Wednesday, 26 December 2012

China cracks digital whip. Blocks VPNs and dissolves anonymity.

image courtesy of methodshop.com

For quite awhile now, China and its “Great Firewall” have been the poster child for internet censorship and filtering. But despite already tough regulations, the People’s Republic is instituting two new policies designed to choke access to content and free expression online.

The first policy comes as a machine learning algorithm capable of detecting and disconnecting virtual private network connections. Despite widespread filtering, many in China are able to access blocked content through a VPN rerouted to servers in countries with less or no censorship. The new algorithms, however, sniff out VPN connections and subsequently shut them down. Currently, censored content includes social media sites like Facebook and Twitter as well as Western media outlets.

The second policy is not yet official, but, if implemented, could be a game changer in an already tough environment. According to state media, China may require internet users to register with their real names when signing with network providers.

Under the law, anyone signing a contract for a landline or mobile internet access would be required to present their government-issued ID, effectively destroying any semblance of anonymity left in China.

Already, laws are in place regulating anonymity on certain websites, including the popular microblogging site, Weibo.

On their own, these laws are controlling and restrictive. But in tandem, they represent a new culture of digital control previously unachieved by even the most oppressive regimes.

And what happens when these strategies are exported? Among internet users in restrictive countries like Iran, Syria, and Vietnam, unabridged internet access through VPN services and anonymous browsing allows the transmission of ideas and the coordination of political movements.

Fortunately, the struggle between censors and free internet activists has historically favored the latter party. It’s a mistake to think that any regime can completely cut off their citizens from the rest of the world. But measures like those taken in China work, often effectively, to disconnect the average users and limit the scope and influence of free expression.

Friday, 21 December 2012

Phishers are scamming shady web surfers


Symantec put out a report this week revealing that phishers in the Middle East are using the Syrian conflict as context for their scams. It’s quite common for phishers to use current events, but I think we can all agree, this is pretty messed up.

Sadly, just monetizing the conflict isn’t the only bad part here.

The scam spoofs a Middle Eastern social networking site and offers victims a torture video of a prisoner in the Syrian prison, State Security Branch Khatib.

So, in a nutshell, we have scammers taking advantage of a violent civil war in order to fleece money from snuff seekers. Classy stuff.

The title of the phishing site translated to “Liberal torture in the State Security Branch Khatib”. The site warned that the video contained scenes of violence and asked users for their permission before proceeding. After permission had been granted, users were prompted to enter their login credentials. The login credentials were allegedly required to confirm that the user was over 18 years of age. After the login credentials had been entered, the same phishing page was reloaded. If users fell victim to the phishing site, phishers would have successfully stolen their information for identity theft. [Symantec]

Frequently, phishers compromise files on target computers for their scams, but in this incident, the actual domain was compromised.

One thing that’s important to remember: this kind of scam relies not on complicated hacking, but human vulnerability. No matter what security measures you take, if you don’t surf smartly and carefully, this kind of thing could happen to you.

Symantec provides the following guidelines for staying safe:

  • Do not click on suspicious links in email messages
  • Do not provide any personal information when answering an email
  • Do not enter personal information in a pop-up page or screen
  • Ensure the website is encrypted with an SSL certificate by looking for the padlock, ‘https’, or the green address bar when entering personal or financial information
  • Update your security software (such as Norton Internet Security 2012) frequently which protects you from online phishing

Sunday, 16 December 2012

Major exploit discovered in Samsung phones

Whelp, it's that time of the week again. Or at least it seems like a new major exploit is revealed every week. Anyhow, this time it's Samsung's Android smartphones that are falling victim... or at least have that potential.

User Alephzain on the xda developers forum site revealed a security flaw in several Samsung devices (demonstrated on a Galaxy S III) that allows remote access to all physical memory. Such a vulnerability could allow hackers to brick your phone, download malware, or steal some really sensitive information.

"This security hole is dangerous and expose phone to malicious apps," Alephzain wrote in the thread.

Clearly, when an exploit like this is discovered, a public forum is the best place to go first... Fortunately, another forum poster said they had confirmed that Samsung is now aware of the issue. We'll see if they do much about it.

According to the post, the exploit can be used on the following devices:

Samsung Galaxy S2 GT-I9100, Samsung Galaxy S3 GT-I9300, Samsung Galaxy S3 LTE GT-I9305, Samsung Galaxy Note GT-N7000, Samsung Galaxy Note 2 GT-N7100, Verizon Galaxy Note 2 SCH-I605 (with locked bootloaders), Samsung Galaxy Note 10.1 GT-N8000, and the Samsung Galaxy Note 10.1 GT-N8010.

Wednesday, 12 December 2012

Top 5 ways to keep your email secure and safe!

When’s the last time you actually mailed a letter? Seriously think about it. If you’re anything like us, you’re probably not too sure.  And like us, I bet you send a ton of emails. But the old envelope and stamp is a bit underrated when it comes to security. Unlike email, real letters can’t be hacked, they can’t be copied en route, and if anyone reads them, they need to be ripped open, so you’ll know.

But there’s no reason your emails shouldn’t be just as safe. So, check out our top 5 safe email tips and correspond with confidence!

1.    Know your enemy

This is big. A lot of people worry about their spouse, boyfriend or coworkers going through their email and take security precautions accordingly. But the enemy you least expect is the one that’s going to get you. The girl looking over your shoulder at the coffee shop may be suspicious, but the guy in the corner sniffing packets is the one you should be watching.

The best solution is to be ready for anything. Emails contain a lot of sensitive and valuable information, so be ready for anyone who might want unauthorized access.

2.    Don’t put all your eggs in one basket

Split up your emails! You probably already have at least two accounts — one for work and one for personal stuff — but you should really break it down even further. Create another account for things like internet banking and bills. If your primary email account is compromised, you really don’t want the wrong people getting their hands on your account numbers and passwords.

We also recommend a separate account for newsletters. You know all those sites that require an email address to access their content? Most of them are selling that address to third parties that want to spam you with all kinds of things you’re probably not interested in. Relegate unsolicited ads to a newsletter/advertiser account and keep your inbox a little safer.

3.    Close your email account on shared computers

This one’s pretty obvious. If you access webmail from a public computer at a library or internet café, make sure you log off when you’re done! But even beyond that, empty the browser’s cache before you leave. All browsers keep a history and a cache that lists sites you’ve visited and content you’ve accessed. Some caches might even display some of the content you’ve looked at in your emails. So before you log off, just click over to settings and empty that cache.

4.    Encrypt!

This is where things get real. Keeping email safe on your computer is one thing, but, by its design, email must travel between servers and computers. And this is where your information is most vulnerable.

Hackers often employ a tactic called packet sniffing to steal your data. Normally, when a computer is connected to a network, it automatically collects only the packets with its own address on them. A packet sniffer, however, can collect all data packets moving on a network and it takes only a novice to reassemble that information on their own computer. In many cases, that data is your private email!

Encryption stops packet sniffers in their tracks. When you encrypt your data, the only thing cybercriminals see when they grab your packets is garbled gibberish.

Most webmail clients automatically offer some level of encryption. When you see the “s” at the end of “https://” in your webmail’s URL, that means they are using a form of encryption called Secure Sockets Layer (SSL). Unfortunately, many criminals can now crack some forms of SSL encryption, leaving your data exposed.

Desktop mail clients like Microsoft Outlook can also encrypt messages but require the sender and the recipient to first share private keys that are used to encrypt and decrypt the messages. While this is certainly useful for regular correspondents, it’s not particularly practical all the time.

So while SSL and private keys are both handy, if you want serious security, you’ll need to take matters into your own hands. And a virtual private network (VPN) is without a doubt the best way to keep your email safe after it leaves your computer. When you use a VPN, not only is your data thoroughly encrypted, but it also travels through a VPN tunnel that actually hides your packets. Unless your adversary has a supercomputer and a lot of time on his hands (it would take a supercomputer longer than the age of the known universe to crack a VPN’s 512-bit encryption), you’re safe.

5.    Inbox Canary

This is probably one of the coolest and most clever ideas I’ve ever heard, but it does require some substantial infrastructure.

Coder and blogger John Graham-Cumming developed what he calls the canary as a way to see if any nefarious individuals are accessing his Gmail account. Here’s how it works:

John created a bait email sent from a fake account with the subject line, “Barclays Private Banking: Confidential Account Details and Login Credentials.” He then starred the email, which keeps it at the top of his inbox. Surely, anyone looking for valuable information would click on it immediately.



Once opened, the email looks like a typical letter from a bank with a Barclays logo right in the message. This is the canary. The Barclays image is hosted on John’s personal server where he runs a bit of code that lets him know whenever the image is loaded. Since the image is loaded from the server any time anyone opens the email, the code on the server knows, the canary sings, and John knows somebody is in his email.

So there you have it! Follow our guidelines along with basic safe browsing techniques and your email will be safer than even old fashioned letters!

Monday, 10 December 2012

Androids getting hacked left and right, crooks make away with €300M


A lot of people I speak with seem to be under the unfortunate impression that smartphones are a safe device for conducting business, banking and other sensitive tasks. Those people would be sad to know that in many countries, the Android IOS is now under more attack than Windows.

In fact, in Australia, more than 10% of Android phones have been attacked within the last six months.
But even knowing that, it was shocking to hear that cybercriminals made away with nearly €36 million using Android-based malware. The malware targeted mobile banking users and siphoned away money by performing automatic transfers. It’s estimated that the crooks made away with €500 to €250,000 per attack.
The attack worked by infecting victims’ PCs and mobiles with a modified version of the Zeus trojan. When victims attempted online bank transactions, the process was intercepted by the trojan. Under the guise of upgrading the online banking software, victims were duped into giving additional information including their mobile phone number, infecting the mobile device. The mobile Trojan worked on both Blackberry and Android devices, giving attackers a wider reach. 
With victims’ PCs and mobile devices compromised, the attackers could intercept and hijack all the victims’ banking transactions, including the key to completing the transaction: the bank’s SMS to the customer containing the ‘transaction authentication number’ (TAN). With the account number, password, and TAN, the attackers were able to stealthily transfer funds out of victims’ accounts while victims were left with the impression that their transaction had completed successfully. [CheckPoint]
Customers at an estimated 30 different banks were affected by the attacks.

This is the kind of thing that can be prevented with just a few precautions. SumRando recommends using a dedicated browser only for online banking. If you normally use Firefox, use Chrome for banking. And certainly try to avoid banking on your smartphone if at all possible.

Thursday, 6 December 2012

It's not even illegal for advertising companies to hack your browser history


Here’s a joke: “Privacy”.
Laughing yet?
Seriously though, as if the legal violations of our online privacy weren’t bad enough, now it seems we need to contend with businesses literally hacking our information to make a few extra bucks.
The all-seeing eye of advertisers
Advertising network Epic Marketplace settled federal charges today that accused the company of illegally hacking website users’ browsers with a 10-year-old exploit that allowed them to view and cull information from users’ histories.
Let’s go ahead and take a moment to really appreciate how offensive this is. This is the same company that uses things like tracking cookies to follow everything you do anyway. This is also the kind of company that lobbied the federal government when Microsoft tried to disable tracking by default in their new browsers.
But here’s the best part. The settlement resulted in the Federal Trade Commission issuing an administrative complaint that requires the company to delete data obtained through this exploit and to “curb” further use of this method.
Um, what now?
If I break into your house and steal your TV, no court on the planet is going to ask me to “curb” this behavior in the future. They’re going to send my ass to prison. But I guess in this case they can’t do much because it’s not even illegal.
NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. The complaint is not a finding or ruling that the respondent has actually violated the law. A consent order is for settlement purposes only and does not constitute an admission by the respondent that the law has been violated. [FTC]

That’s right. Although the charges contend that the firm’s behavior was illegal, the settlement dodged any kind of legal position and resulted only in a slap on the wrist. This effectively means it’s not even illegal for a company to use a browser exploit to steal your personal information for their own gain.
This is the sad state of privacy legislation today. And this kind of behavior is hardly limited to the United States. I cannot emphasize enough the importance of taking your privacy and security into your own hands. At the very least, consider checking out a good VPN.

Sunday, 2 December 2012

What kind of online content is protected by free speech laws?


Most of the free speech legislation we have today was written for a time when music was only played live, movies were only for theaters, and people actually bought newspapers.

But a lot has changed. The web not only changed the way we communicate, but also the very concept of expression.

The issue made headlines in the United States last year when a bill (SOPA) was introduced that would require search engines to delete links to websites “dedicated to copyright infringement”. Proponents of the bill said the links were tools enabling piracy. Opponents argued that hyperlinks are a form of expression and should be protected.

Now, in a similar light, the British Phonographic Industry (BPI) has asked the UK Pirate Party to disable their Pirate Bay proxy service. Obviously, the Pirate Party has declined.

UK Pirate Party Leader Loz Kaye defended the service and said it’s an issue of censorship and freedom of expression.

According to Loz Kaye, "The battle against censorship and indeed the use of site blocking to deal with issues like copyright infringement is disproportionate and not productive. Issues like these are at the core of why we exist and why we want to change the current system and stand up for internet users." [TorrentFreak]

However, BPI’s Geoff Taylor said the proxy service is not an issue of free speech and should be disabled.

"Pirate Party UK's free speech arguments are a complete red herring. We are passionate believers in freedom of speech, but it doesn't justify The Pirate Bay helping themselves to other people's work. The human rights implications of blocking this illegal site have been fully considered by the High Court. Whatever their views, Pirate Party UK are no more above the law than anyone else." [MusicWeek]
Conveniently, no matter which side you fall on, you can always access the entire, uncensored internet (including the Pirate Bay) with a good VPN like SumRando.