Lincolnshire Council in £1M ransomware plot

Coat_of_arms_of_Lincolnshire_County_CouncilReports are that Lincolnshire Council has been shut down for four days because it’s been targeted by ransomware that has encrypted all its files. That they’ve been a victim of such a scam doesn’t surprise me – it’s all too common. What’s moving my eyebrows skyward is the fact that the criminals are asking for £1M to restore their data.

I’ve seen a lot of this before, and the criminals generally ask for a sum that it’s easier to pay than mess around trying to repair the damage. In other words, £500 is normal but £1M is not. For this to be credible, someone would have had to target them specifically, and come up with a plot to damage a lot of data in one go. This is possible if one PC has R/W access to a lot of files on a server, but for the criminals to expect to do this value of damage the council would have to be pretty incompetent and the criminals would have had to know this for certain. (What am I saying?)

From the BBC report there are a couple of interesting lines:

“The authority said it was working with its computer security provider to apply a fix to its systems.”

Hmm. So who is their computer security provider? If they have one that’s any good, the network would have been set up to avoid such wholesale damage. Serco took over the Council’s IT operations in April 2015. in a £70M+ deal. Whether the outsource company has outsourced the “security provision” is a little harder to know.

Further down the BBC article it says:

“Chief information officer Judith Hetherington-Smith said only a small number of files were affected.”

If that was true, restore them from a backup or take the hit – how can a small number of files be worth £1M?

Locking down the network after such an attack is a good idea, and this would disrupt office services for certain. But something just doesn’t add up here. It’s possible that the £1M ransom demand has been made up, to cover their embarrassment. Or it could just be sloppy journalism by the BBC – no facts checked and a story about some ransomware being blown out of all proportions. Serious news media haven’t had much to say on the subject. The Register has covered it, but has not repeated the £1M ransom claim.

Grant Shapps – need for speed?

Used with permission from http://www.communities.gov.uk/corporate/help/conditions/
Rt Hon Grant Shapps MP

People (e.g. the Guardian) are clearly out to get Grant Shapps MP, and given their bias you can see why. But he’s not helping with the publication of his recent report, which he and British Infrastructure Group of MPs have wittly titled “Broadbad” (PDF format).

It’s calling for Openreach to be made independent of the remainder of BT, in order for the public to get the “super-fast” broadband we need if we’re not to revert to the stone-age. They claim that BT has wasted 1.7Bn on rolling out this technological artery to rural areas, yet 5.7M household’s don’t have the “minimum required” speed of 10Mb.

I say wrong, wrong and wrong.

First off, Openreach hasn’t received 1.7Bn for the rural broadband project. It’s only received about a third of that, and it’s a project in progress.

Secondly, I’d dispute that 5.7M households have yet to be connected. This is based on an old Ofcom report using figures available before the project got under way.

Thirdly, the case for 10Mb+ Internet connections to homes  h as not been met. It’s justified because the UK will “lag behind” countries like Japan and South Korea. So what?

The UK lags behind the USA in gun crime; should we therefore relax restrictions on firearms ownership? “Lagging behind” per se does not matter a jot. Their justification as to why we need higher speeds amounts to “Ofcom have shown that as consumers get better download speeds, they consume more data”. No sh*t, Sherlock!

So what is this data people are consuming? Basically Netflix. Only video has the “need” for high throughput Internet connection, and although this might help the bottom line of OTT media providers, it’s hard to see any other economic benefits to anyone.

Please generate and paste your ad code here. If left empty, the ad location will be highlighted on your blog pages with a reminder to enter your code. Mid-Post

According to the report, Spain also has faster connections than our unlucky punters; so if they’re trying to correlate domestic broadband speeds with economic virility, they’ve shot their fox.

As I’ve said before, the whole concept is insane. Streaming video requires about 2Mbps. How many streams does a household need?

Most other high-usage domestic customers are, basically, pirating media. They need fast upload speeds for that, which aren’t really mentioned in the report. Why should the public purse be subsidising either OTT operators or pirates?

A few weeks ago I tackled someone from the Home Office about this crazy idea, and the reasoning behind it was more cynical than I thought. It’s only one civil servant’s opinion, but my contact has a pretty good idea about how government really works.

Consider all the infrastructure projects we could be working on; things that would benefit the country. There’s road and rail networks (HS2 is a drop in the ocean), the national grid, water supply and sewers. How about a sustainable transport network, as it’s a certainty we’re going to need one. All these cost serious money, with the exchequer hasn’t got. But the government has to be seen to be investing in infrastructure. The cheap option is to roll out mad-speed Internet. They can claim it’s needed for business; voters have no idea what a megabit of data can actually be used for. And the public want it. They don’t need it, but that’s not the point. They want it.

If you tell Mondeo Man his broadband is lagging behind the Spaniards, he’ll want something done about it. (If you tell him to wire up the house properly instead of using WiFi, it’d be in one ear and out the other.)

So, by making a fuss about broadband speeds and then demanding action from BT, and throwing relatively little money about, the government can look like it’s dealing decisively with a pressing issue.

As for Mr Shapps, he claims to have been in the Internet business before becoming an MP. He should know better, but it turns out he had a web development company so probably doesn’t know the difference between a kilobit and a megabit either. If only he’d asked.

How people get around the Netflix and iPlayer proxy block

The FSF thinks Netflix is wrong to protect artist’s right using DRM

Earlier this month at CES, Netflix’s chief product officer Neil Hunt stated that his company’s policy on subscribers accessing content over a VPN remained unchanged. That’s to say that they ask customers not to do it, as it can bust licensing restrictions on content. Neflix is probably the largest provider of streamed TV programmes around the world, now operating in a claimed 190 countries.

I’m not a fan of Netflix – they’re big campaigners for “Net Neutrality”, meaning that all content must be treated the same and ISPs can’t charge more or slow down particular traffic. As their content is not for the public good, and yet accounts for about  40% of the world’s public Internet traffic, they would say that, wouldn’t they? As media organisations such as the BBC (iPlayer) are in the OTT game, the fact that this is a business model where the bulk of the costs are paid for by all Internet users whereas the profits go to the streaming service is not generally mentioned in the popular press. In other words, they profit from the ISP’s investment without contributing anything back. Amazon Prime is another good example.

Anyway, the content that Netflix streams is licensed from content producers, who have good reasons for licensing it on a geographic basis. A TV programme broadcast in one country becomes harder to sell to networks abroad if it’s already available via streaming, and upsetting the status quo won’t be good for content producers. This will leading to less investment in good programming. Netflix is “campaigning” to change this, as though the public, including its customers, have some kind of rights that are being denied. It would, of course, help Netflix’s commercial interests if regional licensing didn’t exist – at least short-term.

That aside, I was amused to see that Neflix’s latest pronouncement, in a company blog post by David Fullagar (VP of Content Delivery Architecture) a week after the CES announcement, that it would now be clamping down on its customers use of proxies or VPNs to smuggle streamed data across boarders. One might surmise that the content providers, many of whom are also local broadcasters, didn’t appreciate Neil Hunt’s complacent sounding comments. The status quo he was defending was basically an weakly enforced contractual prohibition on its customers streaming through a proxy. A actual enforced ban would result in a loss of revenue to Netflix, or if you’re less cynical, would go against the company’s stated aim of “all content free to all (subscribers)”.

But in spite of the soothing words to calm the outrage of its content suppliers, what can Netflix actually do about this? How do you block your customers using a VPN?

It seems to me that it’s impossible to tell whether you’re sending UDP packets to an IP address that’s actually a VPN. It can’t be done. There can be any number of endpoints behind one IP address (an asymmetric NAT LAN), and any number of VPN connections to who-knows-where. And they’ll all appear as one IP address, and the traffic will be indistinguishable.

So how do streaming companies block VPNs now? By having a list IP addresses used by published ones, and that generally means commercial ones. Okay, that might work for the public/commercial VPNs. I shan’t be shedding too many tears if they’re blocked, because they’re making money out of license-busting, which is wrong.

But consider this. Supposing you pay the BBC for a TV license but live abroad for part of the year. You have a moral right to view the content you’ve paid for, and could do so using iPlayer. The only problem is that iPlayer may detect you’re outside the UK by your IP address, and stop you. The solution? Put a proxy server on the network in your house in the UK and connect to it when you’re abroad. I have evidence that this happens a lot.

This can also be done immorally. People in one country with relatives living abroad can set up such a proxy for their friends and relatives to use, and Netflix will be none the wiser. Even if Netflix did suspect an IP address of having too much traffic, what could they possibly do about it? Contact the owner and investigate? How would they even find the owner?

Many ISPs use dynamic addresses in order to charge more for a static one to business customers, with the effect that you don’t know who’s using what IP address today. If you do find a suspected VPN, tomorrow it’s IP address will have changed to one of millions, all used by normal domestic customers.

Finding the many small, private VPNs is going to be impossible. One method might be to probe an IP address to see if a VPN port was open. This is no proof that it’s in use, and no proof that it’s not used for one of the many purposes that a VPN was designed for. And even if they were to try it, it’s simple to restrict access to the VPN ports to your friends abroad. And besides, probing an IP address for an open port without permission is illegal.

The only other method I can think of that would work is to examine the traffic to/from an IP address and see if there’s a correlation between outgoing packets and incoming data from one of Netflix’s servers. But Netflix can’t do that; only an ISP has the technical ability to examine traffic on a particular subscriber’s line. And those are the ISPs that Netflix is abusing by loading them with 40% of their traffic without contributing to the cost. Good luck with that.

 

iZettle contactless payments on American Express (Amex)

Since I reviewed iZettle’s new contactless card reader there have been a few updates to the App, and after the initial teething problems I’m happy to report that it’s been working flawlessly hereabouts.

iZettle Bluetooth Card Reader
iZettle Bluetooth Card Reader

The latest update is to support contactless payments on American Express. This came as a bit of a surprise, as I assumed it already did! It just goes to show how important Amex is…

You need to do a firmware update. You get this by connecting to your tablet/phone and running the iZettle App. Then go to Settings/Card Readers and select Update. I’ll let someone else try it first, as I can live without the functionality for a while longer.

This does not, of course, work on the freebie iZettle reader – only the Bluetooth one that you pay money for. Don’t be cheap – it’s good!

This update means support for contactless covers Visa, MasterCard, Applepay and Amex. I have to say that I’ve yet to find a card in the UK it couldn’t use, one way or another.

ParentPay won’t support “insecure” browsers

This week that ParentPay, the Microsoftie payment system used by many schools, rolled out a web site update to support an even more limited range of browsers. This included dropping support Internet Explorer before 9 for “security reasons”.

By coincidence, in the same week Microsoft trumped their loyal fanobois at ParentPay by announcing that everything prior to version 10 was hereby deemed unsafe. ParentPay has yet to comment.

However, the notion that any version of Internet Explorer is “safe” is stretching the truth badly. All the mainstream browsers are dodgy; they all support unsafe scripting and embedded code. Microsoft may have the worst reputation, but they’re all undermined by their code and add-ons – and host operating system, to be fair. Only a few niche browsers, that don’t support things like JavaScript and ActiveX, can be considered safe; and those are the ones that ParentPay refuses to support because they don’t allow “rich content”. (And their developers are Microsoft fans). It’s definitely a case of form over security, yet again.

As an illustration of just how feeble their new browser support policy is, here’s a list  of those they’ll accept, taken from their web site:

  • Chrome 35 or higher
  • Firefox 30 or higher
  • Internet Explorer 9 or higher
  • Safari 6 or higher.

The the the the That’s All Folks!

Schools should be seriously considering their relationship with ParentPay, given the cost and inconvenience they’re forcing parents to go through in order to use it. Analysis of the traffic across my servers suggest that IE has around a third of the browser market. Of these, more than half are using IE 9 or earlier.

ParentPay’s assertion that this will only affect a “..small proportion of parents” may be literally true, but it’s disingenuous. Let’s do some simple arithmetic. Say there are 1500 parents in a secondary school. A third of these use IE – that’s 500. Half of these use an old IE (on an old PC) – that’s 250/1500 parents at each school who’ll be grossly inconvenienced. Cancel the fraction out and it’s 1/6, which could be described as a small proportion, but it’s still 250 per school.

The number of people who would be using”unsupported” browsers on tablets or mobile devices is probably very high. Anecdotally, parents have access to a PC somewhere that they currently have to go to in order to use ParentPay. Many would rather use a tablet.

It’s about time someone set up an alternative to ParentPay and schools were educated in to the benefits of open standards.

How to stop Microsoft Windows 10 upgrade

Famously, Microsoft announced that the “upgrade” to Windows 10 would be free of charge. How nice of them. Given that historically Microsoft has made a lot of money selling consumer upgrades, this is a little puzzling until you realise what happened to Windows 8 in the commercial IT world. Basically, it’s as popular as a rattlesnake in a bran tub. Commercial users are still demanding, and getting, Windows 7 whilst home lusers have had no choice – having only Windows 8 pre-installed.

Since then, Windows some users have been “encouraged” to “upgrade” to Windows 10 by having a pop-up nag screen turn up on top of their work at regular intervals. This is produced by an update called GWX (“Get Windows Ten” in Roman numerals). An update you don’t seem able to un-install. Nice!

However, Microsoft has bottled out of doing this on Enterprise versions of Windows. They’re not that crazy. Imagine what would happen if every corporate customer got “upgraded” to a version of Windows that didn’t support their bespoke CMS, all at once. Every IT support person in the world would be heading for Seattle with a pitch-fork and flaming touch. ARM and embedded Windows won’t auto-upgrade either; nor (I believe) will machines connected to a domain controller – indicative of being used in a business.

As usual, it’s the voiceless SMEs using Windows 7 Pro that left paying the price for choosing Microsoft, and I’ve heard of plenty of people falling for the nag screen and getting in to trouble.

In repose to customers’ requests, demands and threats of physical violence, Microsoft has told the world how to disable the activities of GWX, in a KB article found here. Basically you have to add the following registry keys and it should stop. To disable OS upgrading add:

Subkey: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DWORD value: DisableOSUpgrade = 1

And to stop the nag screen add:

Subkey: HKLM\Software\Policies\Microsoft\Windows\Gwx
DWORD value: DisableGwx = 1

The free “upgrade” offer only extends until July this year, so it will be interesting to see what happens then. In spite of Microsoft’s threats to drop it, Windows 7 is still being used in new installations, and from where I’m sitting, it’s the default option.

Microsoft Security Essentials hangs during a full scan

First off, can I be clear about one thing – endpoint virus scanners don’t make your computer “secure”. A lot of the most dangerous stuff gets past them, but trusting lusers believe they’re safe and will therefore take risks they outerwise wouldn’t. See my posts and academic papers passim ad nauseam. Now that’s out of the way, I favour Microsoft Security Essentials (or Microsoft Endpoint Security) on Windows as I find it less likely to make the system unusable. I don’t recommend it, except as the least-worst option.

On with the problem…

Sometimes, especially in the last year or so, I’ve found Security Essentials will stall when its doing a background scan. You may not notice its done this, but some symptoms are that web browser file downloads won’t work (it’ll download 100% but never finish) and the PC won’t hibernate automatically using the power-saving settings.

I’ve looked for solutions to this, as well as searching the web for an answer. You’ll often see people posting (without references) that this is bug and Microsoft are working on, or have now fixed it. I’ve tried theories myself to see if it’s caused by compression or archive formats causing a decompresser to break (I’ve noticed this often fits the facts), but this is little help when finding a solution, and even then it sometimes still hangs when the option to check compressed files is turned off.

What I’ve yet to find is anyone giving a real solution, so here it is:

  1. Deinstall Security Essentials.
  2. Download and install Security Essentials.

I’ve never known this not to work. On the other hand, I’ve known all the other theories you see posted on forums fail to work pretty consistently.