Hacker10

Best online hacking wargames

The following websites offer you a free and legal way to acquire practical hacking skills. If you are going to stop the bad guys, you need to know how they act to protect your own servers and wargames are the best way to be one of the bad guys without worrying about the FBI knocking at your door or harming anybody.

The computers you will be hacking in wargames are virtual machines that can be easily reset, and if you get lost, a community of white hackers will be willing to help you out teaming up with you or sharing experiences.

Exploit Exercises: A site giving you access to various virtual machines to hack, you will be given challenges, like scanning a network to find what vulnerabilities exist and how to exploit them. This site is admirably structured with the servers separated in between different hacking skills and levels. You can download a .iso or .ova (Open Virtual Application) and run it locally in your computer to hack it as if it was online.

Hacking Lab: An IT security portal with various hacking tests, it has its own custom live CD with a VPN connection that you can use for hacking. Just like in real life, where you have to scan a server to fingerprint them before launching an exploit, in hacking lab you will have to find the IP or DNS of the vulnerable server before a hacking attack can take place.

Online hacking game hacking lab

Pen Tester Lab: Full of penetration training exercises for people interested in becoming a PEN tester. You are given weekly computer security exercises in the boot camp section, lessons will get more and more difficult as you complete them. Tasks are clearly explained with links to the files you have to download if necessary.

HackThisSite: One of the wargame sites that has been the longest around, with a great hacking community that will help you expand your skills, you can chat with like minded people in HackThisSite forums or in the old school hacker’s communication tool IRC. This site stands out from the crowd with their extensive amount of free learning resources.

cyberwar game HackThisSite

Hacker Project: A fictional hacking game set in the future where governments have gone bankrupt and multinationals take over the World stopping free flow of information. Your job will be to return power to the people by infiltrating corporations and use their information technology network against them. This site is for entertainment, you don’t hack anything for real, but the game is realistic.

HackerForEver: Text based browser game revolving around the dark world of hackers, from the good white hackers up to the bad black hacker guys. You can choose what side you would like to be on, the game has various clans you can join and a community. You will not do real hacking here, just a simulation, games like this serve as introduction to the hacking slang world, suitable for people of any level.

2 September, 2014
Open source P2P EMP encrypted messaging

Recently released for testing, EMP, is a multi-platform P2P open source messaging system with encryption. There is no central server, everything runs in your computer and the technology is similar to that of Bitmessage.

EMP has a clean tabbed interface that opens in your Internet browser, the toolbar address is http://localhost:8080 (yourmachine:port), you will see tabs named Inbox, Outbox, Sent, MyAddresses. The Inbox tab contains a list of the messages you have sent with the timestamp and the cryptic EMP receiving address with a Status column indicating if the message has been read.

EMP Encrypted Messaging Protocol

I downloaded the Windows version of EMP in Windows Vista and I was only able to install it after right clicking on the program and running it as administrator, then you click on the desktop shortcut and your Internet browser launches asking you to enter username and password RPC credentials that “should be located” in ~/.config/emp/msg.conf .

The notice seems tailored to Linux users, after tinkering around Windows the real place where I found the msg.conf file was inside Program Files (x86)/EMP and editing it with Notepad shows “user = “rpcUser” pass = “rpcPass”. Another thing is that you will have to remove the software from your computer manually, I could not see any EMP uninstall in Windows control panel, if you want to delete this program from your computer go to /Program Files (x86) and erase the full EMP folder.

The main difference in between EMP and Bitmessage appears to be that EMP has been built for performance, the client has been written with Go, also called golang, a programming language designed for simplicity and EMP purges the network of read messages, EMP is also modular, it can be embedded with other applications as part of a communication suite. Bitmessage has on its favour that they hide metadata, I can’t tell if EMP also does it, at the moment they have no documentation.

Security wise, AES256 is used for encryption and being open source means that others can review the code to find bugs, it don’t think is a bad platform but I can’t recognize any substantial reason why an average person would want to switch from Bitmessage to this new platform.

Visit Encrypted Messaging Protocol

31 August, 2014

Email providers connection logs table

Last week I emailed 14 different email providers and identifying myself as a blogger I asked them about their connection logs retention policy, here are the answers:

Would it be possible for you to let me know for how long does your email service keep customer connection logs? (By connection logs I mean timestamp logs that contain computer IPs used to connect to the account)

Email provider	Connection logs retention
Countermail.com	We keep a traffic log for 24h, the incoming external server IP-addresses are stored in this log, but the countermail users IP-addresses are never stored in this log
Protonmail.ch	The answer to your questions is fairly simple: we do not have connection logs where ip’s are matched with accounts and tracked
Inbox.com	We are sorry but we can not share this info with you because it is not considered a public information
Hushmail.com	They told me to read their privacy policy, I did and it says that Hushmail keeps connection logs for 18 months
AnonymousSpeech.com	For trial user we keep a connection log for 5 days. After this 5 days we delete them. For paid memberships we do not keep ANY log information
Mailbox.org	The specific logs you asked about are deleted after 7 days
NeoMailbox.com	Updated: It took them ONE MONTH to reply. “We keep email logs for 7 days after which they are securely wiped.”
Cotse.net	Did not reply
MyKolab.com	Unfortunately, I am not in the position to give you a concrete time frame for this. For example, deleted mails are not purged from our storage immediately but at regular intervals, usually every day at night time when there are less users on the systems. In addition to that, we keep backups for disaster recovery, but we only keep them for a limited amount of time and not forever
Unseen.is	We keep email server access logs for seven days. This is only to prevent abuse and spamming using our system
OpenMailbox.org	We keep logs 1 year to comply to local laws
Posteo.de	We only save IP addresses when an account is accessed using an external email client and in the process of sending or receiving emails. When an account is accessed via the webmail interface we generally do not save IP addresses. This data is automatically deleted after seven days. The data is only used to diagnose problems and can not be requested by authorities. Only in response to a judicial ruling in the case of a serious crime can this data be accessed.
CryptoHeaven.org	The logs are kept for anywhere from 8 to 48 hours, and that is only on the web server and not the mail system
Fastmail.fm	We normally keep logs of email and server activity for up to 6 months. This is for the purposes of diagnosing and fixing problems, which are often reported to us weeks or months after they occur. Backups and logs may be kept longer in special circumstances. For example, if a problem is taking a long time to resolve, logs relevant to that investigation may be retained. Or if a server that contains backups or logs is temporarily offline because of a fault, then those backups or logs may not be deleted until the server is brought back up. These situations are unusual, however, and when they do occur, they are temporary

29 August, 2014

Islamic State guide to remain anonymous online

Posted in Twitter by an Islamic State ideological supporter with thousands of followers using the handle @AmreekiWitness, a new online guide explains to jihadists how to remain anonymous online. The manual comes with intercalated Quranic verses in between and a quotation of General’s Sunt-Zu that reads “War is deceipt“, found in the ancient book “The Art of War“, a mandatory reading for CIA intelligence officers, and also a quotation of the Islamic Hadith.

The anonymity manual is linked to a JustPasteIt page, one of the tools of choice for Islamic State supporters to post their propaganda. Online jihadist are using JustPasteIt to spread their ideas because you don’t have to register or open any account to upload photos and documents and it can be quickly done with Tor even if many of the pages are taken down by the company when someone reports them.

The manual recommended VPN provider is CyberGhostVPN (referred to as Ghost VPN). Trying to guess why this would be a good VPN for a jihadist I would say that it is free to use, no payment details can be traced back, the company claims no logs are kept and CyberGhost headquarters are located offshore in Romania. For extra security another security measure advised in the manual is to combine Tor and CyberGhostVPN at the same time. An excellent choice, it will slow down your Internet browsing but it adds an extra security layer, something that it is worth to do when your enemy is a country with lots of resources at their disposal to track you down. One more great tip given in the manual is to never check your real Facebook page or email account with the VPN or Tor, doing that would expose your real identity to anybody monitoring the traffic.

The live operating system Tails is also advised for online anonymity, Tails being my favourite tool for posting comments against the NSA on various forums, I believe it to be an accomplished tool. Specially as it leaves no recoverable traces on the hard drive, other than the BIOS being set up to boot from a CD first, and all settings in Tails are good to go by default, even people who don’t understand much about technology should be safe with it.

For email communications the anonymity manual suggests Bitmessage, a P2P email system that has no central server, optionally accessed using a Tor hidden node and which account can be nuked if it is compromised.

For instant messenger the manual recommends, Cryptocat and ChatSecure, I would agree with ChatSecure, an open source mobile app with Off The Record. Cryptocat doesn’t appear to be a bad but I don’t feel it is suitable for paranoid privacy because they have a central server. I would only feel safe with Cryptocat if I am behind Tor, and they warn you of this on their website.

The last part of the manual covers legal advice and it cautions people that if they use social media to avoid arrest a disclaimer should be added saying that they do not support violence and “study the radical Muslim community for recreational purposes“.

This Jihadist guide to remain anonymous online is fairly good. I could only see minor mistakes, the first one is that the manual capitalizes The Onion Router acronym, naming it TOR. This denotes that the author does not follow Tor development too close because the official name is Tor and everybody on the Tor mailing list knows this.

One big hole is that there is no mention of full disk or file encryption at all, DiskCryptor or similar software is very useful for anybody who wants to keep files locked out from unauthorized eyes, and they should have also mentioned steganography. As leaked Snowden’s document reveal, the use of encryption and Tor raises red flags in the security services, steganography on the other hand needs to be found first, it is extremely difficult to detect a hidden message inside a photo or MP3 posted on plain view in Flickr, unless it is known that the target is using steganography, they won’t search for it, and spy agencies would have to extract the data before decryption,it adds to their troubles.

Islamic State fighters

The manual also does not include any warning about the trojan horses that security agencies are known to email or force download in target computers using Flash, Windows and Adobe updates, trojan horses that are not detected by any antivirus software. The only way around is being cautious, not using Windows if possible, or, the best choice, to only browse the Internet with a live CD for activism.

What the USA has in its favour is that Muslim terrorists are using USA companies like Twitter for their propaganda, giving the NSA easy monitoring of their accounts, knowing who their contacts are, what PMs they send to each other, what email addresses they have used to register, this facilitates wire-tapping and trying to download a trojan horse in the user’s computer to know more about them (it could thwarted if they use a live CD).

Other good news for the USA government is that a quick search of real life news show that although anonymity technologies have been around for over a decade, the number of terrorists and child pornographers bothering to learn about them are a rare exception. Apparently, although Tor and encryption can keep their asses out of 20 years in prison,targets are extremely foolish and don’t learn about computer security, if they did they would not post photos with blurred faces, they can be unblurred, this has been done in the past by German law enforcement, it is necessary to use opaque black colour squares to hide faces and stop experts from making them visible again.

27 August, 2014
Dividing encryption keys with Secret Sharp Shamir Secret

Secret Sharp is a free Windows program based on the Shamir Secret Sharing scheme, a way to divide the decryption key to distribute it in between multiple participants. Data decryption is not possible without more than one share, if one of the keys were to be compromised it would be useless to decrypt anything on its own. The only way to unlock encrypted data in a Shamir Secret scheme is with multiple keys, named shares, in Secret Sharp you can set up a minimum of 2 shares and a maximum of 100 shares.

The software can only encrypt text messages and it needs .NET installed for it to work in Windows. After launching Secret Sharp a wizard will ask you whether you want to Combine Shares to decrypt a message or Share A Secret to encrypt data.

When you create a new secret you will be asked how many parts you would like to create and how many of the shares will be needed to reconstruct the secret. As it might not be always possible to get all of the participants shares, you can create a secret made up of, for example, 10 shares, with only 4 of those shares needed to decrypt the data. This allows for members of the group to be away on holiday, deceased, etc, and the others will still be able to access the secret with any of the 4 keys structuring the 10 shares secret.

Secret Sharp rebuild Shamir shares

The person that creates the secret gets to view all of the shares before distributing them to the participants, it is imperative that the secret creator has a secure computer with no trojan horse and can not be unsettled, there is nothing stopping that person from making a copy of the shares before distributing them instead of securely wiping the shares.

To rebuild an encrypted secret you will need to be in possession of the necessary shares and stipulate to Secret Sharp how many shares are needed to reconstruct it, the latter can be told to everybody in the group without endangering the secret and should be written down somewhere during share distribution.

Secret Sharp is the Windows version of ssss (Shamir Secret Sharing Scheme), a command line program for UNIX machines that does the same thing and there are also Java implementations around that will work on any machine, like Mac computers.

You could find a Shamir Secret encryption program like Secret Sharp useful to leave written instructions to be opened if you die, instructions to be opened if you are captured by the enemy or just to make sure what there are at least two people reading the message and trust is not placed on a single person alone.

Visit Secret Sharp homepage

19 August, 2014
Public key encryption with CyberSafe Top Secret

CyberSafe Top Secret is a commercial program made in Russia to encrypt files, folders and partitions, it can be used to create virtual encrypted drives or encrypt a full partition or removable media (USB thumbdrive) where everything stored is automatically ciphered. The program’s source code is available for download from the company website to reassure you that there is no backdoor.

The free edition of CyberSafe Top Secret should be considered trial software, the password length limit of 4 characters and DES algorithm make it very easy crack, it is only after buying the program that you get full protection with encryption algorithms that no law enforcement or sophisticated spies can penetrate.

I found the program very versatile, it has so many options that if you have not used encryption before learning how to use digital certificates for encryption and signing files could take a few days to learn for newbies but a PDF manual explains in detail how everything works, it is not difficult, it simply takes time.

I welcomed the addition of being able to encrypt files in your computer before uploading them to Dropbox, Google Drive and other cloud services. Google Drive, like Gmail, scans your data to find out if you have uploaded child pornography photos by matching the unique hashes of those files with the ones given to them by law enforcement. You have no guarantee that the NSA will not order Google to also scan your files to find X, once built-in scanning exists,nothing stops the NSA from abusing that capability for their own purposes. Anybody storing files in the cloud would be insane not to encrypt their files first and CyberSafe Top Secret allows you to do that easily dragging and dropping folders inside a window.

CyberSafe Top Secret encryption software

When creating a virtual encrypted drive (.dvf) you are given the choice of encrypting it with the USA Department of Defense approved AES algorithm or the Russian government standard GOST symmetric block cipher. Be careful when entering the password because you will not be asked for confirmation. This was bizarre, it is one of the few times that I come across an encryption program that does not ask you to confirm your password twice when creating an encrypted container that is meant to be uncrackable.

CyberSafe Top Secret Ultimate comes with a few business friendly features, like the optional Google Authenticator that can be activated in settings, a one time password mobile app that has to be used together with a user password before you can launch the program.

The heavy reliance on public key encryption to secure files suggests CyberSoft Top Secret has businesses in mind. It is easier to manage a central registry of digital certificates that can be revoked over the network than managing dozens of passwords, the program allows you to access a public key server and import or export a public encryption key without having to open your web browser.

CyberSafe Top Secret file encryption

My main criticism of this software is pricing, I obtained a license for the high end CyberSafe Top Secret Ultimate edition during a give away not connected to this review, otherwise, I would not have paid the €100 it costs. For slightly more money I can buy BestCrypt, WinMagic SecurDoc or SecurStar DriveCrypt Plus Pack full disk encryption.

There is a cheaper version of CyberSafe Top Secret but it comes with a maximum password length of 16 characters, I don’t think that is long enough to secure your data from an adversary with high resources and it seems unfair that security software you have paid for can come with a limit that weakens your security unless you buy their most expensive package.

CyberSafe Top Secret pricing can only be justified because it can manage and create encryption keys and it makes it easy to email to other people in a secure manner with a proven standard, but disk encryption wise, full disk encryption is much better.

CyberSafe Top Secret should be praised for making the source code available for download. This does not guarantee that the program is bullet proof but it guarantees that experts can look at how encryption works and detect changes if somebody forces the company to modify the code.

Perhaps if the price was cheaper for the Ultimate edition or if I needed support I would consider this program to encrypt my data. I see this software most suitable for a company with many employees after an easy solution to manage multiple encryption keys, home users in need of hard drive encryption might be better off looking at the other options mentioned above or with DiskCryptor (free), but if all you want is a solution to encrypt emails maybe it is worth to check out this software.

Visit CyberSafe homepage

PS: After writing the review I noticed that the uninstaller is only in Russian, clicking on the default options erased everything properly. There is no malware, but it is not very professional not translating the uninstaller.

17 August, 2014
The best XMPP/Jabber servers for anonymous chat

Jabber/XMPP is a decentralised instant messenger using the open source XMPP protocol, there is no central server that could be compromised, the multiple nodes construct a resilient and hard to monitor infrastructure. Dozens of XMPP servers, encryption and its open source nature make XMPP much harder to wiretap or shut down than cloud based Google Hangouts, Yahoo Messenger or Skype, all USA companies known to have a NSA backdoor.

One of Jabber/XMPP main vulnerabilities is that the server you are connected to is not trustworthy, this is a list of XMPP servers with the best privacy policies:

5th July XMPP: Swedish privacy foundation promoting free speech worldwide, in between other services they provide an open XMPP server with Off-The-Record Messaging (OTR) support, hosted in Sweden and with logs tuned off. They warn you that file transfers are not encrypted, only text conversations are.

Calyx Institute: A not for profit privacy and cyber-security foundation running a public Jabber/XMPP server that does not create any records of who you communicate with or keep logs of the content of any communications, this server forces you to use OTR, Off-the-Record Messaging, a cryptographic plugin that stops the server administrator from accessing plain text of your communications.

Dismail.de: Free public server located in Germany, you can register for an account using the web interface or your Jabber client. The privacy policy is very clear about how long for each one of your details are stored, metadata has to be saved for Jabber to work, it would be impossible to communicate with your contacts without saving who they are and your Jabber ID is of course also saved. Personal details like the IP address used to create the account and the files you upload are erased after a month.

Pidgin Jabber XMPP setup

Neko IM: Running a public XMPP server located in Norway, they claim that no more information is collected and stored than what is absolutely necessary, TLS everywhere is enforced and Jabber clients need to support a strong cipher or they will not be able to connect to the network. Being a free volunteer run project, this server uptime comes accordingly to this and no guarantees are made about uptime other than “as much as possible“.

XMPP Gajim Jabber chat

Countermail: This is a paid for service from a Sweden based email privacy company that provides the XMPP server xmpp.counternet.com with TLS and SSL encryption only available to email account holders. The username and password are randomly generated, you can not create your own, however, all XMPP clients supports “alias” or “display name” that you can manually set up and this is what other Jabber users will see.

SystemLi: Jabber server managed by an anti-capitalist tech collective. They do not retain any kind of data and a .onion link is available for those using Tor. To avoid spam accounts registration is only possible with an Internet browser.

About Jabber/XMPP security

Any IM client that supports the XMPP protocol can interact with other Jabber users, a few of the best know Jabber compatible clients are Pidgin, Thunderbird and Jitsi, they can be used for videocalls and sending files, but always remember that encryption and end to end does not mean that your computer IP is hidden. Jabber will help you protect from wiretapping with encryption but the server you use could log what you do and your contact could find out your home IP if you are not on a proxy or VPN.

Another benefit of Jabber is that the same username and password can be used to connect with the social network Jappix, unlike Facebook, you don’t have to provide your real identity to take part in Jappix. Another way to protect your online privacy is running your own Jabber/XMPP server with a custom logs policy, it is not hard to set up an XMPP server with basic understanding of Unix, search for Prosody or Tigase to find XMPP server software to run.

I included XMPP servers with a clear privacy policy of minimum logging or being offshore, those are the claims that the server administrators make, there is no way to verify any of them. If you are social activist RiseUp and Austici provide anonymous Jabber chat servers for people fighting for world change but they are not on the list because they are strictly for political activists.

Sometimes privacy minded individuals set up their own XMPP server and open them to everybody, due to the nature of one man operations, instead of including here privacy servers that have little backing and less chances of long term survival it is best that you check out an updated list of all public XMMP servers at https://list.jabber.at/

10 August, 2014