Tuesday, May 28, 2013

How to send and receive emails securely?

Believe it or not, the email you are using (Gmail, Hotmail, Yahoo etc.) is absolutely insecure. "Well," you might say, "my password is pretty long and Gmail is pretty secure, no? What's there to fear?"
Plenty! Your account can get hacked, someone may be sniffing your traffic through a MITM attack, or intelligence agencies might be snooping.
In this day and age, it is very difficult to keep one's data safe online. Our communications are often intercepted. So, how do we send email securely over the internet? By encrypting our email communications.
There is an amazing encryption technology called PGP (Pretty Good Privacy). PGP is free, open source, unbreakable and hack proof. PGP is an asymmetric encryption algorithm. It means there is a public and private key system to secure your information. Although PGP was developed in the year 1991, it did not gather much public support despite its awesomeness. This is mainly because PGP is not very user friendly and implementing it requires a few extra steps, which is not very convenient. But now things have changed. PGP has become much easier to implement and use. PGP can be used to send and receive secure emails.

Note: Although this secure form of communication can be used by anyone, I doubt you will use it for your day to day email exchanges. Nevertheless, I highly recommend you use it. It is a must if you are handling confidential data such as government documents, corporate information, tax and accounts information, personal information etc. This is probably the most secure form of online communication today.


So, how do we implement PGP in Gmail or Yahoo?

There is an excellent extension for Chrome and Firefox called Mailvelope. It uses a browser-based PGP system. You need to install the extension in your browser, and the person to whom you want to send the email also needs to have the same extension installed. After you install it, you have to generate a public and private key pair for yourself. This is very easy as you just have to navigate through the menu. There is an entire, easy to follow tutorial on the website.

Once you are done generating the public-private key pair, you need to give your public key to anyone who wants to communicate with you.

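A public key is a block of text that begins with the line -----BEGIN PGP PUBLIC KEY BLOCK----- and ends with the line -----END PGP PUBLIC KEY BLOCK-----.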



The public key contains the name and email address of the owner. You can distribute your public key by email, on your blog, or by registering it on a key server. My key is here. Feel free to drop me an email! The public key is absolutely safe to distribute anywhere. When someone sends you an email using your public key, your private key will be used to decrypt the message.
If you want to send someone a PGP email, get hold of their public key by copying the entire text and importing/pasting it into Mailvelope.
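Before importing a pasted key block, it helps to check that it arrived intact and to read what it claims. The Python sketch below is an added example, not code from Mailvelope or OpenPGP.js: it verifies the armor checksum, lists the User ID (name and email), and computes the version 4 fingerprint, which is the value to confirm with the owner over another channel. The sample key is constructed with toy numbers, and the function names are this example's own.

```python
import base64, hashlib
BEGIN, END = "-----BEGIN PGP PUBLIC KEY BLOCK-----", "-----END PGP PUBLIC KEY BLOCK-----"

def checksum_line(data: bytes) -> str:
    """Armor checksum line: '=' plus base64 of the CRC-24 from RFC 4880, section 6.1."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc = (crc << 1) ^ (0x1864CFB if crc & 0x800000 else 0)
    return "=" + base64.b64encode(crc.to_bytes(3, "big")).decode()

def dearmor(text: str) -> bytes:
    """Decode an armored key block; ValueError means it was truncated or altered."""
    lines = [line.strip() for line in text.strip().splitlines()]
    if len(lines) < 4 or lines[0] != BEGIN or lines[-1] != END or "" not in lines:
        raise ValueError("not a complete armored public key block")
    *body, check = lines[lines.index("") + 1:-1]   # armor headers end at the blank line
    data = base64.b64decode("".join(body), validate=True)
    if check != checksum_line(data):
        raise ValueError("armor checksum mismatch")
    return data

def packets(data: bytes):
    """Yield (tag, body) for new-format packets with one- or two-octet lengths."""
    i = 0
    while i < len(data):
        hdr, n, i = data[i], data[i + 1], i + 2
        if hdr & 0xC0 != 0xC0 or n >= 224:
            raise ValueError("packet header form not handled in this sketch")
        if n >= 192:
            n, i = ((n - 192) << 8) + data[i] + 192, i + 1
        yield hdr & 0x3F, data[i:i + n]
        i += n

def inspect_key(armored: str) -> dict:
    """Return the v4 fingerprint and the User IDs found in an armored public key."""
    info = {"fingerprint": None, "user_ids": []}
    for tag, body in packets(dearmor(armored)):
        if tag == 6 and body[0] == 4:      # public-key packet, version 4
            info["fingerprint"] = hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()
        elif tag == 13:                    # User ID packet: "Name <email>"
            info["user_ids"].append(body.decode("utf-8", "replace"))
    return info

# Constructed sample with toy numbers (not a usable key): a v4 key packet and a User ID packet.
_key = b"\x04" + (1369699200).to_bytes(4, "big") + b"\x01\x00\x80" + b"\xc3" * 16 + b"\x00\x11\x01\x00\x01"
_uid = b"Alice Example <alice@example.org>"
_raw = bytes([0xC6, len(_key)]) + _key + bytes([0xCD, len(_uid)]) + _uid
SAMPLE = "\n".join([BEGIN, "", base64.b64encode(_raw).decode(), checksum_line(_raw), END])
```

The User ID is only a claim made by whoever created the key, so the fingerprint comparison is what ties a key to a person.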

Once again, the settings and tutorial for setting up Mailvelope can be found here. If you have any doubts, feel free to ask in the comment section.



Monday, May 27, 2013

Hacking with Subterfuge to capture passwords


Subterfuge is a simple and easy to use tool for Linux. It performs man-in-the-middle attacks and sniffs passwords off the network. When I say password, it can mean network proxy passwords, firewall user authentication passwords, plain-text passwords of websites, even HTTPS websites like Facebook and Gmail. Subterfuge has sslstrip (an SSL hacking tool) built in. That means it will also capture the passwords of websites using HTTPS.

Now, let's say you want to 'hack' the Facebook passwords of some people. You can use Subterfuge to capture their passwords. This can also be necessary in a real life pen-test scenario. User credentials make it a lot easier to break into organisations.

You need to have a Linux computer for this. It doesn't work on Windows, as of now. Ubuntu or Backtrack is fine. Also, the most important thing to remember is that you have to be within the same network subnet as your victim or target, connected by a switch or wifi.

How to set up subterfuge


Once the download is complete, open a terminal, navigate to the folder where Subterfuge is, and type this:
    tar fvxz SubterfugePublicBeta5.0.tar.gz
This will extract all the files from the tar archive. Make sure the name is properly typed.

To install, type:
    python install.py -i
Once installed, go to any terminal and type:
    subterfuge
  1. Now, open Firefox or any web browser and go to 127.0.0.1
    You will see the Subterfuge interface. Click on the Start button on the top right. Now you have to wait for it to gather the passwords.
  2. The captured usernames and passwords will appear like this-


The usernames and passwords have been blurred out because these are actual credentials from my college wifi.

As you can see, subterfuge is an excellent (though not perfect) tool. It will easily capture the network and plain-text passwords, but when it comes to HTTPS, users will get a warning which says “Server Certificate Error, Proceed at your own risk”. People almost always ignore this warning and when they do, their passwords get captured. There is a lesson to be learnt here regarding HTTPS.
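From the defending side, interception on a shared subnet usually leaves a trace in each victim's ARP cache. The Python sketch below is an added example, not part of Subterfuge or of the original post; it assumes the interception relies on ARP cache poisoning and compares two snapshots in the Linux /proc/net/arp format. The snapshots, addresses and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed /proc/net/arp snapshots (addresses and MACs are made up for this example).
BEFORE = """IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         00:11:22:33:44:55     *        wlan0
192.168.1.23     0x1         0x2         a4:5e:60:aa:bb:cc     *        wlan0
"""
AFTER = """IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         A4:5E:60:AA:BB:CC     *        wlan0
192.168.1.23     0x1         0x2         a4:5e:60:aa:bb:cc     *        wlan0
192.168.1.40     0x1         0x0         00:00:00:00:00:00     *        wlan0
"""

def parse_arp(text: str) -> dict:
    """Return {ip: mac} from /proc/net/arp text, skipping unresolved entries."""
    table = {}
    for line in text.strip().splitlines()[1:]:      # first line is the column header
        fields = line.split()
        if len(fields) >= 4 and fields[3] != "00:00:00:00:00:00":
            table[fields[0]] = fields[3].lower()
    return table

def arp_alerts(before: dict, after: dict, gateway: str) -> list:
    """Compare two snapshots and describe signs of ARP cache poisoning."""
    alerts = []
    old, new = before.get(gateway), after.get(gateway)
    if old and new and old != new:
        alerts.append(f"gateway {gateway} changed MAC from {old} to {new}")
    owners = defaultdict(list)
    for ip, mac in after.items():
        owners[mac].append(ip)
    for mac, ips in sorted(owners.items()):
        if len(ips) > 1:
            alerts.append(f"{mac} claims {', '.join(sorted(ips))}")
    return alerts
```

One MAC answering for several addresses can be legitimate (a router with several IPs, for instance), so treat the second alert as a prompt to investigate; a changed gateway MAC is the stronger signal.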

Cain & Abel can also perform the same task as Subterfuge, but Cain is a bit old now, and doesn't harvest passwords properly on its own.
Please note that hacking is illegal. If you do this within your organisation in any capacity, it is most certainly illegal. So, make sure you don't get caught. Smart hackers don't get caught, script kiddies do.

Thursday, May 9, 2013

How to: The most secure way to encrypt and hide your files

UPDATE: TrueCrypt is no longer secure.

We all have data that we'd rather not share with anyone else. How then, do we secure these data from prying eyes? What if somebody hacked your computer or stole your computer? What happens to your data? There are many methods to hide or lock folders. You can use many of the commercial Folder Lock applications available on the internet. Alternatively, if you have Windows 7 Ultimate, you can use BitLocker to encrypt your drive. However, all these techniques are either expensive, not secure or just not feasible.
Here, I am going to show you how to hide, encrypt and secure your data everywhere you go. We will be using a free and open source tool called TrueCrypt.
TrueCrypt is an incredible piece of software which does an extremely good job of encrypting your data. TrueCrypt encryption is thought to be unbreakable; even the FBI hackers can't break it. There are many ways to configure TrueCrypt, but here I will be discussing the simplest and most convenient way.

How to use TrueCrypt to encrypt your files and folders?
We will create a "file container", much like a secure vault. You can decide the size of this 'vault'.
This vault is a single file, can have any extension, and can be transferred anywhere you like. You can open the vault by opening it with TrueCrypt and entering the password.

So, let's get started.
1. Open TrueCrypt and click on Create Volume


2. Leave the default and click Next


3. Leave the default and click Next


4. Click Select File


5. Anywhere on your hard drive, just type any file name you want your container to have. Here it's myfile.txt
Note that .txt is just an extension, and it doesn't have any meaning in this regard. The idea is that people will think it's a mere txt file.


6. Leave the default and click Next


7. Enter the desired size of the container and click Next. I've made mine 3GB.
Note that you cannot change the size of the container afterwards.


8. Create a strong password for your container.
Note that the only way to crack TrueCrypt is to brute-force it. So, if your password is at least 15 or 20 characters with all the special characters etc, it should theoretically be impossible to break.


9. Move your mouse around a bit, and click Format. It may take some time depending on your CPU power. After the format is complete, close the window.



10. Next, click on any drive in the list. I've clicked drive L:
   After that, select the file we created earlier, myfile.txt. And finally click on Mount.



11. Once you press Mount, it will ask for the password you set earlier. Click OK and you are done.


Now, if you go to My Computer, you will find a new hard drive with the letter L:
You can store all your sensitive files here, and once you are done, just click on Dismount, and your drive will no longer be accessible. Next time you want to open or view your files, just mount your file again.
This process of mounting and unmounting again and again whenever you need to access your data may seem cumbersome at first, but you will realize in the long run that it is only for the good. You can transfer your container file anywhere, even to a Linux system, and open it again using TrueCrypt.
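The .txt name chosen in step 5 hides the container only from a casual glance, because the content does not look like text. The Python sketch below is an added example, not part of TrueCrypt or of the original post; it shows the kind of triage a forensic examiner can run on a file's first 64 KiB, using byte entropy, the share of printable characters and the size being a multiple of 512 bytes. The thresholds, sample data and function names are this example's assumptions.

```python
import hashlib, math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted data, far lower for plain text."""
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())

def classify(name: str, data: bytes) -> str:
    """Heuristic triage of one file from its name, size and leading content."""
    if not data:
        return "empty"
    sample = data[:65536]
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in sample) / len(sample)
    if name.lower().endswith(".txt") and printable < 0.9:
        # Encrypted volumes have no header, look uniformly random and fill whole sectors.
        if shannon_entropy(sample) > 7.9 and len(data) % 512 == 0:
            return "possible encrypted container"
        return "binary data behind a .txt name"
    return "consistent with extension"

# Constructed inputs: SHA-256 in counter mode stands in for ciphertext; the note is plain text.
FAKE_CONTAINER = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(2048))
PLAIN_NOTE = b"Minutes of the budget meeting, 9 May. Action items follow.\n" * 200
```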

TrueCrypt is probably the most secure method available to the common man. It is a must have tool for anyone who is concerned about security and privacy. If you have any questions, you can always ask in the comments below.


Tuesday, May 7, 2013

What is VPN? How to set up VPN in Windows 7

Virtual Private Network or VPN is used mostly by corporate employees to connect to their office while travelling or from their home or coffee shop. However, for students, there is an entirely different usage, and that is to bypass firewall restrictions in schools and colleges. My friends keep on asking me how to bypass our college firewall as sites like YouTube and Facebook are blocked during working hours. There are many ways to bypass a firewall, depending on the blocking mechanisms used. VPNs are the best in my opinion.

So, how does VPN work?
Simply put, the wifi or internet you are currently using is not secure. Anyone can sniff data by a MITM attack. VPN creates an encrypted tunnel from your computer to a remote computer which will pass on your information to the websites you are viewing. Just remember that VPN ensures that your information is safe from prying eyes. Now, you might ask, what is that remote computer we are connecting to? It may be your office, or a free VPN server in this case. The diagram shows VPN connection to a corporate server.

There are several kinds of VPN protocols such as PPTP, L2TP, OpenVPN etc. OpenVPN is the most secure and reliable type of VPN. However, we have to download the OpenVPN client, making it an extra step. In a corporate environment or in a situation where data confidentiality is of prime importance, you may use OpenVPN. The easiest to set up is PPTP, which comes built into Microsoft Windows. That means no downloading is required. So, we will use this one. Please note that PPTP is not absolutely secure, but for normal browsing it should be fine.

1. Go to your free VPN provider's website. My personal favourite is www.vpnbook.com
   Once there, scroll down, and you will see the IP address or domain of the VPN server, the username and password.

Since the VPN website itself may be blocked by the firewall, you may use GPRS or 3G on your mobile to first visit the site and obtain the VPN username and password.
Note: These VPN providers periodically change the passwords, so keep visiting the site to get updated passwords.

2. Go to Control Panel -> Internet Options -> Connections tab
  Click on Add VPN as shown.



A new window will pop up, asking for the Internet Address. This is the VPN site address which we saw earlier on vpnbook.com. In this case, it is euro1.vpnbook.com. Leave the other fields as they are.


3. Click Next, and it will ask for the username and password. Enter them as you saw on the website. Leave the domain blank.


Now, click Connect and your VPN setup is done. Congratulations, you can now surf any website anonymously and without being logged or blocked.

This tutorial was for PPTP-based VPN. PPTP can be blocked by your college or ISP, although it is unlikely. In that case, use OpenVPN. It is impossible to block OpenVPN as it can use any port.