STE WILLIAMS

Free HTTPS certs for all – Let’s Encrypt opens doors to world+dog

How-to The Let’s Encrypt project has opened to the public, allowing anyone to obtain free TLS certificates and set up HTTPS websites in a few simple steps.

It’s a major leap forward in encrypting the world’s web traffic, keeping people’s information and browser histories out of the hands of eavesdroppers and other miscreants.

The certification-issuing service is run by the California-based Internet Security Research Group (ISRG), and is in public beta after running a trial among a select group of volunteers. The public beta went live at 1800 GMT (1000 PT) today.

Its certificates are trusted by all major browsers – Google Chrome, Mozilla Firefox and Microsoft’s Internet Explorer worked in our office with fresh certs from the fledgling certificate authority.

Incredibly, it is almost too easy to use. You download an open-source client to your web server, and then one command will request and install a certificate, and configure your system to use it. And that’s it.

Here’s what this humble hack ran on a personal webapp development machine powered by Apache (yeah, yeah, kicking it old school):

cd ~/src
git clone https://github.com/letsencrypt/letsencrypt.git
cd letsencrypt
./letsencrypt-auto --apache -d your.domain.here

You’re then prompted for your sudo password. Next, the client installs its dependencies, and then asks for your email address so you can be contacted if there are any problems. You’re also asked to agree to a set of terms and conditions. Next, it asks if you want to force all traffic to go through HTTPS – yes, obviously.

And then, bam. It’s done. A 2048-bit RSA TLS 1.2 certificate with a SHA-256 signature installed and the server configured to use it. The cert gets an A from Qualys SSL Labs. Crucially, this process can be completely automated – email addresses and agreement to the fine print can be set on the command line using --email and --agree-tos.

Full documentation is here and a quick start guide is here. The project’s root certificates and intermediate certificates can be found here; the intermediates are cross-signed by IdenTrust.

Let’s Encrypt is overseen by folks from Mozilla, Akamai, Cisco, Stanford Law School, CoreOS, the EFF and others, and sponsored by various internet organizations.

“It’s time for the Web to take a big step forward in terms of security and privacy. We want to see HTTPS become the default. Let’s Encrypt was built to enable that by making it as easy as possible to get and manage certificates,” the team wrote in a blog post today.

“We have more work to do before we’re comfortable dropping the beta label entirely, particularly on the client experience. Automation is a cornerstone of our strategy, and we need to make sure that the client works smoothly and reliably on a wide range of platforms. We’ll be monitoring feedback from users closely, and making improvements as quickly as possible.”

Let’s Encrypt’s client software emerged in early November, and signed its first certificate in September. Since then the team have been squishing bugs in their systems, managing to catch at least one nasty flaw before going public.

You can typically expect to pay for SSL certificates, although some authorities do offer freebies. None so far, to our knowledge, are as straightforward as Let’s Encrypt’s free service. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/03/letsencrypt_public_beta/

Is Kazakhstan about to man-in-the-middle diddle all of its internet traffic with dodgy root certs?

Kazakhstan may be about to intercept and decrypt its citizens’ internet traffic – by ordering them to install rogue security certificates.

On Monday, the nation’s dominant telco Kazakhtelecom JSC said it and other operators are “obliged” by law to crack open people’s HTTPS connections, and that this surveillance will begin from January 1.

This spying will be made possible by insisting everyone installs a “national security certificate” on their computers and mobile gadgets – most likely a root CA certificate just like the ones found in Lenovo’s Superfish and Dell’s Superfish 2.0 scandals.

This cert will trick web browsers and other apps into trusting the telco’s systems that masquerade as legit websites, such as Google.com or Facebook.com. Rather than connect directly to those sites, browsers will really be talking to malicious man-in-the-middle servers.

Shortly after word spread of the interception caper, the statement was pulled from the Kazakhtelecom site. The Register has asked the ISP if this means the policy has been cancelled, but has yet to hear back. Apparently, details on how to install the insecure “security certificates” will appear on the telco’s website this month.

Forcing people to install dodgy root CA certs allows the government to grab people’s passwords and other sensitive data right off the wire, keep tabs on citizens online, and even censor webpages.

We believe that by ordering people to install the certs on their machines and handhelds, Kazakhstan will be the first country to resort to such measures.

“According to the law, telecom operators are obliged to perform traffic pass using protocols that support coding using security certificate, except traffic, coded by means of cryptographic information protection on the territory of the Republic of Kazakhstan,” the translated announcement reads.

“The national security certificate will secure protection of Kazakhstan users when using coded access protocols to foreign Internet resources.”

The notice said that encrypted traffic between systems located within Kazakhstan will not be subject to the requirement.

Kazakhstan has a history of strict censorship policies. Civil liberties site Freedom House has noted the particularly tight controls Kazakhstan’s government keeps on media and political organizations, and the site’s 2015 freedom of the net report for Kazakhstan noted that earlier in the year, government officials outright blocked internet access in parts of the country due to civil unrest. ®
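The two certificate stories above share one practical check. Let’s Encrypt certificates are short-lived, so a site that adopts them needs expiry monitoring; and a “national security certificate” installed as a root CA passes normal validation, so the only sign of interception on the wire is that the certificate a site presents was issued by an unexpected CA. The script below, an added example that is not from The Register or either project, connects with Python’s stdlib ssl module and reports both conditions. It assumes the monitored site uses Let’s Encrypt, and the two certificate dicts are constructed samples in the shape getpeercert() returns, not real certificates.

```python
import socket
import ssl
import time

# Assumption: the site we monitor was issued its certificate by Let's Encrypt,
# so that is the issuer organization a direct, unintercepted connection shows.
EXPECTED_ISSUER_ORG = "Let's Encrypt"

# Constructed sample in the shape ssl's getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "your.domain.here"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Let's Encrypt"),),
        (("commonName", "Sample Intermediate CA"),),
    ),
    "notBefore": "Dec  3 18:00:00 2015 GMT",
    "notAfter": "Mar  2 18:00:00 2016 GMT",
}

# Constructed sample of what the same site presents through an interception proxy
# whose root CA was added to the local trust store: chain validation still succeeds,
# but the issuer is no longer the CA the site actually uses.
INTERCEPTED_CERT = dict(SAMPLE_CERT, issuer=(
    (("countryName", "XX"),),
    (("organizationName", "Example Interception Proxy"),),
    (("commonName", "Example National Root CA"),),
))


def fetch_cert(host, port=443, timeout=5.0):
    """Connect with the default (validating) context and return the peer cert dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def issuer_org(cert):
    """Pull organizationName out of getpeercert()'s nested issuer RDN tuples."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def days_until_expiry(cert, now=None):
    """Days left before notAfter (negative once expired); `now` is epoch seconds."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    current = time.time() if now is None else now
    return (expires - current) / 86400


def check_cert(cert, expected_org=EXPECTED_ISSUER_ORG, warn_days=30, now=None):
    """Return a list of findings; an empty list means the certificate looks healthy."""
    findings = []
    org = issuer_org(cert)
    if org != expected_org:
        findings.append(f"unexpected issuer organization {org!r}, expected {expected_org!r}")
    days = days_until_expiry(cert, now)
    if days < 0:
        findings.append("certificate has expired")
    elif days < warn_days:
        findings.append(f"certificate expires in {days:.0f} days, renew now")
    return findings


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:          # live check: python3 certcheck.py your.domain.here
        cert = fetch_cert(sys.argv[1])
    else:                          # offline demo on the constructed sample
        cert = INTERCEPTED_CERT
    for finding in check_cert(cert) or ["OK"]:
        print(finding)
```

Run it from a cron job against each domain you issued a cert for; an issuer mismatch from a network you do not control is worth investigating before entering anything into the site.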


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/03/kazakhstan_to_maninthemiddle_all_internet_traffic/

Chimera Ransomware Trying To Recruit More Operators From Victim Pool

Malware that first appeared in September is now building a ransomware-as-a-service business.

In a weird twist on Stockholm Syndrome, the Chimera ransomware is taking victims hostage, then recruiting them to be part of the criminal team, according to researchers at Trend Micro’s Trend Labs.

Compared to other ransom messages, Chimera’s is refreshingly brief, straightforward, and polite: it says “please” twice. What’s particularly noteworthy, though, is the addition at the bottom:

“Take advantage of our affiliate program! More information in the source code of this file.”

The disassembled code does actually contain contact info — a Bitmessage address through which both parties can have their identities masked and their communication encrypted. From the report:

Peddling ransomware as a service (or RaaS) has some advantages. RaaS lessens the possibility of the illegal activity being traced back to the creators. Selling ransomware as a service allows creators to enjoy some profit without the increased risk of detection. For Chimera, the commission is 50%, a large payoff for lesser effort.

The drawback of the model is that the code itself is less sophisticated — with a weak command-and-control infrastructure and no obfuscation techniques.

Chimera first appeared on the scene in September, demonstrating another unique tactic — threatening to publish a victim’s files online if payment is not received. The threats, however, might be empty. According to TrendLabs, “our analysis reveals the malware has no capability of siphoning the victim’s files to a command-and-control (CC) server.”

It’s not uncommon for ransomware to make empty threats. As Engin Kirda, chief architect at LastLine, has told Dark Reading before, some ransomware claims to encrypt files when it can’t. Yet, as Michael Sentonas, vice president and chief technology officer of Security Connected for Intel Security, wrote on Dark Reading, “It is not clear if Chimera actually exports your files and can carry out the threat, but if it cannot, the next one will.”

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad …

Article source: http://www.darkreading.com/endpoint/chimera-ransomware-trying-to-recruit-more-operators-from-victim-pool/d/d-id/1323401?_mc=RSS_DR_EDT

McAfee Labs’ 2016-2020 Threat Predictions, Part 1


Two sets of insights inform near- and long-term security strategies.

The best hockey players navigate within the ice rink, grapple with opposing players, take advantage of opportunities when available, and critically, as Wayne Gretzky once said, always skate to where the puck is going to be—not where it has been.

The newly released McAfee Labs Threat Predictions Report offers short- and long-term trend insights for organizations racing to keep pace with and perhaps overtake business and technological change, while continuously fending off a growing variety of cyber threats.

The report predicts key developments on the cyber threat landscape in 2016 and provides unique insights into the expected nature of that landscape through 2020, as well as the IT security industry’s likely response.

It illustrates an ever-evolving threat landscape, where applications and prominent operating systems are hardened to attacks, but attackers shift their crosshairs to less prominent but critical attack surfaces, innovative attack styles, and new device types.

Researchers depict enterprises building out their complex security defenses and comprehensive policies, while attackers target the weak security of employees working remotely. The cybercrime-as-a-service ecosystem discovers, mutates, and sells these advanced capabilities and support infrastructure down to the least sophisticated malicious actors in cyberspace in the burgeoning dark Web.

Here are some key threat predictions from the report for 2016:

  • Hardware. Attacks on all types of hardware and firmware will continue, and the market for tools that make them possible will expand and grow. Virtual machines will be targeted with system firmware rootkits.
  • Ransomware. As it has come to pass in other areas of cybercrime, the true accelerator of ransomware growth will be the availability of ransomware-as-a-service offerings on the dark Web. By lowering barriers to entry into cybercrime, this ecosystem of talent, tools, and infrastructure will enable more criminals to launch more attacks.
  • Attacks through employee systems. Organizations will continue to improve their security postures, implement the latest security technologies, work to hire talented and experienced people, create effective policies, and remain vigilant. Thus, attackers are likely to shift their focus to increasingly attack enterprises through their employees by targeting, among other things, employees’ relatively insecure home systems to gain access to corporate networks.
  • Cloud services. Cyber criminals could seek to exploit weak or ignored corporate security policies established to protect cloud services. Now home to an increasing amount of business-confidential information, such services, if exploited, could compromise organizational business strategies, company portfolio strategies, next-generation innovations, financials, acquisition and divestiture plans, employee data, and other data.
  • Warehouses of stolen data. Stolen personally identifiable information sets are being linked together in big data warehouses, making the combined records more valuable to cyber attackers. The coming year will see the development of an even more robust dark market for stolen personally identifiable information and usernames and passwords.
  • Integrity attacks. One of the most significant new attack vectors will be stealthy, selective compromises to the integrity of systems and data. These attacks involve seizing and modifying transactions or data in favor of the perpetrators such as a malicious party changing the direct deposit settings for a victim’s paychecks and having money deposited into a different account. In 2016, we could witness an integrity attack in the financial sector in which millions of dollars could be stolen by cyber thieves.
  • Sharing threat intelligence. Threat-intelligence sharing among enterprises and security vendors will grow rapidly and mature. Legislative steps may be taken that make it possible for companies and governments to share threat intelligence. The development of best practices in this area will accelerate, metrics for success will emerge to quantify protection improvement, and threat-intelligence cooperatives among industry vendors will expand.

To “beat the puck” on business, technology, and threat landscape realities in 2016 and beyond, organizations will need security strategies that enable them to see more, learn more, and detect and respond faster, all the while fully utilizing the decidedly finite technical and human resources at their disposal.

Stay tuned for my next post, which will revisit the McAfee Labs Threat Predictions Report to preview the 2020 threat landscape and the likely cybersecurity industry responses to it.

Vincent Weafer is Senior Vice President of Intel Security, managing more than 350 researchers across 30 countries. He’s also responsible for managing millions of sensors across the globe, all dedicated to protecting our customers from the latest cyber threats. Vincent’s team …

Article source: http://www.darkreading.com/partner-perspectives/intel/mcafee-labs-2016-2020-threat-predictions-part-1-/a/d-id/1323411?_mc=RSS_DR_EDT

By Renaming Flash Professional, Adobe Does Little To Alleviate Security Concerns

More than a rebranding, what is really needed is an end to Flash, say some security analysts.

In giving Flash Professional CC a new name this week, Adobe only appears to have prompted fresh questions on when exactly the company plans on phasing out the notoriously buggy technology entirely, instead of just trying to distance itself from it.

Adobe on Monday announced that Animate CC would be the new name for Flash Professional CC. Animate will become available early next year and will serve as Adobe’s primary animation tool for developing HTML5 content, the company said. The company will also release a video player based on HTML5 for desktop browsers to complement its support for the technology on mobile browsers.

Adobe described the rebranding as part of a broader effort by the company to move to new standards like HTML5 for running animations, multimedia, and video in web browsers. Standards like HTML5 have matured to a point where they provide many of the capabilities that Flash does and customers have said they would like Adobe to adopt such standards, the company noted.

According to Adobe, the rebranding is necessary because they have completely rewritten Flash Professional over the past several years and the product now integrates native HTML5 and support for WebGL. Over one-third of the content created in Flash Professional already is based on HTML5 rather than the Flash format and the name change reflects that evolution, the company said.

Looking ahead, Adobe wants content creators to build apps using the new standards, while the company will focus on supplying tools and services around them. At the same time though, Adobe’s commitment to the creation of new Flash content will continue. “Moving forward, Adobe is committed to working with industry partners, as we have with Microsoft and Google, to help ensure the ongoing compatibility and security of Flash content,” the company said.

Facebook, which earlier this year famously called on Adobe to announce an end-of-life date for Flash, has agreed to work with Adobe instead. According to Adobe, the two companies will work together to ensure that Flash gaming applications run securely on Facebook. “As part of this cooperation, Facebook will report security information that helps Adobe improve the Flash Player,” Adobe said.

Adobe’s decision to give Flash Professional a new name may well be an attempt to distance itself from a technology that has the unenviable reputation of being among the most vulnerable ever. But it has done little to assuage growing concerns over the security threats posed to users by Flash technology.

“A buggy app is still a buggy app by any other name,” says Richard Stiennon, chief research analyst at IT-Harvest.

Over 50 of 317 yet-to-be-published security advisories involving vulnerabilities discovered by researchers at Tipping Point’s Zero-Day Initiative involve Adobe.

And that’s just the tip of the iceberg. A report released this week by Flexera Software shows that Microsoft ended up as the vendor with the most vulnerable products over the last three months largely because many of the products came bundled with buggy versions of Adobe Flash. Another recent report by Recorded Future showed that eight of the top 10 vulnerabilities used by exploit kit makers in 2015 were in Adobe Flash Player.

The sheer number of recently discovered bugs in Adobe Flash Player and its popularity among exploit kit makers and APT groups such as Pawn Storm raise questions about Flash’s role in a secure environment, Recorded Future had noted.

In that context, it’s possible to see why Adobe may have chosen to rebrand the product, says Scott Donnelly, director of presales at Recorded Future. “It’s a smart branding move for Adobe, due to the heavy associations Recorded Future sees between exploit kits and Flash,” he says. 

“However, based on multiple sources from the web, the product’s security posture remains unchanged for the millions of people who use Flash on a daily basis,” Donnelly says.

So far at least, Adobe has said nothing to indicate that Animate CC will be a major security upgrade over Flash Professional, says John Pescatore, director of emerging security trends at the SANS Institute. “They do seem to be trying to encourage HTML5 output, which is a good thing, but rather than see more features I would have preferred first hearing about a gigantic and deep security push,” Pescatore says.

Users should try to move away from Flash where possible, he says. “Personally, I think the cold turkey approach would be the best way to go. I think users would get over the lack of Flash within a week, if not faster,” he says.

But neither Pescatore nor Stiennon expect to see Flash go away anytime soon.

“Flash is going to be around at least as long as Windows XP,” Stiennon says. “There are too many legacy sites that continue to use it.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: http://www.darkreading.com/vulnerabilities---threats/by-renaming-flash-professional-adobe-does-little-to-alleviate-security-concerns/d/d-id/1323410?_mc=RSS_DR_EDT

IRS says it will get warrants before using stingrays

We don’t typically think of tax authorities as staking out neighborhoods to make busts, but that’s how the Internal Revenue Service has relied on a stingray, it’s been revealed.

Last week, IRS Director John Koskinen sent a letter to Oregon Senator Ron Wyden in which he wrote that the service has used its stingray device – also known as a cell-site simulator – to track 37 phones in the course of 11 grand jury investigations and to assist with one non-IRS federal investigation and three non-IRS state investigations.

The IRS cases have involved stolen refunds and money laundering.

The non-IRS cases involved tracking six mobile phones involved in investigations of narcotics, attempted murder, murder, and gun trafficking.

Stingrays work by spoofing cell phone towers and tricking phones into connecting with them, so as to track and locate those phones.

StingRay is the brand name of an International Mobile Subscriber Identity locator, also known as an IMSI catcher, that’s targeted and sold to law enforcement.

The term stingray has also come into use in the US as a generic term for these devices.

The devices are a concern to civil liberties advocates because they scoop up phone information indiscriminately, able as they are to intercept hundreds of phones in surveillance dragnets, the majority of which belong to people innocent of whatever crimes the police happen to be investigating.

Those crimes can be petty: An in-depth investigation by USA Today recently showed hundreds of cases in which stingrays had been used to conduct routine police work, including tracking down stolen phones or pursuing check forgers.

In his letter, Koskinen wrote that the IRS first obtained its stingray in October 2011, and that it began the process of procuring a second one in July 2015.

In late October, Koskinen told a Senate committee that the IRS stingrays are “only used in criminal investigations”:

It’s only used in criminal investigations. It can only be used with a court order. It can only be used based on probable cause of criminal activity.

Koskinen’s letter to Wyden came one day before The Guardian revealed that the IRS had made two purchases from well-known surveillance device manufacturer Harris Corporation in 2009 and 2012.

The 2009 invoice was mostly redacted.

The 2012 invoice showed that the IRS spent $65,652 to upgrade its Stingray II to a more powerful version called HailStorm, as well as $6,000 on training from Harris.

Wyden, along with Rep. Jason Chaffetz, R-Utah, has been targeting the stingray program in a broader bill called the GPS Act that would require law enforcement agents to obtain warrants before tracking Americans’ locations with stingrays or tapping into mobile phones, laptops, or GPS navigation systems.

In September, the US Department of Justice (DOJ) released a new policy that requires all federal agencies to get a search warrant – based on probable cause, with exceptions granted where time is of the essence to avoid human death or injury or to pursue suspected fugitives – before using stingrays.

Koskinen said in the letter that the IRS hasn’t used its device since the DOJ issued the new policy, and it’s working on its own policy – one that will require a search warrant with probable cause, to mirror the DOJ’s policy – that was due on Monday.

Image of Stingray courtesy of Shutterstock.com

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/d3Fj7G_iGxo/


Anatomy of a Wi-Fi hole: Take care in your hotel this Christmas!

I’m on the road at the moment, staying in a business hotel with three pleasant surprises.

There’s an inexpensive restaurant with fantastic pizzas, an amazing vista, and a generous free Wi-Fi allowance. (Perhaps that’s four surprises.)

None of those spongy, rubbery pseudopizzas with thick bases like stale loaves; no room view into the back of a haulage yard; and none of that “200MB for $20 network access” that you find in some parts of the world.

FAST FREE WI-FI

Fast, free Wi-Fi sounds handy, and it is, but we’ve written about the potential problems with open Wi-Fi hotspots several times before.

Some of the risks you face are:

  • The hotspot could be run by anyone, and there’s almost no way of telling who that might be.
  • Anyone in the vicinity, whether they’re on the network or not, can “sniff” (eavesdrop on) and record all your network traffic.
  • Your DNS requests, which turn server names into network numbers, are visible to anyone, so even if you subsequently use secure HTTPS connections only, the services you are using are nevertheless revealed.
  • The hotspot can send you bogus DNS replies, redirecting you to imposter servers, blocking your access to security updates, and more.

USING A VPN

One handy countermeasure is to use a VPN, short for Virtual Private Network.

That’s where you get your computer to encrypt all your network data before it leaves your laptop or phone, and send the scrambled stream of data back to your own network.

When the scrambled data is safely back on home turf, it is decrypted and sent out onto the internet just as if you were at home, effectively sidestepping the hotspot and its numerous risks.

Of course, many free Wi-Fi networks make you jump through some sort of simple authentication process first, directing you to what’s called a captive portal – a special web page that pops up in place of the site you’re trying to visit.

Captive portals may ask you to accept various terms and conditions, show you a few ads, or ask you for some sort of identifier to track your usage.

The latter is common in hotels, often to differentiate between paying guests, day visitors attending a conference, and unentitled passers-by.

In other words, even if you want to use a VPN, you typically need to spend a short while online with your network shields down, until you can get past the captive portal.

Only then will the hotspot let your network traffic out into the real world so your VPN can call home.

SHIELDS DOWN

Here’s what happened in my hotel during my brief “shields down” period:

I’m sure you can spot the problem here.

To activate my connection, the hotel wants to validate that I’m a guest, so it uses exactly the same information that it might do in the poolside bar or when signing the bill in the pizza restaurant: name and room number.

Room keys don’t have numbers on them, so this is a simple, customer-friendly and reasonably satisfactory way of regulating your room charges.

Except that in this case, the hotel’s hotspot service is run by an external company whose logon portal expects you to hand over your name and room number over an unencrypted HTTP connection.

As a result, any nearby computer running a network sniffer (I used Wireshark) can read those fields out of the ether:

You have to tell the truth, too, because making up an answer for safety’s sake won’t work:

IF IN DOUBT, DON’T GIVE IT OUT

When I checked in to the hotel, I wasn’t asked if I wanted to make use of the free Wi-Fi service, nor whether I consented to having the details of my stay shared in some way with the Wi-Fi portal company for Wi-Fi validation purposes.

If I’d known, I’d have declined, on the principle of “if in doubt, don’t give it out”.

In the end, I used my trusty fallback: a pre-paid mobile phone SIM with enough inexpensive data loaded on it to tide me over, with my phone acting as my very own hotspot.

At least in the USA, you’re always able to do that these days, following a court ruling that hotels aren’t allowed to use technological tricks to stop you using your own hotspot.
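The hotel portal’s flaw is visible before you type anything: the logon form’s action resolves to a plain http:// URL. The script below, an added example that is not part of the original article, audits a captive-portal page with Python’s stdlib html.parser and reports every form whose fields would travel unencrypted, resolving empty and scheme-relative actions against the page URL the way a browser does. The portal URL and HTML are constructed samples, not the real hotel’s portal.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Field types that never carry user-entered data and are not worth reporting.
NON_DATA_TYPES = {"submit", "button", "reset", "image"}


class FormCollector(HTMLParser):
    """Collect every <form> on the page with its action, method and named fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "method": (a.get("method") or "get").lower(),
                             "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            if a.get("name") and (a.get("type") or "text").lower() not in NON_DATA_TYPES:
                self._current["fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_portal_forms(page_url, html):
    """Return one finding per form whose submission would travel over plain HTTP."""
    collector = FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        # An empty action posts back to the page itself, and a scheme-relative
        # action ("//host/path") inherits the page's scheme: urljoin resolves both.
        target = urljoin(page_url, form["action"])
        if urlsplit(target).scheme.lower() != "https":
            findings.append({"target": target, "method": form["method"],
                             "exposed_fields": form["fields"]})
    return findings


# Constructed captive-portal page: the guest logon form posts name and room number
# to a scheme-relative action from an http:// page, so it goes out in the clear;
# the voucher form below it posts to an explicit https:// URL and is not flagged.
SAMPLE_URL = "http://portal.example/login"
SAMPLE_HTML = """
<form method="post" action="//portal.example/auth">
  Last name: <input name="lastname" type="text">
  Room number: <input name="room" type="text">
  <input type="submit" value="Connect">
</form>
<form method="post" action="https://portal.example/voucher">
  Voucher: <input name="code" type="password">
  <input type="submit" value="Redeem">
</form>
"""

if __name__ == "__main__":
    for f in audit_portal_forms(SAMPLE_URL, SAMPLE_HTML):
        fields = ", ".join(f["exposed_fields"])
        print(f"{f['method'].upper()} to {f['target']} sends {fields} unencrypted")
```

Feed it the portal page saved from your browser (view source) before submitting anything; if the logon form is listed, use the “don’t give it out” fallback instead.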

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Ldt5jzAVr88/

Anatomy of a Wi-Fi hole: Take care in your hotel this Christmas!

I’m on the road at the moment, staying in a business hotel with three pleasant surprises.

There’s an inexpensive restaurant with fantastic pizzas, an amazing vista, and a generous free Wi-Fi allowance. (Perhaps that’s four surprises.)

None of those spongy, rubbery pseudopizzas with thick bases like stale loaves; no room view into the back of a haulage yard; and none of that “200MB for $20 network access” that you find in some parts of the world.

FAST FREE WI-FI

Fast, free Wi-Fi sounds handy, and it is, but we’ve written about the potential problems with open Wi-Fi hotspots several times before.

Some of the risks you face are:

  • The hotspot could be run by anyone, and there’s almost no way of telling who that might be.
  • On an open (unencrypted) hotspot, anyone in the vicinity, whether they’re on the network or not, can “sniff” (eavesdrop on) and record all your network traffic.
  • Your DNS requests, which turn server names into network numbers, are visible to anyone, so even if you subsequently use secure HTTPS connections only, the names of the services you are using are nevertheless revealed (the server name is also sent in the clear at the start of each HTTPS connection).
  • The hotspot can send you bogus DNS replies, redirecting you to imposter servers, blocking your access to security updates, and more.

USING A VPN

One handy countermeasure is to use a VPN, short for Virtual Private Network.

That’s where you get your computer to encrypt all your network data before it leaves your laptop or phone, and send the scrambled stream of data back to your own network.

When the scrambled data is safely back on home turf, it is decrypted and sent out onto the internet just as if you were at home, effectively sidestepping the hotspot and its numerous risks.

Of course, many free Wi-Fi networks make you jump through some sort of simple authentication process first, directing you to what’s called a captive portal – a special web page that pops up in place of the site you’re trying to visit.

Captive portals may ask you to accept various terms and conditions, show you a few ads, or ask you for some sort of identifier to track your usage.

The latter is common in hotels, often to differentiate between paying guests, day visitors attending a conference, and unentitled passers-by.

In other words, even if you want to use a VPN, you typically need to spend a short while online with your network shields down, until you can get past the captive portal.

Only then will the hotspot let your network traffic out into the real world so your VPN can call home.

SHIELDS DOWN

Here’s what happened in my hotel during my brief “shields down” period:

I’m sure you can spot the problem here.

To activate my connection, the hotel wants to validate that I’m a guest, so it uses exactly the same information that it would use at the poolside bar or when you sign the bill in the pizza restaurant: your name and room number.

Room keys don’t have numbers on them, so this is a simple, customer-friendly and reasonably satisfactory way of regulating your room charges.

Except that in this case, the hotel’s hotspot service is run by an external company whose logon portal expects you to hand over your name and room number over an unencrypted HTTP connection.

As a result, any nearby computer running a network sniffer (I used Wireshark) can read those fields out of the ether:
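
As an added illustration (not part of the original article, and not the hotel’s or the portal company’s code), here is what a passive eavesdropper recovers from the raw payloads on an open hotspot without any special tooling: the name being looked up in a DNS query, and the fields posted to a captive portal over plain HTTP. Both inputs are constructed for the example; the hostname portal.example.net, the /login path and the field names lastname, room and accept are assumptions, not the real portal’s.

```python
"""Added example: what a sniffer on open Wi-Fi recovers from unencrypted traffic.

Both inputs are constructed for this example (not captured from the hotel):
  - a DNS query, i.e. the UDP payload a laptop sends to resolve a name;
  - an HTTP POST to a hypothetical captive portal, i.e. the TCP payload.
"""
import struct
from urllib.parse import parse_qs


def build_dns_query(name, txid=0x1234):
    """Build a standard DNS query message for one A record (constructed input)."""
    # Header: ID, flags (RD set), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def dns_query_names(payload):
    """Return every name asked about in a DNS message's question section.

    This is all an eavesdropper needs: the question section is never encrypted,
    so the sites you are about to visit leak even before any HTTPS starts.
    """
    qdcount = struct.unpack("!H", payload[4:6])[0]
    names, pos = [], 12  # question section starts right after the 12-byte header
    for _ in range(qdcount):
        labels = []
        while True:
            length = payload[pos]
            pos += 1
            if length == 0:
                break
            if length & 0xC0:
                # Compression pointers do not appear in queries; refuse rather than loop.
                raise ValueError("unexpected compression pointer in question")
            labels.append(payload[pos:pos + length].decode("ascii"))
            pos += length
        pos += 4  # skip QTYPE and QCLASS
        names.append(".".join(labels))
    return names


# Constructed captive-portal logon, as it would cross an open hotspot in clear text.
# Host name, path and field names are assumptions for the example.
SAMPLE_HTTP_POST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: portal.example.net\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 35\r\n"
    b"\r\n"
    b"lastname=Smith&room=1234&accept=yes"
)


def http_form_fields(payload):
    """Parse one plain-HTTP request and return host, path and any posted form fields."""
    head, _, body = payload.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method, path, _version = request_line.split(b" ")
    headers = {}
    for line in header_lines:
        key, _, value = line.partition(b":")
        headers[key.strip().lower().decode("ascii")] = value.strip().decode("ascii")
    body = body[: int(headers.get("content-length", "0"))]
    fields = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        fields = {k: v[0] for k, v in
                  parse_qs(body.decode("utf-8"), keep_blank_values=True).items()}
    return {"method": method.decode("ascii"), "host": headers.get("host"),
            "path": path.decode("ascii"), "fields": fields}


if __name__ == "__main__":
    print("DNS reveals:", dns_query_names(build_dns_query("portal.example.net")))
    print("HTTP reveals:", http_form_fields(SAMPLE_HTTP_POST))
```

Had the portal used HTTPS, the same capture would still give away the portal’s name via DNS, but the request body would be a TLS record rather than readable form fields, and http_form_fields would have nothing to extract.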

You have to tell the truth, too, because making up an answer for safety’s sake won’t work:

IF IN DOUBT, DON’T GIVE IT OUT

When I checked in to the hotel, I wasn’t asked if I wanted to make use of the free Wi-Fi service, nor whether I consented to having the details of my stay shared in some way with the Wi-Fi portal company for Wi-Fi validation purposes.

If I’d known, I’d have declined, on the principle of “if in doubt, don’t give it out”.

In the end, I used my trusty fallback: a pre-paid mobile phone SIM with enough inexpensive data loaded on it to tide me over, with my phone acting as my very own hotspot.

At least in the USA, you’re always able to do that these days, following a ruling by the Federal Communications Commission (FCC) that hotels aren’t allowed to use technological tricks to stop you using your own hotspot.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Ldt5jzAVr88/

How much money should you fork over to that internet cutie pie?

He went by the name of Christian Anderson on the online dating site, and what a sweet fairytale he spun.

He was a well-to-do engineer working in the oil industry, he said. He was divorced, with a daughter, having lost his father and sister to cancer.

Within weeks, they’d met in person.

He confessed that he’d fallen in love and wanted to leave the project he was working on in Benin, Africa, to come home to her.

But first – there’s always a “but,” isn’t there? – he needed “special machinery” to finish the project.

He’d need upwards of £30,000 to pay import duty on the machinery. Could the love of his life find it in her heart to help him?

Fast forward to January 2015 and the end of this romance scam, with its numerous iterations of “plus then too there’s this cost”, and you arrive at a woman in her 40s from Hillingdon, UK, telling Action Fraud that she’d been bilked out of an astonishing £1.6 million (about $2.4 million).

Her case was referred to London’s Metropolitan Police cyber crime and fraud team, FALCON.

The Met last week said that the money got swindled out of her not only by the online dating Lothario but also by a whole gang of crooks posing as his “associates.”

Two of the gang, 31-year-old Ife Ojo, from Peterborough, and 43-year-old Olusegun Agbaje, from Hornchurch, Essex, have pleaded guilty to conspiracy to defraud.

According to news reports, they’ve been remanded in custody, their case adjourned until 8 January 2016.

According to the Met, the victim paid over £30,000 into the business account of somebody who posed as “Christian Anderson’s” personal assistant: a man who was allegedly using the name Brandon Platt.

That £30,000 wasn’t good enough. Anderson wanted more cash.

The requests ranged from £25,000 for a police fine to thousands of pounds to free up inheritance money left by his mother, who lived in Cape Town.

Anderson told his mark that he’d use the inheritance to set up a life with her.

The fees to free up the money included costs for holding it in a vault in Amsterdam and $170,000 to pay for what the Met said was a fictional “anti-terrorist certificate” so that the money could be deposited at a bank.

The woman was, more or less, convinced. She was looking for a house that they could buy.

She met with someone claiming to be Anderson’s lawyer. She even travelled to an office in Amsterdam to meet a man calling himself Dr Spencer, who was supposedly responsible for holding the money in a vault.

The victim paid the £1.6 million into numerous bank accounts between March and December 2014. From there, the crooks transferred the funds into personal accounts, including £35,000 to the bank accounts of Ojo and Agbaje.

Still, the victim had doubts. But every time she asked Anderson for proof, he either sent false documentation or sweet-talked her, coming up with excuses for why he couldn’t give her evidence.

FALCON investigators tracked down the source of that sweet talk: a financial investigation identified Agbaje as one recipient of the stolen money, so they went to his home address and found him with Ojo.

Upon arresting the pair and searching their homes, they found a laptop at Ojo’s home that contained records of conversations with the victim, as well as a memento book that seems to have been sent to Anderson by another victim and a copy of the book The Game.

The Met provided these excerpts from emails that “Christian Anderson” sent to the victim:

I know our relationship is still young, but I am really trying to hang on here and after the contract we have all the time in the universe together.

I called you this morning for us to have a sweet good Friday together and you did a good job in letting me feel down.

But most times when your brain tells you things, it’s all because of the hurts you had in the past and insecurities.

On a related note, most times when your brain tells you things about online cutie pies, we really, really hope it’s saying DO NOT SEND YOUR INTERNET LOVER EVEN ONE SLIM DIME.

Fortunately for a North Wales man whose online friend convinced him to strip in front of a webcam, his brain recently told him not to pay the £6000 she then tried to sextort from him.

As the BBC reports, the fraudsters are believed to be in Africa, though the police admit that it’s extremely difficult to trace a scam like this.

Speaking anonymously in an interview, the man said she looked like a local woman to him:

I could see her clearly. She looked like a woman from Wales – a white woman with dark hair. We never spoke to each other even though I could see her. She always messaged me.

The day after he stripped, the con artist got in touch and said that she had something to show him.

She played the recording of the man stripping and warned that if he didn’t cough up the £6K, she’d post it to Facebook and claim that he’d stripped in front of an 8-year-old girl.

He refused. She posted it. He called police.

The woman had originally approached the man online. Details about where, exactly, weren’t provided, but we know that romance scams – and sextortion attempts – don’t just originate on online dating sites.

Detective Chief Inspector Gary Miles of FALCON had this to say about the case of “Christian Anderson”, but of course it pertains to all sorts of sex and romance scams:

Any stranger who approaches you on a chat site, via email or any other way could potentially be a fraudster. In a recent case, a woman was defrauded of £250,000 after a suspect relentlessly tried striking up a conversation on Skype. She eventually answered and the scam progressed from there.

The Met offered these tips to anybody who’s talking to a potential partner online:

  1. See through the sob stories.
    Con artists will tell you tales to pluck at your heartstrings, with a view to gaining your trust and sympathy. Sometimes they ask for money to help them through a difficult situation. These are lies to get you to send them money.
  2. Don’t be fooled by a photo.
    Justin Bieber probably doesn’t need to chat up strangers to get a date, so is that really the Biebster contacting you? Anyone can send a picture to support whatever story they’re spinning. Scammers often use the same story and send the same photo to multiple victims. You may be able to find evidence of the same scam posted on anti-fraud websites by other victims: here’s how to do a reverse image search on Google, for one.
  3. Keep your money in your bank account.
    Never send money abroad to somebody you’ve never met or don’t know well, no matter how strongly you feel about them. No one who loves you will ask you to hand over your life savings and get into debt for them.
  4. Question their questions.
    Suspects will pay you a lot of compliments and ask you a lot of questions about your life, yet tell you very little themselves beyond a few select tales. Never disclose your personal details, such as bank details, which leaves you vulnerable to fraud.
  5. Don’t keep quiet.
    It can be embarrassing to admit that you’ve been taken in, but not reporting this type of fraud plays right into fraudsters’ hands. Sometimes scammers ask you to keep your relationship secret, but that’s just a ruse to keep you from talking to someone who’ll realize you’re being scammed. If you think you’re being scammed, stop communicating with the fraudsters and report it to police immediately.

Image of internet dating scam courtesy of Shutterstock.com. Image of Ojo and Agbaje courtesy of Metropolitan Police.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/DHPY4Th3Y6k/