Posts tagged Cyber Security
The new series of Rip Off Britain begins this Monday on BBC1 resuming its mission to expose shams, scams and poor customer service.
In this series I look at how failures in Vodafone’s billing systems and customer services have left subscribers out of pocket and with costly black marks on their credit history; also I investigate how freely available information might be used by identity thieves to build up detailed profiles of their victims.
One item that I hope to be covering more of is the future of passwords.
Like a stuck record, over the last four or so seasons on Rip Off Britain I’ve made the point again and again about the importance of good password hygiene to minimise the risk of hacks.
But recent developments in voice biometrics technology might be part of a move to make our live online much safer. In fact, customers of some major UK banks and service providers are already using just their voices to securely log-in to their online accounts.
The software claims to analyse around one hundred different behavioural and physical characteristics of our voices (for example accent or length of vocal folds) and is being used by customers of TalkTalk and HSBC among others. Its developer, Nuance, says the technology is so sophisticated that it can even distinguish between identical twins.
We took a special version of the voice recognition app to the BBC pop up shop at the Trafford Centre in Manchester to discover whether shoppers there felt secure using their voice as their password.
Rip Off Britain airs on BBC1 Monday to Friday from 12th September at 9.15am.
A lot of my work right now is around cyber crime and cyber safety. My Hackageddon feature this week’s Connect section in The Metro illustrates some ways in which our online data might be vulnerable.
While there are precautions we can all heed and best practices we can each adopt when online – good password hygiene among the most important – we are still at the mercy of the organisations we trust to safeguard our data. Sadly, too many of these have been found wanting, with poor security contributing to the estimated 500,000,000 personal records that were leaked or lost in 2015 alone (source: Symantec).
In the Metro feature I look at passwords and password managers, the rise of ransomware, and how to check if your data has already been leaked. We also see how Facebook boss Mark Zuckerberg may take care to keep his details safe now, but how his previous poor security choices recently came back to bite him.
Read the full feature in the Metro e-edition here.
As a side note, the feature coincides with season two of Golden Globe-winning cybercrime drama Mr Robot airing on Amazon Prime Video. I enjoyed the first series – it’s a good drama with plenty of technical authenticity – and can’t wait now to get stuck into the second.
Watchdog Wednesdays continues on BBC Three and in this week’s film I investigate how easily a criminal can hack a public Wi-Fi hotspot and compromise its users’ personal information.
Coffee shops, high streets and hotels increasingly offer free public Wi-Fi so visitors can sync up while they eat, shop or stay. However, as I’ve reported on before, Wi-Fi hotspots are easy to spoof, are frequently unsecured, and even when there is a password there is still no guarantee of safety.
Hacking the Hotspot
So, in a controlled experiment at a central London coffee shop, I set out to see what the hackers see. What I saw when the Watchdog cameras began rolling surprised even me:
— BBC Three (@bbcthree) April 20, 2016
With very little investment in time or equipment I learnt how to intercept traffic sent between users’ devices laptops, smartphones, tablets and the internet.
Just to be clear – I am not a hacker, I’m a journalist, but picking up the basics was worryingly easy.
The Man in the Middle
My attack (known as a ‘Man in the Middle‘ attack by ARP poisoning) targeted only a single device operated by a member of the BBC crew. It could equally have targeted a number of devices, perhaps all logged in to the Wi-Fi hotspot.
I found unencrypted traffic easily visible, plain text usernames and passwords flashed before my eyes in real time — gold dust for a hacker — and webpage images appeared on my hacktop just as they did on the victim’s machine. I was even able to work around some (but not all) websites’ attempts to enforce HTTPS security.
plain text usernames and passwords flashed before my eyes in real time — gold dust for a hacker
I was shocked that supposedly secure websites such as John Lewis, ebay and Amazon were vulnerable to this basic attack on an iPad, along with email accounts that didn’t have SSL security enabled. Facebook and Twitter didn’t fall for the hack.
Are we really aware of how easy it is for data we send over the airwaves to be intercepted by a silent criminal? I suspect not. This is a perfect crime where victims are unaware that their details have been compromised until the criminal executes his hack hours, days or weeks later when emails get intercepted, accounts get hijacked and funds go missing.
There’s nothing here that’s difficult to get hold of:
- Sony Vaio laptop
- External USB antenna
- Kali Linux operating system
- Tools including Wireshark, sslstrip, ettercap, driftnet
I should add that none of the software used here was illegal; Kali Linux and its bundled utilities are open source, promoted as ‘penetration testing and ethical hacking’ software and is used by security professionals to ensure their corporate networks and public websites remain secure to hackers. Of course, the very same software may also be used by hackers for malicious means. And then, of course, there is YouTube – there’s any number of tutorials here to help you get to grips with the tools and utilities mentioned above.
Stay Safe on Public Wi-Fi Hotspots
So there’s the scare story. But what can you do stay safe when on public WiFi?
- For light browsing I prefer to bring my own network and tether from my smartphone or Mi-Fi, but my data plan is generous (and yes, expensive) to allow for that; if cellular reception is poor it’s painfully slow or impossible.
- A VPN, or Virtual Private Network, is my next security measure – this creates a secure ‘tunnel’ between my laptop, tablet or smartphone and a server elsewhere on the internet into which a fraudster cannot eavesdrop. These can be free, fairly cheap or you can even build your own.
- If all else fails I make sure that websites I exchange data with support safe browsing, denoted by HTTPS and the green padlock (but beware that tools like ‘sslstrip’ can subvert this). I do not ignore errors from the web browser which talk about invalid certificates, even if I don’t understand exactly what they mean – I can visit those websites later when I’m on a secure connection.
How secure are apps? How do you know whether they’re secure if there’s no green padlock or HTTPS visible in an address bar? In my testing I found some apps that are blatantly not secure broadcasting personal details, but I’ll be exploring this in more detail very soon.
Watchdog Wednesdays, a spin-off from the popular BBC1 investigative consumer affairs show, has launched on BBC Three and I’m excited to be fronting its films about online hacks and scams.
My first film, a re-version of an item which aired in Watchdog in October, sees me and LBC’s James O’Brien shed light on a scam known to many as the ‘Microsoft Support Scam’, eventually catching the crooks red-handed.
A three-minute short can only tell so much of the story, so for the many who’ve gotten in touch here’s the technical bit:
On an Apple MacBook running virtual machine software I performed a fresh install of Microsoft Windows 7, loaded anti-malware software, and seeded files in my Users folder and desktop to make it look like a well-used PC. On the host Mac I ran screen recording software, an X server and the Wireshark packet sniffing software to help identify where the scammers were connecting from (alas, we didn’t get to cover the last bit in the film). My final tool was a web browser with some simple who.is tools, and an hour or so raking through some ‘who called me’ forums to find some leads.
The leak of personal details from the Ashley Madison extramarital dating website is one of the significant breaches of sensitive information in the web’s history.
High-profile data leaks have outed private customer data from internet service providers, online retailers and high-tech toy manufacturers in the last few months alone. As a result, cyberattacks have been elevated from trade-press niche news to stop-the-press nine o’clock news.
Yet the Ashley Madison data-breach is different: it wasn’t just email addresses and credit card details that were liberated this time, it was data of the most personal nature. Changing your passwords after a cyberhack is a hassle; salvaging your family relationships after being publicly outed on an adulterous dating website is something infinitely more profound.
While the story was still developing in August 2015 the team from Mentorn Media got in touch to ask if I could add some context to the story for a quick-turnaround documentary they were making for Discovery Networks. Beyond the hack itself, the show sought to explore the wider impact that internet and connected technology is having on 21st century sex and relationships – it’s not often I get to talk about teledildonics and virtual reality sex on television…
The documentary aired in September 2015 in the UK and in January 2016 in Australia. Here’s a trailer:
In whichever direction your moral compass points, Ashley Madison has for a long time been a hugely popular online destination. The Ashley Madison Agency Limited launched in 2001 and, until the events of July and August 2015, welcomed almost 125 million visitors every month from over 50 countries around the world.
In the wake of the VTech hack I answer ITV Good Morning Britain viewers’ concerns on the safety of their kids’ personal details.
Another week, another high-profile online hack.
In August 2015 the Ashley Madison scandal climbed the mainstream news agenda based largely on how the outed data transcended the all-too-commonplace bank details and password leaks.
The breach of tech-toy manufacturer VTech’s data last week has achieved a similar degree of infamy: six million sets of children’s personal details – including photos and chat transcripts – were swiped with apparent ease.
It’s of scant consolation that the hacker chose to share the story (and data) with a journalist rather than the denizens of the dark web: the Hong Kong firm hadn’t a clue that its online defences had even been breached until the journalist contacted them, begging the question of whether VTech’s website has been breached before? Nobody, not even VTech, can be sure.
The very nature of the VTech hack is disappointing but, if there is a positive, also a cautionary tale for remainder of the online industry.
‘SQL injection’ attacks are the oldest in the book, literally child’s play to execute, with plug-and-play exploitation toolkits and tutorials freely available online.
Like TalkTalk before it, VTech should have known better. As well as poorly-secured passwords (hashed with fatally insecure MD5 but not salted, therefore crackable with little more than a Google search) were plain-text secret questions and non-existent SSL security, all of which indicates a business quite simply not taking seriously its duty of care with users’ most sensitive data.
That in 2015 high-profile online services are still open to rudimentary exploitation signifies – to me at least – a distinct immaturity of the web as a whole. If any good comes of this attack it will be the wake-up call to other service providers to get real with their online security.
While VTech might make it through the immediate blip in its seasonal sales, time will tell whether it can survive the longer reputational damage. I hope so: as a parent I’ve found VTech’s tech toys to be among the best in class. I just hope it now takes less of a toy-town approach to its online services and its users’ data.
In the same Good Morning Britain episode I also talked viewers through how to enable parental restrictions, controls and security measures for other Christmas gadgets – the full story is available on the ITV website.
October is National Home Security Month, the last week of which is Smart Home Security Week. Writing once again for The Metro newspaper I revealed six app-connected cameras for your connected home that give you piece of mind and, if necessary, help to catch crooks red-handed.
Amongst those I reviewed were flyaway Kickstarter success story Canary, home security heavyweight Piper nv and the innovative app-only Manything, which helps you to put to old smartphones to good use.
“Hello, this is Mark, I’m calling from the Windows Technical Department. We have identified a problem with your computer…”
Have you ever received a phone call that begins like this? I have, too many times to count. The so-called ‘Microsoft Tech Support Scam’ is almost as old as the internet itself but, like a nasty virus, it refuses to go away. I’ve just filmed an investigation for the new series of BBC Watchdog to highlight the how the scam works and catch the fraudsters red-handed.
Despite being plagued by these calls, I am fortunate; I know that they are almost certainly from scammers intent on stealing my money, personal details or identity. However, thousands of people do fall victim to this fraud every year with many hundreds of thousands of pounds reported stolen in the UK alone.
According to the National Fraud Intelligence Bureau (NFIB) the average victim of ‘Computer Software Service Fraud’ will be 59 years old and £210 worse off as a result of the crime, although some report losses of up to £6,000. As with many nuisance calls these criminals work on volume, and for every one hundred calls they make, if only one is successful then it will have been worthwhile.
In the past legal action against the perpetrators has proved difficult (although there have been some successes) but by showing Watchdog viewers what to look out for we hoped to raise awareness and reduce the number of victims.
We decided the best way to do this was to capture the scam in action for the cameras — a first for UK television, we think, and no mean feat given how difficult it is to track down the fraudsters. What happened next was quite intense…
You can watch the full report here.
Watchdog Scams the Tech Support Scammers broadcasts on BBC1 at 7.30pm on Thursday 29th October 2015.