Hacker 10 – Security Hacker

Hacker10

  • HMA VPN user arrested after IP handed over to the FBI

    Cody Andrew Kretsinger, a 23 year old from Phoenix, Arizona (USA) is now facing 15 years in prison after being arrested by the FBI, an alleged member of malicious hacker group LulzSec in which he used the moniker “recursion”, he is believed to be involved in the hacking of Sony Pictures Entertainment servers using a SQL injection to obtain confidential information and post it on the Internet, British based Hide My Ass VPN  handed over his home IP on receiving a court order, according to the indictment Cody Kretsinger Hide My Ass VPN username was “recursion“, the same nickname he used in the hacking group, allegedly he also completely wiped clean his computer hard disk after hacking Sony Pictures.

    On a side note, for LulzSec to launch a denial of service attack against the UK Serious Organised Crime Agency (SOCA) website and use a British based VPN service does not come across as the kind of idea that the brightest candle in the shop would have.

    All VPNs keep connection logs 

    Anyone believing a VPN can be used for criminal activities and get away with it, is living in cuckoo land, all VPNs keep logs, if they didn’t they would not be in business for long, law enforcement or their dedicated server provider would shut down their business, you need to cover your ass and so do VPN companies, legally VPNs do not have to keep any logs but if a VPN is continuously used to commit crimes and they do not take any action to stop it they could be the ones facing court, HMA can track you down if you break the law.

    It is a common misconception that when a VPN claims “we do not keep logs” people assume they can not be tracked down, many users do not realize that there is no need for a VPN to know what sites they visit to track them down, all a VPN needs to protect their own ass is to know the user’s connection and disconnection time, for example if user A has been using IP 1.2.3.4 on Monday 25th Sept. at midnight and a company or LEA claims that IP 1.2.3.4 was used to carry out an illegal action on Monday 25th at midnight, all that the VPN needs to do is to look up who was using the IP at the time, the logs detailing the user bad deeds can be taken by the company owning the server where the hacking/posting occurred.

    What a law enforcement agency, aka LEA, can not do is to pursue a VPN company and ask them what websites have been visited by user A, VPNs do not normally keep that data, it is impossible for the FBI to go on a  fishing expedition asking for a user Internet activities hoping to find something illegal, if the FBI asks for a VPN company logs, they already have evidence that a crime was committed otherwise no subpoena could be issued.

    The next time you see a VPN claiming that they do not keep logs, always assume they are talking about visited websites logs, connection logs, the ones used to track you down, are always created on the VPN otherwise it wouldn’t work, privacy is a matter of how long do they keep connection logs for, in HMA VPN case, this can be found in their tiny terms and conditions, it used to be one week, then they changed it to 30 days (without notifying users of this change), then it changed a second time (without notifying users once again) and now it is at 30 days connections logs but do not be surprised if tomorrow this changes without notifying anyone like it has been done in the past.

  • Test for intrusion detection with Patriot NG

    Test for intrusion detection with Patriot NG

    Patriot NG is a real time monitoring tool keeping an eye on changes in your Windows operating system and network, the program warns you of registry changes, new files in the Startup directory, new users being added, new services, changes in Windows host file, new scheduled jobs, Internet Explorer alteration(toolbars,configuration changes), changes in the ARP table (used for man in the middle attacks), opening of ports by new processes and anomalous network traffic.

    This is a good tool to catch zero day threats, Patriot NG relies on software behaviour to predict if malware is changing files instead of using signature files like antivirus software without heuristics does.

    Patriot NG IDS system
    Patriot NG IDS system

    If you suspect your computer has been infected by a trojan the first thing to do should be detaching your router to stop all Internet access, if someone has managed to infect your computer they can disable intrusion detection tools and send you updated malware via the Internet. After you have disconnected your router an antivirus, anti-spyware and anti-rootkit software should be run in the computer until something is found.

    An Intrusion Detection System (IDS) tool is best used by people with good computer knowledge, newbies might not realise that they are giving access to a trojan horse since malware is normally disguised and named as something else, the user will need to know some basic operating system files (locations&names) to understand what is going on.

    Visit Patriot NG homepage

  • Cloud forensics tool OWADE pulls online services data

    Cloud forensics tool OWADE pulls online services data

    One of the problems that traditional computer forensics has is that lots of information is stored on the cloud, MSN, Yahoo, Skype, Dropbox, GoogleDocs, Facebook, etc, online data is accessible with a court order but that involves lots of paperwork making the investigation more complex with the physical data still unsecured and in some cases with the server located offshore out of local authorities jurisdiction. OWADE (Offline Windows Analysis and Data Extraction), is an open source cloud forensics tool developed by a Stanford University team and launched at the BlackHat 2011 security conference able to extract information from cloud services that a user has accessed in his computer.

    Cloud computer forensics diagram
    Cloud computer forensics diagram

    OWADE can reconstruct Internet activities and search for the online identities that have been used, Encase and FTK (The Forensics ToolKit) can already do this, OWADE advantage is its ability to decrypt files ciphered using the various Microsoft built-in encryption schemes, like Syskey and DPAPI (Data Protection API), OWADE combines its ability to decrypt Microsoft encryption algorithm with traditional data extracting techniques in order to access Skype chat history, decrypt Internet Explorer stored logins & passwords, by cracking the Windows user password, or access  historical Wi-Fi location data stored by Windows, providing a list of access points with dates and times.

    Traditional computer forensics software has a hard time reconstructing cloud services data stored in the hard disk due to Windows scattering everything across multiple files and encrypting some portions. OWADE does not pull data from the servers, the data was downloaded on the hard disk when the user accessed the service, what OWADE does is to search, decrypt and put together all of the cloud personal accounts, logs, logins and passwords that have been accessed.

    This tool is still being developed, an Alpha version (not stable) has been released, and it can only analyse the Windows operating system.

    Visit OWADE homepage

  • Jitsi the encrypted chat software with VoIP and video

    Jitsi the encrypted chat software with VoIP and video

    Jitsi is an instant messenger with VoIP and videochat compatible with any other IM software supporting SIP (Session Initiation Protocol), an application layer protocol for voice over IP, XMMP/Jabber (Extensible Messaging and Presence Protocol), an open standard communications protocol used by Google Talk and most open source instant messengers, MSN/Windows Live Messenger, AIM, Bonjour, ICQ, Yahoo Messenger and Facebook chat, one of the few not supported IM is Skype.

    Call encryption is implemented with SRTP (Secure Real-time Transport Protocol), a protocol with no effect on voice quality providing encryption using the AES cipher as default, authentication and message integrity, together with ZRTP, an open source protocol from Zfone for public key encryption in VoIP chats that can also be found in secure Linux instant messengers like SFLphone.

    Jitsi encryption chat software
    Jitsi encryption instant messenger

    Jitsi IM main features

    • Encrypted audio and video calls
    • Support for most instant messenger software
    • Call recording in SIP and XMPP (MSN in progress)
    • File transfer preview, small photo thumbnail preview before accepting file

    This secure instant messenger will encrypt video and voice calls across all services, including group chats, besides that, feature wise is pretty basic with little to show other than emoticons, text formatting, file transfer preview and avatars, this is a useful chat software with IPv6 support for those who care about privacy and security in VoIP and video conferences with no interest in playing songs while chatting or changing the IM skin/looks, a great IM for businesses due to its security and lack of bells and whistles that tend to reduce productivity while chatting, the messenger itself can be password protected and passwords are stored encrypted.

    Visit Jitsi IM homepage

  • Lock a computer screen with ClearLock

    Lock a computer screen with ClearLock

    If you have a user password set up in Windows clicking on “Windows key +L” on the keyboard will quickly lock your computer but you will not see what is going on behind the screen lock. Clearlock is a free Windows utility to lock Windows while you are away, using a transparent layer that allows you to see what is going on in the background with just a quick look without the need to unlock the computer, ClearLock has a nice 3D like GUI and there is no need to install it.

    ClearLock a transparent computer screen lock
    ClearLock a transparent computer screen lock

    After entering the wrong password three times there will be a five minutes delay before granting another attempt, the number of  invalid password entries are logged, you would be aware of them once you come back to your computer. If you forget your password while the screen is unlocked delete the .ini file inside the program folder to reset it, if the screen is locked you will have to reboot your computer.

    This screen locker is a low level protector designed to stop low skilled adversaries, like children, from accessing your computer while you are away, determined serious opponents could plug in a USB thumbdrive in your computer and use Windows autorun feature to run a malicious script to pull your RAM memory and your screenlock password with it or even image the whole hard disk without you knowing.

    Visit ClearLock homepage

  • How to obtain a digital certificate for free

    How to obtain a digital certificate for free

    A digital or SSL certificate consists of two encryption keys, one public and one private, a very common use for digital certificates is to encrypt data exchanges in between a user Internet browser and any e-commerce website but it can also be used to sign documents, encrypt and digitally sign email messages and identify yourself online. Once a digital certificate has been installed in your Internet browser or email client, it is easier to use than encryption software, many users are not even aware they are using it, if the SSL certificate is personalized a password might be asked before using it.

    Typical digital certificates will contain a serial number, signature algorithm, issuing authority, valid from and expiry date, public key and a hashed number to guarantee that the key has not been tampered with.

    Places to obtain a free digital certificate

    CAcert: To be issued an SSL  X.509 standard certificate you are asked you to join the CAcert community filling in an online form, in between others you can use CAcert certificates to secure websites, digitally signing or encrypting emails and files.

    GetaCert: Not a Certificate Authority (CA), GetaCert appears to be a website using OpenSSL to create a digital certificates online, they can be issued for use with email and websites, all of their certificates are valid for 10 years and wildcards are supported.

    StartSSL: Issuing free Class 1 (for individuals) SSL certificates valid for one year, renewable after expiration, security is as good as StartSSL paid for digital certificates but with some limitations like no wildcards allowed and it doesn’t hold identification details.

    InstantSSL: Fast and easy to obtain digital certificate from Comodo, it only takes seconds to install and can be used to encrypt and digitally sign your email messages. The private encryption key can be chosen in between high or medium grade depending on needs.

    Types of basic digital certificates

    • Personal certificate: It works as a digital ID guaranteeing that the person is not someone else, a personal certificate can be used to identify yourself over the Internet with a company or Government agency, digitally sign an email message or a PDF file, a password will normally be asked when carrying out these tasks, using the something you have and something you know security model.

    Diagram digital certificate encryption
    Diagram digital certificate encryption

    • Server certificate: It identifies a user when establishing a connection before transmitting any information, email and Usenet servers use a server certificate when authentication takes place via SSL.
    • Software certificate: It verifies software before installing it in your computer by checking the code digital signature making sure the program has not been replaced by malware having been signed by a genuine developer, useful when downloading software from the Internet.

    Unrecognised digital certificates warnings 

    All Internet browsers come with digital certificates installed, these are issued by certification authorities like VeriSign or GeoTrust, when the browser comes across a website using a digital certificate which public key is not found in the browser you will get a not recognized certificate warning, this does not mean the site is not safe, it only means one of the key pairs has not been stored in the browser.

    It is impossible to have every single company SSL certificate stored in the browser, when you get this kind of warning you should check the digital certificate making sure it is not a man in the middle attack by looking at its properties, when satisfied that everything looks correct, install it, after that you will not get any more security warnings when visiting that site.

    Digital certificate security warning
    Digital certificate security warning

    When you install software you could find Windows warning you that the driver has not been digitally signed, Microsoft charges a huge amount for this ‘”privilege” and not all developers can’t afford it, it doesn’t necessarily mean the software is dangerous, it only means it has not been approved by Microsoft.

    How to make your own SSL certificate 

    An alternative to companies issuing free SSL certificates is to create your own Certificate Authority or self-signed digital certificate using OpenSSL, an open source implementation of SSL and TLS, any decent Linux distribution will come with OpenSSL installed, you will need some basic Unix knowledge, go to the command line generate an RSA private key, generate a Certificate Signing Request (CSR) and generate a self-signed certificate, for the necessary commands to do this type man openssl at the Linux command prompt.

    You can use OpenSSL and other Unix utilities in Windows using Cygwin, a Unix framework for Windows, it is beyond the scope of this article to explain how Cygwin works.

  • The best emergency antivirus recovery live CDs

    The best emergency antivirus recovery live CDs

    If a computer has been infected with a virus and refuses to boot or when it does malware kicks in stopping you from running a virus scanner,using an antivirus live CD will bypass the need to boot the operating system helping you to remove any callous rootkit. There are various Linux based live CDs that allow for data recovery, the antivirus live CDs below have specifically been designed to remove persistent viruses and they are user friendly, meant to be used as a last resort when everything else fails or to save you time if you are a computer administrator.

    To use an emergency recovery disk all you have to do is to burn the .iso to blank media, insert the CD rom inside the optical drive, reboot your computer making sure CD-drive is the first booting device in the BIOS and you are in, the live CD will scan your computer for viruses once it boots.

    Dr Web live CD: When you boot the CD it detects all disk drives automatically without the need to mount them, you can select a folder or disk to be scanned, the included Midnight Commander file browser allows you to copy any file to an external device and help is available from Dr. Web by email. This live CD lets you check your RAM memory for errors with the Memtest86+ utility making sure that your problem is not a hardware fault.

    AVG Rescue CD: It comes with antivirus and antispyware, it defines itself as a portable version of AVG antivirus inside a Linux distribution, you can use it to move files to an external device, test RAM memory, edit registry keys and ping network devices to see if they are reachable, everything is free and it comes with the latest virus signatures database.

    AVG antivirus live CD
    AVG antivirus live CD

    PCTools live CD: Officially named Alternate Operating System Scanner, this antivirus live CD will detect and remove rootkits and other difficult to delete malware, it uses the Spyware Doctor antivirus engine to scan your files and Windows registry, if it finds something it cleans it up warning you of the location and the virus name.

    F-Secure Rescue CD: A customized Knoppix Linux distribution made by F-Secure to remove persistent malware, any virus you have in your operating system will be useless against F-Secure Rescue CD, first of all because it runs on Linux and secondly because the operating system in your main hard drive will not be active, the live CD can be used for data recovery too.

    F-Secure emergency recovery live CD
    F-Secure emergency recovery live CD

    Avira Rescue System: Linux based live CD to scan your computer for viruses, Avira antivirus database is updated several times a day, this is a good live antivirus CD to catch the latest exploit, once malware has been detected the live CD will automatically remove it saving yourself  time reinstalling the whole operating system.