Blogger Widgets

Friday, 27 June 2014

Researchers Uncover Spying Tool Used by Governments to Hijack all Types of Smartphones #Hacking #Privacy #Spying #Hijacking #Surveillance



Purchasing malware to victimize people is illegal by laws but if the same thing any government official do, then its not!! Yes, the police forces around the World are following the footsteps of U.S. National Security Agency (NSA) and FBI.

Researchers from the Citizen Lab at the Munk School of Global Affairs at the University of Toronto and computer security firm Kaspersky Lab have unearthed a broad network of controversial spyware which is specially designed to give law enforcement agencies complete access to a suspect's phone for the purpose of surveillance.


The malware, dubbed as Remote Control System (RCS), also known as Da Vinci and Galileo, is developed by an Italian company known as Hacking Team, available for desktop computers, laptops, and mobile devices. The latest version of the malware works for all phone including Android, iOS, Windows Mobile, Symbian and BlackBerry devices, but best on Android devices, and can also be installed on jailbroken iOS devices. But even if the targeted iOS device is not jailbroken, the malware uses the famous Evasi0n jailbreaking tool to install the malware easily.

The team of researchers from both Citizen Lab and Kaspersky Lab in collaboration has presented their findings during an event in London. According to the report published, the diameter of the command infrastructure supporting Hacking Team, which sells the RCS to governments and law enforcement, is very vast with 326 command-and-control (C&C) servers running in more than 40 countries.

MALWARE DEVELOPERS - ‘HACKING TEAM’
Hacking Team is a Milan-based IT company with more than 50 employees that has made a totally different place for itself selling "offensive" intrusion and surveillance software to governments and law enforcement agencies in "several dozen countries" on "six continents."

It was a well-known fact for quite some time that the HackingTeam products included malware for mobile phones. However, these were rarely seen,” said Kaspersky Lab experts on the blog post. “In particular, the Android and iOS Trojans have never been identified before and represented one of the remaining blank spots in the story.”


Kaspersky Lab researchers have used a fingerprinting method to scan the entire IPv4 space and to identify the IP addresses of RCS Command & Control servers around the world and found the biggest host in United States with 64 counts of C&C servers. Next on the list was Kazakhstan with 49, Ecuador has 35, UK which hosts 32 control systems and many other countries with a grand total of 326 Command & Control servers.
"The presence of these servers in a given country doesn't mean to say they are used by that particular country's law enforcement agencies," said Sergey Golovanov, principal security researcher at Kaspersky Lab. "However, it makes sense for the users of RCS to deploy C&Cs in locations they control – where there are minimal risks of cross-border legal issues or server seizures."
RCS can be physically implanted on the victim’s device through a USB or SD card, and remotely it can be installed through spear phishing, exploit kits, drive-by downloads or network traffic injection.

Once installed on Apple iOS and Android device, the new module enable governments and law enforcement officers with larger capabilities to monitor victim devices, including the ability to:
  • control phone network
  • steal data from their device
  • record voice E-mail
  • intercept SMS and MMS messages
  • obtain call history
  • report on their location
  • use the device’s microphone in real time
  • intercept voice and SMS messages sent via applications such as Skype, WhatsApp, Viber, and much more.
"Secretly activating the microphone and taking regular camera shots provides constant surveillance of the target—which is much more powerful than traditional cloak and dagger operations," Golovanov wrote.
While, the Android module is protected by an optimizer for Android called DexGuard that made the it extremely difficult to analyze. However, most of the iOS capabilities mentioned above are also available for Android, along with the support for hijacking applications such Facebook, Google Talk, Tencent of China and many more.

The mobile modules for each are custom-built for each target, researchers said. From previous disclosures we have seen that RCS is currently being used to spy on political dissidents, journalists, human rights advocates, and opposing political figures.

Credited to: Hacker News Website

Thursday, 26 June 2014

Intel Developing RFID Tracking and Remote Controlled 'Kill Switch' for Laptops #Intel #KillSwitch #Theft

 
 
Kill Switch - the ability to render devices non-operational to prevent theft - has become a hot topic nowadays. The ability to remotely destroy data of the device lost or stolen has been available for quite some time now, but Kill switch not only remotely destroy the devices’ data but also the device itself, making it useless for the thieves.
Just last week, Google and Microsoft signed an agreement with the New York Attorney General to add "kill switches" to the upcoming versions of Android and Windows Phone devices, as a part of the "Secure our Smartphones" initiative.
But now, the largest chip manufacturer, Intel will soon going to provide Kill Switches for your laptops as well. The company has been working on a project called Wireless Credential Exchange (WCE) with several partners in an effort to bring Kill switch to other mobile devices, including laptops.

The project uses RFID technology to provision, track and monitor devices such as laptops, hospital equipment and other devices, including a Kill Switch option for the lost or stolen devices.
You all might have heard about the RFID technology, which has been available for more than fifty years. RFID, stands for Radio-frequency identification, is the wireless non-contact use of Radio-Frequency electromagnetic fields to transfer signals, for the purposes of automatically identifying and tracking tags attached to objects.
The Wireless Credential Exchange (WCE) uses the Monza RFID chips developed by Impinj, industry-standard RFID readers created by Technology Solutions UK and a cloud-based data repository and dashboard created by Burnside Digital called IPTrak software.
The IPTrak software that ties all components together, allows Intel SoC to read and write data such as unique IDs, error logs, permissions, and device configuration to the Monza chip, even if the system is powered off.
Devices can be scanned using a RFID reader and data from the IPTrak software stored in a cloud-based database and accessed via IPTrak mobile device apps for Windows, iOS, or Android applications using Bluetooth technology.
For example, It has ability to disable a device prior to shipping and then only reactivating the device once it reaches its final destination. This would render a device useless if it were lost or stolen during shipment.
In addition to this, devices returned to a factory or repair center could be scanned, error logs read, and the device routed to the appropriate technicians without even opening the box.
Two years back, Intel added ‘Kill Switch’ to its Sandy Bridge processors naming them Anti-Theft 3.0, using which the processor can be disabled even if the computer has no Internet connection or isn't even turned on, over a 3G network, so that if computer is lost or stolen, it can be shut down remotely.
 
Posted Courtesy of Hacker News Website
 

Thursday, 19 June 2014

Tough Law on Cybercrime Targets All Kenyans #Hackers #Hacking #Cybercrime #Cyberbulling #Kenya


Kenya still relies on Central Depositories Act and the Penal Code, among other frameworks, that are not clear with regard to arresting and prosecuting cyber-crime suspects. Previously, Kenyans courts were limited in trying offenses committed outside the country. Those found guilty will either be fined up to Sh2 million, be jailed for three years, or both.Courts in the country will soon have jurisdiction to try any Kenyan citizen who commits an offense anywhere in the world if the Cybercrime and Computer Crimes Bill, 2014 becomes law.
The Bill, which was drafted by the office of the Director of Public Prosecution and is to be tabled in Parliament, proposes actions for offence committed in and outside Kenya.
“We need these laws and once in place we have to sensitise Kenyans so that we can deal with cybercrime,” Deputy Director of Public Prosecutions Dorcas Oduor said when opening a forum for stakeholders to discuss the proposed Bill this week. (READ: There’s urgent need for internet law)
Previously, Kenyans courts were limited in trying offences committed outside the country.

DISCLOSE PASSWORDS
Those found guilty of committing the offence on a ship or aircraft registered in Kenya, using a Kenyan domain name or outside the territory of Kenya will also be prosecuted.
They will either be fined up to Sh2 million, be jailed for three years, or both.
Evidence generated from a computer system will also be admissible in a court of law while prosecuting such a crime.
The Bill also proposes that a person who causes a computer system to perform a function, knowing that the access they intend to secure is unauthorised, commits an offence.
“A person who intentionally and without lawful excuse or justification, inputs, alters, delays transmission, deletes, or suppresses computer data, resulting in inauthentic data with the intent that it be considered or acted upon for legal purposes as if it were authentic, commits an offence and is liable upon conviction to a fine not exceeding ten million or ten years imprisonment or both.”

EMOTIONAL DISTRESS
The Bill also proposes that a person who sells, lets to hire, distributes, publicly exhibits through a computer system and puts into circulation, or for purposes of sale, hire, distribution, public exhibition or circulation, makes, produces or their possession any obscene book, pamphlet, paper, drawing, painting, art, representation or figure or any other obscene object commits an offence.
Those using computers to threaten, abuse or insulting words or behaviour, displays publishes or distributes written or electronic material; or distributes, shows or plays, a recording of visual images will be held accountable.
The Bill also proposes action on a person who uses a computer system including electronic communication to harass, intimidate or cause substantial emotional distress or anxiety to another person.
These include communicating obscene, vulgar, profane, lewd, lascivious, or indecent language, picture or image.
Courts will also issue a warrant authorising a police officer or lawful authority, to enter any premises to access, search and seize the thing or computer data.
All public or private corporations processing personal data will be expected to report any security breaches resulting in theft, loss or misuse of data to the police and those who will fail will be committing an offence.
 Depicted from The Daily Nation

Is it worth it?! For others, they need that rush, that adrenaline flow in their blood,so its a fruit that must be eaten-I have one phrase to guide you; that's if you can't stay away from that adrenaline rush: 'Make it hard for them to find you, and impossible for them to prove they've found you' *Winks* Happy Hunting

Wednesday, 18 June 2014

Attacking WPA/WPA2 Enterprise Networks #Hacking #Networking #Infosec #WiFi #Wireless #WPA2




Introduction:

This guide will discuss some of the security flaws regarding wireless networks implementing WPA/WPA2 Enterprise authentication as well as ways to exploit these weaknesses. Enterprise type authentication models are mostly used in corporate settings consisting of companies that typically have a lot of people. From what I have seen a lot of Universities, Colleges as well as Hospitals also use this form of authentication to verify its users. The methods discussed below are usually a result of VERY COMMON poor configuration in regards to certificate validation as well as RADIUS configuration.
DISCLAIMER: DO NOT USE ANY OF THE METHODS BELOW AGAINST NETWORKS THAT YOU ARE NOT AUTHORIZED TO AUDIT.
Homework: First and foremost if you do not know exactly how enterprise authentication works I suggest you do some reading to get yourself familiar with the process of how clients are verified. I highly suggest reading this PEAP which discussed the different types authentication types that can take place within enterprise. Also take a look at RADIUS which gives some nice detail as to how the RADIUS server works. A few things to take note of:
1. WPA/WPA2 Enterprise does NOT use a preshared key, this means that every time a user is verified on the network a random key is generated. To the best of my knowledge this cannot be cracked by capturing packets.
2. This guide will cover mainly PEAP since it accounts for 80% or more of the types used in the US (see Wikipedia page)
3. EAP is responsible for authentication NOT the access point
4. The access point handles the encryption( TKIP/CCMP)
I will try and outline how the authentication process works as simply as possible...
Okay, this diagram will hopefully help you visualize what's going on. Here is the process in order which things occur.... 1.Client sends request to access point to connect. 2. The access point responds telling the client to connect to the RADIUS server to be authenticated. 3. Client connects to the RADIUS server. 4. RADIUS sets up TLS tunnel to receive username and password from client. 4. RADIUS server verifies client . 5. RADIUS server tells access point that the client is verified and can now connect. 

Scenario 1: For our first attack we will be using a rogue access point. Due to the way enterprise is implemented this becomes essential in helping us get past the RADIUS server problem. The Radius server uses a certificate to validate the access point along with the network. Once the certificate is validated the client sends his username and password to the server to be verified. What we will be exploiting is a VERY common mistake made in configuring PEAP, where certificate validation is NOT used! If PEAP is configured this way (surprisingly a lot of the time it is..) the client will not be prompted if an invalid certificate is used and unknowingly will accept it. Step 1: Create a fake AP by matching the target networks SSID, encryption type and band (a/b/g/n).
This can very simple or very complex depending on how sophisticated you want this attack to be. For example you could take a regular Linksys home router change its settings and run it off of batteries for more stealth placement. See this link for details on running a router off of batteries Wrt54g on batteries. You can run a normal Linksys router on a lead acid battery for close to a month.
This allows for stealthy placement of the access point where it will not need a hard wired power source. Using modified antennas and/or amplifies will also be more powerful in getting users to connect. (more info on this later)

 

Step 2: Create our own fake RADIUS server.

Okay we have our fake access point that identical to our target network. Now we need our fake RADIUS server. We will be setting up our own little fake RADIUS server on a version of Backtrack4 which will be connected wirelessly to our fake access point. Download the free radius server from www.freeradius.org (You may need version 2.02 haven't tested with the newer one) . Extract freeRADIUS and go to that directory. We will be applying a patch known as Wireless Pwnage Edition created by Joshua Wright and Brad Antoniewicz. Available here WPE freeradius. What this patch does:
  • Will return success for ANY authentication request regardless of who it is.
  • Will create a Log of all client credentials. This includes username, password and the challenge response. (if you don't know what a challenge response is you didn't read the Wikipedia page)
  • This will log credentials for PEAP, TTLS, LEAP, EAP-MD5, EAP-MSCHAPv2,PAP,CHAP
In the directory where freeRadius is extracted run the following to patch freeRADIUS. $ patch -p1 < ../freeradius-wpe-2.0.2.patch $ ./configure && make && sudo make install && sudo ldconfig Now we will create our certificates. $ cd freeradius-server-2.0.2/raddb/certs $ ./bootstrap $ sudo cp -r * /usr/local/etc/raddb/certs Start the server. # radiusd Monitor the Log File # tail -f /usr/local/var/log/radius/freeradius-server-wpe.log
Next we need to set our fake access point to use our RADIUS server.
Fill in the required fields on the fake access point. Now we need to get a client to connect to our AP. You can do this a few ways. You can simply wait until a client connects or if your impatient like me you can start deauthenticating people from legit access points. ( we all know how to do that right :p ) There's other ways as well, by having the strongest signal strength people will connect to your AP instead of others, you can do this by using antennas/amplifiers if necessary. Chances are you shouldn't have to go the amplifier route and you should have a victim connect to your AP and type in their credentials which the RADIUS server will capture. When viewing the log you should see something like this. (**NOTE** VISIBLE ACCESS POINTS TAKE PRECEDENCE OVER HIDDEN ACCESS POINTS IN WINDOWS)
The challenge and response is their password. Now we have to crack it with a dictionary attack.
Fire up Asleap This is what we will be using to crack the challenge and response. Type the following ./asleap -w "wordlistgoeshere" -C "Challenge" -R "Response" Now you wait. Depending on how good your dictionary is you will have a password. GRATZ!

Scenario 2 (excuse my lack of detail, if anyone wants I will write up a more detailed version) Now what if the certificate validation is used when configuring PEAP? This will cause the user to be prompted to accept the certificate when they join a new network. The dialog box that is presented gives VERY LITTLE DETAIL! Their certificate will verify that the network they are joining is correct and legitimate. We can apply the same attack as above and succeed as long as the user accepts the certificate and they did not specify which server the certificate is valid for which is not filled in by default. This is another very common negligence by people setting up PEAP. Now knowing end users, the chances are pretty good that they will click accept since the dialog provides minimal detail. Now before we proceed we will need to sniff the certificate that the user is using. This can be done with almost any wireless capture tool. When a user connects to their network a TLS connection will be setup up and the certificate will be able to be captured as it is not encrypted during the first request. After some very basic wireless sniffing, determine the CA of the certificate. These are usually the major vendors such as Verisign. You will need to purchase a LEGITIMATE certificate from this vendor to perform the attack. After you have purchased the certificate set the fake RADIUS server up to use it. Now because the person who configured PEAP did not specify the server that the certificate was valid for the user will not see any difference in accepting ours since its from the same vendor.

Scenario 3  Iphone exploit When you have a company that uses WPA/WPA2 enterprise chances are there's going to be some iphones around. This presents a great opportunity to infiltrate the network due to a fundamental flaw in the iphones wifi setup. The iphone does not have the options to specify what authentication type to use in regards to enterprise they simply just aren't there. The iphone also doesn't allow for a preconfigured certificates meaning they can't be tied to a legit RADIUS server. This flaw makes them susceptible even in the worst case scenario being certificate validation is enabled tied to a specific radius server. Please keep in mind that some phones do support these options, such as the Motorola droid but Iphones DO NOT.
 Conclusion When performing an audit on a WPA/WPA2 Enterprise network always check for common misconfiguration of their equipment as these may lead to insecurities. ALWAYS make sure your clients have certificate authentication enabled as well as a specific server tied to it. Special Thanks to the guys over at SecureState Well that's the end of this guide...I guess. Let me know what you think =)


Tuesday, 17 June 2014

How To Remain Anonymous Online #Anonymous #Internet #Tor #WebBrowsing



One year after the first revelations of Edward Snowden, cryptography has shifted from an obscure branch of computer science to an almost mainstream notion: It’s possible, user privacy groups and a growing industry of crypto-focused companies tell us, to encrypt everything from emails to IMs to a gif of a motorcycle jumping over a plane.
But it’s also possible to go a step closer toward true privacy online. Mere encryption hides the content of messages, but not who’s communicating. Use cryptographic anonymity tools to hide your identity, on the other hand, and network eavesdroppers may not even know where to find your communications, let alone snoop on them. “Hide in the network,” security guru Bruce Schneier made his first tip for evading the NSA. “The less obvious you are, the safer you are.”
Though it’s hardly the sole means of achieving online anonymity, the software known as Tor has become the most vouchsafed and developer-friendly method for using the Internet incognito. The free and open source program triple-encrypts your traffic and bounces it through computers around the globe, making tracing it vastly more difficult. Most Tor users know the program as a way to anonymously browse the Web. But it’s much more. In fact, Tor’s software runs in the background of your operating system and creates a proxy connection that links with the Tor network. A growing number of apps and even operating systems provide the option to route data over that connection, allowing you to obscure your identity for practically any kind of online service.
Some users, in fact, are experimenting with using Tor in almost all their communications. “It’s like being a vegetarian or a vegan,” says Runa Sandvik, a privacy activist and former developer for Tor. “You don’t eat certain types of food, and for me I choose to use Tor only. I like the idea that when I log onto a website, it doesn’t know where I’m located, and it can’t track me.”
Here’s how you can use the growing array of anonymity tools to protect more of your life online.

Web Browsing

The core application distributed for free by the non-profit Tor Project is the Tor Browser, a hardened, security-focused version of Firefox that pushes all of your Web traffic through Tor’s anonymizing network. Given the three encrypted jumps that traffic takes between computers around the world, it may be the closest thing to true anonymity on the Web. It’s also rather slow. But the Tor browser is getting faster, says Micah Lee, a privacy-focused technologist who has worked with the Electronic Frontier Foundation—one of the organizations that funds the Tor Project—and First Look Media. For the past month or so, he’s tried to use it as his main browser and only switch back to traditional browsers occasionally, mostly for flash sites and others that require plugins.
After about a week, he says, the switch was hardly noticeable. “It may not be entirely necessary, but I haven’t found it that inconvenient either,” Lee says. “And it does have real privacy benefits. Everyone gets tracked everywhere they go on the Web. You can opt of out of that.”

Email

The simplest way to anonymously send email is to use a webmail service in the Tor Browser. Of course, that requires signing up for a new webmail account without revealing any personal information, a difficult task given that Gmail, Outlook, and Yahoo! Mail all require a phone number.
Runa Sandvik suggests Guerrilla Mail, a temporary, disposable email service. Guerrilla Mail lets you set up a new, random email address with only a click. Using it in the Tor Browser ensures that no one, not even Guerrilla Mail, can connect your IP address with that ephemeral email address.
Encrypting messages with webmail can be tough, however. It often requires the user to copy and paste messages into text windows and then use PGP to scramble and unscramble them. To avoid that problem, Lee instead suggests a different email setup, using a privacy-focused email host like Riseup.net, the Mozilla email app Thunderbird, the encryption plugin Enigmail, and another plugin called TorBirdy that routes its messages through Tor.

 

Instant Messaging

Adium and Pidgin, the most popular Mac and Windows instant messaging clients that support the encryption protocol OTR, also support Tor. (See how to enable Tor in Adium here and in Pidgin here.) But the Tor Project  is working to create an IM program specifically designed to be more secure and anonymous. That Tor IM client, based on a program called Instant Bird, was slated for release in March but is behind schedule. Expect an early version in mid-July.

Large File Transfers

Google Drive and Dropbox don’t promise much in the way of privacy. So Lee created Onionshare, open-source software that lets anyone directly send big files via Tor. When you use it to share a file, the program creates what’s known as a Tor Hidden Service—a temporary, anonymous website—hosted on your computer. Give the recipient of the file the .onion address for that site, and they can securely and anonymously download it through their Tor Browser.

Mobile Devices

Anonymity tools for phones and tablets are far behind the desktop but catching up fast. The Guardian Project created an app called Orbot that runs Tor on Android. Web browsing, email and IM on the phone can all be set to use Orbot’s implementation of Tor as a proxy.
Apple users don’t yet have anything that compares. But a 99-cent app called Onion Browser in the iOS app store offers anonymous web access from iPhones and iPads. An audit by Tor developers in April revealed and helped fix some of the program’s vulnerabilities. But Sandvik suggests that prudent users should still wait for more testing. In fact, she argues that the most sensitive users should stick with better-tested desktop Tor implementations. “If I were in a situation where I needed anonymity, mobile is not a platform I’d rely on,” she says.

Everything Else

Even if you run Tor to anonymize every individual Internet application you use, your computer might still be leaking identifying info online. The NSA has even used unencrypted Windows error messages sent to Microsoft to finger users and track their identities. And an attacker can compromise a web page you visit and use it to deliver an exploit that breaks out of your browser and sends an unprotected message revealing your location.
So for the truly paranoid, Lee and Sandvik recommend using entire operating systems designed to send every scrap of information they communicate over Tor. The most popular Tor OS is Tails, or The Amnesiac Incognito Live System. Tails can boot from a USB stick or DVD so no trace of the session remains on the machine, and anonymizes all information. Snowden associates have said the NSA whistleblower is himself a fan of the software.
For the even more paranoid, there is a lesser-known Tor-enabled OS called Whonix. Whonix creates multiple “virtual machines” on the user’s computer—software versions of full computer operating systems that are designed to be indistinguishable from a full computer. Any attacker trying to compromise the user’s computer will be confined to that virtual machine.
That virtualization trick underlines an important point for would-be anonymous Internet users, Lee says: If your computer gets hacked, the game is over. Creating a virtual sandbox around your online communications is one way to keep the rest of your system protected.
“Tor is awesome and can make you anonymous. But if your endpoint gets compromised, your anonymity is compromised too,” he says. “If you really need to be anonymous, you also need to be really secure.”

Adapted from the Wired Website