Don’t trust Instagram on shared wireless networks

Over the last decade, wireless networks have been a prime target for hackers. The ability to sniff out traffic belonging to others, and with it any unencrypted credentials or other valuable information, is what drives them. Because of this, most popular services today, such as Twitter, Facebook and Gmail, have moved to HTTPS for all authenticated communication. Instagram, however, lags behind.

Consider who the users are

To the security minded, this may not come as much of a surprise — another social media service that fails to provide basic protection, nothing new there.

What makes this one different to me, though, is who many of the actual users of Instagram are, and where they use the service from: Kids, in schools.

Many parents allow their children to use Instagram on the condition that they protect their profiles. By protecting an Instagram profile, only those added as friends may view the owner’s profile and pictures.

Some use Instagram for the sole purpose of gaining exposure, and that’s fine. For others, though, and especially the young, this can attract attention from the wrong kind of crowd. Getting attention from people you don’t know or trust can lead to anything from a young girl getting her pictures uploaded to a pornographic site, to someone in a van pulling a young boy in through the side door.


The problem

Whenever you bring up your phone, connect it to the corporate / coffee shop / school wifi and open the Facebook app, all relevant communication with Facebook’s servers will be encrypted. Even on public and unprotected wireless networks, this means that an attacker can’t realistically decode what’s being sent and received.

With Instagram, this isn’t the case. Sure enough, editing your profile takes you through an encrypted connection, but browsing the image stream and looking through the pictures you and your friends have posted is not encrypted. This means that anyone on the same wireless network may capture this communication and steal key pieces of it. These key pieces can be used to bypass authentication and let the hacker browse Instagram through the victim’s account, on the hacker’s own computer.

Recommended action

Until Instagram makes HTTPS the default for all interaction with their servers, or at least offers it as an opt-in setting, its use should be avoided on shared wifi networks.

Using it via the mobile network, e.g. 3G/4G, is (relatively) safe, but that does come with increased costs.

Technical brief

This really is your run-of-the-mill session hijacking vulnerability, but I’ll describe it real quick for good measure.

When you open the Instagram app, a request such as the following is sent to their servers:

GET /api/v1/feed/timeline/? HTTP/1.1  
Host: instagram.com  
Accept-Encoding: gzip, deflate  
Accept: */*  
Cookie: csrftoken=[...]; ds_user=einaros; ds_user_id=[...]; sessionid=[...]; mid=[...]  
Connection: keep-alive  
Accept-Language: en  
User-Agent: Instagram 4.1.3 (iPhone3,1; iPhone OS 6_1_3; nb_NO; en-GB) AppleWebKit/420+  

Bringing these cookies into the browser and opening the same URL yields an error reading “this page could not be found”.

Looking closer at the sessionid cookie, it contains a setting which seems to indicate that the platform the session is active on is a phone. So, what happens then if you replace the User-Agent of your browser with e.g. that of an Android client?

Well, you’re allowed entry.
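As an added illustration, not code from the post: a small check that flags session cookies of the kind shown above when they cross the wire in clear text, next to the Set-Cookie form and HSTS header that keep such a cookie off an unencrypted connection. The sample request is constructed from the captured headers above (secrets redacted), the set of cookie names treated as session-bearing is my assumption, and the helper names are my own.

```javascript
// Constructed sample, modelled on the captured request above (secret values redacted).
const SAMPLE_REQUEST = [
  "GET /api/v1/feed/timeline/? HTTP/1.1",
  "Host: instagram.com",
  "Accept-Encoding: gzip, deflate",
  "Accept: */*",
  "Cookie: csrftoken=[...]; ds_user=einaros; ds_user_id=[...]; sessionid=[...]; mid=[...]",
  "Connection: keep-alive",
  "User-Agent: Instagram 4.1.3 (iPhone3,1; iPhone OS 6_1_3; nb_NO; en-GB) AppleWebKit/420+",
].join("\r\n");

// Cookies that on their own let a third party act as the user (assumption: taken
// from the request above; adjust for the service being audited).
const SESSION_COOKIE_NAMES = new Set(["sessionid", "csrftoken"]);

// Split a raw HTTP/1.1 request into its request line and a lower-cased header map.
function parseRequest(raw) {
  const [requestLine, ...rest] = raw.trim().split(/\r?\n/);
  const headers = {};
  for (const line of rest) {
    const idx = line.indexOf(":");
    if (idx < 0) continue;
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return { requestLine, headers };
}

// Cookie names in the Cookie header, in order of appearance.
function cookieNames(headers) {
  return (headers.cookie || "")
    .split(";")
    .map((part) => part.trim().split("=")[0])
    .filter((name) => name.length > 0);
}

// Session cookies that were sent in clear text; empty when the request used TLS,
// because a passive listener on the wifi cannot read them there.
function exposedSessionCookies(raw, overTls) {
  if (overTls) return [];
  const { headers } = parseRequest(raw);
  return cookieNames(headers).filter((n) => SESSION_COOKIE_NAMES.has(n));
}

// Set-Cookie value a browser only ever sends back over HTTPS and never exposes to scripts.
function secureSetCookie(name, value) {
  return `${name}=${value}; Secure; HttpOnly; SameSite=Lax; Path=/`;
}

// HSTS header: once seen, the browser upgrades http:// requests to the host before sending them.
const STRICT_TRANSPORT_SECURITY = "max-age=31536000; includeSubDomains";
```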

Local IP discovery with HTML5 WebRTC: Security and privacy risk?

With the progression of HTML5 WebRTC, browsers are getting ever closer to making pluginless video conferencing a reality. One feature of WebRTC is the ability to discover the local IP addresses of the browsing machine. Does that put us at an increased risk?

Recently I stumbled across Nathan Vander Wilt’s net.ipcalf.com. When opened from a relatively new version of Chrome or Firefox, your computer’s local IP addresses should present themselves.

I’ve coded up another example, which attempts to use WebRTC to find your local IPs, and then probe for other live hosts on your network(s).

Others will likely cover the usefulness of these APIs, so I will — for the sake of argument — comment on the tinfoilhat-y perspective. Bear with me.

Privacy concerns

I know for a fact that some people use multiple browsers on the same PC, in order to separate identities or browsing profiles. These people might browse Reddit’s cute-cat-picture-subreddits with Firefox and the programming subreddits with Chrome. From the web server’s perspective, both browsers will likely have the same public IP address, but their headers, tracking cookies and whatnot will clearly differ.


With the WebRTC local IP discovery technique, those interested in tracking you, be that ad agencies or some spy organization, will be able to make connections between browsers based on a combination of public and local IP. If they for whatever reason can tie an identity to one browser, they will probably assume that the same person is hiding behind the second one.

There’s also a risk that the local IP info can aid in identification between public IPs. Let’s say that you use some VPN service, or Tor, whenever you surf cute cat pictures, but you use the same browser. EFF’s Panopticlick tells the story of how each browser is pretty much unique, based on HTTP header fingerprinting and so forth. Add local IP addresses, or even subnets to circumvent DHCP lease times, and your browser / PC is even more unique. And by unique, I mean trackable.
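As an added example, not code from the post or from net.ipcalf.com: a privacy self-check that classifies the addresses a browser’s ICE candidates would reveal, so you can see whether your own browser still hands out RFC 1918 or link-local addresses (recent browsers replace them with mDNS names ending in .local). The candidate lines are constructed in the RFC 5245 format, selfCheck only does anything inside a browser, and the helper names are my own.

```javascript
// Private and link-local ranges whose exposure identifies your LAN, not just your ISP.
const PRIVATE_RANGES = [
  [/^10\./, "10.0.0.0/8"],
  [/^192\.168\./, "192.168.0.0/16"],
  [/^172\.(1[6-9]|2\d|3[01])\./, "172.16.0.0/12"],
  [/^169\.254\./, "169.254.0.0/16 (link-local)"],
];

// Constructed sample candidate lines: a host candidate with a LAN address, a
// server-reflexive one with the public address, and an mDNS-obfuscated host candidate.
const SAMPLE_CANDIDATES = [
  "candidate:1 1 udp 2122260223 10.0.8.13 54321 typ host generation 0",
  "candidate:2 1 udp 1686052607 203.0.113.5 54321 typ srflx raddr 10.0.8.13 rport 54321",
  "candidate:3 1 udp 2122260223 a1b2c3d4-5e6f.local 54321 typ host generation 0",
];

// Pull the connection address and candidate type out of one candidate line.
function candidateAddress(line) {
  const m = /^candidate:\S+ \d+ \S+ \d+ (\S+) \d+ typ (\S+)/.exec(line);
  return m ? { address: m[1], type: m[2] } : null;
}

// Label of the private range an address falls in, or null for public / mDNS addresses.
function privateRange(address) {
  for (const [re, label] of PRIVATE_RANGES) if (re.test(address)) return label;
  return null;
}

// Every candidate that would reveal a local address to the page that gathered it.
function exposedLocalAddresses(candidates) {
  const out = [];
  for (const line of candidates) {
    const c = candidateAddress(line);
    if (!c) continue;
    const range = privateRange(c.address);
    if (range) out.push({ address: c.address, type: c.type, range });
  }
  return out;
}

// Browser-only self-check: gathers this browser's candidates and reports the exposed ones.
// Returns false (and does nothing) outside a browser, e.g. under Node.
function selfCheck(report = console.log) {
  if (typeof RTCPeerConnection === "undefined") return false;
  const pc = new RTCPeerConnection({ iceServers: [] });
  pc.createDataChannel("selfcheck");
  pc.onicecandidate = (e) => {
    if (e.candidate) report(exposedLocalAddresses([e.candidate.candidate]));
  };
  pc.createOffer().then((offer) => pc.setLocalDescription(offer));
  return true;
}
```

Run exposedLocalAddresses on the sample to see only the 10.0.8.13 host candidate reported; the public srflx address and the .local name are not counted as a leak.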

Security concerns

Consider some evil page which, based on the local IP returned from the WebRTC technique, starts scanning devices on your LAN. Let’s say your IP is 10.0.8.13; then the evil JavaScript could start out by guessing that your router is at 10.0.8.1. Then let’s move on to assume that your router, which probably hasn’t had its firmware upgraded for a while, has some half-assed web interface which is accessible from your LAN.

The chance of this router being remotely exploitable — that is, from your public IP — isn’t huge. It has happened, but it doesn’t happen that often. The chance of there still being some obscure XSS flaw hidden in there somewhere, however, is much greater. So what if this evil page, which has now identified that your router is on 10.0.8.1 and figured out which software it runs, then goes on to exploit one of the XSS vulnerabilities — and adds some evil person as remote admin?

Now this doesn’t have to be your router. It would be fairly trivial for a JavaScript to discover which hosts are up on your local network — I’ve had great luck doing timed HTTPS requests against non-HTTPS ports on IPs to do just that. With this information, the evil page can go on to test the discovered hosts for a plethora of vulnerabilities, based on simple fingerprinting. That could do all kinds of damage.

I just put this to the test on an office network I am part of, which happens to house an old Canon printer. I’m pretty sure it predates the pyramids — but at the very least the dawn of security bugs, because it will do pretty much exactly what a rogue javascript tells it to do.

So, yeah, your printer is now part of a botnet, and is routinely DDoS-ing powerplants in Iran. Congratulations.

But what does it all mean?

So there are privacy concerns, and the feature can at least make local exploitation easier for an attacker.

On the other hand, there are bigger privacy concerns around today (yes, I’m talking to you, NSA), and from a security perspective, not yielding the IP is arguably security through obscurity.

So I’ll let you lot make up your own minds. My tinfoil hat stays on.

How to Download Talkray For PC & Mac

Hey guys, if you’re looking for the best messaging, voice and video calling app right now, then I’d urge none other than Talkray. You can get it free of charge for Android and iOS devices, and it’s getting thousands of downloads from new users on a daily basis.

You can readily get it for your Android or iOS smartphone, but to get it for PC you must go through this Talkray for PC download guide.

I’m going to first share my own experience of the application and let you know what you can do while using it. After that I’ll share the setup guide to help you with the installation.


Characteristics of Talkray

Now I’m sharing the characteristics of the app with you, which are as follows. Go through them to learn about this application.

It has a very elegant and simple user interface which will make you addicted to using it. You will learn it fast and won’t find any difficulty in using it.

You will be able to make free voice and video calls using this application to all the friends who are using it. Along with sharing photos and video files within the same conversation, you can send unlimited free text messages.

You can also send private messages which stay between you and your pals only. All of your buddies have a profile where you can find extra information and also learn about their social profiles.

Talkray for PC Download

Now I’m sharing the tutorial guide that’ll work on Windows 7/8 and Mac platforms. The guide is simple to follow, and I’m convinced that you’re going to love it and recommend it to your buddies.

In order to install this application on your computer free of charge, you need to follow the easy steps mentioned below.

  • First get BlueStacks ready on your own computer.
  • Download it from the proper official download links for Mac or Windows, and once it’s downloaded, begin its setup procedure.
  • This software is genuine, its setup is trouble-free, and it is trusted by countless users around the world.
  • Start BlueStacks on your computer and then use its search tool to find the Talkray Android app.
  • You’ll locate it once your PC is connected to the internet.
  • Once you have found the application in the search results, start its download procedure.

This is all you have to do to get this application installed. After it’s downloaded, the setup will start automatically, and then you’ll be able to find it via the My Programs section of BlueStacks.

If you run into an error during the BlueStacks installation, first update your computer’s graphics drivers to their latest versions and then retry the setup. I hope you share this Talkray for PC download guide with your friends.

How to Download Farm Story 2 For Windows Guide

The game I’m about to share with you is super popular these days and you will just adore playing it. Search for Farm Story 2 on the Google Play store, see the ratings and reviews of that game, and you’ll come to understand why it’s better. Here you’re going to find a guide that will let you download Farm Story 2 for PC.

The guide here is straightforward and I’m positive you’re going to find it trouble-free. I hope you share it with your pals.

I’m going to start by first sharing its features, so you know what you’re about to experience and can make your choice of going for it or not. Later I’ll share a simple three-step tutorial to let you do the installation at no cost.


Farm Story 2 features

You’re about to rediscover farming now and I’m confident you’ll get hooked on it. Following are its features; go through them to know more about it.

The very first top-notch feature you’ll experience is its pure High Definition graphics. The visuals are top-notch and all inspired by real farming life. Sound effects fit perfectly with every animation and are also inspired by real-life farming.

You can log in with your Facebook account, then start visiting your friends’ farms, ask for help, and even help them with your abilities and resources.

Download Farm Story 2 for PC

So you’re convinced and want to start with the installation now and play it. In order to install this Android game on your Windows computer, you have to follow the three easy steps mentioned below.

  • First download and install the BlueStacks software on your computer.
  • You can get it for free from here, and I’m confident you’re going to find the setup trouble-free.
  • You’ll locate it on the Google Play store.
  • Once you have located it in the search results, start its download process.
  • Once it’s fully downloaded, it will be installed automatically.

That is all you have to do to get this game installed on your computer, and once it’s done you’ll be able to find it via the My Apps section of BlueStacks.

I hope you found this guide simple enough to follow and that you’re going to share this download Farm Story 2 for PC tutorial with your social buddies so they can also learn about it and begin playing.

Download ooVoo For PC Free

In the age of messaging apps, the old and golden messengers are doing great. Today I’m going to share a guide with you for the ooVoo for PC download, and this tutorial is going to work readily on Windows 7/8 computers.

ooVoo, as you can anticipate, is a cross-platform and not a new messaging application. You can locate it on the iTunes App Store, the Google Play store and even on Facebook. Official PC versions of this app are also there for Windows and Mac computers, so you could call it the best alternative to Skype.


ooVoo features

If you’re looking for a perfect messenger which is also available officially for PC platforms, then I’ll advocate none other than ooVoo. I’m sharing its whole set of features, or the things it’ll allow you to do. Following are the features of the ooVoo messaging application.

Just like any other messenger, it lets you send an unlimited number of free text messages to any other user. You can send any other user files, including photos, videos or any other media file.

If your friend is not online on ooVoo, you can even send text messages to his/her phone number directly. This specific feature isn’t free, and you need to purchase credits to take advantage of it.

You are able to make unlimited free voice and video calls to other users. If the person on the other end isn’t online, you can leave a video message (maximum 5 minutes) or you can call his/her phone number. Like the previous one, this feature is a paid one.

The user interface of the whole application is simple to comprehend and elegant too. Because it’s there for smartphones and PCs, you can invite your friends easily to begin using it, and so you’ll easily find your friends using it.

It lets you do free group video chat, where you can add a maximum of 12 pals together and do video conferencing with each other remotely and jointly. This feature is free. You can set up automatic recording for all video and voice calls so that you can relive those moments later in your life.

A screen sharing feature is also supported out of the box, and it enables multiple users to watch any video or YouTube film together to get the feel of watching it together at home or in a theatre.

ooVoo for PC Download

To download ooVoo you must follow this official URL and start the download procedure. You can do the installation once the setup file is downloaded.

Setup is not difficult, and within a few minutes the app will be ready to use. You need to create your profile using your e-mail ID and phone number. That’s it!

Two weeks after Heartbleed: Stats for Norway

Since the public disclosure on April 7th, I’ve followed the development of the Heartbleed vulnerability, and especially how Norway has been affected.

Update: Charts updated April 22nd. Slight improvement for port 443 over the last 24 hours.

This work has involved regular scans of the ~16 million IP addresses allocated to Norway, and probes of a variety of ports / services throughout these subnets.

Relevant authorities have had exclusive access to the reports I’ve assembled, and I’ve published brief stats updates on Twitter. After two weeks the time seems right to publish some charts.

First off, there’s the change in vulnerable services over time. For each presented service, the total population is that which fulfills the basic premise for vulnerability: HTTPS support, SMTP with STARTTLS, etc.

[Chart 1: vulnerable services over time]

At any given moment, around 80,000 Norwegian IP addresses listen for, and respond to, HTTPS requests on port 443. On April 8th, around 24 hours after the public disclosure, ~6.8% of these were vulnerable. After 36 hours, roughly 5% were vulnerable. After a week, 2.7% were vulnerable. Today, two weeks after the disclosure, 2.5% are vulnerable.

Looking at the chart, it seems day-to-day patching came to an expected halt over Easter. The intra-day changes can just as well be attributed to services being switched off and on as to conscious upgrades.

The second chart shows a breakdown of the Server header returned by the various services listening on port 443. Curiously, “Microsoft IIS” is in the list – while not vulnerable itself. In this and other cases an intermediary in front of the server is the actually vulnerable party. The continuing presence of VPN servers is, while not surprising, more alarming.

[Chart 2: Server header breakdown for services on port 443]

I’m somewhat concerned that web servers got the principal focus, and that all other servers and devices remain overlooked by most. Similarly, there’s the risk that mostly front-facing services have been patched, and that even bigger actors have forgotten the odd back-of-the-shop device or service.

We’re now entering the long run; meaning servers and devices that weren’t dealt with in the first two weeks, are likely to stay unpatched for a long, long time. Routers, VPN concentrators, network attached storage, video conferencing equipment and even mail servers – these and many more are now at risk of being forgotten.

Please patch your servers.