Scammers ask for money for Ukrainian Government

We have intercepted a large number of spam e-mails sent from various compromised systems, pretending to be from the Ukrainian government and asking for donations to fight off those nasty Russian-backed separatists. Having checked, there is a pretty good chance that the scammers are actually based in Russia. It’s unclear whether this is in fact the work of president Putin, but perhaps he is trying to collect extra cash before the sanctions come into effect.

We have yet to see any serious attempt at exploiting the situation in Gaza, which is something of a surprise. Most likely they’re not making it through the basic spam filters.

Malaysian flight MH17 “shot down” over Ukraine?

Updated 17th July at 2320

Since writing this, I’ve been watching the superior BBC journalism on Newsnight where they had the sense to interview someone from Jane’s. Apparently the separatists do have Buk missile launchers in the area, which is surprising. Did the Russian government really provide such a dangerous weapon? And apparently (I didn’t know this) a single launcher can operate in autonomous mode using on-truck forward-facing radar. Basically a goon with no overall tactical view – watching a blip on the radar can decide to shoot down the blip. There are rumours that the US tracked such a missile. This is scary, and derails the following conjecture. I’ve kept it for historical interest.


I’ve just been listening to the BBC reporting that “someone” in the Ukraine has shot down a Malaysian airliner flying overhead at 35,000′. Okay, it’s possible, and the fact it’s crashed is certainly a tragedy, but are any of these hacks aware that this is a long way up?

There are basically three kinds of Surface to Air Missiles. Before blaming the separatists, you have to realise that the hand-portable types (MANPADS) you’d associate with rebels aren’t really any good at shooting down much apart from attack helicopters or slow things close to the ground. Basically, don’t bother if it’s more than 10,000′ up. It’s possible that they have Igla Russian systems, but they couldn’t have used them.

There are portable systems that can hit targets that high – such as the Russian Buk. These are big beasts, built in to a truck. The separatists may have got tanks from somewhere, possibly with a nod and a wink from the Russian military – but are they really going to let a bunch of rebels have a Buk (SA-24)? It’s not something you’re going to miss like an old tank.

Could the Ukrainian government have done it? I don’t know whether the Ukrainian military has such a system; it probably does. But again, it’s not the kind of thing you’d fire off by mistake. Shooting at high-altitude jets isn’t going to be an accident, and why would they do it on purpose? Did they think it was a Russian military aircraft? I think not, but if they did, there are some complete idiots with dangerous weapons out there.

That leaves the Russian government – did they order it shot down? The same applies – why would they do that deliberately, and if it was an accident, it beggars belief.

The BBC is talking about missiles, but it could have been shot down “old school” with a fighter. Are the Ukrainians or Russians really going to shoot down a Malaysian airliner filling the windscreen of their MiG? That’d be crazy.

So I’m taking all this “shot down” news with a pinch of salt. Perhaps it suffered a failure and crashed; perhaps it was an on-board terrorist or bomb.

I think the BBC thinks the separatists (whom they don’t like) dunnit with a Stinger.

Air Conditioning at PMC of Pinner

Last spring I took my car to PMC of Pinner to have the air conditioning serviced. They drained and refilled it and then noticed that the compressor wasn’t going around because the clutch had worn out (believable). It didn’t really need re-gassing. They decided that they couldn’t fix it unless I paid £600 for a new compressor, but that I should pay £80 for the re-gassing anyway.

Is this what you expect from a garage that calls itself an “Air Conditioning Specialist”? Well, yes, probably. I objected and said that if I paid the bill for their incompetent part-service it would be on the basis that I’d also tell everyone I know what I thought of them. Anyone with half a brain would have checked the compressor was turning before trying to cure the lack of performance by re-gassing. PMC decided to insist on payment, giving me the green light to slag them off and see who’d listen.

Rather than actually slagging them off straight away, I took the car to a couple of real specialists (including the Volvo main agent), just to check my facts first, and by the time I’d confirmed the bad service I’d got better things to do than actively moan about them. Until now.

These idiots had the brass neck to send me a text message (without my permission) with a special offer on aircon servicing. I don’t think so, somehow!


Does freezing a broken hard disk help with data recovery?

The idea that freezing an unreadable hard disk could bring it back to life has been around for a long time. Ordinarily I’d say “No way, don’t do it”. If you’ve lost your hard disk the last thing you want to do is mess with it in any way. Take it to an expert; a real expert that is – not some shop on the high street with a sign up saying “Data recovery and virus removal”.

However, this story doesn’t go away. And there is a grain of truth in it. I remember some mid-1990s drives did benefit from the freezer treatment – it shrunk the platters slightly and realigned the bearings. Or that was the theory. Anyway, it sometimes worked. Back then. However, luser forums are full of stories where people have used this technique on modern drives and claimed success.

On my desk at the moment I have a 160GB SATA Maxtor, vintage 2002. And it wouldn’t read. This is partly because parts of the platter are now unreadable, and partly because the NTFS filing system is mangled. I know this kind of stuff. After a couple of days I reckon I’ve got all the blocks off it that it’s going to yield, by repeatedly retrying the bad sectors. Some read eventually, others don’t.

Now it’s an observable fact with dodgy platters on winchesters that they’ll sometimes, briefly, come good. It’s worth powering down the drive, letting it cool and trying again later. It’s even worth trying it at different angles. Having a few fans around it to keep it cool is a good idea anyway. Using these techniques I’ve recovered about 80% of the bad sectors, with about 2500 left that aren’t doing it. A good candidate for the freezer perhaps? Well, as a last resort – I’ve tried the drive at room temperature, working temperature (about 35C) – where’s the harm in trying it sub-zero?

I must emphasise here – this is a last resort – 99.999% of the data is off it and it’s stuck at that. There’s nothing to lose.

So, into an airtight box and into the freezer with it.

Did it work? No! In fact the whole drive ended up unreadable. I’d put that down to the condensation. If you want to knacker a drive without leaving marks, condensation on the platters is a good way to go.

Leaving it to get back to room temperature did result in it coming back to life, although I only got two more sectors back.

So why do all these people keep insisting it worked for them? Coincidence, I reckon. If they’d left the drive alone for 12 hours it might have started working anyway. They often do, even for a brief period. This drive had proved that some sectors were heat-sensitive; more could be read while it was still cool and the recovery rate dropped off when it was warm. If it didn’t help with this drive, I seriously doubt it would work on other candidates.

Getting Caller-ID with BT Inspiration or Pathway PABX

For years I’ve thought that caller-ID was broken on BT Inspiration switchboards (which are almost identical to BT Pathway, so this applies to both). More precisely, I assumed that BT’s Caller-ID signal was either not working on my POTS lines, or was not of a standard compatible with the Inspiration. It wouldn’t be the first one – note the nonsense with the default “Guarded Clear” mode, which isn’t actually implemented on any BT lines I’ve ever come across.

CLI on ISDN worked fine, incidentally. It was just an irritation that it didn’t on the POTS lines.

Well, it turns out that it does work just fine, except it’s called CDR, and for some reason, it’s not enabled by default! Technically, they’re right not to call it CLI, which, strictly speaking, is the standard used on ISDN. However, in the real world the term is applied to caller ID on analogue lines too. As a user of the telephone, why should you care about such technicalities? But you do, and you will have to enable it separately, as CDR, for any lines you want it to work on. In the menus go to System Programming/Lines/PSTN Programming/CDS Detection and turn it on. After which it just works.

In other places the terms Caller-ID and CLI are used interchangeably (for example, the CLI History doesn’t care whether it was ISDN/CLI or POTS/CDS). Don’t let common sense put you off.

Do also make sure that Caller-ID is enabled on the line – from BT dial *234#. Sometimes this is a “paid for” service, and has to be enabled. If you ask them nicely, because you’re being plagued by nuisance calls, they’ll enable it for free. I think it’s free if you renew your contract for 12 months too, but I have caught them starting off at no charge and then billing you for it later. Watch out.


No-IP back on-line

I’ve just had a note from No-IP that says that Microsoft has returned all twenty-three of the second-level domains it had seized by court order. It’ll obviously take a while for DNS to propagate. I’ve been testing this periodically, and it’s been a right mess with the Microsoft DNS failing to return anything in many cases.

I actually use No-IP for a couple of non-critical purposes, but I don’t use the hostname under their second-level domain directly. Given recent events, others may wish to follow the same idea. It comes down to customer routers on domestic ISP lines, and how you get to them easily if they’re on a dynamic IP address.

Basically, the trick is to map yourname.no-ip.net to yourname.yourdomain.com using a CNAME in the zone file. You can then program the router to register yourname.no-ip.net, but you refer to it as yourname.yourdomain.com. How does this help? Well, when the problem happens you only have to mess with your zone file to make the changes. If you can find out the changeable dynamic IP you can set it as an A record directly. If (as was the case here) you needed to choose a new second-level domain from No-IP’s remaining stock, all you need to do is change the zone file and the affected equipment. Anything else accessing it does so through yourname.yourdomain.com, and therefore can remain as-is.

It’s still a pain, and something for which Microsoft should probably pay (or their side of the story had better be spectacularly better than it has been thus far). But it’s somewhat less of a pain than if you’d programmed everything in your universe with the no-ip version.


Microsoft wipes out No-IP in botched cyber security move

Microsoft has accidentally taken down potentially millions of dynamic IP users while going after subdomains used by criminals taking advantage of the free No-IP service, run by Vitalwerks Internet Solutions in Nevada. Yesterday (US time) they used a court order to take control of domains belonging to No-IP, which their users map to their temporary dynamic addresses, and stopped them all from working. According to No-IP themselves, what Microsoft tried to do is redirect the domain names to their own servers and filter off the bad ones, but they failed spectacularly because Microsoft’s servers weren’t up to the job (as per usual) and collapsed under the weight of traffic.

No-IP are decidedly hacked off by Microsoft, pointing out that they have a good reputation when it comes to dealing with abuse and had Microsoft but contacted them about the sub-domains in question they’d have done something about it. Instead, secretly, Microsoft goes and gets a court order and acts without warning.

According to Richard Boscovich, Assistant General Counsel, Microsoft Digital Crimes Unit, “Despite numerous reports by the security community on No-IP domain abuse, the company has not taken sufficient steps to correct, remedy, prevent or control the abuse or help keep its domains safe from malicious activity”. He’s referring to Cisco here, as far as I know. The security community regularly reports on all anonymous free services, all of which are exploited by criminals. As yet, I’ve heard nothing from Microsoft to actually back his statement up. In another post, Microsoft’s Tom Rains, a marketing manager in their Trustworthy Computing division, explains that they were after Bladabindi and Jenxcus, both of which use No-IP provided subnets in the C&C. He doesn’t imply any wrongdoing by Vitalwerks, or justify the way Microsoft has treated them.

Quite why Microsoft has any claim to be the world’s cyber-police is hard to see, given that most criminals (based on our research) prefer Microsoft’s free, no-checks, outlook.com email service. Perhaps Microsoft should try getting its own house in order first?

I’m still waiting for any official comment back from Microsoft.


How to hack UNIX and Linux using wildcards

Leon Juranic from Croatian security research company Defensecode has written a rather good summary of some of the nasty tricks you can play on UNIX sysadmins by the careful choice of file names and the shell’s glob functionality.

The shell is the UNIX/Linux command line, and globbing is the shell’s wildcard argument expansion. Basically, when you type in a command with a wildcard character in the argument, the shell will expand it into any number of discrete arguments. For example, if you have a directory containing the files test, junk and foo, specifying cp * /somewhere-else will expand to cp test junk foo /somewhere-else when it’s run. Go and read a shell tutorial if this is new to you.

Anyway, I’d thought most people knew about this kind of thing but I was probably naïve. Leon Juranic’s straw poll suggests that only 20% of Linux administrators are savvy.

The next alarming thing he points out is as follows:
Another interesting attack vector similar to previously described 'chown'
attack is 'chmod'.
Chmod also has --reference option that can be abused to specify arbitrary permissions on files selected with asterisk wildcard.

Chmod manual page (man chmod):
--reference=RFILE
use RFILE's mode instead of MODE values


Oh, er! Imagine what would happen if you created a file named “--reference=myfile”. When the root user ran “chmod 700 *” it’d end up setting the access permissions on everything to match those of “myfile”. chown has the same option, allowing you to take ownership of all the files as well.

It’s funny, but I didn’t remember seeing those options to chmod and chown. So I checked. They don’t actually exist on any UNIX system I’m aware of (including FreeBSD). On closer examination it’s an enhancement of the Linux bash shell, where many a good idea turns out to be a new vulnerability. That said, I know of quite a few people using bash on UNIX.

This doesn’t detract from his main point – people should take care over the consequences of wildcard expansion. The fact that those cool Linux guys didn’t see this one coming proves it.

This kind of stuff is (as he acknowledges) nothing new. One of the UNIX administrators I work with insists on putting a file called “-i” in every directory to stop wild-card file deletes (-i as an argument to rm forces an “Are you sure?” prompt on every file). And then there’s the old chestnut of how to remove a file with a name beginning with a ‘-‘. You can easily create one with:
echo test >-example
Come back tomorrow and I’ll tell you how to get rid of it!

Update 2nd July:

Try this:
rm ./-example
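
As an added example (not part of the original post or of Juranic’s paper), the script below builds a throwaway directory containing a constructed file named --reference=myfile, lists which entries a bare * would hand to chmod as if they were options, and applies the portable fix: the ./ prefix used in the update above (the -- end-of-options marker works the same way). The directory, file names and modes are all constructed for the demo; the unsafe_chmod_all function is defined to show the vulnerable form but is not run.

```shell
#!/bin/sh
# Added example, not from the original post or Defensecode's paper.
# Constructs a temp directory holding a file called "--reference=myfile",
# shows which glob results look like options, and applies the "./*" fix.

# Create the demo directory (constructed sample files) and print its path.
setup_demo() {
    dir=$(mktemp -d)
    ( cd "$dir" || exit 1
      echo secret > myfile;      chmod 600 myfile
      echo report > report.txt;  chmod 644 report.txt
      # A file name that looks like a GNU chmod/chown option.
      touch -- '--reference=myfile' )
    echo "$dir"
}

# Audit check: list directory entries whose names begin with "-".
# Any of these would be parsed as an option by an unquoted "*".
find_option_like_names() {
    ( cd "$1" && for f in ./*; do
        case "${f#./}" in -*) printf '%s\n' "${f#./}" ;; esac
      done )
}

# Permission string of one file, e.g. "-rwx------" (portable via ls).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# VULNERABLE: bare "*" lets "--reference=myfile" become an option.
# With GNU coreutils "700" is then taken as a file name and the real
# files get myfile's mode (600) instead; BSD chmod rejects the option.
unsafe_chmod_all() {
    ( cd "$2" && chmod "$1" * )
}

# HARDENED: "./*" guarantees no argument starts with "-".
# ("chmod 700 -- *" also works on GNU and BSD; "--" ends option parsing.)
safe_chmod_all() {
    ( cd "$2" && chmod "$1" ./* )
}

d=$(setup_demo)
echo "Option-like names found in $d:"
find_option_like_names "$d"
safe_chmod_all 700 "$d"
echo "After safe_chmod_all 700: report.txt is $(mode_of "$d/report.txt")"
rm -rf -- "$d"
```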

Hotpoint FDW65A dishwasher recall

I should be happy with Hotpoint. They have identified a fault in one of the modules fitted to the FDW20, FDW60 and FDW65A dishwashers that could lead to them catching fire. They’ve also traced customers (such as myself), written to them and asked to replace the module, using a “qualified engineer”. Are they bothering to use qualified engineers rather than trained technicians for such a menial job? Well I’m for anyone employing qualified engineers (with an engineering degree; registered with the engineering council and so on). I do hope they’re not telling porky pies about their educational status. I’ll let you know when he/she turns up!

For I have been waiting at home since 8am for said engineer to arrive. Apparently, if you have a “mobile”, they’ll TXT U A MRE PRCSE TM. If you don’t, or you’re in a zero coverage area so can’t receive SMS, you’re reliant on them to call you with a time. And I’ve been waiting by the ‘phone for just such a call. Or email, as arranged last week with customer services.

You can, however, call the premium rate telephone number that is given on the original letter and repeated prominently on subsequent emails. I think not. Anyone pulling this stunt in complete contempt of their supposedly valued customers doesn’t deserve any. They don’t even give a “premium rate” warning when quoting it, so I’m writing to Ofcom after I’ve posted this.

If you have one of these machines, sold in the UK with a serial number greater than 60600xxxxxxx, you can email them on fdw@hotpoint.co.uk. Hotpoint is actually a “brand” owned by Indesit, and you can call them at normal rates on 01733 287691 and try to get to the right department. If and when this engineer turns up I’ll update with the actual nature of the fault (for any other qualified engineers out there who may be curious!)


Update:

Well the guy turned up and he was very nice, helpful and I can’t complain at all about him – in fact I’d have him back! He discovered about the cellphone blackspot when trying to get his laptop to connect back to base though. It turns out that the “problem” is with discrete spade connectors to the control board. Apparently this has been known to cause problems, presumably when they’re strained. So, new control board with caged contacts. I pointed out that this was a tenuous design flaw at best, but it turns out that BBC Watchdog has featured it. It sounds like more shoddy journalism blowing it out of proportion again.


Smart TVs attacked over the airwaves

A group of researchers from Columbia University have published the results of some experiments with mixed mode digital TV broadcasts here.

The problem is that the new but widely implemented HbbTV standard allows HTML to be embedded in with the picture data. What could possibly go wrong?

Well apart from the fact you only need an encoder and transmitter to mess up all the sets in range by sending them HTML spam, the Columbians reckon that with the right HTML you can turn people’s tellies into a botnet and attack targets through their internet connection. I’m not yet convinced this will work in practice, but building a web browser in to anything has always been risky when it implements more than plain HTML. It’s always been possible to broadcast alternative TV and radio signals over the top of legitimate channels, but generally, it doesn’t happen in practice.