Category: News

EU Change Forces iPlayer Rethink

There’s encouraging news that the European Union is going to be forcing the way forward in the market for digital services and one of the biggest impacts could be on the BBC iPlayer.   As you probably know the BBC iPlayer works wonderfully if you’re actually in the United Kingdom but stops working the moment you try and access it from anywhere else.  Which leads to the situation where a BBC license fee payer is blocked simply because they are outside the country,  so you can’t watch the News on holiday or keep up with your favorite soaps.

Obviously there’s now a whole range of VPN and IP proxy products available to circumvent the blocks, but should it really be necessary for a valid purchaser to use these just because they happen to be out of the country for whatever reason?

The BBC is not alone; virtually every large digital media company on the internet operates under similar restrictions.  You can’t watch Hulu or HBO from outside the USA, M6 Replay is blocked outside France and so on.  Even supposedly global digital companies do the same: your Netflix account will only work if you are in a country in which it operates, which certainly seems a nonsense in this digital world.

EU proposals are designed to move towards a single European digital market, with the idea that if you legally buy content in one country there should be no restrictions on accessing it in any other country.  Currently there are all sorts of restrictions on digital content, usually fuelled by complex copyright rules and regulations.  However, these could all be overruled if it became a new right for EU citizens that these digital products were portable across European boundaries.

As it stands it’s just a proposal. The planned implementation, if it gains approval, is 2017; however, we might have to wait a little longer than that.  Firstly there are genuine concerns that some countries will not be keen to support this proposal, particularly those who like to protect their own culture and national media.

There are also some powerful and well funded lobby groups who feel that it is a fundamental right to be able to control production and distribution based on specific territories.  However of course, they would say that because it enables them to operate profit maximisation techniques by selling for different prices in European regions – certainly not the definition of a single market.

For the BBC there will also be some technical difficulties in implementing a system which allows license fee payers the rights to watch wherever they are in Europe, the current BBC iPlayer has no real authentication system like Netflix or Sky. It is likely that the changes required will take some time, perhaps even beyond the 2017 implementation proposal.

However, at least there is hope on the horizon that we will genuinely be able to access digital content that we have legitimately bought internationally, without having to use a VPN or Smart DNS and without having to pay individually in each country we want to access it from.

The IQ of Cyber Criminals – the Bootle Cyber Attacker

There is, I suspect, rather a misconception about the IQ level of your average cyber criminal. From your harmless hacker to the sophisticated cyber crime networks of Asia and Eastern Europe, everyone involved is normally portrayed as sophisticated, misguided and highly intelligent. The reality is, I’m afraid, far from the truth and a huge proportion of those who commit cyber crimes are pretty damn stupid.

Meet Mr Ian Sullivan, from Bootle who has just been jailed for 8 months for conducting a series of DDoS attacks on high profile websites.

The 51 year old, unemployed father of six conducted these attacks against 300 websites taking many of them offline.  A DDoS attack involves saturating the target servers with thousands of requests which are difficult for the server to process.   It simply aims to overload the target server with these connections until it falls over.

DoS – Denial of Service Attack (Single attack)

DDoS – Distributed Denial of Service Attack (attack involving multiple machines, usually using malware installed on ordinary computers)

There are a variety of these attacks; most involve volume but they often involve specialist techniques crafted against certain types of web servers.  Have a Google of these attacks if you want to know more:

  • Buffer Overflow
  • Smurf Attack
  • Ping of Death
  • SYN Attack
  • Teardrop Attack

However, the thing to remember about the vast majority of DDoS attacks is that you can conduct them through a simple software interface, i.e. you need very little technical knowledge.  Of course, there are very skilled attackers out there who can bring down servers with individually crafted attacks against specific targets; however, these are certainly the exception, not the rule.  Mainly there’s little to be gained from Denial of Service attacks, although many try extortion to stop them.

Although Mr Sullivan claimed some sort of affiliation with the activist group Anonymous, there are suspicions that his technical knowledge was perhaps limited. One of the biggest clues that this wasn’t the work of a digital Moriarty is the fact that he would post warnings to the websites he attacked with his Twitter account.  It’s kind of like posting a self-addressed letter to the victim; it does help tracking down criminals when they leave huge clues like this.

I think the point to take away from this is that computer crime is actually very easy to do.  Many popular attacks have been automated, so you only have to fill a few fields in on a web front end, pay a few bucks for a service from the Darkweb or install a DoS program on your own and a few other computers.  The important part is that you need the intelligence and the knowledge to hide your tracks, which is much, much harder.

When they looked up Mr Sullivan’s Twitter account and paid him a visit they found lots of  DDoS/DoS related software installed on his machine using simple computer forensics techniques.  Probably his only smart move was to plead guilty, which presumably led to the relatively low sentence of 8 months in prison.  He would not have got away so lightly if he’d performed this attack in the US or against a US based server though.

What a cyber muppet !!

Facebook Crime – Removal Scam

There is a very real and fundamental problem with buying and selling anything using social media: identifying whether the person you are dealing with is legitimate. Think about it: normally when you find a trader or company they will have premises, registered offices, land lines. You may have responded to an advert or directory listing; all these things take time and money to set up.

Now let’s compare that with a Facebook Company page, which takes two minutes and no verification. In fact, you can set up a Facebook page for a fictitious company and then add hundreds of fake likes and reviews in an hour or so. The result can look extremely legitimate and representative of a well respected, reliable company or tradesman. It’s not hard to do and costs very little money; what is more, if you’re reasonably careful it is almost impossible to trace back.

This is unfortunately what happened to Becky Szenk and her partner Mark Higgins when they moved from their flat in Wolverhampton.

They needed to find an inexpensive removal firm, and like many of us turned to the social media site Facebook to see if they could find someone. They managed to find one of those ‘man with a van’ services and immediately contacted them to book his services. Many of us do exactly the same; only last month I booked a roofing contractor who came up in a Facebook search. My experience was good despite my lack of care; however, it was a very different story for Becky Szenk.

The removal guys turned up on time, and two of them quickly and efficiently loaded up their worldly possessions into a large transit van. What was notable was the speed in which they completed the task, loading up in about 45 minutes and driving off to the pub that they had invested their savings in.  Or so they thought, in fact that was the very last time they saw their stuff – the men and their possessions were never seen again.

“I have never cried more in my life than I did on Friday afternoon – I am so distraught that they have taken my engagement ring and my baby’s toys.”
Becky Szenk

It’s not an isolated case; police have reported several similar incidents just within the West Midlands area of the UK.  It is an easy crime to perpetrate, you can easily hide your tracks and the payoff can be extremely large – the possessions lost by Becky Szenk and her partner were estimated in the region of £10,000.

Surprising New Palestine Charity Donors

If you follow the security and hacker world, you’ll know that there is a constant tit-for-tat battle going on across countries, religions and ideologies.  One group will deface a certain web site usually with badly spelt propaganda and  ‘1337 speak’, then a few days later another group will retaliate with an attack on a different web site.  There’s lots of threats and tough talk, and it sometimes seems like there are literally thousands of these groups all over the world fighting their own cyber way.

The reality is that it’s been happening for so long it doesn’t really make much impact any more, unless it’s a really big commercial name.  There’s another problem with this attack method, especially due to the minimal impact – it usually takes much more effort than it’s worth.  Of course there are literally thousands of ways to hack a web site – vulnerabilities in the code, the host, bruteforce passwords or pinch user credentials – the list is virtually endless.

However it does take time, and can take an awful lot of effort, which is why it often looks like a complete waste of time.  You spend days finding out a web site’s vulnerabilities and hack into it, replace it with your leet message – then take a couple of screenshots.  What happens then?  The owner changes all the passwords, closes the vulnerability and restores the original from backup and it’s all back to normal.  Unless you dash out and advertise the hack, it’s likely that not many have even noticed, and those who do have seen it all before anyway.  Of course if it’s a bank or a big commercial site then there is much more of an impact and of course commercial implications – but those sites are likely to take much more effort and resources to hack into anyway.

Which is why I think this was a rather innovative angle by a group of pro-Palestinian (or perhaps just anti-Israeli) hackers called AnonGhost (not impressed with that name!).  They’re involved in a cyber offensive against the Israelis, which sounds a bit more impressive than the reality, and have been for several years in line with other Muslim extremist groups like ISIS.  It all gets very messy here as you have a ‘free speech’ hacker group like Anonymous, working towards the same target alongside ISIS sympathising hacking groups such as AnonGhost.  Obviously supporting any ISIS related group is kind of a backwards step toward promoting free speech and liberty.

Anyway the point is that instead of just stealing a few user details and posting up a bit of tedious cyber graffiti which is overwritten half an hour later, they did something different.   They stole lots of credit card details from an Israeli based site and posted some of them online, the rest they used to make donations to a Palestinian children’s charity.

Well that’s the story at least; there is a little bit of evidence to support it but not enough to be completely sure. The irony of course relies on these being stolen Israeli credit cards. That the payments were completed by the charity site, fundrazr, is also perhaps difficult to believe, especially after the facts were posted all over the web.

As usual, the attackers probably didn’t hide their tracks very well and, unless they used some very secure VPNs, have probably now got loads of their details listed on databases compiled by various security agencies like GCHQ and the NSA.  However as a stunt, it was at least a little bit innovative.

Hacking Your Exam Grades

There’s a scene in the iconic 80’s film Ferris Bueller’s Day Off where the hero logs into his school’s computer system and starts modifying his records.  It’s a dream that’s probably passed through the thoughts of millions of young people over the years.  If only I could just go and change a couple of those grades discreetly, no-one would ever know.

Unfortunately as with nearly all ‘computer crimes’, committing is much, much easier than getting away with it. The problem is that it’s very difficult to hide your tracks online, one tiny mistake and there’ll be lots of markers pointing your way.

This is exactly what happened to student Imran Uddin earlier this year. A bio-science student at the University of Birmingham, Imran decided that his projected 2:2 degree wasn’t quite good enough and decided to try and gain access to the University’s exam system to modify his grades slightly – changing the scores on five exams in order to boost his grades.

His attack involved installing keyloggers into a selection of the University’s computers in order to steal the passwords of staff who had access to the exam recording system.

These are little hardware devices which you can pick up for a few dollars on the internet, that plug into the back of a computer and record every keystroke made on that keyboard. It’s the easiest way to steal usernames and passwords as it operates at the hardware level and you don’t need to worry about encryption and security. Imran managed to grab a handful of staff accounts including ones that were able to change the exam grades, where he duly modified his own.

Of course, the problem is that these devices have to be installed and can be identified if someone looks carefully enough. Which is what happened in this case, a technician performing an upgrade on some computers in the Bio-Science lab noticed the device. Of course then all the University computers were checked and staff found several more including one on the back of a computer in a staff only area.

After that all roads led back to Mr Uddin and when police checked his own computers they found a huge amount of incriminating evidence. There were eBay searches and purchases of the keylogging devices, evidence of a failed attempt to log in to the University marking system plus loads of other forensic evidence incriminating him.

Which is mainly the problem with these computer crimes, although they’re pretty easy to commit, it’s very difficult to hide all this incriminating evidence when people start looking for it. There will be CCTV records of the keyloggers being installed, records of IP addresses and logins and of course simply looking at backups of the exam system will reveal logs of grades being modified. You can route your connection through Russian or Australian proxies but if you leave obvious clues elsewhere it won’t help you.

I once investigated a system where criminal records were accessed by someone who shouldn’t have had access. Looking at the logs of this system it took about ten minutes to find them – although there were hundreds of thousands of records the culprit stood out like a sore thumb. While every legitimate user of the system logged in and performed searches using an account in this format – USR1077672356, one account was logged in as Jamie333 (details slightly modified!). It was the first account checked and despite the individual being cunning (his name was not Jamie) it didn’t take long to find lots more evidence.
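
The check in this anecdote, spotting the one account that does not follow the naming convention shared by every legitimate user, can be automated. The following is an added example, not code from the investigation described; the log layout, timestamps and the lower-case variant account are constructed, and it goes slightly beyond the anecdote by learning the dominant account-name shape from the log itself rather than hard-coding it.

```python
import re
from collections import Counter

# Constructed sample audit log: "<timestamp> <account> <action>" (assumed layout).
SAMPLE_LOG = """\
2015-03-02T09:14:07 USR1077672356 SEARCH
2015-03-02T09:15:41 USR1077672401 SEARCH
2015-03-02T09:17:02 USR1077651188 VIEW
2015-03-02T09:21:30 Jamie333 SEARCH
2015-03-02T09:22:10 USR1077672356 VIEW
2015-03-02T09:25:55 Jamie333 VIEW
2015-03-02T09:31:12 USR1077690034 SEARCH
2015-03-02T09:40:48 usr1077672356 SEARCH
"""

def shape(account):
    """Reduce a name to its character-class runs, e.g. USR1077672356 -> A{3}9{10}."""
    out = []
    for m in re.finditer(r"[A-Z]+|[a-z]+|[0-9]+|.", account):
        run = m.group()
        first = run[0]
        cls = ("A" if first.isupper() else "a" if first.islower()
               else "9" if first.isdigit() else first)
        out.append(f"{cls}{{{len(run)}}}")
    return "".join(out)

def flag_outliers(log_text, min_share=0.5):
    """Return {account: event_count} for accounts whose shape is not the dominant one.

    If no single shape covers at least min_share of the distinct accounts,
    there is no clear naming convention to compare against and nothing is flagged.
    """
    events = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) >= 3:               # skip blank or malformed lines
            events[parts[1]] += 1
    if not events:
        return {}
    shapes = Counter(shape(acct) for acct in events)   # one vote per distinct account
    dominant, count = shapes.most_common(1)[0]
    if count / len(events) < min_share:
        return {}
    return {a: n for a, n in events.items() if shape(a) != dominant}

if __name__ == "__main__":
    for account, n in flag_outliers(SAMPLE_LOG).items():
        print(f"review: {account} ({n} events, shape {shape(account)})")
```

On the constructed sample this flags Jamie333 and also the lower-case usr1077672356, a near-miss of the convention that a hard-coded prefix check with case folding would let through.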

Mr Uddin was sentenced to six months and presumably lost his degree completely, he also faces the possibility of legal action from the University too. It’s impossible to know how many people actually get away with crimes like this, but one small mistake or piece of bad luck and it’s very simple to track the culprits down. Still kind of feel sorry for the guy though, but there’s definitely a lesson to be learnt here!