BolehVPN: Freedom Through Security

New Server! (SurfingStreaming-USA)

February 25th, 2015

Hey guys,


Just brought up a new server for you. It’s a Surfingstreaming-USA server, and should work well with Hulu! You’ll need to update your configurations to get access.

  • For BolehVPN client users: Go to the Settings tab of the BolehVPN client and hit Update Configurations
  • For custom users: You’ll have to grab your configurations from our website, then update your custom client.
  • For custom router users: 104.250.136.242 is the IP you’re looking for.

Test it out, let us know how it goes!

Lenovo installed malware into your laptop that breaks your web security

February 21st, 2015

Lenovo recently admitted that it was installing software called Superfish on customers’ laptops sold between September 2014 and January 2015, although we understand that ThinkPads were unaffected. Superfish sought to improve the customer’s shopping experience by analyzing the images you see during your browsing sessions and scouring more than 70,000 stores to find similar products that might have lower prices.

You can test if you have Superfish installed by heading to this site made by security researcher Filippo Valsorda.

The problem is that this introduced a serious vulnerability: Superfish uses techniques that work like a man-in-the-middle attack to break Windows’ encrypted web connections for the sake of advertising. To add insult to injury, security researchers who dug further into Superfish found and broke the password that allows someone to completely bypass a computer’s web encryption. The key for Superfish was the same for all users, putting thousands of computers at risk.
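If you would rather check a machine locally than visit the test site, here is a small Python check we wrote for this post (it is not Lenovo’s removal tool or Filippo’s page). It relies on the fact that the Superfish root CA names “Superfish, Inc.” in its subject, and it assumes Python’s Windows-only ssl.enum_certificates() to read the system trust stores; on any other OS it simply reports that there is nothing to scan.

```python
import ssl

# The Superfish root CA names "Superfish, Inc." in its subject and issuer.
# DER stores those name fields as plain ASCII, so a byte search over the
# raw certificate is a usable heuristic without a full X.509 parser.
SUPERFISH_MARKER = b"Superfish, Inc."


def is_superfish_cert(der: bytes) -> bool:
    """Heuristic check on one DER-encoded certificate."""
    return SUPERFISH_MARKER in der


def find_superfish(certs) -> list:
    """Filter an iterable of (der, encoding, trust) tuples, the shape that
    ssl.enum_certificates() yields, down to Superfish-looking X.509 certs."""
    return [der for der, encoding, _trust in certs
            if encoding == "x509_asn" and is_superfish_cert(der)]


def scan_windows_stores(stores=("ROOT", "CA")):
    """Scan the Windows system certificate stores. ssl.enum_certificates()
    exists only on Windows, so return None elsewhere instead of crashing."""
    if not hasattr(ssl, "enum_certificates"):
        return None
    hits = []
    for store in stores:
        hits.extend(find_superfish(ssl.enum_certificates(store)))
    return hits


if __name__ == "__main__":
    result = scan_windows_stores()
    if result is None:
        print("Not running on Windows; nothing to scan.")
    elif result:
        print(f"WARNING: {len(result)} Superfish CA certificate(s) are trusted here.")
    else:
        print("No Superfish CA certificate found in the ROOT or CA stores.")
```

A hit means the rogue CA is still trusted and the removal tool (or a manual delete of that certificate) is needed; browsers that keep their own trust store, such as Firefox, must be checked separately.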

The sort of rubbish this can cause is illustrated in this screenshot:


Lenovo has now released a removal tool for this and we recommend those affected to run it as soon as possible.

Lenovo isn’t alone in using this type of software…

Protecting your Data while in transit and in the cloud

February 21st, 2015

Most IT users are familiar with antivirus and anti-spyware software. What is often overlooked is the security of the data they transmit and store online, trusting the default technologies or the security of the companies that provide these services.

Transmission of Data Online

Comic from http://www.cagle.com/2013/06/license-to-eavesdrop/


Any time we use a public Wi-Fi connection or connect to a local area network (LAN), everyone else using that access point or LAN can spy on our traffic and monitor whatever we send through it. Many websites implement encrypted HTTP (HTTPS) only at the login stage; once authentication has been completed, data such as cookies flow unencrypted over the network. The most famous exploit that arose from this was as recent as 2010, when a Firefox extension called Firesheep allowed users to intercept unencrypted cookies from Facebook and Twitter, letting third parties hijack the session. Site-wide HTTPS was only made mandatory on Facebook in October 2012. Even when HTTPS is properly implemented, bugs such as the recent Heartbleed scare allowed an attacker to read the credentials, password or session ID of their target.
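For site operators reading this, the two things that decide whether a session cookie can be lifted the way Firesheep did are the cookie’s Secure/HttpOnly attributes and whether the site forces HTTPS at all (HSTS). The Python below is an example we added for this post, not any vendor’s code; the two responses are constructed samples, not captured traffic.

```python
# Constructed sample responses (not captured traffic). WEAK is the kind of
# post-login reply Firesheep preyed on; HARDENED is the same reply fixed.
WEAK_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Set-Cookie: session=abc123; Path=/\r\n"
    b"\r\n<html>...</html>"
)
HARDENED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    b"Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    b"\r\n<html>...</html>"
)

def parse_headers(raw: bytes):
    """Split a raw HTTP response into its status line and a list of
    (lower-cased name, value) pairs; the body is ignored."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers

def cookie_findings(set_cookie: str) -> list:
    """Flag a Set-Cookie value whose cookie could be sniffed or read."""
    name = set_cookie.split(";", 1)[0].split("=", 1)[0].strip()
    attrs = {a.strip().split("=", 1)[0].lower() for a in set_cookie.split(";")[1:]}
    findings = []
    if "secure" not in attrs:
        findings.append(f"cookie {name!r} lacks Secure: it is sent over plain HTTP too")
    if "httponly" not in attrs:
        findings.append(f"cookie {name!r} lacks HttpOnly: readable by page scripts")
    return findings

def audit_response(raw: bytes) -> list:
    """Return every finding for one response; an empty list means clean."""
    _status, headers = parse_headers(raw)
    findings = []
    if "strict-transport-security" not in (n for n, _ in headers):
        findings.append("no Strict-Transport-Security header: clients may fall back to HTTP")
    for name, value in headers:
        if name == "set-cookie":
            findings.extend(cookie_findings(value))
    return findings
```

Running audit_response(WEAK_RESPONSE) yields three findings (missing HSTS, missing Secure, missing HttpOnly), while audit_response(HARDENED_RESPONSE) returns an empty list.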

More worryingly, mobile wireless networks aren’t as secure as once thought either: just yesterday it was revealed that the British spy agency GCHQ, together with the NSA, hacked into the internal networks of Gemalto, the largest manufacturer of SIM cards in the world. Gemalto produces 2 billion SIM cards yearly for telco providers such as AT&T, T-Mobile, Verizon, Sprint and some 450 other wireless network providers around the world. The breach allowed the agencies to spy on billions of users around the world as easily as tuning into an FM radio broadcast, without the need for any search warrants.

Many instant messaging services such as WhatsApp, Snapchat and Viber, although encrypted while in transit, have questionable encryption mechanisms, and almost all of these companies hold the private keys needed to unlock that encryption. One particularly bad offender is WhatsApp, which from 2009 to 2012 implemented no encryption for its messages and, even when it did, used painfully rudimentary encryption with your phone’s IMEI as the password.

How do you Protect your Data Transmissions?

For computers, a VPN encrypts all communications in and out of the computer, preventing interception at the ISP layer and offering another layer of security in the event that a site doesn’t implement proper encryption or is affected by a security vulnerability. I2P and Tor are other options, but they probably require more technical knowledge to set up and, at least in Tor’s case, present their own security concerns. They’re also generally much slower than a VPN.

Securing phones is a bit trickier, as they have two different channels, one for voice and one for data, and different tools are required to secure each. For the data channel a VPN works, but for voice and SMS users can protect themselves with freely available apps like TextSecure, RedPhone and Signal that encrypt those communications.

For IM services, head on to EFF’s Secure Messaging Scorecard for a review of popular instant messaging services to compare and pick a messenger with a privacy focus. I personally use Telegram’s secret chat function which combines ease of use with decent security although there are arguably more cryptographically secure IMs out there.

Storage of Files in Cloud Services

Cloud Storage

Dropbox, OneDrive, Box, Google Drive and Apple’s iCloud are now ubiquitous parts of our lives, allowing us to bring our files anywhere we go. We often entrust a lot of our information to such services, with many storing documents, password databases and other sensitive files and relying on the company to figure out the security. They often claim to use high-level encryption and best security practices. However, reality shows that even the largest cloud storage providers can be subject to hacks or hiccups that compromise your files’ security.

In 2011, Dropbox introduced a bug that allowed some users to log into accounts even without the right password. This bug took 4 hours to fix, and in that time affected users had their accounts left in the open. Apple’s iCloud in late 2014 did not have brute-force protection, which allowed hackers to expose private intimate photos of celebrities. Dropbox, Box and Google Drive also had some form of hyperlink vulnerability allowing third parties to potentially see your files. OneDrive for Business was caught silently inserting code into files that you store with it, giving each a uniquely identifiable code and making it potentially possible to match files to a company or a specific user’s account.

These are but a handful of security issues plaguing cloud services and these are only the known issues.

How do you Protect Your Cloud Storage?

For the end user who continues to want to rely on the conveniences of cloud storage, I would recommend creating encrypted containers within your cloud storage. TrueCrypt used to be the leader here and is still widely used despite a mysterious halt in its development, but there are other alternatives available, such as VeraCrypt, which add further security. By keeping your data in an encrypted container saved in your regular cloud storage such as Dropbox, your data remains safe should there be any breach of security at your cloud provider.

Another option for businesses is to consider the use of private dedicated clouds. Compared to public cloud solutions like Dropbox, where access and data are controlled by third parties, private clouds allow complete control over all programs and storage, but that means you have to ensure your in-house team is up to the task of securing your data. For example, SingleHop provides an excellent dedicated private cloud service.

Conclusion

Too often we put too much trust in large corporations that manage, store and transmit our data. With data breaches becoming commonplace, it makes sense to take security into our own hands and to build multiple layers of protection. Thankfully, as seen above, there are plenty of freely available tools that can enhance your data security both in the cloud and while in transit.

BolehVPN’s Warrant Canary

February 20th, 2015

We will be implementing a “warrant canary” system whereby we will post a cryptographically signed message in the first week of every month to confirm that we have not been served any warrants or seizures, searches or requests to log. Legally speaking, we aren’t too sure of its efficacy as there hasn’t been case law on it just yet, but the EFF is of the opinion it would hold.

The warrant canary will be updated regularly here.

Our PGP Public Key is


Kaspersky Lab reveals NSA malware that infects Hard Drive firmware

February 18th, 2015

Kaspersky Lab, a prominent antivirus vendor, has recently revealed that an advanced hacker group, whom they call the “Equation Group”, has been successfully installing malicious firmware on hard drives from more than a dozen vendors (basically everyone). By reprogramming the HDD (hard drive) firmware, it achieves an extremely persistent infection that cannot be wiped by formatting the drive or by reinstalling the operating system. It acts as “an invisible, persistent storage hidden inside the hard drive”. This malware is surreptitiously named “nls_933w.dll”.

Although Kaspersky Lab does not name the NSA, Reuters’ sources confirmed that this firmware was an NSA creation, and this is further evidenced by the malware’s close links to other seemingly politically and defense-motivated malware programs such as Stuxnet and Flame.


On the bright side, the targets of this malware seem to be mainly in the Middle East or Russia and according to Vitaly Kamluk, principal security researcher at Kaspersky Lab’s Global Research and Analysis Team,

“Only a very select list of victims receive this. This is one of the most rare modules I have seen because it is so valuable, so they don’t want to expose it. It’s a precious plugin that’s used only in specific cases with somebody very important.” 

It is also very hard to detect:

“It’s extremely hard to detect. From the software level it’s impossible. You have to disassemble your PC to take out the hard drive and give it to an expert to dump the firmware. And then we think very few people in the world would be capable of analyzing, comparing and revealing the malicious code within that firmware. It’s an extremely rare specialist in this area.” 

So what do we do?


Destroy it!


At the moment, it isn’t clear how we can check if we are infected, and our searches for a removal tool yielded some unconvincing ‘removal tools’ of doubtful integrity. Just hang tight; in general, if you’re not a high-value target, most likely you’re not affected.

Sources: