In "מנורת לילה - Nightlight TLV" I was doing brain hacking.
The main idea was to teach people with normal vision what colour blindness is, and to help colour-blind people see.
The project was first shown at Geekcon 2012 and became a tool that helps people.
I'm looking for people who want to help hack the human brain, for good.
While preparing for the art exhibition at the NEVE SHA'ANAN TLV LIGHT FEST I had to buy RGB floodlights, so I went to Aliexpress, which is part of the Alibaba group.
Very quickly I realized that my shipping address was exposed on the internet, along with those of many other customers; in fact, all of them.
"WiFi monetization by a patent pending system that allows us to inject any kind of content including ads, during the browsing session rather than just on the landing page like our competitors. Our deployment will allow advertisers to advertise by geo-location and segment in order to pinpoint the right audience.
Cloud Services
Simplicity in creating and editing landing and connection pages (and much more) with Yadwire’s back office and studio. Instead of paying an outrageous amount on a WiFi system with a landing page, with us it can be done in a minute, online! We have a series of products to offer as a WiFi service and they are all cloud based.
Management system
With our cloud management system, every WiFi owner or other IP related technology owner can manage messages, ads and any kind of content from the cloud. Owners can also communicate with their guest/employees on a real time basis."
If until now you were used to seeing ads on Egged's buses, soon you will be able to watch ads while browsing during the ride as well, and maybe a bit more.
It is not yet clear how closely the users are tracked, but this is a revolution in the ability of businesses and organizations to serve targeted, segmented advertising to end users on the wireless network.
As part of the range of services Yadwire offers, it enables targeted advertising that takes over parts of the screen of the user's computer or personal phone, for example on an Egged bus.
Personally, I have mixed feelings on the subject.
I am in favour of making use of the wireless internet system, but against collecting personal details.
I think that Egged, which was the first to deploy wireless internet on buses in Israel, is adopting technological innovations here that will move it forward, and it should be congratulated for that.
On the other hand, attention must be paid to the information security and privacy of the customers.
Looking for a job can take you to very interesting places.
That's how I found this security flaw in TMP Worldwide.
If you are only looking for the technical report, I'll make it simple for you.
Instead of typing a password, an attacker could simply enter the email address of his victim.
An attacker can check the current location or the desired location of a potential worker.
An attacker can send emails with job offers under your company's name.
Workers can be fired from their jobs if the current employer finds out that they want to change jobs. (BI)
TMP Worldwide didn't handle it well. They even told me to contact their client instead of taking the problem into their own hands.
eBay answered me, but didn't give me a new update for more than 45 days.
Since the major problem has been fixed, I'm publishing my findings.
A security flaw I found in TMP Worldwide's smart job agent affected, among others, the following companies:
HP
Walmart
Officedepot
eBay inc
Scotiabank
All candidates for jobs at these companies who used the smart job agent system (Job Alert) were exposed.
Severity: low to medium
Scope: wide
Many of you are trying to get a job. In my recent journey to get one, I found this security flaw in TMP Worldwide (Telephone Marketing Programs).
I really wanted a job, nothing more, nothing less.
TMP got the warning first. I tried a phone call (I was ugly) as well as an email exchange, which started fine, but then they disappeared.
Since I was told by a TMP representative to speak with the company where the problem appears, I emailed eBay about the issue.
eBay's answer was:
To the point: you can read more about TMP Worldwide on their website or on Wikipedia.
In general, they are an independent recruitment advertising agency. The product that had the problem was their Job Alerts system, which is part of TalentBrew:
"Stay connected with your candidates through e-mail sign-up and RSS feeds. Job Alerts give job seekers the ability to receive customized updates on job listings they are interested in."
After understanding who TMP are, let's try to understand more about the impact of the problem.
In the Talent service they provide, potential recruits are offered to add their email, as well as their preferred countries and jobs. From then on the job alert system starts to work, and the potential recruit gets an update for any new job listed on the website.
As a SaaS (Software as a Service) product with deep integration into a variety of clients, TMP Worldwide won awards and later cooperated with major players around the world, such as Oracle, which acquired Taleo Corporation (NASDAQ:TLEO) back in 2012.
The impact is really clear: Taleo and TalentBrew appear hand in hand on many recruitment websites, Taleo for the job offers and TalentBrew for many things behind the scenes, like Job Alerts.
Since TMP Worldwide has a variety of clients, in many cases they run the whole recruitment website, not only the TalentBrew integration.
To make things clear, the problem is in TMP; Oracle is just another channel through which TMP's SaaS services are sold.
Now to the problems:
Architecture - not fixed:
Basic system problems:
1. The password contains only six digits, numbers only, which can be brute-forced very easily.
2. The channel is not secured with SSL.
3. The emails come from tmp.com, which is not eBay/PayPal or any company of your group.
Attack scenario:
An attacker can brute-force the password.
Those problems were never fixed.
The problem that has been fixed is the ability to break into the recruit's alert settings when you know the target's email.
Attack scenario:
Using the target's email, and having the database of eBay's workers, an HR office could check whether someone had added himself to the HP recruitment website. This gave the attacker the ability to learn the plans or desired jobs of his workers.
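The two weaknesses described above, a record protected by the email address alone and a six-digit numeric PIN with no throttling, are modelled here as an added example beside a hardened variant. This is illustrative code written for this post, not TMP's or TalentBrew's code; the class names, the 256-bit token length and the lockout thresholds are assumptions chosen for the demonstration.

```python
import hmac
import math
import secrets
import time

# Illustrative model, not TMP's code: a six-digit numeric PIN (the unfixed
# weakness) and a lookup protected by the email address alone (the flaw that
# was fixed), beside a hardened design with a random token and lockout.
PIN_KEYSPACE = 10 ** 6   # six decimal digits
TOKEN_BYTES = 32         # 256-bit random management token (assumed length)


def effective_bits(keyspace: int) -> float:
    """Entropy of a secret chosen uniformly from `keyspace` values."""
    return math.log2(keyspace)


def seconds_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time an unthrottled online guesser needs to try every value."""
    return keyspace / guesses_per_second


class WeakAlertStore:
    """Subscriber preferences keyed by email, protected by a 6-digit PIN,
    with no throttling; plus the email-only lookup the post says existed."""

    def __init__(self):
        self.subscribers = {}  # email -> {"pin": str, "prefs": dict}

    def subscribe(self, email, prefs):
        pin = f"{secrets.randbelow(PIN_KEYSPACE):06d}"
        self.subscribers[email] = {"pin": pin, "prefs": prefs}
        return pin

    def get_prefs_by_email(self, email):
        # The fixed flaw: knowing the address was enough to read the record.
        rec = self.subscribers.get(email)
        return rec["prefs"] if rec else None

    def get_prefs(self, email, pin):
        rec = self.subscribers.get(email)
        return rec["prefs"] if rec and rec["pin"] == pin else None


class HardenedAlertStore:
    """Same service with a 256-bit random token instead of a PIN,
    constant-time comparison, and per-email lockout after repeated failures."""

    MAX_FAILURES = 5        # assumed threshold
    LOCKOUT_SECONDS = 900   # assumed window

    def __init__(self, clock=time.monotonic):
        self.subscribers = {}  # email -> {"token": str, "prefs": dict}
        self.failures = {}     # email -> (count, time of first failure)
        self.clock = clock     # injectable so the lockout can be tested offline

    def subscribe(self, email, prefs):
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self.subscribers[email] = {"token": token, "prefs": prefs}
        return token  # delivered once, inside the confirmation email link

    def is_locked(self, email):
        count, since = self.failures.get(email, (0, 0.0))
        if count < self.MAX_FAILURES:
            return False
        if self.clock() - since >= self.LOCKOUT_SECONDS:
            self.failures.pop(email, None)  # lockout window has expired
            return False
        return True

    def get_prefs(self, email, token):
        if self.is_locked(email):
            return None
        rec = self.subscribers.get(email)
        # Compare against a throwaway value for unknown addresses so that
        # response timing does not reveal which emails are subscribed.
        expected = rec["token"] if rec else secrets.token_urlsafe(TOKEN_BYTES)
        if hmac.compare_digest(expected, token) and rec:
            self.failures.pop(email, None)
            return rec["prefs"]
        count, since = self.failures.get(email, (0, self.clock()))
        self.failures[email] = (count + 1, since)
        return None
```

The point of the comparison is in the numbers: a six-digit PIN is under 20 bits of entropy and, at 100 guesses per second, is exhausted in under three hours, while the hardened store never exposes a record on the email alone, uses a token that cannot be enumerated, and stops answering an address after a handful of failures.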
By the way, remember this? "Apple, Google, Intel, Adobe to pay $325 million to settle hiring lawsuit"..
We can only imagine how many workers use the job alert system every year.
Potential workers deserve better security.
Aftershock:
An attacker can now know the current location or the desired location of a potential worker.
An attacker can send emails with job offers under your company's name.
Workers can be fired from their jobs if the current employer finds out that they want to change jobs. (BI)
HP
eBay inc
Walmart
OfficeDepot
Scotiabank
Here you can see how I spotted the SQL vulnerability via Google:
To add more data, I've added this who.is proof to show the connection to TMP Worldwide.
If you really want to see the video, here is the PoC related to eBay inc.
The Israeli Movement for Freedom of Information has once again exposed private and sensitive data of many private individuals and public figures, including phone numbers and more sensitive data.
To be clear, I blame the ministers' offices who gave them the files. I blame the NGO, the Movement for Freedom of Information, who published them as is. I blame as well any information security and legal advisers who didn't redact the private information in the files.
The exposure took place during the usual act of sharing with the public information that was hidden until now.
On the 2nd of Nov. 2014, just a couple of days ago, the NGO exposed data of up to 85 mentally ill people who were mentioned in a list given to them by the Ministry of Health.
Unlike the Ministry of Health, which took responsibility and apologized, the NGO's answer on the issue (in Calcalist) blamed only the Ministry of Health. They didn't say anything about the fact that they had published online information about people, against their privacy.
"And there was also the strange case of the Ministry of Health, which passed us a list of suppliers that included, among other things, the names of people in care and the mentally ill to whom it transfers payments. We drew the Ministry of Health's attention to the matter and asked to receive an updated list (one that also protects individual privacy). The Ministry of Health has not yet sent an updated list."
They said: "We asked the ministers for their appointment calendars for 2013. Despite the directive of the Attorney General, which determined that this information should be published, only 14 ministers out of the 23 gave them to us, and only partially. And these are the names of the ministers who have not shared their path with the public: Gideon Sa'ar, Yuval Steinitz and Israel Katz. Prime Minister Benjamin Netanyahu ignored our request" (Google Translate from Hebrew)
Well, they did publish many diaries, which is good, but a lot of information related to private people, phone numbers and much more, was published as well.
The NGO used to blame anyone who sent them info, saying "we don't touch it", but saying that you don't take any responsibility for information given to you by others doesn't leave you with clean hands. I really like what they do, but I'm sure everyone who wants to publish information about elected officials or government ministries should check whether more people will be in the line of exposure.
This story can't be understood without knowing that nowadays there is a very cool project in Israel called "100 days of Transparency", founded by Tomer Avital.
This different project had significant success, raising crowdfunding of 159,151 ILS from 1473 backers, as well as making people in the parliament look around to see if there is a private investigator.
This kind of activity can be really good, as long as you don't harm the public, as the Movement for Freedom of Information did, at least in the story related to the mentally ill people.
The story has a twist: since not only the government ministry bears responsibility for sharing other people's information with an NGO, knowing it will be published, we can see that there is a lasting impact on privacy in Israel.
Last week we heard the story of the Dog Centre apps, which was published here for the first time and made the Minister of Agriculture agree that the apps had a problem, and even consider taking them down..
Now, back to our story: I can see how the project "100 days of Transparency" could change into "100 days of protecting privacy"...
I really hope that this project of Tomer Avital will be a great story; I really like it.
Moreover, I will do my best to help the Movement for Freedom of Information, but I can't accept the idea of publishing private information as they did, while blaming others for the missing redaction.
Both the government and the NGO made mistakes. Unlike the NGO, the Ministry of Health took responsibility, while the NGO refuses to do so and even insists on keeping the same process in the future.
Since it contains many pages, I'm adding them now for public review.
To remind you, the Ministry of Health, as well as the NGO, made a bigger mistake not so long ago.
In my opinion, the Movement for Freedom of Information should double-check any data they publish, as should the people who give it to them, who are mostly government officials.
Sharing data with the public should follow more privacy-related rules, and guarding the public's privacy should be part of the motivation for sharing all we know about elected officials.
Update 15:52 13.11.2014:
Answers from the NGO
09:23 AM
Amitai, hello,
First, it is important to clarify that the Movement publishes information as it was delivered to it, without any change, addition or omission.
The discretion over how to deliver the information lies with the provider of the information, in this case Bennett's office, so I recommend that you approach them and express your reservations about the way they chose to deliver the information.
Regards,
Racheli Edri, Adv.
The Movement for Freedom of Information
10:56 AM
Amitai,
Just as you managed to reach us, I am sure that whoever looks will find us too. It's not complicated: we are usually available by phone at the office and at this email address, and as you can see, we answer everyone who contacts us.
Regarding the Ministry of Health, the information was not published. We drew the Ministry of Health's attention to it and asked them to send a new list without the names of the people in care. We have not yet received such a list, so of all the supplier lists we received, the Ministry of Health's list is missing, even though it is in our possession.
Here too, the mistake was the Ministry of Health's, and as I wrote, without our attention a very great injustice would have been done to dozens of people in care.
The procedures we work by are the provisions of the Freedom of Information Law and nothing more.
As I wrote to you in the previous email, any claim about the information that was sent should be directed to whoever sent the information.
To the best of my understanding, Bennett's office is working on a new list; when it is sent we will of course update. In the meantime we have not received any official request from Bennett's office to remove the information.
--
Racheli Edri, Adv., The Movement for Freedom of Information, The College of Management Academic Studies, P.O. Box 25073 Rishon LeZion, postcode 7502501, Tel: 03-9560146 | Fax: 03-9560359 |
Above all, I like Google; I don't like the way they took our privacy.
This story will show you where the limits are, and why tracking files and the people who read them is not a smart move in a world where privacy is waking up.
Google Drive is a cloud service by Google Inc. with the ability to store data; writing docs is one of the features the service provides, which is fine as long as they only track you inside the service and don't leave hidden tracking mines in the files.
I was reading my CV, which had been written for the first time with the Google Drive service, and then I saw something really interesting: hyperlinks that were different from the original ones I had added.
I didn't ask Google to track my file for me.
Even after converting the file to PDF, I still had those mysterious Google tracking links.
Checking them out, I saw how the redirection is made:
Google tracks hyperlinks in Google Search; some people think it's related to redirection and nothing more, others saw the attack options, but having this in Docs/Drive is less known, and it should concern not only the owners of the files but their readers as well.
Tracking users' files shows us why Google doesn't see the red line.
Knowing that your files are being tracked, with reports sent anonymously to Google, puts anyone who gets them under surveillance.
Think of it as adding your own hidden tracking script to spy on someone who gets a file from you.
Solution
Always check the hyperlink before opening it.
Don't write the file in Drive/Docs.
Don't add hyperlinks.
P.S.
I've only confirmed this in Drive, but it seems to be the same in Google Docs as well.
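"Always check the hyperlink before opening it" can be automated for a document's links. The following is an added example, not code from the post or from Google: it peels redirect-wrapper links apart offline (no request is ever sent, so the tracker is never triggered) and flags links whose real destination host differs from what the visible text claims. The redirector table and the wrapper path and parameter are assumptions based on the google.com/url?q= form the post refers to; the sample links are constructed, and the usg value is a placeholder.

```python
import re
from urllib.parse import parse_qs, urlparse

# Redirector host -> (wrapper path, query parameter that carries the real target).
# Assumption of this example: the google.com/url?q= form; extend for others.
REDIRECTORS = {
    "www.google.com": ("/url", "q"),
    "google.com": ("/url", "q"),
}

# Anchor text that looks like a bare host or URL (so it can be compared).
HOSTLIKE = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?$")


def unwrap(href, max_depth=5):
    """Peel a redirect-wrapper link apart without any network access: while
    the URL points at a known redirector, replace it with the target named
    in its query string. Returns (final_url, list_of_wrappers_seen)."""
    hops = []
    current = href
    for _ in range(max_depth):
        url = urlparse(current)
        wrapper = REDIRECTORS.get(url.netloc.lower())
        if wrapper is None or url.path != wrapper[0]:
            break
        target = parse_qs(url.query).get(wrapper[1])
        if not target:
            break
        hops.append(current)
        current = target[0]  # parse_qs already percent-decoded it
    return current, hops


def check_link(text, href):
    """Classify one hyperlink as it appears in a document: is it wrapped by a
    tracking redirector, and does the destination host match what the visible
    text claims? host_matches_text is None when the text is not itself a URL."""
    final, hops = unwrap(href)
    actual_host = urlparse(final).netloc.lower()
    host_matches = None
    shown = text.strip()
    if HOSTLIKE.match(shown):
        if "://" not in shown:
            shown = "https://" + shown
        host_matches = urlparse(shown).netloc.lower() == actual_host
    return {"final": final, "wrapped": bool(hops), "host_matches_text": host_matches}


def audit_document_links(links):
    """links: iterable of (visible text, href) pairs, e.g. extracted from a
    converted PDF or an HTML export. Returns only the suspicious ones."""
    report = []
    for text, href in links:
        result = check_link(text, href)
        if result["wrapped"] or result["host_matches_text"] is False:
            report.append((text, result))
    return report


# Constructed sample links modelled on what the post describes; hypothetical.
SAMPLE_LINKS = [
    ("example.com/cv",
     "https://www.google.com/url?q=https%3A%2F%2Fexample.com%2Fcv&sa=D&usg=PLACEHOLDER"),
    ("example.com/cv",
     "https://www.google.com/url?q=https%3A%2F%2Fother.invalid%2Fx"),
    ("my portfolio", "https://example.com/portfolio"),
]
```

The first sample is the benign but tracked case (wrapped, destination matches the text); the second is the one a reader should worry about (wrapped, and the destination host is not the one the text shows); the third is a plain link and is not reported.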
-----------------
For more info about Google tracking and its uses:
At the beginning of August, one of the members of the DEFCON group in Israel (dc9723.org) posted the following:
----
A friend's son was killed in Gaza.
The son left a mobile phone with a lock code. I don't know yet which phone, and the phone is not yet with the family, but I was asked whether I would know how to break the code without deleting the data.
Possible in principle, no?
----
The members of the group took up the matter and tried to help break the lock.
At the same time, without asking for anything or trying to leverage it in the media, the company Cellebrite agreed to help.
In practice, from what I understood, the family managed on its own and discovered the password for the device.
Vered Shavit, who runs the blog אבק דיגיטלי (Digital Dust), has now posted an interview she did with the company following the story.
A security flaw I found at a company that provides recruitment services allowed breaking into the 'smart agent' that alerts about potential jobs.
The list of those affected included well-known companies worldwide in finance, banking, retail and high-tech. The flaw has been fixed and more details will be published soon. The company is not Israeli. Every potential employee who used the system was at risk.
This research began one day after I realized that I had too much spam in my email. So I decided to have some fun and look for problems in the way those companies keep the privacy of their users and the interests of their own business.
I decided to find problems in the system and make it much more secure.
Since mailing lists and marketing are not always equal to spam, there is a need to secure the mailing list database. But security is not always what we understand at first: it's not always about the best firewall, antivirus or APT detection. We need to understand how people deal with systems and emails, and how the system should be designed. It's about logical security thinking.
Sharing emails, I mean person-to-friends mailing lists, is nothing new, and we all have friends who feel the urge to share with us the latest deal they just got by email. So what's the problem? The sender included the password of their account in the body of the email.
A normal email a person receives through a newsletter subscription has a couple of weak points, depending on the interests of each side:
1. The regulator: you have to allow opt-in/opt-out, the ability to unsubscribe yourself from the mailing list.
2. The sender: the company behind the campaign wants to track the users; they want to know where they are, including geo-location with maps; they want them to share the email with friends; they want them to see the email, even if that means opening the email in a different window with a personal address.
3. The receiver: the person who actually subscribed himself to the list wants to read it, share it, sometimes change his information, get updates about the conference, or just the best deal.
4. The shipper: the shipping companies are the people who make money, totally legal money in the digital era, by sending digital goods like emails. They want to get more users for their clients and to have more capabilities like adding SMS. Security? Well, security is something that needs to be improved.
Next step
Pattern hunting
After understanding a bit more about the situation in the marketing field, I looked into my emails, as well as other websites, so I would be able to catch patterns in the emails.
Very quickly I realized that most of the companies that specialize in marketing emails/campaigns are exposing their users.
What you should hunt:
1. Forward to friends.
2. Edit subscription information.
3. Unsubscribe.
4. View in a web page.
5. Campaign unique token or code.
6. Sender unique token or code.
7. View in web page without SSL to secure the channel.
8. No configuration against scraping/robots.
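The patterns in the list above can be hunted mechanically in one's own newsletters. The following is an added example written for this post, not code from any of the companies discussed: it collects the links of a newsletter body and flags plain-http links, links that carry the recipient's own email address, management links whose token is short enough to guess, and a token that the "forward to a friend" link shares with an edit or unsubscribe link (forwarding the mail then hands the friend control of the original subscription). The sample newsletter, its hosts, tokens and recipient address are constructed, and the 16-character token threshold is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample newsletter body; hosts, tokens and the recipient are
# invented for this demo (the .invalid TLD never resolves).
SAMPLE_NEWSLETTER = """
<html><body>
<a href="http://news.mailer.invalid/view?e=alice%40example.com&c=4711">View in web page</a>
<a href="https://news.mailer.invalid/forward?c=4711&u=9f1c2d">Forward to a friend</a>
<a href="http://news.mailer.invalid/edit?u=9f1c2d">Edit subscription</a>
<a href="https://news.mailer.invalid/unsub?email=alice@example.com">Unsubscribe</a>
<a href="https://shop.example.invalid/deal">Today's deal</a>
</body></html>
"""
RECIPIENT = "alice@example.com"

# Link kinds from the hunting list, recognised by words in the path or text.
MANAGEMENT_KINDS = {
    "forward": ("forward",),
    "edit": ("edit", "preferences", "profile"),
    "unsubscribe": ("unsub",),
    "view": ("view", "browser"),
}
MIN_TOKEN_CHARS = 16  # shorter values are treated as guessable (assumed threshold)


class LinkCollector(HTMLParser):
    """Collects (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self._current = [href, ""]

    def handle_data(self, data):
        if self._current:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def classify(url, text):
    """Return the management kind of a link, or None for ordinary content links."""
    haystack = (url.path + " " + text).lower()
    for kind, words in MANAGEMENT_KINDS.items():
        if any(w in haystack for w in words):
            return kind
    return None


def audit_links(html, recipient):
    """Return (finding, link text or kinds, detail) tuples for one newsletter body."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    token_uses = {}  # (param, value) -> set of link kinds carrying that value
    for href, text in collector.links:
        url = urlparse(href)
        if url.scheme == "http":
            findings.append(("no-tls", text, href))
        if recipient.lower() in unquote(href).lower():
            findings.append(("email-in-url", text, href))
        kind = classify(url, text)
        if kind is None:
            continue
        for param, values in parse_qs(url.query).items():
            for value in values:
                if "@" in value:
                    continue  # already reported as email-in-url
                if len(value) < MIN_TOKEN_CHARS:
                    findings.append(("short-token", text, f"{param}={value}"))
                token_uses.setdefault((param, value), set()).add(kind)
    # A value present in the forward link and in another management link gives
    # whoever receives the forwarded mail control over the original subscription.
    for (param, value), kinds in token_uses.items():
        if "forward" in kinds and kinds - {"forward"}:
            findings.append(("shared-token", ", ".join(sorted(kinds)), f"{param}={value}"))
    return findings
```

Run `audit_links(SAMPLE_NEWSLETTER, RECIPIENT)` on the sample and the two http links, the two links embedding the address, the four short tokens and the two tokens shared with the forward link are all reported, while the ordinary content link is not.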
The story got to a really funny point, since even when I saw an attempt to secure the email of the client, after a successful unsubscribe the email still appeared, with a timestamp.
After I gave a warning to more than five major companies in this field, I realized that we are suffering from something more than a weak point: I was told that the users are stupid because they share the emails on the web, among other interesting answers.
The brainstorm with a couple of them showed that it's possible to secure, but it's really hard to bring all the interests together, since the regulator, the end user, the client (of the shipper) and the shipper have different needs, and somehow privacy is the first to suffer.
Having information about the things you should get into your email is the best thing to ask for, for a person who wants to attack you.
Currently I'm still waiting for answers related to the issue, but I will publish more updates very soon.
Until then, if you can share your marketing emails/newsletters, it will be great.
You're welcome to use one of the following websites as well:
Logs of successful installations of Divx products have been exposed via the Conduit service, on a cloud server based on Amazon.
The exposed logs included, but were not limited to, IPs, the country of the users and the machine type (e.g. Mac).
I was in contact with Conduit about this case a couple of times, but they chose to avoid changing the status and kept the data as is.
Since they were in the middle of a merger at the time I first spoke with them about this Divx case, I decided to avoid sharing the finding with the public.
Recently (21 Sep. 2014), I gave them another warning, but they said "not relevant, thank you".
In my opinion, this kind of data can be really useful for BI (business intelligence), and for anyone with a zero-day tool against Divx software.
In any case, IPs can be tracked, and privacy should be kept in better ways.