Insights For Success

Strategy, Innovation, Leadership and Security

apple

Was Google, Apple, Facebook & Microsoft traffic redirected to Russia?

GeneralEdward Kiledjian

TL;DR: Internet traffic to and from major tech companies (Apple, Facebook, Google, Microsoft, Twitch, NTT Communications and Riot Games) were redirected through a Russian provider Wednesday. This appears to have been a deliberate hijack and not an error. 

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

BGP is a routing and reachability protocol used on internet backbones around the world. It is what allows carriers to find routing information between each other (in simple terms).

2 BGP monitoring services have reported short changes to the routing of key internet giants, and they do not believe this was a mistake. 

BGPMon recorded two three-minute hijacks affecting roughly 80 address blocks.

One of the interesting things about this incident is the prefixes that were affected are all network prefixes for well known and high traffic internet organizations. The other odd thing is that the Origin AS 39523 (DV-LINK-AS) hasn’t been seen announcing any prefixes for many years (with one exception below), so why does it all of sudden appear and announce prefixes for networks such as Google?
— BGPMon

Qrator Labs recorded a two-hour hijack affecting 40 to 80 address blocks.

Qrator dashboard for the offending AS

As mentioned in the BGPMon release, AS39523 is a Russian organization that has been inactive for years. The last time we saw them, they were involved in another BGP "incident" that involved Google.

Luckily most of the traffic that passes through these providers is encrypted at a level that is believed to be currently unbreakable. The concern is that a state-sponsored attacker could have new decryption algorithms that are not yet publicly known and it does means the traffic "could" have been decrypted (however unlikely it remains a possibility). 

You're going to love the DuckDuckGo Terms of Service

GeneralEdward Kiledjian

Terms of service are professionally written notices you agree to every time you use a new smartphone, install a new software or sign up for a new web service. Consumers are rightfully annoyed by 50+ page terms used by large companies.

Sometimes, you stumble on a company that has "good" terms of service in that they actually protect you (the consumer). This write up is about DuckDuckGo because I receive several dozen emails from readers every month asking if they really are a good alternative (from a security perspective to use). 

In this article, I am only tackling their terms of service. As specified on their privacy site "DuckDuckGo does not collect or share personal information."

DuckDuckGo says they don't save your searches. They don't send your searches or information to any other site. They don't store any personal information about you. 

They only save cookies to your browser if you enable a function that needs it (like persistent settings). 

They save search information but only as aggregated data without any personally identifying information. 

So DuckDuckGo lives up to its promise of personal secure web searching, which is great. I give it an A grade for protection in their TOS.

VyprVPN Review

GeneralEdward Kiledjian

VyprVPN owns and manages its own networks and servers. During my recent VPN testing shoot-out, VyprVPN consistently ranked as one of the fastest VPN providers out there. 

In addition to raw speed, they have an incredible list of supported clients from traditional PCs (Mac, Windows, Linux), to routers (DDWRT, OpenWRT, AsusWRT), smartphones (iPhone, Android, Blackphone, Network Attached Storage (QNAP, Synology), TVs and the Anonabox

Contrast this to other popular VPN solutions like UnlimitedVPN, which only supports a small number of custom made clients.

It's VPN clients are well designed with easy to use interfaces and useful features (kill switch, auto-connect, etc). A cool and useful feature is called Chameleon. They explain Chameleon as:

Our Chameleon technology uses the unmodified OpenVPN 256-bit protocol and scrambles the metadata to prevent DPI, VPN blocking and throttling.

The first important note is that the Chameleon protocol is not available for IOS due to Apple restrictions on the VPN function. I had the opportunity to test the Chameleon protocol on a Windows laptop from a corporate network with strong VPN restrictions, an ISP that throttles VPN traffic and from a country that severely slows (painfully) down VPN traffic. In all three of these situations, the Chameleon protocol delivered that it promised.

  • It punched through the heavily controlled corporate network
  • When used with the ISP that throttles "normal" VPN traffic, it managed to trick the provider and I was able to use a full speed connection
  • A friend travelling to a highly restrictive country compared VyprVPN to 3 other VPN providers and VyprVPN with the Chameleon protocol was the only one that seemed to operate at normal speed (aka didn't seem to be artificially slowed down)

With more and more internet traffic being encrypted, many companies, organisations and governments have turned to DNS based control tools. DNS is still an unencrypted means to determine web destinations. DNS be used to prevent a user from accessing certain types of sites (religious, political, pornography, etc) and to log web browsing habits. It can also be used to redirect your traffic (quickly without you even realizing it), to inject your session with malicious code and c compromise your device. VyprVPN offers their own self-managed private "no log" DNS solution to protect their customers from DNS snooping and control.

VyprVPN offers a clear and well-written privacy policy. Obviously you aren't anonymous but in summary, they retain " Each time a user connects to VyprVPN, we retain the following data for 30 days: the user's source IP address, the VyprVPN IP address used by the user, connection start and stop time and the total number of bytes used."

And they offer a wide range to termination locations.

VyprVPN and leaktests

I setup VyprVPN on a Windows machine configured for maximum privacy. I then ran a battery of tests to determine how well it protected my privacy.

  • does not leak DNS queries when in VPN mode (go here to test)
  • does hide your actual IP address (go here to test)
  • does not leak IP or DNS information via JAVA or Flash ( Go here to test)
  • protecting P2P traffic. Although I do not condone or encourage the use of P2P tools to steal protected media, there are dozens of legitimate uses for P2P technology. It is important to ensure your VPN product protects you while using P2P and VyprVPN did. You go to this site and the find the Torrent Address Detection. You download their magnet link into your P2P client of choice then activate the test. If it shows your real IP or DNS, you are not protected. You should only see your VPN address here.
  • VyprVPN is not subject to WebRTC leaks when in VPN mode (go here to test

VyprVPN seems well written and does offer good protection.

Beware of the unknown

The only information that we have about the service comes from VyprVPN themselves. Remember that none of the statements about privacy and logging have been reviewed by an independent third party.

They are a US company and therefore they are subject to US data collection laws including the infamous National Security Letter (NSL). 

The above caution statement isn't unique to VyprVPN. I am not aware of any consumer VPN services that have been independently audited but it is still an important factor to consider. 

Some users may want to use a non-US based VPN provider to ensure the company is beyond the legal reach of US laws. The one I am looking into right now is ProtonVPN (which I will be reviewing shortly).

Other users may choose to roll their own VPN solution (lifehacker instructions using the Algo script or you can use anyone of the other scripts that almost automate the creation of a private dedicated VPN instance you control like OpenVPN Road Warrior, streisand, etc.) 

Conclusion

VyprVPN is a fast service with a broad selection of clients and a decent privacy policy. If you are performing illegal activities or are a human rights activist in a questionable region, this probably isn't for you. If you are a "regular" user looking for a decent level or privacy when using the internet, then this is definitely something you should consider. 

For the casual user that only connects to a VPN when using public WIFI, you may want to look elsewhere because VyprVPN isn't cheap. A prepaid annual subscription costs $6,67 a month (or $12.95 paid monthly).A casual user can buy a lifetime subscription to UnlimitedVPN for $49.99 here or a 3-year subscription for $29.99 here.). 

I started testing ProtonVPN recently and will write a review shortly but their offering (plus level) is $8 a month prepaid for 1 year). VyprVPN offers the Chameleon protocol, more servers and their own DNS service (which ProtonVPN does not yet). 

So the price is on the higher end but is in no way the most expensive. For the very casual user, you could be better served by another provider, but for the more security conscious user or traveler, this is definitely a service to evaluate. 

Will your Android phone allow someone to hack you?

GeneralEdward Kiledjian

Image by Jared Tarbell used under creative commons license

When a new undisclosed (0 day) vulnerability is used to hack a target's device, the media jumps all over it and create a small panic. Government intelligence and organized crime are always looking for new creative ways to break into target devices and are willing to pay top dollar for new unknown hacks. Vulnerability brokers (companies that are willing to sell 0-day vulnerabilities) are paying to dollar for these rare and very in demand weaknesses. Zerodium is now paying $1.5M for a good complete IOS attack.

Although these are troubling, the truth is the majority of attacks (and malware/virus') still exploit time tested and patchable vulnerabilities. This is why keeping your computer, smartphone and tablet operating system/apps updated is so important.  This is one of the reasons Microsoft switched to an automatic forced update model with Windows 10.

Apple's products are opaque and I do not believe in security through obscurity. I wish they allowed for more scrutiny of their mobile products but when something is discovered, they release updates very quickly and make it immediately available to all supported devices worldwide regardless of the carrier it was acquired through. 

This is one of the chief complaints against Android. Most Android devices are never updated once they ship and the ones that do receive updated typically get them slowly and infrequently. Check out the Android Platform distribution statistics:  

Only 0.3% of Android devices support the latest version (Android 7.0 Nougat) 1.5 months after release. On the IOS side, 60% of devices had updated to IOS 10 a month after release.

Even top tier manufacturers like Samsung (Note 7 issue notwithstanding) only update their most recent flagship products and that is if your carrier decides to allow it. 

Right now, as I write this, I have an Apple iPhone 6s Plus and and Google Nexus 6P sitting next to me. I  love android and find many of the features in the most recent Nougat release better than comparable Apple features. Don't call me an Apple fanboy or Google hater. The moral of the story is you shouldn't buy any Android phone where the manufacturer has not committed to delivering (quickly) the OS updates and the monthly security releases

As it currently stands, the only android products I can recommend are those sold directly by Google (Nexus or Pixel).

Buy an unlocked Nexus or Pixel product directly from Google to make sure you receive all of the updates quickly. 

Questions

Q A question I will likely receive is what about [insert brand / model here]?

A I expect emails asking me about the OnePlus 3, ZTE Axon 7, HTC 10, LG V20, Motorola Moto Z, etc. None of these manufacturers have committed to providing the OS and security updates quickly. The answer therefore is no. I love the price / quality proposition of the ZTE Axon 7 and the OnePlus 3 but without a commitment to updates, its a no go for me.

Q. Aren't iPhones more secure?

A iPhone's are slightly more secure because of the way the operating system is designed and applications are sandboxed. This doesn't mean it is unbreakable and the attempted hack of Saudi human rights activist Mansoor proves it( Read this article by CitizenLab

Both platforms can be used safely if you ensure you don't break their built in security (rooting on Android and Jailbreaking on iPhone) and you ensure you only download "real" apps from the official app stores. 

A. What else can I do?

Q In addition to using the "right" device, it is important to think about your privacy and security. Use the right apps for the right job.

  • Use encrypted communications apps like Signal. Signal's encryption has been reviewed by leading cryptographers and has been given a big thumbs up.
  • When browsing the web, use Tor to protect your identity (easier on Android) with a browser like OrFox. You can even configure Facebook and Twitter (on Android) to use Tor via OrBot.
  • Every picture taken with a smartphone contains "hidden" information called Exif information. This is information like the type of camera used, the settings used to take the picture, etc. It also contains the GPS coordinates of where the picture was taken. If you send this to someone, they can extract this information and use it to pinpoint the location the picture was taken. Send it to a social media site and they will start building a travel pattern of you. Make sure you remove EXIF information, using an app, before posting. There are tones of apps, just search the app store.
  • Uninstall apps you no longer use. Remember that apps are sometimes sold and the new buyer may push out an update that adds unwanted features "like tracking or recording". If you no longer use an app, get rid of it.

Microsoft PIX is an AI powered free IOS Camera App

GeneralEdward Kiledjian

You can download Microsoft PIX from the Apple app store now for free.  The claim to fame (according to Microsoft) is that it uses artificial intelligence to take the best possible shot every time without forcing the user to fiddle with any settings.

This computer voodoo is possible because the app takes 10 pictures every time you press the shutter button. Some right before you pressed the button and some right after. It uses data from every shot to build the best possible image (Apple's default app also does this very same thing but it seems Microsoft is pushing the technology a little bit more). Even though it selects the best possible shot and discards the rest, it uses data from app the pictures (even the ones it will delete) to reduce noise, brighten faces and ensure it has captured colours as accurately as possible.

Another cool trick up its sleeve is motion analysis. If it believes there is motion in the series that could enhance the image then it will animate that worthwhile section and create a "live" photo. It could do this for a sparkler on a cake or hair blowing in the wind or a beautiful waterfall behind the subject. 

All of the intelligence is hidden from the user. There are no settings to change or configurations to optimize, everything is taken care of for you. It is the kind of app even your mother can use.

It is smart enough to detect faces and optimize the settings for it/them. It will detect open eyes. I started playing with this app a couple of hours ago and so far like it enough to put it on the first page of my iPhone next to the default camera app.

You can checkout this Microsoft Research page to learn more about the cool tech behind the app.