
Saturday, July 06, 2013

Spying on your friend on WhatsApp : Cause of concern

1.   In my last post here, I discussed the growing lure of WhatsApp and the basic security concerns that come with it from the point of view of a naive user. Now I will take you one step higher, to the level of a script kiddie....

2.  How does WhatsApp identify you among billions? The answer is the unique MAC address that every digital device on this earth holds. If anyone changes his/her device, the MAC address changes automatically and the user is asked to re-verify the WhatsApp account. This means he/she cannot access the same WhatsApp account from two devices. But does MAC spoofing not exist? If the MAC is spoofed, who stops anyone from seeing your friend's traffic, including his/her chats, downloads etc.? For a naive user this may look rather technical, but for the young generation, which has lots of techno enthusiasts, there should be no stopping... that would include rooting your phone and installing BusyBox. How to get your friend's MAC address? Here it goes:

For Android phone users, simply go to Settings -> About phone -> Status -> Wi-Fi MAC address.

For iPhone users, go to Settings -> General -> About -> Wi-Fi address.

For Windows Phone users, go to Settings -> About -> More info -> MAC address.

For BlackBerry users, go to Options -> Device -> Device and Status info -> WLAN MAC.

3.   And the best part is that your Android can be any version, from 1.6 onwards till date.

Thursday, July 04, 2013

Security Issues : Whats App !!!!

1.   WhatsApp set a new record with 27 billion messages in a day on 13th Jun 2013... now that's a hell of a lot! A huge success by any means in terms of revenue generation and collection of info. I really wonder about all these naive users, most of whom are not actually aware of the kind of critical information they have allowed to be passed on. Such applications are currently enjoying huge success by banking on naive users who don't realize the repercussions of losing this valuable personal info. Just read these few eyebrow-raising conditions before installing this app:

- Prevent phone from sleeping

- Change Wi-Fi state

- Write sync settings

- Modify/delete SD card contents

- Read phone state

- Read contact data

- Write contact data

- Record audio

- Read my location

- Read my other accounts' credentials

2.  From a security point of view, if one looks deeper into all these conditions that the user invariably has to accept to enjoy the application, thinking it is free (when he has given invaluable personal info to a stranger), it starts getting scary! Going through the above terms, it is clear that all your contacts' info is already gone. How much info that is depends on how much you have stored: if you have stored a contact's residential address, his email, his other phone numbers etc., all of that is gone the moment you install! Add to this the location and hardware details. From a hacker's point of view, the attack surface is already prepared in one shot by the installation alone.

3.  If WhatsApp says that they respect user privacy and would not submit all this info to any advertising agency or any third party, then why are they collecting all this? What is their security architecture? How reliable is it? Do they guarantee a NO-HACK situation?

Monday, July 01, 2013

E-Governance and Security Challenges

A copy of the presentation that I gave at the Mini Seminar held under the aegis of IETE at AVCC, NOIDA on the subject: E-Governance and Security Challenges.


Saturday, June 01, 2013

Your passwords can be cracked easily if less than 16 Characters now!!!!

1.    When the IT security big bang of Do's and Don'ts started some years back, it was widely advertised to the cyber masses to keep their passwords longer than 8 characters, with a mix and match of capitals and smalls with special characters. Then this was increased to 10, and last heard it was 15. We were told that a 15-character password which is not dictionary based would take years to crack and is actually uncrackable...

2.  As recently as 4 days back, a team of 3 (you read it right, it's three) hackers was able to crack more than 14,800 supposedly random passwords from a list of 16,449 by simply brute forcing!!!!

Image courtesy : http://www.buzzquake.com/tag/brute-force-attacks/
3.   In December, Jeremi Gosney, the founder and CEO of Stricture Consulting Group, unveiled a 25-computer cluster that can crack passwords by making 350 billion guesses per second. It can try every possible word in less than six hours to get plain text passwords from lists of hashed passwords. The significant point is that you do not need high-end machines and east-west architecture to build this kind of IT infra: it is simply the processing power of a cluster of machines.

4.   General users in cyberspace like you and me have no control over which hashing process websites use, and therefore remain at the mercy of an algorithm we would invariably be clueless about. So if you are concerned about security, and about the email id and password which are the key to so many transactions in your routine life, long passwords are the best defense. And not simply long: a password has to be a mix and match of numerics, capitals, smalls and special characters!!!

5.  All the best to all of us... keep surfing but avoid drowning!!!! :-) Thanks http://thehackernews.com
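As an added illustration (not code from the original post or from the researchers it cites), the following Python sketch puts numbers on points 3 and 4: how long an exhaustive search takes at the quoted 350 billion guesses per second as password length grows, and how much a site's choice of hashing changes the cost of each guess. The 94-symbol alphabet, the list of lengths, the PBKDF2 iteration count and all function names are assumptions made here; the post itself does not state a password length for its six-hour figure.

```python
import hashlib
import string
import time

CLUSTER_RATE = 350e9  # guesses per second quoted in the post for the 25-computer cluster

def charset_size(password):
    """Alphabet an exhaustive search must cover, judged by the character classes used."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(len(c) for c in classes if any(ch in c for ch in password))

def exhaust_seconds(length, alphabet, rate=CLUSTER_RATE):
    """Worst-case seconds to try every password of exactly `length` characters."""
    return alphabet ** length / rate

def fast_hash(guess):
    # One unsalted SHA-256 round: the kind of cheap hash that favours the attacker.
    return hashlib.sha256(guess).digest()

def slow_hash(guess, salt=b"constructed-salt", iterations=100_000):
    # Salted, iterated PBKDF2: every single guess costs `iterations` HMAC rounds.
    return hashlib.pbkdf2_hmac("sha256", guess, salt, iterations)

def seconds_per_guess(hash_fn, rounds):
    """Average wall-clock cost of one hash computation on this machine."""
    start = time.perf_counter()
    for i in range(rounds):
        hash_fn(b"guess-%d" % i)
    return (time.perf_counter() - start) / rounds

def slowdown():
    """How many times more expensive one PBKDF2 guess is than one plain SHA-256 guess."""
    return seconds_per_guess(slow_hash, 5) / seconds_per_guess(fast_hash, 5000)

if __name__ == "__main__":
    alphabet = charset_size("Aa1!")          # all four classes: 94 symbols
    factor = slowdown()
    print(f"alphabet={alphabet}, PBKDF2 is ~{factor:,.0f}x slower per guess")
    for length in (8, 10, 12, 15, 16):
        fast = exhaust_seconds(length, alphabet)
        # Rough estimate: assume the cluster slows down by the locally measured factor.
        slow = exhaust_seconds(length, alphabet, CLUSTER_RATE / factor)
        print(f"{length:2d} chars: fast hash {fast / 3600:.3g} h, "
              f"slow hash {slow / 3600:.3g} h")
```

The figures cover exhaustive search only; a dictionary-based password falls far sooner regardless of its length.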

Friday, May 31, 2013

GeoIntelligence 2013 : 13-14 June 2013,Taj Palace,New Delhi

Geo Intelligence 2013

1.   GeoIntelligence is a premier India based annual conference and exhibition dedicated to the highest level of information exchange and networking within the Defense and Security sector. The conference will be hosting its seventh edition this year with its primary focus on the perspectives and requirements of the key decision makers who directly influence national security policies and procedures. The conference aims to tap the most influential speakers and delegates not only from India, but also from various international defense and security establishments, as well as key international players from the industry. With the presence of such key players in the conference, the forum is uniquely positioned to offer adequate opportunities for knowledge sharing related to defense and security personnel, as well as, for business development and networking.

Theme

Geospatial – Force Multiplier for Modern Warfare

2.   With nations today faced with a multitude of challenges for national Defence and Security, both from state and non-state actors, the need for higher content and cohesive geospatial intelligence data is more critical. In parallel with the rapid development of geospatial intelligence technology, the role played in modern warfare by operational geospatial information changes as well. With rapid advancement in LiDAR, multispectral and radar imagery technologies as well as surface and airborne sensor platforms, geospatial technology is developing dynamically and will have wider applications in combat operations, crime mitigation, internal security, border control, arms treaty monitoring, etc. With the theme “Geospatial – Force Multiplier for Modern Warfare”, the speakers will deliberate on the modern outlook for the development of military geo-informatics and for modern warfare.

3.  More special for me since I am there as one of the speakers. I will be speaking on security challenges in Big Spatial Data.

4.  For more details please visit : http://geointelligenceindia.org/

How to be Anonymous on Internet ?

1.   Every one of us who is aware and conscious of the repercussions of cookies, trackers, malware, adware, browser extensions and privacy issues on the internet would dream of being anonymous whilst surfing. In a few past posts here, here and here, I have discussed a few ways and tools that could make you anonymous on the web. In recent times, after having surfed for a while, I have compiled a list of LIVE DVDs and a few OSes that can help you maintain anonymity. These are listed below with their names and websites:

Mandragora Linux: Gnome desktop built on Ubuntu, to be used for digital forensics during incident response and vulnerability assessments. It comes with hacking tools like nmap (port scanner), Wireshark (packet sniffer), Kismet (Wi-Fi monitoring) and privacy-enhancing tools like the Tor proxy, TorChat and I2P. Website at : 

Jondo Live-CD / DVD: Jondo Live-CD/DVD offers a secure, pre-configured environment for anonymous surfing and more. It is based on Debian GNU/Linux. The live system contains proxy clients for JonDonym, Tor Onion Router, I2P and Mixmaster remailer. JonDoBrowser is pre-configured for anonymous web surfing, Thunderbird for e-mails, Pidgin for anonymous instant messaging and chats; Parole media player, MAT for cleaning documents and more applications are part of the live CD. Website at : https://anonymous-proxy-servers.net/en/jondo-live-cd.html

Privatix Live System: This is a live distro based on Debian. It is an easy to operate, safe and portable system that can be booted from a CD-ROM, a USB flash drive or an external hard drive and ensures your privacy and confidentiality while using the internet and communicating, or editing and encrypting sensitive data. Private data and settings, documents, e-mails, or PGP keys are not saved on the computer that you use but instead are saved on the encrypted USB flash drive or on the encrypted external hard drive. In case of loss or theft of the data medium your personal data is going to stay protected by a password. Privatix Live System allows for anonymous web surfing using Tor, Firefox and Torbutton. Website at : http://www.mandalka.name/privatix/index.html.en

The Amnesic Incognito Live System (TAILS): Based on Debian, this is a live distro aimed at preserving your privacy and anonymity. All outgoing connections are forced through the Tor network. Also, no trace is left on local storage devices. TAILS comes bundled with software like OpenOffice, Claws Mail with OpenPGP and Pidgin. Website at : https://tails.boum.org/

Polippix: Polippix is based on Kubuntu and was made by the IT-Political Association of Denmark as a protest against the anti-terror laws being passed in Denmark. It uses Tor for anonymous Internet surfing, a MAC address changer, GnuPG for encryption and driftnet for traffic sniffing. Website at : http://www.polippix.org/

Ubuntu Privacy Remix (UPR): Ubuntu Privacy Remix runs from a modified Live-CD based on Ubuntu. The goal of Ubuntu Privacy Remix is to provide an isolated working environment where sensitive data can be dealt with safely. This is achieved by storing all user data in encrypted form on removable storage media. Warning: UPR is to be used for encrypting sensitive data and not for anonymous web surfing. It doesn’t allow network connections. Website at : https://www.privacy-cd.org/

Liberte Linux: This is a live Linux distribution based on Gentoo that is secure, lightweight and easy to use. It uses Tor for anonymous network communication and has features such as persistent storage on a virtual partition, Netfilter IP firewall and more. Website at : http://dee.su/liberte

Whonix: Whonix is an anonymous general purpose operating system based on Virtual Box, Debian GNU/Linux and Tor. By Whonix design, IP and DNS leaks are impossible. Website at : http://sourceforge.net/p/whonix/wiki/Home/

Ipredia: IprediaOS is a fast, powerful and stable operating system based on Linux that provides an anonymous environment. All network traffic is automatically and transparently encrypted and anonymized. Many applications are available in IprediaOS, including mail, peer-to-peer, BitTorrent, IRC chat and others. Contrary to other anonymity-enhancing Linux distributions, Ipredia does not use Tor but prefers the I2P anonymizing network. Website at : http://www.ipredia.org/

Qubes OS: Qubes is an open source operating system designed to provide strong security for desktop computing. Qubes is based on Xen, X Window System, and Linux, and can run most Linux applications and utilize most of the Linux drivers. Qubes implements a Security by Isolation approach by providing the user with the ability to easily create many security domains. Website at : http://qubes-os.org/trac

2.    Thanks : http://www.kimpl.com




Sunday, May 12, 2013

What's BUILD-ESSENTIAL equivalent in FEDORA ?

1.    The Fedora equivalent of the build-essential package we use in Ubuntu is installed with this command line, run in root mode:

yum groupinstall "Development Tools" "Development Libraries"

Difference between Open Source & Free Software ?

1.   More often than not, I find most of us swapping these words in general usage. Open source and free software are considered to be one and the same, but there is a distinct difference between the two. Software available free of charge is not necessarily free from restriction. In the open source community, "free software" generally means software considered "open source" and without restrictions, in addition to usually being available at no cost. This is in contrast to the various "freeware" applications generally found on Windows systems, which are available solely in a binary executable format, mostly .exe, but at no cost.

2.  Apart from this, another term in this lingo is FOSS. FOSS is an inclusive term that covers both free software and open source software, which, despite describing similar development models, have differing cultures and philosophies. Free software focuses on the fundamental freedoms it gives to users, whereas open source software focuses on the perceived strengths of its peer-to-peer development model.

Source : Digital Forensics with Open Source Tools by Cory Altheide and Harlan Carvey. Image Source : http://fullmetallinux.wordpress.com