WhatsApp security still broken…

“WhatsSpy Public” a tool for spying on WhatsApp users bypassing security settings

WhatsAppSpy

Social media is growing at a fast pace nowadays but with growing socialization the safety measures and privacy option should also be developed so that one’s information cannot be leaked at any endpoints. Social apps such as Facebook, WhatsApp, Hike, Instagram etc. are used by several people without knowing that how safe they really are or if their messages or personal information are not leaked.

The smartphone stand alone instant messaging App, WhatsApp is once again in the news due to a certain tool which can break its security features.  WhatsSpy Public tool which was recently released can give you status updates of any WhatsApp user, even if privacy options have been enabled.

WhatsSpy Public uses the web-based utility to trace the moments of a WhatsApp user and shows them in a dashboard with events being displayed in a timeline. The tool can be used to compare activities from one user to those of another for a more comfortable experience.

via WhatsSpy Public : WhatsApp status tool lets stalkers track you bypassing privacy settings.

Dark Clouds above the Netatmo Weather Station After Sending WPA Passphrase in the Clear

I have the bad habit of playing with home automation and various data acquisition tools. I could quit any time if I wanted to, but so far, I decided not to. My latest toy to add to the collection was a “Netatmo” weather station. It fits in nicely with the aluminum design of my MacBook, so who cares if the manufacturer considered security in its design, as long as it looks cool and is easy to set up.

Setting up the device was pretty straight forward, and looked “secure”. It requires connecting to the device via USB, and a custom application is used to configure the device with your username, password and WiFi settings including the WiFi password. After the initial setup, the station needs USB for power only, and communicates via WiFi to the “Cloud”.

InfoSec Handlers Diary Blog - Did You Remove That Debug Code? Netatmo Weather Station Sending WPA Passphrase in the Clear

But after the simple setup, a nice “surprise” waited for me in my snort logs:

[**] [1:1000284:0] WPA PSK Passphrase Leak [**] [Priority: 0] {TCP} a.b.c.d:21908 -> 195.154.176.41:25050

I do have a custom rule in my snort rule set, alerting me of the passphrase being sent in the clear. Lets just say that it happened before. The rule is very simple:

alert ip any any -> any any ( sid: 1000284; msg: “WPA PSK Passphrase Leak”; content: “[Iamnotgoingtotellyou]”; )

So what happened? After looking at the full capture of the data, I found that indeed the weather station sent my password to “the cloud”, along with some other data. The data include the weather stations MAC address, the SSID of the WiFi network, and some hex encoded snippets.

Not only should data like this not be transmitted “in the clear”, but in addition, there is no need for Netatmo to know the WPA password for my network.

I reported the problem to Netatmo, and got the following reply:

Hi,

 

Indeed at first startup we dump weather station memory for debug purposes, we will not dump it anymore.

We will remove this debug memory very soon (coming weeks).

 

So far I haven’t seen any additional transmissions from the weather station containing the password, even after restarting it. I didn’t do a full factory reset yet. But in general, the data appears to be unencrypted. The MAC address of the station and the outdoor sensor are easily found in the payload. So far, I couldn’t find a documentation for the protocol, so it will take a bit more time to reverse it.

According to the weather station map provided by Netatmo, these devices are already quite popuplar. Here a snapshot of the map in my “Neighborhood”:

via InfoSec Handlers Diary Blog – Did You Remove That Debug Code? Netatmo Weather Station Sending WPA Passphrase in the Clear.

Alcatel-Lucent report on malware in 2014 sees rise in device and network attacks that place personal and workplace privacy at risk | Alcatel-Lucent

The Motive Security Labs report – which looked at all popular mobile device platforms – found that such malware infections in mobile devices increased 25% in 2014, compared to a 20% increase in 2013. Android™ devices have now caught up with Windows™ laptops, which had been the primary workhorse of cybercrime, with infection rates between Android and Windows devices split 50/50 in 2014. While less than 1% of infections come from iPhone® and Blackberry® smartphones, new vulnerabilities emerged last year to show they are not immune to malware threats.

Malware growth continues to be aided by the fact that a vast majority of mobile device owners do not take proper device security precautions. A recent Motive Security Labs survey found that 65% of subscribers instead expect their service provider to protect both their mobile and home devices. Motive’s malware report concluded that infection rates in residential networks also rose significantly in 2014, with malware found in 13.6% of residences, an increase of 5% over the previous year.

“With malware attacks on devices steadily rising with consumer ultra-broadband usage, the impact on customer experience becomes a primary concern for service providers,” said Patrick Tan, General Manager of Network Intelligence at Alcatel-Lucent. “As a result, we’re seeing more operators take a proactive approach to this problem by providing services that alert subscribers to malware on their devices along with self-help instructions for removing it.”

Other Motive Security Lab report highlights include:

The mobile infection rate in 2014 is 0.68%. Based on this Alcatel-Lucent estimates that worldwide, about 16 million mobile devices are infected by malware.

Mobile malware is increasing in sophistication with more robust command and control protocols

Mobile spyware, used to spy on a phone’s owner, is also on the increase. It tracks the phone’s location, monitors ingoing and outgoing calls, text messages, e-mail and tracks web browsing.

The overall monthly infection rate in residential fixed broadband networks is just under 14%. This is up substantially from the 9% seen in 2013. This is mostly attributable to an increase in infections by moderate threat level adware.

High-level threats such as ‘bots’, ‘rootkits’, and ‘banking trojans’ remain steady at around 5%.

via Alcatel-Lucent report on malware in 2014 sees rise in device and network attacks that place personal and workplace privacy at risk | Alcatel-Lucent.

Need for Security grows Again after Anthem Breach

Gov-Security

Mobile devices are a potential entry point for hackers and their malware. If you’re considering solutions to plug your mobile security gaps, our cross-platform solution is well-positioned to help deliver those security gains and satisfy the needs of both enterprises and government agencies. BES12 supports iOS, Android and Windows Phone devices and provides the confidentiality, integrity and authenticity to help protect your organization from data loss and theft.

Furthermore, as the leading EMM provider, BlackBerry counts all G7 governments and 16 of the G20 governments among its customers.

For even more proven security, consider devices running the BlackBerry 10 platform, which is the first to obtain a coveted approval from the U.S. Defence Information Systems Agency (DISA) for Full Operational Capability on U.S. Department of Defense networks.

via U.S. Gov Cybersecurity Budget, Anthem Breach, Need for Security | Inside BlackBerry for Business Blog.

ARKICK by REFOCUS TECH updated for Blackberry Passport and Classic

ARKICK by REFOCUSTECH has been updated to support the Blackberry Classic and Passport. Way to Go!

Arkick

ARKick is your personalilzed contextual Augmented Reality Sidekick.’ It is the world’s leading contextual Augmented Reality app which helps you find nearby places in the most innovative way ever! Use ARKick to find places in the camera view based on your context- location, weather, time and also based on trending places near you via our Sidekick Engine.

via ARKICK | REFOCUS TECH.

Remotely install and launch Android apps from the Play Store Vulnerability

Lucky for me… i am using a Blackberry Passport! 

Vulnerability Summary

Android Metasploit

Due to a lack of complete coverage for X-Frame-Options (XFO) support on Google’s Play Store web application domain, a malicious user can leverage either a Cross-Site Scripting (XSS) vulnerability in a particular area of the Google Play Store web application, or a Universal XSS (UXSS) targeting affected browsers, to remotely install and launch the main intent of an arbitrary Play Store provided Android package (APK).

 

Affected Platforms

Many versions of Android 4.3 (Jelly Bean) and earlier ship with browsers with UXSS exposures, as discussed in this Rapid7 blog post. Users of these platforms may also have installed vulnerable aftermarket browsers, as discussed in this TrendLabs blog post. Of the vulnerable population, it is expected that many users are habitually signed into Google services, such as Gmail or YouTube. These mobile platforms are the the ones most at risk. Other browsers may also be affected.

 

Simplified Demonstration of the XFO Gap

The following Javascript is sufficient to elicit a response from the play.google.com domain without an appropriate XFO header:

via Metasploit: R7-2015-02: Google Play Store X-Fra… | SecurityStreet.

Snap v3 Beta ready for download!

Android apps on your Blackberry 10 Device? yes u can with the new and improved SNAP V3. Still in Beta but worth a Try

What has changed prior to V2

Snap V3

Snap v3 Beta 1 (2.9.9.0)

  • Complete rewrite of Snap v2
  • New user interface inspired by the latest version of Google Play Store
  • Browse more app categories and view suggested apps
  • Read app reviews
  • Search Snap via BB10 extended search
  • Pause and resume downloads
  • View screenshots full screen
  • Download of additional files (such as .obb)
  • Remove apps from “My Apps”

Snap v3 Beta – Red Light Of Love, Ltd..

Vivaldi browser, 500,000 downloads in 10 days

The new Vivaldi browser Hits 500.000 downloads in just 10 Days!

As mentioned on Reuters..

Launched on Jan. 27 for desktop computers, Vivaldi targets users who conduct a large number of searches, offering features like speed dials, personalized notes and bookmarks with small screen shots.

Vivaldi browser hits 500,000 downloads in first 10 days | Reuters

“It’s a very high number, especially if you consider that it’s still a technical preview,” founder and Chief Executive Jon von Tetzchner said.

When launching the browser, von Tetzchner, who owns 90 percent of the company, said it only needed “a few million users” to become profitable in a market dominated by household names like Google’s Chrome, Microsoft’s Internet Explorer, Mozilla Corp’s Firefox, Apple’s Safari and Opera Software.

 

So far Vivaldi has been made available for desktop computers on Windows, Mac and Linux, with a mobile and tablet version in the pipeline.

Read more using the link below

Vivaldi browser hits 500,000 downloads in first 10 days | Reuters.

Web Security Analysis of 12 BlackBerry 10 Applications | FileArchiveHaven

There are many things that tie BlackBerry users together, and one of those has always been the importance of security.  Some people forget that being secure means more than just ensuring an application is virus free!  Nefarious (what a great word) applications can access private data, sneak that data out to private websites, and even monitor your device traffic to keep tabs on what your doing all without the user knowing.  Real dangerous applications can go even farther, allowing a developer to remotely execute code on a users device without the users permission!  Imagine, applications that can decide what you can and can’t do, search the internet for things without you knowing or perform actions on your phone without your knowledge.

Web Security BB10 Apps

Not only are these security concerns very real, but they go unnoticed by all major platforms during testing and validation cycles.  No major device manufacturer at this time is monitoring applications submitted to their platforms for what data is being sent and received.  Although, to give them credit, BlackBerry has done a fantastic job of limiting what applications with back-doors can do.

via Web Security Analysis of 12 BlackBerry 10 Applications | FileArchiveHaven.

BlackBerry OS 10.3.1 Arriving February 19th | N4BB

BlackBerry users have been eagerly anticipating the rollout of an official OS 10.3.1 release for their devices. That is, those users who do not have a Passport or Classic.

BlackBerry OS 10.3.1 Arriving February 19th | N4BB

The update is long overdue as we first exclusively revealed BlackBerry had pushed back the update until 2015.

Despite a failed rumor that BlackBerry was going to release the update in January, the company had already let customers know to expect it in February.

When in February? We have exclusively learned the global rollout of OS 10.3.1 to all current in-market BB10 devices will be on February 19th.

Apparently, the rollout was supposed to have happened yesterday. However, BlackBerry had issues with the update accidentally wiping the entire device. Hopefully, BlackBerry has solved the issue and we can expect the update to hit user’s devices by the 19th.

The BlackBerry OS 10.3.1 update will bring new features and an upgraded virtual assistant with Siri-like capabilities.

via BlackBerry OS 10.3.1 Arriving February 19th | N4BB.