BolehVPN Security Upgrade incoming!


BolehVPN has been running for almost ten years now and in our continuous efforts to stay ahead in the security race, we feel that this is the right time to do a complete update and upgrade of our PKI security implementation to eliminate and reduce current and future threats in encryption technology.

This is a major update and would involve an update of keys and configurations. The whole process would approximately take a day to complete and we will give notice once a firm date has been decided on. We apologize for the inconvenience and will endeavour to keep disruptions to a minimum.

For those who want to know the technical details:

  1. Deployment of server and certificate authority (CA) public keys at an RSA 4096-bit key length.
  2. All new keys issued to users will be signed by the new CA. This takes effect upon renewal or new orders.
  3. Old keys remain usable until June 2017.
  4. All user key requests will use RSA 2048-bit keys.
  5. All servers will require TLS 1.1 as the minimum TLS version, which effectively removes SSL 3.0 vulnerabilities. We wanted to deploy TLS 1.2, but due to incompatibility with older operating systems this is not possible at this time. However, users are advised to check for compatibility if any issue arises.
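As an added illustration (not BolehVPN's own tooling), the following script builds a throwaway PKI in the announced layout, a 4096-bit RSA CA with a 2048-bit RSA user certificate signed by it, and checks both key sizes and the chain with openssl. The CA and user names are made up and everything lives in a temporary directory.

```shell
#!/bin/sh
# Added example, not BolehVPN's tooling: a throwaway PKI in the announced layout
# (4096-bit RSA CA, 2048-bit RSA user key signed by it), built in a temp directory
# and checked with openssl. Names are made up; no real keys are involved.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. Certificate authority: 4096-bit RSA, self-signed, SHA-256, 10 years.
openssl req -x509 -newkey rsa:4096 -nodes -sha256 -days 3650 \
  -subj "/CN=Example VPN CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# 2. User key: 2048-bit RSA request, then signed by the new CA for one year.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=user-0001" \
  -keyout "$WORK/user.key" -out "$WORK/user.csr" 2>/dev/null
openssl x509 -req -sha256 -days 365 -CAcreateserial \
  -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -in "$WORK/user.csr" -out "$WORK/user.crt" 2>/dev/null

# Print the RSA modulus size in bits of a PEM certificate.
key_bits() {
  openssl x509 -in "$1" -noout -text \
    | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Exit 0 when the certificate in $2 chains to the CA in $1, non-zero otherwise.
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Policy check from the announcement: CA >= 4096 bits, user cert >= 2048 bits,
# and the user cert must verify against the CA. Returns 0 on pass.
policy_ok() {
  [ "$(key_bits "$1")" -ge 4096 ] &&
  [ "$(key_bits "$2")" -ge 2048 ] &&
  chain_ok "$1" "$2"
}

if policy_ok "$WORK/ca.crt" "$WORK/user.crt"; then
  echo "PKI matches the announced policy (CA $(key_bits "$WORK/ca.crt") bits, user $(key_bits "$WORK/user.crt") bits)"
else
  echo "PKI does NOT match the announced policy" >&2
  exit 1
fi
```

The TLS 1.1 floor in step 5 is a transport setting on the server (OpenVPN's tls-version-min directive), separate from the certificate work shown here.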

How Charging Your Phone Using a Laptop Could Get You Hacked


When your phone’s battery is running low, you would have probably never thought twice before plugging it to charge through your laptop or to freely available charging points like at airports, cafes, on public transport or even free hotspot kiosks provided by your very own city. Nevertheless, security experts are warning why you may want to lay off charging your devices this way and opt for your traditional charger or powerbank instead.


Source: LinkNYC

A research team at security firm Kaspersky Labs discovered that it is entirely possible to hack a phone and install a third-party application such as a virus onto it while it is being charged through a USB cable connected to a laptop. The simple act of charging your phone could potentially give hackers access to all your personal details from the moment you plug in your device. Curious about what and how much data is transferred between a mobile and the charging point, the Kaspersky team set out to research these questions. The answer: a lot. In fact, data is transferred between your phone and the charger it is plugged into as soon as the charging connection is made, and the whole process took them under three minutes.

During the study, the Kaspersky researchers tested devices running different versions of iOS and Android to see what data is transferred while connected to a Mac or PC for charging. According to the researchers, plugging your iPhone or Android phone into a computer results in a whole load of data being exchanged between the two devices. The phones tested leaked a host of private data during the ‘handshake’. The amount varied depending on the device and host, but it always included a basic set of information: the phone’s name, the manufacturer, the device type, the serial number, firmware information, operating system information, the file system and the electronic chip ID.

Extra: A ‘handshake’ begins when one device sends a message to another device indicating that it wants to establish a communications channel. The two devices then send several messages back and forth that enable them to agree on a communications protocol.

While this information may seem harmless to us, Kaspersky warns that this data would be sufficient for a hacker to break into your phone and take control of it. For many, our phones have turned into extra limbs we could not imagine living without. Much of our daily lives are integrated with our phones, and they serve as unique identifiers to third parties who might be interested in collecting such data for some subsequent use. What concerned the Kaspersky researchers is that exposing the firmware version in use and the unique device identifier could allow hackers to target the device with a specific exploit.

Kaspersky explained that it is ill-advised to charge phones using a public USB port or through a laptop. During several of their tests, the security experts were able to silently install a root application on a dummy phone this way, using a regular PC, a standard micro USB cable and a set of special commands (so-called AT commands), which left the device exposed. It amounted to a total compromise of the smartphone, even though no malware was used.


Source: Mirror

In fact, this is not the first time this has been heard of, nor even the first time that the theft of data from a mobile connected to a computer has been observed. This technique was used in 2013 as part of the cyberespionage campaign Red October. Additionally, the notorious Italian Hacking Team group carried out a similar process, making use of a computer connection via the USB port to infect a phone with malware. They planned the attack around the victim’s device model, which the hackers obtained through the USB-connected computer. “That would not have been as easy to achieve if smartphones did not automatically exchange data with a PC upon connecting to the USB port,” Kaspersky Labs said. According to Mirror, by checking the identification data received from the connected device, the hackers were able to discover what device model the victim was using and then use this information to tailor their attack.

This proof of concept was presented in 2014 at Black Hat, when researchers demonstrated how they were able to infect devices with malware using AT commands by plugging them into fake charging stations in public places. Now, two years on from the original announcement, the Kaspersky experts are still amazed that the same method still successfully reproduces the results.

“It is strange to see that nearly two years after the publication of a proof-of-concept demonstrating how a smartphone can be infected through the USB, the concept still works,” said Alexey Komarov, researcher at Kaspersky Lab.

He went on to warn that: “The security risks here are obvious: if you’re a regular user, you can be tracked through your device IDs; your phone could be silently packed with anything from adware to ransomware. And, if you’re a decision-maker in a big company, you could easily become the target of professional hackers”.


Protecting yourself

Worried about getting hacked just by wanting to charge your phone through your laptop? Kaspersky Lab provides a list of tips on several techniques to protect yourself:

  • Use only trusted USB charging points and computers to charge your device
  • Protect your mobile phone with a password, or with another method such as fingerprint recognition, and do not unlock it while charging
  • Use encryption technologies and secure containers (protected areas on mobile devices used to isolate sensitive information) to protect the data
  • Use encrypted apps like WhatsApp, Telegram, Wired etc. to communicate
  • Install some kind of antivirus software that is capable of detecting malware even if a “charging” vulnerability is used
  • Update your mobile operating system to the most recent version, as that will have the most up-to-date bug fixes


Sources

[1] Kaspersky Lab

[2] Telegraph

[3] Mirror

[4] Coventry Telegraph

[5] IT Pro

[6] Tech Worm

China’s Government Fakes Over 488 Million Social Media Posts, Study Shows


Source: Social News Daily

The headline probably comes as no surprise. A recent investigative paper, published May 17th, describes how the Chinese government, long rumoured to hire as many as two million people, fabricates social media posts for strategic distraction. The study, led by Harvard University data scientist Gary King and co-authored by academics from Stanford and the University of California, takes a look at China’s ‘Fifty Cent Party’, described by the researchers as a “massive secretive operation”.

‘Fifty Cent Party’ refers to the government employees who were believed to be paid 50 Chinese cents (US$0.08) by the government for each social media comment posted with pro-government sentiments. The study, however, found no evidence that the fabricated posts were being paid for; rather, they were written by government employees contributing as part of their job responsibilities. The researchers were surprised to find that nearly all the posts were written by workers at government agencies including tax and human resource departments, and even at courts.

Additionally, while the study highlights how far China’s authorities are willing to go to closely monitor, censor and control their news, the paper also suggests that the fabricated posts shy away from arguments and controversial issues. The estimated 488 million fabricated social media posts per year are instead thought to have the goal of “regularly distract[ing] the public and chang[ing] the subject” from any policy-related issues, and are posted during times of social unrest, a major political event, or when a controversial issue is being widely debated. Many of the posts do not attempt to rebut or argue with critical commenters, the researchers found.

“They do not step up to defend the government, its leaders, and their policies from criticism, no matter how vitriolic; indeed, they seem to avoid controversial issues entirely… Letting an argument die, or changing the subject, usually works much better than picking an argument and getting someone’s back up,” the paper said.

Approximately half of the posts appear as posts and comments on government websites, while the other half are injected into the streams of 80 billion commercial social media posts via sites such as Baidu and Weibo.

The research team based their paper primarily on documents and spreadsheets leaked in 2013 and 2014 from a trove of emails sent from the Internet Propaganda Office of Zhanggong, a county-level district of nearly half a million people in Ganzhou City, in Jiangxi, a province in southeast China. The leaked archives included a mix of email formats, programs and attachments. This required the research team to crack the multiple formats and deploy automated text analysis and extraction using their own customised computer code, with which they successfully extracted 2,341 e-mails, of which more than half contained a Fifty Cent post, and 43,797 Fifty Cent Party posts used to identify the style of other propaganda posts inside the dispatches. According to CNN, the academics extrapolated from that sample in an effort to estimate the true scale of official activity on social media sites and the number of government-fabricated posts that could be posted nationwide. The emails were said to include messages from workers claiming credit for carrying out their ‘Fifty Cent’ assignments, with posts typically spiking during periods when social unrest was gaining momentum, an indication of “a high level of coordination on the part of the government”.

The leaked documents disclosed the names and online pseudonyms of over two million people employed by the Chinese authorities to write deceptive posts on their behalf in the stream of real social media posts, as if they were the genuine opinions of ordinary people. The research team were able to identify Fifty Centers by cross-referencing names from leaked emails with online social media profiles. They found the names, contact information and even photographs of many of the authors, although they chose not to disclose them.

As told by Bloomberg, the research team deduced the rules for the messages. Firstly, it was crucial for Fifty Cent workers not to engage in controversial issues. Secondly, it was part of their duty to stop discussion about potential collective or street protests through active distraction. While allowing some dissent serves the purpose of letting the regime gauge public opinion on local leaders, complete censorship would only serve to stir up anger.

“The main threat perceived by the Chinese regime in the modern era is not military attacks from foreign enemies but rather uprisings from their own people”.

Read the research paper here.


Sources

[1] Bloomberg

[2] BBC

[3] CNN

[4] Sky News

[5] Digital Trends

[6] China File

BolehVPN’s new website launched!

You will have noticed our new website launch! Nothing has changed, we’re still the same people providing you the same reliable service, just a new look and we hope you’ll like it. Bear with us as we sort out the minor bugs here and there.

We will however be pushing a series of major security updates over the next few weeks to further beef up our VPN security by increasing our key security and encryption and there will be a more detailed post on this soon!

The Smartphones Built for the Japan Government to Secretly Track Your Location


Source: Android Headlines

NTT DOCOMO, Inc. is the predominant mobile phone operator in Japan, headquartered in Chiyoda, Tokyo. At the beginning of 2015, it was the fourth largest public company in Japan in terms of market capitalization, ahead of companies such as Honda, Sumitomo Mitsui and Canon. NTT Docomo is said to have more than 68 million customers, roughly half the population of Japan, and generates an annual turnover of $22.9 billion. Despite being an independent corporation, NTT Docomo remains a subsidiary of the Japanese government, which owns a 33.7% majority share of the company.

The Japanese government may now be using this to its advantage, as NTT Docomo has recently announced new phone models that will enable the Japanese government to track users without consent. The mobile network giant has never denied working together with law enforcement in the past, previously openly stating that:

“If requested, we provided positional information using the GPS systems on phones to emergency services such as the police, ambulance services and the Japan Coast Guard, in line with proper guidelines”.

The mobile carrier announced on Tuesday that various new models of their smartphones will give powers to investigative authorities to track the owner’s locations and extract GPS data, without needing the explicit consent or knowledge of users.

Prior to this, such a move would not have been possible because of long-running guidelines issued by the Ministry of Internal Affairs and Communications. Carriers first had to obtain the permission of users before providing data to the authorities. So although the technology to track the location of smartphones using these methods already existed, the tracked person still had to agree to providing such data, mostly in relation to crime investigations. This changed in June 2015, when the Ministry of Internal Affairs and Communications decided to drop this requirement, making GPS tracking without consent possible.

Without the need to get permission from users, Docomo developed software that can discreetly track phones, and it plans to install that functionality on five Docomo Android smartphones over the next few months.


Source: The Japan Times

The five models proposed are the Xperia X Performance, the Galaxy S7 Edge, the Aquos Zeta, the Arrows SV and the Disney-branded Mobile. The Galaxy S7 Edge will be available in stores from Thursday, while the other models will go on sale in June. Other Docomo handsets will also be similarly upgraded through a firmware update, said to be released later this year, to implement the new remote tracking feature. All the phones mentioned in the report run Google Android, and while Docomo also sells Apple’s complete iPhone range, whether the iPhone range will receive the software update in the future is yet to be seen.

Naturally, this new development is ringing the alarm for experts and privacy advocates. Many privacy advocates regard it as illegal for carriers to distribute user locations without informing users, especially since Docomo would be granted access to a smartphone’s location at any time, information companies and advertisers are hungry for.

Although investigative authorities wanting location data from the smartphones will still need to obtain a court warrant before carriers hand it over, keeping our data and our privacy secure is a difficult matter to fight for, especially when large companies like Docomo are already relatively public with their stance on the side of law enforcement.

Lawyer Tsutomu Shimizu was deeply concerned over the new feature.

“This is an extreme invasion of privacy. It’s nothing like acknowledging merely which country you’re in. Positional information is highly private because it reveals people’s movements. However, I understand that investigative authorities would need such information in certain situations, so there should be a law passed to help public understanding.”

Although admitting positional data can be clues for criminal and rescue investigations, he added that further laws should be put in place to avoid abuse of the GPS tracking. “It is a common practice and belief internationally that personal information should not be distributed to external organizations,” he said.


Extra tips to turn off locations on your current phone

Android:

  • Open Settings
  • Scroll down to Location
  • You will see an on/off switch in the top right. Use this to turn location services on or off.
  • Tap on Location > Google Location History
  • There is a button in the top right that lets you turn your location history on or off
  • If you also want to delete your location history, go under Location History, and tap Delete Location History


Apple:

  • Go into Settings > Privacy > Location Services
  • You can individually control which apps and system services have access to your Location Services data.


Sources

[1] The Japan Times

[2] Digital Trends

[3] Android Authority

[4] Engadget

[5] Security Affairs

[6] Uber Gizmo