Truecrypt Encryption Tool Clears The First Phase Of Security Audit .

Is TrueCrypt Audited Yet? Yes, In Part! One of the world's most-used open source file encryption software trusted by tens of millions of users - TrueCrypt is being audited by a team of experts to assess if it could be easily exploited and cracked. Hopefully it has cleared the first phase of the audit and given a relatively clean bill of health.

TrueCrypt is a free, open-source and cross-platform encryption program available for Windows, OSX and Linux that can be used to encrypt individual folders or encrypt entire hard drive partitions including the system partition. 

The program is also capable to do some amazing things, such as can create a hidden operating system on a computer, essentially an OS within an OS where users can keep their most secret files.

EVERYONE HAS SOMETHING TO HIDE
TrueCrypt developers are anonymous and used the aliases “ennead” and “syncon”, perhaps to avoid unwelcome attention from their own governments. But when we talk about Privacy and Security, we can't trust anyone, especially when someone like NSA is out there.

This is a major reason that security community has took an initiative to perform a public Security Audit of TrueCrypt in response to the concerns that National Security Agency (NSA) may have tampered with it.

iSec Research Lab was contracted to carry out  public cryptanalysis and security audit of TrueCrypt by the cryptography community, Open Crypto Audit Project (OCAP) and they has ‪found “no evidence of backdoors or otherwise intentionally malicious code in the assessed areas.”

11 VULNERABILITIES FOUND, BUT NOT CRITICAL
Auditors review more than 70,000 lines of TrueCrypt source code and architecture. Finally yesterday they have turned up 11 vulnerabilities in the full disk and file encryption software's source code, but no "high-severity" issues, which means nothing particularly found inappropriate and certainly nothing looks like a backdoor or intentional flaws.

According to the researchers, none of the vulnerabilities seems as an intentional flaw or immediate exploitation vectors, rather all of the identified findings appeared to be accidental.

“Overall, iSEC does think changes can be made to improve code quality and maintainability, and that the build process should be updated to rely on recent tools with trustworthy provenance. In sum, while TrueCrypt does not have the most polished programming style, there is nothing immediately dangerous to report,” reads the audit report [PDF released on April 14].

These results are from the first phase of the audit, focused on the TrueCrypt bootloader and Windows kernel driver; architecture and code review.

PHASE 2 - CRYPTOGRAPHIC TESTS
Now, TrueCrypt is about to get a second phase exam that may hopefully give the software a clean bill of health too, because the project to audit TrueCrypt has raised tens of thousands of dollars to peer into TrueCrypt's deepest recesses. Second Phase test will include a thorough analysis of the various encryption cipher suites and  implementation of random number generators and critical key algorithms.

Hacking Facebook Account With Just A Text Message .

Can you ever imagine that a single text message is enough to hack any Facebook account without user interaction or without using any other malicious stuff like Trojans, phishing, keylogger etc. ?

Today we are going to explain you that how a UK based Security Researcher, "fin1te" is able to hack any Facebook account within a minute by doing one SMS.

Because 90% of us are Facebook user too, so we know that there is an option of linking your mobile number with your account, which allows you to receive Facebook account updates via SMS directly to your mobile and also you can login into your account using that linked number rather than your email address or username.

According to hacker, the loophole was in phone number linking process, or in technical terms, at file /ajax/settings/mobile/confirm_phone.php

This particular webpage works in background when user submit his phone number and verification code, sent by Facebook to mobile. That submission form having two main parameters, one for verification code, and second is profile_id, which is the account to link the number to.

As attacker, follow these steps to execute hack: 

1. Change value of profile_id to the Victim's profile_id value by tampering the parameters.
2. Send the letter F to 32665, which is Facebook’s SMS shortcode in the UK. You will receive an 8 character verification code back.
3. 
4. Enter that code in the box or as confirmation_code parameter value and Submit the form.

Facebook will accept that confirmation code and attacker's mobile number will be linked to victim's Facebook profile.

In next step hacker just need to go to Forgot password option and initiate the password reset request against of victim's account.

Attacker now can get password recovery code to his own mobile number which is linked to victim's account using above steps. Enter the code and Reset the password!

Facebook no longer accepting the profile_id parameter from the user end after receiving the bug report from the hacker.

In return, Facebook paying $20,000 to fin1te as Bug Bounty.