
Category Archives for "News"

New 451 error code to highlight online state censorship

Online censors have a new enemy to contend with: the people responsible for internet standards. The Internet Engineering Steering Group (IESG), part of the Internet Engineering Task Force (IETF), has approved a new HTTP status code that will let users who cannot reach a website tell whether the cause is a technical problem with the site or a non-technical one, which will most commonly mean 'the site is being blocked by your government'.

Most internet users will have encountered an HTTP status code at some point. They are three-digit numbers grouped by class, from the 100s (informational) through to the 500s (server errors). One of the most familiar is 404, which tells you that the page you asked for cannot be found.

The latest addition is 451, 'Unavailable For Legal Reasons', which tells you that the content you want has been blocked in response to a legal demand rather than lost to a technical fault.

Regular readers will be aware that, far from improving, state censorship of the internet is on the rise. In just the past couple of weeks we have reported on Brazil blocking WhatsApp, Bangladesh blocking Twitter and Skype, and Kazakhstan's plans to monitor its citizens' online activity, to name but three.

Plenty of countries are renowned for online censorship, most notably China, which invests billions of US dollars in its Great Firewall and recently added Wikipedia to its enormous list of sites that Chinese users cannot reach.

The practice is also used closer to home. In Europe, for example, users are blocked from a long list of sites reported to host pirated content. Until now it has been difficult to establish precisely why a government-blocked site would not load; this code is meant to change that.

In a blog post, Mark Nottingham, chair of the IETF's HTTP working group, explained why the code is being introduced now: "As censorship became more visible and prevalent on the Web, we started to hear from sites that they'd like to be able to make this distinction."

He also highlights organizations that want to catalogue censorship, and explains how the new code will make it easier for them to crawl the web and measure how many sites, and which kinds, are blocked in different countries.

He also explained the difference between 451 and the existing 403 code, which simply tells users that access is "Forbidden". A 403 gives no reason; a 451 states that the reason is a legal demand, and a site returning it can point at the entity that imposed the block.
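The distinction a censorship-cataloguing crawler has to draw, as an added example that is not part of the original article: the three responses are constructed, and the `Link` header with `rel="blocked-by"` is the mechanism the final 451 specification (RFC 7725) uses to name the blocking entity, which the article does not go into.

```python
"""Classify raw HTTP responses the way a censorship-cataloguing crawler would.

Added example, not part of the original article. The sample responses are
constructed; the hostname example-isp.test is a placeholder.
"""
import re

# Constructed sample responses, as a crawler would see them on the wire.
SAMPLE_RESPONSES = {
    "not_found": (
        "HTTP/1.1 404 Not Found\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
        "<html><body>No such page</body></html>"
    ),
    "forbidden": (
        "HTTP/1.1 403 Forbidden\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
        "<html><body>Access denied</body></html>"
    ),
    "legal_block": (
        "HTTP/1.1 451 Unavailable For Legal Reasons\r\n"
        "Link: <https://example-isp.test/legal>; rel=\"blocked-by\"\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
        "<html><body>Blocked by court order</body></html>"
    ),
}

STATUS_LINE = re.compile(r"^HTTP/\d\.\d (\d{3}) ?(.*)$")
# A Link header value such as <https://host/path>; rel="blocked-by"
LINK_BLOCKED_BY = re.compile(r'<([^>]+)>\s*;\s*rel="?blocked-by"?', re.IGNORECASE)


def parse_head(raw):
    """Split a raw response into (status_code, {lower-case header name: value})."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = STATUS_LINE.match(lines[0])
    if not m:
        raise ValueError("malformed status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers


def classify(raw):
    """Return a dict saying why the fetch did or did not succeed.

    403 and 451 both mean "you may not see this", but only 451 states that the
    reason is a legal demand, and only 451 can carry a blocked-by link naming
    the blocking entity, which is what a censorship catalogue wants to record.
    """
    status, headers = parse_head(raw)
    result = {"status": status, "reason": "other", "blocked_by": None}
    if 200 <= status < 300:
        result["reason"] = "available"
    elif status == 404:
        result["reason"] = "technical: resource not found"
    elif status == 403:
        result["reason"] = "forbidden: no reason given"
    elif status == 451:
        result["reason"] = "legal: blocked by demand"
        m = LINK_BLOCKED_BY.search(headers.get("link", ""))
        if m:
            result["blocked_by"] = m.group(1)
    return result


if __name__ == "__main__":
    for name, raw in SAMPLE_RESPONSES.items():
        print(name, classify(raw))
```

A real crawler would also record the 451 when it comes from an intermediary rather than the origin, since a transparent proxy run by an ISP can return it too; the classifier above does not care who sent it, only what it says.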

All good news so far if you oppose online censorship, but the new code is not perfect. As Nottingham himself admits at the end of his post, "In some jurisdictions, I suspect that censorious governments will disallow the use of 451, to hide what they're doing. We can't stop that."

This unfortunately means that in countries where censorship is rife, users are unlikely to see a 451 any time soon. Nottingham's point is that such a ban on its own tells you a lot about your government, but it does not help users in those countries get around the censorship they face.

At present there is really only one cost-effective and reliable way to do that, which is to use a VPN service.

A VPN sends all of a user's web traffic through an encrypted tunnel to an external server. This hides the traffic, and the sites being visited, from the local network and the ISP, and it also means the user appears to be accessing the web from whichever country the VPN server is located in.

So an internet user in Bangladesh can use a VPN to appear to be browsing from the USA, and thereby reach sites that are censored in Bangladesh but not in the USA.

VPNs are used around the world to circumvent censors' efforts to control online activity, and as censorship rises, so does VPN use.

The new 451 code is an important step towards raising awareness of state censorship online, but if you want to get round it, a VPN remains by far your best option.

Common hash algorithm about to be broken

Are you one of the growing number of people who manage their bank account or credit cards online? Then there is potentially bad news for you this Christmas: experts believe attackers are closer than ever to breaking the algorithm that underpins the certificates protecting such services and, indeed, more than a quarter of all the internet's secure sites.

We should state at the top of this piece that there is nothing to suggest they have succeeded yet, so there is no reason to stop using online banking. But with reports suggesting a practical break could be as little as six months away, it is definitely something to keep a watching brief on.

The algorithm in question is SHA-1, and it is used in the digital signatures on the certificates that these sites present to your browser to prove their identity. Until recently it was thought the algorithm would hold for at least another year, and browsers such as Google Chrome were planning to stop trusting SHA-1 certificates on 1 January 2017.

But in a blog post, Google has announced plans to bring that date forward to 1 July 2016 over fears SHA-1 will be broken before the original deadline. In fact, if you visit a site with a SHA-1 certificate today, Chrome already flags many such connections as not fully secure. Google is not the first to take such a step: Mozilla has already moved its cut-off forward to July 2016, and Microsoft has opted to stop accepting SHA-1 certificates in June 2016.

So what exactly is SHA-1, and what is the problem? SHA-1 is a cryptographic hash function: it takes input of any length and produces a fixed 160-bit digest, usually written as 40 hexadecimal characters, that acts as a fingerprint of the input. It is designed to work in only one direction, so the input cannot be recovered from the digest. It is not encryption: there is no key and nothing to decrypt. Its job in a certificate is to stand in for the certificate's contents when the certificate authority signs them, so the security of the signature rests on nobody being able to produce a second document with the same fingerprint.

That is exactly what a collision is: two different inputs that produce the same hash. If an attacker can craft a collision, a signature over the harmless document is equally valid for the harmful one. Finding a SHA-1 collision still takes an enormous amount of computation, but it is becoming increasingly feasible.
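What "two different inputs, same hash" looks like in practice, as an added example that is not from the article or from the research it cites: a generic birthday search against SHA-1 truncated to 32 bits. Full SHA-1 has a 160-bit output, so the same generic search would need about 2^80 evaluations; the cryptanalytic attacks discussed in the article get far below that by exploiting the function's internal structure, which this example does not do. The `msg-` prefix and the 32-bit truncation are arbitrary choices made here.

```python
"""Birthday-style collision search against a truncated SHA-1.

Added example, not from the article or the research it cites. Truncating the
digest to n bits makes a generic birthday search cost about 2**(n/2) hashes,
small enough to run here; full SHA-1 would need about 2**80.
"""
import hashlib
import math


def truncated_sha1(data, bits):
    """Return the first `bits` bits of SHA-1(data) as an integer (bits=160 is the full digest)."""
    digest = hashlib.sha1(data).digest()
    return int.from_bytes(digest, "big") >> (160 - bits)


def find_collision(bits, prefix=b"msg-"):
    """Find two distinct inputs whose truncated SHA-1 digests agree.

    Inputs are prefix + counter, so the search is deterministic. A dict maps
    each digest seen to the input that produced it; the first repeat is a
    collision. Returns (input_a, input_b, digest, hashes_computed).
    """
    seen = {}
    counter = 0
    while True:
        candidate = prefix + str(counter).encode()
        h = truncated_sha1(candidate, bits)
        if h in seen:
            return seen[h], candidate, h, counter + 1
        seen[h] = candidate
        counter += 1


def expected_trials(bits):
    """Approximate hashes a birthday search needs: sqrt(pi/2 * 2**bits)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


if __name__ == "__main__":
    bits = 32
    a, b, h, n = find_collision(bits)
    print("collision on %d-bit SHA-1 after %d hashes (expected about %.0f):"
          % (bits, n, expected_trials(bits)))
    print("  %r -> %08x" % (a, h))
    print("  %r -> %08x" % (b, h))
    print("full 160-bit digests still differ:",
          truncated_sha1(a, 160) != truncated_sha1(b, 160))
```

Doubling the truncation to 64 bits multiplies the work by roughly 65,000, which is the whole point of a long digest; what the researchers quoted below achieved is a way of not paying that price for the full function.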

In their report on this matter, Motherboard reported that “in 2012, Jesse Walker, an employee at Intel, estimated that an SHA-1 collision attack could be financed with around US$2.77 million at the time. But Walker's estimates went on to say that the attack would fall dramatically in price, and would cost around US$700,000 worth of Amazon servers in 2015, and US$43,000 by 2021, per hash.”

That 2015 figure of US$700,000 is certainly a lot, but it is not out of reach for the largest organized online criminal gangs, which can make millions a year from their enterprises.

However, the cost may already be lower, according to researchers at Centrum Wiskunde & Informatica in the Netherlands, Inria in France, and Nanyang Technological University in Singapore. A paper they published in October suggested that the cost could be much lower than Walker's projection and that breaking SHA-1 is already feasible.

Marc Stevens, one of the cryptographers who worked on the research paper said in an accompanying press release, “we just successfully broke the full inner layer of SHA-1. We now think that the state-of-the-art attack on full SHA-1 as described in 2013 may cost around $100,000 renting graphics cards in the cloud.”

The outcome of such a development could be attackers forging certificates: obtaining a legitimately signed certificate for a harmless name, using a collision to transfer that signature to a certificate for a bank's domain, and then setting up fraudulent banking sites that look identical to the real thing and fool users into handing over their details.

Which is why the likes of Google, Microsoft and Mozilla are already acting, and others are expected to follow their lead. Certificate authorities may also bring forward the date at which they stop issuing SHA-1 based certificates.

Websites still using SHA-1 are being urged to obtain certificates signed with SHA-256 or another member of the SHA-2 family, to ensure both that their security is not compromised and that browsers such as Chrome do not stop trusting them.

For now, users should be alert to the potential risk and keep an eye out for updates. The situation shows that even the most trusted security measures only hold for so long, and it reinforces the importance of users taking their own steps to protect their security and privacy, such as using a VPN, rather than relying entirely on the websites they use. One caveat: a VPN does nothing to verify a site's certificate, so a forged certificate would fool a browser just as well through a VPN tunnel. That check remains the browser's job, which is why the browser deadlines above matter.

Russian VPN unearths potential VPN flaw

Another potential VPN vulnerability has been unearthed by the Russian VPN provider ProstoVPN (their write-up is in Russian). It can affect VPN users with a direct connection to the internet and those behind routers with UPnP port forwarding enabled.

The problem this time is a rather simple routing issue. A BitTorrent client listening on the user's real, ISP-assigned address will answer packets sent to that address, and if the user is running a VPN the reply leaves through the VPN interface, because that is where the default route points. As a result, whoever sent the probe can link the user's ISP address with their VPN address.

Putting those two pieces of data together could, in theory, strip the user's anonymity and let the observer attribute all other activity conducted through the same VPN exit to them.

It is a simple problem, but not one that can be addressed particularly easily, especially if your VPN uses the highly popular OpenVPN protocol. If you fall into that category, the fix will unfortunately require action from the user rather than the VPN provider: typically binding the BitTorrent client to the VPN interface and firewalling unsolicited inbound traffic on the real one.

ProstoVPN says they have tested the vulnerability and have informed 11 separate, and as yet unnamed, VPN providers about the issue. They claim to have only received a response from five of those contacted and of those, only Private Internet Access and Perfect Privacy (who themselves revealed a potential VPN vulnerability only a couple of weeks ago, as reported here) have responded by releasing updates to their software which fixes the problem.

They also reported that one unnamed provider essentially washed its hands of the problem, claiming it was solely an issue for the user to deal with. ProstoVPN accepts that this is true up to a point, but notes that the same provider "does protect its users against similar problems on the user-side, such as DNS, IPv6 and WebRTC leaks."

Other VPNs that have since commented include CyberGhost, which states that its Windows and Mac apps are not affected because it put a fix in place more than two years ago. TorGuard also says it has patched the issue after being made aware of it.

So, given that a sizable number of VPN users have such a service precisely to protect them while using BitTorrent, should there be much hair-pulling and screaming? Quite simply, no, for a number of reasons.

The primary reason is that the attack is hard to carry out at scale: the attacker would have to send probe packets to the entire internet, which is within reach of modern internet-wide scanning tools but is a lot of noisy effort for an uncertain return.

Even if they managed that, the chances of hitting a VPN user of interest are still relatively low. Nevertheless, it is important that all VPN users, especially those who use the service alongside BitTorrent programs, are aware of the potential risk and have the opportunity either to take action themselves or to pester their VPN provider to do something about it.

If you are comfortable with jargon and want to learn more about the problem and how to mitigate it, the blog post by a member of the ProstoVPN team explains the issue in detail and provides solutions for individuals and VPN providers.

For the less technical, remember that most VPNs let you route your traffic through a variety of different servers. The easy option is to find one that is fast and reliable and stick with it, but there is something to be said for switching from time to time, just to be on the safe side.

Most VPNs, especially the ones reviewed here at Fried.com, offer the privacy and security that most users want from a VPN provider. But plenty of powerful agencies are keen to break through a VPN's defences, and some less well managed VPNs (such as the anonymous one quoted by ProstoVPN) might prove vulnerable.

Whatever your motives, it can’t hurt to be careful, and as well as subscribing to a top VPN provider, taking a few steps to help yourself can only work to your advantage.

State sponsored hacks on the rise

A report from the Associated Press (AP) reveals that a group of hackers has launched a series of advanced attacks against the US power grid.

The attacks, staged over a period thought to be as long as a decade, appear to have given them a level of access that could theoretically allow them to control parts of the network remotely.

The hackers are thought to have compromised Calpine, the USA's largest generator of electricity from natural gas and geothermal resources, based in Houston, Texas, back in 2013. Their approach was relatively straightforward: they first targeted contractors working for Calpine and obtained from them the usernames and passwords needed to get into the Calpine network.

The level of access they achieved would have allowed them to shut down power plants had they been so inclined, but instead they stole detailed plans of the company's power stations and networks.

Although these plans were out of date, the fact that they were taken suggests the attackers were building a body of knowledge about how to attack different sites. Speculation has grown that the purpose was a future mass assault on power networks across the country.

They also stole details which explained how Calpine transmitted data to and around its internal virtual cloud system.

At the same time as the AP report, the Wall Street Journal ran the story of how a group of hackers accessed the control system of a small dam less than 20 miles from New York City. Again, the level of access achieved would theoretically have allowed them to open the floodgates, with potentially catastrophic results.

In both incidents, the finger of suspicion has been pointed with some confidence at Iran. In the Calpine case especially, the attack was traced to an Iranian IP address, and some of the code used was found to contain Persian comments and references. Neither indicator is conclusive on its own, since both can be planted, but together they are suggestive.

Both reports are at pains to stress that there is no clear evidence tying the attacks to the Iranian government, although Iran does have a track record of cyberattacks against other nations' infrastructure.

Nevertheless, state-sponsored attacks appear to be on the rise, and many of the largest online services have introduced a new form of warning for users whose accounts they believe have been targeted by a state-sponsored attacker.

We reported yesterday on the Chinese government's efforts to hack the Gmail accounts of various Taiwanese political officials and others, including a former US diplomat who received just such a warning from Google.

Google introduced its warnings in 2012, two years after it pulled its search engine out of mainland China following an attack on its own systems. Facebook has since followed suit, and Twitter warned a group of users just this week.

Yahoo is the latest to add such a warning for its users. In a blog post, Yahoo's new Chief Information Security Officer, Bob Lord, said "we'll provide these specific notifications so that our users can take appropriate measures to protect their accounts and devices in light of these sophisticated attacks."

It has a specialist team, known as the Paranoids, to monitor activity, send the notifications and, where needed, give specific advice on how affected users can protect themselves.

"In order to prevent the actors from learning our detection methods, we do not share any details publicly about these attacks," Lord wrote. "However, rest assured we only send these notifications of suspected attacks by state-sponsored actors when we have a high degree of confidence."

Such warnings are unlikely to deter state agencies, but they do give users a chance to defend themselves against attacks they might otherwise be completely unaware of.

Regular readers will be aware of the enthusiasm with which state agencies, the disreputable ones as well as some closer to home, go after our online data, and of how hard it can be to maintain privacy and security in the face of that threat.

Routing all your online traffic through a VPN is one of the safest and most reliable ways of protecting yourself. It encrypts everything between you and the VPN server, so your ISP and anyone on the local network see only an opaque tunnel, and it hides your real address from the sites you visit. It will not, however, keep a phishing email of the kind described above out of your inbox; that attack targets the account rather than the connection, so unique passwords and two-step verification still matter.

With more and more cases coming to light, and the likes of Google, Facebook, Yahoo, and Twitter, taking steps to combat the threat, it seems a no-brainer for the individual internet user to do the same.

Hello Kitty breach exposes data of 3.3 million customers, including kids

The 'Hello Kitty' phenomenon has proved as divisive as Marmite over the past twenty years and more. Millions of people love it, while for millions more it symbolizes something they detest. Whatever your view, the company behind it now has a more serious problem: a large amount of customer data from its websites has been found sitting exposed online.

The revelation comes from security researcher Chris Vickery, who discovered a database of users of the Hello Kitty online community site, sanriotown.com. More than 3 million users are thought to have had their personal information exposed, including those who signed up through hellokitty.com, hellokitty.com.sg, hellokitty.com.my, hellokitty.in.th, and mymelody.com.

Vickery was interviewed by the Salted Hash website about his findings and revealed that the data included names, genders and email addresses. Birth dates were present in an encoded form that was easily reversed, passwords were stored as SHA-1 hashes, and password hint questions and answers were also present.

Given the demographic, it seems likely that at least some of the people whose information was exposed are children. This is the latest in a worrying trend of children's data being compromised, with the recent VTech hack, which we reported earlier this month, the best-known example to date.

The risks of such data being exposed were summarized neatly in the Salted Hash article: "If someone managed to compromise a child's identity, the fraud might not be detected for years because most parents don't monitor their child's credit record."

Mark James, security specialist at ESET, highlighted how productive attacks on children's data can be for criminals. "As adults we get inundated with emails to click here or sign up here and most thankfully end up in the recycle bin. But children are a lot more susceptible to that email that reads 'Click here—for that new in-game item' or new website that promises to give them something they don't already have but need to own," he said.

Vickery believes the exposure resulted from an improperly configured MongoDB database, typically one reachable from the internet with no authentication required. This is a common misconfiguration that has affected a number of other sites in recent months, most notably MacKeeper, which had some 13 million records exposed. It should be noted that there is no evidence so far that any of the Hello Kitty data was actually taken by anyone other than the researcher.
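The two settings behind most exposures of this kind, and a check for them, as an added example that is not part of the article and not MongoDB's own tooling. The weak and hardened `mongod.conf` texts are constructed, the parser handles only the two-level `section:` / `key: value` layout of that file rather than YAML in general, and treating an unset `bindIp` as a finding is a choice made here because older releases listened on every interface unless told otherwise.

```python
"""Audit a mongod.conf for the two settings behind most "open MongoDB" exposures.

Added example, not part of the article or of MongoDB's own tooling. Both
configuration texts are constructed. The parser understands only the
'section:' / '  key: value' layout used by mongod.conf, not general YAML.
"""

# Constructed: listens on every interface, no access control at all.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed: loopback only, and every client must authenticate.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_conf(text):
    """Parse 'section:' headers and indented 'key: value' lines into nested dicts."""
    conf = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and trailing space
        if not line.strip():
            continue
        if not line.startswith(" "):              # top-level section header
            section = line.strip().rstrip(":")
            conf.setdefault(section, {})
        elif section is not None:
            key, _, value = line.strip().partition(":")
            conf[section][key.strip()] = value.strip()
    return conf


def audit(text):
    """Return a list of findings; an empty list means both checks passed."""
    conf = parse_conf(text)
    findings = []

    bind = conf.get("net", {}).get("bindIp")
    if bind is None:
        # Assumption made here: an unset bindIp is treated as listening everywhere.
        findings.append("net.bindIp not set; assume the daemon may listen on all interfaces")
    else:
        addrs = [a.strip() for a in bind.split(",")]
        exposed = [a for a in addrs
                   if a in ("0.0.0.0", "::")
                   or not a.startswith(("127.", "::1", "localhost"))]
        if exposed:
            findings.append("net.bindIp exposes the daemon beyond loopback: %s"
                            % ", ".join(exposed))

    if conf.get("security", {}).get("authorization", "").lower() != "enabled":
        findings.append("security.authorization is not 'enabled'; "
                        "anyone who can reach the port can read every collection")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(text) or ["ok"])
```

Binding to a non-loopback address is reported even when it is a private LAN address, because the audit's question is "can anything other than this host reach the daemon", and the answer to that has to be a deliberate yes backed by authentication, not an accident.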

Despite this, Sanrio, the company behind Hello Kitty, was not exactly quick out of the blocks. Its initial response was little more than a holding statement: "The alleged security breach of the SanrioTown site is currently under investigation. Information will be made available once confirmed."

Vickery later confirmed to the Reuters news agency that Sanrio had fixed the problems he flagged, but noted that by his estimate the database had been accessible for more than a month. "It would have been extremely easy for a bad guy to take the data," he said. "Extremely easy. Almost as easy as downloading a web page."

As media coverage broadened, Sanrio was finally forced into a full response. It stressed that no credit card or payment data had been visible and that passwords "were securely encrypted", a claim Vickery, who found SHA-1 hashes rather than encrypted data, might well take issue with.

It also acknowledged that, although minors were not supposed to be able to sign up, age was checked on an honour system, so it is quite likely that details of some minors were included.

Interestingly, Sanrio suffered another breach earlier in the year when its shareholder database was accessed through a security hole in a management system run by a shareholder services company. The two incidents are not thought to be connected, but together they do not paint the company in a good light, whatever your view of Hello Kitty.

Speaking about the breach to Infosecurity Magazine, Brian Spector, CEO of the security company MIRACL, said "Businesses should strive to use authentication technologies that eliminate the risk of username/password database breaches." He advised all Sanrio customers to change their account passwords as soon as possible, and also to change the passwords on any other accounts that use the same or similar combinations.

This is sage counsel. There is also a lot to be said for protecting your information more proactively, for instance by using a VPN to keep your browsing private. But once you upload your information to a company's site you are trusting them to protect it, and if they fail in that duty of care you currently have little means of redress.

Apple submission highlights concerns about UK Snoopers' Charter

Since its publication last month there has been much discussion in the IT industry about the impact the UK Government's Investigatory Powers Bill (the British counterpart to the US CISA, nicknamed the Snoopers' Charter by its critics) will have if it passes into law in its current form.

Much of the commentary has been negative, and the formal submissions to the Bill Committee, which will scrutinize the Bill line by line, appear to be no more positive.

It is thought that most of the globally recognized IT companies operating in the UK will look to make a submission, and many, including Microsoft, Facebook, Google, Yahoo and Twitter have already shared their views with the Committee in writing.

To date their submissions have not been made public (they will be in due course), but a spokesperson for Microsoft has said "the legislation must avoid conflicts with the laws of other nations and contribute to a system where like-minded governments work together, not in competition, to keep people more secure."

This Monday was the final day for submissions, and one hugely significant company, Apple, has made its submission publicly available. In it Apple focuses on three themes it believes are critical to its business.

The first is encryption, which, as we noted last week, is a debate that refuses to go away. Apple's iMessage is one of several of its services that use end-to-end encryption, meaning that even the company itself cannot read the contents of messages.

In its submission Apple expresses concern at the wording of the Bill, which it fears could force companies to put a so-called backdoor into their encrypted communications. Apple and others have long argued that such a backdoor would create a vulnerability that could be exploited by hackers and others with nefarious purposes, compromising the security and privacy of all users.

As Apple wrote, "A key left under the doormat would not just be there for the good guys. The bad guys would find it too." It went on to express a willingness to hand over metadata when required, but not content, a stance it has taken consistently with governments around the world.

The second area of concern is what is usually called 'extra-territoriality': the requirement that companies comply with warrants issued in Britain regardless of where the company is based or where the data is held.

Apple's reason for opposing this is a common one among Silicon Valley companies. If it accepts obligations under UK law as well as the US law it is headquartered under, it opens the door for more intrusive regimes such as Russia and China to demand the same. Apple also notes that applying one country's law to data held in another might breach that country's data protection laws.

Thirdly, Apple has reservations about the part of the Bill dealing with equipment interference: the means by which police and intelligence agencies hack the communications equipment of individuals, either by tampering with the device or by breaking into it remotely.

This has been prominent in the UK for some time and is a way around the encryption debate, albeit a costly and time-consuming one.

Apple's concern is that the Bill's wording could be interpreted as requiring it to hack into its own customers' devices.

It states in its submission, "the bill as it stands seems to threaten to extend responsibility for hacking from government to the private sector."

It is common for companies to keep written submissions to such a committee short, and at eight pages covering three themes, this cannot be taken as a response to every aspect of the Bill that troubles Apple, only to its biggest concerns. An Apple executive will most likely be invited to give oral evidence as well, which will provide an opportunity to go into more detail.

But these three points summarize the broader concern many tech companies have expressed: that the Investigatory Powers Bill in its current form is likely to affect their ability to deliver a secure and private service to their customers.

The likes of Apple and Microsoft are unlikely to say so, but for users the answer to many of these concerns is to run their online traffic through a VPN service, which keeps their activity out of sight of their ISP and which, as we have reported previously, is not mentioned anywhere in the Bill.

Chinese hackers target Taiwan ahead of January Elections

China's relationship with Taiwan is a complex one, but suffice it to say that its one-party Communist regime is not overly enthusiastic about Taiwan's democratic elections, due to take place on January 16th. Little surprise, then, that ahead of polling day Chinese hackers have been running some fairly rudimentary phishing campaigns to try to glean information about them.

Targets of the phishing campaign have included local news outlets and the opposition Democratic Progressive Party (DPP). The DPP is more hostile to closer ties with China, which claims Taiwan as a renegade province, and more inclined towards independence. Its presidential candidate, Tsai Ing-wen, is also the odds-on favourite to win the election and become Taiwan's first female president.

The attacks were uncovered by the security company FireEye, which has identified the suspected perpetrators as well as the fairly crude techniques used.

An email was sent to local news agencies with the subject line 'DPP's Contact Information Update'. The attackers also compromised the email accounts of DPP staff and officials, changed their security settings, and sent emails impersonating the people whose accounts they had taken over. Far from being a poor attempt at humour, this appears to have been an effort to spread their malware further and more effectively, since a message from a trusted colleague is far more likely to be opened.

Ketty Chen, deputy director of international affairs at the DPP, is one of around 50 party officials whose email accounts have been compromised. She said she first noticed the attack when she received an email from a colleague that did not sound like her.

“There were fake e-mails that looked like they came from her,” she said. “When I read it, the style was not how she would talk so I called to ask if she really sent it, and she hadn’t.”

Every fake email identified tried to get the recipient to open an attached document: a classic way to deliver malware that then exfiltrates information from the machine back to the attacker.

Chen added that some party officials, including herself, had moved to Gmail, but even that was compromised. Two-step verification was switched off once her mobile phone number was deleted from the account, and she found that a forwarding address had been added, sending copies of all her email to another, unknown Gmail account. Those two changes, a disabled second factor and a silent forwarding rule, are worth checking for in any account you suspect has been accessed.

As well as party officials and local media outlets, the hackers are thought to have targeted a number of prominent individuals. William Stanton, a former US diplomat and former director of the American Institute in Taiwan, says he has received multiple warnings from Google that his Gmail account has been targeted by state-sponsored attackers.


Stanton said the warning read “If you were directed to this page from a warning displayed above your Gmail inbox, we believe that state-sponsored attackers may be attempting to compromise your account or computer. It’s likely that you received emails containing malicious attachments, links to malicious software downloads, or links to fake websites that are designed to steal your passwords or other personal information.”

No specific country was named in the warning, but given Stanton’s history, there is only one country that would seem to have a motive.

FireEye researchers have identified the culprits as a group called APT16, which they say is a collective of hackers supported by the Chinese government. China's Ministry of Foreign Affairs has, predictably, not responded to requests for comment.

The discovery of the attacks shows how keen China is to understand the DPP's plans, and to take whatever steps it can to keep the independence-minded opposition from taking power in January.

However, polls in Taiwan suggest that is highly unlikely, with Tsai polling around 50% of the projected vote and the ruling KMT's candidate, Eric Chu, struggling to reach 20%.

There is little doubt that Chinese efforts to hack Taiwanese organizations will continue for the foreseeable future, and Taiwanese internet users should be aware of the risk of Chinese government employees watching their online activity and of Chinese hackers trying to infiltrate their systems to steal information or damage their businesses.

It is therefore highly advisable for all internet users, particularly those in positions of power and authority, to take sensible online precautions.

Running their internet traffic through a VPN would be a logical first step. A VPN acts to anonymize your online activity and makes it appear to outsiders that it is coming from another location. Such a step is likely to throw many Chinese hackers off the scent, allowing Taiwanese users to operate safely, anonymously, and freely online, as befits the citizens of a free and democratic country.

Juniper Vulnerability puts VPN users at risk

Any users of Juniper's ScreenOS, the software which powers its firewalls, alongside a VPN are in for a nasty surprise after revelations that have resulted from an internal code review.

The review unearthed ‘unauthorized code’ in the firewall operating system which, according to Juniper chief information officer Bob Worrall, “could allow a knowledgeable attacker to gain administrative access to NetScreen devices and to decrypt VPN connections.”


The code review discovered two significant vulnerabilities within the make-up of the ScreenOS software. The first would enable an attacker to decrypt VPN traffic and identify users' true identities whilst leaving no trace of their own identity.

The second would allow the hacker to completely compromise a device using an unauthorized remote access vulnerability over either Telnet or SSH.

When it identified the presence of the unauthorized code, Juniper said that the problem affected all NetScreen devices running ScreenOS versions 6.2.0r15 to 6.2.0r18, and versions 6.3.0r12 to 6.3.0r20. It has now revised that assessment to include just ScreenOS versions 6.3.0r17 to 6.3.0r20.

In a forum post on their website, Bob Worrall said “At this time, we have not received any reports of these vulnerabilities being exploited; however, we strongly recommend that customers update their systems and apply the patched releases with the highest priority.”

However in a later article they stated that in fact “There is no way to detect that this vulnerability was exploited.”

This has been confirmed by Rapid7, a security research organization, which estimated from its research that up to 26,000 internet-facing devices with SSH open could be affected by the latter problem.
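A defender's first job here is inventory triage: which firewalls run a version in the ranges Juniper named, and which of those also expose SSH or Telnet to the internet, where the remote-access flaw is reachable. The following is an added example, not Juniper's or Rapid7's code; the host names and inventory records are constructed, and the version-string format `6.3.0r17` is assumed from the versions quoted above.

```python
"""Triage a ScreenOS firewall inventory against the affected-version
ranges quoted in the article.  Added example; hosts are constructed."""
import re
from typing import List, Tuple

# Ranges as stated in the article: Juniper's first assessment listed both,
# the revised assessment narrowed it to 6.3.0r17 through 6.3.0r20.
INITIAL_RANGES = [("6.2.0r15", "6.2.0r18"), ("6.3.0r12", "6.3.0r20")]
REVISED_RANGES = [("6.3.0r17", "6.3.0r20")]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)r(\d+)$")


def parse_screenos(version: str) -> Tuple[int, int, int, int]:
    """Turn '6.3.0r17' into (6, 3, 0, 17) so versions compare numerically
    rather than as strings (where '6.3.0r9' would sort after '6.3.0r18')."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised ScreenOS version string: {version!r}")
    major, minor, patch, release = (int(x) for x in m.groups())
    return (major, minor, patch, release)


def in_ranges(version: str, ranges) -> bool:
    """True if version falls inside any inclusive (low, high) range."""
    v = parse_screenos(version)
    return any(parse_screenos(lo) <= v <= parse_screenos(hi) for lo, hi in ranges)


def triage(inventory, ranges=REVISED_RANGES) -> List[Tuple[str, str]]:
    """Return (host, priority) for each affected device.  A device whose
    SSH/Telnet management is internet-facing is 'critical' because the
    remote-access flaw is reachable; the rest are 'high' because VPN
    traffic through them can still be decrypted."""
    findings = []
    for host, version, mgmt_exposed in inventory:
        if in_ranges(version, ranges):
            findings.append((host, "critical" if mgmt_exposed else "high"))
    return findings


# Constructed sample: (hostname, ScreenOS version, SSH/Telnet reachable from internet)
SAMPLE_INVENTORY = [
    ("fw-branch-01", "6.3.0r18", True),
    ("fw-branch-02", "6.3.0r21", False),
    ("fw-dc-edge", "6.2.0r16", True),
    ("fw-lab", "6.3.0r17", False),
]

if __name__ == "__main__":
    for host, prio in triage(SAMPLE_INVENTORY):
        print(f"{host}: {prio}")
```

Running the same inventory against `INITIAL_RANGES` also flags `fw-dc-edge`, which illustrates why the revised assessment matters for prioritisation but is no reason to skip patching the wider set.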

As a result of the scale of the problem being faced by Juniper, the FBI is now investigating the issue, whilst the US Government, which does use Juniper software, is also liaising with the company over the problem.

There is no clear indication yet as to who the villain of this story is, but UK tech website The Register claims to have been contacted by a member of Juniper staff who has some pretty strong suspicions.

The staff member told them “Maybe you should be looking where Juniper's sustaining engineering is done for the ScreenOS products.” The answer to that question is China.

In fact, ScreenOS is rooted in the company NetScreen, which was bought by Juniper back in 2004 for just over US$3.4 billion. NetScreen was founded by Chinese nationals, and whilst it was based in California, it was as a result of the purchase that Juniper decided to open a research and development center in Beijing. In a statement on that new center, Juniper said it was intended to “leverage the Chinese roots of NetScreen Technologies.”

Obviously The Register is at pains to stress that it is not for one moment suggesting that the code was planted by Juniper employees working in the Beijing offices. But Chinese authorities do have a vested interest in trying to see through VPN connections, as we have reported before. The Register did put the question to Juniper, who replied by saying “we have nothing further to add at this time.”

Whatever the source of the rogue code, it is an understandably worrying time for users of their ScreenOS products. If you are one of them and are worried about whether you have been affected, it is advisable to contact Juniper directly to be kept up to date with the latest developments.

You should also immediately download an updated and patched version of your software to ensure that the vulnerability is closed on your system as quickly as possible. These can be found on the download page of the Juniper website.

Such vulnerabilities which potentially compromise the privacy and security of VPN users are few and far between. It is an extremely difficult trick to pull off and will usually require an ‘insider job’ to be effective. It is therefore not an issue that should linger in the minds of VPN users too much.

VPNs remain one of the most effective means of securing your privacy online. They ensure that all of your online traffic is routed anonymously through an external server and no one is able to trace it back to you. A VPN also adds an extra layer of security to your internet activity, making it that much harder for even the most experienced hackers to target you directly.

Juniper will obviously have many questions to answer in this case, not least from the FBI, but the fault lies squarely with them and their software, and the perpetrators, wherever they may be from.

Christmas Malware stealing sensitive information unearthed

Most people have read ‘How the Grinch stole Christmas’ at one time or another, either as a child themselves, or to their own child. And it seems this year that the festive classic has been required reading for some cyber-criminals.

Security researchers have uncovered an Asia-based APT group which has been using apps based on Christmas topics, including Santa Claus himself, to deliver information-stealing malware onto the devices of unwitting festive downloaders.

The discovery was made by Cloudsek and revealed by their CTO, Rahul Sasi, in a blog post explaining that the malware is designed to target the Christmas market and deliver an information stealer whose ultimate aim is to generate economic profit for the distributors. However, he also speculates that the malware is capable of gathering intelligence which could prove useful for governments as well.

Cloudsek came across the group selling desktop malware on underground forums. Sasi explains that the malware was designed to jump air-gapped systems and was capable of collecting classified documents from organizations such as Government departments and software companies.

It is capable of collecting two types of information, files and screenshots, but also includes a USB module which can copy data from an infected machine without internet access onto a USB drive and retain it there until the drive reaches an infected machine with internet access. At that point it will upload the information to the controllers, which are apparently located in Germany.

If this doesn’t sound advanced enough, the researchers also identified unused folders in the program for things like keylogs and voice recordings, which suggests that the malware is still in development and may have more functionality added to it at a later date.

As well as selling the malware online to companies or organizations who want to monitor their employees' activity, the group has also been recruiting app developers, and the Christmas season appears to have been the time when they have been pushing in this area, releasing the malware in a host of different themed apps.

The app-based malware is a slight variant on their core product, but still links back to the same controllers in Germany. If it makes it onto your phone, this malware is capable of stealing contacts, call records, SMS message content, location information, calendar content, browser histories, and photos. In other words, almost any data that might be of use on your smartphone.

The apps seem to be mostly focused on the Android market, which is known to be less secure than its rival platform. Despite the fact that users have to grant permissions before the apps are able to start collecting information, Cloudsek reports at least 8,00 confirmed infections so far.

The app they have highlighted in their report is called ‘Play with Santa’, a free app which claims to have been developed by a company called ‘Guddyapps’. Needless to say this is one to avoid if you are looking for a festive download for your kids this year.

But it doesn’t stop there as Cloudsek believes that the group have pushed the malware onto a number of other apps beyond this one. In his conclusion, Sasi’s advice is strong and clear.

“This Christmas make sure you think about security before installing an app. Verify the permissions you are granting an application before accepting them. Ensure that an application has enough legitimate reviews. And last but not the least, do not let someone else install any application on your devices.”

Sound advice and certainly words that we would endorse here at Fried.com. But there is one more step you can take to add an extra layer of security to your smartphone.

Whilst many people have now become aware of running their computer’s internet connection through a VPN, many still overlook the benefits of doing so on their smartphone as well. However, a mobile VPN offers all the usual advantages of using a VPN, with some added benefits as well.

It will still enhance your online privacy by allowing you to act anonymously online, whilst avoiding the prying eyes of surveillance teams and cyber-criminals who might be keen to watch your online activity. It will also allow you to use geo-restricted content, avoid government censorship, and add an extra level of security to your device.

At the same time, a mobile VPN allows users to keep application sessions open throughout the day, avoiding the hassle and lost service of logging on and off different Wi-Fi networks.

There is no doubt that user awareness and common-sense precautions will help most users to avoid downloading malicious apps such as those identified by Cloudsek.

But going that extra yard to enhance your mobile online security will offer both peace of mind and the additional security you crave.

Encryption Debate rumbles on

As regular readers will know, the issue of accessing encrypted communications has been a hot topic for politicians, security officials, and techies in recent weeks.

Just a couple of weeks ago, President Obama spoke about the need for US security agencies to be able to access encrypted communications, while last week the FBI started sounding off on the issue yet again, and the issue also reared its head amongst the highly ill-informed Republican Party Presidential candidates during their debate.

It’s an issue that looks about as likely to go away as it does to be resolved any time soon, and so it seems again with Blackberry CEO John Chen the latest tech heavyweight to share his views.


Writing in a blog on his company website, Chen takes the opportunity to have a swipe at rivals Apple whilst insisting that it is still possible to find a balance between customer privacy and national security.

Blackberry is in a strong position to voice its views on this issue. Whilst its position as leading smartphone manufacturer might be a dim and distant memory, it has retained its reputation for offering the most secure mobile services of any manufacturer. It is for this reason that Blackberry remains the manufacturer of choice for the majority of government departments and agencies in the US, and beyond, as well as other major organizations such as banks.

Writing about the refusal of Apple to reveal customer details to law enforcement officials, Chen said "One of the world's most powerful tech companies recently refused a lawful access request in an investigation of a known drug dealer because doing so would 'substantially tarnish the brand' of the company. We are indeed in a dark place when companies put their reputations above the greater good."

Chen believes that no company should reject a reasonable and lawfully made request for customer data. He highlights Blackberry’s record of rejecting efforts by Governments to read their customers' encrypted conversations, saying “we have never allowed government access to our servers and never will”.

To illustrate this, he highlighted Blackberry's decision, which we reported last month, to withdraw from the Pakistan market altogether over unreasonable demands from the Pakistani Government.

He goes on to dismiss calls by some, including the head of the FBI, James Comey, to ban or limit the use of encrypted communications. He writes that he "rejects any notion of banning or disabling encryption" and insists that "we need more, not fewer, security controls for our sensitive information."

But he is still of the view that “Just as individual citizens bear responsibility to help thwart crime when they can safely do so, so do corporations have a responsibility to do what they can, within legal and ethical boundaries, to help law enforcement in its mission to protect us.”

So what is the solution that John Chen proposes to this ongoing dilemma? He highlights the example of messaging service Telegram, which offers private point-to-point messaging and public group messaging (called channels). Telegram is apparently zealous in closing down any public channels which espouse illegal activity, but still retains the privacy customers demand through their point-to-point messages.

He presumably is of the view that if a legal approach is made, Telegram would also be within their rights to hand over point-to-point message details as well, which of course most users would expect to be the case.

His argument rather misses the point that users who are genuinely using encrypted messaging services for nefarious purposes do so because they are encrypted, and will actively seek out the most secure services (such as Blackberry) in order to do so. What security agencies want is to be able to monitor all of these supposedly encrypted channels in order to catch anyone who might be discussing activity they are interested in.


He is right to argue that technology will continue to progress whether Governments and security agencies like it or not, and that it is up to them to work with tech companies rather than rail against them.

There is little to suggest that agencies in the US at least have bought into this premise yet though, as speeches and comments continue to hint at legal action to ban encryption in its current form. How such a law would be enforced is yet to be clearly explained, but whilst the idea is still on the table, many US citizens are taking steps to guarantee their own privacy online.

The simplest and most cost-effective way to secure your online activity and keep it anonymous remains a VPN service – which, to date at least, seems to be a service most security agencies have failed to get their heads around.