Dropbox the encrypted online data storage with FBI access

Dropbox caught red handed

While Dropbox textually said on its website (now changed):

“Dropbox employees aren’t able to access user files and when troubleshooting an account they only have access to file metadata”

They now admit in their updated terms and conditions that they can and will decrypt your private files for law enforcement, and textually say:

Dropbox will remove Dropbox’s encryption from the files before providing them to law enforcement

Is Dropbox lying to customers?

They have sent out a statement to Business Insider saying that they are not lying because:

“…In our help article we state that Dropbox employees aren’t able to access user files. This is not an intentionally misleading statement — it is enforced by technical access controls on our backend storage infrastructure as well as strict policy prohibitions. The contents of a file will never be accessed by a Dropbox employee without the user’s permission…”

Dropbox can access AES256-bit encryption

This online data storage service uses one of the strongest encryption algorithms out there, AES256, but because they hold the encryption keys it is perfectly possible for them to decrypt everything if needed.

There is nothing new about a company admitting that they will help out law enforcement if subpoenaed. What is new is that they first tell you their employees can’t access the data, and after they are caught red handed changing their terms and conditions they now say that it has all been a misunderstanding and they will change the wording on their site.

National Security Agency (NSA)


Even if you were to live in cuckoo land and trust the authorities not to abuse their powers to access people’s data without a valid reason, you might want to read Derek Newton’s article on Dropbox’s insecure design and Christopher Soghoian’s article on how Dropbox sacrifices user privacy for cost savings.

How to secure online data from eavesdropping

If you are going to store data online, always encrypt it locally on your own computer first. Never trust a third party service like Dropbox or Hushmail with your data, even if they tell you they can’t access it and that everything is fine; the bottom line here is that they have access to the decryption key.

Besides the chance of your online storage service’s encryption implementation being flawed, they can do anything they like with the decryption keys. If you send the data already encrypted to your online storage space, you will be the only one who can decide when and how to decrypt your confidential files, and you will also protect yourself from a rogue employee tempted to look at them.
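As an added illustration (not code from the original post), here is a Node.js sketch of encrypting locally before upload: the key is derived from a passphrase with scrypt, the file is sealed with AES-256-GCM, and only the resulting blob would ever reach the storage service. The container layout, function names and sample data are assumptions made for this example.

```javascript
// Added example: encrypt locally, upload only the ciphertext.
// Container layout, names and sample data are assumptions for this sketch.
const crypto = require('crypto');

const MAGIC = Buffer.from('LENC1');            // constructed format tag
const SALT_LEN = 16, NONCE_LEN = 12, TAG_LEN = 16;
const HEADER_LEN = MAGIC.length + SALT_LEN + NONCE_LEN;
// scrypt cost parameters; maxmem is raised because N=2^15, r=8 needs ~32 MiB.
const SCRYPT = { N: 1 << 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };

// Derive the 256-bit AES key from a passphrase that only the user knows.
// The salt is stored with the file; the passphrase and key never are.
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(Buffer.from(passphrase, 'utf8'), salt, 32, SCRYPT);
}

// Returns the blob that would be handed to the storage service:
// MAGIC | salt | nonce | GCM tag | ciphertext
function encryptForUpload(plaintext, passphrase) {
  const salt = crypto.randomBytes(SALT_LEN);
  const nonce = crypto.randomBytes(NONCE_LEN);   // fresh per file, never reused
  const header = Buffer.concat([MAGIC, salt, nonce]);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt),
                                       nonce, { authTagLength: TAG_LEN });
  cipher.setAAD(header);                         // header is authenticated too
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([header, cipher.getAuthTag(), body]);
}

// Runs on the user's machine after download. Throws if the passphrase is
// wrong or if any byte of the blob was changed while it was stored remotely.
function decryptAfterDownload(blob, passphrase) {
  if (blob.length < HEADER_LEN + TAG_LEN ||
      !blob.subarray(0, MAGIC.length).equals(MAGIC)) {
    throw new Error('not a locally encrypted container');
  }
  const header = blob.subarray(0, HEADER_LEN);
  const salt = header.subarray(MAGIC.length, MAGIC.length + SALT_LEN);
  const nonce = header.subarray(MAGIC.length + SALT_LEN);
  const tag = blob.subarray(HEADER_LEN, HEADER_LEN + TAG_LEN);
  const body = blob.subarray(HEADER_LEN + TAG_LEN);
  const decipher = crypto.createDecipheriv('aes-256-gcm', deriveKey(passphrase, salt),
                                           nonce, { authTagLength: TAG_LEN });
  decipher.setAAD(header);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(body), decipher.final()]);
}

// Same as decryptAfterDownload, but returns null instead of throwing.
function tryDecrypt(blob, passphrase) {
  try { return decryptAfterDownload(blob, passphrase); } catch (_) { return null; }
}

// Constructed sample input.
const PASSPHRASE = 'correct horse battery staple';
const sample = Buffer.from('constructed sample: contents of a private file');
const uploaded = encryptForUpload(sample, PASSPHRASE);
const tampered = Buffer.from(uploaded);
tampered[tampered.length - 1] ^= 0x01;           // one bit changed in storage

console.log('blob size        :', uploaded.length, 'bytes');
console.log('plaintext visible:', uploaded.includes(sample));
console.log('right passphrase :', tryDecrypt(uploaded, PASSPHRASE).equals(sample));
console.log('wrong passphrase :', tryDecrypt(uploaded, 'guess') === null);
console.log('tampered blob    :', tryDecrypt(tampered, PASSPHRASE) === null);
```

Because the key is derived on your machine and never stored with the blob, the service holding the file has nothing to hand over except ciphertext, and the GCM tag tells you on download whether the stored copy was altered.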

PS: I am adding Dropbox to my shit list.

FBI asks for help breaking encryption code in murder case

The FBI is not trying to break the mighty PGP or Truecrypt; they have been trying to crack a home-brew encryption code and have not succeeded. This can only indicate that they do not have as many means to break encryption as they like people to believe. This being a murder case, one can assume that it is a high priority case, and if after 12 years they are asking the public for help, one can assume that they are at a dead end.

Encrypted note FBI murder case


The encrypted notes were written by the victim and they are the only clue to solve the murder. His family claims that he had used such encrypted notes since he was a boy, but no one in his family knows how to decipher the code. The American Cryptogram Association has been helping out in this case and has been unable to crack the code too.

FBI cryptanalysts are asking for other encrypted notes using the same code in order for them to compare and move their theories for cracking the code forward.

PRIVACY WARNING! LINK LEADS TO THE FBI WEBSITE:
- http://www.fbi.gov/news/stories/2011/march/cryptanalysis_032911/cryptanalysis_032911

Analysis: Is there a backdoor in Truecrypt? Is Truecrypt a CIA honeypot?

Truecrypt domain registered with a false address

The domain name “truecrypt.org” was originally registered to a false address (“NAVAS Station, Antarctica”), and was later concealed behind a Network Solutions private registration.

Truecrypt developers identity hidden

The TrueCrypt developers used the aliases “ennead” and “syncon”, but later replaced all references to these aliases on their website with “The TrueCrypt Foundation” in 2010. The TrueCrypt trademark was registered in the Czech Republic under the name of “David Tesařík”.

Nobody knows anything about the developers, they do not want to identify themselves. Everyone likes to be known and congratulated for their great work, but apparently not Truecrypt developers, they do not care about the glory and honour and all that comes with it.

Truecrypt developers working for free

Closed source full disk encryption competitors like WinMagic, DriveCrypt (Securstar) and PGP Corporation have a full time team of software developers working on their products; creating such a product is not an easy feat, as any of them will tell you.

Meanwhile, two unpaid Truecrypt developers manage to work on Linux, Mac and Windows versions, in 32 and 64 bit versions, and support the next Windows 7 as soon as it has been released. At the same time, presumably, these two Truecrypt developers also hold full time jobs that pay them a salary to feed their families and cover their mortgages.

Are closed source full disk encryption software developers overpaid lazy bastards and Truecrypt developers the finest, most hard working and charitable software developers on Earth?

Compiling Truecrypt source code increasingly difficult

Very few people compile the Windows binaries from source; it is exceedingly difficult to generate binaries from source that match the binaries provided by Truecrypt (due to compiler options, etc.)

This would be very convenient for a CIA mole: they are more likely to attack the software implementation rather than the algorithm, and the best way to do that is to insert some hard to find vulnerability during packaging. If someone else compiled the source code their plan would not work.

Truecrypt license contains distribution restrictions

Truecrypt is released under its own “Truecrypt license”. It is open source but it contains distribution and copyright-liability restrictions, and most major Linux distributions do not want to know anything about it. Fedora has included TrueCrypt in its forbidden items list and forked it to RealCrypt instead.

Reference: http://fedoraproject.org/wiki/ForbiddenItems#TrueCrypt

UPDATE 2011: Truecrypt removed from The Amnesic Incognito Live system

The developers of the anonymous live CD called Tails have now decided to remove Truecrypt from their distribution claiming that development is done in a closed fashion, the licensing is restrictive and it is not being reviewed by too many people.

Reference: http://tails.boum.org/support/truecrypt/index.en.html

Truecrypt open source code has never been reviewed

Truecrypt’s source code has never been the subject of a thorough review, nor is there any reason to rely on the credentials of the developers, since they remain anonymous.

Good thorough code review and testing is hard, tedious and painstaking work, very few people have the skills to do it, and Truecrypt hasn’t been validated through a comprehensive review by any qualified cryptographer.

Censorship at Truecrypt forums

As per Truecrypt forum rule 3 you are not allowed to discuss other encryption software, as per Truecrypt forum rule 8 you can’t discuss Truecrypt forks, and as per Truecrypt forum rule 9 you can’t discuss software that decrypts Truecrypt.

You can’t say anything about their competitors and you are not even allowed to say anything about software that decrypts Truecrypt. If you post any criticisms or negative comments about their software, you will find that those posts will mysteriously disappear.

Truecrypt forum rules: http://forums.truecrypt.org/viewtopic.php?t=1651

Can the FBI crack Truecrypt?

The CIA would never share their intelligence with their FBI puppies unless it is a real national security matter, terrorism, et al. And they would not want to kill the cow that produces their milk in a public trial where their capabilities are revealed.

Furthermore, there has recently been a case of a corrupt Brazilian banker who escaped prosecution after the FBI failed to break his fully encrypted disk; he was using Truecrypt.

Reference: https://secure.wikimedia.org/wikipedia/en/wiki/Daniel_Dantas

Given that news, I do not believe the FBI can crack Truecrypt, and unless your name is Bin Laden you are probably still safe with Truecrypt, even if it has a backdoor and the FBI seizes your computer.

Alternatives to Truecrypt forums

Computer security and privacy newsgroups such as alt.privacy.anon-server, alt.security.pgp, alt.privacy and alt.scramdisk.

Computer and security internet forums such as Wilders Security Forums.

Alternatives to Truecrypt

The only free, open source full disk encryption software that I have found that can rival Truecrypt is DiskCryptor.

Conclusion about Truecrypt reliability

Don’t get paranoid, even if you are using Truecrypt I could as well be wrong on my analysis and it is highly unlikely the CIA will ever come after you anyway.

Everyone has something to hide, but take it easy: you will need to trust some encryption product in the end, and nobody out there knows 100% for sure which one is safe, because what is safe today might not be tomorrow.

Just use the best encryption product according to your opinion and relax, there is no point in keeping in your head what could happen to you if you got it wrong, hopefully you did not, and as long as you did your best research on it, that is all that is needed.

For the record, I still recommend Truecrypt, they are my second choice of full disk encryption software after DiskCryptor. I am just raising what I believe are some fair points, because in security, you TRUST NOBODY.

German Privacy Foundation releases CryptoStick

The GPF Crypto Stick is a USB stick in a small form factor containing an integrated OpenPGP smart card to allow easy and high-secure encryption e.g. of e-mail or for authentication in network environments. As opposed to ordinary software solutions, private keys are always inside the Crypto Stick.

All cryptographic operations (decryption and signature because of public key cryptography) are executed on the PIN-protected Crypto Stick.

The GPF Crypto Stick is compatible with various software applications like GnuPG, Mozilla Thunderbird + Enigmail, OpenSSH, Linux PAM, OpenVPN and Mozilla Firefox, and it works in Linux, Windows and Mac.

Crypto Key


The Crypto Stick is developed as a non-profit open source project. Among other things, the German Privacy Foundation runs various Tor nodes, a mixmaster remailer and two I2P routers.

You can find more information about the CryptoStick at:

http://www.privacyfoundation.de/crypto_stick/crypto_stick_english/

Unfortunately, right now the online shop is only in German. If you are interested in purchasing a CryptoStick and do not understand German you can email: cryptostick @ privacyfoundation.de

Review: OpenPGP encryption software cGeep Pro v4.07a

By default email is insecure. There are many risks to email messages: unauthorized modification or viewing of a message and sender impersonation are things that Governments and crooks carry out on a daily basis.

PGP/GnuPG encryption of emails provides confidentiality and allows for digitally signing a message, giving the recipient a method of verifying the identity of the sender as well as making sure the message has not been tampered with.


PGP encryption stopping spy agencies


PGP/GnuPG solutions for securing email are typically geeky, which makes widespread deployment to non technical people difficult. There are some free utilities for Windows to be able to use PGP/GnuPG encryption, such as GPG4Win, Enigmail or FireGPG, but cGeep is by far the most user friendly OpenPGP software I have come across.

I was glad to receive a free license from cGeep makers, Safelogic, to review its product and I am so pleased with their software that this is what I intend to use in the foreseeable future to encrypt all of my email messages.

cGeep PGP encryption interface


Once installation is complete a cGeep wizard helps you to create your cGeep key pairs in just a few steps.

cGeep Pro ships with a plug-in for Outlook Office which offers total integration in the workflow of Outlook Office 2000/XP/2003/2007 users.

One click in Outlook is all you need to encrypt and sign your emails and attachments, making this one of the easiest and most practical email encryption tools.

Through the Manage cGeep Keys window you can import a PGP key pair in .asc format directly and publish or retrieve a public key from any key server.

Encryption of email attachments of any format is possible, using asymmetrical or symmetrical keys with standard AES cryptography, but you are not limited to email encryption: you can also use cGeep for file encryption before uploading the file directly from cGeep to your FTP server.

This seems like a good feature for backing up sensitive files, as is the integrated file zipping feature.

The Good Stuff

Access to cGeep full source code is available for review, this is the best guarantee you can have against backdoors.

cGeep is based on OpenPGP, a non-proprietary protocol for encrypting email using public key cryptography, this makes cGeep broadly compatible and you can send encrypted files to people who use other OpenPGP software (PGP Corp, GnuPG, Hushmail, etc.)

Encryption can be done by dragging a file and dropping it into the cGeep main window. It will also securely wipe files to make their recovery impossible, and the software comes with different interchangeable skins/looks.

You can encrypt data and send it directly to an FTP server, you can also configure cGeep Pro to use a proxy for this.

Documentation is complete and comes in the form of a PDF file and tool tips, available in French as well as in English.

The Bad Stuff

There is no Linux or Mac version, and cGeep email integration seems to be highly focused on Microsoft Outlook Office, leaving out dozens of other email clients.

Expert users may find cGeep lacks some customization in its options; for example, you can not choose where to store the decrypted files and it will always place them in the same folder where the original files reside.

Although the data you upload to your FTP server is already encrypted, it would be good practice to let people use SFTP or FTP over SSL (FTPS), as FTP is a well known insecure protocol that sends passwords in the clear.

Although not as simple to use, there are free OpenPGP encryption alternatives to cGeep.

cGeep file encryption interface


Conclusion

cGeep is an excellent, uncomplicated way to encrypt all of your emails. If you struggle to understand all the ins and outs of PGP encryption, cGeep will guide you through the whole process with easy to understand instructions, and it integrates especially well with Microsoft Outlook Office.

The fact that its source code is open to review adds peace of mind to those wary of backdoors.

If you can’t afford cGeep, you can still use some of the free email encryption alternatives mentioned above.

Visit cGeep OpenPGP Encryption

UPDATE 2012: THIS COMPANY DOES NOT EXIST ANYMORE!!

Review: Full disk encryption DiskCryptor v0.7.435.90

Most of you will have heard of Truecrypt, a free and open source hard disk encryption product. There is only one other free and open source software for full disk encryption in Windows that I am aware of, DiskCryptor. You can download a 32bit or 64bit version of DiskCryptor depending on your OS.

I tested DiskCryptor using it for full disk encryption of my netbook, an Asus PC901 with a 12GB HDD divided in between two solid state disks of 8GB and 4GB. DiskCryptor is an ideal alternative to encrypt a netbook because netbooks do not have a CD drive and Truecrypt will force you to burn a CD to use system encryption, which DiskCryptor does not.

DiskCryptor cascade algorithms

The first thing that impressed me about DiskCryptor is how small it is in size, a little over 500KB, but this comes at a price since the software manual does not come along and you get a link to their website instead.

I was pleased to see DiskCryptor offering a wide choice of encryption algorithms: AES-256, Twofish or Serpent in XTS mode. All of them seem to be pretty sound algorithms to me, and they can be used in cascade mode as well. VIA Padlock hardware acceleration for encryption and hashing is supported too.

The built-in benchmark shows the top speed at which the cryptographic algorithms can perform, but I have to tell you that even on a netbook with a single core Intel Atom processor, regardless of the encryption algorithm used, I noticed no performance difference while using the netbook.

DiskCryptor encryption of partition

DiskCryptor allows wiping while encrypting, with three, seven or thirty five passes (Gutmann method), but wiping a solid state disk like the one the Asus Eee PC901 has is not safe, since solid state disks, like thumb drives, use wear levelling technology and the wiping passes are spread evenly across the disk and not on the same sectors. If you are using a solid state disk, make sure it does not contain any confidential data that an electron microscope could recover (very expensive to do right now); the only way to do this is by using a new disk, as wiping it may fail to sanitize the disk.

With DiskCryptor you can also encrypt an ISO file and then burn it to CD-R/DVD/BD-R; after that you will only be able to mount the image with DiskCryptor and the correct password/keyfile.

You can also set up a hot key to cause a blue screen of death, if you need to urgently shut down your computer when someone busts into your home unexpectedly this seems the way to go, it is quicker than clicking on the power off button.

The Good Stuff

DiskCryptor works with RAID volumes, you get a wide choice of algorithms, DiskCryptor is easy to use and, unlike Truecrypt, it works on netbooks out of the box. DiskCryptor is open source, so you can check for backdoors if you have the skills.

The software does not cost you any money and you can customize the boot loader widely. DiskCryptor boot loader customization is far better than Truecrypt’s: you can choose to install the bootloader on a CD/DVD, set up timeouts and choose if you want to use a QWERTY or DVORAK keyboard, and there is also a Windows live CD BartPE plugin for DiskCryptor.

The Bad Stuff

DiskCryptor should include some basic documentation at the very least. The GUI is easy to use and intuitive, but encryption products need to come with instructions; a newbie could easily feel overwhelmed. DiskCryptor is only available for Windows, and there is no choice of hashing algorithms other than the default SHA-512.

There is also no choice of burning a recovery CD in case the boot loader gets corrupted (although you can backup the headers).

DiskCryptor password enter box

Conclusion

DiskCryptor is an excellent free and open source full disk encryption alternative to Truecrypt, with a wide choice of encryption algorithms and easy to use, but they need to improve their poor documentation.

Their FAQ states that they are planning to implement a hidden OS in future versions. I think DiskCryptor looks promising and Truecrypt has a worthy competitor.

http://www.diskcryptor.net

Video: Off-the-Record Messaging, privacy for IM

Off-the-Record is an open source plugin to use with Pidgin, an instant messenger software compatible with IRC, MSN, SILC, ICQ, Yahoo! and lots of other chat software that come with no privacy measures whatsoever.

Off-the-Record (OTR) Messaging allows you to have private conversations over instant messaging by providing encryption, authentication, deniability and perfect forward secrecy.

You can watch this Stanford University lecture video explaining how Off the record works and what it can do to help you keep your privacy and anonymity while chatting through instant messenger.

- Off-the-Record Messaging

Video: Crash course in full disk encryption

This video is a talk held in December 2008 at the 25th Chaos Communication Congress, under the title Nothing to hide.

It is a crash course in full disk encryption concepts, products and implementation aspects. An overview of both commercial and open-source offerings for Windows, Linux, and MacOS X is given. A programmer’s look at the open-source solutions concludes the presentation.

If you are not encrypting your whole hard disk remember that opening and viewing files will leave recoverable traces in your operating system. If you care about privacy you should be using full disk encryption, Truecrypt is the way to go in Windows.

Click this link to download the crash course in full disk encryption papers.

I would say this is a video for intermediate/advanced computer users.

Video: How to, encryption with PGP 9 Desktop

This is an introduction video for beginners. If you have never seen or heard of PGP Desktop, this video explains briefly in 5 minutes what it can do for your privacy.

If you want to keep all your computer data encrypted, including the OS, after Truecrypt and Drivecrypt Plus Pack, PGP Desktop would be my third choice. As far as I know all three of them are uncrackable, even by the highest powers out there. But bear in mind that it is illegal in the United Kingdom not to reveal your password to your encrypted files when requested by the authorities.

PGP 9 will not protect you against a Government forcing you to give away the password for your personal secrets; you should be using Truecrypt or Drivecrypt Plus Pack if you think this may happen to you. Both of those encryption schemes provide for a hidden operating system whose existence can not be proven, and you can not be asked to provide what can not be proven to exist.

If you are comparing encryption software you can read my past review of Drivecrypt Plus Pack v3.94

Review: Drivecrypt Plus Pack v3.95, full disk encryption

Some people out there are antagonistic to encryption software that is not open source and can not be reviewed for backdoors. Drivecrypt Plus Pack is one such proprietary encryption product.

There may be some reason why you may want to use it, for example some special feature or compatibility issues. I decided to download Drivecrypt Plus Pack after Truecrypt 6.1a started to give me problems at boot up time.

DriveCrypt Plus Pack full disk encryption has very few things in common with Truecrypt in relation to usability and functions. If you are a former Truecrypt user you will need to read the DCPP manual to understand some terms and features not present in Truecrypt.

DriveCrypt Plus Pack v3.94 Install


DriveCrypt Plus Pack allows you to secure your disk, including removable media, with a powerful and proven encryption algorithm (AES-256). AES-256 is a FIPS approved symmetric encryption algorithm.

DriveCrypt Plus Pack main features:

- Full disk encryption, encrypts 100% of your hard disk including the operating system.

- Pre-boot authentication, before the machine boots a password is requested to decrypt the disk and start your machine.

- It can create an encrypted hidden operating system whose existence can be denied, this is useful if you are ever forced to give out your password.

- Strong 256bit AES encryption

- Optional USB-Token authentication at pre-boot level

Before you start encrypting your disk you must install what DCPP calls BootAuth, this is the Master Boot Record. If you attempt to encrypt the disk without BootAuth you will be stopped and a message will warn you.

The Good Stuff

Once you are registered with Securstar website you will have access to video tutorials online about how to use DriveCrypt Plus Pack.

DCPP allows the use of a USB key as a password, but if you think that the Stasi or any other repressive government agency can raid your home, you will be better off memorising your passphrase.

Drivecrypt Plus Pack has specific administrator/user rights, ideal for corporations and multiuser computers.

The master password to access the encryption keys held in your keystore can be hidden in pictures (.bmp) or sounds (.wav) using steganography.

You can set up a logon password that when entered will destroy the BootAuth, deleting the bootloader and making the disk unbootable. To use this against a repressive regime while avoiding being accused of obstruction of justice, you can write the destruction password down next to your computer with the word “password” on it, and the Stasi will enter it for you in their computer forensics laboratory, destroying the bootloader themselves.

DriveCrypt Plus Pack comes with various BootAuth screens, this is how DCPP names the logon screen. One of them consists of a black BootAuth with the message “Hard disk failure”. It will not fool a computer forensics expert but can be optimal to fool your nosy flatmate.

DriveCrypt Plus Pack manual also explains how you can create your own customized logon screen with an image editor.

Securstar, the company selling Drivecrypt Plus Pack, accepts payments by check, Paypal, credit card or bank transfer. There is a Windows Vista 64 bit version available as well as the most widely used 32 bit.

You can test the integrity of the encryption method with a small utility included in Drive Crypt Plus Pack.

You can assign a hotkey to lock your computer if you have to go away from your computer for a few moments, this will activate a password protected screensaver.

If you have any problem or query Securstar provides support via email.

DriveCrypt Plus Pack Keystorage


The Bad Stuff

The software is proprietary, nobody can access the source code and it only works in Windows.

Drive Crypt Plus Pack help file and instructions are poor and not detailed enough; the Red Screen and BootAuth destruction features in particular are poorly documented.

Their official online support team, although replying quickly, in my experience, are not too knowledgeable of the product.

RAID and dynamic disks are not supported. Normally this should not be a problem for home users, only for businesses; it may still work but Securstar does not support it.

You can not use the non hidden operating system normally, only have it created in case you are forced to reveal the password.

A computer forensics investigator will be able to find out the last time you accessed that non hidden operating system by looking at the file timestamps.

Notice that the Truecrypt hidden operating system feature also has the same problem, as the predicament arises from Windows itself; download Mr. Bruce Schneier’s Defeating Deniable Encrypted File Systems research paper for more info on this.

You will need internet access to register the software.

Conclusion

Assuming you trust closed source full disk encryption software DriveCrypt will be a great choice. Unlike other similar commercial software like PGP whole disk encryption, DCPP has some features ideal for home users.

Some examples are: creating an operating system whose existence can not be proved, the capability to destroy BootAuth by entering a determined password to make the disk unbootable, use of steganography to hide your encryption keys inside a picture or sound file, a realistic hard disk failure logon black screen and the possibility of creating your own preboot screen with a simple photo editor.

Truecrypt vs. DriveCrypt Plus Pack:

DriveCrypt Plus Pack is a commercial venture and can not compete in price against Truecrypt, which is free.

Truecrypt source code can be checked for backdoors and reliability (although to the best of my knowledge nobody qualified has looked into its source code yet and said it is safe).

DriveCrypt Plus Pack has a support team that will help you in case of problems, Truecrypt has not.

DriveCrypt Plus Pack has some extra features like customizing of boot up screen, hiding of encryption keys for the keystore through steganography and USB authentication token support.

Truecrypt works in Linux as well as Windows, if you encrypt an external hard disk with Truecrypt in Windows you can then open that encrypted disk with your Linux computer.

DriveCrypt Plus Pack does not force you to burn a CD before you install the software; this is my greatest grudge against Truecrypt developers. See my workaround to install Truecrypt on a computer without CD drive if you want to install Truecrypt on your netbook.

The Truecrypt instructions manual is first rate, and I think everyone should read it even if they do not use Truecrypt. Not only does it contain help about their product, it also explains how you should tweak Windows to avoid data leaks. Truecrypt also has a wider choice of encryption algorithms than DriveCrypt Plus Pack, but DCPP AES256 is considered a standard and this is the one I would use with any encryption program.

DriveCrypt Plus Pack BootAuth in hidden mode


PS:

Whole disk encryption booting up problem solved!

I have experienced this with Truecrypt and DriveCrypt Plus Pack. This is not a software issue; it can happen with ANY whole disk encryption program.

Your computer hard disk will spin non stop and you will see this message on the screen while booting up your computer:

>Verifying DMI pool data…
>Boot from CD:
>Disk boot failure, insert system disk and press enter

This is a BIOS problem. As far as I know there is no easy solution other than getting into the BIOS and disabling the booting from CD option; you should be able to do this on any modern BIOS. If you then one day need to boot from a CD-ROM you will need to enable this option again.