A lot of my work right now has hooks into cyber crime and cyber safety. In Connect, the weekly tech section in The Metro, my Hackageddon feature highlighted how vulnerable our data is online.
While there are precautions we can all heed and best practices we can each adopt when online – good password hygiene among the most important – we are still at the mercy of the organisations we trust to safeguard our data. Sadly, too many of these have been found wanting, with poor security contributing to the estimated 500,000,000 personal records that were leaked or lost in 2015 alone (source: Symantec).
In the Metro feature I look at passwords and password managers, the rise of ransomware, and how to check if your data has already been leaked. We also see how Facebook boss Mark Zuckerberg may take care to keep his details safe now, but how his previous poor security choices recently came back to bite him.
Read the full feature in the Metro e-edition here.
As a side note, the feature coincides with season two of Golden Globe-winning cybercrime drama Mr Robot airing on Amazon Prime Video. I enjoyed the first series – it’s a good drama with plenty of technical authenticity – and can’t wait now to get stuck into the second.
Right on the Money, hosted by Dom Littlewood and Denise Lewis, returns for a second season on BBC1 this summer and I’m excited to be part of the reporting team.
In Friday’s show I front a film about how to make money on the move, armed with little more than a smartphone. I look at how people are using apps including Nimber, which pays you to be a courier, YouGov, which rewards you for sitting and submitting surveys, and also Bounts and Sweatcoin, which convert exercise into cash and prizes.
Here’s a quick clip from the show:
You can watch the full Right on the Money episode here (for as long as BBC iPlayer allows, that is).
Despite this appearing on screens in the height of summer, the item was filmed during the depths of winter – the shorts and t-shirt sequence in particular during a sub-zero day in High Wycombe!
Right on the Money airs on BBC1 weekdays 9.15-10am between 11th – 22nd July 2016.
Watchdog Wednesdays continues on BBC Three and in this week’s film I investigate how easily a criminal can hack a public Wi-Fi hotspot and compromise its users’ personal information.
Coffee shops, high streets and hotels increasingly offer free public Wi-Fi so visitors can sync up while they eat, shop or stay. However, as I’ve reported on before, Wi-Fi hotspots are easy to spoof, are frequently unsecured, and even when there is a password there is still no guarantee of safety.
Hacking the Hotspot
So, in a controlled experiment at a central London coffee shop, I set out to see what the hackers see. What I saw when the Watchdog cameras began rolling surprised even me:
— BBC Three (@bbcthree) April 20, 2016
With very little investment in time or equipment I learnt how to intercept traffic sent between users’ devices (laptops, smartphones, tablets) and the internet.
Just to be clear – I am not a hacker, I’m a journalist, but picking up the basics was worryingly easy.
The Man in the Middle
My attack (known as a ‘Man in the Middle’ attack by ARP poisoning) targeted only a single device operated by a member of the BBC crew. It could equally have targeted a number of devices, perhaps all logged in to the Wi-Fi hotspot.
I found unencrypted traffic easily visible, plain text usernames and passwords flashed before my eyes in real time — gold dust for a hacker — and webpage images appeared on my hacktop just as they did on the victim’s machine. I was even able to work around some (but not all) websites’ attempts to enforce HTTPS security.
I was shocked that supposedly secure websites such as John Lewis, eBay and Amazon were vulnerable to this basic attack on an iPad, along with email accounts that didn’t have SSL security enabled. Facebook and Twitter didn’t fall for the hack.
Are we really aware of how easy it is for data we send over the airwaves to be intercepted by a silent criminal? I suspect not. This is a perfect crime where victims are unaware that their details have been compromised until the criminal executes his hack hours, days or weeks later when emails get intercepted, accounts get hijacked and funds go missing.
There’s nothing here that’s difficult to get hold of:
- Sony Vaio laptop
- External USB antenna
- Kali Linux operating system
- Tools including Wireshark, sslstrip, ettercap, driftnet
I should add that none of the software used here was illegal; Kali Linux and its bundled utilities are open source, promoted as ‘penetration testing and ethical hacking’ software and are used by security professionals to ensure their corporate networks and public websites remain secure to hackers. Of course, the very same software may also be used by hackers for malicious means. And then, of course, there is YouTube – there’s any number of tutorials here to help you get to grips with the tools and utilities mentioned above.
Stay Safe on Public Wi-Fi Hotspots
So there’s the scare story. But what can you do to stay safe when on public WiFi?
- For light browsing I prefer to bring my own network and tether from my smartphone or Mi-Fi, but my data plan is generous (and yes, expensive) to allow for that; if cellular reception is poor it’s painfully slow or impossible.
- A VPN, or Virtual Private Network, is my next security measure – this creates a secure ‘tunnel’ between my laptop, tablet or smartphone and a server elsewhere on the internet into which a fraudster cannot eavesdrop. These can be free, fairly cheap or you can even build your own.
- If all else fails I make sure that websites I exchange data with support safe browsing, denoted by HTTPS and the green padlock (but beware that tools like ‘sslstrip’ can subvert this). I do not ignore errors from the web browser which talk about invalid certificates, even if I don’t understand exactly what they mean – I can visit those websites later when I’m on a secure connection.
How secure are apps? How do you know whether they’re secure if there’s no green padlock or HTTPS visible in an address bar? In my testing I found some apps that are blatantly not secure broadcasting personal details, but I’ll be exploring this in more detail very soon.
Watchdog Wednesdays, a spin-off from the popular BBC1 investigative consumer affairs show, has launched on BBC Three and I’m excited to be fronting its films about online hacks and scams.
My first film, a re-version of an item which aired in Watchdog in October, sees me and LBC’s James O’Brien shed light on a scam known to many as the ‘Microsoft Support Scam’, eventually catching the crooks red-handed.
A three-minute short can only tell so much of the story, so for the many who’ve gotten in touch here’s the technical bit:
On an Apple MacBook running virtual machine software I performed a fresh install of Microsoft Windows 7, loaded anti-malware software, and seeded files in my Users folder and desktop to make it look like a well-used PC. On the host Mac I ran screen recording software, an X server and the Wireshark packet sniffing software to help identify where the scammers were connecting from (alas, we didn’t get to cover the last bit in the film). My final tool was a web browser with some simple who.is tools, and an hour or so raking through some ‘who called me’ forums to find some leads.
The leak of personal details from the Ashley Madison extramarital dating website is one of the significant breaches of sensitive information in the web’s history.
High-profile data leaks have outed private customer data from internet service providers, online retailers and high-tech toy manufacturers in the last few months alone. As a result, cyberattacks have been elevated from trade-press niche news to stop-the-press nine o’clock news.
Yet the Ashley Madison data-breach is different: it wasn’t just email addresses and credit card details that were liberated this time, it was data of the most personal nature. Changing your passwords after a cyberhack is a hassle; salvaging your family relationships after being publicly outed on an adulterous dating website is something infinitely more profound.
While the story was still developing in August 2015 the team from Mentorn Media got in touch to ask if I could add some context to the story for a quick-turnaround documentary they were making for Discovery Networks. Beyond the hack itself, the show sought to explore the wider impact that internet and connected technology is having on 21st century sex and relationships – it’s not often I get to talk about teledildonics and virtual reality sex on television…
The documentary aired in September 2015 in the UK and in January 2016 in Australia. Here’s a trailer:
In whichever direction your moral compass points, Ashley Madison has for a long time been a hugely popular online destination. The Ashley Madison Agency Limited launched in 2001 and, until the events of July and August 2015, welcomed almost 125 million visitors every month from over 50 countries around the world.
Around this time I’m often asked what I think will be the big technology trends for the coming year. This time I thought it would make sense to get my thoughts together and share them on my YouTube channel.
As it happened the first opportunity I had to do this was while I was in Las Vegas for CES – rather aptly, the world’s largest technology show.
So, in no particular order, my top tech predictions for the year ahead:
- Virtual Reality – 2016 is the year VR takes its biggest steps yet into the mainstream. Off the back of major investments and acquisitions by some of consumer technology’s largest firms, this year sees long-awaited releases from the likes of Sony (PlayStation VR), Facebook (Oculus Rift), HTC (HTC Vive). Virtual reality becomes actual reality this year, and Christmas 2016 will be a key battleground.
- Biometrics – If the high-profile hacks and data breaches of 2015 taught us anything it’s that usernames and passwords are broken. Biometric authentication – whether fingerprint, retina or even voice – will continue to grow in 2016.
- Mobile Payments – Apple Pay, Android Pay and more please – I for one am hoping it’s all change for loose change this year as these payment systems expand beyond premium devices into the mid-range. And while BitCoin took a bit of a battering in 2015, the underlying block chain technology is what is piquing the interest of many mainstream players.
- Internet of Things – Embedding everyday objects with computing power and connectivity; connecting people with their possessions and their possessions with one another (I may have unwittingly borrowed, condensed or paraphrased those definitions from others over the years). I really hope we stop talking about IoT in 2016 and start seeing it instead – more everyday stuff getting connected (notwithstanding safety concerns – VTech et al). A little less IoT conversation, a little more IoT action please.
- Drones – in the beginning drones were about fun: the category breakthrough device was the 2010 Parrot AR.Drone, an augmented reality gaming device (hence the AR); however, the French firm soon realised the onboard camera was what got everybody excited and so the drone photography and videography revolution began. However, the next revolution here will be about non-camera payloads – how drones (eg Amazon delivery drones are a, ahem, Prime example) are able to carry small packages further and further.
The YouTube video was picked up by ITN Productions tech show N2K and cut into one of the January episodes – I haven’t seen the show yet but will be sure to share here when I do.
I rather enjoyed compiling my 2016 predictions, so I plan to do a debrief later in the year to see how close to the mark I’ve been, then to try again with my top tech trends for 2017.
Let’s talk about trolling. Last autumn I began working on a documentary for the BBC and, after several months and many late nights, it finally airs this week. In Troll Hunters I join YouTube vlogger Em Ford, a high-profile victim of internet trolls in the past, to investigate the rise of online abuse in Great Britain.
Online trolling has what could be described as a rich history that dates back to the first exchanges on the internet. Some consider trolling an art-form, others a menace. Opponents say it’s the internet equivalent of assault; supporters argue it’s about humour, mischief and freedom of speech. I believe the very term ‘trolling’ has become confused, too often a generalised catch-all used in the media for any harsh words online.
In making Troll Hunters we’ve strived to understand where trolling stops and online hate-crime begins. Throughout I’ve found myself challenging my own understanding of what trolling is and where the line falls between robust-but-defensible discourse and unacceptable online behaviour. I defend free-speech on the internet, I defend our right to express opinions and to question those in authority, and anonymity can play an important role in those. Provocation, mischief-making, mockery is a part of life online (fuelled by the online disinhibition effect, perhaps). As the saying goes, just because I disagree with you it does not make me a troll. But there are lines that should not be crossed.
For me, more often than not it comes down to intent: directing posts with a determination to abuse, menace or threaten somebody because of their gender, race, how they look, who they’re dating, their political beliefs or sexual orientation is not trolling, it’s abuse.
In its most extreme form, trolling is a criminal offence – one increasingly pursued by the police – but online anonymity remains a major barrier to conviction. As we learn in the show, trolling can escalate to levels so severe that victims and their families succumb to anxiety, depression and, tragically, suicide.
We also explore online anonymity and investigate whether it is possible to track down a troll. We attempt to understand the psychology and motivations of a troll, and to shine a light on the real-world impact of online bullying. The film also hopes to encourage cyber-victims to put a stop to the hatred levelled at them and stand up to their trolls.
All of the victims of trolling, online abuse, net-hate – call it what you will – that we spoke to had one thing in common, a question above others that they each needed answering: Why? What motivates their troll, why do they expend so much energy in singling out their victim? Sadly, there is not one common answer.
I find it difficult to believe that a documentary like Troll Hunters will make a substantial difference to life online, but I do hope it empowers victims of online abuse to see beyond their abusers’ masks. I also hope that by seeing the real-world distress caused by their actions some would-be trolls are persuaded to behave more responsibly online.
Troll Hunters airs on BBC Three at 9pm on Wednesday 27th January 2016 as part of the One Click Away season.
*** Update *** Troll Hunters will also run on BBC1 on Tuesday 9th February 2016 at 11.15pm
CES – or the International Consumer Electronics Show to give its full name – is in full swing and I’m here in Las Vegas making some sense of the tech gifts we’ll be unwrapping in Christmas 2016 and beyond.
As expected virtual reality, unmanned aerial vehicles (okay, drones), connected home/internet of things and wearables are all well represented here, as is the motoring industry with major announcements on driverless cars, electric vehicles and more from the likes of Ford, Toyota and newcomer Faraday Future.
Here’s a quick hit of one of my live reports for the Mark Forrest show on BBC radio broadcast midway through press day: