BolehVPN


Saturday, January 30th, 2016

“Mummy, I’m Afraid of the Man in the Monitor”

It’s almost like a scene from any Paranormal Activity movie. But in all the horrific nightmares you could conjure up in your mind, this could be the most twisted and sickening because it is not dealing with ‘supernatural forces’, but rather real predators targeting real people in real life situations.

[Image: baby monitors. Source: CBS News]

In general, baby monitors give parents peace of mind by letting them keep a watchful eye on their kids. But few parents know about the vulnerabilities and the dangers of hackable baby monitors. Following several reports from consumers recounting their horror stories of monitor devices being hacked and abuse shouted at their children, American parents have been warned to be more wary of the types of baby monitors they bring into their homes.

Creepy baby monitor stories

1) In 2013, a Houston couple were left shaken when they discovered a hacker had accessed their baby monitor to shout profanities at their then two-year-old daughter. Not only did the hacker make lewd comments to their toddler such as “wake up you little slut” and “effing moron”, the man had accessed the monitor’s camera and also called the child by her name “Allyson”, which was spelt out on the wall. When the parents, Marc Gilbert and his wife Lauren entered the room, the voice began swearing expletives at them too, by calling Gilbert a stupid moron and his wife a b****.

2) [Image: Heather Schreck. Source: NBC News]

Heather Schreck was asleep in her Ohio home around midnight in April 2014 when she woke up to the sounds of a man screaming “Wake up baby! Wake up baby!” at her 10-month-old daughter, Emma. When Heather checked her phone screen, she could see the camera monitor moving around the room. That’s when the screaming picked up, according to Fox 19 news. When Heather’s husband, Adam, ran into the room, the camera turned to point directly at him.

3) An Indiana couple, the Denmans, were freaked out when they found that a hacker had infiltrated their baby monitor at home and played “Every Breath You Take” by The Police. Their two-year-old child was playing at home with her mother when the music suddenly started. At first, the mother thought it was a joke, until the hacker began making sexual noises over the monitor. After Jared Denman searched online for similar cases, he found several videos showing similar hacks with the same song playing over the speakers, and the hacker used a Twitter account to brag about the breaches.

The ongoing investigations

Now, New York’s Department of Consumer Affairs (DCA) has launched an investigation into these disturbing baby monitor hackings by contacting four unnamed baby monitor companies, demanding information about their security and evidence of complaints about unauthorised access. The DCA issued subpoenas to these four major manufacturers, who market their devices as “secure”, as part of its investigation into the security vulnerabilities of the devices and whether the manufacturers’ security claims violate NYC’s Consumer Protection Law, which prohibits deceptive and misleading advertising. If the companies are not living up to the security promises made in their marketing, they could be hit with civil fines for deceptive marketing practices. As the investigation is still ongoing, no names or details have been released yet.

Earlier this month, the Federal Trade Commission (FTC) issued a similar warning to parents whose houses and children’s rooms are equipped with security cameras. The FTC had examined five baby monitors and found four of them to have serious security issues, because they could be accessed with simple, easy-to-crack passwords. Moreover, two of the five did not encrypt the feed between the monitor and the home router, and another did not encrypt the feed from the router to the Internet.

“Video monitors are intended to give parents peace of mind when they are away from their children, but the reality is quite terrifying – if they aren’t secure, they can provide easy access for predators to watch and even speak to our children,” said DCA commissioner Julie Menin in a statement.

Tips

With the Internet of Things, our everyday devices and appliances are increasingly connected online, with computing and network capabilities embedded into them. When such devices are exploited, as in the case of these baby monitor hackings, consumers’ personal privacy suffers. Here are a few tips parents can consider to curb these disturbing hacks:

1) Use baby monitors which are not Wi-Fi-enabled, such as the Motorola digital video baby monitor model recommended by Ars Technica. It offers no Internet connectivity and uses encryption to protect the video and audio stream sent between the camera and a dedicated handset. Although monitors of this type probably have weaknesses of their own, they eliminate the risk that comes with being Internet-connected, and are arguably safer because an attacker would have to be in physical proximity to the people being targeted to perform any hacking.

2) As the DCA recommends, register your product and update software, firmware and applications. If you register your product, you will be notified of security updates by the manufacturer (which are important!). Be sure to install all security updates.

3) Additionally, the FTC urged parents to look for baby monitors with strong security protocols, or at least to research whether a monitor has any known security vulnerabilities before buying it.

4) Choose strong passwords which are changed regularly. Avoid using the default camera name and password, and only share it with people you trust absolutely.

5) If you already have an Internet-enabled baby monitor in your home, it is preferable to stop using it until the vendor has fully addressed all the identified weaknesses in the device. Monitor the manufacturer’s website for any security advisories or patches.

Sources

[1] Ars Technica

[2] NYC Consumer Affairs

[3] BBC News

[4] Parent Herald

Tuesday, January 26th, 2016

California Wants to Ban Encrypted Phones in 2017 to Fight Human Trafficking

[Image: encrypted phones. Source: Nextgov]

A new Californian bill, AB 1681, has been introduced with the aim of banning the sale of smartphones with unbreakable encryption. The bill would require manufacturers or operating system providers to include a method for unlocking any phone upon request. Any smartphone that could not be decrypted on demand would subject the seller to a $2,500 fine per phone.

The text of the AB 1681 bill states that it would “require a smartphone that is manufactured on or after January 1, 2017, and sold in California, to be capable of being decrypted and unlocked by its manufacturer or its operating system provider.”

This legislation follows the controversial New York bill, which it replicates in almost every respect: the New York bill requires smartphone manufacturers to build mechanisms into their devices that would allow the companies to decrypt or unlock them on demand from law enforcement. AB 1681 also follows in the footsteps of the UK’s Investigatory Powers Bill, endorsed by Prime Minister David Cameron, which would require Apple to stop encrypting iPhones, iMessage and FaceTime and to hold a key with direct access to user data, again creating a backdoor.

While the New York bill cites the fight against terrorism as its rationale, the California bill cites the prevention of human trafficking. The government claims that the unbreakable encryption now found on phones is being used to keep it from obtaining the evidence it needs against criminals and terrorists, and that the only way to defeat human trafficking is for the government to have unfettered, disk-level access to its citizens’ cell phones (which it believes far outweighs all privacy concerns).

Jim Cooper, the Democratic assembly member for Sacramento County who introduced the California bill, told Ars Technica, “If you’re a bad guy [we] can get a search record for your bank, for your house, you can get a search warrant for just about anything”. He went on to say, “For the industry to say it’s privacy, it really doesn’t hold any water. We’re going after human traffickers and people who are doing bad and evil things. Human trafficking trumps privacy, no ifs, ands, or buts about it.”

Cooper also stated in a press release, “Human traffickers are using encrypted cell phones to run and conceal their criminal activities. Full-disk encrypted operating systems provide criminals an invaluable tool to prey on women, children, and threaten our freedoms while making the legal process of judicial court orders useless.”

Problems with AB 1681

As the saying goes, “You can’t build a backdoor that’s only used by good guys”. Technology providers and security advocates argue that any backdoor the government has opened will be exploited by criminals, not just by the government. Encryption proposals that include backdoors are inherently insecure and would create vulnerabilities that unauthorized parties could exploit. Andrew Crocker, an attorney with the Electronic Frontier Foundation, told Ars Technica that the bill had “glaring problems” and was “entirely infeasible from a technical perspective”, since there is no way to ensure that phones can be decrypted only by the ‘good guys’ and not the ‘baddies’. Additionally, lawyers speculated that the bill would likely be illegal under the Dormant Commerce Clause, the federal legal doctrine that forbids states from imposing undue burdens on interstate commerce.

Considering moving to the Netherlands?

[Image: Flag map of the Netherlands]

Similar encryption proposals have been made in countries such as the UK and China, which would require companies to provide backdoor access to the government. This is the very opposite of the principles the Netherlands upholds. In fact, the Dutch government is against backdoors and is calling for stronger encryption. The government released a statement criticising the weakening of encryption for the purposes of law enforcement and intelligence agencies.

The Dutch minister of security and justice, Ard van der Steur, voiced “the importance of strong encryption for Internet security to support the protection of privacy for citizens, companies, the government, and the entire Dutch economy”. He emphasized, “Therefore, the government believes that it is currently not desirable to take legal measures against the development, availability and use of encryption within the Netherlands.”

How tech companies are affected

So far, Apple and Google have been fighting the good fight for the public, and have been adamant that this is a matter of user privacy. In the past year, Apple added strong encryption to its devices, a move soon followed by Google with similar encryption on Android.

Since September 2014, Apple has taken a strong pro-encryption stance, saying that on devices running iOS 8 or later the company would be unable to access customer data. Currently, both iOS and Android customers have the option to encrypt their devices when setting them up (the default on iOS). Both companies say they have decided to hand the encryption keys to the users themselves, which means the tech giants would be unable to respond to warrants for data stored on their devices even when asked by law enforcement. Overall, the bill would affect modern iOS and Android devices, whose full-disk encryption neither Apple nor Google can access even if they wanted to.

What happens if the bill passes

If the bill became law, iPhones (and many other smartphones) could not be sold in California with their current encryption features intact, and a state-wide legal ban would fall on many devices that run Google’s Android software. Although Apple and Google are the two dominant smartphone platform builders, both companies are headquartered in California and could be driven off their home turf if they chose not to comply. Currently, the bill still needs to pass the Assembly and State Senate and be signed into law by Gov. Jerry Brown (D). For now, it appears that Apple and Google will continue to defend encryption and will protest against the bill, although neither has commented on the new anti-encryption legislation yet.

Read the full text of AB 1681 here.

Sources

[1] Ars Technica

[2] Business Insider

[3] Silicon Valley Business Journal

[4] The Daily Dot

Tuesday, January 26th, 2016

BolehGEO is dead, long live BolehGEO

We’re scrapping the current BolehGEO (otherwise known as GEO-DNS-Streaming), and replacing it with a brand new BolehGEO service. This new service should bring in a whole host of new features and reliability for easy streaming of your favourite services. Netflix ban, what Netflix ban?

To start off:

  • There are two servers.
  • Each server will serve a specific region, one for the Asian/North American region, and one for Europe.
  • These servers will automatically reroute your traffic through the VPN to different countries (USA, UK, Australia, Italy, Spain and so on) based on the streaming site that you’re attempting to access.

This means that you now have access to potentially hundreds of streaming sites from all over the globe! And the best part is that it’s available right now, just head to the Settings tab of the BolehVPN client and hit Update Configurations to get your new configs. (Custom client users will have to update manually)

Let us know how it goes :)

Saturday, January 23rd, 2016

‘Netflix & Chill’ Sessions Interrupted Now That VPN Bans Are in Effect

[Image: Netflix, in all its glory and wonder]

Netflix is available on virtually any device that has an Internet connection, including personal computers, tablets, smartphones, Smart TVs and game consoles. It automatically provides the best possible streaming quality based on users’ available bandwidth. Many titles, including Netflix original series and films, are available in high-definition with Dolby Digital Plus 5.1 surround sound and some in Ultra HD 4K. Advanced recommendation technologies with up to five user profiles help members discover suggested entertainment based on their viewing or voting preferences.

‘Netflix & VPNs’ are like ‘peanut butter & jelly’

With the expansion of Netflix to 190 countries, there has been renewed interest in Virtual Private Networks (VPNs). Some who did not previously know that a VPN can bypass the region locks on Netflix may now be aware that VPNs could give Netflix users access to additional library content.

Netflix libraries vary hugely in the number of titles available in each location. The selection of available titles is based on the user’s IP address, so for most users it corresponds to their physical location. It also means that, for example, a user in Malaysia who accesses the Internet through a U.S.-based connection will see the selection available to U.S. users.

Although Netflix worldwide may carry tens of thousands of titles, licensing agreements with production studios differ by country and force Netflix to offer a different library in each location. Netflix negotiates with these studios to arrange deals for streaming certain titles; hence every region’s list of movies and shows is unique. For instance, AMC’s series ‘Better Call Saul’ aired on Tuesday nights in the US and was allowed to be shown on UK Netflix the following day. The film ‘St. Vincent’ was playing on Netflix France while it was still in US cinemas.

Finder took it upon themselves to peruse every available Netflix library to see how they compare, and this is their list of content titles by country. (Malaysia can only access 11.08% of the USA’s movie library!) While your country’s Netflix library may be lacking, the most compelling reason many users subscribe to a VPN is to access better entertainment content. A VPN lets you virtually travel to another country and access its Netflix despite your physical location, expanding your choice of library content in just minutes.

Is it legal?

[Image: legal vs illegal]

Unless you live in a country which specifically bans VPNs (say, Iran or Saudi Arabia), using a VPN is perfectly legal. Generally, using a VPN for legal purposes is fine in most countries unless you are found to have used it for illegal purposes. In countries that restrict online movie providers, a VPN is sometimes used to unlock these sites and gain access to their films and videos.

Making use of a VPN is akin to gun ownership in the US; it is at the option of the VPN user to use it for legal or illegal purposes (such as hiding IP addresses to perform illicit activities). And while a VPN in itself is not illegal, using a VPN proxy may violate the Terms of Service for some sites, including Netflix. There is a difference between breaking the law (could land you in jail) and violating a company’s Terms of Service (your account may get suspended or your service deactivated).

Although Netflix officially does not condone the use of VPNs, as it is believed to violate licensing agreements, it is not clear whether the company has a way of knowing what you are up to. As Business Insider states, Netflix is in a battle for subscribers. Netflix needs to play the game against its rivals, and punishing violators is not in its interest. HBO’s CEO, Richard Plepler, for one, publicly admits that he does not care if users share their HBO GO passwords, as HBO is “in the business of creating addicts”, noting that it could lead to more subscribers in the future.

Threats on VPN crackdowns

Threats by Netflix to block VPNs have gone back and forth, with many believing that Netflix would not make good on its threats to aggressively thwart VPNs and other geo-restriction avoidance tools, even when Neil Hunt, Netflix’s chief product officer, released a statement saying:

“We do apply industry standard technologies to limit the use of proxies. Since the goal of the proxy guys is to hide the source it’s not obvious how to make that work well. It’s likely to always be a cat-and-mouse game. [We] continue to rely on blacklists of VPN exit points maintained by companies that make it their job. Once [VPN providers] are on the blacklist, it’s trivial for them to move to a new IP address and evade”

Many read his statement as a subtle admission of how futile efforts to block VPN users can be. Others dismissed it as merely a means to appease the broadcasters and content partners from whom Netflix licenses its programming.

However, in very recent developments, it seems that the ‘cat-and-mouse game’ has already begun, as it appears Netflix has begun restricting access from VPN users.

[Image: Netflix proxy warning message. Source: VPN Creative]

Now, users of VPN services such as Australia’s uFlix and ExpressVPN have reported being blocked when trying to watch content from outside their countries, and seeing warning messages such as the one screenshotted above by a Reddit user.

All the speculation that Netflix would not follow through on its efforts to stop VPNs appears to have been contradicted by these recent events. While the blocks seem to affect only a small number of people at the moment, the numbers are expected to increase.

How would Netflix restrict users toying with geolocations?

Although Netflix has never explained exactly how it will combat VPNs and proxies, this news suggests it is simply identifying and blacklisting IP addresses associated with these services.

The International Business Times explores four ways Netflix could be using to curb users from bypassing their country’s geo-restricted content and accessing other countries’ content:

1) Blacklist popular VPN providers – Listing popular VPN providers known to be used by many people on a blacklist and block any connections from these providers.

2) Block all connections coming from the same IP address – If many Netflix users appear to be connecting through the same IP address, that could set off alarms at Netflix that the users are on a VPN. Netflix could then put that VPN on the blacklist even if it did not know about the VPN before.

3) Blacklist DNS unblocker services – Netflix could test for your actual IP address by getting your device to contact an external domain, which then reports the IP address it saw to Netflix’s servers. If that IP address differed, Netflix would know you were trying to cheat and could block the DNS unblocker’s servers.

4) Restrict users to their billing country – Similar to the practices of iTunes and Steam, Netflix could restrict users to using Netflix only in the country where their billing information is registered. (Example: a UK citizen using a UK bank/credit card would not be allowed to subscribe to US Netflix.)
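The second and third methods above, simulated as detection logic over constructed sample records. This is an added example, not code from the original post or from Netflix; the log fields, the ten-minute window, the three-account threshold and the “beacon domain” mechanism are assumptions for illustration:

```python
"""Simulate two streaming-service proxy detections over constructed data.

Method 2 (shared exit IP): a VPN exit is one public IP that many unrelated
accounts log in through within a short window, unlike a household IP.
Method 3 (DNS unblocker mismatch): a DNS unblocker proxies only selected
hostnames, so the IP seen by the video server can differ from the IP seen by
an unrelated "beacon" domain the client app was asked to contact.
All records, thresholds and IPs below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login records: (ISO timestamp, account id, source IP)
LOGIN_LOG = [
    ("2016-01-23T10:00:00", "acct-001", "203.0.113.10"),
    ("2016-01-23T10:00:07", "acct-002", "203.0.113.10"),
    ("2016-01-23T10:01:30", "acct-003", "203.0.113.10"),
    ("2016-01-23T10:02:45", "acct-004", "203.0.113.10"),
    ("2016-01-23T10:03:00", "acct-001", "203.0.113.10"),  # same account again
    ("2016-01-23T09:58:00", "acct-005", "198.51.100.7"),  # household: one account
    ("2016-01-23T08:00:00", "acct-006", "192.0.2.5"),     # two accounts, hours apart
    ("2016-01-23T15:30:00", "acct-007", "192.0.2.5"),
]

# Constructed sample sessions: (account id, IP seen by the video server,
# IP reported by the beacon domain for the same client)
SESSIONS = [
    ("acct-001", "203.0.113.10", "203.0.113.10"),   # full VPN: both paths share the exit
    ("acct-005", "198.51.100.7", "198.51.100.7"),   # ordinary household
    ("acct-008", "203.0.113.99", "198.51.100.42"),  # DNS unblocker: only video proxied
]


def shared_ip_exits(records, window=timedelta(minutes=10), min_accounts=3):
    """Return {ip: set of accounts} for source IPs that at least `min_accounts`
    distinct accounts logged in through within any `window`-long span."""
    by_ip = defaultdict(list)
    for ts, account, ip in records:
        by_ip[ip].append((datetime.fromisoformat(ts), account))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()  # sliding window over time-ordered logins
        for i, (start, _) in enumerate(events):
            accounts = {acc for t, acc in events[i:] if t - start <= window}
            if len(accounts) >= min_accounts:
                flagged[ip] = accounts
                break
    return flagged


def unblocker_mismatches(sessions):
    """Return account ids whose video-server IP and beacon IP disagree."""
    return [acc for acc, video_ip, beacon_ip in sessions if video_ip != beacon_ip]


def blocklist_candidates(records, sessions):
    """Combine both signals into the set of IPs a service might blacklist
    (method 1 above); a single household IP never reaches the threshold."""
    ips = set(shared_ip_exits(records))
    flagged_accounts = set(unblocker_mismatches(sessions))
    ips |= {video_ip for acc, video_ip, _ in sessions if acc in flagged_accounts}
    return ips


if __name__ == "__main__":
    print(shared_ip_exits(LOGIN_LOG))
    print(unblocker_mismatches(SESSIONS))
    print(blocklist_candidates(LOGIN_LOG, SESSIONS))
```

The same logic also shows why the “cat-and-mouse” remark holds: the flagged set is only as current as the last batch of logins, so a provider moving to a fresh exit IP starts again below the threshold.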

The future of the Netflix VPN ban

Consumer advocacy group, Choice, stated that the number of people regularly pirating in Australia had dropped by a quarter since the launch of Netflix. If Netflix chooses to lock accounts to one country and apply such rigid restrictions, it would affect its subscribers’ ability to access the service while overseas and could drive people back to piracy.

On the other hand, global licensing could have the opposite effect on piracy, as shown by a 14% drop in the use of BitTorrent, a popular source of illegal downloads, in Australia after Netflix’s official launch there in March 2015. Shifting to global licensing would mean offering the same content on Netflix around the world. While this may very well please paying Netflix subscribers, Netflix would need to strike a balance with those who hold the rights to the content in order to uphold current business relationships with content providers.

Sources

[1] Netflix

[2] Business Insider

[3] Torguard

[4] The Verge

[5] Tech Dirt

Monday, January 18th, 2016

Nearly All Your Mobile Apps Have Been Hacked

[Image: file photo (01/07/08) of an Apple iPhone]

If you own a smartphone, mobile applications are undoubtedly an integral part of your everyday life. Be it for productivity tools, financial transactions, social networking or entertainment, you probably use at least two or three of these apps in a day.

According to Forbes, the number of app downloads is expected to rise to almost 270 billion by 2017. Additionally, mobile device users now spend far more of their time in mobile apps (86% of time spent) than on the mobile web (14%).

While global mobile app revenue runs into the hundreds of billions, that same economy leaves many mobile apps vulnerable to exploitation. Research by security firm Arxan Technologies in 2014 revealed that 97% of the top 100 paid Android apps and 87% of the top 100 paid Apple iOS apps had been hacked at least once.

Where the mobile threats are

Both Kaspersky Lab and McAfee have reported a rise in mobile threats. Mobile malware has increased for five straight quarters, with total mobile malware growth of 167% recorded in 2014. Security researchers say mobile apps are at greater risk of failing to secure users’ data than apps running on desktop or laptop computers, partly because implementing stronger security is harder in apps, and partly because developers are often in a rush to release them. Flaws in the way thousands of popular mobile apps store data online lie in how those who write and sell the apps authenticate users when storing their data in online databases. This has left users’ passwords, addresses, door codes and location data exposed to hackers. Other weaknesses lie in the way apps transmit data: FireEye, an Internet security company, found developers regularly sending users’ names and passwords unencrypted, so it is no surprise to find that this sensitive information is also stored insecurely.

“I Accept” the T&C, now get on with it…

Most of us, upon downloading an app, will not bother to read its Terms and Conditions. We just click “I Accept” as though it were second nature and get on with it. And even those who do read the Terms and Conditions may not have the knowledge to fully understand them (or care enough) to cancel their download.

[Image: “I Accept”. Source: Memecollection]

That is where hidden gems like these, from the Terms of Service Agreement of Tumblr, the popular blogging platform, were born:

[Images: excerpts from Tumblr’s Terms of Service]

Rightly, app users ought to be more careful when granting app permission requests and giving external services access to personal information such as photos, contacts and location. Some apps may even monitor your location or information constantly while you are not actively using them.

When Spotify released its new privacy policy, which sought permission to access users’ sensors, photos, contacts, GPS location and other personal information, many users were disgruntled because they believed Spotify does not really require the level of personal information it claims is necessary and is in fact selling user data on to other companies.

Before deciding to download an app, especially an app which is seeking all kinds of permissions to your personal information, ask yourself these questions:

– Does the app look safe?

– Is the app from a reputable developer?

– Does the developer explain why they need these permissions?

– Does the app have plenty of good reviews?

If you answer “No” to most of these questions, your best option is to abort the download, and do not hesitate to press Delete on it.

The case of the Flappy Bird clone apps

After the Flappy Bird gold rush, when the number one app was pulled from the app stores, developers scrambled to meet the soaring demand with ‘Flappy Bird clones’. At the time, an average of sixty Flappy Bird clones were uploaded to the Apple iOS App Store in a single day, with names such as Flappy Wings, Flappy Crocodile, Fly Bird, Flappy Penguin and Tiny Flying Drizzy.

When McAfee Labs sampled 300 of these Flappy Bird clones, it discovered that 79% of them contained malware. These malicious clones may look like normal games to the average user, but once downloaded they can damage and invade a user’s mobile device in a number of ways. The malware could be used to make calls, install additional apps, send and receive SMS messages, extract contact data, track geo-location, and establish root access, which would allow uninhibited control of the mobile app.

Mobile apps in 2016

[Image: Arxan]

According to a widely quoted report by Arxan, a security firm, mobile health and finance apps are likely to be prime targets in the next six months because of their growing use. Arxan found that of the 126 most popular mobile health and finance apps, 90 percent had critical security vulnerabilities: the majority of them failed security tests and could easily be hacked.

[Image: OWASP Mobile Top 10 Risks. Source: Arxan]

While the majority of the 1,083 consumer app users and IT executives surveyed said they truly believed their apps to be secure, nearly all the apps assessed (including popular banking and payment apps and FDA-approved health apps) proved vulnerable to at least two of the Open Web Application Security Project (OWASP) Mobile Top 10 Risks. To be precise, lack of binary protection (96%) and insufficient transport layer protection (79%) were the most common risks among the apps tested. Both of those vulnerabilities can result in reverse engineering, data theft, privacy violations, and tampering with application code.
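An added example (not Arxan’s or the original post’s code) of a check for the “insufficient transport layer protection” risk named above, going slightly beyond the post: it audits an Android app’s network_security_config.xml (a mechanism Android introduced after this post was written) for cleartext traffic and weak trust anchors. The element and attribute names are Android’s own; both configs are constructed samples and the pin values are placeholders, not real certificate hashes:

```python
"""Audit an Android network_security_config.xml for transport-layer weaknesses.
The configs below are constructed samples, the pin values are placeholders
(not real certificate hashes), and the rules encode common hardening advice
rather than any vendor's official policy."""
import xml.etree.ElementTree as ET

# Constructed sample: permits plain HTTP everywhere and trusts user-installed CAs,
# so credentials can travel unencrypted or through an attacker-added CA.
WEAK_CONFIG = """<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system"/>
            <certificates src="user"/>
        </trust-anchors>
    </base-config>
</network-security-config>"""

# Constructed sample: HTTPS only, system CAs only, and the API host pinned
# with a primary and a backup pin (placeholder values).
HARDENED_CONFIG = """<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system"/>
        </trust-anchors>
    </base-config>
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2018-01-01">
            <pin digest="SHA-256">PLACEHOLDER_PRIMARY_PIN_BASE64=</pin>
            <pin digest="SHA-256">PLACEHOLDER_BACKUP_PIN_BASE64=</pin>
        </pin-set>
    </domain-config>
</network-security-config>"""


def audit_network_security_config(xml_text):
    """Return a list of findings; an empty list means no weak setting was found."""
    root = ET.fromstring(xml_text)
    findings = []

    # 1. Cleartext must be disabled explicitly: the platform default is
    #    'permitted' for apps targeting API levels below 28.
    base = root.find("base-config")
    if base is None or base.get("cleartextTrafficPermitted") is None:
        findings.append("base-config: cleartextTrafficPermitted not set explicitly "
                        "(defaults to true when targetSdkVersion < 28)")

    for cfg in root.findall("base-config") + root.findall("domain-config"):
        # 2. Plain HTTP allowed for everything (base) or for listed hosts (domain).
        if cfg.get("cleartextTrafficPermitted", "false").lower() == "true":
            hosts = [d.text for d in cfg.findall("domain")] or ["all hosts"]
            findings.append(f"{cfg.tag}: cleartext traffic permitted for "
                            + ", ".join(hosts))
        # 3. User-installed CAs outside <debug-overrides> let any CA the user
        #    (or malware) adds to the device intercept the app's TLS sessions.
        for cert in cfg.findall("trust-anchors/certificates"):
            if cert.get("src") == "user":
                findings.append(f"{cfg.tag}: user-installed CAs trusted")
        # 4. A pin-set with a single pin has no backup for key rotation,
        #    which tempts developers to drop pinning altogether.
        for pin_set in cfg.findall("pin-set"):
            if len(pin_set.findall("pin")) < 2:
                findings.append(f"{cfg.tag}: pin-set has no backup pin")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_network_security_config(cfg) or ["no findings"])
```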

[Image: mobile security survey]

A worrying thought is that many companies do not have, or do not allocate, the resources to manage those risks. According to Arxan, 50% of those organizations have zero budget allocated to mobile app security. This means that vulnerable apps could continue to jeopardize users’ privacy and information well into the future.

For further reading on solutions Arxan offers to protect your software running on mobile devices, desktops, servers, and embedded platforms, head on to their page to learn more on how to protect your devices better.

Sources

[1] Daily Mail

[2] McAfee

[3] Graham Cluley

[4] Business Insider

[5] Arxan

[6] Mobi Health News

© 2012 BolehVPN. All rights reserved. Sales: [email protected] | Support: [email protected]