Showing posts with label encryption. Show all posts

Friday, 14 February 2014

Edward Snowden obtained classified NSA documents by stealing coworker's password

We are all well aware of the disclosures that whistleblower Edward Snowden made about the US National Security Agency (NSA). After following every related update and reading every document he gave to various news sites, you are left with one question: how could he carry out this entire operation without any help?

Yes, you are correct! The former NSA contractor Edward Snowden allegedly managed to gain access to many of the classified documents by stealing one of his coworkers' passwords, according to an unclassified NSA memo obtained by NBC News.

Three people, an NSA civilian employee, an active-duty member of the U.S. military and a contractor, were found to be involved in actions that may have aided Snowden's operation. Of these, the NSA civilian employee has been stripped of his security clearance and has resigned.

The other two have been barred from entering National Security Agency (NSA) facilities, the memo states, indicating that their status is currently under review.

The coworker said that he allowed Snowden to use his Public Key Infrastructure (PKI) certificate to gain access to classified information on "NSANet" that Snowden had formally been denied access to.

The memo doesn't provide much detail, according to NBC. Reading through the whole memo, however, Snowden somehow got one of his civilian NSA coworkers to enter his password "onto Snowden's work station," the memo states. "Unbeknownst to the regular person, Mr. Snowden was equipped to catch the secret key, permitting him significantly more terrific access to arranged data."

The memo also states that the civilian coworker was not aware of Mr. Snowden's intentions, namely that he "proposed to unlawfully unveil ordered data," and shared his PKI certificate, a set of highly secure credentials that provided greater access to the NSA's internal computer system. He "neglected to follow security commitments," which led to his resignation.

This is not the first time we have heard about the involvement of NSA coworkers in this matter of so-called national pride. The memo appears to be the first official confirmation of a Reuters report from November, which said that some employees, as many as 20 to 25 workers who shared their passwords, had been identified, questioned, and removed from their assignments. The NSA never publicly commented on that report, and Snowden appeared to deny it during a public Google chat just last month.

The NSA should now pay close attention to the access held by the employees who carry out its most sophisticated task of spying on everyone, because the internal threat may otherwise pass over its head.

Tuesday, 15 October 2013

Vulnerability in WhatsApp allows decrypting user messages

A serious vulnerability in WhatsApp allows anyone who is able to eavesdrop on a WhatsApp connection to decrypt users' messages.
WhatsApp, the mobile instant messaging application, has become one of the main communication tools of the present day, and its popularity makes it attractive to security researchers and hackers.
This time the protection of the messages exchanged through the application is in question: thanks to a vulnerability in the crypto implementation, they can be intercepted by an attacker.
Thijs Alkemade is a computer science student at Utrecht University in the Netherlands who works on the open source Adium instant messaging project. During his research he disclosed a serious issue in the encryption used to secure WhatsApp messages.
In the post titled "Piercing Through WhatsApp’s Encryption", Alkemade remarked that WhatsApp has been plagued by numerous security issues recently: easily stolen passwords, unencrypted messages and even a website that can change anyone’s status.
"You should assume that anyone who is able to eavesdrop on your WhatsApp connection is capable of decrypting your messages, given enough effort. You should consider all your previous WhatsApp conversations compromised. There is nothing a WhatsApp user can do about this but except to stop using it until the developers can update it," states the researcher.
An attacker sniffing a WhatsApp conversation is able to recover most of the plaintext bytes sent. WhatsApp uses the RC4 stream cipher to generate a stream of bytes that is XORed with the plaintext to encrypt it.

The mistakes are:
  • The same encryption key in both directions
  • The same HMAC key in both directions
Below is the trick the researcher used to reveal messages sent with WhatsApp by exploiting the first issue:
WhatsApp uses the same key for the incoming and the outgoing RC4 stream, so "we know that ciphertext byte i on the incoming stream xored with ciphertext byte i on the outgoing stream will be equal to xoring plaintext byte i on the incoming stream with plaintext byte i of the outgoing stream. By xoring this with either of the plaintext bytes, we can uncover the other byte."
The technique doesn't directly reveal all bytes but works in many cases. Another element that works to the attacker's advantage is that messages follow the same structure and are easy to predict starting from the portion of plaintext that is disclosed.
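The keystream cancellation described above, shown next to a per-direction key derivation that removes it. This is an added example, not code from the original post or from WhatsApp; the session key, the two messages, the `direction_key` helper and its labels are constructed for illustration.

```python
import hashlib
import hmac

def rc4(key: bytes, n: int) -> bytes:
    """Return the first n bytes of the RC4 keystream for key."""
    s, j = list(range(256)), 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                        # keystream generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))  # truncates to the shorter input

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    return xor(plaintext, rc4(key, len(plaintext)))

def direction_key(session_key: bytes, label: bytes) -> bytes:
    # Assumed fix for illustration: one independent key per direction.
    return hmac.new(session_key, label, hashlib.sha256).digest()

# Constructed sample data, not real WhatsApp traffic.
SESSION_KEY = b"constructed-session-key"
P_OUT = b"<message to=alice>hello there</message>"
P_IN = b"<message from=bob>meet at noon</message>"

def recover_incoming(k_out: bytes, k_in: bytes, known_out: bytes) -> bytes:
    """What an eavesdropper computes from two ciphertexts plus known_out."""
    c_out, c_in = encrypt(k_out, P_OUT), encrypt(k_in, P_IN)
    return xor(xor(c_out, c_in), known_out)

def demo():
    n = min(len(P_OUT), len(P_IN))
    shared = recover_incoming(SESSION_KEY, SESSION_KEY, P_OUT)
    split = recover_incoming(direction_key(SESSION_KEY, b"client-to-server"),
                             direction_key(SESSION_KEY, b"server-to-client"), P_OUT)
    return shared == P_IN[:n], split == P_IN[:n]

if __name__ == "__main__":
    print(demo())  # (True, False)
```

With a shared key the two keystreams are identical and drop out of the XOR, so knowing one plaintext yields the other; with separate keys the same computation produces only noise.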
The second issue relates to the HMAC: Alkemade said WhatsApp also uses the same HMAC key in both directions, another implementation error that puts messages at risk, but one that is more difficult to exploit.
The MAC is used to detect data alteration, but it is not enough to detect all forms of tampering, so the attacker could potentially manipulate any message.
"TLS counters this by including a sequence number in the plaintext of every message and by using a different key for the HMAC for messages from the server to the client and for messages from the client to the server. WhatsApp does not use such a sequence counter and it reuses the key used for RC4 for the HMAC."
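The two countermeasures named in the quote above (a separate HMAC key per direction and a sequence number covered by the MAC), compared with a single shared key and no counter. This is an added example, not code from the original post, WhatsApp or TLS; the key, message, labels, `Direction` class and the choice of HMAC-SHA256 are assumptions for illustration.

```python
import hashlib
import hmac
import struct

MASTER = b"constructed-master-key"   # constructed sample key
MSG = b"status: available"           # constructed sample message

def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def weak_verify(data: bytes, tag: bytes) -> bool:
    """Receiver in either direction: one shared key, no sequence number."""
    return hmac.compare_digest(mac(MASTER, data), tag)

class Direction:
    """One direction of a hardened channel: its own key and counter."""
    def __init__(self, master: bytes, label: bytes):
        self.key = mac(master, b"mac-key:" + label)
        self.seq = 0

    def _tag(self, data: bytes) -> bytes:
        return mac(self.key, struct.pack(">Q", self.seq) + data)

    def seal(self, data: bytes) -> bytes:
        tag = self._tag(data)
        self.seq += 1
        return tag

    def verify(self, data: bytes, tag: bytes) -> bool:
        ok = hmac.compare_digest(self._tag(data), tag)
        if ok:
            self.seq += 1        # each sequence number is accepted once
        return ok

def weak_results():
    tag = mac(MASTER, MSG)                       # client -> server
    # Reflected to the client, then delivered twice to the server.
    return weak_verify(MSG, tag), weak_verify(MSG, tag) and weak_verify(MSG, tag)

def hardened_results():
    client_tx = Direction(MASTER, b"client-to-server")
    server_rx = Direction(MASTER, b"client-to-server")
    client_rx = Direction(MASTER, b"server-to-client")
    tag = client_tx.seal(MSG)
    reflected = client_rx.verify(MSG, tag)       # wrong direction key
    first = server_rx.verify(MSG, tag)           # genuine delivery
    replayed = server_rx.verify(MSG, tag)        # counter has moved on
    return reflected, first, replayed
```

The shared-key receiver accepts a message sent back to its own sender and accepts the same message twice; the hardened receiver rejects both while still accepting the genuine delivery.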
Alkemade is very critical of the development team of the popular platform:
“There are many pitfalls when developing a streaming encryption protocol. Considering they don’t know how to use a xor correctly, maybe the WhatsApp developers should stop trying to do this themselves and accept the solution that has been reviewed, updated and fixed for more than 15 years, like TLS,” he said.
I agree with the thinking of the researcher. Security for applications such as WhatsApp is crucial given its level of penetration, and it is true that the interest of the scientific community and cybercrime will surely lead them to discover new vulnerabilities to which WhatsApp will have to provide a quick solution.
Alkemade confirmed that there is no remediation for the flaw at the moment, which is why he suggests not using WhatsApp until the developers produce a patch.

Friday, 4 October 2013

Silk Road taken down by FBI

Notorious online marketplace "Silk Road" has been taken down by the FBI, and its owner, Ross Ulbricht, a.k.a. "Dread Pirate Roberts", has been arrested, proving that "perfect security is impossible".

He has been charged with conspiracy to traffic narcotics, conspiracy to hack computers, and conspiracy to launder money.

The website now shows a "This Hidden Site Has Been Seized" message


Silk Road was the drug dealing website in the world. It used the "TOR hidden network" to hide itself and its users. It seems Ross Ulbricht was caught due to his own mistakes and NOT due to a vulnerability in the TOR network.


This site had been a major point used by lawmakers and politicians to try to curtail the growth of the TOR network. The recent actions by the FBI against many hidden sites in the TOR network are indeed a very big setback for it.

All the transactions on Silk Road were done using Bitcoins, and since the news of Ross Ulbricht's arrest the Bitcoin value has dropped quite a bit (due to paranoid selling). But this is just the currency stabilizing itself; when it stabilizes, the BTC value will rise again. And the removal of the association with such illegal marketplaces might actually be a good thing for Bitcoin.

Thursday, 3 October 2013

Jordan's PM's website hacked by Anonymous hacktivist

Anonymous hacktivists have hacked into the official website of Jordan's Prime Ministry in protest against raising taxes and prices. The website was defaced with a message in Arabic to Prime Minister Abdullah Nsur.

"Hi uncle, how are you? We are sorry, we hacked your website. Are you upset? We feel much worse when you raise prices. The people know this feeling but you do not," the defacement message reads.

According to a Voice of Russia report, the website was restored after being hacked for several hours. The official claimed to have identified the attackers.

At the time of writing, the website (pmo.gov.jo) is offline. You can still view the defacement in Google cache: http://webcache.googleusercontent.com/search?q=cache:http://pmo.gov.jo/PMO_Images/635159460595068250.htm

FBI demands SSL Keys from Secure-Email provider Lavabit in Espionage probe



The U.S. Government obtained a secret court order demanding the private SSL key from Lavabit, which would have allowed the FBI to wiretap the service’s users, according to Wired.
Ladar Levison, 32, has spent ten years building the encrypted email service Lavabit, attracting over 410,000 users. When NSA whistleblower Edward Snowden was revealed to be one of those users in July, Levison received court orders, intended to trace the IP address of a particular Lavabit user, but he refused to comply.
The offenses under investigation are listed as violations of the Espionage Act, and the founder was ordered to record and provide the connection information on one of its users every time that user logged in to check his e-mail.
The Government complained that Lavabit had the technical capability to decrypt the information but did not want to defeat its own system. On the same day, U.S. Magistrate Judge Theresa Buchanan ordered Lavabit to comply, threatening Lavabit with criminal contempt.
The FBI's search warrant also demanded all information necessary to decrypt communications sent to or from the Lavabit email account [redacted], including encryption keys and SSL keys.
Because Lavabit hadn’t complied by August 5, a court ordered that Levison would be fined $5,000 a day beginning August 6 for every day he refused to turn over the key.
On August 8, Levison finally decided to shut down Lavabit. “I’m taking a break from email,” said Levison. “If you knew what I know about email, you might not use it either.”