The Guardian roiled security professionals everywhere on Friday when it published an article claiming a backdoor in Facebook's WhatsApp messaging service allows attackers to intercept and read encrypted messages. It's not a backdoor—at least as that term is defined by most security experts. Most would probably agree it's not even a vulnerability. Rather, it's a limitation in what cryptography can do in an app that caters to more than 1 billion users.

At issue is the way WhatsApp behaves when an end user's encryption key changes. By default, the app will use the new key to encrypt messages without ever informing the sender of the change. By enabling a security setting, users can configure WhatsApp to notify the sender that a recently transmitted message used a new key.

Critics of Friday's Guardian post, and most encryption practitioners, argue such behavior is common in encryption apps and often a necessary requirement. Among other things, it lets existing WhatsApp users who buy a new phone continue an ongoing conversation thread.


Multiple Samsung Android Mobile Devices CVE-2017-5350 Denial of Service Vulnerability
Zabbix CVE-2016-10134 SQL Injection Vulnerability
GNU ed CVE-2017-5357 Denial of Service Vulnerability
Oracle January 2017 Critical Patch Update Multiple Vulnerabilities
Aerospike Database Server CVE-2016-9052 Stack Buffer Overflow Vulnerability
Lenovo XClarity Administrator CVE-2016-8221 Privilege Escalation Vulnerability
Multiple Samsung Android Mobile Devices CVE-2017-5351 Denial of Service Vulnerability
Aerospike Database Server CVE-2016-9050 Information Disclosure Vulnerability
Multiple F5 BIG-IP Products CVE-2016-9247 Denial of Service Vulnerability

I started to play with a nice reconnaissance tool that could be helpful in many cases - offensive as well as defensive. IVRE [1] (DRUNK in French) is a tool developed by the CEA, the Alternative Energies and Atomic Energy Commission in France. It's a network reconnaissance framework that includes:

  • Passive recon features (via flow analysis coming from Bro or Nfdump)
  • Fingerprinting analysis
  • Active recon (via Nmap or Zmap)
  • Import tools (from Nmap or Masscan)

I deployed this tool and feed it with attacker

Very useful to find compromised hosts which deliver malware! The web interface provides a powerful search feature. Examples:

  • Show me all IP addresses from Russia, that have a port 27017 open (MongoDB)
  • Show me the network devices

Getting more knowledge about your attackers is always good. IVRE can help you in this way. This is a very powerful framework that will help you to build your own small Shodan. Happy hunting!

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
[security bulletin] HPSBGN03694 rev.1 - HPE SiteScope, Remote Disclosure of Information
Internet Storm Center Infocon Status