BolehVPN: Freedom Through Security

Lenovo installed malware into your laptop that breaks your web security

February 21st, 2015

Lenovo recently admitted that it had been installing software called Superfish on customers' consumer laptops sold between September 2014 and January 2015, although we understand that ThinkPads were unaffected. Superfish was meant to improve the customer's shopping experience by analysing the images you see during your browsing sessions and scouring more than 70,000 stores for similar products that might have lower prices.

You can test whether you have Superfish installed by heading to the test page made by security researcher Filippo Valsorda.

The problem is that this introduced a serious vulnerability. To see the images inside HTTPS pages, Superfish installs its own root certificate into the Windows trusted certificate store and then intercepts encrypted web connections, re-signing every site's certificate on the fly: a man-in-the-middle attack, performed for the sake of advertising. To add insult to injury, security researchers who dug into Superfish extracted the private key of that root certificate and cracked the password protecting it. Because the very same certificate and private key were shipped on every affected laptop, anyone holding that key can impersonate any HTTPS site (your bank included) to any affected machine, and the browser will show no warning.

The sort of rubbish this causes is illustrated by this screenshot:

[Screenshot: B-LnO_4CUAAHo5c.png]

Lenovo has now released a removal tool, and we recommend that those affected run it as soon as possible. Note that uninstalling the Superfish application alone does not remove its root certificate; check that the certificate is gone from the Windows trust store, and from any browser such as Firefox that keeps its own certificate store.
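For readers who would rather check from a script than trust a web page, here is an added example (my own code, not Lenovo's, Superfish's or the test page's) that does the same thing the test page does in the browser: look at who issued the certificate a site presents. A genuine site is never issued by "Superfish, Inc."; if it is, the local Superfish proxy is re-signing the connection. On Windows it can also scan the machine's trusted root store. The two sample certificates are constructed for illustration, in the dict format that Python's ssl.SSLSocket.getpeercert() returns.

```python
"""Detect Superfish-style HTTPS interception (added example, not page code)."""
import socket
import ssl

# Constructed: what getpeercert() would return on an intercepted connection.
SAMPLE_INTERCEPTED = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Superfish, Inc."),),
        (("commonName", "Superfish, Inc."),),
    ),
}

# Constructed: the same site as seen on an unaffected machine.
SAMPLE_NORMAL = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Certificate Authority"),),
        (("commonName", "Example CA"),),
    ),
}


def rdn_values(name, attribute):
    """Collect every value of one attribute (e.g. 'organizationName') from a
    getpeercert()-style name: a tuple of RDNs, each a tuple of (type, value)."""
    return [value for rdn in name for typ, value in rdn if typ == attribute]


def issuer_is_superfish(peercert):
    """True if the certificate's issuer names Superfish anywhere."""
    issuer = peercert.get("issuer", ())
    names = rdn_values(issuer, "organizationName") + rdn_values(issuer, "commonName")
    return any("superfish" in n.lower() for n in names)


def superfish_in_root_store():
    """Windows only: count Superfish certificates in the machine's trusted
    root store. DER stores the subject name as plain bytes, so a substring
    search is enough for this purpose. Returns 0 on other platforms."""
    if not hasattr(ssl, "enum_certificates"):
        return 0
    return sum(1 for der, _enc, _trust in ssl.enum_certificates("ROOT")
               if b"Superfish" in der)


def site_is_intercepted(host, port=443):
    """Connect with normal verification and inspect the issuer. On an affected
    laptop the Superfish root is trusted, so the forged chain validates and
    getpeercert() shows Superfish as the issuer; on a clean machine the real
    CA shows up instead."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return issuer_is_superfish(tls.getpeercert())


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"
    print("Superfish certificates in root store:", superfish_in_root_store())
    print(host, "intercepted:", site_is_intercepted(host))
```

Run it with a hostname as the argument on the laptop in question. The connection is made with normal verification on purpose: if Superfish is trusted, the forged chain validates and the issuer gives it away; if the proxy has been removed but the certificate left behind, the root-store count still flags it.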

Lenovo isn’t alone in using this type of software….

Protecting your Data while in transit and in the cloud

February 21st, 2015

Most IT users are familiar with antivirus and anti-spyware software. What is often overlooked is the security of the data they transmit and store online, trusting the default technologies or the security of the companies that provide these services.

Transmission of Data Online


Any time we use a public Wi-Fi hotspot or plug into a local area network (LAN), everyone else on that access point or LAN can capture our traffic and see whatever we send through it. Many websites used to apply HTTPS (HTTP over TLS) only at the login stage; once authentication was complete, data such as session cookies flowed unencrypted over the network. The most famous exploit of this was as recent as 2010, when a Firefox extension called Firesheep let anyone on the same network capture the unencrypted cookies of Facebook and Twitter users and hijack their sessions. Site-wide HTTPS was only made mandatory on Facebook in October 2012. Even when HTTPS is properly implemented, bugs such as last year's Heartbleed let an attacker read chunks of a server's memory, which could include users' credentials and session IDs.
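The Firesheep problem is visible in the server's own headers, so it can be checked without any sniffing. The following is an added example, not from the original post: it parses the Set-Cookie headers of a raw HTTP response and reports session cookies that lack the Secure attribute (the browser will send them on any plain http:// request, which is exactly what Firesheep captured), cookies that lack HttpOnly, and whether the site tells browsers to stay on HTTPS via Strict-Transport-Security. The two responses are constructed for illustration: one the way sites were typically configured in 2010, one hardened.

```python
"""Audit HTTP responses for the Firesheep weakness (added example, not page code)."""

# Constructed: login succeeded over HTTPS, but the session cookie may travel
# over plain HTTP afterwards because it lacks Secure, and nothing tells the
# browser to stay on HTTPS.
LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session_id=abc123; Path=/; Expires=Wed, 21 Oct 2015 07:28:00 GMT\r\n"
    "\r\n"
    "<html>logged in</html>"
)

# Constructed: the hardened version of the same response.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: session_id=abc123; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
    "<html>logged in</html>"
)

MISSING_SECURE = "missing Secure: cookie is sent over plain HTTP and can be sniffed"
MISSING_HTTPONLY = "missing HttpOnly: cookie is readable by injected JavaScript"


def parse_headers(raw):
    """Return [(name, value), ...] for the header block of a raw response;
    names are lower-cased because HTTP header names are case-insensitive."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:        # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers


def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie_name, {attribute: value});
    attribute names are lower-cased, flag attributes such as Secure map to ''."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_response(raw):
    """Return {'hsts': bool, 'cookies': {cookie_name: [problems]}}."""
    report = {"hsts": False, "cookies": {}}
    for name, value in parse_headers(raw):
        if name == "strict-transport-security":
            report["hsts"] = True
        elif name == "set-cookie":
            cookie, attrs = parse_set_cookie(value)
            problems = []
            if "secure" not in attrs:
                problems.append(MISSING_SECURE)
            if "httponly" not in attrs:
                problems.append(MISSING_HTTPONLY)
            report["cookies"][cookie] = problems
    return report


if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(raw))
```

Feed it the headers captured from a real login response (for example from your browser's developer tools) to see whether your own sites still make the 2010 mistake.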

More worryingly, mobile networks aren't as secure as once thought either. Just yesterday it was revealed that the British spy agency GCHQ, together with the NSA, hacked into the internal networks of Gemalto, the largest manufacturer of SIM cards in the world, and stole the encryption keys burned into the cards. Gemalto produces some 2 billion SIM cards a year for telcos such as AT&T, T-Mobile, Verizon and Sprint and around 450 wireless network providers worldwide. With those keys, the agencies can decrypt the mobile traffic of billions of users passively, as simply as tuning in to an FM radio broadcast, without needing any search warrant.

Many instant messaging services such as WhatsApp, Snapchat and Viber, although they encrypt messages in transit, have questionable encryption designs, and almost all of these companies hold the private keys needed to decrypt that traffic. One particularly bad offender is WhatsApp, which from 2009 to 2012 applied no encryption at all to its messages, and even when it added protection it used a painfully rudimentary scheme in which a password derived from your phone's IMEI protected your account.

How do you Protect your Data Transmissions?

For computers, a VPN encrypts all traffic in and out of the computer between it and the VPN server, preventing interception on the local network and at the ISP, and adding another layer of protection where a site doesn't implement encryption properly or has a vulnerability of its own (traffic between the VPN server and the destination site is still only as protected as the site's own HTTPS). I2P and Tor are other options, but they require more technical knowledge to set up, and Tor at least brings its own security concerns, such as exit nodes being able to read any traffic that is not itself encrypted. Both are also generally much slower than a VPN.

Securing phones is a bit trickier, as they have two different channels, one for voice and one for data, and different tools are required to secure each. For the data channel a VPN works, but for voice and SMS users can protect themselves with freely available apps such as TextSecure, RedPhone and Signal, which encrypt those communications end to end (both parties need the app for the call or message to be protected).

For IM services, head over to the EFF's Secure Messaging Scorecard for a review of popular instant messaging services, to compare and pick a messenger with a privacy focus. I personally use Telegram's secret chat function, which combines ease of use with decent security, although there are arguably more cryptographically secure IMs out there.

Storage of Files in Cloud Services


Dropbox, OneDrive, Box, Google Drive and Apple's iCloud are now ubiquitous parts of our lives, allowing us to bring our files anywhere we go. We entrust a lot of information to such services, with many people storing documents, password databases and other sensitive files and relying on the company to take care of the security. The providers claim high-grade encryption and best security practices. Reality shows, however, that even the largest cloud storage providers suffer hacks and hiccups that can compromise your files' security.

In 2011 Dropbox introduced a bug that let anyone log into any account without the right password. The bug took about four hours to fix, and during that time affected users' accounts were left wide open. In late 2014 Apple's iCloud had no brute-force protection on one of its login endpoints, which allowed attackers to guess passwords and expose private intimate photos of celebrities. Dropbox, Box and Google Drive have each had some form of shared-link vulnerability, where the URL of a privately shared file leaked to third parties (for instance through the Referer header when a link inside the shared document was clicked), letting them see your files. OneDrive for Business was caught silently modifying Office files stored with it, inserting a unique identifier that could potentially be matched to a company or a specific user's account.

These are but a handful of security issues plaguing cloud services and these are only the known issues.

How do you Protect Your Cloud Storage?

For end users who want to keep the convenience of cloud storage, I would recommend keeping sensitive files in an encrypted container stored inside your cloud folder. TrueCrypt used to be the leader here and is still widely used despite the mysterious halt in its development, but there are alternatives such as VeraCrypt, a fork that adds further hardening. The container is encrypted on your own machine, so the key never leaves it and the provider only ever sees ciphertext: should your cloud provider suffer a breach, your data remains safe as long as your passphrase is strong.
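The principle behind the container approach (the provider only ever sees ciphertext, and the key is derived from a passphrase that never leaves your machine) can be shown for a single file. The following is an added example of my own, not TrueCrypt or VeraCrypt code and not part of the original post. It assumes the third-party cryptography package is installed (pip install cryptography), stretches the passphrase with scrypt, and uses AES-256-GCM so that any modification of the stored blob, by the provider or by anyone who obtains it, is detected on decryption. The blob layout (magic, salt, nonce, ciphertext) is my own choice for the example.

```python
"""Client-side encryption of a file before upload (added example, not page code).

Blob format (my own choice): MAGIC(4) | salt(16) | nonce(12) | AES-256-GCM ct+tag
"""
import hashlib
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

MAGIC = b"ENC1"
SALT_LEN = 16
NONCE_LEN = 12
HEADER_LEN = len(MAGIC) + SALT_LEN + NONCE_LEN
TAG_LEN = 16


def derive_key(passphrase, salt):
    """Stretch the passphrase with scrypt so that guessing against a leaked
    blob is expensive. n=2**14, r=8, p=1 are the interactive-use parameters
    from the scrypt paper (16 MiB); raise n for data at rest if memory allows."""
    return hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=32)


def encrypt_blob(plaintext, passphrase):
    """Encrypt bytes under a passphrase; fresh random salt and nonce each time."""
    salt = os.urandom(SALT_LEN)
    nonce = os.urandom(NONCE_LEN)
    header = MAGIC + salt + nonce
    key = derive_key(passphrase, salt)
    # The header is bound as associated data, so tampering with the salt or
    # nonce (not just the ciphertext) is detected on decrypt.
    return header + AESGCM(key).encrypt(nonce, plaintext, header)


def decrypt_blob(blob, passphrase):
    """Return the plaintext, or raise ValueError if the blob was modified or
    the passphrase is wrong (GCM cannot distinguish those two cases)."""
    if len(blob) < HEADER_LEN + TAG_LEN or not blob.startswith(MAGIC):
        raise ValueError("not an ENC1 blob")
    header = blob[:HEADER_LEN]
    salt = header[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = header[len(MAGIC) + SALT_LEN:]
    key = derive_key(passphrase, salt)
    try:
        return AESGCM(key).decrypt(nonce, blob[HEADER_LEN:], header)
    except InvalidTag:
        raise ValueError("wrong passphrase or blob tampered with") from None


def encrypt_file(src, dst, passphrase):
    """Write the encrypted form of src to dst (dst is what goes in the cloud folder)."""
    with open(src, "rb") as f:
        data = f.read()
    with open(dst, "wb") as f:
        f.write(encrypt_blob(data, passphrase))


def decrypt_file(src, dst, passphrase):
    with open(src, "rb") as f:
        blob = f.read()
    with open(dst, "wb") as f:
        f.write(decrypt_blob(blob, passphrase))


if __name__ == "__main__":
    import sys
    mode, src, dst = sys.argv[1:4]
    passphrase = os.environ.get("FILE_PASSPHRASE") or input("passphrase: ")
    (encrypt_file if mode == "enc" else decrypt_file)(src, dst, passphrase)
```

Usage: python encfile.py enc passwords.kdbx Dropbox/passwords.kdbx.enc, then dec the other way. Every encryption uses a fresh salt and nonce, so re-encrypting the same file produces a different blob; the authentication tag means a provider that corrupts or alters the stored blob cannot hand you silently modified plaintext.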

Another option, for businesses, is a private dedicated cloud. Compared with public cloud solutions like Dropbox, where access and data control are in the hands of a third party, a private cloud gives you complete control over all programs and storage, but that means your in-house team has to be up to the task of securing your data. For example, Singlehop provides an excellent dedicated private cloud service.


We too often put too much trust in the large corporations that manage, store and transmit our data. With data breaches becoming commonplace, it makes sense to take security into our own hands and build multiple layers of protection. Thankfully, as seen above, there are plenty of freely available tools that can enhance your data security both in the cloud and in transit.

BolehVPN’s Warrant Canary

February 20th, 2015

We will be implementing a "warrant canary" system: in the first week of every month we will post a cryptographically signed message confirming that we have not been served any warrants, seizure or search orders, or requests to log. A canary only works if you check it, so verify the signature against our public key below and check that the statement is recent; a missing or stale canary is the signal. Legally speaking, we aren't sure of its efficacy, as there is no case law on it yet, but the EFF is of the opinion that it would hold.

The warrant canary will be updated regularly here.

Our PGP Public Key is

Version: GnuPG v2
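What the reader-side check looks like in practice, as an added example (my own code, not BolehVPN's): split a PGP clear-signed message into its signed text and signature as laid out in the RFC 4880 cleartext signature framework, pull out the statement date and confirm it is within the window a monthly canary should satisfy, and hand the signature itself to gpg when one is installed. The sample canary text, its "statement date YYYY-MM-DD" wording and its placeholder signature are constructed for the example; the real canary's format is not shown on this page.

```python
"""Reader-side freshness and signature check of a warrant canary (added example)."""
import re
import shutil
import subprocess
import tempfile
from datetime import date, timedelta

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

# Constructed sample; the signature block is a placeholder, not a real one.
SAMPLE_CANARY = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Warrant canary, statement date 2015-03-02.
As of this date we have not been served any warrants, seizure or search
orders, or requests to log.
- -- Signed monthly; a missing or stale canary should be treated as a warning.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

placeholder
-----END PGP SIGNATURE-----
"""


def split_clearsigned(text):
    """Return (signed_text, armored_signature). The signer dash-escapes any
    body line starting with '-' as '- '; that escaping is undone here."""
    lines = text.splitlines()
    try:
        start = lines.index(BEGIN_MSG)
        sig_start = lines.index(BEGIN_SIG)
        sig_end = lines.index(END_SIG)
    except ValueError:
        raise ValueError("not a PGP clear-signed message") from None
    # Armor headers ("Hash: ...") run up to the first blank line.
    body_start = start + 1
    while body_start < sig_start and lines[body_start].strip():
        body_start += 1
    body = [line[2:] if line.startswith("- ") else line
            for line in lines[body_start + 1:sig_start]]
    return "\n".join(body), "\n".join(lines[sig_start:sig_end + 1])


def statement_date(signed_text):
    """Extract the date the publisher wrote into the statement."""
    m = re.search(r"statement date (\d{4})-(\d{2})-(\d{2})", signed_text)
    if not m:
        raise ValueError("no statement date in canary")
    return date(*map(int, m.groups()))


def is_fresh(signed_text, today, max_age_days=40):
    """A canary posted in the first week of each month should never be more
    than about 40 days old; a future date is also rejected."""
    age = today - statement_date(signed_text)
    return timedelta(0) <= age <= timedelta(days=max_age_days)


def gpg_verify(text, keyring=None):
    """Run `gpg --verify` on the full clear-signed text. True only if gpg
    accepts the signature, False if it rejects it, None if gpg is absent."""
    if shutil.which("gpg") is None:
        return None
    cmd = ["gpg", "--batch", "--verify"]
    if keyring:
        cmd += ["--no-default-keyring", "--keyring", keyring]
    with tempfile.NamedTemporaryFile("w", suffix=".asc", delete=False) as f:
        f.write(text)
        path = f.name
    return subprocess.run(cmd + [path], capture_output=True).returncode == 0


def check_canary(text, today):
    """Overall verdict: fresh AND signature accepted (None if gpg is missing)."""
    signed_text, _sig = split_clearsigned(text)
    fresh = is_fresh(signed_text, today)
    verified = gpg_verify(text)
    return {"fresh": fresh, "signature_ok": verified,
            "ok": fresh and verified is True}


if __name__ == "__main__":
    print(check_canary(SAMPLE_CANARY, date.today()))
```

Import the publisher's key into a dedicated keyring first (gpg --no-default-keyring --keyring canary.kbx --import key.asc) and pass that keyring to gpg_verify, so that a stray key in your main keyring cannot make a forged canary verify. Note that the sample's placeholder signature is rejected by gpg, as it should be.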


Kaspersky Lab reveals NSA malware that infects Hard Drive firmware

February 18th, 2015

Kaspersky Lab, a prominent antivirus vendor, recently revealed that an advanced hacking group it calls the "Equation Group" has been installing malicious firmware on hard drives from more than a dozen manufacturers (basically everyone). Because the HDD firmware itself is reprogrammed, the infection is extremely persistent: it survives formatting the drive and reinstalling the operating system, and gives the attackers "an invisible, persistent storage hidden inside the hard drive". The module that performs the reprogramming carries the innocuous-looking name "nls_933w.dll".

Although Kaspersky Lab does not name the NSA, Reuters' sources confirmed that the firmware was an NSA creation, which is further supported by the malware's close links to other seemingly state-sponsored programs such as Stuxnet and Flame.



On the bright side, the targets of this malware seem to be mainly in the Middle East and Russia, and according to Vitaly Kamluk, principal security researcher at Kaspersky Lab's Global Research and Analysis Team:

“Only a very select list of victims receive this. This is one of the most rare modules I have seen because it is so valuable, so they don’t want to expose it. It’s a precious plugin that’s used only in specific cases with somebody very important.” 

It is also very hard to detect:

“It’s extremely hard to detect. From the software level it’s impossible. You have to disassemble your PC to take out the hard drive and give it to an expert to dump the firmware. And then we think very few people in the world would be capable of analyzing, comparing and revealing the malicious code within that firmware. It’s an extremely rare specialist in this area.” 

So what do we do?


Destroy it!



At the moment it isn't clear how we can check whether we are infected, and our searches for a removal tool yielded only some unconvincing 'removal tools' of doubtful integrity (a tool claiming to fix this is itself a handy lure for installing something worse). Hang in tight; in general, if you're not a high-value target, you most likely aren't affected.


TM Net has detected a fault on the Asia-America Gateway (AAG) submarine cable

February 5th, 2015


To our Malaysian customers,

Telekom Malaysia Berhad (TM) has informed us that a fault has been detected on the Asia-America Gateway (AAG) submarine cable system, at a segment near the Philippines linking Malaysia to the United States and North Asia.

During this period, Internet users may experience intermittent slow browsing and high latency while accessing international websites mainly hosted in the United States (US), North Asia and Europe. Customers using Virtual Private Networks (VPNs) and other critical business applications linked to US, North Asia and Europe may also experience similar issues.

The restoration work is expected to be completed on Saturday, 7 February 2015, subject to sea conditions, the identification of the actual location of the fault and the challenges presented working at great sea depths and pressure.


Edit: the latest reports state that the estimated restoration date has been extended to 11 February 2015 due to challenging sea conditions and additional repairs being required.