How Safe is your Hotel Wifi Connection?

How safe are the Wifi connections that you use when away from home, who owns them, who runs them and how secure are they?   Well chances are, like most of us, you're likely to  have virtually no idea about the answers to any of these questions.  For sure, you might hazard that the owner is Starbucks or the hotel management, but that will probably be only a guess based on your location (many firms outsource their internet provision in any case).

The reality is that you have little or no information concerning any wifi connection you use, when away from your office or home.  Most of us expect to see half a dozen available networks whenever we try and connect from a coffee shop or hotel room.   Something like this, is fairly typical -

A selection of wifi access points, some secured, others completely open.  There is only one common element, the fact that you have no idea who runs the majority of them.   Of course if you're at a hotel or airport, you can look for a name representative of that location.  However anyone can name an access point whatever they like, there are no restrictions on what you can call any access point.

What most people do is click on the most obvious culprit, then  name of the hotel or initials or something similar.  

So What's the Danger?

Well the dangers are very real and growing all the time, due to the increasing number of attacks targeting public wifi access points.  The attacks have a variety of names from 'evil twin' (referring to a duplicate access point) to session hijacking but they all share a common goal - to harvest people's credentials in order to profit.  They basically consist of setting up rogue access points, often free, to get unsuspecting users to connect to them.

The problem is that whenever you connect to an access point anywhere, you are entrusting your connection and details to the administrator of that connection.   All your information will flow through that access point and it's perfectly possible to intercept and log all those details without the user being aware.  Tools which help perform MITM (man in the middle) attacks like responder, evilgrade and sslsplit are easily available and fairly simple to use. 

Imagine, that every piece of data that flows through your connection is logged and recorded.  Perhaps you login to your webmail account, check that auction in ebay or perhaps set up a standing order in Paypal or using online banking.   All these credentials are then compromised and become available to the bad guy.  It doesn't matter that they're supposed to be protected by SSL, because that data can be intercepted. Or the attackers can merely spoof DNS entries to direct users to duplicate copies of the legitimate sites and steal login details directly.

Unfortunately it's actually very difficult to tell whether you're using a legitimate access point, often the rogue access point will even have the same web portal as the real site.  Others simply advertise their connections as 'free wifi' or something equally as tempting.
If you are using unfamiliar wifi connections you should restrict your web usage to non-secure sites, do not login to webmail or banking sites.  Anything where you need to authenticate should be avoided,  if you must use these then use a VPN like Identity Cloaker to protect your data while using it.


Travels with My Roku - Mobile Entertainment Perfection?

I thought I had this sussed, a three week stay in the US followed by a couple of weeks staying in European hotels - evening entertainment was needed.  My problem is that my entertainment options when travelling usually involve two choices drinking in bars or watching TV, but although most US hotels have lots of channels - I'm afraid I just can't get used to the number of adverts.

I needed a better option for the sake of my liver, so I started looking around for something I could travel with and access my favorite TV channels on things like BBC iPlayer and Netflix ( both free of adverts). Being able to access Netflix on my travels was particularly appealing as it would default to the US version whilst in the USA with lots of different content than the UK version.

Of course, I could watch both of these with Identity Cloaker and my laptop or tablet.   However I for one have never really enjoyed watching films on smaller screens very much so wanted to watch it on the TV. Cables obviously exist to hook up devices to your TV but every time I try this, the hotel TV has different ports or missing sockets.  The solution I thought lay in the numerous media devices that plug simply into any TV and stream online from a variety of channels including Netflix,  BBC iPlayer and other British TV programmes.

I chose the wonderful Roku, as I knew it worked and could use my Smart DNS account on it easily ( here's the one I use), this meant I could watch any channel I liked by switching my location easily.  All you need to do is change the Roku's DNS address to the Smart DNS one and it can access any channel irrespective of your location.

The other big advantage of the Roku is it's size, about the size of a cigarette box, it weighs next to nothing and fits easily into your luggage.`I thought it was perfect, and packed it all up (remembering the remote control) and thought I had with me a mini entertainment package for all my travels. I could watch any film I liked from any region of Netflix and enjoy the BBC on demand too with my Overplay account. Unfortunately this happy state of mind lasted only until my first hotel visit when I encountered the fundamental problem of travelling with a Roku when using public Wifi access points.

I eagerly set up the Roku and checked out how to access the hotel's wifi, this was where it dawned on me. The hotel offered fairly reasonable wifi rates on a weekly basis and you just sign in with your browser to access the internet. I soon discovered that this authentication method was very common in hotels and coffee shops, just fire up your browser and login.

Even when the access was free (as in some US airports) you had to login with an email address. Unfortunately opening a web page isn't something you can do with a Roku, it has no browser and so you can't authenticate the device. Even if you access the internet via a tablet, you still can't authorise you Roku as most grant access rights to the Mac address of the device you logged into.

 If Internet Access Requires Authentication via a browser - the Roku is virtually useless.

It's true and there's no simple solution until the Roku has the facility to open a web page to authenticate itself. There are some technical options of course, you could cone the mac address of the Roku onto a laptop and then authorise it there - which technically should work. However this is lots of hassle and you might even need to keep doing this every few minutes. So next time I'm going to try and take a Chromecast instead although there are issues with this using Smart DNS.


Listening to Test Match Special Abroad

There are some things which make Summer complete for me, and one of those is listening to the unique sound of Test Match Special on a hot, sunny day. Obviously this isn't always the case, sometimes it involves cringing as you listen to a calamitous  England batting collapse or CMJ trying to while away a few hours talking about pigeons and cakes whilst the covers are installed for the third time in a day.

If you've been brought up on TMS, though it's difficult to enjoy the cricket any other way - even Sky subscribers I know will turn down the volume and listen to the radio commentary whilst watching on screen. Unfortunately some of the very best matches like the Ashes for example always seem to clash with my summer holidays and you'll find the radio broadcast difficult to get from outside the UK.

This came as a bit of a surprise to me, I'd always presumed that although the BBC restricted access to it's TV programmes online the radio was completely unfiltered however this isn't the case.  I'm not sure to what extent but any radio sports programme that contains live coverage doesn't seem to work when you're outside the UK.

 This includes all the local radio broadcasts which cover football matches too and of course trying to access TMS from the BBC web site is also a non-starter.

The reason I presume to copyright issues, and it's basically the same situation as the BBC TV programmes which you can't watch live or via iPlayer from anywhere outside the UK without a British IP address.

However fear not, it's relatively simple to listen to the Test Match Special broadcast online from anywhere in the world.  You just need to hide your IP address and hence your location by using an intermediary server.  Now I should point out here that proxies although sufficient for BBC TV programmes won't work with live broadcasts either for TV or radio shows - you'll need a VPN service like Identity Cloaker.

All you need to do on a computer is fire up Identity Cloaker, select a UK based server from the list and then go to the BBC website.  Instead of seeing the International version of the BBC site, you'll get access to the UK version and what is more when  you navigate to the broadcast links like TMS they'll work without problems.

This method will work for your laptop or PC, but although you can use Identity Cloaker on other devices you'll have to use a slightly different method.  Here's the way you can set up the VPN on your iPad using exactly  the same account, it also works with Android devices too in much the same way.

Security Chief Hacks the Lotto

Over the years, I've written about many cyber-crimes in this blog and there's always one recurring theme that always occurs to me.  It is that although it's incredibly easy nowadays to profit from all sorts of cyber based crimes, it's still very difficult to actually get away with it.  In fact it's the same with any sort of illicit cyber activity, it's not hard to bring down even a large web site with a DDOS attack, to hack  and steal a few files or even just empty someone's paypal account but not getting caught is much more challenging.

The criminal opportunities are endless, if you work in IT you'll likely see them all around you.  Of course most of us are basically honest but we also recognise that it's very easy to get caught doing something we shouldn't and very hard to stay anonymous.   The fact is that everything we do leaves some sort of trail back to us, systems, computers and applications log all sorts of information every time they are used it's usually quite simplistic to trace a digital transaction back to the computer it originated from.

Yet it still doesn't stop people and indeed it didn't stop 52 year old Eddie Tipton either who has hit the BBC news this week. Eddie was the head of IT security at the Multi-State Lottery which runs loads of lotteries across the US.   His chief role was to protect the lottery computers which were used to draw the winning numbers.  However he didn't do that and actually installed a root kit on those computers allowing him to calculate the winning numbers of the next Iowa Hot Lotto lottery.

This is all quite easy for a Head of IT Security to achieve, but you can see the problem though, can't you? How does the Head of IT security claim the lottery prize, after he's stolen the numbers?  Well first of all he's got to buy the winning ticket, surrounded by CCTV cameras.

This is the video evidence that was circulated by the crime investigation authorities trying to identify the person who bought the suspicious ticket. This brought Tipton's name into the investigation as a co-worker recognized him from the video. He then defended himself by saying he was in Texas at the time of this purchase, although his cell phone records told a different story. The reality is that as soon as suspicion was on Tipton he was doomed. He was only one of five people with security clearance to the lottery computer, CCTV picked him up entering the room before the draw was made, the cameras were modified to record selectively.

I'm certain digital forensics from laptops, the servers and other computers all would incriminate him too even if he was careful and used proxies. Of course he also had the rather daunting prospect of trying to actually claim the prize without implicating himself, something he attempted through a network of lawyers. This was something he also never managed to achieve, and was arrested for Fraud shortly after.

He now waits for sentencing in a Iowa jail and could face up to ten years in jail. Although it demonstrates how difficult it is to hide your tracks in these situation, it also highlights how easy it is to attempt these crimes. The dangers are usually from insiders or with specific knowledge of a system. It is likely that no-one would have ever noticed that the lottery numbers were being manipulated though if he hadn't tried to claim the jackpot!