BolehVPN

Archive for the ‘VPN’ Category

Tuesday, April 12th, 2016

Teen Sold His DDoS Tool Which Crashed Over 224,000 Sites For £4.99

Grant Manser was only 16 years old when he first set up the damaging software that helped cyber-hackers crash over 224,000 websites around the world. Working from the comfort of his Midlands home, the teenager designed the “stresser” program and sold it to customers worldwide, for as little as £4.99, on the infamous hidden internet ‘Dark Web’ that is used only for criminal purposes.

Extra: “Stresser” programs, also known as DoS (“Denial of Service”) programs, work by flooding websites, servers and email addresses with so much data that they cannot cope, causing them to crash temporarily.

Grant Manser leaving Birmingham Crown Court (Source: Daily Mail)

The British teenager from Kidderminster, a town near Birmingham in the UK, allegedly sold website-crashing software to around 4,000 customers, who used it to carry out attacks on 224,548 targets around the world. Victims included businesses, schools, colleges and government departments in Poland, France, other EU countries, the United States and the Netherlands, to name a few. One victim, Harrogate and Hull College, had its entire computer network knocked out for 14 hours after unhappy students, displeased at being kept behind for detention, bought one of Manser’s tools and launched it at the institution’s websites.

Harrogate and Hull College (Source: Daily Mail)

Indeed, it was these DoS attacks that led to the discovery of Manser’s operation: local law enforcement traced the various attacks back to Manser’s tools and eventually uncovered his real identity.

Officers from the Regional Cyber Crime Unit arrested the teen at his family home and seized his computer equipment, which was found to contain four DoS systems capable of launching multi-level DoS attacks, called Dejabooter, Vexstresser, netspoof and Refinedstresser. These DoS programs were sold on the ‘Dark Web’ at prices ranging from £4.99 to £20.

Manser’s family home (Source: Daily Mail)


Developing the attacks

Before Manser was convicted, Birmingham Crown Court heard that his scheme had operated over a four-year period between January 2012 and November 2014. Manser, now aged 20, was said to have had 12,800 registered users, of whom just under 4,000 had bought DoS packages. They had then carried out 603,499 attacks on 224,548 targets. All in all, the court heard Manser had a turnover of £50,000 during the period of his operations, which he accepted via PayPal. By the time he was arrested, Manser’s business was doing so well that he had started advertising for support staff.

During his police interviews, the teenager stated that he got the idea for the “stresser” programs, and for creating and selling his own DoS tools, after working for another hacker in the United States, which opened his eyes to the money he could make from such schemes.


Pleading guilty

The judge, Nicholas Cole, went easy on Manser because his defence lawyer, Jamie Baxter, argued that Manser did not take part in any attacks himself but did it purely for monetary gain, most of which he saved. Manser had not spent his £50,000 extravagantly, choosing instead to upgrade his computer equipment and to fund his motorbike hobby. Manser’s tools did not give users access to closed computer systems and were not designed to compromise private data.

Baxter, defending his client, stated: “He is not a hacker. The system doesn’t take or hack any information from the websites being attacked.” He added: “He was only 16 when he started to do this and it was his immaturity and naivety which led him to commit these offences.”

Manser was convicted at Birmingham Crown Court after pleading guilty to six charges under the Computer Misuse Act and four under the Serious Crime Act. Judge Cole sentenced him to two years in juvenile detention, suspended for 18 months, with a requirement to perform 100 hours of unpaid work and to pay £800 in costs covering all 10 convictions.

Manser was thus spared an immediate jail sentence after the judge acknowledged that he only did it for financial gain and described the teen as “young and naive”. In addition, the judge was seemingly impressed that Manser’s DoS tools were built with hidden safeguards that prevented them from being used to attack ‘blacklisted’ organisations such as healthcare providers, banks, the police or the FBI.


Sources

[1] Telegraph

[2] The Sun

[3] Birmingham Mail

[4] Softpedia

[5] Tech Worm

Saturday, April 9th, 2016

The Update We’ve All Been Waiting For: Full Encryption for All WhatsApp Chats

yellow encryption bubble

If you are an avid WhatsApp user, you have probably already seen this little yellow bubble in one of your chat conversations. Otherwise, you may have heard the news from a friend or colleague. After all, WhatsApp is the most popular messaging application as of February 2016, with one billion active user accounts.

Previously, perhaps WhatsApp’s only shortcoming was its lack of more secure messaging, which was evident in the strong growth of privacy-centric communication apps such as Telegram that filled the gap WhatsApp had left. With WhatsApp’s latest upgrade to end-to-end encrypted messages, its advantage over some other encrypted apps is that encryption is switched on by default. Users do not need to actively select an encryption option (as in Telegram’s ‘secret chats’), and once they have an encrypted conversation with someone over WhatsApp, it will never fall back to non-encrypted mode.

Just last Tuesday 5th April 2016, WhatsApp was excited to announce in a blog post from its founders Jan Koum and Brian Acton that end-to-end encryption was introduced to their highly-downloaded app across all types of devices.

The blog reads:

“WhatsApp has always prioritized making your data and communication as secure as possible. And today, we’re proud to announce that we’ve completed a technological development that makes WhatsApp a leader in protecting your private communication: full end-to-end encryption. From now on when you and your contacts use the latest version of the app, every call you make, and every message, photo, video, file, and voice message you send, is end-to-end encrypted by default, including group chats.

The idea is simple: when you send a message, the only person who can read it is the person or group chat that you send that message to. No one can see inside that message. Not cybercriminals. Not hackers. Not oppressive regimes. Not even us. End-to-end encryption helps make communication via WhatsApp private – sort of like a face-to-face conversation.”


What is end-to-end encryption anyway?

End-to-end encryption (E2EE) is a method of secure communication that prevents third parties from accessing data while it is transferred from one end system or device to another. The data is encrypted on the sender’s system or device and only the recipient is able to decrypt it. Nobody in between, whether an Internet service provider, an application service provider or a hacker, can read or tamper with it, because no third party can decipher the data being communicated or stored. If implemented with trusted algorithms, end-to-end encryption can provide the highest level of data protection.


WhatsApp’s encryption initiatives

In fact, WhatsApp had already been taking steps towards encryption for a few years. The popular messaging service, owned by Facebook, began encrypting messages sent on Android in 2014. However, this was limited to standard messages and did not apply to group messages, photos or video messages. Only now has the company delivered enhanced security by offering full end-to-end encryption across many more mobile platforms: iPhone, Android, Windows Phone, Nokia S40, Nokia S60, BlackBerry and BB10. Additionally, the latest WhatsApp upgrade ensures that encryption now spans all their messaging formats, be it group messages of two or 20 people, direct calls, texts, photos and videos, or file transfers.

This latest security upgrade by WhatsApp comes after Apple was asked by the US government in February to create a special version of its operating system in order to break into an iPhone belonging to one of the San Bernardino mass shooters. Apple had rejected the order, which fired up a massive debate over the increasing use of encryption and how it affects law enforcement investigations.

WhatsApp co-founder Jan Koum was one of the first prominent tech leaders to publicly stand by Apple in the encryption battle over its refusal to help the FBI create a backdoor into the iPhone. When Koum and Acton announced the latest encryption update on their blog, they reiterated the importance of encryption in a climate where companies like Apple are taking on government agencies.


Security on WhatsApp

The founders of WhatsApp began their serious quest for encryption on their communication app when they teamed up with a high-minded coder and cryptographer who goes by the pseudonym Moxie Marlinspike. Marlinspike, once a key member of Twitter’s security team, contacted them in 2014. The highly regarded cryptographer runs an open source software project, Open Whisper Systems, a San Francisco group that developed its software with private funding and government grants, including a State Department program that encouraged encryption as a defence against repressive regimes. Open Whisper Systems provides encryption for messaging services, and they were the people behind the app Signal, which also provides encrypted text messaging and voice calls. It is this technology that is now incorporated into WhatsApp across all its mobile platforms.

WhatsApp encryption diagram (Source: Wired)

Now WhatsApp’s users not only benefit from encryption of their messages, but from encryption that is considered strong. In a technical white paper released by WhatsApp on April 4th, the company details the underlying cryptographic exchange that occurs when messages are sent between users.

It describes how WhatsApp uses the Double Ratchet cryptographic protocol, a key management algorithm developed by Marlinspike himself. The double ratcheting provides forward secrecy even if session keys are compromised: each conversation uses a new key, so even if a hacker stole the key, earlier conversations cannot be decrypted and remain protected. Users can also verify the security of their conversations by comparing their ‘security codes’.

Moreover, WhatsApp uses public key encryption. As an example: to send a message to User B, User A asks a WhatsApp server for User B’s public key. User A then uses that public key to encrypt the message, and User B’s private key (held only on User B’s phone) decrypts it. On top of that, all communication (whether with a single contact or in a group) is protected by 256-bit encryption using the highly dependable AES-256 algorithm, which is accepted by the US and Canadian governments as a standard for encrypting data in transit and at rest.
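To make the forward-secrecy and public-key ideas in the two paragraphs above concrete, here is an added illustration written for this page; it is not WhatsApp’s or Open Whisper Systems’ code and not the real Signal protocol implementation. It uses only the Python standard library, so two stand-ins are assumed: a constructed constant plays the part of the shared secret the two phones would agree on after User A fetches User B’s public key from the server, and an HMAC-SHA256 keystream stands in for AES-256. The names RatchetSession, kdf_chain_step, forward_secrecy_demo and security_code are all made up for the example, and the security-code format is a simplified fingerprint, not WhatsApp’s actual 60-digit code.

```python
import hashlib
import hmac

# Constructed stand-in for the secret both phones share after User A fetches
# User B's public key from the server and runs the key agreement
# (assumption for this demo: the real value comes from X25519/X3DH).
ROOT_SECRET = hashlib.sha256(b"constructed demo shared secret").digest()


def kdf_chain_step(chain_key: bytes) -> tuple:
    """One step of a symmetric-key ratchet (the KDF chain of the Double Ratchet).

    Returns (next_chain_key, message_key). Both are HMAC-SHA256 outputs of the
    current chain key with distinct inputs, so holding next_chain_key does not
    let anyone recover chain_key or message_key: HMAC is one-way.
    """
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_chain_key, message_key


def message_keys(chain_key: bytes, count: int) -> list:
    """Derive the next `count` message keys starting from `chain_key`."""
    keys = []
    for _ in range(count):
        chain_key, mk = kdf_chain_step(chain_key)
        keys.append(mk)
    return keys


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for AES-256 (assumption for the demo): an HMAC-SHA256
    counter-mode keystream XORed with the data. Encrypt and decrypt are the
    same operation."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class RatchetSession:
    """One direction of a conversation: a chain key that advances per message,
    kept in lockstep by sender and receiver."""

    def __init__(self, root: bytes) -> None:
        self.chain_key = root
        self.counter = 0

    def next_message_key(self) -> tuple:
        self.chain_key, mk = kdf_chain_step(self.chain_key)
        n = self.counter
        self.counter += 1
        return n, mk  # the previous chain key is discarded; only mk is used

    def encrypt(self, plaintext: bytes) -> tuple:
        n, mk = self.next_message_key()
        return n, keystream_xor(mk, n.to_bytes(4, "big"), plaintext)

    def decrypt(self, n: int, ciphertext: bytes) -> bytes:
        m, mk = self.next_message_key()
        if m != n:
            # Simplification: the real protocol caches skipped message keys.
            raise ValueError("out-of-order message")
        return keystream_xor(mk, n.to_bytes(4, "big"), ciphertext)


def forward_secrecy_demo(total: int = 6, compromise_at: int = 3) -> dict:
    """Send `total` messages; after `compromise_at` of them an attacker copies
    the sender's current chain key. Count how many past and future message
    keys that copy lets the attacker derive."""
    sender = RatchetSession(ROOT_SECRET)
    keys = [sender.next_message_key()[1] for _ in range(compromise_at)]
    stolen_chain_key = sender.chain_key  # attacker snapshots state here
    keys += [sender.next_message_key()[1] for _ in range(total - compromise_at)]
    derived = message_keys(stolen_chain_key, total - compromise_at)
    past, future = keys[:compromise_at], keys[compromise_at:]
    return {
        "past_recovered": sum(k in past for k in derived),
        "future_recovered": sum(k in future for k in derived),
    }


def security_code(identity_key_a: bytes, identity_key_b: bytes) -> str:
    """Simplified fingerprint for the out-of-band 'security code' comparison.
    Assumption: WhatsApp's real 60-digit code is computed differently; this only
    shows that both parties get the same digits regardless of who computes it."""
    material = b"".join(sorted([identity_key_a, identity_key_b]))
    digits = str(int(hashlib.sha256(material).hexdigest(), 16)).zfill(78)[:60]
    return " ".join(digits[i:i + 5] for i in range(0, 60, 5))


if __name__ == "__main__":
    print(forward_secrecy_demo())
    print(security_code(b"constructed identity key A", b"constructed identity key B"))
```

forward_secrecy_demo() advances a chain, snapshots the chain key the way a device compromise would, and counts which message keys that snapshot reaches: only the ones from the theft onward, never the earlier ones, because each step is a one-way HMAC. The receiver in this simplified version must process messages in order; the real protocol caches skipped message keys so out-of-order delivery still decrypts.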

If your WhatsApp app has yet to download the upgrade automatically, you can install the latest encrypted version of WhatsApp here: iOS, Android or Windows Phone.


Sources

[1] WhatsApp blog

[2] Huffington Post

[3] Fortune

[4] Wired

[5] Mac World

[6] Fox News

Monday, April 4th, 2016

Why BolehVPN Will Not Offer ‘Lifetime’ VPN Subscriptions

Recently, we were approached to offer lifetime subscriptions for our BolehVPN services, which was requested at a very low price. While you may have seen other VPNs who offer lifetime subscriptions with cheap prices, let us explain why at BolehVPN we are not keen on the idea of lifetime plans.

Firstly, let’s talk a bit about other VPN services that offer such lifetime subscriptions. You may be able to get a lifetime subscription online for as low as $29, $39 or $49. However, reviews of the product will probably reflect the usually bad service and exactly why the pricing is set as such. Bear in mind that such lifetime subscriptions are more often than not offered for the lifetime of the company, not yours.

Often, reviews from users showcase how the duration of these “lifetime” subscriptions can be quite ambiguous:

Reviews on popular VPNs offering lifetime subscriptions

Even if a VPN provider truly offered lifetime service for the lifetime of the user, a company offering such subscriptions is one without a sustainable business model. Companies depend on constant growth in customers to survive, and a VPN provider needs an income stream to provide you with bandwidth, servers and other features.

While it may make sense for a start-up VPN provider to offer a limited number of lifetime subscriptions to raise the capital needed to get off the ground, businesses that continuously offer cheap lifetime service contracts are paying no attention to any long-term plan for how the company is going to stay in business (think pyramid schemes). A company dependent on lifetime subscriptions is ultimately adopting a short-term strategy, usually to grab a quick buck from all its initial subscribers.

Such companies offering lifetime subscriptions would have to pray for a continuous stream of new customers subscribing. But what happens when all the customers have been saturated and their funding has run dry? Where would they be getting the funding to provide continuous improvements of their services? These companies would have to be really confident in being able to pull off new subscriptions continuously because they would already be eliminating the income stream they could have received from any returning customers re-subscribing. Without future income, the company would not be able to continue paying for the staff and infrastructure to support the VPN for a “lifetime”.

Once the VPN provider has all the money it will ever get from you, there is no incentive for it to keep improving the service, since everything is paid upfront and long past any usual ‘refund policy’. And if the company is past any liability for a refund and can’t guarantee you one if your service is not working, how can you trust it to give you a ‘lifetime’ of quality service in the future?

Additionally, if you are paying incredibly low prices for the product (or even signing up totally free), you may want to check up on the privacy policy of the company. Remember: “If you’re not paying for a product, you ARE the product”. And how would these companies be making their side-profit? Often through keeping logs on user activity to sell customer data or aggregated statistics on customers, on top of cutting back on servers and support. (Read our post on why you should be wary of free VPNs)

For your information, BolehVPN ensures a strict “No Data Log” policy, which means we do not take user logs, timestamps, user activity or IP logs nor do we record info on how much bandwidth you consume.

Alright, so back to why at BolehVPN we do not believe in lifetime subscription plans. Frankly, it is simply not a sustainable business model for a company that plans to keep operating well into the future (and we do hope to stick around for you guys!). When our subscribers continue subscribing to us, it lets us know that you guys are happy and that we are doing things right, something a one-time fee would not be able to gauge directly. More importantly, it enables us to continue investing in making our overall business better for our users.

Since founding BolehVPN in 2007, our priority has always been to place customer satisfaction first. Behind our daily speed tests, remote support sessions and ticket replies, we are still a small dedicated team powered by human geeks. Thankfully, your continuous support has enabled us to carry on growing and constantly developing our services for all of you, so that we can continue providing our Bolehians the internet freedom and security you guys deserve.


Tuesday, March 29th, 2016

Make Your Online Shopping Safer With Single Use “Burner” Credit Cards


Every time you have made an online purchase, you probably would have had a moment of hesitancy and fear while typing in your credit card number to pay for your purchases. You are not alone, because there naturally is a level of uncertainty in the security of entering your credit card numbers online on the wide open web.

Source: Randy Glasbergen

Privacy.com, a company which launched its free app on 24th March 2016, aims to ease that particular consumer fear with its “burner” digital Visa card solution.

Privacy’s virtual burner Visa cards are randomly generated card numbers that can be used only once before the number self-destructs. Your personal information stays hidden when you shop online because you can have a brand-new virtual card for every transaction, keeping your actual credit card number safe. Besides the option of a one-time-use card number, users can also create an unlimited number of single- or recurring-use cards, or merchant-specific cards (such as a card dedicated to Spotify subscriptions, iTunes purchases or Kickstarter investments).

At Privacy, the self-explanatory company name clearly outlines the value it hopes to bring its users, a basic idea which has already attracted the interest of investors. The company announced in October that it had raised $1.2 million in seed funding from investors including Jim Messina (former White House deputy chief of staff and main driver of President Obama’s 2012 re-election campaign) and Andy Roth (former Chief Privacy Officer of American Express).

It is no wonder, either, that the start-up is formed from a small line-up of security-conscious directors with notable credentials. CEO Boling Jiang studied math at the Massachusetts Institute of Technology and came from a cryptocurrency background, while Andy Roth (the former Chief Privacy Officer of American Express mentioned above) is also pro bono counsel to the Bitcoin Foundation and Human Rights Watch. Other team members include Jason Cruz (formerly of Expensify, a software company that develops a travel and expense web and mobile app) and David Nichols (formerly of Palantir, a software and services company specialising in data analysis).

Jiang believes that consumers have the right to not share personal information with a merchant if they are only going to buy something from them once. “It puts the control back in your hands as the consumer,” Jiang assures. “Our policy is we collect the minimum amount of information we need to operate and make your life easy and abide by the law…A lot of tech companies we’ve seen collect the maximum amount of information. That’s the ethos that separates us from others.”


The beauty of burner cards

Privacy icon on Google Chrome Extension

As long as your bank is one of the institutions Privacy works with, you can use the company’s Google Chrome/Firefox extension to auto-generate new Privacy cards whenever you want (the service is also available in the iOS App Store, with support for Safari and Internet Explorer coming soon). You can keep using these cards or close them whenever you like. The company presently works with a handful of major banks and institutions such as Bank of America, Citibank, Capital One 360, Wells Fargo, Chase and a few others, but has been receiving a ton of requests from regional banks and credit unions to link up. Privacy’s app quickly reached number one on Product Hunt and received much attention on Hacker News.

The main advantage of Privacy’s burner cards is that having multiple cards linked to your bank account, each locked to a specific merchant, is a good way of reducing credit card fraud. A thief would be far less interested in stealing your card number if all they could do with it was pay for New York Times subscriptions, with maximum spending limits of $1,000 per day and $2,000 per month. Better still, if a number were leaked, you could track down which merchant was responsible, since each purchase has its own card number. The same goes for hidden charges, billing without consent, and merchants using what you buy online to market to you.

Secondly, Privacy lets you stop subscriptions and guard against deceptive recurring billing when you forget to cancel a “30-day free trial”: disable the virtual card and those pesky companies cannot bill you again. Additionally, a Privacy burner card works with any billing address, so if you choose to keep your personal details private, Privacy lets you do so.

Finally, the service is free, though you will need to create an account and link your bank to the site to sign up. The company makes its money by processing transactions every time a user spends with a Privacy card: the interchange fees that merchants or websites pay to Visa and issuing banks are shared with Privacy.


The sign-up process

Upon checking-out on a site, the Privacy icon appears in the card form

Privacy is all about simplicity for its users, and the sign-up process is the same. The steps are to download the software, register, and link a bank account, with optional two-factor authentication for extra security. After the Google Chrome/Firefox extension is installed, a Privacy icon pops up next to the credit card form when users finish shopping and go to the cart to check out. When the user clicks the Privacy button, the service automatically generates a new virtual Visa debit card specifically for the website they are shopping on. Privacy then connects to the user’s bank account so it can withdraw the money from it.

Privacy withdraws money from the chosen funding account

However, to create an account that connects your bank account to Privacy, you first need to hand over your online banking username and password, which means trusting Privacy with all your bank information for the process to work.

The company states that login details are “passed to your bank over a secure TLS (SSL) connection.” The company also says it is Payment Card Industry (PCI) compliant and uses a 256-bit encryption key to secure all details.

After the relevant accounts have been set up, there are two ways to create a new card: click the ‘Create Card’ button in the web app, or select ‘Create a New Card’ in the browser extension. If two-factor authentication was enabled, the user will be asked to enter a TFA token.

There are several options when creating a single-merchant card. Clicking the dollar-sign icon lets the user set a purchasing limit, which otherwise defaults to a maximum of $1,000 per day and $2,000 per month. Clicking the flame symbol creates a one-time-use burner card, and clicking the text cursor lets you give the card a memorable name. The final step is to click ‘Create card’, which produces a card complete with an expiry date and three-digit security code.

Source: PC World
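The card options just described (a merchant lock, a one-time burner flag, and the $1,000 per day / $2,000 per month default limits) amount to an authorization policy that is checked on every charge. The following is an added example written for this page, not Privacy.com’s code, showing how such a policy can be enforced per charge, how closing a card stops a forgotten trial from billing, and how a leaked number can be attributed to the merchant it was locked to. The card numbers, merchant names and the VirtualCard, authorize, close_card, leaked_from and demo names are all constructed for the illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

CENTS = 100  # amounts are kept in cents to avoid float rounding


@dataclass
class VirtualCard:
    number: str                      # constructed placeholder, never a real PAN
    merchant: Optional[str] = None   # merchant lock; None means any merchant
    single_use: bool = False         # "burner": closes after its first charge
    daily_limit: int = 1_000 * CENTS
    monthly_limit: int = 2_000 * CENTS
    closed: bool = False
    charges: list = field(default_factory=list)  # (date, merchant, cents)


def authorize(card: VirtualCard, merchant: str, amount: int, on: str) -> str:
    """Decide one charge dated `on` (ISO date). Returns 'approved' or the
    reason for the decline. Checks are ordered so that a stolen number locked
    to another merchant is rejected before any limit is consulted."""
    when = date.fromisoformat(on)
    if card.closed:
        return "declined: card closed"
    if card.merchant is not None and merchant != card.merchant:
        return "declined: merchant mismatch"
    spent_today = sum(c for d, _, c in card.charges if d == when)
    spent_month = sum(c for d, _, c in card.charges
                      if (d.year, d.month) == (when.year, when.month))
    if spent_today + amount > card.daily_limit:
        return "declined: daily limit"
    if spent_month + amount > card.monthly_limit:
        return "declined: monthly limit"
    card.charges.append((when, merchant, amount))
    if card.single_use:
        card.closed = True  # the number self-destructs after one use
    return "approved"


def close_card(card: VirtualCard) -> None:
    """The user stops a subscription or a forgotten free trial by disabling
    the card; any later billing attempt is declined."""
    card.closed = True


def leaked_from(cards: list, leaked_number: str) -> Optional[str]:
    """Attribute a leaked card number to the merchant it was locked to, since
    every merchant got its own number."""
    for card in cards:
        if card.number == leaked_number:
            return card.merchant
    return None


def demo() -> dict:
    """Walk through the scenarios the article describes with constructed data."""
    news = VirtualCard("4000-DEMO-0001", merchant="nytimes")
    trial = VirtualCard("4000-DEMO-0002", merchant="streaming-trial")
    burner = VirtualCard("4000-DEMO-0003", single_use=True)
    results = {}
    results["news_ok"] = authorize(news, "nytimes", 15 * CENTS, "2016-03-29")
    # Stolen number tried at another shop: the merchant lock rejects it.
    results["news_stolen"] = authorize(news, "electronics-shop", 15 * CENTS, "2016-03-29")
    # $15 already spent today, so another $1,000 exceeds the daily cap.
    results["news_over_day"] = authorize(news, "nytimes", 1_000 * CENTS, "2016-03-29")
    close_card(trial)  # user forgot to cancel the trial but closed the card
    results["trial_after_close"] = authorize(trial, "streaming-trial", 10 * CENTS, "2016-04-28")
    results["burner_first"] = authorize(burner, "any-shop", 50 * CENTS, "2016-03-29")
    results["burner_second"] = authorize(burner, "any-shop", 50 * CENTS, "2016-03-29")
    results["leak_source"] = leaked_from([news, trial, burner], "4000-DEMO-0001")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The limits are evaluated from the card’s own charge history, so a merchant-locked card with a small cap bounds the loss from a leaked number to what that one merchant can charge in a day or a month, which is the least-privilege idea behind issuing a separate number per merchant.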

Right now, Privacy is only available in the United States but if you would like to know more about the service, you can check out their official website.


Sources

[1] PC World

[2] Tech Times

[3] PC Mag

[4] Tech Crunch

[5] Inverse


Saturday, March 26th, 2016

Takeover of Free Public Wifi Kiosks All Over NYC Raises Privacy Concerns

“Internet access is not a choice, it’s a modern-life necessity”.

Thirty-four million Americans, nearly 10%, do not have basic broadband access to the Internet. This is something that the city of New York hopes to help change through its LinkNYC project. LinkNYC is a citywide Wifi system, with plans for thousands of hotspot kiosks to be placed throughout all 5 boroughs of the city. How many exactly? The goal is to have more than 7,500 Wifi hotspot hubs replace old pay phones, with 500 LinkNYC stations expected to be set up across New York City by mid-July, each hub providing a Wifi radius of 400 feet.


Out with the old, in with the new

The LinkNYC program is offered through a partnership between the city and CityBridge, a consortium of companies that runs the LinkNYC system. The free service will see New York City’s old pay phone booths replaced with LinkNYC hubs that act as wireless routers providing fiber Internet.

Source: LinkNYC

While still only in beta since its official launch last month, New York City’s municipal Wifi is already said to deliver a blazing-fast network through the nearly three dozen hubs already up and working; Internet speeds are registered at 10 times faster than the city’s current public Internet speeds, and all for free.

On top of that, at each station you can make free unlimited domestic phone calls, or charge your mobile with the USB charging ports for those running low on battery juice. Additional good news is that each station will also include built-in 911 emergency access, city maps and even Skype-calling capabilities.

The ability to provide these free services comes simply through advertising money by means of ads on the kiosks’ sides. Each hub doubles as large electronic advertising displays that could change multiple times throughout the day. The Verge estimates that the total ad revenue the city could potentially earn would be over $500 million by 2028.

Locality plans for LinkNYC hubs. (Source: LinkNYC)


Three main privacy concerns

Source: NYU Local

Sounding too good to be true? Well, the New York Civil Liberties Union (NYCLU) believes so too since they have expressed concerns about the privacy of people using these free Wifi hotspots to connect throughout the city. The privacy advocates had sent a letter to Mayor Bill de Blasio’s office voicing their concerns about the vagueness of the privacy policy involved.

The letter, signed by NYCLU Staff Attorney Mariko Hirose and Advocacy Director Johanna Miller, lists three main concerns:

1) how long user data will be retained

2) unclear language about government requests for user data

3) whether the “environmental sensors and cameras” that sit on the new Wifi hubs will feed into the Domain Awareness System, a city-wide police surveillance network

NYCLU raised privacy concerns that the email addresses users supply when signing in to the free service could be retained by CityBridge along with their browsing history. A further great concern for them was that the new project could be open to unwarranted NYPD surveillance, since it is potentially creating a massive database within ready reach of the NYPD.

They have written that they’re “concerned about the vast amount of private information retained” in the system, specifically worrying that the policy’s stipulation that personally identifiable information must be deleted “after 12 months of user inactivity” could be “effectively an indefinite retention period for people who use LinkNYC in their daily lives.”

Similarly, the NYCLU group feels CityBridge’s collection of user data such as “what websites they visit on their devices, where and how long they linger on certain information on a webpage, and what links they click” could prove just as invasive as gathering other personal information on a person. NYCLU emphasizes that CityBridge should rightly be notifying the users via email about any requests for data from the government, unless there’s a “lawful judicial order barring” them from doing so.


What LinkNYC and the Mayor’s office say

The Mayor and CityBridge responded quickly to the civil rights group’s letter. After much criticism on the privacy issues, the city responded to the backlash by reiterating that law enforcement does not have direct access to the information or the environmental sensors, that obtaining LinkNYC data would still require a subpoena, and that the system takes steps to protect data, including encryption to protect against would-be hackers.

Jen Hensley, general manager of LinkNYC, told The Huffington Post that the company would never sell a user’s private information and that law enforcement does not have unfettered access to the data.

“CityBridge would require a subpoena or similar lawful request before sharing any data with the NYPD or law enforcement, and we will make every effort to communicate government requests to impacted users,” Hensley stated.

Hensley also addressed NYCLU’s third concern regarding LinkNYC’s cameras, assuring that LinkNYC does not collect or store any data on users’ personal web browsing on their own devices. If a government request for a user’s information is received, a spokesperson for LinkNYC said that “reasonable attempts” would be made to contact the user via the email address they provided to use the service.

Correspondingly, Natalie Grybauskas, the New York City mayoral spokesperson speaking on behalf of Mayor Bill de Blasio, told the Huffington Post there are privacy protections in place on the public Wifi system and said the “privacy policy is the best way to protect New Yorkers and LinkNYC users while they safely and securely enjoy free superfast Wi-Fi across the five boroughs.”

“New York City and CityBridge have created customer-first privacy protections to ensure our users’ personal information stays that way – personal. We believe our privacy policy is the best way to protect New Yorkers and LinkNYC users while they safely and securely enjoy free superfast Wi-Fi across the five boroughs. We will continue to work to ensure legitimate concerns are addressed.”

As to the NYCLU’s concerns regarding the Domain Awareness System, Grybauskas also confirmed that LinkNYC’s cameras and environmental sensors do not feed into it and that the NYPD would have to issue a subpoena to obtain any information from the LinkNYC system. She also echoed Jen Hensley’s statement that no personal information will be shared or sold for third-party use unless a subpoena or court order requires it.

Sources

[1] Tech Times

[2] Fast Company

[3] Huffington Post

[4] Gizmodo

[5] State Scoop

[6] CBS News

[7] Fusion

©  2012 BolehVPN. All rights reserved. Sales: [email protected] | Support: [email protected]