Hackers Can Figure Out Your Phone's Password by the Way You Tilt the Device



We often hear news about hackers bypassing phone locks, guessing passwords etc but can you imagine that hackers can now figure out your phone's password by the way you tilt the device with an accuracy of 70% in first attempt. Shocked right ?

According to a team of cyber researchers from the British Newcastle University, it's quite easy to steal a four-digit PIN by analyzing the way you tilt your phone and the way it moves as you type.

As they were testing things out to prove this theory, they were able to crack four-digit PINs on the first guess 70% of the time. Even better, or worse, depending how you look at it, 100% of all PINs were guessed by the fifth attempt.

"Most smart phones, tablets, and other wearables are now equipped with a multitude of sensors, from the well-known GPS, camera and microphone to instruments such as the gyroscope, proximity, NFC, and rotation sensors and accelerometer. But because mobile apps and websites don't need to ask permission to access most of them, malicious programs can covertly 'listen in' on your sensor data and use it to discover a wide range of sensitive information about you such as phone call timing, physical activities and even your touch actions, PINs and passwords," explains Dr. Maryam Mehrnezhad, the lead author of the paper.



More worryingly on some browsers it is found that if you open a page on your phone or tablet which hosts one of these malicious codes and then open, for example, your online banking account without closing the previous tab, then they can spy on every personal detail you enter.

The vulnerabilities have been shared with tech companies and browser makers. Apple and Firefox have already issued patches for this issue, while Google is looking for a fix.

My Experience at Nullcon 2017


NULLCON is one of the best information security conference in India and every year everyone from the InfoSec community attends it. I have a great interest in Security and hacking ( If you follow my blog you will probably know it already ) and yes I too look forward to the conference. Every year most of my friends who are into security attend NULLCON. I failed to go last year due to my Exams and last to last year i had my class 12 boards exam.

This time I wanted to attend it . But then the task is not so easy. I visited NULLCON's website to buy a pass but the cost was too much ( at least for students ) And since I'm from Northeast India there is no direct flight to Goa ( NULLCON venue ) and if i take train then it would take almost 4 days to reach goa and my college won't allow to take leave for such a long duration. So the total cost of travel and event pass was way too much so i thought I'll have to drop this time too.

But then i got to know about Garage4Hackers community providing free passes to those who have contributed to open source community. I was not sure if i should try or not but then i thought lets give it a try. So i provided them some of my contributions in InfoSec and and work and to my surprise I got selected and got the Indian student delegate pass for nullcon and i decided that I'LL GO TO NULLCON THIS YEAR.

On 2nd march 2017 i started my journey from guwahati and reached goa via mumbai. YES FINALLY GOA. I was damn excited for the next day.

Next day I reached hotel Holiday Inn at around 9am . Kaza and his friends were waiting for me and then we entered together. WOW the place was simply awesome. We directly went to the exhibition area and visited various booths that were set up there. I finally met Rahul Sasi sir. He is a great guy. He was representing his company Cloud Sec. He gave me a hackers cheat sheet and we clicked photos. 

With Rahul Sasi



Finally met these awesome people

There were a lot of CTFs going on in the exhibition area and I took part in few. I won a power bank, Pen drive, Lots of t-shirts from these CTFs. It was a great experience. After that I met a lot of people whom i earlier met online.

Most of the talk in nullcon were great and was very informative. i attended few talk like

1. How to be successful in azure bug bounty by michael Hendrickx.
2. Drone Hijacking and other IoT hacking with GNU Radio and SDR by Arthur Garipov.
3. Hacking medical device and infrastructure by anirudh duggal.
4. 7 sins of ATM protection against logical attacks by timur yunusov.

I did not attend much talks as i was busy meeting new people, taking part in CTFs and eating. A lot of companies who are related to security came to nullcon and it was a great opportunity to know what is the latest things that are going on in security. Also I got internship offer from few of the companies that visited nullcon.

I know a lot of people online who are into security and nullcon was the best platform to meet them in person also I made lots of friends there. 

With Himanshu sharma
With the Nullcon Crew and Govt. Officials
Also I made a small video about the overall experience of Nullcon, goa and meeting friends. Do watch it.

Conclusion


It was a great experience. Many people say that we can watch the talk online too why to spend so much money going to conference? the thing is the experience that we get when we visit conferences like is something that cannot be get just by watching the talk videos. I would like to thank all the awesome people of Garage4Hackers for giving me the pass as without it I might have not been able to make it this year too. THANK YOU

How Can Games Help In Education

How Can Games Help In Education


This infographic explains how games can be important for the learning of children in the educational system. The most important thing that the infographic explains is that in our environment, children grow up using technological gadgets, and this particular thing contributes to the development of the learning process in general. That is to say, little children are more likely to learn from these latest innovations for more easily than they would learn from traditional ways. Thus the usage of games can be really helpful for children in order to learn more things in an effective manner.

There are different reasons why the games can also be used for educational purposes and you can see it all in the infographic which is compiled by Kyle Ward who works at GamePeriod. The most important benefit of using games is that children are familiar 2with these things because they start playing games even before they start school. Therefore, learning by playing games helps children, and they aren’t afraid of the novelty of the learning process itself. The other reason is that all the kids love playing games, and hate going to school – at least in the initial levels – but learning with games eliminates this hesitation to go to schools.

It is an ongoing debate that whether children love from playing games or not, and the majority seems to agree that they do. However, where people agree, they don’t know anything about the mechanisms or scientific data or facts that prove this. You can also find this scientific evidence in the infographic. A research by Paul Howard Jones is mentioned in the infographic which indicates that when children play games, the dopamine level in their brains increases and which is very fruitful for productivity and creativity. The dopamine has two specific functions: the first one is that it promotes productivity, and the second one is that it makes connections between neurons. We learn by the associative power of our memory, that is to say, we learn by making the association of new things to existing ones in our brains. Thus more the association, the more we would be able to recall and retain.

The other aspect of the introduction of gaming in the educational system is because games promote the motivational level of the children. As they play games, they are confronted with different challenges, which teach them to stand on their own. On the other hand, these games also have different problems that require some solutions; so when children come up with different solutions, in fact, they are developing their skills of problem-solving and decision making. In the expanding era of technology, games aren’t the only things that can be used. Many educational apps are also being introduced into the educational system.


How can Games help in Education Co-produced by :Game Period & Hack a Trick

Saving Google Hangout Calls on a PC with Movavi Screen Capture



Ever since Google consolidated their various messaging services and into a single platform, it has definitely proven to be a hit. Today Google Hangout boasts the ability to communicate via instant messaging, SMS, or even VoIP and video calls. Because it is so versatile, you will have the choice of being able to place calls or send messages in exactly the way that you prefer.

The only problem with Google Hangout is that any calls that you place won’t be saved. For casual conversations that may not be an issue, but if you’re conducting business calls, interviews, or important discussions then it often helps to have some record of them.

If you want to record Google Hangout sessions all you need is a screen recorder such as Movavi Screen Capture. It will enable you to record your screen, so you can capture the interview and save it on your PC as a video. To pull that off, all you need to do are follow these steps:

  1. Launch Movavi Screen Capture.
  2. Click and drag the mouse cursor to draw a frame encompassing the Google Hangout call that you want to record.
  3. Make sure both the ‘System Audio’ and ‘Microphone’ icons are highlighted and click on them once if not, so that both incoming and outgoing audio will be recorded.
  4. Click ‘REC’ as the call is about to begin to start recording after a 5 second delay.
  5. Click ‘Stop’ when the call is done, then ‘Save as’ to save it.


Make no mistake, Movavi Screen Capture will give you full control over all the recording parameters and let you set the frame rate, choose to capture keyboard and mouse actions, or even schedule the recording itself to automatically start and stop at a particular time or after a certain duration. As you save your video you will even notice a number of built-in presets that will let you optimize your video for various devices and platform.

Before saving your video, Movavi Screen Capture will let you trim out any segments that aren’t necessary, which may be helpful to get rid of footage that was inadvertently recorded at the start or end of the call. All you need to do is position the marker at the appropriate point then use the ‘scissors’ icon to split the video, then select the segment you want to remove and click the ‘trash can’ icon.

All said and done Movavi Screen Capture should let you easily record calls from Google Hangout. By doing so, you can ensure that you can keep track of your calls and save important ones for future reference.

Toka Poisa, A big security disaster ?

 

 

Disclaimer:


This is not a hacking attack. Yesterday ( 11/1/2017) government of assam launched an e-Wallet, Tokapoisa.in, to enable the people of the state for hassle-free online transactions in local language.

I have found a serious security flaw in it yesterday itself ,which could be used to completely take over anyone's account. I reported it to Amtron through Special Branch of Police,  Assam as the email id that was mentioned in the official website ( http://tokapoisa.in/ ) was not working and i also tried to contact amtron from the email id that was provided in amtron's official website ( http://amtron.in/ ) which too was surprising not working. 

The flaw is fixed now . Since the flaw is fixed I'm making a public disclosure here so that others in the community can learn from it . This is ethical hacking ( healthy and legal ). Please do not misunderstand it to be hacking attack. 




On 11th January 2017, Assam Government launched an e-wallet Tokapoisa.in, to enable the people of the state for hassle-free online transactions in local language. The e-wallet is a joint venture developed by State's Assam Electronics Development Corporation Limited ( Amtron ), and ICICI Bank. Soon many news portals covered the news . So as a security researcher I too was curious to see how this platform works.

Since it involves money transaction I was sure that it will be secured one but i was mistaken. The security level of the platform was too poor. Anyone with a little knowledge of hacking could easily bypass its security features and misuse it. Such flaws can be considered if the app is in testing phase but the app was launched and made public which clearly indicates that they failed to recognise such basic flaws during their testing phase !

So here are the flaws : 


( I have reported the flaws and it has been fixed today )

Flaw 1 ( Serious )


Flaw name : Bypass OTP Verification while sign in

The best thing about the site is that there is no password verification, user needs to enter their phone number and an OTP is sent to their phone and once they enter the OTP, user can sign in.

Only one level of authentication is used which is OTP. So if an attacker bypass the otp he can have access to anyone's wallet and misuse it. Once he is inside , he can make payments , steal money etc.
While registering it does not ask the user to verify, which means an attacker can register anyone's number.

Now let us assume that an user have already created an account ,then an  attacker can  login to a specific user's account to make payments on his behalf or steal money etc.

Here is the Proof of concept 




This was possible because there is no limit set for the number of times an attacker can enter invalid otp due to which an attacker can easily brute force it and get full access to anyone's account and money.


Flaw 2 ( low impact )


Flaw name : Directory listing

There was a directory listing flaw in the website by which an attacker can see all the files that are in the directory . this flaw can be used to know about files that are inside the directory even if they are not mentioned anywhere in the site. So it gives a good idea about all the files that are hosted in the directory.



Flaw 3 ( medium)


There is no SSl certificates in the site. The site deals with money and transaction and yet it runs on http and not https. SSL Certificates provide secure, encrypted communications between a website and an internet browser. SSL stands for Secure Sockets Layer, the protocol which provides the encryption. SSL Certificates are typically installed on pages that require end-users to submit sensitive information over the internet like credit card details or passwords. But here in tokapoisa site there is no SSL which means that the connection is not secured and is unencrypted and anyone can perform a man in the middle attack and get sensitive information from it.  This is the first website i have seen which deals with money and dont have a SSL certificate.

Miscellaneous


Tokapoisa have launched an Android app which is not exactly an app because it is just an web viewer which displays the site. there is nothing special in the android app. When you open the app it just shows you the webpage thats all, which means anyone can create the exact same app. This can be dangerous because they have not yet launched it in any app store so if an attacker creates an app which displays the website inside the app no one can differentiate it with the original one and the attacker can take this advantage and add malicious codes in his version.


When I Found the flaw I first prepared a report on it and mailed it to the email ID that was provided in the tokapoisa website ( appsupport@amtron.in ) but the delivery failed as they have not configured the mail service.

Then I mailed it to the General Manager of Amtron (



30.94 million ( population of assam - 2012 ) could be at risk .

So I did my bit to secure the platform. Hope it benifits the people of assam.

Security Risk of Cashless Economy in India



8th November,2016 was a great date for the entire world. On the one hand, Us election results were announced and on the other hand Prime Minister of India, Shri Narendra Modi Announced Demonetization in the country ( India ). If you are not from India, you might be thinking what do I mean by it. Well on 8th November the prime minister of the country Announced that from 9th November Rs 500 and Rs 1000 notes will no longer be used as legal tender and all the citizens needs to deposit it in their bank. Soon after the announcement, there was a big rush in banks as  Millions of people went to Exchange Old Currency Notes.

Long queue in banks


But soon after the announcement the government of India started setting up various rules. One of the major rule was that the citizen could only withdraw Rs 2000 per day. This became a huge problem as Rs 2000 is not enough and also as everyone was depositing their money there was a scarcity of physical notes. Government launched rs 2000 notes but since no one had change so it was almost useless at that time.

The Solution ?


Many started using online transactions as there were no restrictions in it. many people started using Third party apps like PayTm and Mobiwik etc to make payments. Over the past week, digital payments have hit record transactions: PayTM said there was a 200 per cent increase in its mobile application downloads and a 250 per cent increase in overall transactions; MobiKwik said its user traffic and merchant queries increased by 200 per cent within a few days of the government’s announcement. Companies such as Oxigen and PayU have also seen a rise in their service usage.


Demonetization came as a good news for these apps. Soon after few days of Demonetization, Paytm went to almost all the shops and local business firms and made them join Paytm by which they can take money from customers via the app.

Now Even the government is focusing on cashless economy. Many banks have already come up with their apps by which customers can make transactions. here in India everyday we can see ads by government where they ask people to use these app based service so that the country can go full cashless.

But is this a good step ?

Well I don't know at this point of time how successful or useful it will be but are we ready for a full cashless economy here in India ?

Lets see the security aspect of cashless economy.

The Risk.


The first ATM in India was setup In the year 1987 but still most of the people don't know to use it due to which we see a lot of fraud done in ATMs.  The weakest security link in any transaction is not the technology system, but the user, and their lack of understanding of security issues. To get a sense of this, to withdraw money from ATM’s, some people were giving others their card and PIN numbers. 

Now imagine if we ask those people to switch to these mobile based apps all in just 1-2 months how will they do it ? Now since their is a limit in cash withdraw, people are forced to use these apps .

One of the biggest financial data breaches in India, exposed in late October, had compromised the financial data of over three million users and victimized major banking companies. The breach occurred when a network of Hitachi ATMs infected with malware enabled hackers to steal users’ login credentials and make illegal transactions. Following this, companies issued new cards and asked customers to limit their ATM usage to those operated by their banks. However, a few weeks after the breach, the demonetization announcement pushed people to do just the opposite — rush to withdraw money from just any functioning ATM. Till date, there has been no communication from banks or the Reserve Bank of India assuring the public that the infected ATMs have been taken out of service or fixed to prevent further breaches.

Now since all are new to this mobile transactions and use of apps, it have become easy for hackers and fraudsters to fool these people and take away their money . I'll give you a small example here.

One of the fast food joint near my home have started accepting PayTm payments. Earlier he use to take only cash but now he accepts paytm payments too. But here is the risk. He is not much educated and he don't know much about security. Now if a fraudster calls him up and says that he is from PayTm and say him to transfer 20% of his money to that number else his account will get deleted. I'm 100% sure that he will do it.

This is the problem that we are facing right now. People of the country lacks awareness. We must first aware them about how to use it, what are the risk only then we can start using it.


These are the Physical risk. Now lets come to technical risk.

Now since everyone is dependent on these app based payment systems, it has become a prime target of hackers. One flaw in these apps and all our money is gone. Also since users are now aware it become very easy to hack them.

Last year Popular Bollywood singer papon mahanta's Official Facebook page was hacked and i helped him get back the page. While working on it I got to know that the hacker actually sent him a phishing page and his social media manager thought it was a legitimate one and gave away his login details. 


Now think if his social media manager who deals with online stuffs most of the time failed to recognize it was a phishing page then how can you expect a normal guy to distinguish between a normal login page of these money based apps and phishing page ?

Also Recently we have seen in that a hacker group called "Legion" is hacking into all high profile people like Rahul Gandhi ( Vice-President of the Indian National Congress party ), Indian National Congress, Barkha Dutt ( Indian television journalist ), Ravish Kumar ( Indian television journalist ) etc. In one of their interview they have said that Indian banking systems can be easily hacked. So how can we be sure that the apps that all the banks launched in the last 1 month are secure. How safe are our money ?

Conclusion


Demonetization is a good step by the government but I think this is not the right time to go cashless. today we use apps likes Ola and Uber because we like it and not because we are forced to use it. Right now people are using these payment apps because they don't have any other choice.  I think Government should focus on how they can aware  people on how to use it, its security and benefits etc and let the people them self decide if they want to go cashless or not.