Shodan may be the world’s most unique and scariest Search engine very unique to its kind. Shodan instead of looking for content on the web, goes through the back resources and tries to find assets like Servers, printers, webcams, routers and even iPhones connected to the internet.

(Shodan is experiencing heavy traffic may be slow at times)

Shodan, computer search engine

Shodan crawls the 500 million devices that are connected to the internet 24×7. Shodan can quickly list down all the security cameras, home automation systems, Traffic lights, spy cameras and even remote controlled heating systems connected to the internet. Although it only provides the IP addresses and open ports, but this information is enough for anyone with enough knowledge to eavesdrop their operation.

On Shodan, one can find anything from control systems in gas fuel stations, water supply, and even Nuclear power systems. This includes something as critical as Nuclear accelerator exposed to the public internet waiting to be abused from an international level.

Even though such devices have some sort of security built into them, but as per Cybersecurity researchers, theses are far from keeping such systems secure.

What Shodan can Find

Shodan showcases how discoverable such devices are, and how prone we are to all kinds of attacks from around the globe. to give you an example, if you search for “default password” on Shodan, it will reveal thousands of servers, system, printers and routers configured with default user “admin” and default password “password”. To access these resources, all you have to do is fire up your browser and open the IP address. And you can login with default credentials.

How to search on Shodan

Search results for Shodan exposing passwords

(click for full image)

Shodan is actively used by Security researchers and unethical hackers equally. They are able to quick look up for water heaters, automated door locks, temperature control, etc and take over them in minutes.

Shodan for Pentesters (from DEFCON 18)

It doesn’t stop here. In some countries  (name anonymous) the whole Traffic control system can be taken over and monitored from the web. Pentestesters have reported to have been successfully controlling over Traffic control system in such countries.

So Shodan sounds very scary isn’t it? Yes it is. but there’s a limit t it. By default it lists only 10 results. If you Sign-up, search results go upto 50. If you need to go further, Shodan would ask you for a justification and a fee that won’t fit everyone’s pocket.

When Josh Matherly, creator of Shodan, was asked how he feels about leaking this information to public hands, he confidently admitted that this information was already widely available but was harder to search. He just made it easier, but the whole intent is to raise the awareness so that these devices evolve and become more secure over time. Till then, you guard your boundaries yourself!

Learn more about Shodan searches.

We write latest and greatest in Tech Guides, Apple, iPhone, Tablets, Android,  Open Source, Latest in Tech, subscribe to us @geeknizer OR on Facebook Fanpage, Google+.

At 29C3, security researchers from Columbia university demoed what they call to have achieved Hacking Cisco VOIP phone to remotely listen to you all day long. They call this “just because you are paranoid doesn’t mean your phone isn’t listening to everything you say. Hackers were able to remotely turn on a phone’s microphone and eavesdrop from anywhere in the world.

Cisco is everywhere

Cisco is the no.1 VOIP provider, globally. There are millions and millions of Cisco VOIP phones in offices from small companies to most sensitive organizations. From Obama’s office to research centers in DARPA, all use Cisco VOIP phones, and this hack makes each one of them vulnerable.

Remember the scene in the Movie Dark Knight where Morgan Freeman (Lucious Fox) turns every single phone in the Gotham city into a Sonar device looking for audio signals? Well, this hack does almost that. Turns every VOIP phone into a potential voice bug living in offices, research centers, government agencies, you name it.

Why Hackers target Cisco? or Why Consumers choose Cisco

Why do all these offices use Cisco products? Well, Cisco assures its consumers with over 200 pages of a book that says how secure is the device. Cisco claims that their product runs only 100% signed binaries, checksums on data, use of secure admin console, random key challenges, secure os, blah blah.
Call it their marketing trap, everyone buys Cisco.

The Methodology: Hacking the Cisco VoIP phones

The hacker realized that most of the claims were simply not true. Cisco’s VoIP phones check for signed binaries only during boot. Once boot process completes, its fairly easy to add a user binary into IOS with standard user.

The hacker then talked about how he was able to find an exploit. They use a small wired device called a “thingp3wn3r” to plug into a RJ11 serial port of a Cisco phone and upload malicious code. Researchers then used an android smartphone to connect to the thingp3wn3r over a Bluetooth connection to remotely deliver the exploit.

They used syscall fuzzer to findout all different syscalls supported by the system. They found the syscalls which were able to crash the kernel and the whole system. In a case of Kernel-Panic, the system dumps the memory dump, thereby making it possible for the hackers to analyze what caused the crash .

On carefully analyzing the cause of crashes, they were able to create and execute a malicious code inside user space and direct a syscall that resulted in execution of an instruction to open a door to have Root access. And once you’ve the root, the potential is simply unlimited.  Using the hacked phone, hacker can then infect other phones on the same network and attack connected computers and devices such as printers.

Cisco phones have red colored LED that switches on before microphones are enabled. Somehow, even the Audio DSP has the pre-requisite. Hackers thought there is really no work around for this until they realized that there was a second microphone on the desk phone that was in the handset. This microphone is pretty sensitive to pickup surrounding voices, unlike one would expect it to. The way to turn it on is to lift the cradle which in turn completes the circuit. That was reprogrammable and hackers made it always connected.

Soon after the security analysts contacted Cisco, they worked on a fix that was found to be totally in-effective as per hackers. Cisco had put a one-line fix that would just not work. Cui said, “We don’t know of any solution to solve the systemic problem with Cisco’s IP Phone firmware except for the Symbiote technology or rewriting the firmware.”

Hacking Cisco VoIP [Full Video with Demo]

Cisco is finally taking this seriously. They have put down a task farce to work on a permanent fix. But researchers aren’t convinced. They claim that if the compromised Phone is injected with Rootkit, it can reprogram the ROM, which is actually a Flash memory. Once this is permanently written to this ROM, there’s no way you can fix the hacked microphone with any sort of software update fix.

Who is at Risk?

“It’s not just Cisco phones that are at risk. All VoIP phones are particularly problematic since they are everywhere and reveal our private communications.”

Hacking Cisco Phones [PDF] Slide 210 states, “Cisco Unified IP Phone 7900 series, also referred to as Cisco TNP Phones contain an input validation vulnerability. A local authenticated attacker with the ability to place a malicious binary on the phone could leverage this issue to elevate their privileges or take complete control of the device.”

The issue is due to a failure to properly validate certain system calls made to the kernel of the device. This failure could allow the attacker to overwrite arbitrary portions of user or kernel space memory.

The following Cisco Unified IP Phone devices are affected:

• Cisco Unified IP Phone 7975G
• Cisco Unified IP Phone 7971G-GE
• Cisco Unified IP Phone 7970G
• Cisco Unified IP Phone 7965G
• Cisco Unified IP Phone 7962G
• Cisco Unified IP Phone 7961G
• Cisco Unified IP Phone 7961G-GE
• Cisco Unified IP Phone 7945G
• Cisco Unified IP Phone 7942G
• Cisco Unified IP Phone 7941G
• Cisco Unified IP Phone 7941G-GE
• Cisco Unified IP Phone 7931G
• Cisco Unified IP Phone 7911G
• Cisco Unified IP Phone 7906

The following models have reached end-of-life (EOL) status (for hardware only):

• Cisco Unified IP Phone 7971G-GE
• Cisco Unified IP Phone 7970G
• Cisco Unified IP Phone 7961G
• Cisco Unified IP Phone 7961G-GE
• Cisco Unified IP Phone 7941G
• Cisco Unified IP Phone 7941G-GE
• Cisco Unified IP Phone 7906

Fix for Cisco VoIP hacking

The concrete solution to this problem is a “new defense technology, called Software Symbiotes, that protects them from exploitation. The beauty of the Symbiote is that it can be used to protect all kinds of embedded systems, from phones and printers to ATM machines and even cars—systems that we all use every day.”

Symbiotes are a kind of digital life form that tightly co-exists with arbitrary executables in a mutually defensive arrangement. “They extract computational resources (CPU cycles) from the host while simultaneously protecting the host from attack and exploitation and, because they are by their nature so diverse, they can provide self-protection against direct attack by adversaries that directly target host defenses.”

Workaround

Cisco is working on the patch “CSCuc83860 bug,” till then you’ve to settle down with workarounds. Thingp3wn3r  suggest “Restrict SSH and CLI access to trusted users only. Administrators may consider leveraging 802.1x device authentication to prevent unauthorized devices or systems from accessing the voice network.”

Its time for Cisco to start caring for their customers.

We write latest and greatest in Tech Guides, Apple, iPhone, Tablets, Android,  Open Source, Latest in Tech, subscribe to us@geeknizer OR on Facebook Fanpage, Google+

dSploit is an Android based network analysis & penetration suite. It is a comprehensive toolchain which can be used by anyone in order to perform a number of advanced network analysis and Pentests. dSploit contains a number of powerful functions for IT security experts/geeks, but is easy enough for just about any one to perform exploits.

dSploit allows you to analyze, capture, and manipulate network packets. You can scan networks for connected devices like other smartphones, laptops, & identify the operating system, running services and open ports on each device. Once open ports are known, you can go further by checking open ports for vulnerabilities. These features together make dSploit the most complete and advanced professional toolkit to perform network security assesments on any mobile device, ever.

Other than analysis, dSploit even allows man in the middle attacks for a number of network protocols i.e. you can monitor and inject packets into the network and spoof your identity. In simpler words, it allows you to intercept wireless network traffic and mess it with in the way you want. You can poison the DNS, for example, so that your family members go to Google+ everytime they try open facebook, or replace all the images with a custom PWNed/funny image. The ideas are what limit you, possibilities of fun are endless.

You can also trigger a DoS attack (Denial of services) in which your family and friends would lose Internet connectivity. Everytime they try accessing a webpage, instead of loading the page, it would redirect to your custom webpage that displays a “You’ve be PWNEed” message. If you ain’t ethical enough, you can even indulge yourself in sniffing and capturing login passwords, web forms etc.

dSploit also allows you to create a Map of your Network, and then  fingerprint alive hosts operating systems and running services, search for known vulnerabilities, crack logon procedures of many tcp protocols, perform man in the middle attacks such as password sniffing (with protocol filters), real time traffic manipulation, etc.

dSploit is like Metaspl0it framework from desktop world as it is very pluggable. As of now app is in beta stages with few modules, expect more in the future.

dSploit Modules

• RouterPWN
  Launch the http://routerpwn.com/ service to pwn your router.
• Port Scanner
  A syn port scanner to find quickly open ports on a single target.
• Inspector
  Performs target operating system and services deep detection, slower than syn port scanner but more accurate.
• Vulnerability Finder
  Search for known vulnerabilities for target running services upon National Vulnerability Database.
• Login Cracker
  A very fast network logon cracker which supports many different services.
• Packet Forger
  Craft and send a custom TCP or UDP packet to the target.
• MITM
  A set of man-in-the-middle tools to command&conquer the whole network. 
  • Simple Sniff
    Only redirects target’s traffic through the device ( useful when using a network sniffer like ‘Sharp’ for Android ) and shows network stats.
  • Password Sniffer
    Sniff passwords of many protocols such as http, ftp, imap, imaps, irc, msn, etc from the target.
  • Kill Connections
    Kill connections preventing the target to reach any website or server.
  • Replace Images
    Replace all images on webpages with the specified one.
  • Replace Videos
    Replace all youtube videos on webpages with the specified one.
  • Script Injection
    Inject a javascript in every visited webpage.
  • Custom Filter
    Replace custom text on webpages with the specified one.

App requirements:

• At least Android 2.3 ( Gingerbread )
• The device must be rooted
• The device must have a BusyBox full install, this means with every utility installed ( not the partial installation ).

Download [github] App isn’t allowed on Play store.

checkout the XDA thread for updates.

We write latest and greatest in Tech Guides, Apple, iPhone, Tablets, Android,  Open Source, Latest in Tech, subscribe to us @geeknizer OR on Facebook Fanpage, Google+

Smartphones taking large part of our daily life, IM services like Whatsapp, iMessage, BBM,  etc have emerged to be exchanging more messages every second. WhatsApp delivers more than 1 billion messages per day, but yet, its the most insecure way of communication.

As per a recent security analysis, WhatsApp is totally insecure way of communicating with friends.

WhatsApp Encryption

You will be surprised to know that until August 2012, messages sent through the WhatsApp service were not encrypted in any way, everything was sent in plaintext. That means if you were using Whatsapp on a public wifi, everything can be captured by anyone else sniffing ont he wireless network. The latest WhatsApp uses encryption but its this new encryption is broken. But still, phone number is sent out in plaintext.

The local storage isn’t any different, you can checkout WhatsApp Database Encryption Project Report

WhatsApp API & Reverse Engineering

If you know XMPP, the same protocol used by facebook, GTalk, and several others, you can try your hands-on WhatsAPI, an API for WhatsApp messenger.

WhatsApp uses customized XMPP server with proprietary extensions, named internally as FunXMPP.

1. WhatsApp Authentication / Login Mechanism
Just like any other XMPP, WhatsApp uses jabber id and password to login. The password is hashed, stored in servers upon account creation and used transparently everytime the client connects the server.

Its an incredibly horrible implementation. As researcher found out, the username is the user’s phone number – an attacker would probably already knows the victim’s number.

On Android, the password is a md5 hash of the reversed IMEI number:

$imei = "112222223333334"; // example IMEI
$androidWhatsAppPassword = md5(strrev($imei)); // reverse IMEI and calculate md5 hash

On iOS, the password is generated from the devices WLAN MAC address:

$wlanMAC = "AA:BB:CC:DD:EE:FF"; // example WLAN MAC address
$iphoneWhatsAppPassword = md5($wlanMAC.$wlanMAC); // calculate md5 hash using the MAC address twice

Both IMEI and MAC address are easily retrievable from devices if you have physical access to it. MAC address is much easier to capture as you can sniff on the wireless network to which iOS device is connected.

The JID is a concatenation between your country’s code and mobile number.

Initial login uses Digest Access Authentication. You can try this for yourself:

https://r.whatsapp.net/v1/exist.php?cc=$countrycode&in=$phonenumber&udid=$password

$countrycode = the country calling code
$phonenumber = the users phone number (without the country calling code)
$password = see above, for iPhone use md5($wlanMAC.$wlanMAC), for Android use md5(strrev($imei))

The response you would receive would be in XML, containing messages designated for your phone.

2. Text Message communication

Messages are basically sent as TCP packets, following WhatsApp’s own format (unlike what’s defined in XMPP RFCs).

Photos, Videos and Audio files shared with WhatsApp contacts are HTTP-uploaded to a server before being sent to the recipient(s) along with Base64 thumbnail of media file (if applicable) along with the generated HTTP link as the message body.

WhatsApp Privacy Leak

WhatsApp shares your contacts with the server, we all know that. But the way it is done is ridiculously insecure. It basically sends contact information as:

https://sro.whatsapp.net/client/iphone/iq.php?cd=1&cc=$countrycode&me=$yournumber&u[]=$friend1&u[]=$friend2&u[]=$friend3&u[]=$friend4

The server response looks like:

Key “P” is the users phone number, Key “T” seems to be the uptime(?), Key “S” is the users status message. Not sure about “JID” and “NP” yet – if you have smart guess let me know. All this information is public.

Verdict

WhatsApp is fastest growing IM service and yet, the most insecure. If you really care about your data privacy, stop using WhatsApp till its fixed. Rely on GTalk, facebook IM, which are proven to be secure by all means.

Related: Read, Extract WhatsApp Messages backup on Android, iPhone, Blackberry

We write latest and greatest in Tech Guides, Apple, iPhone, Tablets, Android,  Open Source, Latest in Tech, subscribe to us @geeknizer on Twitter OR Google+ or on Facebook Fanpage

While Zero-day Exploits are critical and widespread, most users never have a clue about it. The awareness is important and that’s why Tech blogs take them seriously. One such recently discovered 0-day exploit was in intel processors.

Who is under Threat?

A new browser-based exploit for a Java vulnerability have been discovered that affects almost every PC on the internet that runs Java. The vulnerability allows attackers to execute arbitrary code on client systems has been spotted in the wild. So far there is no possible fix other than disabling Java plugin for browser itself.

The vulnerability is observed in the latest stable version of Java runtime, JRE 1.7. The problem doesn’t exist on previous versions like 1.6 or older.

Virtually, everyone is affected. Every platform: Windows, Mac OS X, Linux.

All browsers running on these systems were found to be vulnerable if they had the Java plugin installed, including Chrome, Firefox, Internet Explorer, Opera, and Safari.

The Vulnerability detailed

The vulnerability allows attackers to use a custom web page to force systems to download and run an arbitrary payload – for example, a keylogger or some other type of malware. The payload does not need to be a Java app itself. The virus was observed as an windows executable, but it can be distributed as a binary for any platform including Linux, Mac OSX.

The exploit has been numbered CVE-2012-4681.

It was originally discovered on a server with a domain name that resolved to an IP address located in China. The malware it installed on compromised systems attempted to connect to a command-and-control server believed to be located in Singapore.

The exploit code is available via the popular security suite, Metasploit. Full code for the exploit is available openly via pastie, here is the code snippet that disables your security and makes you vulnerable:

public void disableSecurity() throws Throwable
    {
        Statement localStatement = new Statement(
               System.class, "setSecurityManager", new Object[1]);
        Permissions localPermissions = new Permissions();
        localPermissions.add(new AllPermission());
        ProtectionDomain localProtectionDomain = new ProtectionDomain(
             new CodeSource(
                new URL("file:///"), new Certificate[0]), localPermissions);
        AccessControlContext localAccessControlContext =
            new AccessControlContext(new ProtectionDomain[] {
                   localProtectionDomain
            });
        SetField(Statement.class, "acc", localStatement, localAccessControlContext);
        localStatement.execute();
    }

and once security has been turned off, hacker can download a binary & execute the binary like usual:

Process localProcess = Runtime.getRuntime().exec("calc.exe");
localProcess.waitFor();

Should I downgrade to JRE 1.6?

No, that would only make things worse. Even though earlier versions aren’t vulnerable to this particular exploit, they contain other bugs that expose still other vulnerabilities which may be even more widespread, and known to more hackers.

How to Prevent Java Zero-day Exploit Vulnerabilities?

There are ways by which you can prevent payload injection using advanced techniques.

But for individual users, the best solution for now is to disable the Java browser plugin until Oracle issues an official patch.

Corporate users: Atif Mushtaq from FireEye covered the payload part of the exploit, which is helpful and something to look out for if you are protecting your network or your customers. We should note that attackers are not limited to .net addresses and already used other domains and  IP addresses.

How to Disable Java in Chrome, Firefox, Opera, Safari

In Firefox: Press Firefox button -> Add-ons, go to Plugins and click the “Disable” button next to anything named “Java”.

In Chrome: Type in: “chrome://plugins/” into the address bar (no speech marks). Scroll down to Java and click disable.

In Opera: Type in “opera:plugins” into the address bar (no speech marks). Scroll down to:

• Java(TM) Platform <click on> Disable.
• Java Deployment Toolkit <click on> Disable.

In Safari: Safari > Preferences > Security

Stay safe!

We write latest and greatest in Tech Guides, Apple, iPhone, Tablets, Android,  Open Source, Latest in Tech, subscribe to us @geeknizer on Twitter OR Google+ or on Facebook Fanpage:

Most office doors employ magnetic sensors that require a access card to be swiped across to unlock. These magnetic cards have unique magnetic pattern underneath the plastic, which when scanned is matched against a person’s identity.

Among the most popular lineup of Office door lock, Kaba Ilco Simplex lineup has been there for more than 3 decades, and had been pretty much unhackable till 2010. But if you have a strong  magnet, it opens up effortlessly in under 3 seconds.

You devise the Hack, you need powerful rare-earth magnets, which formulates the state-of-the-art attack.

Worst part is,  most other locks that use a combination chamber are equally vulnerable.

How it Works

Normally, these door locks need to capture weak magnetic fields generated in vicinity of a access card or a specific combination of buttons  have to be pressed to make the bolt withdraw. However, when a strong magnet is presented,  it messes with the magnetic field inside the combination chamber, the system scrambles making the bolt withdraw even if no buttons are pressed/ no card is presented.

Kaba, being the industry leader, has fixed the problem with a new combination chamber design in the latest models of its lock, but that won’t change the existing locks that have lying world over in offices since last 3 decades.

The rare earth (lanthanide) elements are metals that are ferromagnetic, meaning that like iron they can be magnetized, but their Curie temperatures are below room temperature, so in pure form their magnetism only appears at low temperatures. However, they form compounds with the transition metals such as iron, nickel, and cobalt, and some of these have Curie temperatures well above room temperature. Rare earth magnets are made from these compounds.

You can buy one of these neodymium magnet for about $10, no experience required.

Warning: This is just for educational purposes, do not hack into someone’s office, you and alone you would be responsible for any consequences.

Alternatively, you can design a a card writer that can hack magnetic locks:

In the above demo, hacker used pre-made connectors so he could easily disconnect and reconnect the device. When you put the reader’s cover back, the Gecko would be hidden behind it.

The card reader also continues to work fine with the Gecko attached. It passes along the signal from the reader to the control system as it’s supposed to. But when someone swipes an authorized card that unlocks the door, Gecko saves that signal.

With that saved unlock signal, the attacker can swipe a ‘replay’ card that tells Gecko to re-send that saved signal, and the doors unlock. What’s more, any saved access logs would only show that the same person who originally swiped the saved signal swiped his card again.

The replay card isn’t anything special, and could be any card. It’s just one that Gecko knows about beforehand. When it sees that card’s code – because the card reader passes it along – Gecko knows to send its saved signal in response.

The device also knows to look out for another card code – again, just a regular card – and in that case, disable the system. Only the recognized replay card can unlock the door. Every other card, authorized or not, will fail.

We write latest and greatest in Tech Guides, Apple, iPhone, Tablets, Android,  Open Source, Latest in Tech, subscribe to us @geeknizer on Twitter OR Google+ or on Facebook Fanpage:

What if an Exploit is found deep down in the Processor design and it affects every single OS that runs on that processor architecture. If those aren’t accelerating enough, how about adding scope of spreading via ANY web browser? Such exploits which are unpatched and previously unknown are called Zero-day exploits.

A new zero-day Exploit has been discovered in Intel’s Core 2 Duo and Intel Atom processors which exploits cache control mechanism in the processor’s core.

This demo consists of actually two programs. A test loop, which gets exploited and the malicious code. The test loop needs to run until patched. It is completely running from the cache. When the exploit runs, it modifies the 4 first bytes of the cached loop into 4 NOPs via the cache exploit. When the change happens, the exploit is successful.

The test code published to public is safe for Intel Core 2 duo users to try. It just checks, if the cache modification is possible. To bring it to practical scenarios, it will combine this with other exploitation code and would change the machine code of the test loop into a jump or a call.
The real scary part of this is, that it is possible to patch code despite of access rights. If the loop is really changed, this can be made into an effective exploit.

In others words, it’s a partially-obfuscated piece of malware, which claims to demonstrate a zero-day, security vulnerability affecting Intel Core 2 Duo and Intel Atom processors, allowing privilege escalation from inside a Javascript interpreter up to kernel memory. I don’t know whether it actually works, since I’m not brave enough to experiment with it, but it’s likely that it does.

As one developer explains it, the CPU is trying to optimize an infinite loop from the firefox interpreter, but there is a CPU bug where some address is not aligned properly, which allows them to overwrite other memory.

// the infinite loop will be patched on the fly because of the Intel CPU bug

// addr of the test() func should be aligned by 4Kb boundary,

// 1st dword will be changed to NOP, NOP, NOP, NOP

// it’s possible to change the kernel memory as well,

If this works as advertised, then if you have an affected CPU, it is a zero-day exploit affecting every web browser on every operating system, both desktop and mobile, as long as you have Javascript enabled. Until a workaround has been found, any site which serves you Javascript or any of its advertising networks could use it to give you malware.

Some hackers claim that this Exploit is unreal and others claim such CPU bugs are nothing new and couple of such exploits have been discovered long ago.

Are you safe?
Since it affects every single browser and platform running javascript, there’s a little you can do to prevent it till its officially patched on all PCs. One way is to turn off Javascript, but thats virtually impossible. Safer way is to go with script blockers that block malicious code and malware.

Second, you should use only the most security hardened browser, which is Google Chrome; it’s not clear whether Chrome’s hardening will actually help, but it’s likely that it will.

We write latest and greatest in Tech Guides, Apple, iPhone, Tablets, Android,  Open Source, Latest in Tech, subscribe to us @geeknizer on Twitter OR Google+or on Facebook Fanpage:

Using only $1000 worth of equipment, one can easy exploit vulnerabilities of unencrypted GPS signals.

While the powerful military drones used overseas use encrypted GPS signals, the ones in the United States rely on signals from open civilian GPS, which makes them vulnerable to GPS “spoofing.”

By Spoofing GPS signals, it is possible to gather enough information that makes it possible to take over the Drone. To elaborate, by the transmission of matched-GPS-signal-structure interference in an attempt to commandeer the tracking loops of a victim receiver and thereby manipulate the receiver’s timing or navigation solution, hackers can transmit its counterfeit signals from a stand-off distance of several hundred meters or it can be co-located with its victim.

Hacking the Drone

To commence the attack, the spoofer transmits its counterfeit signals in code-phase alignment with the authentic signals but at power level below the noise floor. The spoofer then increases the power of the spoofed signals so that they are slightly greater than the power of the authentic signals. At this point, the spoofer has taken control of the victim receiver’s tracking loops and can slowly lead the spoofed signals away from the authentic signals, carrying the receiver’s tracking loops with it.

Once the spoofed signals have moved more than 600 meters in position or 2 microseconds in time away from the authentic signals, the receiver can be considered completely owned by the spoofer.

Although our spoofer fooled all of the receivers tested in our laboratory, there are significant differences between receivers’ dynamic responses to spoofing attacks.

Are we Under Threat?

After the research experiment was conducted, it was noticed immediately by the U.S. government:

“DHS is attempting to identify and mitigate GPS interference through its new ‘Patriot Watch’ (pdf) and ‘Patriot Shield’ (pdf) programs, but the effort is poorly funded, still in its infancy, and is mostly geared toward finding people using jammers, not spoofers.”

The only way out is to work for hardening of GPS systems used in drones before they expand further into our worlds.

To be honest, this GPS flaw affects almost anything that flies ove head: Aircraft, ship, or vehicle navigation systems that feature unencrypted GPS systems. This technique may even be able to bring down a smart grid (pdf) or financial market.

Securing the UAVs

AUVSI is the world’s largest non-profit organization devoted exclusively to advancing the unmanned systems and robotics community. The provie following statements for Ensuring the Safe Use of Unmanned Aircraft:

“The unmanned aircraft systems industry is committed to the safe and responsible integration of unmanned systems into the national airspace. We are already in communication with a variety of stakeholders to ensure unmanned aircraft are integrated safely so we can unlock the tremendous potential of this technology to enhance public safety, advance scientific research and otherwise benefit society, all while potentially creating thousands of jobs.

“‘Spoofing’ or otherwise tampering with GPS has dangerous implications for any technology which depends on it for guidance, whether it is manned or unmanned aircraft, your cell phone or your car. In fact, commercial airliners are relying more and more heavily on GPS signals to locate the runways at airports and, with the advent of the next generation air traffic control system, all aircraft – manned and unmanned – will rely on GPS for navigation.

“The industry is well-aware of so-called ‘spoofing’ and is already advancing technologies, such as SAASM – Selective Availability Anti-Spoofing Module – to prevent it. This technology is already in use by the military to thwart GPS spoofing abroad and we expect it will transition to civilian unmanned aircraft in the coming years to protect aircraft flying in the national airspace. Meanwhile, some unmanned aircraft also have alternate navigation systems, such as radio links and backup inertial systems, which provide redundancy to GPS.

We write latest and greatest in Tech Guides, Apple, iPhone, Tablets, Android,  Open Source, Latest in Tech, subscribe to us @geeknizer on Twitter OR Google+ or on Facebook Fanpage:

The hackers had been threatening Symantec in a series of e-mail negotiations with what they thought were representatives of Symantec. The group is known as Yamatough, Indian hacker force operating under the umbrella of Anonymous, had been demanding a $50,000 payoff from Symantec to keep the source code private. Emails are published to Pastebin. Hackers tell Reuters that their intention was never to get the money but to release the code.

“All the Symantec source codes are now on sale! PcAnywhere, System Works, Internet Security and Norton GoBack with Utilities, NAV”, hacker said in one of his tweets. Source code is now available on Pirate bay.

Symantec was prepared for the code to be posted at some point, and has developed and distributed a series of patches since January 23 to protect our users against known vulnerabilities.

“At this time, Symantec recommends disabling the product until we release a final set of software updates that resolve currently known vulnerability risks.”

“We have been conducting direct outreach to our customers since January 23 to reiterate that in addition to applying all relevant patches that have been released, customers should also ensure that PCAnywhere version 12.5 is installed, and follow general security best practices.”

On January 23, Symantec released a patch to secure PCAnywhere 12.5. And then on January 27, the company rolled out another patch directed toward PCAnywhere versions 12.0 and 12.1. The hackers, who call themselves The Lords of Dharmaraja, originally claimed they found the code after breaking into servers run by Indian military intelligence. But Symantec later revealed that the group had captured the code for PCAnywhere and other products by breaking into the security vendor’s own network in 2006.

But Symantec has insisted that since all the source code dates back to 2006, customers of the current versions of these products are at no risk. Though that may be true, the entire incident does raise the question of how a security vendor, of all companies, would be so vulnerable that its key source code could be stolen.

“As the extortion attempt by Anonymous indicates, we’re working with law enforcement right now, Therefore, given the active investigation, we’re not in a position to provide specifics on the incident at this time.”

Symantec is of course sitting silent, they are working on a number of things in order to prevent such mistakes in future:
Improved Network Defenses, Compartmentalized Access to Information, Improved Source Code Security, Improved Process Controls, Employee Education.

Anonymous believed that companies like Symantec had been creating scareware, malwares and spreading them to networks in order to scare users and promote it’s security products. What do you think, is that what Symantec and other security companies do?

We write latest and greatest in Tech Guides, Apple, iPhone, Tablets, Android,  Open Source, Latest in Tech, subscribe to us @geeknizer on Twitter OR on Facebook Fanpage, Google+:

Note: This app is just for fun, it doesn’t cause any damages to anyone other than annoyance. Use it with precaution.

The project is similar to the Upside-down-ternet project: from the phone you can flip pictures on someone’s computer upside down. There are couple of fun things you can do with this app. It lets you:

• Flip pictures on someone’s PC.
• Change Google searches keywords,
• redirect websites to some other sites,
• and many more features to come.

App works well in combination with Shark for Android – combined they allow you to capture packets when logged onto wifi networks.

Simply install from the Android Market (on a rooted device running >2.2), and download the setup files from the application. This requires about 600MB free SD card space. The program needs the phone to be rooted, and have busybox (most custom firmwares have this).

Developers can contribute at Launchpad (main project) and Sourceforge.

Download the App from Market.

We write latest and greatest in Tech Guides, Apple, iPhone, Tablets, Android,  Open Source, Latest in Tech, subscribe to us @geeknizer on Twitter OR on Facebook Fanpage, Google+:
 

Such security is really consumer grade, its secure in the real world but may not be secure enough for driving Top most secret tasks like the ones Government agencies like NSA is involved with.

The National Security Agency (NSA) released the first version of their custom build of Google’s popular OS, called Security Enhanced Android. The system is designed to minimize the impact of security holes on Android. The SEAndroid project is enabling the use of SELinux in Android in order to limit the damage that can be done by flawed or malicious apps.

SEAndroid is born with robust support for:

• Per-file security labeling support for yaffs2,
• Filesystem images (yaffs2 and ext4) labeled at build time,
• Kernel permission checks controlling Binder IPC,
• Labeling of service sockets and socket files created by init,
• Labeling of device nodes created by ueventd,
• Flexible, configurable labeling of apps and app data directories,
• Userspace permission checks controlling use of the Zygote socket commands,
• Minimal port of SELinux userspace,
• SELinux support for the Android toolbox,
• Small TE policy written from scratch for Android,
• Confined domains for system services and apps,
• Use of MLS categories to isolate apps.

You can integrate SEAndroid into your own Custom ROM. First, you should make sure that you are able to successfully download, build and run the Android Open Source Project (AOSP) source code by following the instructions starting from http://source.android.com/source/initializing.html

Once you have successfully built and run AOSP, you can obtain a local manifest specifying the SE Android git trees from http://selinuxproject.org/~seandroid/local_manifest.xml. Copy this file to the .repo subdirectory of your AOSP clone, and then run repo sync. Your tree should now include the SE Android modifications. For further dev info, visit the official Wiki.

We write latest and greatest in Tech Guides, Apple, iPhone, Tablets, Android,  Open Source, Latest in Tech, subscribe to us @geeknizer on Twitter OR on Facebook Fanpage, Google+:

Captcha stands for Completely Automated Public Turing Test to differentiate between Computers and Humans. It was invented by Carnegie Mellon University computer science graduate student in 2000 as a security tool to safeguard web sites from automated bot attacks and spammers.

Team of researchers at Stanford have outsmarted the Captcha codes. Their anti-spam tool-breaker was able to kill off captcha’s protective cover.

“As we substantiate by thorough study, many popular websites still rely on schemes that are vulnerable to automated attacks. For example, our automated Decaptcha tool breaks the Wikipedia scheme… approximately 25% of the time. 13 out of 15 of the most widely used current schemes are similarly vulnerable to automated attack by our tool. Therefore, there is a clear need for a comprehensive set of design and testing principles that will lead to more robust captchas.”

Decaptcha is capable of isolating the text from noise in the captcha image. From the clean text image, it then runs a smart OCR (optical character recognition) to translate image to text.Each text character is identified individually.

To prototype was able to break into Real world websites with Captcha. Decaptcha worked successfully on Visa’s Authorize.net payment gateway was defeated 66 per cent of the time. eBay’s captcha was sidestepped 43 per cent of the time. Lower thwart rates were recorded at Wikipedia, Digg and CNN.

Google and reCAPTCHA were the only two that beat out the Stanford team’s automated tool–no gotchas for either one.

More details: PDF

We write latest and greatest in Tech Guides, Apple, iPhone, Tablets, Android,  Open Source, Latest in Tech, subscribe to us@geeknizer on Twitter OR on Facebook Fanpage:

Michigan police was already found to do that last month, but if sources are to be trusted, they are going nationwide in US and soon in several other countries. The device used is the CelleBrite UFED, which is able to copy most of the data on over 2500 different mobile devices. It does all that in under 2 minutes. UFED brochure claims:

The UFED system extracts vital information from 95% of all cellular phones on the market today, including smartphones and PDA devices (Palm OS, Microsoft, Blackberry, Symbian, iPhone, and Google Android). Simple to use even in the field with no PC required, the UFED can easily store hundreds of phonebooks and content items onto an SD card or USB flash drive.

And technical description:

The UFED hardware with Physical Extraction module, used to create Physical and/or Logical dumps from mobile devices, which can then be saved to a USB disk drive, SD memory card, or directly to your PC.ƒ The UFED Physical Analyzer (PA) PC application, which provides an in-depth physical memory analysis of the extracted mobile phone data (phonebook contents, SMS messages, call logs, image files, video files, audio files, and more) The Physical Analyzer also serves to generate comprehensive and verified evidence reports of relevant data extracted and analyzed from the mobile device.

The UFED Physical Analyzer software allows the investigator to perform in-depth analysis of the extracted data
and generate reports. The UFED PA application provides the following key features:

• ƒ Analysis of the hex dump with a layered view of memory content
• Provides a detailed view of the hex dump
• Reconstructs the phone file system
• Decodes contact lists, SMS messages, call logs, phone information (IMSI, ICCID, user codes) and more
• Provides a view of data files – images, videos, etc.
• Provides access to both current and deleted data
• Retrieves phone passwords
• Simple viewing and user friendly browsing of information

ƒ Powerful search tools

• Instantly search for project content
• Search the hex dump or file system

Search by various parameters such as strings, bytes, numbers, dates

• Use GREP search (regular expressions) to look for specific data strings
• Bookmarking memory locations for indexing of key areas for later review

The ACLU fears that the next time you get stopped for speeding in Michigan, you’ll be handing over your cell phone, and your entire mobile history, to the nice officers. Of course, you have no idea into what all they can grab. Of course, you don’t have an option.

There’s something thats more scary than being able to extract your information — Being able to inject information into the phone like fake call logs, gps logs, text messages, calendar appointments. It would open your call log SQLLite DB (in the case of an iPhone, Android) and write a new entry. e.g. If my intake information says I received the phone at 15:20:00 but there is a write to phonecalls.sql at 16:22:00 User better have a logical explanation.

We write about Google, Twitter, Security, Open Source, Programming, Web, Apple, iPhone, Android and latest in Tech @geeknizer on Twitter or by subscribing below:

Microsoft is gathering data from Windows Phone 7 handsets that connect to wi-fi networks, along with cars that go around sniffing out hotspots, and logging it all here. I don’t know why by anyone can get access to the data. Cnet did a self test of various MAC address of its Windows devices and found themselves with complete location history.

How it Works: iPhone and Android devices automatically change their Wi-Fi MAC address when acting as an access point. Android devices appear to choose a MAC address beginning with 02:1A.

Google’s database doesn’t include the MAC address 02:1A:11:F2:12:FF. But Microsoft’s does, and reports that it is located in the Embassy of Montenegro on New Hampshire Avenue in Washington, D.C.

Ugly Part: Since you might have used your smartphone’s Tether Wifi hotspot,  its highly possible that your data has been captured by Microsoft and available to public. If an attacker knows your MAC address, he already knows your mobile activity on the map. Story doesn’t end here, Microsoft still doesn’t comment on whether they collect additional data on the WP7 devices  like the devices connected to the network. What this means is that they might have also captured all phones, laptops connected to those Wifi networks. So If you’ve ever connected to a Wifi (which you often do), your location might be already public to everyone.

Microsoft’s statement:

“To provide location-based services, Microsoft collects publicly broadcast cell tower IDs and MAC addresses of Wi-Fi access points via both user devices and managed driving. If a user chooses to use their smartphone or mobile device as a Wi-Fi access point, their MAC address may also be included as a part of our service. However, since mobile devices typically move from one place to another they are not helpful in providing location. Once we determine that a device is not in a fixed location, we remove it from our list of active MAC addresses.”

Ugliest part of the whole story is that  there’s no way to “Opt-out”, you can’t prevent your MAC address from being added.

How to check if your location is Public or not

Go to this website and enter your mac address, if you see your location info, go and fight with them.

Update: 31st July – Microsoft seemed to have fixed the problem [via]

We write latest and greatest in Tech Guides, Apple, iPhone, Tablets, Android,  Open Source, Latest in Tech, subscribe to us @geeknizer on Twitter OR on Facebook Fanpage:

Lulzsec hacker group have been on a hacking rampage since a while now. They have been taking down sites of the CIA, Sony, FBI and a bulk of other large and small companies. Motive behind the hacks has rather been dicey, is it for fun or something else. The document is available on Pastebin and their activities are visible via their Twitter account.

Very recently they hacked released 62,000 username and passwords of a popular porn site. However, the ugly part of the story is that users tend to have similar passwords for all their accounts: mail, facebook and even paypal. Hackers and script buggies have been scanning the password list and discovered that this is actually the case for most users whose username/passwords have been shared in the leak.

If you analyze the password list, its not hard to figure out that a lot of users registered on the porn site are actually people from government organizations. Other than that Google, Yahoo, facebook have already out the accounts corresponding to those ids on hold till user verifies the ownership to prevent all kinds of misuses. However, hotmail and other unpopular email providers are still vulnerable.

What You can do: Staying secure online

Go through the password list and if you are on it, you are probably already in trouble. Going further, make it a habit to have different user/password combos for different sites. Doing so can be hard but if you follow a pattern for passwords, remembering them could be piece of a cake. e.g. you can change the first or last digit of the password based on the domain name. A password that was “pA$$w0rdG” on gmail would become  “pA$$w0rdf” on facebook. Do something similar, but purely your own idea.

What is the Future of LulzSec

Lulzsec would continue to hack down the internet with almost no clear intent. The press release states that for the past month or so they have been causing chaos throughout the internet by attacking several targets and they’re going to bring down more internet laws by continuing their public shenanigans, and that their actions are causing clowns with pens to write new rules for users.

They say that releasing data is just as ‘evil’; however they mock by saying, “This is the Lulz lizard era, where we do things just because we find it entertaining.”

They conclude by saying, “We’ve been entertaining you 1000 times with 140 characters or less, and we’ll continue creating things that are exciting and new until we’re brought to justice, which we might well be.“

We write latest and greatest in Tech Guides, Apple, iPhone, Tablets, Android,  Open Source, Latest in Tech, subscribe to us@geeknizeron Twitter OR on Facebook Fanpage:

Government has shifted its older ways of monitoring traditional landlines, phone calls, to cell phones and email, while they try to hunt down the criminals and terrorists.

We don’t care about this, coz its for our own safety at the cost of privacy that remains in the hands of officials behind closed doors. But the truth is, giving backdoor access to governments make a business’ data more vulnerable to the bad guys as well.

Which Countries spy on citizens?

Governments in US, UK and EU already monitor citizen’s mode of communications.

How do they do it?

Government may not peek into everything, but the most relevant data like: Email subject lines, mobile phone GPS locations, call histories. Trust me, this data dtogether makes up piles of data that is sent for monitoring to governments.

Julian Assange, head of WikiLeaks,  stated that tech companies, such as Facebook, are so accessible to US intelligence agencies that they act as de facto information gathering sources. You would be surprised to knwo the facts shown in the video below:

EU is working with several telecom giants to assist them in establishing automated data mining for mobiles, email, social networks, etc. This data, however, is not accessible to any human, a unless required. Mostly smart algorithms would determine suspicious activity before they are put under scrutiny.

Backdoors that grant access to the FBI or NSA also serve as tempting targets for everyone else. Whether they are exploited for identity theft, or used to coordinate concentrated cyber attacks from other nations, wiretapping access is a proven weak point in telecommunication security.

Here’s another news video on the topic:

How secure is your online information? Depends on how much attention you’ve gained by posting an update to the web.

via NYtimes

We write latest and greatest in Tech Guides, Apple, iPhone, Tablets, Android,  Open Source, Latest in Tech, subscribe to us@geeknizer on Twitter OR on Facebook Fanpage:

In August 2010, they found their home in Abbottabad, a suburb which is less than 40 miles from the Islamabad, the capital of Pakistan. Everything about Osama’s compound was extraordinarily unique which brought more and more attention. It was not just 8 times larger than the other homes in the area, it had a lot of physical security in place with 12 to 18 feet walls, guarded by two giant security gates.

Strangely enough, there was barely any communication between this compound and the outer world. There were little to no social activity and had strange forensics. It preferred burning its trash, and there were no open windows for fresh air to come in. Despite the gigantic and costly architecture, it had no means of communications: No internet, no phones.

The secret agencies and the army had no concrete proof, but everything leaded to the same conclusion. No one could afford and match the semantics of this place other than the man himself. Whole of this information was not shared with anyone, and was limited to a small group of people, which made the attack possible.

Background Intelligence (Technology Used to Track Osama)

All of this has a longer history. Joint Special Operations Command or JSOC had been in command for years trying to find tits and bits of information and compile them into something more concrete.

The way JSOC solved this problem still remains a top secret, but it is said that commandos learned basic criminal forensic techniques and then used highly advanced and still-classified technology to transform bits of information into actionable intelligence. One way they did this was to create forward-deployed fusion cells, where JSOC units were paired with intelligence analysts from the NSA and the NGA. Such analysis helped the CIA to establish, with a high degree of probability, that Osama bin Laden and his family were hiding in that particular compound.

These technicians could “exploit and analyze” data obtained from the battlefield instantly, using their access to the government’s various biometric, facial-recognition, and voice-print databases. These cells also used highly advanced surveillance technology and computer-based pattern analysis to layer predictive models of insurgent behavior onto real-time observations.

The military has begun to incorporate such techniques across the services and improvements are on their way in areas where intelligence is gathered, analyzed, and utilized.

We write latest and greatest in Tech Guides, Apple, iPhone, Tablets, Android,  Open Source, Latest in Tech, subscribe to us@geeknizer on Twitter OR on Facebook Fanpage:

Security researchers have comeup with a new tool that can verify email account existance/genuineness for people at businesses, even if the address hasn’t been published online and lies in a closed private company.

Peepmail assures the delivery of emails to everyone from Apple’s Steve Jobs and Microsoft’s Steve Ballmer to the random guy whose business card you lost. It uses the knowledge of the mail protocol to verify email delivery. Simply stated, its based on the fact that many email servers will inform the email sender whether the address is valid, even before the message is actually sent.

Peepmail does a great job at finding the email address for any person in the world using his first, second name. Peepmail tests permutations of the name until the company’s email server responds with a message that indicates the address is valid. However, peepmail tricks the server, and doesn’t actually sends the email, so the person being looked up has no idea about it.

We tried peepmail to actually locate email addresses of business corporates. With our tests, the app did a good job by giving the right email 50 percent of the time.

For cetain searches, the tool failed to return any email address, thats because some mail servers don’t actually reply back whether an address is valid before getting the email. They just digest every incoming email and later send back an error message only after the offending email is sent.

The developer of the tool claims that the tools is not intended to hurt privacy of the corporates, but its a Proof of concept that shows how vulnerable our email servers are, and how bad our Email security is,  “I created the tool to demonstrate what has been possible for years but very few people know,” he said.

We write latest and greatest in Tech Guides, Apple, iPhone, Tablets, Android,  Open Source, Latest in Tech, subscribe to us@taranfx on Twitter OR on Facebook Fanpage:

So far, tech nonprofit MITRE has made a lot of progress on the project and the prototype is ready under the name ” the Joint Battle Command-Platform”. It is now under some testing in the simulated battelfields, before it steps into the real army battlefields. The SDK used to develop apps for the Joint battle command platform is called the Mobile/Handheld Computing Environment, and army would releasing the sdk in June 2011 for app developers.

There will be lots of different apps that would empower the soldiers in the fields. There would be app that would provide mapping function that displays location and movements of all the soldiers and help them communicate the strategy better (Blue Force Tracker program). There will be some cloud to phone data exchange rebranded as “Critical messaging” to exchange crucial data like medevac requests and on the ground reporting.

“I was just shown a quick, little, five-minute brief on it – that’s all it took and we were ready to use them,” said Spc. Randy Fite, who like Bui experimented with the JBC-P Handheld prototype during a recent training exercise at Fort Bragg, N.C. He said the app’s blue icons indicating the GPS locations of his fellow Soldiers helped them navigate and coordinate actions during the capture.
“We can know where each unit is in our platoon, and how they’re moving,” Fite said. “It makes the job a lot easier.”

The army would face lots of challenges especially for areas with low or no signal coverage, which is something very common for battlefields.  Also, the army has high hopes on designing a phone hardware that is rugged enough to withstand wears and tears of all sorts.

This android based tablet/smartphone platform would help them phase out the current generation communication system: Nett Warrior – a suite of sensors, other functions which smartphones do much more easily. The complete system of Joint battle command platform would weigh less than 2 pounds, making it way better than Nett warrior.

Army’s aim is to build a core framework that can run on a large number of hardwares and form factors, obviously Android is the best (and only?) option they could have thought about. iOS is way too restrictive as per the officials, among which there are several iPhone lovers.

We write latest and greatest in Tech Guides, Apple, iPhone, Tablets, Android,  Open Source, Latest in Tech, subscribe to us@taranfx on Twitter OR on Facebook Fanpage:

Apple has integrated this malicious behavior into iOS 4 and its so dirty that it takes automatic backups every time it’s connected to iTunes, then pulls out a lifelong list of your locations, timestamps included. This data can be visualized using iPhoneTracker, showing you complete location history.

Apple uses Cellular tower triangulation and that’s why it always works no matter your GPS is off or out of range. This location data is available to any person (or app) that knows where to look.

How to Disable iPhone location Tracking

Thanks to the Jailbroken app in Cydia, its now possible to escape this apple’s blunder. The app is called “Untrackerd” and it continuously watches and deletes the database that is used by apple to store location data. The app is available for free on Cydia under BigBoss repository, simply search for Untrackerd on Cydia and install it to prevent your iPhone from tracking your location.

The package [will install a] daemon (process that can run in the background) to clean consolidated.db file. No new icons are added to your homescreen. There are no options to configure.

We write latest and greatest in Tech Guides, Apple, iPhone, Tablets, Android,  Open Source, Latest in Tech, subscribe to us@taranfx on Twitter OR on Facebook Fanpage:

Read more about how to Jailbreak your iPhone: http://geeknizer.com/untethered-jailbreak-ios-4-3-2-iphone-ipad-ipod-touch

Researchers at UaC & University of Washington have spent years trying to fin security flaws in modern cars which are controlled via mini-computer systems and so far they have identified a bunch of security flaws in cars.

The most interesting attacks were triggered via car’s Bluetooth and cellular network systems, or through malicious software in the diagnostic tools used in automotive repair shops.

The one that interested us was on the Car stereo. By adding extra code to a digital music file, they were able to turn a song burned to CD into a Trojan horse. When played on the car’s stereo, this song could alter the firmware of the car’s stereo system, giving attackers an entry point to change other components on the car. This type of attack could be spread on P2P file-sharing networks without arousing suspicion.

“It’s hard to think of something more innocuous than a song,” said Stefan Savage, a professor at the University of California.

The same team had achieved wide Car hacks in experiments in which they were able to kill the engine, lock the doors, turn off the brakes and falsify speedometer readings on a late-model car of 2009. In that experiment, they had to plug a laptop into the car’s internal diagnostic system in order to install their malicious code. In 2010, team also hacked Cars from wireless tyre sensors.

But the latest research, is about remotely controlling cars. The attacks over Bluetooth, the cellular network, malicious music files and via the diagnostic tools used in dealerships were all possible, if difficult to pull off, Savage said. “The easiest way remains what we did in our first paper: Plug into the car and do it,” he said.

Car Hacking: Possibilities & Future

Now, thieves could instruct cars to unlock their doors and report their GPS coordinates and Vehicle Identification Numbers to a central server. “An enterprising thief might stop stealing cars himself, and instead sell his capabilities as a service to other thieves,” Savage said. A thief looking for certain kinds of cars in a given area could ask to have them identified and unlocked, he said.

With the high technical barrier to entry, the researchers believe that hacker attacks on cars will be very difficult to pull off, but they say they want to make the auto industry aware of potential problems before they become pervasive.

Another problem for would-be car thieves is the fact that there are significant differences among the electronic control units in cars. Even though an attack might work on one year and model of vehicle, it’s unlikely to work on another. ”

So far, carmakers have been very receptive to the university researchers’ work and appear to be taking the security issues they’ve raised very seriously.

We write latest and greatest in Tech Guides, Apple, iPhone, Tablets, Android, Open Source, Latest in Tech, subscribe to us @taranfx on Twitter OR on Facebook Fanpage:

GSM Security is inherently weak and that’s why it was made possible to Hack GSM Security (GSM’s 64-bit A5/1 encryption), last year. However, governments own devices that are worth $50,000, which essentially monitor phone activities for National security.

“GSM is insecure, the more so as more is known about GSM,” said Security Research Labs researcher Karsten Nohl. “It’s pretty much like computers on the net in the 1990s, when people didn’t understand security well.”

Every aspect of the GSM Hack was demonstrated from start to end including scenarios in which GSM networks exchange subscriber location data, in order to correctly route phone calls and SMSs, allows anyone to determine a subscriber’s current location with a simple Internet query, to the level of city or general rural area. Once a phone’s City is known, a potential attacker can drive through the area, sending the target phone “silent” or “broken” SMS messages that do not show up on the phone. By sniffing to each bay station’s traffic, listening for the delivery of the message and the response of the target phone at the correct time, the location of the target phone can be more precisely identified.

GSM Network Sniffer

Researchers replaced the firmware of a simple Motorola GSM phone with their own, which allowed them to retain the raw data received from the cell network, and examine more of the cellphone network space than a single phone ordinarily monitors. Modifying the USB interface, helped them send this data in real time to a computer, which captured every bit of the information.

By sniffing the network while sending a target phone an SMS, they were able to determine precisely which random network ID number belonged to the target. This gave them the ability to identify which of the myriad streams of information they wanted to record from the network. After that, the next step is essentially decrypting the information. ITs not that easy, but was made possible by the way operator networks exchange system information with their phones.

As part of this background communication, GSM networks send out identifying information, as well as “keepalive” messages and empty spaces are filled with buffered bytes. Truth be told, a new GSM standard was put in place several years ago to turn these buffers into random bytes, they in fact remain largely identical today, under a much older standard. Sticking to older standards enabled hackers to predict with a high degree of probability the plain-text content of these encrypted system messages. This, combined with a 2 terabyte table of pre-computed encryption keys (a so-called rainbow table), allows a cracking program to discover the secret key to the session’s encryption in about 20 seconds. (Rainbow tables are usually used in all kinds of Brute-force password hacking).

Many GSM operators reuse these session keys for several successive communications, allowing a key extracted from a test SMS to be used again to record the next telephone call, minimizing the need for recomputation.

The process was demonstrated using their software to sniff the headers being used by a phone, extract and crack a session-encryption key, and then use this to decrypt and record a live GSM call between two phones in no more than a few minutes.

Can something be done about GSM’s security?

Any geek can make such devices and with the help of the open source software, can mimic these hacks. So can we really do something to prevent these kinds of hacks from happening?

“Much of this vulnerability could be addressed relatively easily”, Nohl said. “Operators could make sure that their network routing information was not so simply available through the Internet. They could implement the randomization of padding bytes in the system information exchange, making the encryption harder to break. They could certainly avoid recycling encryption keys between successive calls and SMSs”.

“This is all a 20-year-old infrastructure, with lots of private data and not a lot of security,” he said. “We want you to help phones go through the same kind of evolutionary steps that computers did in the 1990s.”

Worst part is, all the current 3G phones are NOT shielded from this hack. Knowing that 3G is primarily used for Data, its now easy to capture any 3G user’s online activity including their passwords and credit card numbers.

Maybe its high time for GSM consortium to wakeup and address these issues, or atleast learn few things from CDMA networks, which are inherently secure.

Resources:

Rainbow tables, Airprobe, Kraken  srlabs.de
OsmocomBB firmware osmocom.or

PDF Presentation

The Video Presentation can be downloaded here: Part1, Part2.

We write about Security,  Open Source, Programming, Web, Apple, iPhone,Android and latest in Tech @taranfx on Twitter or by subscribing below:

The vulnerability is actually found in the technology that works on trackerless torrents (DHT). Its now possible for someone to trick downloaders of popular files into send thousands of requests to a webserver of choice, taking it down as a result. Effectively turning BitTorrent into a very effective DDoS tool.

BitTorrent have lived over the years because of their reliability and effectiveness. Unlike a server centric model, where the dependency is on a one server (or distributed servers), its distributed and directly available through individual nodes that auto-discover each other, resulting in faster and more reliable data transfers. This is the reason why, everyday, millions of people (Swarm) use bittorrents to download Terabytes of data.

Hackers have now used the popular DHT technology to abuse BitTorrent downloaders to DDoS a webserver of choice. DHT, under normal operation, discovers peers who are downloading the same files, without communicating with a central BitTorrent tracker. If there are enough peers downloading the same file, this could easily take down medium to large websites. The worrying part is that the downloaders who are participating in the DDoS will not be aware of what’s going on.

“The core problem are the random NodeIDs. The address hashing and verification scheme works for scenarios like the old Internet, but becomes almost useless in the big address space of IPv6,” Astro told TorrentFreak in a comment. As a result, any BitTorrent swarm can be abused to target specific websites and potentially take them down.

These days,  DDoS attacks have been in the news regularly, mostly carried out under the flag of Anonymous “Operation Payback”. Initially anti-piracy targets such as the MPAA and RIAA were taken offline, and last month the focus switched to organizations that acted against Wikileaks, including Mastercard, then Visa and Paypal.

“Not connecting to privileged ports (< 1024) where most critical services reside,” is one ad-hoc solution, but Astro says that since it’s a design error, the protocol has to be redefined eventually.

The idea of using BitTorrent as a DDoS tool is not entirely new. In fact, researchers have previously shown that adding a webserver’s IP address as a BitTorrent tracker could result in a similar DDoS. The downside of this method is, however, that it requires a torrent file to become popular, while the DHT method can simply exploit existing torrents that are already being downloaded by thousands of people.

Over the next few years, it may actually be able to create non-blockable Torrents. Even today, there are ways of Bypassing torrent blocking, throttling. Now, what remains to be seen is that will BitTorrent developers do enough to fix DDoS vulnerability or will it remain open and cause havoc.

You can find the Slides of the presentation here.
Update: Download Video Presentation here

For latest Security, iPhone, android, Tech news @taranfx on Twitter and you can also subscribe to use below:

BluePlanet Apps has been laying down efforts for the cause and has made good progress so far. They are now ready for their Beta release of the application. BioLock is a truly futuristic concept brought to life by scanning either your iris, recognizing your face, or using a password to unlock your phone.

The app uses “Army-grade algorithms” for face modeling when doing facial recognition and even has blink detection and pupil dilation to prevent someone from merely using a photo of you.  The apps works flawlessly to protect the complete phone or specific apps or data you intend on hiding. And whenever you try to access that app, BioLock would open up first, holding the gates.

Blueplanet develops apps not just for Android, but WP7 as well. But the founder has said that this type of app is actually possible only on Android, as Braverman explains:

BioLock requires a certain degree of access in order to unlock a phone with your iris. When talking to Google and Microsoft, Blue Planet Apps was able to have a very open and frank conversation on this topic. When it came to speaking with Apple, they just said there was no way to access such functionality in their operating system.

BioLock being tested on a Samsung Galaxy Tab:

The plan is to have both a consumer version and a corporate version, making it truly a powerful security available for everyone.

“As for BioLock, it has many possibilities.  We have ideas for a consumer and enterprise model, the consumer model will replace the lock screen, allow users to lock as much of the phone as possible, contacts, dialer, phone numbers, apps, etc.

The enterprise model is a whole another beast, it connects to Microsoft Azure cloud, and does the authentication off the device, so the scan is taken, sent to the cloud, authenticated and sent back.  It is currently designed to use a 1024bit Polymorphic Cipher which, should by some miracle someone intercepts the encrypted hash, is uncrackable.  This is designed to be adapted into the end users applications, for example, a Banking app, or government email app that can encrypt messages before sending them (wikileaks would never have happened).  Healthcare, etc. the list goes on and on.

We have some other ideas for this technology, as off shoots of BioLock, using the FFC (Front Facing camera) to scan a users face while playing a game and send targeted marketing, or for social media communication during gaming.

The end result is that with our smartphones and tablets rapidly replacing our desktops and laptops, most of our future financial and other secure transactions will be over mobile/wireless networks and will need much more robust security.  Nothing is more secure or reliable than YOU.  Iris being the MOST accurate, then Face.  We are also going to add Voice verification in the consumer model of BioLock and users will have the option to choose one or a combination of options to lock down their device.

Blue Planet Apps is currently working very closely with Samsung to develop BioLock on Samsung devices, with the possible result being that Samsung will deploy it on all its devices as part of the AndroidOS.  We have also been talking to Nokia for deployment of BioLock on the upcoming Meego platform and other platforms as well.”

Now that would be another Killer app for Android.

We write about Android, Apple, iPhone, iPad, Android, Open Source and latest in Tech @taranfx (Twitter) or subscribe below: