Hacker 10 – Security Hacker

Hacker10

  • PirateBox wireless network for private file sharing

    PirateBox wireless network for private file sharing

    Piratebox is a self-contained hardware device providing file sharing services to anyone who connects to the network, it includes shoutbox for communication in between users. A Piratebox is not connected to the Internet, it creates an ad-hoc wireless network acting as access point broadcasting its signal to anyone around to share files, there is no need to login, for privacy reasons activities aren’t logged. The software can run on any router supporting Openwrt and dd-wrt Linux firmware,or a laptop, there are initiatives to run Piratebox on an Android phone.

    When a Piratebox is switched on it will broadcast the wireless SSID (Service Set Identifier) “Pirate Box- Share Freely” after someone connects to the network the Internet browser is launched with a minimalistic interface allowing people to upload/download files, browse available files or chat over the network.

    Piratebox anonymous filesharing hardware
    Piratebox  file sharing hardware

    By not being connected to the Internet the number of users are reduced to Piratebox’s broadcasting range, around 30 meters, on the other hand this tool can not be taken down like a server, it is portable, easy to set up, and it only needs an Internet browser to work, there is no need to download any software, smartphones with Wi-fi can access it too.

    Tools like the Piratebox can be useful in countries where there is no Internet due to a Government cutting it off or lack of material resources, but the location of a Piratebox could be pinpointed using radio triangulation and there is no encryption making it possible to eavesdrop on users, besides the fact that someone could set up a rogue Piratebox to entrap people, the greatness of Piratebox resides on its portability and not needing an Internet connection. It is a good tool to share low level risk files and to quickly set up a filesharing network without Internet access, but not a a serious privacy tool that will protect you from state sponsored opponents.

    Visit Piratebox DIY homepage

  • Unlock and delete blocked files with LockHunter

    Unlock and delete blocked files with LockHunter

    Lockhunter can unblock and erase files or folders blocked for no reason, like malware protecting files against user deletion. LockHunter can be used through the interface or with the integrated Windows right click context menu, after selecting a file you will see a choice reading “What is blocking this file?” that will give you information on the process that is holding it up, instantly knowing if the file is in use or it is maliciously prevented from deletion.

    It is not necessary to erase a blocked file, you can choose to unlock and rename or unlock and copy it somewhere else, the program can be used from the command line, useful in case you can’t launch software due to computer problems. LockHunter can unload DLLs (Dynamic Link Library) from processes without terminating the process, a DLL is a  a Windows executable shared library with the extension .dll , .ocx , .cpl or .drv and can cause files to lock.

    Lockhunter unlocks blocked files
    Lockhunter unlocks blocked files

    In my experience specialist data wiping tools like Eraser can also get rid of blocked files or folders, but LockHunter adds many more options, it gives you information on what process is using the file or folder and it sends it to the Recycle Bin making it possible to restore it if necessary, greatly reducing the possibilities of erasing something by mistake, just because a file is locked it doesn’t mean it is malware. A portable version of Lockhunter is planned for the future.

    Visit LockHunter homepage

  • GPG Tools Windows Privacy Tray review

    GPG Tools Windows Privacy Tray review

    WinPT is an open source graphical front end for GnuPG, a compatible OpenPGP software that allows people to exchange encrypted messages and files with other PGP users, without WinPT you would only be able to use GnuPG from the command line which requires a long learning curve, GnuPG is included in the download. After installing Windows Privacy Tray you will be asked to create or import your public encryption keys and associate the program with .asc, .gpg and .sig files. The default extension for encrypted messages is .gpg but this can changed to .pgp in preferences.

    All of the needed GPG/PGP functions are available, setting up your preferred keyserver, importing and exporting keys, setting ownertrust, revoking keys, digitally signing messages or files and others. Hotkeys can be used to quickly encrypt and decrypt messages.

    public key GPG encryption WinPT
    public key GPG encryption WinPT

    The software includes plugins for Euroda and Outlook Express, key management, and encryption and decryption of text in Windows clipboard. WinPT is a good alternative to GPG4Win, another free OpenPGP compatible tool, I did not notice too many differences in between them, WinPT is lighter and a smaller download, and GPG4Win has a few more features like Claws Mail and a bigger community. You will still need to learn how public key encryption works, this software is not as automated as Enigmail, a GPG Thunderbird plugin, but it can be used to encrypt files and text outside of your email client to store them online for example, so it has more functions. To protect against brute force attacks it is much safer using an encryption key and a password than just a password.

    If you are looking for a free alternative to the expensive Symantec PGP Desktop, more suitable for businesses, WinPT will get the job done, an easy and simple way to send encrypted messages or attachments by email with the power of OpenPGP.

    Visit GnuPT homepage

  • FBI software specifications to monitor social networks

    The Federal Bureau of Investigation is calling on IT companies to submit a “white paper” on how to build a software tool to monitor social networks like Facebook and Twitter, they want to use the information collected to predict and respond to crisis. The system should be able to work in real time, with search capabilities of social networks and news sites like the CNN and MSNBC, using keywords and parameters defined by FBI agents, with automated filtering of collected data. Other specifications include instant notifications of breaking events triggered by keywords and the alerts being shown colour coded on a geospatial map with the ability to save and archive warnings, they even mention their preferred maps, which are Google Maps, Google 3D Maps and Yahoo Maps.

    The application should help view domestic terrorist threats and worldwide, classifying terror groups, being able to quickly locate US embassies and Government installations around the globe including details like the weather forecast and displaying video feeds of traffic cameras in real time to spot traffic patterns like bottlenecks, obstructions and flash mobs. Twitter is specifically mentioned and the FBI asks for the ability to instantly search and monitor all publicly available tweets across the whole Twitter site, the application must be able to translate foreign language tweets into English, using a minimum of 12 different languages, attaching a reference document of “tweet” lingo for officers to be able to understand the data. Vendors able to build that kind of mass surveillance software must include their estimated pricing to the FBI.

    A quick reminder that if you don’t want your Facebook postings to be read and stored by the FBI, the only privacy workarounds are not to use a social network, use something more anonymous like Unseen.is, or to only post in private not allowing public view. Besides the Government, employers and enemies alike can find the information you post in Facebook useful too.

    Reference: Federal Business Opportunities (fbo.gov)

  • Private hosting in Iceland with 1984 hosting

    Private hosting in Iceland with 1984 hosting

    Powered by free software and green energy with their headquarters and equipment in Iceland, 1984 hosting offers private hosting, VPS, domain registration, email and free DNS services, the company claims that they will go the extra mile to protect their customers right of freedom of speech, privacy and anonymity, they will not reply to threatening emails and will only obey a valid Icelandic court order, if they become aware of any investigation by the authorities 1984 hosting will warn the customer unless there is a gagging order, one of the two founders is a member of the Icelandic IMM (International Modern Media Institute), a foundation working for free speech.

    Control panel 1984 hosting
    Control panel 1984 hosting

    I was given a test account to see what their services are like, 1984 shared hosting has a custom hosting panel based on ispCP, simple and easy to use, you will not get lost or wonder where things are, functions can be accessed within a couple of clicks, the panel default language is Icelandic, it can be changed to English, Hungarian, Spanish, Danish and others. On the main tab there are statistics about space and bandwidth, number of SQL databases, FTP accounts and subdomains, backups are perfomed daily and they can be restored using the control panel, custom 404, 401, etc pages can be created too, websites status, like number of visitors, can be measured with awstats. Files can be uploaded using FTP or FTPS (FTP Over Explicit TLS/SSL) with SFTP support being planned for the future, alternatively you can use net2ftp, web based FTP, to upload files via browser, with the hosting account you also get an IMAP/POP3 email account, email can be retrieved with an email client or webmail (SquirrelMail).

    If you go for a VPS there is a list of the most common Linux and BSD distros to choose from or you can ask 1984 hosting to install a particular distribution that isn’t there, payments are made with Paypal or credit card.

    1984 hosting net2FTP
    1984 hosting net2FTP

    The Icelandic Parliament will soon introduce a new legislative freedom of expression framework enshrining protection for whistle blowers, information sources, communications, publication restraint orders and others, this makes the hosting company location ideal, but I was baffled by their free speech policy, while claiming to go the extra mile to protect customers civil rights, and hosting many politically sensitive websites they apparently have speech limits, set by what they called in the email exchange “sense of decency“, and made it clear to me that disagreeing with a website will not have an account terminated but they will not allow racist propaganda or pro-pedophile websites on their network as they say they would not sleep at night if they were serving them, and as for warez and copyrighted material, Iceland has the same laws than any other western country and they have to comply with them.

    My impression is that 1984 hosting could be a good place to publish whistle-blowing or corporate data leaks and count with strong investigative journalism protection out of the reach of US trigger happy libel laws, or you could use it as an offshore webmail account since their hosting prices are reasonable, but don’t push it too hard towards extreme websites not covered by this host so called “free speech” sense of decency.

    Visit 1984 hosting homepage

  • US judge orders woman to decrypt laptop or face contempt of court

    In a case that could set a legal precedent, a Federal US judge has ruled today on a long standing case that the defendant Ramona Fricosu, involved in a multimillion bank fraud, must decrypt her Toshiba laptop hard drive of face contempt of court, the woman had argued that exposing the laptop contents to law enforcement by entering her password would violate the Fifth Amendment, right not to self-incriminate, the judge ruling in a 10 page verdict says that the defendant isn’t protected because the  1789 All Writs Act  has been used to require telephone companies to aid in surveillance and can be invoked in forcing decryption of hard drives as well.

    Her solicitor, Phil Dubois, has asked for a stay of execution so that they can appeal and has announced that his client may not be able to decrypt the laptop for any number of reasons although the defendant was recorded in a jailhouse conversation with her ex-husband admitting to having access to the laptop and it will be hard to claim that she doesn’t know the password.

    It looks like the US could become a country like the United Kingdom where refusing to reveal your password to the authorities is already a criminal offence, but while UK laws sets a maximum prison sentence of 2 years (5 years if the case is related to terrorism), in the US people could be held in contempt of court which means an indefinite prison sentence.

    This is not the end of it yet as hopefully the appeal will be granted and could overturn this verdict, once the legal fight has exhausted all possible recourse, US law should soon be clear about if citizens have the right to refuse to reveal the password to their encrypted files or not, at the moment is best to be cautious and assume that sticking a finger up the cops and saying that you won’t reveal the password might not work as expected.

    Note: According to an article in Popular Science, the defendant was using Symantec PGP Desktop full disk encryption.

    UPDATE March 2012: According to an article in Wired, the FBI has now decrypted the disk, they did not disclosure how they did it but the woman’s solicitors points out that possibly the co-defendant has given the password to the police.

  • Android phone encrypted IM chat with ChatSecure

    Android phone encrypted IM chat with ChatSecure

    Gibberbot renamed ChatSecure is a secure Instant Messenger app for Android phones, it works with any Jabber or XMPP compatible chat software (Facebook chat, GTalk, Ovi, Openfire, etc) this open source messenger developed by the Guardian Project uses end to end encryption with Off-the-Record messaging (OTR) standard, it will keep your service provider out of the equation making it impossible for an eavesdropper to read the messages.

    Optionally ChatSecure can be used with Orbot (tor on Android app) to chat over the tor network, adding anonymity to an already private chat and circumventing censorship firewalls. Before signing into the chat you will be asked if you would like to save your password, you shouldn’t do this as anyone with access to your phone would be able to impersonate you.

    Android secure IM Gibberbot
    Android secure IM ChatSecure

    Off-the-Record encryption needs both parties to be using it, the people you are chatting with must have ChatSecure installed or be using a desktop computer with an instant messenger that has the plugin installed, Pidgin (Windows&Linux) and Adium (Mac) can all use Off-the-Record (OTR).

    You should swap digital fingerprints first to make sure he/she is the right person behind the keyboard, ChatSecure allows you create a scannable QR (Quick Response) code out of a digital fingerprint making it easy to exchange in person, after verifying fingerprints with your partner the chatbox will be shown green indicating that encryption and identity have all been authenticated, if you can not verify your partner’s identity the chatbox will be coloured orange indicating that encryption is working but identification failed, if encryption doesn’t work because the other end hasn’t got ChatSecure installed the chatbox will be shown in red colour and can still be used.

    Visit ChatSecure Google Play page