Portable hardware VPN device Färist Micro

Posted on 7 May, 2013 by Hacker10

Färist Micro from Swedish company Tutus is a tiny VPN device that fits in the palm of your hand and sits in between your computer and Internet connection. The A100 model has a shock resistant case made of aluminium and carbon fibre, with two Ethernet RJ45 ports, the standard port for a wired Internet connection, Färist Micro can be powered with an USB cable or via a separate power supply, both included, the A200 model is slightly bigger but it has better performance and status LED indicators showing VPN activity, the product security core is based on other evaluated Färist products and compatible with their suite of network security solutions, like a firewall.

The user interface has basic administrative functions accessible via web browser, with this tiny portable VPN device company employees can safely communicate over untrusted networks in hotels and airport Wifi access points, of course for real security a company fully encrypted laptop would have to be used at all times, using a portable VPN like Färist Micro on someone’s else computer would nullify all security since it won’t protect you against key-loggers and malware.

Portable VPN Färist Micro

Once Färist Micro has been configured it requires no interaction from the end user, plugging it in will secure all communications routing traffic over the company VPN, this portable VPN has been jointly developed by Tutus, the Swedish Armed Forces and Swedish Defence Administration, it has been approved by the European Union to protect classified EU information up to the EU Restricted level, Tutus products are also sold under other brands like SecuriGateway, with the same specs, it only changes the brand name.

The VPN case looks extremely resistant, I wish there was something like this for home users configurable with a consumer grade VPN like IPVanish, Färist Micro is targeted at companies and government agencies, I don’t know how easy it would be to buy a single unit through a reseller, the ones I visited do not list price and ask interested parts to contact them instead.

Visit Färist Micro homepage

Moscrack wireless WPA cracking with cluster computers

Posted on 28 April, 2013 by Hacker10

The Multifarious On-demand Systems Cracker is a Perl application based on Aircrack-NG to crack wireless WPA keys using cluster computers, it can be deployed in Mosix, an operating system distributed across multiple Linux machines taking advantage of conglomerated computer processors or run in collective SSH nodes, clusters can be build up with any Unix operating system, including the iPhone, MacOSX, or Windows and Cygwin, it has also been tested on an Android phone running as a SSH node, best of all you can run Moscrack on the cheap from the Amazon EC2 cloud computing platform.

The program splits a word list into chunks and processes them in parallel in between all of the nodes. If you don’t have access to a computer cluster it is possible to use Moscrack with CUDA, an NVIDIA parallel computing platform implemented in graphics cards, you will need to install aircrack-ng-cuda and adjust moscrack.conf (configuration file).

Moscrack cloud wireless WPA cracking

Moscrack command line interface shows a word list progress expressed in percentage, estimated completion time, running time, server status, cluster speed and other very complete verbose data, GUI interface is optional, it will be more suitable that you run the command line version to feel comfortable from the shell helping you to understand how concepts work, the GUI is pretty basic.

The program has been designed to run for weeks or months, you can leave it on and forget about the program until the job is done, functions go beyond WPA cracking, adding the Dehasher plugin will compare SHA256/512, DES, MD5 and Blowfish hashes to crack them, if you don’t wish to install this tool in your computer, a Moscrack Live CD running Suse Linux is available for download.

Visit Moscrack homepage

Encrypted chat for iPhone and iPad with ChatSecure

Posted on 20 April, 2013 by Hacker10

ChatSecure is a free iOS app for end to end encrypted chat with the Off The Record messaging system able to communicate with any chat software based on XMPP, like Google Talk, Jabber, Facebook, Oscar IM and Gibberbot in Android, it will not work with Yahoo Messenger or Skype contacts.

The app settings are simple but effective, you can change chat font size, set to autodelete chats on disconnect and get a warning before automatic sign out, your friends (Buddy list) chat accounts are accessible with a single tab on the side bar, each account has a logo indicating the messaging system your they are using, when you first establish a connection you will be shown the encryption key fingerprint and ask to verify it, this stops man in the middle attacks where someone injects a fake encryption key in between you and the other end to be able to listen in.

ChatSecure encrypted iPad chat

With this app there is no central server to store or monitor your data and third party eavesdropping is not possible because ChatSecure encrypts communications but you would still need to make sure that your acquaintance mobile device has not been stolen and he is who he claims to be, you also need to be aware that you are not anonymous in ChatSecure, the app will encrypt messaging but not hide the IP behind them, for anonymity add a VPN provider before starting the chat.

ChatSecure offers perfect forward secrecy, this means that temporary private encryption keys are generated for each session so if you lose them the keys can not be used to decrypt past chat logs or linked to you.

Visit ChatSecure iTunes homepage

Internet Relay Chat encryption with Dirt

Posted on 1 April, 2013 by Hacker10

Dirt is an open source project adding FiSH compatible chat encryption to any IRC client, it can be used as Socks4 proxy or bouncer. Dirt only allows localhost (127.0.0.1) connections, this is to make sure that encrypted text will not leak out of your machine, the listening port for Socks4 is 1088 and the 6666 port is used when acting as a bouncer, settings can be changed modifying “dirt.ini” with a text editor.

After installation you will notice a Dirt icon in your system tray, to use Dirt in mIRC, a popular Windows IRC chat client, you need to access Tools>Options>Connect>Firewall and enter the appropriate hostname (127.0.0.1) and port number. Once connected you can type /dirt to see a list of all possible commands,

mIRC dirt encryption IRC chat

For those not aware, FiSH is a widely available IRC plugin providing Blowfish encryption grade to IRC chat, you can find it in the Linux command line irssi IRC client and many others. If you use a Mac computer or Debian Linux you could try FiSHLiM, a plugin for FiSH IRC encryption working in XChat and HexChat IRC chat clients.

Dirt works in Windows, Linux and BSD but it is still in development, another alternative could be using psyBNC, an IRC bouncer that replaces your computer IP with a virtual host (vHost) and supports channel encryption with Blowfish and IDEA algorithm, you will need a shell account to manage psyBNC, there are many companies offering them at cut-prize with easy configuration instructions, they are normally used by channel administrators to handle abuse.

Visit Dirt IRC encryption homepage

Android and iPhone Radio Police Scanner

Posted on 20 March, 2013 by Hacker10

Radio Police Scanner Lite is a free app preconfigured with a list of emergency services radio frequencies, it can listen in to firefighters, ham radio, aircraft and live police radio, each feed comes from a person owning a police scanner in that geographical zone and sharing it via the Internet. Stations are classified by region and country with a built-in emergency services code to interpret what they are talking about, you can add any radio frequency broadcasted over the web in the RSS feeds link, it will automatically reconnect to the feed if it loses connection, favourites can be pinned to the front screen and accessible with a single tap.

There is only a delay of a couple of seconds in between the real talking and the broadcasting, you can browse the Internet while listening to a feed in the background, the only thing not guaranteed is that your country will be covered but the app is continuously expanding radio feeds, the paid for version of this app comes with thousands more of radio frequencies.

Radio Police Scanner smartphone

Many of the radio frequencies will be silent, the best way to spot what are the most active channels is by looking at the popularity of each feed, the more listeners the more likely it is that there is something going on or talking.

Investigation departments use encrypted radios to communicate during surveillance operations you won’t be able to listen to those, the radio will broadcast a routine police or firefighters working day. Police radio scanners are legal in many US states but is best that you check your local laws before using it as there are some restrictions like for example using a police scanner to impersonate a police officer, alternatively you can also listen to live emergency services online via your browser at Broadcastify.

Visit Radio Police Scanner Lite in GooglePlay

Visit Radio Police Scanner Lite in iTunes

Linux distribution for wireless hacking Xiaopan OS

Posted on 12 March, 2013 by Hacker10

Xiaopan OS is a small Tiny Core Linux based operating system specific for wireless penetration testing, it comes with the XFE desktop environment, a very lightweight graphical front end, the distribution can run as a live CD, from a USB thumbdrive with Unetbootin or used inside a virtual machine. Numerous wireless card controllers are supported, including Atheros and Broadcom, the most widely used chipsets. As a result of the distribution being based on Tiny Core Linux all of the .tcz precompiled packages available for Tiny Core can be installed in Xiopan using the TCL Appbrowser, non hacking utilities like games, media player, CD burner, VoIP software and Truecrypt can all be optionally added to Xiopan OS.

To crack WPA/WPA2 encryption keys a tool called Reaver-wps is used , the software attacks a router Wifi Protected Setup registrar PINs, this feature comes in many routers for easy set up and it has a hard coded Personal Identification Number tied to the device, by exploiting this Reaver can find out the WPA/WPA2 password, dictionary lists in multiple languages can be downloaded from Xiopan forums.

Wifi hacking Linux distribution Xiaopan

After first scanning for the target wireless access point and gathering information like SSID, encryption mode and channel you can launch Reaver brute force attack, the screen will show you real time cracking in progress, it can take up to ten hours to find out the wireless password, or much less depending on how complex encryption and password are, factors for hacking success will involve if your wireless network card supports injection and distance to the attacked Wifi access point, some routers are more vulnerable to injection than others. You can protect your network against brute force attacks with Mac filtering, however the distribution includes other hacking tools like Inflator, Mindiwep, Aircrack-ng and Feeding Bottle, Mac spoofing is possible.

This Linux live CD is first class penetration testing tool to audit wireless access points security and replaces Beini, a very similar distribution no longer active. Xiaopan is easy to use for beginners thanks to its graphical interface, much lighter than Backtrack, the main problem you can come across with this distribution is that your wireless network card might not be recognised, if that happens it can help troubleshooting looking at what drivers are being loaded inside the tce and cde folders and knowing your network card chipset.

Xiaopan Linux WPA2 hacking

If you want to protect against Reaver attacks you should disable Wifi Protected Setup in your router, unfortunately many of them do not allow you to do this manually, the other option is to use an open source router firmware like DD-WRT, it does not support WPS and Reaver can do nothing against it.

Visit Xiaopan OS homepage

Hide it Pro hides photos and videos in Android and iPhone

Posted on 4 March, 2013 by Hacker10

Hide it Pro is a free app for Android and iPhone to hide pictures, videos, audio files and others. The app is disguised as a functional audio manager, anyone playing with your phone will not realise you have a privacy app installed, the icon looks like a music sound logo, tapping it will launch a menu to adjust the phone ring tone volume.

When you run the app for the first time you will be asked to enter a numeric pin code or password to lock your screen, an email address can be linked to your account to reset your password if you forget it, it is not compulsory you do that. Using Hide it Pro interface you can select the files you would like to hide vanishing them from gallery view, encrypting the data with AES256-bit and password protecting everything, you can email files from inside the app or view a custom photo slideshow without having to move the photos outside the encrypted folder.

Hide it Pro hides Android&iPhone photos

Hide it Pro can set up a second escape password, leading the user to a different encrypted container that you can show to people if anyone discovers that you own encrypted data and are forced to reveal the password under threats, the escape password works like Truecrypt hidden container feature but I don’t know how safe this is from a thorough investigation, you just have to trust the developer did everything right.

If you share your mobile phone with family members or work colleagues Hide it Pro will prevent them from discovering private images stored in your mobile phone, the app is self-explanatory, it can also be used to hide and lock other apps.

Android Hide it Pro in Google Play

iPhone Hide it Pro in iTunes

Free online image forensic analysis at Fotoforensics

Posted on 4 March, 2013 by Hacker10

Fotoforensics is a website for advance photo analysis, you can check whether a photo has been modified or not and see embedded metadata that could contain private details, the photos can be uploaded from your PC or directly linked from a URL, there is an optional Firefox browser plugin to make image forensic analysis easier, any image that can be displayed on your browser can be analysed, the plugin gets around sites like Facebook requiring login to view a photograph.

The service supports .jpeg and .png image formats, the most common image file extensions found on the Internet, the metadata analysis can find out if a graphics editor has been used to modify the image, ACD See for example will embed the program name on the photos it saves, metadata also shows how many times the image has been edited, identity attributes and how the image was managed.

Image computer forensics Fotoforensics

To determine if a photograph has been forged Fotoforensics will use Error Level Analysis to see the image modification percentage, the image will be saved at different compression levels and then compared with a computational algorithm to see the amount of change, this is not an 100% accurate method to detect fake photos, it is possible to defeat image computer forensics algorithms looking at high frequency decomposition by reducing colour, brightness or contrast but there are other photo attributes that can be analysed.

The website has a very detailed tutorial and FAQ explaining what results you can expect and how to interpret them, you should read it to understand what you are seeing, this is not a tool that will tell you a “Yes” or “No” answer, it is up to you to interpret the results which could turn up to be inconclusive.

You could use this tool to check that your EXIF image cleaner is working properly but do not upload anything private because the results are saved in a public URL on the server, uploading pornography is not allowed, to check if an X-rated celebrity photo is real or not you will need to find another place or they will ban your computer IP.

Visit Fotoforensics homepage

Anonymous P2P encrypted messages with Bitmessage

Posted on 2 March, 2013 by Hacker10

Bitmessage is an open source P2P program utilizing a Bitcoin like protocol that instead of sending money sends anonymous encrypted messages to one or multiple people at once, the application has a portable mode that does not need installation, it uses 2048-bit RSA encryption keys stored inside a keys.dat file which can be opened with any text editor and OpenSSL for cryptographic functions. Bitmessage cryptic addresses closely resemble a Bitcoin address, the best part is that both keys are compatible, Bitmessage uses the other part public key to print their Bitcoin address in the console which can be used to send them money.

Bitmessage sends data over its own P2P network, the nodes store messages for two days before erasing them, new nodes joining the network will download and broadcast the pool messages from the last two days. To stop spam the sender is required to spend computational processing power for each message he sends, modelled like the Hashash antispam scheme and the Bitcoin mining system, the protocol has been designed to be scalable as needed. I sent a small text message to a friend and it only took a few seconds of wait for it to be processed, a “Doing work necessary to send message” warning will be displayed while you wait and your computer CPU works, I also subscribed to an open Bitmessage mailing list using the subscription tab by simply adding the address “BM-BbkPSZbzPwpVcYZpU4yHwf9ZPEapN5Zx”

Bitmessage anonymous encrypted messages

Other tabs in the program allow you to blacklist and whitelist addresses, add contacts to your address book broadcasting to everyone listed there or selecting just one contact, the tabbed system makes Bitmessage usage spontaneously easy, you can also change the default listening port “8444″ and network settings entering a Socks proxy, only the key management was very primitive, it opened up Bitmessage keys using Notepad.

You can create as many Bitmessage addresses as you like, creating and abandoning them is encouraged, there is an “Identity” tab from where to manage your addresses, they can be labelled. Addresses can be generated using random numbers or a passphrase, called “deterministic address“, you can recreate this address on any computer from memory without having to back up your keys.dat file as long as you remember your passphrase but you will need to know the passphrase to recreate the keys if you lose them, you will also need to remember the address version and stream number, choosing a weak passphrase could result in a brute force attack and your identity stolen, deterministic addresses can be made one or two characters shorter spending a few extra minutes of computational processing power, these addresses are optional, I believe the random cryptic addresses to be more secure for those paranoid.

Bitmessage encrypted mailing list

Bitmesssages are first encrypted and then sent to a common message pool shared by all users to hide sender and receiver, only those listed in the receiving address will be able to decrypt and read them, the program has been designed to only send text without any attachments, I did not test it but theoretically it should be possible to send a jpeg photograph. After erasing a message there is no trash can to retrieve it but it will still be present in your hard drive to manually view it with a bit of work.

I used Bitmessage with a VPN and I did not experience any problem besides a coloured network status code that turned yellow indicating that my firewall or router couldn’t forward TCP connections, this is not a big problem, it only meant that my node was not relying messages to other nodes for other people but I could still receive and send them, as long as someone in the network has the green network status messages can be passed on in between peers.

Note: The sofware is currently a beta release in testing.

Visit Bitmessage homepage

iPhone anonymous Internet with the Onion Browser

Posted on 28 February, 2013 by Hacker10

The Onion Browser is an iPhone only browser for anonymous Internet browsing using your smartphone relying on the untraceable tor proxy network to hide your real IP from websites you visit. The tor network can be slow at times due to the number of nodes relaying traffic and overall network load, for browsing without file downloads or video streaming speed should be sufficient, the Onion Browser also gets around firewalls if you are using a public Wifi access point that filters traffic and blocks websites and since communications in tor are encrypted with SSL any packet sniffers deployed by the Wifi network administrator will not be able to see what websites you visit, only that you are connected to tor.

The app options include “Enable UA Spoofing” to fake the HTTP User Agent header sent to the websites you visit, it can be changed to iOS Safari to improve mobile website compatibility, or to a Windows 7 and Firefox string so that it will look like you are browsing using a desktop computer, “Cookies” can be set to Allow All / Block Third Party / Block All, a “New Identity” button will clears all cookies, history and cache requesting a new IP with a single tap, there is a way to set up bridges, unpublished tor proxy relays for those living in countries like China where tor is blocked by the ISP, setting up a bridge on this app takes some work, best if you can avoid having to apply them.

iPhone Onion Broswer tor proxy

I found the app lacked bookmarking but the startup page contains a list of well-known .onion sites that will take you where you want to go. For anyone concerned about built-in backdoors the Onion Browser source code can be downloaded from the open source platform GitHub along with technical details, the app will work in the iPad too.

Note: The iPhone Onion Browser costs $1.

Visit iPhone Onion browser in iTunes

Hacker 10 – Security Hacker

Computer security