Category: News

Security Concerns of Pokémon GO

There’s a certain virtual reality type game that’s causing quite a stir at the moment, it’s called Pokémon GO and in common with anyone over 40 years old – I think it’s utterly pointless. However I seem to be in a minority and there does seem to be some upside – my son actually voluntarily walked the dog yesterday, I feel the need to add exclamation marks to this statement but instead here’s a picture which perhaps illustrates better ….

pokemon-dog

Yes of course he didn’t actually want to walk the dog he went searching for these virtual, cartoon type things with his phone.   Look carefully as you go about your business and you’ll notice these Pokemon hunters blindly walking into street signs, busy roads all the time transfixed by their phones.    Reading up in the papers and online there are stories of people walking off cliffs, being mugged and even finding corpses whilst engaged in Pokémon GO.

So here’s some brief security tips on playing safely:

  1. Download from a trusted source: There are bound to be dodgy or malware filled copies of the game floating around all over the internet, don’t be dumb download it from a reputable source. Go to Google Play or Apple App store, search for the application and select the one with millions and millions of downloads. Seriously it might be slow but you should be ultra careful installing anything which has access to your GPS.
  2.  Remember GPS: Your location will be tagged and marked, if you want to remain incognito or simply want to keep your location discrete don’t play.
  3.  Keep your Privacy: Don’t log into the app with your main account. Don’t log in with your main gmail, google or Facebook account you will be releasing your personal information to the app owner who can of course tie it into your physical location using the GPS data, too creepy – use a throwaway account or login directly.
  4. Play Safe: Don’t wander around dangerous places you are unfamiliar with, staring at your phone like an idiot waiting to be mugged. Be sensible and keep to safe and public places, don’t trespass or climb into private property – imagine how sad you’re going to look when the police are called.
  5. Everyone Can See Pokestops: Be especially careful when using Pokestops, try to go with a friend or group. Don’t visit them late at night in remote places, people have been mugged or robbed at these locations.

There will inevitably be some stories of bad stuff happening to Pokémon GO players. However in reality bad stuff happens to people all the time, although stupidity does increase your chances. I suspect it will eventually get taken off the market when a series of law suits arrives from Pokémon GO related incidents. At the moment though it’s at least trebled my teenage son’s activity level, my dog walking duties have been reduced and well all these kids seem to have a smile on their face for a change – so enjoy.

Finding a US Netflix VPN

There is something of a battle going on across the internet and it looks like it’s going to continue for a long time.  On the one side are the media giants of the internet, companies like Netflix, Amazon, BBC and Hulu who supply streaming media services to millions across the planet, on the other are the users of these services who use the better VPN services when they access the internet.   The growth of the VPN (virtual private network) has been pretty incredible, once they were primarily used for very high security connections such as people dialing back into corporate networks to access confidential servers.  Nowadays millions of people use them for everyday browsing and accessing secure sites online, they also use them to bypass the various blocks and filters which have been established by the media companies – but what is really the a good US Netflix VPN.

This is a big problem for the media companies, many of whom have very specific licensing agreements which allow them to broadcast in specific countries.  This however has led to huge disparities in the service offered across different countries – the Netflix service in some countries offers a very small proportion of the movies and shows available in US Netflix for example.   Not surprisingly people use VPNs to allow them to switch to the better services, in fact it is estimated that there were nearly half a million Australian Netflix subscribers before it was even available in that country! The practice was pretty much ignored until recently, most of the media companies blocked the easier to detect proxies but didn’t do anything about the many VPN users, until recently.

There’s obviously something happening behind the scenes, likely the content providers themselves are forcing the media companies to enforce the licensing agreements.  It’s  a crazy situation where online media is still licensed in this way, instead of globally which is after all how the internet was meant to work.   The reality is that millions of VPN users are now finding their service blocked or restricted in the wake of this clampdown.  Netflix have been particularly aggressive in blocking access to people using a VPN, it used to be simple but now you’re liable to get the following message –

US Netflix VPN

Quite a friendly, happy message but it’s meant millions have been either blocked completely from accessing Netflix or restricted to using the one offered in their own country.    Some VPNs still work, however before I give some clues to how to choose a US Netflix VPN I’d first like to clarify a couple of points that I see in comments on this site and across the internet.

  • First, a VPN is not illegal, criminal or anything like that.  It is perfectly legitimate to use a VPN all the time when you connect to the internet and many millions do to protect their security and privacy.
  • You are also not committing a criminal act by using an American VPN to access US Netflix from somewhere like Canada, UK or Europe.   At the very worst you are breaking the Netflix Terms and Conditions and could get your subscription cancelled – though it’s not happened to anyone yet as far as I’m aware.
  • VPNs are now useless because they can be detected by media websites, this is incorrect.  A VPN service still provides you with encryption and privacy whilst you’re online and they are still very smart thing to use particularly if you’re travelling and using unknown Wifi hot spots and networks.  The media companies block these VPN connections by building up lists of IP addresses which they suspect to be VPNs.

This is the reality of the situation, although it’s virtually impossible to detect the use of a VPN – companies like Netflix can build up lists of IP addresses used by VPN services and put them into a black list denied access.    This is quite easy to do, they simply target high profile online services who advertise a lot and they also monitor which IP addresses are used for multiple, simultaneous connections.

When choosing the best VPN for Netflix and other services, there’s a few simple rules to follow.  Firstly look for a low key web site which doesn’t openly advertise the facility to watch these services.  One of my favorite pre-purge options for watching US Netflix was a successful company called Overplay and their Smart DNS service, their servers were among the first to be blocked and stopped working for me several months ago for Netflix.  They have also aggressively targeted the online TV watching facilities, both directly on their websites and through advertising.

Choose a VPN service which doesn’t mention the media companies, they still work the same way but are less likely to get blocked.

Be cautious, particularly if your primary requirement is a VPN to watch a specific region of Netflix.  What is currently happening, is a cat and mouse game – Netflix will block a range of IP addresses and access will be blocked, the VPN service will switch out these ranges and replace with others enabling them to work with Netflix again.  This has been continuing over the last few months and there’s no way of knowing how long this will last.   It is time consuming and expensive for both sides in the war, and the result probably depends on whether Netflix continues their efforts to block all VPN servers.

Update – July 7th 2016, Netflix have now blocked almost all VPN services from accessing their site by restricting access to only residential IP addresses. However . have issued an update and expanded their network to include residential addresses. I’ve been testing for a couple of weeks and it now works perfectly for US Netflix – you can try their . here. It’s now not only the Best VPN for Netflix but one of the only ones that now works, currently you can only access the US version of Netflix but that’s expected to expand although this is the version that most VPN users want access to.

Hollywood Hospital Pays Hacker Ransom

For many years, those of us working in IT security have heard phrases like ‘why should hackers target us?’.  They think they’ve nothing to hide, there’s no gain to be made attacking them so security is neglected on this basis.  Unfortunately virtually any individual, company or organisation is a potential target as the Hollywood Presbyterian Medical Centre recently discovered.

Hollywood Presbyterian Centre

The incident occurred on february 5th when hackers managed to infiltrate the hospital’s servers and infected them with malware effectively blocking all communication within the hospital.  The software was actually a specific type of malware known as ransomware – specifically designed to hold the victim to ransom – pay up or lose your data.  There are two main types of ransomware (although probably more will be developed) –

  • Lockscreen – Locks you out of your computer either by blocking boot-up or a screen saver preventing access.  There will be usually be a message on how you can regain access.
  • File Encryption – Normally will leave the majority of your computer alone but will encrypt all data files making them inaccessible.  Again you’ll usually get a message on how to obtain the decryption key.

The lock-screen types can usually be bypassed with some technical assistance, in fact it’s usually very simple  to fix.  The file encryption ransomware is much more difficult to get rid of if implemented correctly, the only solution is normally to get the decryption key.

Unfortunately for the Hollywood Presbyterian Medical Centre, they were subjected to the file encryption attack which encrypted many of the core data files on the hospital’s computer systems.  This paralysed the hospital who were forced to use pen and paper for ongoing record keeping.  The hospital realised that the quickest solution was to pay the $17000 ransom to obtain the decryption key despite the obvious risks.

The CEO Allen Stefanek made this call and fortunately with some technical assistance and the decryption key they were able to restore all it’s computer systems.  Stefanek stated that patient care was never compromised, nor were hospital records.

However this is a difficult statement to believe although patient care might have been protected, it’s impossible to know whether the hospital records and patient data were compromised.  If you have allowed malware onto your computer systems then there’s no way you can be 100% sure what else that software has done, it could have easily stolen data records as well as encrypting them.

The case has been now passed to the FBI, so there is a very strong chance the culprits will be caught.  The most difficult part of these attacks is hiding your tracks and is rarely accomplished completely.  The attackers did demand payment in bitcoins which is much harder to trace but there network and computer forensics will often leave clues as the origin on the infection or from the ransom demand communication.

Do You Trust Your TV? It Could be Spying on You.

Well if you have a new Samsung TV then perhaps you should think twice before answering that question.  Their new generation of Smart TVs have a voice activation feature that allows you to switch on and off, change channels and stuff like that, but it’s possible that this comes at a significant cost.

 

An eagle eyed EFF activist called Parker Higgins, took the time to read the privacy policy of these TVs and discovered a rather alarming paragraph which stated –

Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition.

So let’s just have a think about this, if you enable the voice recognition function on your shiny new Samsung Smart TV, the bloody thing will not only listen to all your conversations it will also transmit them to a myriad of  third party companies.  Your TV would actually be sitting in the corner of your room spying on you!

Now putting aside my personal dislike of all voice enabled devices, I mean why is talking to an inanimate device preferable to pushing a button, this is a seriously worrying threat to people’s privacy.  For a start you’d have to be permanently on your guard, who knows where your conversations are going to – just some spotty Samsung technical geek  or more likely a selection of marketing companies?   Secondly, it’s not only spying on you the owner of the TV but anyone who happens to be in the room – have they given their permission ?  Should anyone entering your living room be given a disclaimer and need to sign a consent form !!

Samsung have now modified the wording in their policy insisting that the TV doesn’t in fact listen to ordinary conversations.  This is however rather difficult to believe after the initial policy wording,  I mean you’d never put that down in writing if it wasn’t in some way true.  There is obviously little thought being put into the design of these devices, as far as privacy goes – relying on stuffing a few sentences deep in the TVs documentation (which it probably thought nobody would read).

There are other aspects to the technology which makes it even more unlikely that conversations can’t be monitored by the device.  For start the TV is capable apparently of recognising complex requests like –

‘recommend a good Sci-Fi Movie’ or ‘open BBC iPlayer

I mean a TV would have to listen to pretty much everything to pick up and filter requests like that, this is beyond someone like me shouting OFF  in his stupid accent.

What is more that the TV doesn’t have a single microphone, you can’t just huddle in the corner away from the TV whispering – there’s another in the damn remote control.   Cunning move, the TV remote in my house for example it is the singlest most difficult to find device by far.  It routinely turns up in all sorts of obscure locations and I’m sure my children are on some sort of retainer to hide it every time they’ve finished watching.

Well I for one, will not be purchasing one of these things, however unfortunately it will also involve me upgrading my general level of paranoia.  I foresee a future of creeping around electronic stores or checking the backs of friends TV sets when I enter their house  (and of course enquiring about the location of the remote).

Does anyone really need this rubbish !!

Turkish Hacker Sentenced

If you’re thinking of setting up for a career in computer crime, there’s many very tempting options for locating your centre of operations.  The obvious place is somewhere like Russia, where as long as you make money the police will be likely to turn a blind eye for a few dollars. There are many other places where minimal law enforcement exist particularly in relation to computer crime which mean the risks are relatively negligible particularly if there’s a lack of any extradition treaties to the developed world.
turkish-hack

However some countries are a staggeringly bad idea to base a criminal cyber empire and it looks like Turkey is one of those. The reason is now becoming clear to a 26 year old Turkish hacker named Onur Kopcak who was sentenced on Sunday for stealing 11 people’s credit card information and selling them online to other criminals. It wasn’t the world’s worst cyber crime and in fact would largely pass unnoticed in many places.

Although to be fair  Onur’s crimes did extend to a few more people after more were discovered from the initial investigation – in all 54 in total claimed to have their card details stolen by him. He, along with a few other hackers set up a few interfaces designed to mimic a bank’s internet portals and combined with a phishing campaign were beginning to see some results from their criminal enterprise.

Unfortunately for the fledgling gang and in particular Onur Kopcak,  these crimes were heard and sentenced separately and Onur received a 199 year sentence for the initial victims followed by an additional 135 years for the later offences. The crimes were listed as identity fraud, access device fraud, wire fraud and website forgery which are all criminal offences in Turkey.

So for a crime which probably netted only a few hundred dollars before they were caught Kopçak has been sentenced to 334 years in prison. It’s a staggering sentence and Onur will probably look in awe at the sentence handed to a UK fraudster called Theogenes de Montford who stole 35,000 credit card details and was sentenced to 4 and a half years in prison for his role in the theft.

So remember all you budding cyber criminals – setting up in Istanbul or anywhere in Turkey is likely a very bad idea if there’s the slightest risk that you’ll be caught.