A lot of my work at the moment revolves around cyber crime and cyber safety. In Connect, the weekly tech section in The Metro, my Hackageddon feature highlighted how vulnerable our data is online.
While there are precautions we can all heed and best practices we can each adopt when online – good password hygiene among the most important – we are still at the mercy of the organisations we trust to safeguard our data. Sadly, too many of these have been found wanting, with poor security contributing to the estimated 500,000,00 personal records that were leaked or lost in 2015 alone (source: Symantec).
In the Metro feature I look at passwords and password managers, the rise of ransomware, and how to check if your data has already been leaked. We also see how Facebook boss Mark Zuckerberg may take care to keep his details safe now, but how his previous poor security choices recently came back to bite him.
Read the full feature in the Metro e-edition here.
As a side note, the feature coincides with season two of Golden Globe-winning cybercrime drama Mr Robot airing on Amazon Prime Video. I enjoyed the first series – it’s a good drama with plenty of technical authenticity – and can’t wait now to get stuck into the second.
Right on the Money, hosted by Dom Littlewood and Denise Lewis, returns for a second season on BBC1 this summer and I’m excited to be part of the reporting team.
In Friday’s show I front a film about how make money on the move, armed with little more than a smartphone. I look at how people are using apps including Nimber, which pays you to be a courier, YouGov, which rewards you for sitting and submitting surveys, and also Bounts and Sweatcoin, which convert exercise into cash and prizes.
Here’s a quick clip from the show:
You can watch the full Right on the Money episode here (for as long as BBC iPlayer allows, that is).
Despite this appearing on screens in the height of summer, the item was filmed during the depths of winter – the shorts and t-shirt sequence in particular during a sub-zero day in High Wycombe!
Right on the Money airs on BBC1 weekdays 9.15-10am between 11th – 22nd July 2016.
Watchdog Wednesdays continues on BBC Three and in this week’s film I investigate how easily a criminal can hack a public Wi-Fi hotspot and compromise its users’ personal information.
Coffee shops, high streets and hotels increasingly offer free public Wi-Fi so visitors can sync up while they eat, shop or stay. However, as I’ve reported on before, Wi-Fi hotspots are easy to spoof, are frequently unsecured, and even when there is a password there is still no guarantee of safety.
Hacking the Hotspot
So, in a controlled experiment at a central London coffee shop, I set out to see what the hackers see. What I saw when the Watchdog cameras began rolling surprised even me:
— BBC Three (@bbcthree) April 20, 2016
With very little investment in time or equipment I learnt how to intercept traffic sent between users’ devices laptops, smartphones, tablets and the internet.
Just to be clear – I am not a hacker, I’m a journalist, but picking up the basics was worryingly easy.
The Man in the Middle
My attack (known as a ‘Man in the Middle‘ attack by ARP poisoning) targeted only a single device operated by a member of the BBC crew. It could equally have targeted a number of devices, perhaps all logged in to the Wi-Fi hotspot.
I found unencrypted traffic easily visible, plain text usernames and passwords flashed before my eyes in real time — gold dust for a hacker — and webpage images appeared on my hacktop just as they did on the victim’s machine. I was even able to work around some (but not all) websites’ attempts to enforce HTTPS security.
plain text usernames and passwords flashed before my eyes in real time — gold dust for a hacker
I was shocked that supposedly secure websites such as John Lewis, ebay and Amazon were vulnerable to this basic attack on an iPad, along with email accounts that didn’t have SSL security enabled. Facebook and Twitter didn’t fall for the hack.
Are we really aware of how easy it is for data we send over the airwaves to be intercepted by a silent criminal? I suspect not. This is a perfect crime where victims are unaware that their details have been compromised until the criminal executes his hack hours, days or weeks later when emails get intercepted, accounts get hijacked and funds go missing.
There’s nothing here that’s difficult to get hold of:
- Sony Vaio laptop
- External USB antenna
- Kali Linux operating system
- Tools including Wireshark, sslstrip, ettercap, driftnet
I should add that none of the software used here was illegal; Kali Linux and its bundled utilities are open source, promoted as ‘penetration testing and ethical hacking’ software and is used by security professionals to ensure their corporate networks and public websites remain secure to hackers. Of course, the very same software may also be used by hackers for malicious means. And then, of course, there is YouTube – there’s any number of tutorials here to help you get to grips with the tools and utilities mentioned above.
Stay Safe on Public Wi-Fi Hotspots
So there’s the scare story. But what can you do stay safe when on public WiFi?
- For light browsing I prefer to bring my own network and tether from my smartphone or Mi-Fi, but my data plan is generous (and yes, expensive) to allow for that; if cellular reception is poor it’s painfully slow or impossible.
- A VPN, or Virtual Private Network, is my next security measure – this creates a secure ‘tunnel’ between my laptop, tablet or smartphone and a server elsewhere on the internet into which a fraudster cannot eavesdrop. These can be free, fairly cheap or you can even build your own.
- If all else fails I make sure that websites I exchange data with support safe browsing, denoted by HTTPS and the green padlock (but beware that tools like ‘sslstrip’ can subvert this). I do not ignore errors from the web browser which talk about invalid certificates, even if I don’t understand exactly what they mean – I can visit those websites later when I’m on a secure connection.
How secure are apps? How do you know whether they’re secure if there’s no green padlock or HTTPS visible in an address bar? In my testing I found some apps that are blatantly not secure broadcasting personal details, but I’ll be exploring this in more detail very soon.
Watchdog Wednesdays, a spin-off from the popular BBC1 investigative consumer affairs show, has launched on BBC Three and I’m excited to be fronting its films about online hacks and scams.
My first film, a re-version of an item which aired in Watchdog in October, sees me and LBC’s James O’Brien shed light on a scam known to many as the ‘Microsoft Support Scam’, eventually catching the crooks red-handed.
A three-minute short can only tell so much of the story, so for the many who’ve gotten in touch here’s the technical bit:
On an Apple MacBook running virtual machine software I performed a fresh install of Microsoft Windows 7, loaded anti-malware software, and seeded files in my Users folder and desktop to make it look like a well-used PC. On the host Mac I ran screen recording software, an X server and the Wireshark packet sniffing software to help identify where the scammers were connecting from (alas, we didn’t get to cover the last bit in the film). My final tool was a web browser with some simple who.is tools, and an hour or so raking through some ‘who called me’ forums to find some leads.
The leak of personal details from the Ashley Madison extramarital dating website is one of the significant breaches of sensitive information in the web’s history.
High-profile data leaks have outed private customer data from internet service providers, online retailers and high-tech toy manufacturers in the last few months alone. As a result, cyberattacks have been elevated from trade-press niche news to stop-the-press nine o’clock news.
Yet the Ashley Madison data-breach is different: it wasn’t just email addresses and credit card details that were liberated this time, it was data of the most personal nature. Changing your passwords after a cyberhack is a hassle; salvaging your family relationships after being publicly outed on an adulterous dating website is something infinitely more profound.
While the story was still developing in August 2015 the team from Mentorn Media got in touch to ask if I could add some context to the story for a quick-turnaround documentary they were making for Discovery Networks. Beyond the hack itself, the show sought to explore the wider impact that internet and connected technology is having on 21st century sex and relationships – it’s not often I get to talk about teledildonics and virtual reality sex on television…
The documentary aired in September 2015 in the UK and in January 2016 in Australia. Here’s a trailer:
In whichever direction your moral compass points, Ashley Madison has for a long time been a hugely popular online destination. The Ashley Madison Agency Limited launched in 2001 and, until the events of July and August 2015, welcomed almost 125 million visitors every month from over 50 countries around the world.
Let’s talk about trolling. Last autumn I began working on a documentary for the BBC and, after several months and many late nights, it finally airs this week. In Troll Hunters I join YouTube vlogger Em Ford, a high-profile victim of internet trolls in the past, to investigate the rise of online abuse in Great Britain.
Online trolling has what could be described as a rich history that dates back to the first exchanges on the internet. Some consider trolling an art-form, others a menace. Opponents say it’s the internet equivalent of assault; supporters argue it’s about humour, mischief and freedom of speech. I believe the very term ‘trolling’ has become confused, too often a generalised catch-all used in the media for any harsh words online.
In making Troll Hunters we’ve strived to understand where trolling stops and online hate-crime begins. Throughout I’ve found myself challenging my own understanding of what trolling is and where the line falls between robust-but-defensible discourse and unacceptable online behaviour. I defend free-speech on the internet, I defend our right to express opinions and to question those in authority, and anonymity can play an important role in those. Provocation, mischief-making, mockery is a part of life online (fuelled by the online disinhibition effect, perhaps). As the saying goes, just because I disagree with you it does not make me a troll. But there are lines that should not be crossed.
For me, more often than not it comes down to intent: directing posts with a determination to abuse, menace or threaten somebody because of their gender, race, how they look, who they’re dating, their political beliefs or sexual orientation is not trolling, it’s abuse.
In its most extreme form, trolling is a criminal offence – one increasingly pursued by the police – but online anonymity remains a major barrier to conviction. As we learn in the show, trolling can escalate to levels so severe that victims and their families succumb to anxiety, depression and, tragically, suicide.
We also explore online anonymity and investigate whether it is possible to track down a troll. We attempt to understand the psychology and motivations of a troll, and to shine a light on the real-world impact of online bullying. The film also hopes to encourage cyber-victims to put a stop to the hatred levelled at them and stand up to their trolls.
All of the victims of trolling, online abuse, net-hate – call it what you will – that we spoke to had one thing in common, a question above others that they each needed answering: Why? What motivates their troll, why do they expend so much energy in singling our their victim? Sadly, there is not one common answer.
I find it difficult to believe that a documentary like Troll Hunters will make a substantial difference to life online, but I do hope it empowers victims of online abuse to see beyond their abusers’ masks. I also hope that by seeing the real-world distress caused by their actions some would-be trolls are persuaded to behave more responsibly online.
Troll Hunters airs on BBC Three at 9pm on Wednesday 27th January 2016 as part of the One Click Away season.
*** Update *** Troll Hunters will also run on BBC1 on Tuesday 9th February 2016 at 11.15pm
CES – or the International Consumer Electronics Show to give its full name – is in full swing and I’m here in Las Vegas making some sense of the tech gifts we’ll be unwrapping in Christmas 2016 and beyond.
As expected virtual reality, unmanned aerial vehicles (okay, drones), connected home/internet of things and wearables are all well represented here, as is the motoring industry with major announcements on driverless cars, electric vehicles and more from the likes of Ford, Toyota and newcomer Faraday Future.
Here’s a quick hit of one of my live reports for the Mark Forrest show on BBC radio broadcast midway through press day:
Make no mistake, hoverboards have been the hot technology of 2015.
Fuelled by Back to the Future fever and celebrity spots with Jamie Foxx, Justin Bieber et al, self-balancing scooters (to give them their proper name) have proven so popular with the public that online auction site eBay reported sales of one every twelve seconds earlier in December.
On Thursday I joined the ITV Good Morning Britain team to talk through the hoverboard phenomenon and the growing safety concerns that have led retailers around the world to stop selling and start refunding.
Negotiating an obstacle course on a hoverboard in windy conditions while answering Ben Shephard’s questions live on national television? No sweat!
There are two powerful safety angles to this story:
First up, hoverboards are heavy, powerful vehicles requiring skill, balance and practice to master. Unlike a Segway – considered the hoverboard’s forebear by many – there are no handlebars here, it’s just a motorised sideways skateboard.
Like the Segway, however, it is illegal to ride hoverboards on public streets and pavements in the UK. When the Crown Prosecution Service issued a statement reinforcing this guidance in October some argued the law (derived from the Highway Act of 1835 in England and Wales) was overbearing and heavy-handed. Then, last week, a 15 year-old lost control and was killed, run over by a London bus after losing balance on a hoverboard.
The other safety angle is the construction of the boards themselves. Leaping aboard the lucrative coat-tails of the hoverboard craze far-east manufacturers have mass produced hoverboards to lower price points with inevitable corner-cutting. Sadly, these short-cuts have been potentially lethal, with basic safety standards and common sense all but ignored. The main flashpoint has been the electronics.
One problem is that lithium-ion batteries used are notoriously unstable unless properly shielded. Major airlines are refusing to carry hoverboards in hold or checked luggage for risk of the batteries catching fire mid-flight. The other problem is that to keep costs low manufacturers are choosing to ship hoverboards with inferior quality poorly-shielded batteries, without thermal cutout circuitry or fuses in their plugs. Outcomes have included spontaneous explosions and fires and have been well-documented in various social media and the mainstream press. National Trading Standards claims to have examined thousands of self-balancing scooters at UK borders since October, with 88% (15,000) assessed to be unsafe and detained.
Eager to avoid a PR horror story major retailers have been quick to ground hoverboards, pulling stock from shelves and issuing health and safety advisories faster than you can say Great Scott. Amazon has been issuing automated refunds to customers and advising to dispose of hoverboards in WEEE approved sites.