Security&Privacy

  • Access Keys in AWS Lambda
    Let’s look at AWS Access Keys inside a Lambda function, from how they are populated into the function’s execution context, how long they last, how to exfiltrate them out and use them, and how we might detect compromised access keys. But before that, let’s go through some basics. Lambda functions run on Firecracker, a microVM ...
  • Contact Tracing Apps: they’re OK.
    I thought I’d write down my thoughts on contact tracing apps, especially since a recent BFM suggested 53% of Malaysians wouldn’t download a contact tracing app due to privacy concerns. It’s important for us to address this, as I firmly believe that contact tracing is an important weapon in our arsenal against COVID-19, and having ...
  • My experience with AWS Certified Security – Specialty
    Last week I took the AWS Certified Security – Specialty exam — and I passed with a score of 930 (Woohoo!!) In this post I cover why I took it, what I did to pass, my overall exam experience, and some tips I learnt along the way. So let’s go. Why? Why would anybody pay good money, subject themselves ...
  • Run serverless on GitHub actions
    GitHub actions is the new kid on the workflow block. It allows users to orchestrate workflows using familiar git commands like push & pull requests, and un-familiar GitHub events like gollum, issue creation and milestone closures. In this post, we’ll use GitHub actions to orchestrate a build pipeline that will deploy lambda functions using the Serverless framework. ...
  • Lambda functions in a VPC
    In my honest (and truly humble) opinion, VPCs don’t make much sense in a serverless architecture — it’s not that they don’t add value, it’s that the value they add isn’t worth the complexity you incur. After all, you can’t log into a lambda function, there are no inward connections allowed. And it isn’t a persistent ...
  • Amazon KMS: Intro
    Amazon KMS is one of the most integrated AWS services, but probably also the least understood. Most developers know about it, and what it can do, but never really fully realize the potential of the service. So here’s a rundown of the innards of the KMS service. What is KMS? KMS (Key Management Service) is an AWS ...
  • Interactive Shell on a Lambda Function
    One of the great things about Lambda functions is that you can’t SSH into them. This sounds like a drawback, but actually it’s a great security benefit — you can’t hack what you can’t access. Although it’s rare to see SSH used as an entry path for attackers these days, it’s not uncommon to see organizations ...
  • You own your software supply chain
    Just this week, my team was on the cusp of demo-ing a product they’ve been working on for the last 2 months, only for a build process to fail, just hours before the demo to some very high ranking people. Troubleshooting the build took a while, but eventually we found the root cause, a missing package ...
  • Securing Lambda Functions
    First a definition. A lambda function is a service provided by AWS that runs code for you without introducing the complexity of provisioning servers or managing operating systems. It belongs in a category of architectures called serverless architectures. There’s a whole slew of folks trying to define what is serverless, but my favorite definition is this. Serverless ...
  • Thoughts on SingHealth Data Breach
    On the 20th of July, Singaporean authorities announced a data breach affecting SingHealth, the country’s largest healthcare group. The breach impacted 1.5 million people who had used SingHealth services over the last 3 years. Oh boy, another data breach with 1.5 million records … **yawn**. But Singapore has less than 6 million people, so it’s a BIG ...
  • The Malaysian Government isn’t watching your porn habits
    Recently, there was a poorly written article in The New Straits Times, that suggested the Malaysian Police would know if you were watching porn online. Let me cut to the chase, the article is shit. The software in question, aptly named Internet Crime Against Children Child Online Protective Services (ICACCOPS) is used to detect Child Pornography, and ...
  • Security Headers for Gov-TLS-Audit
    Gov-TLS-Audit got a brand new domain today. No longer is it sharing a crummy domain with sayakenahack (which is still blocked in Malaysia!), it now has a place to call its own. The domain cost me a whopping $18.00/yr on AWS, and involved a couple hours of registration and migration. So I felt that while migrating domains, ...
  • The GREAT .my outage of 2018
    Last week, MyNic suffered a massive outage taking out any website that had a .my domain, including local banks like maybank2u.com.my and even government websites hosted on .gov.my. Here’s a great report on what happened from IANIX. I’m no DNSSEC expert, but here’s my layman’s reading of what happened: .my uses DNSSEC. Up to 11-Jun, .my used a DNSKEY ...
  • The Malaysian Ministry of Education Data Breach
    Ok, I’ve been pretty involved in the latest data breach, so here’s my side of the story. At around 11pm last Friday, I got a query from Zurairi at The Malay Mail, asking for a second opinion on a strange email the newsdesk received from an ‘anonymous source’. The email was a regular vulnerability disclosure, but one ...
  • 3 times GovTLS helped fixed government websites
    Couple months back I started GovTLSAudit. A simple service that would scan .gov.my domains, and report on their implementation of TLS. But the service seems to have benefits above and beyond that, specifically around having a list of government sites that we can use to cross-check against other intel sources like Shodan (which we ...
  • Look ma, Open Redirect on Astro
    If you’ve come here from a link on twitter — you’d see that the address bar still says login.astro.com.my, but the site is rendering this page from my blog. If not, click this link to see what I mean. You’ll get something like this: Somehow I’ve managed to serve content from my site on an astro ...
  • The Astro Data Breach
    I previously wrote about how data breaches are like diamonds: They’re not as rare as you think They’re worth far more to you than to a thief They last forever And the recent debacle over the Astro data breach epitomizes all of these characteristics. First off, Lowyat has already reported 3 big data breaches (at least by my count), and ...
  • Gov TLS Audit : Architecture
    Last Month, I embarked on a new project called GovTLS Audit, a simple(ish) program that would scan 1000+ government websites to check for their TLS implementation. The code would go through a list of hostnames, and scan each host for TLS implementation details like redirection properties, certificate details, http headers, even stitching together Shodan results ...
  • Gov.My TLS audit: Version 2.0
    Last week I launched a draft of the Gov.my Audit, and this week we have version 2.0. Here’s what changed: Added More Sites. We now scan a total of 1324 government websites, up from just 1180. Added Shodan Results. Results includes both the open ports and time of the Shodan scan (scary shit!) Added Site Title. Results now include ...
  • Sayakenahack: Epilogue
    I keep this blog to help me think, and over the past week, the only thing I’ve been thinking about, was sayakenahack. I’ve declined a dozen interviews, partly because I was afraid to talk about it, and partly because my thoughts weren’t in the right place. I needed time to re-group, re-think, and ponder. This blog post ...
  • SayaKenaHack.com
    On the 19th of October, Lowyat.net reported that a user was selling the personal data of MILLIONS of Malaysians on their forum. Shortly after, the article was taken down on the request of the MCMC, only to be put up again, a couple of days later. Lowyat later reported that a total of 46.2 Million phone numbers were ...
  • Everything wrong with TalkingPoint’s “Cybersecurity” episode
    Channel News Asia posted last week that hackers could steal your info by just knowing your phone number. Woah!! Must be some uber NSA stuff right–but no, it was a couple of guys with Metasploit and they required a LOT more than ‘just’ the phone number. The post was an add-on to a current affairs show called Talking Point, that ...
  • Cyberwar assessment of Malaysia vs. DPRK
    Would North Korea ever declare war on Malaysia? Probably not. But nothing is predictable when you’re dealing with an erratic despot who killed his own uncle with an anti-aircraft gun. Realistically though, few nations have the resources and political will, to launch a war, half-way across the world. And neither Malaysia nor North Korea is one of those ...
  • Writing a WordPress Restoration script
    WordPress sites get hacked all the time, because the typical WordPress blogger installs 100’s of shitty plugins and rarely updates their site. On the one hand, it’s great that WordPress has empowered so many people to begin blogging without requiring the ‘hard’ technical skills, on the other it just gives criminals a large number of potential ...
  • So you got hit by Ransomware
    Last Monday, I got a text message from my uncle saying his office computer was hacked, and he couldn’t access any of his files. Even without probing further, I already knew he’d been hit with ransomware and was now an unwitting victim in a criminal industry estimated to be worth Billions of dollars. After learning a bit more, I found out ...
  • Relax dear-citizen your contactless card is relatively safe—ish
    As Malaysia slowly (but surely) migrates to Chip and Pin, some banks have taken the opportunity to issue not just new Pin-enabled cards, but contactless-enabled ones as well. To be clear, Banks are only mandated to issue new Pin cards (replacing the signature cards you had before), but are taking the opportunity to also embed contactless capabilities into them ...
  • Securing your StarHub Home Router
    As with all new shiny equipment,  a newly installed router in your home requires a few things to be configured to properly secure it. Goes without saying, that you should change your WiFi password the moment the technician leaves your home, but there are other things you’d need to configure in order to secure your router ...
  • Preventing a DDOS is not going to be easy
    As a follow-up to my previous post on DDOS attacks, I’ve seen a lot of so-called ‘solutions’ to the problem, which really aren’t solutions at all. While it’s still not explicitly clear that the StarHub DDOS was executed by Mirai, a recently released malware built specifically for DDOS, the timing and similarity of it to ...
  • Internet of shitty things!
    Brian Krebs is the most reputable name in CyberSecurity reporting, his krebsonsecurity website is the best source of ‘real’ journalism on the subject. But reputation works both ways, the same thing that makes him popular in some circles, makes him unpopular in others. He’s had criminal hackers send him heroin in the mail and even have SWAT teams ...
  • The safest place for your money is under the mattress
    When I was in school, we joked about people who kept their money under the mattress, that somehow those who didn’t use banks were less intelligent than people who did. The general thinking was that smart people kept their money in the bank, where it was safe from theft, fire and flood, while still collecting interest. In the 80’s this ...
  • Michael Hayden on interesting points
    Some interesting points: Non-nation state actors now pose a significant threat to nation states Historical threats usually associated with bad nation states, can now be executed by non nation-states Industrial Era, was about a consolidation of power, in the past only the Government could run something as complex as a phone network In a Post-Industrial Era, it’s about the ...
  • Anonymity and IP addresses
    This week, I’ll put the final touches on my move from Malaysia to Singapore. So, I felt it would be a good idea to read through some Singaporean tech articles to see how tech events played out on the little red dot, and offer some unsolicited and completely useless advice on them. It wasn’t easy sifting through a boat-load ...
  • Two years on, teaching coding in schools declared a success
    KLANG: Two years on, the pilot initiative to teach coding and digital security as an SPM subject has been touted as a resounding success, and the government is mulling a move to make it compulsory by 2020. The announcement shocked parents, as out of 10,000 students who took part in the pilot program, only 10 ...
  • More security theatre
    So now, only actual travellers will be allowed into airports, and everybody else from your mother to your 3rd aunty twice removed has to say their teary goodbye at home rather than at the Airport KFC. But why? So that terrorists will now have to buy a ticket in order to blow up the airport? I can picture ...
  • Show notes for today
    Some interesting links you might want to check out during my interview on BFM today, will tidy up this list later in the week. Office of Personnel Management Data Breach (Chinese hackers breaking into US Federal Employee Databases) China arrested ...
  • This is how Pedophiles get caught
    This will easily be the most controversial blog post I ever wrote, so consider yourself warned. It’s controversial, because it touches on multiple taboos in our society, sex, child abuse and security theater. You see, there’s been a growing call for a national sex offender registry, especially in the wake of news that a British Pedophile had ...
  • The law shouldn’t rely on good behavior from Billionaires
    Gawker is the internet’s most slimy news organization, an online website that has no qualms disclosing people’s sexual infidelities regardless of the cost such disclosures have on their personal lives. So for most people, seeing WWF superstar Hulk Hogan win a lawsuit against Gawker to the tune of $140 Million dollars was a real sight for sore eyes. But when ...
  • Passcodes should be protected
    Some people are fans of medieval torture, and who can blame them. There’s just something about the sadistic treatment of people that makes us both want to watch with a bowl of popcorn in our hands, yet at the same time turn away in disgust and discomfort. How else do you explain the popularity of shows like Saw? I ...
  • Making the world safe for Technology
    On April 2nd, 1917, the President of the United States of America addressed an extraordinary session in congress, asking them to authorize America to declare war against the central powers in World War 1. Across the Atlantic, the European continent had been devastated by nearly 3 years of bloody conflict. Regardless of who started the war, President ...
  • Full Disk Encryption with the keys inside
    Nobody really knows how the FBI is hacking into iPhones. Well nobody, except Cellebrite and the FBI themselves. We can safely assume that the underlying crypto wasn’t hacked–that would be truly catastrophic for everyone’s security, and way above the pay grade of a company like Cellebrite. So we have to conclude that somehow the FBI has managed to trick ...
  • When bad advice comes from good people
    What happens when a government agency tasked with providing cybersecurity “guidance” and “expertise” gives you advice like “avoid uploading pictures of yourself to avoid the threat of black magic”? And then goes into damage-control claiming that it “was just a casual remark and did not represent the federal agency’s official position on the matter”,  only to follow-up with ...
  • Security vs. Liberty : Sometimes it’s security and liberty
    A public service announcement from our good friends at the FBI, warns that motor vehicles are increasingly vulnerable to remote exploits, which in the wake of the bad-ass research from Chris Valasek and Charlie Miller shouldn’t be shocking. What struck me, is that the security advice the FBI is offering drivers was identical to the advice cybersecurity experts have been ...
  • FBI vs. Apple : Everything you need to know part 2
    The Apple vs. FBI story has evolved so much in the past weeks, I thought I needed to write a separate post just on the updates. Admittedly, the story is far more complex and nuanced than I initially presumed, and everyone wants to be part of the conversation. On one side, we have the silicon valley tech ...
  • The miners dilemma – Bitcoin sabotage can be profitable
    Imagine a small village of a 100 people. One day,  a sorcerer shows up,  and grants all the villagers magical 1000-sided dice, which are purely random and can only be thrown at a fixed rate of 1 throw per second (no faster & no slower). Over the next year, at noon of every day, the sorcerer will announce a random number ...
  • Apple vs. FBI: Everything you need to know
    A judge in the US has ordered Apple to provide ‘technical assistance’ to FBI, in creating what some (but not all) cybersecurity experts call a backdoor. In the few years I’ve written about these issues, I’ve never seen anything as hotly debated as this one, across the folks from digital security to foreign policy all coming down ...
  • Keith’s on BFM Talking about spyware–again!!
    Today, I was on BFM talking about Hacking Team, the audio for which is below, and more comments and thoughts below that. This is my last ditch attempt to get a conversation started about the use of surveillance software by ...
  • Forcing journalist to reveal sources will be bad–for the government!
    Our spanking new, hand-picked Attorney-General is proposing life imprisonment for journalists who refuse to reveal their sources. And surprisingly, my favorite Member of Parliament, Dato Azalina Othman, has supported the move, saying it was ‘high-time’ Malaysian did something. Fortunately, some calmer more rational heads, like Dato Paul Low have criticized the A-G for his short-sighted stupidity. Putting aside ...
  • Being Terrified: The price of terrorism
    Next week, I’ll be on BFM for an interview about spyware, which will be my last Hail Mary play to get a conversation started about the use of surveillance software by the Government. If a radio interview on a popular station won’t do it, nothing on my blog will possibly be able to anyway 🙂 In ...
  • Questions we need to ask about spyware
    If you believe (as I do), that the government bought spyware, then here are some pertinent questions Question 1: Do these government agencies actually have investigative powers? While the police might have the legal authority to investigate someone, does the PMO, MACC or anyone else share that authority. If a government agency has no right to investigate ...
  • PMO purchases of Hacking Team software
    The Prime Minister’s Department has denied (twice!) that it has ever procured surveillance software from Hacking Team. Even though hundreds of e-mails in the leaked Hacking Team archive point to it. In the latest rebuttal, Datuk Azalina distanced her Ministry from other government agencies, encouraging reporters to seek official statements directly from other agencies accused of ...
  • The Government doesn’t buy spyware–yea right!
    The Government has denied buying spyware from Hacking Team, they really should have checked with me before issuing the statement. On the 23rd of November 2015, Datuk Seri Azalina Othman Said denied that the Malaysian government had procured spyware from Hacking Team. In a formal response (in Parliament!!), the Minister simply stated “For your information, no such ...
  • The PM’s year end cyber-security message
    From: [email protected] Sent: 23 Dec 2015 To: [email protected] Subject: Cybersecurity Year end message. *This message is intended for all Malaysian Government servants only, do not forward without prior approval* Greetings and Salam 1Malaysia. I want to use this year-end as an opportunity to discuss the important topic of Cybersecurity. This year was interesting for me personally, and for all Malaysians, and we need ...
  • Hackers and terrorist
    There is no greater danger of tech illiteracy, than the way we treat hackers. A society that doesn’t understand technology will view those who can manipulate it as wizards and sorcerers. Technology sufficiently advanced is indistinguishable from magic, and to most people that bar of being ‘sufficiently advanced’ isn’t set very high. The magic analogy is apt, ...
  • Chip And Pin : An intro for Malaysians
    In 2016, Chip and Pin will gradually be introduced in Malaysia, that means your Credit Cards now will prompt you for a PIN instead of signature during purchases. This will be a bit of a hassle, but it will be worth it,  here’s what you need to know about it and credit card transactions in ...
  • The problem with bio-metrics
    Passwords have always been a problem. For a password to be adequately secure, you need a certain amount of randomness (or entropy in geek) associated with the password to ensure it can’t be easily guessed. The password monkey is less secure than the password k3ithI$one$3xydev1l, but the latter is inherently harder to remember (although still very true). Remember ...
  • Ransomware
    By now, you either know someone that’s been a victim of nasty malware or have yourself been on the business end of nefarious software. The perpetual duel between security companies and malicious elements in cyberspace has changed dramatically over time, and no change has been so dramatic as the rise of a new type of threat, ...
  • Hacking Government, Malaysian Style
    The simplest definition of a hacker, is someone who breaks systems. We tend to equate systems to computers, but that’s a limited definition of the term. A system can also refer to a legal system or a set of processes that have nothing to do with technology. For example, lawyers often hack around the law, looking ...
  • How corporations lie to the technologically challenged
    Two weeks ago, Lowyat.net published a ‘challenge’ to their readers, one that would supposedly pay a cool RM100,000 to the winner. All you had to do was decrypt an AES-256 encoded blob of code (more accurately referred to as ciphertext). As expected, no one won. Because breaking that ‘military-grade’ encryption is beyond the capability of most normal human ...
  • Why we fear ‘hackers’: Dangers of Technical Illiteracy
    Are you afraid of Hackers? Do you lie restless at night thinking of what might happen if they got into your bank account, Facebook profile, or e-mail? Perhaps you’re also worried that they might hack into a forum you visit, or that they might get into your personal messages on WhatsApp. It’s true that hackers ...
  • Hacking Team got Hacked, and here’s what Malaysia Bought
    There are two types of governments in the world, Those that build complex surveillance software to spy on their citizens, and those that buy them–and our government is more the buying type. Few nation-states have the budgets to build out complex surveillance software, but some are finding that ‘off the shelf’ software sold by dodgy companies are just ...
  • The technological effects of SOSMA and POTA
    The new Prevention of Terrorism Act (POTA) in Malaysia should not be considered in isolation but rather in the context of the 6 other anti-terrorism Bills that were concurrently proposed. All of these new laws, will almost certainly come into effect, thanks to the whip system employed by the ruling party. Yet the laws violate ...
  • FireEye: Group spied on Malaysia for 10 years
    The team over at FireEye threat intelligence published a special report (pdf) detailing a long-running (and still on-going) cyber-espionage operation that has targeted multiple entities in ASEAN countries, including Malaysia. The program was reported to be running for more than a decade, and the sustained period coupled with the list of targets the program had, led FireEye to ...
  • Worked Example: iPhone PIN Hack
    Last month, a company called MDSec released a video detailing how they managed to brute force hack an iPhone PIN lock. Pretty sweet piece of work, but I thought this would be a good example to understand how hacks work, and how hackers think. What is a hacker First off, we need to define what a hacker ...
  • The Snowden Revelations
    It’s now almost two years on, since that fateful day at the Mira Hotel in Hong Kong when Edward Snowden divulged secret NSA documents detailing unlawful and on-going spying programs carried out in the name of security. Sure we knew the government had ‘a’ spying program, and we’ve all seen Hollywood movies with fictional technology that allowed governments ...
  • Secure Apache configuration for WordPress & SSL
    Recently I moved the hosting for keithRozario.com from a regular hosted platform called WPWebhost to my own Virtual machine on digitalOcean. The results have been great, but the migration process was a bit tedious and took some effort. I thought I’d share my Apache configurations, so that if you’re thinking of hosting your own WordPress site on ...
  • Jho Low uses Gmail? Why emails can’t be considered evidence
    As the 1MDB fiasco begins to simmer over the political stove, I wanted to inject some technical information into this discussion, specifically around emails and how they’re almost useless pieces of evidence. Just to make sure everyone’s on the same page, here’s some context. In early March 2015, sarawakreport.org, a website run by investigative journalist Clare Rewcastle-Brown together ...
  • What happened in the MAS hack. All questions answered, one question asked.
    Late in January the Malaysian Airlines website was ‘supposedly’ hacked by Lizard Squad. You  might remember Lizard Squad as the guys who ‘hacked’ the XBox and Play Station network over the Christmas holidays, and I’m using a lot of ‘quotes’ here because Lizard Squad didn’t really ‘hack’ XBox One or Playstation, they merely DDOS-ed the ...
  • How to determine your Unifi router MAC ID
     Step 1: Logon to your router To logon to your router, fire up your web-browser (Chrome, Firefox, Safari–even Internet Explorer will do).  In the address bar where you usually type www.google.com type http://192.168.0.1 (sometimes it’s http://192.168.1.1 ) or just click the link. Once there enter the username and password of the router. If you’re uncertain try any one ...
  • Can Malaysia be Land of the Free and Home of the Brave
    As we come to terms with the terrible events that occurred at the offices of Charlie Hebdo, I think we need to be cognizant of  what these attacks really mean, and how our response to these events (even in far away Malaysia) has severe repercussions on our future. As a Blogger and Techie, I’m 100% for ...
  • Maxis Forum needs an upgrade
    Yesterday I Googled something about maxis that took me to a forum.maxis.com.my link. Unfortunately, Firefox wasn’t happy with Maxis, because I got the following screen: Firefox is the first of the mainstream browsers to end support of SSLv3, ever since Poodle was published. For those of you who aren’t keeping tabs of security issues–Poodle was a ...
  • Streamyx forced ads (202.71.99.194)
    A couple of days back, I was at my in-laws doing some browsing on their PC. Now my in-laws have a Windows XP laptop, that isn’t secured, which is fine because as far as I can tell, I’m the only one that uses it. Most of them now go to their phones or tablets for ...
  • Malaysian Government Hacked Environmental website?
    Environment News Service, an environmental focused news website this week accused Malaysian government hackers of attacking it after it ran a story implicating Sarawak governor Tun Abdul Taib Mahmud of corruption and graft. As a result, the site was down for 2-hours, before the site managed to regain control. “The attack on our site came from a Malaysian ...
  • ATM Hacks are so bloody boring
    Last week, while I was flying from KL to London, I noticed a strange anomaly on the screen of the boarding gate at KLIA. Closer inspection revealed that it was an anti-virus warning that signaled the computer had been infected by a Virus (almost 2 days ago!!). As a techie, I quickly deduced 3 things ...
  • A Techie’s view on the Law
    Are some laws worth following–in other words, are some Laws so idiotic that they should be ignored completely? That sounds anathema, because we have a romanticized definition of the law, we define the Law as a broad general agreement a society undertakes, and the law keeps society from tearing itself apart. In other words, the law is so sacred ...
  • Nearlyfreespeech the hosting provider that takes security seriously
    You all know how much I love nearlyfreespeech, it’s one of the best hosting providers out there. Here’s one more reason, recently they alerted me to a suspicious number of login attempts to my WordPress site, which usually means someone was trying to hack it. If you remember the post I did about the RHB bank ...
  • Who are you trusting online?
    When you get behind the wheel of your car, and hit the road–you’re implicitly trusting every other road user to play by the rules. You trust no one will go out of their way to crash into you, or that no one would swerve into you for an insurance claim, you even trust that pedestrians won’t ...
  • RHBNOW Email: Intricate details of a Phishing scam
    Last month alone I’ve received 6 phishing emails asking me to change my RHB banking password. I always wondered what would happen if I’d actually clicked on one of the links in the email–and today I did just that. Immediately I was transported to a dodgy world of sophisticated deception, and soon realized this was far more complicated than ...
  • Seatbelts and Anti-Virus software increase your risk
    There’s evidence to suggest that mandating seat-belts actually increases the accident rate in a country. The hypothesis is that drivers are  likely to take more risk in cars with visible security features like seat-belts than in cars without these safety features. Ironically feeling safe–is the most dangerous thing drivers are at risk from. In addition because car drivers ...
  • Malaysia boleh: 3 countries, 3 card-skimmers, all Malaysian
    On April 28th, 4 men were caught for installing card-skimming devices on ATM cash machines in Bangkok Thailand. They were all Malaysian. On the 14th of May, 6 men were caught for installing similar devices in ATM machines in Jakarta Indonesia. They were all Malaysian. On the 8th of June, 2 men were convicted in Singapore for ...
  • The right to be forgotten
    The truth is we all have something to hide–secrets we wished the world would never know. A political stance we once had, a video of ourselves after too many drinks, or even just a sentence we once uttered at a party somewhere. If you think you’ve got nothing to hide–you should think harder. So, when European Court ...
  • TrueCrypt is dead, long live ….bitlocker?!?!
    The understatement of the month would be calling this a peculiar moment. This is far from peculiar–this is straight-up WTF?! My favorite encryption software, TrueCrypt, has been abruptly and mysteriously shut-down (cue dramatic music!!!). The official TrueCrypt website now only has some information on ‘alternatives’ and offers the following advice. WARNING: Using TrueCrypt is not secure as it ...
  • WTF is a bitcoin?
    WTF is a bitcoin? There’s much ado over the digital currency and many people struggle to understand what it is. In fact, even I haven’t fully grasped the fundamental nature of how it works–but then again I don’t know how the banking and fiat currency system work, yet I still use it. In essence, there’s been ...
  • Heartbleed explained in under 2 minutes
    Well maybe that’s an exaggeration, it’s actually 2 minutes and 1 second!
  • What kind of Porn do Malaysians watch
    Let’s be honest–Malaysians watch a lot of Porn. On the outside, we may espouse our ‘Asian’ values and culture, but the cold-hard data suggest we’re as horny as the Japanese. In one of my past posts, I showed how we have evidence of someone using the Government internet connection to download porn. Today however, PornMD the self-proclaimed ...
  • How to prevent your Unifi account from being hacked
    OK….I made a boo boo! Actually my method of ‘hacking’ the Unifi modems has a ridiculously simple work-around. Unfortunately, when I published the findings I was absolutely convinced the workaround didn’t work–I was wrong 🙁 Details about how I was misled are unimportant for now (although I will explain it later on), for now I think the ...
  • How I hacked 4 Unifi accounts in under 5 minutes
    So I was wondering if I should publish this, but I guess I have to. If you’re one of the 500,000 Unifi subscribers in Malaysia, you need to know that your stock router–is completely hackable. TM has left you literally hanging by your coat-tails with a router that can be hacked as easily as pasting ...
  • Of pirated software and vaccinations
    Here’s a quick question–do you have an ‘original’ version of Windows running on your PC or is it pirated? If you’re like me, then obviously you’ve learnt long ago to only use original versions of software–especially when it’s the operating system of your PC. Of course, I wasn’t always like this, back in my university days, ...
  • CCTV in toilets vs. Photos on facebook
    Wedding dinners in the Klang Valley, can only be called wedding dinners if they have at least 3 video presentations, one of photos of the couples on their ‘pre-wedding’ shoots, one for their ‘wedding-day’ shoots and of course the ever popular ‘story of our life’ montage–where the couple walk you through photos of their childhood ...
  • Best VPN for Malaysians : Privateinternetaccess
    As you’ve probably gauged from my recent bout of paranoia, I’m a bit of a security-freak. My PC at home, not only runs an original version of Windows (something rare in Malaysia), but also multiple anti-virus and anti-malware suites, not to mention using EMET for even more security and a software firewall to boot. So it ...
  • Asus N12 HP: The best Unifi replacement router?
    Update: 20-July-2014 Since writing this post, my 1-year old Asus router began experiencing issues with its WiFi. My devices couldn’t connect via WiFi, although the wired-Ethernet connections were fine. I called up Asus and they confirmed that my router was still under warranty, however I tried sending it to the many service centers listed on their ...
  • Hack TM Unifi: In case you’ve lost your default password
    There’s a lot of documentation online on how to hack your neighbour’s Wi-Fi, but sometimes you need to hack your own system. Usually it’s because you’ve changed your router password and forgot it completely, leaving you in the cold desolate place we like to call “No router land”. Don’t fear though, it’s actually pretty darn easy ...
  • The Security Offences Bill 2012 -Technology Perspective
    The Security Offences (Special Measures) Act 2012 and its new amendment, that wonderful piece of legislation meant to repeal the archaic and ‘draconian’ ISA, may turn out to be even more archaic and draconian than the ISA it was meant to replace. While much of the legal fanfare has been focusing on the detention without trial sections of ...
  • How Computer Security Research works: Facebook 20,000 prize
    In the early days of public computing, researchers who discovered vulnerabilities would quietly tell the product vendors so as to not also alert hackers. But all too often, the vendors would ignore the researchers. Because the vulnerability was not public, there was no urgency to fix it. Fixes might go into the next product ...
  • .my domains hacked: Why SSL is more important than ever
    MyNic is the organization responsible for managing the .my Top Level Domain, which means every website address that ends with a .my is under their administration. These centralized control centers act as giant targets for hackers, but for the most part, they’re protected better than Fort Knox–or they should be. Yesterday, a hacker going by the ...
  • Should the government use Microsoft products?
     I don’t think the US government should use operating systems made in China for the same reason that most governments shouldn’t use operating systems made in the US and in fact we just got proof since Microsoft is now known to be telling the NSA about bugs in Windows before it fixes them. -Richard Matthew ...
  • Part 3: PRISM and Upstream
    Initially I wrote about PRISM and how a lot of people felt it was a tool to intercept communication in flight to companies like Google and Facebook, however slightly more details have emerged to debunk that claim. However, it’s of paramount importance that we understand what people are saying. No one is denying that communications aren’t ...
  • PRISM and Tempora
    As Edward Snowden begins to look for more ‘accommodating’ countries who wouldn’t mind playing host to a man that currently is more wanted than Osama bin Laden, Saddam Hussein and Kim Kardashian combined, more details slowly begin to emerge about PRISM, painting an ever clearer picture of the extent of the program both Stateside and ...
  • How secure are the webpages of Malaysian Banks and Telco
    I’ve almost been fascinated by the fact, that our money in the bank these days are secured not by steel doors or armed guards, but rather by cryptography and the encryption keys that enable them. To put it in the simplest form your money in the bank is protected by a number–that’s what an encryption ...
  • What is PRISM?
    There’s a controversy brewing in the land of the free, one that will have implications for Americans, but also Malaysians and nearly every citizen of the world. We may look back at the moment Mr. Snowden leaked controversial (and ugly) slides about a program called ‘PRISM’ as the start of a pivotal moment in internet ...
  • Security Offences Bill vs. Universal declaration of Human Rights
    This is what Article 12 of the Universal Declaration of Human Rights says: No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks. This is what security offences bill ...
  • Can you out-tech the government?
    Over the past years we’ve seen a recurrent theme where Government agencies were attempting to curtail internet freedom in the name of ‘keeping the peace’. From Saudi telcos threatening security experts to help them hijack tweets to governments procuring tools like Finspy to spy on their citizens–usually without any warrant or legal oversight. We’ve seen ...
  • Microsoft is eavesdropping on your skype conversations
    The guys over at H-online reported recently that they have some pretty good evidence that good ol’ Microsoft is eavesdropping onto your Skype conversations, and the results are pretty damning. The method for detecting those sneaky little eavesdroppers was pretty ingenious though. The researchers sent two urls in their skype messages to each other. The urls ...
  • What is Finfisher capable of
    Heard about the latest allegation accusing the Malaysian BN government of using Finfisher on its own Citizens? Well that allegation is true–to me at least, and here’s a taste of what Finfisher can do in the hands of the government.
  • Telekom Malaysia is censoring the internet prior to GE13
    I’m not a usual fearmonger, or a person who panics easily–yet your friendly local tech evangelist has a warning for Malaysian users out there. Unifi is censoring the internet in the run up to the hotly contested GE13–and that’s what the data suggest. You heard that right folks, some of you suspected all along, and I ...
  • Malaysian Cyberwar: Is it an external war or is it civil
    A really piece written by Asohan Aryaduray on DigitalNewsAsia some time back talked about how the CyberWar between Malaysia and the Philippines was going on, and how he wanted government agencies to step up the security of our digital assets (or at least start the discussion). Asohan claims that Malaysia perhaps has “the most number of government ...
  • Malaysian government using spyware against citizens? No, not really.
    I’ve been pretty busy the past few months, and my post count has been pretty low, and although I just returned from a 2 week trip abroad and am now flushed full of work, I decided to burn a bit of the midnight oil today because the Malaysian Insider completely pissed me off. It all started ...
  • Evidence Act: Anonymity before the internet
    I read a brilliant article on the Evidence act by Zul Rafique and Partners that I think everyone should read. In it, the author compares the newly amended Evidence Act (supposedly amended to combat the evils of the internet) to a sub-section of the original act meant to look into telegraphs. Now I must admit, ...
  • Evidence Act Technological Misconceptions: A response to Rocky and Fatimah
    The government has finally ‘relented’ and now wants to ‘discuss’ section 114A of the Evidence act 1950. Now it’s great because it proves beyond a shadow of a doubt that: 1. The internet can be used for fantastic good. 2. The general Malaysian public can make a difference in the governance of the country. My website also had ...
  • Internet Privacy with TOR: Should the internet be anonymous
    It’s an irony that while the internet was the first place you could create avatars and split personalities to impersonate others, it has now turned into a free for all buffet for private data. I previously shared on how the ads you see on facebook were inherently tied to the Google searches you perform, and ...
  • Scary Scary Privacy Concerns Online
    Would you get freaked out if I told you that from just 1 hour of internet browsing, your information could be shared with nearly 70 organizations, including advertisers who use it to target ads to you. Would you be angered if this information were sold to other 3rd parties including insurance providers and even governments to ...
  • How come the ads you see look like your previous searches?
    Ever wonder how come the ads you see on Facebook or Malaysiakini reflect the searches you just recently made. Ever felt freaked out about it, there really is nothing to freak out about, unless of course you’re worried that a Multi-Billion dollar company may be keeping information about your searches and sharing them with ad ...
  • Google Trust Issue
    I remember graduating from university and heading over to Intel for my first job interview. I can’t remember most of the interview (and maybe that’s why I never got the job), but I do remember telling the interviewer my dream was to work for Google, in hindsight I probably shouldn’t have said that. Even then, and ...
  • First xxx domain hijacked : Popebenedict.xxx
    The first (of probably many) xxx domain hijacks have started springing up. Earlier today, a reader contacted me about a recent post I did on the .xxx domains. He mentioned that he spotted popebenedict.xxx in the wild and was curious if this was the first .xxx domain hijack. He may be right, but in a post ...
  • YTL has the most ridiculous Acceptable Use Policy
    YTL Communications has been doing a pretty good job recently. The Star even went as far as claim that “YTL Comms to Break Even” until of course you read the article in which case it mentions that YTL requires an additional 500,000 subscribers on top of its current 300,000 to achieve that. However, it did ...
  • Good Design: Google reminds you that you recently changed your password
    A couple of weeks back, Dreamhost reported a security breach on its servers, so I thought for security’s sake I should change my passwords as well. I’d been using the same password for the past couple of years and it was time for a change anyway. However, as most of you will notice, whenever you’ve just ...
  • WordPress 3.3.1: security vulnerability fix, Thanks to Go Daddy?
    WordPress 3.3.1 was released today. This latest version of WordPress comes fresh off the heels of the 3.3 release and fixes 15 issues including a security vulnerability fix which WordPress doesn’t fully disclose. WordPress admins should see the prompt to update their blogs, and an update can be done fairly quickly via the automated update from ...
