Introducing Man in the Contacts attack to trick encrypted messaging apps
1. Introducing Man In The Contacts attack to trick encrypted messaging apps
Cyber Security Conference #CYBSEC16
03/11/2016 – Securing Apps
2. whois securingapps
Developer background
Spent last 10 years working in Switzerland on security products and solutions
Focus on mobile since 2010
Now software security consultant at my own company
http://www.securingapps.com
Provide services to build security in software
Mobile
Web
Cloud
Internet Of Things
Bitcoin/Blockchain
@SecuringApps
3. Introduction
Popular messaging apps recently switched to End-to-End
encryption
Great communication around it
Privacy now is a requirement
Debates at the government level to ask for backdoors
Going dark ?
Used by terrorists ?
Increased feeling that those applications are unbreakable
4. Super crypto. But wait ….
Advanced ratcheting in Signal Protocol
Looks like an obvious flaw won't be there
But how do messaging apps authenticate me ?
No explicit identifier
Provisioning done via SMS
Link to device/phone number
And when I change phone number ?
And my contacts ?
Get them from my address book
No manual contact handling (e.g. Skype)
5. Threat model: mobile focus & simplified
[Diagram: Mobile OS hosting Other app, Messaging app and Contacts; Storage (backups); Network carrying the SMS init code and messages (E2E encryption) between the messaging app and the Messaging backend]
6. Accessing contacts
Easy to read/modify/create contacts
There is an API for that
Android example
Shared data structure accessible in read/write
Only restricted by permissions
And it contains authentication data in clear !
There is room for a side channel attack: Man In The Contacts
Not requiring a rooted device (e.g. no RowHammer attack)
7. Introducing Alice, Bob and Eve
Convention: Alice on the left, Bob on the right, Eve in the center
Devices not rooted, latest OS updates available
Installed apps: latest version (29th October 2016) of
WhatsApp, Telegram and Signal
[Figure: test devices running Android 5.0, Android 5.1 and iOS 10.1; phone numbers Alice +33 X XX XX XX 60, Eve +41 XX XXX XX 21, Bob +41 XX XXX XX 66]
8. Old joke: swap contacts
Install MITC app on Bob's device
Start a conversation between Alice and Bob
Swap Alice and Eve phone numbers on Bob's device
See what happens
[Screenshot: Bob's device]
9. Old joke: swap contacts
WhatsApp 1
Bob starts a conversation with Alice
Alice answers
[Screenshot: Bob's device]
10. Old joke: swap contacts
WhatsApp 2
Eve triggers contact swap via remote MITC app on Bob's device
Eve sends «This is eve» to Bob
Notification received as Alice
But new conversation
[Screenshot: Bob's device]
11. Old joke: swap contacts
WhatsApp 3
Ignore notification
Conversation of Alice now displayed as Eve
[Screenshot: Bob's device]
12. Old joke: swap contacts
WhatsApp 4
Accept notification
Eve triggered a new conversation
But displayed as Alice
[Screenshot: Bob's device]
13. Old joke: swap contacts
Telegram 1
Bob starts a conversation with Alice
Alice answers
[Screenshot: Bob's device]
14. Old joke: swap contacts
Telegram 2
Eve triggers contact swap via remote MITC app on Bob's device
Eve sends «This is Eve» to Bob
Notification received as Alice
But new conversation
[Screenshot: Bob's device]
15. Old joke: swap contacts
Telegram 3
Accept notification
Eve triggered a new conversation
But displayed as Alice
NB: If you change the name of Alice, future notifications and conversations will still be under the name of Alice
[Screenshot: Bob's device]
16. Old joke: swap contacts
Signal 1 & 2
Screenshots refused by Android app
But same behaviour as WhatsApp
[Screenshot: Bob's device]
17. Old joke: swap contacts
Signal 3
Accept notification
Eve triggered a new conversation
Displayed as Alice
But phone number also displayed (the iOS version doesn't display it)
[Screenshot: Bob's device]
18. Old joke: swap contacts
Signal 4
Not the case in the main view
[Screenshot: Bob's device]
19. Old joke: swap contacts
Signal 5
Stay in this view
Switch back contacts with MITC app
Nothing happens for a while
And then main view updated
=> contact sync process
[Screenshot: Bob's device]
20. Swap contacts results
Can't be used to trick Bob within an existing conversation
But produces a notification and a new conversation that may seem legitimate to Bob
Different behaviors depending on the app
Name in the notification vs name in the conversation
Name configured by the sender vs contact name as seen by receiver
Contact sync time
Not discreet in case Alice and Bob have a phone call or send a message
21. Nasty trick: contact with similar name
Start a conversation between Alice and Bob
Create a contact named « Alice» on Bob's device with Eve's phone number
See how the whitespace in front of Alice gets displayed
[Screenshot: Bob's device]
22. Nasty trick: contact with similar name
WhatsApp 1
Alice starts a conversation with Bob
[Screenshot: Bob's device]
23. Nasty trick: contact with similar name
WhatsApp 2
Eve starts a conversation with Bob
[Screenshot: Bob's device]
37. Contact with similar name results
Creating « Alice» in addition to Alice is far more discreet
Phone call/SMS OK with real contact
Whitespace prefix is not visible in messaging apps
Requires a new contact, but MITC app can delete/recreate « Alice» as often as needed
Why does it work ?
Design error from a security point of view: phone number is a poor identifier
Abusing TOFU: new contact = new key = accepted by default
End user/mobile not really included in threat model
Focus on protecting network/backend (e.g. against government agencies)
Side channel attack with some social engineering out of scope
Yet after a few messages, Bob can guess it is not really Alice speaking to him
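The address-book checks a messaging app could run on every contact sync to surface both tricks above (the number swap of slides 8–20 and the look-alike « Alice» of slides 21–37) and to make the TOFU step explicit, as an added, platform-independent Python model: this is not code from the talk or from any of the apps, and the phone numbers are constructed placeholders in the talk's masked format.

```python
"""Address-book consistency check modelled on the Man In The Contacts (MITC)
scenarios: a contact swap and a look-alike contact (" Alice" with Eve's number).
Added model, not code from the talk or any messaging app; the address-book
entries below are constructed sample data."""
import re
import unicodedata
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Contact:
    name: str
    number: str


def normalize_name(name: str) -> str:
    """Fold the display-name variants a messaging UI would render identically:
    compatibility forms (NFKC, e.g. non-breaking space), invisible format
    characters such as zero-width space, leading/trailing/repeated whitespace,
    and letter case. Cross-script homoglyphs (Cyrillic 'а') are NOT folded."""
    folded = unicodedata.normalize("NFKC", name)
    folded = "".join(ch for ch in folded if unicodedata.category(ch) != "Cf")
    return re.sub(r"\s+", " ", folded).strip().casefold()


def normalize_number(number: str) -> str:
    """Reduce a phone number to '+<digits>'. Assumes numbers are stored with
    a country code, as they are in the talk."""
    return "+" + re.sub(r"\D", "", number)


@dataclass
class ContactMonitor:
    """Snapshot of number -> name as the app first saw it (pinned identities).
    The address book is re-read on every sync, as the apps in the talk do, but
    here a changed mapping raises an alert instead of being accepted silently."""
    pinned: dict = field(default_factory=dict)

    def sync(self, address_book):
        alerts = []
        book = {normalize_number(c.number): c.name for c in address_book}

        # (1) Swap detection: a pinned number now carries a different name.
        for num, old_name in self.pinned.items():
            if num in book and normalize_name(book[num]) != normalize_name(old_name):
                alerts.append(("NUMBER_RENAMED", f"{num}: {old_name!r} -> {book[num]!r}"))

        # (2) Look-alike detection: two numbers whose names render the same.
        seen = {}
        for num, name in book.items():
            key = normalize_name(name)
            if key in seen and seen[key] != num:
                other = seen[key]
                alerts.append(("LOOKALIKE_NAME",
                               f"{name!r} ({num}) vs {book[other]!r} ({other})"))
            seen.setdefault(key, num)

        # (3) TOFU made explicit: a never-seen number is pinned but reported, so
        # the user is asked to verify the new identity instead of trusting it.
        for num, name in book.items():
            if num not in self.pinned:
                self.pinned[num] = name
                alerts.append(("NEW_CONTACT", f"{name!r} ({num})"))
        return alerts


# Constructed placeholder numbers, following the talk's "+33 X XX XX XX 60" /
# "+41 XX XXX XX 21" masking; they belong to nobody.
ALICE_NUMBER = "+33 6 11 22 33 60"
EVE_NUMBER = "+41 79 123 45 21"


def swap_scenario():
    """Slides 8-20: Eve's MITC app swaps Alice's and Eve's numbers on Bob's device."""
    monitor = ContactMonitor()
    monitor.sync([Contact("Alice", ALICE_NUMBER), Contact("Eve", EVE_NUMBER)])  # pin
    return monitor.sync([Contact("Alice", EVE_NUMBER), Contact("Eve", ALICE_NUMBER)])


def lookalike_scenario():
    """Slides 21-37: Eve's MITC app adds ' Alice' (leading space) with Eve's number."""
    monitor = ContactMonitor()
    monitor.sync([Contact("Alice", ALICE_NUMBER)])  # pin the real Alice
    return monitor.sync([Contact("Alice", ALICE_NUMBER), Contact(" Alice", EVE_NUMBER)])


if __name__ == "__main__":
    for scenario in (swap_scenario, lookalike_scenario):
        print(scenario.__name__)
        for kind, detail in scenario():
            print(f"  {kind}: {detail}")
```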
38. Building an attack scenario with MITC
Let’s build an easy exploitation scenario
Convinced many more similar attacks are possible
Look in detail at how the implementations handle contacts
Reverse engineering for WhatsApp/Telegram
Android contact handling is highly likely readable Java code
Open source code for Signal
Extra identifiers stored in contacts: they can also be modified!
Suppose Alice also installed the MITC app
because it's very popular
or because the MITC app sent her an SMS recommending it after finding her in Bob's contacts
39. Man In The Middle: init phase
1. Have MITC deployed on the devices of Alice and Bob
2. Log in as Eve to the web version of the messaging app
3. Create « Alice» and « Bob» with Eve's phone number via the MITC app
(diagram: Bob, Alice, Eve)
40. Man In The Middle: provoke discussion 1
(diagram: Bob, Alice, Eve)
41. Man In The Middle: provoke discussion 2
(diagram: Bob, Alice, Eve)
47. Man In The Middle results
WhatsApp
Possible to share a real conversation between Bob and Alice via Eve
Only need to switch to a new conversation by forcing a chat
Later conversations will likely continue in this session (UI easiest path)
Telegram: same results (web version also available), as long as the new contacts are used for the first time
Signal: same results
Phone number always displayed below the contact name (Android version only)
48. Risk assessment
Simple evaluation: risk = ease of attack * user impact
Difficulty of attack: Low-Medium
Technically: Low
Easy to access contacts via code
Not a problem to get the MITC application approved for publication
Logistics: Medium
One phone number is enough
Need to convince many users to install the MITC application
But a « Ponzi scheme » is possible by using the contact information
Impact: High
Thousands of users can be spied on: multi-app + multi-mobile OS
49. Vendor feedback 1/4
Telegram
Very efficient Level 1 support (a contact in the Telegram app)
Level 2: security@telegram.org = /dev/null
Contacted them 3 times
Asked Level 1 to recontact them
Public question via Twitter
WhatsApp
Contacted Facebook security via form => automatic confirmation
No answer for one month
Recontacted them: answer received the next day
Replied to it, but never got feedback
50. Vendor feedback 2/4
WhatsApp answer (layout as is, bold added)
We appreciate your report. Ultimately an attacker with malware installed on
a device is going to be able to alter data on the device itself. In your
examples for WhatsApp, conversations remained properly bound to the
phone number that the messages were sent to. Beyond that, WhatsApp
allows people to set local aliases for contacts and to view the number
associated with a specific message thread at any point. Given that, we don't
feel that this behavior poses a significant risk and we do not plan to make any
changes here. Please let us know if you feel we've misunderstood something
here!
51. Vendor feedback 3/4
Signal
Not clear what the channel for security issues is
Created a report for the Android app in Signal's bug tracker
Recontacted twice but no answer for 2 months
Public question via Twitter
Quick answer from support
Someone from tech team will contact me soon
After recontacting support, discussion started
52. Vendor feedback 4/4
Signal 1st reply (layout as is, bold added)
Hey Jeremy, saw your support email about "man in the contacts." This, like
all interception techniques, is what safety numbers are for. Signal users
would be notified that the safety numbers for their contact have changed,
and be asked to verify them. A successful MITM attack would need to find a
way to intercept communication without triggering that notice.
Signal 2nd reply (layout as is, bold added)
Hey Jeremy, Signal is not designed to protect your device against
malware. Thanks for getting in touch, good luck with everything.
53. Countermeasures: mobile apps
Give up the implicit trust in contacts
Deal with contacts the old way
Provide an explicit identifier + authenticator
Manually approve contacts to be added
Or mitigate risk by increasing user awareness
Clear message when a new conversation starts, telling the user to be cautious
Ideally warning sign in the corresponding notification
Display a visible trust level indicator next to the contact name
If no chat history for this number/key, trust level set to minimum
Phone number can help (if people know the numbers by heart …)
Mobile OS: stronger restrictions for accessing contacts
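An added example of the two countermeasures just listed (not code from the talk or from any of the apps): it folds display names so that the « Alice» whitespace trick collides with the real Alice, then derives a Red/Orange/Green trust indicator from chat history, with minimum trust for a number nothing was ever exchanged with. The folding rules, trust rules, sample contacts and history are this example's own assumptions.

```python
import unicodedata
from dataclasses import dataclass
from typing import Dict, Iterable, List

@dataclass(frozen=True)
class Contact:
    display_name: str  # name as shown by the messaging app
    phone: str         # E.164 number as stored on the device

def canonical_name(name: str) -> str:
    """Fold a display name so look-alikes collide: NFKC, then drop every
    separator (Z*) and control/format (C*) code point, then casefold."""
    folded = unicodedata.normalize("NFKC", name)
    folded = "".join(ch for ch in folded if unicodedata.category(ch)[0] not in "ZC")
    return folded.casefold()

def find_lookalikes(contacts: Iterable[Contact]) -> Dict[str, List[Contact]]:
    """Group contacts whose folded names collide but whose numbers differ."""
    groups: Dict[str, List[Contact]] = {}
    for c in contacts:
        groups.setdefault(canonical_name(c.display_name), []).append(c)
    return {name: members for name, members in groups.items()
            if len({m.phone for m in members}) > 1}

def trust_level(contact: Contact, history: Dict[str, int],
                lookalikes: Dict[str, List[Contact]]) -> str:
    """Red/Orange/Green indicator (rules chosen for this example): red = nothing ever
    exchanged with this number, orange = known number whose name collides, green = ok."""
    if history.get(contact.phone, 0) == 0:
        return "red"
    if canonical_name(contact.display_name) in lookalikes:
        return "orange"
    return "green"

# Constructed sample: Bob's address book after a MITC-style app added two
# look-alikes of Alice (leading space, zero-width joiner) with Eve's number.
CONTACTS = [
    Contact("Alice", "+32470111111"),
    Contact(" Alice", "+32470999999"),
    Contact("Ali\u200dce", "+32470999999"),
    Contact("Bob's Mum", "+32470222222"),
]
# Constructed history: messages/calls ever exchanged per number.
HISTORY = {"+32470111111": 120, "+32470222222": 8}

def audit(contacts=CONTACTS, history=HISTORY) -> Dict[str, str]:
    """Return {display_name: trust colour} for every contact in the list."""
    suspicious = find_lookalikes(contacts)
    return {c.display_name: trust_level(c, history, suspicious) for c in contacts}
```

Running `audit()` on the sample marks both Eve-backed look-alikes red and the real Alice orange, which is the cue a user needs before answering a "new" conversation.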
54. Countermeasures: end user
Check your contacts
Avoid installing applications asking for the modify-contacts permission
Yes, messaging apps ask for this permission …
Use Threema
Swiss German app
Manual id handling
Optional contact sync
Visible trust level: Red/Orange/Green
Questions on contacts handling sent to press@threema.ch
Very detailed answer with the clear design choices received the next day
55. Conclusion
E2E can’t guarantee privacy if you’re not sure who you’re talking to
Beware of messages announcing that good cryptography is used: they can bring a false sense of security
Security model around contacts is far too open for sensitive apps
Authenticating the other party is an absolute necessity
But it’s a difficult task, particularly the provisioning processes
And even more to make it user friendly
The end user must be in the loop to detect suspicious activity
If it’s too complex, secure features won’t be used
A significant part of end users will install crappy apps, accept anything and not care about security warnings
If the design of your solution includes access to contacts, start a threat modeling session