Antiforensics Tor distribution Kodachi Linux

Kodachi is a Debian based Linux distribution that comes with Tor, a VPN and DNSCrypt. The desktop is a customized GNOME with custom scripts that let you manage everything from a good looking graphical interface.

With the open source system monitor Conky you can see real time information about your live Internet connection. The assigned VPN IP, the Tor exit node country, open ports, CPU and RAM spikes and bandwidth consumption are all shown on the desktop background as you browse.

Cloud storage clients are integrated with the distro: you can upload files to Dropbox, SpiderOak or Wuala. This is useful when running a live operating system and you need to save data without leaving tracks on the local machine; keep in mind that of the three only SpiderOak and Wuala encrypt on the client, so Dropbox can read whatever you upload to it. I normally use my email Inbox to do that but a cloud account is more suitable for big files.

Anonymous Tor distribution Kodachi Linux

A couple of clicks stop or restart the VPN tunnel or choose your preferred Tor exit node country. Popular encryption tools like TrueCrypt and KeePass, as well as Gnu Privacy Assistant, a graphical front end for GnuPG public key encryption, are all included in Kodachi, together with multiple wireless drivers so that everything works out of the box as soon as you boot the live DVD.

Other useful software found in Kodachi includes the FTP client FileZilla, Skype for VoIP, TeamViewer for remote desktop sharing, the SSH client PuTTY, the secure instant messenger Jitsi, the Foxit PDF reader, the VLC media player, the GIMP graphics editor and the LibreOffice suite. It will be difficult to find something a home user needs that is not there. In case you have to add packages, the default username is Kodachi and the root password is r@@t00. That password is public knowledge, so anyone with access to the machine, or to any network service you enable on it, knows it; change it with passwd if you keep the system around for longer than a live session.

Kodachi has a hard drive installer, but it is not recommended that you convert it into a desktop OS: the distribution would lose its anti-forensics effectiveness, because applications would no longer run only in RAM and would touch the hard drive. If you install it anyway, BleachBit is included to securely wipe Internet browser history and cache.

Anonymous operating system Kodachi Linux

The free VPN tunnel in Kodachi is paid for by taking 1% of your computer's processing power (CPU) to mine the cryptocurrency Litecoin (LTC). This is not noticeable and it can easily be turned off if you feel uneasy about it.

I loved this distribution. It has everything a privacy conscious person needs, but a gigantic worry I have is that Kodachi developers, Eagle Eye Digital Solutions, by their own admission are working for the Oman government and provide security to private agencies. As a result of this commercial relationship, my belief is that Kodachi developers could be open to blackmail from their employers in the form of contract awards, and they could be comfortably compelled into inserting a backdoor or intentional code bug if needed.

Visit Kodachi Linux homepage

Quantum resistant encryption CodeCrypt

CodeCrypt is an open source cryptography tool built on quantum resistant algorithms, in particular the McEliece cryptosystem, an asymmetric encryption scheme developed by the mathematician Robert McEliece and a candidate for post-quantum cryptography because no known quantum algorithm breaks it efficiently. The software works like GnuPG: you can digitally sign and encrypt data using a public and private key scheme, and anybody who knows their way around GnuPG will have very little learning curve.

Quantum encryption padlock

CodeCrypt public keys can be identified by the key header: the random looking data sits between a line of the form "------ccr begin publickeys------" and a matching "------ccr end publickeys------". The software only works on Unix based systems, is handled from the command line and is distributed as tar.gz packages. Usage is well documented in the included help file and resembles command line GPG; the command is ccr, so to sign a message you type "ccr -s" or "ccr --sign", to encrypt a file "ccr -e" and to decrypt "ccr -d".

The paranoid should choose a large key size: Grover's algorithm gives a quantum computer only a quadratic speed-up over brute force, so a larger key restores the security margin. The developer carried out speed tests in his thesis comparing CodeCrypt with GnuPG, and the speed difference between them was unnoticeable.

Note: the program is in beta and the author is a self-taught cryptographer, so use it with caution.

Visit CodeCrypt homepage

Set up your own encryption email server with Ciphermail

Ciphermail (formerly DJIGZO) is an open source email gateway that encrypts and decrypts email messages. It works with S/MIME X.509 digital certificates or with PDF documents encrypted with 128-bit AES. The software can be installed on most Unix servers: there are packages for Debian, Ubuntu, Red Hat and CentOS, and virtual images for VMware and Hyper-V (Windows). Ciphermail works like a normal SMTP relay, the main difference being that messages sent inside the network or to the Internet are digitally signed and encrypted before they leave (with S/MIME when a certificate for the recipient is available, otherwise falling back to PDF encryption if you enable it).

PDF encryption was added so that the recipient does not need an S/MIME certificate of their own to read your email: any computer with a PDF reader can open a password protected PDF document. If you choose this option the software converts your email message into a PDF document before sending it, and the document contains a reply link that takes the recipient to a page on the Ciphermail server where they can reply securely without having encryption installed on their end. There are various ways to protect the PDF: with a predefined password that you have previously transmitted to the recipient over a secure channel (e.g. verbally), with a random password that is sent by SMS to the recipient's mobile phone, or with a one time password scheme where an invite asks the recipient to log on to the Ciphermail server to read the message, so that the password is unique for every single email.

Ciphermail (formerly DJIGZO) email digital certificates

PDF email encryption is not as secure as public key encryption, because the password can be compromised somehow, but if the people you communicate with do not want to or do not know how to use encryption, PDF is the best way to get around that. It is no different from manually storing a message inside a password protected .rar file, with the advantage that Ciphermail does all the encryption on the server. The protection is only as strong as the password: the practical attack on an AES-encrypted PDF is guessing it, which a long random alphanumeric passphrase puts out of reach, so a static password reused for every message is the weak option and the per-message SMS or one time password modes are preferable.

You can configure settings through a web admin portal: message attachment limit, mailbox size, SMTP HELO name (hostname), a few mail transfer agent settings for Postfix, user permissions, digital certificate expiration date and much more. Messages can also be routed through a virus scanner for extra security (this only makes sense on the plaintext side, i.e. before encryption or after decryption). There is also a Ciphermail Android client that interoperates with S/MIME clients such as Outlook and Thunderbird; it encrypts HTML email and attachments using the recipient's public certificate, which it can fetch from an LDAP server, and a step by step wizard guides you through setting up an account and importing your keys or generating your own self-signed certificate. There is another Ciphermail version for BlackBerry.

You can download a very detailed manual with screenshots that guides you through setting up Ciphermail, but administering the server still requires advanced Unix knowledge. It is a cheap way to secure all of your network's email with open source software and minimal work once the initial set up is done.

Visit Ciphermail homepage

How to set up your own private proxy server for anonymous internet browsing

A Virtual Private Server works well for setting up your own private Internet browsing proxy. A VPS can cost as little as $8 a month, roughly what a private proxy or VPN provider would charge you, but with you in full control of the logs and of the server's resources, which can be used for other things besides hiding your IP when browsing, for example IRC chat through the shell with irssi or hosting a website with lighttpd. Keep in mind what this does and does not hide: websites see the VPS address instead of yours, but the VPS provider (and anyone who can compel it) knows who pays for the server and can see the traffic leaving it, so this is a private proxy rather than anonymity in the Tor sense.

You could also open this proxy to friends, or even run your own proxy business open to the public; with the loopback-only setup below every user needs an SSH account on the server, since the proxy is only reachable through the tunnel. You do not need great Unix knowledge to do this. I will write down a step by step tutorial; this was done on a Debian server.

Proxy server diagram

1) You will need to install a proxy server on your machine. This example uses micro-proxy, a small Unix HTTP/HTTPS proxy that runs from inetd.

privacydusk# apt-get install micro-proxy
Reading package lists… Done
Building dependency tree
Reading state information… Done
Suggested packages:
micro-httpd micro-inetd
The following NEW packages will be installed:
micro-proxy
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 9838B of archives.
After this operation, 65.5kB of additional disk space will be used.
Get:1 http://ftp.us.debian.org lenny/main micro-proxy 20021030+debian-5 [9838B]
Fetched 9838B in 0s (24.8kB/s)
Selecting previously deselected package micro-proxy.
(Reading database … 16543 files and directories currently installed.)
Unpacking micro-proxy (from …/micro-proxy_20021030+debian-5_amd64.deb) …
Processing triggers for man-db …
Setting up micro-proxy (20021030+debian-5) …

2) Install xinetd on your server:

privacydusk# apt-get install xinetd
Reading package lists… Done
Building dependency tree
Reading state information… Done
The following NEW packages will be installed:
xinetd
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 147kB of archives.
After this operation, 336kB of additional disk space will be used.
Get:1 http://ftp.us.debian.org lenny/main xinetd 1:2.3.14-7 [147kB]
Fetched 147kB in 1s (140kB/s)
Selecting previously deselected package xinetd.
(Reading database … 16548 files and directories currently installed.)
Unpacking xinetd (from …/xinetd_1%3a2.3.14-7_amd64.deb) …
Processing triggers for man-db …
Setting up xinetd (1:2.3.14-7) …
Stopping internet superserver: xinetd.
Starting internet superserver: xinetd.

Set micro-proxy to run via xinetd (or inetd if you use that instead). Here goes my xinetd.conf file configured to use microproxy (it can equally go in its own file under /etc/xinetd.d/). The two stanzas are identical apart from the service name, which is what ties each one to a port in /etc/services in step 3. micro_proxy needs no privileges, it only opens outbound connections once xinetd has handed it the socket, so user = nobody is the safer choice:

service microproxy
{
    disable     = no
    bind        = 127.0.0.1
    socket_type = stream
    protocol    = tcp
    user        = root
    wait        = no
    server      = /usr/sbin/micro_proxy
}

service microproxyssl
{
    disable     = no
    bind        = 127.0.0.1
    socket_type = stream
    protocol    = tcp
    user        = root
    wait        = no
    server      = /usr/sbin/micro_proxy
}

3) xinetd looks up the port for each service name in /etc/services, so add the following two entries there (the alternative is a port = line inside each stanza):

microproxy 2280/tcp
microproxyssl 2243/tcp

Notice that I am using port 2280 for HTTP and port 2243 for HTTPS; you can use any ports you like, but make sure nothing else on the server is already using them. You will also need to comment out any existing entries in /etc/services that define the same ports.

After you have modified /etc/services you will need to restart xinetd for the changes to take effect:

/etc/init.d/xinetd restart

4) Make sure the ports you want to use are listening on the server. There are various ways to check this:

a) Install lsof and then:

lsof -i -nN -P | grep 2280
xinetd  29568 root  5u  IPv4  1152793  TCP 127.0.0.1:2280 (LISTEN)

As you can see the line ends in LISTEN, which means something is listening on port 2280, and the 127.0.0.1 in front of it confirms it is bound to loopback only. Change the port in the grep to the port you want to check.

b) You can use netstat to check for listening ports. Look for 127.0.0.1:2280 and 127.0.0.1:2243 among the LISTEN lines; if you ever see 0.0.0.0:2280 instead, the proxy is reachable from the Internet, which is not what this setup intends:

netstat -vatn

privacydusk:/etc# netstat -vatn
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 64.62.173.51:53         0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:982           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 :::53                   :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 ::1:953                 :::*                    LISTEN


c) Another method is to scan the server itself with nmap:

privacydusk# nmap localhost
Starting Nmap 4.62 ( http://nmap.org ) at 2009-03-30 05:21 UTC

5) Once you have installed micro-proxy, configured xinetd and edited /etc/services you are done on the server side. Now it is time to configure your Internet browser.

If you are using Opera 9.*, go to Tools > Preferences > Advanced > Network > Proxy Servers and enter 127.0.0.1 port 5000 in the HTTP box and 127.0.0.1 port 5043 in the HTTPS box.

If you are using Firefox 3.*, go to Tools > Options > Advanced > Settings and do exactly the same.

All that is left is the tunnel from the shell. Before you start surfing with your browser, type:

ssh -L 5000:127.0.0.1:2280 -L 5043:127.0.0.1:2243 username@machine.net

machine.net is your server's hostname. In each -L the first number is the local port your browser talks to, and 127.0.0.1:2280 and 127.0.0.1:2243 are the loopback addresses as seen from the server, which is why the proxy never has to listen on a public interface. Change the numbers if you used different ports.

To surf through the SSH tunnel on a Windows machine without a shell you can use KiTTY, a PuTTY fork, which takes the same local forwards under Connection > SSH > Tunnels.

Firewall:
If you use iptables with a restrictive INPUT policy, you will need to allow traffic to those ports. The following opens port 2280 on eth0:

iptables -A INPUT -p tcp -i eth0 --dport 2280 -j ACCEPT

Note that in the setup above the proxy only listens on 127.0.0.1 and the SSH tunnel delivers its traffic over loopback, so this rule is only required if you bind micro_proxy to a public address, which would make it an open proxy for anyone who finds it. With the loopback-only setup the only port that has to be reachable from outside is SSH (22).

To list the rules in the firewall use iptables -L. Note that the INPUT policy here is ACCEPT, so the two rules change nothing until the policy is set to DROP:

privacydusk# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:2280
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:2243
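The check in step 4 is worth automating, because the whole safety of this setup rests on micro_proxy staying bound to 127.0.0.1. The script below is an added example, not part of the original tutorial: it classifies each proxy port from a netstat or ss listing as loopback-only (what the xinetd config intends), exposed on a wildcard or routable address (an open proxy anyone on the Internet can use), or closed. The listing embedded in it is constructed for the example; on a live server feed it the real output of netstat -vatn or ss -ltn.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): classify how each
# proxy port is bound, using the same netstat/ss listing step 4 inspects.
# micro_proxy is meant to listen on 127.0.0.1 only and be reached through
# the SSH tunnel; a wildcard or public binding would make it an open proxy.

# Constructed sample in `netstat -vatn` format (not a real capture):
# sshd on all interfaces, the two proxy services on loopback (IPv4 and
# IPv6), and a misconfigured second proxy bound to every interface.
SAMPLE_LISTING='tcp        0      0 0.0.0.0:22        0.0.0.0:*   LISTEN
tcp        0      0 127.0.0.1:2280    0.0.0.0:*   LISTEN
tcp        0      0 127.0.0.1:2243    0.0.0.0:*   LISTEN
tcp6       0      0 ::1:2280          :::*        LISTEN
tcp        0      0 0.0.0.0:3128      0.0.0.0:*   LISTEN'

# port_binding PORT LISTING
# Prints one word: "loopback" (only 127.0.0.1/::1 listen on PORT),
# "exposed" (at least one socket on PORT listens on a wildcard or
# routable address), or "closed" (nothing listens on PORT).
# Accepts both `netstat -vatn` lines (state in the last field) and
# `ss -ltn` lines (state in the first field); the local address is
# field 4 in both layouts.
port_binding() {
    printf '%s\n' "$2" | awk -v want="$1" '
        $1 == "LISTEN" || $NF == "LISTEN" {
            n = split($4, part, ":")
            port = part[n]
            if (port != want) next
            # everything before the last colon is the address (IPv6 safe)
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr == "127.0.0.1" || addr == "::1") {
                if (verdict == "") verdict = "loopback"
            } else {
                verdict = "exposed"
            }
        }
        END { print (verdict == "" ? "closed" : verdict) }'
}

# audit_proxy_ports LISTING PORT...
# Returns 0 when every port is loopback-only, 1 otherwise, printing a
# line per port so the output can go straight into a cron mail.
audit_proxy_ports() {
    listing=$1
    shift
    rc=0
    for p in "$@"; do
        state=$(port_binding "$p" "$listing")
        echo "port $p: $state"
        [ "$state" = loopback ] || rc=1
    done
    return $rc
}

# Stand-alone run over the constructed sample. On the server use:
#   audit_proxy_ports "$(netstat -vatn)" 2280 2243
audit_proxy_ports "$SAMPLE_LISTING" 2280 2243 3128 || echo "proxy exposure problem found"
```

Run it from cron with the real listing and a non-zero exit status means the proxy has drifted from the loopback-only configuration, whether because someone edited the bind line or because a second proxy was installed.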

Newsgroup dealing with port forwarding: comp.security.ssh

Software to create an encrypted file system in Linux

This is an old article from Linux Magazine, free to download, which I found to be an excellent and detailed review of the most common tools for encrypting data on Unix systems; these tools and methods are still valid and in use nowadays.

It provides some insights on encryption techniques, code quality, and the relative merits of the various solutions. The following encrypted file systems are examined:

Loop-AES
dm-crypt
TrueCrypt
CryptoFS
EncFS

In addition to looking at technologies and techniques the performance parameters for these encryption options are also assessed.

Download link(pdf article):

http://www.linux-magazine.com/w3/issue/72/Encrypted_Filesystems_Review.pdf

List of cross platform password managers (Linux,Windows,Mac)

The reason you should never reuse a password across sites is that if one of the sites gets hacked, the attacker will try that same username and password on other sites and get into all of your accounts. It is impossible to remember all the passwords one has; that is where these free password managers help, and some of them are cross platform and can be used on Windows as well as Linux.

KeePassX: its encrypted database can be passed between Linux, Mac and Windows computers; the software runs on all three platforms and the database can be opened on any of them regardless of OS. KeePassX saves user names, passwords, URLs, attachments and comments in a single database encrypted with 256-bit AES.

Password Gorilla: runs on Linux, Mac and Windows, so if you decide to change your computer's OS next year it will not be a problem. Password Gorilla encrypts the database with the solid Twofish algorithm and uses SHA-256 for key derivation from the master password, and it makes a good alternative to KeePassX; both have portable Windows versions that can be run from a memory card or USB thumb drive.

Password Gorilla cross platform password manager

Password Safe: multilingual open source password manager for Linux and Windows; U3 and portable versions are also available. It uses Twofish and SHA-256. Related projects implement Password Safe in Java, as a command line utility called pwsafe, and as PwSafe for the iPod Touch, iPad and iPhone. Support is available on the Password Safe website discussion forum.

Alternatives to the password managers mentioned above that work across platforms are web based password services like LastPass and PassPack, but I strongly discourage you from using those, because anyone with access to your browser can have access to your passwords and because man in the middle attacks are also possible against web based password managers.
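Having the database in one of these managers also makes the reuse problem described above auditable. The script below is an added example, not from the original article or from any of the projects named: it reads a CSV export of the kind KeePassX, Password Gorilla and Password Safe can produce and reports which entries share a password. The column order (title,username,password,url) and the sample rows are constructed for the example, fields are assumed to contain no commas, and the script deliberately never prints a password, only the count and the entries that share it.

```shell
#!/bin/sh
# Added example (not from the original article): audit a password
# manager CSV export for password reuse. Column layout, sample rows and
# the no-commas-in-fields rule are assumptions made for this example.
# Secrets are never printed: only how many entries share a password and
# which entries those are.

# Constructed sample export (not real credentials).
SAMPLE_EXPORT='title,username,password,url
bank,alice,Tr0ub4dor&3,https://bank.example
webmail,alice,Tr0ub4dor&3,https://mail.example
forum,alice42,correct horse battery staple,https://forum.example
shop,alice,Tr0ub4dor&3,https://shop.example
vpn,alice,9q!Lz$2m#Vx,https://vpn.example'

# reuse_groups EXPORT
# Prints one line per password used by more than one entry:
#   <count> <title1> <title2> ...
# sorted so the output is stable for diffing between audits.
reuse_groups() {
    printf '%s\n' "$1" | awk -F, '
        NR == 1 { next }                         # skip the header row
        { n[$3]++; titles[$3] = titles[$3] " " $1 }
        END {
            for (pw in n) if (n[pw] > 1) print n[pw] titles[pw]
        }' | sort
}

# reuse_count EXPORT: number of distinct passwords shared by 2+ entries
reuse_count() {
    reuse_groups "$1" | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample. On your own export:
#   reuse_groups "$(cat export.csv)"
# and shred the export afterwards, since it is plaintext.
reuse_groups "$SAMPLE_EXPORT"
if [ "$(reuse_count "$SAMPLE_EXPORT")" -gt 0 ]; then
    echo "reuse found: change the shared passwords" >&2
fi
```

For the sample the output is a single group of three entries (bank, webmail and shop), which is exactly the situation in which one breached site hands an attacker the other two.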

How to use eCryptfs for encryption in Linux

eCryptfs is a cryptographic file system built into the Linux kernel (versions 2.6.19 and later). It is also a stacked file system, which means that eCryptfs is a layer that works on top of other standard, lower file systems such as ext4, FAT32, XFS and ReiserFS.

Some of the advantages of eCryptfs over block level encryption such as LUKS are:

  1. Dynamic size of the encrypted tree: the size of the encrypted part does not need to be fixed in advance, so you do not have to pre-allocate a big chunk of disk space for sensitive data that may only be a few megabytes.
  2. All the cryptographic metadata is stored in the header of each file. This means an encrypted file can be copied or moved from one location to another without leaving any metadata behind.
  3. Files can be encrypted with multiple keys, so that several users can share access to encrypted files. You can also have different files encrypted by different users, with each user able to access only their own files.

Disadvantages of using eCryptfs (these may change in future versions):

  1. Older versions (before kernel 2.6.29) did not encrypt filenames, only the content; current versions can, if you answer yes to the filename encryption question at mount time, so check which one you have.
  2. Certain patterns, such as a typical distribution of file sizes in a directory, will always give a clear hint of what is being stored, even if it is encrypted.

eCryptfs should not be used if you want to hide the fact that something is stored! You will not be able to deny the existence of encrypted files!

To install eCryptfs on Fedora and other yum based RPM distributions (substitute zypper on openSUSE or urpmi on Mandriva, the package name is the same):

su -c 'yum install ecryptfs-utils'

To install eCryptfs on DEB based Linux (Debian, Knoppix, GRML, etc):

sudo aptitude install ecryptfs-utils

encryption eCryptfs kernel diagram

First create a folder in your home directory and name it private:

mkdir ~/private

Now change the folder permissions to make sure nobody else can access it:

chmod 700 ~/private

Then mount eCryptfs on top of the private folder, giving the same directory as both the lower and the mounted path, with the following command as root (with sudo, ~ still expands to your own home directory):

mount -t ecryptfs ~/private ~/private

eCryptfs will then prompt you to answer a few questions (passphrase, cipher, key size, plaintext passthrough and filename encryption), see the screenshot below:

eCryptfs Unix encryption

After you have made your choices and mounted the encrypted folder you can add files inside.

To test that eCryptfs is working, unmount the encrypted folder and see whether you can open the files left inside the private folder:

sudo umount ~/private

If it is working properly you should only see the encrypted lower files (and, with filename encryption enabled, encrypted file names), and none of them should open as the data you wrote.
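The same setup can be done without the interactive questions, which makes the choices explicit and lets the unmount test above check the bytes of the lower files instead of relying on the eye. The script below is an added example, not from the original article or from the eCryptfs project: mounting needs root and ecryptfs-utils, the directory and passphrase file paths are placeholders, and the passphrase file must contain a single line of the form passphrase_passwd=<secret> (the format mount.ecryptfs reads) and should be mode 600, ideally on tmpfs. The option names are the documented mount.ecryptfs ones; the default that the filename encryption key signature falls back to the passphrase key signature is taken from the interactive prompt's default and should be confirmed on your version.

```shell
#!/bin/sh
# Added example, not from the original article or the eCryptfs project:
# the ~/private setup done non-interactively, followed by the unmount
# test done on the lower files' bytes. Needs root and ecryptfs-utils to
# actually mount; paths are placeholders. The passphrase file must hold
# one line:  passphrase_passwd=<secret>
set -e

# ecryptfs_mount_opts KEY_BYTES PASSWD_FILE
# Builds the option string the prompts would otherwise ask for: AES with
# a 16/24/32-byte key, no plaintext passthrough, filename encryption on
# (the FNEK signature defaults to the passphrase key's signature, so
# ecryptfs_fnek_sig is only needed for a separate key) and no_sig_cache,
# so an unknown key signature does not stop an unattended mount.
ecryptfs_mount_opts() {
    case "$1" in
        16|24|32) ;;
        *) echo "key bytes must be 16, 24 or 32" >&2; return 1 ;;
    esac
    printf 'key=passphrase:passphrase_passwd_file=%s' "$2"
    printf ',ecryptfs_cipher=aes,ecryptfs_key_bytes=%s' "$1"
    printf ',ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=y,no_sig_cache\n'
}

# mount_private DIR PASSWD_FILE: stack eCryptfs over DIR itself, as in
# the text, with a 256-bit key.
mount_private() {
    mkdir -p "$1"
    chmod 700 "$1"
    mount -t ecryptfs "$1" "$1" -o "$(ecryptfs_mount_opts 32 "$2")"
}

# lower_is_ciphertext LOWER_FILE MARKER
# An eCryptfs lower file starts with an 8 KiB header (plaintext size,
# marker bytes, wrapped key) followed by ciphertext, so if the marker
# text we wrote into the plaintext is visible in the first 8 KiB of the
# lower file, the data was never encrypted. Returns 0 when the file
# looks encrypted, 1 when the plaintext marker shows through.
lower_is_ciphertext() {
    if head -c 8192 "$1" | grep -q -- "$2"; then
        return 1
    fi
    return 0
}

# demo_round_trip DIR PASSWD_FILE: mount, write a canary file, unmount,
# then confirm every lower file hides the canary. With filename
# encryption on, the lower names look like ECRYPTFS_FNEK_ENCRYPTED.*
demo_round_trip() {
    marker="plaintext-canary-$$"
    mount_private "$1" "$2"
    echo "$marker" > "$1/canary.txt"
    umount "$1"
    for f in "$1"/*; do
        if ! lower_is_ciphertext "$f" "$marker"; then
            echo "FAIL: $f still contains plaintext" >&2
            return 1
        fi
    done
    echo "OK: lower files are ciphertext"
}

# Usage as root:  sh this.sh run /root/private /root/.ecryptfs-pw
if [ "${1:-}" = run ]; then
    demo_round_trip "$2" "$3"
fi
```

The canary check is the unmount test from the text made mechanical: a lower file that still shows the marker in its header region means the mount did not take effect (for example because the options were rejected and the directory was written to unencrypted).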

Warning: once the encrypted data is accessed it will leave traces all over your operating system (swap, print spool, spell-checker, backups ...). If you really care about your private data falling into the wrong hands then use whole disk encryption!