Hacker10

Run a SSH server in Android

SSH Server is a complete Secure Shell daemon, Secure FTP, Secure Copy and Telnet server Android app that doesn’t need rooting the device. After installing the app you will be able to enter an SSH server hostname and port, with optional public key encryption authentication instead of password and allowing X11 forwarding, a way to grant graphical information to pass through firewalls, giving you a graphical interface if the Unix server you are connecting to supports it.

Logging is very detailed, in verbose mode it includes filters and email logs, to save space it can be set to only record errors leaving connection logs out, the server is accessible from the Internet and you can whitelist IP addresses blocking everyone else.

Android SSH server app

The free version of SSH Server only allows for one server, it should be enough for most people, to connect to the server just use SSH command line from shell like you would do in Linux, in the form of:

ssh -v -l USERNAME ADDRESS -p PORT

With -v being for verbose -l for login and -p indicating the port, the server address should be the IP, the app supports dynamic DNS setting a permanent custom hostname that you can access, remaining always the same even if your device IP changes, companies like DynDNS can provide this service. There are other Android apps like Dropbear providing SSH capabilities to your phone but it requires root, and there is the connectbot app too but this SSH Server from Icecoldapps is the most complete, it comes with SFTP combined with SSH.

Visit SSH server in Google Play

10 February, 2013
Encrypt text and files with VSEncryptor

VSEncryptor is a free file encryption tool to secure messages and files, it comes with customization options allowing you to choose the cipher, AES128/192/256bit, RC2/RC4 stream encryption algorithm and DES or 3DES. During installation pay attention to avoid an adware toolbar from being introduced in your computer, you will also be asked if you would like to integrate VSEncryptor with Windows shell menu to quickly encrypt single files right clicking on them, this can be changed later on in options.

The software interface is very easy to understand, with just four buttons “Encrypt“, “Decrypt“, “Settings” and “Edit Data“, if you use it often you can manage all of the options with the shortcuts that come predefined in settings, the interface skin can be changed. After encrypting a file it will be recreated with the extension .encrypted but you can change the default extension to anything you want, optionally use the command line to manage VSEncryptor.

Free file encryption VSEncryptor

For high security encryption you should stick to the tried and tested AES256 cipher and set it as default in settings, the RC4 algorithm is normally utilized to encrypt streaming data in SSL and WPA, it can be vulnerable to attack when not used with a strong message authentication code (MAC). I was a little surprised that the developer referred to the RC4 algorithm by its original name, since it is trademarked by RSA Security and the encryption community often refers to it as ARCFOUR or ARC4 to avoid copyright problems. The DES algorithm is crackable using a brute force attack due to its poor 56bit keylength, TripleDES as the name suggests, triples DES keylength and there is no known way to crack it but AES has been much more widely analized by cryptographers and it is a US Department of Defence standard, it should be your first cipher choice.

If you need simple encryption and trust closed source software or have low security needs, VSEncryptor should do the job, just remember that people receiving your encrypted text of files will need to own the same software to decrypt the data.

Visit VSEncryptor homepage

9 February, 2013
Set up your own whistleblowing platform with Globaleaks

Globaleaks is an open source framework allowing any activist group to set up their own anonymous whistle-blowing platform, using Globaleaks software the whistle blower will be kept anonymous by default. The tool conceives a javascript HTML Globaleaks client that can be provided as a browser addon or invoked through a content delivery network. On the server side tor hidden services give protection against legal liabilities, not only for the sender but also the receiver who will not be able to find out who sent the documents.

You should not confuse this software platform with Wikileaks, Globaleaks does not provide a service, only the necessary software. When you set up a Globaleaks node you don’t become a part of any network, you own the node, with the responsibility of managing submitted leaked information falling on your side.

Globaleaks whistleblowing platform

Activists on the field can use a mobile phone to instantly submit photos, audio and video using GLDroid, a GlobaLeaks submission client for Android integrated with a tor proxy tool called Orbot.For those who can not use tor, Globaleaks allows Internet users to publish information via tor2web, a proxy service that can access hidden .onion sites through a web browser and does not require installing any extra software in the computer. Communication with the server is always encrypted end-to-end, a configurable time delay is introduced to stop a submission events being linked with an instant post on the website, document metadata clean up is optional and it will be up to each node administrator to turn it on.

A nifty feature I liked is the coloured badge that sites running Globaleaks display to the user, pointing out anonymity, encryption and browser security level. A downside to the high security tor layered proxy approach is that the server will manifest high latency issues and it will take several seconds or minutes for the site to respond, during that waiting period Globaleaks will provide information to the user about safe whistleblowing procedures, reassuring the submitter that everything is working.

Visit Globaleaks homepage

9 February, 2013
Encrypt and sync data in between folders with CryptSync

CryptSync is a free open source utility that synchronizes multiple files in between a pair of folders and encrypts the content of one of them with the aim to upload the encrypted data to the cloud keeping the original unencrypted files locally, synchronization works both ways, whenever there is a change in one of the folders it replicates into the other, the utility also encrypts file names as they sometimes reveal details, the files are all separately encrypted and have the extension .cryptsync. You could also store data inside an encrypted Truecrypt container and upload it to the cloud but you will have to update everything manually while CryptSync automates the process, the idea is to use this program to store encrypted data online with minimum effort, and it does a good job at that.

CryptSync encrypted folders

Encryption is implemented with 7-Zip, an open source archiving software that highly compresses files, saving space, if you need to open an individual encrypted file in the cloud you can save it to your hard drive and open it with 7-Zip together with your CryptSync password. Software features are minimal, a “Start with Windows” option, “Run in the background” and “Create a New Pair“, you have to be careful when you erase a folder pair because no confirmation is asked for, but no data will be lost even if you erase the pair by mistake, only the settings are erased, you can use this application from the command line too.

There is no help manual included but the author has a very complete explanation on how CryptSync works on his website. I would not use this tool if you already have an account with a specialist privacy focused cloud company like SpiderOak or Teamdrive since their software already encrypts your data locally before reaching their servers and they have no access to the encryption keys or backdoor. CrypSync will be useful in shady cloud storage services that have minimum security or built-in backdoors, like for example DropBox, where the company employees can access the encrypted servers where your data is stored, you could also use this utility in a network, securely storing backup files inside a NAS (Network Attached Storage) and keeping the original ones inside your fully encrypted computer.

Visit CryptSync homepage

9 February, 2013
Access Truecrypt and EncFS volumes in Android with Cryptonite

Cryptonite is an Android app that brings the FUSE based cryptographic filesystem EncFS and TrueCrypt to Android, you can link it to your Dropbox account with a single tap, after that you will be able to read and write on Dropbox EncFS volumes, exporting, viewing or uploading new files. Dropbox claims to keep data already encrypted in their servers but if anyone finds out your password account they will be able to read the files, encrypting them with Cryptonite you are placing a second security layer on top and block Dropbox built-in backdoor to your data.

To access your files offline sync them to a local folder with an app providing online storage synchronization, e.g. FolderSync. EncFS has a front end interface but Truecrypt is only available as a command line version, rooted phones that support the FUSE kernel, e.g. CyanogenMod, can mount an EncFS or Truecrypt volume, there is a Truecrypt work around to avoid having to use a rooted file browser, by typing “truecrypt –fs-options=”uid=1000,gid=1000,umask=0002″ volume.tc /sdcard/tc“. EncFS will use the encryption ciphers found in the system encryption libraries, Cryptonite allows you to select the encryption method, from a “Quick” Blowfish 128bit up to a “Paranoia” AES256bit with filename block encoding, other preferences include saving temporary files on an external SD card, setting up the mount storage point, clearing the cache and the “Chuck Norris mode” for experienced users that do not want to receive any security warning from the app.

Android Truecrypt compatible encryption Cryptonite

You can browse, export and open encrypted EncFS directories and files on your Dropbox and to your phone, when you open a file from a decrypted EncFS volume Cryptonite will produce a temporary copy in “/data/data/csh.cryptonite/app_open/path_to_your_file”, anyone with access to your phone could recover those files, the app includes a text viewer that works in memory and does not save any temporary copy, there are plans to add an image viewer in the future but right now there isn’t one and if you open an image a temporary copy could be made on the phone outside the encrypted container.

Note: App still in development and intended for advanced users.

Visit Cryptonite Android in Google Play

9 February, 2013
Facebook Privacy Watcher browser addon

Facebook Privacy Watcher is a Firefox addon to help you manage Facebook privacy settings using colour codes. Instead of having to pay attention to checkboxes and tiny text in Account Settings> Security hoping that you got everything right, Facebook Privacy Watcher will visualize public posts in green, friends only posts in orange, red posts only visible to you and blue coloured posts only visible to a subset of friends.

You can change any post privacy setting with a couple of clicks, colouring also works in your profile and photo albums. The addon runs in your browser no data is sent to the developer.

Facebook Privacy Watcher

This addon is not yet available in the official Mozilla addons repository but it is partly developed by the Technical Univeristy of Darmstadt which should give some peace of mind about malware.

Other security measures you might want to take to secure your Facebook account are linking it to a mobile device, enabling always on secure HTTPS browsing, choose a strong password and set up login notifications where Facebook warns you when your account is accessed from a device not previously used.

Visit Facebook Privacy Watcher homepage

5 February, 2013
Encrypted cloud storage with TeamDrive

TeamDrive is a cross platform (Windows, Mac, Linux) cloud storage service with uncrackable encryption, using AES256bit and RSA-2048 public/private key, data is encrypted in your computer before it reaches their cloud servers, Teamdrive has no way to access the files, limiting their legal liabilities since you can’t be compelled to decrypt something that you don’t have the key for, the encryption key remains in the user computer at all times.

To set up a Teamdrive account you are only required a valid email address, I liked that they have a portable version that can be carried in a USB thumbdrive or kept inside an encrypted virtual container (e.g. Truecrypt), but you will need to configure the default settings to make sure that there is no data leakage in the host computer, luckily Teamdrive software settings display the file path for data back ups and cache, a quick look will tell you where in the drive it is kept.

Encrypted cloud storage TeamDrive

The program is divided intro three tabs, “Spaces“, where you can create folders, organise your files and set access permissions for other members and with a right click send an invitation via email revealing the URL for the data you would like to share with others, optionally, spaces can be password protected. Another tab called “Members” lets you see who has access to a particular space and a third tab called “Activity” contains a very detailed log of file movements, like uploads and downloads with timestamps. To add files, manually select them or drag and drop inside the window, everything is quickly sync when there are changes, a trash can will save erased files that can be restored if you change your mind.

Inside settings you can configure a proxy if you are using it to access Teamdrive cloud storage space, the paid for version allows you to assign roles to other people, setting up administration rights, like being able to publish and delete files or remove other members from a shared space. There is support for smartphones, you can run the application in Android or iPhone The free version has limited storage space and bandwidth, indicated inside the application with a graph bar, enough for light file sharing.

Teamdrive is a decent alternative to SpiderOak and definitely better than Dropbox, where the company can decrypt your data, if you care about privacy drop Dropbox now.

Visit TeamDrive homepage

4 February, 2013