Tuesday, July 24, 2007

How to hack WAP portals


NOTE: This post is based on my personal experience and is not intended to cause any malicious harm. I strongly believe that transparency is a necessity on the Internet, and will gladly post comments (and other view points) surrounding this topic in the interest of educating others on the need to plug security loopholes.


Quick tip on how to hack your way through WAP portals using Firefox.

Install the following Firefox add-ons:
  • Modify Headers: used to add, modify and filter HTTP request headers
  • wmlbrowser: used to emulate a WML browser, although most mobile sites these days should be compatible with XHTML-MP

After restarting Firefox, both add-ons should be active.

To spoof your way through, do as follows:

In Firefox, click Tools > Modify Headers.

Add: x-up-calling-line-id, followed by a mobile number, e.g. 60128889999:


You should now see the header entry, and it should be "enabled" (green circle):


With this in hand, you can spoof your way through to initiate content downloads such as ringtones, wallpapers, and more. What's scary is that you can initiate downloads for random mobile numbers. Unless an SMS acknowledgement is part of the process, this random user will be charged the cost of the download. Screenshot below shows my spoofing experience with a content download via the Maxis WAP Portal. Thankfully, this one required an SMS acknowledgement:
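A server-side check for the weakness described above, as an added example that is not part of the original post: the portal honours x-up-calling-line-id only when the request arrives from the operator's WAP gateway, and bills only after an SMS acknowledgement. The gateway network range, the function names and the (name, value) header list are assumptions made for illustration.

```python
import ipaddress

# Assumption: the operator's WAP gateway is the only host allowed to assert a
# subscriber number, and it strips any client-supplied copy of the header.
WAP_GATEWAY_NETS = [ipaddress.ip_network("10.20.0.0/24")]  # constructed range
MSISDN_HEADER = "x-up-calling-line-id"


def trusted_msisdn(peer_ip, headers, gateway_nets=WAP_GATEWAY_NETS):
    """Return the subscriber number only if the gateway vouched for it.

    headers is a list of (name, value) pairs so duplicates stay visible.
    """
    addr = ipaddress.ip_address(peer_ip)
    if not any(addr in net for net in gateway_nets):
        return None  # header arrived from an arbitrary client: ignore it
    values = [v.strip() for k, v in headers if k.lower() == MSISDN_HEADER]
    if len(values) != 1:
        return None  # missing, or more than one copy of the header
    msisdn = values[0]
    if not (msisdn.isascii() and msisdn.isdigit() and 8 <= len(msisdn) <= 15):
        return None
    return msisdn


def authorize_download(peer_ip, headers, sms_confirmed):
    """Decide whether a paid download may be billed to a number."""
    msisdn = trusted_msisdn(peer_ip, headers)
    if msisdn is None:
        return ("deny", None)
    if not sms_confirmed:
        return ("pending_sms", msisdn)  # bill only after the handset replies
    return ("charge", msisdn)


# Constructed sample requests, using the example number from the post.
HDR = [("X-Up-Calling-Line-Id", "60128889999")]
SAMPLES = [
    ("203.0.113.7", HDR, False),     # desktop browser on the Internet
    ("10.20.0.5", HDR, False),       # via gateway, no SMS reply yet
    ("10.20.0.5", HDR, True),        # via gateway, SMS acknowledged
    ("10.20.0.5", HDR + HDR, True),  # duplicated header
]

if __name__ == "__main__":
    for peer, hdrs, sms in SAMPLES:
        print(peer, authorize_download(peer, hdrs, sms))
```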


Monday, July 23, 2007

The Great Internet Crash of 2007



Really funny -- you have to watch it!


Thursday, July 19, 2007

On Lina Joy

Excerpts from a couple of profound viewpoints on the Lina Joy case.

The Economist, June 2nd, page 28:
In many places, constitutional guarantees of liberty are undermined by laws constraining religious belief. Indonesians, for example, are also obliged to state their religion on their identity cards and to choose between just six officially recognised faiths. The governor of the state of Rajasthan, in India, is being pressed by the state assembly to approve a law punishing conversion from Hinduism. Constraints on individuals' rights to choose their beliefs are usually backed up by claims that religions are somehow “under threat”: a curious lack of faith—in faith itself.


Farish Noor, June 21st:
In the end, however, cases like Revathi's and Lina Joy's revolve around the fundamental freedom to believe in what one believes, and to be recognised as such. The Muslim majority in Malaysia are not Muslims because their identity cards and passports tell them they are, but because they simply are, and exist, as Muslims.

The time has come for the laws of the land to recognise that being Muslim, Christian, Hindu or Buddhist in Malaysia has little to do with paperwork and legal technicalities, but in the more fundamental nature of existential being itself. Until then however, those trapped in the legal chasm where Revathi and Lina Joy are in at the present are the unfortunate victims of a legal system at odds with itself and which oddly defend freedom of belief for some and yet not for others...


Tuesday, July 17, 2007

Sayonara PHP 4!

Excerpt of the End-of-Life announcement:
The PHP development team hereby announces that support for PHP 4 will continue until the end of this year only. After 2007-12-31 there will be no more releases of PHP 4.4. We will continue to make critical security fixes available on a case-by-case basis until 2008-08-08. Please use the rest of this year to make your application suitable to run on PHP 5.


Want a Pownce invite?

I have 3 invitations to Pownce.

What is it?
Pownce is a way to send messages, files, links, and events to your friends. You'll create a network of the people you know and then you can share stuff with all of them, just a few of them, or even just one other person really fast.




It's a startup co-founded by Kevin Rose, one of the guys behind Digg.

First-come, first-served basis. Leave a comment on this page, linking back to your blog. An invite will then appear in your Inbox within 24 hours.


Monday, July 16, 2007

Can you spot it?



Photo of a new housing development in Taman Meranti Jaya, thanks to Melissa. It's a real photo!

*p/s: bottom left corner (*woof*)


Sunday, July 15, 2007

CrossLoop: great product, but is it a trojan horse? - Update (2)

The problem I was facing with CrossLoop / AVG has been RESOLVED.

If you're still facing similar problems, please try updating your AVG. Mine worked with CrossLoop using program version 7.5.476 and virus database 269.10.6/900.

Thanks to the teams at CrossLoop and AVG that were behind this, and many thanks to everyone that shared their experience via comments on this blog.

A great product listens to its users -- kudos to CrossLoop!


Thursday, July 12, 2007

CrossLoop: great product, but is it a trojan horse? - Update (1)

Just received a reply from CrossLoop with regard to a recent problem. No solution until AVG fixes it!

I am DISAPPOINTED. Read the email reply below.

While I trust that they have taken great steps in ensuring tight security, why are they offloading the problem to me? It may have been a better approach to take proactive steps to address this matter, either with AVG directly or by acknowledging it as a possible problem on their website. I would consider AVG a very popular free anti-virus software; this type of problem, irrespective of whether it is AVG's error, limits the CrossLoop user experience significantly.

This is what CrossLoop had to say in their email reply (pasted as-is):
Greetings from Crossloop tech support,

Thank you for using Crossloop and for the report! We appreciate your support. It has been brought to our attention that AVG Software is identifying our file CrossloopConnect.exe as a Trojan Virus. This is a mistake on their part. We at Crossloop are very serious about security and have done everything in our power to make Crossloop safe to use. Please go to the following page of our Web Site if you would like to read about our Security model http://www.crossloop.com/security. Please note that no other antivirus software identifies CrossloopConnect.exe as a virus. Please report this mistake to AVG so they can correct it.

Regards,
Joseph Stark
Tech Support
Crossloop Inc.
Joes@Crossloop.com
www.Crossloop.com
Stay 'in the loop" @ the CrossLoop Blog http://crossloop.typepad.com


Rule #1 with customer / technical support: "Never offload your problems onto your users!"


Wednesday, July 11, 2007

Map of Online Communities

...and related points of interest. Very cool, don't you think? I think Facebook is bound to invade other territories soon.



Thanks to xkcd.


CrossLoop: great product, but is it a trojan horse?

I've been using CrossLoop a lot lately for screen-sharing. It has helped in cases where remote troubleshooting is required, and firewall settings are cumbersome to change.



What is CrossLoop:
CrossLoop is a FREE secure screen sharing utility designed for people of all technical skill levels. CrossLoop extends the boundaries of VNC’s traditional screen sharing by enabling non-technical users to get connected from anywhere on the Internet in seconds without changing any firewall or router settings. It only takes a few minutes to setup and no signup is required.

Strangely, AVG (v7.5.476, Virus DB v269.10.2/894) has been detecting my instance of CrossLoop as a trojan horse. CrossLoop now refuses to work. Has anyone else faced a similar problem?



*p/s: sorry for the geeky post!
