Monthly archives of “November 2016

comment 0

Facebook giving China a censorship tool?

The New York Times reported this week that Facebook has ‘quitely developed’ a censorship tool, specifically for the Chinese government to suppress content on their platform. The piece writes:

“the social network quietly developed software to suppress posts from appearing in people’s news feeds in specific geographic areas, according to three current and former Facebook employees, who asked for anonymity because the tool is confidential. The feature was created to help Facebook get into China, a market where the social network has been blocked, these people said. Mr. Zuckerberg has supported and defended the effort, the people added” – New York Times

The report goes on to say, that Facebook intends to grant that capability to a 3rd-party, who will “have full control to decide whether those posts should show up in users’ feeds“.

In short, they’re creating a censorship on demand for China, in exchange for access to the worlds largest market.

Censorship in an encrypted world

While Facebook have neither confirmed nor denied this, this will give China special priviledge to the platform, one that no other nation currently has. Today, most governments face an all-or-nothing approach to censorship on encrypted sites like Facebook, Google and Wikipedia. China famously censor of all Wikipedia on days leading up to the anniversary Tianamen square massacre, simply because they have no ability to censor specific pages.

If I were browsing for chicken curry recipes on Wikipedia, while you were researching political dissent on the same site, our traffic would look identical to anyone ‘sniffing’ along the line. These ‘in transit’ censorship attempts are failing, and for Governments like China, a ‘block the whole damn thing’ approach is the only alternative.

This new tool however, will grant them granular control, to block specific posts and news on the social network,because the censorship now will occur at source, rather than in-transit. It is a radical shift in the way censorship will be performed on the internet, not just in China, but across the world.

It’s also worthwhile to note, that other governments have tried these ‘all-or-nothing’ approaches as well, including Brazil who famously blocked all of Whatsapp (also owned by Facebook) for 72 hours, because a Judge was ‘unhappy’ that Whatsapp responded via email and in English. Fortunately for Brazilians, the ban didn’t last that long.

Whatsapp is a private communications tool, and Facebook is a social network–the similarity is that they both use encryption and this is problematic for governments. In the case of Whatsapp, the two ends of the encrypted channel belong to users, and Whatsapp would be unable to provide any content of communications within that channel–even if it wanted to. In the case of Facebook, since one end belongs to the company–it is able to provide some control.

But I’m digressing. Let’s get back to Facebook and censorship in China–but first let’s take a look at Facebook.

comment 1

Securing your StarHub Home Router

As with all new shiny equipment,  a newly installed router in your home requires a few things to be configured to properly secure it.

Goes without saying, that you should change your WiFi password the moment the technician leaves your home, but there are other things you’d need to configure in order to secure your router against common attacks.

Now remember, even if you follow all the advice on this post, there’s a strong chance that you’d still be hacked somewhere down the road–especially if you’re relying on a crappy consumer grade router, but taking these precautions raises your security level above the general population, giving you an edge over everybody else, and sometimes the difference between being hacked and staying safe could be one simple configuration on a router.

For this post, I’m going to use the standard Dlink 868L router that StarHub gave me when I signed-up for their 1Gbps package. While the post is specific, the general principles still apply to any router you own.

Step 1: Logon to the router

Goes without saying, all changes have to be made on the router itself. The good news is that all general purpose routers like the Dlink-868L come with a web interface, i.e. the router host a website on your network that you can use to change settings.

Fire up a browser like Chrome or Firefox (God forbid you’re on Internet Explorer), and point the address bar to http://192.168.0.1 and you ‘should’ come to the router homepage (image below). If not, try the other possible addresses, like http://192.168.1.1 or http://10.1.1.1, if none of those work, you’ll need to go to your ipconfig on your local windows client to determine the ‘gateway’ ip address of your router.

Once there, you’ll see the following screen. For most StarHub customers, just logon with the admin user and leave the password field blank–as in don’t enter anything for the password.

login-screen

comment 1

Preventing a DDOS is not going to be easy

As a follow-up to my previous post on DDOS attacks [1,2], I’ve seen a lot of so-called ‘solutions’ to the problem, which really aren’t solutions at all.

While it’s still not explicitly clear that the StarHub DDOS was executed by Mirai, a recently released malware built specifically for DDOS, the timing and similarity of it to other Mirai attacks leave little room for doubt–at least to me.

If indeed, StarHub was a victim of a Mirai based attack, it would seem extremely odd that their CTO would reference phishing emails as a vector for infection. So a few things don’t quite line up here, including the advice from the CTO to change the default username and password, when Brian Krebs already reported that doesn’t quite help:

Several readers have pointed out that while advising IoT users to change the password via the device’s Web interface is a nice security precaution, it may or may not address the fundamental threat. That’s because Mirai spreads via communications services called “telnet” and “SSH,” which are command-line, text-based interfaces that are typically accessed via a command prompt (e.g., in Microsoft Windows, a user could click Start, and in the search box type “cmd.exe” to launch a command prompt, and then type “telnet” <IP address> to reach a username and password prompt at the target host).

The trouble is, even if one changes the password on the device’s Web interface, the same default credentials may still allow remote users to log in to the device using telnet and/or SSH.

If you’re more technically inclined, I strongly suggest listening the feature interview on last week’s risky business podcast.

But the last piece of advice that the StarHub CTO gave, that didn’t make sense to me at all was this:

“If you were to buy a webcam from Sim Lim Square, try to get a reputable one”

Again, this may seem like good advice, but it doesn’t conform to the evidence. Brian Krebs has a list of devices that are hack-able, and they include the likes of Panasonic, RealTek, Samsung and Xerox. All of which regular consumers would consider ‘reputable’.

So StarHub claimed that you should change your passwords–but doesn’t protect you from Mirai.

StarHub claim that you should buy equipment from ‘reputable’ suppliers, but even reputable suppliers produce hackable IOT devices, that can’t be secured.

Finally StarHub are going to be sending technicians out in the field to help subscribers, and while this is laudable, it’s not a sustainable solution. It only fixes a short-term problem, because as long consumers continue to buy hack-able IOT devices, the threat isn’t going to go away.

And how often can StarHub afford to send technicians to make home visits before the cost start becoming un-bearable?

The way to view this issue is from a legal, economical and technical perspective–and in that order.