Hacker10

  • DropKey for Mac OS X to easily encrypt and email files

    DropKey is a Mac OS X tool (Lion and above) for easily encrypting and sharing documents using public/private key encryption. You only have to drag and drop any file you want to encrypt on top of the DropKey icon that appears in the menu bar and it will be encrypted automatically. Specifying who to send the file to will create a new email message with the encrypted attachment; only the person whose public encryption key has been used will be able to view it.

    Your public encryption key is stored in your personal contact record in the Address Book and it can be safely attached to a vCard file (.vcard) to send to your contacts. Any file encrypted by a sender using your public key can be opened by you without entering a password. The secret private key in your possession decrypts it and makes sure that nobody else can access the file.

    It is possible to guard against man-in-the-middle attacks, where an adversary sends you the wrong public encryption key, making you believe that it is your friend’s, so that you encrypt your personal files with it. DropKey can generate 4 random dictionary words with each encryption key; asking the person you are communicating with to verify those words, over the phone or instant messenger, will guarantee that it is his key. This is akin to a digital fingerprint formed of random letters and numbers; DropKey has tried to make the system easier for the average user by using pronounceable words instead of random characters.

    DropKey Mac OS X file encryption

    This program is very easy to use and it integrates with your address book. The private encryption key is kept in OS X’s built-in Keychain Access app; to see it you will be asked for the administrator password. DropKey can also be used to keep personal files encrypted without emailing them: simply choose a place to save the file after encryption. Multiple files can be encrypted at once. The developer created this app for people wanting to email documents securely and not for those who need secure data archiving, and the functionality reflects that.

    No data ever leaves your computer unencrypted; the encryption and decryption process takes place locally. The recipient will need to have DropKey installed but doesn’t have to buy the software just to decrypt data, as trial mode decryption never expires. I can foresee a big problem with this app: you won’t be able to communicate with friends using Windows or Linux computers, and for that reason I would advise you against it and to go for GPGTools instead, which is compatible with any other OpenPGP software.

    Visit DropKey on iTunes

    Notice: Link updated to iTunes, original site is down, app is not free.

  • HotSpotShield alternative, free VPN SpotFlux

    Spotflux is a free VPN for Mac and Windows computers. It can help you get around censorship in countries where ISPs block websites. Theoretically it can bypass computer Internet filters, but it is not portable and you need administrator rights to install it, so you won’t be able to use Spotflux in your college or workplace unless you have your own laptop.

    I tested their speed from Europe a few times and it gave me a consistent 1MB/1.5MB, enough to stream online video. Hovering your mouse over the Windows tray will show your given IP. Spotflux provides a US computer IP, allowing you to access CWTV, ABC, Pandora radio and other websites restricted to US residents only; I tried to watch Hulu and it worked fine, the same with Pandora Radio.

    During installation the software will ask you to install a device driver and also to run Java. This is one part that I did not like: I have used multiple VPNs in the past and I have never been asked to run a Java app. Java runs locally on your computer, it has been exploited in the past, and it could endanger your security unless you are really sure that the place you downloaded it from is trustworthy.

    Free VPN SpotFlux

    Spotflux settings are very simple, consisting of automatic updates, proxy configuration and interface language. What makes this VPN different from others is that they scan and filter all pages you request for malware and viruses; tracking cookies are filtered out too. Nearly all advertisements are blocked. As a blogger I find this VPN unethical; the reason why I don’t update hacker10 more often is that the scarce income I make here does not justify my posting time. Browser addons that block adverts give people configuration options to target only websites that abuse privacy or are overloaded with adverts, whereas Spotflux blocks adverts on all sites. If you use it to visit your favourite sites you will deprive them of advert income and eventually kill the site.

    Spotflux’s privacy policy doesn’t mention what logs they keep or for how long, but they say that they will use deep packet inspection of user traffic to cooperate with law enforcement if necessary. This is definitely not a VPN to be used for privacy, even if they claim so. I don’t know how they make money with it; I will speculate that Spotflux might start charging for extra services in the future. HotSpotShield’s privacy policy is equally bad, but they don’t have any system in place filtering the sites you visit for “privacy reasons”. I would say that both VPNs, SpotFlux and HotSpotShield, are OK for watching US online TV and that is it; never use a free VPN like them to check your email if you care about your online privacy.

    UPDATE December 2012: After using Spotflux again I noticed that the installer comes with sponsored software; you can refuse to install it by unchecking a tickbox. SpotFlux is also blocked on Abc.com, where I get a message saying that I have to disable ad blocking programs before I can watch their videos.

    Visit SpotFlux homepage

  • GPGAuth logs into a website using GPG/PGP keys

    GPGAuth is an authentication mechanism that allows you to use public/private encryption keys (GnuPG, PGP) to log in to a website. There is no need to remember any password or username; GPG keys act as username and password verification is carried out in your browser. The trust level for each website can be specified in the GPGAuth options, such as making sure that the User ID matching the domain has been signed by one of your trusted keys.

    Keyloggers are easily defeated as you don’t have to type in anything, and the server’s owner is given the public encryption key beforehand, making man-in-the-middle attacks extremely difficult. With GPGAuth you won’t need to remember multiple passwords for every different site; it can be used as a single sign-on system. It is possible to create multiple User IDs from a single GPG keypair, which allows for various online identities if needed.

    Chrome GPG addon GPGAuth

    The downside is that the website you are using must offer the possibility of using GPGAuth, and it hasn’t exactly caught on. The browser addon is only available for the Chrome browser at the moment. The project uses the FireBreath framework to be cross-compatible with Windows, Linux and Mac computers and all major browsers, so there is no technical reason stopping it from being ported to addons for other browsers in the future. If Chrome is your main browser you could use it in conjunction with WebPG, a GPG key management addon from the same author; otherwise you will need to have some kind of OpenPGP-compatible software installed on your computer.

    Visit GPGAuth homepage

  • FBI seizes anonymous remailer from Rise Up Network facilities

    A server physically located in a colocation facility in New York shared by left-leaning organizations Rise Up Networks & May First/People Link was seized two days ago, 18th April, by the FBI, which turned up with a search warrant. The server belonged to the “European Counter Network”, an Italian group defining itself as “antifascist”; it provided email accounts, mailing lists and website hosting for activists, and remailing to the public. It appears that an anonymous person sent more than 100 bomb threats over a period of months through the Mixmaster remailer network to the University of Pittsburgh, leading to numerous building evacuations while the police cleared all false alarms. No arrests have been made so far but the investigation remains open.

    Riseup’s press release calls the server seizure an attack on free speech that has left artists, historians, gay rights groups, feminists and others without mailing lists and email accounts; various websites have also been taken offline as a consequence of the seizure. Riseup claims that, while sympathizing with the University of Pittsburgh community, they do not understand why the FBI has taken the server when “authorities knew that the server contained no useful information that would help in their investigation”.

    Anonymous remailer

    Mixmaster remailers resemble the Tor proxy network in that they do not log anything and work in chain mode. Normally three servers in different jurisdictions are involved in routing an email before it is finally delivered to an inbox, but more servers can be involved if the sender specifies it in the settings. Mail servers running the open source Mixmaster software remove header information to make it impossible to find out the sender, and messages are deliberately held for some time to avoid time-based attacks, so it can take days or hours before an anonymous email is finally delivered.

    A Mixmaster remailing server has been designed to make it impossible to trace emails back to the original source. For the system to fail it would be necessary to seize all of the servers involved in sending a message and to recover erased logs, assuming they ever existed. A new protocol called Mixminion is in development and intended to replace Mixmaster in the future.

    More information: EFF article about remailer seizure

  • Hyperboria, censorship resistant darknet based on CJDNS

    CJDNS is an open source project building a censorship-resistant decentralized network. The routing engine has been designed for security, scalability, speed and ease of use. CJDNS runs on top of your ISP’s network and provides you with an internal IPv6 address generated from a public encryption key.

    A virtual network card (TUN device) is used to send data to anyone connected to the network. What makes CJDNS different from other decentralized P2P projects like PirateBox is that it is routable over the current Internet, so nodes can be reached anywhere in the world. In the future, as the number of nodes increases, data packets can be sent wirelessly in ad-hoc mode. No DNS is required to access a node; if DNS is ever implemented it will be made decentralized and secure. At the moment the user only needs to know the IPv6 address and paste it in the browser.

    Project MeshNet CJDNS flowchart

    Man-in-the-middle attacks are not possible because public key encryption is used to send packets. CJDNS provides privacy too: other users can’t locate people by simply looking up their internal IPv6 address; node operators could track a user down, but only if the community helps them out. Unlike the Tor network, the node operator that gave someone access to the mesh can deal with abuse and ban people. A CJDNS network abuse policy will have been democratically decided by those who are part of the network, stopping Government interference and frivolous multinational lawsuits. CJDNS is not trying to replace Tor, it wants to replace the Internet; the idea is that with all hardware working in P2P mode a single person can’t be intimidated into shutting down the network, as there isn’t any central infrastructure that can be attacked.
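
    How an address "generated from a public encryption key" lets a peer detect a substituted key, as an added example that is not from the original post or the CJDNS code base: cjdns takes the first 16 bytes of a double SHA-512 of the 32-byte public key and accepts only results inside fc00::/8, so anyone can recompute the address from the key they are shown. The candidate keys below are constructed hash outputs standing in for real Curve25519 public keys, and the function names are illustrative.

```python
import hashlib
import ipaddress


def cjdns_address(public_key: bytes):
    """Map a 32-byte public key to its IPv6 address.

    Returns None when the result falls outside fc00::/8, in which case
    the key is discarded and another one has to be generated.
    """
    if len(public_key) != 32:
        raise ValueError("public key must be 32 bytes")
    digest = hashlib.sha512(hashlib.sha512(public_key).digest()).digest()
    if digest[0] != 0xFC:
        return None
    return ipaddress.IPv6Address(digest[:16])


def find_usable_key(seed: bytes, max_tries: int = 100_000):
    """Constructed stand-in for key generation (assumption of this example).

    Real nodes draw random Curve25519 key pairs; here candidates are
    derived from a seed so the run is repeatable. About 1 in 256
    candidates lands in fc00::/8.
    """
    for counter in range(max_tries):
        candidate = hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        address = cjdns_address(candidate)
        if address is not None:
            return candidate, address, counter + 1
    raise RuntimeError("no usable key found")


def peer_is_authentic(claimed_address: str, presented_key: bytes) -> bool:
    """True only if the presented key hashes to the address that was dialled."""
    derived = cjdns_address(presented_key)
    return derived is not None and derived == ipaddress.IPv6Address(claimed_address)


if __name__ == "__main__":
    key, address, tries = find_usable_key(b"constructed-demo-seed")
    print(f"usable key after {tries} tries -> {address}")
    impostor_key, _, _ = find_usable_key(b"constructed-impostor-seed")
    print("genuine key accepted: ", peer_is_authentic(str(address), key))
    print("impostor key accepted:", peer_is_authentic(str(address), impostor_key))
```
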

    As with darknets, to join CJDNS you will first need a friend inside to give you access; once in the network you can connect to everyone else. Hyperboria is the main CJDNS network, composed of dozens of nodes. To connect to the IPv6 addresses of Hyperboria sites you will need to be running CJDNS. It doesn’t matter if your computer is using IPv4, as CJDNS encapsulates IPv6 into IPv4 packets for routing.

    The network is resistant to Distributed Denial of Service (DDoS) attacks because it has too many nodes to bring down; this makes CJDNS resilient to natural disasters too, as there isn’t a single point of failure. CJDNS can be installed on OpenWRT routers and on Mac and Linux computers, and Windows support is being tested. Hardware requirements are low, and if you run a node you can host anything that doesn’t go against the community values.

    Visit Hyperboria homepage

  • Code Talker Tunnel disguises Tor traffic as Skype video calls

    Countries like Iran and China routinely block public Tor IP addresses. To get around this problem, relays called Tor bridges are not made public and are only provided to users living in repressive countries on request. According to recent research from Internet security firm Team Cymru, China’s Great Firewall can distinguish between normal traffic and Tor traffic using SSL deep packet inspection; one factor used by the Great Firewall of China to detect Tor traffic is the Tor proxy SSL cipher list, among others. Communications cannot be read because they are encrypted, but a bot attempts to connect to the suspected Tor server IP, passing itself off as a user; when it confirms via a successful connection that it is a Tor bridge, the Tor server IP is added to the list of blocked IPs in the firewall.

    Iran has also been reported in the past to have an Internet censorship system able to identify the beginning of a Tor proxy SSL handshake and interrupt it.

    SkypeMorph disguises Tor proxy traffic
    Code Talker Tunnel disguises Tor proxy traffic

    SkypeMorph, renamed Code Talker Tunnel, uses traffic shaping to convert Tor packets into UDP (User Datagram Protocol) traffic, preventing deep packet inspection from recognizing Tor data as such. Code Talker Tunnel traffic shaping mimics the sizes and packet timings of a normal Skype video call. The developers of this tool at the University of Waterloo in Canada chose a VoIP client to hide Tor traffic because the flow of data packets, sending a request and waiting for a response with a long pause during transmission, resembles how a Tor proxy server works.

    SkypeMorph Code Talker Tunnel is a pluggable transport that will work with obfsproxy, a program developed by the Tor project itself for Mac, Windows and Linux users that masks Tor traffic as a different protocol specified using pluggable transports.

    Visit Code Talker Tunnel homepage

  • ArmorText Android app to encrypt SMS & MMS messages

    ArmorText is a free Android app to secure text messages. It uses RSA1024 and AES256bit to encrypt your SMS & MMS messages; the receiver will need to have the same app installed to be able to decrypt the messages. ArmorText will connect to the Internet after launching it for the first time to retrieve your friends’ public encryption keys. Security can easily be enabled by tapping an ON/OFF lock button. A Smart Predict option will detect when the app believes you need to encrypt your text messages (based on the last texts sent) and automatically turn security on unless you decide otherwise. The app can stop message forwarding by the recipient too.

    ArmorText is a pure text messaging solution, not a chat client, it only encrypts SMS and MMS messages with photos.

    ArmorText Android SMS encryption

    With smartphones increasingly used for mobile payments, email and online banking, they have become a prized asset for thieves. ArmorText will protect your data even when it is stored not on your phone but on that of the person you are communicating with. Messages are encrypted before sending, stopping man-in-the-middle eavesdroppers such as your network provider. Planned features for the future include controlling how many times a text message can be viewed, how long the message is available for, and non-repudiation.

    Update 2014: This app is no longer available in Google Play

    Visit ArmorText homepage