When PwnedList Gets Pwned !


Why pwnedlist is not a good idea !


[+] Intro:

PwnedList.com was, until recently, a free online service that let anyone check whether their email address and password had been included in major data leaks [2]. The company scanned the internet for database dumps that had been illegally disclosed by hackers.

[+] Why PwnedList is not a good idea:

– Bringing collective data from the deep web to the surface of the internet might not be the best idea. This information was previously available only to a few, and nobody can guarantee its safety once it is aggregated; the result is a real and approachable target for every black hat hacker out there.
– Single point of failure. What if PwnedList is infiltrated by criminals? I would like to stress that PwnedList keeps hashes of your passwords when it could simply keep a list of email addresses only, meaning that if they get hacked by a sophisticated threat
– Security is not bulletproof. As in all cases, dedicate enough resources and new attack vectors will come up. Hodges (@NanoBob), a security researcher, discovered a vulnerability that allowed him to register any domain name. By exploiting it he was able to pull more than 100k Apple email addresses and passwords from the site.

– Last but not least, the recently leaked data from the 2012 LinkedIn hack created a buzz and everyone jumped on the site to see if they had been hacked.
I was always told you should point out the elephant in the room: did you have a LinkedIn account in 2012?
LinkedIn's security team applied some precautions to limit the impact of the leak; all affected user accounts were forced through a password reset.
Nevertheless, it is good practice to use different passwords for different services and to change your password regularly.

[+] The Rise and Fall:

On 16 May 2016, InfoArmor decommissioned the popular online service PwnedList.com without giving the reasons behind the decision. The company will continue to provide commercial protection to its customers; however, that option will no longer be available to the public.

PwnedList.com Announcement

[+] Sources:

[1] https://pwnedlist.com/

[2] “LinkedIn Lost 167 Million Account Credentials in Data Breach”, Fortune, https://fortune.com/2016/05/18/linkedin-data-breach-email-password/

When Hackers Got Hacked !

The dark secrets of Hacking Team that reached the small island of Cyprus

Anything is ‘hackable’, and so the irony becomes even more apparent in the title: hackers got hacked. This week’s news was dominated by the leaks from Hacking Team, the aftermath of a total compromise of their internal network by unknown hackers; more than 400GB of sensitive raw data are now publicly available on the internet. A quick glance at the material shows source code for their exploits, receipts, client communication and company spreadsheets, exposing the company’s closely guarded skeletons to anyone techie enough to just Google the right words!


Delivery Report on the equipment sold to Cyprus Intelligence Service

Hacking Team Controversy

Hacking Team has been at the centre of bad publicity since early 2014, when Citizen Lab accused the Italian company of selling surveillance equipment to oppressive regimes [3]. At the time HT denied any involvement; however, today’s leaks show that the Nigerian government was on their client list, along with Saudi Arabia, Uzbekistan, Sudan, Morocco and Turkey, countries classified as among the worst human rights violators in the international community. The infamous company was openly marketing to government agencies and law enforcement, offering them customised solutions to bypass encryption and intercept data, often stepping into a grey area.

One of their latest products was branded “Remote Control System Galileo” and gave the adversary the power to exploit at least 2 different 0-day vulnerabilities in Flash (CVE-2015-5119, CVE-2015-5122 and CVE-2015-5123) to compromise and potentially take over Windows, Linux and OS X machines. According to the latest updates, their most common attack vector was a Microsoft Word (.doc) file that silently loads Adobe Flash content in the background, compromising the victim’s computer.

HT team Advertisement for Remote Control System, Galileo targeting state agencies

Angry Agents all over the World

As Business Insider reported, Hacking Team has been advising its customers to disable their software and stop any activities immediately, as they are exposed to a risk [2]. Moreover, to add to the confusion, sources report that their equipment was purposely backdoored and watermarked, which means that not only could they remotely control the customer’s target machine, but they could also access the outcome of any ongoing surveillance [2]. I am almost certain that this kind of ‘feature’ was not communicated to their customers, and, as Bruce Schneier said, it is not very pleasant to make international secret agencies upset [1]!

Cyprus, the Island for all Seasons !  <— shameless advertisement!

Among the thousands of files leaked is a client list naming the Cyprus Intelligence Service as a client that has been purchasing services from the Italian hackers since 2012. Financial statements record a total of 375,000 euros paid by the Cypriot government to acquire state-of-the-art surveillance malware. A licence for 5 instances of Remote Control System Galileo, for Windows and Android targets, appears to have been sold to CIS along with maintenance and customisation services.


The 1st instalment of €70,000 from a total of €375,000 contract with HT

As a result of a few published articles and media coverage on the topic, citizens became concerned about two specific issues. I will try to give my view on them without pretending to be a legal expert, focusing more on the technical aspect of the issue.

Q: Is surveillance conducted by Cyprus Intelligence Service legal?


Hacking without going to jail !


Ever wondered how breaking into computers feels? According to TV . . .

Hmmm.. nope, you got it so wrong again, Hollywood!

Many finish university with a degree and all the foundations required to be great security engineers. Whether you want to start a career as a penetration tester, you are a developer who wants to learn more about security, or you are simply curious enough, you should try some of the following. What follows is a selection of projects that provide deliberately vulnerable applications to demonstrate security vulnerabilities that are common in the wild, usually in their simplest form, so that penetration is easy and each vulnerability comes with a practical example.

1. Webgoat

After OWASP WebGoat 5.0, the newly released version offers a more user-friendly interface and an almost complete selection of security topics in web application secure coding. In addition, no installation is required: the code is packaged as a .jar file and can be run with Java.

Vulnerabilities : OWASP Top 10
Tips : Yes
Solutions : No
Project: owasp.org/index.php/Category:OWASP_WebGoat_Project
Format: .jar
Download: github.com/WebGoat/WebGoat-Legacy/releases

Quick Start:

java -jar WebGoat-6.1.0-exec-war.jar

2. Damn Vulnerable Web Applications (DVWA)

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.

Vulnerabilities : OWASP Top 10
Tips : Yes
Solutions : No
Project: owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project
Format: PHP/SQL
Download: github.com/RandomStorm/DVWA

Quick Start:

The easiest way to install DVWA is to download and install XAMPP if you do not already have a web server set up.

XAMPP can be downloaded from: www.apachefriends.org/en/xampp.html

Simply unzip dvwa.zip, place the unzipped files in your public html folder,
then point your browser to http://127.0.0.1/dvwa/index.php


WhatsApp – Simple Hack (Verifying your phone number in WhatsApp)


While I was travelling outside the UK I was forced to use a second cell phone, so in order to use my WhatsApp application I had to re-authenticate with the WhatsApp server. Instead of switching SIM cards back and forth, which I thought was a bit of a hassle (feeling a bit lazy), I was curious to test the WhatsApp verification process and how robust it was. I tried to find a quick way to hack through the automatic validation of my phone number and the current device using it.

How does the verification process work?

Since your mobile number is used as a unique identifier (e.g. a username) for the service, it is preferable to keep the same number so that your friends and acquaintances can still contact you.

Photo : REUTERS/Dado Ruvic


It simply works by sending an SMS message with a 6-digit temporary code to the user’s cellphone in the following form: “WhatsApp Code 123-456”

The process is automated, which means the Android application does not let the user enter the code manually; instead it detects the code as it arrives in your inbox.


Walking The Silk Road

** An Insight into Silk Road – For Educational Purposes Only **

Imagine if there was a site like eBay where users could buy and sell cocaine, ecstasy, LSD and other illegal substances. That is not possible, right? I guess that is the simplest explanation I could give to describe Silk Road, an online black market.

[Update 09/12/2013]: Almost one week after this article was released, Silk Road was seized after the FBI arrested its owner, Mr. Ross Ulbricht aka “Dread Pirate Roberts”. Following that, the “Atlantis” black market has closed. Whether the arrest of Dread Pirate Roberts was due to a security weakness in the Tor network or to human error is something we will have to wait to find out.
