Guest Post: NordVPN Advises On How To Enhance Your Anonymity In 2017

Posted in Commentary with tags on January 16, 2017 by itnerd

Online security is becoming a bigger issue than ever, as 2016 seemingly brought one of the worst years ever when it comes to staying secure and private online. 2017 is not promising to be any better, considering increasingly restrictive surveillance laws are being passed around the world and authoritarian regimes are increasingly censoring the Internet.

When it comes to using public Wi-Fi, and especially managing financial transactions, it is well known that it’s not safe to use one’s credit card or to disclose any other personal information. For example, it has been shown that a Visa credit card can be hacked online in 6 seconds. Using cryptocurrency helps users stay anonymous to some extent, but what are the other ways to remain completely invisible online?

NordVPN, a Virtual Private Network service provider, identifies five key services that could significantly enhance your online anonymity and security.

Bitcoin. Bitcoin is a decentralized currency that does not belong to any country, only to its user. And when it comes to security, it’s hard to beat. Bitcoin online transactions are conducted without disclosing any personal financial information. When it comes to privacy, it’s certainly reassuring that no one can trace who the owner of a certain bitcoin account is. However, not all merchants accept bitcoin. In those cases where using a credit/debit card is the only option, extra security steps should be taken. Using strong passwords and updating them often, ensuring that websites are trusted (double-check for https), being wary of any suspicious redirects and using trusted encryption services (i.e. a VPN service) to protect one’s Internet traffic are the bare minimum.

Encrypted Email. While bitcoin is great for financial transactions online, it’s advisable to stay private while conducting any other activities, such as emailing. Emails might also contain private and sensitive information, which could be easily intercepted by hackers or other unwanted snoopers. The solution is to use an encrypted email service. There are a few good examples, including Tutanota and the Gmail-like ProtonMail, which offer automatic end-to-end encryption and require no personal information to create a secure email account.

Encrypted Messaging. Everybody uses their mobile devices for instant messaging – but how safe are regular communication apps? For example, WhatsApp has received some harsh criticism for tracing user chats even after their deletion. Signal, on the other hand, is an encrypted messaging and voice calling app that provides end-to-end encryption by default to secure all communications. The app can also verify the identity of people one is messaging with and the integrity of the channel they are using. When texting with non-Signal users, one has an option to invite them to an encrypted conversation via Signal.

PGP (Pretty Good Privacy). If a user is looking for an advanced option to secure their communication and personal files, it might be wise to turn to PGP, which is one of the most popular pieces of encryption software used worldwide. OpenPGP is used to encrypt data and create digital signatures and can be used to encrypt your personal files or to exchange encrypted communication. It protects all communication with a digital signature and is available for all operating platforms.

VPN (Virtual Private Network). Anyone who takes their online security and privacy seriously will use a VPN, a Virtual Private Network. A VPN encrypts all of a user’s Internet data inside a secure tunnel and creates a secure connection between one’s device and a VPN server. All the information traveling between the user’s Internet-enabled device and the secure server remains invisible to any third party. Those who want guaranteed protection will be disappointed that not all VPNs accept bitcoin as a method of payment, but there are a few that do. NordVPN, for example, allows users to pay with bitcoin and, most importantly, does not store any logs. It also offers an option to encrypt all the data twice for extra safety, which is a rare feature for a VPN. A helpful kill-switch feature allows a user to select Internet programs that will be terminated if the connection drops for any reason, to make sure that no unprotected Internet activity is exposed. Privacy issues have taken another shape completely over the past year. 31% of Internet users used a VPN in 2016, and VPNs will be increasingly popular in 2017 as online security issues grow to monumental proportions.

In addition to these super tough security measures, anonymity-minded Internet users should be more vigilant, use extra caution when sharing information or opening messages from unknown senders, and make sure that their device’s firewall is turned on and a reliable anti-virus program is installed and kept up to date.

Samsung Boss Headed To The Big House

Posted in Commentary with tags on January 16, 2017 by itnerd

It seems that exploding phones are not the only problem that Samsung has at the moment. It now seems certain that Samsung Electronics Vice Chairman Lee Jae-yong faces the prospect of being busted as part of a high-profile investigation into possible bribery and corruption. CNN has the details:

Prosecutors accuse Lee and Samsung of providing 43 billion won ($36.3 million) to organizations linked to a confidante of President Park Geun-hye in return for government backing for the merger.

During a public grilling last month, Lee said he was unaware of Samsung’s payments to the organizations when they were made.

The arrest warrant for Lee came on the same day that National Pension Service chief Moon Hyung-pyo was indicted on charges of perjury and abuse of power. Moon is accused of pressuring the pension fund, a major shareholder in one of the Samsung affiliates, to support the merger when he was minister of health and welfare.

Samsung on Monday disputed the allegations against Lee, saying in a statement that it “did not make contributions in order to receive favors.”

The corruption scandal being referred to in this story is a big deal in South Korea. There have been protests in the streets and President Park Geun-hye has been impeached because of it. Thus this has the potential to make those exploding Note 7s look minor in comparison.


Source: The Battery Caused Note 7’s To Blow Up

Posted in Commentary on January 16, 2017 by itnerd

According to a source who spoke to Reuters, an investigation by Samsung is pinpointing the battery as the cause of the Galaxy Note 7 debacle. Here’s the thing though. A person familiar with the matter told the news outlet today that Samsung was able to replicate the fires during its investigation and that the cause could not be explained by hardware design or software-related matters. IF that’s true (after all, these are sources who are talking to Reuters) then Samsung is going to really have to do a better job of convincing the public that their phones are safe and they shouldn’t run to the Apple store for their next smartphone. The source also said that Samsung will officially dish the details on January 23, right before they serve up their earnings report. Hopefully the planet will get all the details on what went wrong on that date.


McDonald’s Website Offers Burgers, Fries, and Pwnage

Posted in Commentary with tags on January 16, 2017 by itnerd

If you’re a user of the McDonald’s website, it would appear that this site is not as secure as it perhaps should be. Tijme Gommers has revealed a still-active reflected cross-site scripting vulnerability and substandard password controls on the site. Those could lead to phishing attacks on top of you getting info on the new toy that comes with your next Happy Meal. The attack is possible because of an outdated version of AngularJS as well as an outdated version of JBoss that leave holes open that any hacker can stroll through. On top of that, the company didn’t encrypt user passwords. Instead, they were left in plain text, making them easy to intercept.

#Fail

He posted his results in a blog post after trying to get the fast food company’s attention and failing to do so. Though he tried to do so over the holidays, so one has to wonder if that was the reason why he didn’t get their attention. Either that or Ronald McDonald was busy with other matters. In any case, it will be interesting to see if, how and when the company fixes this.

In Depth: Genesis Motors

Posted in Commentary with tags on January 13, 2017 by itnerd

Hyundai has been on a roll as of late. They are third behind Kia and Porsche in terms of the influential JD Power Initial Quality Study. Their cars are winning awards, and they’ve sold 2 million vehicles in Canada since they arrived in 1983. All by playing the game of making quality cars with an uplevel feel to them that are loaded with content, and selling them at a fair price. Which is why when you look around, you see a lot more Hyundai cars on the road than ever before.

So, what does Hyundai do for their next trick? How about starting a luxury brand? Hyundai has decided to spin off their Genesis models into a separate brand called Genesis Motors. But they are going about it in a radically different way.

First, there are no dealerships for now. Instead, the cars are sold online and delivered to your home. The lineup is the Genesis G90, a full-sized sedan, and the G80, a mid-sized sedan based on the Hyundai Genesis sedan that won an IT Nerd Award in 2015 (for the record, other cars including a compact sedan and a crossover are coming by 2021). There are four or five boutique locations as well as some standalone dealerships coming to Canadian cities this year. But at present, you’ll go to the Genesis website or call them and book an “Experience Drive” and a demo car will be brought to you. You’ll test drive it and if you buy it, you’ll pay the same price that everyone pays, as Genesis Motors has a no-haggle price policy. During the buying experience, those interested in a Genesis Motors vehicle won’t have to sort through a massive list of options. Instead, you choose the engine that you want (at present your choices are a V6 and a V8) and the car comes with pretty much everything you’d likely want in a car in the luxury space. While I will admit that the V8 models of the G80 and G90 do come with a few extra features, you won’t miss out on the safety front, as every model comes standard with a pile of active and passive safety features. From where I stand, the fact that you don’t have to immerse yourself in the lexicon of a car manufacturer or be forced to buy an expensive package of options just to get the one or two things that you really want is really respectful of the customer’s time. Also, the fact that I don’t have to get involved in the combat sport of negotiating the best price is very much welcome.

Now respecting the customer’s time is one of the things that Genesis Motors had in mind according to Chad Heard who is the Senior Manager, Public Relations for the brand. According to Mr. Heard, Genesis had the opportunity to really do something different and distinct from the rest of the luxury segment. Everything they do is centered around the fact that they want to have their customers rave about all aspects of Genesis Motors. The car, the brand, the buying and ownership experience. If that happens, which I think it will, then it’s a huge win for Genesis Motors. From a personal standpoint, this really appealed to me as I am one who has long thought that the car buying experience is not “customer centric.” Thus what Genesis Motors is doing will be something that draws buyers to the brand. That’s evidenced by the fact that every G90 that Genesis Motors had access to in Canada is sold (they’re working to get more as I type this) and 7 people bought them sight unseen. Clearly Genesis Motors has hit on something that resonates with buyers in the luxury space.

The marketing around the Genesis brand is very interesting. The website is very slick, technically sound as I was able to use any browser on any platform, easy to navigate, and provides information on the brand, the cars and the owner experience clearly and concisely. This is backed up by presences on Facebook, Instagram, Twitter and YouTube (Though there was nothing on the YouTube channel when I clicked on it. According to Mr. Heard, content is coming shortly). It’s important for me to point all of this out as I have made a bit of a name for myself for pointing out when companies screw this sort of stuff up. Sometimes in epic fashion. Genesis Motors got this right on day one and that needs to be highlighted. Now all of this is meant to enhance the perception of the brand. That’s important because there are going to be some out there who will have problems processing the fact that Hyundai now has a luxury brand. In my discussion with Mr. Heard on this point, it’s clear to me that they get that and they are working hard to dispel that. As he put it “it’s a marathon not a sprint” on this point. If I may add my two cents to this, anyone who thinks that Hyundai is still the car company that made the Pony needs to go into a dealership and drive one, or take an Experience Drive of either of the Genesis models. I believe that your perception of these two brands will change very, very quickly.

If you’re in the market for a car in the luxury space, you should add Genesis Motors to your list as it is clear that they have entered into this space with a plan to not only be a player, but to become the player in this space that everyone else chases.

Trump Appoints A Cyber Security Advisor Who Has A Horribly Insecure Website

Posted in Commentary with tags on January 13, 2017 by itnerd

President-elect Donald Trump has appointed Rudy Giuliani to be his cyber security advisor. Here’s the problem. If you go to his website, www.giulianisecurity.com, which is down as I type this for reasons unknown, it becomes clear to cyber security experts that it is a cyber security nightmare that anyone can easily pwn. Robert Graham of Errata Security detailed this in a blog post:

The results have been laughable, with out-of-date software, bad encryption, unnecessary services, and so on.

But here’s the deal: it’s not his website. He just contracted with some generic web designer to put up a simple page with just some basic content. It’s there only because people expect if you have a business, you also have a website.

That website designer in turn contracted some basic VPS hosting service from Verio. It’s a service Verio exited around March of 2016, judging by the archived page.

The Verio service promised “security-hardened server software” that they “continually update and patch”. According to the security scans, this is a lie, as the software is all woefully out-of-date. According to the OS fingerprint, the FreeBSD image it uses is 10 years old. The security is exactly what you’d expect from a legacy hosting company that’s shut down some old business.

To add to this, The Register got someone to look at the site. The results are not good if you’re Giuliani. This really doesn’t project him in the best light as a “cyber security advisor”, as you’d think he’d get someone to make sure that he didn’t get pwned by hackers (if he hasn’t already, seeing as the site is down).

Quite simply, the optics of this are not good.

Backdoor Found In WhatsApp End To End Security

Posted in Commentary with tags on January 13, 2017 by itnerd

It seems that those who rely on WhatsApp’s end-to-end encryption have a problem: the popular messaging app appears to have a backdoor that could allow Facebook (which owns WhatsApp) to read messages, as well as making it possible for the company to comply with court orders to make messages available to government bodies. Here’s what The Guardian reports:

The security backdoor was discovered by Tobias Boelter, a cryptography and security researcher at the University of California, Berkeley. He told the Guardian: “If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys.”

The backdoor is not inherent to the Signal protocol. Open Whisper Systems’ messaging app, Signal, the app used and recommended by whistleblower Edward Snowden, does not suffer from the same vulnerability. If a recipient changes the security key while offline, for instance, a sent message will fail to be delivered and the sender will be notified of the change in security keys without automatically resending the message.

WhatsApp’s implementation automatically resends an undelivered message with a new key without warning the user in advance or giving them the ability to prevent it.

Boelter reported the backdoor vulnerability to Facebook in April 2016, but was told that Facebook was aware of the issue, that it was “expected behaviour” and wasn’t being actively worked on. The Guardian has verified the backdoor still exists.

This news is sure to send Facebook into full damage control mode, as Facebook really pushes the end-to-end encryption feature of WhatsApp and the claim that they can’t read your messages. It will be interesting to see how they respond to this (which they haven’t as I type this), and how WhatsApp users respond to it.
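The behavioural difference The Guardian describes above (fail closed and notify on a key change versus silently re-encrypting to the new key), together with the out-of-band identity check the NordVPN post credits Signal with, as an added, constructed Python model; this is not Signal's, WhatsApp's or NordVPN's code. The toy encryption, the `Sender` class and `run_scenario` are assumptions made for illustration only.

```python
# Toy model of a messenger handling a recipient key change mid-delivery. Constructed
# example, not Signal's or WhatsApp's code: keys are random 32-byte strings and
# encrypt()/decrypt() use a SHAKE-256 keystream XOR as a stand-in for the real protocol.
import hashlib
import secrets
from dataclasses import dataclass, field

def fingerprint(key: bytes) -> str:
    """Short identifier users could compare out of band (like a safety number)."""
    return hashlib.sha256(key).hexdigest()[:16]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    stream = hashlib.shake_256(key + nonce).digest(len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, stream))

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:16], blob[16:]
    stream = hashlib.shake_256(key + nonce).digest(len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))

@dataclass
class Sender:
    peer_key: bytes                                # recipient key this sender last trusted
    notices: list = field(default_factory=list)    # what the user gets told
    outbox: list = field(default_factory=list)     # (key fingerprint, ciphertext) handed to the server

    def send(self, msg: bytes, server_key: bytes, auto_resend: bool) -> str:
        """server_key is the recipient key the server currently advertises."""
        if server_key == self.peer_key:
            self.outbox.append((fingerprint(self.peer_key), encrypt(self.peer_key, msg)))
            return "delivered"
        if not auto_resend:
            # Fail closed: warn first, send nothing until the user accepts the new key.
            self.notices.append(f"key changed {fingerprint(self.peer_key)} -> "
                                f"{fingerprint(server_key)}; message NOT sent")
            return "undelivered"
        # Auto-resend: trust whatever key the server supplied, re-encrypt, notify afterwards.
        self.peer_key = server_key
        self.outbox.append((fingerprint(server_key), encrypt(server_key, msg)))
        self.notices.append(f"key changed to {fingerprint(server_key)}; message already resent")
        return "resent"

def run_scenario(auto_resend: bool) -> tuple:
    """Returns (status, whether the holder of the NEW key can read the message)."""
    original_key, new_key = secrets.token_bytes(32), secrets.token_bytes(32)
    msg = b"meet at the usual place"                # constructed sample message
    sender = Sender(peer_key=original_key)
    status = sender.send(msg, server_key=new_key, auto_resend=auto_resend)
    readable_with_new_key = any(decrypt(new_key, blob) == msg for _, blob in sender.outbox)
    return status, readable_with_new_key
if __name__ == "__main__":
    print("fail-closed :", run_scenario(auto_resend=False))
    print("auto-resend :", run_scenario(auto_resend=True))
```

Whoever controls the key the server advertises can read the message only under the auto-resend policy; the fail-closed policy leaves nothing in the outbox until the user has compared fingerprints.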