Category: privacy

Do You Trust Your TV? It Could be Spying on You.

Well if you have a new Samsung TV then perhaps you should think twice before answering that question.  Their new generation of Smart TVs have a voice activation feature that allows you to switch on and off, change channels and stuff like that, but it’s possible that this comes at a significant cost.

 

An eagle eyed EFF activist called Parker Higgins, took the time to read the privacy policy of these TVs and discovered a rather alarming paragraph which stated –

Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition.

So let’s just have a think about this, if you enable the voice recognition function on your shiny new Samsung Smart TV, the bloody thing will not only listen to all your conversations it will also transmit them to a myriad of  third party companies.  Your TV would actually be sitting in the corner of your room spying on you!

Now putting aside my personal dislike of all voice enabled devices, I mean why is talking to an inanimate device preferable to pushing a button, this is a seriously worrying threat to people’s privacy.  For a start you’d have to be permanently on your guard, who knows where your conversations are going to – just some spotty Samsung technical geek  or more likely a selection of marketing companies?   Secondly, it’s not only spying on you the owner of the TV but anyone who happens to be in the room – have they given their permission ?  Should anyone entering your living room be given a disclaimer and need to sign a consent form !!

Samsung have now modified the wording in their policy insisting that the TV doesn’t in fact listen to ordinary conversations.  This is however rather difficult to believe after the initial policy wording,  I mean you’d never put that down in writing if it wasn’t in some way true.  There is obviously little thought being put into the design of these devices, as far as privacy goes – relying on stuffing a few sentences deep in the TVs documentation (which it probably thought nobody would read).

There are other aspects to the technology which makes it even more unlikely that conversations can’t be monitored by the device.  For start the TV is capable apparently of recognising complex requests like –

‘recommend a good Sci-Fi Movie’ or ‘open BBC iPlayer

I mean a TV would have to listen to pretty much everything to pick up and filter requests like that, this is beyond someone like me shouting OFF  in his stupid accent.

What is more that the TV doesn’t have a single microphone, you can’t just huddle in the corner away from the TV whispering – there’s another in the damn remote control.   Cunning move, the TV remote in my house for example it is the singlest most difficult to find device by far.  It routinely turns up in all sorts of obscure locations and I’m sure my children are on some sort of retainer to hide it every time they’ve finished watching.

Well I for one, will not be purchasing one of these things, however unfortunately it will also involve me upgrading my general level of paranoia.  I foresee a future of creeping around electronic stores or checking the backs of friends TV sets when I enter their house  (and of course enquiring about the location of the remote).

Does anyone really need this rubbish !!

Surprising New Palestine Charity Donors

If you follow the security and hacker world, you’ll know that there is a constant tit-for-tat battle going on across countries, religions and ideologies.  One group will deface a certain web site usually with badly spelt propaganda and  ‘1337 speak’, then a few days later another group will retaliate with an attack on a different web site.  There’s lots of threats and tough talk, and it sometimes seems like there are literally thousands of these groups all over the world fighting their own cyber way.
computercrime

The reality is that it’s been happening for so long it doesn’t really make much impact any more, unless it’s a really big commercial name.  There’s another problem with this attack method, especially due to the minimal impact – it usually takes much more effort than it’s worth.  Of course there are literally thousands of ways to hack a web site – vulnerabilities on the code, the host, bruteforce passwords or pinch user credentials – the list is virtually endless.

However it does take time, and can take an awful lot of effort which is why it often looks like a complete waste of time.  You spend days finding out a web sites vulnerabilities and hack into it, replace it with your leet message – then take a couple of screenshots.  What happens then?  The owner changes all the password, closes the vulnerability and restores the original from backup and it’s all back to normal.  Unless you dash out and advertise the hack, then it’s likely not that many have even noticed and those who do have seen it all before anyway.   Of course if it’s a bank or a big commercial site then there is much more of an impact and of course commercial implications – but those sites are likely to take much more effort and resources to hack into anyway.

Which is why I think this was a rather innovative angle by a group of  pro-palestinian (or perhaps just anti-Israeli) hackers called AnonGhost (not impressed with that name!).  They’re involved in an cyber offensive against the Israeli’s, which sounds a bit more impressive than the reality, and have been for several years in line with other Muslim extremist groups like ISIS.  It all get’s very messy here as you have a ‘free speech’ hacker group like Anonymous, working towards the same target alongside ISIS sympathising hacking groups such as AnonGhost.  Obviously supporting any ISIS related group is kind of a backwards step toward promoting free speech and liberty.

Anyway the point is that instead of just stealing a few user details and posting up a bit of tedious cyber graffiti which is overwritten half an hour later, they did something different.   They stole lots of credit card details from an Israeli based site and posted some of them online, the rest they used to make donations to a Palestinian children’s charity.

anonghostdonate

Well that’s the story at least, there is a little bit of evidence to support it but not enough to be completely sure. The irony of course relies on these being stolen Israeli credit cards. Though whether the payments were completed by the charity site – fundrazr, is also perhaps difficult to believe -especially after the facts were posted all over the web.

As usual, the attackers probably didn’t hide their tracks very well and unless they used some very secure VPNs, like these, have probably now got loads of their details listed on databases compiled by various security agencies like GCHQ and the NSA.  However as a stunt,  it was at least a little bit innovative.

What Information is Hidden on My PC?

The majority of people who just use the internet every day for browsing, shopping and entertainment probably imagine that they have quite a decent level of privacy by default.    They probably expect that there browsing is private, passwords are secure and emails confidential at least to a certain extent.  Unfortunately the reality is a completely different story.

The problem is that people are blissfully unaware of simply how much of their online lives is completely open and unprotected.    Take for example your computer or laptop,  most people’s are stuffed with all sorts of web browsing history, passwords, login details and a host of other stuff often going back years.

So here’s something to try if you’ve got a spare few minutes – download this free computer forensics tool – here.

It’s called Systems Information for Windows and is a pretty advanced tool for scanning your computer and analysing detailed information about it.   It takes minutes to run and in fact doesn’t even need installing as it runs from a stand alone executable.

Passwords on Your PC

Here’s a screen shot that it picked up from my laptop.  Although obviously I needed to censor it – every single line in that picture contains a website I accessed and the password I used to access the site.  SIW picked up hundreds of these all stuffed with personal details, login accounts and even the passwords I used to access.

Try it on your laptop and PC – you’ll be amazed at what information can be picked up from your computer.

Here’s a selection of the sort of passwords and login details it can pick up –

  • Screen Saver Passwords
  • Windows Logons
  • RAS Passwords (Remote access and Dial UP for your ISP)
  • Outlook (Email accounts)
  • Firefox, Chrome and IE passwords
  • MSN and Messenger Passwords
  • Wireless Keys (WPA, WEP, WPSK, SSID)
  • FTP Login Details

That’s only a sample, all stored on your local machine – all easily accessible to anyone with access to the computer either physically or remotely.

I urge you to take a look and see how much of that information you are potentially leaking to the world.  Most people will see lots of details and passwords that they would consider private.

Also remember this is the free version of the software – there are plenty of professional tools floating around the internet used by hackers and forensic scientists that can pick up much much more.

What sort of problems could this cause you if the information fell into the wrong hands – perhaps an identity thief or hacker.  Perhaps run from a virus or when you accessed free Wifi from that cafe last week.  Email passwords, Paypal, Ebay or banking details can be used very easily to steal and defraud.

Even if a sensitive website doesn’t appear in the list – how many of us use the same password for our online banking or Paypal that appears in the list?

There are privacy modes in most modern browsers that stop this information leaking out, security programs like IDC or Smart DNS – keep your connection secure and free programs like CCleaner can be used to tidy up your computer to start with.   Ultimately knowledge and some awareness of the (lack of) privacy situation online is your best defence – a little paranoia is definitely called for when you surf the web!

 

How Secure is Email – Privacy Issues

There is a common analogy used in security discussions about how secure email is. It’s generally considered that using standard email is about as secure and private as taking a postcard, writing down your secret thoughts, then handing it to a passing stranger and asking them to post it for you. If you take in to account how emails are sent and the technology involved it’s not far from the mark. Mind you I can’t remember the last time I got a postcard so maybe this particular analogy will be out of date soon.

You can go to extraordinary lengths to secure your email though, there are many secure software solutions that will encrypt your emails and patch up the various privacy holes in email in general. However for many of us, who simply strive for a reasonable level of privacy this can be a daunting and expensive task. In some senses, it’s perhaps best to stay clear of email if you want real, gold standard levels of privacy and security and look for another method of transferring information. The most serious privacy concern with email, that everything you send is sent in clear text. Anyone on the distribution route of your email can simply eavesdrop on the content and read it without any fuss – no hacking or cracking of passwords is required.

Packet Trace of an Email

Packet Trace of an Email

Take a look at this packet capture, taken from the sending of an email using Thunderbird.
The entire email – the sender, the recipient, time stamps and the message is in clear text – all of it readable without any effort.

So let’s add a level of privacy to this transmission, I’m going to use Identity Cloaker to secure my email. We fire up the application, select a secure server in another country (I’ve chosen a Swiss server here) and then tell Identity Cloaker what to encrypt using the application screen.

Set-encryption-email

In this example I’ve told it to encrypt Thunderbird, which is the email client I use on this particular PC. I’ll then resend the email and see what you can pick up from the wire using a packet capture program (Wireshark available for free here!).

Encrypted Email Traffic
As you can see, or perhaps I should say ‘can’t see’ now all the data regarding the email is encrypted and is inaccessible to anyone reading it on it’s journey. Using this technology, adds a huge level of email privacy and can be used with all applications which don’t properly encrypt your data including messaging clients, browsers and a host of others. However it is important to remember that the email is only encrypted during it’s journey, when it hits your client or mailbox then the message will be in clear text again unless some additional encryption solution is used to protect here. Having said that at least all your messages are protected in transit and aren’t left sitting unprotected in logs on routers and servers all across the net!

Iran Prepares Itself for an Intranet

When countries start to heavily censor  the intranet,  it’s easy to imagine where  they’ll end up – running a State controlled intranet.  We can see it happening now in Iran, there’s news across the net reporting that the country is building up to it’s (ahem) democratic elections in June.   One of the steps they are taking is attempting to block all proxies and VPNs being used in the country.  It’s something China have been doing for years and although they have a much  more sophisticated approach it’s incredibly difficult to do – read here about the Chinese TOR probe.   Iran are reportedly trying to block all ‘non-approved’  VPNs and proxies basically to ensure that nobody is using them to avoid the countries growing content filters and blocked web site list.

Internet Access in Iran

Iranians will still be able to use the approved VPN providers, although why those who are  concerned with state spying and internet filtering would want to use these is completely irrational.   The reality is that it is an information war that the Iranians will lose, for every block or control they put up someone, somewhere will figure out a way around it.   For example you can block access to web sites and indeed VPN services in a variety of ways.

Create Blacklist of  Proxies and VPN Services 

This is what a lot of countries like Iran do initially and how many commercial filters work.  You just build up a database of specific IP addresses and URLs of known services and just completely block access to them.  This means that the user will not be able to make that initial connection to encrypt or bypass the content filters.  But there is a huge flaw with this technique, anyone with a little knowledge could set up a VPN or proxy service on a hosted server somewhere in minutes.  There are customised scripts and simple installations of proxies like Glype and Squid that can be set up by anyone on a shared server.  It’s simply impossible to keep track of all these servers – remember it’s the Iranian Regime’s IT workers VS the rest of the Internet – who’s your money on?

Deep Packet and Pattern Inspection

You can attempt a more sophisticated technique by trying to look inside the traffic and figure out when a VPN or proxy is being used.  Even if you control the internet boundaries in your country this is very difficult to do.  For a start it’s almost impossible to analyse every packet that leaves and enters the country via the internet.  The amount of resources you will use would be enormous, not to say you end up pretty much crippling internet access at the same time.  So you have to restrict your checks to certain patterns – perhaps selecting traffic leaving or using specific ports – maybe 443 for example.  This is still going to use an enormous amount of resources and of course there’s nothing to say a specific service has to use a specific port number for connection.

Just look at one of the configuration screens of my preferred security software – . >.

identitycloakerconfiguration

Just look at the options there in one screen for cloaking, modifying port redirection and simply changing individual elements of the connection protocol.   It’s extremely difficult to look for specific patterns when there is this amount of customization is available in the connection methods.  Of course most  security/VPN software don’t  offer anywhere near this level of sophistication, but the market would soon be created if there is a demand created by increased filtering.

Wrecking the Digital Economy

This might not be of concern to Iran, but for countries like China it is a very real issue.  Whether they like it or not any successful business needs the internet, if you start breaking or restricting the infrastructure they’ll simply go elsewhere.  Any multinational business will use VPNs to connect back to their corporate networks safely and securely.  Will they be prepared to use Iranian approved VPNs instead of the tried and tested commercial alternatives?  Every web site that is blocked, every VPN closed down makes it more and more difficult to operate in a specific country.  The benefits of a digital economy are eroded and a countries economy will without doubt suffer.  As mentioned it may not matter if religious and political ideals are the primary goal, but as we have seen from the Arab spring – economic woes causes revolutions too.

These are just a few simple reasons why many believe that the technological reasons mean that inevitably the level of control required by someone like the Iranian Government will lead to an intranet.  Just to clarify  that would involve blocking all access to the outside and internet and restricting access to content created and hosted in Iran.  Sounds fun, doesn’t it but Iran has been working on this since the Spring of 2011 and is the only way they can control what people see from their phones and laptops.  Of course they’ll be dragging the country back into the dark ages when they do it but perhaps that’s not a problem.