Posts tagged Presenting
Watchdog Wednesdays continues on BBC Three and in this week’s film I investigate how easily a criminal can hack a public Wi-Fi hotspot and compromise its users’ personal information.
Coffee shops, high streets and hotels increasingly offer free public Wi-Fi so visitors can sync up while they eat, shop or stay. However, as I’ve reported on before, Wi-Fi hotspots are easy to spoof, are frequently unsecured, and even when there is a password there is still no guarantee of safety.
Hacking the Hotspot
So, in a controlled experiment at a central London coffee shop, I set out to see what the hackers see. What I saw when the Watchdog cameras began rolling surprised even me:
— BBC Three (@bbcthree) April 20, 2016
With very little investment in time or equipment I learnt how to intercept traffic sent between users’ devices laptops, smartphones, tablets and the internet.
Just to be clear – I am not a hacker, I’m a journalist, but picking up the basics was worryingly easy.
The Man in the Middle
My attack (known as a ‘Man in the Middle‘ attack by ARP poisoning) targeted only a single device operated by a member of the BBC crew. It could equally have targeted a number of devices, perhaps all logged in to the Wi-Fi hotspot.
I found unencrypted traffic easily visible, plain text usernames and passwords flashed before my eyes in real time — gold dust for a hacker — and webpage images appeared on my hacktop just as they did on the victim’s machine. I was even able to work around some (but not all) websites’ attempts to enforce HTTPS security.
plain text usernames and passwords flashed before my eyes in real time — gold dust for a hacker
I was shocked that supposedly secure websites such as John Lewis, ebay and Amazon were vulnerable to this basic attack on an iPad, along with email accounts that didn’t have SSL security enabled. Facebook and Twitter didn’t fall for the hack.
Are we really aware of how easy it is for data we send over the airwaves to be intercepted by a silent criminal? I suspect not. This is a perfect crime where victims are unaware that their details have been compromised until the criminal executes his hack hours, days or weeks later when emails get intercepted, accounts get hijacked and funds go missing.
There’s nothing here that’s difficult to get hold of:
- Sony Vaio laptop
- External USB antenna
- Kali Linux operating system
- Tools including Wireshark, sslstrip, ettercap, driftnet
I should add that none of the software used here was illegal; Kali Linux and its bundled utilities are open source, promoted as ‘penetration testing and ethical hacking’ software and is used by security professionals to ensure their corporate networks and public websites remain secure to hackers. Of course, the very same software may also be used by hackers for malicious means. And then, of course, there is YouTube – there’s any number of tutorials here to help you get to grips with the tools and utilities mentioned above.
Stay Safe on Public Wi-Fi Hotspots
So there’s the scare story. But what can you do stay safe when on public WiFi?
- For light browsing I prefer to bring my own network and tether from my smartphone or Mi-Fi, but my data plan is generous (and yes, expensive) to allow for that; if cellular reception is poor it’s painfully slow or impossible.
- A VPN, or Virtual Private Network, is my next security measure – this creates a secure ‘tunnel’ between my laptop, tablet or smartphone and a server elsewhere on the internet into which a fraudster cannot eavesdrop. These can be free, fairly cheap or you can even build your own.
- If all else fails I make sure that websites I exchange data with support safe browsing, denoted by HTTPS and the green padlock (but beware that tools like ‘sslstrip’ can subvert this). I do not ignore errors from the web browser which talk about invalid certificates, even if I don’t understand exactly what they mean – I can visit those websites later when I’m on a secure connection.
How secure are apps? How do you know whether they’re secure if there’s no green padlock or HTTPS visible in an address bar? In my testing I found some apps that are blatantly not secure broadcasting personal details, but I’ll be exploring this in more detail very soon.
Watchdog Wednesdays, a spin-off from the popular BBC1 investigative consumer affairs show, has launched on BBC Three and I’m excited to be fronting its films about online hacks and scams.
My first film, a re-version of an item which aired in Watchdog in October, sees me and LBC’s James O’Brien shed light on a scam known to many as the ‘Microsoft Support Scam’, eventually catching the crooks red-handed.
A three-minute short can only tell so much of the story, so for the many who’ve gotten in touch here’s the technical bit:
On an Apple MacBook running virtual machine software I performed a fresh install of Microsoft Windows 7, loaded anti-malware software, and seeded files in my Users folder and desktop to make it look like a well-used PC. On the host Mac I ran screen recording software, an X server and the Wireshark packet sniffing software to help identify where the scammers were connecting from (alas, we didn’t get to cover the last bit in the film). My final tool was a web browser with some simple who.is tools, and an hour or so raking through some ‘who called me’ forums to find some leads.
Let’s talk about trolling. Last autumn I began working on a documentary for the BBC and, after several months and many late nights, it finally airs this week. In Troll Hunters I join YouTube vlogger Em Ford, a high-profile victim of internet trolls in the past, to investigate the rise of online abuse in Great Britain.
Online trolling has what could be described as a rich history that dates back to the first exchanges on the internet. Some consider trolling an art-form, others a menace. Opponents say it’s the internet equivalent of assault; supporters argue it’s about humour, mischief and freedom of speech. I believe the very term ‘trolling’ has become confused, too often a generalised catch-all used in the media for any harsh words online.
In making Troll Hunters we’ve strived to understand where trolling stops and online hate-crime begins. Throughout I’ve found myself challenging my own understanding of what trolling is and where the line falls between robust-but-defensible discourse and unacceptable online behaviour. I defend free-speech on the internet, I defend our right to express opinions and to question those in authority, and anonymity can play an important role in those. Provocation, mischief-making, mockery is a part of life online (fuelled by the online disinhibition effect, perhaps). As the saying goes, just because I disagree with you it does not make me a troll. But there are lines that should not be crossed.
For me, more often than not it comes down to intent: directing posts with a determination to abuse, menace or threaten somebody because of their gender, race, how they look, who they’re dating, their political beliefs or sexual orientation is not trolling, it’s abuse.
In its most extreme form, trolling is a criminal offence – one increasingly pursued by the police – but online anonymity remains a major barrier to conviction. As we learn in the show, trolling can escalate to levels so severe that victims and their families succumb to anxiety, depression and, tragically, suicide.
We also explore online anonymity and investigate whether it is possible to track down a troll. We attempt to understand the psychology and motivations of a troll, and to shine a light on the real-world impact of online bullying. The film also hopes to encourage cyber-victims to put a stop to the hatred levelled at them and stand up to their trolls.
All of the victims of trolling, online abuse, net-hate – call it what you will – that we spoke to had one thing in common, a question above others that they each needed answering: Why? What motivates their troll, why do they expend so much energy in singling our their victim? Sadly, there is not one common answer.
I find it difficult to believe that a documentary like Troll Hunters will make a substantial difference to life online, but I do hope it empowers victims of online abuse to see beyond their abusers’ masks. I also hope that by seeing the real-world distress caused by their actions some would-be trolls are persuaded to behave more responsibly online.
Troll Hunters airs on BBC Three at 9pm on Wednesday 27th January 2016 as part of the One Click Away season.
*** Update *** Troll Hunters will also run on BBC1 on Tuesday 9th February 2016 at 11.15pm
Make no mistake, hoverboards have been the hot technology of 2015.
Fuelled by Back to the Future fever and celebrity spots with Jamie Foxx, Justin Bieber et al, self-balancing scooters (to give them their proper name) have proven so popular with the public that online auction site eBay reported sales of one every twelve seconds earlier in December.
On Thursday I joined the ITV Good Morning Britain team to talk through the hoverboard phenomenon and the growing safety concerns that have led retailers around the world to stop selling and start refunding.
Negotiating an obstacle course on a hoverboard in windy conditions while answering Ben Shephard’s questions live on national television? No sweat!
There are two powerful safety angles to this story:
First up, hoverboards are heavy, powerful vehicles requiring skill, balance and practice to master. Unlike a Segway – considered the hoverboard’s forebear by many – there are no handlebars here, it’s just a motorised sideways skateboard.
Like the Segway, however, it is illegal to ride hoverboards on public streets and pavements in the UK. When the Crown Prosecution Service issued a statement reinforcing this guidance in October some argued the law (derived from the Highway Act of 1835 in England and Wales) was overbearing and heavy-handed. Then, last week, a 15 year-old lost control and was killed, run over by a London bus after losing balance on a hoverboard.
The other safety angle is the construction of the boards themselves. Leaping aboard the lucrative coat-tails of the hoverboard craze far-east manufacturers have mass produced hoverboards to lower price points with inevitable corner-cutting. Sadly, these short-cuts have been potentially lethal, with basic safety standards and common sense all but ignored. The main flashpoint has been the electronics.
One problem is that lithium-ion batteries used are notoriously unstable unless properly shielded. Major airlines are refusing to carry hoverboards in hold or checked luggage for risk of the batteries catching fire mid-flight. The other problem is that to keep costs low manufacturers are choosing to ship hoverboards with inferior quality poorly-shielded batteries, without thermal cutout circuitry or fuses in their plugs. Outcomes have included spontaneous explosions and fires and have been well-documented in various social media and the mainstream press. National Trading Standards claims to have examined thousands of self-balancing scooters at UK borders since October, with 88% (15,000) assessed to be unsafe and detained.
Eager to avoid a PR horror story major retailers have been quick to ground hoverboards, pulling stock from shelves and issuing health and safety advisories faster than you can say Great Scott. Amazon has been issuing automated refunds to customers and advising to dispose of hoverboards in WEEE approved sites.
Of all the high-profile hacks and leaks of 2015 the TalkTalk Data Breach in October may prove to be one of the most significant yet, potentially impacting all four million of its UK customers.
While details of the breach are still emerging the leaked data appears to include unencrypted names, addresses, email addresses, bank account/credit card information, customer account numbers and more.
The ‘significant and sustained’ cyberattack, likely using a DDOS (distributed denial of service) attack as a smokescreen for their chosen method of entry and extraction, shows the hallmarks of highly-organised cybercrime.
Sadly, this isn’t the first time that the UK telco’s customers have had their personal details sneaked out of the back door. Data leaks in November 2014 and August 2015 exposed information that has been used to successfully defraud customers of thousands of pounds with phishing and vishing attacks.
- Treat incoming telephone calls purporting to be from a service provider – TalkTalk or otherwise – as potentially toxic. Regardless of any account number or information quoted, or the telephone number called from (Call Line IDs are easy to spoof), in my opinion phishing and vishing fraud is now so common that incoming calls are impossible to trust. A reputable/genuine caller will quite understand any concerns and give you an option to call back on a verified number found on your (for example) bank statement or the firm’s main website (not a link they send). However, make sure you call back from another number (maybe a mobile if you have one – but check call charges) or ensure your landline has been cleared first (wait 5 minutes or call a friend first).
- Check your bank statements, credit card bills and any online payment service accounts (eg Paypal). If there are any transactions you don’t recognise, no matter how small, query them. And then keep checking them – this is good practice anyway.
- Check and change your passwords, particularly if you use the same password as your TalkTalk account across any other accounts? Email, social network, PayPal, auction sites etc?
TalkTalk has a dedicated page to keep those concerned updated with the latest news and advice on the data breach: http://help2.talktalk.co.uk/oct22incident
September is one of the busiest periods in the technology calendar as manufacturers race to announce and release the consumer products they hope will make their Christmas a happy one.
Not only a great time of year to be working in technology but a great time to be reporting on it too. Over the last few weeks I’ve joined the technology desk at International Business Times UK to report on breaking news from Apple, Samsung, Sony and more.
Alongside announcements of new smartphones, tablets and watches I wrote about topics as diverse as Virtual Reality video and fallen enterprise mobile player Blackberry and its attempts to remain relevant.
However, I want to share a couple of video stories here. First up is my bite-sized take on the major announcements at IFA 2015:
New smartphone announcements by Apple are a highlight for many tech-watchers but, frankly, they do go on a bit. I produced an extremely cut-down version of the Apple press conference revealing everything you need to know in roughly three minutes – saving you about an hour and forty minutes of your life.
Planet of the Apps is back for an all-new season on Ginx TV!
The fourth series of TV’s top mobile tech show kicks off this Tuesday 21st April.
In the first show Adam, Lucy and I look at whether smartphones are killing the games console, and some of the kicking mobile gaming kit currently making waves on Kickstarter.
Later on in the series we’re delving into virtual reality, flying high with drones and getting ahead with extreme sports tech.
Here’s an item from the third show in the series in which we lift the lid on Virtual Reality:
Planet of the Apps hits your screens on Tuesdays at 7pm in the UK on Virgin Media ch 286 and online at www.ginx.tv.
In Technology Corner recently I’ve been exploring everything in science and tech from the rise and fall of Google Glass, smartwatches and the latest in wearables, to alternative fuels, eco-homes and upgrade culture.
During the BBC’s WW1 centenary commemorations in 2014 I presented a special item on technology that has changed the world over the last 100 years.
Here’s a clip of an item I broadcast on the Kevin Fernihough show in March 2015 on the emergence of Virtual and Augmented Reality: