security

Full Disclosure Mailing List Shutting Down

Posted on

Sadly, the last post on Full Disclosure mailing list was by John Cartwright stating that he is suspending the list indefinitely. He lists his reasons below:

Hi

When Len and I created the Full-Disclosure list way back in July 2002,
we knew that we’d have our fair share of legal troubles along the way.
We were right. To date we’ve had all sorts of requests to delete
things, requests not to delete things, and a variety of legal threats
both valid or otherwise. However, I always assumed that the turning
point would be a sweeping request for large-scale deletion of
information that some vendor or other had taken exception to.

I never imagined that request might come from a researcher within the
‘community’ itself (and I use that word loosely in modern times). But
today, having spent a fair amount of time dealing with complaints from
a particular individual (who shall remain nameless) I realised that
I’m done. The list has had its fair share of trolling, flooding,
furry porn, fake exploits and DoS attacks over the years, but none of
those things really affected the integrity of the list itself.
However, taking a virtual hatchet to the list archives on the whim of
an individual just doesn’t feel right. That ‘one of our own’ would
undermine the efforts of the last 12 years is really the straw that
broke the camel’s back.

I’m not willing to fight this fight any longer. It’s getting harder
to operate an open forum in today’s legal climate, let alone a
security-related one. There is no honour amongst hackers any more.
There is no real community. There is precious little skill. The
entire security game is becoming more and more regulated. This is all
a sign of things to come, and a reflection on the sad state of an
industry that should never have become an industry.

I’m suspending service indefinitely. Thanks for playing.

Cheers
– John

Ref: http://lists.grok.org.uk/

Lets hope this is just a haox, or maybe the list comes back in another shape or form.

Advertisements

WhatsApp is WhatSucks

Posted on Updated on

One of the most popular cross-platform mobile application used as a replacement for messaging and sharing multimedia is under scrutiny of being insecure. Yes, we are talking about none other than WhatsApp. Now we have seen previous instances of idiocy here but the victims there are mostly financial institutions and their reputation, which not a lot of people really care about.

It has been reported by Sam Granger that WhatsApp on Android uses your phone IMEI to generate its passwords:

md5(strrev(‘your-imei-goes-here’))

Then a little later it seems WhatsApp did something about it! By reading the comments section of Sam Granger’s blog it seems it no longer works. Yeah… WhatsApp actually did something about it! Great… but hold your excitement it seems that everything is not what it seems.

Recently reported by Ezio Amodio that WhatsApp on iOS is back up to their old password trickery again. This time they are using the iPhone’s MAC address to generate the password like so:

md5(AA:BB:CC:DD:EE:FFAA:BB:CC:DD:EE:FF)

Our dear friends at H-Online have verified the blog post and well just being on H-Online is something important.

So what sucks about WhatsApp ? Their security, your privacy and their embarrassment.

UPDATE
Commenter posted a link to pastebin with the most curious title Reverse Engineering: How WhatsApp (not) Securing Your Data It’s a great read and there are George Carlin references too! Can’t get better than that, cryptography, sarcasm, George Carlin and nifty rev-engineering.

Bypass Qualys and Acunetix Using GWT

Posted on Updated on

We all heard about vulnerability scanners such as Qualys and Acunetix and how they’re at the forefront of security! Right until they hit a website created using the Google Web Toolkit otherwise known as GWT.

Trying to scan a web application created using GWT with Qualys or Acunetix results in utter failure. With all the propaganda being spewed out by those companies on how advanced they are, they cannot even properly scan a GWT web app. It’s not like GWT is something special, it’s just JavaScript, Ajax, HTML5 and CSS all smashed together.

People have even raised the issue that GWT built apps are not supported by Acunetix as is shown in this issue. Poor thing has no replies and is date from last year. Yes, this is how much Acunetix cares.

Qualys has no mention on GWT support, but I can assure all that they do not have any support. Mainly because I developed a large GWT web app and we tried scanning it with Qualys and it fails numerous times. It cannot even get past the log in page. Issues were raised like months ago and it seems they’re struggling.

Why is this bad?

Well according to InfoSecurity Magazine most open-source frameworks have security vulnerabilities. Most get used in mission critical applications and the user or company may not know that vulnerabilities exists nor if new versions were released that fixed those. This being said, according to InfoSecurity Magazine Google Web Toolkit was downloaded 17.7 million times with known vulnerabilities and this was dated in April 2012. So that means GWT version 2.4.0 has the vulnerabilities and maybe people should read the changelog of release candidate 2.5.0.