The document discusses security flaws in WhatsApp related to a lack of encryption of communications, metadata exposure, and discusses ways to add a new layer of security and privacy to WhatsApp messages by routing traffic through a custom server using encryption to protect the integrity and confidentiality of messages. It provides information on how WhatsApp's customized XMPP protocol works and how authentication is handled.
This is how whatsapp scaled to handle a huge amount of concurrent traffic with erlang. This is extracted from - file:///home/udayakiran/Downloads/efsf2012-whatsapp-scaling.pdf
Whatsapp uses ejabberd and customized it to scale more.
Internet Trainng Centre in Ambala! BATRA COMPUTER CENTREjatin batra
Are you in search Basic computer Training in Ambala? Now your search is end here... BATRA COMPUTER CENTRE provides best training in:
Basics of Computer
C
C++
HTML
PHP
Web Designing
Web Development
SEO
SMO and So many other courses are available here.
This is how whatsapp scaled to handle a huge amount of concurrent traffic with erlang. This is extracted from - file:///home/udayakiran/Downloads/efsf2012-whatsapp-scaling.pdf
Whatsapp uses ejabberd and customized it to scale more.
Internet Trainng Centre in Ambala! BATRA COMPUTER CENTREjatin batra
Are you in search Basic computer Training in Ambala? Now your search is end here... BATRA COMPUTER CENTRE provides best training in:
Basics of Computer
C
C++
HTML
PHP
Web Designing
Web Development
SEO
SMO and So many other courses are available here.
Malicious Threats, Vulnerabilities and Defenses in WhatsApp and Mobile Instan...Jaime Sánchez
Global surveillance emerged as a phenomenon since the late 1940s and Internet and mobile technology are being developed with such pace that it is impossible to guarantee electronic privacy and nobody should expect it. How strong are the actual Instant Messaging Platforms? Do they take care of our security and privacy? We'll look inside the security of several clients (like BBM, Snapchat, and Line) and will put our focus on WhatsApp.
WhatsApp might not be as widely known as Twitter, but the company announced that it has passed 350 million active monthly users. WhatsApp has been plagued by several security issues in the past, so we decided to start the research. We've discovered several vulnerabilities more that we'll disclosure (with proof of concept code), including encryption flaws, remote DOS (making the client crash by sending a custom message), or how to spoof messages manipulating sender address information.
We'll also release a new version of our tool with different protection layers: encryption, anonymity, and using a custom XMPP server. It's necessary to implement additional measures until WhatsApp decides to take security seriously.
If last year’s presentation on the SANS 20 felt like more of a rant than a practical application of elite IT knowledge, Ian Trump’s technical track presentation is going to unleash GFI MAX as a security dashboard like nothing you have seen.
The Octopi team has leveraged network scanning and event log checks, and Ian takes the GFI MAX dashboard to a whole new level. MSP’s can take his code and research and immediately apply it to their practices to secure their customers from cyber threats. Dehydrated from the summer information security conferences, Ian will give you the threat intel you need to be on the lookout for in the months ahead.
Besides all the GFI MAX goodness, being part of a live demo to find APT, and seeing Ian link Human Rights, Market Research, Ice, Law, Iggy Azalea, War Ferrets, Christian Studies, Event Auditing, Security Tools, Taylor Swift and How we can all fix the cyber problem into one epic presentation – well, you don’t want to miss this.
Is the WhatsApp safe? Is it safe to send photos on WhatsApp? How safe is WhatsApp video call…Are you curious about those questions? Come and find Answers!
Review on Whatsapp's End to End encryption and Facebook integrationGovindarrajan NV
The presentation deals with the latest updates of whatsapp with the end to end encryption and Facebook integration explained in a very detailed manner from the basics with advantages and disadvantages.
IoT Deep Dive - Be an IoT Developer for an HourTaisuke Yamada
My presentation on IoT development at "Akamai Tech Summit 2016" in Boston, USA.
The goal of the session was to provide attendees an idea on difficulties IoT developers would face, especially on reliable OTA (over-the-air) upgrade. It included hands-on lab based on micropython/ESP8266 as a quick tour on IoT development.
A Webinar on cyber Security Awareness and Digital Safety is hosted on the 7th of June, 2020. Sthir Yuwa in association with Information Security Response Team Nepal and Center For Cyber Security Research and Innovation conducted successfully. There were almost 70 participants on this webinar.
Learn about the OWASP Top 10 Mobile Risks and best practices to avoid mobile application security pitfalls such as insecure data storage, insecure communication, reverse engineering, and more.
These slides were originally presented on a webinar November 2016. Watch the presentation here: https://youtu.be/LuDe3u0cSVs
La problemática de la identificación de los participantes en las plataformas ...Jaime Sánchez
Charla de la primera edición del "RegTech egambling international workshop", organizado por la Dirección General de Ordenación del Juego en el Auditorio CaixaForum de Madrid.
Derevolutionizing OS Fingerprinting: The cat and mouse gameJaime Sánchez
With the explosive growth and distributed nature of computer networks, it has become progressively more difficult to manage, secure, and identify Internet devices. An outsider has the capability to discover general information, such as which operating system a host is running, by searching for default stack parameters, ambiguities in IETF RFCs or non-compliant TCP/IP implementations in responses to malformed requests. By pinpointing the exact OS of a host, an attacker can launch an educated and precise attack against a target machine.
There are lot of reasons to hide your OS to the entire world:
Revealing your OS makes things easier to find and successfully run an exploit against any of your devices.
Having and unpatched or antique OS version is not very convenient for your company prestige. Imagine that your company is a bank and some users notice that you are running an unpatched box. They won't trust you any longer! In addition, these kind of 'bad' news are always sent to the public opinion.
Knowing your OS can also become more dangerous, because people can guess which applications are you running in that OS (data inference). For example if your system is a MS Windows, and you are running a database, it's highly likely that you are running MS-SQL.
It could be convenient for other software companies, to offer you a new OS environment (because they know which you are running).
And finally, privacy; nobody needs to know the systems you've got running.
This talk aims to present well-known methods that perform classification using application-layer traffic (TCP/IP/UDP headers, ICMP packets, or some combination thereof), old style approaches to defeat remote OS fingerprinting (like tweaking Windows registry or implement patches to the Linux kernel) and why this doesn't work with nowadays and could affect TCP/IP stack performance. We'll also present a new approach to detect and defeat both active/passive OS fingerprint with OSfooler-NG, a completely rewritten tool, highly portable, completely undetectable for the attackers and capable of detecting and defeating famous tools like nmap, p0f, Xprobe, pfsense and many commercial engines.
Sorry guys, OS fingerprinting is over...
More Related Content
Similar to Defeating WhatsApp’s Lack of Encryption - BH Sao Paulo 2013
Malicious Threats, Vulnerabilities and Defenses in WhatsApp and Mobile Instan...Jaime Sánchez
Global surveillance emerged as a phenomenon since the late 1940s and Internet and mobile technology are being developed with such pace that it is impossible to guarantee electronic privacy and nobody should expect it. How strong are the actual Instant Messaging Platforms? Do they take care of our security and privacy? We'll look inside the security of several clients (like BBM, Snapchat, and Line) and will put our focus on WhatsApp.
WhatsApp might not be as widely known as Twitter, but the company announced that it has passed 350 million active monthly users. WhatsApp has been plagued by several security issues in the past, so we decided to start the research. We've discovered several vulnerabilities more that we'll disclosure (with proof of concept code), including encryption flaws, remote DOS (making the client crash by sending a custom message), or how to spoof messages manipulating sender address information.
We'll also release a new version of our tool with different protection layers: encryption, anonymity, and using a custom XMPP server. It's necessary to implement additional measures until WhatsApp decides to take security seriously.
If last year’s presentation on the SANS 20 felt like more of a rant than a practical application of elite IT knowledge, Ian Trump’s technical track presentation is going to unleash GFI MAX as a security dashboard like nothing you have seen.
The Octopi team has leveraged network scanning and event log checks, and Ian takes the GFI MAX dashboard to a whole new level. MSP’s can take his code and research and immediately apply it to their practices to secure their customers from cyber threats. Dehydrated from the summer information security conferences, Ian will give you the threat intel you need to be on the lookout for in the months ahead.
Besides all the GFI MAX goodness, being part of a live demo to find APT, and seeing Ian link Human Rights, Market Research, Ice, Law, Iggy Azalea, War Ferrets, Christian Studies, Event Auditing, Security Tools, Taylor Swift and How we can all fix the cyber problem into one epic presentation – well, you don’t want to miss this.
Is the WhatsApp safe? Is it safe to send photos on WhatsApp? How safe is WhatsApp video call…Are you curious about those questions? Come and find Answers!
Review on Whatsapp's End to End encryption and Facebook integrationGovindarrajan NV
The presentation deals with the latest updates of whatsapp with the end to end encryption and Facebook integration explained in a very detailed manner from the basics with advantages and disadvantages.
IoT Deep Dive - Be an IoT Developer for an HourTaisuke Yamada
My presentation on IoT development at "Akamai Tech Summit 2016" in Boston, USA.
The goal of the session was to provide attendees an idea on difficulties IoT developers would face, especially on reliable OTA (over-the-air) upgrade. It included hands-on lab based on micropython/ESP8266 as a quick tour on IoT development.
A Webinar on cyber Security Awareness and Digital Safety is hosted on the 7th of June, 2020. Sthir Yuwa in association with Information Security Response Team Nepal and Center For Cyber Security Research and Innovation conducted successfully. There were almost 70 participants on this webinar.
Learn about the OWASP Top 10 Mobile Risks and best practices to avoid mobile application security pitfalls such as insecure data storage, insecure communication, reverse engineering, and more.
These slides were originally presented on a webinar November 2016. Watch the presentation here: https://youtu.be/LuDe3u0cSVs
La problemática de la identificación de los participantes en las plataformas ...Jaime Sánchez
Charla de la primera edición del "RegTech egambling international workshop", organizado por la Dirección General de Ordenación del Juego en el Auditorio CaixaForum de Madrid.
Derevolutionizing OS Fingerprinting: The cat and mouse gameJaime Sánchez
With the explosive growth and distributed nature of computer networks, it has become progressively more difficult to manage, secure, and identify Internet devices. An outsider has the capability to discover general information, such as which operating system a host is running, by searching for default stack parameters, ambiguities in IETF RFCs or non-compliant TCP/IP implementations in responses to malformed requests. By pinpointing the exact OS of a host, an attacker can launch an educated and precise attack against a target machine.
There are lot of reasons to hide your OS to the entire world:
Revealing your OS makes things easier to find and successfully run an exploit against any of your devices.
Having and unpatched or antique OS version is not very convenient for your company prestige. Imagine that your company is a bank and some users notice that you are running an unpatched box. They won't trust you any longer! In addition, these kind of 'bad' news are always sent to the public opinion.
Knowing your OS can also become more dangerous, because people can guess which applications are you running in that OS (data inference). For example if your system is a MS Windows, and you are running a database, it's highly likely that you are running MS-SQL.
It could be convenient for other software companies, to offer you a new OS environment (because they know which you are running).
And finally, privacy; nobody needs to know the systems you've got running.
This talk aims to present well-known methods that perform classification using application-layer traffic (TCP/IP/UDP headers, ICMP packets, or some combination thereof), old style approaches to defeat remote OS fingerprinting (like tweaking Windows registry or implement patches to the Linux kernel) and why this doesn't work with nowadays and could affect TCP/IP stack performance. We'll also present a new approach to detect and defeat both active/passive OS fingerprint with OSfooler-NG, a completely rewritten tool, highly portable, completely undetectable for the attackers and capable of detecting and defeating famous tools like nmap, p0f, Xprobe, pfsense and many commercial engines.
Sorry guys, OS fingerprinting is over...
I Know Your P4$$w0rd (And If I Don't, I Will Guess It...)Jaime Sánchez
Cuando un usuario tiene que elegir una contraseña, tiende a construirla de la misma forma, con la misma información personal como base, y usando las mismas ideas para añadir complejidad a la misma. En este estudio que os mostraremos , nos hicimos con varios miles de millones de contraseñas reales, con el fin de hacer un análisis a gran escala de esos comportamientos comunes, extrayendo conclusiones que nos permitan crear procedimientos y herramientas específicas para mejorar las técnicas actuales de Password Cracking.
Finalmente, usaremos este conocimiento obtenido a través de distintos análisis conductuales y estadísticos para, utilizando redes neuronales y otras técnicas avanzadas, obtener patrones que nos permitan crackear hashes cuya resistencia suele ser bastante alta utilizando otras técnicas.
(In)Seguridad y Ataques de Mensajería Instantánea en Entornos Corporativos - ...Jaime Sánchez
La finalidad de esta presentación es mostrar al público como se puede utilizar los distintos protocolos y aplicaciones de mensajería instantánea para crear canales encubiertos que permitan a un atacante extraer información de una empresa, utilizarlos como mecanismo de comunicación de un C&C, como forma de distribuir malware o ataques de phishing
Whatsapp: mentiras y cintas de video RootedCON 2014Jaime Sánchez
La vigilancia ha emergido como un fenómeno global desde finales de 1940, Internet y la tecnología móvil han sido desarrolladas en un clima de paz que hace imposible garantizar la privacidad y nadie debe esperarla, aunque los usuarios suelen pensar que existe por defecto. Esto nos hace preguntarnos, ¿Cuan fuerte es la seguridad de las actuales plataformas de mensajería instantánea? ¿Se preocupan de nuestra privacidad y seguridad? Hablaremos de la seguridad en plataformas de mensajería móvil y nos centraremos en WhatsApp.
WhatsApp no es tan conocido como Facebook o Twitter, pero recientemente ha anunciado que ha sobrepasado los 350 millones de usuarios activos al mes. La historia de WhatsApp esta llena de errores de seguridad, desde mandar los mensajes en claro, pasando por utilizar usuarios y passwords fácilmente adivinables e imposibles de modificar, hasta permitir el almacenamiento de todo tipo de ficheros de manera anónima en sus servidores, entre otras muchas.
Esto nos ha llevado a profundizar en la investigación de WhatsApp, descubriendo nuevas vulnerabilidades (que afectan tanto al cliente como al protocolo de mensajería) y creando un sistema que securice las conversaciones mediante varias capas de seguridad.
Además, dado que las manifestaciones realizadas por correo electrónico, WhatsApp y demás, son medios de reproducción de la palabra, la imagen y el sonido, éstos podrían ser medios de prueba válidos en derecho y, por tanto, con eficacia probatoria para sustentar o no una demanda judicial. Estos medios de prueba han sido claves en procesos judiciales, tanto en territorio nacional como internacional, y demostraremos que, ya que WhatsApp no almacena las conversaciones en sus servidores, es posible su alteración a voluntad del atacante, de forma indetectable para las actuales técnicas de análisis forense.
Being popular is not always a good thing and here’s why: As mobile devices grow in popularity, so do the incentives for attackers. Mobile malware and threats are clearly on the rise, as attackers experiment with new business models by targeting mobile phones. The threat to mobile devices, however, is not limited to rogue versions of popular apps and adware. Threat actors are also pouncing on mobile users’ banking transactions. Android continues to be a primary target for malware attacks due to its market share and open source architecture.
Nowadays, several behaviour-based malware analysis and detection techniques for mobile threats have been proposed for mobile devices but only about 30 percent of all Android smart phones and tablets have security apps installed.
At DeepSec 2013 Jaime Sanchez (@segofensiva) will present AndroIDS, a signature-based intrusion detection system (IDS) and intrusion prevention system (IPS) that protects your mobile phone by examining headers and contents of all packets entering or leaving it. It will raise alerts or will drop packets when it sees suspicious headers or payloads.
This open source network-based intrusion detection/protection system is being presented as a solution that will provide a high return on investment based on visibility, control, and uptime.
It has the ability to perform real-time traffic analysis and packet logging on networks, featuring:
Protocol analysis, focusing on the examination of values within IP, TCP, UDP and ICMP headers
Content searching & matching, by analyzing every incoming packet against a database of rules; each rule represents the signature of a security exploit.
The framework architecture consists of:
Sensor: runs continuously without human supervision and is capable of analyzing traffic in real time (imposing minimal overhead), sending push alerts to the Android device in order to warn the user about the threat and reports to the Logging Server.
Server: runs inside a Linux Box, and receives all the messages the sensor is sending. It’s also responsible for sending updated signatures to remote devices, storing events in the database, detecting statistical anomalies and for real-time analysis.
The IDS rule language is powerful enough to represent current and future security exploits accurately and very precisely. With the help of custom build signatures, the framework can also be used to detect all kind of attacks designed for mobile devices like the USSD exploit, Webkit remote code execution exploits, DoS attacks or the meterpreter module for Android. IDS rule language converts Snort-like rules to an AndroIDS friendly format. It has also some interesting modules that let users cheat the operating system fingerprinting attempts by sending up to 16 TCP, UDP, and ICMP responses to nmap’s probes or changing the TCP header fields to avoid pof’s detection engine.
Android mobile users should start taking security seriously…
WhatsApp ha superado los 250 millones de usuarios activos mensualmente de su aplicación de mensajería instantánea. Con el escándalo de PRISM empezamos a plantearnos si no son sólo Microsoft, Google, Apple o Facebook quienes están colaborando con gobiernos para espiar los comportamientos de sus ciudadanos.
¿Será WhatsApp una de estas empresas? ¿Almacenará o interceptará las conversaciones de sus usuarios? Noticias como la amenaza por parte de Arabia Saudí de declararla ilegal si no se establecía un servidor en ese país, no nos tranquilizan y nos hacen pensar que los usuarios se encuentran indefensos y no existen medidas actuales que garanticen la privacidad de los contenidos compartidos sobre estas plataformas.
El principal objetivo de esta investigación es añadir una nueva capa de seguridad y privacidad que garantice que en el intercambio de información entre los integrantes de una conversación tanto la integridad como la confidencialidad no puedan verse afectados por un atacante externo.
Hemos definido una serie de pruebas de concepto sobre una jerarquía de niveles de seguridad:
• El primer nivel de seguridad implica el cifrado, mediante clave privada, de los mensajes y los datos intercambiados entre dos usuarios.
• En un segundo nivel, se dota de cierto nivel de anonimato a la conversación, mediante la utilización de otras cuentas (otros números de teléfono falsos en la medida de lo posible pertenecientes a otros países) y proxys / nodos intermedios de forma que las comunicaciones no se envíen de forma directa entre emisor y receptor.
• Por último, se establece un tercer nivel al modificar el funcionamiento interno de la aplicación, modificando a nivel interno los servidores de intercambio de mensajes y enviándolas a un server XMPP propio que garantice la privacidad de las comunicaciones. Con esto el usuario dispondrá de una plataforma WhatsApp propia para su uso.
Esta técnica ha sido desarrollada para poder ser utilizada de forma completamente transparente para el usuario. Para ello es necesario disponer de un teléfono rooteado, o en caso de otras plataformas como iPhone, se ha desarrollado una plataforma basada en Raspberry que actuará como punto de acceso automatizado o el uso de una VPN.
Esperamos que os guste a todos!
Stealth servers need Stealth Packets - Derbycon 3.0Jaime Sánchez
Sun Tzu once said "Know your enemy and know yourself, and in a hundred battles you will never be defeated". Cyberwar is upon us, and APT is too common nowadays and we need to think about new tricks to avoid it, being one step ahead to keep your systems secure.
You can give that step in order defend your servers against the first phase in all APT operations: Fingerprinting. This is done by intercepting all traffic that your box is sending in order to camouflage and modify in real time the flags in TCP/IP packets that discover your system.
This presentation will discuss the current techniques used for OS fingerprinting and how to frustrate them:
- Active remote OS fingerprinting: like Nmap or Xprobe (with Live Demo: Laptop and Mobile)
- Passive remote OS fingeprinting: like p0f or pfsense (with Live Demo: Mobile)
- Commercial engines like Sourcefire’s FireSiGHT OS fingerprinting (with Live Demo: Laptop)
There will be a many live demos, and will release OSfoller, that have some interesting features:
- No need for kernel modification or patches
- Highly portable and configurable
- Will emulate any OS
- Capable of handling nmap and p0f fingerprint database (beta phase)
- Transparent for the user
- Undetectable for the attacker
- Available for your Linux laptop, server and mobile device
Sorry guys, remote OS fingerprinting is over…
From Kernel Space to User Heaven #NDH2k13Jaime Sánchez
FROM KERNEL SPACE TO USER HEAVEN at NUIT DU HACK 2013 by JAIME SANCHEZ
More information at:
Twitter: @segofensiva
Website: http://www.seguridadofensiva.com
What if you could enqueue from kernel space to user space all your incoming and outgoing network connections? Maybe you could develop some offensive/defensive applications to modify headers and payloads in real time, to detect unauthorized traffic like dns tunneling connections or to fool some well known network tools. This will be showed in Linux-powered devices. It will be explained too some remote OS fingerprinting techniques, both active and passive, implemented in tools like nmap, p0f, or vendor appliances, and a how to defeat them. This technique doesn't need virtual machines or kernel patches, and is highly portable to other platforms.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
UiPath Test Automation using UiPath Test Suite series, part 6DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI.
UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities.
Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes.
What will you get from this session?
1. Insights into integrating generative AI.
2. Understanding how this integration enhances test automation within the UiPath platform
3. Practical demonstrations
4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath
Topics covered:
What is generative AI
Test Automation with generative AI and Open AI.
UiPath integration with generative AI
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Climate Impact of Software Testing at Nordic Testing DaysKari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex ProofsAlex Pruden
This paper presents Reef, a system for generating publicly verifiable succinct non-interactive zero-knowledge proofs that a committed document matches or does not match a regular expression. We describe applications such as proving the strength of passwords, the provenance of email despite redactions, the validity of oblivious DNS queries, and the existence of mutations in DNA. Reef supports the Perl Compatible Regular Expression syntax, including wildcards, alternation, ranges, capture groups, Kleene star, negations, and lookarounds. Reef introduces a new type of automata, Skipping Alternating Finite Automata (SAFA), that skips irrelevant parts of a document when producing proofs without undermining soundness, and instantiates SAFA with a lookup argument. Our experimental evaluation confirms that Reef can generate proofs for documents with 32M characters; the proofs are small and cheap to verify (under a second).
Paper: https://eprint.iacr.org/2023/1886
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...Neo4j
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features
available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfMalak Abu Hammad
Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers:
* What is Vector Search?
* Importance and benefits of vector search
* Practical use cases across various industries
* Step-by-step implementation guide
* Live demos with code snippets
* Enhancing LLM capabilities with vector search
* Best practices and optimization strategies
Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications.
#MongoDB #VectorSearch #AI #SemanticSearch #TechInnovation #DataScience #LLM #MachineLearning #SearchTechnology
3. Defeating WhatsApp’s Lack of Privacy
WHO
WE
ARE
Jaime Sánchez
- Computer Engineer & Security Researcher
- Executive MBA, CISSP, CISA and CISM
- Speaker at Rootedcon, Nuit du Hack, BH Arsenal,
Defcon, DerbyCon, NoConName, DeepSec etc.
- Twitter: @segofensiva
- http://www.seguridadofensiva.com
!
!
Pablo San Emeterio
- Computer Engineer / I+D Optenet
- Master of Science in Computer Security by UPM,
CISA and CISM
- Speaker at NoConName and CiberSeg
- Previous experience with WhatsApp :)
- Twitter: @psaneme
Black Hat Sao Paulo
5. Defeating WhatsApp’s Lack of Privacy
¿
WHAT
IS
WHATSAPP
?
- WhatsApp is a cross-platform (no desktop clients)
instant messaging subscription ser vice for
smartphones, that let users send messages and
multimedia files to each other.
!
- Because it uses your internet data plan and there's
no additional cost for these messages, it's mostly used
young people.
!
- Was founded in 2009 by American Brian Acton
and Ukrainian Jan Koum (also the CEO), both former
employees of Yahoo!, and is based in Santa Clara,
California.
!
- WhatsApp might not be as widely known as Twitter,
but it is definitely just as popular in terms of users.
Black Hat Sao Paulo
NoConName 2013
6. Defeating WhatsApp’s Lack of Privacy
USERS
STATS
It’s interesting to compare that stat to Twitter, which has 230 million active monthly users, and to Instagram, which has 150
million on its platform.
Black Hat Sao Paulo
NoConName 2013
8. Defeating WhatsApp’s Lack of Privacy
Just how much is 10
billion messages?
416,666,670 messages an hour
6,944,440 messages a minute
115,704 messages a second
- WhatsApp has done to SMS on mobile phones what Skype did to
international calling on landlines!
Black Hat Sao Paulo
NoConName 2013
9. Defeating WhatsApp’s Lack of Privacy
NEW
ARCHITECTURE
Hardware Specs
- Dual octo-core E5-2690 (32 logical CPUs)
- 256GB RAM (128GB for A/V hosts)
- 6 x 800GB SSD (4TB SATA for A/V hosts)
- 2 x dual link-agg gig-E (public, private)
!
New features
- Resumable uploads and downloads
- Reference counting
Peak Scalability
- 214M images in a day
- 8.8K images/sec downloaded
- 29 Gb/sec output bandwidth
!
Holiday Week
Black Hat Sao Paulo
NoConName 2013
10. Defeating WhatsApp’s Lack of Privacy
SECURITY
FLAWS
- WhatsApp communications were not encrypted, and data was sent and received
in plaintext, meaning messages to easily be read if packet traces are available
(WhatsApp Sniffer)
!
- WhatsApp began using IMEI numbers and MAC addresses as passwords.
!
- Remote storage of virus, programs, html etc. on WhatsApp servers
!
- Critical flaw lead to control any account (modify account, send and receive
messages etc.)
!
- Data stored in plaintext on database
!
- An unknown hacker published a website (WhatsAppStatus.net) that made it
possible to change the status of an arbitrary WhatsApp user, as long as the phone
number was known. (To make it work, it only required a restart of the app)
Black Hat Sao Paulo
NoConName 2013
11. Defeating WhatsApp’s Lack of Privacy
MORE
SECURITY
FLAWS
- On January 13, 2012, WhatsApp was pulled from the iOS App Store, and the
reason was not disclosed. The app was added back to the App Store four days later
!
- Priyanka appeared spreading on Whatsapp through a contacts file that if you add
to your contacts.
!
- WhatsApp Voyeur: allows you to view the profile picture and current "Status" of
every user without using a mobile phone or registered account
!
- No authorization required to send messages, so any user can contact you or any
custom designed bot could be created to send you spam.
!
- Serious WhatsApp flaw allows decrypting user messages
!
!
!
- This is what we know so far ...
Black Hat Sao Paulo
NoConName 2013
12. Defeating WhatsApp’s Lack of Privacy
BLOCKING
- Saudi Arabia plans to block Internet-based
communication tool WhatsApp within weeks if the
U.S.-based firm fails to comply with requirements set
by the kingdom's telecom regulator, local newspapers
reported this week.
!
- This month the Communications and Information
Technology Commission (CITC) banned Viber,
another such tool, which like WhatsApp is hard for the
state to monitor and deprives telecom companies of
revenue from international calls and texts.
http://www.reuters.com/article/2013/06/16/ussaudi-internet-idUSBRE95F04R20130616
!
- The regulator issued a directive saying tools such as
Viber, WhatsApp and Skype broke local laws,
without specifying how.
Black Hat Sao Paulo
NoConName 2013
13. Defeating WhatsApp’s Lack of Privacy
SURVEILLANCE
- Repor ts and documents leaked by Edward
Snowden in June 2013 indicate that PRISM is used
for monitoring communications and other stored
information.
!
- The data that the NSA is supposedly able to get by
PRISM includes email, video, voice chat, photos, IP
addresses, login notifications, file transfer and details
about social networking profiles.
!
- Internet companies such as Microsoft, Google,
Yahoo, Dropbox, Apple and Facebook are inside
the program.
!
- The objectives of the PRISM program are those
citizens living outside the United States, but U.S.
citizens are included too.
Black Hat Sao Paulo
NoConName 2013
14. Defeating WhatsApp’s Lack of Privacy
¿ Could WhatsApp be one of these companies ?
The NSA infected more than 50,000 computers worldwide
with malicious software designed to steal confidential
information. Some countries affected are Venezuela, Bolivia,
Brazil, Ecuador, Cuba, Colombia and Honduras, among others.
The attacks are performed by a special department called
Tailored Access Operations (TAO), which has more than a
thousand hackers.
Black Hat Sao Paulo
NoConName 2013
16. Defeating WhatsApp’s Lack of Privacy
GOALS
- The main objective of the research is to add a new layer of security and privacy to
ensure that in the exchange of messages between members of a conversation both the
integrity and confidentiality could not be affected by an external attacker:
- Add secure encryption to the client. If
an attacker intercepts the messages, or any
governments try to intercept our messages
at WhatsApp's server , they won't find any
legible information.
- Give a certain level of anonymity to the
conversation by using fake/anonymous
accounts and intermediate communication
nodes.
- Modify the inner workings of the
application, routing all tr affic and
conversation messages to own server
(XMPP).
Black Hat Sao Paulo
NoConName 2013
17. Defeating WhatsApp’s Lack of Privacy
GOALS
- This technique has been developed to be used in a manner completely transparent to
the users.
!
- The software works for all WhatsApp’s platforms: we have developed a Linux-based
solution (it works inside a Raspberry Pi, your laptop computer or you could use a VPN).
!
- Could be ported to run inside Android.
Black Hat Sao Paulo
NoConName 2013
18. Defeating WhatsApp’s Lack of Privacy
INSIDE
THE
WORLD
OF
WHATSAPP
Black Hat Sao Paulo
NoConName 2013
19. Defeating WhatsApp’s Lack of Privacy
FUNXMPP
- WhatsApp uses a customized version of the open standard eXtensible Messaging
and Presence Platform (XMPP), called FunXMPP, that uses XML as its syntax..
!
- Without going into technical details, it is a messaging protocol that uses XML syntax:
!
<message from=”01234567890@s.whatsapp.net”
id=”1339831077-7”
type=”chat”
timestamp=”1339848755”>
<notify xmlns=”urn:xmpp:whatsapp”
name=”NcN” />
<request xmlns=”urn:xmpp:receipts” />
<body>Hello</body>
</message>
!
- Since WhatsApp is intended for mobile devices, they wanted to use as little
overhead as possible.
!
- ¿ How did they achieve this ?
Black Hat Sao Paulo
NoConName 2013
20. Defeating WhatsApp’s Lack of Privacy
FUNXMPP
- First of all, all keywords are assigned a byte each. If you can replace each by just one
byte, it would reduce the overhead a lot.
!
- FunXMPP uses a HashTable for this, containing most (if not all) keywords
!
- Given the syntax xnn for one byte with the hexadecimal value nn, the example
above could be reduced to the following:
!
!
<x5d x38=”01234567890@x8a”
x43=”1339831077-7”
xa2=”x1b”
x9d=”1339848755”>
<x65 xbd=”xae”
x61=”NcN” />
<x83 xbd=”xad” />
<x16>Hello</x16>
</x5d>
- All remaining ascii values cannot be replaced by a representative byte-value,
because they are variable/no fixed keywords.
Black Hat Sao Paulo
NoConName 2013
21. Defeating WhatsApp’s Lack of Privacy
BYTES
- Byte xfc: This byte signifies a sequence of ascii characters will be used as the value.
The length of this sequence can be found in the next byte (max length 255).
- Byte xfd: Where xfc reads one byte for the length,xfd reads three bytes. This
allows for strings up to a max of 16777215 characters.
- Byte xf8 y xf9: Declare the beginning of a list and it is followed by its number of
elements and subsequently the content,.
The way members are counted is:
!
1 2 3
<message from=”01234567890@s.whatsapp.net”
4 5
id=”1339831077-7”
6 7
type=”chat”
8 9
timestamp=”1339848755”>
<notify xmlns=”urn:xmpp:whatsapp” |
name=”NcN” /> | 10
<request xmlns=”urn:xmpp:receipts” /> |
<body>Hello</body> |
</message>
Black Hat Sao Paulo
NoConName 2013
23. Defeating WhatsApp’s Lack of Privacy
LOGGING
IN
ON
A
NEW
DEVICE
1) WhatsApp will send the user’s phone number to servers, through HTTPS,
requesting an authentication code
2) The mobile phone receives, through text message, the authentication code
3) This authentication code is sent and compared, and if matches, WhatsApp
obtains the password
!
- To log in, the client uses a custom SASL mechanism, called WAUTH-1. First, the
client sends:
!
<auth xmlns="urn:ietf:params:xml:ns:xmpp-sasl" user="XXXXXXXXXXXX"
mechanism="WAUTH-1" />
- Server will answer with a challenge:
!
<challenge xmlns="urn:ietf:params:xml:ns:xmpp-sasl">YYYYYYYYYYYYYYYYYYYY
</challenge>
- To respond the challenge, the client will generate a key using PKBDF2 with user’s
password, challenge as salt and SHA1 as hash function. Only 20 bytes from result will
be used as key <phone number> || <20 bytes> || UNIX timestamp:
<response xmlns="urn:ietf:params:xml:ns:xmpp-sasl">ZZZZZZZZZZZZZ</response>
Black Hat Sao Paulo
NoConName 2013
24. Defeating WhatsApp’s Lack of Privacy
ARE
MY
MESSAGES
SECURE
?
- RC4, the most widely used software stream cipher and is used in popular protocols
such as Transport Layer Security (TLS) and WEP, was designed by Ron Rivest of RSA
Security in 1987
!
- RC4 has two stages - a KSA, that initializes the state table to be a "random"
permutation based on the key, and the PRGA, which actually returns a random byte.
¿ Where is the problem ?
Black Hat Sao Paulo
NoConName 2013
25. Defeating WhatsApp’s Lack of Privacy
From the creators of:
- Don't run with scissors
- Don't run near the pool
- Don't run near the pool while carrying scissors
!
!
Now comes:
DON’T re-use the same RC4 keystream to
encrypt two different messages
Black Hat Sao Paulo
NoConName 2013
26. Defeating WhatsApp’s Lack of Privacy
EVERY
TIME
ALICE
ENCRYPTS
A
MESSAGE ,
GOD
KILLS
A
KITTEN
...
Suppose Alice wants to send encryptions of m1 and m2 to Bob
over a public channel. Alice and Bob have a shared key k; however,
both messages are the same length as the key k. Since Alice is
extraordinary lazy (and doesn't know about stream ciphers), she
decides to just reuse the key.
!
Alice sends ciphertexts c1 = m1 ⊕ k and c2 = m2 ⊕ k to Bob
through a public channel. Unfortunately, Eve intercepts both of
these ciphertexts and calculates c1 ⊕ c2= m1 ⊕ m2.
c1 = m1 ⊕ k
c2 = m2 ⊕ k
m1 = c1 ⊕ k
m2 = c2 ⊕ k
REUSED KEY ATTACK
c1 ⊕ c2 = m1 ⊕ m2
Black Hat Sao Paulo
NoConName 2013
27. Defeating WhatsApp’s Lack of Privacy
ATTACKING
WHATSAPP’S
ENCRYPTION
- From here, the task becomes separating the two plaintexts from one another
(plaintext attack or Crib-Dragging), following the steps bellow:
1) Guess a word that might appear in one of the messages
2) Encode the word from step 1 to a hex string
3) XOR the two cipher-text messages
4) XOR the hex string from step 2 at each position of the XOR of the two
cipher-texts (from step 3)
5) When the result from step 4 is readable text, we guess the English word and
expand our crib search.
6) If the result is not readable text, we try an XOR of the crib word at the next
position.
!
- To do this, we have to do a little guessing about the
plaintexts themselves.
!
- The idea is to use a Frecuency Analysis based on
the original language used in the plaintext.
Black Hat Sao Paulo
NoConName 2013
29. Defeating WhatsApp’s Lack of Privacy
"WhatsApp takes security seriously and is continually thinking of ways
to improve our product. While we appreciate feedback, we're concerned
that the blogger's story describes a scenario that is more theoretical in
nature. Also stating that all conversations should be considered
compromised is inaccurate" the company said.
Official response to https://blog.thijsalkema.de/blog/2013/10/08/piercing-through-whatsapp-s-encryption/
WTF!
Black Hat Sao Paulo
NoConName 2013
34. Defeating WhatsApp’s Lack of Privacy
INTERCEPT
MESSAGES
- We have verified that the encryption used to
protect the information and privacy of our
conversations is easy to break.
!
- ¿What can we do? We will intercept WhatsApp's
message before you leaving the mobile phone. We'll
decipher the original message with our key and we
will apply a new cipher and then encrypt it with the
original algorithm and key, not breaking the
application.
!
- From now on, we’ll be working this way:
REAL-TIME
MODIFICATION
Black Hat Sao Paulo
NoConName 2013
35. Defeating WhatsApp’s Lack of Privacy
CHALLENGE
AND
iOS
- In iOS version we’ll use a little trick to get the challenge. Instead of exchanging it during the login, WhatsApp sends the challenge for the next session while connected.
!
- We’ll flip some random bytes, forcing WhatsApp to negotiate it again:
- The result for the log in of the second mobile is the same:
Black Hat Sao Paulo
NoConName 2013
36. Defeating WhatsApp’s Lack of Privacy
SENDING
MESSAGES
- The message is sent from the client. Our program detects it, and using the RC4 session key used
by WhatsApp, decrypts the message and extracts text. Once the text is clear, encrypts it with our
algorithm and key, and re-wrap it in the original format with RC4 encryption it again, not breaking
the operation of WhatsApp:
- You can see how our program has decoded the original message: Bello
!
- HMAC is deleted in the decoded message and we calculate it again before sending. Finally, the
message will leave our mobile phone. We can see that the new message is different from the
original because is has a layer encryption implemented by us:
HMAC
Black Hat Sao Paulo
NoConName 2013
37. Defeating WhatsApp’s Lack of Privacy
RECEIVING
MESSAGES
- In the screenshot you can see how we received an normal WhatsApp message, but it’s really
special. When we use the RC4 key to decrypt the text inside, we find is completely unreadable.
- Using the same private key and algorithm, our program will decrypt the message text and
reassemble the original text, so WhatsApp will be able to process it.
!
!
- The final message can be read as usually by the user, and it’s the same as the first one:
Black Hat Sao Paulo
NoConName 2013
41. Defeating WhatsApp’s Lack of Privacy
HIDING
OUR
MESSAGES
- The above method allows us to encrypt our messages,
so other attackers capable of intercepting our traffic will
not be able to get the contents of messages.
!
- But, ¿ what if we want the traffic to directly bypass
the WhatsApp's server ?
EXTERNAL XMPP SERVER
Black Hat Sao Paulo
NoConName 2013
42. Defeating WhatsApp’s Lack of Privacy
USING
AN
EXTERNAL
XMPP
SERVER
- We analyze the outgoing message and decrypt it using the RC4 key.
!
- Then, we extract the original text and send it to our external XMPP server:
<destination number>¿<message_id>¿<original text>
- The program will replace every character in the original text with our wildcard character, so the
original message will never pass through WhatsApp's servers (this step is necessary or destination
will reject our messages)
!
- Recipient receives our message full of wildcard characters, querys our XMPP server and
replaces the wildcard characters with the original text.
Black Hat Sao Paulo
NoConName 2013