BolehVPN

Google files creepy patent for toys that can watch and record you.

May 26th, 2015


The Internet of Things (IOT) revolution is here. Most people have a common conception of IOT as fridges telling you when you’re running low on milk, thermostats automatically controlling temperature, washing machines that tell you when the laundry is done and other mundane tasks. Google’s new patent filing shows a creepier side of IOT by integrating it into toys that can record, watch and speak to you. It even has body gestures and facial expressions:

To express interest, an anthropomorphic device may open its eyes, lift its head, and/or focus its gaze on the user or object of its interest. To express curiosity, an anthropomorphic device may tilt its head, furrow its brow, and/or scratch its head with an arm. To express boredom, an anthropomorphic device may defocus its gaze, direct its gaze in a downward fashion, tap its foot, and/or close its eyes. To express surprise, an anthropomorphic device may make a sudden movement, sit or stand up straight, and/or dilate its pupils.


As creepy as this sounds, the privacy implications of IOT are far reaching. A recent paper, Iota of Fear: eDiscovery of the Internet of Things, points out that there was a reason why Google bought Nest, the company that built the smartphone-controlled thermostat:

Google knows a lot about its users from scanning Gmail accounts and now it will know when individuals are statistically likely to leave their house. By connecting multiple communication devices into a single automated ecosystem, one can create not only a very accurate data map about a person’s past and recent activity, but also dispense a sensory device – robotic or otherwise – to cater to the person’s anticipatory needs. But will you have control over your personal data map?

IOT also gives hackers potential control over the real world. For example, Kevin Munro hacked into the internet-connected My Kayla Doll to make it spew curse words. Humorous as it may be, with a slight twist, all our Chucky nightmares can be made real…

Chucky's backkkk...

BolehVPN not vulnerable to Logjam DHE vulnerability

May 22nd, 2015


VPN Implications

A couple of alarming findings have emerged, namely the Logjam DHE flaw. News reports claim that up to 66 percent of VPN servers could be vulnerable to eavesdropping by nation-states if they use a DHE key exchange with a key that is 1024 bits or smaller. This means that, using huge computational power, agencies such as the NSA can decrypt VPN connections that are subject to this vulnerability.

Nevertheless, it is not that easy to do so as certain conditions have to be met:

It takes a lot to mount a practical attack that hinges on Logjam (think: more computing power than the NSA or a major university lab).

1. The attacker must be actively listening to the conversation before it starts — lurking on an airport Wi-Fi near the victim is an example. The attacker must select a victim in advance and actively manipulate the victim’s connection. He cannot vacuum up all the data today and find a victim in it next week.

2. Both the victim and the victim’s online service must use traditional Diffie-Hellman key exchange and “export-grade” ciphers.

3. The attacker must be a man-in-the-middle on the conversation. The attacker must be in between the victim and the victim’s internet connection already or able to insert themselves once the conversation has started.

4. The attacker needs to spend some time and crypto power in advance to precompute values based off of commonly used 512-bit prime numbers. Or, they need access to a list of precomputed values for the primes that the client will choose.

Also:

The main data an attacker would get from a VPN connection is whatever data she could get if there was no crypto. Internal email, internal web page content, phone numbers, email addresses, appointments, names, and so on will all be in the clear.

If the victim is using TLS with an internal system, even though they are connected via the VPN, the attack will probably fail. The attacker would have to detect and tamper with that TLS connection via more man-in-the-middle stuff inside the VPN connection they’re already attacking.

However, notwithstanding the implications of Logjam, BolehVPN is not subject to this vulnerability as we updated our encryption mechanisms last year to use a 2048-bit Diffie-Hellman exchange. We continue to be at the forefront of VPN encryption developments and are constantly evaluating the best mix of security and speed.
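The Logjam risk discussed above comes down to one number: the bit length of the Diffie-Hellman prime a server hands out. The following is an added example (not BolehVPN’s code or the Logjam researchers’ tooling) that reads a standard PEM “DH PARAMETERS” file, decodes the PKCS#3 DER structure by hand, and rates the prime against the 512-bit export-grade and 1024-bit thresholds described in the post. The sample moduli are constructed stand-ins with the right bit lengths (odd numbers, not real safe primes), built by the small encoder included so the script runs offline; point `dh_strength()` at a real file from your own server to get a real verdict.

```python
import base64
import re

# Thresholds from the Logjam discussion above: 512-bit "export-grade" groups
# were broken outright; 1024-bit groups are within reach of a nation-state
# precomputation; 2048 bits is the recommended minimum.
EXPORT_BITS = 512
WEAK_BITS = 1024

_PEM_RE = re.compile(
    r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S
)


def _der_read_length(buf, pos):
    """Decode a DER length field at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    pos += 1
    if first < 0x80:                      # short form: length fits in 7 bits
        return first, pos
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4:
        raise ValueError("unsupported DER length encoding")
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def _der_read_integer(buf, pos):
    """Decode a DER INTEGER at buf[pos]; return (value, next_pos)."""
    if buf[pos] != 0x02:
        raise ValueError("expected DER INTEGER tag 0x02, got 0x%02x" % buf[pos])
    length, pos = _der_read_length(buf, pos + 1)
    value = int.from_bytes(buf[pos:pos + length], "big", signed=True)
    if value <= 0:
        raise ValueError("DH parameter must be a positive integer")
    return value, pos + length


def parse_dh_params(pem):
    """Return (p, g) from a PEM 'DH PARAMETERS' block (PKCS#3 DHParameter)."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    if der[0] != 0x30:
        raise ValueError("expected DER SEQUENCE")
    seq_len, pos = _der_read_length(der, 1)
    end = pos + seq_len
    p, pos = _der_read_integer(der, pos)   # prime modulus
    g, pos = _der_read_integer(der, pos)   # generator
    if pos > end:
        raise ValueError("DER SEQUENCE shorter than its contents")
    # PKCS#3 allows an OPTIONAL privateValueLength after g; it is ignored here.
    return p, g


def dh_strength(pem):
    """Return (bits, verdict) for the prime modulus in a DH PARAMETERS block."""
    p, _g = parse_dh_params(pem)
    bits = p.bit_length()
    if bits <= EXPORT_BITS:
        verdict = "export-grade: broken in the Logjam research"
    elif bits <= WEAK_BITS:
        verdict = "weak: within reach of nation-state precomputation"
    else:
        verdict = "ok: at or above the 2048-bit recommendation"
    return bits, verdict


# --- constructed test fixtures (encoder only exists to build sample PEMs) ---
def _der_length(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der_integer(value):
    body = value.to_bytes(value.bit_length() // 8 + 1, "big")  # keeps sign bit clear
    return b"\x02" + _der_length(len(body)) + body


def make_dh_pem(p, g=2):
    """Wrap (p, g) as a PEM 'DH PARAMETERS' block, like openssl dhparam output."""
    seq = _der_integer(p) + _der_integer(g)
    b64 = base64.b64encode(b"\x30" + _der_length(len(seq)) + seq).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n%s\n-----END DH PARAMETERS-----\n" % "\n".join(lines)


# Constructed moduli with the bit lengths of interest; NOT real safe primes.
SAMPLE_EXPORT_512 = make_dh_pem((1 << 511) | 0x1F)
SAMPLE_LEGACY_1024 = make_dh_pem((1 << 1023) | 0x1F)
SAMPLE_2048 = make_dh_pem((1 << 2047) | 0x1F)

if __name__ == "__main__":
    for name, pem in (("export-512", SAMPLE_EXPORT_512),
                      ("legacy-1024", SAMPLE_LEGACY_1024),
                      ("modern-2048", SAMPLE_2048)):
        bits, verdict = dh_strength(pem)
        print("%-12s %4d bits  %s" % (name, bits, verdict))
```

The bit length reported is the same figure `openssl dhparam -in dh.pem -text -noout` prints for a server’s parameter file, so the check can be run against a VPN or web server’s own DH file before clients ever connect to it.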

Browser Implications

Surprisingly, as at the date of writing, only Internet Explorer 11 is not subject to this bug, as Microsoft patched it a while back. All other browsers are still affected.

You can check whether your browser is vulnerable by running the test at Qualys SSL Labs or weakdh.org.

To temporarily fix this while waiting for an update, follow the instructions here:

Firefox Instructions:
Disable the insecure ciphers as follows:
(1) In a new tab, type or paste about:config in the address bar and press Enter. Click the button promising to be careful.
(2) In the search box above the list, type or paste ssl3 and pause while the list is filtered.
(3) Double-click the security.ssl3.dhe_rsa_aes_128_sha preference to switch it from true to false (this is usually the first item on the list).
(4) Double-click the security.ssl3.dhe_rsa_aes_256_sha preference to switch it from true to false (this is usually the second item on the list).

Chrome Instructions:

Try this plugin. We have however not audited the plugin so it’s at your own risk.

For further details on the Logjam bug, you can read it here. Bruce Schneier also has an excellent article.

Exclusive ProtonMail “NSA-Proof” E-mail Invites for long term users

May 21st, 2015


We are pleased to announce that, after working things out with Protonmail, we are now ready to start giving out exclusive Protonmail invites to our eligible users, offering secure e-mail that is as close to “NSA-proof” as possible. This comes with 1 GB of space! Please read our previous blog entry to find out more about what makes Protonmail so special.

Eligible Users

  • New 180-day and 365-day accounts
  • Existing users with 180 or more unexpired days on their account.

This offer is subject to limited availability and may be discontinued at any time.

Eligible users just need to log in to our user panel and head over to the Bonus section for redemption details. Account details will be sent out within a day. Remember to change your login and mailbox password from the defaults upon first login!

Exclusive Protonmail secure e-mail accounts for BolehVPN users

May 18th, 2015

We are proud to announce that we’ve worked out a great offer with Protonmail. You asked us for a secure e-mail solution, we are happy to oblige!


Protonmail is unlike your regular secure mail provider in that it has the following privacy protections:

  • No IP logs
  • ProtonMail encrypts messages in the user’s browser before they ever reach its servers, meaning that the company never has access to the password and can never read e-mails. Even if Protonmail is asked to do so, it cannot decrypt them, as it does not hold the keys.
  • Hosted in a Swiss datacenter located within a granite mountain

These features will give you peace of mind that your e-mail provider will not hand over your private e-mails under duress and is the closest thing most people will get to having a surveillance proof e-mail service.

Normally, if you click to sign up to Protonmail, you will be presented with a screen informing you that you have to wait and they will send you an invite. This wait can be pretty long! My own request, made on 25 April 2015, has still not yielded an account.


However with the deal we’ve worked out, we are able to offer private invites to Protonmail subject to the following terms:

Eligible Users

  • Existing users with not less than 180 unexpired days in their account
  • New 365-day customers
  • We may consider expanding this invite list further depending on availability and response

Terms and Conditions

  • Invite is to the free version of Protonmail (which you can’t get now even if you wanted to). If and when Protonmail launches its commercial/paid version, you will not be automatically upgraded to it.
  • Subject to availability (though we are confident that we have enough barring unforeseen circumstances)
  • This is purely a free gift and we reserve the right to withdraw this deal at any time or to amend the eligibility requirements.

Further details on getting an account will be announced over the coming days so hang in tight!

The Malaysian Government is probably spying on your internet. Foreign powers almost certainly are.

May 11th, 2015

Before we continue, we would like to reiterate that we are not politically aligned or motivated. The author of this post voted for Barisan Nasional in the last general elections. However, we need to address some scary developments that don’t seem to be getting the attention they deserve.

With all the Snowden revelations, we often think that it’s only the US’s NSA and the UK’s GCHQ that are spying on us. Even recent news that China was spying on Malaysian users, and possibly even classified government networks, went relatively unnoticed.

However, evidence is mounting that government surveillance of Malaysian citizens is a very real possibility. We’ll deal with these telltale signs one by one.

Finfisher: Spying malware that is used by governments

Click to watch Finfisher's promotional video

Finfisher is malware that can pretend to be recognised software (such as Firefox) while it steals passwords, taps Skype phone calls, and turns on your camera and microphone to record video and audio without your knowledge. Finfisher is not created by some renegade hacker group but by a professional surveillance company which markets it to law enforcement agencies. Finfisher is sold exclusively to governments. It has been sold to repressive regimes to control their populations and political dissidents, and both Egypt and Ethiopia have confirmed cases of Finfisher being used by governments.

The common perception is that Malaysia isn’t competent enough to do such things, but if countries like Egypt and Ethiopia can implement it, there’s no reason why our government can’t. There is some strong circumstantial evidence that this may have happened already. In 2013, Citizen Lab identified a Finfisher server being operated in Malaysia. This alone does not confirm that it was run by the Malaysian government. However, they also found an election-related document infected with Finfisher that appears to have been targeted at Malay-speaking users interested in the general elections. Given that Finfisher is sold only to governments, this is strong evidence that some government interested in spying on the Malaysian electorate was involved.

Deep Packet Inspection by our ISPs: Big Brother knows what you’re doing on the internet

Deep packet inspection (DPI) is a technique whereby ISPs can identify the content of what you are posting automatically on a large scale. DPI can be configured to detect keywords, links, digital signatures and how you’re using the internet. Wired Magazine has an excellent article on how DPI works.

DPI was probably first introduced around 2007 by Telekom to combat P2P downloaders: by identifying P2P traffic such as torrents, eMule and the like and deliberately throttling it, Telekom saved itself the cost of expanding its bandwidth capacity. However, there have been reports that DPI was used in the latest General Election to block access to opposition sites and media. Rizvanrp seems to have confirmed this in his investigation, which showed that viewing certain political videos was being MITMed (man-in-the-middled) and disrupted.

Combined with the fact that your ISP knows which customer is using which IP address, it is trivial for them to see what you’re doing on the internet unless you’re using a VPN or TOR to hide your internet activity.

Changes to the law to curtail internet freedom and to monitor/retain data

In 2013, Paul Low, the minister in charge of fighting graft announced that the Malaysian government was considering implementing phone tapping and internet monitoring to combat graft. He mentioned that the government was in the planning stages of coming out with legislation that would allow the government to conduct widespread internet monitoring. It appears that this was already in the works when he mentioned this as seen in the rapid passing of new laws over the past few years to crack down on internet freedom and to monitor/retain data. This period saw a rapid replacement of the old guard of ministers, but has since gone pretty quiet despite serious corruption allegations. Combat on graft or weeding out political opponents?

a) S.114A Evidence Act: Guilty until proven innocent on online publications/postings

S114A was introduced in 2012. The normal rule of law is that you’re innocent until proven guilty. However S.114A introduced a reverse presumption in the following circumstances:

  1. If your name, photograph or pseudonym appears in a publication, which depicts yourself to have some connection with the publication, either you as the owner, editor or etc., you are presumed to have published or re–published the contents of the publication;
  2. If a publication originates from a network service that you have registered and subscribed to, you are presumed to have published or re-published the contents of the publication; or
  3. If a publication originates from a computer which you have custody or control on it, you are presumed to have published or re-published the contents of the publication.

Credits to Loyar Buruk for the above summary.

What this means is that you’re presumed to be a criminal unless you prove that you aren’t. A horrible example is this: if someone registered a fake profile with your name and picture and then posted some illegal material, you are deemed to be responsible for it unless you can prove it wasn’t you. Now how would you prove that?

How is this relevant to the current discussion on government spying? If we examine the motive behind this amendment, it seems to be targeted at online publications and at controlling social media postings. The Inspector-General of Police himself said that he has 126,000 police personnel available to check round the clock on all writing, postings, Twitter and social media. To be fair, this doesn’t appear to be a specialised unit but rather the total police force in Malaysia; however, it gives an idea of our law enforcement’s priorities.

b) Sedition Act Strengthened

The Sedition Act, instead of being repealed as promised, was strengthened with the excuse of protecting domestic harmony. For sedition, there is no requirement to prove an intention to be seditious, merely that the court is satisfied that there is a seditious tendency. Unfortunately, the definition of sedition isn’t very clear, leaving it open to interpretation and abuse. Note that the Sedition Act was actually created by our British colonial masters to combat the rising dissent against the British. Oh, wait… sorry, we were apparently never colonised… merely a protectorate.

Home Minister Datuk Seri Dr Ahmad Zahid Hamidi’s statement on the same is telling: “Last time, there was no Internet and non-verbal communication over social media. Those days, we didn’t have groups of people inciting people (in Sabah and Sarawak) to get out of Malaysia.” Among the many amendments, one is aimed squarely at online publications. It allows the court to issue an order to remove seditious content from publications issued by electronic means, such as online publications. Those who are found to be “propagating” seditious messages can be prohibited from accessing any electronic device. Thankfully, government criticism is still allowed, though the Sedition Act had been used as a weapon to stamp out government opposition even before the amendments were passed.

The vague terminology given to what is ‘propagation’ of seditious speech would mean a Facebook share or a retweet could also be caught as seditious. We are now looking at these changes possibly coming into force in June.

c) Security Offences (Special Measures) Act 2012 – Ability to intercept and log communication at police discretion without your knowledge

Although the Internal Security Act has been repealed, the act that replaced it, the Security Offences (Special Measures) Act 2012, allows a public prosecutor to intercept your postal letters, your instant messaging, your e-mail and what you surf. They can even require communications providers like Maxis, Telekom, Digi etc. to intercept and retain data without your knowledge. Given that everything passes through your internet service provider, they will have quite a comprehensive picture of your online activity. Such activities do not have to be approved by a court but merely by a public prosecutor (which includes deputy public prosecutors who are police officers). All that is required is that the public prosecutor ‘considers it is likely that it may contain any information in relation to a security offence’. This all happens silently without your knowledge.

d) Prevention Against Terrorism Act

Although not targeting online activity, this newly passed bill does raise serious questions, as it allows arrest without trial or judicial review (meaning you can’t challenge it in court). This trust is placed in an ‘Anti-Terrorism Board’ consisting of at least 5 and not more than 8 members who will decide whether you can be detained without trial. Each detention can last up to two years, after which the Board can choose to renew it indefinitely for further two-year periods if it feels it necessary.

Our growing chummy relationship with the USA

Malaysia was originally a target of internet surveillance, with evidence that Australian intelligence, a member of the Five Eyes signals intelligence alliance, has been spying on and bugging Malaysian ministers since the early 1990s. It was also in partnership with British, American and Singaporean intelligence agencies to tap undersea fibre optic telecommunications cables through South East Asia. After U.S. surveillance of Malaysia was exposed, Malaysia’s foreign ministry sent a written protest to the U.S. ambassador to Malaysia. Malaysian Prime Minister Najib Razak said that the surveillance infringed upon national sovereignty and that the Malaysian government firmly opposed all forms of U.S. monitoring activities in Malaysia.

Yet as pictures of our prime minister playing golf with Obama are shared, we can’t help but notice how chummy we have become with the US. A joint statement issued by the White House confirms this including in areas of defense and security.

A few months later it was reported that Malaysia had offered to host US spy planes, according to a statement by Admiral John Greenert (US Chief of Naval Operations). This was later denied by our defence minister, who said Malaysia had only agreed to joint military training.

Most worryingly, Malaysia is a big supporter of the US-led secretive Trans Pacific Partnership agreement, and it could require ISPs to ‘police’ user activity which would mean data logging. Although this data is collected seemingly for the purpose of preventing copyright infringements, such data can easily be used to monitor citizens.

Although there is a great deal of speculation here, the growing cooperation in areas of defence and security could mean that our governments are already cooperating on internet surveillance. This is not from the realm of fiction, as it has been done before with other countries. Germany was in close cooperation with the US’s NSA and only recently stopped sharing its electronic surveillance intelligence with them, which is probably partly due to the fact that the NSA had spied on Angela Merkel’s personal phone.

Conclusion

The jury is still out as to whether the Malaysian government is performing mass surveillance on its citizens, but it is almost certain that our internet communications are being intercepted and monitored to a certain extent. It is also very clear that the Malaysian government has the capabilities and tools to effect such surveillance easily, and the expansion of its powers in the internet realm is telling as to its intentions. Search histories, e-mails, instant messages and phone calls can no longer be considered private.

Using a VPN should be part of an overall measure to protect your internet freedom and privacy and we will delve into how you can do this in detail at a later date. Using BolehVPN will prevent your ISPs or governments from tracking your internet movements as all they will see is an encrypted connection to our VPN servers.

Thankfully, although BolehVPN is a Malaysian company, only one of our VPN servers is located in Malaysia; the rest of the servers and the customer database are all outside Malaysian jurisdiction, so the authorities are unable to do this silently without our knowledge. Our warrant canary also offers some protection against this, and we are taking steps to protect our customers’ privacy.

Stay tuned for some wide sweeping security changes that we would be making to our customer portal and VPN system that we hope to roll out this month and we hope that you will be patient when we do implement such changes.