Hacker10

  • List of the best online password managers

    Why should I use an online password manager?

    Most Internet users have at the very least a dozen Internet passwords, probably more. Unless you are Einstein, it is impossible to create an ideal hard-to-crack password for each one, using special characters and a mix of lower and upper case letters, and remember all of them. Users end up creating an easy-to-guess password or reusing the same password across many websites.

    While online banks are normally secure, with their fair share of failures, the main pitfall is that an easy-to-hack website, such as an amateurishly run forum you might have registered on, will have its database stolen. Even if you don't care about losing that forum account, a black hat hacker is likely to check whether the stolen usernames and passwords have also been used for your Facebook or email account.

    Online password managers allow you to use unique, extremely hard-to-crack passwords without having to remember all of them. They also save you time: you do not have to type your username and password every time you log in to a site, because the manager enters them automatically for you.

    Ten online password managers

    Note: Some of these password managers are only free for a certain length of time or have limited features in their free version.

    Xecrets: Online password manager from the makers of AxCrypt, a free open source encryption software. Xecrets will not store your master password on their servers, only briefly in memory while you are visiting.

    LastPass: Online password manager compatible with all browsers; it can also be synchronized across them. LastPass offers storage of encrypted secure notes in your account. All of the data is encrypted using 256-bit AES, implemented in C++ and JavaScript, with encryption performed locally on your computer; nothing in plain text is sent to their servers. There is support for USB keys, YubiKey and one-time passwords, and there is a mobile version of this password storage application.

    PassPack: An ideal online password manager for sharing secret passwords with your team. PassPack has special features enabling secure password sharing online, and it never sees your passwords in their unencrypted form. PassPack also offers a desktop password manager client, available for Windows, Mac and Linux, that syncs all of the passwords. Online and offline data is encrypted using 256-bit AES.

    Norton Identity Safe: Free online password manager that will save you time filling in forms. You can use Identity Safe to store passwords and credit card numbers. An incorporated toolbar will also tell you if a site is secure using a green and red button, which protects you from phishing sites.

    DashLane: It stores addresses, phone numbers, usernames and passwords, credit card info and more in a secure vault stored locally on your computer, and syncs it across multiple devices. You can keep track of your online purchases, login is automatic with form filling, and everything can be managed using a single dashboard. Data is encrypted in the server using AES-256, and there is a technical paper on the Dashlane site explaining their security implementation.

    Password Box: All passwords are encrypted using the standard 256-bit AES algorithm. There are forms in which to store your credit card details and sharing capabilities with other Password Box members. Data is synced across devices, and you can use it in any web browser no matter what operating system.

    StickyPassword: Paid-for password manager with encrypted notes that can be used offline and synced in the cloud. If you don’t trust the cloud, Sticky Password allows you to disable this feature and use it exclusively offline. Autofill will save you time when entering usernames and passwords, and you will be prompted to save new ones if they are not found in StickyPassword. All major browsers and mobile devices are supported.

    OnlineCrypto: Android and iPhone password manager using 256-bit AES encryption; everything is encrypted and synchronized online. OnlineCrypto uses a Google account for authentication and Google servers to host your encrypted data, but it never transmits your master password.

    Clipperz: A zero-maintenance, cross-platform online password manager with nothing to install. Clipperz uses a bookmarklet or sidebar to create and use direct logins. There is also an offline version of Clipperz so you can take the passwords with you when travelling. A password strength indicator, application locking, an SSL secure connection, one-time passwords and a password generator are some of the features this online password manager offers.

    How safe are online password managers?

    In order to make sure all of your online passwords are in good hands, you should look for these features in a good online password manager:

    • A sound cryptographic algorithm is being used (e.g. AES, Blowfish, etc.)
    • All of the encryption is performed on your computer before being sent to their servers
    • Your connection with the password manager is made using Secure Sockets Layer (SSL) encryption at all times
    • No backdoors are included, other than resetting a forgotten master password by sending you an email
    • There is support available in case you have problems
    • Browser and operating system compatibility
  • Review free steganography software SilentEye

    Steganography is the science of concealing information in such a way that the existence of the message is known only to the sender and the recipient. Anyone else looking at the message will not suspect that there is something hidden inside or that it has a meaning. This kind of covert communication is also known as security through obscurity.

    Covert communications using steganography can be traced back to 440 BC, when Histiaeus shaved the head of one of his most trusted messengers and tattooed a message on it, waiting for his hair to grow back before sending him off to deliver the message.

    Computer software implementing steganography, aka stego, often uses encryption as a double safety net so that if the hidden message is ever discovered the opponent will still need a password to decrypt it.

    SilentEye steganography review

    This cross-platform, open source, free steganography software, available for Windows, Mac and Linux, offers a very simple and easy-to-use interface. SilentEye can hide messages or files inside images or sound files. At the moment it is restricted to .bmp images and .wav sound files, but the developers plan to support data hiding inside .jpg and .mp3 files in their next release.

    It is important to understand that the data you hide inside a file must be considerably smaller than the innocuous carrier. There is no perfect science for knowing the proportion of data that can be hidden inside a carrier; many factors come into play, such as data compression efficiency.

    I normally hide files that take 10% of the space of the carrier file at most. After extensively using steganography to hide text messages inside images, 10% is what I have found to be the size closest to the limit allowed. You need not worry about attempting to hide a file too big inside the carrier, as the stego software will warn you of this and you will not be able to carry out the operation until the data you want to hide is reduced or you choose a bigger carrier file.
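    Why the usable share of a .bmp carrier ends up near one tenth, as an added example that is not part of the original review or of SilentEye's code: it assumes plain least-significant-bit embedding with one hidden bit per colour byte and a 4-byte length prefix (the page does not say how SilentEye encodes), and the carrier image and all function names are constructed for illustration.

```python
import struct

HEADER_LEN = 54  # 14-byte file header + 40-byte BITMAPINFOHEADER


def make_bmp(width, height):
    """Build a constructed, uncompressed 24-bit BMP (a simple gradient)."""
    row_size = (width * 3 + 3) & ~3          # BMP rows are padded to 4 bytes
    rows = bytearray()
    for y in range(height):
        row = bytearray()
        for x in range(width):
            row += bytes([(x * 7 + y * 13) % 256] * 3)
        rows += row + b"\x00" * (row_size - width * 3)
    file_hdr = struct.pack("<2sIHHI", b"BM", HEADER_LEN + len(rows), 0, 0, HEADER_LEN)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                           len(rows), 2835, 2835, 0, 0)
    return file_hdr + info_hdr + bytes(rows)


def carrier_positions(bmp):
    """Offsets of every colour byte, skipping headers and row padding."""
    magic, _, _, _, offset = struct.unpack_from("<2sIHHI", bmp, 0)
    _, width, height, _, bpp, compression = struct.unpack_from("<IiiHHI", bmp, 14)
    if magic != b"BM" or bpp != 24 or compression != 0:
        raise ValueError("only uncompressed 24-bit BMP carriers are handled")
    row_size = (width * 3 + 3) & ~3
    return [offset + y * row_size + i
            for y in range(abs(height)) for i in range(width * 3)]


def capacity_bytes(bmp):
    """Largest payload that fits: one bit per colour byte, minus a 4-byte length."""
    return len(carrier_positions(bmp)) // 8 - 4


def embed(bmp, payload):
    """Return a copy of the carrier with the payload written into the LSBs."""
    limit = capacity_bytes(bmp)
    if len(payload) > limit:
        raise ValueError(f"payload is {len(payload)} bytes, carrier holds {limit}")
    message = struct.pack("<I", len(payload)) + payload
    positions = carrier_positions(bmp)
    out = bytearray(bmp)
    for n in range(len(message) * 8):
        bit = (message[n // 8] >> (7 - n % 8)) & 1
        out[positions[n]] = (out[positions[n]] & 0xFE) | bit
    return bytes(out)


def extract(bmp):
    """Read the length prefix, then that many payload bytes, from the LSBs."""
    positions = carrier_positions(bmp)

    def read(first_bit, nbytes):
        value = bytearray(nbytes)
        for n in range(nbytes * 8):
            value[n // 8] |= (bmp[positions[first_bit + n]] & 1) << (7 - n % 8)
        return bytes(value)

    (length,) = struct.unpack("<I", read(0, 4))
    if length > len(positions) // 8 - 4:
        raise ValueError("no plausible hidden message in this file")
    return read(32, length)


if __name__ == "__main__":
    carrier = make_bmp(50, 40)               # constructed carrier, 6,134 bytes
    limit = capacity_bytes(carrier)
    print(f"carrier {len(carrier)} B, capacity {limit} B "
          f"({100 * limit / len(carrier):.1f}% of the file)")
    stego = embed(carrier, b"meet at noon")
    print(extract(stego))
```

    With one bit per colour byte the ceiling is one eighth of the pixel data, and headers, row padding and the length prefix push the usable share of the whole file a little lower.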

    SilentEye allows you to use drag and drop to encode and decode data. The encoding window allows you to choose the encoding format, the output image’s quality, the pixel colours used and other settings. You can type your secret message directly into the program prior to hiding it inside the file, or have a .txt or any other file ready and merge it directly with the covert file.

    Besides the pretty interface, this free steganographic software has a plug-in system to integrate new cryptographic algorithms, with sound AES encryption already available at present, so you can encrypt your data before hiding it.

    Conclusion open source stego SilentEye

    You can find more advanced steganographic software, but few of them are as easy to use as SilentEye. The best part of this free stego tool is that it is open source and allows anyone with coding knowledge to write plugins for it. Source code is also available for download and you can compile SilentEye yourself.

    I do not think that hiding messages in .bmp and .wav files is good enough, as these files are normally huge in size and very little used nowadays, and it would be suspicious for people to exchange songs as a .wav.

    Once the developers release their planned plugins to hide data inside .jpg and .mp3 files, SilentEye will be one of the best and easiest to use steganographic tools for people who want to get the job done with a point and click of the mouse, totally suitable for newbies with little computer knowledge.

    Visit SilentEye homepage

  • Free alternative to Windows Task Manager: CurrPorts

    CurrPorts will show you a detailed list of all currently opened TCP/IP and UDP ports on your PC. It will tell you the process name, the protocol being used (TCP/UDP), the local port, the remote port, the remote IP being connected to and much more.

    CurrPorts is a very complete network monitoring tool that easily beats Windows Task Manager. This free alternative to Windows Task Manager gives you exhaustive information about the applications running on your computer and allows you to kill the processes that opened the ports, as well as export all of the network activity data to a text or HTML file.

    Another feature of this port monitoring tool is that it will automatically highlight in pink suspicious TCP/UDP ports opened by unknown applications. Filters and a command line are also available.

    Visit CurrPorts network monitoring homepage

  • How to know if your website is blocked in China

    The Chinese government has had the Golden Shield Project, 金盾工程 (aka Great Firewall of China), since 1998. Officially, Chinese Internet filtering blocks access to websites containing:

    • Anti-social opinions and activities (decided by China censors)
    • Organizations and commentaries which are a threat to national security (Tibet, Taiwan, etc)
    • Pornography
    • Organizations and commentaries undermining the government’s policies on religion (Falun Gong)
    • Websites helping to circumvent Internet censorship

    It is also possible that your website could be blocked in China by mistake. Websites blocked by Chinese ISPs are also likely to be deindexed from China-based search engines and will not be shown in the results.

    How China blocks websites on the Internet

    It is not technically feasible for Chinese censors to examine all of the Internet content. The Chinese government blocks access to websites using firewalls and proxy servers at the Internet gateways of China’s ISPs.

    Researchers from the University of California, Davis and University of New Mexico found out that the Great Firewall of China is not a true firewall since banned material is sometimes able to pass through several routers or through the entire system without being blocked.

    Website filtering is done through an ad-hoc network without a centralized server, so it is possible for a website to be blocked in one Chinese city and available when accessed from another region of China.

    When the Chinese Internet filtering system detects a banned word travelling across the network, it sends a series of commands to break the connection and block access to the website. Because the filtering looks for the use of banned words, it encourages a certain level of self-censorship among Chinese surfers: since they know that certain words are taboo, they will choose a different topic altogether.

    Filtering was particularly erratic at Internet peak times when more Chinese users were online.

     How to reduce the likelihood of your site being blocked in China

    1. Do not post political material considered sensitive by the Chinese Government: Some obvious content likely to be blocked by the Chinese authorities includes references to the Falun Gong spiritual movement, the Tiananmen Square protests, democracy in China, Taiwan independence and the free Tibet movement, among others.
    2. Get a dedicated IP for your hosting: This will reduce the chances of your site being blocked by accident due to using a shared hosting account hosting content banned in China in a different domain.
    3. Do not publish pornography: Internet pornography is forbidden in China and the Internet police will block access to your site if they find out your website distributes it.
    4. Get a webhost located in China: Chinese webhosts are more expensive and downtime might be higher than in other locations but they are also less likely to be blocked by the Chinese Internet filter.

    Although administered by the Chinese government, Hong Kong is not subject to Internet censorship, as it has special status.

    Test if a website is blocked in China

    • Site24x7: This service will ping a website from different locations across the world, including servers located inside China. If you notice packet loss from those servers, this could indicate that the site is not accessible in China.
    • ViewDNS China firewall test: This test checks for symptoms of DNS poisoning, one of the more common methods used by the Chinese government to block access to websites. The test uses a number of servers in various locations in mainland China.
    • Watch Mouse: This service monitors access to your website from various locations across the world, including tests using servers located inside China.
    • WebSite Pulse: This test will connect to your site and download the complete HTML web page using various servers located across China. It will also report how long the download takes.
    • GreatFirewallOfChina: Websites are tested using various servers located in mainland China. You will be informed whether the request timed out, failed (blocked) or the site is reachable.

    If you need to perform frequent tests on website accessibility or SEO from inside China, you can use a China-based VPN. This will mask your real IP and make you appear to be a Chinese Internet surfer.

  • Bypass Internet filters retrieving websites by email

    Web2PDF is a free service that converts websites to PDF and allows you to receive full websites in your email as PDF files.

    It is being sold as a service for those with limited access to the Internet, but it also works very well for bypassing Internet filters. As long as you can access your email, you can ask Web2PDF to send you via email any website in the world, whether it is blocked by your ISP in your country or not. The Web2PDF servers converting sites to PDF are located in the United States, and that is the location that matters when you request that a blocked site be sent to you.

    I have tested Web2PDF by requesting that pornographic sites be sent to my email, and it works very well, with the service sending me via email a PDF that includes pictures and text.

    I tried to request single pictures or single files from a website and it returns a blank PDF; the request needs to be a full page and not a single file. The PDF that Web2PDF sends you is non-clickable, so you cannot visit the links included. Other than that, this works perfectly well. It took 2 minutes for my banned website to be received in my email inbox. Just make sure you can receive attachments.

    There is no Internet filter capable of blocking this page retrieval system; it would be necessary to block your access to all email services for that. You can also use a mobile device able to read PDF files and receive email and browse the Internet this way, although data bills must still be taken into consideration.

    Read websites without Internet access

    If you do not have Internet access at home and normally use a library or Internet cafe for an hour a day, you can ask Web2PDF to convert to PDF all of the websites you would like to browse, save the converted sites on a USB memory stick and read them in your own time in the comfort of your home with an e-book reader or any other device able to read PDF files.

    If your college or workplace limits your Internet connection to email only, you can ask Web2PDF to send the websites to your email and get around the filter restrictions. Any network administrator looking at your activities will not be able to know that you are browsing the Internet or what sites you visit. At most they could see that some of your emails contain attachments and their size, but they will not be able to read the content if you use an email service with SSL encryption protecting you from man-in-the-middle attacks.

    To receive any website in your email as a PDF document, send a message to: SUBMIT @ WEB2PDFCONVERT.COM. Simply write the URL you want to retrieve in the subject or body of the message and leave the rest of the message blank. You should receive a copy of the requested website in your inbox in a few minutes.

    Visit Web2PDF homepage

    Read a website anonymously without leaving logs

    You can use Web2PDF if you do not have a proxy server and want to visit a site anonymously, without anyone knowing and leaving no logs on the server. If you request that the site be sent to you via email, the only IP logged by the site you are reading will be the Web2PDF computer's IP address. I have checked this on my own server, and the Web2PDF bot identifies itself as ISP VolumeDrive, located in Clarks Summit, Pennsylvania, United States.

    VolumeDrive is a data centre; I am assuming that is where their automated bot resides, although Web2PDF itself has its headquarters in Lithuania (Europe).

    I do not know the maximum number of websites you can request to be sent to your email, but there is a cheap premium option that removes that limitation, allows you to choose the paper quality and removes their company logo from the PDFs sent to your email.

    Search the Internet using your Email

    If you are not sure of the URL of the website you want to retrieve, you can use a service called Web2Mail, which works like Web2PDF and has extra features. It will not send you PDF files; it uses HTML files instead, which reduces the size of the email.

    To use Web2Mail to search the Internet via email, you just enter the search words in the email subject and send it to their address at WWW @ WEB2MAIL.COM. You will get a reply with your Internet search results in your inbox in 5 minutes.

    Web2Mail also allows you to set up email subscriptions to your favourite web pages, so you don’t need to request them every time. You can set up Web2Mail to send a copy of a certain website to your email inbox daily or weekly.

    Visit Web2Mail homepage

  • CryptoNAS to encrypt your Network Attached Storage data

    A Network Attached Storage, commonly known as NAS, is a centralized device dedicated to data storage used to share files over a network, either your own local home network or the wider Internet.

    Network Attached Storage devices contain one or more hard drives and are networked with other appliances. NAS units are configured for file sharing between multiple computers. If they contain more than one hard disk, they can be configured as a JBOD (Just a Bunch Of Disks) or in RAID to facilitate data backup and quick file access.

    Small and remote offices and home networks all normally use a NAS appliance for file sharing. NAS drives have software that can be set to automatically back up every computer on the network, and they can also be used as servers, but very few of them include data encryption capabilities.

    The NAS operating system and other software on the NAS unit provide the configuration and management of the data storage and access functionality.

    CryptoNAS Network Attached Storage encryption introduction

    CryptoNAS is a multilingual, Debian-based Linux live CD with a web-based front end that can be installed onto a hard disk or USB stick. CryptoNAS has various choices of encryption algorithms; the default is AES. It encrypts disk partitions using LUKS (Linux Unified Key Setup), which means that any Linux operating system can also access them without using the CryptoNAS software.

    CryptoNAS configuration and settings

    CryptoNAS provides two packages: CryptoNAS-Server and CryptoNAS-CD

    The CryptoNAS-Server: Targeted at network administrators, it adds hard disk encryption to a file server (running Samba, NFS, DAV, etc.).

    The CryptoNAS-CD: Targeted at home users, it allows for easy NAS device encryption and browsing through a web interface.

    The CryptoNAS default username and password are admin:admin; you should change both as soon as you have it installed. The next step is to create a configuration partition where the CryptoNAS settings will be stored. After that you can enable disk encryption, format the hard disk using your file system of choice and enter the passphrase to be used. CryptoNAS will start encrypting the hard disk straight away, and you will be able to see the progress by clicking on status.

    Your router will need to be in the same subnet, which means its IP needs to be 192.168.0.1. Check the default gateway address through the network connection details, log into your router and change the address in the LAN/network settings if necessary.

    To access CryptoNAS through your web browser, use https://192.168.0.23. You will get a message warning you about a problem with the security certificate, since CryptoNAS uses a self-signed certificate; ignore it and go ahead.

    If you switch off the computer where CryptoNAS is running, the encrypted hard drives on your NAS will shut down and they will be inaccessible until you reopen them by entering the correct passphrase. You must remember that as long as CryptoNAS is running with the disks mounted, the data is unencrypted and the encryption key is held in RAM. Encryption will only secure your data if someone disconnects your NAS device (i.e. the NAS device gets stolen) or you turn it off.

    Alternatives to CryptoNAS

    1. Use stand-alone free open source encryption software like DiskCryptor or TrueCrypt to encrypt your NAS hard drives and mount them on request.
    2. Use a NAS device that comes with encryption integrated. QNAP, Seagate, and Synology all have AES256 encryption for some of their high-end Network Attached Storage products.
    3. Use FreeNAS, a free open source NAS distribution based on FreeBSD that also allows for encryption of NAS hard drives.

      Visit CryptoNAS homepage

  • How to change your browser user agent headers

    Every time you visit a website with your Internet browser, the HTTP header exchange tells the server which browser brand you are using, as well as your settings and what plugins you have installed. This data is used to serve you the best content for your Internet browser settings.

    Typical information that the Internet browser transmits to the server of the visited website includes the operating system, the Internet browser brand, the browser version, local language settings (which can be used to determine what your native language is), whether JavaScript is disabled or enabled, the presence of Flash or Java plug-ins and anything else to do with the browser environment. The combination of all of these settings, together with data like geolocation, can make your browser unique and enable someone to identify and track you across websites.

    Test your Internet browser uniqueness

    According to a study by the Electronic Frontier Foundation, only one person in about 1,500 will have the same User Agent as you. Once you combine this data with geolocation and unique browser plugins, you can see how your Internet browser can become so unique that it can be used to track you down.

    Test how unique and traceable your browser is at: Panopticlick EFF test

    Test your Internet browser privacy and security: Browserspy.dk

    Find out your Internet browser agent headers: User Agent String

    Change your Internet browser user agent

    Before you do this, be aware that changing your identifying browser user agent can make a website display content tailor-made for a different browser brand and present you with a malfunctioning page. This does not happen in every case, and it is just the price of achieving high Internet privacy. You can always disable the fake browser User Agent for websites you trust and only use it for places that you believe could be tracking you on the Internet.

    The fingerprinting of your Internet browser uses a combination of your computer IP, browser header and configuration information. One of the best things you can do to confuse websites tracking you is to use a VPN to change your geolocation, combined with a random browser user agent.
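    The "one in about 1,500" figure and the combination effect described above, worked through as an added example that is not part of the original article: the visitor sample, field names and function names are constructed for illustration, and the measure used (bits of identifying information, log2 of how many browsers you blend in with) is the one the Panopticlick test reports.

```python
import math

FIELDS = ("user_agent", "language", "plugins")

# Constructed sample of 15 other visitors to a site (not real measurements).
_RAW = (
    [("Chrome/Windows", "en-US", "flash+java")] * 2
    + [("Chrome/Windows", "en-US", "flash")] * 2
    + [("Chrome/Windows", "en-GB", "flash"),
       ("Chrome/Windows", "de-DE", "flash"),
       ("Chrome/Windows", "en-US", "none")]
    + [("Firefox/Windows", "en-US", "flash")] * 2
    + [("Firefox/Windows", "de-DE", "flash+java"),
       ("Firefox/Windows", "en-US", "none")]
    + [("Safari/Mac", "en-US", "flash")] * 2
    + [("Safari/Mac", "en-GB", "none"),
       ("Safari/Mac", "en-US", "flash+java")]
)
OTHERS = [dict(zip(FIELDS, row)) for row in _RAW]

# Hypothetical visitor with an uncommon browser and language.
ME = {"user_agent": "Opera/Linux", "language": "lt-LT", "plugins": "flash+java"}


def bits_for_one_in(n):
    """Identifying information carried by a value shared by one browser in n."""
    return math.log2(n)


def anonymity_set(others, me, fields):
    """Number of browsers, including mine, that share my values for `fields`."""
    return 1 + sum(all(o[f] == me[f] for f in fields) for o in others)


def identifying_bits(others, me, fields):
    """log2(population / anonymity set); higher means easier to single out."""
    return math.log2((len(others) + 1) / anonymity_set(others, me, fields))


def report(others, me):
    """Anonymity set and bits as each attribute is added to the fingerprint."""
    rows = []
    for k in range(1, len(FIELDS) + 1):
        fields = FIELDS[:k]
        rows.append((fields, anonymity_set(others, me, fields),
                     round(identifying_bits(others, me, fields), 2)))
    return rows


if __name__ == "__main__":
    print(f"1 in 1,500 user agents = {bits_for_one_in(1500):.2f} bits")
    spoofed = dict(ME, user_agent="Chrome/Windows")   # only the header changed
    for label, visitor in (("real", ME), ("spoofed UA", spoofed)):
        for fields, size, bits in report(OTHERS, visitor):
            print(f"{label:10} {'+'.join(fields):28} set={size:2} bits={bits}")
```

    In this sample, switching to the most common user agent raises the anonymity set from 1 to 8 on that header alone, but the unchanged language setting brings it straight back to 1, which is why the user agent has to be changed together with the other attributes a site can read.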