Geeknizer » Security http://geeknizer.com iPhone, Android, mobile, Technology news Thu, 02 Apr 2015 09:07:15 +0000 en-US hourly 1 http://wordpress.org/?v=4.1.4 Top 5 USB Hacks that PWN You http://geeknizer.com/top-usb-hacks-pwn/ http://geeknizer.com/top-usb-hacks-pwn/#comments Fri, 13 Mar 2015 17:13:12 +0000 http://geeknizer.com/?p=13373 Read more »]]> A USB based dongle can go long way in terms of screwing you, your data, and even your life. Every other day we come across a new device that exposes a new type of vulnerability, enabling hackers to go wilder.

Let’s take a look at Top 5 Best USB Hacks that can PWN you:

1. BadUSB

BadUSB reprograms embedded firmware to give USB devices new, covert capabilities. A USB devices takes on the ability to act as a keyboard that surreptitiously types malicious commands into attached computers. A different drive can be reprogrammed to act as a network card that causes connected computers to connect to malicious sites impersonating Google, Facebook or other trusted destinations. Similar hacks work against Android phones when attached to targeted computers. Hackers claim that the technique works with Web cams, keyboards, and most other types of USB-enabled devices.

bad_USB

The Black Hat presentation, titled BadUSB—on accessories that turn evil, provided 4 demonstrations, three of which targeted controller chips manufactured by Phison Electronics. These are:

– Transforming a brand-name USB stick into a computer keyboard that opens a command window on an attached computer and enters commands that cause it to download and install malicious software. The technique can easily work around the standard user access control in Windows since the protection requires only that users click OK.

– Transforming a brand-name USB stick into a network card. Once active, the network card causes the computer to use a domain name system server that causes computers to connect to malicious sites impersonating legitimate destinations.

– Programming a brand-name USB stick to surreptitiously inject a payload into a legitimate Ubuntu installation file. The file is loaded onto the drive when attached to one computer. The tampering happens only after it is plugged into a separate computer that has no operating system present on it. The demo underscores how even using a trusted computer to verify the cryptographic hash of a file isn’t adequate protection against the attack.

– Transforming an Android phone into a malicious network card.

2. USB Killer

As the name says, it can kill your computer and in worse case even you. It can physically destroy your computer by blasting a load of voltage to the USB controller with negative voltage.

usb-killer

How?

The basic idea of the USB Killer is quite simple. When we connect it up to the USB port, an inverting DC/DC converter runs and charges capacitors to -110V. When the voltage is reached, the DC/DC is switched off. At the same time, the filed transistor opens. It is used to apply the -110V to signal lines of the USB interface. When the voltage on capacitors increases to -7V, the transistor closes and the DC/DC starts. The loop runs till everything possible is broken down. Those familiar with the electronics have already guessed why we use negative voltage here. I‘ll explain to others that negative voltage is easier to commutate, as we need the N-channel field resistor, which, unlike the P-channel one, can have larger current for the same dimensions.

Put simply, the bits inside the USB drive draws max amount of current from the port to charges the battery (capactor) inside. When a certain level of potential is reached, it returns the power to the source, i.e. your USB controller on your PC’s motherboard. The amount of power returned overloads the circuits, blowing it into smoke. In worst cases, it can blow up the motherboard with loud flames hurting the user.

3. USBdriveby

USB-Driveby is interesting. USB-powered microcontroller-on-a-chain, rigged to exploit the inherently awful security flaws lurking in your computer’s USB ports. In about 60 seconds, it can pull off a nasty list of nasty tricks:

  • It starts by pretending to be a keyboard/mouse.
  • If you have a network monitor app like Little Snitch running, it uses a series of keystrokes to tell LittleSnitch that everything is okay and to silence all warnings.
  • It disables OS X’s built-in firewall.
  • It pops into your DNS settings and tweaks them to something under the hacker’s control, allowing them to replace pretty much any website you try to visit with one of their own creation.
  • It opens up a backdoor, then establishes an outbound connection to a remote server which can send remote commands. Since the connection is outbound, it eliminates the need to tinker with the user’s router port forwarding settings.
  • It closes any windows and settings screens it opened up, sweeping up its footprints as it heads for the door.

usb-driveby

So in 30-60 seconds, this device hijacks your machine, disables many layers of security, cleans up the mess it makes, and opens a connection for remote manipulation even after the device has been removed. And you thought it was just a USB dongle!

4. Pwn Plug

Pwn Plug works on the idea of being able to use a USB stick to carry a command ‘payload’ that would get automatically executed upon being plugged into the Pwn Plug. Now the hacker can run commands such as ifconfig, kick off an nmap scan, whatever he needs to find a backdoor into your system; and all the results are output back onto the USB stick.

How it works
1. This hack uses autofs to perform auto-mounting of the USB drive, and udev to launch an execution script when the USB drive is plugged in.

2.  udev is configured to run hacker’s auto-execution script.

5. KeySweeper

KeySweeper is a stealthy Arduino-based device, camouflaged as a functioning USB wall charger, that wirelessly and passively sniffs, decrypts, logs and reports back (over GSM) all keystrokes from any Microsoft wireless keyboard in the vicinity.

All keystrokes are logged online and locally. SMS alerts are sent upon trigger words, usernames or URLs, exposing passwords. If unplugged, KeySweeper continues to operate using its internal battery and auto-recharges upon repowering. A web based tool allows live keystroke monitoring.

KeySweeper has the capability to send SMS alerts upon certain keystrokes being typed, e.g. “www.bank.com”. If KeySweeper is removed from AC power, it appears to shut off, however it continues to operate covertly using an internal battery that is automatically recharged upon reconnecting to AC power.

keysweeper

KeySweeper extends the work of Travis Goodspeed on the goodfet.nrf project and of Thorsten Schröder and Max Moser of the KeyKeriki v2.0 project.

6. USB password Stealer

Simple idea, clean implementation for windows. Steals all your passwords in Windows.

What you can do to Secure your PC?

USBs can be naughtier than you think. There is no one clear solution to this. In general, disable USB ports on public PCs, and in corporations. That might not work everywhere, so take care of who gets physical access to your running machine.

Know more USB PWNs? Let us know in comments

We write Latest in Tech, subscribe to us @geeknizer OR on Facebook Fanpage, Google+

]]>
http://geeknizer.com/top-usb-hacks-pwn/feed/ 0
Wirelessly Hack unlock Car without Key Fob http://geeknizer.com/wirelessly-hack-unlock-car-without-key-fob/ http://geeknizer.com/wirelessly-hack-unlock-car-without-key-fob/#comments Tue, 05 Aug 2014 15:28:59 +0000 http://geeknizer.com/?p=13220 Read more »]]> Its time for revelation of various hacks from your home security system to cars which rely on wireless key locks, as the BlackHat 2014 conference kicks-off.

At this year’s BlackHat conference, various hacks in security systems have been unveiled. The most shocking being an eavesdropper unlocking your car, without having any prior knowledge about your car or you.

car-lock-hack

Silvio Cesare, an Australian wireless researcher, has developed a way to spoof a wireless key fob that works well with popular cars. With off-the-shelf wireless radio tools costing $1000, he can hack wireless security system of cars. So what this means is that your keyless car entry is going to have a big toll on you. He has said to have tested the hack against his own 10-year old car, which he claims is among the best selling cars in his country. But he claims that car makers tend to source keyfobs from common manufacturers (like Amtel, TRW), making most make/model vulnerable to this kind of security attack.

Cesare uses a Software-defined radio, a software controlled radio device that can be programmed to work with wide set of frequency bands from Mhz (FM, GSM) to Ghz (Bluetooth, Wifi, etc). This mini radio setup is capable of operating as FM transmitter, GSM cell tower, or even bluetooth sender, and Wifi AP/client.

Step 1. Acquisition

With the hardware attached to his laptop, he can capture the frequency range in which keyfob operates and analyze the frequency modulation it uses for communication. With his tests he found most of these keyfobs operating in mhz bands using FM (frequency modulation).

Car security lock keyfobs generate different frequencies on each press. This is a time variant function, a set of frequency will only be used once and it will generate an entirely random set of frequencies next time to unlock the car. All these random generation of keys is based on a seed value (often known as private key) which is unique and embedded into key fob.

Step 2. Brute force

The very next step after knowing about frequency bands is to start the attack with a good old Brute-force method. To get started, you of course need a laptop with the right algorithms programmed (the secret sauce). This  when connected to the Software-radio hardware along with antenna and cheap antenna amplifier, is ready to hack any wireless system.

hackrf

Brute-force attack involves cycling millions of code guesses at a rate of two to three a second until he found the one which successfully unlocked the car. Usually, it only takes less than 2 hours, but it varies from car to car.

Step 3. Optimize the bruteforce attacks (optional)

One doesn’t always have all the available time, and Brute force attacks can be filtered from millions to thousands, accelerating the whole process. However, this optimization requires pre-access to key fob.

Cesare created a hardware automation device to emulate large number of button presses at several key-presses per second and listened to the radio codes it transmitted. The solenoid based robot helped him assemble enough data to find patterns in the seemingly-random numbers, cutting the number of possible unlock codes from around 43 million to around 12,500.

Step 4. Discovering Backdoors

Like described earlier, the frequency codes are unique each time. But there are exceptions to this. There are service codes, intentionally designed by the manufacturer, to help unlock car in case they lost access to original key, or for other maintenance/emergency cases. This is essentially a backdoor a hacker can exploit. During brute-force, there are chances that you find such frequency codes which can be used repeatedly, without trouble. These codes provide a permanent backdoor to the hacker.

With hacker’s testing, the backdoor code worked as much as dozen times before it seized to work. There’s one more pre-requisite to making backdoor codes to work — The attacker must first identify a portion of the unlocking code that’s different for every vehicle. That means the hacker would need to eavesdrop on one lock or unlock command sent from the victim’s key fob, which is already described in step 3.

What it means for You and Your Car

Do you get to know if you got Hacked?

Of course, you probably lost your car or belongings. In case you’re lucky enough to not lose those, your key fob doesn’t work on the next use, and takes two or three button presses to again synch up with the car’s locking system.

What is the scale of the Car unlock Hack?

Imagine cars parked in a parking area where a hacker plans to run a full brute-force attack on the available wireless spectrum. With the calculated attack, hacker can create a unlock mania, unlocking several hours every few minutes. Imagine the possibilities and the scale. We’re not trying to scare you or anything but criminals could hire researchers to replicate the attack. And if that happens, the scale is too large to imagine.

The Hacker used sophisticate hardware which costed him over a grand but with newer hardware like HackRF, one can build similar hardware for under $200, making it more accessible to everyone.

Is your car vulnerable?

Honestly, no one, other than Cesare knows what makes and models are vulnerable. Even though researcher believes newer key fobs are way less vulnerable coz they use better algorithms. But there’s no guarantee you’re safe. Someone somewhere could develop algorithm to break it, some day.

Hacker has already reported the incident to CERT (Computer Emergency Response Team), which is working to alert the manufacturers of potential victims.

This is not the first time wireless unlocking systems have been hacked. They have become better with time and with HackRF, its only about to get worse.

Subscribe to us @geeknizerFacebook FanpageGoogle+.

]]>
http://geeknizer.com/wirelessly-hack-unlock-car-without-key-fob/feed/ 0
What Google Can’t Find, Shodan Can [Search Connected Devices] http://geeknizer.com/what-google-cant-find/ http://geeknizer.com/what-google-cant-find/#comments Tue, 09 Apr 2013 14:25:02 +0000 http://geeknizer.com/?p=12269 Read more »]]> When we don’t find it on Google, we declare it doesn’t exist. But as per Founder Shodan, that statement is not essentially true. He believes that when something is not searchable on Google, that’s when probability of finding it on Shodan is much higher than usual.

Shodan may be the world’s most unique and scariest Search engine very unique to its kind. Shodan instead of looking for content on the web, goes through the back resources and tries to find assets like Servers, printers, webcams, routers and even iPhones connected to the internet.

(Shodan is experiencing heavy traffic may be slow at times)

Shodan, computer search engine

Shodan crawls the 500 million devices that are connected to the internet 24×7. Shodan can quickly list down all the security cameras, home automation systems, Traffic lights, spy cameras and even remote controlled heating systems connected to the internet. Although it only provides the IP addresses and open ports, but this information is enough for anyone with enough knowledge to eavesdrop their operation.

On Shodan, one can find anything from control systems in gas fuel stations, water supply, and even Nuclear power systems. This includes something as critical as Nuclear accelerator exposed to the public internet waiting to be abused from an international level.

Even though such devices have some sort of security built into them, but as per Cybersecurity researchers, theses are far from keeping such systems secure.

What Shodan can Find

Shodan showcases how discoverable such devices are, and how prone we are to all kinds of attacks from around the globe. to give you an example, if you search for “default password” on Shodan, it will reveal thousands of servers, system, printers and routers configured with default user “admin” and default password “password”. To access these resources, all you have to do is fire up your browser and open the IP address. And you can login with default credentials.

How to search on Shodan

Search results for Shodan exposing passwords

(click for full image)

Shodan is actively used by Security researchers and unethical hackers equally. They are able to quick look up for water heaters, automated door locks, temperature control, etc and take over them in minutes.

Shodan for Pentesters (from DEFCON 18)

It doesn’t stop here. In some countries  (name anonymous) the whole Traffic control system can be taken over and monitored from the web. Pentestesters have reported to have been successfully controlling over Traffic control system in such countries.

So Shodan sounds very scary isn’t it? Yes it is. but there’s a limit t it. By default it lists only 10 results. If you Sign-up, search results go upto 50. If you need to go further, Shodan would ask you for a justification and a fee that won’t fit everyone’s pocket.

When Josh Matherly, creator of Shodan, was asked how he feels about leaking this information to public hands, he confidently admitted that this information was already widely available but was harder to search. He just made it easier, but the whole intent is to raise the awareness so that these devices evolve and become more secure over time. Till then, you guard your boundaries yourself!

Learn more about Shodan searches.

We write latest and greatest in Tech GuidesAppleiPhoneTabletsAndroid,  Open Source, Latest in Tech, subscribe to us @geeknizer OR on Facebook FanpageGoogle+.

]]>
http://geeknizer.com/what-google-cant-find/feed/ 0
Remotely Hack any Cisco VoIP Phone http://geeknizer.com/hack-any-cisco-voip-phone/ http://geeknizer.com/hack-any-cisco-voip-phone/#comments Fri, 11 Jan 2013 16:49:44 +0000 http://geeknizer.com/?p=11861 Read more »]]> Ever year hackers research and reverse engineer mainstream electronics and commercial products in the market.

At 29C3, security researchers from Columbia university demoed what they call to have achieved Hacking Cisco VOIP phone to remotely listen to you all day long. They call this “just because you are paranoid doesn’t mean your phone isn’t listening to everything you say. Hackers were able to remotely turn on a phone’s microphone and eavesdrop from anywhere in the world.

Cisco is everywhere

Cisco is the no.1 VOIP provider, globally. There are millions and millions of Cisco VOIP phones in offices from small companies to most sensitive organizations. From Obama’s office to research centers in DARPA, all use Cisco VOIP phones, and this hack makes each one of them vulnerable.

Remember the scene in the Movie Dark Knight where Morgan Freeman (Lucious Fox) turns every single phone in the Gotham city into a Sonar device looking for audio signals? Well, this hack does almost that. Turns every VOIP phone into a potential voice bug living in offices, research centers, government agencies, you name it.

Why Hackers target Cisco? or Why Consumers choose Cisco

Why do all these offices use Cisco products? Well, Cisco assures its consumers with over 200 pages of a book that says how secure is the device. Cisco claims that their product runs only 100% signed binaries, checksums on data, use of secure admin console, random key challenges, secure os, blah blah.
Call it their marketing trap, everyone buys Cisco.

The Methodology: Hacking the Cisco VoIP phones

The hacker realized that most of the claims were simply not true. Cisco’s VoIP phones check for signed binaries only during boot. Once boot process completes, its fairly easy to add a user binary into IOS with standard user.

The hacker then talked about how he was able to find an exploit. They use a small wired device called a “thingp3wn3r” to plug into a RJ11 serial port of a Cisco phone and upload malicious code. Researchers then used an android smartphone to connect to the thingp3wn3r over a Bluetooth connection to remotely deliver the exploit.

They used syscall fuzzer to findout all different syscalls supported by the system. They found the syscalls which were able to crash the kernel and the whole system. In a case of Kernel-Panic, the system dumps the memory dump, thereby making it possible for the hackers to analyze what caused the crash .

On carefully analyzing the cause of crashes, they were able to create and execute a malicious code inside user space and direct a syscall that resulted in execution of an instruction to open a door to have Root access. And once you’ve the root, the potential is simply unlimited.  Using the hacked phone, hacker can then infect other phones on the same network and attack connected computers and devices such as printers.

Cisco phones have red colored LED that switches on before microphones are enabled. Somehow, even the Audio DSP has the pre-requisite. Hackers thought there is really no work around for this until they realized that there was a second microphone on the desk phone that was in the handset. This microphone is pretty sensitive to pickup surrounding voices, unlike one would expect it to. The way to turn it on is to lift the cradle which in turn completes the circuit. That was reprogrammable and hackers made it always connected.

Soon after the security analysts contacted Cisco, they worked on a fix that was found to be totally in-effective as per hackers. Cisco had put a one-line fix that would just not work. Cui said, “We don’t know of any solution to solve the systemic problem with Cisco’s IP Phone firmware except for the Symbiote technology or rewriting the firmware.”

Hacking Cisco VoIP [Full Video with Demo]

Cisco is finally taking this seriously. They have put down a task farce to work on a permanent fix. But researchers aren’t convinced. They claim that if the compromised Phone is injected with Rootkit, it can reprogram the ROM, which is actually a Flash memory. Once this is permanently written to this ROM, there’s no way you can fix the hacked microphone with any sort of software update fix.

Who is at Risk?

“It’s not just Cisco phones that are at risk. All VoIP phones are particularly problematic since they are everywhere and reveal our private communications.”

Hacking Cisco Phones [PDF] Slide 210 states, “Cisco Unified IP Phone 7900 series, also referred to as Cisco TNP Phones contain an input validation vulnerability. A local authenticated attacker with the ability to place a malicious binary on the phone could leverage this issue to elevate their privileges or take complete control of the device.”

The issue is due to a failure to properly validate certain system calls made to the kernel of the device. This failure could allow the attacker to overwrite arbitrary portions of user or kernel space memory.

The following Cisco Unified IP Phone devices are affected:

  • Cisco Unified IP Phone 7975G
  • Cisco Unified IP Phone 7971G-GE
  • Cisco Unified IP Phone 7970G
  • Cisco Unified IP Phone 7965G
  • Cisco Unified IP Phone 7962G
  • Cisco Unified IP Phone 7961G
  • Cisco Unified IP Phone 7961G-GE
  • Cisco Unified IP Phone 7945G
  • Cisco Unified IP Phone 7942G
  • Cisco Unified IP Phone 7941G
  • Cisco Unified IP Phone 7941G-GE
  • Cisco Unified IP Phone 7931G
  • Cisco Unified IP Phone 7911G
  • Cisco Unified IP Phone 7906

The following models have reached end-of-life (EOL) status (for hardware only):

  • Cisco Unified IP Phone 7971G-GE
  • Cisco Unified IP Phone 7970G
  • Cisco Unified IP Phone 7961G
  • Cisco Unified IP Phone 7961G-GE
  • Cisco Unified IP Phone 7941G
  • Cisco Unified IP Phone 7941G-GE
  • Cisco Unified IP Phone 7906

Fix for Cisco VoIP hacking

The concrete solution to this problem is a “new defense technology, called Software Symbiotes, that protects them from exploitation. The beauty of the Symbiote is that it can be used to protect all kinds of embedded systems, from phones and printers to ATM machines and even cars—systems that we all use every day.”

Symbiotes are a kind of digital life form that tightly co-exists with arbitrary executables in a mutually defensive arrangement. “They extract computational resources (CPU cycles) from the host while simultaneously protecting the host from attack and exploitation and, because they are by their nature so diverse, they can provide self-protection against direct attack by adversaries that directly target host defenses.”

Workaround

Cisco is working on the patch “CSCuc83860 bug,” till then you’ve to settle down with workarounds. Thingp3wn3r  suggest “Restrict SSH and CLI access to trusted users only. Administrators may consider leveraging 802.1x device authentication to prevent unauthorized devices or systems from accessing the voice network.”

Its time for Cisco to start caring for their customers.

We write latest and greatest in Tech GuidesAppleiPhoneTabletsAndroid,  Open Source, Latest in Tech, subscribe to us@geeknizer OR on Facebook FanpageGoogle+

]]>
http://geeknizer.com/hack-any-cisco-voip-phone/feed/ 0
How to Hack WhatsApp Messenger | Build WhatsApp API Client http://geeknizer.com/how-to-hack-whatsapp-messenger/ http://geeknizer.com/how-to-hack-whatsapp-messenger/#comments Fri, 14 Sep 2012 20:12:15 +0000 http://geeknizer.com/?p=11152 Read more »]]> Desktop IMs have long been our favorite mode of communication. But with time, their significance has definitely come down.

Smartphones taking large part of our daily life, IM services like Whatsapp, iMessage, BBM,  etc have emerged to be exchanging more messages every second. WhatsApp delivers more than 1 billion messages per day, but yet, its the most insecure way of communication.

As per a recent security analysis, WhatsApp is totally insecure way of communicating with friends.

 

WhatsApp Encryption

You will be surprised to know that until August 2012, messages sent through the WhatsApp service were not encrypted in any way, everything was sent in plaintext. That means if you were using Whatsapp on a public wifi, everything can be captured by anyone else sniffing ont he wireless network. The latest WhatsApp uses encryption but its this new encryption is broken. But still, phone number is sent out in plaintext.

The local storage isn’t any different, you can checkout WhatsApp Database Encryption Project Report

WhatsApp API & Reverse Engineering

If you know XMPP, the same protocol used by facebook, GTalk, and several others, you can try your hands-on WhatsAPI, an API for WhatsApp messenger.

WhatsApp uses customized XMPP server with proprietary extensions, named internally as FunXMPP.

1. WhatsApp Authentication / Login Mechanism
Just like any other XMPP, WhatsApp uses jabber id and password to login. The password is hashed, stored in servers upon account creation and used transparently everytime the client connects the server.

Its an incredibly horrible implementation. As researcher found out, the username is the user’s phone number – an attacker would probably already knows the victim’s number.

On Android, the password is a md5 hash of the reversed IMEI number:

$imei = "112222223333334"; // example IMEI
$androidWhatsAppPassword = md5(strrev($imei)); // reverse IMEI and calculate md5 hash

On iOS, the password is generated from the devices WLAN MAC address:

$wlanMAC = "AA:BB:CC:DD:EE:FF"; // example WLAN MAC address
$iphoneWhatsAppPassword = md5($wlanMAC.$wlanMAC); // calculate md5 hash using the MAC address twice

Both IMEI and MAC address are easily retrievable from devices if you have physical access to it. MAC address is much easier to capture as you can sniff on the wireless network to which iOS device is connected.

The JID is a concatenation between your country’s code and mobile number.

Initial login uses Digest Access Authentication. You can try this for yourself:

https://r.whatsapp.net/v1/exist.php?cc=$countrycode&in=$phonenumber&udid=$password

$countrycode = the country calling code
$phonenumber = the users phone number (without the country calling code)
$password = see above, for iPhone use md5($wlanMAC.$wlanMAC), for Android use md5(strrev($imei))

The response you would receive would be in XML, containing messages designated for your phone.

2. Text Message communication

Messages are basically sent as TCP packets, following WhatsApp’s own format (unlike what’s defined in XMPP RFCs).

Photos, Videos and Audio files shared with WhatsApp contacts are HTTP-uploaded to a server before being sent to the recipient(s) along with Base64 thumbnail of media file (if applicable) along with the generated HTTP link as the message body.

WhatsApp Privacy Leak

WhatsApp shares your contacts with the server, we all know that. But the way it is done is ridiculously insecure. It basically sends contact information as:

https://sro.whatsapp.net/client/iphone/iq.php?cd=1&cc=$countrycode&me=$yournumber&u[]=$friend1&u[]=$friend2&u[]=$friend3&u[]=$friend4
The server response looks like:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
<dict>
<key>P</key>
<string>1234567890</string>
<key>T</key>
<integer>10817</integer>
<key>S</key>
<string>Some Status Message</string>
<key>JID</key>
<string>23xxxxxxxxx</string>
<key>NP</key>
<true/>
</dict>
</array>
</plist>

Key “P” is the users phone number, Key “T” seems to be the uptime(?), Key “S” is the users status message. Not sure about “JID” and “NP” yet – if you have smart guess let me know. All this information is public.

Verdict

WhatsApp is fastest growing IM service and yet, the most insecure. If you really care about your data privacy, stop using WhatsApp till its fixed. Rely on GTalk, facebook IM, which are proven to be secure by all means.

Related: Read, Extract WhatsApp Messages backup on Android, iPhone, Blackberry

We write latest and greatest in Tech GuidesAppleiPhoneTabletsAndroid,  Open Source, Latest in Tech, subscribe to us @geeknizer on Twitter OR Google+ or on Facebook Fanpage

]]>
http://geeknizer.com/how-to-hack-whatsapp-messenger/feed/ 17
Java 0-Day Exploit Code, Prevention Explained http://geeknizer.com/java-0day-exploit-explained/ http://geeknizer.com/java-0day-exploit-explained/#comments Tue, 28 Aug 2012 17:15:11 +0000 http://geeknizer.com/?p=10972 Read more »]]> Once in a while a new exploit or vulnerability arises that affects every single PC on the internet and within a span of few hours, it spreads across the globe. Such exploits are often called as Zero-day exploits (or 0-day exploit).

While Zero-day Exploits are critical and widespread, most users never have a clue about it. The awareness is important and that’s why Tech blogs take them seriously. One such recently discovered 0-day exploit was in intel processors.

Who is under Threat?

A new browser-based exploit for a Java vulnerability have been discovered that affects almost every PC on the internet that runs Java. The vulnerability allows attackers to execute arbitrary code on client systems has been spotted in the wild. So far there is no possible fix other than disabling Java plugin for browser itself.

The vulnerability is observed in the latest stable version of Java runtime, JRE 1.7. The problem doesn’t exist on previous versions like 1.6 or older.

Virtually, everyone is affected. Every platform: Windows, Mac OS X, Linux.

All browsers running on these systems were found to be vulnerable if they had the Java plugin installed, including Chrome, Firefox, Internet Explorer, Opera, and Safari.

The Vulnerability detailed

The vulnerability allows attackers to use a custom web page to force systems to download and run an arbitrary payload – for example, a keylogger or some other type of malware. The payload does not need to be a Java app itself. The virus was observed as an windows executable, but it can be distributed as a binary for any platform including Linux, Mac OSX.

The exploit has been numbered CVE-2012-4681.

It was originally discovered on a server with a domain name that resolved to an IP address located in China. The malware it installed on compromised systems attempted to connect to a command-and-control server believed to be located in Singapore.

The exploit code is available via the popular security suite, Metasploit. Full code for the exploit is available openly via pastie, here is the code snippet that disables your security and makes you vulnerable:

public void disableSecurity() throws Throwable
    {
        Statement localStatement = new Statement(
               System.class, "setSecurityManager", new Object[1]);
        Permissions localPermissions = new Permissions();
        localPermissions.add(new AllPermission());
        ProtectionDomain localProtectionDomain = new ProtectionDomain(
             new CodeSource(
                new URL("file:///"), new Certificate[0]), localPermissions);
        AccessControlContext localAccessControlContext =
            new AccessControlContext(new ProtectionDomain[] {
                   localProtectionDomain
            });
        SetField(Statement.class, "acc", localStatement, localAccessControlContext);
        localStatement.execute();
    }

and once security has been turned off, hacker can download a binary & execute the binary like usual:

Process localProcess = Runtime.getRuntime().exec("calc.exe");
localProcess.waitFor();

 

Should I downgrade to JRE 1.6?

No, that would only make things worse. Even though earlier versions aren’t vulnerable to this particular exploit, they contain other bugs that expose still other vulnerabilities which may be even more widespread, and known to more hackers.

How to Prevent Java Zero-day Exploit Vulnerabilities?

There are ways by which you can prevent payload injection using advanced techniques.

But for individual users, the best solution for now is to disable the Java browser plugin until Oracle issues an official patch.

Corporate users: Atif Mushtaq from FireEye covered the payload part of the exploit, which is helpful and something to look out for if you are protecting your network or your customers. We should note that attackers are not limited to .net addresses and already used other domains and  IP addresses.

How to Disable Java in Chrome, Firefox, Opera, Safari

In Firefox: Press Firefox button -> Add-ons, go to Plugins and click the “Disable” button next to anything named “Java”.

In Chrome: Type in: “chrome://plugins/” into the address bar (no speech marks). Scroll down to Java and click disable.

In Opera: Type in “opera:plugins” into the address bar (no speech marks). Scroll down to:

  • Java(TM) Platform <click on> Disable.
  • Java Deployment Toolkit <click on> Disable.

In Safari: Safari > Preferences > Security

Stay safe!

We write latest and greatest in Tech GuidesAppleiPhoneTabletsAndroid,  Open Source, Latest in Tech, subscribe to us @geeknizer on Twitter OR Google+ or on Facebook Fanpage:

]]>
http://geeknizer.com/java-0day-exploit-explained/feed/ 2
How to Hack Open/Unlock Office Door http://geeknizer.com/how-to-hack-open-office-door/ http://geeknizer.com/how-to-hack-open-office-door/#comments Fri, 10 Aug 2012 10:52:39 +0000 http://geeknizer.com/how-to-hack-open-office-door Read more »]]> In movies, geeks would pitch-in and attach a PDA to the door that sweeps the magnetic field patterns against the doors or analyze the lock code in matter of seconds. They employ modern science, mostly imaginary, but it sure looks complex. In reality, unlocking doors can be as easy as buying a Good Magnet.

Most office doors employ magnetic sensors that require a access card to be swiped across to unlock. These magnetic cards have unique magnetic pattern underneath the plastic, which when scanned is matched against a person’s identity.

Among the most popular lineup of Office door lock, Kaba Ilco Simplex lineup has been there for more than 3 decades, and had been pretty much unhackable till 2010. But if you have a strong  magnet, it opens up effortlessly in under 3 seconds.

You devise the Hack, you need powerful rare-earth magnets, which formulates the state-of-the-art attack.

Worst part is,  most other locks that use a combination chamber are equally vulnerable.

How it Works

Normally, these door locks need to capture weak magnetic fields generated in vicinity of a access card or a specific combination of buttons  have to be pressed to make the bolt withdraw. However, when a strong magnet is presented,  it messes with the magnetic field inside the combination chamber, the system scrambles making the bolt withdraw even if no buttons are pressed/ no card is presented.

Kaba, being the industry leader, has fixed the problem with a new combination chamber design in the latest models of its lock, but that won’t change the existing locks that have lying world over in offices since last 3 decades.

The rare earth (lanthanide) elements are metals that are ferromagnetic, meaning that like iron they can be magnetized, but their Curie temperatures are below room temperature, so in pure form their magnetism only appears at low temperatures. However, they form compounds with the transition metals such as iron, nickel, and cobalt, and some of these have Curie temperatures well above room temperature. Rare earth magnets are made from these compounds.

You can buy one of these neodymium magnet for about $10, no experience required.

Warning: This is just for educational purposes, do not hack into someone’s office, you and alone you would be responsible for any consequences.

Alternatively, you can design a a card writer that can hack magnetic locks:

In the above demo, hacker used pre-made connectors so he could easily disconnect and reconnect the device. When you put the reader’s cover back, the Gecko would be hidden behind it.

The card reader also continues to work fine with the Gecko attached. It passes along the signal from the reader to the control system as it’s supposed to. But when someone swipes an authorized card that unlocks the door, Gecko saves that signal.

With that saved unlock signal, the attacker can swipe a ‘replay’ card that tells Gecko to re-send that saved signal, and the doors unlock. What’s more, any saved access logs would only show that the same person who originally swiped the saved signal swiped his card again.

The replay card isn’t anything special, and could be any card. It’s just one that Gecko knows about beforehand. When it sees that card’s code – because the card reader passes it along – Gecko knows to send its saved signal in response.

The device also knows to look out for another card code – again, just a regular card – and in that case, disable the system. Only the recognized replay card can unlock the door. Every other card, authorized or not, will fail.

We write latest and greatest in Tech GuidesAppleiPhoneTabletsAndroid,  Open Source, Latest in Tech, subscribe to us @geeknizer on Twitter OR Google+ or on Facebook Fanpage:

]]>
http://geeknizer.com/how-to-hack-open-office-door/feed/ 2
Hackers Exploit Intel Core 2 Duo, Atom PC with Javascript http://geeknizer.com/hackers-exploit-intel-core-2-duo-atom-pc-with-javascript/ http://geeknizer.com/hackers-exploit-intel-core-2-duo-atom-pc-with-javascript/#comments Sun, 15 Jul 2012 09:50:16 +0000 http://geeknizer.com/?p=10612 Read more »]]> How often it is the case that a new Exploit is discovered that renders most of the PCs vulnerable to attacks? Well, thats like everyday. But most of such exploits never go mainstream or is controlled at the source.

What if an Exploit is found deep down in the Processor design and it affects every single OS that runs on that processor architecture. If those aren’t accelerating enough, how about adding scope of spreading via ANY web browser? Such exploits which are unpatched and previously unknown are called Zero-day exploits.

A new zero-day Exploit has been discovered in Intel’s Core 2 Duo and Intel Atom processors which exploits cache control mechanism in the processor’s core.

This demo consists of actually two programs. A test loop, which gets exploited and the malicious code. The test loop needs to run until patched. It is completely running from the cache. When the exploit runs, it modifies the 4 first bytes of the cached loop into 4 NOPs via the cache exploit. When the change happens, the exploit is successful.

The test code published to public is safe for Intel Core 2 duo users to try. It just checks, if the cache modification is possible. To bring it to practical scenarios, it will combine this with other exploitation code and would change the machine code of the test loop into a jump or a call.
The real scary part of this is, that it is possible to patch code despite of access rights. If the loop is really changed, this can be made into an effective exploit.

In others words, it’s a partially-obfuscated piece of malware, which claims to demonstrate a zero-day, security vulnerability affecting Intel Core 2 Duo and Intel Atom processors, allowing privilege escalation from inside a Javascript interpreter up to kernel memory. I don’t know whether it actually works, since I’m not brave enough to experiment with it, but it’s likely that it does.

As one developer explains it, the CPU is trying to optimize an infinite loop from the firefox interpreter, but there is a CPU bug where some address is not aligned properly, which allows them to overwrite other memory.

// the infinite loop will be patched on the fly because of the Intel CPU bug

// addr of the test() func should be aligned by 4Kb boundary,

// 1st dword will be changed to NOP, NOP, NOP, NOP

// it’s possible to change the kernel memory as well,

If this works as advertised, then if you have an affected CPU, it is a zero-day exploit affecting every web browser on every operating system, both desktop and mobile, as long as you have Javascript enabled. Until a workaround has been found, any site which serves you Javascript or any of its advertising networks could use it to give you malware.

Some hackers claim that this Exploit is unreal and others claim such CPU bugs are nothing new and couple of such exploits have been discovered long ago.

Are you safe?
Since it affects every single browser and platform running javascript, there’s a little you can do to prevent it till its officially patched on all PCs. One way is to turn off Javascript, but thats virtually impossible. Safer way is to go with script blockers that block malicious code and malware.

Second, you should use only the most security hardened browser, which is Google Chrome; it’s not clear whether Chrome’s hardening will actually help, but it’s likely that it will.

We write latest and greatest in Tech GuidesAppleiPhoneTabletsAndroid,  Open Source, Latest in Tech, subscribe to us @geeknizer on Twitter OR Google+or on Facebook Fanpage:

]]>
http://geeknizer.com/hackers-exploit-intel-core-2-duo-atom-pc-with-javascript/feed/ 0
Hackers Take Control of Drone by Hacking GPS http://geeknizer.com/take-control-of-drone-by-hacking-gps/ http://geeknizer.com/take-control-of-drone-by-hacking-gps/#comments Sun, 08 Jul 2012 17:37:19 +0000 http://geeknizer.com/?p=10569 Read more »]]> Drones, the unmanned aerial flying vehicles, have become a major part of modern warfare. Researchers at the University of Texas’ Lab have successfully demonstrated that a drone with an unencrypted GPS system can be taken over by a person owning a GPS spoofing device.

Using only $1000 worth of equipment, one can easy exploit vulnerabilities of unencrypted GPS signals.

While the powerful military drones used overseas use encrypted GPS signals, the ones in the United States rely on signals from open civilian GPS, which makes them vulnerable to GPS “spoofing.”

By Spoofing GPS signals, it is possible to gather enough information that makes it possible to take over the Drone. To elaborate, by the transmission of matched-GPS-signal-structure interference in an attempt to commandeer the tracking loops of a victim receiver and thereby manipulate the receiver’s timing or navigation solution, hackers can transmit its counterfeit signals from a stand-off distance of several hundred meters or it can be co-located with its victim.

Hacking the Drone

To commence the attack, the spoofer transmits its counterfeit signals in code-phase alignment with the authentic signals but at power level below the noise floor. The spoofer then increases the power of the spoofed signals so that they are slightly greater than the power of the authentic signals. At this point, the spoofer has taken control of the victim receiver’s tracking loops and can slowly lead the spoofed signals away from the authentic signals, carrying the receiver’s tracking loops with it.

Once the spoofed signals have moved more than 600 meters in position or 2 microseconds in time away from the authentic signals, the receiver can be considered completely owned by the spoofer.

Although our spoofer fooled all of the receivers tested in our laboratory, there are significant differences between receivers’ dynamic responses to spoofing attacks.

Are we Under Threat?

After the research experiment was conducted, it was noticed immediately by the U.S. government:

“DHS is attempting to identify and mitigate GPS interference through its new ‘Patriot Watch’ (pdf) and ‘Patriot Shield’ (pdf) programs, but the effort is poorly funded, still in its infancy, and is mostly geared toward finding people using jammers, not spoofers.”

The only way out is to work for hardening of GPS systems used in drones before they expand further into our worlds.

To be honest, this GPS flaw affects almost anything that flies ove head: Aircraft, ship, or vehicle navigation systems that feature unencrypted GPS systems. This technique may even be able to bring down a smart grid (pdf) or financial market.

Securing the UAVs

AUVSI is the world’s largest non-profit organization devoted exclusively to advancing the unmanned systems and robotics community. The provie following statements for Ensuring the Safe Use of Unmanned Aircraft:

“The unmanned aircraft systems industry is committed to the safe and responsible integration of unmanned systems into the national airspace. We are already in communication with a variety of stakeholders to ensure unmanned aircraft are integrated safely so we can unlock the tremendous potential of this technology to enhance public safety, advance scientific research and otherwise benefit society, all while potentially creating thousands of jobs.

“‘Spoofing’ or otherwise tampering with GPS has dangerous implications for any technology which depends on it for guidance, whether it is manned or unmanned aircraft, your cell phone or your car. In fact, commercial airliners are relying more and more heavily on GPS signals to locate the runways at airports and, with the advent of the next generation air traffic control system, all aircraft – manned and unmanned – will rely on GPS for navigation.

“The industry is well-aware of so-called ‘spoofing’ and is already advancing technologies, such as SAASM – Selective Availability Anti-Spoofing Module – to prevent it. This technology is already in use by the military to thwart GPS spoofing abroad and we expect it will transition to civilian unmanned aircraft in the coming years to protect aircraft flying in the national airspace. Meanwhile, some unmanned aircraft also have alternate navigation systems, such as radio links and backup inertial systems, which provide redundancy to GPS.

We write latest and greatest in Tech GuidesAppleiPhoneTabletsAndroid,  Open Source, Latest in Tech, subscribe to us @geeknizer on Twitter OR Google+ or on Facebook Fanpage:

]]>
http://geeknizer.com/take-control-of-drone-by-hacking-gps/feed/ 2
dSploit: Android-based Network Pentest Security Tool [Wifi Hacking] http://geeknizer.com/android-network-pentest-security-tool/ http://geeknizer.com/android-network-pentest-security-tool/#comments Fri, 01 Jun 2012 12:48:29 +0000 http://geeknizer.com/?p=11376 Read more »]]> If you are geek enough to pentest every wireless network you connect, we got an app for you.

dSploit is an Android based network analysis & penetration suite. It is a comprehensive toolchain which can be used by anyone in order to perform a number of advanced network analysis and Pentests. dSploit contains a number of powerful functions for IT security experts/geeks, but is easy enough for just about any one to perform exploits.

Android Network hacking Pentest tool

dSploit allows you to analyze, capture, and manipulate network packets. You can scan networks for connected devices like other smartphones, laptops, & identify the operating system, running services and open ports on each device. Once open ports are known, you can go further by checking open ports for vulnerabilities. These features together make dSploit the most complete and advanced professional toolkit to perform network security assesments on any mobile device, ever.

Other than analysis, dSploit even allows man in the middle attacks for a number of network protocols i.e. you can monitor and inject packets into the network and spoof your identity. In simpler words, it allows you to intercept wireless network traffic and mess it with in the way you want. You can poison the DNS, for example, so that your family members go to Google+ everytime they try open facebook, or replace all the images with a custom PWNed/funny image. The ideas are what limit you, possibilities of fun are endless.

You can also trigger a DoS attack (Denial of services) in which your family and friends would lose Internet connectivity. Everytime they try accessing a webpage, instead of loading the page, it would redirect to your custom webpage that displays a “You’ve be PWNEed” message. If you ain’t ethical enough, you can even indulge yourself in sniffing and capturing login passwords, web forms etc.

dSploit also allows you to create a Map of your Network, and then  fingerprint alive hosts operating systems and running services, search for known vulnerabilities, crack logon procedures of many tcp protocols, perform man in the middle attacks such as password sniffing (with protocol filters), real time traffic manipulation, etc.

dSploit is like Metaspl0it framework from desktop world as it is very pluggable. As of now app is in beta stages with few modules, expect more in the future.

dSploit Modules

  • RouterPWN
    Launch the http://routerpwn.com/ service to pwn your router.
  • Port Scanner
    A syn port scanner to find quickly open ports on a single target.
  • Inspector
    Performs target operating system and services deep detection, slower than syn port scanner but more accurate.
  • Vulnerability Finder
    Search for known vulnerabilities for target running services upon National Vulnerability Database.
  • Login Cracker
    A very fast network logon cracker which supports many different services.
  • Packet Forger
    Craft and send a custom TCP or UDP packet to the target.
  • MITM
    A set of man-in-the-middle tools to command&conquer the whole network.

    • Simple Sniff
      Only redirects target’s traffic through the device ( useful when using a network sniffer like ‘Sharp’ for Android ) and shows network stats.
    • Password Sniffer
      Sniff passwords of many protocols such as http, ftp, imap, imaps, irc, msn, etc from the target.
    • Kill Connections
      Kill connections preventing the target to reach any website or server.
    • Replace Images
      Replace all images on webpages with the specified one.
    • Replace Videos
      Replace all youtube videos on webpages with the specified one.
    • Script Injection
      Inject a javascript in every visited webpage.
    • Custom Filter
      Replace custom text on webpages with the specified one.

App requirements:

  • At least Android 2.3 ( Gingerbread )
  • The device must be rooted
  • The device must have a BusyBox full install, this means with every utility installed ( not the partial installation ).

Download [github] App isn’t allowed on Play store.

checkout the XDA thread for updates.

You can also checkout Pen Test Tools List app for all Pentesting Android apps. [Play Store]

We write latest and greatest in Tech GuidesAppleiPhoneTabletsAndroid,  Open Source, Latest in Tech, subscribe to us @geeknizer OR on Facebook FanpageGoogle+

]]>
http://geeknizer.com/android-network-pentest-security-tool/feed/ 0
Download Symantec NAV, PCAnywhere Source Code http://geeknizer.com/download-symantec-nav-pcanywhere-source-code/ http://geeknizer.com/download-symantec-nav-pcanywhere-source-code/#comments Sat, 11 Feb 2012 16:48:12 +0000 http://geeknizer.com/?p=9737 Read more »]]> This could be one of the biggest disasters for a company. Hackers stole the source code of Symantec’s pcAnywhere back in 2006 and have now claimed to release it to public. In the meantime hackers stole all source code for all the Symantec products i.e Norton Antivirus, Norton works, Internet security, etc.

The hackers had been threatening Symantec in a series of e-mail negotiations with what they thought were representatives of Symantec. The group is known as Yamatough, Indian hacker force operating under the umbrella of Anonymous, had been demanding a $50,000 payoff from Symantec to keep the source code private. Emails are published to Pastebin. Hackers tell Reuters that their intention was never to get the money but to release the code.

“All the Symantec source codes are now on sale! PcAnywhere, System Works, Internet Security and Norton GoBack with Utilities, NAV”, hacker said in one of his tweets. Source code is now available on Pirate bay.

Symantec was prepared for the code to be posted at some point, and has developed and distributed a series of patches since January 23 to protect our users against known vulnerabilities.

“At this time, Symantec recommends disabling the product until we release a final set of software updates that resolve currently known vulnerability risks.”

“We have been conducting direct outreach to our customers since January 23 to reiterate that in addition to applying all relevant patches that have been released, customers should also ensure that PCAnywhere version 12.5 is installed, and follow general security best practices.”

On January 23, Symantec released a patch to secure PCAnywhere 12.5. And then on January 27, the company rolled out another patch directed toward PCAnywhere versions 12.0 and 12.1. The hackers, who call themselves The Lords of Dharmaraja, originally claimed they found the code after breaking into servers run by Indian military intelligence. But Symantec later revealed that the group had captured the code for PCAnywhere and other products by breaking into the security vendor’s own network in 2006.

But Symantec has insisted that since all the source code dates back to 2006, customers of the current versions of these products are at no risk. Though that may be true, the entire incident does raise the question of how a security vendor, of all companies, would be so vulnerable that its key source code could be stolen.

“As the extortion attempt by Anonymous indicates, we’re working with law enforcement right now, Therefore, given the active investigation, we’re not in a position to provide specifics on the incident at this time.”

Symantec is of course sitting silent, they are working on a number of things in order to prevent such mistakes in future:
Improved Network Defenses, Compartmentalized Access to Information, Improved Source Code Security, Improved Process Controls, Employee Education.

Anonymous believed that companies like Symantec had been creating scareware, malwares and spreading them to networks in order to scare users and promote it’s security products. What do you think, is that what Symantec and other security companies do?

We write latest and greatest in Tech GuidesAppleiPhoneTabletsAndroid,  Open Source, Latest in Tech, subscribe to us @geeknizer on Twitter OR on Facebook FanpageGoogle+:

]]>
http://geeknizer.com/download-symantec-nav-pcanywhere-source-code/feed/ 1
Network Spoofer for Android over WiFi [ARP Spoof hacks] http://geeknizer.com/network-spoofer-android-arp-spoof-hacks/ http://geeknizer.com/network-spoofer-android-arp-spoof-hacks/#comments Sun, 29 Jan 2012 17:48:27 +0000 http://geeknizer.com/?p=9651 Read more »]]> Network Spoofer lets you run arpspoof attacks and other fun hacks from Android, messing with your Wifi internet from your phone, just like WifiKill can kick users from Wifi.

Note: This app is just for fun, it doesn’t cause any damages to anyone other than annoyance. Use it with precaution.

The project is similar to the Upside-down-ternet project: from the phone you can flip pictures on someone’s computer upside down. There are couple of fun things you can do with this app. It lets you:

  • Flip pictures on someone’s PC.
  • Change Google searches keywords,
  • redirect websites to some other sites,
  • and many more features to come.

App works well in combination with Shark for Android – combined they allow you to capture packets when logged onto wifi networks.

Simply install from the Android Market (on a rooted device running >2.2), and download the setup files from the application. This requires about 600MB free SD card space. The program needs the phone to be rooted, and have busybox (most custom firmwares have this).

Developers can contribute at Launchpad (main project) and Sourceforge.

Download the App from Market.

We write latest and greatest in Tech GuidesAppleiPhoneTabletsAndroid,  Open Source, Latest in Tech, subscribe to us @geeknizer on Twitter OR on Facebook FanpageGoogle+:
 

]]>
http://geeknizer.com/network-spoofer-android-arp-spoof-hacks/feed/ 0
SEAndroid: Security Enhanced Android by NSA http://geeknizer.com/seandroid-security-enhanced-android-nsa/ http://geeknizer.com/seandroid-security-enhanced-android-nsa/#comments Thu, 19 Jan 2012 18:41:23 +0000 http://geeknizer.com/?p=9573 Read more »]]> Android is the most secure mobile smartphone OS in the market today, thanks to the inherent sandboxing inspired from world’s most secure browser: Chrome.

Such security is really consumer grade, its secure in the real world but may not be secure enough for driving Top most secret tasks like the ones Government agencies like NSA is involved with.

The National Security Agency (NSA) released the first version of their custom build of Google’s popular OS, called Security Enhanced Android. The system is designed to minimize the impact of security holes on Android. The SEAndroid project is enabling the use of SELinux in Android in order to limit the damage that can be done by flawed or malicious apps.

SEAndroid is born with robust support for:

  • Per-file security labeling support for yaffs2,
  • Filesystem images (yaffs2 and ext4) labeled at build time,
  • Kernel permission checks controlling Binder IPC,
  • Labeling of service sockets and socket files created by init,
  • Labeling of device nodes created by ueventd,
  • Flexible, configurable labeling of apps and app data directories,
  • Userspace permission checks controlling use of the Zygote socket commands,
  • Minimal port of SELinux userspace,
  • SELinux support for the Android toolbox,
  • Small TE policy written from scratch for Android,
  • Confined domains for system services and apps,
  • Use of MLS categories to isolate apps.

You can integrate SEAndroid into your own Custom ROM. First, you should make sure that you are able to successfully download, build and run the Android Open Source Project (AOSP) source code by following the instructions starting from http://source.android.com/source/initializing.html

Once you have successfully built and run AOSP, you can obtain a local manifest specifying the SE Android git trees from http://selinuxproject.org/~seandroid/local_manifest.xml. Copy this file to the .repo subdirectory of your AOSP clone, and then run repo sync. Your tree should now include the SE Android modifications. For further dev info, visit the official Wiki.

We write latest and greatest in Tech GuidesAppleiPhoneTabletsAndroid,  Open Source, Latest in Tech, subscribe to us @geeknizer on Twitter OR on Facebook FanpageGoogle+:

]]>
http://geeknizer.com/seandroid-security-enhanced-android-nsa/feed/ 0
Decipher, Bypass Captcha codes [DeCaptcha] http://geeknizer.com/decipher-bypass-captcha-codes/ http://geeknizer.com/decipher-bypass-captcha-codes/#comments Thu, 03 Nov 2011 16:15:39 +0000 http://geeknizer.com/?p=9067 Read more »]]> To bypass spams and brute force attempts on various sites, whether its registering for accounts or submitting forms, sites world over use Captcha codes. Till today, these captcha codes would have to be entered as indicated by humans, but this is changing with discovery of new way to decipher it.

Captcha stands for Completely Automated Public Turing Test to differentiate between Computers and Humans. It was invented by Carnegie Mellon University computer science graduate student in 2000 as a security tool to safeguard web sites from automated bot attacks and spammers.

Team of researchers at Stanford have outsmarted the Captcha codes. Their anti-spam tool-breaker was able to kill off captcha’s protective cover.

“As we substantiate by thorough study, many popular websites still rely on schemes that are vulnerable to automated attacks. For example, our automated Decaptcha tool breaks the Wikipedia scheme… approximately 25% of the time. 13 out of 15 of the most widely used current schemes are similarly vulnerable to automated attack by our tool. Therefore, there is a clear need for a comprehensive set of design and testing principles that will lead to more robust captchas.”

Decaptcha is capable of isolating the text from noise in the captcha image. From the clean text image, it then runs a smart OCR (optical character recognition) to translate image to text.Each text character is identified individually.

To prototype was able to break into Real world websites with Captcha. Decaptcha worked successfully on Visa’s Authorize.net payment gateway was defeated 66 per cent of the time. eBay’s captcha was sidestepped 43 per cent of the time. Lower thwart rates were recorded at Wikipedia, Digg and CNN.

Google and reCAPTCHA were the only two that beat out the Stanford team’s automated tool–no gotchas for either one.

More details: PDF

We write latest and greatest in Tech GuidesAppleiPhoneTabletsAndroid,  Open Source, Latest in Tech, subscribe to us@geeknizer on Twitter OR on Facebook Fanpage:

]]>
http://geeknizer.com/decipher-bypass-captcha-codes/feed/ 1
How Police can Tap, Steal Phone data http://geeknizer.com/how-police-can-tap-steal-phone-data/ http://geeknizer.com/how-police-can-tap-steal-phone-data/#comments Sat, 01 Oct 2011 21:43:07 +0000 http://geeknizer.com/?p=8855 Read more »]]> You will be amazed by the fact that Police can now Tap & steal your personal data from your smartphone/ feature-phone alike. This data is extremely valuable, contains not just the call records, Text but also your location history and what not.

Michigan police was already found to do that last month, but if sources are to be trusted, they are going nationwide in US and soon in several other countries. The device used is the CelleBrite UFED, which is able to copy most of the data on over 2500 different mobile devices. It does all that in under 2 minutes. UFED brochure claims:

The UFED system extracts vital information from 95% of all cellular phones on the market today, including smartphones and PDA devices (Palm OS, Microsoft, Blackberry, Symbian, iPhone, and Google Android). Simple to use even in the field with no PC required, the UFED can easily store hundreds of phonebooks and content items onto an SD card or USB flash drive.

And technical description:

The UFED hardware with Physical Extraction module, used to create Physical and/or Logical dumps from mobile devices, which can then be saved to a USB disk drive, SD memory card, or directly to your PC.ƒ The UFED Physical Analyzer (PA) PC application, which provides an in-depth physical memory analysis of the extracted mobile phone data (phonebook contents, SMS messages, call logs, image files, video files, audio files, and more) The Physical Analyzer also serves to generate comprehensive and verified evidence reports of relevant data extracted and analyzed from the mobile device.

The UFED Physical Analyzer software allows the investigator to perform in-depth analysis of the extracted data
and generate reports. The UFED PA application provides the following key features:

  • ƒ Analysis of the hex dump with a layered view of memory content
  • Provides a detailed view of the hex dump
  • Reconstructs the phone file system
  • Decodes contact lists, SMS messages, call logs, phone information (IMSI, ICCID, user codes) and more
  • Provides a view of data files – images, videos, etc.
  • Provides access to both current and deleted data
  • Retrieves phone passwords
  • Simple viewing and user friendly browsing of information

ƒ Powerful search tools

  • Instantly search for project content
  • Search the hex dump or file system

Search by various parameters such as strings, bytes, numbers, dates

  • Use GREP search (regular expressions) to look for specific data strings
  • Bookmarking memory locations for indexing of key areas for later review

The ACLU fears that the next time you get stopped for speeding in Michigan, you’ll be handing over your cell phone, and your entire mobile history, to the nice officers. Of course, you have no idea into what all they can grab. Of course, you don’t have an option.

There’s something thats more scary than being able to extract your information — Being able to inject information into the phone like fake call logs, gps logs, text messages, calendar appointments. It would open your call log SQLLite DB (in the case of an iPhone, Android) and write a new entry. e.g. If my intake information says I received the phone at 15:20:00 but there is a write to phonecalls.sql at 16:22:00 User better have a logical explanation.

We write about GoogleTwitterSecurityOpen SourceProgrammingWebAppleiPhoneAndroid and latest in Tech @geeknizer on Twitter or by subscribing below:

 

]]>
http://geeknizer.com/how-police-can-tap-steal-phone-data/feed/ 1
Access Anyone’s Location Database http://geeknizer.com/access-anyones-location-database/ http://geeknizer.com/access-anyones-location-database/#comments Mon, 01 Aug 2011 08:04:12 +0000 http://geeknizer.com/?p=8442 Read more »]]> Microsoft had been trying to build a location database, similar to what Google had done using street view cars, consisting of data based on publicly broadcast MAC addresses with their corresponding street address. This data includes your phones and laptops. That’s fine right? No, not really,  Microsoft didn’t secure the database and is available to anyone on the web who cares.

Microsoft is gathering data from Windows Phone 7 handsets that connect to wi-fi networks, along with cars that go around sniffing out hotspots, and logging it all here. I don’t know why by anyone can get access to the data. Cnet did a self test of various MAC address of its Windows devices and found themselves with complete location history.

How it Works: iPhone and Android devices automatically change their Wi-Fi MAC address when acting as an access point. Android devices appear to choose a MAC address beginning with 02:1A.

Google’s database doesn’t include the MAC address 02:1A:11:F2:12:FF. But Microsoft’s does, and reports that it is located in the Embassy of Montenegro on New Hampshire Avenue in Washington, D.C.

Ugly Part: Since you might have used your smartphone’s Tether Wifi hotspot,  its highly possible that your data has been captured by Microsoft and available to public. If an attacker knows your MAC address, he already knows your mobile activity on the map. Story doesn’t end here, Microsoft still doesn’t comment on whether they collect additional data on the WP7 devices  like the devices connected to the network. What this means is that they might have also captured all phones, laptops connected to those Wifi networks. So If you’ve ever connected to a Wifi (which you often do), your location might be already public to everyone.

Microsoft’s statement:

“To provide location-based services, Microsoft collects publicly broadcast cell tower IDs and MAC addresses of Wi-Fi access points via both user devices and managed driving. If a user chooses to use their smartphone or mobile device as a Wi-Fi access point, their MAC address may also be included as a part of our service. However, since mobile devices typically move from one place to another they are not helpful in providing location. Once we determine that a device is not in a fixed location, we remove it from our list of active MAC addresses.”

Ugliest part of the whole story is that  there’s no way to “Opt-out”, you can’t prevent your MAC address from being added.

How to check if your location is Public or not

Go to this website and enter your mac address, if you see your location info, go and fight with them.

Update: 31st July – Microsoft seemed to have fixed the problem [via]

We write latest and greatest in Tech GuidesAppleiPhoneTabletsAndroid,  Open Source, Latest in Tech, subscribe to us @geeknizer on Twitter OR on Facebook Fanpage:

]]>
http://geeknizer.com/access-anyones-location-database/feed/ 1
Lulzsec hacks 62,000 Passwords, publishes online, User Security compromised http://geeknizer.com/lulzsec-hacks-passwords-user-security-compromised/ http://geeknizer.com/lulzsec-hacks-passwords-user-security-compromised/#comments Sat, 18 Jun 2011 17:24:10 +0000 http://geeknizer.com/lulzsec-hacks-passwords-user-security-compromised/ Read more »]]> lulzsecLulzsec is the biggest name these days that scares almost every organization around the world, government and private companies alike.

Lulzsec hacker group have been on a hacking rampage since a while now. They have been taking down sites of the CIA, Sony, FBI and a bulk of other large and small companies. Motive behind the hacks has rather been dicey, is it for fun or something else. The document is available on Pastebin and their activities are visible via their Twitter account.

Very recently they hacked released 62,000 username and passwords of a popular porn site. However, the ugly part of the story is that users tend to have similar passwords for all their accounts: mail, facebook and even paypal. Hackers and script buggies have been scanning the password list and discovered that this is actually the case for most users whose username/passwords have been shared in the leak.

If you analyze the password list, its not hard to figure out that a lot of users registered on the porn site are actually people from government organizations. Other than that Google, Yahoo, facebook have already out the accounts corresponding to those ids on hold till user verifies the ownership to prevent all kinds of misuses. However, hotmail and other unpopular email providers are still vulnerable.

What You can do: Staying secure online

Go through the password list and if you are on it, you are probably already in trouble. Going further, make it a habit to have different user/password combos for different sites. Doing so can be hard but if you follow a pattern for passwords, remembering them could be piece of a cake. e.g. you can change the first or last digit of the password based on the domain name. A password that was “pA$$w0rdG” on gmail would become  “pA$$w0rdf” on facebook. Do something similar, but purely your own idea.

What is the Future of LulzSec

Lulzsec would continue to hack down the internet with almost no clear intent. The press release states that for the past month or so they have been causing chaos throughout the internet by attacking several targets and they’re going to bring down more internet laws by continuing their public shenanigans, and that their actions are causing clowns with pens to write new rules for users.

They say that releasing data is just as ‘evil’; however they mock by saying, “This is the Lulz lizard era, where we do things just because we find it entertaining.”

They conclude by saying, “We’ve been entertaining you 1000 times with 140 characters or less, and we’ll continue creating things that are exciting and new until we’re brought to justice, which we might well be.“

We write latest and greatest in Tech Guides, Apple, iPhone, Tablets, AndroidOpen Source, Latest in Tech, subscribe to us@geeknizeron Twitter OR on Facebook Fanpage:

]]>
http://geeknizer.com/lulzsec-hacks-passwords-user-security-compromised/feed/ 4
Governments use Facebook to Spy on Citizens http://geeknizer.com/government-uses-facebook-to-spy/ http://geeknizer.com/government-uses-facebook-to-spy/#comments Wed, 18 May 2011 18:28:35 +0000 http://geeknizer.com/?p=7707 Read more »]]> Our Governments are getting smarter with growing age of the web. They are now employing more and more mechanisms to monitor citizens online, thanks to the social network addictions.

Government has shifted its older ways of monitoring traditional landlines, phone calls, to cell phones and email, while they try to hunt down the criminals and terrorists.

We don’t care about this, coz its for our own safety at the cost of privacy that remains in the hands of officials behind closed doors. But the truth is, giving backdoor access to governments make a business’ data more vulnerable to the bad guys as well.

Which Countries spy on citizens?

Governments in US, UK and EU already monitor citizen’s mode of communications.

How do they do it?

Government may not peek into everything, but the most relevant data like: Email subject lines, mobile phone GPS locations, call histories. Trust me, this data dtogether makes up piles of data that is sent for monitoring to governments.

Julian Assange, head of WikiLeaks,  stated that tech companies, such as Facebook, are so accessible to US intelligence agencies that they act as de facto information gathering sources. You would be surprised to knwo the facts shown in the video below:

EU is working with several telecom giants to assist them in establishing automated data mining for mobiles, email, social networks, etc. This data, however, is not accessible to any human, a unless required. Mostly smart algorithms would determine suspicious activity before they are put under scrutiny.

Backdoors that grant access to the FBI or NSA also serve as tempting targets for everyone else. Whether they are exploited for identity theft, or used to coordinate concentrated cyber attacks from other nations, wiretapping access is a proven weak point in telecommunication security.

Here’s another news video on the topic:

How secure is your online information? Depends on how much attention you’ve gained by posting an update to the web.

via NYtimes

We write latest and greatest in Tech GuidesAppleiPhoneTabletsAndroid,  Open Source, Latest in Tech, subscribe to us@geeknizer on Twitter OR on Facebook Fanpage:

]]>
http://geeknizer.com/government-uses-facebook-to-spy/feed/ 0
How Osama Bin Laden was Tracked, Technically http://geeknizer.com/how-osama-bin-laden-was-tracked/ http://geeknizer.com/how-osama-bin-laden-was-tracked/#comments Mon, 02 May 2011 17:16:29 +0000 http://geeknizer.com/?p=7534 Read more »]]> osama-trackedU.S. secret agencies had been gathering information from people in Bin Laden’s circle. One of the major advances was made by retrieving information about his personal couriers. After few attacks, detainees gave the secret agencies information on couriers. By 2009, a little actual progress was made as they identified areas in Pakistan where the courier and his brother operated.

In August 2010, they found their home in Abbottabad, a suburb which is less than 40 miles from the Islamabad, the capital of Pakistan. Everything about Osama’s compound was extraordinarily unique which brought more and more attention. It was not just 8 times larger than the other homes in the area, it had a lot of physical security in place with 12 to 18 feet walls, guarded by two giant security gates.

Strangely enough, there was barely any communication between this compound and the outer world. There were little to no social activity and had strange forensics. It preferred burning its trash, and there were no open windows for fresh air to come in. Despite the gigantic and costly architecture, it had no means of communications: No internet, no phones.

The secret agencies and the army had no concrete proof, but everything leaded to the same conclusion. No one could afford and match the semantics of this place other than the man himself. Whole of this information was not shared with anyone, and was limited to a small group of people, which made the attack possible.

Background Intelligence (Technology Used to Track Osama)

All of this has a longer history. Joint Special Operations Command or JSOC had been in command for years trying to find tits and bits of information and compile them into something more concrete.

The way JSOC solved this problem still remains a top secret, but it is said that commandos learned basic criminal forensic techniques and then used highly advanced and still-classified technology to transform bits of information into actionable intelligence. One way they did this was to create forward-deployed fusion cells, where JSOC units were paired with intelligence analysts from the NSA and the NGA. Such analysis helped the CIA to establish, with a high degree of probability, that Osama bin Laden and his family were hiding in that particular compound.

These technicians could “exploit and analyze” data obtained from the battlefield instantly, using their access to the government’s various biometric, facial-recognition, and voice-print databases. These cells also used highly advanced surveillance technology and computer-based pattern analysis to layer predictive models of insurgent behavior onto real-time observations.

The military has begun to incorporate such techniques across the services and improvements are on their way in areas where intelligence is gathered, analyzed, and utilized.

We write latest and greatest in Tech Guides, Apple, iPhone, Tablets, AndroidOpen Source, Latest in Tech, subscribe to us@geeknizer on Twitter OR on Facebook Fanpage:

]]>
http://geeknizer.com/how-osama-bin-laden-was-tracked/feed/ 0
Find, Lookup Corporate Email addresses http://geeknizer.com/find-corporate-email-address/ http://geeknizer.com/find-corporate-email-address/#comments Wed, 27 Apr 2011 18:54:21 +0000 http://geeknizer.com/find-corporate-email-address Read more »]]> Security breaches happen often sometimes causing good amount of damages and sometimes insane. Email, the primary mode of our communication still has little signatures that can be relied upon.

Security researchers have comeup with a new tool that can verify email account existance/genuineness for people at businesses, even if the address hasn’t been published online and lies in a closed private company.

Peepmail assures the delivery of emails to everyone from Apple’s Steve Jobs and Microsoft’s Steve Ballmer to the random guy whose business card you lost. It uses the knowledge of the mail protocol to verify email delivery. Simply stated, its based on the fact that many email servers will inform the email sender whether the address is valid, even before the message is actually sent.

Peepmail does a great job at finding the email address for any person in the world using his first, second name. Peepmail tests permutations of the name until the company’s email server responds with a message that indicates the address is valid. However, peepmail tricks the server, and doesn’t actually sends the email, so the person being looked up has no idea about it.

We tried peepmail to actually locate email addresses of business corporates. With our tests, the app did a good job by giving the right email 50 percent of the time.

For cetain searches, the tool failed to return any email address, thats because some mail servers don’t actually reply back whether an address is valid before getting the email. They just digest every incoming email and later send back an error message only after the offending email is sent.

The developer of the tool claims that the tools is not intended to hurt privacy of the corporates, but its a Proof of concept that shows how vulnerable our email servers are, and how bad our Email security is,  “I created the tool to demonstrate what has been possible for years but very few people know,” he said.

We write latest and greatest in Tech GuidesAppleiPhoneTabletsAndroid,  Open Source, Latest in Tech, subscribe to us@taranfx on Twitter OR on Facebook Fanpage:

]]>
http://geeknizer.com/find-corporate-email-address/feed/ 0
US Army uses Android Smartphone for Soldiers http://geeknizer.com/us-army-android-smartphone/ http://geeknizer.com/us-army-android-smartphone/#comments Fri, 22 Apr 2011 19:25:12 +0000 http://geeknizer.com/us-army-android-smartphone Read more »]]> US army had been looking to equip their soldiers with smartphones designed to integrate the team with a powerful custom interface.  And for them, the Droid does prove out to be the solution.

So far, tech nonprofit MITRE has made a lot of progress on the project and the prototype is ready under the name ” the Joint Battle Command-Platform”. It is now under some testing in the simulated battelfields, before it steps into the real army battlefields. The SDK used to develop apps for the Joint battle command platform is called the Mobile/Handheld Computing Environment, and army would releasing the sdk in June 2011 for app developers.

There will be lots of different apps that would empower the soldiers in the fields. There would be app that would provide mapping function that displays location and movements of all the soldiers and help them communicate the strategy better (Blue Force Tracker program). There will be some cloud to phone data exchange rebranded as “Critical messaging” to exchange crucial data like medevac requests and on the ground reporting.

“I was just shown a quick, little, five-minute brief on it – that’s all it took and we were ready to use them,” said Spc. Randy Fite, who like Bui experimented with the JBC-P Handheld prototype during a recent training exercise at Fort Bragg, N.C. He said the app’s blue icons indicating the GPS locations of his fellow Soldiers helped them navigate and coordinate actions during the capture.
“We can know where each unit is in our platoon, and how they’re moving,” Fite said. “It makes the job a lot easier.”

The army would face lots of challenges especially for areas with low or no signal coverage, which is something very common for battlefields.  Also, the army has high hopes on designing a phone hardware that is rugged enough to withstand wears and tears of all sorts.

This android based tablet/smartphone platform would help them phase out the current generation communication system: Nett Warrior – a suite of sensors, other functions which smartphones do much more easily. The complete system of Joint battle command platform would weigh less than 2 pounds, making it way better than Nett warrior.

Army’s aim is to build a core framework that can run on a large number of hardwares and form factors, obviously Android is the best (and only?) option they could have thought about. iOS is way too restrictive as per the officials, among which there are several iPhone lovers.

We write latest and greatest in Tech Guides, Apple, iPhone, Tablets, AndroidOpen Source, Latest in Tech, subscribe to us@taranfx on Twitter OR on Facebook Fanpage:

]]>
http://geeknizer.com/us-army-android-smartphone/feed/ 0
Disable iPhone location Tracking History http://geeknizer.com/disable-iphone-location-tracking-history/ http://geeknizer.com/disable-iphone-location-tracking-history/#comments Thu, 21 Apr 2011 18:53:25 +0000 http://geeknizer.com/disable-iphone-location-tracking-history Read more »]]> iphone-location-trackYour iPhone secretively tracks your location, all the way without permission. This may freak out almost every user, its creepy and its true.

Apple has integrated this malicious behavior into iOS 4 and its so dirty that it takes automatic backups every time it’s connected to iTunes, then pulls out a lifelong list of your locations, timestamps included. This data can be visualized using iPhoneTracker, showing you complete location history.

Apple uses Cellular tower triangulation and that’s why it always works no matter your GPS is off or out of range. This location data is available to any person (or app) that knows where to look.

How to Disable iPhone location Tracking

Thanks to the Jailbroken app in Cydia, its now possible to escape this apple’s blunder. The app is called “Untrackerd” and it continuously watches and deletes the database that is used by apple to store location data. The app is available for free on Cydia under BigBoss repository, simply search for Untrackerd on Cydia and install it to prevent your iPhone from tracking your location.

Untrackerd

The package [will install a] daemon (process that can run in the background) to clean consolidated.db file. No new icons are added to your homescreen. There are no options to configure.

We write latest and greatest in Tech Guides, Apple, iPhone, Tablets, AndroidOpen Source, Latest in Tech, subscribe to us@taranfx on Twitter OR on Facebook Fanpage:

Read more about how to Jailbreak your iPhone: http://geeknizer.com/untethered-jailbreak-ios-4-3-2-iphone-ipad-ipod-touch

]]>
http://geeknizer.com/disable-iphone-location-tracking-history/feed/ 0
Hackers Hack Car with Music http://geeknizer.com/hack-car-with-music/ http://geeknizer.com/hack-car-with-music/#comments Sat, 19 Mar 2011 16:11:07 +0000 http://geeknizer.com/hack-car-with-music Read more »]]> car-hacking.jpgIt was once said that by English playwright William Congreve “music has charms to soothe a savage breast, to soften rocks, or bend a knotted oak.” As per the latest research, music actually lets hackers break into your car.

Researchers at UaC & University of Washington have spent years trying to fin security flaws in modern cars which are controlled via mini-computer systems and so far they have identified a bunch of security flaws in cars.

The most interesting attacks were triggered via car’s Bluetooth and cellular network systems, or through malicious software in the diagnostic tools used in automotive repair shops.

The one that interested us was on the Car stereo. By adding extra code to a digital music file, they were able to turn a song burned to CD into a Trojan horse. When played on the car’s stereo, this song could alter the firmware of the car’s stereo system, giving attackers an entry point to change other components on the car. This type of attack could be spread on P2P file-sharing networks without arousing suspicion.

“It’s hard to think of something more innocuous than a song,” said Stefan Savage, a professor at the University of California.

The same team had achieved wide Car hacks in experiments in which they were able to kill the engine, lock the doors, turn off the brakes and falsify speedometer readings on a late-model car of 2009. In that experiment, they had to plug a laptop into the car’s internal diagnostic system in order to install their malicious code. In 2010, team also hacked Cars from wireless tyre sensors.

But the latest research, is about remotely controlling cars. The attacks over Bluetooth, the cellular network, malicious music files and via the diagnostic tools used in dealerships were all possible, if difficult to pull off, Savage said. “The easiest way remains what we did in our first paper: Plug into the car and do it,” he said.

Car Hacking: Possibilities & Future

Now, thieves could instruct cars to unlock their doors and report their GPS coordinates and Vehicle Identification Numbers to a central server. “An enterprising thief might stop stealing cars himself, and instead sell his capabilities as a service to other thieves,” Savage said. A thief looking for certain kinds of cars in a given area could ask to have them identified and unlocked, he said.

With the high technical barrier to entry, the researchers believe that hacker attacks on cars will be very difficult to pull off, but they say they want to make the auto industry aware of potential problems before they become pervasive.

Another problem for would-be car thieves is the fact that there are significant differences among the electronic control units in cars. Even though an attack might work on one year and model of vehicle, it’s unlikely to work on another. ”

So far, carmakers have been very receptive to the university researchers’ work and appear to be taking the security issues they’ve raised very seriously.

We write latest and greatest in Tech Guides, Apple, iPhone, Tablets, Android, Open Source, Latest in Tech, subscribe to us @taranfx on Twitter OR on Facebook Fanpage:

]]>
http://geeknizer.com/hack-car-with-music/feed/ 0
How to Hack GSM Nework, Phone http://geeknizer.com/how-to-hack-gsm-nework-phone/ http://geeknizer.com/how-to-hack-gsm-nework-phone/#comments Sat, 01 Jan 2011 13:05:15 +0000 http://geeknizer.com/how-to-hack-gsm-nework-phone Read more »]]> gsm-hackedA Group of researchers demonstrated a start-to-finish means of monitoring an encrypted GSM cellphone calls and text messages, using only sub-$15 telephones as network “sniffers,” attached to a laptop computer  powered by open source softwares.

GSM Security is inherently weak and that’s why it was made possible to Hack GSM Security (GSM’s 64-bit A5/1 encryption), last year. However, governments own devices that are worth $50,000, which essentially monitor phone activities for National security.

“GSM is insecure, the more so as more is known about GSM,” said Security Research Labs researcher Karsten Nohl. “It’s pretty much like computers on the net in the 1990s, when people didn’t understand security well.”

Every aspect of the GSM Hack was demonstrated from start to end including scenarios in which GSM networks exchange subscriber location data, in order to correctly route phone calls and SMSs, allows anyone to determine a subscriber’s current location with a simple Internet query, to the level of city or general rural area. Once a phone’s City is known, a potential attacker can drive through the area, sending the target phone “silent” or “broken” SMS messages that do not show up on the phone. By sniffing to each bay station’s traffic, listening for the delivery of the message and the response of the target phone at the correct time, the location of the target phone can be more precisely identified.

GSM Network Sniffer

Researchers replaced the firmware of a simple Motorola GSM phone with their own, which allowed them to retain the raw data received from the cell network, and examine more of the cellphone network space than a single phone ordinarily monitors. Modifying the USB interface, helped them send this data in real time to a computer, which captured every bit of the information.

By sniffing the network while sending a target phone an SMS, they were able to determine precisely which random network ID number belonged to the target. This gave them the ability to identify which of the myriad streams of information they wanted to record from the network. After that, the next step is essentially decrypting the information. ITs not that easy, but was made possible by the way operator networks exchange system information with their phones.

gsm-hack

As part of this background communication, GSM networks send out identifying information, as well as “keepalive” messages and empty spaces are filled with buffered bytes. Truth be told, a new GSM standard was put in place several years ago to turn these buffers into random bytes, they in fact remain largely identical today, under a much older standard. Sticking to older standards enabled hackers to predict with a high degree of probability the plain-text content of these encrypted system messages. This, combined with a 2 terabyte table of pre-computed encryption keys (a so-called rainbow table), allows a cracking program to discover the secret key to the session’s encryption in about 20 seconds. (Rainbow tables are usually used in all kinds of Brute-force password hacking).

Many GSM operators reuse these session keys for several successive communications, allowing a key extracted from a test SMS to be used again to record the next telephone call, minimizing the need for recomputation.

The process was demonstrated using their software to sniff the headers being used by a phone, extract and crack a session-encryption key, and then use this to decrypt and record a live GSM call between two phones in no more than a few minutes.

gsm-phone-hack

Can something be done about GSM’s security?

Any geek can make such devices and with the help of the open source software, can mimic these hacks. So can we really do something to prevent these kinds of hacks from happening?

“Much of this vulnerability could be addressed relatively easily”, Nohl said. “Operators could make sure that their network routing information was not so simply available through the Internet. They could implement the randomization of padding bytes in the system information exchange, making the encryption harder to break. They could certainly avoid recycling encryption keys between successive calls and SMSs”.

“This is all a 20-year-old infrastructure, with lots of private data and not a lot of security,” he said. “We want you to help phones go through the same kind of evolutionary steps that computers did in the 1990s.”

Worst part is, all the current 3G phones are NOT shielded from this hack. Knowing that 3G is primarily used for Data, its now easy to capture any 3G user’s online activity including their passwords and credit card numbers.

Maybe its high time for GSM consortium to wakeup and address these issues, or atleast learn few things from CDMA networks, which are inherently secure.

Resources:

Rainbow tables, Airprobe, Kraken  srlabs.de
OsmocomBB firmware osmocom.or

PDF Presentation

The Video Presentation can be downloaded here: Part1, Part2.

We write about SecurityOpen Source, Programming, Web, Apple, iPhone,Android and latest in Tech @taranfx on Twitter or by subscribing below:

]]>
http://geeknizer.com/how-to-hack-gsm-nework-phone/feed/ 0