Wednesday 28 November 2012

Criminals hack hotel room locks at the Hyatt

Sometimes cybercrime seems abstract. For the luddites (techno-muggles?) among us, the idea of stealing data doesn’t always seem as frightening or immoral as the theft of physical property.

Unfortunately for Hyatt Houston guest Janet Wolf, a Dell IT services consultant, cyber crime and physical crime came together in a perfect storm when a criminal was able to exploit a vulnerability in her hotel room’s electronic key card reader, allowing the thief to enter her room and steal her laptop.

Initially, hotel management suspected the maid staff, but after discovering that none of the maids’ keys had been used to open the door, other culprits were investigated, eventually leading police to 27-year-old Matthew Allen Cook, who was caught after selling the stolen laptop to a local pawnshop.

It turns out Cook used software and a device originally developed by Mozilla developer and security researcher Cody Brocious, who detailed the key card hack at the Black Hat security conference. Brocious’ device, as he demonstrated, could be built for less than $50 and utilized the DC port on the bottom of the door lock to access the lock’s memory, where a data string is stored that can trigger the door to open.

Fortunately, this is, so far, an isolated incident. But White Lodging, the franchise that manages the Houston Hyatt, said the vulnerable locks, made by a company called Onity, are used on more than 4 million hotel room doors worldwide.

So how do you patch a security flaw like this? As it turns out, quite literally, with a patch. White Lodging said they put putty in the DC ports of all of their hotel room locks to prevent further access.

Onity has also released a technical and mechanical solution to their lock problem and is currently filling orders for the new systems.

Sunday 25 November 2012

A Letter to Facebook

Dear Facebook,

We need to talk. You’ve been a bit of a jerk lately. Look, I know you’ve been under a lot of pressure this year. Your IPO back in May was, erm, less than impressive and you’ve been scrambling ever since to find a way to really monetize your business. But screwing over the very users that make your company successful is hardly a good solution.

Quite frankly, privacy has never been your strong suit. You still don’t let users actually delete their accounts, only “deactivate” them, leaving their information sitting in cyberspace until the end of time. But you know what, we got over that. After all, Facebook is about sharing. But now, you're changing your privacy policy so you can actually sell our personal information to your third-party affiliates. Sure, it’s a great way to make a few bucks, but it’s pretty unfair to the rest of us. This relationship is starting to feel a little abusive.

But that’s not even the end of it.

For a little while now, you’ve been operating by a system that allowed users to dictate company policy according to the “number of substantive comments” on a policy change. You thought, “Hey, if 7,000 people care, we should listen to what they have to say and let them vote on the issue.” Really, it was cute how much you cared about what we thought. Naïve, but cute. It must have been shocking when you realized that ::gasp:: people were posting just to raise the comments number towards the 7,000 mark. Fortunately, this realization has opened your eyes to what the rest of us already knew: commenters are jerks. Unfortunately, this has also made you a jerk.

So now you’re upset. Mean commenters have ruined your digital democracy. You’re thinking, “To hell with them, we’ll make our own decisions from now on.” Of course, your shift towards autocracy won’t sit easy with a lot of users and certainly not well with the technorati’s journalists and bloggers. So you’ve tried to quell fears of a social media dictatorship with promises that a new, better system will be implemented that encourages quality over quantity. Conveniently, you’ve failed to describe this system at all and nobody can quite figure out how it might work.

Facebook, we’ve had some really good times together. But as our relationship developed, I got the feeling you just don’t care about me. I really like you. I want you to be successful. I want you to make lots of money. But I also want a little bit of privacy and just a little say in what goes on around our personal data.

So before you go off the deep end turning us into dollar signs, remember that users like me are the only reason you exist at all. 

Wednesday 21 November 2012

OMG sending sexy pics with Snapchat is such a bad idea

[Image caption: Don't be this girl. She ended up on a cybersecurity blog!]

“My BFF Melissa, said she was like talking to Stacy, who like, knows this guy who is like cousins with that super dreamy guy Brian that I like kind of went out with the other weekend. And like this guy said Brian is going to ask me out again. OMG. I should like totally send him a naked picture of myself with Snapchat. There’s like, no way this could go horribly wrong.”

Somewhere, someone said or thought this. And it did indeed go horribly wrong. If you aren’t in the habit of sending saucy pictures over your mobile device, then you probably have no idea what I’m talking about, so let’s back up.

Snapchat is a new app available for Android and iOS devices that allows users to snap a picture of themselves and send it to someone on a timer. Once time runs out (it has a maximum of 10 seconds), the app deletes the picture. Snapchat is marketed to teenagers and young adults who tend to make poor life decisions and send pictures they don’t want around forever. The idea, of course, is to allow users to send naughty pictures without the risk that they’ll be posted on r/gonewild the next day.

As you may have realized by now, this app is the worst idea since black highlighters.

Although Snapchat does indeed delete images after the set amount of time (though the company has issued a disclaimer that basically says “no promises”), there is absolutely nothing stopping the recipient from simply taking a screenshot or using a camera once the picture is on the screen. If a screenshot is taken, Snapchat will alert the sender. But at that point, it’s a little late, and obviously there is no warning should the receiver use a camera to take a picture of the screen.

Look, I’m not saying there is anything wrong with two consenting adults sending each other risqué self-portraits. If you trust one another and understand the risks, by all means, go crazy*. Unfortunately, Snapchat is the kind of app that tries to lull users into a very false sense of security.

Actual security measures like a good VPN are great for a lot of things and will go a long way to keep your private information safe, but in some cases, nothing replaces good old-fashioned common sense.

*For the love of God, use a VPN like SumRando if you intend to send sexy pictures. Our encryption software will make sure only those you intend see your private (literally) information.

Sunday 18 November 2012

6 Strikes and you're out! Big Brother's cracking the whip in the U.S.

You know what we are just so excited about? The constant and steady erosion of privacy rights in the United States. I hope you’re picking up on the sarcasm. Sadly though, privacy will be taking another hit this month as American internet service providers team up with big content providers and implement a digital 1984 “Six Strikes” plan. Thankfully, a good VPN like SumRando can completely quash their attempts to police your personal life.

If Six Strikes sounds familiar, that’s because it’s been floating around as a possibility for some time now. And while there have been various versions and ideas suggested and each ISP will enforce the plan a little differently, all of them will be following a similar blueprint. Here’s how it works.

Rights holders will monitor peer-to-peer sharing sites like BitTorrent and look for users distributing and downloading content they (the rights holders) own. In the case of torrents, rights holders will look at the swarms (groups of people downloading and uploading a file) and record the IP addresses of swarm participants. Now, the rights holders will only be able to record IP addresses, not actual names or locations. At this point, the IP addresses will be passed on to the Internet Service Providers, who can then pair the IP address with the name of a subscriber. It should be noted that ISPs will not share names or any other details with rights holders. Once an ISP has identified a copyright violator, they will issue a strike. The more strikes you accumulate, the worse life gets.

Strike 1: The ISP will send an email notice to the email address registered with the account, notifying them that their account has been used to download illegal content.

Strike 2: This strike is the same as the first. Just a second notice.

Strike 3: On the third offense, an email will be sent out, but the account holder will be required to reply to the notice, confirming that they have actually received it. We’re not yet sure how the read receipt will work or what the consequences are for not acknowledging it.

Strike 4: Same as Strike 3.

Strike 5: This is where sh*t gets real. At this point, ISPs will implement what they call “mitigation measures”. There are several possibilities here. The worst is a suspension of service, leaving you sans internet. But some ISPs are saying they’ll only throttle internet speed. Once your connection is either throttled or suspended, you will be required to call your service provider to discuss your deviant ways. Fortunately for you, ISPs can choose whether or not to enforce the mitigation measures at Strike 5.

Strike 6: The mitigation measures are required. Frankly though, if you haven’t started using a VPN at this point, you pretty much deserve to have your internet cut off. (Just kidding. Kinda.)

Proponents of the Six Strikes plan say it’s a good alternative to litigation. Unfortunately, there’s no evidence and no likelihood that rights holders will stop suing anybody because of this plan.

The Center for Copyright Information, the grotesque organization spawned in a horrible ménage-à-trois involving American ISPs, Hollywood and the record labels, says the new approach will function “primarily as an educational system” and that it’s not intended to be used for enforcement. Right…

Like I said before, nobody at SumRando is advocating for any kind of illegal activity or speaking in support of copyright violators. However, we certainly believe that what you do on your computer and through your internet connection is your own business. As things are, both your ISP and rights holders (along with hundreds of other parties that have nothing to do with this system) are monitoring your online activity. This is both an invasion of your privacy and very creepy.

The ISPs have said that Six Strikes won’t affect “hardcore” rights violators because they’ll simply use a VPN to access the content. After all, when you use a VPN, you’re assigned an anonymous IP address that leads snoopers back to the VPN servers, not your computer. But it shouldn’t just be “hardcore” users who dodge Big Brother.

So in that sense, maybe I agree with the CCI. Let’s make this an “educational system”. Let’s make sure that every user on every ISP knows exactly what they need to do to keep their information away from the prying eyes of the content industry and ISPs.

Thursday 15 November 2012

Skype accounts get swiped

I love Skype. I use it all the time to talk "face-to-face" with far away family and friends. I'd be willing to say, in part, I depend on the program and service. So it really freaks me out when a service as popular as Skype is so easy to hack.

Fortunately, the flaw has been fixed. But here's the deal. Up until yesterday, in order to hack someone's Skype account, all you needed was their email address and username.

All that was required, according to the post, was knowledge of the e-mail address of the victim. Attackers could then register for a new account using the same address. Once logged in to the new account in the Skype client, attackers activated the password-reset feature and waited for the client to display instructions for resetting the passcode. [Ars Technica]

The post referred to by Ars is from a Russian website you can view in English via Google Translate here.

Here's the takeaway. At SumRando, we talk a lot about keeping your data safe. In fact, that's why we run such a great VPN, because we know what it's like to have information abused. But sometimes — as is the case here — the best personal security can't protect you from an attack. And in that light, we'd like to encourage all our users to be as careful as possible. If your email is compromised, but you have the help of great anti-virus software, careful browsing, and a bullet-proof VPN, it's unlikely anything too terrible is going to happen.
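The sequence in the Ars excerpt comes down to two missing checks on the service side: an email address could be claimed by a second account without proving control of the mailbox, and the reset instructions were shown to the client that asked rather than sent only to that mailbox. The Python below is an added model of that failure beside a hardened version. It is constructed for this page and is not Skype's code; the class names, usernames and addresses are invented.

```python
"""Toy model of the account-takeover flaw described in the Skype post.

Constructed example, not Skype's code. The vulnerable service lets a second
account be registered under an address already in use, with no proof of
control of the mailbox, and shows reset material for every account tied to
that address to the requesting client. The hardened service keeps addresses
unique, trusts an address only after verification, and sends reset material
to the mailbox only, never back to the client.
"""
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    email: str
    password: str
    email_verified: bool


class VulnerableService:
    """Models the behaviour the post describes; do not copy this design."""

    def __init__(self):
        self.accounts = {}  # username -> Account

    def register(self, username, email, password):
        # Defect 1: no uniqueness check and no ownership proof for the address.
        self.accounts[username] = Account(username, email, password, True)

    def request_reset(self, calling_username):
        # Defect 2: reset is keyed on the caller's address and the tokens are
        # returned to the calling client instead of being mailed out of band.
        caller = self.accounts[calling_username]
        return {a.username: secrets.token_urlsafe(16)
                for a in self.accounts.values() if a.email == caller.email}


class HardenedService:
    def __init__(self):
        self.accounts = {}     # username -> Account
        self.email_owner = {}  # normalised email -> username, enforced unique
        self.pending = {}      # username -> outstanding verification token
        self.outbox = []       # (email, message) pairs "sent" out of band

    @staticmethod
    def _norm(email):
        return email.strip().lower()

    def register(self, username, email, password):
        email = self._norm(email)
        if email in self.email_owner:
            raise ValueError("address already registered")
        self.email_owner[email] = username
        self.accounts[username] = Account(username, email, password, False)
        token = secrets.token_urlsafe(16)
        self.pending[username] = token
        self.outbox.append((email, "verify:" + token))  # proof of control

    def verify_email(self, username, token):
        expected = self.pending.get(username)
        if expected is None or not secrets.compare_digest(expected, token):
            return False
        self.accounts[username].email_verified = True
        del self.pending[username]
        return True

    def request_reset(self, calling_username):
        # Token goes only to this account's verified address; the client gets
        # the same empty answer whether or not the account exists.
        acct = self.accounts.get(calling_username)
        if acct is not None and acct.email_verified:
            self.outbox.append((acct.email, "reset:" + secrets.token_urlsafe(16)))
        return None


def vulnerable_scenario():
    """Replay the post's sequence; True means the attacker's client was
    shown reset material for the victim's account."""
    svc = VulnerableService()
    svc.register("victim", "victim@example.com", "correct horse")
    svc.register("attacker", "victim@example.com", "anything")  # accepted
    return "victim" in svc.request_reset("attacker")


def hardened_scenario():
    """Same sequence against the hardened service; returns a short verdict."""
    svc = HardenedService()
    svc.register("victim", "victim@example.com", "correct horse")
    _, msg = svc.outbox[-1]                      # owner reads the mailbox
    if not svc.verify_email("victim", msg.split(":", 1)[1]):
        return "verification failed"
    try:
        svc.register("attacker", "victim@example.com", "anything")
    except ValueError:
        pass                                     # duplicate address refused
    else:
        return "duplicate accepted"
    if svc.request_reset("victim") is not None:  # never echoed to the client
        return "token leaked to client"
    email, msg = svc.outbox[-1]
    if email != "victim@example.com" or not msg.startswith("reset:"):
        return "reset misrouted"
    return "refused"


if __name__ == "__main__":
    print("vulnerable:", vulnerable_scenario())  # True
    print("hardened:", hardened_scenario())      # refused
```

The hardened version also keeps the reset response identical for existing and non-existing accounts, so the endpoint cannot be used to confirm which addresses are registered.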

Wednesday 7 November 2012

Don't give away free porn

As if you need more reasons to be careful or (better yet) anonymous online, this past week, an illegal file sharer was fined $1.5 million for distributing movies through BitTorrent.

So here are the details: The defendant, Kywan Fisher, was sued earlier this year by adult entertainment company Flava Works after being caught sharing 10 of their films on torrent sites. Fisher had actually purchased the films originally, but decided to spread the love online.

Unfortunately for Fisher, Illinois federal court Judge John Lee wanted none of his love and ordered Fisher to shell out $150,000 per movie.

“Defendant's conduct was willful to the extent that he copied or distributed Flava Works, Inc.' intellectual property at least 10 times and caused the videos to be infringed or downloaded at least 3,449 times,” Lee wrote in a legal memo.

You’re probably thinking this is a pretty harsh punishment for sharing a few tasteful films. This guy must have had the worst representation. Well, as it turns out, he had no representation. He never showed up for court.

Look, we aren’t going to tell you what you should or should not do online. In fact, at SumRando, we have no idea what you do online. But should you choose to break the law, at least be careful about it. You know who wasn’t using a VPN like SumRando? Kywan “I owe $1.5 million” Fisher, that’s who.

And should you get caught, for goodness sake, show up in court!