://publications.gc.ca/collections/collection_2015/grc-rcmp/JS62-126-77-1-eng.pdf

Star Phoenix Story: http://www.thestarphoenix.com/technology/police+should+have+found+more+child+porn+evidence+gryba/11408124/story.html

6 November, 2015
Police cracks encryption software CrypticDisk and Acer

New top secret documents leaked by Snowden (link below) reveal that GCHQ, Britain’s spy agency, has a team to reverse engineering popular encryption software and they routinely collaborate with British police when they come across encrypted data during the course of an investigation. Since it is not needed to explain in court how law enforcement has managed to access the encrypted data, it can remain secret when GCHQ finds a vulnerability in an specific program.

In one particular case, GCHQ assisted the National Technical Assistance Centre, a domestic law enforcement agency, to decrypt child pornography stored inside a virtual encrypted container created with Crypticdisk and in another case, GCHQ cracked Acer eDataSecurity Personal Secure Disk for an undetermined “high profile police case“.

Acer eDataSecurity is a free file encryption utility that comes with Acer laptops. I was not able to find out what algorithm Acer is using for encryption but I learned reading the laptop manual that the user can choose a bit strength of in between 128bit and 256bit, the manual textually says that “If you lose your password, there will be no way to decrypt your encrypted file!“, it has not been designed with a backdoor, deducing that GCHQ cracked it on its own without assistance from Acer.

Exlade CryptDisk encrypted container

The other cracked software, CrypticDisk, from Canadian company Exlade, has thousands of companies and government agencies as customers. CrypticDisk can create a virtual encrypted disk or encrypt and external device, like a USB memory stick, where you can store data or programs, once the container has been closed, it is meant to be inaccessible, it works like Truecrypt and the company page mentions that CrypticDisk encryption keys can be made of up to 2944-bits in strength, with built-in support to open Truecrypt containers.

CrypticDisk containers can use multiple encryption algorithms in cascade, there is a selection of AES, Twofish, Serpent, Blowfish and CAST6. The encryption wizard advises that the more algorithms you choose in cascade, the higher the cryptographic strength.

There isn’t any clue in the leaked papers about how GCHQ cracked this software, I will make a guess of a bad implementation because the encryption algorithms are all open and AES has been widely reviewed by expert cryptographers. I am discounting the possibility of a user mistake choosing a weak password because British police is known to have a computer cluster where they can try thousands of dictionary words per minute, theoretically there should be no need for the UK secret services to help out law enforcement brute forcing a passphrase.

The same secret documents reveal that GCHQ has obtained a warrant from the Foreign Secretary so that they can not be prosecuted for breaching copyright law from proprietary software companies. The agency is also targeting antivirus companies to be able to send trojan horses to targets without being detected. KasperSky, a Russian antivirus company, is named in the documents as being a challenge to them.

Snowden documents: https://firstlook.org/theintercept/2015/06/22/gchq-reverse-engineering-warrants/

11 July, 2015
Censorship resistant hosting platform Zeronet

Zeronet is an open source decentralized peer to peer webhosting platform using cryptographic hashes and torrents to distribute websites and files. Any computer with an Internet browser and the software installed can access websites hosted in Zeronet. When you first launch your browser you will not see any IP in the toolbar, a Zeronet website is served from your own computer after downloading the files, your browser toolbar will show localhost:43110 and a cryptic address, supporting .bit domains, a peer to peer top level domain name managed by a decentralized registrar called Namecoin.

To make a website available in Zeronet you only have to host it in a single machine, visitors to the site will help distribute the content from their own computers when they view the pages, the more nodes/visitors a website has, the quicker it will be for others to download it, scalability is easy, when a site becomes very popular files are available from multiple sources.

Decentralised P2P webhost Zeronet

Zeronet users can see in the interface what websites they are seeding, how many peers it has and right click on one of the sites to update, pause or delete it from their system. Cryptographic hashes verify the integrity of the files in the website, it tells Zeronet what to download and protects from man in the middle attacks. When you upload a website to the network you will be handed over a private encryption key for when you wish to modify and update the content, visitors automatically use the public encryption key to verify that the files have been changed by the rightful owner.

The network is not truly anonymous, but their websites are quicker to download than hidden Tor sites, optionally you can run Zeronet over Tor to hide your computer IP from anybody tracking file downloads although this will slow it down. Zeronet also comes with a guestbook and forum where to debate and post links to internal websites that are not accessible using the regular Internet, only people with the software installed can access websites.

Zeronet should work very well for Chinese surfers craving for information about the national liberation struggle in Tibet, but if the content is banned worldwide, this network isn’t going to cut it. Since it is possible to find out what computers are hosting the content, authorities can knock on the door of people distributing those files until not a single one of them is left.

Personally, I don’t believe in censorship resistant networks that don’t provide anonymity by default and I am skeptical of the need for this project when Iranian or Chinese users can download a VPN proxy to access banned information instead of using Zeronet with access to a limited range of websites.

Visit ZeroNet homepage

10 June, 2015