Here I am going to share a few articles I had written for a local magazine of my college. Couldn't get hold of the one published last year though... Here we go.
Risks of Automated Algorithms
23rd April, 2013. It was a fine day when The Associated Press –one of the leading journalism houses in USA- posted a tweet. It claimed that two explosions had rocked the white house and that Barack Obama was injured. The next thing you know, the Stock Market had crashed! Dow Jones Average slipped by 143 points. One of the biggest downfall we had seen after the great economic crisis of 2008. Obviously the twitter account of the Associated Press was hacked, but it sent down impulses of serious questions in the spine of community.The reason for this was computerized stock trading algorithms. Thomas Peterffy, a Hungarian Immigrant and Entrepreneur had revolutionized trading of securities in stock markets by introducing computerized trading back in 1980’s. Fast forward, the wave of social media in 21st century. Stock market traders were analyzing constant input from social networking sites and news websites to predict the market behavior and make their bids accordingly. Shortcomings of this practice came into focus in 2010 when one fine day, there was a similar heavy crash in the market. This incident is popularly known as the Flash Crash of 2010. The reasons were partially attributed to the algorithmic glitch present in the software of Thomson Reuters – a leading provider of such software.In the incident of 2013, the Associated Press was quick to acknowledge about the fake tweet and compromise of their account. A group of criminal hackers going by the name ‘Syrian Electronic Army’ accepted the responsibility for this hack. They are already notorious for their hacks on BBC Weather (posted about possible tsunami in UK), National Public Radio and CBS news. They claimed that the hacking attack was executed through sophisticated Phishing attempts on AP’s employees’ accounts. Such hacks on news websites are common these days. Another group of hackers had managed to get access to The New York Times website and posted an article showing support for Wikileaks. Thomas Reuters’ website was also compromised and interviews of Free Syrian Army movement leader were posted. It turned out that they were using an old version of WordPress, popular blogging software.Direct or Indirect hacking attacks on critical infrastructure like stock markets and power grid are on the rise. With our increasing dependence and reliance on technology, there is greater scope for these kinds of attacks to happen again. Indiatimes reported that half of the world’s stock markets faced hacking attacks last year. 90% of stock markets perceive this to be a critical systemic risk. As it is evident from the above incident, it is relatively easy to manipulate the current system. Even though hacking attacks happened till now have been benign in nature, there is possibility of more intense attacks which can cause losses to the nation as a whole and put their reputation on stake. India stands at even higher risk. On the brighter side, the government is proactively involved in beefing up the security infrastructure. We will need thousands of programmers, security professionals and ethical hackers to take up the challenge of combating these threats.
Whatsapp Security
(this is just a cut down version of a post I made earlier)WhatsApp is something you probably use right now ,or have atleast heard of. It is a cross platform IM application for smartphones that handles a few billion messages every day. That is approximately more than 50,000 messages sent every second. However, it comes packed with its own set of drawbacks, being criticized for its security issues, mainly cryptographic standards and the way it handles users’ personal data.
Like most of the popular IM clients, such as YAHOO! and Gtalk , WhatsApp implements a modified version of XMPP i.e. eXtensible Messaging and Presence Protocol. On installing this app, it creates the user’s account on WhatsApp’s server. Its username, or technically known as ‘Jabber ID’ is concatenation of the user’s country code and their mobile number.
An interesting fact about its password generation is its usage of the phone’s IMEI number or MAC address. For android devices, the password is md5 hash of the phone IMEI no. reversed.
Password: md5(strrev($imei))
For iOS, the password is md5 hash of the device’s Wireless Interface card’s MAC address, written twice. Mac address is concatenated with itself and its md5 is found out.
Password: md5(mac+mac)
As WhatsApp claims, no messages are stored on their servers once they are delivered to the recipient. For sending of multimedia like audio, video or images, the data is first uploaded to their HTTP server. A link to the uploaded file is sent to the recipient’s phone along with thumbnail file, if required.
Until recently, messages were being sent in clear text. Anyone using the same WiFi network could sniff the packets and read messages. This gave attackers ability to launch a session hijacking attack. However, currently messages are being sent encrypted for iOS and Android. The encryption algorithm it uses has been reverse engineered, especially for iOS devices. Overall verdict is that the current encryption mechanisms used does not follow normal standards.
As it uses phone’s IMEI number or MAC address as its password, someone in physical contact with the phone can easily access it. Someone sharing the same WiFi network can easily find out the MAC address of iOS device with sniffing. All an attacker has to know is the victim’s mobile number and the phone’s MAC or IMEI to enter into a script. Then they can send and receive messages from the compromised account.
Its API, reverse engineered by an open source project called ‘WhatsAPI’, is coded in both PHP and Python and can be integrated with web apps. It can be used to send WhatsApp messages to any number supporting it. This app uploads your contacts to their server to see which of them are registered on WhatsApp. This is carried out in an insecure environment. The mobile numbers of your contacts are sent as an array through the HTTP request parameter.
The verdict is, WhatsApp has to work on its security but with the recent updates, they have made reasonable improvements in this aspect. We hope that they come up with a better alternative to current passwords and cryptography implementation to increase reputability with the security community.
Vipul Chaskar
Pune Institute of Computer Technology
Information Technology