WhatsApp Uses a Potentially Insecure Authentication Mechanism

WhatsApp has been criticized for lax security on multiple occasions. In May last year, WhatsApp accounts could be hijacked without the user knowing, and in January this year, the status of a WhatsApp user could be changed remotely. Both of these vulnerabilities were fixed soon. However, a concern that lived on was that WhatsApp sends communications in plaintext. This vulnerability was found in May 2011 and was not fixed until May this year. The most serious weakness in WhatsApp, though, lies in its authentication mechanism itself.


The Wikipedia page for WhatsApp outlines its Technical Specifics as,

WhatsApp uses a customized version of the open standard Extensible Messaging and Presence Protocol (XMPP). Upon installation, it creates a user account using one’s phone number as username (Jabber ID: [phone number]@s.whatsapp.net) and an MD5-hashed, reversed-version of the phone’s IMEI as password.

An interesting analysis by Sam Granger points out how easy it is to leverage this information and actually get access to a user account. Who would have thought that WhatsApp uses exactly the mechanism described on the Wikipedia page: no salting of the hash, no obfuscated MD5 variant; in short, no deviation from what is written down!
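The core of the problem is that a password computed only from the IMEI is not a secret: the IMEI is a device identifier, not a key, so anyone who knows it can recompute the same value. The following is an added illustration, not WhatsApp's code or Sam Granger's, using a constructed sample IMEI. It shows the derivation the page describes side by side with a hardened alternative (a random per-installation secret stored server-side as a salted, slow hash), which is an assumption for this example and not how WhatsApp was actually fixed:

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed sample IMEI (15 digits, not a real device); for illustration only.
SAMPLE_IMEI = "490154203237518"


def legacy_password_from_imei(imei: str) -> str:
    """The derivation described on the page: MD5 of the reversed IMEI, hex-encoded.

    No salt and no secret input: anyone who knows the IMEI gets the same value.
    """
    return hashlib.md5(imei[::-1].encode("ascii")).hexdigest()


def derivable_from_imei(imei: str, stored_password: str) -> bool:
    """Defender's check: does the credential collapse to a function of a
    public device identifier? If so, the identifier is the real secret."""
    return hmac.compare_digest(legacy_password_from_imei(imei), stored_password)


def provision_random_secret(nbytes: int = 32) -> str:
    """Hardened alternative (an assumption for this example, not WhatsApp's
    design): a random per-installation secret with no relation to the IMEI."""
    return secrets.token_hex(nbytes)


def hash_for_storage(secret: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Server side: keep only a salted, slow hash of the secret, never the secret."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("ascii"), salt, 200_000)
    return salt, digest


def verify_secret(secret: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a presented secret against the stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", secret.encode("ascii"), salt, 200_000)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    legacy = legacy_password_from_imei(SAMPLE_IMEI)
    print("legacy password recomputable from IMEI:", derivable_from_imei(SAMPLE_IMEI, legacy))
    secret = provision_random_secret()
    salt, digest = hash_for_storage(secret)
    print("random secret verifies:", verify_secret(secret, salt, digest))
    print("random secret derivable from IMEI:", derivable_from_imei(SAMPLE_IMEI, secret))
```

The point of `derivable_from_imei` is the audit question a reviewer should ask of any device-bound credential: if the value can be reproduced from identifiers that are printed on the box, shown in the settings menu, or readable by other apps, the scheme has no secret at all, and salting or swapping the hash function would not change that.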

WhatsApp has to get its security straight. It has been under constant criticism for over a year now, and it is time WhatsApp made a security-related move first, rather than waiting for someone to point out flaws and then patching them.

For an intriguing discussion on this topic, read this Hacker News thread.

Al-Jazeera Hacked by Syrian Hacker Group Al-Rashedon

Al-Rashedon, a Syrian hacker group, has hacked a slew of Al-Jazeera websites over their reporting of the unrest in Syria. The hack affected Al-Jazeera’s English and Arabic websites, and left them defaced with this image on Tuesday.


The group posted a message to Al-Jazeera as seen in the image, saying,

In response to your stand against Syria (Government and the People) and your support to terrorist groups, in addition to spreading lies and made-up news.. We have hacked your website and this is our retaliation.

The Syrian hacker group accuses Al-Jazeera of spreading fabricated news and supporting armed terrorist groups. Although Syria has another known hacker group called the Syrian Electronic Army, there was no word from them on this hack. Al-Jazeera has not commented on the hack officially either.

Qatar-based Al-Jazeera takes a lot of heat from dictatorial governments like Egypt, Syria and the Saudi kingdom for its aggressive coverage of the instability in the region. Al-Jazeera also saw an exodus of journalists over biased reporting of the situation in Syria. A few months ago, the official Twitter account of Al-Jazeera was hacked by Assad loyalists. The political scenario in the Middle East is quite tense and disturbing, and perhaps Al-Jazeera is being dominated by the Government to reflect its own foreign policy. However, this is a clear indication of what can happen in a modern-day political war, where everything is driven by computer technology and is equally vulnerable.

Over a Million Apple Device UDIDs Leaked by Hackers as Part of AntiSec

Back in August this year, NSA director General Keith Alexander addressed the DefCon crowd for the first time and called upon hackers to join the NSA and strengthen the cyber-security infrastructure of America. However, on being asked whether the government keeps profiles of Americans and spies on them, he went into the usual denial mode. William Binney, a former Technical Director at the NSA (also present at DefCon), asserted that this spying was indeed happening and that it was the reason he left the NSA back in 2001.


Now, hacker groups claim to have gotten hold of clear proof that the FBI is spying on people. They have released a huge announcement as part of the #AntiSec movement, and the FBI is trumped. The Pastebin announcement has a long rant and a list of doxes that were obtained from the FBI laptop.

During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team, was breached using the AtomicReferenceArray vulnerability on Java. During the shell session some files were downloaded from his Desktop folder; one of them, with the name of “NCFTA_iOS_devices_intel.csv”, turned out to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. The personal-details fields referring to people appear empty many times, leaving the whole list incomplete in many parts. No other file in the same folder makes mention of this list or its purpose.

The hack is so popular that it became the most visited Pastebin paste ever within 24 hours. However, it also raises questions. What is the FBI doing with 12 million Apple UDIDs? Why is the data lying on a laptop, unencrypted? There are too many unanswered questions here. Apple and the FBI should come out with a response.

Update: The FBI denied possessing any such file.

Twitter-Based Earthquake Detection System Beats Sensor-Based Systems in Detection Time

The US Geological Survey (USGS) has created an earthquake detection system based on Twitter alerts. The system was being developed as a pet project by a student, and the USGS funded it later with funds from the American Recovery and Reinvestment Act. Clearly, the USGS saw a good future prospect in the project, and the funding is beginning to prove fruitful.

During the recent earthquakes in the Philippines, the USGS’ Twitter Earthquake Detection (TED) system was able to give early warnings, well before any of the sensor-based systems in place. This is groundbreaking, as sensor-based systems take anywhere between 2 and 20 minutes to detect an earthquake, but the TED system is almost instant. The official page for TED describes it as,

@USGSted (USGS Tweet Earthquake Dispatch) distributes alerts for earthquakes worldwide with magnitudes of 5.5 and above. We may modify these criteria in the future to tweet alerts for more earthquakes of potential interest. @USGSted earthquake tweets contain a magnitude descriptor, location, origin time, and a link to the USGS webpage with the most recent information about the event.

In the recent Philippines earthquake, the TED system detected the tweets and the location of the earthquake in just one minute and seven seconds. Systems like TED are good for augmenting traditional sensor-based earthquake detection systems. However, they also run the risk of being gamed by an overwhelming number of tweets crying wolf.
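The "crying wolf" risk is a corroboration problem: raw tweet volume is cheap to manufacture, but many distinct accounts posting from many distinct places at the same moment is not. The following is an added example and not the USGS TED system's code (the page does not describe TED's actual logic). It runs a sliding-window detector over constructed sample tweets and only alerts when enough distinct accounts, spread across several coarse location cells, report the keyword within the window, so a handful of accounts posting forty times never fires it:

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed sample records, not real USGS or Twitter data.
Tweet = namedtuple("Tweet", "time user lat lon text")


def grid_cell(lat: float, lon: float, size_deg: float = 1.0):
    """Coarse location bucket (1-degree cells by default) so corroboration is
    measured across distinct areas rather than distinct GPS fixes."""
    return (int(lat // size_deg), int(lon // size_deg))


def detect_burst(tweets, window=timedelta(seconds=60), min_accounts=10,
                 min_cells=3, keyword="earthquake"):
    """Sliding-window burst detector with corroboration thresholds.

    An alert requires, within one window, at least `min_accounts` distinct
    accounts spread over at least `min_cells` grid cells. Tweet count alone is
    never a trigger, so a few accounts posting repeatedly cannot cry wolf.
    Returns a summary dict for the first qualifying window, or None.
    """
    relevant = sorted((t for t in tweets if keyword in t.text.lower()),
                      key=lambda t: t.time)
    start = 0
    for end, current in enumerate(relevant):
        # Drop tweets that fell out of the window ending at `current`.
        while relevant[start].time < current.time - window:
            start += 1
        in_window = relevant[start:end + 1]
        accounts = {t.user for t in in_window}
        cells = {grid_cell(t.lat, t.lon) for t in in_window}
        if len(accounts) >= min_accounts and len(cells) >= min_cells:
            return {"time": current.time, "accounts": len(accounts),
                    "cells": len(cells), "tweets": len(in_window)}
    return None


def make_genuine_sample():
    """Twelve distinct accounts across four neighbouring cells within ~25 s."""
    base = datetime(2012, 8, 31, 12, 47, 0)  # constructed timestamp
    return [Tweet(base + timedelta(seconds=2 * i), f"user{i}",
                  10.0 + (i % 4), 125.0, "Earthquake! The whole building is shaking")
            for i in range(12)]


def make_spam_sample():
    """Forty tweets from only two accounts in one cell: volume, no corroboration."""
    base = datetime(2012, 8, 31, 12, 47, 0)  # constructed timestamp
    return [Tweet(base + timedelta(seconds=i), f"bot{i % 2}",
                  10.5, 125.5, "EARTHQUAKE earthquake earthquake!!!")
            for i in range(40)]


if __name__ == "__main__":
    print("genuine:", detect_burst(make_genuine_sample()))
    print("spam   :", detect_burst(make_spam_sample()))
```

Tuning `min_accounts` and `min_cells` trades false alarms against detection delay; the genuine sample above fires on the tenth distinct account, about eighteen seconds in, while the spam sample never reaches the account threshold however many tweets it produces.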

This reminds me of an XKCD comic.


You can follow the TED Twitter account for the latest earthquake warnings. Also read how Twitter is being used for emergency calls in Japan.

Gnome Comes Back to Ubuntu, a GNOMEbuntu Flavor Planned for the Next Release

Gnome is not in as bad a shape as we thought earlier. Recently, there have been talks of Ubuntu considering a Gnome-only edition, like we have Kubuntu or Xubuntu. There is no official confirmation of this news, but it seems apparent from this Ubuntu forum thread. From what started as a simple question, the thread attracted lots of interested people, developers came together, and pretty soon they were found discussing names for this distro. A true community indeed! There is no decision on the name yet, and the name GNOMEbuntu was dropped recently, as the Gnome Foundation does not permit this naming scheme. The final choice is between GNObuntu and Gnubuntu.

PCWorld discusses the software package for this new distro, saying,

Along with Compiz, the new GNOME Ubuntu will reportedly use the Rhythmbox music player as well as the Epiphany browser, Evolution for e-mail and workgroup functions, the Abiword word processor, and the Gnumeric spreadsheet package. Neither Firefox nor LibreOffice will be preinstalled, according to the report.

While on one hand Canonical is touting Unity, this community effort brings back Gnome, an environment that most Ubuntu users are familiar with. The customization offered by Gnome is miles ahead of Unity, and this is something Unity will not be able to match for some time. The development team for the Ubuntu Gnome edition is already in place, with seven members already working on it. The next challenge for GNOMEbuntu was to join the official distro party at Canonical, and it has made it! If everything goes well from here, we will definitely see a Gnome version of Ubuntu 12.10, due for release in October.

Facebook Personal Analytics Reports from Wolfram Alpha

Wolfram Alpha has made a name for itself over the past few years. It is an absolute favorite among programmers and science folks alike. Recently, it was found that over 25% of Wolfram Alpha queries come from Siri. Wolfram Alpha's staff strength has gone up to 200, and perhaps Apple is gearing up to drive Google out of the search business, but that is another story.


A few days ago, Stephen Wolfram showcased the automated data analysis capabilities released in Wolfram Alpha Pro, using data from his personal life for the analysis. The analysis told the story of his life from a new dimension, and it was exciting. Ever since, people have wanted to do the same, and Wolfram Alpha has brought yet another feature for them. Stephen Wolfram had collected an enormous amount of data from his life, which he put into this tool. For the rest of us, the next best source of data about our personal lives is the social network of our choice. Wolfram Alpha has a new feature that lets you analyze your personal life using data from Facebook.

Stephen Wolfram announced the new Facebook personal analytics feature, saying,

And today I’m excited to announce that we’ve developed a first round of capabilities in Wolfram|Alpha to let anyone do personal analytics with Facebook data. Wolfram|Alpha knows about all kinds of knowledge domains; now it can know about you, and apply its powers of analysis to give you all sorts of personal analytics.

To use the feature, simply search for “Facebook report” on Wolfram Alpha. Click on the “Analyze my Facebook data” button, and it will take you to an app. On the next screen, you can log in to Wolfram Alpha or create a free account. Within minutes, you will have over 60 reports to shuffle through, and know yourself better.

Japan is Considering Social Networks for Emergency Calls

The National Fire and Disaster Management Agency of Japan sat down for a three-part discussion on allowing social networks to be used for disaster recovery and emergency calls. Twitter Japan blogged on how to use the service for placing calls, or for getting the word out about your safety. A typical example included using the hashtag #survived if someone is safe. This is a bold measure, but at the same time a wise one too.

An official at the National Fire and Disaster Management Agency in Japan says,

This is a discussion for when traditional voice-based infrastructure goes down during a natural disaster, to see if social networking can be used.

It was seen that voice networks clogged up under the high volume of calls during the tsunami last year. However, Twitter and other social networks survived their surge in usage. The use of social networks will take a lot of load off the traditional telephone infrastructure, creating a balanced usage of both media.

Some people are apprehensive about the use of new-age media for something as critical as emergencies. A telephone line can be traced back in most cases. On the other hand, the reliability of a Twitter panic cannot be guaranteed. It is much easier to fake a Twitter account, or any other social networking account, than to fake a phone call. However, they are overlooking the fact that the very essence of social networks is in being social. A fake account is quite easy to spot from looking at the social interactions it makes. Moreover, it will be easier to verify the authenticity of a supposed emergency through social networks, as more people from the same social circle pitch in and report the same events. This is a step forward in the evolution of society.

On a humorous note, this reminds me of an episode from the IT Crowd.

Kim Dotcom Planning on Bringing Back a Bigger and Better Megaupload

The US Government vs. Kim Dotcom showdown is slowly turning in favor of Kim Dotcom. Kim Dotcom is an internet celebrity with a notorious reputation. He rose to fame during the dot-com bubble, and had one successful venture after another. He was arrested for insider trading in 2003 and served two years in prison. After his prison time, Kim changed his name from Kim Schmitz to Kim Dotcom in 2005. He also founded Megaupload Limited around the same time. Megaupload ran successfully for the next six years, becoming the 13th most popular website worldwide. However, the US government shut down the Megaupload business on grounds of copyright infringement, his house in New Zealand was raided and his property was seized.


This is the second time Kim Dotcom has been intimidated by police authorities, and this time, his Megaupload venture has been shut down as well. Kim Dotcom is very upset, and he has embarked upon a journey to take revenge.

This time, he is planning to relaunch Megaupload, but with an infrastructure that cannot be taken down easily. He is calling it the new Mega.

Kim’s plans are moving fast, as he is already offering early access to the Mega API for developers. The new Mega will use encryption to protect data from prying eyes. Kim Dotcom’s hearing is due next year, and he has all the time in the world until then to focus on the new Mega. Recently, he claimed another victory as his frozen funds were partially released by the New Zealand court.


Critical Zero Day Java Vulnerability Wreaking Havoc

A critical zero-day vulnerability in Java has caused worldwide panic and unrest. The flaw is being exploited in the wild, and there is an array of exploit code available for it. Metasploit was the first to provide a proof-of-concept that works on a variety of browsers. The vulnerability is still unpatched, and although there are no reported criminal cases yet, there is no guarantee that it is not happening already. The safest course is to disable the Java plugin in your browser until Oracle releases a fix for the vulnerability.

This security hole affects all Java versions in the 7.X branch. It works across all browsers, including Google Chrome, touted as unbreakable and secure. Apparently, only Adobe Flash runs inside Chrome’s sandbox by default; the Java plugin is not part of the Chrome sandbox. Java is platform independent, and this exploit rides on that to spread to all popular platforms (Windows, Linux and Mac) with little effort. The most dangerous fact, though, is that the vulnerability lets malicious code disable the Java Security Manager altogether.

The exploit has been successful in installing a variant of the Poison Ivy trojan. It originates from servers in China, and Oracle has not yet released any statement on fixing this exploit. The NakedSecurity blog at Sophos writes,

In his conversation with the Blackhole author, Krebs was told that exploits like this could go for $100,000 on the black market. That shows how effective attacks using this type of vulnerability can be.

Security experts are working on an unofficial patch for this vulnerability, as Oracle’s next scheduled Java update is not until 16 October.


Craigslist Testing Embedded Maps for Housing Ads

A few days ago, we covered the CLMapper extension for Google Chrome that lets you view maps for housing listings on Craigslist. Mapping Craigslist house listings is getting serious by the day. There was an excellent service called PadMapper, which displayed maps against Craigslist house listings. However, Craigslist sent them a cease-and-desist letter and put them out of the picture. Although not clear at the time, the move is making sense now, as Craigslist is finally testing its own map integration with house listings.

Craigslist is testing its housing listings with maps from OpenStreetMap in San Francisco, Oregon and Portland. The map view shows a simple map with a marker at the supposed house location. Compared to what PadMapper was offering, the Craigslist mapping test is quite bland and does not offer any advanced capabilities like searching in the neighborhood.

Craigslist, which is known for its openness and user-friendliness, took the detestable decision of filing a copyright-infringement suit against PadMapper. It also sued 3Taps, the company providing data to PadMapper. When Craigslist learned that 3Taps gets its data by scraping Craigslist, it even went to the extent of declaring exclusive rights to user-posted listings. This meant that the same user could not put up a listing on Craigslist and any other classified website. This was a disastrous move, and Craigslist backed down soon.

After this game of cat and mouse, Craigslist is finally testing its own mapping. Craigslist clearly saw the popularity of PadMapper and realized what it was missing. Perhaps this whole episode was an eye-opener for Craigslist. Moreover, kudos to them for choosing OpenStreetMap over Google Maps.