Blog

For those unaware, WannaCry is an insanely fast-spreading ransomware malware that leverages a Windows SMB exploit to target computers running unpatched or unsupported versions of Windows (desktop and server) and then spreads like a worm to infect other vulnerable systems on the internal network.

The SMB vulnerability is exploited by EternalBlue, one of a collection of hacking tools allegedly created by the NSA and subsequently dumped by a hacking group calling itself "The Shadow Brokers" over a month ago.

"If NSA had privately disclosed the flaw used to attack hospitals when they *found* it, not when they lost it, this may not have happened," NSA whistleblower Edward Snowden said.

Introduction

A long time ago, one of the first computers to come out was known as the “TRS-80”, manufactured by Radio Shack. It was released in the late 1970s and, at the time, was heralded as a breakthrough in computer technology.

It could run and execute software written in BASIC quite efficiently. About a year later, the pocket version of the TRS-80 came out, and it too was branded a success in the field of computer technology.

The widely popular Android AppLock application by DoMobile Ltd. is claimed to be vulnerable to hackers.

The AppLock Android app lets users apply a security layer to their devices, locking and hiding SMS, Gallery, Gmail, Facebook, Calls and any other app installed on the device.

 

Some of its features are:

  • Protecting apps with either a PIN or a pattern lock
  • Providing a Photo Vault to hide pictures
  • Providing a Video Vault to hide videos
  • Creating different user profiles, making it easy to change the locks
  • Preventing apps from being uninstalled
  • AppLock itself cannot be killed by task killers

This acts as advanced protection for your device, securing many of the features that come with an Android phone.
 
But does this really protect you?
 
Let’s have a look…
 
Security researchers at Beyond Security’s 'SecuriTeam Secure Disclosure' (SSD) have reported three critical flaws in the AppLock app.
 
They say the app that promises to hide and secure your data falls short when:
  • You hide your photos and videos in the Vault
  • You apply PIN protection to the AppLock app
  • You reset the PIN

The first vulnerability affects the vault services with which “AppLock empowers you to control photo and video access”.
 
The researchers say that when you put something in the vault, the files are not encrypted; rather, they are hidden in the device's file system, outside the directory assigned to the app.
 
As a result, anyone can access those files; an intruder can accomplish this by installing a file manager on the device, replacing some files in the directory and retrieving the data from the SQLite database.
 
The second vulnerability allows an attacker to break the PIN attached to an app by brute force. The researchers claim that the salt combined with the password/PIN was a fixed value, “domobile”.

For this, the device needs to be rooted. An attacker can also remove or change the lock applied to an app.
 
The third vulnerability allows attackers to reset the PIN code and gain complete access to the targeted application without any special permissions.

Here, the researchers say that an attacker can compromise the user’s privacy by resetting the password:

  • If the user has not provided an e-mail address, an attacker can add their own and receive the reset code.
  • If the user has provided an e-mail address, an attacker can intercept the traffic using Wireshark and obtain the MD5 hash.

SecuriTeam tried to contact the vendor, but got no response. They say their goal is to protect users’ privacy by warning them about a “false sense of security”.

AppLock is installed in over 50 countries, has over 100 million users and supports 24 languages. Besides AppLock, DoMobile develops various apps for Android and iOS devices.

 

Bought a brand new Android Smartphone? Don't expect it to be a clean slate.
 
A new report claims that some rogue retailers are selling brand-new Android smartphones loaded with pre-installed malicious software.

Security firm G Data has uncovered more than two dozen Android smartphones from popular manufacturers — including Xiaomi, Huawei and Lenovo — that have spyware pre-installed in the firmware.

 

G Data is a German security firm that last year disclosed the Star N9500 smartphone's capability to spy on users, compromising their personal data and conversations without any restrictions and without the users' knowledge.
 

Removal of Spyware Not Possible

 
The pre-installed spyware, disguised as popular Android apps such as Facebook and Google Drive, cannot be removed without unlocking the phone, since it resides in the phone's firmware.
"Over the past year, we have seen a significant [growth] in devices that are equipped with firmware-level [malware and spyware] out of the box which can take a wide range of unknown and unwanted actions," Product Manager Christian Geschkat from G Data said in a statement.

Spyware Capabilities

 
The spyware is capable of doing the following actions:
 
  • Listening in to telephone conversations
  • Accessing the Internet
  • Viewing and copying contacts
  • Installing unwanted apps
  • Asking for location data
  • Taking and copying images
  • Recording conversations using the microphone
  • Sending and reading SMS/MMS
  • Disabling Anti-Virus software
  • Listening in to chats via messaging services (Skype, Viber, WhatsApp, Facebook and Google+)
  • Reading the browser history

Third-Party Vendors or Intelligence Agency?

 
Unlike in the case of the Star devices, the security firm suspects third-party vendors or middlemen (retailers), not the manufacturers, of modifying the device firmware to steal user data and inject advertisements to earn money.
 
The possibilities may also include unintentional infection via compromised devices in the supply chain or intentional interference by government intelligence agencies.
 

Affected Brands

 
The affected smartphone brands include Xiaomi, Huawei, Lenovo, Alps, ConCorde, DJC, Sesonn and Xido. Most of the suspected models are sold in Asia and Europe.

However, this isn't the first time Chinese handsets have come with pre-installed spyware. Back in March, the mobile security firm Bluebox found pre-loaded malware on a Xiaomi Mi4 LTE, to which Xiaomi replied that the compromised handsets were high-quality counterfeits.

Late last year, researchers from Palo Alto Networks discovered that high-end devices from Coolpad, sold exclusively in China and Taiwan, came pre-installed with a backdoor dubbed "CoolReaper".

 

Google is planning to introduce a trimmed-down special version of the Google Play Store and Android Wear to mainland China.
 
But wait, if I’m not wrong…
 
Google ended its ties with China five years ago. So what made Google decide to re-establish itself in China once again? Business?

Recent reports by Amir Efrati at The Information state that Google has massive plans to re-establish itself in mainland China.

The search engine giant is aiming to get approval from China (the most populous country in the world) for:
  • Reviving Google as an Internet service provider
  • Designing a tailor-made Google Play Store for China
  • Android Wear software for the wearables already on sale in China

Smart steps, but what happened back in 2010?

 
Google and China have always been at odds; China's Internet laws and Google's censoring of its search engine was one battle.

In 2010, Google famously withdrew its search engine Google.cn from mainland China, after accusing the Chinese government of stealing unspecified intellectual property from its internal systems.

Google suspected that state-sponsored hackers had conducted a targeted cyber attack on Gmail, which China later denied.

Was it a mistake then, or is it the start of a new chapter now? Why take a U-turn? Let bygones be bygones... Google must break the ice soon.

See what Google's CEO of one month, Sundar Pichai, has to say about it.

 

If you think that IP address, cookies and HTTP headers are the only factors used to uniquely identify and track users around the web… you are terribly wrong!

New, modern fingerprinting techniques rely on multiple factors:

  • IP address
  • Cookies
  • Language
  • Timezone
  • HTTP headers (User agent, referer, etc)
  • HTML5 APIs (WebRTC, Battery API, etc)
  • HTML5 and CSS3 features detection
  • CSS media queries
  • WebGL
  • Browser plugins (Flash, Silverlight, Java, etc)
  • Browser add-ons
  • Browser options (Do-Not-Track etc)
  • Browser storage
  • System fonts
  • TLS/SSL Session IDs
  • Hardware detection (Camera, Mic, Touch screen, etc)
  • Screen (resolution, color depth, pixel density, etc)
  • Audio and video codecs
  • Accessibility features

Recent W3C additions to the HTML standards allow developers to communicate with the user's device for enhanced options in websites, apps or games. It is not surprising that many of these APIs are exploited to calculate a more precise user fingerprint.

What is a fingerprint?

Imagine you walk into a shop and at the entrance an advanced camera scans you and saves information such as body type, height, skin colour, clothes, shoes, walking style, tone of voice, etc. All this data is then serialized and passed through a hashing function to calculate your unique fingerprint. The next time you visit the shop, or a shop of the same franchise, even if you are dressed differently, a quick analysis can still associate your fingerprint with the one from your previous visit.

The same happens when you visit a webpage with a browser (without the user's explicit cooperation).
It doesn’t matter that you are not logged in or have disabled cookies. It is still possible to associate a user with a token; the technique is not 100% accurate (yet) but continues to evolve.
The Electronic Frontier Foundation researched browser fingerprinting in the publication “How Unique Is Your Web Browser?” (PDF). Accurate descriptions of device fingerprinting can be found on the WebKit wiki and on Wikipedia.

Client side Javascript

To get a better idea of how fingerprinting currently works, you can inspect a JavaScript library used by web developers: Fingerprintjs2.

To effectively block such scripts, disable JavaScript globally or use the NoScript or uMatrix extensions. Other factors can still reveal a lot about you, and fingerprinting methods not yet disclosed may exist.
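As an added illustration (not code from the original post, and not Fingerprintjs2's own code), here is the mechanism the shop analogy describes, reduced to its essentials: a set of attributes is serialised in a fixed order and hashed into one token, a change in any single attribute yields a different token, and the bits-of-identifying-information measure from the EFF study is computed for one attribute. The attribute names, the sample profile and the choice of FNV-1a as the hash are assumptions made for this demo; Fingerprintjs2 collects far more attributes and uses MurmurHash.

```javascript
// Added example (not from the original post, not Fingerprintjs2): serialise
// browser attributes in a stable order and hash them into a token.

// FNV-1a, 32-bit, over the UTF-8 bytes of `str`; returns 8 lowercase hex chars.
// Chosen for brevity; the fingerprinting principle does not depend on the hash.
function fnv1a32(str) {
  let hash = 0x811c9dc5; // FNV offset basis
  for (const byte of new TextEncoder().encode(str)) {
    hash ^= byte;
    hash = Math.imul(hash, 0x01000193) >>> 0; // multiply by the FNV prime mod 2^32
  }
  return hash.toString(16).padStart(8, "0");
}

// Constructed sample profile: stands in for what a script reads from
// navigator, screen and Date in a real browser.
const SAMPLE_PROFILE = {
  userAgent: "Mozilla/5.0 (X11; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0",
  language: "en-US",
  timezoneOffset: -120,
  screen: "1920x1080x24",
  plugins: [],
  doNotTrack: "1",
  touchPoints: 0,
};

// Read the attributes the current environment exposes; outside a browser
// (no `navigator`/`screen`, e.g. under Node) fall back to the constructed sample.
function collectAttributes() {
  if (typeof navigator === "undefined" || typeof screen === "undefined") {
    return { ...SAMPLE_PROFILE };
  }
  return {
    userAgent: navigator.userAgent,
    language: navigator.language,
    timezoneOffset: new Date().getTimezoneOffset(),
    screen: `${screen.width}x${screen.height}x${screen.colorDepth}`,
    plugins: Array.from(navigator.plugins || [], (p) => p.name),
    doNotTrack: navigator.doNotTrack,
    touchPoints: navigator.maxTouchPoints || 0,
  };
}

// Serialise with sorted keys so the same attributes always give the same
// string, whatever order they were collected in.
function serialise(attrs) {
  const sorted = Object.fromEntries(Object.keys(attrs).sort().map((k) => [k, attrs[k]]));
  return JSON.stringify(sorted);
}

function fingerprint(attrs) {
  return fnv1a32(serialise(attrs));
}

// Surprisal in bits of one attribute value, given the fraction of a
// population sharing it (the measure used in the EFF study cited above):
// a value shared by half the population identifies 1 bit, one shared by
// 1 in 1024 identifies 10 bits.
function surprisalBits(fraction) {
  if (!(fraction > 0 && fraction <= 1)) throw new RangeError("fraction must be in (0, 1]");
  return -Math.log2(fraction);
}

// Demo: same attributes -> same token; one changed attribute -> new token.
const base = collectAttributes();
const changed = { ...base, timezoneOffset: base.timezoneOffset + 60 };
console.log("token      :", fingerprint(base));
console.log("reordered  :", fingerprint(Object.fromEntries(Object.entries(base).reverse())));
console.log("changed tz :", fingerprint(changed));
console.log("UA shared by 1 in 1024 users carries", surprisalBits(1 / 1024), "bits");
```

Run it in a browser console to see the token computed from your real browser, or under Node to see it computed from the constructed sample; in both cases reordering the attributes leaves the token unchanged while altering one attribute produces a new one, which is why a tracker wants as many stable attributes as it can get.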

HTML5 APIs

Thanks to new HTML5 standards, developers can access sensitive user information or device hardware, in some cases without needing to ask for permission. The following APIs are currently exploited in the wild. The most common way to block these features is to disable JavaScript or use a specific add-on.

Canvas

This is a nasty, stealthy and (with JavaScript enabled) almost unstoppable technique, actively used since 2012 and occasionally embedded in widely used scripts (remember AddThis's “research” into alternatives to cookies).

When the browser visits a webpage with a canvas fingerprinting script, it is instructed to draw a hidden graphic that gets converted to a token. The uniqueness of the token depends on factors like browser, operating system and installed graphics hardware.

To avoid Canvas fingerprinting you can either:

  • disable JavaScript globally
  • use the NoScript, uMatrix or CanvasFingerprintBlock (Chrome only) extensions
  • use the Tor Browser

Battery

According to research, the Battery Status API can read the level, charging time and discharging time of the device battery. Combined, this data is nearly unique for each device and battery state, potentially allowing the tracking of activities on the web.

A paper (PDF) titled “The leaking battery – A privacy analysis of the HTML5 Battery Status API” targets Firefox users on Linux systems. As a result of this impressive study: “We propose minor modifications to Battery Status API and its implementation in the Firefox browser to address the privacy issues presented in the study. Our bug report for Firefox was accepted and a fix is deployed.”

On Chrome you can install the add-on Battery Info Blocker to prevent websites from accessing your battery info.
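The following is an added example, not part of the original post and not the source of CanvasFingerprintBlock or Battery Info Blocker: a small guard in the same spirit as those extensions. It wraps the two calls a canvas or battery fingerprinting script has to make (HTMLCanvasElement.prototype.toDataURL, which reads the hidden graphic back, and navigator.getBattery), records every call together with the caller's stack trace so the responsible script can be found, and can optionally answer with a constant value instead of the real, device-specific one. The constant replacement values, and the stub objects it is exercised against outside a browser, are constructed for this demo.

```javascript
// Added example (not from the original post, not from any of the named
// extensions): a read-back guard for canvas and battery fingerprinting.

// Wrap target[name]. Every call is appended to `calls` and passed to `onCall`;
// with block=true the original is never run and `replacement` answers instead.
function guardMethod(target, name, { block = false, replacement = () => undefined, onCall = () => {} } = {}) {
  const original = target[name];
  if (typeof original !== "function") throw new TypeError(name + " is not a function");
  const calls = [];
  target[name] = function guarded(...args) {
    const record = { api: name, blocked: block, stack: new Error().stack };
    calls.push(record);
    onCall(record);
    return block ? replacement.apply(this, args) : original.apply(this, args);
  };
  return { calls, restore: () => { target[name] = original; } };
}

// The two APIs covered here. A complete blocker would also cover
// CanvasRenderingContext2D.getImageData, toBlob and the WebGL read-back calls.
const GUARDS = [
  {
    pick: (env) => env.canvasProto,
    name: "toDataURL",
    replacement: () => "data:,", // an empty image: identical for everyone
  },
  {
    pick: (env) => env.navigatorObj,
    name: "getBattery",
    // Constructed, constant battery state instead of the real one
    replacement: () => Promise.resolve({ level: 1, charging: true, chargingTime: 0, dischargingTime: Infinity }),
  },
];

// env = { canvasProto, navigatorObj }: the objects to patch (real prototypes
// in a browser, constructed stubs elsewhere). Returns one guard per API found.
function installGuards(env, { block = false, onCall } = {}) {
  const installed = [];
  for (const g of GUARDS) {
    const target = g.pick(env);
    if (target && typeof target[g.name] === "function") {
      installed.push(guardMethod(target, g.name, { block, replacement: g.replacement, onCall }));
    }
  }
  return installed;
}

// In a real page (console or content script): log every read-back with the
// caller's stack so the script responsible can be identified; switch to
// block: true to hand out constant values instead.
if (typeof HTMLCanvasElement !== "undefined" && typeof navigator !== "undefined") {
  installGuards(
    { canvasProto: HTMLCanvasElement.prototype, navigatorObj: navigator },
    { block: false, onCall: (r) => console.warn("fingerprint-relevant call:", r.api, "\n" + r.stack) }
  );
}
```

Recording first and blocking second is deliberate: run it in log-only mode on a page you suspect, look at the stack traces to see which third-party script reads the canvas or the battery, and only then decide whether that site needs blocking or the script can be dropped altogether.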

WebRTC

You should disable WebRTC if you don’t use it. WebRTC leaks your local IP address and might leak your real IP address even over a VPN (on Windows), besides being another factor used to fingerprint your system.

To avoid WebRTC leaks you should use Firefox and disable WebRTC: open about:config, find the preference media.peerconnection.enabled and set it to false.

On Chrome you can install the add-on WebRTC Block, but IP leaks might still occur.

Resource Timing

Developers can use this API to collect complete timing information for the resources of a document. Privacy concerns are expressed in the Working Draft: “Statistical fingerprinting is a privacy concern where a malicious web site may determine whether a user has visited a third-party web site by measuring the timing of cache hits and misses of resources in the third-party web site.”

If you use Firefox you can disable this API by opening about:config and setting the preferences dom.enable_resource_timing, dom.enable_user_timing and dom.performance.enable_user_timing_logging to false.

On Chrome the only way to disable it might be to disable JavaScript.

Geolocation

If enabled, it can reveal your physical location, compromising your privacy. Modern browsers always ask for permission before revealing your location to websites and apps requesting it.

To disable this feature permanently on Firefox, open about:config in the address bar, look for the geo.enabled preference and set it to false.

On Chrome go to Settings, then Show advanced settings, find the Privacy block and click Content settings; in this window look for Location and select the option Do not allow any site to track your physical location.
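As an added example (not from the original post), the five Firefox preferences named in the WebRTC, Resource Timing and Geolocation sections can be kept in a user.js file in the profile directory, which Firefox applies on start-up, instead of toggling each one by hand in about:config. The script below renders that file, parses an existing one, and reports which of the prefs are absent or set to another value, so a profile can be audited after an upgrade or a sync. The profile path, the --apply flag and the file name harden-firefox.js are assumptions of this example.

```javascript
// Added example (not from the original post): keep the about:config settings
// from the sections above in a Firefox user.js and audit an existing one.

const HARDENING_PREFS = {
  "media.peerconnection.enabled": false,               // WebRTC off: no local/VPN IP leak
  "dom.enable_resource_timing": false,                 // Resource Timing API off
  "dom.enable_user_timing": false,                     // User Timing API off
  "dom.performance.enable_user_timing_logging": false,
  "geo.enabled": false,                                // Geolocation API off
};

// One user_pref() line per preference, sorted so the output is stable.
function renderUserJs(prefs) {
  return Object.keys(prefs).sort()
    .map((k) => `user_pref(${JSON.stringify(k)}, ${JSON.stringify(prefs[k])});`)
    .join("\n") + "\n";
}

// Parse user_pref("name", value); lines (booleans, integers, JSON strings).
// Comments, blank lines and anything else are ignored.
const PREF_LINE = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\);/;
function parseUserJs(text) {
  const prefs = {};
  for (const line of text.split(/\r?\n/)) {
    const m = PREF_LINE.exec(line);
    if (m) prefs[m[1]] = JSON.parse(m[2]);
  }
  return prefs;
}

// Names in `wanted` that the existing user.js does not set to the wanted value.
function missingPrefs(existingText, wanted = HARDENING_PREFS) {
  const have = parseUserJs(existingText);
  return Object.keys(wanted).filter((k) => !(k in have) || have[k] !== wanted[k]);
}

// Usage: node harden-firefox.js --apply /path/to/profile/user.js
// Appends only the prefs that are missing or differ; because user.js is read
// top to bottom, an appended line overrides an earlier value of the same pref.
if (typeof require === "function" && typeof process !== "undefined" &&
    process.argv[2] === "--apply" && process.argv[3]) {
  const fs = require("fs");
  const file = process.argv[3];
  const existing = fs.existsSync(file) ? fs.readFileSync(file, "utf8") : "";
  const missing = missingPrefs(existing);
  const add = Object.fromEntries(missing.map((k) => [k, HARDENING_PREFS[k]]));
  const sep = existing && !existing.endsWith("\n") ? "\n" : "";
  fs.appendFileSync(file, sep + renderUserJs(add));
  console.log(`added ${missing.length} pref(s) to ${file}`);
} else {
  console.log(renderUserJs(HARDENING_PREFS));
}
```

Without --apply the script just prints the user.js content, which is enough to paste into a new profile; with it, the audit runs first so a pref you have already set is not duplicated.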

Hardware fingerprinting

A paper (PDF) titled “Hardware Fingerprinting Using HTML5” shows new potential techniques that rely on the ability to communicate with device hardware to obtain a hardware-specific fingerprint in addition to a software-based one (browser, OS, etc.).

The paper shows that hardware such as the GPU (modern browsers use hardware acceleration), camera, speakers and microphone, motion sensors, GPS and battery can all be accessed with HTML5 (not always with user permission), and that the GPU in particular can effectively be used to fingerprint users.

Links

Device fingerprinting
https://en.wikipedia.org/wiki/Device_fingerprint

What is fingerprinting?
https://trac.webkit.org/wiki/Fingerprinting

EFF: How Unique Is Your Web Browser? (PDF)
https://panopticlick.eff.org/browser-uniqueness.pdf

EFF: Panopticlick tests your browser to see how unique it is
https://panopticlick.eff.org

The Web never forgets: Persistent tracking mechanisms in the wild
https://securehomes.esat.kuleuven.be/~gacar/persistent/

A privacy analysis of the HTML5 Battery Status API
https://eprint.iacr.org/2015/616.pdf

Resource Timing API Working Draft
http://www.w3.org/TR/resource-timing

Hardware Fingerprinting Using HTML5
http://arxiv.org/abs/1503.01408

Browser leaks and web browser fingerprinting
http://browserleaks.com

Modern & flexible browser fingerprinting library
https://github.com/Valve/fingerprintjs2