Archive for July 31, 2016

WhatsApp Chats Never Really Get Deleted, Says Security Researcher

Popular messaging app ‘WhatsApp’ doesn’t really delete your chats, says researcher Jonathan Zdziarski. Zdziarski claims that the chats on WhatsApp are never removed, even after users have hit the delete button.

Zdziarski found that a deleted message leaves a forensic trace in the logs that could be used to recover it in its original form. "The latest version of the app tested leaves forensic trace of all of your chats, even after you've deleted, cleared, or archived them... even if you 'Clear All Chats'," he said in a post.

Zdziarski said, "To test, I installed the app and started a few different threads. I then archived some, cleared some, and deleted some threads. I made a second backup after running the 'Clear All Chats' function in WhatsApp. None of these deletions or archival options made any difference in how deleted records were preserved. In all cases, the deleted SQLite records remained intact in the database."

The issue of data privacy is even more prominent for iPhone users. Zdziarski said that during a backup, WhatsApp's chat database is copied from the iPhone to the user's iCloud backup (and to desktop backups as well). This leaves a user's WhatsApp data open to law enforcement warrants.

Zdziarski suggests that the only way to completely remove all traces of chats is to remove the app entirely from the phone.
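
The behaviour behind this finding is a general property of SQLite: a deleted row is only marked as free space inside the file. The following is an added example, not code from WhatsApp or from Zdziarski's post; the `messages` table, file name and marker text are constructed. It also goes beyond the article by showing two standard SQLite features, `PRAGMA secure_delete` and `VACUUM`, that remove the residue.

```python
import os
import sqlite3
import tempfile

# Constructed sample message; not taken from any real chat database.
MARKER = "constructed-private-message-7731"


def residue_after_delete(secure_delete: bool, vacuum: bool = False) -> bool:
    """Delete one row, then report whether its text is still in the raw file."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "chat.sqlite")  # hypothetical file name
        conn = sqlite3.connect(path)
        # Set explicitly: some SQLite builds default secure_delete to ON.
        conn.execute(f"PRAGMA secure_delete = {'ON' if secure_delete else 'OFF'}")
        conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
        conn.executemany(
            "INSERT INTO messages (body) VALUES (?)",
            [("hello",), (MARKER,), ("bye",)],
        )
        conn.commit()

        conn.execute("DELETE FROM messages WHERE body = ?", (MARKER,))
        conn.commit()
        if vacuum:
            conn.execute("VACUUM")  # rebuilds the file without freed space

        # The row is gone as far as SQL is concerned in every case.
        visible = conn.execute("SELECT COUNT(*) FROM messages").fetchone()[0]
        conn.close()
        if visible != 2:
            raise RuntimeError("unexpected row count")

        # Forensic view: search the raw bytes on disk.
        with open(path, "rb") as fh:
            return MARKER.encode() in fh.read()


if __name__ == "__main__":
    print("default delete      :", residue_after_delete(secure_delete=False))
    print("secure_delete = ON  :", residue_after_delete(secure_delete=True))
    print("delete, then VACUUM :", residue_after_delete(False, vacuum=True))
```

In all three runs the SQL query no longer returns the message; only the raw-file search distinguishes them.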

Osram’s ‘Smart’ Lightify Bulbs Susceptible To Hacking

If you think those smart light bulbs installed in your home are just carrying out the task of lighting, then you might not be entirely correct. Those bulbs may be weakening your home network’s security, creating cracks that hackers can slip through to press attacks.

Security researchers at Rapid7 have found flaws in Osram’s Lightify light bulbs that could give attackers access to a home Wi-Fi network, and potentially let them operate the lights without permission. Rapid7 has discovered nine vulnerabilities in the Home and Pro range and reported them to the manufacturer.

“Nine issues affecting the Home or Pro versions of Osram Lightify were discovered, with the practical exploitation effects ranging from the accidental disclosure of sensitive network configuration information, to persistent cross-site scripting (XSS) on the web management console, to operational command execution on the devices themselves without authentication,” security firm Rapid7 said in a vulnerability report posted earlier this month.

Osram's Lightify range features internet-connected light bulbs that can be controlled using a smartphone app. In the vulnerabilities found, hackers could exploit the flaws to identify your network’s password, steal or change your PC’s data, launch browser-based attacks against you, or even seize control of your lights. In addition, the smart bulbs' relatively short eight-character passwords could also be cracked quite easily, giving another possibility for hackers to explore.

On the brighter side, Osram plans to patch the majority of the flaws in an August update. In a statement, Osram said: "Since being notified about the vulnerabilities identified by Rapid7, Osram has taken actions to analyse, validate and implement a risk-based remediation strategy."

Osram said that it is in ongoing coordination with the ZigBee Alliance in relation to known and newly discovered vulnerabilities.

Yahoo Saves A Copy Of Your Deleted Emails!

If you think your emails are taken out of your account permanently after being deleted, then you are not entirely correct. Yahoo's 'auto-save' feature saves a copy of emails even after they have been deleted from Trash and Draft.

A US judge has granted a motion forcing Yahoo to explain how exactly it is able to recover emails that have been deleted from a user's inbox. The motion was granted as part of convicted UK drug trafficker Russell Knaggs’ appeal, in which he is trying to get evidence against him thrown out of court by arguing that the information was illegally obtained by Yahoo.

Knaggs, convicted in 2012 and jailed for 20 years, is now trying to get his conviction overturned by taking Yahoo to court in the US, claiming that the email provider was using an NSA-style real-time interception technology to bulk collect data, which contravenes privacy laws in the UK.

Yahoo is ordered to present a witness and provide documents on how the email retention system works, as well as a copy of the software's source code and the instruction manuals used by the email provider’s staff on how to retrieve the emails.

Yahoo said that it is able to recover the emails via its "auto-save" feature, which creates snapshots of an email account preserving its contents at a certain date, and that it provided law enforcement with emails from the Yahoo account used by Knaggs and his accomplice.

Yahoo's Compliance Guide For Law Enforcement states:
Yahoo! retains a user's incoming mail as long as the user chooses to store such messages in their mail folders and the user's email account remains active. Yahoo! retains a user's sent mail only if the user sets their email account options to save sent mail and has not subsequently deleted specific messages. Once the trash folder has been emptied, which usually occurs automatically within 24 hours of when the user has placed messages in the trash folder, Yahoo! will be unable to search for and produce deleted emails. Yahoo! may set an email account to inactive status and delete all account contents after at least four (4) months of inactivity.

Whatever the issue turns out to be, if the emails are retrieved by Yahoo, then there is simply no guarantee of online service from the service. Yahoo has until the end of August to respond.

After ‘Erdogan Emails’, WikiLeaks Reveals Info Of Turkish Women

After publishing the ‘Erdogan Emails’ amidst the failed military coup in Turkey, whistleblowing platform WikiLeaks has now revealed the personal details of every woman in the country. WikiLeaks has been criticised for tweeting a link to archives holding personal and sensitive data of 'every female voter in 79 out of 81 provinces in Turkey'.

According to Turkish academic and reporter Zeynep Tufekci, the site also linked to the personal details of hundreds of thousands of women on the electoral register via their social media accounts.

In an article in the Huffington Post, Tufekci asserted: "[WikiLeaks] posted links on social media to its millions of followers via multiple channels to a set of leaked massive databases containing sensitive and private information of millions of ordinary people, including a special database of almost all adult women in Turkey."

"If these women are members of Erdogan's ruling Justice and Development Party (known as the AKP), the dumped files also contain their Turkish citizenship ID, which increases the risk to them as the ID is used in practising a range of basic rights and accessing services. The Istanbul file alone contains more than a million women's private information, and there are 79 files, with most including information of many hundreds of thousands of women."

Tufekci claims she confirmed the legitimacy of these files by asking "dozens of friends and family members" about the accuracy of the leaked data. Many, she said, reported that it contained "correct private information."

Giving a warning to WikiLeaks supporters, Tufekci concluded: ‘I hope that people remember this story when they report about a country without checking with anyone who speaks the language; when they support unaccountable, massive, unfiltered leaks without teaming up with responsible parties like journalists and ethical activists; and when they wonder why so many people around the world are wary of “internet freedom” when it can mean indiscriminate victimisation and senseless violations of privacy.’

After publishing the article – which has been widely shared on social media – Tufekci was blocked by the WikiLeaks Twitter account.

TechCrunch hacked for security check

Famous tech site TechCrunch became the latest victim of hacker group OurMine.

The group describes itself as ‘an elite hacker group known for many hacks showing vulnerabilities in major systems’. For quite some time they’ve been famous for compromising high-profile celebrity Twitter accounts and the DDoS-ing of hot properties like Pokemon Go.

OurMine Security gained publishing access to the Verizon-owned site, which uses the popular content management system WordPress, and posted its now infamous message. Rather than completely defacing the site, OurMine chose instead to simply post a news story to indicate that the CMS had been breached.

The group said that it hacked the site to check its security. A post on the site under the byline of Seattle-based writer Devin Coldewey said: “Hello Guys, don’t worry we are just testing techcrunch security, we didn’t change any passwords, please contact us.” The story appeared at the top of TechCrunch with a big, highly-noticeable red banner.

The OurMine posting appeared at around 5:10 pm but was removed within two hours. It was still showing in Google’s index and cache at the time of writing. It did not take TechCrunch long to notice and remove the story.

Multi-factor authentication is ground-level security for any news organization. TechCrunch admits that re-used passwords must have been instrumental to this hack. Sharing passwords between sites and services is the worst.