Information Security News
Most of the time we care about and focus on external threats, looking for actors that may attack us via phishing emails, vulnerable web services, misconfigured network devices, and so on.
However, sometimes the threat comes from the inside. It is not so uncommon for disloyal or disgruntled employees to exfiltrate information from the company (e.g. intellectual property to competitors, confidential information to the press). In such situations, a full forensic analysis of the employee's devices (workstation, mobile, etc.) is required to understand what happened and to build a comprehensive timeline of the events.
On iOS, the application-group containers in which apps such as WhatsApp keep their shared data are located under /private/var/mobile/Containers/Shared/AppGroup/
Another piece of background information to keep in mind is the fade-out effect on iOS. Every time a user presses the Home button or receives a call while using an application, iOS takes a snapshot of the screen.
WhatsApp
iLab1:/private/var/mobile/Containers/Shared/AppGroup root# tree 332A098D-368C-4378-A503-91BF33284D4B
The key file is ChatStorage.sqlite, which holds the actual content of the messages exchanged. Among the tables of interest, one of the most important is ZWAMESSAGE, which contains, among other things, the messages exchanged, their timestamps and the name of the user involved in the chat. Other tables worth analysing are ZWACHATSESSION, ZWAGROUPMEMBER, ZWAGROUPINFO and ZWAMEDIAITEM; the last one stores references to the multimedia files exchanged, an indication of the users involved, timestamps, and the path where each file has been stored.
As also recently mentioned by J. Zdziarski on his blog, an interesting feature of WhatsApp is that deleted chats are not actually deleted from the database. This is because when a SQLite record is deleted, for performance reasons it is not wiped or purged from the database file immediately: the space is only marked as free and is overwritten later, when that storage space is needed again. Therefore, by simply using a tool like SQLite-parser, you can quickly carve deleted records out of your WhatsApp chat database.
As a matter of fact, you will find this behaviour in most applications that use SQLite databases, since most of them do not handle this aspect properly.
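To make the behaviour concrete, the following is an added Python example (it is not part of the ISC diary and does not use WhatsApp's real ZWAMESSAGE schema): it builds a small, constructed chat database, deletes one message, and then carves printable strings straight out of the raw file, ignoring the SQL layer. With SQLite's usual default of secure_delete=OFF the deleted message body is still sitting in the freed cell; with PRAGMA secure_delete=ON the freed bytes are zeroed at delete time, which is the fix an application developer would apply. The table name, senders and message texts are constructed for the demo.

```python
import os
import re
import sqlite3
import tempfile

# Constructed sample schema, loosely modelled on a chat table. It is NOT
# WhatsApp's real ZWAMESSAGE layout; the messages below are made up.
SCHEMA = "CREATE TABLE message (id INTEGER PRIMARY KEY, sender TEXT, body TEXT)"
MESSAGES = [
    ("alice", "Lunch at noon?"),
    ("bob", "sending the design docs to my personal mail tonight"),
    ("alice", "See you then"),
]
DELETED_SENDER = "bob"


def build_chat_db(path, secure_delete):
    """Create the database, insert the constructed messages, then delete bob's
    message. secure_delete drives PRAGMA secure_delete: when ON, SQLite
    overwrites the freed cell bytes with zeros instead of leaving them in place."""
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA secure_delete=%s" % ("ON" if secure_delete else "OFF"))
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO message(sender, body) VALUES (?, ?)", MESSAGES)
    conn.commit()
    conn.execute("DELETE FROM message WHERE sender = ?", (DELETED_SENDER,))
    conn.commit()
    conn.close()


def live_rows(path):
    """What the application, or any SQL query, still sees after the delete."""
    conn = sqlite3.connect(path)
    rows = conn.execute("SELECT sender, body FROM message ORDER BY id").fetchall()
    conn.close()
    return rows


def carve_strings(path, min_len=12):
    """Naive carver: every run of printable ASCII of at least min_len bytes in
    the raw file. Deleted cells that were merely marked free still show up."""
    with open(path, "rb") as f:
        raw = f.read()
    pattern = rb"[ -~]{%d,}" % min_len
    return [m.group(0).decode("ascii") for m in re.finditer(pattern, raw)]


def deleted_message_recoverable(secure_delete):
    """Build a throwaway database and report whether the deleted message body
    can still be carved from the file bytes.
    Returns (live_rows, carved_strings, deleted_body_found)."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "ChatStorage.sqlite")  # name chosen to mirror the diary
    try:
        build_chat_db(path, secure_delete)
        rows = live_rows(path)
        carved = carve_strings(path)
        deleted_body = next(b for s, b in MESSAGES if s == DELETED_SENDER)
        found = any(deleted_body in s for s in carved)
        return rows, carved, found
    finally:
        # Remove the database and any journal SQLite may have left behind.
        for name in os.listdir(tmpdir):
            os.remove(os.path.join(tmpdir, name))
        os.rmdir(tmpdir)


if __name__ == "__main__":
    for flag in (False, True):
        rows, carved, found = deleted_message_recoverable(flag)
        print("secure_delete=%s: live rows=%d, deleted body carved from file=%s"
              % ("ON" if flag else "OFF", len(rows), found))
```

The SQL view is identical in both runs (two live rows from alice); only the raw-file carve differs. A real carver such as SQLite-parser walks the page freeblocks and unallocated space rather than grepping for printable runs, but the principle is the same: unless the application enables secure_delete or runs VACUUM, freed cells keep their content until the space is reused.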
Last but not least, the Snapshot feature
Telegram
convesations_v29, which contains the list of active conversations as shown in the Chats
encrypted_cids_v29, which contains the conversation IDs of the secret chats.
In addition to the (expected) behaviour already found in WhatsApp, namely that deleted records are not immediately purged from the database and can therefore be recovered, Telegram messages from secret chats are stored in the clear in the
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
WhatsApp Forensic Artifacts: Chats Aren't Being Deleted, http://www.zdziarski.com/blog/?p=6143
Python Parser to Recover Deleted SQLite Database Data, http://az4n6.blogspot.ch/2013/11/python-parser-to-recover-deleted-sqlite.html
SQLite-parser, https://github.com/mdegrazia/SQLite-Deleted-Records-Parser
Security researchers are eager to poke holes in the chip-embedded credit and debit cards that have arrived in Americans' mailboxes over the last year and a half. Although the cards have been in use for a decade around the world, more brains trying to break things are bound to come up with new and inventive hacks. And at last week's Black Hat security conference in Las Vegas, two presentations demonstrated potential threats to the security of chip cards. The first involved fooling point-of-sale (POS) systems into thinking that a chip card is a magnetic stripe card with no chip, and the second involved stealing the temporary, dynamic number generated by a chip card and using it in a very brief window of time to request money from a hacked ATM.
Chip card technology—often called EMV for EuroPay, MasterCard, and Visa for the three companies that developed the chip card standard—is supposed to offer significant security benefits over the old magnetic stripe card system. Magnetic stripe cards have a static card number written into their magnetic stripe, and if a POS system is infected with malware, as was the case in the infamous Target and Home Depot hacks, then a malicious actor can take those card numbers and make counterfeit purchases with them. An EMV card, by contrast, uses a chip to transmit a dynamic number that changes with each purchase. That makes it a lot harder to steal a card number and reuse it elsewhere.
But that doesn’t mean it’s impossible. Late last year, security researcher Samy Kamkar demonstrated that he could calculate a replacement American Express card number based on the previous card number, replicate the credit card’s magnetic stripe information on a programmable chip, and use it to make purchases around town, much like the now-defunct Coin card. Kamkar was even able to do this with chip cards—the magnetic stripe on the back of every card has two tracks of data that tell card readers information like cardholder name, the card’s number, its expiration date, etc. Track 2 data will tell a card reader if the card has a chip and needs to be dipped—otherwise it can be swiped. Kamkar’s solution was to alter the Track 2 data and spoof the card reader to tell it that the card only has a magnetic stripe, no chip, thus bypassing the entry of a dynamic number.
by Jonathan M. Gitlin
Over at Wired, Andy Greenberg reports that security researchers have discovered how to use software defined radio (SDR) to remotely unlock hundreds of millions of cars. The findings are to be presented at a security conference later this week and detail two different vulnerabilities.
The first affects almost every car Volkswagen has sold since 1995, with only the latest Golf-based models in the clear. Led by Flavio Garcia at the University of Birmingham in the UK, the group of hackers reverse-engineered an undisclosed Volkswagen component to extract a cryptographic key value that is common to many of the company's vehicles.
Alone, the value won't do anything, but when combined with the unique value encoded on an individual vehicle's remote key fob—obtained with a little electronic eavesdropping, say—you have a functional clone that will lock or unlock that car.
Microsoft has inadvertently demonstrated the intrinsic security problem of including a universal backdoor in its software after it accidentally leaked its so-called "golden key"—which allows users to unlock any device that's supposedly protected by Secure Boot, such as phones and tablets.
The key basically allows anyone to bypass the provisions Microsoft has put in place ostensibly to prevent malicious versions of Windows from being installed, on any device running Windows 8.1 and upwards with Secure Boot enabled.
And while this means that enterprising users will be able to install any operating system—Linux, for instance—on their Windows tablet, it also allows bad actors with physical access to a machine to install bootkits and rootkits at deep levels. Worse, according to the security researchers who found the keys, this is a decision Microsoft may be unable to reverse.