29/04/2017 Click - Short Edition
Similar Content
Browse content similar to 29/04/2017. Check below for episodes and series from the same categories and more!
Transcript
| Line | From | To | |
|---|---|---|---|
Over the last few years, billions of e-mail accounts | :00:00. | :00:33. | |
Last year, Yahoo announced that over 1.5 billion e-mail accounts | :00:34. | :00:41. | |
were compromised between 2013 and 2014, the largest | :00:42. | :00:43. | |
Then it emerged that Russian hackers had gained access to 60,000 e-mails | :00:44. | :00:52. | |
from Hillary Clinton's presidential campaign. | :00:53. | :00:56. | |
Some believe the resulting leaks helped swing the election for Trump. | :00:57. | :00:59. | |
is something most of us already knew. | :01:00. | :01:07. | |
We send, each of us, all the time, hugely personal information | :01:08. | :01:10. | |
Information that we'd like to keep private, | :01:11. | :01:14. | |
but others are all too often able to see. | :01:15. | :01:18. | |
So how about something that guarantees to protect | :01:19. | :01:21. | |
Sounds like something you wanna have, doesn't it? | :01:22. | :01:27. | |
Well, this is Nomx, a box which promises | :01:28. | :01:29. | |
It was at CES that we came across this device as it was introduced | :01:30. | :01:40. | |
I met the boss, Will Donaldson, who has impressive security | :01:41. | :01:45. | |
He's worked in computer security and built web applications | :01:46. | :01:49. | |
for the Pentagon, the Marine Corps and he was Chief Technology Officer | :01:50. | :01:53. | |
for the F35 joint strike fighter communications facility. | :01:54. | :02:04. | |
So what does he think is wrong with bog standard e-mail? | :02:05. | :02:08. | |
Well, the Nomx promotional videos explain the problem. | :02:09. | :02:09. | |
When you send an e-mail, copies of the message end up | :02:10. | :02:13. | |
on several internet servers along the way. | :02:14. | :02:14. | |
Will says all of the recent big e-mail hacks have involved one | :02:15. | :02:18. | |
of these servers being compromised and what's more | :02:19. | :02:20. | |
So those vulnerabilities, we've identified six core ones | :02:21. | :02:28. | |
that encompass 100% of hacks that have occurred to date. | :02:29. | :02:32. | |
Will's solution is a $199 box that acts as your own | :02:33. | :02:35. | |
It'll talk to other e-mail services, but where it comes | :02:36. | :02:43. | |
into its own is when it connects directly to another Nomx box | :02:44. | :02:47. | |
at the other end, the pair of them replacing the cloud servers | :02:48. | :02:50. | |
that your message would usually flow through. | :02:51. | :02:54. | |
That means no copies are stored anywhere | :02:55. | :02:55. | |
The idea has caught the imagination of some in the security industry, | :02:56. | :03:06. | |
who've called it a "personal cloud on steroids" and Will himself has | :03:07. | :03:11. | |
become a bit of a star, being interviewed on US national | :03:12. | :03:14. | |
television and elsewhere in the media as a security guru. | :03:15. | :03:19. | |
So what you're pitching here is that you can make a black | :03:20. | :03:22. | |
box, that black box there, that is more secure | :03:23. | :03:25. | |
than a multibillion dollar company's servers? | :03:26. | :03:26. | |
It's been proved they're vulnerable, my question is to you is, | :03:27. | :03:35. | |
you're not a multibillion dollar company. | :03:36. | :03:37. | |
Not yet. Not yet. | :03:38. | :03:39. | |
Why should I believe that your security is any better | :03:40. | :03:43. | |
than theirs and why should I believe that there are no vulnerabilities | :03:44. | :03:47. | |
that you have accidentally left in your box? | :03:48. | :03:49. | |
What we've done is identify the categories of those | :03:50. | :03:51. | |
vulnerabilities and all of the hacks have occurred have been | :03:52. | :03:54. | |
By removing them from the equation, we've now negated them | :03:55. | :04:01. | |
So the theory sounds a good one, avoid making multiple copies | :04:02. | :04:05. | |
of your messages across potentially vulnerable servers on the internet. | :04:06. | :04:08. | |
You just have to rely on the Nomx boxes themselves not | :04:09. | :04:11. | |
You all know this man, Dan Simmons, one of Click's most experienced | :04:12. | :04:19. | |
reporters and famously, if someone says something | :04:20. | :04:21. | |
is unbreakable, you try and break it? | :04:22. | :04:23. | |
Well look, often on this programme we look at new things | :04:24. | :04:27. | |
as anybody else to see them, but sometimes just sometimes, | :04:28. | :04:34. | |
something seems a little bit too good to be true and absolute | :04:35. | :04:37. | |
security, I've never heard anyone in the cyber security industry | :04:38. | :04:39. | |
promise that, but that's exactly what this company are doing. | :04:40. | :04:42. | |
So to prove a point, you're going to try and hack this box? | :04:43. | :04:49. | |
I think I've found somebody who may be able | :04:50. | :04:52. | |
Scott Helm is one of the UK's most respected professional white hat | :04:53. | :04:57. | |
He's helped discover some big security flaws in the past, | :04:58. | :05:05. | |
including hacking home routers and electric cars. | :05:06. | :05:07. | |
Scott's had the Nomx box in his hands for just a few minutes | :05:08. | :05:11. | |
Hey, Scott. How's it going? | :05:12. | :05:19. | |
How'd you get on? Good, yeah. | :05:20. | :05:21. | |
I've had a look over this device and I was quite surprised | :05:22. | :05:24. | |
So when I flipped it over, we saw what we call the Mac address | :05:25. | :05:29. | |
here, which is the device's unique identifier and these first three | :05:30. | :05:32. | |
segments identify the manufacturer, that tells you who builds | :05:33. | :05:35. | |
So I went away and I looked these up and they're actually registered | :05:36. | :05:40. | |
to the Raspberry Pi Foundation that make the Raspberry Pi computer. | :05:41. | :05:43. | |
That's the hobbyists' computer we've seen on Click. | :05:44. | :05:45. | |
But Nomx is the manufacturer, right? Yeah. | :05:46. | :05:50. | |
So what I did, I went ahead and opened this up | :05:51. | :05:53. | |
Is there is in fact a Raspberry Pi inside this, which is white | :05:54. | :05:59. | |
There's nothing else they've done with this that we can see inside. | :06:00. | :06:05. | |
That is just a standard ?35 Raspberry Pi. | :06:06. | :06:07. | |
But what does that say to you when as a security guy | :06:08. | :06:11. | |
I guess, there are further things to be found here that | :06:12. | :06:15. | |
I've also asked Professor Alan Woodward, a well-known cyber | :06:16. | :06:22. | |
security expert, who's advised the UK Government and Europol | :06:23. | :06:25. | |
to take a look at the Nomx box to see how it works. | :06:26. | :06:29. | |
Well, already through the set-up process, there's a few things | :06:30. | :06:33. | |
for a product that bills itself as being absolutely secure, | :06:34. | :06:37. | |
there's a few things that we found that give rise for concern. | :06:38. | :06:41. | |
And we certainly want to look a bit further into it. | :06:42. | :06:44. | |
Just plugging it in has sent alarm bells ringing for Alan. | :06:45. | :06:50. | |
The set up of the device is through a web application that | :06:51. | :06:53. | |
It doesn't ask Alan to open up port 25. | :06:54. | :06:58. | |
Now, that's a key port on his router he will need | :06:59. | :07:01. | |
to communicate with popular e-mail servers like Gmail | :07:02. | :07:03. | |
It's never going to receive e-mail from an external service. | :07:04. | :07:09. | |
Unless you know to go to your router and change port 25. | :07:10. | :07:14. | |
No, it doesn't, the documentation doesn't have it in there. | :07:15. | :07:18. | |
It tells you all these other ports, but not port 25. | :07:19. | :07:21. | |
So you're having a quiet life for a few years to come receiving no | :07:22. | :07:25. | |
Hotmail instantly knows that you're sending it | :07:26. | :07:29. | |
It's what's called a dynamic address, because it changes. | :07:30. | :07:34. | |
Every time you turn your router on you get a new one. | :07:35. | :07:39. | |
It spots that and says, we don't accept e-mails | :07:40. | :07:41. | |
Because they just assume nobody's going to be running an e-mail server | :07:42. | :07:46. | |
So this box can't send an e-mail to Hotmail? | :07:47. | :07:50. | |
To any Hotmail address? No. | :07:51. | :07:52. | |
And if you try and send it to something like Gmail, | :07:53. | :07:57. | |
then what happens is, because of things like the way | :07:58. | :08:02. | |
Hotmail spots it, as you'll see there, | :08:03. | :08:04. | |
Spam House, which is one of biggest spam filters, | :08:05. | :08:10. | |
Now, to be fair, Nomx doesn't open port 25, | :08:11. | :08:17. | |
But as we've seen, without 25 open, it's going to be | :08:18. | :08:22. | |
difficult to hear from the rest of the world. | :08:23. | :08:25. | |
Well, bearing in mind it's got one job to do, | :08:26. | :08:27. | |
which is to be an e-mail server, that's a pretty poor show. | :08:28. | :08:31. | |
And there were more surprises to come when Alan opened the box. | :08:32. | :08:35. | |
One of the simplest machines to break into is a Raspberry Pi. | :08:36. | :08:39. | |
Everything is on this one little card. | :08:40. | :08:42. | |
It's on one of these tiny little cards. | :08:43. | :08:45. | |
So all of your e-mails, all of your software, | :08:46. | :08:47. | |
everything is running on one of these tiny little cards. | :08:48. | :08:50. | |
Now, actually, if somebody did have physical access to this | :08:51. | :08:53. | |
what they could do is they could whip that card out, | :08:54. | :08:56. | |
copy it, put the card back in, put it all back together | :08:57. | :08:59. | |
and you'd be none the wiser and they've got a copy | :09:00. | :09:02. | |
of everything, including your e-mail. | :09:03. | :09:03. | |
Because one of the things about this is it's not encrypted in any way | :09:04. | :09:07. | |
This is not using any encryption? For storage, none at all. | :09:08. | :09:11. | |
And what we did was, you said the simplest thing to do, | :09:12. | :09:14. | |
because it is a complete Raspberry Pi, the simplest thing | :09:15. | :09:17. | |
to do was actually plug it into a monitor and see what came up. | :09:18. | :09:21. | |
So this is an HDMI. HDMI cable. | :09:22. | :09:23. | |
The first concern would be if it is actually running | :09:24. | :09:26. | |
Raspberry Pi as an operating system, which it is, it immediately tells | :09:27. | :09:30. | |
Postfix is the mail transport agent, that's part of the mail server. | :09:31. | :09:40. | |
It was just all totally standard stuff. | :09:41. | :09:43. | |
So how old is the software on there at the moment? | :09:44. | :09:46. | |
Well, that's another thing that we found, | :09:47. | :09:48. | |
In that it's so old we couldn't actually get hold of some | :09:49. | :09:55. | |
It's running Raspberry Pi's own operating system. | :09:56. | :09:59. | |
It's a version called Wizi, which you can no longer download | :10:00. | :10:02. | |
They've taken it off because they don't want people | :10:03. | :10:06. | |
Likewise all this Postfix admin, there is another another piece | :10:07. | :10:10. | |
of software called Dovecot, all of which are free bits | :10:11. | :10:12. | |
of software, but some of it dates back to 2009. | :10:13. | :10:16. | |
It's inevitable that people will find bugs, | :10:17. | :10:19. | |
flaws, in any bit of software and what people do is they release | :10:20. | :10:22. | |
The problem with the way this is put together is there is no way | :10:23. | :10:28. | |
There is a whole series of things about the way this is put together | :10:29. | :10:33. | |
that make you think, absolute security is... | :10:34. | :10:35. | |
Now, it's important to say at this point, | :10:36. | :10:40. | |
there's nothing wrong with the hardware or the software | :10:41. | :10:42. | |
that you're talking about per se, Raspberry Pi is fine, | :10:43. | :10:45. | |
the software used, Postfix, Admin, is just a piece | :10:46. | :10:48. | |
Yeah, I mean, the Raspberry Pi is a great bit of hobbyist kit | :10:49. | :10:55. | |
as in the other programmes we have looked at, they do the job, | :10:56. | :10:59. | |
if you've got the latest versions of them. | :11:00. | :11:02. | |
They're still selling this box right now as a finished product? | :11:03. | :11:08. | |
It was being sold when you were testing it? | :11:09. | :11:11. | |
Absolutely, and as we're filming it is today. | :11:12. | :11:13. | |
OK, you've studied the box, what next? | :11:14. | :11:15. | |
Well, surprise, surprise, Scott thinks he can hack it. | :11:16. | :11:20. | |
I'm afraid because this is the short version of Click, we're going to | :11:21. | :11:26. | |
have to leave the story they're. If you want to know more details about | :11:27. | :11:30. | |
the hack and if you'd like to hear from Allen and Scott about what | :11:31. | :11:33. | |
happens after you hack a box like this you're going to have to watch | :11:34. | :11:37. | |
the full version, which is on iPlayer right now. Follow follow us | :11:38. | :11:45. | |
on Twitter too @BBCclick. Thanks for watching and we'll see you soon. | :11:46. | :11:46. |
