Archive for Encryption

Protect your freedom of speech over MSN msgr

Posted in Tools with tags , , , , , on April 21, 2011 by Xacker

If you are worried that someone picks up your conversation over MSN, and interpret it in the wrong way against you (:P) then be no more.

ChatX is a script for Messenger Plus that encrypts/encodes your conversations both ways (if your contact is using it too) before your message is sent.

The encryption contains the following symmetric algorithms (definition for dummies: “Shared password is used, used to encrypt/decrypt the message”):

AES (128, 192, 256 bits), DES, Okto3, Zara, Ezip

The encoding contains the following encoding schemes:

Binary, Hexadecimal, Feron, Reverse, Base64

What is nice about ChatX is that you can still read your message in plaintext in the chat window, when it is *actually* being sent encrypted/encoded to your contact.

Here is a screenshot of an MSN conversation sniffer before ChatX is used:

Plaintext conversation is captured

and here it is after:

Encrypted conversation is captured

Download ChatX – Download Messenger Plus for MSN Messenger

~ Xacker

Advertisements

When “Encryption” can be bad for sysadmins?

Posted in Security with tags , on February 1, 2011 by Xacker

Encryption has always been a man’s best friend, but is it really true for sysadmins with encrypted applications?

Imagine this scenario, and allow me not to be – so – brief in order for non-technical people to understand the security issue.

– A PHP programmer distributes a web application.

– To protect his property from snooping eyes, he decided to encode his PHP files with something like Zend Guard, IonCube, etc.

– Unfortunately, the poor programmer missed a security vulnerability in his application.

– An attacker finds the vulnerability, of course, remember… no matter that the application is encoded, we’re talking runtime here.

– The attacker gains access to the PHP files source-code one way or another.

– The attacker is capable of decoding the encrypted content thanks to tens of freeware tools on the Internet that targets such encryption (Google: “dezend”, “zend decoder online”, …)

– The attacker needs to inject a backdoor in the system for future use to gain access in case the security vulnerability has been fixed.

This is were the security behind encryption fails.

All the attacker needs now is to decode one of the original files (for example), insert his evil shellcode among the original code, encrypt the file again and replace it on affected website.

If I’m a sysadmin (and I am :P), I would get VERY suspicious about encrypted content in one of my website pages, but that is not going to be the case if all my website content were originally encrypted by the programmer and I’m aware of that from the beginning.

How do you even trust an encrypted content on your website in the first place? What if the programmer himself originally placed a backdoor among the safe source-code? How can you tell then?

I think web masters should run this thought in their heads and think long before they accept running any encrypted stuff on their websites.

That being said, my coffee is getting cold.

Let me know what you think.

Enjoy.