Hacker10

  • Hide My Ass VPN service one year review

    I have been using Hide My Ass VPN service for a year now. During all this time I have seen some servers come and go, mostly come; there has been a considerable increase in server locations. One thing that makes HMA premium VPN service stand out from the crowd is their vast number of servers and IPs available.

    I am based in Europe using a 10MB ADSL pipe and most of HMA VPN European, USA and Canadian servers almost match my original ISP speed; only the Singapore servers seem to be considerably slower all the time as well as having a huge ping rate (i.e. lag). But your results will likely be different depending on where you live. Choosing the location of your VPN as close as possible to your home considerably improves VPN speed and ping rate; if you are in Western Europe, for example, and want to use a USA VPN, choosing a server on the East Coast of the US should improve performance a great deal.

    The only place where I have found some of Hide My Ass USA VPNs blocked is while watching Hulu, you can easily get around this block by choosing a different US server of the many others available.

    Hide My Ass company headquarters

    My biggest grudge against HMA VPN is the way they hide where their headquarters are. They don’t seem willing to reveal in what country they are based, and this is pretty important because when you use a VPN the laws of three countries must be abided by: the laws of the country where the VPN server physically is, the laws of the country where the VPN company headquarters are and your own (user) local laws.

    The user local laws don’t really matter much because nobody knows where you are unless the VPN company reveals it, but the first two matter much more because it is trivial for a law enforcement agency or RIAA outlet to find that out. If HMA headquarters are located in, for example, China, then they must abide by Chinese law; it is not good enough to keep this secret. Users should be informed of where the VPN company headquarters are located.

    For what it is worth, I would place my bets that Hide My Ass company headquarters are in the United Kingdom because HMA website DNS servers are using ns1.zymic.com, Zymic being a hosting company that uses the tagline UK/US on its Twitter account and contains a link to HMA VPN service on its homepage footer. The Zymic domain is also registered in the UK by Netco Solutions but it appears to be a privacy registration.

    The biggest giveaway is that HMA VPN affiliate program pays out using a British bank account; draw your own conclusions from that. I guess they must be paying their taxes somewhere.

    Hide My Ass Virtual Private Network service

    Hide My Ass VPN receives DMCA complaint

    Various people at HMA forums have posted that Hide My Ass sends out warnings when a complaint is filed due to illegal filesharing activities. HMA, as it is their legal duty, complies with the law and hands out a notice so that the copyright infringing torrent is removed. This is a good example that if necessary Hide My Ass will track you down, like any other VPN service will; at least HMA will give you a chance to remove the offending file and not terminate your account straight away.

    You can still use HMA for filesharing as it is not against their terms and conditions, but using a USA server for doing that is not too clever, especially since HMA has a server in Russia where filesharing of copyrighted movies does not break any local law. To be safe, make sure that whatever activity you do is legal in the server you are using so that no complaint can be filed.

    If you think that you can carry out illegal activities and get away with it because you are using Hide My Ass VPN, think again: according to their privacy policy, HMA keeps connection logs for up to two years, more than enough time to track you down.

    Many VPN services claim to not store any logs, but they will actually produce them when pressured by the authorities because all of the VPN activities get traced back to them. Using a VPN makes the job of tracking you down harder but not impossible; to make it impossible use a Tor proxy.

    Hide My Ass VPN service advantages

    Hide My Ass has dozens of VPN servers and thousands of IPs available all over the world. There is no bandwidth limit, so you can download as much as you like, torrents are allowed, their VPN speed is more than reasonable for the average user and it gets through geolocation based online TV blocks.

    Their email support has normally replied to all my queries in around 24 hours, normally concerning servers that have stopped working; they eventually get fixed, not a big deal.

    Forget about the forums for support, you will not get real tech support there. In case of problems use Hide My Ass VPN to export the logs and send them via email to HMA support.

    Hide My Ass VPN service disadvantages

    Your IP can be exposed if your VPN connection drops and you get no clear warning whatsoever, you can be surfing the Internet with your real IP after a VPN disconnection and you will not be aware of this. There is a secure IP binding feature in HMA VPN client but it did not work for me and even if it worked that feature does not support all Internet applications.

    Paying HMA VPN monthly is on the high side of prices and Hide My Ass homepage advert of a 60% discount saying “offer expires soon” is a total lie, that offer was there one year ago when I signed up for it and it is still there now, it has never gone offline at any moment, this does not say too much about HMA honesty.

    I am not a big fan of Hide My Ass VPN management software either. It seems clunky to me, but you can put that down to personal taste if you like; I am not into fancy graphics, I would rather have simplicity.

    Conclusion Hide My Ass VPN review

    Assuming you pay yearly their VPN service is great value for money, you have numerous server locations to choose from, coverage is a little scarce for Asia but that is the norm at most VPN providers, something to do with bandwidth availability and expensive server prices in that part of the planet.

    HMA VPN support is fine and server reliability pretty good; with so many servers, if one does not work just choose a different one. I am just not too happy with the way they seem to hide where their headquarters are. I like to know where my VPN provider company is and if possible who is behind it, and I am not too enthusiastic about a yearly commitment either, which is when HMA VPN prices become affordable. That is why I am not going to renew my yearly subscription when it is up. I would like to try something else and see how it goes; I am always on time to go back to HMA. It hasn’t been a bad experience, they just have a little room for improvement.

    Visit Hide My Ass VPN homepage

  • Kryptos: Voice encryption mobile phone applet

    Kryptos is a premium iPhone applet to encrypt your phone calls. The company behind it is planning on launching Kryptos for Android in January 2011 and Kryptos for RIM (Blackberry) in February 2011. This encryption mobile phone applet is very easy to manage and it will provide you with sound secure voice communications for a very reasonable price. Kryptos will work over any network, including 3G, 4G and Wifi.

    After the user has downloaded the Kryptos iPhone applet from iTunes on their iPhone he needs to activate the account with Kryptos. Each user receives an individual ID, calls using the Kryptos applet will be secured using peer-to-peer encryption, the initial symmetric encryption keys exchange is made using 1024-RSA and after that calls are routed with AES256 encryption.

    Kryptos mobile phone call encryption

    There are no backdoors in this encryption applet: your encrypted conversation cannot be decrypted by anyone other than the two parties participating in the Kryptos call session, and the company does not keep any logs of the calls made. Your phone applet will keep a record of call logs locally but they can be easily erased.

    Note: Kryptos is not free and it requires a monthly fee.

    Visit Kryptos Communications homepage

  • Hardware authentication systems: Swekey vs Yubikey

    A double authentication login system using a hardware key is the best security system for people who travel and/or use public computers at Internet cafés and libraries. There is no absolute way to secure your personal data and privacy on a computer that isn’t yours; there are too many things that can go wrong in a networked computer where you do not have administrator rights. Outdated antivirus software, hardware keyloggers, network password sniffers: they are all dangers that could be there and you cannot effectively protect against any of them.

    When you use a hardware token together with a password to log in to websites, even if someone steals the passcode it will be useless to them. Most passwords are stolen remotely without the user knowing about it; with a hardware authentication token you are likely to notice the pass key is missing and can then revoke it.

    Swekey double factor authentication system

    The Swekey is an authentication hardware token in the form of a USB thumbdrive, in order to access a web application such as webmail, Internet forum or online banking you need to have Swekey plugged in first and then enter the correct password for the service, this means that if anyone manages to steal your password they will not be able to login because they will still need to have your Swekey.

    The Swekey is not a regular USB key, it generates One Time Passwords, and it can’t be hacked because the private key that is used to generate the OTPs cannot be read (physical protection).

    Swekey is operating system and browser independent, compatible with Windows, MacOS and Linux whether you use the Internet Explorer, Firefox or Opera browsers. For other more obscure operating systems like Solaris and FreeBSD, Swekey should also work if libusb is present.

    SweKey USB hardware token plugged in

    When you plug in the Swekey into the USB port your user name is automatically filled in and you are automatically logged out when you unplug your hardware token.

    Swekey is integrated in most popular open source projects like Drupal and Joomla, well known Content Management Systems that power community websites. Internet forums powered by vBulletin, phpBB also support it, and so do open source webmail platforms like RoundCube and Squirrel.

    There are specific plugins for Swekey but it can be used with any OpenID compliant web site, the main problem with hardware authentication tokens is that they need to be supported by the website you use, OpenID already has thousands of sites behind it.

    http://www.swekey.com

    Update 2015: Swekey is no longer in business, link erased.

    YubiKey double factor authentication system

    The YubiKey will calculate a new unique passcode each time it is used making it impossible to copy and illegitimately re-use a passcode.

    To use this hardware token you just plug it into a USB port and it will act like a USB keyboard compatible with Windows, MacOS and Linux. YubiKey has one button on it that, when pressed, will generate a one time 44 character password.

    YubiKey hardware token plugged in

    In order to log into a website you must have the physical Yubikey token plugged into your machine and press the button on it to generate a new One Time Password. The generated one time password can’t be reused or copied and pasted; this prevents malicious hacking attacks if someone captures your login credential. This hardware authentication system can also be used at OpenID websites with YubiKey support enabled.
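    How a validation server can refuse a captured passcode, as an added example that is not part of the original article or Yubico's own code: it splits the 44-character OTP into its public ID and encrypted block, then checks the CRC and counters of the decrypted block. The field layout follows Yubico's published OTP format rather than anything on this page; the AES-128 decryption step is left out, so `parse_token` takes the already-decrypted 16 bytes, and `make_plain_token` only builds constructed samples.

```python
import struct

MODHEX = "cbdefghijklnrtuv"        # hex digits remapped to keyboard-layout-safe keys
_HEX = "0123456789abcdef"
CRC_OK_RESIDUE = 0xF0B8            # CRC over all 16 bytes of a valid token

def modhex_decode(text):
    if len(text) % 2 or set(text) - set(MODHEX):
        raise ValueError("not a modhex string")
    return bytes.fromhex(text.translate(str.maketrans(MODHEX, _HEX)))

def modhex_encode(data):
    return data.hex().translate(str.maketrans(_HEX, MODHEX))

def split_otp(otp):
    """Split a 44-char OTP into (12-char public ID, 16-byte encrypted block)."""
    otp = otp.strip().lower()
    if len(otp) != 44:
        raise ValueError("expected 44 characters")
    modhex_decode(otp[:12])                    # validates the public ID alphabet
    return otp[:12], modhex_decode(otp[12:])

def crc16(data):
    """CRC-16 with reflected polynomial 0x8408, initial value 0xFFFF."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc

def parse_token(plain):
    """Decode the 16 decrypted bytes; a bad CRC means wrong key or tampering."""
    if len(plain) != 16 or crc16(plain) != CRC_OK_RESIDUE:
        raise ValueError("CRC check failed")
    uid, use_ctr, ts_lo, ts_hi, session_ctr, _rnd, _crc = struct.unpack(
        "<6sHHBBHH", plain)
    return {"private_id": uid, "use_ctr": use_ctr,
            "session_ctr": session_ctr, "timestamp": (ts_hi << 16) | ts_lo}

class ReplayGuard:
    """Accept a token only if its counters moved forward for that public ID."""
    def __init__(self):
        self._last = {}

    def accept(self, public_id, token):
        seen = (token["use_ctr"], token["session_ctr"])
        if seen <= self._last.get(public_id, (-1, -1)):
            return False                       # replayed or older OTP
        self._last[public_id] = seen
        return True

def make_plain_token(private_id, use_ctr, session_ctr, timestamp=0, rnd=0):
    """Build a constructed sample of a decrypted token (test data only)."""
    body = struct.pack("<6sHHBBH", private_id, use_ctr, timestamp & 0xFFFF,
                       timestamp >> 16, session_ctr, rnd)
    return body + struct.pack("<H", ~crc16(body) & 0xFFFF)

# Constructed sample values, not taken from any real key.
SAMPLE_PUBLIC_ID = "cccccchijkln"
SAMPLE_PRIVATE_ID = bytes.fromhex("0a0b0c0d0e0f")
```

    Because the counters live inside the encrypted block, an attacker who records one OTP can neither reuse it nor produce the next one without the secret key held in the token.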

    Why use hardware authentication security

    All of these three hardware security tokens are low cost and highly secure USB authentication that I would consider buying if I had to use multiple shared computers. If you only use your home computer for Internet access, having your antivirus and firewall updated daily and configured correctly together with a good online password manager should suffice.

    The most paranoid can add double authentication for an extra layer of security, I can see its utility for home users too, if someone hacks your favourite website database and gets your username and password out of it they will not be able to do anything with the password without the physical hardware authentication token to login.

    These hardware authentication devices all have a way to revoke the key in case you lose it, none of them uses a battery which makes them highly reliable and they all use a random One Time Password to login.

    I could not see any major differences between these three hardware based authentication systems, prices and security are much the same, probably the most important deciding factor when picking one of them is to make sure that the websites you normally visit have support for the specific hardware authentication token of your liking.

  • List of the best online password managers

    Why should I use an online password manager?

    Most Internet users have at the very least a dozen Internet passwords, probably more. Unless you are Einstein it is impossible to create an ideal hard to crack password for each one, using special characters with small and capital letters, and remember all of them. Users end up creating an easy to guess password or reusing the same password across many websites.

    While online banks are normally secure, with their fair share of failures, the main pitfall is that an easy to hack website, such as an amateurishly run forum in which you might have registered, will have its database stolen. Even if you don’t care about having that forum account stolen, a black hat hacker is likely to check whether the stolen passwords and usernames have also been used for your Facebook or email account.

    Online password managers allow you to use unique, extremely hard to crack passwords and remember all of them. They also save you time by not having to type your username and password every time you log in to a site, entering the password and username automatically for you.

    Ten online password managers

    Note: Some of these password managers are only free for a certain length of time or have limited features in their free version.

    Xecrets: Online password manager from the makers of Axcrypt, a free open source encryption software, Xecrets will not store your master password on their servers, only briefly in memory during the time you are visiting.

    LastPass: Online password manager compatible with all browsers, it can also be synchronized across them. LastPass offers storage of encrypted secure notes in your account, all of the data is encrypted using 256-bit AES implemented in C++ and JavaScript to perform encryption locally on your computer, nothing in plain text is sent to their servers. There is support for USB keys, Yubikey, one time password and a mobile version of this password storage application.

    PassPack: An ideal online password manager to share secret passwords with your team. PassPack has special features enabling secure password sharing online, and PassPack never sees your passwords in their unencrypted form. PassPack also offers a desktop password manager client available for Windows, Mac and Linux that syncs all of the passwords; online and offline data is encrypted using AES256-bit cryptography.

    PassPack online password manager

    Norton Identity Safe: Free online password manager that will save you time filling in forms; you can use Identity Safe to store passwords and credit card numbers. An incorporated toolbar will also tell you if a site is secure using a green and red button, which protects you from phishing sites.

    DashLane: It stores addresses, phones, usernames and passwords, credit card info and more in a secure vault locally stored in your computer and syncs it across multiple devices. You can keep track of your online purchases, login is automatic with form filling, everything can be managed using a single dashboard. Data is encrypted in the server using AES-256, there is a technical paper on Dashlane site explaining their security implementation.

    Password Box: All passwords are encrypted using the standard AES-256 bit algorithm, with forms to store your credit card details and sharing capabilities with other Password Box members. Data is synced across devices, and you can use it on any Internet web browser no matter what operating system.

    StickyPassword: Paid for password manager with encrypted notes that can be used offline and synced on the cloud. If you don’t trust the cloud Sticky Password allows you to disable this feature and use it exclusively offline, autofill will save you time when entering usernames and passwords and you will be prompted to save new ones if they are not found in StickyPasswords, all major browsers and mobile devices are supported.

    Clipperz online password manager

    OnlineCrypto: Android and iPhone password manager using AES 256bit encryption, everything is encrypted and synchronized online. OnlineCrypto uses a Google account for authentication and Google servers to host your encrypted data but it never transmits your master password.

    Clipperz: A zero maintenance cross platform online password manager with nothing to install, Clipperz uses a bookmarklet or sidebar to create and use direct logins. There is also an offline password manager version of Clipperz to take the passwords with you if travelling. Password strength indicator, application locking, SSL secure connection, one time password and a password generator are some of the features this online password manager offers.

    How safe are online password managers?

    In order to make sure all of your online passwords are in good hands, you should look for these features in a good online password manager:

    • A sound cryptographic algorithm is being used (e.g. AES, Blowfish, etc)
    • All of the encryption is performed on your computer before being sent to their servers
    • Your connection with the password manager is made using Secure Socket Layer (SSL) encryption at all times
    • No backdoors are included other than resetting your forgotten master password by sending you an email
    • There is support available in case you have problems
    • Browser and operating system compatibility
  • Review free steganography software SilentEye

    Steganography is the science of concealing information in such a way that the existence of the message will only be known to the sender and the recipient. Anyone else looking at the message will not suspect there is something hidden inside or that it has a meaning. This kind of covert communication is also known as security through obscurity.

    Covert communications using steganography can be traced back to 440 BC when Histiaeus shaved the head of one of his most trusted messengers and tattooed a message on it, waiting for his hair to grow back before sending him off to deliver the message.

    Computer software implementing steganography, aka stego, often uses encryption as a double safety net so that if the hidden message is ever discovered the opponent will still need a password to decrypt it.

    SilentEye steganography review

    This crossplatform open source free steganography software available for Windows, Mac and Linux offers a very simple and easy to use interface, SilentEye can hide messages or files inside images or sound files, at the moment restricted to .bmp images and .wav sound files but the developers plan to support data hiding inside .jpg and .mp3 files in their next release.

    It is important to understand that the data you hide inside a file must be considerably smaller than the innocuous carrier. There is no perfect science to know the proportion of data that can be hidden inside a carrier; many factors come into play, like data compression efficiency.

    I normally hide files that take 10% of the space of the carrier file at most. After extensively using steganography to hide text messages inside images, 10% is what I have found to be the size closer to the limit allowed. You need not worry about attempting to hide a file too big inside the carrier as the stego software will warn you of this and you will not be able to carry out the operation until the data you want to hide is reduced or you choose a bigger carrier file.
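    A rough upper bound on what a .bmp carrier can hold, as an added example that is not part of the original review or SilentEye's code: it reads the BMP header and computes the payload capacity under least-significant-bit embedding. LSB embedding in the colour channels is an assumption here (the page does not say which method SilentEye uses), any header the stego tool adds is ignored, and the carrier image is a constructed blank bitmap.

```python
import struct

def bmp_info(bmp):
    """Read width, height and bits per pixel from an uncompressed BMP."""
    if len(bmp) < 54 or bmp[:2] != b"BM":
        raise ValueError("not a BMP file")
    width, height, _planes, bpp, compression = struct.unpack_from("<iiHHI", bmp, 18)
    if compression != 0 or bpp not in (24, 32):
        raise ValueError("only uncompressed 24/32-bit BMPs are handled")
    return width, abs(height), bpp      # height is negative for top-down images

def lsb_capacity(bmp, bits_per_channel=1):
    """Bytes that fit when `bits_per_channel` low bits of R, G and B are replaced."""
    if not 1 <= bits_per_channel <= 8:
        raise ValueError("bits_per_channel must be between 1 and 8")
    width, height, _bpp = bmp_info(bmp)
    channels = 3                        # an alpha byte, if present, is left untouched
    return width * height * channels * bits_per_channel // 8

def capacity_ratio(bmp, bits_per_channel=1):
    """Capacity as a fraction of the carrier file size."""
    return lsb_capacity(bmp, bits_per_channel) / len(bmp)

def fits(bmp, payload_len, bits_per_channel=1):
    """True when a payload of `payload_len` bytes fits in the carrier."""
    return payload_len <= lsb_capacity(bmp, bits_per_channel)

def make_bmp(width, height):
    """Build a constructed, all-black 24-bit BMP to use as sample input."""
    row_size = (width * 3 + 3) & ~3     # rows are padded to a multiple of 4 bytes
    pixels = bytes(row_size * height)
    file_header = struct.pack("<2sIHHI", b"BM", 54 + len(pixels), 0, 0, 54)
    dib_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                             len(pixels), 2835, 2835, 0, 0)
    return file_header + dib_header + pixels

# Constructed carrier: 100 x 100 pixels, 24 bits per pixel, 30054 bytes on disk.
SAMPLE_BMP = make_bmp(100, 100)
```

    With one bit per colour channel the bound is one eighth of the pixel data, about 12.5% of the file, and each extra bit per channel raises capacity at the cost of more visible changes to the image.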

    SilentEye allows you to use drag and drop to encode and decode data, the encoding window allows you to choose encoding format, output image’s quality, pixel colours used and other settings. You can type your secret message directly into the program prior to hiding it inside the file or have a .txt or any other file ready and merge it directly with the covert file.

    Besides the pretty interface this free steganographic software has a plug-in system to integrate new cryptographic algorithms, sound AES encryption being already available at present time and you can encrypt your data before hiding it.

    SilentEye free Steganography software

    Conclusion open source stego SilentEye

    You can find more advanced steganographic software but few of them are as easy to use as SilentEye is, the best part of this free stego tool is that it is open source and it allows anyone with coding knowledge to write plugins for it. Source code is also available for download and you can compile SilentEye yourself.

    I do not think that hiding messages in .bmp and .wav files is good enough as these files are normally huge in size and very little used nowadays, and it would be suspicious for people to exchange songs as a .wav.

    Once the developers release their planned plugins to hide data inside .jpg and .mp3 files, SilentEye will be one of the best and easiest to use steganographic tools for people who want to get the job done with a point and click mouse, totally suitable for newbies with little computer knowledge.

    Visit SilentEye homepage

  • Free alternative to Windows Task Manager: CurrPorts

    CurrPorts will show you a detailed list of all currently opened TCP/IP and UDP ports on your PC, it will tell you the process name, the protocol being used (TCP/UDP), local port, remote port, remote IP being connected to and much more.

    CurrPorts is a very complete network monitoring software that easily beats Windows Task Manager. This free alternative to Windows Task Manager gives you exhaustive information about the applications running on your computer and allows you to kill the processes that opened the ports, as well as export all of the network activity data to a text or HTML file.

    CurrPorts free network monitoring software

    Another feature of this port monitoring tool is that it will automatically highlight in pink colour suspicious TCP/UDP ports opened by unknown applications, filters and command line are also available.

    Visit CurrPorts network monitoring homepage

  • How to know if your website is blocked in China

    The Chinese government has had the Golden Shield Project, 金盾工程 (aka Great Firewall of China), since 1998. Officially Chinese Internet filtering blocks access to websites containing:

    • Anti-social opinions and activities (decided by China censors)
    • Organizations and commentaries which are a threat to national security (Tibet, Taiwan, etc)
    • Pornography
    • Organizations and commentaries undermining the government’s policies on religion (Falun Gong)
    • Websites helping to circumvent Internet censorship

    It is also possible that your website could be blocked in China by mistake, websites blocked by China ISPs are also likely to be deindexed from China based search engines and will not be shown in the results.

    How China blocks websites on the Internet

    It is not technically feasible for Chinese censors to examine all of the Internet content, the Chinese government blocks access to websites using firewalls and proxy servers at the Internet gateways of China’s ISPs.

    Researchers from the University of California, Davis and University of New Mexico found out that the Great Firewall of China is not a true firewall since banned material is sometimes able to pass through several routers or through the entire system without being blocked.

    Website filtering is done through an ad-hoc network without a centralized server, so it is possible for some web sites to be blocked in one Chinese city and available when accessed from another region of China.

    When the Chinese Internet filtering system detects a banned word traveling across the network it sends a series of commands to break the connection and block the access to the website. Chinese internet filtering looks for the use of banned words, this will encourage a certain level of self-censorship from Chinese surfers since they know that certain words are taboo they will choose a different topic altogether.

    Filtering was particularly erratic at Internet peak times when more Chinese users were online.

    Website banned in China

    How to reduce the likelihood of your site being blocked in China

    1. Do not post political material considered sensitive by the Chinese Government: Some obvious content susceptible to be blocked by the Chinese authorities includes references to the Falun Gong spiritual movement, Tiananmen Square protests, democracy in China, Taiwan independence and the free Tibet movement, among others.
    2. Get a dedicated IP for your hosting: This will reduce the chances of your site being blocked by accident due to using a shared hosting account hosting content banned in China in a different domain.
    3. Do not publish pornography: Internet pornography is forbidden in China and the Internet police will block access to your site if they find out your website distributes it.
    4. Get a webhost located in China: Chinese webhosts are more expensive and downtime might be higher than in other locations but they are also less likely to be blocked by the Chinese Internet filter.

    Although administered by the Chinese government Hong Kong is not subjected to Internet censorship as it has special status.

    Test if a website is blocked in China

    • Site24x7: This service will ping a website from different locations across the world, including servers located inside China, if you notice a packet loss from those servers this could indicate that the site is not accessible in China.
    • ViewDNS China firewall test: This test checks for symptoms of DNS poisoning, one of the more common methods used by the Chinese government to block access to websites; the test uses a number of servers from various locations in mainland China.
    • Watch Mouse: This service monitors your website access from various locations across the world, including tests using servers located inside China.
    • WebSite Pulse: This test will connect to your site and will download the complete HTML web page using various servers located across China, it will also report how long it takes to download.
    • GreatFirewallOfChina: Websites are tested using various servers located in mainland China; you will be informed whether the request has timed out, failed (blocked) or is reachable.

    If you need to perform frequent tests on website accessibility or SEO from inside China you can use a China based VPN; this will mask your real IP and make you appear like you are a Chinese Internet surfer.