1/ Yesterday night, I analysed "COVID-19 Gov PK", the official #Covid19 mobile app made by the Pakistani government. Hardcoded passwords, insecure connections, privacy issues, ... nothing is ok with this app.
Want to see this horror? Follow me ⬇️
2/ This app, made by the Ministry of IT and Telecom with National Information Technology Board, is available on the PlayStore and has been downloaded more than 500,000 times.
3/ It's NOT a contact tracing app. It gives access to dashboards for each province and state, you can do a self-assessment, get radius alert, get a popup notification reminding the user of their personal hygiene (wut?).
4/ When you open the app, it requests a token from the pak gov server with hardcoded credentials: CovidAppUser / CovidApi!@#890#
5/ Because hardcoded credentials seem to be a thing in Pakistan, when the app requests the position of infected people on the map, they used another set of hardcoded creds: ApiUser / ApiUser@1234#
6/ The 1st request made by the app is, ofc, an insecure request
7/ In the "Radius Alert" tab you can get a map of infected people. Ofc, the exact coordinates of infected people are downloaded by the app 🤦‍♂️
Sick people deserve privacy
8/8 To sum up, in "COVID-19 Gov PK" we found:
- hardcoded passwords
- insecure requests
- privacy issue
Thanks for the good laugh, you are the worst #Covid19 app I analysed
Today, the @FBI announced the arrest of RUI-SIANG LIN, a/k/a “Ruisiang Lin,” a/k/a “林睿庠,” a/k/a “Pharoah,” a/k/a “faro,” in connection with his operation and ownership of “Incognito Market,” an online dark web narcotics marketplace
Our starting point will be the specially designated nationals list. It gives 2 email addresses linked to Lockbitsupp:
- khoroshev1@icloud.com
- sitedev5@yandex.ru
According to Jon Di Maggio from @Analyst1:
- Bassterlord is a ransomware affiliate who runs his team, known as the National Hazard Agency. Originally, he was a junior team member, but as time progressed, he moved up the ranks and is now its leader.
- Bassterlord partnered with at least four ransomware gangs: REvil, RansomEXX, Avadon and LockBit.
- Bassterlord is a Caucasian male around 27 years old, born, raised, and living in Lugansk, Ukraine. He operates on Russian underground forums under the monikers “Fisheye,” “Bassterlord,” “Buster,” and “National Hazard Agency,” which is also the name of his team.
Right. We need to talk about the “hack” of the 600k CAF accounts.
Once again, all sorts of nonsense has been said. Let's sum up the situation ⬇️
On Monday, February 12, the official Twitter account of the lulzsec fr group posted the following tweet, quickly followed by another tweet with an additional screenshot from an account called kizarush
1. We note that these 2 tweets were not particularly widely shared.
2. We see 4 screenshots, of the dashboards of 4 accounts.
3. In the 2nd tweet, we see a blurred text file.
That is the raw information. Nothing more than that.
When you assess the reliability of a piece of information, you have to take 2 things into account: 1. The reliability of the source of the information 2. The credibility of the information
You never take the information you receive at face value. Never. Never.
Information coming from social networks is by nature of lower “quality”.
- Olvid is a good messaging solution for communications within a small circle, a community. I know the person, I exchange my QR code with them in person and I start the conversation
1/n
- Olvid has no central server that makes it possible to find out who has an account on Olvid. That is a good thing in terms of privacy
BUT
It is a huge obstacle in terms of vitality.
2/n
Direct consequence: Olvid will never be WhatsApp, nor Signal or Telegram.