NoGoolag
4.52K subscribers
13K photos
6.79K videos
582 files
14K links
Live free!

๐Ÿ“ก @NoGoolag

FAQ:
http://t.me/NoGoolag/169

โ˜…Group:
https://t.me/joinchat/nMOOE4YJPDFhZjZk

๐Ÿ“ก @Libreware

๐Ÿ“ก @TakeBackOurTech

๐ŸฆŠ @d3_works

๐Ÿ“š @SaveAlexandria

๐Ÿ’ฏ % satire OSINT
Download Telegram
The Eye on the Nile

Phishing
attack on government opponents in Egypt - with apps from the Play Store

Specialists reveal a sophisticated phishing attack in Egypt. Android apps that made it into the Play Store without catching the eye were involved.

Back in March 2019, Amnesty International published a report that uncovered a targeted attack against journalists and human rights activists in Egypt. The victims even received an e-mail from Google warning them that government-backed attackers attempted to steal their passwords. https://www.amnesty.org/en/latest/research/2019/03/phishing-attacks-using-third-party-applications-against-egyptian-civil-society-organizations/

According to the report, the attackers did not rely on traditional phishing methods or credential-stealing payloads, but rather utilized a stealthier and more efficient way of accessing the victimsโ€™ inboxes: a technique known as โ€œOAuth Phishingโ€. By abusing third-party applications for popular mailing services such as Gmail or Outlook, the attackers manipulated victims into granting them full access to their e-mails.

Recently, we were able to find previously unknown or undisclosed malicious artifacts belonging to this operation. A new website we attributed to this malicious activity revealed that the attackers are going after their prey in more than one way, and might even be hiding in plain sight: developing mobile applications to monitor their targets, and hosting them on Googleโ€™s official Play Store.

After we notified Google about the involved applications, they quickly took them off of the Play Store and banned the associated developer.

๐Ÿ‘‰๐Ÿผ Read more:
https://research.checkpoint.com/the-eye-on-the-nile/

#Egypt #pishing #attacks #research #android #apps #playstore
๐Ÿ“ก@cRyPtHoN_INFOSEC_DE
๐Ÿ“ก@cRyPtHoN_INFOSEC_EN
๐Ÿ“ก@cRyPtHoN_INFOSEC_ES
You are not anonymous on Tor - Last February, my Tor onion service came under a huge Tor-based distributed denial-of-service (DDoS) attack

I spent days analyzing the
attack, developing mitigation options, and defending my server. (The Tor service that I run for the Internet Archive was down for a few hours, but I managed to keep it up and running through most of the attack.)

While trying to find creative ways to keep the service up, I consulted a group of friends who are very active in the network incident response field. Some of these are the people who warn the world about new network attacks. Others are very experienced at tracking down denial-of-service attacks and their associated command-and-control (C&C) servers. I asked them if they could help me find the source of the attack. "Sure," they replied. They just needed my IP address.

I read off the address: "152 dot" and they repeated back "152 dot". "19 dot" "19 dot" and then they told me the rest of the network address. (I was stunned.) Tor is supposed to be anonymous. You're not supposed to know the IP address of a hidden service. But they knew. They had been watching the Tor-based DDoS. They had a list of the hidden service addresses that were being targeted by the attack. They just didn't know that this specific address was mine.

As it turns out, this is an open secret among the internet service community: You are not anonymous on Tor !!

๐Ÿ’ก Threat Modeling

There are plenty of documents that cover how Tor triple-encrypts packets, selects a route using a guard, relay, and exit, and randomizes paths to mix up the network traffic. However, few documents cover the threat model. Who can see your traffic?

๐Ÿ‘€ ๐Ÿ‘‰๐Ÿผ https://www.hackerfactor.com/blog/index.php?/archives/896-Tor-0day-Finding-IP-Addresses.html

#tor #onion #service #zeroday #DDoS #attacks #anonymous #poc #thinkabout
๐Ÿ“ก@cRyPtHoN_INFOSEC_DE
๐Ÿ“ก
@cRyPtHoN_INFOSEC_EN
๐Ÿ“ก
@BlackBox_Archiv
๐Ÿ“ก
@NoGoolag
Powerhouse VPN products can be abused for large-scale DDoS attacks

Around 1,500 Powerhouse VPN servers are exposed online and ready to be abused by DDoS groups.

Botnet operators are abusing VPN servers from VPN provider Powerhouse Management as a way to bounce and amplify junk traffic part of DDoS attacks.

This new DDoS vector has been discovered and documented by a security researcher who goes online as Phenomite, who shared his findings with ZDNet last week.

The researcher said the root cause of this new DDoS vector is a yet-to-be-identified service that runs on UDP port 20811 on Powerhouse VPN servers.

Phenomite says that attackers can ping this port with a one-byte request, and the service will often respond with packets that are up to 40 times the size of the original packet.

Since these packets are UDP-based, they can also be modified to contain an incorrect return IP address. This means that an attacker can send a single-byte UDP packet to a Powerhouse VPN server, which then amplifies it and sends it to the IP address of a victim of a DDoS attack โ€”in what security researchers call a reflected/amplified DDoS attack.

https://www.zdnet.com/article/powerhouse-vpn-products-can-be-abused-for-large-scale-ddos-attacks/

#powerhouse #vpn #abuse #ddos #attacks
๐Ÿ“ก@cRyPtHoN_INFOSEC_FR
๐Ÿ“ก
@cRyPtHoN_INFOSEC_EN
๐Ÿ“ก
@cRyPtHoN_INFOSEC_DE
๐Ÿ“ก
@BlackBox_Archiv
๐Ÿ“ก
@NoGoolag
Let's Encrypt's performance is currently degraded due to a DDoS attack

Our services' performance is currently degraded due to a Distributed Denial of Service (DDoS)
attack, which we are working to mitigate.

https://letsencrypt.status.io/pages/incident/55957a99e800baa4470002da/6044830be2838505358d3108

#letsencrypt #ddos #attacks
๐Ÿ“ก@cRyPtHoN_INFOSEC_FR
๐Ÿ“ก
@cRyPtHoN_INFOSEC_EN
๐Ÿ“ก
@cRyPtHoN_INFOSEC_DE
๐Ÿ“ก
@BlackBox_Archiv
๐Ÿ“ก
@NoGoolag
ndss2021_1C-3_23159_paper.pdf
430.5 KB
All the Numbers are US: Large-scale Abuse of Contact Discovery in Mobile Messengers

Contact discovery allows users of mobile messengers to conveniently connect with people in their address book.
In this work, we demonstrate that severe privacy issues exist in currently deployed contact discovery methods.

Our study of three popular mobile messengers (WhatsApp, Signal, and Telegram) shows that, contrary to expectations, largescale crawling attacks are (still) possible. Using an accurate database of mobile phone number prefixes and very few resources, we have queried 10 % of US mobile phone numbers for WhatsApp and 100 % for Signal. For Telegram we find that its API exposes a wide range of sensitive information, even about numbers not registered with the service.

https://www.ndss-symposium.org/wp-content/uploads/ndss2021_1C-3_23159_paper.pdf

#contact #messenger #telegram #whatsapp #signal #crawling #attacks #study #pdf
๐Ÿ“ก @nogoolag ๐Ÿ“ก @blackbox_archiv
All the Numbers are US: Large-scale Abuse of Contact Discovery in Mobile Messengers (Interesting quotes and conclusion)

๐Ÿ’ก All the Numbers are US: Large-scale Abuse of Contact Discovery in Mobile Messengers
(PDF)
https://t.me/BlackBox_Archiv/2042

Both WhatsApp and Telegram transmit the contacts of users in clear text to their servers (but encrypted during transit), where they are stored to allow the services to push updates (such as newly registered contacts) to the clients. WhatsApp stores phone numbers of its users in clear text on the server, while phone numbers not registered with WhatsApp are MD5-hashed with the country prefix prepended (according to court documents from 2014 [2]).

Signal does not store contacts on the server. Instead, each client periodically sends hashes of the phone numbers stored in the address book to the service, which matches them against the list of registered users and responds with the intersection. The different procedures illustrate a trade-off between usability and privacy: the approach of WhatsApp and Telegram can provide faster updates to the user with less communication overhead, but needs to store sensitive data on the servers.

๐Ÿ’กSignal:

Our script for Signal uses 100 accounts over 25 daysto check all 505 million mobile phone numbers in the US. Our results show that Signal currently has 2.5 million users registered in the US, of which 82.3 % have set an encrypted user name, and 47.8 % use an encrypted profile picture. We also cross-checked with WhatsApp to see if Signal users differ in their use of public profile pictures, and found that 42.3 % of Signal users are also registered on WhatsApp (cf. Tab. IV), and 46.3 % of them have a public profile picture there. While this is slightly lower than the average for WhatsApp users (49.6 %), it is not sufficient to indicate an increased privacy-awareness of Signalโ€™s users, at least for profile pictures.

๐Ÿ’กTelegram:

For Telegram we use 20 accounts running for 20 days on random US mobile phone numbers. Since Telegramโ€™s rate limits are very strict, only 100,000 numbers were checked during that time: 0.9 % of those are registered and 41.9 % have a non-zero importer_count. These numbers have a higher probability than random ones to be present on other messengers, with 20.2 % of the numbers being registered with WhatsApp and 1.1 % registered with Signal, compared to the average success rates of 9.8 % and 0.9 %, respectively. Of the discovered Telegram users, 44 % of the crawled users have at least one public profile picture, with 2 % of users having more than 10 pictures available.

๐Ÿ’ก Comparison WhatsApp | Signal | Telegram:

With its focus on privacy, Signal excels in exposing almost no information about registered users, apart from their phone number. In contrast, WhatsApp exposes profile pictures and the About text for registered numbers, and requires users to opt-out of sharing this data by changing the default settings. Our results show that only half of all US users prevent such sharing by either not uploading an image or changing the settings. Telegram behaves even worse: it allows crawling multiple images and also additional information for each user. The importer_count offered by its API even provides information about users not registered with the service. This can help attackers to acquire likely active numbers, which can be searched on other platforms.

๐Ÿ’ก Conclusion:

Mobile contact discovery is a challenging topic for privacy researchers in many aspects. In this paper, we took an attackerโ€™s perspective and scrutinized currently deployed contact discovery services of three popular mobile messengers: WhatsApp, Signal, and Telegram. We revisited known attacks and using novel techniques we quantified the efforts required for curious serv[...]

#contact #messenger #telegram #whatsapp #signal #crawling #attacks #comment #conclusion
๐Ÿ“ก @nogoolag ๐Ÿ“ก @blackbox_archiv
#Heart #attacks are caused by everything now except...