Category Archives: Security

Gadget Man – Episode 113 – What is Keyless Car Crime?

Following reports of an increase in car-related crime, I spoke to Mark Murphy on BBC Radio Suffolk about what can be done to reduce the chances of falling foul of Keyless Car Crime.

Keyless keyfobs are devices that have come to replace the ‘traditional’ car entry methods, which required us to actively press a lock/unlock button on our fobs. Instead, the car constantly ‘polls’ the keyfob and, when you are within a short distance of the vehicle, automatically opens to allow for entry. It also enables the driver to start and stop the car using on-dash buttons.

As is usual, technology strives to make our lives easier, but it also seems to give criminals new opportunities to steal our vehicles. Readily available gadgets can be purchased specifically to scan for these ‘handshake’ signals between car and fob and, upon interception, thieves can drive the cars with an instantly cloned device.

It is important to note that many cars will allow the car to be driven even if the key is no longer present. Check with your manufacturer if this is the case with your vehicle.

Rather than concentrate on the specific technology used to achieve this wireless theft, drivers should concentrate in the short term on how they can ensure their cars are secure.

Leading car security organisation, Thatcham Research have published a list of steps we as drivers should follow to ensure this security. This very list has been adopted by Police forces across the UK.

  1. Contact your dealer and talk about the digital features in your car. Have there been any software updates you can take advantage of?
  2. Check if your keyless entry fob can be turned off. If it can, and your dealer can also confirm this, then do so overnight.
  3. Store your keys away from household entry points. Keeping your keyless entry fob out of sight is not enough – thieves only need to gain proximity to the key before amplifying the signal.
  4. Be vigilant. Keep an eye out for suspicious activity in your neighbourhood – and report anything unusual to the Police.
  5. Review your car security. Check for aftermarket security devices such as Thatcham-approved mechanical locks and trackers, which are proven to deter thieves. A list can be found on the Thatcham Research website, here.

You can also download the Suffolk Constabulary ‘Tips for Drivers’ factsheet below. I have also included links to key pouches that block scanners. These can be purchased from Amazon using the links below.

Don’t forget to ‘Like’, ‘Subscribe’ and of course ‘Comment’ and stay tuned for our reviews and comment.

Security Tips for Drivers with Keyless Entry Vehicles - Suffolk Police

Gadget Man – Episode 108 – Why we should care about what our data is used for?

Following on from the ongoing Facebook / Cambridge Analytica scandal, I was invited to be a guest on James Hazell’s show on BBC Radio Suffolk. We talked in depth about how social networks and apps are using our data.

Please listen in by clicking the ‘play’ button above. Don’t forget to Like, Subscribe, Comment and Share.


Apricorn Aegis Secure Key 3z USB Drive – Move over James Bond and Ethan Hunt, this data really can self destruct in 5 seconds!

Mission Impossible : Rogue Nation - USB Memory Stick deletion scene - image credit: Paramount Pictures

If you watch Mission Impossible: Rogue Nation, you will find a scene near the end of the movie where Faust (Rebecca Ferguson) hands a USB drive to her ‘handler’ Atlee (Simon McBurney). He then proceeds to surreptitiously erase the contents of the USB stick using a combination of distraction, sleight of hand, a Nokia 930 smartphone and a copy of the Financial Times. Thus Faust is oblivious to the smoke and mirrors that have just taken place and continues on with her mission (should she choose to accept it!).

All of the above just seemed completely unnecessary and it was with this still in mind that I began testing and reviewing the Apricorn Aegis Secure Key 3z, a storage device which not only hardware encrypts your data but also includes a self destruct option for those most inconvenient moments when your only option is to completely destroy the data!

The majority of disk encryption is at software level which means that you can access the information, but it is in effect ‘scrambled’ using a password or code. Try enough times using either brute force or dictionary attempts and you may just crack the key and thus give yourself access to the information.

Gadget Man Reviews the Aegis Secure Key 3z
Additional technology is simply not required to secure your data with the Aegis Secure Key 3z

The Secure Key 3z uses hardware-based encryption, namely 256-bit AES XTS. AES is an acronym for “Advanced Encryption Standard”, originally invented in 2001 as the “Rijndael Cypher” after its creators Daemen and Rijmen. AES is a widely used encryption standard that is resilient against attacks. It is in fact so highly respected that it has become the ‘go to’ encryption method for security agencies, banks and governments, who trust it with their highly sensitive information and state secrets. The 3z uses 256-bit encryption, which gives a hundred thousand billion billion billion billion billion billion billion billion combinations of keys. With the further addition of the XTS cypher, it renders data stored on the device effectively impossible to access or decrypt.

Out of the box, the Secure Key measures in at 81mm x 18.4mm x 9.5mm, weighs 22 grams and has an internal rechargeable battery. Once unpacked, you will need to set up your Admin PIN number straightaway as there is no pre-programmed key. This must be between 7 and 16 digits, and you cannot set consecutive numbers or numbers which are all the same. This PIN is used to set up the Secure Key and allows you to manage other features, but more of that later.

As soon as you’ve added your admin user, you can then (if you like) add a standard user. You would use this feature if you were going to manage the Secure Key and were going to issue it to another person to use. Again, this is fairly straightforward and is covered in the ‘quick start guide’.

Gadget Man Reviews the Aegis Secure Key 3z
In its locked state, the Secure Key is not recognised when plugged into a PC, Mac or mobile device

Whilst locked, the USB is effectively useless: plug it into a computer’s USB port and you will find the computer won’t even recognise the device as it is hardware disabled, in other words it’s switched off. This is indicated by a ‘red’ LED illuminating on the device. To unlock the device, you press the green padlock key, enter either the user or admin PIN number and press the green padlock again. The red LED will switch off and the green LED will start flashing. This indicates that the device is unlocked and ready for use; it is simply a matter of plugging it in to a spare USB port.

The Aegis Secure Key’s FIPS 140-2 validation covers 11 areas of its cryptographic security system, including physical security, cryptographic key management and design integrity.

The key itself is USB3.1 but is backwardly compatible to v3, v2 and v1.1. This gives it a surprising turn of speed of up to 190MB/s read and 80MB/s write.

OK, so the key performs really nicely and has government grade encryption, but what happens if I lose the key and it gets into the hands of an enemy?

Apricorn Aegis Secure Key 3z

First off, the key is encased in an IP58 dust and water resistant tough metal shell with polymer-coated, wear-resistant keys. Inside, the electronic components are protected by a filling of hard epoxy resin, making a physical attempt to access the electronics virtually impossible without causing catastrophic damage.

PIN entry ‘brute force’ protection means that if you enter the code number incorrectly more than 3 times, entry of subsequent PINs is slowed down. If the incorrect entry of keys hits 10, the red light on the key will start flashing rapidly; at this point you have 10 more attempts left. If you fail to enter a correct PIN within these last attempts, the key will consider itself as under attack and will delete its data as a precaution.
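The PIN rules and failure thresholds described in this review can be modelled as a small state machine. This is an added example, not Apricorn's firmware or code from the original post; the back-off timings, the counter reset on a correct PIN and the key-discarding wipe are assumptions.

```python
import hashlib
import hmac
import os

SLOWDOWN_AFTER = 3  # review: entry slows after more than 3 wrong PINs
WARNING_AT = 10     # review: red LED flashes rapidly at 10 wrong PINs
WIPE_AT = 20        # review: 10 further failures and the data is deleted


def pin_is_acceptable(pin):
    """PIN rules from the review: 7-16 digits, not all equal, not a run."""
    if not (pin.isascii() and pin.isdigit() and 7 <= len(pin) <= 16):
        return False
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    # {0}: every digit equal; {1} or {-1}: a straight run such as 1234567.
    return steps not in ({0}, {1}, {-1})


class PinGuard:
    """Model of the failure counter only; all internals are hypothetical."""

    def __init__(self, pin):
        if not pin_is_acceptable(pin):
            raise ValueError("PIN rejected by policy")
        self._salt = os.urandom(16)
        self._digest = self._hash(pin)
        self._data_key = os.urandom(32)  # stands in for the AES-256 data key
        self.failures = 0

    def _hash(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 50_000)

    @property
    def wiped(self):
        return self._data_key is None

    def delay_seconds(self):
        """Assumed back-off: doubles per failure past the threshold, capped."""
        extra = self.failures - SLOWDOWN_AFTER
        return 0 if extra <= 0 else min(2 ** extra, 3600)

    def try_unlock(self, pin):
        """Return (state, key); a real device enforces delay_seconds() first."""
        if self.wiped:
            return "wiped", None
        if hmac.compare_digest(self._hash(pin), self._digest):
            self.failures = 0  # assumption: a correct PIN resets the counter
            return "unlocked", self._data_key
        self.failures += 1
        if self.failures >= WIPE_AT:
            self._data_key = None  # assumed wipe: key discarded, data unreadable
            return "wiped", None
        return ("final-warning" if self.failures >= WARNING_AT else "locked"), None
```

With at most 20 guesses before the wipe, even the shortest permitted 7-digit PIN leaves an attacker a negligible chance of guessing correctly.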

Should you be left in the position of Faust and Atlee in Mission Impossible: Rogue Nation, there is in fact a better option for destroying the data on the card (or in fact having a third party do it for you). Yes, the Secure Key supports the entry of a self-destruct key, a key which is designed to delete all data on the key and reformat the device. This key is then assumed as the standard key for the device and it will behave as a brand new drive.

It was quite fiddly to set up, but I was successful in testing the ‘Self Destruct’ mode, it worked as documented and didn’t give me any indication that it was taking place.

Apricorn have made a very solid product with the Secure Key 3z, it looks and feels the part, it worked very well and the security features were exceptional.

I loved the fact that a company is working SO hard to make the theft of data so difficult. In times of cross border data theft, the counter-measures employed by the Secure Key 3z are both impressive and comforting.

Matt Porter
The Gadget Man

Starting at £74 for the 8GB to £228 for 128GB models, the USB Storage Key is reassuringly priced for the corporate market.

 

The Gadget Man – Episode 104 – Defeating Vehicle Security

Following a report by the RAC that vehicle thefts in the United Kingdom have risen by 30% in the last three years, I spoke to Mark Murphy on his BBC Radio Suffolk Breakfast show about how thieves are trying to defeat the security measures that car manufacturers are putting in place.

You can listen in to the stream by clicking the ‘play’ button above.

If you are interested in the technology that is regularly being used to defeat vehicle security, Andy Greenberg has written a very interesting article on Wired which can be found here.

Matt Porter
The Gadget Man

 

The Gadget Man – Episode 101 – WannaCry – WannaCrypt – Eternal Blue – What Happened and What to Do?

Following my previous post which can be found here, I talked this morning to Mark Murphy on BBC Radio Suffolk about WannaCry and the effect it has had on the NHS, what needs to be done to stop it happening again and what we can do to protect ourselves.

To read an in-depth article on how to protect your computers from such attacks, click here

PLEASE ensure your computers have all their updates installed and make sure you have Anti-Virus software installed.

 

 

WannaCry Ransomware – How To Protect Yourself

WannaCry - WannaCrypt - How to Protect Yourself

WannaCry Ransomware has now affected over 200,000 systems in 150 countries around the world. In the UK, the National Health Service has been very badly affected causing massive disruption across the country.

Although the initial outbreak was stopped, several new versions of this virus have been reported in the ‘wild’. Some have been stopped by registering the ‘kill-switch’ domain name, but it is widely believed that a version or versions of the virus has been released that does not contain a kill-switch.

ONLY COMPUTERS RUNNING WINDOWS ARE IN DANGER OF INFECTION CURRENTLY.

Before you do ANYTHING else BACKUP your important files onto removable storage. Upon completion of this backup, ensure it is kept separately from your computer in a safe place. Should you become infected with this Ransomware, you don’t need to consider paying any kind of ransom as your files are safely stored elsewhere.

UPDATE your antivirus software. If you don’t have antivirus software installed, enable Windows Defender, which is free.

You MUST ensure that your Windows system is correctly patched with the latest security updates.

These are available from here and here.

SHARE THIS INFORMATION to protect YOU, Your Family, Co-Workers and Friends and to avoid this affecting you.

The following information was published by Wordfence Security

New WannaCry Ransomware and How to Protect Yourself

 

  1. If you use Windows, install the patch that Microsoft has released to block the specific exploit that the WannaCry ransomware is using. You can find instructions on this page in the Microsoft Knowledge Base. You can also directly download the patches for your OS from the Microsoft Update Catalog.
  2. If you are using an unsupported version of Windows like Windows XP, Windows 2008 or Server 2003, you can get the patches for your unsupported OS from the Update Catalog. We do recommend that you update to a supported version of Windows as soon as possible.
  3. Update your Antivirus software definitions. Most AV vendors have now added detection capability to block WannaCry.
  4. If you don’t have anti-virus software enabled on your Windows machine, we recommend you enable Windows Defender which is free.
  5. Backup regularly and make sure you have offline backups. That way, if you are infected with ransomware, it can’t encrypt your backups.
  6. For further reading, Microsoft has released customer guidance for the WannaCry attacks and Troy Hunt has done an excellent detailed writeup on the WannaCry ransomware.

Facebook swamped with FAKE supermarket voucher codes AGAIN!

Another weekend in the UK and Facebook users are both being SWAMPED and are SWAMPING the web with fake voucher codes AGAIN!

Despite repeated warnings by supermarkets and trading standards across the country, there seems no let up in the social sharing of these codes along with the very high chance of having identities stolen or at the very least being added to email spam lists.

These scams are shared using ‘Social Engineering’, i.e. friends and family share them and add legitimacy to an otherwise wholly illegitimate fraud.

By clicking on these fake vouchers and accepting what appears to be a vaguely official looking terms and conditions, people are effectively handing over their personal details in return for absolutely nothing…

So, what are the giveaways?

An example FAKE voucher

  1. The vouchers contain an expiry date in US date format.
  2. The barcode is the same for each voucher; these would need to be unique.
  3. The issuing store is ALWAYS Greenhithe.
  4. It can ONLY be redeemed with your original receipt.
  5. All of the vouchers seem to mention ADSA Direct rather than the store they are supposedly issued under.
  6. The domain name is suspicious to say the least. The URL has no relation to Morrisons other than a VERY DUBIOUS domain name.

All of these would lead me to be extremely suspicious of the validity of the offer. So let us look at the domain name morrisons-f50f83o.grabinn.us

For starters, I see no logical reason for any large company to be using such a cryptic URL for anything, but let’s look at where this website lives. We do this by using a common command called ‘ping’.

ping morrisons-f50f83o.grabinn.us.
PING morrisons-f50f83o.grabinn.us (178.32.50.152): 56 data bytes
64 bytes from 178.32.50.152: icmp_seq=0 ttl=49 time=31.111 ms
64 bytes from 178.32.50.152: icmp_seq=1 ttl=49 time=31.736 ms
64 bytes from 178.32.50.152: icmp_seq=2 ttl=49 time=32.421 ms
64 bytes from 178.32.50.152: icmp_seq=3 ttl=49 time=30.546 ms

We are returned an IP address, this is the physical address that this voucher code lives at, in the case of this voucher code it resolves to 178.32.50.152

We can then lookup the IP using domaintools.com and it gives the following results

  1. The host (or computer holding the web site) is located in France. This makes the tracing of the owner much more difficult as it requires international law enforcement cooperation.
  2. This shows that 30 other websites are located on the same server. I would suggest these are probably variants of the web address, possibly other store names.
  3. This is the ‘abuse’ contact for this IP address, in this case it is abuse@ovh.net . This is the email address people should contact to report unlawful behaviour. Worth noting.

We now have the contact details of the host in order to report unlawful behaviour.

OK, we can now look up the domain name to find out its owner. In this case it is using subdomains, so we can comfortably ignore the morrisons and hieroglyphics and concentrate on the TLD or Top Level Domain grabinn.us

  1. GRABINN.US is the domain name used to host the voucher
  2. NAMECHEAP is the registrar (or company holding the domain name)
  3. Lisa Alex is the registered owner of the domain (probably a fake name)
  4. This is the registered address of the domain owner (probably fake too), it doesn’t look like a valid address and the telephone and fax numbers are also fake looking.
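The step of ignoring the subdomain and looking at who owns grabinn.us can be automated. The following is an added example, not part of the original post: it flags hostnames that contain a brand name while the registrable domain belongs to someone else. The brand allow-list and the short suffix list are constructed assumptions.

```python
# Constructed allow-list (assumption): brand keyword -> domains the brand uses.
BRAND_DOMAINS = {
    "morrisons": {"morrisons.com"},
    "asda": {"asda.com"},
}

# Tiny constructed stand-in for the Public Suffix List; a real check should
# load the full list so that every multi-label suffix is covered.
PUBLIC_SUFFIXES = {"com", "us", "net", "org", "uk", "co.uk"}


def registrable_domain(hostname):
    """Return the public suffix plus one label, e.g. 'grabinn.us'."""
    labels = hostname.lower().rstrip(".").split(".")
    # Walk from the longest candidate suffix so 'co.uk' wins over 'uk'.
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                return None  # the hostname is itself a bare suffix
            return ".".join(labels[i - 1:])
    return None  # suffix not in our list: cannot decide


def impersonated_brands(hostname):
    """List brands named anywhere in the hostname that do not own its domain."""
    base = registrable_domain(hostname)
    if base is None:
        return []
    host = hostname.lower().rstrip(".")
    hits = []
    for brand, real_domains in BRAND_DOMAINS.items():
        # The brand word appears, but the part that was actually registered
        # (and paid for) is not one of the brand's own domains.
        if brand in host and base not in real_domains:
            hits.append(brand)
    return sorted(hits)


if __name__ == "__main__":
    # The hostname quoted in the post, plus a constructed legitimate one.
    for name in ("morrisons-f50f83o.grabinn.us", "groceries.morrisons.com"):
        print(name, registrable_domain(name), impersonated_brands(name))
```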

So, by the look of everything, we have a domain name that cost 99p to register using a LOW COST registrar, hosted on a server that charges £1.60 per month on a LOW COST server by a fake name at a fake address in Pakistan (supposedly).

Now, YOU need to ask yourself the following question,

Would a multinational company employ a person to run its national voucher system whilst sitting behind fake credentials on low cost hardware? Or would they use their own existing IT infrastructure?

Why not spend the time you might have spent being duped by reporting these people to the ‘abuse’ email address and help STOP this kind of thing from continuing.

If you live in Suffolk or Norfolk, we now have our own Cyber & Serious Crime Department which can be contacted by dialling 101. I have spoken to several officers working in this division and they are all very professional and take cyber crime very seriously.

Gadget Man – Episode 99 – Hackers, Spammers and Scammers

This morning I was interviewed by Mark Murphy on BBC Radio Suffolk about what makes me grumpy?

At the moment a lot of my time is spent securing websites and investigating hacking attempts, so this felt like a legitimate ‘grump’.

If you own a website, don’t assume it’s secure, make sure it’s secure.

Listen in to the stream and let me know what you think…

Gadget Man – Episode 88 – 500,000,000 Yahoo accounts stolen in World’s Biggest Hack

Yahoo HQ
Yahoo HQ – image credit Yahoo

On Friday, I spoke to Mark Murphy on the Morning Show on BBC Radio Suffolk about the breaking news story concerning the massive data breach at Yahoo, possibly concerning over 500,000,000 user accounts and by far the largest leak in history.

Listen to the short interview where I explain what I think happened and what Yahoo users should do to ensure their accounts are kept safe and secure from now on.

Yahoo has released a statement concerning the breach, which can be read here

Featured image credit Can Pac Swire on Flickr