
Computer hacking: how do we uncover online security flaws?

Say the word hacker and a certain image comes to mind: hooded top, hunched over a laptop, lines of green code fluttering around like menacing birds. But that’s mostly a Hollywood myth – and the reality is far more interesting…

Many so-called hackers are ‘white hats’; honest, curious and socially conscious individuals who want to share their knowledge to improve products and online environments for everybody. And they should be heard.

Responsible disclosure

As the lead for privacy and security testing and investigation in the Which? Product Research team, I have disclosed various flaws and vulnerabilities to companies.

Today, I published a story about a significant flaw found in an internet router supplied by full fibre broadband provider, Hyperoptic. The flaw meant the router was at risk of being hacked with a phishing message.

Our findings were based on in-depth testing by respected experts at Context IS. (Disclaimer: some of whom may wear hoodies.)

We disclosed the issue to Hyperoptic in November and, after some back and forth, it committed to address the vulnerabilities.

Hyperoptic has been cooperative ever since and has fixed the flaw, but it has taken more than six months for it to be safe to publish our findings without putting Hyperoptic customers at risk.

Legal threats

Although time-consuming and lengthy, the Hyperoptic disclosure was relatively painless. On other occasions, it has been much more challenging.

Some companies take the feedback as a constructive act, helping them fix an issue that could have been exploited in much more devastating fashion down the line, while also spinning a nice PR story about ‘taking security seriously’.

However, we still see too many occasions where companies take a much more defensive or even aggressive stance when an issue is disclosed. This can mean grumblings and radio silence. Or, at worst, it can manifest in legal threats.

‘Secure by Design’

In March, the government came to Which? to launch its new ‘Secure by Design’ project, aimed at creating a code of practice for companies making network-connected products.

Among its various recommendations is this: ‘They [companies] have a vulnerability policy and public point of contact, so security researchers and others can report issues immediately, and they are quickly acted upon.’

Not all security researchers have the power and resources of Which? behind them. They are often working alone, trying to help companies, and indeed the industry as a whole, improve standards of practice.

Of course, a company should be allowed to qualify what has been discovered about its own products, services and systems. But as long as the discloser is acting responsibly, it’s important that they are heard, rather than fobbed off, delayed or even threatened.

After all, not all hackers are bad…

Have you changed your internet router password to be more secure? Do you think internet service providers are doing enough to protect their customers?


The problem with defending hackers is the only hackers the public know are the BAD ones and rest assured for every “good one” there are 10 bad ones. Nice hackers have conferences in California; I have actually been invited to several, although I am not a hacker, just a member of some of their websites in the USA. The worst thing you can do is make out what big business and HMG would like you to believe so that globalization goes smoothly and “don’t worry”, it’s “okay” on the web; the mass of web complaints on Which and 100s of websites deny this approach. What we have here is a defense of profit-making using a system that’s full of flaws and holes and back-doors; it’s not viable. When you go into a shop you see a product, you ask the price, a transaction takes place, but not so in Virtual Land where between the asking and getting “middlemen” exist to rip you off. Look, it’s been admitted that the web isn’t safe, but WHO is to blame? The internet companies blame the customer – your computer is too open to attack – and ward off complaints, but isn’t that transferring the guilt of a basically unsound system to the customer? Yes, in my view. The ordinary public want a safe and assurable means of transacting remote business but they don’t get it.

Have you changed your internet router password to be more secure? YES. (I usually change the wifi name too… one of my repeaters is called MadHouse.)

Do you think internet service providers are doing enough to protect their customers? NO. But I’m not sure how we should define “enough” here. I know some do offer free anti-virus & anti-spam, but I don’t know of any that do anything beyond that.

In practice though, just as we cannot have absolutely safe electrical appliances, we can never expect to be absolutely safe online. That said, we need to make sure that the benefits of going online far outweigh the risks.

At one time my ISP was renamed to virusnet.

It usually happens to me when I post on Which: I got an email from the USA saying “Authorities” in the USA/UK/Netherlands on Tuesday had shut down a popular hacking website labelled as Webstresser.org, “hacking for hire”, with 136,000 members registered who had launched between 4 million and 6 million attacks over the past 3 years. The attacks used now are called “Fileless Attacks”, designed to evade detection and bypass the majority of endpoint solutions; blocking those types of attacks is not that easy. My point is all this type of news is covered up from the general public so as to stop them from having doubts about safety online; I prefer the truth to any social niceties.

Duncan, there seem to be plenty of public facing websites describing “fileless attacks”, so how exactly can you say this news is “covered up” from the general public? Hidden in plain view might be more accurate…

When I said “covered up” I mean the mass media – newspapers/TV etc. What do the public watch? TV, as witnessed by CPCW having massive sales due to heavy advertising. Where are the newspaper headlines on all the hacks that continually take place in this country, or TV headlines for that matter? You and I can access websites describing methods of scamming/hacking/malware etc, but the general public don’t, as witnessed by Which giving out warnings and many convos on the subject, just because Which advertises it, not the other media. Which Convo brings in many complaints about the subject but it’s got to be put out where the public can see it. This convo is about making people aware of what’s out there on the Web; I just don’t see the media doing the same because they think it will lose sales and profit will drop. At least Which is making an effort.

Thanks Duncan. I think “covered up” is a “glass half-empty” viewpoint and the role of mass media is peripheral to the main topic here, which is more about the process of discovering, reporting and fixing vulnerabilities.

As for the (recently coined?) term “fileless attacks”, its prominence does perhaps show that regular antivirus s/w is now quite good at dealing with traditional virus attacks, i.e. where the user must be conned into downloading a file that contains a malicious executable program, before the main thrust of the attack can progress.

In that sense, there is really nothing new about the nature of “fileless attacks”. That said, as you suggest, an alternative name for them (e.g. “hostile websites”) won’t serve to encourage e-commerce for the benefit of Amazon and other business interests. (As we both already know “non-fileless attacks” generally only work against Windows systems, because downloaded files won’t be executable by default on more sensible OSes.)

With regard to the mass media, I think they generally need to pitch their stories so they can be understood by any average school leaver (i.e. with little or no qualifications or life experience), so it is hard for them to get into as much technical detail as we can here.

…primary school leaver, in the case of most tabloids…

Many of us have a router supplied ‘free’ by our internet service provider. Hopefully most users will have changed the password but would our ISP inform us of a security problem? I recall my ISP informed users of a problem with one model of router that they had supplied but cannot remember if it was a security issue because I had a different model.

Much in the same way as the first operation on many things has to be change the password, it is not beyond the wit of man for this to be a requirement on router installations – and I suggest it is disgraceful that that doesn’t happen where the defaults are empty, admin, 0000 etc. BT at least make their default router passwords unguessable and all different.

Good you brought that up, Roger. As a BT customer with one of their very reliable routers I can’t figure out why they don’t publicize it. It’s one of the biggest pluses for hackers — get the default password and you get the rest.

In my experience, most ISPs now give you sensible router passwords like 8d29ebf4 from the get go.

It’s ages since I last bought a new router, but the ones I’ve bought tend to come with default passwords like “admin”.

As Duncan said he does, I also backup passwords to paper records, as I don’t expect those to ever be hackable.

I’ve also recently discovered that saving passwords in web browsers like Chrome is really nasty, because they have to be capable of delivering the plain text version of the password. That probably explains why my banking websites don’t allow those functions to work.

Although this convo is about hacking, this post is still relevant to those people being scammed by emails. I have just been informed by a Defense contractor (USA) that there is an Email service available to Defense Contractors/Government departments that pings the sender and asks if it is legitimate even though it looks official, and can tell if the domain is legitimate. It stops Federal Officials from opening phishing emails and SPOOFING accounts and spoofing Federal domains to trick people into opening malicious emails. My point? WHY isn’t this universal for the British public?

Duncan, where I work similar safeguards are in force, as part of paid for endpoint solutions.

In another convo you recently said “A good commercial firewall AND internet malware/virus protection is definitely required for Windows…”; on the basis that software engineers won’t often work for free, all this has to be bought and paid for.

It may be that the costs are too high to encourage these particular solutions from being marketed or sold to the general public.

You might be right, Derek, but should not the option be openly provided to those who want better security?

Duncan, I think these services are publicly available. A quick look on the Sophos website seems to suggest they claim to provide the kind of capabilities you mentioned above.

Derek, what the US defense industry are waffling on about is DMARC. I can’t get into Sophos after accessing the website as my blockers won’t let me check the inner detail, but it looks like a virus/malware type of blocker; maybe you could add to that. Click on https://blog.returnpath.com/how-to-explain-dmarc-in-plain-english/ – that’s the simplified version; the tech version is much more “brain heating”.

Duncan, thanks for the info.

According to dmarc.org, anyone can use this protocol.

I think I had to enable script to dive into the Sophos website. As Sophos is the best security software that I’ve ever personally used, I was happy enough to do that.
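The DMARC protocol the two posts above refer to is published as a DNS TXT record that a receiving mail server reads before deciding what to do with mail that fails SPF/DKIM alignment. The following is an added example, not code from the thread or from dmarc.org: it parses such a record and flags the settings that still leave a domain open to spoofing. The records in SAMPLE_RECORDS are constructed, not any real domain's.

```python
"""Parse a DMARC DNS TXT record and grade how much spoofing protection it gives.

Added example; the sample records below are constructed, not real domains' records.
DMARC (RFC 7489) is published as a TXT record at _dmarc.<domain>, for instance
    "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
The receiving server checks SPF/DKIM alignment and applies the p= policy to
mail that fails, so p=none means a spoofed message is still delivered.
"""
from typing import Dict, List, Tuple


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict; the first tag must be v=DMARC1."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or list(tags)[0] != "v":
        raise ValueError("record must start with v=DMARC1")
    if "p" not in tags:
        raise ValueError("record lacks the required p= policy tag")
    return tags


def evaluate_dmarc(record: str) -> Tuple[str, List[str]]:
    """Return (overall grade, list of findings) for one DMARC record."""
    tags = parse_dmarc(record)
    findings: List[str] = []
    policy = tags["p"].lower()
    if policy not in ("none", "quarantine", "reject"):
        raise ValueError(f"unknown policy {policy!r}")
    if policy == "none":
        findings.append("p=none: failing (spoofed) mail is delivered; monitoring only")
    pct = int(tags.get("pct", "100"))
    if policy != "none" and pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    # sp= governs subdomains and defaults to the main policy when absent
    sub = tags.get("sp", policy).lower()
    if sub == "none" and policy != "none":
        findings.append("sp=none: subdomains can still be spoofed")
    if "rua" not in tags:
        findings.append("no rua=: no aggregate reports, so abuse goes unnoticed")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r").lower() == "r":
            findings.append(f"{tag}=r: relaxed alignment (the default); s is tighter")
    if policy == "reject" and pct == 100 and sub != "none":
        grade = "strong"
    elif policy == "none":
        grade = "weak"
    else:
        grade = "partial"
    return grade, findings


# Constructed sample records for a weak, a partial and a strong configuration.
SAMPLE_RECORDS = {
    "weak": "v=DMARC1; p=none; rua=mailto:reports@example.com",
    "partial": "v=DMARC1; p=quarantine; pct=50; sp=none",
    "strong": "v=DMARC1; p=reject; rua=mailto:reports@example.com; adkim=s; aspf=s",
}

if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        grade, notes = evaluate_dmarc(rec)
        print(f"{name:8s} -> {grade}")
        for note in notes:
            print("   ", note)
```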

Krebs on Security isn’t happy with the new regulations as they will limit the public from getting info on WHOIS, as it will be redacted under ICANN applying it.

I’ve often thought that the principle of paying extra on domain registration for anonymity is wrong and that the detailed information should only be available to officialdom – a bit like the DVLA database should be.

In the interests of the British public, and especially the posters on Which convos relating to the internet and computers, I have been sent the very up to date 2018 tests on a wide variety of malware/virus control companies done by a registered independent tech organisation. It includes all Windows 10 computers and the Windows malware system itself, plenty of graphs/figures to look at, and goes into tech detail. The company is AV-Comparatives, a professional company; click on https://www.av-comparatives.org/wp-content/uploads/2018/04/avc_mpt_201803_en.pdf?utm_source=emsisoft (only cloudfront and zendesk trackers – site okay). I have said there are not many UK companies who will supply pukka computers without a Windows or other system built in, because they make money out of it — Scan UK is one, a company that has been in business for many years, so Linux or another system can be installed easily, especially removing booting problems associated with Windows being involved.

Duncan – thanks for that link.

Re “especially removing booting problems associated with Windows” – I agree that booting Windows generally leads to problems 😉

That said, those results show that many common a/v programs – including some free ones – seemed to perform quite well.

This applies to Android users and computer users. I have just been offered by a Hacking investigation website – Wi-Fi Hacking – 10 best Android and Desktop Wi-Fi hacking apps, one of which is used by the NSA, all FREE and download link supplied on the website. It took me by surprise that they are not illegal as they can be used for other issues, but make no mistake, they can cut into and obtain all your personal data, and they actually boast of the methods used which, obviously, I will not post. With some of those free apps you have to put up with adverts but that would not bother any amateur hacker. While not illegal in the USA, I have not checked on the legal aspects in the UK. There are many apps available where you can see who is on your Wi-Fi; these go a big step further. As you know I use a LAN cable and, yes, Wi-Fi is completely disabled on my PC. They say even the “rank” amateur can easily use them.

Duncan – a piece of software like a hacking app, is just a tool. Of itself, it cannot be either good or evil. So there is no need to make such software illegal.

Hacking software can be put to good uses by “pen testers” and other security consultants, who will find, expose and then fix security flaws on computer systems.

Or, the same software might be used for malicious purposes by criminals intent on stealing data and/or committing fraud.

I didn’t say otherwise, Derek; you do understand I posted this to alert the British Public, not to alert the “cognitia” (yes, the word exists) or, if you want more perfection, cognitus, on Which. This is, after all, a Convo on Hacking. You know, and so do others, the amount of posters on this type of subject complaining of “they know my name/address etc and have hacked my router/modem”.

Duncan, you’d said “It took me by surprise that they are not illegal” which struck me as odd, if not surprising, given that you claim to hang out on US hacker forums and such like…

Derek, it took me by surprise that they were so easily downloadable on websites; okay, some were obscure websites but young people would know them. The US websites I am on have data on them but that’s different from having “open house” to the apps on the web. The hacking websites inform me of the latest actions by hackers and are not “Dark Web” inhabitants but are there for good not evil. Show me the UK equivalents?

So when you said “illegal” you weren’t suggesting it might be a criminal offence to produce, possess or download such software?

Point of law, Derek (US law): not in the three instances you quote, but it is to USE it – the Computer Fraud and Abuse Act (CFAA), see https://www.pbs.org/wgbh/pages/frontline/shows/hackers/blame/crimelaws.html. I have not looked up UK regulations on it but hacking per se I take to be illegal in the UK (unless you know otherwise?).

Duncan – I agree, that was my point exactly.

So by “illegal” did you mean you thought your ISP or your a/v s/w (if you have any) ought to have blocked those downloads?

Assumptions, Derek. I never downloaded anything; why would I download, as I don’t use Wi-Fi and have it completely disabled in the main programming so that the hardware (two types) doesn’t function? My ISP hasn’t blocked me accessing the website; anybody can, it isn’t political and it’s American, not Russian. As I am also a member of three US “freedom of access on the web” websites, I get all the latest action by the US government to control/slow down websites for profit etc. I am against restriction and have signed their petitions to Congress. It’s as I posted in the link: it’s illegal to actually use it. The UK has the same type of laws in other areas – okay to buy (usually from the USA) but illegal to use. Read up on Arch Linux; I don’t need to download from “iffy” websites. Arch contains the largest range of compatible programmes and programming that I have come across, because if you install a programme outside its range it usually doesn’t work correctly, as you have to allow parts of basic operation programming to make it function properly. It also lets you know with a BIG warning in red – Warning!! this programme isn’t safe/out of date/not kept up to the latest level of security by updates etc – download at YOUR risk of installing infected software and corrupting your system. Then the whole system is constantly re-installed by updates with a new kernel but not the core, unlike Windows, where you have to start from scratch with a complete re-installation, and other Linux distros. I learned long ago using Windows 7 Prof. the bad side of downloading willy-nilly (old obsolete expression).

Duncan, I wasn’t suggesting that you had downloaded any of those apps; I was just wondering whether or not you would expect any blocking software to stop you if you had wanted to?

In the past I have experienced Windows Security Essentials did block the download of certain “utilities” that could be used for legal work – or potentially for other things too.

Well, you have a point, Derek. Arch, being different from the rest, blocks normal downloads by default; in other words, downloading an app/programme doesn’t install it, nor is it able to function in any capacity, but isolates it, leaving you with a good bit of programming to install it. I only have a limited amount of third party programmes, mainly audio/hi-fi, and even there I had to install libraries etc from Pacman to make them function. But that’s the beauty of Arch: you control it even if you destroy it. I had to remove two small browsers because Arch didn’t like them as they weren’t secure enough. One was a text browser I tried; it worked for one day then locked up permanently; the second locked up my screen, as, again, Arch wasn’t happy. I would rather have that than an “open to the web” system.

HMG as of now is being taken to the Supreme Court of the United Kingdom for its hacking of the UK public under a “General Warrants” case where a whole city can be hacked by our “government services” even if it’s only one individual that’s being hacked. If that isn’t “1984 values” then I don’t know what is. That means EVERY mobile phone in that city – Draconian doesn’t come close; not even the home of capitalism, the USA, allows that. UK Third world citizenship. As a certain departed comedian (KE) once said – “all done in the best possible taste”. Hearing scheduled 3rd-4th December 2018.

Thanks for the link, malcolm.

Thanks Duncan and malcolm – that’s interesting. I think it shows the danger of leaving unfixed security flaws around, in case authorities might want to use them as backdoors into systems. The trouble is, if that’s done, then others might also be able to discover and use those flaws.

There are some here that use Apple computers, but do you use the default Apple Mail? I have been warning about HTML being able to gather data; some, I think, do not believe me. Well, the same is now being used to hack your PGP-encrypted emails, and you are advised to use Thunderbird, which I use as it blocks REMOTE content. For those that think I am exaggerating I provide a URL to back up my post on this subject: https://theintercept.com/2018/05/25/in-apple-mail-theres-no-protecting-pgp-encrypted-messages/

Got an Android mobile phone? Got a Windows 10 computer? If yes to both then listen carefully – DON’T connect your Android phone to your Windows system IF you have visited Google Play Store and downloaded any of nearly 145 apps in the past 8 months (approx); they contain malicious MS executable files and, worse, they get a FOUR STAR rating! Your Android phone will NOT be affected but your Windows system certainly will. Do NOT connect your phone to your computer. Palo Alto Networks researchers: embedded Windows executable binaries/APK files – the whole chain can be infected, opening a wider attack scale for KeRanger and NotPetya sort of malware. Apps include (but not limited to) men’s design ideas, gymnastics training tutorial, learn to draw clothing, modification trial, hair paint colour containing keyloggers; they were available for 6 months. Google (as of this date) has now removed them, which shows where Google’s priorities lie.
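The finding the post above relays (Windows executables packed inside Android APKs) is something a defender can check for directly, because an APK is a zip archive and a Windows PE file announces itself by its header. The following is an added example, not code from the thread or from Palo Alto Networks: it builds a constructed APK-like archive in memory and scans every entry for a PE header regardless of file name or extension.

```python
"""Scan an APK (a zip archive) for embedded Windows PE executables.

Added example with a constructed sample archive; not code from the thread.
A Windows PE file starts with the DOS magic "MZ", and the 4-byte little-endian
offset at 0x3C (e_lfanew) points at the "PE\0\0" signature. An entry inside an
Android app that matches both is a Windows binary that has no business there;
Android itself never executes it, so it only matters once the file reaches a PC.
"""
import io
import struct
import zipfile
from typing import List


def looks_like_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # A decoy that merely starts with "MZ" fails here: the offset must land
    # inside the buffer with room for the 4-byte signature.
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_embedded_pe(apk_bytes: bytes) -> List[str]:
    """Return the names of zip entries carrying a PE header, whatever their extension."""
    hits: List[str] = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                # e_lfanew normally sits within the first few hundred bytes;
                # 64 KiB leaves ample room without reading large assets whole.
                head = fh.read(65536)
            if looks_like_pe(head):
                hits.append(info.filename)
    return hits


def make_fake_pe(payload: bytes = b"") -> bytes:
    """Constructed byte string with a valid MZ/PE header layout (not a runnable binary)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)  # e_lfanew -> signature at offset 0x80
    stub = bytes(0x80 - 0x40)
    return bytes(dos) + stub + b"PE\x00\x00" + payload


def build_sample_apk() -> bytes:
    """Constructed APK-like zip: ordinary Android files plus a PE under an innocent name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + bytes(64))
        zf.writestr("assets/help.txt", b"MZ" + b"x" * 100)  # decoy: MZ but no PE header
        zf.writestr("assets/theme.dat", make_fake_pe(b"\x00" * 32))  # hidden PE
        zf.writestr("lib/armeabi-v7a/libnative.so", b"\x7fELF" + bytes(60))
    return buf.getvalue()


if __name__ == "__main__":
    for name in find_embedded_pe(build_sample_apk()):
        print("embedded Windows executable:", name)
```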

Duncan – now that this information is out there, won’t Windows anti-virus software just simply block those files from executing?

Windows won’t block what you authorise, Derek; that’s how malware gets through, you have got to accept it first, the same as “don’t click on that link” etc in an email. If Windows anti-virus was that good the world and the UK wouldn’t be full of people getting infected by malware; it’s because they allow it, just like telephone scammers: just do this or that to allow us to deposit our controlling Trojans/malware on your system. MS doesn’t stop that happening; it’s not reached the AI stage yet in intelligence. It’s supposed to protect you from yourself but if you okay it, it gains entry. In any case this wasn’t some dumb virus easily spotted; it was an up to date sophisticated one masquerading as a normal file. They were all packed with different malware strains from different manufacturers and packed as portable executable files (PE) but all used the same source code. No virus control can boast of 100% efficiency and hackers aren’t stupid in this category; no wonder both our government and the USA want to employ them.

Duncan – would I be right in thinking you have no hands-on experience of using Android phones and W10 PCs – either singly or in tandem?

Not Windows 10, Derek, and I would never buy Android as it’s easy to hack. Are you saying Windows virus control will block your commands, Derek?

Duncan, I’m not happy making sweeping general statements from the basis of limited experience.

It concerns me that you have no such inhibitions.

And I think it leads you to post incorrect advice.

Like your recent advice on the use of Windows task manager for a boot-looping Android phone.

Then there was your recent project IT fear advice against the use of USB discs.

Hence, given the allowance for debate on W?C, I do sometimes feel moved to question some of your posts.

Okay, prove to me that Windows 10 is “safe” and that a user can’t override the built in virus control. Tell the public it’s “safe”, Derek. When MVPs can’t answer a question they just repeat their statement, leaving no answer; if you have one, give it to the public. Are you saying thumb drives are safe, Derek?

With intelligent use I don’t see much problem with using flash drives as long as you don’t use them for sensitive data or if you do then treat them as if they were confidential paperwork. I trust that most people are aware that simply deleting a file on a flash drive does not erase the data.

I think it is good to be aware of risks but if they are overstated then readers will just switch off.

Duncan, I agree with wavechange that flash drives are safe to use.

My employer even lets me use them at work, so they think so too.

Duncan, if you are asking me prove to you that Windows 10 is “safe”, then I think you have just validated my position.

I would not even try to “prove” that plastic backed fridge-freezers are “safe”, yet I have one right here that is powered on 24/7/365 and seeing its hottest ever summer.

That said, I am content that the fire risk posed by my fridge freezer is tolerably remote.

I apply similar judgement to my uses of Android phones and tablets, Windows PCs and USB discs.

Duncan, I have not taken it upon myself to advise the public via W?C.

I merely question your posts as a member of the public, albeit one with experience that challenges the overall veracity of some of your statements.

The time you advocated ReactOS as a (presumably viable) alternative to Windows was another memorable time when I became aware of the need to challenge the wisdom of one of your posts.

Comparing fridge freezers and Microsoft Windows 10 in the same category of public safety says it all to me, Derek; I don’t trust your responses. I hesitate to say “you can’t be serious” as tennis is in full swing just now. Come on, Derek, tell the public just how “safe” Win 10 is in reality? If you are telling the British public it’s as safe as your fridge freezer, I rest my case.

As you refuse to believe me, Derek, have you heard of the USB malware BadUSB? Detected by none other than the Chief Scientist and founder of Security Research Labs, Berlin, Karsten Nohl – quote: Most of the USB thumb drives have a major dilemma, like several other USB peripherals, that they fail to provide protection to their firmware. This refers to that software which is known for running upon the microcontroller which is inside them, according to the founder as well as the chief scientist of the Security Research Labs based in Berlin, namely Karsten Nohl. This denotes that the firmware on a USB device can be replaced by any malware program with the help of SCSI (Small Computer System Interface) commands. Nohl further claims that it can be made to act as any other piece of hardware. This spoofed piece of hardware can then be used to imitate key presses as well as transfer commands in order to download and for the execution of a malware program. This malware then can also be used for reprogramming the other USB drives which are put into the infected computer. This way it becomes a self-multiplying virus. I will stop before the tech detail as it’s “not approved” here, but of course – he doesn’t know what he is talking about, right? I have tech website after tech website showing how vulnerable thumb drives are to hacking, but of course “they are all lying”, yes?

Duncan, I’m not accusing you of lying. I’m just saying that, from the light of experience, I cannot attribute much value, utility or veracity to the information that you post. I have already explained my reasons, so this is my final post for this thread.