comments 2

Relax dear-citizen your contactless card is relatively safe—ish

As Malaysia slowly (but surely) migrates to Chip and Pin, some banks have taken the opportunity to issue not just new Pin-enabled cards, but contactless-enabled ones as well.

To be clear, Banks are only mandated to issue new Pin cards (replacing the signature cards you had before), but are taking the opportunity to also embed contactless capabilities into them as well. After all they’re already issuing new cards to every (single!) card holder, might as well get them on the contactless bandwagon while they’re at it.

The reason for being so gung-ho about contactless is purely economical. Research suggest that the easier payment methods become, the more money people are willing to spend. People with credit cards spend more than people with just cash, and 0% interest schemes have been a godsend to retailers. Contactless payments, which don’t involve cumbersome Pins or signatures, are clearly the next evolutionary step, with one research paper suggesting they increase customer spending by nearly 10%.

Banks make money from small percentages per transactions, the more transactions at higher amounts, the more money they stand to make. So if an extra dollar worth of electronics in a contactless card increases revenue by 10%–why not?!

Pins are for security, Contactless is for convenience

But while PINs are a security feature, contactless is all about convenience. And conveniences trade-off security, so it stands to reason that contactless cards are less secure than regular ‘contact’ ones.

The question is whether that trade-off is worth the increase in convenience. After all, nothing is absolutely secure, and in today’s criminally infested internet, keeping your money under the mattress is safer than keeping it in a bank–but nobody does it because the mattress would be too inconvenient.

So what convenience are you getting with a contactless cards?

For one thing, no more waiting for a receipt printout to sign on, or bending down to an inconveniently placed pinpad to type in your PIN. Plus, for someone with gigantic fingers like me, I jump on the opportunity to avoid having to fidget with pinpads that must have been designed for dwarf children after they’ve been struck by the ray gun from Honey I shrunk the kids.

But that’s about it–the only convenience contactless cards provide is that you can do contactless payments–up to a specified amount.

The question now is what security trade offs are you making for this remarkable feature?

comment 0

Facebook giving China a censorship tool?

The New York Times reported this week that Facebook has ‘quitely developed’ a censorship tool, specifically for the Chinese government to suppress content on their platform. The piece writes:

“the social network quietly developed software to suppress posts from appearing in people’s news feeds in specific geographic areas, according to three current and former Facebook employees, who asked for anonymity because the tool is confidential. The feature was created to help Facebook get into China, a market where the social network has been blocked, these people said. Mr. Zuckerberg has supported and defended the effort, the people added” – New York Times

The report goes on to say, that Facebook intends to grant that capability to a 3rd-party, who will “have full control to decide whether those posts should show up in users’ feeds“.

In short, they’re creating a censorship on demand for China, in exchange for access to the worlds largest market.

Censorship in an encrypted world

While Facebook have neither confirmed nor denied this, this will give China special priviledge to the platform, one that no other nation currently has. Today, most governments face an all-or-nothing approach to censorship on encrypted sites like Facebook, Google and Wikipedia. China famously censor of all Wikipedia on days leading up to the anniversary Tianamen square massacre, simply because they have no ability to censor specific pages.

If I were browsing for chicken curry recipes on Wikipedia, while you were researching political dissent on the same site, our traffic would look identical to anyone ‘sniffing’ along the line. These ‘in transit’ censorship attempts are failing, and for Governments like China, a ‘block the whole damn thing’ approach is the only alternative.

This new tool however, will grant them granular control, to block specific posts and news on the social network,because the censorship now will occur at source, rather than in-transit. It is a radical shift in the way censorship will be performed on the internet, not just in China, but across the world.

It’s also worthwhile to note, that other governments have tried these ‘all-or-nothing’ approaches as well, including Brazil who famously blocked all of Whatsapp (also owned by Facebook) for 72 hours, because a Judge was ‘unhappy’ that Whatsapp responded via email and in English. Fortunately for Brazilians, the ban didn’t last that long.

Whatsapp is a private communications tool, and Facebook is a social network–the similarity is that they both use encryption and this is problematic for governments. In the case of Whatsapp, the two ends of the encrypted channel belong to users, and Whatsapp would be unable to provide any content of communications within that channel–even if it wanted to. In the case of Facebook, since one end belongs to the company–it is able to provide some control.

But I’m digressing. Let’s get back to Facebook and censorship in China–but first let’s take a look at Facebook.

comment 1

Securing your StarHub Home Router

As with all new shiny equipment,  a newly installed router in your home requires a few things to be configured to properly secure it.

Goes without saying, that you should change your WiFi password the moment the technician leaves your home, but there are other things you’d need to configure in order to secure your router against common attacks.

Now remember, even if you follow all the advice on this post, there’s a strong chance that you’d still be hacked somewhere down the road–especially if you’re relying on a crappy consumer grade router, but taking these precautions raises your security level above the general population, giving you an edge over everybody else, and sometimes the difference between being hacked and staying safe could be one simple configuration on a router.

For this post, I’m going to use the standard Dlink 868L router that StarHub gave me when I signed-up for their 1Gbps package. While the post is specific, the general principles still apply to any router you own.

Step 1: Logon to the router

Goes without saying, all changes have to be made on the router itself. The good news is that all general purpose routers like the Dlink-868L come with a web interface, i.e. the router host a website on your network that you can use to change settings.

Fire up a browser like Chrome or Firefox (God forbid you’re on Internet Explorer), and point the address bar to and you ‘should’ come to the router homepage (image below). If not, try the other possible addresses, like or, if none of those work, you’ll need to go to your ipconfig on your local windows client to determine the ‘gateway’ ip address of your router.

Once there, you’ll see the following screen. For most StarHub customers, just logon with the admin user and leave the password field blank–as in don’t enter anything for the password.


comment 1

Preventing a DDOS is not going to be easy

As a follow-up to my previous post on DDOS attacks [1,2], I’ve seen a lot of so-called ‘solutions’ to the problem, which really aren’t solutions at all.

While it’s still not explicitly clear that the StarHub DDOS was executed by Mirai, a recently released malware built specifically for DDOS, the timing and similarity of it to other Mirai attacks leave little room for doubt–at least to me.

If indeed, StarHub was a victim of a Mirai based attack, it would seem extremely odd that their CTO would reference phishing emails as a vector for infection. So a few things don’t quite line up here, including the advice from the CTO to change the default username and password, when Brian Krebs already reported that doesn’t quite help:

Several readers have pointed out that while advising IoT users to change the password via the device’s Web interface is a nice security precaution, it may or may not address the fundamental threat. That’s because Mirai spreads via communications services called “telnet” and “SSH,” which are command-line, text-based interfaces that are typically accessed via a command prompt (e.g., in Microsoft Windows, a user could click Start, and in the search box type “cmd.exe” to launch a command prompt, and then type “telnet” <IP address> to reach a username and password prompt at the target host).

The trouble is, even if one changes the password on the device’s Web interface, the same default credentials may still allow remote users to log in to the device using telnet and/or SSH.

If you’re more technically inclined, I strongly suggest listening the feature interview on last week’s risky business podcast.

But the last piece of advice that the StarHub CTO gave, that didn’t make sense to me at all was this:

“If you were to buy a webcam from Sim Lim Square, try to get a reputable one”

Again, this may seem like good advice, but it doesn’t conform to the evidence. Brian Krebs has a list of devices that are hack-able, and they include the likes of Panasonic, RealTek, Samsung and Xerox. All of which regular consumers would consider ‘reputable’.

So StarHub claimed that you should change your passwords–but doesn’t protect you from Mirai.

StarHub claim that you should buy equipment from ‘reputable’ suppliers, but even reputable suppliers produce hackable IOT devices, that can’t be secured.

Finally StarHub are going to be sending technicians out in the field to help subscribers, and while this is laudable, it’s not a sustainable solution. It only fixes a short-term problem, because as long consumers continue to buy hack-able IOT devices, the threat isn’t going to go away.

And how often can StarHub afford to send technicians to make home visits before the cost start becoming un-bearable?

The way to view this issue is from a legal, economical and technical perspective–and in that order.

comment 0

How the StarHub DDOS (possibly) happened

starhub-dns-attackCustomers of Singaporean ISP StarHub, suffered two major disruptions to their service over the past week, in what the telco said was a result of a “intentional and likely malicious distributed denial-of-service (DDoS) attacks”.

Oh the humanity!!

In what appears to be a copycat of the Dyn attack we saw (at roughly the same time), the attack signals the first local salvo in the war of IOT devices. But is it really that serious?

If you’re wondering what the hell happened, let’s walk this through step-by-step, from the attackers perspective.

comment 0

Internet of shitty things!

b66b95478fBrian Krebs is the most reputable name in CyberSecurity reporting, his krebsonsecurity website is the best source of ‘real’ journalism on the subject.

But reputation works both ways, the same thing that makes him popular in some circles, makes him unpopular in other. He’s had criminal hackers send him heroin in the mail and even have SWAT teams descend on his home with guns all blazing (in a phenomenon called swatting!). Reporting and exposing underground cyber-criminals comes at a price, you don’t piss of darknet crime lords without taking a few hits along the way.

The problem though is when those ‘few’ hits, turn into a hurricane of web traffic aimed at your server, because that’s exactly what descended on Krebs’ server late last week, when krebsonsecurity was hit by an epic DDOS attack

DDOS is an acronym for Distributed-Denial-of-Service, which basically means forcing so much web traffic to a single website that it eventually collapses–making it unable to provide services to the ‘real’ visitors of the site. All websites run on servers with finite capacity, DDOS attacks are about sending enough traffic to those servers that they eventually exceed that capacity.

But this DDOS was different, and krebsonsecurity will go down in history as the Hiroshima of this type of DDOS. But nuclear weapons only had Hiroshima and Nagasaki, krebsonsecurity will be the first in a Looooong line of DDOS attacks of this scale.

So what makes this attack so different as to merit it’s own class? Well 3 things.

comment 0

Hotline Jais is a terrible idea!

Jais recently launched anew mobile app to allow the public to easily report any crimes that contravene syariah laws.

Obviously there’s social and legal implications here, which I won’t go into, but we need to understand just how stupid this idea is.

When you ask amateurs to give you security, what you eventually end up with is amateur security.

It’s the reason why Maths professors from Ivy league universities are wrongly profiled as terrorist, or why breast milk is incorrectly identified as explosive substances on planes, why it doesn’t take an evil genius to break into your gated and guarded housing project. Security is hard, and if you entrust into the hands of amateurs, things don’t end well.

Having a ‘app’ where people can report anything that contravene’s their morality is a sure-fire recipe for disaster, and I don’t think Jais have the infrastructure nor the processes to fully receive all the complaints and run a proper check on each of them.

And when it has real legal implications for Muslims (even non-Muslims), then they need to take that shit off the Playstore.

Link here.

comment 0

All you eggs in one basket

Is it wise to use an online password manager? After all, putting your passwords on the cloud seems like a really dumb idea.

But I use password manager because while storing stuff on the cloud may present risk, it’s far riskier and dumber to re-use passwords.

Why you need a password manager?

Despite the sexiness of zero-day exploits and hardcore state-sponsored hacking groups we see on the news, the number one way the average person gets hacked is through password compromise (boring!). That’s when hackers guess, or somehow figure out your passsword, and then use it to access the various online services you subscribe to.

Most people downplay the risk of this happening, ebcause they think they’re not rich enough, or famous enough to be the target of hackers. But in an era, where hacks compromise millions of accounts, and hackers can automate exploits to run on cheap cloud servers from Amazon–you’d be surprise what hackers consider a worthwhile target.

But how do hackers get your password?

On occassion they actually guess it, ala ‘the fappenning’, but more commonly they get your passwords by hacking other services. Shockingly, sometimes the easiest way to get your Google password is to hack dodgy forums, and insecure chat rooms that litter the internet.

comment 0

The safest place for your money is under the mattress


When I was in school, we joked about people who kept their money under the mattress, that somehow those who didn’t use banks were less intelligent than people who did.The general thinking was that smart people kept their money in the bank, where it was safe from theft, fire and flood, while still collecting interest.

In the 80’s this was a compelling argument, when interest rates were high and banks really did provide security,but is that thinking still applicable today?

In June of 2000, Maybank launched their ‘new’ internet banking platform, Maybank2u, which allowed their customers to do their banking online, outside of traditional branches or even ATMs. Few years later, it begun offering online purchases and soon after the mobile app was launched.

But while online banking platforms brought convenience, they also introduced new security threats — and it wasn’t clear whose job it was to secure against those new threats, and who would be liable for inevitable financial losses.

Was it going to be bank who assumed liability, just like they did before, or would it be the account holder, or possibly a mixture of both?

The answer depends on who gets attacked, because not all attacks are equal.

Not all attacks are equal

There’s two types of attack, one where the bank itself is attacked, and another where the account holder is targeted instead.

When someone walks into a bank  with the threat of violence, and walks out with $30,000 of the banks cash, the bank absorbs all the loses. After all, that’s why your money is in their safe and not under the mattresses.

507d7acb92f46ed8d8779be14e3f2051But there exist another class of attack–customer impersonation, where the attacker isn’t threatening violence or even ‘attacking’, but trying to fool the bank into believing they are the rightful account holders. In other words, the attacker is trying to impersonate you, to get to your money.

And in the digital world, customer impersonation is far more common. Consider the case of ATM fraud.

ATMs identify a user by verifying their ATM cards, and then prompting them for the PIN. More specifically, the ATM first authenticates the inserted ATM card (is this card real?) and then proceeds to ask the user for the PIN (is the person the accountholder?), once an ATM is satisfied, it then proceeds to grant the user access to the account.

Hence if an attacker managed to steal your card and knows your PIN, the ATM has no way to differentiate between you and the attacker. Anyone could take your money from your account, by just having your ATM card and PIN, in contrast robbers attacking a bank would simply be taking the bank’s cash…not yours.

Credit Card fraud is another prime example, but at least in Malaysia end customers have their liability capped at RM250 provided they report their lost cards in a ‘reasonable’ amount of time. For debit cards and ATM cards are not protected in the same way. Which is strange because the poorer sections of society who need more protection usually have debit instead of credit cards.

But even credit card users need to be wary, because changes in the liability model are bound to happen when we introduce Chip and Pin. (read more here)

To summarize, customer impersonation isn’t the same as a bank robbery, when the bank issues you credentials (like PINs, passwords or ATM cards), the responsibility to secure those credentials are yours–and if those credentials are compromised, then you’ll have to shoulder some of the financial losses as well.

comment 0

Michael Hayden on interesting points

Some interesting points:

  1. Non-nation state actors now pose a significant threat to nation states
  2. Historical threats usually associated with bad nation states, can now be executed by non nation-states
  3. Industrial Era, was about a consolidation of power, in the past only the Government could run something as complex as a phone network
  4. In a Post-Industrial Era, it’s about the decentralization or power–today, modern economies privatize and decentralize important things like the phone network. (my comment: The internet is the epitome of this, a fully decentralized network controlled by no one single entity)
  5. American Foreign Policy, Power Projection and Defence has been fully focused on hard power against nation states (hard power =  men with guns)
  6. In order to address the threat of non nation-states, the US government has pivoted it’s attack vectors and tactics
    • Yesterday  : Killing someone from a foreign army in a designated war-zone
    • Today : Drone Strikes on enemy combatants that aren’t fully recognized
    • Yesterday  : Capturing Foreign combatants and imprisoning them
    • Today : Guantanamo
    • Yesterday : Intercepting enemy communications, disabling and sabotaging
    • Today : Programs that Edward Snowden revealed
    • (my comment: I don’t think the full surveillance of domestic internet traffic was a good idea)
  7. We’re seeing the melting down of Post WW2 and Post WW1 global order, and maybe even the breakdown of Westphalian nation-states…ISIS is a response to Westphalian ideas of separation of church and state.
  8. There is a fundamental similarity between what Christian Europe faced in the 16th-17th century and what the middle east today, both sides are debating the relationship between religion and power.
  9. Christian Europe had the answer of separating them—we call this separation, modern!
  10. No guarantee that Islam in the Middle East will come to the same conclusion, i.e. they may never become modern.
  11. Less important stuff about Nuclear power, about how Russia is adopting a Nuclear first option, and considering it de-escalatory. And Hayden doesn’t like the Iran Deal, and not a big fan of Pakistan.
  12. American foreign policy makers like Hayden are more concerned with Chinese failure than with Chinese success. Political, Economical and Social factors may hamper the growth of China, but a failure of the regime is going to a massive problem for the world, while a success for China would a relatively smaller impact that can easily be folded into the world order.
  13. The Chinese claims on the 9-dash line, is a nationalistic approach to remedy the economical slowdown (Hayden’s opinion), what’s more interesting is that this is a diplomatic error, and ASEAN countries are running back to America to balance China’s power.
  14. Fundamentally though, China has no reason to be an enemy of the US
  15. His last slide on American foreign policy, the 4 different president types, as a fan of Wilson, and a World War 1 History freak—that was awesome!! I think one of the best historically precise frameworks for understanding US foreign policy, that isn’t based just the last 20 years
  16. Only one country supports targetted killings by the US—Israel.