Latest Event Updates

WhatsApp ? WhatsCryptography? WhatsEncryption? Answer is: I don’t know

Posted on

And it happens again to WhatsApp, being further embarrassed by researchers showing that they do not know how to implement encryption correctly. Recently Help-Net Security published an article about a Dutch Computer Science and Mathematics student (Thijs Alkemade) at Utrecht University has discovered how WhatsApp encrypts and authenticats its messages.

we know that not only does WhatsApp use the same (RC4) encryption key for the messages in both directions, but also the same HMAC key to authenticate messages.

The main problem being:

“But a MAC by itself is not enough to detect all forms of tampering: an attacker could drop specific messages, swap them or even transmit them back to the sender,”

But also points out that there is a simple solution which is using TLS. So in conclusion

  • All WhatsApp users are still not safe
  • Your messages can be sniffed out
  • Your message can be decrypted
  • Your only protection is to stop using WhatsApp
  • Wait for WhatsApp to learn how Encryption works so they can implement it correctly

I’ll end this post with a quote from Thijs Alkemade:

“solution that has been reviewed, updated and fixed for more than 15 years, like TLS.”

Advertisements

Java: ISO-3166 Java Enum

Posted on Updated on

Having worked software development in a bank before I know how important it is to work with proper data structures and enumerations.

I had a program I needed to write where I had to utilize ISO country codes and there was a lot of interoperability work that needed to be done. So I tried looking for some basic library that had the standard ISO-3166 country codes. Couldn’t find any. I really just needed something I could look up a country code quickly and get its description. Like saving “SLV” or “222” as a key in a database for El Salvador’s currency. Then I can retrieve it and do a look up on a table to get the country name. Or even vice-versa.

Read the rest of this entry »

DropBox Cracked

Posted on Updated on

Recently published on the SD Times (Software Development Times) is an article of how and who cracked the DropBox obfuscated python app. Two developers Dhiru Kholia and Przemyslaw Wegrzyn successfully reverse engineered DropBox’s heavily obfuscated python app. And we got an early Christmas gift too, they documented the entire procedure, step-by-step, so that we can do it too!

They claim to have used standard existing reverse engineering practices and invented new methods (also documented in their PDF paper). It seems that no one is cutting DropBox any slack, with their 2 factor authentication being bypassed (discovered by security researcher and personal friend of mine Zouheir Abdallah) and now the internals of their application is exposed. New techniques of account hi-jacking and SSL snooping are being developed to invade the privacy of users.

Lessons learned? Obfuscation is not real protection.

PGP Cryptography With The Legion of the Bouncy Castle – Part 4

Posted on

Before starting I would like to thank all the people who have viewed my posts on using Bouncy Castle. I have been monitoring the hits on my blog and I’ve noticed that my series on encryption with Bouncy Castle has been getting a lot of attention. I did promise to make Part 4 about encrypting and signing a single file all in one, but from lack of time I do not think it will make it to Part 4.

One of the main reasons is that Bouncy Castle is largely undocumented and what little documentation there exists on the net is not enough. The way I have created my posts where by reading the unit test cases from the Bouncy Castle source package and doing some trial and error and testing with PGP Desktop and GPG. So there isn’t enough time for me to continue to do that. So for Part 4 I have decided to show how we add Bouncy Castle support to Android!

Read the rest of this entry »

Zaid Rabab’a Biggest Plagiarizer on Bayt.com

Posted on

So I have an account on Bayt.com which claims to be

the leading job site in the Gulf and Middle East, connecting job seekers with employers looking to hire. Every day, thousands of new job vacancies are listed on the award-winning platform from the region’s top employers.

Rightfully so, it has a large database of job listing and some nice and useful statistics that you can browse through. So when I log in they recommend me to go to their “specialties” page where people get to ask questions and give answers. Also people’s questions and answers can be given ratings, kind of similar to how stackoverflow works. So then I see this guy who goes by the name of “Zaid Rabab’a” who seems to answer a lot of people’s questions. Like a wide variety of questions too. I thought it was kind of odd, I always do; I am very cynical.

So I did something quite silly, I selected the text of his answer and pasted it into google. Boom! I found a website with the exact same answer. Weird… it’s like they both came up with exactly the same words, punctuations, slang and terminology for the same answer whose question was asked months maybe years apart. That or he just plain out copied someone else’s answer.

I felt annoyed at first and then I felt sad. I reviewed a list of this guy’s answers to questions and they’re all (90%) copy/pasted or just outright plagiarized from other websites. I compiled a list of the page where he answers and the corresponding website where the answer has been copied from. I could have gotten more but it was just getting too sad for me.

Zaid Rabab’a Answer: http://www.bayt.com/en/specialties/question/1124/?feed=answers
Plagiarized from: http://stackoverflow.com/questions/10558465/memcache-vs-redis

Zaid Rabab’a Answer: http://www.bayt.com/en/specialties/question/1109/?feed=answers
Plagiarized from: http://php.net/manual/en/function.htmlspecialchars.php

Zaid Rabab’a Answer: http://www.bayt.com/en/specialties/question/716/?feed=answers
Plagiarized from: http://www.dotnetfunda.com/interview/exam2575-what-is-the-difference-between-custommasterurl-masterurl.aspx

Zaid Rabab’a Answer: http://www.bayt.com/en/specialties/question/1038/?feed=answers
Plagiarized from: http://javarevisited.blogspot.com/2010/10/why-string-is-immutable-in-java.html

Zaid Rabab’a Answer: http://www.bayt.com/en/specialties/question/1022/?feed=answers
Plagiarized from: http://stackoverflow.com/questions/8964523/how-do-i-protect-my-website-from-sql-injections

Zaid Rabab’a Answer: http://www.bayt.com/en/specialties/question/686/?feed=answers
Plagiarized from: https://en.wikipedia.org/wiki/Connection_string

Zaid Rabab’a Answer: http://www.bayt.com/en/specialties/question/999/?feed=answers
Plagiarized from: http://www.coolinterview.com/interview/44235/
http://techpreparation.com/php-interview-questions-answers1.htm

Zaid Rabab’a Answer: http://www.bayt.com/en/specialties/question/998/?feed=answers
Plagiarized from: http://www.w3schools.in/php-tutorial/interview-questions/

Zaid Rabab’a Answer: http://www.bayt.com/en/specialties/question/997/?feed=answers
Plagiarized from: http://dev.fyicenter.com/faq/php/Get-Uploaded-File-Information.html

Zaid Rabab’a Answer: http://www.bayt.com/en/specialties/question/996/?feed=answers
Plagiarized from: http://www.netsqlinterviewquestions.com/Php_Interview_Questions/364_what-is-meant-by-urlencode-and-urldecode.aspx?TopicID=21

Zaid Rabab’a Answer: http://www.bayt.com/en/specialties/question/961/?feed=answers
Plagiarized from: http://programmers.stackexchange.com/questions/186324/which-http-status-codes-are-really-ok

Zaid Rabab’a Answer: http://www.bayt.com/en/specialties/question/937/?feed=answers
Plagiarized from: http://www.c-sharpcorner.com/Interviews/answer/5653/what-is-use-of-app_code-folder-in-Asp-Net-application

Zaid Rabab’a Answer: http://www.bayt.com/en/specialties/question/151/?feed=answers
Plagiarized from: https://httpd.apache.org/docs/2.2/mod/worker.html

I sent bayt.com some feedback on this just to realize the person in question works for bayt.com hahaha (would not be surprised if those links mysteriously disappear too). Seriously, I would not hire or work with such a person who inflates their status in such a way and does not give credit where its due.

Java: Calculate Distance Between 2 Points on Earth

Posted on

Find the distance between 2 longitude/latitude points on earth must have been the one thing I thought was everywhere on the web. And it is! Only problem is that most of the libraries and code I would find were in JavaScript. This is OK if you develop in JavaScript or even in GWT.

What about Java?

Yes, for those of us developers who need to code such functions in Java I found it quite difficult to find a ready made library that would give me the distance between 2 longitude/latitude points. This is in fact very essential because one of the main ideas behind having GeoLocation support in your applications and/or server back-end is to tell someone how close everything is to them. You get the geographical coordinates of your user and you send it to a server. The server calculates the distance between that user and all burger joints within a 5 km radius, thus giving your user a list of delectable places close to them where they can go and eat.

After a long search on the Internet I came across 2 options.

  1. Read and learn how to calculate the distance my self from this really nice paper called "Finding Points Within a Distance of a Latitude/Longitude Using Bounding Coordinates"
  2. Use the source readily available from GeoDataSource

Guess which one I took ? 🙂 Option 2 of course. Though I did read through the paper and found it interesting. At least I know how, but I am not in that much of a mood to sit down with mathematical equations on one hand and a compiler on the other hand all night. The second option, which was kinda weird because the "Sample Code" is provided and it calculates distance nicely. I see only one trademark and a copyright notice with no specified license. They talk about buying GeoDataSource products, but I doubt that "Sample Code" is the product in question. After all, it is just "Sample Code". I think they sell you a database of geographical coordinates and give you that "Sample Code" on how you would use their data.

Great! Now that I convinced my self that the "Sample Code" is not the actual product, I start to use it. I may say that is works very well. It could use a bit more documentation so I am going to reproduce the "Sample Code" here with my added extra documentation.

In a nut shell, you would call the method distance(double lat1, double lon1, double lat2, double lon2, char unit) like so

double lat1 = getMyLatitude();
double lon1 = getMyLongitude();
double lat2 = getHisLatitude();
double lon2 = getHisLongitude();
double distance = distance(lat1, lon1, lat2, lon2, 'K');
System.out.println("Distance between me and him is "+distance+" km");

The API method as I have documented them. You can also view the original at GeoDataSource

	/**
	 * <p>This routine calculates the distance between two points (given the
	 * latitude/longitude of those points). It is being used to calculate
	 * the distance between two locations.</p>
	 * 
	 * <p>Definitions: South latitudes are negative, east longitudes are positive</p>
	 * 
	 * <p>Passed to function:
	 * <ul>
	 * 		<li>lat1, lon1 = Latitude and Longitude of point 1 (in decimal degrees)</li>
	 * 		<li>lat2, lon2 = Latitude and Longitude of point 2 (in decimal degrees)</li>
	 * 		<li>unit = the unit you desire for results
	 * 			<ul>
	 * 				<li>where: 'M' is statute miles</li>
	 * 				<li>'K' is kilometers (default) </li>
	 * 				<li>'N' is nautical miles</li>
	 * 			</ul>
	 * 		</li>
	 * </ul>
	 * Worldwide cities and other features databases with latitude longitude
	 * are available at http://www.geodatasource.com</p>
	 * 
	 * <p>For enquiries, please contact sales@geodatasource.com</p>
	 * <p>Official Web site: http://www.geodatasource.com</p>
	 * <p>GeoDataSource.com (C) All Rights Reserved 2013</p>
	 * 
	 * 
	 * @param lat1 - latitude point 1
	 * @param lon1 - longitude point 1
	 * @param lat2 - latitude point 2
	 * @param lon2 - longitude point 2
	 * @param unit - unit of measure (M, K, N)
	 * @return the distance between the two points
	 */
	public static final double distance(double lat1, double lon1, double lat2, double lon2, char unit)
	{
		double theta = lon1 - lon2;
		double dist = Math.sin(deg2rad(lat1)) * Math.sin(deg2rad(lat2)) + Math.cos(deg2rad(lat1)) * Math.cos(deg2rad(lat2)) * Math.cos(deg2rad(theta));
		dist = Math.acos(dist);
		dist = rad2deg(dist);
		dist = dist * 60 * 1.1515;
		
		if (unit == 'K') {
			dist = dist * 1.609344;
		}
		else if (unit == 'N') {
			dist = dist * 0.8684;
		}
		
		return (dist);
	}

	/**
	 * <p>This function converts decimal degrees to radians.</p>
	 * 
	 * @param deg - the decimal to convert to radians
	 * @return the decimal converted to radians
	 */
	private static final double deg2rad(double deg)
	{
		return (deg * Math.PI / 180.0);
	}

	/**
	 * <p>This function converts radians to decimal degrees.</p>
	 * 
	 * @param rad - the radian to convert
	 * @return the radian converted to decimal degrees
	 */
	private static final double rad2deg(double rad)
	{
		return (rad * 180 / Math.PI);
	}

Root Exploit on Samsung Devices Using Exynos Chips

Posted on Updated on

A root exploit has been discovered on the XDA-Developers forum by member alephzain. They state that this exploit works without having to flash the ROM using ODIN.

alephzain explains that the Exynos device file in the kernel /dev/exynos-mem allows read/write permissions to all users. Many have suggested that a simple fix would be to change the permissions to chmod value 0660 or 0600. Though forum member AndreiLux suggest that this may disrupt camera services on the device and a better solution involving “limit[ing] the access to the DMA memory spaces”

Then …. yes, 🙂 a point and click exploit APK program has been made to allow users to run the exploit and obtain super user privileges. It also allows you to patch the exploit and un-patch it as well. The APK file has been posted on the XDA-Developers thread, authored by Chainfire.

On a side note, the name “alephzain” kind of translates to “thousand good” or “a thousand good things” 🙂

** EDIT **
Just used Chainfire’s exploit APP. Works like a charm on my Samsung Galaxy S3! Now I can use the firewall to block apps from getting ads.