When PwnedList Gets Pwned !

Featured

Why pwnedlist is not a good idea !

PwnedList Logo

[+] Intro:

PwnedList.com until recently was a free online service providing anyone the ability to check whether his/her email and password were included in major data leaks [2]. The company was scanning the internet for database dumps which were illegally disclosed by hackers.

[+] Why PwnedList is not a good idea:

– Brining collective data from the deep web to the surface of the internet it might not be the best idea. Information that was available only to few. Especially when this information when none can gurantee their safety. Creating a real and approachable target for all black hat hackers out in there.
Single point of failure. If Pwnedlist is infiltrated by criminals. I would like to stress that Pwnedlist keeps hashes of your password while they could simply keep a list of emails only. Meaning that if they get hacked by a sophisticated threat
Security is Not Bulletproof. As with all cases, dedicate enough resources and you new atramck vectors will come up. Hodges (@NanoBob) a security researcher discovered a vulnerability that allowed him to register any domain name. By exploiting it he was able to pull more than 100k apple email addresses and password from the site.

Last but not least. Recently the leaked data from 2012 LinkedIn hack created a buzz and everyone jumped on the site to see if the were hacked.
I was always told you should point the elephant in the room. Did you have an LinkedIn account in 2012?
LinkedIn Security Team applied some precautions to limit the impact of the leak. All user accounts affected were forced to password reset.
Nevertheless it’s good practice to yse different passwords for different services and regularly change your password to

– linkeind. it recently got a buzz around.

[+] The Rise and Fall:

On the 16th of May 2016, InfoArmor decommissioned the popular online service PwnedList.com without giving the reasons behind their decision. The company will continue to provide commercial protection to its customers however that option will no longer available to the public.

PwnedList.com Announcement

[+]Sources:

[1] https://pwnedlist.com/

[2] “LinkedIn Lost 167 Million Account Credentials in Data Breach”, Forune, https://fortune.com/2016/05/18/linkedin-data-breach-email-password/

When Hackers Got Hacked !

Featured

the dark SecretS of Hacking Team THAT REACHED THE SMALL ISLAND OF Cyprus 
Hacking Team Logo

Anything is ‘hackable’ and so the irony becomes even more apparent nd the title hackers got hacked. This week’s news were dominated by the leaks of Hacking Team, the aftermath of a total compromise of their internal network by unknown hackers more than 400GB of sensitive raw data are now publicly available on the internet. A quick glance on the material showed source code of their exploits, receipts, client communication and company’s spreadsheets exposing the company’s lovely guarded skeletons to anyone is techie enough to just Google the right words!

Cyprus Delivery Report

Delivery Report on the equipment sold to Cyprus Intelligence Service

Hacking Team Controversy

The Hacking Team has been on the centre of bad publicity since early 2014 when CitizenLab accused the Italian company for selling surveillance equipment to oppressive regimes [3]. At the time HT denied any involvement, however today’s leaks show that Nigerian government was in their list along with Saudi Arabia, Uzbekistan, Sudan, Morocco and Turkey classified as the worst human right violators in the international community. The infamous company was openly marketing for government agencies and law enforcement by offering them customised solutions to bypass encryption and intercept data; often stepping into a grey area.

One of their latest products was branded as “Remote Control System Galileo” and gave the power to the adversary to exploit at least 2 different 0-day vulnerabilities in Flash (CVE-2015-5119, CVE-2015-5122 and CVE-2015-5123) to compromise and potentially take over Windows, Linux and OS X machines. According to the latest updates, their most common attack vector was a Microsoft Word (.doc) format file that silently loads an Adobe Flash in the background compromising the victim’s computer.

HT team Advertisement for Remote Control System, Galileo targeting state agencies

Angry Agents all over the World

As Business Insider reported Hacking Team has been advising its customers to disable their software stop any activities immediately as their exposed to a risk [2]. Moreover to add more confusion, sources report that their equipment was purposely backdoored and watermarked which means not they could remotely control the customer’s target machine but they could also access the outcome of any ongoing surveillance [2]. I am almost certain that this kind of ‘features’ were not communicated to their customers and as Bruce Scheiner said it’s not very pleasant to make international secret agencies upset [1]!

Cyprus, the Island for all Seasons !  <— shameless advertisment!

Among the thousands of files leaked, a client list containing the Cyprus Intelligence Service as a client, purchasing services from the Italian hackers since 2012. Financial statements record a total amount of 375,000 euros were paid by the Cypriot government to acquire state of the art surveillance malware for surveillance purposes. A licence for 5 instances of Remote Control System Galileo seems to be sold to CIS for Windows and Android targets along with maintenance and customisation services.

HT Spreadsheet

The 1st instalment of €70,000 from a total of €375,000 contract with HT

As a result of a few published articles and media coverage on the topic, citizens became concerned about two specific issues. I would try to give my view on the issue without trying to pretend I am a legal expert and focusing more on the technical aspect of the issue.

Q: Is surveillance conducted by Cyprus Intelligence Service legal?

Continue reading

Hacking without going to jail !

Featured

You ever wondered how breaking into computers feels? according to TV . . .

Hmmm.. nop, you got it so wrong again Hollywood!
 

Many finish university with a degree and all the foundations required to be great security engineers. Either you want to start a career as a Penetration Tester or you are a Developer and want to expand yourself more about security or simply because you are curious enough then you should try some of the following. The following is selection of projects that designed vulnerable applications to demonstrate security vulnerabilities that are common in the wild, usually in their simplest form penetration easy and some practical examples of vulnerabilities in their simplest found.

1. Webgoat

After OWASP Webgoat 5.0, the newly released version offers a more user-friendly interface and an almost complete selection of security topics in web application secure coding. In addition no installation is required, code is compressed in .jar format and can be run through java.

Vulnerabilities : OWASP Top 10
Tips : Yes
Solutions : No
Project: owasp.org/index.php/Category:OWASP_WebGoat_Project
Format: .jar
Download: github.com/WebGoat/WebGoat-Legacy/releases

Quick Start:

java -jar WebGoat-6.1.0-exec-war.jar

2. Damn Vulnerable Web Applications (DVWA)

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.

Vulnerabilities : OWASP Top 10
Tips : Yes
Solutions : No
Project: owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project
Format: PHP/SQL
Download: github.com/RandomStorm/DVWA

Quick Start:

The easiest way to install DVWA is to download and install 'XAMPP' if you do not already have a web server setup. 

XAMPP can be downloaded from: www.apachefriends.org/en/xampp.html

Simply unzip dvwa.zip, place the unzipped files in your public htm folder, 
then point your browser to http://127.0.0.1/dvwa/index.php

Continue reading

WhatsApp – Simple Hack (Verifying your phone number in WhatsApp)

Featured

While I was travelling outside UK and I was force to use a second cell phone, thus in order to use my what’app application I had to re-authenticate with What’App server. Instead of switching back and forth sim cards which I thought it was a bit of hassle (feeling a bit lazy), I was curious to discover to test the What’App verification process and how robust it was. I tried to find a quick way to hack through the automatic validation of my phone number and the current device using it.

How the verification process works?

Since your mobile number is used as a unique identifier (eg. username) for using the service, it is most preferable to keep the same number for your friends and acquaintances to contact you.

Photo : REUTERS/Dado Ruvic

Photo : REUTERS/Dado Ruvic

 

It simply works by sending an sms message with a 6-digit temporary code on the user’s cellphone in the following form: “WhatsApp Code 123-456”

The process is automated which actually means the android application does not allow the user to enter the code manually but it detects it as it arrives in your inbox.

Continue reading

Privacy Leaks from Wi-Fi Probing

Featured

In a modern era where smartphone use has exponentially increased, we investigate the amount of private information an adversary can extract by looking at the active service discover in Wifi where a wireless station broadcasts the list of its preferred wireless networks, without user’s consent or knowledge. This report describes a range of different techniques which violate users’ privacy by using Wi-Fi fingerprints emitted from devices. One of the main points of the report include the relationship discovery that was first implemented by Cunche, et al and explains how to infer relationships between users through their SSIDs sets. Other attacks can be mounted that will reveal not only a social link between users but the actual path that a device follows in real time.

Wi-Fi Probing Diagram

Figure 1.0 – Wireshark was used to capture the probing requests that include MAC addresses and SSIDs in plain text.

During the last decade the number of portable Wi-Fi devices such as smartphones, tablets, and notebooks have increased dramatically. Nowadays, the majority of users constantly carry their mobile devices with them not only at workplace but also at home. For this reasons, it has become the most preferable way to provide internet access for medium range connectivity.In this regard many recent scientific papers have investigated how much information can be obtained from user interaction with a Wi-Fi network. Particularly observing the fields that are transmitted in plaintext such as probe requests In order to connect to the network a mobile phone is sending the probes requests that contain the SSID name of previously associated networks. This mode is called Active Discovery Mode (ADM). Wi-Fi supports encryption and authentication standards (e.g. WPA2) to ensure that the transmitted data between a client and an Access Point are safe from eavesdroppers.

However, before we reach the phase of credentials exchanging there is the phase of Network Discovery where a Wi-Fi enabled client discovers and contacts the AP for the first time. In this phase there are several messages exchanged between the two parties (e.g. network discovery probe requests) that are transmitted necessarily in plaintext. These packets (also called frames) include in their headers, among others, the Media Access Control (MAC) address of the Wi-Fi enabled device. This address serves as a unique identifier for the said device. Based on this two features: unique identifier MAC and probes it seems feasible to identify users with a high probability.This fact enables the identification of a user by its device’s MAC address. Practically, the device serves as an interface to reach the user behind and the MAC address of the device becomes as a nickname of the user.

As a result, the user becomes vulnerable to what we would call fingerprinting attacks. Fingerprinting is called “the process by which a device, it’s driver or the OS a machine is running can be uniquely identified by its externally observable characteristics”. Therefore an adversary can extract information about someone previous history location or even track him down in small proximity.

The reports outlines the most important attacks including the following :

  1. Infer Social Link
    1. Location proximity
    2. Spatio-temporal co-occurrence probability
  2. Wi-Fi Tracking 
    1. Stalker Attack
    2. Beacon Replay Attack
  3. Estimating Smartphone Trajectories

* If you would like to read the full report please click here : Privacy Leaks from Wi-Fi Probing

For this project the following information security students contributed :

  • Pejman Najafi
  • Andreas Georgiou
  • Dina Shachneva
  • Ioannis Vlavianos

 

The Wall of Scammers – iPhone 6 for £1

This is a new series of posts coming, a sample of what I stumble upon in the internet that make me laugh!

A fake website of BBC is a good try, but honestly does anyone fall for the “iPhone 6 for £1” trick?

screenshot

*URL:  http://bbc-tech.info/news/technology-342448713/?channelid=1051

Continue reading

Are TV ratings possible with Twitter? – tweetTV

This project explains the creation and the use of tweetTV, a system that collects and analyses tweets from the micro blogging site Twitter, with the aim of comparing them with TV ratings in order to identify meaningful relationships.

tweetTV v1.2 Screenshot
tweetTV Software v1.2 Screenshot

Using tweetTV, Twitter text messages were collected, processed and then classified, by applying some data mining techniques. By isolating tweets that referred to three specific popular TV shows, a significant number of tweets was analysed and compared with TV ratings available from the British Audience Research Board (BARB). Furthermore, sentiment analysis was implemented to investigate the temporal variability of positive, negative and informational tweets in conjunction with TV ratings and whether the awareness of tweet’s attitude could enhance the accuracy of the system.

The running of tweetTV was successful in collecting sufficient amount of tweets to carry out the analyses required, which included qualitative and quantitative comparisons. A strong correlation was found between the number of tweets and the number of viewers, confirming the existence of a link between the two values that could be promising in accurately estimating TV ratings by only using Twitter. The small numbers of tweets collected for one show revealed a potential limitation of linking Twitter to some types of TV shows with relative explanations being discussed. The use of sentiment analysis also proved to be useful in identifying trends related to TV shows such as a periodicity of positive tweets during the days prior to the show. This suggested that sentiment analysis
could be used to improve the accuracy of tweetTV by weighting people’s opinions before the shows and projecting estimations.

Overall, the performance of tweetTV was successful in collecting and filtering tweets and in conjunction with sentiment analysis; it has the potential to work as a real-time application that will provide TV ratings.

Click here to read my full thesis: “Are TV ratings possible with Twitter? (2013)”

 

 

Walking The Silk Road

** An Insight to Silk Road – For Educational Purposes Only **

Imagine if there was a site like ebay where users could buy and sell Cocaine, Ecstasy  LSD and other illegal substances. That is not possible right  ? I guess that was the simplest explanation I could give to describe Silk Road an online black market. 

[Update 09/12/2013] : Almost one week after this article was released, Silk Road has been seized after FBI arrested the owner of Silk Road, Mr. Ross Ulbricht aka “Dread Pirate Roberts”. Following that, “Atlantis” black market has closed. If the arrest of Dread Pirate Roberts was due to a security weakness in TOR networks or human error, is something that we will have to wait to find out.

Continue reading

UoB Hellenic Society Project

ubhs

 Domain : www.UBHS.org.uk

Launched : January 2013

Description :

University of Bristol Hellenic Society is a Greek & Cypriot community of students in Bristol. The website was developed to provide a portal for communucationg and sharing the news and events of our society. Among our priorities was to boost the number of memberships through the creation of a facebook page.

Technical Details :

  • Platform : Wordpress 3.2

 Other Features :