
tv   Click  BBC News  April 29, 2017 3:30am-3:46am BST

3:30 am
this is bbc world news, the headlines. north korea has launched another ballistic missile from a region north of its capital, pyongyang. but a us government source has told the reuters news agency the test failed and the us might speed up sanctions. it came hours after the us secretary of state called for a tougher international approach towards the north korean regime. rex tillerson warned of potentially catastrophic consequences if the world failed to deal with the country's nuclear programme. there've been violent scenes across brazil after the country's first general strike for 20 years. millions were protesting over proposed pension reforms, forcing schools and banks to close and paralysing public transport. a british surgeon has been warned to expect a jail sentence after being convicted of carrying out a series of unnecessary operations. ian paterson was found guilty of 20 counts of wounding with intent and unlawful wounding. in around ten minutes' time, newswatch with samira ahmed. but first on bbc news, click.
3:31 am
over the last few years, billions of e-mail accounts have been hacked. has yours? last year, yahoo announced that over 1.5 billion e-mail accounts were compromised between 2013 and 2014, the largest breach in history. then it emerged that russian hackers had gained access to 60,000 e-mails from hillary clinton's presidential campaign. some believe the resulting leaks helped swing the election for trump. and what it certainly did reveal
3:32 am
is something most of us already knew. we send, each of us, all the time, hugely personal information around the internet. information that we'd like to keep private, but others are all too often able to see. so how about something that guarantees to protect all of those e-mails? sounds like something you wanna have, doesn't it? well, this is nomx, a box which promises to secure your e-mails 100%. it was at ces that we came across this device as it was introduced to the world and it caught our eye. i met the boss, will donaldson, who has impressive security credentials himself. he's worked in computer security and built web applications for the pentagon, the marine corps and he was chief technology officer for the f35 joint strike fighter communications facility. so what does he think is wrong
3:33 am
with bog standard e-mail? well, the nomx promotional videos explain the problem. when you send an e-mail, copies of the message end up on several internet servers along the way. will says all of the recent big e-mail hacks have involved one of these servers being compromised and what's more through a known vulnerability. so those vulnerabilities, we've identified six core ones that encompass 100% of hacks that have occurred to date. will's solution is a $199 box that acts as your own personal e-mail server. it'll talk to other e-mail services, but where it comes into its own is when it connects directly to another nomx box at the other end, the pair of them replacing the cloud servers that your message would usually flow through. that means no copies are stored anywhere but on your box and the recipient's. the idea has caught the imagination
3:34 am
of some in the security industry, who've called it a "personal cloud on steroids" and will himself has become a bit of a star, being interviewed on us national television and elsewhere in the media as a security guru. so what you're pitching here is that you can make a black box, that black box there, that is more secure than a multibillion dollar company's servers? absolutely. it's been proved they're vulnerable, my question to you is, you're not a multibillion dollar company. not yet. why should i believe that your security is any better than theirs and why should i believe that there are no vulnerabilities that you have accidentally left in your box? what we've done is identify the categories of those vulnerabilities and all of the hacks that have occurred have been in those traces vulnerabilities. by removing them from the equation, we've now negated them on our protocol.
3:35 am
so the theory sounds a good one, avoid making multiple copies of your messages across potentially vulnerable servers on the internet. you just have to rely on the nomx boxes themselves not being open to hacking. well... you all know this man, dan simmons, one of click's most experienced reporters and famously, if someone says something is unbreakable, you try and break it? yeah! well look, often on this programme we look at new things and we are as excited as anybody else to see them, but sometimes, just sometimes, something seems a little bit too good to be true and absolute security, i've never heard anyone in the cyber security industry promise that, but that's exactly what this company are doing. so to prove a point, you're going to try and hack this box? yes. i think i've found somebody who may be able to do it. ok! scott helme is one of the uk's most respected professional white hat hackers, or penetration testers. he's helped discover some big
3:36 am
security flaws in the past, including hacking home routers and electric cars. scott's had the nomx box in his hands for just a few minutes and he's already suspicious. hey, scott. how's it going? how'd you get on? good, yeah. i've had a look over this device and i was quite surprised when you first gave it me. so when i flipped it over, we saw what we call the mac address here, which is the device's unique identifier and these first three segments identify the manufacturer, that tells you who builds the device. so i went away and i looked these up and they're actually registered to the raspberry pi foundation that make the raspberry pi computer. that's the hobbyists' computer we've seen on click. the credit-sized device. but nomx is the manufacturer, right? yeah. so what i did, i went ahead and opened this up and what we found inside... if i can just open these parts here. is there is in fact a raspberry pi inside this, which is white felt, all white.
3:37 am
wow. there's nothing else they've done with this that we can see inside. that is just a standard £35 raspberry pi. correct. but what does that say to you when as a security guy when you look inside? i guess, there are further things to be found here that may surprise us. i've also asked professor alan woodward, a well-known cyber security expert, who's advised the uk government and europol to take a look at the nomx box to see how it works. so, how have you got on? well, already through the set-up process, there's a few things for a product that bills itself as being absolutely secure, there's a few things that we found that give rise for concern. and we certainly want to look a bit further into it. just plugging it in has sent alarm bells ringing for alan. the set-up of the device is through a web application that wasn't particularly helpful. it doesn't ask alan to open up port 25. now, that's a key port on his router he will need to communicate with popular
3:38 am
e-mail servers like gmail or microsoft accounts. it's never going to receive e-mail from an external service. unless you change your router? unless you know to go to your router and change port 25. and does it tell you that? no, it doesn't, the documentation doesn't have it in there. it tells you all these other ports, but not port 25. so you're having a quiet life for a few years to come receiving no e-mails at all. but it gets better. hotmail instantly knows that you're sending it from a domestic ip address. it's what's called a dynamic address, because it changes. it's not yours for life. every time you turn your router on you get a new one. it spots that and says, we don't accept e-mails from dynamic addresses. because they just assume nobody's going to be running an e-mail server on a domestic system like this. so this box can't send an e-mail to hotmail? to any hotmail address? no. and if you try and send it to something like gmail, then what happens is, because of things like the way hotmail spots it,
3:39 am
as you'll see there, we are actually blacklisted already. spamhaus, which is one of the biggest spam filters, says this is a spam box. it's blacklisted us. now, to be fair, nomx doesn't open port 25, it uses port 26. but as we've seen, without 25 open, it's going to be difficult to hear from the rest of the world. well, bearing in mind it's got one job to do, which is to be an e-mail server, that's a pretty poor show. and there were more surprises to come when alan opened the box. one of the simplest machines to break into is a raspberry pi. everything is on this one little card. it's on one of these tiny little cards. so all of your e-mails, all of your software, everything is running on one of these tiny little cards. now, actually, if somebody did have physical access to this what they could do is they could whip that card out, copy it, put the card back in, put it all back together and you'd be none the wiser and they've got a copy
3:40 am
of everything, including your e-mail. because one of the things about this is it's not encrypted in any way on the card. this is not using any encryption? for storage, none at all. and what we did was, you said the simplest thing to do, because it is a complete raspberry pi, the simplest thing to do was actually plug it into a monitor and see what came up. so this is an hdmi. hdmi cable. here we go. the first concern would be if it is actually running raspberry pi as an operating system, which it is, it immediately tells you it is. postfix is the mail transport agent, that's part of the mail server. it was just all totally standard stuff. so how old is the software on there at the moment? well, that's another thing that we found, which was really... i would say alarming. in that it's so old we couldn't actually get hold of some of the software. it's running raspberry pi's own operating system. it's a version called wheezy, which you can no longer download
3:41 am
from the raspberry pi website. they've taken it off because they don't want people downloading it, it's that old. likewise all this postfix admin, there is another piece of software called dovecot, all of which are free bits of software, but some of it dates back to 2009. it's inevitable that people will find bugs, flaws, in any bit of software and what people do is they release a later version with the bug fix. the problem with the way this is put together is there is no way of doing that. there is a whole series of things about the way this is put together that make you think, absolute security is... a stretch. now, it's important to say at this point, there's nothing wrong with the hardware or the software that you're talking about per se, raspberry pi is fine, the software used, postfix admin, is just a piece of off-the-shelf software. yeah, i mean, the raspberry pi is a great bit of hobbyist kit and postfix, as in the other programmes we have looked at, they do the job, if you've got the latest versions of them.
3:42 am
but this box doesn't run those. by a mile it doesn't run those. they're still selling this box right now as a finished product? it was being sold when you were testing it? absolutely, and as we're filming it is today. ok, you've studied the box, what next? well, surprise, surprise, scott thinks he can hack it. i'm afraid because this is the short version of click, we're going to have to leave the story there. if you want to know more details about the hack and if you'd like to hear from alan and scott about what happens after you hack a box like this you're going to have to watch the full version, which is on iplayer right now. follow us on twitter too @bbcclick. thanks for watching and we'll see you soon. hello and welcome to newswatch with me, samira ahmed. viewers say they want policy information, not personal insults. but has the bbc's general election coverage already got mired in mudslinging — mostly against jeremy corbyn? and criticisms too about how both french presidential candidates have been described on air. although the general election
3:43 am
campaign still hasn't officially started, there was no doubt this week about where the focus of politicians and broadcasters lay. all the party leaders were out on the stump and facing questions on a wide variety of subjects. after some pressure on the issue, tim farron of the liberal democrats told the bbc's eleanor garnier that he did not believe gay sex was a sin. i was asked the question early on and i didn't want to get into a series of questions, unpicking the theology of the bible. isn't it just that it's your christian belief and you didn't want to admit it? no, that's not the case. what i want is to make sure that we deal with something that's become an issue. so this is blatant electioneering? it's a sense of understanding that the question was asked to me a week ago, i don't think people want political party leaders telling them what is and isn't sin. some viewers thought that line of questioning was excessive or inappropriate. maureen lancaster wrote... and here's kevin steele.
3:44 am
-- steel. and grace dalton put it like this, when she rang us this week. i think it was very, very wrong that the bbc really was interrogating him and trying to pressurise him into
3:45 am