Subscribe to our newsletters
Sign Up

The Hacker News — Cyber Security, Hacking, Technology News

Monday, August 08, 2016 Wang Wei

facebook-express-wifi
After the failure of Facebook's Free Basics -- an initiative to provide free Internet access -- in India due to the violation of Net Neutrality principles, Facebook has reintroduced its plan to provide Internet access in rural India, but this time:

The social networking giant is planning to launch a commercial WiFi service in India.

Facebook is testing a WiFi service in rural India, allowing people with no internet connection to buy affordable data packages from their local internet service providers (ISPs) in order to access the Internet via local hotspots.

Dubbed Express Wi-Fi, the program is in sync with Mark Zuckerberg's Internet.org -- the platform Facebook used for its Free Basics to bring the Internet to all.

India banned Free Basics in the country on net neutrality grounds. Net Neutrality advocates argued that by offering some websites and services for free, people are discouraged from visiting other sites.

Now, Facebook has partnered with state-owned carrier Bharat Sanchar Nigam Ltd (BSNL) to expand its Express Wi-Fi program into a commercial launch, rolling out 125 rural public WiFi hotspots soon in India, the Economic Times reported today.

"We are testing Express Wi-Fi program in India currently that allows customers to purchase fast, reliable and affordable data packages from their local ISP (Internet service providers) to access the Internet via local hotspots," a Facebook spokesperson told ET.

If successful, Facebook’s Express Wi-Fi program has the potential to provide the Internet to a huge user base – currently, 462 Million people in India are using the Internet, but, with the lowest average connection speed among other Asian countries.

Since just one-third of the whole population of the country has Internet access, India is a key market for global giants like Google and Facebook.

Both the companies are going out on a limb by bringing Internet connectivity in rural areas through flying drones, high-altitude balloons, and laser beams to ready the market for its next Billion users.

Last month, Facebook announced the creation of a new open-source wireless communication platform called OpenCellular, which is a doorbell-sized hardware device that can be easily deployed in remote locations by anyone.

Tuesday, January 26, 2016 Swati Khandelwal

shareit-file-sharing
What do you expect a tech giant to protect your backdoor security with?

Holy Cow! It's "12345678" as a Hard-Coded Password.

Yes, Lenovo was using one of the most obvious, awful passwords of all time as a hard-coded password in its file sharing software SHAREit that could be exploited by anyone who can guess '12345678' password.

The Chinese largest PC maker made a number of headlines in past for compromising its customers security.

It had shipped laptops with the insecure SuperFish adware, it was caught using Rootkit to secretly install unremovable software, its website was hacked, and it was caught pre-installing Spyware on its laptops. Any of these incidences could have been easily prevented.

Now, Research center of Core Security CoreLabs issued an advisory on Monday that revealed several software vulnerabilities in Lenovo SHAREit app for Windows and Android that could result in:
  • Information leaks
  • Security protocol bypass
  • Man-in-the-middle (MITM) attacks

Critical Vulnerabilities in SHAREit


SHAREit is a free file sharing application that is designed to allow people to share files and folders from Android devices or Windows computers over a local LAN or through a Wi-Fi hotspot that's created.

All the vulnerabilities were remotely exploitable and affected the Android 3.0.18_ww and Windows 2.5.1.1 versions of SHAREit.

Here's the list of four vulnerabilities:
  • Use of Hard-coded Password [CVE-2016-1491]
  • Missing Authorization [CVE-2016-1492]
  • Missing Encryption of Sensitive Data [CVE-2016-1489]
  • Information Exposure [CVE-2016-1490]
The first vulnerability (CVE-2016-1491) would make you scream… How Dare You!

Using '12345678' as Hard Coded Password


Lenovo was using '12345678' as a hard-coded password in SHAREit for Windows that has been awarded the title of the Third Worst Password of 2015 by the password management firm SplashData.

Here's what Core Security researchers explain:
"When Lenovo SHAREit for Windows is configured to receive files, a Wi-Fi HotSpot is set with an easy password (12345678). Any system with a Wi-Fi Network card could connect to that Hotspot by using that password. The password is always the same."
This is ridiculous especially when the passwords in any application are hard-coded and unchangeable by an average user, putting its consumers and their data at risk.

Other Critical Flaws Left Millions of Users at Risk


However, the issue got worse when the second vulnerability (CVE-2016-1492) came into play. In the second flaw, that applied only to SHAREit for Android, an open WiFi hotspot is created without any password when the app is configured to receive files.

This could have allowed an attacker to connect to that insecure WiFi hotspot and capture the data transferred between Windows and Android devices.
This didn't end here. Both Windows and Android were open to the third flaw (CVE-2016-1489) that involved the transfer of files via HTTP without encryption.

This allowed hackers to sniff the network traffic and view the data transferred or perform Man-in-the-Middle (MitM) attacks in order to modify the content of the transferred files.

Finally, the last but not the least, fourth vulnerability (CVE-2016-1490) discovered by CoreLabs relates to the remote browsing of file systems within Lenovo ShareIt and builds upon the default 12345678 Windows password issue reported above.
"When the Wi-Fi network is on and connected with the default password (12345678), the files can be browsed but not downloaded by performing an HTTP Request to the WebServer launched by Lenovo SHAREit," says the advisory.

Patch Now!


The researchers at Core Security privately reported the flaws to Lenovo back in October last year, but the tech giant took three months to patch the flaws.

Patches for both Android as well as Windows phone are made available on the Google Play Store and here, respectively. So, SHAREit users are advised to update their apps as soon as possible.

Sunday, December 06, 2015 Mohit Kumar

france-tor-ban
Now this was to be done, Sooner or Later – The Government.

In the wake of the recent deadly Paris terror attacks, the French government is considering new laws that would Ban access to Free Wi-Fi and the Tor anonymity network, according to a recent report by French newspaper Le Monde.

The report cites an internal document from the Ministry of Interior by French Department of Civil Liberties and Legal Affairs (DLPAJ) that lists two proposed bills – one around the State of Emergency and the other on combating counter-terrorism.

Last month's Paris attacks started blame games, calling Edward Snowden and end-to-end encrypted services responsible for the ISIS-sponsored massacre.


Now, the government has started renewing their assault on encryption and reviving their efforts to force tech companies to hand over encryption keys, and the document obtained by Le Monde hints the same.

Proposed Pieces of Legislation


State of Emergency Proposal: In this law, the French government is considering to Forbid the use of Free and Shared Wi-Fi connections during a state of emergency. Also, if the owners of public Wi-Fi networks did not disconnect, they could face criminal penalties.

According to the police, the reason behind restricting access to free or shared Wi-Fi is that it is apparently difficult to track suspects who use public Wi-Fi networks to communicate, so the law would shut down public Wi-Fi hotspots during a state of emergency.

The state of emergency increases the powers of the police in the country. During the state of emergency, French police may search residences without a warrant, tighten border controls, and even ban public protests.

Proposal for Combating Counter-Terrorism: This legislation proposal says the government is banning or blocking communications of the Tor network as well as requiring service providers to hand over encryption keys to police – not just during a state of emergency.

Indeed, in this section of the document, the Department of Civil Liberties and Legal Affairs questioned whether such proposed pieces of legislation might violate the French Constitution.


The Onion Router, or TOR, is an anonymising network maintained by volunteers, which routes users’ data requests globally, making it very hard (but not impossible) to discover the actual user behind the computer screen.

Tor is an easy tool to hide your real identity on the Internet and is used not only by journalists, whistleblowers, and privacy concerned people, but also by terrorists, pedophiles, and cyber criminals.

Both pieces of legislation, according to Le Monde, could appear as soon as January 2016.

If block, France would be the first European country to block TOR. Though there is no easy way to block the anonymising network, China and Iran have both made successful attempts to block TOR.

Wednesday, August 19, 2015 Khyati Jain

Google Unveils Smart, New OnHub Wi-Fi Router
Don't stare at the screen for too long for the buffering to end, Google has a solution!

It seems like Google is buckling up to carve out a niche in the market of wireless smart network devices.

Just few days after Google made itself a subsidiary and a separate venture under Alphabet Inc, it announced the news of Android Marshmallow and now ithe company has announced to offer a new way to Wi-Fi and seemingly a newer and different outlook of routers.

"OnHub a new way to Wi-Fi" as Google says is a speedy, secure, easy to use and a reliable Wi-Fi with a stylish look is all in a package the company can offer.

Key Highlights of OnHub


OnHub looks different from other routers in many unique ways, which are as follows:
  • OnHub is cylindrical in shape
  • It has Congestion Sensing Antennas
  • It provides support for connecting up to 128 Devices at a time
  • It Speaks your Language
  • OnHub contains High-Performance Antennas hidden inside the Router Shell
  • It has Minimal wires and cables to look tidier
  • It does not blink lights, only mild lighting in the outer ring of the router
  • OnHub does Bandwidth Management
  • It can be managed from your Smartphone App
  • It has Storage Space of 4GB that makes it easy for auto updates
OnHub is being manufactured by network company called TP-LINK, Google said, hinting that ASUS could be the second manufacturing partner for the product.

When and From Where do I get OnHub?


OnHub is available for $199.99 on pre-order from online retailers in the United States, including the Google Store, Amazon, and Walmart.com.

Those who wish to purchase from the retail stores in U.S. and Canada have to wait till OnHub reaches the shops, which is expected to be possible in coming weeks.

OnHub inbuilt with Smart Protocols


OnHub allows you to connect your laptop or tablet and is designed to support "the Internet of Things" as well as other smart devices over time because it is inbuilt with the smart protocols:
  1. Bluetooth® Smart Ready
  2. 802.15.4
  3. Weave

Fast Wi-Fi for Everyone


In terms of speed, OnHub uses the airwaves and selects the best channel for the fastest connection. The device offers Wi-Fi at a speed of up to 1900 Mbps by supporting 2.4GHz as well as 5GHz frequencies, meaning fast Wi-Fi for everyone.

You can even manage the bandwidth by prioritizing a device, which will get the fastest speed in doing its operations.

Google On – OnHub Mobile App


OnHub is smarter in a manner where it comes with a mobile app that can manage all your activities. It is called the Google On app, available on Android and iOS.

Google On app lets you know how much bandwidth your device is using and allows you to run a network check. So if there is an issue with your Wi-Fi, the On app offers suggestions to help.
"A unique antenna design and smart software keep working in the background, automatically adjusting OnHub to avoid interference and keep your network at peak performance," said Trond Wuellner, Group Product Manager, Google.
The global market for "Internet of Things", will nearly triple to $1.7 Trillion by the year 2020, International Data Corp said in June. Therefore, we can say...

...This is Definitely the next big thing you should vouch for!

This is not smart, but smarter Wi-Fi router Google has to offer. A brief display of how it could get comfortable in your lives can be seen in the video.

Friday, June 05, 2015 Mohit Kumar

apple-pay-hacking
Today anywhere you go, you will come across Free or Public WiFi hotspots -- it makes our travel easier when we stuck without a data connection.

Isn’t it?

But, I think you’ll agree with me when I say:


This Free WiFi hotspot service could bring you in trouble, as it could be a bait set up by hackers or cyber criminals to get access to devices that connects to the free network.

This is why mobile device manufacturers provide an option in their phone settings so that the device do not automatically connects to any unknown hotspot and asks the owner for approval every time it comes across a compatible WiFi.

Hackers can grab your Credit Card Data. Here’s How?


Recently, security researchers from mobile security company 'Wandera' have alerted Apple users about a potential security flaw in iOS mobile operating system that could be exploited by hackers to set up a rogue WiFi spot and then fool users into giving up their personal information, including credit card details.

The loophole leverages the weakness in the default behaviour of iOS devices, including iPhones, iPads and iPods, with WiFi turned on, Ars reported.

This could let attackers create their malicious wireless hotspots and inject a fake "captive portal" page mimicking the genuine Apple Pay interface asking users to enter their credit card details.

A hacker nearby a customer connecting an Apple Pay transaction could launch an attack in an attempt to force the victim’s mobile to connect to evil hotspot and then display a popup portal page which is designed in such a way that users could be fooled into believing Apple Pay itself is requesting to re-enter their Credit Card details.

According to the researchers, spoofers can loaf around a point-of-sale (POS) machine with an Apple Pay terminal and could continuously launch the attack in order to victimize more people.

However, the attack may not trick a large number of people because the fake captive portal page imitating Apple Pay interface is displayed under a fairly prominent "Log In" title bar, the report says.
"In high footfall locations, even a very small ratio of success will yield a large number of valuable credit card numbers," CEO of Wandera Eldar Tuvey pointed out. "It’s all so easy for them. Using readily available technology, which they may be discretely carrying about their person, hackers can for the first time focus their efforts where their victims are at their most susceptible—at the checkout."
The simple and easiest workaround to prevent such attacks is to turn your device's Wi-Fi simply OFF if you are not intentionally connecting to a known Wireless network.

Security researchers have warned Apple about the loophole and meanwhile recommended that Apple and Google should "consider adopting a secure warning when displaying captive portal pages to users so that users exercise caution."

Newsletter Subscription

Subscribe to our newsletter and get all latest hacking news, free eBooks delivered to your inbox.

Join Over 450,000 Subscribers!