Category: technology

Global Internet War – Chinese Great Cannon

We’ve all seen those scaremongering stories on mainstream media, about cyber wars and the internet becoming a battlefield.  Usually these are rather over the top,  however a story is breaking now which is making these seem much more of a reality.

The story starts with a web site called greatfire.org which provides news and information around Chinese censorship in general and the Great Firewall of China specifically.  It contains lots of information and links to VPN and proxy tools like Identity Cloaker which can be used to circumvent the Chinese firewall and surf without restrictions.
Now obviously sites like these are not very popular with the Chinese authorities and generally can be difficult to access directly (although the site is mirrored across several locations).  It comes as no great surprise that sites like these are routinely blocked, but what has happened next is a significant escalation by the Chinese authorities.

Unleash the Great Cannon 
cannon-308996_640

On the 16th March the greatfire servers came under a huge DDoS attack, 10 days later an open source developer’s site called github came under a similar attack.  Basically the sites experienced a huge surge in traffic which their servers were unable to cope with and simply fell over.

The origin of these attacks were from thousands of computers mainly from across Asia (although outside China).   The source were thousands of clients and some injected JS scripts from traffic which appeared to be destined for Baidu (the Chinese search engine).

At first it was unclear who was responsible for coordinating these attacks, until Citizen Lab, a group based in the University of Toronto, investigated the attacks and released this report.  It is from their hard work that we can see the real culprit behind these attacks.

Basically the Chinese have developed a system which can intercepting foreign unencrypted traffic destined for any location in China, then insert malicious javascript to attack any target they specify.  This offensive system has been dubbed as the Great Cannon of China and in this instance  performed this man in the middle attack on the two sites greatfire and github.  A large proportion of unencrypted traffic was intercepted and diverted to these sites in order to overwhelm them.

So just to explain, if you had perhaps used Baidu on the 16th March, your browser may have been involved in the attack completely without your knowledge.  The Chinese have developed a system which is able to leverage internet traffic to basically destroy any web site they wish for a limited time.

Of course those worried about a one sided war where the Chinese obliterate sections of the internet, should be aware that the UK and USA intelligence services have already developed and tested similar technology.  However for free speech and internet neutrality it’s an extremely worrying development.

Summary 

It’s an extremely aggressive and high profile attack, the report seems fairly conclusive that it was conducted by the Chinese state, with parts of the code from libraries identified from the Great Firewall and several confirmed locations on the firewall injecting the scripts.

The worry is that the Chinese will so openly inject malware into any inbound traffic and redirect it at any target it likes.   This man in the middle attack could easily be redirected at any target they wish. Although larger sites may be able to cope in the short term, effectively it could finish any web site without significant resources.  The bandwidth bill of greatfire.org shot up by tens of thousands of dollars during the attack, costs that most web owners wouldn’t be able to cope with.  In fact small sites could easily be subverted quickly and efficiently using these methods – read this post which records the demise of Tomaar.net, a Saudi Arabian discussion forum.

Technically there is an even more worrying possibility, in that any computer can potentially be compromised by simply visiting any Chinese website without encryption.  The code could be altered to identify specific computers (perhaps IP addresses used by foreign Government computers)  and then infect them directly rather than launching an attack on a third party.

The possibilities and threats are endless, so unless you want to be involved in an attack it’s probably not a wise move  to visit any Chinese (Non-HTTPS) based website without using encryption.  Although this can be difficult to identify with adverts and analytics often embedded into websites which you can’t see.

Commercial pressure will hopefully cause some damage to stop the Chinese attacks, internal pressure stopped the attack on Github as it’s a powerful resource used by many Chinese programmers.  It’s not going to do a great deal for any Chinese based internet commerce or technology company either, who wants to risk being directly involved in the crazed attacks of the Chinese State on free speech websites?

Superfish Vulnerability – Free Gift from Lenovo

This week saw some staggering news, which even now a couple of days later I still find hard to believe. It’s something you might expect happening in North Korea or China, but not here!

The hardware manufacturer Lenovo, who sell millions of laptops and PC all over the world has been installing an adware program called Superfish on all their new machines. That’s right, no longer do you have to worry about getting malware installed from visiting dodgy porn or torrent sites, just buy a Lenovo laptop and they’ll pre-install them for you.

So let’s just state that again –

A computer manufacturer called Lenovo is pre-installing adware on new computers.

It’s that incredible, I think it’s worth repeating. It doesn’t matter that it has a cute cartoony name like Superfish, this is an incredible abuse of trust powered simply by greed.

superfishThe adware installs adverts into your browsing which make Lenovo money everytime you click on them.  You know adware, the stuff we all hate and go to great lengths to avoid installing.

Lenovo justified themselves in pretending that these ‘MONEY MAKING ADVERTS’ were actually for the customer’s benefit – describing Superfish as advanced technology which helps customers find different products at lower prices using image analysing techniques. I’m sure everyone capable of operating a laptop is able to see through that pathetic justification.

Unfortunately it get’s worse, not only Superfish is happily inserting damn annoying adverts into your browsing but the method it uses is actually making your computer even more vulnerable.

Superfish inserts a self-signed root certificate onto your computer giving it the capacity to intercept all your HTTPS encrypted traffic

It’s called a Man in the Middle attack and it’s something I have demonstrated on this blog previously. But basically they’re intercepting even your secure traffic so that they can insert their money making adverts. They’re apparently using the same default certificate on every single machine which effectively compromises security on each of these. Each Lenovo machine which is affected basically has a pre-installed vulnerability waiting to be used by anyone who wants to intercept your traffic.

It’s truly incredible and it’s been allegedly going on since mid-2014 so who knows how many millions of machines are riddled with this program.

Here’s a tool from the security company Last Pass which checks if you are at risk – Superfish Checker.

Hopefully Lenovo suffer a huge commercial loss due to this incredibly greedy and sneaky act – I for one will never consider buying anything from this company ever again.

Saving Money with Google

I unfortunately have a reputation of being a bit careful with money. It’s not something I’ve deliberately cultivated or crave, indeed it’s simply been thrust upon me out of necessity. Anyway, the last few years I’ve abandoned all sense of being a relaxed, free spending individual and embraced penny pinching. So here’s a short tale which has saved me money and might help someone else. It sounds quite obvious, but it wasn’t to me initially so perhaps someone else will feel the same.

thrifty

I have foolishly promised my family a trip out to the US next year, as they’re complaining that they’d never been. So I was planning a trip to include New York, the awful sounding Disney parks and a few highlights from the West Coast. It is while researching the West Coast tours that I had my epiphany, trying to organise seeing a few sites in a limited time, without spending a small fortune. Of course, I started online and began to look for tours across the West Coast of America – here’s my first search page. google-holiday

 

Seems ok, but have you noticed something ? Please click to enlarge if you can’t read it properly, there’s a point to be made here.  I noticed it a few minutes after checking out some of the links, every one of the results where UK based travel companies.  To be more precise they were UK travel companies reselling tours of the West coast of America.  The majority of these tours were run by US companies, all resold through companies based in the UK.

So what’s wrong with this, you may ask?  Well my investigations continued and I discovered that all these services were much more expensive when bought through UK companies.  Which of course makes sense, they’ve got to mark up the price to include their profit margins.  Then the penny dropped, slowly and painfully my brain came up with the idea – why can’t I just search and book these tours directly with the companies that are running them?   We all know that the more people involved in the transaction, the more fingers in the pie and the higher the costs will be – so why not book direct?  The first stumbling block is actually finding them – Google deliberately directs you to suppliers local to you.  This is of course fine when you’re searching for plumbers and local tradesmen, but why bother if you want to book a trip with a company across the globe?

After all –

  • All these companies are on the internet.
  • An email from me will arrive in California as quickly as it will in Liverpool
  • There’s no language barrier.
  • It must be cheaper!

Makes sense, doesn’t it ?  So first let’s get Google to show us local suppliers from the West Coast of the US rather than travel agents reselling me the same thing.   My first thought was to use Identity Cloaker to open up a US VPN, which of course would then make me look as though I was in the US and show me the same results.   This will work but it’s not actually necessary as all you need to do is to stop Google redirecting you when you ask for the US version of Google – here’s the url you need, just add NCR (no country redirection) like this –

http://www.google.com/ncr

Without adding the NCR switch , Google will decide that you’re a confused muppet and redirect you to your local version of the search engine instead of the US one.  But if you use it you can search on google.com with US based results – like this (again click to enlarge):

westcoasttours-google-ncr

 

This time I get local companies, that is US companies local to the West Coast not ten miles from me.  When investigated, they are all much cheaper, all are happy to accept booking direct and are just as easy to deal with as the British companies.  In fact they’re a whole lot nicer than the UK companies to be honest.

In reality using a VPN actually works a little better than using the NCR switch as you still seem to get better localised results.  But using the switch is perfectly adequate for initial research.  In my instance I booked the exact same tour for my family with a US company and save about $1600 from the UK based price.

Ok so it’s only a small personal example, but it’s indicative of how the internet giants and search engines are controlling how we access the internet.  We are being funneled down a computer generated personalized and commercialized version of the internet.  The internet does get bigger by the day, but do you often find yourself on the same old web sites every day?  I certainly do, the internet is expanding whilst I seem to be constantly railroaded into the same old sites.

Step back and think of what you want to achieve online, it does help and can greatly expand the possibilities that the search engines will offer.

Broken Smart DNS for US Netflix – Here’s the Fix

There’s a bit of a war starting online, and it looks like it might get a bit nasty.  Only a few days ago, Netflix announced that they would be launching a Australian/New Zealand version of it’s popular media streaming site.   There was one slight issue though for the global media giant, it estimated there were already over 200,000 Netflix US members already streaming from Australia. Now this wasn’t some strange mass exodus of US citizens in search of Aussie beer and TV. It referred to  the fact that loads of Australian’s fed up with the local online offerings and their TV stations were using programs like . to stream US Netflix already.

Unblock and Watch American Netflix in Canada using VPN or Smart DNS proxies

They were also using some configured proxies, although mostly these don’t work any more and the new Smart DNS technology to bypass the blocks. Normally when you sign up for a Netflix account, you actually receive a global enabled one.  This means that what you see is actually based on your location.  So my UK Netflix account turns into a US one when I’m physically in the USA, it’s a German account when in Germany and so on.  Which is fine except for one small problem, the US version of Netflix has literally thousands more films, movies and TV shows than any other version. The UK version of Netflix is ok, but the US version is awesome.

So everyone started to use methods which hide their IP addresses and get access to the US version of Netflix (although Canadian Netflix isn’t too bad either).  One of the most important was Smart DNS, which is the easiest way to get access on devices like Smart Phones, Smart TVs and other such devices.   This is the service I use and it comes highly recommended. But that looks like it was stopping, over the last few weeks Netflix has updated it’s client software on these devices and built in something that stops Smart DNS working (here’s exactly how Smart DNS works).   Now on any of these updated devices, you can only access your legitimate country version of Netflix, which means if you’re not in a Netflix enabled country you can’t watch it at all. Basically they’ve updated their systems so that third party DNS servers can’t be used to resolve the addresses of the Netflix Site.  This means that none of the Smart DNS solutions work any more.

How to Fix Broken Smart DNS for Netflix

Fortunately there is a solution which follows, I have demonstrated on my router a Netgear WNDR 4500 but you should be able to do this on most decent routers. Basically Netflix is forcing everyone to use specific DNS servers, the Open DNS and Google ones, in order to stop the Smart DNS trickery working.  The fix ensures that these DNS servers are not accessible and the client will then go back to the Smart DNS ones – So here’s the fix, first go into your routers configuration screens – mine is accessed by putting it’s internal ip address into a browser . i.e. http://192.168.1.1 which gives me this screen. netgear-smartdnsfix1 You then need to move down to Advanced settings and select Static Routes.  From this screen we need to make sure that the four public DNS servers that Netflix is trying to force us to use are not accessible. fixrbokensmartdns2

Here’s the screen (click to enlarge), and you need to simply add a route for each DNS server to ensure it never gets to it’s destination.
Commonly the information required is –  Destination IP address – the address of the DNS servers as follows:

  • 8.8.8.4  Google DNS
  • 8.8.8.8 Google DNS2
  • 208.67.222.222 Open DNS
  • 209.244.0.3   Open DNS

Subnet Mask  – Put in 255.255.255.255 Gateway IP address – Your Router or a made up internal IP address – mines set to a PC 192.168.1.253 Metric – 2 This should ensure that none of your devices will be able to access any of these DNS servers, thwarting Netflix’s plan and making Smart DNS work yet again – hooray!!  The last check to see if it’s working is to ping any of the devices to see if they can be accessed. pingcheck-dns Here’s an example, you can see the Google DNS server is not reachable.  Now Netflix runs like a dream again and connects to the USA version without a hitch.  This obviously relies on you having a router which allows static routes to be set up, however this is not always possible – the crappy routers most ISPs hand out are usually locked down so you can’t get access to these.   There are other potential solutions which I’ll check out and hopefully post up here if I get chance.

Is Smart DNS Safe? Using Free Smart DNS Codes

A lot of people are starting to use Smart DNS instead of the traditional methods of accessing geo-blocked content.   However people still seem to overlook the huge potential risks in using these free codes and servers that conveniently appear on the internet.

is smart dns safe

But first let us back track and attempt to give a short overview of Smart DNS and what it’s actually used for.  It is basically the next step in the war against web sites who want to control access to their content based on your location.  If configured correctly it has the potential to give anyone access to sites like BBC, HBO, ABC, ITV, Pandora and Netflix irrespective or where you live.  SO you can watch the US version of Netflix from Ottowa, then switch to the UK only version of BBC iPlayer without any problems.

Of course, VPNs and proxies already allow this – however the beauty of the Smart DNS proxy solution is that it works almost seamlessly in the background and can be enabled on virtually any network enabled device.  In the past, people have searched how to get proxy or VPN authentication working on games consoles, iPads, mobile phones or Smart TVs.  This can often be very difficult and sometimes it’s virtually impossible.  With Smart DNS it’s not required, simply change your DNS server and it’s done, it takes minutes and then it’s done – watch this for a demo.

It’s easy to see why it’s becoming more popular, incredibly easy to use and you can simply set and forget.  However it’s important to understand how this actually works and you’ll find the majority of smart dns reviews somewhat lacking in explanations.

How Smart DNS Works

To properly consider the risks of using this technique, it’s obviously useful to have an idea of how it works.   Instead of using your standard DNS server usually assigned by your ISP on connection, you are instead forwarding all DNS requests (the lookups that tell your computer where to find a certain web site) to a specially configured Smart DNS server.  This server will run a DNS forwarder (such as DNSmasq) which will intercept certain domain names, these will be typically the geo-blocked sites like BBC, Hulu  and Netflix.

All other requests will be resolved normally, however any request for the specific geo-blocked sites will be routed to a remote proxy in the correct location.  So for example if you request a video from BBC iPlayer your browser will automatically be redirected to a UK proxy where the connection will be made.  If you then switch to Hulu, your request will be redirected to a US based proxy instead.   Basically you will be rerouted to specific servers using the DNS forwarder – this will all be done in the background.

It’s a very simple and clever technological work around, a well configured and fast Smart DNS server works incredibly well.  You’ll be redirected through a proxy when you need to be to access the site, otherwise the DNS requests will be resolved normally.

So are there any risks to this method?

Unfortunately there are,  simply because you are giving a third party server almost complete control of your web browsing.  There is absolutely nothing to stop this server from rerouting any web request you make – here’s an example.

  • You type in paypal/home banking site  into your web browser as you want to pay some bills.
  • The Smart DNS server reroutes your connection to a different website where a mirror of Paypal/your bank site is stored.
  • You login to the fake version of the website using your username and password.
  • Your account details are stolen and your account accessed.

If it was done well, you would be completely unaware of this happening. You will have given the Smart DNS server complete control of your browsing and the ability to decide which web site it sends you to.

This is the main issue (although there are some others), the fact that anyone can knock together a Smart DNS server and use it to steal usernames and passwords quickly and easily.    All they need to do is release it on the net and post a few ‘found these free dns codes’ type messages on social media sites like Facebook and Youtube, they’ll soon have a flood of potential victims.   It’s an incredibly profitable cybercrime, people can have their various accounts plundered, identity stolen whilst thinking they’re getting a great deal whilst watching the BBC for free!

Remember changing your DNS setting hands over complete control of all your web browsing.

So back to the main question – is smart dns safe ? Well if you’re using free DNS codes found on random posts on internet forums and bulletin boards no almost certainly not.   They have the same inherent risk that using free proxies and vpns have – basically why would people do this for free, well they don’t there will always be an ulterior motive usually involving your personal details.

Of course the commercial Smart DNS services are a completely different matter.  They are on the whole run by legitimate companies who secure their DNS servers and the proxies that they route through.  The problem with these is not whether they are legitimate, but the fact that they are easier to block than VPN services.   For example Netflix have waged war on all methods of bypassing their region locks and 99% of Smart DNS services stopped working in 2016.   The technology is unfortunately much more vulnerable to blocking than the VPN services like Identity Cloaker, and of course doesn’t offer any encryption or security to your connection.

Still there’s no doubt it is easier to set up than a VPN on things like Smart TVs and media streamers so a commercial Smart DNS service is still useful to many people. However you should always check first that it works with the media sites you require, many don’t work with the BBC too.

At the moment you can try out a Smart DNS proxy review for free on probably the most advanced Smart DNS system  (only one that works with Netflix) –
FREE Trial of Unblock US Here

Try it out and see how it works for you.