Welcome to nsane.forums
Welcome to nsane.forums, like most online communities you need to register to view parts of our community or to make contributions, but don't worry: this is a free and simple process that requires minimal information. Be a part of nsane.forums by signing in or creating an account.
- Access special members only forums
- Start new topics and reply to others
- Subscribe to topics and forums to get automatic updates
Search the Community
Showing results for tags 'mitm'.
Found 6 results
vissha posted a topic in Mobile NewsExplained — What's Up With the WhatsApp 'Backdoor' Story? Feature or Bug! What is a backdoor? By definition: "Backdoor is a feature or defect of a computer system that allows surreptitious unauthorized access to data, " either the backdoor is in encryption algorithm, a server or in an implementation, and doesn't matter whether it has previously been used or not. Yesterday, we published a story based on findings reported by security researcher Tobias Boelter that suggests WhatsApp has a backdoor that "could allow" an attacker, and of course the company itself, to intercept your encrypted communication. The story involving the world's largest secure messaging platform that has over a billion users worldwide went viral in few hours, attracting reactions from security experts, WhatsApp team, and Open Whisper Systems, who partnered with Facebook to implement end-to-end encryption in WhatsApp. Note: I would request readers to read complete article before reaching out for a conclusion. And also, suggestions and opinions are always invited What's the Issue: The vulnerability relies on the way WhatsApp behaves when an end user's encryption key changes. WhatsApp, by default, trusts new encryption key broadcasted by a contact and uses it to re-encrypt undelivered messages and send them without informing the sender of the change. In my previous article, I have elaborated this vulnerability with an easy example, so you can head on to read that article for better understanding. Facebook itself admitted to this WhatsApp issue reported by Boelter, saying that "we were previously aware of the issue and might change it in the future, but for now it's not something we're actively working on changing." What Experts argued: According to some security experts — "It's not a backdoor, rather it’s a feature to avoid unnecessarily re-verification of encryption keys upon automatic regeneration." Open Whisper Systems says — "There is no WhatsApp backdoor," "it is how cryptography works," and the MITM attack "is endemic to public key cryptography, not just WhatsApp." A spokesperson from WhatsApp, acquired by Facebook in 2014 for $16 Billion, says — "The Guardian's story on an alleged backdoor in WhatsApp is false. WhatsApp does not give governments a backdoor into its systems. WhatsApp would fight any government request to create a backdoor." What's the fact: Notably, none of the security experts or the company has denied the fact that, if required, WhatsApp, on government request, or state-sponsored hackers can intercept your chats. What all they have to say is — WhatsApp is designed to be simple, and users should not lose access to messages sent to them when their encryption key is changed. Open Whisper Systems (OWS) criticized the Guardian reporting in a blog post saying, "Even though we are the creators of the encryption protocol supposedly "backdoored" by WhatsApp, we were not asked for comment." What? "...encryption protocol supposedly "backdoored" by WhatsApp…" NO! No one has said it's an "encryption backdoor;" instead this backdoor resides in the way how end-to-end encryption has been implemented by WhatsApp, which eventually allows interception of messages without breaking the encryption. As I mentioned in my previous story, this backdoor has nothing to do with the security of Signal encryption protocol created by Open Whisper Systems. It's one of the most secure encryption protocols if implemented correctly. Then Why Signal is more Secure than WhatsApp? You might be wondering why Signal private messenger is more secure than Whatsapp, while both use the same end-to-end encryption protocol, and even recommended by the same group of security experts who are arguing — "WhatsApp has no backdoor." It's because there is always room for improvement. The signal messaging app, by default, allows a sender to verify a new key before using it. Whereas, WhatsApp, by default, automatically trusts the new key of the recipient with no notification to the sender. And even if the sender has turned on the security notifications, the app notifies the sender of the change only after the message is delivered. So, here WhatsApp chose usability over security and privacy. It’s not about 'Do We Trust WhatsApp/Facebook?': WhatsApp says it does not give governments a "backdoor" into its systems. No doubt, the company would definitely fight the government if it receives any such court orders and currently, is doing its best to protect the privacy of its one-billion-plus users. But what about state-sponsored hackers? Because, technically, there is no such 'reserved' backdoor that only the company can access. Why 'Verifying Keys' Feature Can't Protect You? WhatsApp also offers a third security layer using which you can verify the keys of other users with whom you are communicating, either by scanning a QR code or by comparing a 60-digit number. But here’s the catch: This feature ensure that no one is intercepting your messages or calls at the time you are verifying the keys, but it does not ensure that no one, in the past had intercepted or in future will intercept your encrypted communication, and there is no way, currently, that would help you identify this. WhatsApp Prevention against such MITM Attacks are Incomplete WhatsApp is already offering a "security notifications" feature that notifies users whenever a contact's security code changes, which you need to turn on manually from app settings. But this feature is not enough to protect your communication without the use of another ultimate tool, which is — Common Sense. Have you received a notification indicating that your contact's security code has changed? Instead of offering 'Security by Design,' WhatsApp wants its users to use their common sense not to communicate with the contact whose security key has been changed recently, without verifying the key manually. The fact that WhatsApp automatically changes your security key so frequently (for some reasons) that one would start ignoring such notifications, making it practically impossible for users to actively looking each time for verifying the authenticity of session keys. What WhatsApp should do? Without panicking all one-billion-plus users, WhatsApp can, at least: Stop regenerating users' encryption keys so frequently (I clearly don't know why the company does so). Give an option in the settings for privacy-conscious people, which if turned on, would not automatically trust new encryption key and send messages until manually accepted or verified by users. ...because just like others, I also hate using two apps for communicating with my friends and work colleagues i.e. Signal for privacy and WhatsApp because everyone uses it. Source
Batu69 posted a topic in Security & Privacy CenterSSL is a great way to encrypt and protect data transferred between servers or between browser and servers from any attempt to spy on the data on its way or as known as man in the middle attack, we will focus in this article on HTTPS protocol and the method to attack it and proper way to fight against this attacks. Is HTTPS that important ? first let’s declare the importance of using SSL with HTTP traffic. Imagine the next scenario. you are trying to login to your bank account with your laptop connected in your wifi and you know its secure its you and your little sister who connect in the same wifi, secure right? ? but your wifi uses weak password or vulnerable to exploits, so someone gain access to the same wifi and with a simple tool he can run a packet sniffer and catch all your and your sister’s traffic and look into your password and even change the data if he wants. Imaging the same scenario but your bank is using HTTPS, when you access the website you receive the website certificate signed and your browser validate the signature to make sure that certificate belongs to the website, then your browser encrypt all data then send the encrypted data to the server and do it vice versa, so if our attacker try to sniff the data all what he will get is the encrypted data, cool right ? Lets be honest no one is 100% secure and SSL had a tough couple of years from attacks like Heartblead, DROWN and POODLE , this attacks target the SSL it self , all what you have to do to mitigate this attacks is to be up to date always and apply vendors patches as it appears. But what about sniffing dangerous, does using HTTPS solve it? the answer is not completely, some researchers tried to sniff HTTPS packages by inventing tools like SSL sniff and SSL strip. SSL sniff :- SSL sniff is tool programmed by Moxie Marlinspike based on vulnerability he discovered, let us quickly describe it. When you request a website for example ( example.com ) as we said before you receive the example.com certificate the certificate must be issued by one of the valid vendors, so if follow certificate chain from the root certificate ( root certificate embedded in the browsers by default) to the leaf certificate ( example.com certificate) but what if leaf certificate tried to generate another certificate in the chain? lets say to website like paypal.com! the surprising thing that it worked and no one bothered himself by checking that leaf certificate generated another leaf certificate, but how attacker can use this? the website still be example.com not paypal.com, and that’s why he made SSL Sniff tool. by intercepting the traffic (man in the middle attack) you will intercept the request to paypal.com and with SSL Sniff, then you can generate the paypal.com certificate from the leaf certificate you have example.com and send it back to the browser instead of original paypal.com certificate, when the browser try to validate the certificate it will pass because the chain is correct, then any request between the browser and the server will be signed by the certificate you generate so you can decrypt the data as you want, and then re-transfer it by using the original paypal.com certificate, Boom. fortunately it had been fixed and now the leaf certificate cannot generate another certificate. SSL Strip:- Another tool by the same man Moxie Marlinspike. but in this time he came up with another trick using man in the middle, but what if he changed the request to http instead of HTTPS, and he will request the website on behalf of the user using HTTPS but between the attacker and the user its plain http, and the user will not be so suspicious to notice the difference in his browser. How to defend against this techniques ? Using HTTPS only will not solve it completely, even if you restricted the connection to HTTPS only in the server side, the attacker still can force user to use HTTP by using SSL strip and you will not notice the request still HTTPS in your end, and here HSTS header comes. HTTP Strict Transport Security (HSTS) is a web security policy mechanism it tells the browser that he must only connect to the website using secure HTTPS connection. just send header like this from your server. Strict-Transport-Security: max-age=31536000 The key is Strict-Transport-Security that tells the browser or any other agent to strict the transportation to ssl . the value is maximum age to use this header in seconds 31536000 equal to one non-leap year. Then the user agent will automatically change any url to HTTPS before it send it to the server allowing only secure connections. Bottom line , using HTTPS comes with responsibilities , you must be up to date , patch your system if any vulnerability comes up, renew your certificate on time and don’t forget to use Strict-Transport-Security Policy. Article source
vissha posted a topic in Security & Privacy CenterOne of the comments from a user of Adguard posted about supicious activity of Adguard. It may be another Superfish. The reply from Adguard Admin seems to be partially satisfactory. So, I request Nsaners and other developers to review the activity of Adguard after testing rigorously and post more information in this thread! Related links: Souce of the suspicious comment and its following replies from Site Author: Click here. Reply from Adguard Forum Admin: Click here.
Chinese online censorship body the Cyberspace Administration of China (CAC) has hit back at claims made by activists this week that the authorities allowed a Man in the Middle (MITM) attack against Outlook users in the country. CAC spokesman Jiang Jun branded the claims “groundless slander” and “unsupported speculation,” and claimed they were designed to “incite dissatisfaction and smear China's cyberspace management system,” according to state-run outlet Xinhua. He also argued that anti-censorship body Greatfire.org, which made the claims earlier this week, was run by “overseas anti-China forces.” Greatfire.org said in a blog post on Monday that it believed the CAC – which governs China’s certificate authority CCNIC – was behind the attack, which lasted for about a day and targeted mobile users of the Microsoft email system. “The authorities are most likely continuing to test their MITM technology. The authorities may also be gauging user response,” it argued. “By keeping track of how many users ignore the certificate warnings, the authorities will be able to determine the effectiveness of this type of attack.” The rights group also urged Microsoft, Apple and others to revoke trust for the CCNIC, which has been implicated in similar attacks against iCloud, Google and Yahoo users. Greatfire.org co-founder Percy Alpha responded to Beijing’s rebuttal of the claims in detail, in an email to Infosecurity. He argued that the body’s accusations weren’t “groundless” – in fact they have been confirmed by Microsoft, as other MITM “accusations” in the past have been confirmed, by Apple and others. Alpha also responded to the claims made in Xinhua that Greatfire.org’s blog post was “unsupported speculation” by pointing out that his team “provided data collected during the attack, multiple reports confirming our analysis, screenshots, independent analysis from security experts,[and] independent tests from Chinese users.” “If CAC claim they are not responsible, how could someone get into the backbone of Chinese internet and implement nation-wide attacks six times over the course of two years without being noticed?” he added. “How come related reports on MITM are censored, even those on state media People's Daily?” Greatfire.org was not founded by “anti-China forces,” incidentally a common phrase used by the authorities to undermine any criticism of Beijing. Instead, Alpha and his co-founders set up the group in 2011 to fight Chinese internet censorship, with its main role to test and report on the various measures taken by the Great Firewall to block forbidden content and monitor Chinese citizens. Alpha claimed the Chinese version of the Xinhua article further blames the group for timing its revelations to coincide with a CAC announcement that it had closed down multiple illegal websites and WeChat accounts. “How can we ‘time’ the incident while they are the attacker? Microsoft has confirmed the incident. Unless we're colluding with Microsoft, there is no way to time it,” he told Infosecurity. “The timing of closing down of WeChat accounts and websites with Outlook MITM further proves CAC are cracking down on information flow. Closing websites and Outlook MITM might even be in the same crackdown plan.” Source
SSL Eye is a unique tool that detects SSL man in the middle spying, by comparing SSL fingerprints of single or multiple sites across many remote nodes that are owned and managed by EEDS located in different countries such as Singapore, USA, and Netherlands. In order to compare the results with your own fingerprint that comes through your local ISP. Additionally the tool will tell you if the site is using Extended Validation (EV) certificates or perfect forward secrecy as the key exchange mechanism such as DHE_RSA or ECDHE_RSA which is used by google. We have also implemented global shortcut keys on the application so that you can copy a site from the browser address bar and call it for instant scan to check if you are a victim of Man in The Middle Attack (MITM). Where the attacker listens to your communication channel in a public key exchange re-sends the keys on your behalf, substituting his own fake keys for the requested one, so that the two original parties (you and your bank) will still appear to be communicating with each other. Screenshots Features Retrieve fingerprint of any given ssl url from single or multiple sites with SNI support across EEDS nodes located in Netherlans, USA and Singapore.Check if the site is using Extended Validation (EV) certificates.Check if the site is implementing perfect forward secrecy on key exchange.Export results into HTML report.Sound alerts for invalid certificates.Scan with global keys from clipboard without user interaction.Homepage: https://www.digi77.com/ssl-eye-prism-protection/ Download Link: http://www.digi77.com/software/ssleye/update/SSLEye_Setup.exe