Hacker10

  • Cold boot attack protection with YoNTMA


    YoNTMA (You’ll Never Take Me Alive!) is an open source tool that complements Windows BitLocker and Mac FileVault full disk encryption. It has been designed to protect the user from cold boot attacks, a side channel attack in which an intruder with physical access to a machine retrieves the encryption keys from RAM.

    Cold boot attacks can be used to gain access to a fully encrypted hard drive. They are very difficult to carry out once the computer has been shut down: data remanence lasts less than a minute after you power off your computer. In that time an attacker would have to open up the computer case, extract the RAM modules and cool them down with liquid nitrogen before extracting the keys.

    Cold boot attacks are not normally carried out by law enforcement because of the complexity and timing involved, but the attack becomes easy if a computer is secured only with a screen lock by a user who has gone for a quick bathroom break or cup of coffee. A self executing .bat forensics file, like Mandiant Memoryze, could be run from a USB thumbdrive plugged into the locked computer to extract the RAM of a fully encrypted laptop. YoNTMA aims to protect you from this.

    [Image: cold boot attack RAM memory liquid nitrogen]

    You’ll Never Take Me Alive! runs in the background and monitors when your screen locks. If it detects that the power or Ethernet cable is disconnected while the machine is locked, YoNTMA immediately puts the computer into hibernation mode to remove the encryption keys from RAM, sending them to the page file on the hard drive, to protect you from a thief who steals your fully encrypted laptop and extracts the keys a while later. When a computer is hibernating it is not possible to execute a program from a CD drive or USB port; it needs to wake up first.
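    The lock-screen policy described above, modelled as a small event-driven state machine. This is an added example, not YoNTMA’s own code; it assumes the trigger is the cable being unplugged while the screen is already locked (an unplugged cable noticed before locking does not trigger), and the events are constructed here rather than read from the operating system.

```python
"""Model of the YoNTMA lock-screen policy (added example, not the project's
own code).  Events are constructed by the caller; the real tool gets them
from the OS lock-screen, power and network notifications."""
from dataclasses import dataclass, field
from typing import List, Optional

HIBERNATE = "hibernate"  # keys leave RAM and go to disk with the hibernation image

TRIGGERS = ("power_disconnected", "ethernet_disconnected")


@dataclass
class LockScreenPolicy:
    locked: bool = False
    power_connected: bool = True
    ethernet_connected: bool = True
    log: List[str] = field(default_factory=list)  # audit trail for the admin

    def handle(self, event: str) -> Optional[str]:
        """Apply one OS event and return the action taken (HIBERNATE or None)."""
        if event == "lock":
            self.locked = True
        elif event == "unlock":
            self.locked = False
        elif event == "power_disconnected":
            self.power_connected = False
        elif event == "power_connected":
            self.power_connected = True
        elif event == "ethernet_disconnected":
            self.ethernet_connected = False
        elif event == "ethernet_connected":
            self.ethernet_connected = True
        else:
            raise ValueError(f"unknown event {event!r}")
        # Assumption: only a cable *transition* while locked fires the rule; a
        # laptop that was already on battery when locked is left alone.
        if self.locked and event in TRIGGERS:
            self.log.append(f"{event} while locked -> {HIBERNATE}")
            return HIBERNATE
        self.log.append(f"{event} -> no action")
        return None


def run(events: List[str]) -> List[Optional[str]]:
    """Feed a constructed event sequence through a fresh policy instance."""
    policy = LockScreenPolicy()
    return [policy.handle(e) for e in events]
```

    Running `run(["lock", "ethernet_disconnected"])` yields `[None, "hibernate"]`, while the same unplug before the lock yields no action.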

    I personally feel that, if your data is so important that you need full disk encryption, it doesn’t matter whether you leave the computer for ten minutes or ten seconds: you should never leave it on with only the screen lock, and it should be you sending it into hibernation when you need a two minute bathroom break. But if you are the forgetful kind of person, there is no harm in running YoNTMA on your computer; small things sometimes save the day when you least expect it.

    This tool will likely be most useful for companies enforcing rules on lazy employees, rather than for private citizens with the discipline and attention to detail needed when dealing with encrypted data.

    Visit YoNTMA homepage

  • Decentralised Internet platform MaidSafe


    MaidSafe is a decentralised Internet platform where users contribute storage space, CPU power and bandwidth to form an autonomous ecosystem; the more people join the network, the more resources are available. A denial of service attack or censorship attempt would be extremely arduous to carry out in such an environment, where there is no central server or DNS.

    MaidSafe’s client application is called SAFE (Secure Access For Everyone). When you upload data, everything is automatically shredded and encrypted, using the uploaded files themselves as part of the public key encryption scheme; the password is never transmitted to the network, so there is no way for others to see what you uploaded. Data is distributed across multiple servers, and replication and Distributed Hash Tables intercede to deliver the files when some of the servers holding chunks of your data go offline. MaidSafe maintains 4 encrypted copies of your data and moves them around nodes as they become available.

    [Image: MaidSafe decentralised network]

    If you would like to access more data than you have been allocated by the network and do not wish to donate more computer resources, you will have to pay for the access using Safecoins, MaidSafe’s own cryptocurrency, which can be bought or exchanged for another currency at alternative cryptocurrency markets.

    A project like MaidSafe has the potential to deliver apps, host websites or store films without fear of the server being subpoenaed or taken down by an abusive regime. With the files divided and stored encrypted in different locations, it is not feasible for state entities to wiretap a central server and track the downloaders.

    The code is open source, and developers have access to an open API to build apps on top of MaidSafe. Just be warned that when you donate storage space to the network, you have no way of knowing what is being stored encrypted on your computer; this could create legal liabilities if anybody misuses the network, but until there is mass adoption it is hard to know what would happen in a case like that.

    MaidSafe is a for profit company based in the UK; they make money with Safecoins.

    Visit MaidSafe homepage

  • Digital image forensics with Ghiro


    Ghiro is an open source tool for image analysis and metadata extraction. You can install it on a dedicated server or download the .ova appliance for VirtualBox or VMware. Either way you get a web interface to upload images and get a deep overview of the embedded metadata, like EXIF, IPTC, XMP, GPS coordinates, etc.

    The default web interface username is ghiro and the password is ghiromanager; they should be changed straight away, especially as the appliance can be remotely accessed with SSH if you uploaded it to a server.

    You can use this tool to compare two images that look the same to the human eye and find out if one of them has been modified by comparing their hashes: the hashes tab shows the image MD5, SHA1, CRC32, SHA256 and SHA512 hashes. Error Level Analysis will let you know if the image was edited, and MIME information shows extended data about the file you are dealing with, for example whether it is a JPEG or a PNG.

    [Image: Ghiro image forensics appliance]

    You can extract metadata to find out what device was used to take the photo and whether any GPS coordinates were automatically added, as many digital cameras do, in which case an embedded map in Ghiro shows you the exact location where the picture was taken.

    Other metadata that Ghiro can extract includes photo resolution, focal length and the name of the software used to edit the photo, if any. A case management tab lets you group images and assign users and permissions to cases.

    This is a scalable professional image forensics tool of benefit to amateurs and professionals alike: it can detect fake photos, and it allows a team of people to work on complex cases with a multi-user dashboard, saving projects, searching for specific image hashes and displaying understandable reports.

    Visit Ghiro homepage

  • Encrypted mobile phone chat, video and calls with PQChat


    PQChat is a free private messaging app for iPhone (Android version coming soon), protecting data with the McEliece cryptosystem and a proprietary Never-The-Same encryption algorithm from SRD Wireless, a UK company.

    The app stores minimal user information; everything is encrypted before leaving the device. The user’s phone number, nickname and ID image are stored as one way hash values, and the app master password and a 5 digit alphanumeric PIN are set by the user. PQChat developers don’t know what they are and cannot read your data; if you lose your master password you will lock yourself out of your account forever, there is no backdoor.

    User authentication to establish a video call or send a text message to one of your contacts employs PQChat’s own patented Man At The End algorithm.

    [Image: PQChat mobile phone encrypted chat]

    The user keeps total control over the messages he sends, first by encrypting them on the phone, and secondly by being able to remotely delete the messages from the server or set a timer for automatic erasing. You are protected from wire-tapping with a single use encryption algorithm, akin to perfect forward secrecy. Deleting the encrypted messages strengthens your security by stopping future attempts to break the cipher, and it can help you when you have sent a message to the wrong contact.

    This is a zero knowledge app marketed as resistant to quantum computer cipher breaking, with PQChat standing for Post-Quantum Chat. The company claims that most standard encryption will be broken in the future by quantum computers that are yet to be built.

    The app includes a personal locker in which to store encrypted passwords and bank details. It is doubtless a much better option than WhatsApp and other popular insecure messaging apps, but you need to trust that the closed source encryption algorithm is safe and, as usual with this kind of app, the receiver and the sender both need to have the app installed to be able to communicate.

    If it worries you that this is a UK company that could be forced to spy on you by a blanket surveillance government order, PQChat developers acknowledge that they will have to comply with authorities’ requests to monitor a user, but since they are unable to decrypt messages there wouldn’t be much they could provide.

    Visit PQChat homepage

  • Android news reader with Tor, encryption and wiper


    Courier Secure News Reader is a Guardian Project mobile phone app for secure and anonymous news reading. The app works with Orbot, a Tor proxy for Android phones from the same developers. It hides your IP address when downloading RSS feeds, gets around ISP censorship in countries where they block websites and encrypts what you download to thwart wire-tapping. The feeds can be synced automatically or manually, with the option of only syncing when on a Wi-Fi network to avoid expensive data roaming charges.

    Downloaded news and personal data are stored encrypted on your mobile phone; in case of emergency they can be wiped altogether with the app by swiping on the screen. A smart move if you expect arrest, but bear in mind that most arrests are never expected, and your chances of being able to wipe evidence that you have accessed banned news sites will not be great unless you have forewarning of the arrest, in which case disposing of the whole device would be safer.

    [Image: Courier Secure News Reader Android]

    The menu is simple and easy to use: a button on top lets you know when you are connected to the Tor network, a “My Favourites” tab bookmarks sites and the “Stories Received” tab can be tapped to read the news. Any data you receive from a friend will be listed separately in the “Receive a Share” tab.

    People who have no Internet access can still read the news as long as one of their peers manages to get online and shares it with them peer to peer, using Courier Secure News Reader over Bluetooth.

    Courier Secure News Reader is open source, free and without any advertisements; the developers’ aim is to help those living in countries where access to news sites is censored to read them anonymously.

    The app has been digitally signed with a 4096-bit key so you can verify that it really came from the developers and that nobody has replaced it with a fake malware app that spies on the user.

    Note: Courier Secure News Reader is currently in beta.

    Visit Courier Secure News Reader

  • List of Truecrypt compatible encryption software


    In light of recent news about Truecrypt no longer being developed, I compiled a list of other encryption programs that are compatible with it.

    If you have data that was archived with Truecrypt for long term storage, you should be able to decrypt it with any of the following programs.

    tcplay: A fully featured Truecrypt implementation to open and create Truecrypt compatible hidden containers with cascade ciphers and keyfiles. This is a command line utility that works on Linux and DragonFlyBSD; you can add a graphical front end with zuluCrypt or Luksus.

    Luksus: A terminal program for Linux and BSD that lets you encrypt and decrypt data using Geli, LUKS, GnuPG or Truecrypt. It is a wrapper around tcplay, Geli and cryptsetup, with a front end interface for those who find the command line too difficult.

    [Image: Luksus encryption front end]

    RealCrypt: An open source fork of Truecrypt for Fedora Linux; it comes as an RPM package and can be easily installed in Fedora from the repositories. It has a graphical interface and the same capabilities as Truecrypt, with a different name and logo as required by the Truecrypt licensing terms. There are no significant code differences between them.

    Encrypted Data Storage (EDS): An Android app that can create and open any Truecrypt container, but there is no on the fly mode and data will be decrypted to a temporary file. This could be a security risk if you believe that your smartphone could be stolen, as temporary data written to solid state disks is recoverable with forensic tools.

    [Image: EDS Android Truecrypt]

    TruPax: A Java based program that can open and create Truecrypt compatible encrypted containers. It will work on any operating system that has Java installed: Windows, Mac OS, BSD and Linux. It can be used with a graphical interface or in command line mode to automate tasks. The software is open source, portable and was coded independently from Truecrypt.

    [Image: Truecrypt compatible software TruPax]

    Cryptonite: An open source app that brings EncFS and Truecrypt to your Android phone; the program is still in development and intended for advanced users. Cryptonite can decrypt any Truecrypt container using your smartphone. If you want to run Android on your desktop, there is an open source project that has ported it to PCs so it can be installed as if it were a Linux distribution. This will give you a bigger screen when decrypting data.

  • Penetration testing and ethical hacking distribution Matriux


    Matriux is a penetration testing Linux distribution based on Debian with the GNOME desktop environment. The download is a huge 3GB and you can run it as a live DVD or install it on your computer or a USB thumbdrive. The tools Matriux comes with have been specially selected for ethical hackers, penetration testers and computer forensic experts. I can’t imagine anybody using Matriux as their everyday desktop unless they work in this field.

    The default username is matriux and the password is toor. The only mainstream software you will find is an archive manager to pack files; all of the other tools are computer security related. To install this distribution, a “Matriux Disk Installer” shortcut on the desktop can be clicked, but it will not partition your hard drive; you will have to prepare the drive and create a swap partition on your own with a different tool, I suggest GParted.

    [Image: PEN testing distribution Matriux]

    Matriux comes with two browsers: Firefox, including the Adblock Plus and NoScript add-ons, and Epiphany, a lightweight GNOME desktop browser. The tools you need for hacking are all neatly classified inside the “Arsenal” tab. You can find multiple scanners to test websites for cross site scripting flaws, and Nmap and Angry IP Scanner to scan a whole network and search for open ports and services that could be infiltrated.

    The forensics section of Matriux has every single piece of software you will possibly need for your job, neatly divided into “Acquisition”, “Analysis” and “Metadata extractors”, without leaving out tools to analyse Android mobile phones. Other jewels in the crown include steganographic tools, Bluetooth hacking, VoIP hacking software, DNS attack tools, debuggers, and hacking frameworks like Metasploit, Mantra or Inguma. For those who don’t know, each framework contains further discovery, gathering, scanning, bruteforcing and exploit tools; you can spend months just learning how to operate the software.

    I liked that Matriux comes with my favourite shell, zsh, and a marvellous semi transparent terminal colour scheme that makes you look really geeky when people look at the screen, even if you haven’t got a clue what you are doing. I could not see anything missing in the cyber arsenal, from the basic Truecrypt and Tor to the darker open source intelligence and forensics application Maltego.

    With over 300 hacking tools on a single DVD at your fingertips, Matriux is a good alternative to Kali Linux and should be a must have hacking distribution for all security professionals, students and hobbyists.

    Visit Matriux homepage