vCard Vulnerability : WhatsApp

1.     WhatsApp,the exceedingly renowned application that has actually swung around the way we all chat, talk, share and do so many things has so many PROs but over this small period of time since its inception it has also been the quarry of cyber criminals. With a user base as strong as 900 million active users in Apr 2015,any vulnerability in the architecture cosmos is destined to be a remunerative lure for any cyber criminal. A recent vulnerability in the form of simply sharing a vCard with other user discovered by Check Point security researcher Kasif Dekel has come to the fore. It involves simply sharing the seemingly guileless vCard with the victim and as the victim clicks the vCard, his task his over since rest will be done in the background by the malicious code terra incognita to the user. This vCard actually exists as an executable file and gets into action the moment it gets clicked by the user in the application. 

 

 

RESOLVED by update from WhatsApp 

2.   WhatsApp affirmed and recognized the security egress and have released the fix in all versions greater than 0.1.4481 and blockaded that especial lineament. 

How it Happens? 

3.   To activate the code, Kasif Dekel ascertained an attacker could just inject the command to the name attribute of the vCard file, separated by the ‘&’ character. When executed, it will attempt to run all lines in the files, including controlled injection line. Once such a contact is made, all an attacker has to do is share it via the normal WhatsApp client. 

What made the application Vulnerable? 

4.    WhatsApp Web allows users to view any type of media or attachment that can be sent or viewed by the mobile platform/application. This includes images, videos, audio files, locations and contact cards.Thus the default action runs for the vCard for running the code whilst being understood as sharing the contact details. 

 

What can it do ?

 

Once the code is activated,it is bound to take complete control over the target machine and will definitely monitor the user’s activities and use the target machine to spread malicious malwares and viruses ahead.

Timelines by CHECKPOINT on the vulnerability 

 
    August 21, 2015 – Vulnerability disclosed to the WhatsApp security team.
    August 23, 2015 – First response received.
    August 27, 2015 – WhatsApp rolls out fixed web clients (v0.1.4481)
    September 8, 2015 – Public disclosure 

Thanks CHECKPOINT

Android Factory Reset : How trustworthy from a PRIVACY view?

1.  It is an accepted fact that one can remove all data from Android devices by resetting it to factory settings, or doing a "force reset." One can do so by either using the Settings menu to erase all your data or by using the Recovery menu.It is also understood that by performing a factory data reset, all data — like apps data, photos, and music etc will be wiped from the device.This reset in most of the cases will be required as a maintenance issue or when the user decides to sell his mobile to some other third guy.Now when he does a factory reset for ensuring himself that all his/her data is removed from the mobile,there is a sad angle recently revealed in a paper named "Security Analysis of Android Factory Resets" by Laurent Simon and Ross Anderson@University of Cambridge available at http://www.cl.cam.ac.uk/~rja14/Papers/fr_most15.pdf  that proves with technical demonstrations to negate the fact that the data and all privacy of accounts goes with the reset.Read on further for brief details...

2.  Even with full-disk encryption in play, researchers found that performing a factory reset on Android smart-phones isn’t always what it’s assumed safe up to be.Researchers found the file storing decryption keys on devices was not erased during the factory reset and they were successfully able to access data “wiped” Android devices from a wide variety of sources, including text messages, images, video, and even third-party applications. What’s more, researchers were able to “recover Google authentication tokens”, thereby enabling them to sync up any data a user had tied to Google’s services, including private emails.The study unveils five critical failures:

- the lack of Android support for proper deletion of the data partition in v2.3.x devices;

- the incompleteness of upgrades pushed to flawed devices by vendors;

- the lack of driver support for proper deletion shipped  by  vendors  in  newer  devices  (e.g.  on  v4.[1,2,3]);

- the  lack  of  Android  support  for  proper  deletion  of  the internal  and  external  SD  card  in  all  OS  versions; 

- the fragility  of  full-disk  encryption  to  mitigate  those  problems up to Android v4.4 (KitKat)

RECOVERY DETAILS OF DATA BY RESEARCHERS

ATTRIBUTED REASON

3.   Smartphones  use  flash  for  their  non  volatile  memory storage  because  it  is  fast,  cheap  and  small.  Flash  memory is  usually  arranged  in  pages  and  blocks.  The  CPU  can read  or  write  a  page  (of  typically  512+16  to  4096+128 data+metadata  bytes),  but  can  only  erase  a  block  of  from 32   to   128   pages.   Each   block   contains   both   data,   and “out-of-band”  (OOB)  data.When  removing  a  file,  an  OS  typically  only  deletes  its name  from  a  table,  rather  than  deleting  its  content.  The situation is aggravated on flash memory because data update does not occur in place, i.e. data are copied to a new block to  preserve  performance,  reduce  the  erasure  block  count and  slow  down  the  wear.  This makes a vulnerable issue as realised here by both these researchers.

Hardening your Android Device : Few Essentials

1.   Android is the most popular mobile platform in the world, with a wide variety of applications, including many applications that aid in communications security, censorship circumvention, and activist organization. Moreover, the core of the Android platform is Open Source, auditable, and modifiable by anyone. Unfortunately though, mobile devices in general and Android devices in particular have not been designed with privacy in mind. In fact, they've seemingly been designed with nearly the opposite goal: to make it easy for third parties, telecommunications companies, sophisticated state-sized adversaries, and even random hackers to extract all manner of personal information from the user. This includes the full content of personal communications with business partners and loved ones. Worse still, by default, the user is given very little in the way of control or even informed consent about what information is being collected and how.

 

2.  This presentation brings out few basic steps that every android phone user should configure to harden his/her device.Although the list is not completely exhaustive but it brings out basic necessities as expected from any smart user.

 

DeathRing: Non-removable Pre-installed Malware@Androids

The smart-phones penetration in our country and for that matter any country has been seeing explosion like never before...from cheap mobiles with luring specs to high end smart-phones by Apple,Samsung,Sony etc.The growing and already a subject matter of concern in IT ie SECURITY is majoring as a serious threat in the mobile world too...like the Microsoft b70 case few years back(click here for details)....As evidenced by the latest pre-loaded malware identified called DeathRing that’s  a Chinese Trojan that is pre-installed on a number of smart-phones most popular in Asian and African countries.

as evidenced by the latest pre-loaded malware Lookout identified called DeathRing.

Read more: DeathRing: Pre-loaded malware hits smartphones for the second time in 2014 (https://blog.lookout.com/?p=15835)

as evidenced by the latest pre-loaded malware Lookout identified called DeathRing.

Read more: DeathRing: Pre-loaded malware hits smartphones for the second time in 2014 (https://blog.lookout.com/?p=15835)

as evidenced by the latest pre-loaded malware Lookout identified called DeathRing.

Read more: DeathRing: Pre-loaded malware hits smartphones for the second time in 2014 (https://blog.lookout.com/?p=15835)

[SOLVED] Unable to mount SAMSUNG_Android : Error initializing camera: -60 : Could not lock the device

1.   This is a common issue for Ubuntu users trying to transfer files from a Samsung or any Android Mobiles.You get the following screen as seen below :

2.   Two simple terminal commands should be able to solve this issue :

First : sudo add-apt-repository ppa:langdalepl/gvfs-mtp

Second : sudo apt-get update

3.  Running these you will get something like this ready to explore the folders :

UBUNTU 12.04 LTS beats Windows 7,MAC @ GCHQ Report

1.    Now this is some good news for all Ubuntu lovers.Ubuntu 12.04 LTS has topped a UK security agency’s security assessment of mobile and desktop operating systems.CESG (originally Communications-Electronics Security Group) is the group within GCHQ(an intelligence and security organization, working to keep Britain safe and secure in the challenging environment of IT communications).CESG conducted a series of tests in the last few months to review a set of 11 operating systems which currently run on various devices such as desktops, laptops, servers, mobile phones and tablets. The security assessment included the following categories:

    - VPN
    - Disk Encryption
    - Authentication
    - Secure Boot
    - Platform Integrity and Application Sandboxing
    - Application Whitelisting
    - Malicious Code Detection and Prevention
    - Security Policy Enforcement
    - External Interface Protection
    - Device Update Policy
    - Event Collection for Enterprise Analysis
    - Incident Response

2.   Ubuntu 12.04 LTS is the only operating system to fully pass 9 of the 12 listed security recommendations above.Ubuntu was marked down on VPN and encryption because its implementation/software has yet to be independently assessed by an approved CESG body.The VPN issue is likely to be addressed in the UBUNTU 14.04 LTS thats likely arrival date is somewhere in Apr 2014...ie in another about two months from now.

3.    The list of operating systems which were compared are mentioned below :

- Windows 7/8
- Android 4.2
- Samsung devices with Android 4.2
- Apple iOS6
- Apple OSX 10.8
- Blackberry 10.1(EMM Corporate)
- Blackberry 10.1(EMM Regulate)
- Google Chrome OS 26
- Windows 8 RT
- Windows Phone 8

4.  What Canonical has to say about this

“We are working hard to close the gap and make Ubuntu clearly stand out as the most trustworthy operating system for the future and we hope to make excellent progress before our next LTS release in April 2014, 14.04 LTS, which will be even better,” Darryl Weaver, Canonical Sales Engineer

5.  Few screen shots from web with this news :

6.   Source of news as above...thanks http://www.zdnet.com

Facebook on Basic Phone : Possible@YESS!!!

1.  The penetration of smartphones in the market is rapidly setting new benchmark verticals.Smartphones have changed our basic routine access exercise of switching on laptops or workstations to access our facebook,gmail and other accounts...but somehow this access to facebook and other accounts has been limited to smartphones only...and thus the basic mobile user still has the traditional method of accessing the mails and social networking sites....but thankfully this is not likely to go on for long...

 

2. One Mr Sumesh Menon, co-founder and CEO of U2opia Mobile,has fine-tuned USSD (Unstructured Supplementary Service Data) technology and is using it to allow anyone with a mobile phone to connect to Facebook. Unstructured Supplementary Service Data (USSD) is a protocol used by GSM cellular telephones to communicate with the service provider's computers. USSD can be used for WAP browsing, prepaid callback service, mobile-money services, location-based content services, menu-based information services, and as part of configuring the phone on the network. Thus even if a user has a very basic phone and no data connection, he can use USSD to connect to Facebook.

3.  Offcourse the concept of USSD is not new per se as a technology..users have all been using it in some way or the other in routine.For example, when you check your remaining pre-paid balance in the phone using a code, you use the USSD technology.So basically it is a kind of 1G solution that works in a 3G world.For those who wish to know about the 'G' family...please click here to find the 'G' Generation.

HOW TO USE THIS SERVICE :

-  In India, it is available to almost all mobile phone users, except those who are using network of BSNL.

-  To access Facebook from a basic (or from a smartphone that has no data connection) a user has to first subscribe to the service by dialling *325#.

-  Once the service is active, which happens within a few minutes, users can utilize the USSD menu to go through their timeline, check status updates, post status updates and check likes or comments on their posts. The service also allows access to Facebook Messenger and users can exchange messages with their friends.

-  There is no limit on how many times you can access Facebook or how many messages you can send to your friends on Facebook messenger. While different operators charge different price for the service, usually the price is around Re 1 per day, making it a cost-effective way to keep in touch with friends.

Few interesting points about this :

-  The underlying technology is called FoneTwish.

-  Any operator can use FoneTwish to enable access to Facebook through USSD for its users.

-  Service is used by over 40 operators in 30 countries.

-  Currently, there are over 10 million users across the world who access Facebook through USSD.

LIMITATIONS :

-  Facebook will be limited to a text-based service when used through USSD.

-  A user cannot access photographs on his phone through FoneTwish.

-  Offcourse there will be limitations w.r.t the proper web based experience that we see on a smartphone...but still..kudos to the effort and congrats to basic phone users.

4.   Well there may be one good news that as on date such phones will be more secure than smartphones.Too early to say before they get broken  too...lets wait and watch...

5.   Thanks http://timesofindia.indiatimes.com

After What's APP : Now WeChat threat!!!!

1.  Few backs earlier I wrote a post about Security Issues in Whatsapp here. Now exactly on the same lines there is a proven issue on Wechat....

2.  WeChat gained an immediate success the moment it was launched few months back in India.Every one was so happy to adopt it in their respective androids but it seems that the application is not so secure as hackers have been able to bypass the security mechanism to decrypt the messages sent using the app and China could be potentially spying on Indian citizens...
 

3.   Rest ditto from Parity news at http://www.paritynews.com/2013/08/26/2487/wechat-is-a-threat-to-national-security-claim-researchers/

According to a couple of young researchers, Jiten Jain and Abhay Agarwal, the free messaging app doesn’t employ the best of encryption and security technologies, which leaves personal information of its users vulnerable to theft. To prove their point the researchers went onto demonstrate the ease with which the messages sent using WeChat can be decrypted, indirectly indicating that foreign governments could be doing the same thing for spying and surveillance purposes.

The researchers were discussing the potential risks to privacy of users because of surveillance techniques employed by service provides across the globe at The Hackers Conference in New Delhi India on August 25. The researcher duo claimed that app from Chinese Internet Giant Tencent is threat to national security.

Jain and Agarwal claimed that not only can the Chinese government access the chat logs, but they can also access each and every detail about users stored in their smartphones – ranging from contact lists, messages, calls, geographic locations, etc.

One of other points raised at the conference was that the Indian Government is not able to successfully utilize the vast potential of security researchers in India. The Government has failed to secure its websites never mind the security of the whole nation. Researchers present at the conference stressed for the need of raising awareness about security within government establishments and masses in general.

Researches urged the government to strengthen the security of its websites as well as digital data by grooming in-house security experts as well as by availing help from industry experts present in India.

4.   In fact the duo did not hold back to say that it is a severe national threat...and I agree to their view...but who cares!!!!elections are coming...we are not even bothered about so many internal threats...external is out of purview!!!!!SAD.

Your ANDROID APPLICATIONS : Mining your profile

1.    It is common for us to hear a company promoting its phone or tablet showcasing that lakhs of android applications are available for free...and the poor(???) customer generally falls for it...so he buys the device and immediately starts exploiting the world of millions of applications on the net and the Google play store...now off course Google just does not upload a application for download once the up loader does his part of the formalities and registration...it checks under its set of QRs if the application is ok from the point of being malicious in nature or not but that does not always works....so many times android applications even in the Google play-store have been found to be suspected...now lets keep suspected apart...does the typical user even checks the terms and conditions of any application before installing?...the blind rule is JUST ACCEPT IT!!!and this goes against the user...this allows invasion to privacy...why should a company ask to access your phone contacts..your location..your system settings...your configuration settings before it allows to install it application on your device...BUT NO ONE THINKS ABOUT THIS!!!!

Back in February of this year, Google announced it was hardening its stance on Android security, unveiling an app-scanner (codenamed Bouncer) to weed out malware uploaded to Android Market (now Google Play) through automatic scanning. Since then, Google has taken more steps to protect Android users: it acquired VirusTotal back in September and in Android 4.2 Jelly Bean introduced an optional app verification feature that enables users to identify dangerous and potentially-dangerous apps on their devices, even if they downloaded them from the Web or got them from an app store other than Google Play.

How have Google’s efforts to combat Android malware been working out? Perhaps not so well. Security researchers were quickly able to analyze how Bouncer operated and find easy ways to circumvent Google Play’s automated scanning — techniques publicly available now to malware authors if they hadn’t managed to think of them on their own. Further, Xuxian Jiang of North Carolina State University has published an assessment of Jelly Bean’s app verification capability. The results? Google’s app verification service identified just over 15 percent of malware samples thrown at it from the Android Malware Genome Project

Source : http://www.digitaltrends.com/mobile/who-can-fight-android-malware-not-google/

2.     Mobile malware is lately becoming a organised crime with complex sophistication in terms of tracking back....and this makes the attack surface for the hacker and the black hats more big and the user more vulnerable at the same time....The most common victim is the one who looks for free applications in various heads of education...technology and not to forget the games section which is a big hit among-st all...the users love the games for which he has to pay nothing and the attacker gets a lot of attack surface to play around...and then the DO IT YOUR SELF TOOLS again add to the attack surface.

WHAT CAN YOU DO TO AVOID THIS?

- Keep your android updated: Now in this case most of the devices till 4.2.1 may not support upgrades..but then you have to keep your fingers crossed!!!

- Refrain from android applications other then google play store.STill you have to be careful...wherever possible read the Terms and Conditions before installing

-  Avoid public open wifi connections

-  Limit your greed to free applications.You may google about the application on google before you install it on your device.

Spying your friend at WhatsApp : Cause of concern

1.   In my last post here,I discussed about the growing lure of using WhatsApp and the basic security concerns that comes with it from point of a naive user.Now will take you one step higher to the level of a script kiddie....

2.  How does WhatApp identify you in billions?The answer is the unique MAC address that each digital device on this earth holds. If any one changes his/her device,then automatically the MAC address also changes and the user is requested to re-verify their WhatsApp account. Means he/she cannot access same WhatsApp account from two devices. But is MACSPOOFING not existing ?So,if the Mac is spoofed,then who stops from seeing your friends traffic that includes his/her chats,downloads etc!!!although for a naive user this may be look of some technical nature but for the young gen which has lots of techno enthusiasts there should be no stopping....that would include rooting your phone and installing Busybox. How to get your friends MAC address,here it goes :

For Android phone users simply go to settings—> About phone—> Status—> Wi-Fi MAC address.

For iPhone users go to Settings—> General—> About—> Wi-Fi address.

For Windows Phone users go to Settings—> About—> More info—> MAC address.

and for BlackBerry users go to options—> Device—> Device and Status info—> WLAN MAC.

3.   And the best part is that your Andorid can be anyone starting from 1.6 on wards till date.

TrueCaller : Is it Stealing your Info?

1.    TrueCaller is one famous application doing the rounds on Twitter Google+ Facebook Android Phones.The claim by the application goes like you login from either of the applications and you would be able to know the name of the mobile phone number owner by name.The claim actually stands right in over 90 % of the cases that I tried.This made me wonder how?...i thought like all those free forms that we keep regularly filling on the internet or some grocery shop for some free bundles or if TrueCaller has tied up with the mobile phone service providers?But then something happened that made me a little suspicious about this app.It so happened that I tried my mom's number on the application and so came the answer like "TIWARI MAM"....this made me think of how would the application know that my mom is a teacher...

2.   So I wondered if the application after installation on your mobile device actually makes all the contacts phone number available on the site with the name that I have typed against that number!!!So I tried mine which was not available, by the name "anupam CCCSP"

3.  Though it did not show promptly but after a day after I typed my phone number it came to be seen as "anupam CCCSP".So this actually means that the application is actually stealing and making my contacts info on my phone public!!!!...but then I also realized that it was me only who agreed to the terms and conditions while installing the app on my phone which most of us including me never read.

4.   So it comes actually to the naiveness of the common user who invariably without reading any of the terms and conditions agrees to install.....:-) 

Bulk SMS Ban : Carry on India

1.    The government has recently banned bulk SMS and MMS messages for 15 days in view of the exodus of people from the northeast from cities like Bangalore, Pune and Hyderabad, following rumours that they would be attacked.

2.    Now how do u feel about this ban?...do u think it is going to be effective?.....certainly not if it were actually the bulk sms that did the damage.Does'nt the govt know about various sites offering these services of bulk sms for free on a simple registration? or do they not know about various smart phones applications that can still send bulk sms via a different mode.Is it not known to them that this ban is going to be effective for pre paid owners only?....and not for post paid owners.

3.    These orders come like axing the problem instead of putting in efforts to manage it. Read the following paragraph@http://www.hindustantimes.com

"The five-SMS-per-day cap is adversely affecting a group of unsuspecting victims, the hearing impaired.A deaf individual sends up to 250 messages per day on an average as it is their only mode of conversation. "The five SMS cap is a real pain for us. It is the only way I can stay in touch with my family or friends when I go to college. If I want to have a proper conversation with someone, I have to send at least 50 messages. It is easy for people who can call and stay in touch. For us, this is the only mode that boosts our mobility. It is insensitive of the government to discount the deaf community when they take these decisions," said Mahesh P, a hearing impaired Delhi University student."

4.   Everi one knows that it is wrong...it is not effective...but hey come on ...carry on INDIA....it is just another passe...

JAVA SE DEVELOPMENT KIT NOT FOUND!!!!

1.   On way to experiment with android application with the stand SDK toolkit....i got messed up with the installation procedure so much that i thought of just leaving it..... in spite of all java installed  i got this screen.....

2.   I read all trouble shoots of on JAVA site.....some diverted me to registry editors and what not.......till i got the correct answer...simply click BACK and then NEXT again......khatam...thats the end of it.....

ANDROID APPLICATIONS CLONED : Developers make it spam

1.    The latest to add on to the growing web of spams is repackaged android applications.....though till now most of the descried repackaged applications are not reported to have any malicious code in them and also like the genuine ones they are also made available for free. These effected applications have the same module as the original, but include an advertisement module ,thus developers of these apps try making money off the clicks on the advertisements.

2.   The thing is easy on part of the developers since it is easier on thier part to just fiddle with original Android apps which are written in Java and are, therefore, easily cloned.....

3.   Thanks www.f-secure.com

ANDROID & GOOGLE : AT LOGGER HEADS????

1.    This news is bound for only one thing.....a first big dent on Google's untouched Kingdom in the cyber world.There is a reported discord among the Android developers who are irked at Google’s Android Market policies.They have formed the Android Developers Union to protest the policies.The new union has compiled a list of seven demands including renegotiation of the 32pc ‘Google Tax’ on app sales, public bug tracking, algorithmic transparency and increased payment options.They threaten Google that if these demands are not met they will cease development and move their efforts to rival platforms.

2.  "If the demands are not met, we will move our applications to alternative marketplaces or the web, cease Android development in favour of other more open platforms, we will dissuade other developers from developing Android projects, and we will work tirelessly to counter any of Google's hypocritical claims about openness in the media."

3.   This seems to be the first kind of big set back to google who may find loosing an edge in its battle for the smartphone operating system and applications market vis-a-vis Apple and Microsoft.The seven demands of the android union can be seen here...

4.   This writeup does not reflect my views of standing against anyone or supporting anyone but wishes to inform the readers only for info........

NOKIA should have merged with GOOGLE : Google CEO

This comes straight after the earlier post news spread across about the merge of Nokia & Microsoft......When asked about Nokia's choice of Windows Phone 7 as its smartphone system, Schmidt said "Google would have loved to see Nokia pick Android instead. Google tried to convince Nokia to choose Android, and it can still make that decision in the future".....(ha ha ha....Google still has hopes of a future revertive action by NOKIA....and who knows...it may just happen..we are just the readers!!!!!)

NOKIA & MICROSOFT : A MERGER TO READ ABOUT

1.    In todays shrinking world when we hear of merger of giants...its part of normal breaking news which hardly puts together rolling eyeballs 7 pop ups ....But this one is slightly different or if not different it is really BIGGGGGGG.This is about merger of fantabulous phone hardware NOKIA and the operating system giant MICROSOFT coming toether to produce and try beating the phones across?

2.    The deal which was in the rumour rounds already went much ahead of the expectations.....in effect, Nokia is handing over its future - in smartphones at least - to Microsoft and Windows Phone 7.  That means Good bye & Happy journey Symbian . So can the combo really become the third horse in the race, giving Apple and Android a run for their money ?I have my doubts....

3.    Crux of the acquisition pointwise listed below :

- Nokia to embrace Windows Phone as its principal smartphone.

- Nokia to contribute its expertise on hardware design, language support.

- Both would closely collaborate on joint marketing initiatives .

- Bing would power Nokia’s search services(nobodys guess!!!)

- Nokia Maps would be a core part of Microsoft’s mapping services.

4.    Just to mention,a year earlier when this merger was being talked about, was once declared an april fools rumour. And now about a year later it is on official Microsoft site.Thanks Microsoft site for info