Credit Card Scam

This morning I received a text message from what I thought was a potential client. It took some time, but I later found out that it was a decently executed credit card scam. This post shows what transpired, and will hopefully help you avoid being deceived by a scam such as the one below.

The text message came early in the morning, at 7:30am. It was poorly written, but it was a text message, so that wasn’t too surprising. The potential client gave his name, said he was hearing impaired, and asked if Shreveport IT Solutions could design a website for a new company and if we accept credit cards. (Nothing strange so far.)

“Hi,Am Jones W*****s am hearing impaired.i wanna know if u can handle website design for a new company and if u accept credit cards ?”

I sent an initial response and suggested that we continue by e-mail, an easier medium for typing long-form text. (Standard response.)

“Hi Mr. Williams, yes we can Design and Develop websites. We also accept credit cards. If you would like to email the details of what you need to we can create a bid and timeline for you.”


I started to become a little suspicious when he responded insisting that we continue to use text messages, but I continued.

“i can text you the detail here now”


“Ok, great. So what is the business name?”


The next string of messages was what made me seriously believe that this was a legitimate client.

Web Design

have small scale business which i want to turn into large scale business now it located in TN and the company is based on importing and exporting of Agriculture products such as Kola Nut, Gacillia Nut and Cocoa so i need a best of the best layout design for it.

the site would only be informational, so i need you to give me an estimate based on the site i gave you to check out, the estimate should include hosting and i want the same page as the site i gave you to check out and i have a private project consultant, he has the text content and the logos for the site.

Can you handle that for me ?. so i need you to check out this site but i need something more perfect than this if its possible .http://www.*******.com….


  1. I want the same number of pages with the example site i gave you to check excluding videos and blogs.
  2. I want only English language
  3. I don’t have a domain yet but i want the domain name as ********.com
  4. you will be updating the site for me.
  5. i will be proving the images, logos and content for the site.
  6. i want the site up and running before ending of next month.
  7. My budget is $**** to $****

Kindly get back to me with:

(1) an estimate

The detail in what he said led me to believe that this was going to be a solid deal. The website he sent that he wanted to emulate was a good site, the budget was on point, and the rest of the information sounded good for an initial starting point. I reviewed it and sent him back a bid.

“Going by what the site provided shows, about 15 pages and the blogs $**** + $**** a year for hosting fees + $**** a year for website support.
Total $
$***** for design and development.
$**** a month for hosting and website support (updates and changes) Domain name purchase is separate and price varies by website name. ******.com is auctioning at $***** right now. ***** is going for $****** *******.com is already taken.”

So far the entire conversation was a little strange but still sounded fairly normal. At this point his responses turned to what I considered to be an obvious scam.

Thanks for your response, i am okay with the estimate and i wanna proceed so i will be depositing $**** using credit card so work can commence ASAP, i understand the content for this site would be needed so as for the job to commence so regarding the content i will need a Lil favor from you would be a deposit payment for my website design and the remaining $***** you would help me send it to the project consultant that has the text content and the for surgery so i will be glad if you can help me out with this favor,The favor i need from you is. i would give you my card info’s to charge for $****.so $**** log and the reason i need this favor from you is because the consultant does not have the facility to charge credit cards and i also am presently in the hospital for my website so once he has the $**** he would send the text content and logo needed for my website to you also the funds would be sent to him via cash deposit into his account,sending of funds would be after funds clear into your own account and also $100tip for your stress

I’m not going to claim to know exactly how this would have worked, but I knew a few things were definitely off. My list of small strange things, when added to the request to send cash funds to his private consultant, added up to a scam.

My list of oddities:

1. Text only. — I understand the need to communicate in written form because of physical impairments, but e-mail is a more appropriate medium.

2. The lack of a company name. — In some circumstances a company will withhold company names or locations without a signed NDA (Non-Disclosure Agreement). The issue with this is that he claimed to be the owner, so there was no reason to withhold the name; also, he never asked for an NDA.

3. The money aspects. — There are a few issues here. 1: He offered up his highest budget amount within 10 minutes of talking with me and didn’t ask for a bid or quote before telling me. 2: Once I sent him the bid, he offered up more than 50% of the money immediately without asking for a contract or how the price should be paid out. 3: The biggest issue: the request to send us extra money to then cash and send to his still-unnamed private consultant. 4: Offering a $100 tip on top of the agreed bid.

4. The hospital notations. — The fact that he said he was in the hospital and unable to get any money to the consultant was strange. It also seemed to be a pull on the sympathy strings.

All of those issues led me to call the local police and express my concerns that it was a scam. The police instructed me to stop communication. They did not request any further information. (I’m sure this is not a rare occurrence for them.)

Here is how the rest of the conversation played out.

“I am sorry sir, our company can not accommodate that. Any transactions between you and the private consultant would need to be made between your two parties.”

i want you too help me with this because right now am in the Hospital

“I am sorry to hear that, but our company cannot do business that way. I hope you find someone to build your site for you. I hope you get better soon.”

I hope that this information is helpful.


Written By: Paul Groven


Malicious intent can turn Chrome speech recognition into spying device


A speech recognition expert contends malicious players can turn Google’s Chrome web browser into a remote listening device.


Chrome microphone 1.jpg

Last year around this time, Google updated Chrome, adding a unique feature to the company’s web browser—Speech Recognition. Six months later, Tal Ater, a subject-matter expert in this field, discovered what he considered a serious breach of security in the Chrome web browser, and the culprit was speech recognition.

How Chrome’s speech recognition works

Google created a speech-recognition Application Programming Interface (API) that tells developers building websites how to interact with Google Chrome and the computer’s microphone. The whole purpose is to give visitors to the website the ability to control their experience using voice commands rather than having to type or click.

What makes the feature interesting is that Google transcribes the voice command into text. After transcription, Chrome sends the text to the website, where the web server deciphers the command and then executes it. Visiting this link will demonstrate the speech-recognition API.

Ater’s contention

When visitors first arrive at a speech-recognition enabled website, they are offered a choice: interact with the website normally, or give the website permission to use the microphone.


Chrome microphone 2.jpg

There should be an indication similar to the slide seen above, notifying the user that the microphone is active. Ater’s security concern centers on how a website can enable the microphone without advertising that it is active. One example was what he called a pop-under window:

“When you click the button to start or stop the speech recognition on the site, what you won’t notice is that the site may have also opened another hidden pop-under window. This window can wait until the main site is closed, and then start listening in without asking for permission. This can be done in a window that you never saw, never interacted with, and probably didn’t even know was there.”

This may be a bit difficult to visualize. To clarify the process, Ater created a YouTube video showing how the pop-under window works.

Bottom line, if Ater’s contention is valid, putting Chrome’s speech-recognition API in the hands of an ill-intentioned website developer could turn a remote computer’s Chrome web browser and built-in microphone into a listening device.
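The flow the article describes (Chrome hands the page a transcript, and the page acts on it) is where a site's own code decides how much exposure the visitor has. The following is an added example, not code from the article, from Google, or from Tal Ater: a small wrapper around a SpeechRecognition-style object that stops listening the moment the page is no longer visible (so a backgrounded or pop-under window cannot keep the microphone open), keeps a `listening` flag the page can render as an always-visible indicator, and maps transcripts through an allowlist instead of treating them as free-form commands. The recognizer and document are injected, so the same code runs in a browser with `window.webkitSpeechRecognition` and `document`, or under Node with the constructed fakes at the bottom; the command names and the fakes are assumptions made for the example.

```javascript
// Added example (not the article's, Google's or Tal Ater's code).
// Assumed allowlist: transcript phrase -> action the page is willing to perform.
const ALLOWED_COMMANDS = new Map([
  ['scroll down', 'SCROLL_DOWN'],
  ['scroll up', 'SCROLL_UP'],
  ['open menu', 'OPEN_MENU'],
]);

function normalizeTranscript(text) {
  // Collapse case, punctuation and whitespace so "Scroll   Down." matches the allowlist.
  return text.toLowerCase().replace(/[^a-z ]/g, '').replace(/\s+/g, ' ').trim();
}

class GuardedSpeechController {
  constructor(recognizer, doc, onCommand) {
    this.recognizer = recognizer;
    this.doc = doc;
    this.onCommand = onCommand;
    this.listening = false;   // render a visible "microphone on" indicator from this
    this.rejected = [];       // transcripts that matched no allowed command

    recognizer.onresult = (event) => this.handleResult(event);
    recognizer.onend = () => { this.listening = false; };
    // A page the user cannot see must never be listening: stop on any visibility loss.
    doc.addEventListener('visibilitychange', () => {
      if (doc.visibilityState !== 'visible') this.stop();
    });
  }

  start() {
    // Call this only from an explicit user gesture; refuse to start on a hidden page.
    if (this.doc.visibilityState !== 'visible') return false;
    this.recognizer.start();
    this.listening = true;
    return true;
  }

  stop() {
    if (!this.listening) return;
    this.recognizer.stop();
    this.listening = false;
  }

  handleResult(event) {
    if (!this.listening) return null;   // ignore anything after the session was closed
    // Web Speech API shape: results[i][0].transcript; act on the most recent result only.
    const last = event.results[event.results.length - 1];
    const phrase = normalizeTranscript(last[0].transcript);
    const action = ALLOWED_COMMANDS.get(phrase);
    if (action === undefined) {
      this.rejected.push(phrase);       // never execute free text that is not on the list
      return null;
    }
    this.onCommand(action);
    return action;
  }
}

// Constructed stand-ins so the controller can be exercised outside a browser.
function createFakeDocument() {
  const listeners = [];
  return {
    visibilityState: 'visible',
    addEventListener(type, fn) { if (type === 'visibilitychange') listeners.push(fn); },
    setVisibility(state) { this.visibilityState = state; listeners.forEach((fn) => fn()); },
  };
}

function createFakeRecognizer() {
  return {
    started: 0, stopped: 0, onresult: null, onend: null,
    start() { this.started += 1; },
    stop() { this.stopped += 1; if (this.onend) this.onend(); },
    // Deliver a transcript in the same nested shape the real API uses.
    emit(transcript) {
      return this.onresult ? this.onresult({ results: [[{ transcript }]] }) : null;
    },
  };
}

function demo() {
  const doc = createFakeDocument();
  const rec = createFakeRecognizer();
  const executed = [];
  const ctl = new GuardedSpeechController(rec, doc, (action) => executed.push(action));
  ctl.start();
  const first = rec.emit('Scroll down.');           // allowed -> executed
  const second = rec.emit('delete all my files');   // not on the list -> rejected
  doc.setVisibility('hidden');                      // tab backgrounded -> session closed
  const third = rec.emit('open menu');              // arrives after close -> ignored
  return { first, second, third, executed, rejected: ctl.rejected,
           listening: ctl.listening, stops: rec.stopped };
}
```

In a real page the `onCommand` callback is where the site performs the action, and the `listening` flag should drive an on-page element that is visible whenever it is true; the visibility handler is what closes the gap the pop-under technique relies on, because a window the user is not looking at is never allowed to keep a session open.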

How the listening device works

Let’s say a bad guy created a malicious website that uses speech recognition. Upon viewing, the malicious website appears to be an exact duplicate of someone’s favorite website. That user receives an email saying there is a gift waiting for him at his favorite website, just click the link. Unknown to this person, it’s a phishing email, and the link sends that person to the malicious website instead. That person is asked to try the new speech recognition feature. They say yes.

According to Ater, this computer is now a remote listening device. The malicious site will be able to monitor everything within range of the microphone, whether the user knows it or not.

Google or Ater, who is right?

Ater first reported his findings privately to Google in September 2013. Ater said Google engineers had a fix within weeks. Then a week ago, with no evidence of Google removing the bug from Chrome, Ater decided to go public:

“As of today, almost four months after learning about this issue, Google is still waiting for the standards group to agree on the best course of action, and your browser is still vulnerable.”

The standards group Ater referred to is the World Wide Web Consortium (W3C). Google believes its implementation of the speech-recognition API is in agreement with Section 4, Security and Privacy Considerations, of the W3C report about speech recognition. Ater disagrees:

“[T]he web’s standards organization, the W3C, has already defined the correct behavior which would’ve prevented this… This was done in their specification for the Web Speech API, back in October 2012.”

Options to prevent eavesdropping

I want to reiterate: for speech recognition to work, the visitor must initially give the website permission to use the computer’s microphone. If permission is not given, the exploit falls apart.

There are ways to prevent eavesdropping for those who want to use speech recognition. There are also ways to disable speech recognition completely. For example:

The default setting in Chrome is “Ask if a microphone requires access” (see slide below). One option is to trust that Chrome asking for permission, plus some kind of indication that the microphone is on, will be enough security.

Users who visit sites that use speech recognition and want to use it, but do not trust the software indicator, can toggle the microphone on and off as shown below.

Users who are more concerned about eavesdropping than about using speech recognition can click on the setting circled in red (as seen below) and leave it there.


Chrome microphone 3.jpg

One problem: all of the above options are software based. There is no hard-wired switch to shut the on-board microphone off. For those concerned about this, there are two additional options:

Visit the Web Speech API demonstration website I mentioned earlier. If the microphone is off, you will get verification similar to the slide below.

For those who want to be absolutely sure, physically disable the on-board microphone, and when a microphone is required, plug an auxiliary microphone into the appropriate socket.


Chrome microphone 4.jpg

Written by:

Wi-Fi Woes? Time to Upgrade Your Wireless Router

Every time I have to reboot my wireless router, I cross my fingers and hope nothing will go wrong. Superstitious, sure, but anything to avoid the personal technology hell that is tinkering with that mysterious box at the core of my home’s Wi-Fi network.

Plugging and unplugging cords, going cross-eyed reading manuals with more acronyms than the military—it’s no wonder I haven’t upgraded my router in four years.

But trying to avoid that little blinking machine turns out to have been my gravest tech mistake in years. I’ve been missing out on faster speeds, better security protection, new networking features—even some awesome-looking new router hardware designs.

Yes, I just used “awesome-looking” and “router” in the same sentence. D-Link’s Corvette-red $310 AC3200 Ultra Wi-Fi is a cross between an alien spaceship and an upside-down crab. Netgear’s $300 Nighthawk X6 AC3200 looks like it could speed out of the Bat Cave. Both promise the fastest Wi-Fi speed available.

But why should you mess with a box that still works—or was handed to you by your cable provider? Well, are there rooms in your house where Wi-Fi can’t be accessed? Can only one person stream Netflix at a time? Ever wonder who else is using your network? If you answered “yes” to any of those, it’s time to upgrade.

And while you may not need a fancy $300 model, in an age when everything from our TVs to our toaster ovens are connecting to the Internet, it’s best not to cheap out on that all-important hub.

For the past week, I’ve been living a networking nightmare, testing 10 routers in both a one-bedroom city apartment and a big suburban house. Now that I’ve done the hard work, it’s time for you to learn (the easy way) the best approach to upgrading your home Wi-Fi network.

© Provided by The Wall Street Journal.

If you remember anything from this article, it should be this: Buy an “802.11ac” router.

Those who haven’t upgraded a router lately probably have an 802.11n or 802.11g router. AC is the newest and fastest wireless standard available. (Even a kindergartner would be insulted by the nonsensical alphabetic ordering on these things.)

Many of the latest phones, tablets, laptops, TV set-top boxes and other connected devices in your home now have faster, more finely tuned AC radios and antennas inside, but they’re only better when connected to an AC wireless network. (If you have an older desktop or laptop, AC wireless USB adapters sell for under $50.)

Bear in mind, you won’t get faster Internet speeds from a new AC router—that depends entirely on your Internet service plan.

What you will get, provided you have AC-equipped devices, is less degraded speeds at longer distances, and better performance when transferring data from one device to another. When I tossed out my ancient N router this week for an AC router, surfing the Web on the latest-generation MacBook Air from two rooms away was twice as fast.

Deciding what type of AC router to get can make your brain hurt. Router makers still confuse shoppers with speed claims we’ll never get and terms we don’t understand. And service providers try to rent you combo modem-routers that lack flexibility and—in many cases—power, while quietly adding up in cost, month after month.

To help make sense of it all, I enlisted Tim Higgins, managing editor of SmallNetBuilder, a router reviews site. You should consider AC routers that range in classification from AC1200 at the lower end to AC3200 at the high end, he said. In larger homes, the pricier models should deliver faster speeds at greater distances.

As you might expect, in my New York City apartment, I saw no performance difference between three AC routers: a $100 model, a $180 model and that “Ultra” $310 model. The space simply wasn’t big enough.

But in my parents’ larger home, the top-of-the-line D-Link AC3200 and Netgear’s Nighthawk AC1900 routers provided better speeds—and smoother, higher-quality Netflix streaming—than the competition at various points around the house, especially when I got farther away from the boxes.

Even with six multi-directional antennas, however, the D-Link’s range wasn’t greater than lower-grade AC models (though AC range was, across the board, noticeably better than older routers). Think of it this way: With AC3200 routers, the data highway gets wider but not longer. In my mom’s office, a known dead zone 75 feet from the router, there was still no Wi-Fi signal.

One way to avoid dead zones like that is to find a better home for the router. “Router placement is going to buy you the best performance improvement,” Mr. Higgins told me. Place your router in the middle of the house, he says, in an area where it isn’t obstructed by, say, a cabinet or closet.

For spots that still don’t get signal, you need a network extender—a second wireless router or a pair of plug-in-the-wall “powerline” networking boxes such as the $65 Linksys PLSK400 powerline adapter set.

Beyond speed, the other big benefit of the priciest AC3200 routers is that they were designed with lots of connected devices in mind. Behind the scenes, they operate three separate networks, while cheaper (and older) routers only have two. This means your devices don’t have to compete. That bandwidth-hogging Xbox could live on one network, the new smart TV on a second, and various laptops, tablets and phones on a third.

Those faster speeds and smarter connections won’t do you any good if you can’t set the darn thing up. The second thing you should remember from this article: Pick a router that’s easy to set up and manage.

That’s why I don’t recommend TP-Link. The Chinese company has great deals on AC routers, making it one of the most popular buys on Amazon. But its setup tool looks like it was designed in the early ’90s, and you have to have networking experience even to change the network password.

Netgear and Linksys, on the other hand, were the easiest to set up and manage on a Windows PC, while Apple’s AirPort Extreme was dead simple on a Mac—or even an iPad or iPhone, using the Airport Utility app.

The torturous psychodrama of setting up a router is no more. It’s as simple as connecting your computer, tablet or phone to the router’s network, then following guided steps in any Web browser. You don’t have to download any additional software, though some apps can be helpful.

My favorite routers from Linksys, Netgear, D-Link and Apple all let you easily set up security, manage guests and see what devices are on your network. The Linksys Android and iPhone apps even let you check in on your home network while you’re away. Netgear has also begun rolling out the feature.

Let’s stop right here a second: Do you have a password protecting your Wi-Fi network? If not, then don’t complain when you get hacked.

Fortunately, all the new routers come password protected out of the box. In fact, Netgear, Linksys and D-Link told me that every router comes with a unique name and password. While this is relatively safe, security experts do recommend picking your own name and strong password during setup.

When you’re in the security settings, always make sure that AES/WPA2 encryption is selected. Also, stay on top of updating your router’s firmware. This may mean logging into your router every month or two. Netgear’s Genie app alerts you when a new security update is available, and Linksys gives you the option to install updates automatically at night.

So, which router did I upgrade to? For my apartment, I decided to go with Netgear’s $180 Nighthawk AC1900. It’s more than enough for my wireless needs. If you have a larger house with lots of connected devices, clear a landing pad for D-Link’s AC3200 Ultra Wi-Fi router. Sure, it looks ferocious, but I promise, there is no reason to be scared of the blinking box in the corner anymore.

Written by: Joanna Stern

How To Add Check Boxes to Word Documents

When you are creating surveys or forms with Microsoft Word, it is usually a good idea to add check boxes to make the options easy to read and answer. There are two main methods you can use. The first is ideal for documents that you want people to fill out digitally, while the second is great for printed documents like to-do lists.

Option 1 – Content Control for Digital Documents

In order to create fillable forms that include check boxes, you will need to start by enabling the Developer tab: click on the “File” drop-down menu and then choose “Options.” Open the “Customize Ribbon” tab and select the “Main Tabs” option under “Customize the Ribbon.”

Checkbox 1

Now you will need to select the “Developer” box and press “OK.”

Checkbox 2

Once you have done this, you will notice that an additional menu has been added to the top of the screen with several new developer options.

Checkbox 3

Now that you have enabled the Developer tab, you are ready to add your check boxes. Simply create your question, as well as the responses. Open the Developer tab and click on the “Check Box Content Control” option (Checkbox icon 1).

Checkbox 4

Once you have done this, you should repeat it for all your responses. You will see the check box next to your answers as shown below.

Checkbox 5

Option 2 – Check boxes for Printed Documents

The second option, for creating documents with check boxes that you will print out, requires you to insert a custom bullet point (Checkbox icon 2). In the “Home” tab of MS Word, under the “Paragraph” section, you will see an option to insert bullet points.

Simply click on the small arrow next to it, and then select the “Define New Bullet” option. You will notice that there are already a few options there, but there is no check box.

Checkbox 6

Now that you have chosen to define a custom bullet point, you will need to select the “Symbol” option.

Checkbox 7

When you open the symbol window, you will see many different options. You will need to click on the “Symbol” drop-down menu and select “Wingdings 2.”

Checkbox 8

Now you will need to enter the number “163” into the “Character Code” box to automatically navigate to the best check box option available in Word.

Checkbox 9

Once this is done, you can finish your list of responses in the same way you would use bullet points.

Checkbox 10

Now, the next time you need them, you will just need to click on the small arrow next to the bullet options and you will see the check box listed with the default options.

Checkbox 11

Feel free to check out all the bulleting options using symbols. You may even find options you like better than the traditional check boxes. Have fun creating your surveys and documents with your new check boxes.

Written by: Martin Hendrix on:

30 iPhone and iPad tips and tricks to make you faster and more efficient

There’s little doubt that the king and queen of the post-PC era are the iPad and the iPhone, and while these devices both started out life as content consumption devices, they’ve grown over several hardware and software iterations into formidable content creation devices.

But as with any device, there are tips, tricks and shortcuts that can help you get more from your iDevice investment. Here, in no particular order, I’m going to rattle through a list of tips and tricks that will help you be more productive when using your iPad and iPhone, whether you use it for work or play.

1. When ending a sentence, instead of typing a period and then a space, just tap the space bar twice, which does the same thing and is faster.

2. Find yourself typing a lot of text and numbers? Do you find switching back and forth to the numeric keypad time consuming? Press and hold the “123” button and slide up to the character you want to input; when you let go, the standard keyboard will return.

3. Want to TYPE WITH CAPS LOCK ON? Just double-tap the on-screen shift key. Tap again to return to lower case.

4. In Safari (and Chrome), press and hold down the period key to bring up a listing of top-level domains such as .com, .net and so on (what you get is region specific, so it will vary).

5. Spend a lot of time looking at your iOS device in low light? Invert the screen colors for more comfortable viewing. To do this, click Settings > General > Accessibility and turn on Invert Colors.

6. There are a whole bunch of things you can do if you have earphones with the remote control, from controlling the camera to rejecting calls.

7. iPad only: You can add as many as six icons to the bottom dock (the default is four), and you can also add folders. Just press and hold any icon until they jiggle and start rearranging. Press the Home button when you are done.

8. Don’t want to be hassled by calls or notifications? Click Settings > Do Not Disturb and turn on Manual.

9. Make text larger (in supported apps) by tapping Settings > General > Text Size and adjusting it using the slider.

10. Want to still be able to receive some calls while in Do Not Disturb mode? Use the Allow Calls From setting to control which of your contacts can get in touch.

11. What about those urgent calls from people not in your contacts? You can use the Repeated Call feature to allow a call through if it is the second one made within three minutes.

12. You can quickly get to the Camera app from the lock screen by swiping up the camera icon in the bottom-right corner of the screen.

13. You can quickly scroll to the top in most apps by tapping the status bar at the top of the screen.

14. Spotlight search has been revamped. Instead of swiping to the left as in iOS 6 and earlier, you now swipe down from any home screen for quick access.

15. You can now block a caller. To block someone, go to Contacts, select a contact and hit Block this Caller. Users on the blocked list will not be able to call, text or FaceTime you.

16. Got a lot of typing to do? Pair any Bluetooth keyboard to your iPhone or iPad to make the job faster.

17. iPad only: Put the keyboard into “thumb mode” by pressing and holding the “dock and merge” button in the bottom right-hand corner and dragging up. Drag down to return the keyboard to its normal state.

18. Want to fast-charge a device? Pop it into Airplane Mode (tap Settings, then turn on Airplane Mode). It will charge much faster.

19. Want to cache maps for offline use in the Google Maps app? Zoom in to the area you want, type “OK maps” into the search bar and hit Search, and the map tile will be saved.

20. Did you accidentally archive an email? Shake your phone to bring up the Undo Archive dialogue.

21. Remove digits you’ve typed into the Calc app by swiping left to right across the digits to remove them one by one.

22. Starting with iOS 7 there’s no longer a limit on the number of apps you can put into a folder, so there’s no more need for duplicate folders.

23. Swamped by emails? If you tap Edit when in the Mail app, you can select from a range of filters including VIP, Flagged, Unread, and so on.

24. Worried about young ones racking up huge in-app purchase bills? Tap Settings > General > Restrictions and scroll down to disable In-App Purchases.

25. AirDrop is a great way to share files with other iPhone and iPad users (not all devices are compatible) using Wi-Fi and Bluetooth (both need to be enabled for it to work). Swipe up from the bottom of the screen to bring up Control Center and tap on AirDrop. Here you can choose to make your device discoverable for Contacts Only or Everyone, or turn it off completely. When you choose someone to share with, or they choose you, there’s a notification giving you a preview of the file and the option to deny or accept the transfer.

26. You can make audio-only FaceTime calls by tapping the phone icon instead of the video icon in the FaceTime app. If you’re paying for Wi-Fi or cellular by the megabyte, this will save you money.

27. You can use Siri to do all sorts of things, from switching on Wi-Fi to taking a photo. Tap the ‘?’ symbol in the bottom left of the Siri screen.

28. Instead of tapping on back buttons, you can now use a gesture to return to a previous view by swiping right from the left edge of the screen.

29. In iOS 7, you can view the sent/received times for each message (text and iMessage) by swiping left from anywhere within the chat history.

30. Siri can read out your email for you. Hold down the Home key, then say “Read my emails” to get the name of the sender, the time and date sent, and the subject of the email. Follow up by saying “Yes” when asked if you want the text read out to you.

Written by: Adrian Kingsley-Hughes On:

Sprint pleased by early response to its half-off deal

Six days into its new “Cut Your Bill in Half” offer, Sprint was enthusiastic about the offer’s early reaction from new customers, but didn’t offer any details.

Meanwhile, T-Mobile countered with a new unlimited 4G LTE family plan called Simple Choice that started today, marking another sign of the unrelenting pricing competition in the wireless carrier realm.

Sprint promoted the unusual half-off deal with a wacky integrated TV-radio-print advertising campaign. It includes a TV ad showing actors cutting printed bills from Verizon Wireless and AT&T in half with a saw, sword, weed-whacker and chainsaw.

The half-off event, which launched Friday, offers new Sprint customers, who switch from Verizon or AT&T, unlimited talk and text in the U.S. while on the Sprint network. Sprint will also match the customer’s data allowance with the previous carrier but at half the cost. Sprint said the deal is scheduled to end Jan. 15, but it may be extended beyond that date.

In an example, Sprint said a Verizon customer paying $140 a month for four phone lines and 10 GB of data can get four lines with the same phone numbers, plus 10 GB of data on Sprint for $70 a month. For a limited time, Sprint will waive the activation fee of $36 a line and will buy out a customer’s contract for up to $350 per line.

New customers also must buy or lease a new phone from Sprint and turn in their AT&T or Verizon devices to Sprint or face a penalty. With the requirement to get a new device from Sprint, the company’s Chief Financial Officer Joe Euteneuer admitted at an investor conference last week that the net discount customers can expect is actually about 20%, but still a “great value creator” for Sprint.

Sprint CEO Marcelo Claure helped launch the deal last week with a visit to a Sprint retail store in Leawood, Kan., near the carrier’s corporate headquarters in Overland Park. Claure told reporters that Sprint is “looking for one of the best Decembers Sprint has ever had” while sending a “very strong message to Verizon and AT&T,” according to the Kansas City Star.

The half-off deal isn’t the only reason Sprint could improve its financials in the final quarter of the year. The carrier is also laying off 2,000 workers, in addition to 5,000 job cuts earlier in the year, reducing its total work force to 30,000.

Claure said that the half-off deal will help bring in new customers to Sprint stores. Once there, new customers might find that Sprint’s iPhone for Life deal or its Family Share Pack is more suited for their needs.

Analysts have variously called the half-off promotion a desperation move by Sprint or one that will only have a muted impact, given its other promotions. Some said new customers may be unimpressed with Sprint’s network and could ask for refunds due to spotty network reliability with the Sprint LTE nationwide buildout.

While Sprint’s half-off deal focuses on attracting Verizon and AT&T customers, it ignores T-Mobile customers although T-Mobile has often outdone Sprint as a value carrier for the past 18 months.

Starting today, for instance, T-Mobile began offering a new Simple Choice family plan that provides unlimited 4G LTE data for an entire family. It starts at $100 a month for two people and extends to up to 10 people for $40 more per line.

Written by: Matt Hamblen on:

Apple iMessage Open to Man in the Middle, Spoofing Attacks

The Apple iMessage protocol has been shrouded in secrecy for years now, but a pair of security researchers have reverse-engineered the protocol and found that Apple controls the encryption key infrastructure for the system and therefore has the ability to read users’ text messages–or decrypt them and hand them over at the order of a government agency.

The iMessage system is Apple’s proprietary text system, which works only among iOS devices. It uses a series of servers owned by Apple that receive and forward messages. Those messages are sent via Apple’s PUSH notification service, which keeps an IP connection open all the time to check for new notifications and display messages. Each iPhone, iPod or other iOS device serves as a PUSH client, and they communicate with Apple’s servers over SSL. The researchers found that while that basic framework makes sense from a security point of view, there are a number of issues with the iMessage system.

One major issue is that Apple itself controls the encryption key infrastructure used for iMessage, and holds the keys for each individual user. The upshot is that Apple has the ability to read users’ messages if it so chooses. The researchers who looked at iMessage, known as Pod2g and GG, said that there is no evidence that Apple is in fact reading users’ iMessages, but the company could. Users’ AppleID passwords are also sent in clear text to the Apple servers.

“What we are saying: Apple can read your iMessages if they choose to, or if they are required to do so by a government order. As Apple claims, there is end-to-end encryption. The weakness is in the key infrastructure as it is controlled by Apple: they can change a key anytime they want, thus read the content of our iMessages,” the pair, who work for Quarkslab, wrote in a long analysis of the iMessage protocol.

“Also remember that the content of the message is one thing, but the metadata are also sensitive. And there, you rely on Apple to carry your messages, thus they have your metadata.”

Because the iMessages go through Apple’s servers, Apple essentially holds a man-in-the-middle position on all of the communications among those devices. The company uses proper encryption to protect the communications, but the Quarkslab researchers discovered that Apple does not use certificate pinning for iMessage, meaning that the system is open to a MiTM attack by outside attackers. During their research, Pod2g and GG were able to create a new certificate authority, add it to an iPhone keychain and then proxy the SSL communications to and from the device. Certificate pinning is the process of associating a given host with a specific certificate. That way, if a browser or other client encounters a certificate for a host that isn’t the expected one, it can reject it and warn the user of the problem. Google, for example, uses certificate pinning for many of its Web properties.
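To make the pinning check concrete, here is an added example (not code from the article, from Quarkslab, or from Apple) of what a client does when it pins a host to a specific certificate: it hashes the DER-encoded certificate the server presents and refuses the connection unless that digest is in a pin set it shipped with. Ordinary chain validation still runs, but it alone would accept a certificate minted by a CA that was added to the device trust store; the pin check does not. The host name, the two "certificate" byte strings and the backup pin are constructed stand-ins for illustration.

```python
import hashlib
import hmac
import socket
import ssl
from typing import Iterable

# Constructed sample data: stand-ins for DER-encoded certificates. In practice
# the pinned value is SHA-256 over the real certificate (or its SubjectPublicKeyInfo)
# captured from the legitimate server, not a string like this.
LEGIT_CERT_DER = b"constructed: certificate the real service presents"
PROXY_CERT_DER = b"constructed: certificate minted by an interception proxy"


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 of the DER bytes as lowercase hex; this is the value you pin."""
    return hashlib.sha256(der).hexdigest()


# Pin set per host: the current certificate plus at least one backup, so a
# planned rotation does not lock every client out.
PINS = {
    "messages.example.test": {          # hypothetical host name
        cert_fingerprint(LEGIT_CERT_DER),
        "0" * 64,                       # placeholder for a backup pin
    },
}


def pin_matches(der: bytes, pins: Iterable[str]) -> bool:
    """True only when the presented certificate is one of the pinned ones.

    A chain signed by a trusted CA is not sufficient: a CA injected into the
    trust store can sign a certificate for any host that passes chain
    validation, but its digest will not be in this set.
    """
    fp = cert_fingerprint(der)
    return any(hmac.compare_digest(fp, p.lower()) for p in pins)


def pinned_connect(host: str, port: int = 443, timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection and enforce the pin on top of normal validation."""
    ctx = ssl.create_default_context()   # chain and hostname checks still apply
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    try:
        der = tls.getpeercert(binary_form=True)
        if der is None or not pin_matches(der, PINS.get(host, ())):
            raise ssl.SSLCertVerificationError(
                f"certificate for {host} is not in the pin set; possible interception"
            )
        return tls
    except Exception:
        tls.close()
        raise


if __name__ == "__main__":
    pins = PINS["messages.example.test"]
    print("legitimate cert accepted:", pin_matches(LEGIT_CERT_DER, pins))
    print("proxy-issued cert accepted:", pin_matches(PROXY_CERT_DER, pins))
```

The trade-off a practitioner has to manage is rotation: a pin set with no backup turns a routine certificate renewal into an outage, which is one reason pinning is often done against the intermediate or the SPKI rather than the leaf. A failed pin check should be logged as a security event, not retried silently.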

“I guess they just didn’t get around to it. There’s no great reason, I think they just didn’t do it. The Twitter app does, which is kind of ironic because Twitter isn’t typically handling your sensitive information,” said Matthew Green, a cryptographer and research professor at Johns Hopkins University.

The lack of certificate pinning for iMessage is troubling, the researchers said, as it opens the door for attackers to create a forged CA, and if they can get it onto a device or devices, proxy all of the supposedly encrypted communications. This is especially problematic in enterprise environments that employ Apple’s iPhone Configuration Utility, which enables enterprises to manage iPhones centrally. An attacker could install his CA at enrollment on all of the target devices.

“All communications to Apple’s servers are made through a secure SSL tunnel. We do not need to know what protocol is used or how packets are forged. The first thing we want to try when we see that is adding a certificate to perform a MITM. We were actually very surprised it worked as easily, which means there is no certificate pinning. We created a fake CA, and added it to the iPhone keychain. Then, we could [proxy] communications much more easily. When a SSL communication arrives to the proxy, we generate a certificate signed by the newly added CA, and everything becomes unencrypted,” the researchers said.

The researchers put together several scenarios through which an attacker could intercept iMessage transmissions through a MiTM attack. They also developed a tool called iMiTMProtect that can defeat certain of these attacks on OS X devices. Green of Johns Hopkins said that there are other methods that Apple could have used for the key infrastructure to avoid some of these problems.

“Companies like Silent Circle do real end-to-end key management and OTR (Off the Record) messaging. So all of these instant message things that use OTR-like protocols, they do end to end key establishment. The idea there is that the two parties establish keys without any central directory. And then what you’re supposed to do is either compare a key fingerprint over another phone line or you’re supposed to check – Silent Circle has an authentication string – so you’re supposed to read this string back and forth over the phone. That is the alternative way. That is the de-centralized version of this where you don’t have to trust Apple or some centralized server. And maybe that’s too hard for some people, but a lot of people will use OTR; it’s pretty easy to use. It certainly wouldn’t be so hard to add something like that as an optional feature for security-conscious people into iMessage. Definitely you can do better,” Green said.
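The decentralized alternative Green describes, with keys established directly between the two parties and a short authentication string read back over a second channel, as an added example that is not code from the article, from Silent Circle, or from any OTR implementation. Both sides derive the string from the shared secret and the public values each actually received; a relay that substitutes its own key (the position a central server holds) gets a valid session with each side, but the two strings no longer match, which is what the out-of-band comparison is for. The Diffie-Hellman parameters here are a constructed toy group chosen so the code runs without third-party libraries; real code would use a standard group or X25519.

```python
import hashlib
import secrets

# Toy Diffie-Hellman parameters, constructed for illustration only.
# P = 2**127 - 1 is a Mersenne prime; the group is far too small for real use.
P = 2**127 - 1
G = 5


class Party:
    """One endpoint holding an ephemeral DH key pair."""

    def __init__(self, name: str):
        self.name = name
        self.priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)

    def shared_secret(self, peer_pub: int) -> int:
        return pow(peer_pub, self.priv, P)


def fingerprint(pub: int) -> str:
    """Key fingerprint for the 'compare over another phone line' variant."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:16]


def sas(shared: int, initiator_pub: int, responder_pub: int) -> str:
    """Short authentication string over the shared secret and the public values
    as this side saw them, rendered as two groups of four hex digits.
    If an intermediary substituted either public value, the two sides differ."""
    h = hashlib.sha256()
    for v in (shared, initiator_pub, responder_pub):
        h.update(v.to_bytes(16, "big"))
    d = h.hexdigest()[:8]
    return f"{d[:4]}-{d[4:]}"


def honest_session() -> tuple:
    """Public values cross the network unmodified; both strings agree."""
    alice, bob = Party("alice"), Party("bob")
    s_a = alice.shared_secret(bob.pub)
    s_b = bob.shared_secret(alice.pub)
    return sas(s_a, alice.pub, bob.pub), sas(s_b, alice.pub, bob.pub)


def intercepted_session() -> tuple:
    """A relay replaces each side's public value with its own. Each side ends up
    with a working session (to the relay) and renders the string from what it
    actually received, so the two strings disagree."""
    alice, bob, mallory = Party("alice"), Party("bob"), Party("mallory")
    s_a = alice.shared_secret(mallory.pub)   # Alice believes this is Bob's key
    s_b = bob.shared_secret(mallory.pub)     # Bob believes this is Alice's key
    return sas(s_a, alice.pub, mallory.pub), sas(s_b, mallory.pub, bob.pub)


def verified(local_sas: str, remote_sas: str) -> bool:
    """The out-of-band step: the strings read aloud to each other must match."""
    return local_sas == remote_sas


if __name__ == "__main__":
    a, b = honest_session()
    print("honest:      ", a, b, "match" if verified(a, b) else "MISMATCH")
    a, b = intercepted_session()
    print("intercepted: ", a, b, "match" if verified(a, b) else "MISMATCH")
```

Two design points carry over to real protocols: the string is deliberately short so people will actually compare it, which is why deployed schemes add a commitment to the first public value so a relay cannot search for keys that make a short string collide, and the comparison has to happen over a channel the relay does not control, otherwise it proves nothing.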

Written by: Dennis Fisher on: