Image: Peloton

We’ve witnessed some upsetting security incidents in the United States of America recently. As a new president is entering the White House, the latest security concern is in fact… a bike! We’re not talking about an ordinary bike. Part of Joe Biden’s favourite fitness routine includes a Peloton exercise bike, which is a stationary exercise bike combined with an interactive tablet. This setup allows you to take part in group training sessions remotely, which is perfect when gyms are closed because of lockdowns, or when you’re keeping a busy schedule, for example because you were just elected president of the USA!

So what’s the concern? The bike is in fact part of the Internet of Things and contains a camera and microphone that connect to the Internet. Bringing these devices into the White House could potentially allow hackers to access them remotely and capture all kinds of sensitive information. I’m sure they’ll eventually work out a solution that will allow the President to stay fit and his conversations private. The good thing is that at least they’re aware of the risks being posed by bringing all kinds of devices in our homes online… quite unlike some unsuspecting people that recently had their Ring doorbells hacked or their stuffed animals taken hostage!

Image: Cloudflare

When you visit a webpage, send out an e-mail or watch a funny cat video, how does that particular piece of data find its way from one end of the Internet to the other? You may be aware that the Internet is a collection of many smaller networks, connected to each other using routers. When a router receives a packet of information, it will check the destination address and then forward it to the next router along the way. That router repeats the process, and so on, until the final destination is reached. So, how do routers know in what direction they should be forwarding these packets? The answer is that they use routing protocols to share information with one another. Suppose that router A knows of a way to reach a certain destination. It will communicate this route to other routers. On receiving this information, router B may answer: sure, you may know of a way to reach that destination, but I know this shorter route!

The Border Gateway Protocol

To connect various different networks together, we really all need to speak the same language. The routing protocol that thus forms the backbone of the Internet is BGP, the Border Gateway Protocol. Like many of the fundamental protocols that make the Internet work, it was not designed with much focus on security. Routers will simply accept the updates they receive from other routers, without validating their authenticity. And this is, in fact, a big problem!
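To make that concrete, here is a small added example (not part of the original post): a toy router that prefers the shortest AS path, run once accepting every update as described above and once checking the announced origin first. The origin check is modelled on RPKI-style route origin validation, which the post does not mention; the prefix, AS numbers and authorisation table are constructed for illustration.

```python
import ipaddress

# Constructed authorisation table: prefix -> (AS allowed to originate it, max prefix length)
ROAS = {ipaddress.ip_network("203.0.113.0/24"): (64500, 24)}

def origin_valid(prefix, as_path):
    """RPKI-style origin check. The origin AS is the last entry of the path."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_net, (asn, max_len) in ROAS.items():
        if net.version == roa_net.version and net.subnet_of(roa_net):
            covered = True
            if as_path[-1] == asn and net.prefixlen <= max_len:
                return "valid"
    # Covered by an entry but not matching it: someone else claims the prefix.
    return "invalid" if covered else "not-found"

class Router:
    def __init__(self, validate):
        self.validate = validate
        self.table = {}  # prefix -> best AS path seen so far

    def receive(self, prefix, as_path):
        """Handle one update; return True if it became the best route."""
        if self.validate and origin_valid(prefix, as_path) == "invalid":
            return False  # drop announcements from an unauthorised origin
        current = self.table.get(prefix)
        if current is None or len(as_path) < len(current):
            self.table[prefix] = as_path  # shorter path wins
            return True
        return False

def demo(validate):
    """Feed the same three updates to a router and return the path it ends up using."""
    r = Router(validate)
    r.receive("203.0.113.0/24", [64501, 64502, 64500])  # genuine route, three hops
    r.receive("203.0.113.0/24", [64503, 64500])         # "I know a shorter route!"
    r.receive("203.0.113.0/24", [64510])                # unverified claim by another AS
    return r.table["203.0.113.0/24"]

if __name__ == "__main__":
    print("trusting router uses  :", demo(validate=False))
    print("validating router uses:", demo(validate=True))
```

The trusting router ends up sending traffic towards AS 64510 simply because its claim was the shortest; the validating router keeps the genuine two-hop route.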


Donald Trump
Image: Jon Tyson on Unsplash

We’ve talked about the importance of choosing a good password before, and we’re happy to make this point again. Of course you should avoid using passwords like ‘secret’ or ‘12345’. Everybody else is using them and rest assured: hackers are well aware of that. In addition, you should also be careful not to use any personal information: anyone that knows you well enough to know your birthday, the name of your kids or your favourite pets, could have an easy way into your account.

It seems like Donald Trump did not receive this particular word of advice. A Dutch hacker was able to access his Twitter account after no more than 5 tries to guess his password! After entering the password ‘maga2020!’ (from his well-known campaign slogan: Make America Great Again), security expert Victor Gevers found himself having unrestricted access to the president’s 87 million followers. Amazingly, this was not the first time Gevers pulled this off: in 2016 he also managed to log in to Trump’s account using the password ‘yourefired’, the catchphrase from the hit TV series The Apprentice, which made Donald famous at the time.

If one hacker can accomplish this in a matter of minutes, just imagine what havoc a dedicated army of state-sponsored Chinese, Russian, or North-Korean hackers could wreak on the accounts of the President of the United States.

The moral of this story: don’t be like Donald. Use a password manager to generate and store strong passwords. Also enable two-factor authentication when you can!

Update: after posting, I found an interesting article on the Vrij Nederland website, explaining more about Gevers’ approach as an ethical hacker and his commitment to responsible disclosure. Meanwhile Twitter claims to see no evidence of this hack.

December 17, another update: after this news was initially released, it caused quite some controversy. Many people didn’t believe any of this really happened and suspected Gevers of boasting, while others pointed out his respected reputation in the field of cyber security. Twitter denied seeing evidence of the hack, as I added to the story at the time. The White House also issued a denial, which I didn’t add, as I prefer to report from reliable sources only. In what will perhaps be the final word, the Dutch Ministry now confirmed, based on an investigation by the national police’s High Tech Crime unit, that this hack did in fact take place.

Wired Magazine
Image: Ramona Rosales, Wired.com

Today’s recommended reading: the story of Marcus Hutchins, about a boy growing up to develop extraordinary computer skills, slowly being swayed towards the dark side of hacking, then ending up saving the world (and quite literally saving lives) by stopping the infamous WannaCry ransomware attack, only to find himself being haunted by his past…

Please read the excellent article on Wired.com.

Great Wall of China
Image: Joel Danielson on Unsplash

A surprisingly large number of countries exercise at least some control over what content their citizens can and cannot access on the Internet. In many cases, this means very selective blocking of information considered to be harmful, but a handful of countries have developed much more powerful tools to regulate Internet access for political and social reasons. I’m planning to write a few articles about Internet censorship, starting with a look at the country that didn’t just build the great wall to keep outsiders out – it also built the Great Firewall. We’ll start in China!


Russian nesting dolls
Image: Alina Grubnyak on Unsplash

Dutch intelligence apprehended four Russian hackers, associated with the Russian secret service unit GRU, in the process of trying to hack into the OPCW, the international organisation keeping an eye on the use of chemical weapons. Apart from being a job well done, the Dutch operation also gives us some insight into the way the Russian cyber operatives go about their business.

Pictures provided by the Dutch Ministry of Defence show that the GRU operatives rented a car and hid all kinds of computer and network equipment in the trunk. Then they quietly parked the car next to the OPCW building, putting them in a good spot to intercept the organisation’s WiFi communications and allowing them to try to hack into the network.

Their equipment included a computer with an extra battery to power everything, connected to a cellphone, an extra powerful WiFi antenna hidden under a coat as well as a WiFi pineapple. This device, which you can buy online for about $100 (though I’m unsure whether GRU would allow for the budget to get the optional morale patch), is essentially a WiFi access point that is specifically equipped to listen in on WiFi traffic in the area.

If there’s a lesson to be learned: if you see four guys in a Citroën C3 parked around the corner, double-check to make sure you’re still connected to the right access point!

Image: Wired.com

A little over a year ago, we were taken aback by news of a devastating cyberattack. Striking in many countries all over the world and crippling hospitals, shipping companies and even chocolate factories, a piece of malware called NotPetya ended up causing over 10 billion dollars of damage.

What was NotPetya and where did it come from? Wired has written an excellent article exploring these questions and making the case that NotPetya was a Russian cyberweapon unleashed on the Ukraine, that – just maybe – got a little bit out of control. Read more on wired.com…

Wired has published a great article on the “Crypto Wars”: the ongoing debate between people that want to protect their data and privacy by using cryptography, versus those people (usually in government and law enforcement) that still want to be able to access that encrypted data to do useful things like tracking criminal networks, identifying terrorists or finding missing persons… or just to spy the heck out of us without any proper democratic oversight, depending on whose side of the argument you’re on. Public-private key cryptography might in fact even be able to provide a way to satisfy both parties. A lengthy but very insightful article, making it today’s recommended reading.