How hackers can use message mirroring apps to see all your SMS texts — and bypass 2FA security


Syed Wajid Ali Shah, Deakin University; Jongkil Jay Jeong, Deakin University, and Robin Doss, Deakin University

It’s now well known that usernames and passwords aren’t enough to securely access online services. A recent study highlighted that more than 80% of all hacking-related breaches happen due to compromised and weak credentials, with three billion username/password combinations stolen in 2016 alone.

As such, the implementation of two-factor authentication (2FA) has become a necessity. Generally, 2FA aims to provide an additional layer of security to the relatively vulnerable username/password system.

It works too. Figures suggest users who enabled 2FA ended up blocking about 99.9% of automated attacks.

But as with any good cybersecurity solution, attackers can quickly come up with ways to circumvent it. One way is to bypass 2FA by capturing the one-time codes sent as an SMS to a user’s smartphone.

Yet many critical online services in Australia still use SMS-based one-time codes, including myGov and the Big 4 banks: ANZ, Commonwealth Bank, NAB and Westpac.


So what’s the problem with SMS?

Major vendors such as Microsoft have urged users to abandon 2FA solutions that leverage SMS and voice calls. This is because SMS is renowned for having infamously poor security, leaving it open to a host of different attacks.

For example, SIM swapping has been demonstrated as a way to circumvent 2FA. SIM swapping involves an attacker convincing a victim’s mobile service provider that they themselves are the victim, and then requesting that the victim’s phone number be switched to a device of their choice.

SMS-based one-time codes have also been shown to be compromised through readily available tools such as Modlishka, which leverage a technique called reverse proxying. The tool sits between the victim and the service being impersonated and relays the communication between them.

So in the case of Modlishka, it intercepts the communication between a genuine service and a victim, and it tracks and records the victim’s interactions with the service, including any login credentials they may use.

In addition to these existing vulnerabilities, our team has found further vulnerabilities in SMS-based 2FA. One particular attack exploits a feature provided by the Google Play Store to automatically install apps from the web onto your Android device.

Due to syncing services, if a hacker manages to compromise your Google login credentials on their own device, they can then install a message mirroring app directly onto your smartphone.

If an attacker has access to your credentials and manages to log into your Google Play account on a laptop (although you will receive a prompt), they can then install any app they’d like automatically onto your smartphone.

The attack on Android

Our experiments revealed a malicious actor can remotely access a user’s SMS-based 2FA with little effort, through the use of a popular app (name and type withheld for security reasons) designed to synchronise users’ notifications across different devices.

Specifically, attackers can leverage a compromised email/password combination connected to a Google account (such as username@gmail.com) to nefariously install a readily-available message mirroring app on a victim’s smartphone via Google Play.

This is a realistic scenario since it’s common for users to use the same credentials across a variety of services. Using a password manager is an effective way to make your first line of authentication — your username/password login — more secure.

Once the app is installed, the attacker can apply simple social engineering techniques to convince the user to enable the permissions required for the app to function properly.

For example, they may pretend to be calling from a legitimate service provider to persuade the user to enable the permissions. After this they can remotely receive all communications sent to the victim’s phone, including one-time codes used for 2FA.

Although multiple conditions must be fulfilled for the aforementioned attack to work, it still demonstrates the fragile nature of SMS-based 2FA methods.

More importantly, this attack doesn’t need high-end technical capabilities. It simply requires insight into how these specific apps work and how to intelligently use them (along with social engineering) to target a victim.

The threat is even more real when the attacker is a trusted individual (e.g., a family member) with access to the victim’s smartphone.

What’s the alternative?

To remain protected online, you should check whether your initial line of defence is secure. First check your password to see if it’s compromised. There are a number of security programs that will let you do this. And make sure you’re using a well-crafted password.

We also recommend you limit the use of SMS as a 2FA method if you can. You can instead use app-based one-time codes, such as through Google Authenticator. In this case the code is generated within the Google Authenticator app on your device itself, rather than being sent to you.

However, this approach can also be compromised by hackers using some sophisticated malware. A better alternative would be to use dedicated hardware devices such as YubiKey.

The YubiKey, first developed in 2008, is an authentication device designed to support one-time password and 2FA protocols without having to rely on SMS-based 2FA.

These are small USB (or near-field communication-enabled) devices that provide a streamlined way to enable 2FA across different services.

Such physical devices need to be plugged into or brought into close proximity of a login device as a part of 2FA, therefore mitigating the risks associated with visible one-time codes, such as codes sent by SMS.

It must be stressed that an underlying condition of any 2FA alternative is that the user themselves must take some level of active participation and responsibility.

At the same time, further work must be carried out by service providers, developers and researchers to develop more accessible and secure authentication methods.

Essentially, these methods need to go beyond 2FA and towards a multi-factor authentication environment, where multiple methods of authentication are simultaneously deployed and combined as needed.


Syed Wajid Ali Shah, Research Fellow, Centre for Cyber Security Research and Innovation, Deakin University; Jongkil Jay Jeong, CyberCRC Research Fellow, Centre for Cyber Security Research and Innovation (CSRI), Deakin University, and Robin Doss, Research Director, Centre for Cyber Security Research and Innovation, Deakin University

This article is republished from The Conversation under a Creative Commons license. Read the original article.

Facebook videos, targeted texts and Clive Palmer memes: how digital advertising is shaping this election campaign


Andrew Hughes, Australian National University

This year’s election will be the first in Australia where the parties will be advertising more on social and digital platforms than traditional media (TV, radio, newspapers and magazines).

There are a few key reasons for this. First, cost-wise, social media is far cheaper, sometimes as low as a few cents per click. Unlike heritage media, digital and social is extremely targeted, and can be done in the “dark,” so your opponents may not even be aware of the message you are pushing out.

Digital and social advertising can also be shared or even created by users themselves, further increasing the reach of a party’s messaging. This gets around the Australian Electoral Commission rules on advertising – technically they are not ads since no party is paying for them to be shared on people’s feeds.

Throw into the mix laws on political advertising – which allow parties to advertise up to and on election day on social media, but not traditional media – and we are likely seeing the first largely digitally driven election campaign in Australian political history.


Here are a few ways the parties are using advertising in the campaign so far and what makes this election unique:

What you can do with A$30 million

Among all the candidates running this year, perhaps no one has used political advertising as prolifically as Clive Palmer. This shows what money can buy.

The most recent Nielsen figures put the cost of Palmer’s ads since September at around A$30 million, though Palmer says himself he’s spent at least A$50 million. This compares to just A$16 million spent in total advertising during the last federal election, with Labor and the Coalition accounting for more than 90% of that.

From a campaign perspective, Palmer is ticking many of the right boxes: a mix of different platforms on digital and social; heritage media ads for mass market awareness featuring candidates selected from the middle; the use of memes and user-generated content; and even text messaging.

This United Australia Party ad has over 2.4 million views on YouTube thus far, making it the most viewed election ad on the platform.

Despite the ubiquity of his ads, though, Palmer is still struggling to connect with most voters. This demonstrates a very important aspect to any advertising campaign: the actual brand still needs to be seen as offering real value to voters.

The UAP has used text messaging like this one below, for example, to try to change its negative perception with voters by delivering positive campaign promises.

UAP text message advertisement (ABC).

The ‘Grim Reaper’ strategy and micro-targeting

One of the most effective ads ever done in Australia was the “Grim Reaper” AIDS awareness campaign in 1987, which showed how well “scare campaigns” and negative messaging can work, given the right context and framing. The ad’s micro-messaging was another aspect that worked so well: it personalised the issue and made it tangible to anyone sexually active.

Basically, negative messaging works on the theory that what you fear, you will avoid – or the “fight or flight response”. Negative political ads highlight the level of risk and consequence of a certain party’s policies – and then emphasise how to avoid this by not voting for them.


Trouble is, most ads on TV are losing their potency. As attitudes towards political messaging and brands become increasingly negative, voters are less likely to watch ads in their entirety. Many people also don’t see them as being personally relevant.

Social media, though, provides an excellent delivery mechanism for these types of messages. Digital ads can be personalised and focused on issues that voters have already expressed an interest in and therefore find relevant to their lives.

Personalised messaging from the LNP on Facebook, targeting voters in the seat of Ryan in western Brisbane (Facebook Ad Library).

Social media ads can also be altered to be even more targeted as the campaign goes on, based on voter responses. And their speed of production – only taking a matter of hours to produce and place online – allows digital advertising to do what heritage no longer can and provide a more fluid, grassroots dynamic to campaigning.

This ad by Labor featuring Prime Minister Scott Morrison in bed with Palmer, for example, was released on social media within 24 hours of the preference deal struck between the Coalition and Palmer’s UAP.

Labor’s Facebook ad depicting Scott Morrison in bed with the UAP’s Clive Palmer over their preference dealing (Facebook).

That said, even on social media, negative advertising is not as effective if it just comes from the party itself. But when combined with information from third-party sources, such as from the media, this can increase the effectiveness. For example, the Liberal Party used the 10 Network image in this ad to support its claims on Labor’s tax policies.


Youth engagement

Youth voter enrolment is at an all-time high in Australia, driven, in part, by engagement and participation in the marriage equality plebiscite in 2017.

The major parties are aware of this and are creating ads specifically targeting this demographic on Snapchat, WhatsApp and Instagram. Some of these are “dark social” ads (meaning they can only be seen by the target market) or are user-made so not to be subject to disclosure rules.

For more general audiences, Labor has created ads like this one on Facebook that highlight issues young voters are concerned about, such as wage increases and penalty rates. Ads like this also attempt to engage with these voters by asking them to sign petitions – a form of experiential marketing that’s proved highly effective with young audiences, as seen through platforms such as Change.org.

Labor Facebook ad inviting voters to sign a petition demanding a higher wage (Facebook Ad Library).

Groups like the Australian Youth Climate Coalition are tapping into experiential marketing by combining online advertising with a call for offline action on issues that appeal to young voters, such as climate change. Part-rock concert, part-protest, these events might remind some of the rallies that proved so popular during the Gough Whitlam era.

The AYCC is using a combination of online and offline strategies to engage with young voters (Facebook Ad Library).

The increasing influence of lobbying groups

One of the more interesting developments of this election so far is the increasing sophistication, knowledge and strategies of political lobbying groups, or Australia’s equivalent to America’s PACs.

GetUp! is one such group, collecting A$12.8 million in donations in the last 12 months alone. Among the group’s tactics are direct phone calls to voters, partly achieved through “phone parties” where volunteers freely offer their time, phones and other resources to call people in targeted electorates. GetUp! has a goal of making 1 million phone calls in the lead-up to the election.

A GetUp! video ad encouraging voters to host ‘calling parties’

Other well-funded groups, such as the right-aligned Advance Australia, are also seeking to influence the narrative in the election, particularly in electorates like Warringah, where it has released ads against Tony Abbott’s challenger, Zali Steggall.

In part to counter the influence of lobbying groups, the Australian Council of Trade Unions has launched its own advertising campaign featuring working Australians describing how hard it is to make ends meet.

The ACTU’s “Change the Government, Change the Rules” campaign.

The rise of these groups in Australian politics opens a Pandora’s Box on just who can influence elections without even standing a single candidate – an issue that’s becoming part of politics now in many Western democracies. As many in politics would know, where there is money, there is power, and where there is power, there are those who are seeking to influence it.

Andrew Hughes, Lecturer, Research School of Management, Australian National University

This article is republished from The Conversation under a Creative Commons license. Read the original article.

4th century biblical manuscript now available online


The British Library has announced that the pages of a 4th-century biblical manuscript called the Sinaiticus Codex have been scanned and posted online after four years of work, reports Catholic News Agency.

The manuscript was written in Greek and dates to the time of the expansion of Christianity under Constantine. It can now be viewed with translations in English, German and Russian at www.codexsinaiticus.org.

For centuries it was kept at the monastery of St. Catherine on Mount Sinai, until it was divided up in the 19th century and sent to the University of Leipzig library in Germany, the National Library of Russia in St. Petersburg and the British Library. Some portions of the manuscript remained at the Mount Sinai monastery.

The project to digitalize the manuscript cost more than one million dollars.

The Codex, written by three scribes, also includes texts from the 1st century and is one of the best preserved manuscripts of the era.

Report from the Christian Telegraph 

MALAYSIA: COURT SET TO RULE ON USE OF ‘ALLAH’ AMONG NON-MUSLIMS


Judges to determine whether Malaysians of other faiths can use the Arabic word.

MUMBAI, India, July 6 (Compass Direct News) – With the Kuala Lumpur High Court in Malaysia scheduled to determine the legality of the word “Allah” in non-Muslim literature tomorrow, what is at stake goes beyond the sanctioned name for God among non-Muslims in the majority-Muslim nation.

Such a limit on free speech in Malaysia is especially biting for Muslim converts to Christianity; already the Malaysian government does not recognize their conversions and marriages and still considers their offspring to be legally Muslim. With non-Muslims increasingly feeling the sting of discrimination and Muslim elites feeling a need to assert a national Islamic identity, the skirmish over “Allah” is clearly part of a greater cultural war.

Malaysian authorities and Malaysia’s Roman Catholic Church have continued to lock horns over use of the word “Allah” in the Malay-language edition of the Herald, the church’s newspaper, as they await the ruling. The newspaper had been allowed to use the term until a final court decision, but the Kuala Lumpur High Court on May 30 overturned that brief reprieve.

The Catholic newspaper has provided a panoply of historical uses of “Allah” among Christians in Malaysia. The Rev. Lawrence Andrew, editor of the Herald, quotes examples from a Malay-Latin dictionary dated 1631, and the Dutch-Malay Dictionary of 1650 lists “Allah” as the vernacular translation for God.

“This is testified by the fact that we have a Malay-Latin Dictionary printed in 1631, in which the word ‘Allah’ is cited,” Andrew said. “To have a word in a dictionary means that that particular word has already been in use in the community prior to the dictionary. The word for ‘God’ in Latin is ‘Deus’ and in Malay, it is ‘Allah.’ Upon the arrival of the Dutch…a Dutch-Malay Dictionary was produced in 1650 where the word for ‘God’ in Dutch was ‘Godt,’ and in Malay, ‘Allah.’”

According to church sources, the Malay term for “God,” Tuhan, came into vogue only after deadly May 13, 1969 communal riots as part of a national unity campaign.

Andrew noted that “Allah” is an Arabic term derived from the same roots as the Hebrew Elohim, and that the word pre-dates Muhammad, Islam’s prophet. Besides ignoring history, Andrew says, the government also conveniently ignores its universal use among Christians in the Middle East.

“Since the status quo remains, we will not use the word ‘Allah’ in our publication” until the court says otherwise, Andrew said. “In fact we have not been using it since our January edition.”

Since 1970, the government of Malaysia has consistently championed Islam as a parallel source of identity and nationalism among the politically dominant Malay-Muslim majority. Dress codes, cultural norms and the Malay language underwent a rapid Islamization in tandem with discriminative actions against minority groups.

Christians were particularly hard-hit by the effort in the name of national unity. Licences are rarely issued for church buildings in the capital city, Kuala Lumpur. New evangelical congregations had to meet at either hotels or warehouses for their Sunday services while Islamic semiotics and terminologies swamped the intellectual and official discourse. Conversions of Christians to Islam were particularly trumpeted by the media.

These efforts have largely failed. Local churches continued to grow, and the number of secret Muslim converts to Christianity began to rise.

At the same time, pandemic corruption and political authoritarianism have gradually led to a sense of disenchantment with political Islam among many. This erosion in Malay-Islam dominance has led to political bankruptcy, as evidenced by disastrous results for the ruling coalition during March 2008 general elections.

Given these political realities, Malay elites believe they can ill afford to be seen as soft on minority “encroachment,” and observers say this need to ingratiate Islamists lies at the root of the tussle over non-Muslim use of the word “Allah.” Officially, however, the government says only that use of the word among non-Muslims could create “confusion” among Muslims.

The Herald has a circulation of 13,000 and an estimated readership of 50,000. The newspaper is sold in Catholic churches and is not available from newsstands.

Malaysia’s population is about 60 percent Muslim, 19 percent Buddhist and 9 percent Christian. About 6 percent are Hindu, with 2.6 percent of the population adhering to Confucianism, Taoism and other traditional Chinese religions.

Arabicization of Malay Language

The debate over “Allah” follows an effort by the government to promote the Arabicization of the Malay language at the expense of Sanskrit and Malay terms. When a Malaysian student has to refer to a pig in an essay or test, the required term is the Arabic khinzir.

Other Malay terms such as pokok (tree) and bunga (flower), long used to refer to loan principal and interest respectively, have been expunged from school texts in favor of the Arabic kaedah (base) and faedah (benefit).

Some sources indicate that the Arabicization of the Malay language, however, has come with unintended consequences, such as making Christian mission work and translation easier. Since the Malay vocabulary has its limitations, Christians can use time-tested Arabic-derived terms to provide meaningful context.

For a long time, the only Malay Bible available in Malaysia was the Indonesian “Al Kitab,” which included the word “Allah.” As Bahasa Malaysia (the official name of the Malay language in Malaysia) and Bahasa Indonesia are very similar, the “Al Kitab” can be easily understood by a native speaker of Malay. As a result, the “Al Kitab” was viewed as an unwelcome missionary tool by Malaysian authorities. Its legal status was heatedly contested behind closed doors during the 1981-2003 reign of then-Prime Minister Mahathir bin Mohamad.

Significant Christian indigenous populations in East Malaysia use Bahasa Malaysia as a language of wider communication. The Malay-language content of the Herald reportedly serves just that need: using the national language with universal terms across a multi-lingual Babel of tribal Catholic communities in East Malaysia.

Report from Compass Direct News 

BAD EXAMPLES DO NOT INVALIDATE THE VALUE OF PRIESTLY CELIBACY


Bishop Juan Ruben Martinez of Posadas in Argentina said celibacy cannot be reduced to a “mere imposition of the Church” and that “bad examples and even our own limitations do not invalidate the contribution of so many who, in the past and today, give their lives for others,” reports Catholic News Agency.

Bishop Martinez said that a “materialistic vision” of man that is based solely on “instinct and the physiological” makes it difficult to see these values as a “gift of God” and an “instrument of service to humanity and to the common good.” He recognized that “from materialistic anthropology, celibacy and monogamous marriage tend to be considered as something unnatural.” However, he warned, “To reduce celibacy to a mere imposition of the Church is in fact to insult our intelligence and Christ himself who was ‘the eternal high priest,’ ‘celibate,’ and gave his life for all of us, and he himself recommended it. It is to insult the biblical texts which show great respect for celibacy and chastity for the sake of the Kingdom of Heaven, and it insults the Fathers, doctors and pastors of the Church from apostolic times to the present.”

“Uniting celibacy with the priestly ministry is a more radical Gospel choice made by the Church based on her authority and supported by the Word of God and the testimony of the saints and of so many men and women who, throughout history, strove and strive through this gift and even through their own frailties to give everything exclusively to God and his people. Bad examples and even our own limitations do not invalidate the contribution of so many who, in the past and today, give their lives for others,” the bishop said.

He went on to note that only on the basis of faith can we have “a profound understanding of issues such as life, the family, marriage, the Church and her mission, the priesthood and celibacy.”

Bishop Martinez encouraged Catholics to pray for vocations to the priesthood and religious life, “trusting in the initiative of God and man’s response,” and he thanked God, who continues to call young people to consecrate themselves to God and their brothers and sisters. “They respond to the call because they believe in love,” he said.

Report from the Christian Telegraph

ISRAELI ARCHAEOLOGISTS WORK ON ‘FURTHER EVIDENCE’ OF HEROD’S TOMB


Israeli archaeologists at Jerusalem’s Hebrew University are working on what they believe is further proof that a site uncovered in 2007 is the tomb of King Herod, the king of Judea, whose actions are noted in New Testament texts of the Bible, reports Ecumenical News International.

Based on studies of architectural elements uncovered at a mausoleum they discovered in 2007 at Herodium, about 15 kilometres south of Jerusalem, researchers have determined the structure was a lavish two-story building with a concave-conical roof.

Report from the Christian Telegraph

SIMPLE SIGNPOSTS TO THE CELESTIAL CITY 001: Jesus the Only Way to God (John 14:6) – Albert N. Martin


This is the first in a series of sermons by Albert N. Martin on Scriptural texts that epitomise the Gospel.

This is a very good and simple sermon declaring the Gospel from John 14:6. Pastor Martin fairly clearly expounds the practical sense and meaning of Jesus being the Way, the Truth and the Life exclusively.

The link below leads to an mp3 file of the sermon:

http://www.sermonaudio.com/sermoninfo.asp?SID=9140313751