Jump to content

Search the Community

Showing results for tags 'mobile'.

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Informatii generale
    • Anunturi importante
    • Bine ai venit
    • Proiecte RST
  • Sectiunea tehnica
    • Exploituri
    • Challenges (CTF)
    • Bug Bounty
    • Programare
    • Securitate web
    • Reverse engineering & exploit development
    • Mobile security
    • Sisteme de operare si discutii hardware
    • Electronica
    • Wireless Pentesting
    • Black SEO & monetizare
  • Tutoriale
    • Tutoriale in romana
    • Tutoriale in engleza
    • Tutoriale video
  • Programe
    • Programe hacking
    • Programe securitate
    • Programe utile
    • Free stuff
  • Discutii generale
    • RST Market
    • Off-topic
    • Discutii incepatori
    • Stiri securitate
    • Linkuri
    • Cosul de gunoi
  • Club Test's Topics
  • Clubul saraciei absolute's Topics
  • Chernobyl Hackers's Topics
  • Programming & Fun's Jokes / Funny pictures (programming related!)
  • Programming & Fun's Programming
  • Programming & Fun's Programming challenges
  • Bani pă net's Topics
  • Cumparaturi online's Topics
  • Web Development's Forum
  • 3D Print's Topics

Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


Website URL


Yahoo


Jabber


Skype


Location


Interests


Biography


Location


Interests


Occupation

Found 24 results

  1. Salutare! Dacă o ardeți pe freelancereală și le aveți cu Ionic/Firebase sau React Native/Xamarin și/sau alte combinații de stack-uri în special pe tehnologii mobile hibride și vreți să colaborăm, dați-mi un PM. Mulțam!
  2. Fitbit is building a new security team in Bucharest. Full details here: https://grnh.se/gmt7lrkc1 Brief description of the job: The application security team at Fitbit is responsible for overseeing the secure design and implementation of applications. We do this by: Consulting with software engineers to ensure the relevant controls are built into their work Assessing software produced by Fitbit and its partners Participating in the security community to understand new and emerging threats We try to find achieve our mission through innovative ways of collaborating with our software teams that allow them to continue to deliver at scale and ve What You’ll Work On: Conduct threat modelling exercises New security sensitive functionality (e.g. changes to authentication flows) require a security team member to be involved New application infrastructure, e.g. entirely new SOA services required a feedback from a security engineer Provide application security consulting to engineers Perform manual and automated code review Our goal is to automate us much of our role as possible Create rules to help us to identify software that should be manually reviewed by a skilled application security engineer Help enable self-service reviews for engineers Work on tooling to expedite the process of doing software reviews Perform ad-hoc application assessments Assist with Fitbit’s Bug Bounty programs Help with the replication, prioritization and filing of issues identified via our bug bounty programs Assist with Fitbit’s developer outreach efforts Share root cause analysis information with our outreach team to ensure we’re educating our engineers about common security pitfalls and how to avoid them Required Skills: Significant experience in application penetration testing and source code review Knowledge of mobile and web application architecture Ability to read and break code written in different languages, emphasis on Java Strong understanding of applied cryptography Strong understanding of web application security technologies like CORS, OAuth, JSONP and browser security concepts such as the same origin policy Experience with static and dynamic application security tools A passion for security and technology Experience in a variety of software development environments and knowledge of contemporary agile software development methodologies Experience with test-driven development and other agile practices Broad knowledge of all areas of information technology including networking, operating systems and ideally application development Strong software development skills in at least one language Aspires to develop a deep understanding of information security Experience as a system administrator or security engineer Experience with managing information security incidents Solves problems through scripting and automation Willing to learn new things Willing to look at for innovative or non-standard solutions to problems Good sense of humor Calm under pressure Good time management skills Interactions with other teams The application security team is responsible for consulting with software engineering teams about the best and safest way to implement their features. They are also responsible for reviewing the output of software engineering teams for safety. As such, strong interpersonal skills are required. This person needs to be able to diplomatically provide software engineers with advice, and to coach developers through problems that may be identified in their work. The successful applicant will be able to positively influence software engineers’ behaviour through their interactions. Nice-to-Have Skills: Have a strong development background Background in infrastructure penetration testing Experience with compliance such as PCI and/or ISO27000 Experience with exploit/proof of concept development Experience in information security consulting Experience in in-house application security teams at larger technology companies with a reputation for security engineering Had incident response experience Developed tooling to automate information security tasks Have a wide knowledge from diverse parts of IT Worked on open source security projects
  3. Salut, Vreau să vă prezint site-ul www.betit.ro, un site ce a fost înfiinţat în anul 2014. Sper să vedeţi acest site ca un lucru pozitiv şi constructiv, aştept un feedback fără off-topic şi cu reacţii constructive, fără injurii sau similare. O zi bună vă doresc, apropo, doresc ca să aduc mai mult trafic monetizabil (trafic care produce bani, nu trafic adus de roboţi, sau alte programe), dacă cunoaşteţi o metodă bună iar traficul adus de dumneavoastră ajuta la monetizarea site-ului împărţim profitul (pe care l-aţi adus). Mulţumesc!
  4. Starbucks has rebuffed claims that its mobile app has been hacked, in the wake of reports that scores of its US customers have suffered from credit card fraud. The coffee chain’s US customers have been reporting the theft of hundreds of dollars from their credit cards, in a series of scams seemingly linked to auto top-ups on the Starbucks mobile app. Victims commonly receive emails saying the passwords and login details for Starbucks’ mobile app had been reset before receiving notice of fraudulent transactions. However, Starbucks denies its app has been hacked. In a statement, the coffee chain suggested the isolated reports of fraudulent activity on customers’ online accounts are down to password re-use or other lax security practices by its clients. Starbucks takes the obligation to protect customers’ information seriously. News reports that the Starbucks mobile app has been hacked are false. Like all major retailers, the company has safeguards in place to constantly monitor for fraudulent activity and works closely with financial institutions. To protect the integrity of these security measures, Starbucks will not disclose specific details but can assure customers their security is incredibly important and all concerns related to customer security are taken seriously. Occasionally, Starbucks receives reports from customers of unauthorized activity on their online account. This is primarily caused when criminals obtain reused names and passwords from other sites and attempt to apply that information to Starbucks. To protect their security, customers are encouraged to use different user names and passwords for different sites, especially those that keep financial information. Reports that hackers were targeting Starbucks mobile users – stealing from linked credit cards without knowing account numbers – first surfaced this week. Bob Sullivan, journalist and consumer advocate, was the the first to report on the scam. Sullivan recommends that all Starbucks consumers immediately disable auto-reload on the Starbucks mobile payments and gift cards. Criminals who obtain username and password credentials for Starbucks.com first drain a consumer’s stored value before siphoning off funds from their linked credit card. Starbucks reportedly allows consumers to move balances from one gift card to another. Hackers can also cash out by using a hijacked account to buy gift cards. These can then be sent to an arbitrary email address which can be trivially registered – without secondary confirmation – from within hijacked Starbucks accounts. In its statement, Starbucks said “customers are not responsible for charges or transfers they did not make. If a customer’s Starbucks Card is registered, their account balance is protected”, so those who have been left out of pocket will hopefully get their money back. The apparent scam appears to be limited to the US. El Reg understands that Starbucks customers in Europe and elsewhere outside North America have not been affected. Roy Tobin, a threat researcher at security software firm Webroot, recommended that consumers and businesses alike should re-examine their security practices. "Credentials leaked in previous cyber-attacks are likely to have been used to allow hackers to siphon off money from Starbucks' customers," Tobin said. "The key security take-away from this incident is the fact that as a company, your customers’ security information often doesn’t exist in a bubble. Passwords are frequently saved to browsers or documents, and are repeatedly re-used by customers across separate online accounts. Consumers should take steps to regularly change their passwords and avoid using the same password across multiple online services," he said. For businesses, the use of two-factor authentication technology can help mitigate against this class of threat, according to Tobin. "Companies must anticipate this vulnerability by implementing more rigorous security processes, making it harder for hackers to access their customers’ accounts," he added. "Best practice for mitigating this is the implementation of a two-factor authentication process that requires the user to verify their identity when logging in from a new device or location whenever financial details are accessed or used," he concluded. Source
  5. Document Title: =============== Oracle Business Intelligence Mobile HD v11.x iOS - Persistent UI Vulnerability References (Source): ==================== http://vulnerability-lab.com/get_content.php?id=1361 Oracle Security ID: S0540289 Tracking ID: S0540289 Reporter ID: #1 2015Q1 Release Date: ============= 2015-05-06 Vulnerability Laboratory ID (VL-ID): ==================================== 1361 Common Vulnerability Scoring System: ==================================== 3.8 Product & Service Introduction: =============================== Oracle Business Intelligence Mobile HD brings new capabilities that allows users to make the most of their analytics information and leverage their existing investment in BI. Oracle Business Intelligence Mobile for Apple iPad is a mobile analytics app that allows you to view, analyze and act on Oracle Business Intelligence 11g content. Using Oracle Business Intelligence Mobile, you can view, analyze and act on all your analyses, dashboards, scorecards, reports, alerts and notifications on the go. Oracle Business Intelligence Mobile allows you to drill down reports, apply prompts to filter your data, view interactive formats on geo-spatial visualizations, view and interact with Dashboards, KPIs and Scorecards. You can save your analyses and Dashboards for offline viewing, and refresh them when online again; thus providing always-available access to the data you need. This app is compatible with Oracle Business Intelligence 11g, version 11.1.1.6.2BP1 and above. (Copy of the Vendor Homepage: http://www.oracle.com/technetwork/middleware/bi-foundation/bi-mobile-hd-1983913.html ) (Copy of the APP Homepage: https://itunes.apple.com/us/app/oracle-business-intelligence/id534035015 ) Abstract Advisory Information: ============================== The Vulnerability Laboratory Research Team discovered an application-side validation web vulnerability in the official Oracle Business Intelligence Mobile HD v11.1.1.7.0.2420 iOS web-application. Vulnerability Disclosure Timeline: ================================== 2014-10-27: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH) 2014-11-01: Vendor Notification (Oracle Sec Alert Team - Acknowledgement Program) 2015-02-25: Vendor Response/Feedback (Oracle Sec Alert Team - Acknowledgement Program) 2015-04-15: Vendor Fix/Patch (Oracle Developer Team) 2015-05-01: Bug Bounty Reward (Oracle Sec Alert Team - CPU Bulletin Acknowledgement) 2015-05-06: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== Oracle Product: Business Intelligence Mobile HD 11.1.1.7.0.2420 Exploitation Technique: ======================= Remote Severity Level: =============== Medium Technical Details & Description: ================================ The Vulnerability Laboratory Research Team discovered an application-side validation web vulnerability in the official Oracle Business Intelligence Mobile HD v11.1.1.7.0.2420 iOS web-application. The vulnerability is located in the input field of the dasboard file export name value of the local save (lokal speichern) function. After the injection of a system specific command to the input field of the dasboard name the attacker is able to use the email function. By clicking the email button the script code gets wrong encoded even if the attachment function is activated for pdf only. The wrong encoded input of the lokal save in the mimeAttachmentHeaderName (mimeAttachmentHeader) allows a local attacker to inject persistent system specific codes to compromise the integrity of the oracle ib email function. In case of the scenario the issue get first correct encoded on input and the reverse encoded inside allows to manipulate the mail context. Regular the function is in use to get the status notification mail with attached pdf or html file. For the tesings the pdf value was activated and without html. The security risk of the filter bypass and application-side input validation web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.8. Exploitation of the persistent web vulnerability requires a low privilege web application user account and low user interaction. Successful exploitation of the vulnerability results in session hijacking, persistent phishing, persistent external redirects, persistent load of malicous script codes or persistent web module context manipulation. Vulnerable Module(s): [+] Lokal speichern - Local save Vulnerable Parameter(s): [+] mimeAttachmentHeaderName (mimeAttachmentHeader) Affected Service(s): [+] Email - Local Dasboard File Proof of Concept (PoC): ======================= The application-side vulnerability can be exploited by local privilege application user accounts with low user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue. Manual reproduce of the vulnerability ... 1. Install the oracle business intelligence mobile hd ios app to your apple device (https://itunes.apple.com/us/app/oracle-business-intelligence/id534035015) 2. Register to your server service to get access to the client functions 2. Click the dashboard button to access 3. Now, we push top right in the navigation the local save (lokal speichern) button 4. Inject system specific payload with script code to the lokal save dashboard filename input field 5. Switch back to the app index and open the saved dashboard that as been saved locally with the payload (mimeAttachmentHeaderName) 6. Push in the top right navigation the email button 7. The mail client opens with the wrong encoded payload inside of the mail with the template of the dashboard 8. Successful reproduce of the security vulnerability! PoC: Email - Local Dasboard File <meta http-equiv="content-type" content="text/html; "> <div>"><[PERSISTENT INJECTED SCRIPT CODE!]"></x></div><div><br><br></div><br> <fieldset class="mimeAttachmentHeader"><legend class="mimeAttachmentHeaderName">"><"x">%20<[PERSISTENT INJECTED SCRIPT CODE!]>.html</legend></fieldset><br> Solution - Fix & Patch: ======================= The vulnerability can be patched by a secure restriction and filter validation of the local dashboard file save module. Encode the input fields and parse the ouput next to reverse converting the context of the application through the mail function. The issue is not located in the apple device configuration because of the validation of the mimeAttachmentHeaderName in connection with the email function is broken. Security Risk: ============== The security risk of the application-side input validation web vulnerability in the oracle mobile application is estimated as medium. (CVSS 3.8) Credits & Authors: ================== Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com] Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. Copyright © 2015 | Vulnerability Laboratory - Evolution Security GmbH ™ -- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com CONTACT: research@vulnerability-lab.com PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt Source
  6. zANTI is a mobile penetration testing toolkit that lets security managers assess the risk level of a network with the push of a button. This easy to use mobile toolkit enables IT Security Administrators to simulate an advanced attacker to identify the malicious techniques they use in the wild to compromise the corporate network.
  7. Introduction The Global System for Mobile Communication or GSM is a wireless communication that uses digital technology and is widely deployed across the globe for mobile communications, such as mobile phones. This technology utilizes microwaves, and its signal transmission is divided by time, mostly known as Time Division Multiple Access (TDMA). In this article, I will be discussing the method that could be used to see the traffic on a GSM network and how an attacker could abuse the GSM network. Mobile communication technology was already developed and widely used in the early 1980s. For the first time, the C-NET system was developed in Germany and Portugal by Siemens, the RC-2000 system was developed in France, and the NMT system was developed in the Netherlands and Scandinavia by Ericsson, as well as the TACS system which operates in the UK. GSM appeared in mid-1991 and eventually turned into mobile telecommunications standard for the whole of Europe, maintained by the ETSI (European Telecommunications Standards Institute) technical committee. GSM started its commercial operation at the beginning of the last quarter of 1992 because GSM is a complex technology and needed more assessment to be used as standard protocol. In September 1992, type approval standards for mobile agreed to consider and incorporate dozens of test items for GSM production. In Europe, GSM was originally designed to operate at the frequency of 900 MHz. In this frequency, the uplinks use frequencies between 890 MHz to 915 MHz, and frequency between 935 MHz to 960 MHz is used for downlinks. The bandwidth used is 25 MHz ((915 – 890) = (960 – 935) = 25 MHz), with a channel width of 200 kHz. GSM Network Architecture Typical GSM network architecture is divided into 3 parts: Mobile Station (MS) Base Station Sub-system (BSS) Network Sub-system (NSS) And all elements of the network at the top form a PLMN (Public Land Mobile Network). Picture 1. GSM network architecture. Mobile Station or MS is a device used by the customer for making phone calls. This device consists of: Mobile Equipment (ME) or the handset (UM) is a GSM device that is located on the user’s or customer’s end that serves as a terminal transceiver (transmitter and receiver) to communicate with other GSM devices. Subscriber Identity Module (SIM) or SIM card is a card that contains all customer information and some information about services. ME can’t be used without SIM in it, except for emergency calls. The data stored in the SIM in general are: International Mobile Subscriber Identity (IMSI). Mobile Subscriber ISDN (MSISDN). Encryption mechanism. Base Station System or BSS consists of: Base Transceiver Station (BTS) is a GSM device that is directly related to MS and serves as the sender and receiver. Base Station Controller (BSC) is a controller device for base stations located between the BTS and MSC. Network Sub System or NSS consists of: Mobile Switching Center (MSC) is a central network element in a GSM network. MSC works as the core of a cellular network, where MSC main role is for interconnection, both among the cellular or wired network PSTN or with the data network. Home Location Register (HLR) is a database that saves the data and customer information permanently. Visitor Location Register (VLR) is a database of the subscribers who have roamed into the jurisdiction of the Mobile Switching Center (MSC) which it serves. Authentication Center (AuC) authenticates each SIM card that attempts to connect to the GSM core network (typically when the phone is powered on). This also checks the validity of the customer. Equipment Identity Registration (EIR), is often integrated to the HLR. The EIR keeps a list of mobile phones (identified by their IMEI) to be banned from the network or monitored. This is designed to allow tracking of stolen mobile phones. GSM Layer There are 3 layers in the GSM network: Layer 1 or the physical layer, for setting the channels. Layer 2 or the data-link layer, whose main role is to identify the data that is sent from UM to BTS. Layer 3 consist of 3 parts: Radio Resource (RR), Mobility Management (MM) and Call Control (CC) that serves as a regulator for radio, mobile management and call control. Illustration of How GSM Works [mg]http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/031815_2231_Introductio2.png icture 2. Illustration of how GSM works. Mobile phone is input with the destination number and connects to the nearest BTS. BSC and BTS send to MSC to continue and proceed to the AuC for checking the user identification. MSC proceeds to the HLR / VLR to check the existence of mobile phone. BSC and MSC proceed to the nearest BTS where the destination mobile located. Problem The background of this issues lies in the GSM network. Due to leaking of the design of encryption in 1994, it could be attacked, such as sniffing the voice in an established communication. Attacking 1. Packet Analysis At this stage, the attacker will do packet analysis on one of GSM providers (for this example, the attacker will attack one of the service providers in Indonesia). The attacker is using multiple devices for packet analysis (Openmoko and Nokia 3310) and using Wireshark to dissect information used in GSM networks such as: Encryption used by the provider. ARFCN number. Location of the mobile phone, etc. The first step is that the attacker will analyze encryption used by the provider: Picture 3. A5/1 encryption used by the provider. In the picture above, the encryption used by the provider is A5/1. In the second packet, we could see the location in ARFCN, because ARFCN is determinant of the uplink and downlink signal to a GSM network. Picture 4. ARFCN (downlink) in use. From the above picture, we could see that the provider uses ARFCN 881. For more details, the frequency for ARFCN 881 is as follows: ARFCN: 881 Downlink frequency: 1879000000 Hz Uplink frequency: 1784000000 Hz Distance: 95000000 Hz Offset: 512 Band: GSM1800 (DCS 1800) It could be assumed that the provider uses encryption A5/1 and 1879000000 Hz frequency for downlink and 1784000000 Hz for uplink. However, ARFCN is not static in a communication. Picture 5. ARFCN calculation (GSM 1800) Picture 6. GSM900 frequency allocation in Indonesia. Picture 7. GSM1800 frequency allocation in Indonesia. 2. Authentication of a Communication When MS communicates to a BTS, MS identifies himself using IMSI and IMEI, and BSC to MSC communication to respond to IMSI. The authentication function is to assure that MS is a legitimate user. An illustration can be seen in the image below: Picture 8. MS Authentication flow. An explanation for the above picture is as follows: MS sends IMSI and IMEI to BSC. BSC requests IMSI and IMEI to MSC. MSC responds and sends RAND, SRES and Ki. BSC sends RAND to MS. MS responds with SRES’. BSC checks SRES’. 3. Kc Generation On A5/1 Picture 9. Kc generation on A5/1. The picture above shows the process of Kc generation before being used to send and receive a communication. RAND is a random number generated by the AuC when a customer makes a request authentication to the network. RAND isused to generate SRES and Kc. Ki is key authentication paired with IMSI when a SIM card is made. Ki only exists on the SIM card and the Authentication Center (AuC). Ki never get transmitted over the GSM network. A8 is an algorithm that’s being used to calculate Kc. Ki and RAND are inserted into the A8 algorithm and the result is Kc. The A8 algorithm exists on the SIM card and the AuC. Kc is the key used in the A5 encryption algorithm to write and decipher data that is being sent when communication occurred. 2. Sniffing GSM In Realtime In order to be able to sniff a GSM packet, you must have a hardware that works as a receiver. For example, the RTL-SDR with rtl2832 chip. However, this hardware has a limitation. The maximum packet capture is 16 kHz wide. In other words, not all GSM packets can be captured using this hardware. Picture 10. Sample packet captured with rtl2832 DVB (max 16 kHz). GSM uses 200 kHz for communication and it is divided into 8 slots (200 kHz / 8 = 25 kHz / slot). Picture 11. Downlink and uplink frame illustration. Before we could start capturing GSM packets, first we must know the ARFCN in use. One method that could be used to find out the ARFCN is by using Blackberry Engineering Mode. In order to use that feature, you can simply search for “blackberry engineering mode calculator“. After entering the engineering mode, you can see the ARFCN currently in use as you may see in this picture: Picture 12. Blackberry engineering mode (ARFCN 114). After knowing the ARFCN, we could proceed to capture the downlink packets. The capturing process could be seen in this picture (the result is not optimal due to a standard antenna being used): Picture 13. Sample captured with DVB (only to see the downlink frequency). From the above picture, we could see that the signal is not strong enough and it could increase the packets lost during capture period. Here’s an example of captured GSM packets using RTL-SDR and analyzed using Wireshark: Picture 14. Sample GSM packet captured using RTL-SDR and analyzed using Wireshark. Conclusion From the above explanation, we could conclude that communication through GSM exposes some security concerns. An attacker who understands how the GSM protocol works and has complete GSM standard documentation could find a way to attack the GSM networks, especially if security is poorly implemented. Source
  8. GSM or Global System for Mobile Communication is a technology that’s widely used in mobile communications, especially mobile phones. This technology utilizes microwave and signal transmission divided by time, so that the signal information sent will arrive at the destination. The GSM standard for mobile communications as well as mobile technology is deployed more than its counterparts around the world, like CDMA. At this time we will discuss how to track a cell phone by using the Doppler effect, in other words we will make it easier to know the whereabouts of a person just by having information such as cell phone numbers. GSM Network Architecture Typical GSM network architecture is divided into 3 parts: Mobile Station (MS) Base Station Sub-system (BSS) Network Sub-system (NSS) All elements of the network at the top form a PLMN (Public Land Mobile Network). Picture 1. GSM network architecture Mobile Station or MS is a device used by the customer for making phone calls. This device consists of: Mobile Equipment (ME) or the handset (UM) is a GSM device that is located on the user or customer end that serves as a terminal transceiver (transmitter and receiver) to communicate with other GSM devices. Subscriber Identity Module (SIM) or SIM card is a card that contains all customer information and some information about services. ME can’t be used without a SIM in it, except for emergency calls. The data stored in the SIM in general are: International Mobile Subscriber Identity (IMSI) Mobile Subscriber ISDN (MSISDN) Encryption mechanism Base Station System or BSS consists of: Base Transceiver Station (BTS), a GSM device that is directly related to MS and serves as the sender and receiver. Base Station Controller (BSC), a controller device for base stations which is located between the BTS and MSC. Network Sub System or NSS consists of: Mobile Switching Center (MSC), a central network element in a GSM network. The MSC works as the core of a cellular network, where its main role is for interconnection, both among the cellular or wired network PSTN or with the data network. Home Location Register (HLR), a database that saves the data and customer information permanently. Visitor Location Register (VLR), a database of the subscribers who have roamed into the jurisdiction of the Mobile Switching Center (MSC) which it serves. Authentication Center (AuC) authenticates each SIM card that attempts to connect to the GSM core network (typically when the phone is powered on). This also checks the validity of the customer. Equipment Identity Registration (EIR), is often integrated to the HLR. The EIR keeps a list of mobile phones (identified by their IMEI) which are to be banned from the network or monitored. This is designed to allow tracking of stolen mobile phones. GSM Layers There are 3 layers in the GSM network: Layer 1 or the physical layer, for setting the channels. Layer 2 or the data-link layer’s main role is to identify the data that is sent from UM to BTS. Layer 3 consists of 3 parts: Radio Resource (RR), Mobility Management (MM) and Call Control (CC) that serve as regulators for radio, mobile management and call control. Picture 2. Illustration of how GSM works Mobile phone is input with the destination number and connects to the nearest BTS. BSC and BTS sends to MSC and proceeds to AuC for checking the user identification. MSC proceeds to the HLR / VLR to check for the existence of the mobile phone. BSC and MSC proceed to the nearest BTS where the destination mobile located. How Doppler Works Doppler is a change in the frequency or wavelength of a wave source that is received by the observer. This is the Doppler effect formula which is not affected by wind: Doppler effect formula which is influenced by the wind: This is the illustration of Doppler effect: Picture 3. Doppler effect illust From the above picture, there are 3 persons: A, B and C. A is the person in the middle who could detect the source of the wave/sound from B or C. Because the wave/sound that came from B or C travels in a certain frequency and distance, the A person could distinct the source of the wave/sound. Concept In this article, we are proposing a GSM radar using the Doppler effect, where the Doppler effect itself will be used to listen for the mobile phone uplink. There are some literature and references that mention about the Doppler effect being used to identify a signal if the Doppler effect is combined with the right filter processing according to the signal characteristic being transmitted. Research 1. OpenBTS Installation This article won’t go further step by step on this OpenBTS installation until it could be used, because there are already a lot of tutorials which cover the installation process. For this research, we are using USRP N200 from Ettus Research. But as we proceed using OpenBTS with USRP N200, we realize that there is an anomaly in the signal transmitted by USRP N200. So, we are using a spectrum analyzer to figure out and find a solution for the signal anomaly. This is the setup we are using: Picture 4. Using spectrum analyzer to figure out USRP N200 signal anomaly Picture 5. Signal anomaly as seen on spectrum analyzer As you can see from the picture above, the signal generated by USRP N200 looks like a horn and the noise is quite high. The possible cause for that anomaly is USRP N200 clock is not accurate, and the solution for that is by adding a filter, so the final result will be a correct GSM modulation like this picture: Picture 6. Correct GSM modulation after adding a filter 2. Doppler Design After doing some research on Doppler design, we found out that some design is not capable for a frequency of 900 MHz, but we have a workaround and modified existing Doppler design so it capable of reaching 900 MHz and even higher. This is the block diagram for modified Doppler design (courtesy of Ramsey): Picture 7. Modified Doppler design Picture 8. Tracking mobile phone illustration Conclusion From the above explanation, we could conclude that the Doppler effect could be used to lookup the position of a device transmitting a signal in a certain frequency. We could take this research further to detect any kind of living creature (e.g. endangered species) that in some way is transmitting a signal in a certain frequency, as long as we have the sound sample of that creature. Source
  9. Poate va foloseste... https://dailysoftwaregiveaway.com/shop/cyberghost-5-premium-plus-vpn-discount/ Unlimited traffic volume included Unlimited bandwidth included Access to Most Wanted Servers: US, German, Romanian, Czech Republic and Netherlands Additional protection for mobile devices (PPTP, L2TP/IPSec) Guaranteed availability without any waiting times Incl. Premium support 1 Device
  10. When it comes to search on mobile devices, users should get the most relevant and timely results, no matter if the information lives on mobile-friendly web pages or apps. As more people use mobile devices to access the internet, our algorithms have to adapt to these usage patterns. In the past, we’ve made updates to ensure a site is configured properly and viewable on modern devices. We’ve made it easier for users to find mobile-friendly web pages and we’ve introduced App Indexing to surface useful content from apps. Today, we’re announcing two important changes to help users discover more mobile-friendly content: 1. More mobile-friendly websites in search results Starting April 21, we will be expanding our use of mobile-friendliness as a ranking signal. This change will affect mobile searches in all languages worldwide and will have a significant impact in our search results. Consequently, users will find it easier to get relevant, high quality search results that are optimized for their devices. To get help with making a mobile-friendly site, check out our guide to mobile-friendly sites. If you’re a webmaster, you can get ready for this change by using the following tools to see how Googlebot views your pages: If you want to test a few pages, you can use the Mobile-Friendly Test. If you have a site, you can use your Webmaster Tools account to get a full list of mobile usability issues across your site using the Mobile Usability Report. 2. More relevant app content in search results Starting today, we will begin to use information from indexed apps as a factor in ranking for signed-in users who have the app installed. As a result, we may now surface content from indexed apps more prominently in search. To find out how to implement App Indexing, which allows us to surface this information in search results, have a look at our step-by-step guide on the developer site. source: Google Webmaster
  11. Mogwai Security Advisory MSA-2015-03 ---------------------------------------------------------------------- Title: iPass Mobile Client service local privilege escalation Product: iPass Mobile Client Affected versions: iPass Mobile Client 2.4.2.15122 (Newer version might be also affected) Impact: medium Remote: no Product link: http://www.ipass.com/laptops/ Reported: 11/03/2015 by: Hans-Martin Muench (Mogwai, IT-Sicherheitsberatung Muench) Vendor's Description of the Software: ---------------------------------------------------------------------- The iPass Open Mobile client for laptops is lightweight and always on. It provides easy, seamless connectivity across iPass, customer, and third-party networks, and allows you to mix and match carrier networks without disrupting your users. The iPass Open Mobile client for laptops allows organizations to provide granular options for how employees connect to iPass Wi-Fi (the iPass Mobile Network), campus Wi-Fi, mobile broadband (3G/4G), Ethernet, and dial, using a single platform to manage all connections. Open Mobile also enables cost and security controls that provide virtual private network (VPN) integration options; mobile broadband 3G/4G usage controls for both data roaming and data usage; endpoint integrity verification that checks the security of the device at the point of connection; and several additional options for setting network connection and restriction policies. Insight into an organizations mobility usage is provided through user and device activity and summary reports as well as mobile broadband usage reports. ----------------------------------------------------------------------- Vendor response: ----------------------------------------------------------------------- "We do not consider this a vulnerability as it is how the product was designed" Business recommendation: ----------------------------------------------------------------------- Disable the iPass service unless really required -- CVSS2 Ratings ------------------------------------------------------ CVSS Base Score: 5.6 Impact Subscore: 7.8 Exploitability Subscore: 3.9 CVSS v2 Vector (AV:L/AC:L/Au:N/C:P/I:C/A:N) ----------------------------------------------------------------------- Vulnerability description: ---------------------------------------------------------------------- The iPass Open Mobile Windows Client utilizes named pipes for interprocess communication. One of these pipes accepts/forwards commands to the iPass plugin subsystem. A normal user can communicate with this pipe through the command line client EPCmd.exe which is part of the iPass suite. A list of available commands can be displayed via "System.ListAllCommands". The iPass pipe provides a "iPass.EventsAction.LaunchAppSysMode" command which allows to execute arbitrary commands as SYSTEM. This can be abused by a normal user to escalate his local privileges. Please note that this issue can also be exploited remotely in version 2.4.2.15122 as the named pipe can also be called via SMB. However according to our information, the pipe is no longer remotely accessible in current versions of the iPass Mobile client. Proof of concept: ---------------------------------------------------------------------- The following EPCmd command line creates a local user "mogwai" with password "mogwai": EPCmd.exe iPass.EventsAction.LaunchAppSysMode c:\windows\system32\cmd.exe;"/c net user mogwai mogwai /ADD;; Disclosure timeline: ---------------------------------------------------------------------- 10/03/2015: Requesting security contact from iPass sales 10/03/2015: Sales responded, will forward vulnerability information to the development 11/03/2015: Sending vulnerability details 11/03/2015: iPass asks which customer we represent 11/03/2015: Responding that we don't represent any iPass customer 12/03/2015: iPass responded, wont fix, says that the product works as designed Advisory URL: ---------------------------------------------------------------------- https://www.mogwaisecurity.de/#lab ---------------------------------------------------------------------- Mogwai, IT-Sicherheitsberatung Muench Steinhoevelstrasse 2/2 89075 Ulm (Germany) info@mogwaisecurity.de Source
  12. Beginning with April 21 2015, the biggest search company Google will use the mobile friendly websites in the ranking algorithm, which mean that if your website is mobile friendly,it will rank higher then the other websites. Surce: Goodweb
  13. After rolling out free SSL for its users last fall, CloudFlare has deployed a new level of encryption on its service that hardens and speeds up the user experience, especially when accessing domains via mobile browsers. The form of encryption, a relatively new transport layer cipher suite known as ChaCha20-Poly1305, has largely been used by Google until now. But as of yesterday, it is being used on 10 percent of CloudFlare’s HTTPS connections with more to follow. CloudFlare’s Nick Sullivan, who described the move on the company’s blog yesterday, called the cipher fast, useful and its security level “more than sufficient” for HTTPS. The algorithm is based on a combination of two other ciphers, ChaCha20 and Poly1305 MAC, both crafted by cryptographer Daniel Bernstein in 2008 and 2005 respectively. After being batted around for a bit, it surfaced in Chrome 31 in November 2013. Sullivan points out that the cipher, when paired with TLS, should excel at bridging the gap between having secure encryption on mobile browsers and APIs. While the cipher will fill that void, it also improves upon two other alternatives, RC4, which of course has its many foibles, and AES-GCM, which can cost a fortune depending on the way its implemented. It also helps that ChaCha20-Poly1305 is three times faster than AES-128-GCM on mobile services – the cipher provides 256 bits of security over GCM’s 128 – something that should reduce the strain of batteries on mobile devices. “Spending less time on decryption means faster page rendering and better battery life,” Sullivan wrote. The content delivery network explains that the change is partly fueled by the rest of the web’s fervent push towards HTTPS but that the move could also be seen as a foreshadowing of the cipher’s future widespread adoption. Sullivan acknowledges that Mozilla is planning on adding support for it in Firefox and that at the very least, using the cipher is a good fallback in case someone digs up a bug in AES-GCM, the algorithm primarily being used right now, in the near future. Source
  14. Security experts are still trying to assess the effects of the reported attack on SIM card manufacturer that resulted in the theft of millions of encryption keys for mobile phones around the world, but it’s safe to say that the operation has caused reverberations throughout the industry and governments in several countries. The attack, reported by The Intercept, is breathtaking in its scope and audacity. Attackers allegedly associated with the NSA and GCHQ, the British spy agency, were able to compromise a number of machines on the network of Gemalto, a global manufacturer of mobile SIM cards. The attackers have access to servers that hold the encryption keys for untold millions of mobile phones, allowing them to monitor the voice and data communication of those devices. The document on which the report is based was provided by Edward Snowden, and it says in part, “Gemalto–successfully implanted several machines and believe we have their entire network…” If true, that would mean that the attackers had access to far more than just those SIM encryption keys. Gemalto officials said in a statement that they were previously unaware of this operation. “The publication indicates the target was not Gemalto per se – it was an attempt to try and cast the widest net possible to reach as many mobile phones as possible, with the aim to monitor mobile communications without mobile network operators and users consent. We cannot at this early stage verify the findings of the publication and had no prior knowledge that these agencies were conducting this operation,” the statement says. Security researchers have said since the beginning of the NSA scandal–and before that, in some cases–that the agency and its allies have an intense interest in monitoring mobile communications. Mobile networks present different challenges than traditional computer networks do for attackers, but they are not insurmountable ones for organizations with the resources of NSA and GCHQ. Gemalto, as one of the larger SIM manufacturers on earth, would be a natural target for signals intelligence agencies, as it provides products to hundreds of wireless providers, including Verizon, AT&T and Sprint. Bruce Schneier, CTO of CO3 Systems and a noted cryptographer, said that this operation may represent the most serious revelation of the Snowden documents. “People are still trying to figure out exactly what this means, but it seems to mean that the intelligence agencies have access to both voice and data from all phones using those cards,” Schneier said on his blog. “I think this is one of the most important Snowden stories we’ve read.” The Gemalto revelation could have long-term effects for the technology industry and its relations with the government in the United States and UK. The relationships already have been strained by past revelations of NSA operations against infrastructure owned by companies such as Google, Yahoo and many others. This latest revelation likely won’t help matters. But White House officials aren’t worried. “We certainly are aware of how important it is for the United States government to work with private industry; that there are a lot of situations in which our interests are pretty cleanly aligned. And there are certainly steps that the U.S. government has taken in the name of national security that some members of private industry haven’t agreed with. But I do think that there is common ground when it comes to — and this is a principle that I’ve cited before — it’s hard for me to imagine that there are a lot of technology executives that are out there that are in a position of saying that they hope that people who wish harm to this country will be able to use their technology to do so,” Josh Earnest, White House press secretary, said during a briefing on Friday. Source
  15. The world's biggest SIM card manufacturer, Gemalto, revealed yesterday to have been hacked by the NSA and GCHQ, has taken a $470m hit in its stock price. Gemalto was caught unawares by the revelation that the US and UK intelligence agencies had compromised its systems, and stole potentially millions of SIM card keys used to encrypt phone calls around the world. Gemalto supplies SIMs to 450 networks on Earth, from AT&T to T-Mobile, and launched an investigation. Speculation that the Dutch manufacturer may be forced to recall chips, incurring huge costs, caused its share price to fall eight per cent in early trading before recovering a little to four per cent down on closing. Obtaining SIM card private keys allows intelligence agencies to decrypt intercepted calls without anyone knowing – not the users, the network operators nor the handset manufactures. Communications eavesdropped today, yesterday or five years ago can be decoded once a SIM's Ki key is obtained. The company issued a statement today in which it promised to get to the bottom of the hack: "Gemalto is especially vigilant against malicious hackers, and has detected, logged and mitigated many types of attempts over the years. At present we cannot prove a link between those past attempts and what was reported yesterday. “We take this publication very seriously and will devote all resources necessary to fully investigate and understand the scope of such sophisticated techniques.” Incensed Security watchers praised the company for its prompt and forthright response. But privacy and communications experts are incensed by the latest revelations about GCHQ/NSA warrantless mass surveillance. The World Wide Web Foundation has called for urgent steps to be taken to secure private calls and online communications. Its chief exec Anne Jellema commented: "The news that US and UK spy agencies hacked the network of a Dutch company to steal encryption keys for billions of SIM cards is truly shocking. "Possession of these keys would allow these agencies to access private calls, web browsing records and other online communications without any of the legal safeguards and processes in place to prevent abuses of power.” Jellema argued that the surveillance would undermine trust in mobile payments, among other concerns. “This is yet another worrying sign that these agencies think they are above the law. Apart from its blatant disregard for multiple human rights, this foolish move undermines the security and future of the global mobile payments industry." She noted that any security weakness or backdoors into a cryptographic system might also be exploited by third-party cybercriminals and called for an investigation into GCHQ including "a full and frank disclosure as to why they hacked a private company, and one headquartered in an ally country." Other security experts warned that other intelligence agencies may be up to the same tricks. Andrew Conway, research analyst at Cloudmark, said: “The ease with which the NSA and GCHQ were able to compromise all mobile communications is shocking. But there are other nation state actors with just as much determination and sophisticated hackers. In particular, China's Axiom Group has shown remarkable abilities to penetrate targets in the West.” Not just the NSA? He highlighted other worrying accounts of mobile companies being targeted: "Last year, mobile security company ESD revealed that they had detected a network of fake mobile phone towers intercepting communications near US military bases. It was assumed that whoever was responsible was just collecting metadata, because 3G and 4G communications are encrypted. Could it be that this was some foreign espionage agency with the ability to listen to US mobile phone calls? Or perhaps it was the NSA monitoring all civilian phone calls near military bases for possible terrorist activity? Regardless, it is clear that mobile communications have been badly compromised.” A complete revamp of mobile comm security may eventually be required, Conway concluded. "In the short term organizations requiring secure voice communications can consider deploying mobile devices with another layer of encryption, such as Blackphone or Cryptophone. In the long term, we need to do a better job of end-to-end encryption of all mobile and fixed line communications - which will include not relying on a single master key for all communications." Source
  16. Una dintre cele mai frecvent utilizate functii ale smartphone-urilor este mesageria. O comunicare privata trebuie sa ramana privata, iar comunicarea in interes de servici nu trebuie sa fie, in nicio imprejurare, interceptata; sub aceasta deviza G DATA prezinta noua sa aplicatie Secure Messaging la Mobile World Congress 2015 din Barcelona. G DATA SECURE CHAT ofera securitate extrema, text multi-criptat si comunicare chat – si totodata, garanteaza transferul securizat de fisiere media, de exemplu transferul de fotografii. G DATA se bazeaza pe protocolul securizat Axolotl, care a fost initiat de TextSecure si care are deja peste 10 milioane de utilizatori din intreaga lume. G Data prezinta si alte repere la Barcelona: INTERNET SECURITY pentru Android si Mobile Device Management. Companiile isi pot pastra smartphone-urile si tabletele in siguranta, oriunde in lume, datorita solutiei mobile de securitate “Made in Germany”. G DATA va expune la Mobile World Congress 2015 de la Barcelona in Pavilionul 6, Standul 6B40, in perioada 2- 5 martie 2015. “Protectia comunicatiilor mobile si integrarea dispozitivelor mobile in concepte de securitate la nivel de companie devin din ce in ce mai importante pentru companii. G DATA se pozitioneaz? ca un lider in tehnologie in acest sector si ca furnizor de solutii de securitate IT complete,” spune Walter Schumann, CSO G DATA Software AG. Protejarea mesajelor, datelor si comunicatiilor de voce impotriva atacatorilor cibernetici, sustragerilor neautorizate de date si atacurilor spyware este provocarea majora a viitorului.” Cu SECURE CHAT oferim utilizatorilor de smartphone-uri si tablete o aplicatie usor de utilizat, care cripteaza, extrem de eficient, mesageria mobila, si astfel, ofera o protectie eficient impotriva accesului tertilor.” O versiune gratuita a aplicatiei G DATA SECURE CHAT, cu capacitati complete de criptare text, comunicare prin chat si trimiteri de imagini, va fi disponibila pe site-ul G DATA si in Google Play Store din aprilie 2015. Comunica in siguranta, fara restrictii Protocolul Axolotl permite utilizatorilor sa comunice cu un nivel ridicat de criptare, indiferent de aplicatia de mesagerie folosita. Datorita procesului de criptare bazat pe curbe eliptice, acest protocol este considerat pe plan international ca fiind extrem de sigur, fiind practic indestructibil. Singura conditie este de a utiliza o aplicatie care utilizeaza protocolul de criptare, cum ar fi G DATA SECURE CHAT sau TextSecure de la Open Whisper Systems. G DATA SECURE CHAT pe scurt: Criptare securizata end-to-end pentru chat individual si de grup Un rapid, simplu si mai presus de toate, securizat mod de a trimite imagini si fotografii utilizand criptografia Backup al istoricului pe cardul SD Criptarea prin parola a istoricului Caracteristici ale versiunii Premium (licenta de G DATA INTERNET SECURITY FOR ANDROID este necesara): Filtru antiphishing pentru URL-urile din mesajele de pe chat Filtru pentru mesajele primite si trimise si pentru SMS-uri Capacitatea de a ascunde contactele selectate prin SMS TRUST IN GERMAN SICHERHEIT G DATA la Mobile World Congress 2015: Pavilionul 6, Standul 6B40 -> Sursa: MWC 2015: G DATA lanseaza un serviciu impenetrabil de mesagerie mobila
  17. A privacy hole in WhatsApp allowed anyone to view someone else's profile photo – even if a user had configured the mobile messenger app to only show their pic to their contacts. The privacy slip-up, which came with the debut of WhatsApp’s newly-introduced web interface at web.whatsapp.com, was discovered by 17-year-old security researcher Indrajeet Bhuyan. The service was designed to allow users to chat with WhatsApp contacts through a browser, potentially on a PC or laptop. Privacy settings applied on the mobile app were apparently not carried over onto the browser-based version of the technology, launched just days ago and only available through Google's Chrome browser. On the smartphone side, you can only use the functionality on Android, BlackBerry and Windows Mobile since there's no iOS version at this nascent stage. There's no suggestion that messages themselves were exposed. Only profile pictures were viewable to world+dog. A second issue, also discovered by the enterprisingly precocious Bhuyan, means that deleted photos are still viewable through the web client even though they appeared as blurred if deleted when accessed though mobile versions of the software. In both case you'd need to be logged in to see pictures in the trash, blurred or otherwise. This issue apparently stems from glitches in syncing functionality. It's unclear if and when the web version of WhatsApp will be updated to iron out these security glitches. WhatsApp recently introduced end-to-end encryption to better secure users’ messages, much to the chagrin of UK politicians such as David Cameron. Bhuyan, who had previously discovered a way to crash WhatsApp on users’ phones simply by sending a specially crafted message, has put together videos illustrating the ?WhatsApp web photo privacy bug? (here) and photo synch bug (here). Security veteran Graham Cluley said even though no sensitive data had actually been exposed, the teenager was right to call WhatsApp out on the latest issues he's managed to uncover. "Sure, it’s not the most serious privacy breach that has ever occurred, but that’s missing the point," Cluley explained in a blog post. "The fact of the matter is that WhatsApp users chose to keep their profile photos private, and their expectation is that WhatsApp will honour their choices and only allow their photos to be viewable by those who the user has approved." Source
  18. Last week, the most popular mobile messaging application WhatsApp finally arrived on the web — dubbed WhatsApp Web, but unfortunately it needs some improvements in its web version. An independent 17-year-old security researcher Indrajeet Bhuyan reported two security holes in the WhatsApp web client that in some way exposes its users’ privacy. Bhuyan called the first hole, WhatsApp photo privacy bug and the other WhatsApp Web Photo Sync Bug. Bhuyan is the same security researcher who reported us the vulnerability in the widely popular mobile messaging app which allowed anyone to remotely crash WhatsApp by sending a specially crafted message of just 2kb in size, resulting in the loss of conversations. Whatsapp Photo Privacy Bug According to him, the new version of WhatsApp Web allows us to view a user’s profile image even if we are not on the contact list of that user. Even if the user has set the profile image privacy setting to "Contacts Only," the profile picture can be viewed by out of contacts people as well. Basically, if we set the profile image privacy to Contacts Only, only the people in our contact list are able to view our profile picture, and nobody else. But, this is not in the case of WhatsApp Web. You can watch how this works in the video demonstration below: WhatsApp Web Photo Sync Bug The second security hole points out the WhatsApp Web Photo Syncing functionality. Bhuyan noticed that whenever a user deletes a photo that was sent via the mobile version of WhatsApp application, the photo appears blurred and can’t be viewed. However, the same photo, which has already been deleted by the user from mobile WhatsApp version, can be accessible by Whatsapp Web as the photo does not get deleted from its web client, revealing the fact that mobile and web clients of the service are not synced properly. You can also watch the video demonstration on this as well: This is no surprise, as WhatsApp Web introduced just a couple of days before and these small security and implementation flaws could be expected at this time, as well as some other bugs could also be revealed in the near future. However, the company will surely fix the issues and will definitely make its users’ messaging experience secure. As partnered with Open Whisper Systems, WhatsApp recently made end-to-end encryption a default feature on Android platform, stepping a way forward for the online privacy of its users around the world. -> Source: 17-Year-Old Found Bugs in WhatsApp Web and Mobile App - Hacker News
  19. As Ars has previously reported, documents passed to journalists by former National Security Agency contractor Edward Snowden have shown that the NSA and its British counterpart agency, the GCHQ, have exploited privacy "leaks" in mobile applications (including Rovio's Angry Birds) to track individuals of interest. A new document recently published by Der Spiegel provides further details on just how much the GCHQ was able to extract from mobile data to keep tabs on those it targeted for surveillance. The British agency used a program referred to as BADASS to suck up data emitted from Angry Birds and other apps, and the information was so granular, analysts could even track how well (or poorly) a person was doing playing. BADASS is an acronym for "BEGAL Automated Deployment And Survey System," and the system pulled in data from GCHQ and NSA network taps identified as mobile analytics and advertising traffic. Among other things, this data included Google "pref" cookies (such as those used by Ars to identify users in our own passive network surveillance testing with NPR) and Flurry application analytic data used by developers to track usage and performance of their mobile apps. User location data and activity could also be monitored based on the data stream, allowing analysts to pinpoint an active user within minutes, according to the GCHQ presentation from 2011. Much of this data was easily tracked because the mobile apps did not encrypt data in transit, leaving data exposed to anyone who might be able to monitor the network. That's still the case for many of these analytics and advertising services. Source
  20. Bafta! http://www.bitdefender.com/media/html/spread/download-bms/
  21. What is Pixelknot? Pixelknot is an Android application that allows users to hide short text-based messages in photographs and share them across trusted channels. Pixelknot is now available on the Google Play store, Amazon appstore, and also on our website and verifiable via the asc. What is Steganography? The practice of embedding secret messages into a piece of media so that no one, apart from the sender and intended recipient, know that the secret message exists. The newly developed algorithm F5 withstands visual and statistical attacks, yet it still offers a large steganographic capacity. F5 implements matrix encoding to improve the efficiency of embedding. Thus it reduces the number of necessary changes. F5 employs permutative straddling to uniformly spread out the changes over the whole steganogram. The Guardian steganography standard: we are working towards ensuring that the secret message in an image must: Have the original image appear, to the trained human eye, unedited. Have the bytes of the image appear, to a trained analyst, undistorted so much so as to arouse suspicion. Have the complete message be recoverable no matter how it is transmitted. Screenshots Features Have a secret that you want to share? Why not hide it in a picture? With Pixelknot, only your friends with the secret password can unlock your special message. Everyone else just sees a pretty picture. It’s a fun and easy way to share hidden messages without anyone knowing. Take those pixels, twist them in a knot, and see for yourself! ? DISGUISE YOUR MESSAGES: Pictures are public, the text is hidden inside. Even a trained eye will think the image is unedited. It’s security through obscurity! ? FOR YOUR EYES ONLY: Put a password on the secret message to make sure that no one can read it except the person it’s meant for. ? EASY IMAGE CHOOSER: You can use the camera to take photos, or just use photos you’ve already taken. ? INVISIBLE CHANGES: Even a trained analyst analyst shouldn’t be able to detect any message. The image bytes should seem undistorted. ? SHARE ACROSS PLATFORMS: Want to share the images over email, file sharing tools (like Dropbox & Sparkleshare), social media (like Google+ & Flickr) or directly through Bluetooth or NFC? Not a problem! The messages are still recoverable on the other side. We’ll have even more tools (like Facebook) working soon, so stay tuned! ? AD-FREE: We want your love, not your money. ? MATHEMATICALLY SECURE: We use the newly developed steganography algorithm F5 which implements matrix encoding to improve the efficiency of embedding and employs permutative straddling to uniformly spread out the changes over the whole steganogram. ? ATTACK RESISTANT: We’ve launched attacks on images with messages hidden in them using a specialized version of stegdetect, an automated tool for detecting steganographic content in images. In most cases, the pictures have been impervious to attack. We will be including detection in an upcoming version of the application so you can easily test it yourself! ? ARTIST FRIENDLY: The app features the work of Pablo Picasso. His painting “Girl before a Mirror” from March 1932, to be exact. We hope it inspires you to share beautiful imagery and wonderful ideas. ? WE SPEAK YOUR LANGUAGE: Or at least we try to. Don’t see your language? Join us and help translate the app: https://www.transifex.com/projects/p/pixelknot/ Download: https://guardianproject.info/wp-content/uploads/2013/04/pixelknot-qr1.png Source: https://guardianproject.info/apps/pixelknot/
  22. Daca nu am postat unde trebuie, rog un moderator sa mute acest topic in sectiunea potrivita! In ultimii ani am avut contact cu tot felul de situatii care au pus marile companii de furnizari servicii din Romania, intr-o lumina proasta. Ma deranjeaza faptul ca, daca prin absurd cineva da pread pe internet unei metode de exploatare a unui serviciu in scopuri "malefice", acea persoana este pedepsita conform legilor in vigoare, dupa cum sustin autoritatile.Insa, daca incerci sa le aduci la cunostinta marilor companii anumite vulnerabilitati care nu fac parte din aria web, coding, infrastructura, esti tratat cu o atitudine de genul "hm, cine mai este si asta?". Ma deranjeaza foarte tare faptul ca se investesc milioane de euro in tot felul de platforme, proiecte, si simteme menita sa previna atacurile si vulnerabilitatile existente, sa nu fure ala nu stiu ce, sa nu fie expuse datele confidetiale ale clientilor nu stiu unde si asa mai departe, constantand cu stupoare ca de fapt nu se face nimic. Haideti sa tratam putin un subiect care, dupa parerea mea cauzeaza prejudicii enorme. Poate fi numita o facilitate insa nu este pusa foarte bine la punct. Si o sa vedem si de ce. Confirmarile de plata - companiile de telecomunicatii si gafa imensa a lor. In urma unei analize atente a metodelor prin care utilizatorul poate efectua plata facturii, operatorii de servicii de telecomunicatii iti pun la dispozitie instrumente de plata care genereaza o intarziere a virarii banilor in contul operatorului si de asemenea o intarziere pentru restabilirea serviciilor. Concret: Daca a fost efectuata plata unei facturi la casieria operatorului, plata este procesata mult mai repede si bineinteles restabilirea serviciilor se face mai repede. Daca plata a fost efectuata la un PayPoint spre exemplu, bani ajung cu intarziere in contul furnizorului. Aceste metode alternative de plata, sunt facilitati pe care operatorii le pun la dispozitia clientului (Exemplu: Imi iau de la astia internetul pentru ca pot sa platesc oriunde factura). In cazul in care plata a fost facuta in orice alta locatie decat casieria furnizorului, ai la dispozitie optiunea de a efectua o CONFIRMARE DE PLATA.Aceasta confirmare de plata iti ofera posbilitatea restabilirii serviciilor pe o perioade de 4 pana la 12 zile, in fucntie de operator si in functie de rapiditatea cu care acesta verifica daca banii platiti de tine au intrat in contul lor. Un abonament al unui operator denumit X, este facut pe datele de identificare ale unui utilizator Y. Acest abonament are o valoare de 15 euro. Acestui utilizator i se emite o factura pe luna precedenta ca urmare a utilizarii serviciilor, plata urmand sa se faca retroactiv, dupa cum bine stiti. Utilizatorul abonamentului nu efectueaza plata serviciilor folosite in termenul scadent al facturii stabilit de operatorul de telefonie mobila/fixa, urmand ca serviciile sa fie suspendate pe motiv de neplata. Ce se intampla daca, serviciile mele au fost suspendate, iar eu nu am platit factura si fac o confirmare de plata? Se intampla urmatorul lucru: Sun la numarul de telefon pentru relatii cu clientii, aleg sa fac o confirmare de plata, robotul ma identifica si ma va pune sa introduc suma platita, iar eu introduc valoarea facturii, confirm ca am introdus corect si VOILA! Serviciile sunt restabilite, timp in care operatorul verifica daca banii au ajuns. Eu de fapt nu am platit nicio factura, dar serviciile mele sunt restabilite si pot din nou sa stau linistit pe internet sau sa vorbesc la telefon. Iata cat de "bine sunt structurate" lucrurile in Romania. Dezavantaje: -Poti face o singura confirmare de plata in decursul aceleasi luni de facturare. -Masura pe care o pot lua impotriva voastra este aceea de "a se interzice accesul la acest serviciu pe o perioada nedeterminata/determinata".( nu se intampla niciodata asta) Punct Nu imi asum raspunderea pentru actiunile voastre sau pentru prejudiciile cauzate. Acest post are rol pur informativ.Nu este o metoda de frauda.
  23. 2Prieteni.Net - Trimite gratis, sms cu numar necunoscut in orice retea mobila din Romania
×
×
  • Create New...