Follow by Email

Thursday, April 17, 2014

Major Flaw in WhatsApp allows hackers and Service provider to trace Your location data. 

Researchers at UNH have discovered a major flaw in WhatsApp which puts the user location data at risk of being traced by hackers and Network provider.
Major Flaw in WhatsApp allows hackers and Service provider to trace Your location data.
WhatsApp is said to be using SSL encryption to secure its messaging service, however this year has not been so kind with WhatsApp security. about a month back Researchers discovered 4 gaping SSL security holes in the app which would have compromised its 430 million user ids and phone numbers  and now a unpatched flaw that puts the user location at risk of being traced by hackers or attacker over Rogue Access point.

According to the report, there is a major flaw in the way WhatsApp sends location data when it downloads the location from google maps. The main issue is that the location image is unencrypted, leaving it open for interception through either a Rouge AP, or any man-in-the middle attacks.

A feature in the WhatsApp allows user to share his current location, once the request is made by the user to share his location. whatsApp uses an unencrypted channel to access the present location of the user and then send a screenshot of the Google map location of the user. the flaw can work here and hackers can sniff the requested Image.

Considering the Condition of a Rogue Access point (network) how the bug can be exploited was explained by the Researcher,

The mobile traffic was captured using the Windows 7 virtual wifi miniport adapter feature. The host computer was connected to the Internet via an Ethernet cable so that the wireless card was not in use. The Ethernet connection was set to share its Internet access with the virtual wifi miniport adapter – this helped them to mimic a Rouge Access Point (AP). and allowed to capture the traffic over the wireless network using NetworkMiner and Wireshark.

A Video Demonstartion can be seen below:
video

Result of the Research: Researchers managed to reconstruct the location image with the source of the Image as Google maps and destination as the tested device.

The Vulnerability has already been reported to WhatsApp security team with a response Acknowledge message sent back as,

" Hello XXXXXX, Thank you for your report. We have already implemented this solution in the latest beta versions of our app. We will be rolling this fix out to the general public with the next release on each platform. If you have any other questions or concerns, please feel free to contact us. We would be happy to help!"

This could be noted that the latest beta version of the app is not vulnerable to the found bug, how ever all other versions are still to be patched.

 

Wednesday, April 16, 2014

Google Admits that It Reads your Emails


Google read your emails
Google has updated its privacy terms and conditions on Monday to offer more transparency regarding its email-scanning practices. One of the world’s biggest Web internet giant, Google, made it clear that the information its users submit and share with its systems is all analyzed.
Last year, Google was accused of its illegal interception of all electronic communications sent to Gmail account holders and using the gathering data to sell and place advertisements in order to serve related ads to its users. Practically, the more information you let Google collect about you, the more accurate its adverts become.

But Google has long insisted that its scanning practices are outlined in its terms of service.

So, finally admitting the accusation, Google has made some changes in its terms of service res a new paragraph that explains the manner in which its software automatically scans and analyzes the content of Gmail messages when they are sent, received, and stored.
"Our automated systems analyses your content (including emails) to provide you personally relevant product features, such as customized search results, tailored advertising and spam and malware detection," reads Google's updated terms. "This analysis occurs as the content is sent, received, and when it is stored."
Google said the changes were purposed to make the company's privacy policy easier to understand by users. "Today's changes will give people even greater clarity and are based on feedback we've received over the last few months," the company said in a statement.
Google's terms of service clearly states, "When you upload, or otherwise submit, store, send or receive content to or through our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content."
Despite several accusations of violating privacy and wiretapping laws, Google won an important case last month when a federal judge dismiss most of a lawsuit against Google over accusations.

Lucy Koh, a United States District Court judge in San Jose, had consented to having their e-mail read for the purposes of targeted advertising, allowing for a potential class-action suit against the company.

Unfortunately there's no way to stop Google scanning your inbox to serve adverts.

Tuesday, April 15, 2014

GoGo Wireless Adds Surveillance Capabilities for Government

The important piece of this story is not that GoGo complies with the law, but that it goes above and beyond what is required by law. It has voluntarily decided to violate your privacy and turn your data over to the government.

Sunday, April 13, 2014

What Is the OpenSSL Heartbleed Bug and Why Should You Care?

As a regular Internet user, you expect the background of the Internet to just work. Everything that goes on behind the scenes, all the encryption, all of the handshakes, and every little transaction should be able to provide you with a safe way to communicate and do your business online without having to worry about hackers prowling at your every move. Unfortunately that’s not how the Internet works, and the OpenSSL “Heartbleed” bug is definitive proof of this. There are some things you should know about this bug because, in all likelihood, it pertains to you more than you think.
OK, so I mentioned OpenSSL twice and didn’t even explain it to you. Do you see the little lock icon next to the “https://” on your browser when you enter “secure” sites? It looks something like this on Google’s Chrome web browser:
opensslbug-paypal
When you see that, you’re using a special form of encryption known as secure socket layer (SSL) or transport layer security (TLS). To provide services with this encryption, you need an algorithm that will provide the encryption/decryption for the packets you exchange with the server. This means that they need to have a way to translate your text into unreadable gibberish and then translate it back from that into the readable form on their own end. Using this technology, if a hacker somehow manages to interfere with your connection to the server, all he’ll read is a long string of babble.
Now, we get to the part (finally) where we explain what OpenSSL is: It’s a free and open-source implementation of SSL/TLS protocols. With this technology, anyone can provide encrypted services to you. Many companies you have accounts with may use OpenSSL to encrypt your data.
But what if OpenSSL has a bug that completely defeats the purpose of encryption?
opensslbug-heartbleed
On April 10, 2014, the folks at PerfectCloud, an identity security company, have reported on a massive hole in OpenSSL’s coding known as the “Heartbleed” bug. For two years, we haven’t seen a new version of OpenSSL, and during that time it had a problem in its code which exposed a bit of server memory. This memory chunk could contain the private keys that are used to encrypt/decrypt data. Ouch!
What this means is that a hacker could discover the server’s cryptographic keys and simply decrypt everything you send to it, including your username, your password, and everything else that’s important and dear to you.
The bug was fixed on April 7th, 2014, but that doesn’t mean that everyone’s followed through with an update to their implementations of OpenSSL. Major Internet companies like Amazon and Yahoo have taken care of the issue, but that still doesn’t mean you’re in the clear! A hacker could have your username and password on a list right now ready to be used to try to access any other accounts you may have elsewhere.
So, even if a company upgrades to the latest OpenSSL implementation, you’re still at risk for previous exposures. However, if there are any further hacking attempts, they won’t succeed. What you can do in this situation is change your password everywhere. Don’t let it wait. Just change everything so that you’re prepared if a hacker ever decides to try out your accounts.
This bug simply shows how delicate and interwoven the Internet is. Despite its booming security awareness and unregulated awesomeness, the Internet is still the internet, and it will always be under siege. What recommendations do you have for companies that use OpenSSL? How did your understanding of security ecosystems change? Are you confused about something? Post your thoughts on anything related to OpenSSL in the comments area below!

Saturday, April 12, 2014

More on Heartbleed

This is an update to my earlier post.
Cloudflare is reporting that it's very difficult, if not practically impossible, to steal SSL private keys with this attack.
Here's the good news: after extensive testing on our software stack, we have been unable to successfully use Heartbleed on a vulnerable server to retrieve any private key data. Note that is not the same as saying it is impossible to use Heartbleed to get private keys. We do not yet feel comfortable saying that. However, if it is possible, it is at a minimum very hard. And, we have reason to believe based on the data structures used by OpenSSL and the modified version of NGINX that we use, that it may in fact be impossible.
The reasoning is complicated, and I suggest people read the post. What I have heard from people who actually ran the attack against a various servers is that what you get is a huge variety of cruft, ranging from indecipherable binary to useless log messages to peoples' passwords. The variability is huge.
This xkcd comic is a very good explanation of how the vulnerability works. And this post by Dan Kaminsky is worth reading.
I have a lot to say about the human aspects of this: auditing of open-source code, how the responsible disclosure process worked in this case, the ease with which anyone could weaponize this with just a few lines of script, how we explain vulnerabilities to the public -- and the role that impressive logo played in the process -- and our certificate issuance and revocation process. This may be a massive computer vulnerability, but all of the interesting aspects of it are human.

Police Disabling Their Own Voice Recorders

This is not a surprise:
The Los Angeles Police Commission is investigating how half of the recording antennas in the Southeast Division went missing, seemingly as a way to evade new self-monitoring procedures that the Los Angeles Police Department imposed last year.
The antennas, which are mounted onto individual patrol cars, receive recorded audio captured from an officer’s belt-worn transmitter. The transmitter is designed to capture an officer’s voice and transmit the recording to the car itself for storage. The voice recorders are part of a video camera system that is mounted in a front-facing camera on the patrol car. Both elements are activated any time the car’s emergency lights and sirens are turned on, but they can also be activated manually.
According to the Los Angeles Times, an LAPD investigation determined that around half of the 80 patrol cars in one South LA division were missing antennas as of last summer, and an additional 10 antennas were unaccounted for.
Surveillance of power is one of the most important ways to ensure that power does not abuse its status. But, of course, power does not like to be watched.

Friday, April 11, 2014

Heartbleed vulnerable websites on the Alexa top 10000, as of 0100 UTC 20140411. 278 total listings on 155 unique domains. Out of 20K attempted connections (±www), 9185 returned errors — presumably those sites either do not expose https or redirect to alternate servers:

55188.com:443 - VULNERABLE
adultbay.org:443 - VULNERABLE
akairan.com:443 - VULNERABLE
alfajertv.com:443 - VULNERABLE
all-union.com:443 - VULNERABLE
aremo.com.br:443 - VULNERABLE
arioo.com:443 - VULNERABLE
asiatech.ir:443 - VULNERABLE
banglanews24.com:443 - VULNERABLE
beliefnet.com:443 - VULNERABLE
cdn4711.net:443 - VULNERABLE
championat.com:443 - VULNERABLE
competitor.com:443 - VULNERABLE
cpasuperaffiliate.com:443 - VULNERABLE
datropy.com:443 - VULNERABLE
docnhat.net:443 - VULNERABLE
down1oads.com:443 - VULNERABLE
downloadab.com:443 - VULNERABLE
dressupgamesite.com:443 - VULNERABLE
ecosia.org:443 - VULNERABLE
edlen24.com:443 - VULNERABLE
escapistmagazine.com:443 - VULNERABLE
evsuite.com:443 - VULNERABLE
expatriates.com:443 - VULNERABLE
farnell.com:443 - VULNERABLE
fermasosedi.ru:443 - VULNERABLE
fide.com:443 - VULNERABLE
final.ir:443 - VULNERABLE
fontpalace.com:443 - VULNERABLE
foozine.com:443 - VULNERABLE
futbol24.com:443 - VULNERABLE
gazzetta.gr:443 - VULNERABLE
gi-akademie.com:443 - VULNERABLE
gi-backoffice.com:443 - VULNERABLE
globallshare.com:443 - VULNERABLE
gnetwork.biz:443 - VULNERABLE
gogetlinks.net:443 - VULNERABLE
goodfon.ru:443 - VULNERABLE
gordonua.com:443 - VULNERABLE
gorillavid.in:443 - VULNERABLE
graphixshare.com:443 - VULNERABLE
healthkart.com:443 - VULNERABLE
hobo-web.co.uk:443 - VULNERABLE
holidayiq.com:443 - VULNERABLE
hypebeast.com:443 - VULNERABLE
idwebgame.com:443 - VULNERABLE
im286.com:443 - VULNERABLE
imasters.com.br:443 - VULNERABLE
internetlifestylenetwork.com:443 - VULNERABLE
ireporterstv.co:443 - VULNERABLE
joomlaportal.de:443 - VULNERABLE
joxi.ru:443 - VULNERABLE
jquery4u.com:443 - VULNERABLE
juicyads.com:443 - VULNERABLE
lavozdelmuro.com:443 - VULNERABLE
longurl.it:443 - VULNERABLE
mamaclub.com:443 - VULNERABLE
marunadanmalayali.com:443 - VULNERABLE
mdir.ir:443 - VULNERABLE
mobeoffice.com:443 - VULNERABLE
mpnrs.com:443 - VULNERABLE
mp-success.com:443 - VULNERABLE
mttbsystem.com:443 - VULNERABLE
myegy.to:443 - VULNERABLE
myip.ms:443 - VULNERABLE
myus.com:443 - VULNERABLE
naukrigulf.com:443 - VULNERABLE
neurs.com:443 - VULNERABLE
neurs.net:443 - VULNERABLE
noulinx.com:443 - VULNERABLE
nsdl.co.in:443 - VULNERABLE
nukistream.com:443 - VULNERABLE
ocj.com.cn:443 - VULNERABLE
okitspace.com:443 - VULNERABLE
olx.co.th:443 - VULNERABLE
optimizehub.com:443 - VULNERABLE
optimizepress.com:443 - VULNERABLE
osclass.org:443 - VULNERABLE
paperblog.com:443 - VULNERABLE
peeplo.com:443 - VULNERABLE
perfectworld.eu:443 - VULNERABLE
playxn.com:443 - VULNERABLE
plius.lt:443 - VULNERABLE
polki.pl:443 - VULNERABLE
postjoint.com:443 - VULNERABLE
prezentacya.ru:443 - VULNERABLE
profitcentr.com:443 - VULNERABLE
protothema.gr:443 - VULNERABLE
ptcsolution.com:443 - VULNERABLE
pulptastic.com:443 - VULNERABLE
punchng.com:443 - VULNERABLE
quirktools.com:443 - VULNERABLE
ria.com:443 - VULNERABLE
roodo.com:443 - VULNERABLE
roskapital.biz:443 - VULNERABLE
savenkeep.com:443 - VULNERABLE
scamadviser.com:443 - VULNERABLE
seocentro.com:443 - VULNERABLE
seoclerk.com:443 - VULNERABLE
seoclerks.com:443 - VULNERABLE
seratnews.ir:443 - VULNERABLE
sixfigurefunnelformula.com:443 - VULNERABLE
spinding.com:443 - VULNERABLE
sportdog.gr:443 - VULNERABLE
studiopress.com:443 - VULNERABLE
sudaneseonline.com:443 - VULNERABLE
t24.com.tr:443 - VULNERABLE
tamilrockers.net:443 - VULNERABLE
telewebion.com:443 - VULNERABLE
telly.com:443 - VULNERABLE
text.ru:443 - VULNERABLE
theme.co:443 - VULNERABLE
themefuse.com:443 - VULNERABLE
theync.com:443 - VULNERABLE
tianji.com:443 - VULNERABLE
tomoson.com:443 - VULNERABLE
topnews.ru:443 - VULNERABLE
tractionize.com:443 - VULNERABLE
tradekorea.com:443 - VULNERABLE
turkcealtyazi.org:443 - VULNERABLE
twitpic.com:443 - VULNERABLE
tz4.com:443 - VULNERABLE
unian.net:443 - VULNERABLE
unian.ua:443 - VULNERABLE
uploadbaz.com:443 - VULNERABLE
uyan.cc:443 - VULNERABLE
wallstcheatsheet.com:443 - VULNERABLE
wannonce.com:443 - VULNERABLE
waseet.net:443 - VULNERABLE
watchcric.com:443 - VULNERABLE
watchtower.com:443 - VULNERABLE
weathernews.jp:443 - VULNERABLE
webbirga.net:443 - VULNERABLE
wisegeek.com:443 - VULNERABLE
wisegeek.org:443 - VULNERABLE
wordcounter.net:443 - VULNERABLE
worthytoshare.com:443 - VULNERABLE
worthytoshare.net:443 - VULNERABLE
wowkeren.com:443 - VULNERABLE
xtool.ru:443 - VULNERABLE
yatedo.com:443 - VULNERABLE
zbigz.com:443 - VULNERABLE
zigzig.ir:443 - VULNERABLE
www.55188.com:443 - VULNERABLE
www.adultbay.org:443 - VULNERABLE
www.akairan.com:443 - VULNERABLE
www.alfajertv.com:443 - VULNERABLE
www.all-union.com:443 - VULNERABLE
www.arioo.com:443 - VULNERABLE
www.asiatech.ir:443 - VULNERABLE
www.cdn4711.net:443 - VULNERABLE
www.championat.com:443 - VULNERABLE
www.classicrummy.com:443 - VULNERABLE
www.competitor.com:443 - VULNERABLE
www.cpasuperaffiliate.com:443 - VULNERABLE
www.cpmterra.com:443 - VULNERABLE
www.datropy.com:443 - VULNERABLE
www.djelfa.info:443 - VULNERABLE
www.docnhat.net:443 - VULNERABLE
www.down1oads.com:443 - VULNERABLE
www.downloadab.com:443 - VULNERABLE
www.dressupgamesite.com:443 - VULNERABLE
www.ecosia.org:443 - VULNERABLE
www.edlen24.com:443 - VULNERABLE
www.evsuite.com:443 - VULNERABLE
www.expatriates.com:443 - VULNERABLE
www.farnell.com:443 - VULNERABLE
www.fermasosedi.ru:443 - VULNERABLE
www.final.ir:443 - VULNERABLE
www.fixya.com:443 - VULNERABLE
www.fontpalace.com:443 - VULNERABLE
www.foozine.com:443 - VULNERABLE
www.futbol24.com:443 - VULNERABLE
www.gi-akademie.com:443 - VULNERABLE
www.gi-backoffice.com:443 - VULNERABLE
www.globallshare.com:443 - VULNERABLE
www.gnetwork.biz:443 - VULNERABLE
www.gogetlinks.net:443 - VULNERABLE
www.gordonua.com:443 - VULNERABLE
www.gorillavid.in:443 - VULNERABLE
www.graphixshare.com:443 - VULNERABLE
www.healthkart.com:443 - VULNERABLE
www.hobo-web.co.uk:443 - VULNERABLE
www.holidayiq.com:443 - VULNERABLE
www.hypebeast.com:443 - VULNERABLE
www.idwebgame.com:443 - VULNERABLE
www.imasters.com.br:443 - VULNERABLE
www.internetlifestylenetwork.com:443 - VULNERABLE
www.joomlaportal.de:443 - VULNERABLE
www.joxi.ru:443 - VULNERABLE
www.jquery4u.com:443 - VULNERABLE
www.juicyads.com:443 - VULNERABLE
www.lavozdelmuro.com:443 - VULNERABLE
www.mackolik.com:443 - VULNERABLE
www.mamaclub.com:443 - VULNERABLE
www.marunadanmalayali.com:443 - VULNERABLE
www.mdir.ir:443 - VULNERABLE
www.mobeoffice.com:443 - VULNERABLE
www.mpnrs.com:443 - VULNERABLE
www.mp-success.com:443 - VULNERABLE
www.mttbsystem.com:443 - VULNERABLE
www.myegy.to:443 - VULNERABLE
www.myip.ms:443 - VULNERABLE
www.noulinx.com:443 - VULNERABLE
www.nsdl.co.in:443 - VULNERABLE
www.nukistream.com:443 - VULNERABLE
www.ocj.com.cn:443 - VULNERABLE
www.okitspace.com:443 - VULNERABLE
www.olx.co.th:443 - VULNERABLE
www.optimizehub.com:443 - VULNERABLE
www.optimizepress.com:443 - VULNERABLE
www.osclass.org:443 - VULNERABLE
www.paipai.com:443 - VULNERABLE
www.paperblog.com:443 - VULNERABLE
www.peeplo.com:443 - VULNERABLE
www.playxn.com:443 - VULNERABLE
www.plius.lt:443 - VULNERABLE
www.polki.pl:443 - VULNERABLE
www.postjoint.com:443 - VULNERABLE
www.prezentacya.ru:443 - VULNERABLE
www.profitcentr.com:443 - VULNERABLE
www.ptcsolution.com:443 - VULNERABLE
www.pulptastic.com:443 - VULNERABLE
www.punchng.com:443 - VULNERABLE
www.quirktools.com:443 - VULNERABLE
www.ria.com:443 - VULNERABLE
www.roodo.com:443 - VULNERABLE
www.sahadan.com:443 - VULNERABLE
www.savenkeep.com:443 - VULNERABLE
www.scamadviser.com:443 - VULNERABLE
www.seocentro.com:443 - VULNERABLE
www.seoclerk.com:443 - VULNERABLE
www.seoclerks.com:443 - VULNERABLE
www.seratnews.ir:443 - VULNERABLE
www.sixfigurefunnelformula.com:443 - VULNERABLE
www.spinding.com:443 - VULNERABLE
www.studiopress.com:443 - VULNERABLE
www.sudaneseonline.com:443 - VULNERABLE
www.t24.com.tr:443 - VULNERABLE
www.tamilrockers.net:443 - VULNERABLE
www.telewebion.com:443 - VULNERABLE
www.telly.com:443 - VULNERABLE
www.text.ru:443 - VULNERABLE
www.theme.co:443 - VULNERABLE
www.themefuse.com:443 - VULNERABLE
www.theync.com:443 - VULNERABLE
www.tianji.com:443 - VULNERABLE
www.tomoson.com:443 - VULNERABLE
www.topnews.ru:443 - VULNERABLE
www.tqn.com:443 - VULNERABLE
www.tractionize.com:443 - VULNERABLE
www.tradekorea.com:443 - VULNERABLE
www.turkcealtyazi.org:443 - VULNERABLE
www.twitpic.com:443 - VULNERABLE
www.tz4.com:443 - VULNERABLE
www.unian.net:443 - VULNERABLE
www.unian.ua:443 - VULNERABLE
www.wallstcheatsheet.com:443 - VULNERABLE
www.wanggou.com:443 - VULNERABLE
www.wannonce.com:443 - VULNERABLE
www.waseet.net:443 - VULNERABLE
www.watchcric.com:443 - VULNERABLE
www.watchtower.com:443 - VULNERABLE
www.weathernews.jp:443 - VULNERABLE
www.webbirga.net:443 - VULNERABLE
www.wisegeek.com:443 - VULNERABLE
www.wisegeek.org:443 - VULNERABLE
www.wordcounter.net:443 - VULNERABLE
www.worthytoshare.com:443 - VULNERABLE
www.worthytoshare.net:443 - VULNERABLE
www.wowkeren.com:443 - VULNERABLE
www.wtvideo.com:443 - VULNERABLE
www.wunderweib.de:443 - VULNERABLE
www.xtool.ru:443 - VULNERABLE
www.yatedo.com:443 - VULNERABLE
www.youyuan.com:443 - VULNERABLE
www.zbigz.com:443 - VULNERABLE
www.zigzig.ir:443 - VULNERABLE