Friday 28 September 2012

Iran tightens grip on digital content

We’ve often said that signing onto your VPN should be as natural and quick as locking the door on your way out of the house. For many SumRando users, this is exactly how our service is used — as a layer of security between their personal data and any prying eyes. And SumRando is great for that. Whether you want to watch Hulu videos in Sweden or check the BBC in Hong Kong, we’re there for you.

For others, a VPN is more than just a security measure — it’s a portal to freedom.

But let’s back up.

About two weeks ago, U.S. Ambassador to Libya Christopher Stevens and three others were murdered in an attack framed as a response to a YouTube video that mocked the prophet Muhammad. Now, evidence has emerged indicating a branch of Al Qaeda orchestrated the attack and used the erupting video protests as a veil to justify murder to an already agitated population. But this should come as no surprise. Groups like Al Qaeda seek to control the masses and, like so many others, are ready to use any excuse available to sell a denigration of freedom to their subjects.

And now, in further responses to the controversial (and clearly hateful) video, other parties are looking to take advantage of an upset populace and tighten their grip.

Yesterday, Iranian President Mahmoud Ahmadinejad spoke to the United Nations delegates in New York City offering a conciliatory tone and attempting to display a willingness to understand the perspectives of other regional governments. But while Ahmadinejad spoke softly, his regime tightened its grip at home, further implementing a plan to cut off the Iranian public from the World Wide Web and, subsequently, the kinds of ideas and concepts that run contrary to those of its government.

“Due to the repeated demands of the people, Google and Gmail will be filtered nationwide. They will remain filtered until further notice,” read a government distributed message attributed to Abdul Samad Khoramabadi, an adviser to Iran’s public prosecutor’s office and the secretary of an official group tasked with detecting Internet content deemed illegal.

Iranian officials claim that the continued choking of Internet access is aimed to create a safer online community for Iranians — keeping them safe from information leaks. But, obviously, we know better. For a detailed image of the situation, let’s look at the history.

The Iranian government has long exercised a policy of media censorship — actively banning print and television content for some time. In response to the censors, dissident publications moved to digital outlets that, at the time, were free to broadcast on an uncensored net. This, unfortunately, would not last. In 2003 authorities published a list of 15,000 websites deemed immoral or in opposition to the ruling party and required Internet service providers to block access. At this point, only about 2 million Iranians had Internet access (contrast that with over 20 million today).

By 2005, researchers discovered, by remotely accessing computers within Iran’s networks, 34% of URLs were blocked by the censors including 100% of pornographic websites, 15% of blogs, and 30% of news sites. 94% of sites offering advice or services to circumvent online censorship were also blocked.

In the wake of the clearly rigged 2009 presidential elections the censors crossed yet another line, embarking on efforts to not only silence domestic online dissidents, but also those abroad in the Iranian diaspora. While the government was unable to detain anyone out of country, family members still residing in Iran were arrested and used to leverage silence among bloggers, writers and journalists around the world.

In advance of the March 2012 parliamentary elections, connection speeds were seriously slowed and new rules were put in place to closely monitor online activity. In a police statement reported by Iranian news service Tabnak, authorities said, "Internet cafes are required to write down the forename, surname, name of the father, national identification number, postcode and telephone number of each customer."

At the same time, tests began on the implementation of a national information network designed to replace the Internet and further sever ties with the rest of the world. Now, all government agencies are using the national information network and citizens are seeing more censorship than ever.

As of March 2012, 27% of all websites were blocked in Iran. The censorship has become so blanketed, in fact, that the Ayatollah’s own Fatwa against anticensorship was censored because it contained the word “anticensorship”.

Fortunately, there’s hope.

While traditional Internet connections are severely limited. Many Iranians use VPN services to access the full, unabridged Internet. Better yet, VPNs allow users to surf anonymously so dissident posters can express anti-establishment views without fear of reprisal.

Here at SumRando, we unequivocally believe the Internet should be an open platform, free from any kind of government censorship or limitation. Furthermore, we would like to invite users in Iran and everywhere else to use SumRando’s services to access the unlimited potential of the world’s greatest communications platform for the free expression of ideas and content.

Tuesday 25 September 2012

Rent-to-own computers secretly film renters

This week in creepy:

If you’re at all familiar with “rent-to-own” computer companies, you know that the basic premise allows customers to rent rather than buy a computer, ideally letting users constantly upgrade to new technology. What you probably didn’t know is that several of these companies are watching you during your most intimate of moments.
This guy definitely wishes he made his payments on time.

Ars Technica reported today that seven of these rent-to-own companies have settled federal charges in the United States, admitting they used spyware on rented computers to monitor locations, usernames, passwords and even webcam activity for more than 420,000 customers.

The companies used monitoring software called PC Rental Agent — developed by Pennsylvania based company DesignerWare. According to the civil complaint filed earlier this year, the software was distributed to more than 1,600 rental stores in the U.S., Canada and Australia and is supposed to be used to monitor the location of rented computers. Unfortunately, distributors decided it would be a good idea to abuse the software, using a feature called “Detective Mode” to monitor all computer activity. As you may have assumed by the name, Detective Mode was designed to help locate and possibly disable computers if payments become delinquent. Unfortunately, it looks like it ended up taking a turn for the creepy.
In numerous instances, data gathered by Detective Mode has revealed private, confidential, and personal details about the computer user.  For example, keystroke logs have displayed usernames and passwords for access to email accounts, social media websites, and financial institutions.  Screenshots have captured additional confidential and personal information, including medical records, private emails to doctors, employment applications containing Social Security numbers, bank and credit card statements, and discussions of defense strategies in a pending lawsuit.  When activated, Detective Mode can also cause a computer’s webcam to surreptitiously photograph not only the computer user, but also anyone else within view of the camera.  In numerous instances, Detective Mode webcam activations have taken pictures of children, individuals not fully clothed, and couples engaged in sexual activities. [FTC]
Somewhat shockingly, the settlement involved no cash compensation, but only an agreement that Detective Mode would no longer be used to monitor users.

Friday 21 September 2012

iPhone 5 already hacked

“Cybercriminals and hackers will always be one step ahead of developers.”

This is the mantra you tend to hear regularly spouted by top security experts. The idea, of course, is that as soon as new security technology becomes available, someone will immediately break it, leaving developers and security gurus in a frustrating reactionary state.

And this concept couldn’t have been better demonstrated than it was this past week when some Dutch researchers developed a hack for the iPhone 5… days before its release.

The researchers developed the hack using a developer model of iOS 6 to test their methods, which means the same vulnerability is present on the official iPhone 5 release.
"It took about three weeks, starting from scratch, and we were only working on our private time," says Joost Pol (photo left), CEO of Certified Secure, a nine-person research outfit based in The Hague. Pol and his colleague Daan Keuper used code auditing techniques to ferret out the WebKit bug and then spent most of the three weeks chaining multiple clever techniques to get a "clean, working exploit." [ZDNet]
The hack earned the team a $30,000 cash prize at the Pwn2Own contest.

But despite the early security breach, the developers contend that the new iPhone is not only a very secure device, but the safest mobile device available in today’s market. Unfortunately, that’s not saying much when it took only three weeks to hack it.

"We really wanted to show that it is possible, limited time, with limited resources, to exploit the hardest target. That's the big message. No one should be doing anything of value on their mobile phone," Pol said. “It's important for people to understand, especially businesses, that mobile devices should never be used for important work."

We couldn’t agree more. 

Tuesday 18 September 2012

Subway fails at security, hackers steal $10 million

You know what’s scary? The fact that even when using every security precaution at my disposal, my information is still at risk because the morons I deal with on a daily basis don’t take my digital security seriously.

In this case, the morons are the IT folks at Subway restaurants whose point of sale (PoS) terminals were compromised by a group of Romanian hackers.
Dolan (hacker No. 1) admitted that he, along with Oprea (hacker No. 2), remotely hacked into U.S. merchants’ “point-of-sale” (POS) or “check out” computer systems, where customers’ payment card data was electronically stored.   Specifically, Dolan first remotely scanned the internet to identify U.S.-based vulnerable POS systems with certain remote desktop software applications (RDAs) installed on them.  Using these RDAs, Dolan logged onto the targeted POS systems over the internet.  These were typically password-protected, so Dolan would attempt to crack the passwords, where necessary, to gain administrative access.  He would then remotely install software programs called “keystroke loggers” (or “sniffers”) onto the POS systems.  These programs would record, and then store, all of the data that was keyed into or swiped through the merchants’ POS systems, including customers’ payment card data. [DOJ]

According to the U.S. Department of Justice, the hackers stole credit card information for nearly two years, obtaining more than 146,000 credit card numbers and stealing over $10 million.

The pair of hackers were charged last December and extradited from Romania in May and have just this past week plead guilty as part of a plea deal.

While such an egregious absence of security considerations seems completely mind blowing to us security-minded folks at SumRando, it’s probably safe to assume that if data at a company as large as Subway can be breached so easily, there are certainly other easy marks out there.

Thursday 13 September 2012

Apache gives middle finger to Microsoft. Auto-disables Do-Not-Track

Server software company Apache has decided to take matters into their own hands in the ongoing battle involving Microsoft’s Do-Not-Track setting on Internet Explorer 10.
A new patch will be added to all Apache server software that ignores browser Do-Not-Track requests if the requesting browser is Internet Explorer. Since Apache is the most popular software on servers hosting websites, this has pretty serious implications.
If you haven’t been keeping up, Microsoft announced several months ago that Internet Explorer 10 will have the “Do-Not-Track” setting checked by default. In most browsers, ad companies place cookies that allow them to track your habits and clicks as you bounce around the Internet. This tracking is great for advertising because it allows companies to sell very targeted ad space at a premium. The tracking is bad for people because it’s creepy.
This is Roy. He loves
tracking software.
Roy Fielding, the scientist who created the patch, wrote this on the topic: 
The only reason DNT exists is to express a non-default option. That's all it does. It does not protect anyone's privacy unless the recipients believe it was set by a real human being, with a real preference for privacy over personalization. 
Microsoft deliberately violates the standard. They made a big deal about announcing that very fact. Microsoft are members of the Tracking Protection working group and are fully informed of these facts. They are fully capable of requesting a change to the standard, but have chosen not to do so. The decision to set DNT by default in IE10 has nothing to do with the user's privacy. Microsoft knows full well that the false signal will be ignored, and thus prevent their own users from having an effective option for DNT even if their users want one. You can figure out why they want that. If you have a problem with it, choose a better browser.[]
So, Fielding argues that for the DNT request to be valid, it must be implemented by a human being, not turned on by default in a browser. Ok, fine, weird perspective, but whatever. But the problem with this patch is that even if a user would very consciously like to turn on DNT, if that user is on Internet Explorer, his request will be ignored.
We suggest stopping all tracking software with a VPN like SumRando.

Saturday 8 September 2012

Five reasons you should be using a VPN like SumRando

So, yesterday, I got chatting with an acquaintance from Hong Kong about SumRando and VPNs. After a bit of talk about “The Great Firewall of China” and explaining how VPNs work and why SumRando’s so great, he blurted out, “Oh! I use a VPN to watch the BBC's streaming content!”

How cool is that?

In fairness, it's not unusual to hear conversations about online security these days. But somehow, a lot of people still say something along the lines of, “What do I care if companies know my information?” or “I don’t have any information worth stealing, so I don’t need tight security.”

Oh realllllly?

Do you have a bank account? Oh, you do?

Do you have private information in your email that you might not want the world to see? Yes?

I think you’re getting the picture.

The fact is everyone would be better off using the secure connection achieved with a VPN. But, in case you’re not convinced, here are several reasons you should be using a VPN like SumRando.

1.     Security:
Not just “I turned on my virus program thing so I should be ok” security. We’re talking Fort Freaking Knox security. Working over that open Wi-Fi network at the coffee shop? No problem. VPNs like SumRando create a tunnel of encryption around all of your activity so anyone trying to monitor you gets absolutely nothing!
 2.     No more creepy/annoying ad tracking: Ever shop for something on Amazon and subsequently see ads for it popping up on every other site you go to? This isn’t just annoying (because you already bought the thing on Amazon), it’s a violation of your privacy. Stop tracking software in its tracks (literally) with a VPN. All the trackers will see is the IP address of your VPN service.  

Let's all agree that this company
3.     Access to the unabridged internet: Want to visit in Kenya? Too bad. Facebook in China? Tough cookies. But sure enough, a VPN will let me catch the latest episode of Jersey Shore while updating my news feed from anywhere in the world. This works because awesome VPNs like SumRando have servers all over the place, and you get to pick the one you connect to. So while I’m sitting at a cafĂ© in Cairo, the sites I’m visiting think I’m from New York.
4.     Your ISP won’t stalk you: Did you know your internet service provider keeps logs of everything you do online? Seriously. Everything. As far as I’m concerned, the number of times I visit per day is nobody’s business but mine.
 5.     It’s absurdly easy: Logging on and using a VPN is literally easier than locking the door when you leave your house, so there’s absolutely no reason everyone shouldn’t be using one. To log in, all you need to do is double-click that SumRando icon on your desktop and you’re ready to surf. Think of it as part of your daily routine.

So quit procrastinating! It’s time we all started taking our online security a little more seriously. Sign up for a VPN today!