https://f-droid.org/packages/opencontacts.open.com.opencontacts

We should not be sharing our contact information online. So, keep your contacts safe in a different database. This app saves contacts in its own database separate from android contacts. This way no other app would be able to access contacts. 

Adaway update version 4.2.1

Changelog 04.02.2019

👉Add hosts source download cache
👉Add snackbar notification to update host from DNS request listing
👉Update UI from Material Design to Material Theming
👉Update gradle, plugins and dependencies
👉Fix crash parsing not defined host source last modified date
👉Fix native modules build script (required for F-Droid build server)
👉Fix Transifex issues
#adaway #adblock #update

Facebook Struggles in Privacy Class-Action Lawsuit

Facebook's privacy disclosures "are quite vague" and should have been made more prominent, a federal judge argued.

Facebook, in the midst of a class-action privacy lawsuit, was dealt a blow last week when US District Judge Vince Chhabria argued its privacy policies and practices cause users harm.
https://www.darkreading.com/endpoint/facebook-struggles-in-privacy-class-action-lawsuit/d/d-id/1333786?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Read Via Telegram

📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE

Evidence and proof of concept that keweon Online Security is not as secure as claimed by its developer.

After a group of independent IT and cyber security specialists proved that keweon is not as secure as claimed by the developer, they confronted the developer with the results and reminded him of a bet. All keweon support groups on TG then were deleted by the developer personally and without further explanation on the morning of February 4, 2019.

We all know by now that the way keweon DNS works is based on users using keweon's DNS and the keweon root certificate.
What has now been proven is exactly what keweon could do with its users, but Torsten vehemently denies and claims "that's impossible" and "that doesn't work":

1. get users to use your DNS server.
2. get users to use your root certificate.
3. redirecting a page, e.g. mybank.com, to one of the keweon servers (by changing the DNS record)
4. issue your own SSL certificate for the website, users have installed your Root-CA and so this is not a "witch work"
5. read username/password from the connection (if 2FA is used, just wait until the user logs in and use the token again quickly as it is valid for 30 seconds).

We now have proof that this is possible without a doubt. In fact, this is a classic MITM attack, and anyone who denies that it is possible either has no idea (you shouldn't assume this from Torsten) or is trying to hide something from his users.

The developer of keweon has repeatedly asserted and insisted that a root certificate cannot intercept connections or collect data.

Quote from the keweon developer with his PayPal bet:
"Prove that to me. Give me any DNS and a root certificate and try to get my PayPal data.
I'll then even contact you when I sign up for PayPal. If you manage to get my PayPal data this way, you can log in and transfer 500 Euro to your account. I have made this offer very often and this is a serious offer from my side."

Unfortunately the developer of keweon didn't contribute his part to the test as he promised so often and of course he didn't log into Paypal via our provided DNS and root certificate.
The only reaction on his part was, apart from some insults, the deletion of all keweon groups on TG.

The security test of the keweon servers also revealed that under certain conditions connections are even redirected to keweon's own termination server and answered with 1x1 pixel gifs.
The fact is that the requests contain tracking IDs that can be easily managed from these servers.

So even Torsten's statement that the keweon SSL server only terminates requests with empty (0 byte) responses is wrong.
This again contradicts Torsten's own statement.

The point now is that the developer of keweon Online Security is actively trying to deny that it is possible for him to abuse the root certificate, although it has now been proven that it is actually possible for him to do exactly that with the keweon root certificate and its users.

Until the developer decides to disprove the accusations made against keweon Online Security or can prove that the accusations against him are unfounded, it is advisable for obvious reasons of security not to use keweon Online Security for the time being.

Anyone who is interested in repeating this test can do so at:
https://keweonwette.info.tm, where you will find a DNS and a root certificate, same as with keweon Online Security.
Furthermore there is a real-time log about recorded connections.
Everything else can be found there.
Please be careful not to use your correct email address or password for this test!
#keweon #test #bet #evidence #ProofOfConcept

DNS And Root Certificates - What You Need To Know

Due to recent events we felt compelled to write an impromptu article on this matter. It's intended for all audiences so it will be kept simple - technical details may be posted later.

1. What Is DNS And Why Does It Concern You?

DNS stands for Domain Name System and you encounter it daily. Whenever your web browser or any other application connects to the internet it will most likely do so using a domain. A domain is simply the address you type: i.e. duckduckgo.com. Your computer needs to know where this leads to and will ask a DNS resolver for help. It will return an IP like 176.34.155.23; the public network address you need to know to connect. This process is called a DNS lookup.

There are certain implications for both your privacy and your security as well as your liberty:

- Privacy

Since you ask the resolver for an IP for a domain name, it knows exactly which sites you're visiting and, thanks to the "Internet Of Things", often abbreviated as IoT, even which appliances you use at home.

- Security

You're trusting the resolver that the IP it returns is correct. There are certain checks to ensure it is so, under normal circumstances, that is not a common source of issues. These can be undermined though and that's why this article is important. If the IP is not correct, you can be fooled into connecting to malicious 3rd parties - even without ever noticing any difference. In this case, your privacy is in much greater danger because, not only are the sites you visit tracked, but the contents as well. 3rd parties can see exactly what you're looking at, collect personal information you enter (such as password), and a lot more. Your whole identity can be taken over with ease.

- Liberty

Censorship is commonly enforced via DNS. It's not the most effective way to do so but it is extremely widespread. Even in western countries, it's routinely used by corporations and governments. They use the same methods as potential attackers; they will not return the correct IP when you ask. They could act as if the domain doesn't exist or direct you elsewhere entirely.

2. Ways DNS lookups can happen

2.1 3rd Party DNS Resolvers Hosted By Your ISP

Most people are using 3rd party resolvers hosted by their internet service provider. When you connect your modem, they will automatically be fetched and you might never bother with it at all.

2.2 3rd Party DNS Resolver Of Your Choice

If you already knew what DNS means then you might have decided to use another DNS resolver of your choice. This might improve the situation since it makes it harder for your ISP to track you and you can avoid some forms of censorship. Both are still possible though, but the methods required are not as widely used.

2.3 Your Own (local) DNS Resolver

You can run your own and avoid some of the possible perils of using others'. If you're interested in more information drop us a line.

3. Root Certificates

3.1 What Is A Root Certificate?

Whenever you visit a website starting with https, you communicate with it using a certificate it sends. It enables your browser to encrypt the communication and ensures that nobody listening in can snoop. That's why everybody has been told to look out for the https (rather than http) when logging into websites. The certificate itself only verifies that it has been generated for a certain domain. There's more though:

That's where the root certificate comes in. Think of it as the next higher level that makes sure the levels below are correct. It verifies that the certificate sent to you has been authorized by a certificate authority. This authority ensures that the person creating the certificate is actually the real operator.

This is also referred to as the chain of trust. Your operating system includes a set of these root certificates by default so that the chain of trust can be guaranteed.

#dns

3.2 Abuse

We now know that:

- DNS resolvers send you an IP address when you send a domain name
- Certificates allow encrypting your communication and verify they have been generated for the domain you visit
- Root certificates verify that the certificate is legitimate and has been created by the real site operator

How can it be abused?

- A malicious DNS resolver can send you a wrong IP for the purpose of censorship as said before. They can also send you to a completely different site.

- This site can send you a fake certificate.

- A malicious root certificate can "verify" this fake certificate.

This site will look absolutely fine to you; it has https in the URL and, if you click it, it will say verified. All just like you learned, right? No!

It now receives all the communication you intended to send to the original. This bypasses the checks created to avoid it. You won't receive error messages, your browser won't complain.

All your data is compromised!

4. Conclusion

4.1 Risks

- Using a malicious DNS resolver can always compromise your privacy but your security will be unharmed as long as you look out for the https.
- Using a malicious DNS resolver and a malicious root certificate, your privacy and security are fully compromised.

4.2 Actions To Take

Do not ever install a 3rd party root certificate! There are very few exceptions why you would want to do so and none of them are applicable to general end users.

Do not fall for clever marketing that ensures "ad blocking", "military grade security", or something similar. There are methods of using DNS resolvers on their own to enhance your privacy but installing a 3rd party root certificate never makes sense. You are opening yourself up to extreme abuse.

5. Seeing It Live

5.1 WARNING

A friendly sysadmin provided a live demo so you can see for yourself in realtime. This is real.

DO NOT ENTER PRIVATE DATA!

REMOVE THE CERT AND DNS AFTERWARDS

If you do not know how to, don't install it in the first place. While we trust our friend you still wouldn't want to have the root certificate of a random and unknown 3rd party installed.

5.2 Live Demo

Here is the link: https://keweonbet.info.tm/

- Set the provided DNS resolver
- Install the provided root certificate
- Visit https://paypal.com and enter random login data
- Your data will show up on the website

6. Further Information

If you are interested in more technical details, let us know. If there is enough interest, we might write an article but, for now, the important part is sharing the basics so you can make an informed decision and not fall for marketing and straight up fraud. Feel free to suggest other topics that are important to you.

All content is licensed under CC BY-NC-SA 4.0. (Attribution-NonCommercial-ShareAlike 4.0 International https://creativecommons.org/licenses/by-nc-sa/4.0/)

By @privacytoday

#dns

OpenWPM

OpenWPM is a web privacy measurement framework which makes it easy to collect data for privacy studies on a scale of thousands to millions of websites. OpenWPM is built on top of Firefox, with automation provided by Selenium. It includes several hooks for data collection. Check out the instrumentation section below for more details.

https://github.com/mozilla/OpenWPM

📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE

📺 Goodbye Big Five (Week 4: Microsoft)

Reporter Kashmir Hill spent six weeks blocking Amazon, Facebook, Google, Microsoft, and Apple from getting her money, data, and attention, using a custom-built VPN. Here’s what happened.

I am on a mission to live without the tech giants, to discover whether such a thing is even possible. Not just through sheer willpower but technologically, with the use of a custom-built tool that would literally prevent my devices from accessing these companies, and them from accessing me and my data.
https://gizmodo.com/i-cut-microsoft-out-of-my-life-or-so-i-thought-1830863898

📡 @cRyPtHoN_INFOSEC_DE
📡 @cRyPtHoN_INFOSEC_EN

📺 Goodbye Big Five (Week 5: Apple)

Reporter Kashmir Hill spent six weeks blocking Amazon, Facebook, Google, Microsoft, and Apple from getting her money, data, and attention, using a custom-built VPN. Here’s what happened.

I am on a mission to live without the tech giants, to discover whether such a thing is even possible. Not just through sheer willpower but technologically, with the use of a custom-built tool that would literally prevent my devices from accessing these companies, and them from accessing me and my data.
https://gizmodo.com/i-cut-apple-out-of-my-life-it-was-devastating-1831063868

📡 @cRyPtHoN_INFOSEC_DE
📡 @cRyPtHoN_INFOSEC_EN

iOS, The Future Of macOS, Freedom, Security And Privacy In An Increasingly Hostile Global Environment

This post by a security researcher who prefers to remain anonymous will elucidate concerns about certain problematic decisions Apple has made and caution about future decisions made in the name of “security” while potentially hiding questionable motives. The content of this article represents only the opinion of the researcher. The researcher apologises if any content is seen to be inaccurate, and is open to comments or questions through PGP-encrypted mail.

⛔️iOS subliminally and constantly collects sensitive data, links it to hardware identifiers almost guaranteed to link to a real identity

⛔️iOS forces users to “activate” devices (including non-cellular) which sets up a remote UUID-linked (also collecting registration IP) database for a given device with Apple for APNS/iMessage/FaceTime/Siri, and then Apple ID, iCloud etc. Apple ought be open to users about “activation” and allow users to avoid it.

⛔️Apple Activation servers are accessed via Akamai, which means sensitive data may be cached by Akamai and its’ peering partners' which includes many global ISPs and IXPs

⛔️Risk that macOS could be iOS-ified in the near future in the name of “security” while ignoring significant flaws in iOS’ design wrt privacy, forcing users to unnecessarily trust Apple with potentially sensitive data in order to even simply use devices.

⛔️Controversial, draconian surveillance laws being implemented worldwide which could take advantage of Apple’s data collection and OS design choices, notably in, but not limited to, China, one of Apple's largest markets.

❗️If iOS is to really be considered a secure OS, and if vanilla macOS is to become more secure, independent end-user control must be considered. Increased low-level design security at the cost of control, and the ability to prevent leaking data, cannot be considered a real improvement in security.

Much more info and source: https://gist.github.com/iosecure/357e724811fe04167332ef54e736670d

#iOS #macOS #freedom #security #privacy

🇬🇧 Keweon Root Certificate Checker

Here you can check if your system is compromised by the currently most prevalent perpetrator. This check may be eventually blocked by them, don't rely on it. There is more than one person or group trying to undermine basic security, this is by no means a novel idea.

🇩🇪 Keweon Root Zertifikat Test

Hier können Sie testen ob Sie von dem aktuell prävalenten Angreifer kompromittiert wurden. Dieser Test kann früher oder später von demselben geblockt werden, also verlassen Sie sich nicht darauf. Es versuchen mehr als eine Person oder Gruppe grundlegende Internetsicherheit zu unterwandern, dies ist bei Weitem keine neuartige Idee.

✅ Test/Check at:
https://https-interception.info.tm/test.html

✅ DNS + Root Certificate Hijack Proof And Demonstration:
https://https-interception.info.tm/

#keweon #test #evidence #ProofOfConcept #dns

Germany as a pioneer when it comes to limiting Facebook's data collection madness.
Will other countries now follow them restricting Facebook's data collection madness?

German Cartel Office restricts data collection from Facebook

Facebook has a dominant market position in Germany - and abuses it:
This has now been decided by the Bundeskartellamt. It prohibits the merging of data, Whatsapp and Instagram are also affected.

❗️The Bundeskartellamt has prohibited Facebook from collecting data outside the online network, for example with the Like button, because it sees unfair competition in it. Facebook has a dominant position in Germany and abuses it, the authority declared on 7 February 2019.

The Cartel Office also prohibited Facebook from merging the data collected on third-party websites with information collected from the users themselves on the platform of the online network. The authority also considers apps belonging to the group, such as Instagram and Whatsapp, to be third-party sources.

👉 https://www.golem.de/news/like-kartellamt-schraenkt-datensammelei-von-facebook-ein-1902-139243.html
👉 https://t.iss.one/cRyPtHoN_INFOSEC_DE/2087

#Facebook #Bundeskartellamt #Cookies #Datenschutz #Datensicherheit #Instagram #Messenger #SozialesNetz #Whatsapp
#Internet #DeleteFacebook #DeleteWhatsapp
📡 @cRyPtHoN_INFOSEC_DE
📡 @cRyPtHoN_INFOSEC_EN

Signature spoofing for MicroG fixed... Finally

28 Fake Apps removed from Google Play Store post Quick Heal Security Lab reports

Quick Heal Security Lab has spotted 28 Fake Apps with over 48,000+ (all together) installations on Google Play Store. Google play has removed a total of 28 fake apps from the Play Store after reports by Quick Heal Security Lab. The apps do not have any legitimate functionality related to…

https://blogs.quickheal.com/28-fake-apps-removed-google-play-store-post-quick-heal-security-lab-reports/

#google #fake #vulnerability
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE

OpenVPN vs IPSec, WireGuard, L2TP, & IKEv2 (VPN Protocols 2019)

What are VPN protocols and why do you need to understand the different options?
— What is IPSec?
👉 https://t.iss.one/BlackBox_Archiv/66

— What is IKEv2/IPSec?
— L2TP/IPSec
👉 https://t.iss.one/BlackBox_Archiv/67

—WireGuard
— PPTP
— SSTP
👉 https://t.iss.one/BlackBox_Archiv/68

— OpenVPN UDP vs OpenVPN TCP
— What is the best VPN protocol?
— VPN protocols conclusion
👉 https://t.iss.one/BlackBox_Archiv/69

#OpenVPN #IPSec #L2TP #IKEv2 #WireGuard #guide
📡 @cRyPtHoN_INFOSEC_DE
📡 @cRyPtHoN_INFOSEC_EN

How Android Q improves Privacy and Permission Controls over Android Pie

https://www.xda-developers.com/android-q-privacy-permission-controls

#android #q #permissions

The Big DNS Privacy Debate at FOSDEM

https://blog.powerdns.com/2019/02/07/the-big-dns-privacy-debate-at-fosdem

HN comments:
https://news.ycombinator.com/item?id=19104167


#dns #doh #fosdem

🇬🇧 Surveillance — Self-Defense
Your Security Plan

Trying to protect all your data from everyone all the time is impractical and exhausting. But, have no fear! Security is a process, and through thoughtful planning, you can put together a plan that’s right for you. Security isn’t just about the tools you use or the software you download. It begins with understanding the unique threats you face and how you can counter those threats.
🇬🇧👉 https://t.iss.one/BlackBox_Archiv/71

🇩🇪 Überwachung — Selbstschutzmaßnahmen
Ihr Sicherheitsplan

Der Versuch, alle Ihre Daten jederzeit vor jedem zu schützen, ist unpraktisch und anstrengend. Aber haben Sie keine Angst! Sicherheit ist ein Prozess, und durch eine durchdachte Planung können Sie einen Plan zusammenstellen, der für Sie geeignet ist.
🇩🇪👉 https://t.iss.one/BlackBox_Archiv/73

#Surveillance #SelfDefense #SecurityPlan #Security
📡 @cRyPtHoN_INFOSEC_DE
📡 @cRyPtHoN_INFOSEC_EN