Review scam VPN provider IAPS intl-alliance

Taking advantage of a free three-day trial for prospective customers that I found on Reddit, I decided to look into IAPS Security Services (intl-alliance), a VPN provider. I was really looking forward to seeing for myself whether IAPS's claims of being able to provide VPN servers in places as unique and paradoxical as the Vatican Holy City and Mecca in Saudi Arabia were for real.

To start with, the IAPS intl-alliance website could do with a redesign: you will find it confusing, not mobile friendly and messy. What matters most is the quality of the services, though, so let's not judge them on that alone. IAPS intl-alliance VPN monthly prices aren't cheap, but annual subscriptions work out at a reasonable rate if they really provide the over 140 countries and more than 190 VPN servers they say they have. IAPS also has dedicated packages to watch US or Canadian TV from abroad and packages for playing poker through a VPN.

After signing up I quickly received a friendly email from Jared Twyler, IAPS Chief Executive Officer, whose LinkedIn page lists an education at the highly regarded Massachusetts Institute of Technology. I had previously informed Jared that I would be reviewing their VPN services on the hacker10 blog, and he was confident enough to say that “I’ve been a vpn supplier since 2007 and have been judged since then. Seeing another site pass judgement isn’t anything new.”

IAPS OpenVPN imaginary VPN Andorra server

The welcome email contained a username and password with 192 links to VPN servers in locations that no other VPN provider can give you: Iraq, Falkland Islands, Palestinian Territory, Qatar, Bhutan, Uganda, Uzbekistan, Algeria, Kuwait, nearly all European countries and at least a dozen US servers. IAPS intl-alliance does not have any proprietary VPN client; you are given a link to the official OpenVPN client, which makes it a little difficult to manage all of the over 190 servers but is not a big deal. When you click on any of the links in the email an .ovpn profile (the OpenVPN configuration file carrying the server address and certificates) is downloaded to the OpenVPN config folder and permanently added; it was very easy to set up.

I decided to start the VPN testing with the server in Saudi Arabia. The first thing I noticed is that there was very little lag and the speed was excellent. I checked my location using ip-score.com and a couple of other sites that look up your IP online, and sure enough they identified my computer as being in Saudi Arabia (Mecca); however, Google advertisements were being shown in my local language. I then decided to visit an Israeli website: knowing that all Israeli pages are blocked by Saudi Arabia's Internet filtering, I expected not to be able to access it, but I had no trouble viewing the page. I decided to visit a porn website to see if it was blocked, and again, I had no problem looking at online porn through what was supposedly a Saudi VPN in Mecca.

This was puzzling. I carried out similar testing with other servers, all with similar results: the whatismyip websites would indicate that I was in the location IAPS intl-alliance said the VPN was in, and, extraordinarily, my VPN connection did not suffer any kind of lag or speed cutback while connected to far away countries like Bhutan or South Sudan.

I suspected something wasn't right when I found no ping or speed differences between the VPN in Italy and the one in China. I also noticed that virtually all IP addresses assigned by the VPN started with 46.36.*.*; it just so happened that Saudi Arabia and the VPN in the Vatican had both assigned me IP addresses in the same range. After a few traceroutes and whois lookups I realised that IAPS was always listed as the Internet Service Provider in the whois record and the contact address was always listed as a local address.

That is how I believe they fool the websites about your geolocation: by IAPS listing the network operator address as being in Mecca, the websites checking your location assume that your ISP is also in Mecca, since that is where the network is theoretically being operated from. IAPS owns the 46.35.*.* IP range and assigns it as they see fit, only changing the registered address of the network operator to fool websites into believing the visitor comes from that particular country.
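The two checks used above, a whois lookup and a latency comparison, can be turned into a repeatable test. The script below is an added example for this post, not anything IAPS provides: it pulls the registration fields out of a RIPE-style whois record (the record shown is constructed, not a real IAPS entry) and, separately, computes the lowest round-trip time physics allows between your location and the claimed exit, since light in fibre covers roughly two thirds of c and a packet cannot beat that. The city coordinates are approximate and the threshold assumes a straight fibre path, so a real route will always be slower, never faster.

```python
"""Sanity-check a VPN exit's claimed location against physics and whois data.

Added example, not part of the original post or of any IAPS software. The whois
record below is constructed for illustration; the coordinates are approximate.
"""
import math

# Light in fibre travels at roughly two thirds of c; a packet cannot make the
# round trip faster than this no matter how good the network is.
C_KM_PER_S = 299_792.458
FIBRE_FACTOR = 0.67

# Approximate coordinates (latitude, longitude) for the cities used below.
CITIES = {
    "London": (51.5074, -0.1278),
    "Thimphu": (27.4728, 89.6390),
    "Mecca": (21.3891, 39.8579),
    "Rome": (41.9028, 12.4964),
}


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def min_rtt_ms(distance_km):
    """Lower bound on round-trip time in ms over a straight fibre path."""
    return 2 * distance_km / (C_KM_PER_S * FIBRE_FACTOR) * 1000


def location_plausible(my_city, claimed_city, observed_rtt_ms):
    """True if the observed RTT is at least the physical minimum for the claimed location."""
    bound = min_rtt_ms(haversine_km(CITIES[my_city], CITIES[claimed_city]))
    return observed_rtt_ms >= bound


def whois_fields(record, wanted=("inetnum", "netname", "country", "address", "mnt-by")):
    """Collect the first value of each wanted key from a RIPE-style whois record."""
    out = {}
    for line in record.splitlines():
        if ":" not in line or line.startswith("%"):
            continue
        key, value = line.split(":", 1)
        key, value = key.strip(), value.strip()
        if key in wanted and key not in out:
            out[key] = value
    return out


# Constructed whois record in RIPE format; the values are illustrative only.
SAMPLE_WHOIS = """\
% Information related to '46.36.0.0 - 46.36.255.255'
inetnum:        46.36.0.0 - 46.36.255.255
netname:        EXAMPLE-VPN-NET
descr:          Example VPN exit
country:        SA
address:        Example Street, Mecca
mnt-by:         EXAMPLE-MNT
"""

if __name__ == "__main__":
    print(whois_fields(SAMPLE_WHOIS))
    for claimed, rtt in (("Thimphu", 12.0), ("Thimphu", 160.0), ("Mecca", 15.0)):
        verdict = "plausible" if location_plausible("London", claimed, rtt) else "impossible"
        print(f"{claimed} at {rtt} ms -> {verdict}")
```

The whois fields tell you only what the registrant wrote; the RTT bound is the check that cannot be faked. London to Thimphu is about 7,600 km, so anything under roughly 76 ms round trip to a "Bhutan" exit means the server is not in Bhutan, whatever ip-score.com says.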

IAPS intl-alliance OpenVPN client

The server provider for IAPS intl-alliance's IP range, listed in the whois “mnt-by” record, is RackSRV, a United Kingdom based company selling VPS and dedicated servers. I am inclined to believe that Jared Twyler, listed as the server administrator based in the United States, has rented one or more servers from RackSRV and is masking them as being located in all of those exotic locations he is selling VPN services for, when in reality he does not own any server in any of those countries.

I tried the IAPS intl-alliance servers in the USA and they can fool Hulu and Pandora; if you wish to watch US TV it will work, and there is nothing wrong with that. But I am calling this company a scam because they are advertising their services as having physical servers in over 140 countries, and in all likelihood they only have a single server in the United Kingdom.

I gave IAPS Intl-alliance the opportunity to prove me wrong. I asked IAPS Chief Officer Jared to name the datacentre he is using in the Vatican City and in Saudi Arabia, and his one line reply was “They are all private networks owned by IAPS.” I emailed back enquiring if IAPS really owned a VPN server in the Vatican and in Saudi Arabia, and Jared’s response was a single word with a period: “Multiple.” Fantastic explanation!

I don’t think there is anything wrong with providing VPN servers the way they do, except that they are lying to customers about how many servers they own and about how they manage to get you a Saudi IP address without having any server in Saudi Arabia, and I would not feel confident trusting my valuable privacy to a lying and cheating company.

UPDATE: I sent a link to this post to IAPS Chief Officer Jared, mentioning that he is welcome to reply in the comments section. It appears that IAPS does not wish to make any comment.

Visit intl-alliance homepage

Encrypted video calls, group chat, notes and files with VIPole

VIPole is a Windows, Linux, Mac and Android security suite providing encrypted file sharing, VoIP, video chat, notes, passwords and an organizer. Installation is straightforward and only requires you to provide a valid email address where you will receive a verification link, select the local folder where data should be stored and move your mouse around to generate entropy for your private encryption key. You will have to come up with two passphrases, one to encrypt your data and another to encrypt your profile; the software makes sure that you do not reuse them, but there is no strength meter. A virtual keyboard can be used to defeat keyloggers.

To be able to encrypt files on your hard drive you will have to temporarily disable your antivirus and install some drivers. I also had to disable the antivirus to update the VIPole client (I am using AVG). Most modern antivirus programs will let you disable them for only a few minutes, so this should not be a big problem as long as you trust VIPole not to do anything unacceptable to your computer.

Encrypted messenger and video calls VIPole

Encryption keys are managed exclusively by the user and VIPole has no way to decrypt your data. Calls and chats are end-to-end encrypted with AES-256 and RSA 4096-bit keys, with no central server that could be wiretapped, and the company pledges that there is no backdoor. You can see a “History” tab in the program where chat logs can be accessed, but the data is only held on your computer and nowhere else; even then, that data is encrypted (premium version) when you close VIPole, so losing the laptop will not reveal private logs without the proper password.

Another nice feature is being able to set up a fake passphrase in case you are forced to disclose it. This is meant to help in countries like the United Kingdom, where you must reveal your password to the police when requested or risk criminal prosecution, but handing the police a password to a decoy container would also break the law if they find out, so it is not really recommended. I could not see any other applicability beyond bypassing airport staff opening up your laptop.

I was really impressed with VIPole's ease of use. The well organized tabs make switching between functions painless, information is clearly displayed in a nice clean layout, avatars help you identify the caller, and you can shift from the chat to the notes or file manager window in no time.

VIPole encrypted calling options

The only thing that made me feel uneasy about VIPole, besides it not being open source, is that although calls do not go through their servers, passwords, notes, reminders and files are kept on VIPole servers; the reason for this is to be able to sync the data with your mobile device. It would have been valuable to have the choice not to sync data and keep everything local for those worried about cloud security. The good news is that server administrators, or anybody breaking into VIPole facilities, cannot get at the data in plain text: everything is encrypted with your private encryption key before leaving your device, which, provided that key really never leaves your device, means that VIPole cannot be compelled to produce a readable copy of your data even if they wanted to.

This company's security model really cares about users' privacy, and they should be praised for being very open about how data is stored and how it is protected; the company has plenty of information about their security model, and businesses can get their own server to make sure that they are always in control of everything.

I found the free VIPole plan good enough for home users; the paid version buys you more features like auto logout when idle, extra file storage space, an encrypted virtual drive in the desktop client and other elements that are nice to have but not must-haves.

Visit VIPole homepage

Encrypt data in Mac OS, iPhone and iPad with Krypton

Krypton is a Mac OS and iOS (iPhone, iPad) tool to securely encrypt your files using AES with a 256-bit key in Cipher Block Chaining (CBC) mode. The program can encrypt any kind of file, from documents to images, videos or MP3s, and whole folders. If you are familiar with TrueCrypt you will notice that Krypton works in the same fashion, creating an encrypted storage space, called a vault, that holds any file you place inside it and makes the whole vault unreadable without the correct password. Bear in mind that CBC mode on its own gives you confidentiality but no integrity check; unless the software adds a separate authentication tag, which the developers do not mention, a vault that has been tampered with cannot be distinguished from an intact one until the corrupted plaintext comes out.

On a Mac you can use TrueCrypt for free, but iOS mobile devices do not work with it; Krypton minimizes the work of transferring encrypted data between secure vaults on your iPad or iPhone and your desktop Mac.

iOS iPhone encryption Kryptos

When you copy text to the clipboard it can be automatically sent to Krypton for encryption, and if you select a file for encryption it is possible to tick a checkbox to shred it after it has been secured, making recovery of the original data left behind impossible. That promise holds for spinning disks; on flash storage, which is what iPhones, iPads and most modern Macs use, wear levelling means an overwrite may land on a fresh block while the old one survives, so shredding is no substitute for keeping the plaintext off the device in the first place.

The software menu has a shortcut to send encrypted documents to your Dropbox cloud space; encrypting files before uploading them is a good way to protect yourself from NSA spying, as Dropbox can access your data or be compelled to hand it over. Two other shortcuts in Krypton's menu let you decrypt a file or folder, export it outside the vault, and delete it from the vault.

The developers claim that if you lose your password the encrypted data is not recoverable, so there is no backdoor. This looks like a good security tool thanks to the developers using a standard strong encryption algorithm like AES-256 and the cross-compatibility between mobile and desktop devices.

You need to be aware that once the data has been exported outside the vault and accessed by another application it will no longer be encrypted, and that other application could create a temporary copy stored unencrypted outside the secured space; for example, the Mac OS Time Machine backup could contain a copy of decrypted confidential files.

Krypton is best used in conjunction with a data shredder to securely delete any files that leak out of the encrypted storage space while you edit or view them.

Visit Krypton homepage

Stop Wifi tracking in Android with Pry-Fi

Pry-Fi is an Android app to stop advertisers from using your smartphone's Wifi radio to track your movements. The app does not need you to switch off Wifi, which is the only other way to accomplish this. Pry-Fi stops your phone announcing the Wifi networks it knows while still scanning in the background, so you can still connect, and it randomizes your phone's MAC address so that you appear unique to each access point.

Your phone’s MAC address, used by advertisers to track your movements as you hop between Wifi access points, will never be presented twice to different networks. The app shows your real MAC address on screen for your own information, alongside the random (or chosen) MAC address Pry-Fi has assigned, which is the one visible to public access points.

Android Pry-fi stops Wifi tracking

Another Pry-Fi option called “Go to war!” emulates dozens of smartphone MAC addresses, poisoning the trackers' database by listing the same MAC address in two different locations at the same time. This is an effective way to subvert the trackers' data mining, although this mode will quickly drain your battery.
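What a randomized MAC address has to look like is worth spelling out, because not every random 48-bit value is usable. The following is an added example for this post, not Pry-Fi's own code: it generates addresses with the locally-administered bit set and the multicast bit cleared (so they are valid unicast addresses that cannot collide with a vendor assignment), optionally keeps a real vendor prefix to blend in, checks those bits on any address, builds a pool of distinct decoys of the kind the “Go to war!” mode would cycle through, and prints the `ip link` commands a root shell on Linux or Android would run to apply one. The interface name wlan0 and the command strings are illustrative.

```python
"""Generate and validate randomized Wifi MAC addresses of the kind Pry-Fi assigns.

Added example, not Pry-Fi's own code. The interface name and the `ip link`
command strings are illustrative; the address bit layout follows IEEE 802.
"""
import secrets


def random_mac(oui=None):
    """Return a random MAC address as a colon-separated string.

    Without an OUI the first octet gets bit 1 (locally administered) set and
    bit 0 (multicast) cleared, so the result is a valid unicast address that
    no vendor can have been assigned. With a three-byte OUI only the lower
    three bytes are randomized, which looks like a genuine device of that
    vendor at the cost of claiming an identity that is not yours.
    """
    if oui is None:
        first = (secrets.randbits(8) | 0x02) & 0xFE
        octets = bytes([first]) + secrets.token_bytes(5)
    else:
        if len(oui) != 3:
            raise ValueError("OUI must be exactly three bytes")
        octets = bytes(oui) + secrets.token_bytes(3)
    return ":".join(f"{b:02x}" for b in octets)


def parse_mac(mac):
    """Turn 'aa:bb:cc:dd:ee:ff' into six bytes, rejecting anything else."""
    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError("MAC must have six colon-separated octets")
    return bytes(int(p, 16) for p in parts)


def is_unicast(mac):
    """Multicast bit (bit 0 of the first octet) must be clear for a station address."""
    return not parse_mac(mac)[0] & 0x01


def is_locally_administered(mac):
    """Bit 1 of the first octet marks an address not handed out by a vendor."""
    return bool(parse_mac(mac)[0] & 0x02)


def decoy_pool(n):
    """n distinct random unicast MACs, the sort of pool a decoy mode rotates through."""
    macs = set()
    while len(macs) < n:
        macs.add(random_mac())
    return sorted(macs)


def ip_link_commands(ifname, mac):
    """Commands a root shell would run to apply the address (illustrative, not executed)."""
    if not (is_unicast(mac) and is_locally_administered(mac)):
        raise ValueError("refusing to apply a multicast or vendor-looking address")
    return [
        f"ip link set dev {ifname} down",
        f"ip link set dev {ifname} address {mac}",
        f"ip link set dev {ifname} up",
    ]


if __name__ == "__main__":
    mac = random_mac()
    print("random locally-administered MAC:", mac)
    for cmd in ip_link_commands("wlan0", mac):
        print(cmd)
    print("decoys:", decoy_pool(5))
```

Note the design choice in `random_mac`: a pure random address advertises itself as locally administered, which a tracker can itself use as a signal that the device is randomizing; keeping a genuine OUI hides that signal but means presenting a vendor identity you are not entitled to. Pry-Fi's option to pick a "wanted" address maps onto the second branch.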

Smartphone Wifi tracking is not science fiction. A few high street stores are already using it to find out how many people come inside, what path they walk, the stops they make and whether they finally buy something or not. The stores can correlate Wifi movements with CCTV surveillance. The great benefit for them of tracking people through their own smartphone's Wifi is that, unlike CCTV, it can be used for mass surveillance with little effort; with CCTV you need to manually pinpoint each target.

Bear in mind that, according to NSA documents leaked by Snowden, spy agencies use cell towers to track people’s movements. Pry-Fi will protect you from advertisers but most likely not from spy agencies with access to the whole mobile phone network.

Note: this is a proof of concept app that needs a rooted device.

Visit Pry-Fi GooglePlay page

Jam Wifi signals using your wireless card with wifijammer

wifijammer is a Python script to interfere with Wifi access points and disrupt the network. This can be useful for penetration testing of your own network, or if you suspect there are spy wireless cameras on your premises. There are online shops selling hardware wireless jammers too, but they cost extra money; wifijammer is a simple application that anyone with a laptop and basic Linux knowledge can use. This kind of application must be used with caution: you need to be careful not to interfere with a network that is not yours or risk arrest.

For this jammer to work your wireless card needs to support monitor mode and be able to inject packets into the network. You will have to find out your wireless card's chipset: running the dmesg command in Linux will often show this information, or run lsusb if you are using a wireless USB dongle. With that information you can then search the Internet to find out whether the card is suitable for aircrack-ng or any other WPA cracking utility; if the wireless chipset is listed as working with the aircrack-ng injection tools it means it is able to inject packets into a live network and will work with wifijammer.

Wireless Access Point hacking

The jammer automatically hops between channels every second to discover all possible targets; after the initial identification it starts sending a constant stream of deauthentication frames to the access point and its clients. This disassociates connected computers from the access point, cutting off their wireless access. wifijammer does not flood the link with traffic the way a classic denial of service attack does; it forces a disconnection. The client is able to reconnect, but as long as the attack runs wifijammer keeps telling the access point and client to disconnect, with the same result as a denial of service attack without needing that much bandwidth or resources. A side benefit of getting a client to constantly re-authenticate to the access point is that it might be possible to capture the WPA2 four-way handshake needed for an offline password-cracking attempt and so gain access to the network.

There is another application to jam Wifi access points in the WebSploit framework; wifijammer has the advantage of being a very small script that should run on any operating system where you can install Python.

If an access point has MAC filtering enabled you would have to spoof the MAC address of a client first before your deauthentication frames are accepted. Having said that, expensive enterprise-level wireless access points are able to detect a continuous stream of deauthentication requests and will block you. Note also that deauthentication frames can be forged at all only because management frames in pre-802.11w Wifi carry no authentication; an access point and client that negotiate 802.11w Protected Management Frames will simply ignore deauthentication frames that are not signed with the session key, and this kind of jammer stops working against them.
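To make concrete both what the script sends and what an enterprise access point looks for, here is an added example, not wifijammer's own code and transmitting nothing: it serializes an 802.11 deauthentication frame (management type 0, subtype 12, followed by a two-byte reason code), parses one back, and runs a sliding-window counter over a constructed capture to flag any BSSID that appears to deauthenticate more than ten times in a second, which is the detection logic described above in its simplest form. The MAC addresses, the capture and the threshold are constructed for illustration.

```python
"""Build, decode and count IEEE 802.11 deauthentication frames.

Added example, not wifijammer's own code; nothing here transmits anything.
The MAC addresses, timestamps and threshold are constructed for illustration.
"""
import struct
from collections import defaultdict

DEAUTH_SUBTYPE = 12
# Reason code 7, "Class 3 frame received from nonassociated station": the one
# deauth tools commonly use because clients accept it without question.
REASON_CLASS3_NONASSOC = 7


def mac_bytes(mac):
    return bytes(int(p, 16) for p in mac.split(":"))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_deauth(dst, src, bssid, reason=REASON_CLASS3_NONASSOC, seq=0):
    """Serialize a deauthentication frame (management type 0, subtype 12).

    dst is the station being kicked (or ff:ff:ff:ff:ff:ff for everybody),
    src the address the frame claims to come from (the AP's, which is what
    makes it a forgery) and bssid the network. Layout: frame control (2),
    duration (2), addr1, addr2, addr3 (6 each), sequence control (2), body.
    """
    frame_control = (DEAUTH_SUBTYPE << 4) | (0 << 2)  # type 0 = management
    header = struct.pack("<BBH6s6s6sH",
                         frame_control, 0x00, 0x013A,
                         mac_bytes(dst), mac_bytes(src), mac_bytes(bssid),
                         (seq & 0x0FFF) << 4)
    return header + struct.pack("<H", reason)


def parse_deauth(frame):
    """Return the fields of a deauth frame, or None for any other frame."""
    if len(frame) < 26:
        return None
    fc0, _flags, _dur, a1, a2, a3, seq = struct.unpack("<BBH6s6s6sH", frame[:24])
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    if ftype != 0 or subtype != DEAUTH_SUBTYPE:
        return None
    (reason,) = struct.unpack("<H", frame[24:26])
    return {"dst": mac_str(a1), "src": mac_str(a2), "bssid": mac_str(a3),
            "seq": seq >> 4, "reason": reason}


def deauth_flood_sources(captures, window_s=1.0, threshold=10):
    """Flag BSSIDs seen sending more than threshold deauth frames in any window.

    captures is an iterable of (timestamp_seconds, raw_frame). A real AP does
    not deauthenticate its clients ten times a second; a jammer does.
    """
    times = defaultdict(list)
    for ts, raw in captures:
        d = parse_deauth(raw)
        if d:
            times[d["bssid"]].append(ts)
    flagged = set()
    for bssid, ts_list in times.items():
        ts_list.sort()
        start = 0
        for end, t in enumerate(ts_list):
            while t - ts_list[start] > window_s:
                start += 1
            if end - start + 1 > threshold:
                flagged.add(bssid)
                break
    return flagged


AP = "00:11:22:33:44:55"
CLIENT = "66:77:88:99:aa:bb"
BROADCAST = "ff:ff:ff:ff:ff:ff"
OTHER_AP = "aa:aa:aa:aa:aa:aa"

# Constructed capture: 30 forged broadcast deauths from AP within one second,
# plus a single deauth from another network that should not be flagged.
SAMPLE_CAPTURE = [(i * 0.03, build_deauth(BROADCAST, AP, AP, seq=i)) for i in range(30)]
SAMPLE_CAPTURE.append((5.0, build_deauth(CLIENT, OTHER_AP, OTHER_AP)))

if __name__ == "__main__":
    print(parse_deauth(build_deauth(CLIENT, AP, AP)))
    print("deauth flood from:", deauth_flood_sources(SAMPLE_CAPTURE))
```

The broadcast destination is what lets a single frame knock every client off an access point at once; the detector keys on the BSSID rather than the source address because a jammer spoofing the access point and a jammer spoofing individual clients both end up attributed to the same network.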

Visit wifijammer homepage

Smartphone encrypted messenger HushHushApp

HushHushApp is a secure Android messenger (iPhone version planned) for encrypted chat and file sharing. The app will protect your conversations from eavesdropping, but it will not make you anonymous; in fact, you have to register an account before you can use the messenger, using either your phone number or an email address, which has to be confirmed with a registration code.

During registration you are asked what country you live in, and the app makes it very easy to send a text message or email to your contacts asking if they want to chat with you using HushHushApp. Be careful not to send a mass mailing by mistake, as all contacts are ticked by default, and most people will only want to suggest the encrypted chat to a couple of friends.

Smartphone encrypted chat HushHushApp

Once you have opened the account you will be assigned a HushHush ID (HID) and be able to manage your profile, where you can upload an avatar. The HID is how other people find you on the network and add you to their list of contacts; you don’t need to hand over your phone number to chat with others, as the short alphanumeric HID will be your contact ID. You can also control, per contact, whether they are notified when you read a message and whether your location can be revealed to them.

You can create a chat group from the interface where three or four people can chat securely at the same time. If files are sent, they are encrypted and stored that way, only accessible through the application.

Security-wise, you are only told that HushHushApp uses a scrambling algorithm, with no further information about what that algorithm is or how it works. HushHushApp mentions that messages are deleted from the server, which means your data flows through a central server, a potential weak spot if that server is compromised. The good points are that messages carry a digital fingerprint, and local storage and the user database are kept encrypted; but again there is no mention of what encryption they use. You are supposed to trust that they are doing a good job, yet you know nothing about the company either, other than that the features section of their website is unfinished and written entirely in Spanish.

After I used the “Delete Account” option and uninstalled the app, browsing the phone's storage I noticed a folder named com.hushhushapp.android and a tiny file named hushushgirl.3gp left behind on my phone, which shows some sloppiness on the developers' part.

The HushHushApp interface is user friendly and easy to use, but the lack of detailed information about what security measures HushHushApp deploys does not inspire trust. You cannot entrust your privacy to anybody who merely says they will scramble your messages and hope that all will be fine. Routing your messages through a central server is not ideal either, as it adds another way to break your security. I would avoid this app for secure chat because of this, but it should be fine for non-private chatting, just like MSN or Yahoo.

Visit HushHushApp homepage

Exchange encrypted SMS messages with Tinfoil-SMS

Tinfoil-SMS is a free open source Android app to exchange encrypted SMS messages with other Tinfoil-SMS users. After installation you can import contacts from your phone, and all future conversations will be handled by Tinfoil-SMS, but communication with a contact will not be secure until a successful key exchange has taken place.

To stop man-in-the-middle attacks, where an attacker replaces the encryption keys in transit and forwards messages after logging them, a signed key exchange must take place first. In the app menu you will see two fields labelled Shared Secrets; there you need to input two secret passphrases and save them (Tinfoil-SMS advises a minimum of 8 characters for each shared secret). You have to transmit the secrets to your contact by secure means (not your phone).

The receiver will get a notification showing your phone number next to “Pending key exchanges”; they will have to enter the passphrase you gave them, and from then on all message exchanges will be encrypted.
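Why the shared secret stops a man in the middle is easier to see in code than in prose. The following is an added example of the idea behind the procedure in the two paragraphs above; it is not Tinfoil-SMS's own code or wire format. Each side sends its Diffie-Hellman public value together with an HMAC over that value keyed with the passphrase both people typed in; a relay that swaps in its own public value cannot produce a matching tag, so the exchange is refused and no session key is derived. The group used is a toy (the Mersenne prime 2^127 - 1 with generator 3) so the block stays short and offline; a real implementation would use a standard 2048-bit group or an elliptic curve, and the message layout and party names are invented for illustration.

```python
"""Key exchange authenticated with a pre-shared passphrase.

Added example, not Tinfoil-SMS's own code or protocol. Assumptions: a toy
Diffie-Hellman group (Mersenne prime 2**127 - 1) stands in for a real one,
and the message layout (public value || HMAC tag) is invented for this demo.
"""
import hashlib
import hmac
import secrets

P = 2**127 - 1   # toy prime modulus: fine for illustration, far too small for real use
G = 3
PUB_LEN = 16     # bytes needed to hold any value below P


def keypair():
    """Fresh DH private exponent and matching public value."""
    priv = secrets.randbelow(P - 2) + 2
    return priv, pow(G, priv, P)


def exchange_message(sender_id, pub, shared_secret):
    """pub || HMAC(shared_secret, sender_id || pub).

    The tag binds the public value to the passphrase both parties hold, so
    an attacker who does not know it cannot substitute their own value.
    Including sender_id stops a tag made for Alice being replayed as Bob's.
    """
    pub_bytes = pub.to_bytes(PUB_LEN, "big")
    tag = hmac.new(shared_secret, sender_id.encode() + pub_bytes, hashlib.sha256).digest()
    return pub_bytes + tag


def verify_exchange(sender_id, message, shared_secret):
    """Return the peer's public value, or None if the tag does not check out."""
    pub_bytes, tag = message[:PUB_LEN], message[PUB_LEN:]
    expected = hmac.new(shared_secret, sender_id.encode() + pub_bytes, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return int.from_bytes(pub_bytes, "big")


def session_key(priv, peer_pub):
    """Hash the DH shared value down to a 32-byte message key."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(PUB_LEN, "big")).digest()


def run_exchange(secret_alice, secret_bob, attacker=None):
    """Alice and Bob exchange public values; attacker, if given, rewrites
    messages in transit. Returns (key_alice, key_bob); None means that side
    refused the exchange because the tag failed."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    msg_a = exchange_message("alice", a_pub, secret_alice)
    msg_b = exchange_message("bob", b_pub, secret_bob)
    if attacker:
        msg_a, msg_b = attacker("alice", msg_a), attacker("bob", msg_b)
    peer_for_bob = verify_exchange("alice", msg_a, secret_bob)
    peer_for_alice = verify_exchange("bob", msg_b, secret_alice)
    key_a = session_key(a_priv, peer_for_alice) if peer_for_alice is not None else None
    key_b = session_key(b_priv, peer_for_bob) if peer_for_bob is not None else None
    return key_a, key_b


def mitm(sender_id, message):
    """Relay that swaps in its own public value but cannot forge the tag."""
    _, evil_pub = keypair()
    return evil_pub.to_bytes(PUB_LEN, "big") + message[PUB_LEN:]


if __name__ == "__main__":
    print("honest:", run_exchange(b"correct horse", b"correct horse"))
    print("mitm:  ", run_exchange(b"correct horse", b"correct horse", attacker=mitm))
```

Two things carry over directly to the app: the passphrase is only ever used as a MAC key, never as the message key, so a short passphrase weakens only the one-off exchange and not the traffic afterwards; and if the two people typed different secrets the exchange simply fails, which is why Tinfoil-SMS shows a pending state until the receiver enters the right one.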

Tinfoil-SMS encrypted Android SMS message

Messages are secured using AES-256 in CTR mode, and in the SMS thread you will see a padlock attesting that encryption is on. Tinfoil-SMS settings let you disable and enable SMS encryption, manage encryption keys and add or delete contacts. It is similar to TextSecure, another SMS encryption app; the main differences between the two are that Tinfoil-SMS authenticates the key exchange with the shared secret, the ciphers differ slightly (Tinfoil-SMS uses AES-256 and TextSecure AES-128), and Tinfoil-SMS will not encrypt messages stored locally on your phone, whereas TextSecure does.

The reason the Tinfoil-SMS developers give for supporting SMS instead of real-time chat encryption is that many oppressive regimes are in third world countries where people do not have data plans and use SMS to communicate; this has the added benefit that the app still works if the government shuts down Internet access.

Tinfoil-SMS's future plans include incorporating steganography to hide the fact that you are using encryption. A detailed cryptanalysis of the application, which will always be free and open source, is also planned.

This is an app I would trust thanks to its open source nature and what looks like a good security model, with the only inconvenience being that the shared secrets have to be exchanged by secure means before encrypted communication can be established, which can be problematic and is likely to push some people into transmitting the secrets insecurely.

You can download Tinfoil-SMS from Google Play or F-Droid, an alternative Android marketplace made up entirely of free open source software and not controlled by Google.

Visit Tinfoil-SMS homepage