TalkMobile GPDR security weirdness

I needed a pair of talkMobile SIMs to fit new handsets, so used their recommended option of Web Chat.:

Why do people on the phone think they can use GDPR in the same bonkers way they used to use the DPA 1998? Probably because most of the people they talk to have never read it.

Info at 9:50, Jul 27: Thank you for choosing to chat with us. An agent will be with you shortly.

Info at 9:50, Jul 27: You are now chatting with AbdAllah.

AbdAllah at 9:50, Jul 27: Hello, you’re chatting with AbdAllah, one of Talkmobile’s Help Team. How may we assist you today?

Frank at 9:50, Jul 27: Need a new smaller SIM. Please send one. Thanks.

AbdAllah at 9:51, Jul 27: Sure, no worries.

AbdAllah at 9:51, Jul 27 We’ll check that for you straight away.

AbdAllah at 9:51, Jul 27: For the security of the account, could you please confirm the full name, first line of your address and post code along with your date of birth?

Frank at 9:52, Jul 27: Frank J Leonhardt, XXXXXXXXXXX, PINNER, Middx XXX XXX

Frank at 9:52, Jul 27: I never give anyone I don’t know my DOB for security reasons, so you don’t have it anyway.

AbdAllah at 9:53, Jul 27: We have it, of course, that’s why we asking as we want to make sure that we talk to the account holder.

AbdAllah at 9:54, Jul 27: All chats are 128-byte SSL (Secure Socket Layer) encrypted. This helps to protect the confidentiality of all information provided.

Frank at 9:55, Jul 27: No, you don’t have it. You might have a date but it won’t be my DOB. And this chat is TLS v3.0 encrypted. SSL has been defunct for a while now.

Frank at 9:55, Jul 27: Is it perchance the first of january 1970?

Frank at 9:55, Jul 27: The time zero on Unix?

AbdAllah at 9:57, Jul 27: I quite sure that this chat is completely secured and there’s nothing to worry about, It’s a major company and out IT and data protection team are up to date.

Frank at 9:57, Jul 27: Great!

Please generate and paste your ad code here. If left empty, the ad location will be highlighted on your blog pages with a reminder to enter your code. Mid-Post

Frank at 9:58, Jul 27: However, it’s very unlikely I would ever have told you my real DoB.

AbdAllah at 9:59, Jul 27: No problem.

Frank at 9:59, Jul 27: So is it 1/1/1970?

Frank at 9:59, Jul 27: Might be 1/6/66

Frank at 9:59, Jul 27: (the mark of the antichrist)

AbdAllah at 10:01, Jul 27: Actually, we have to pass the security questions first.

Frank at 10:02, Jul 27: So it’s none of the above?

Frank at 10:02, Jul 27: In which case it’s something random.

AbdAllah at 10:02, Jul 27: Excuse me, we need to be accurate, please?

Frank at 10:02, Jul 27: Try another question. How about payment details?

Frank at 10:03, Jul 27: I DO NOT KNOW what DoB you might have for me. It’s not my real one.

AbdAllah at 10:04, Jul 27: We can not go further before the security questions.

Frank at 10:05, Jul 27: How about I call the bank and cancel the DD?

AbdAllah at 10:06, Jul 27: Why?

Frank at 10:06, Jul 27: I need to prove I am who I say I am, right?

Frank at 10:06, Jul 27: Only I could cancel the DD.

AbdAllah at 10:06, Jul 27: It’s all about your data protection, Mr Frank.

Frank at 10:07, Jul 27: You mean GDPR?

AbdAllah at 10:07, Jul 27: Yes, exactly.
AbdAllah at 10:08, Jul 27:I do apologize but if you do not answer the question we can not go any further.
Frank at 10:10, Jul 27: So how do we get passed this point? Using DoB as ID is a very bad thing, as I’ve said may times.
At this point their representative hung  up so I called instead and spoke to someone reasonable, who sorted it out immediately using an alternative question. And someone who understood the implications herself! So I’m still happy with TalkMobile and I’ll probably be with them for another ten years.
But someone really needs to sort out their GPDR training, and point out that it’s no blanket excuse.

If I had a pound for every time someone asked me about BitCoin

IFrank Leonhardtt was no surprise when people started asking me about Bitcoin. Money is of great interest to a lot of people; mix it with technology and they want to talk about it.

The main question asked is “Should I buy some?”, closely followed by “Is it safe?”, and “Do you think it’s a bubble?”

To answer the last one first: “Of course it’s a bubble you idiot”. I don’t think there’s anyone who believes it isn’t, but greed conquers common sense. And investing in a bubble can be a rational strategy as long as you make sure you take your capital out before it bursts. You could say the same about any form of investment to some extent. The value of shares will rise and fall in the long term, and everyone knows you should spread the risk. Seeing the return for a punt on Bitcoin at the moment persuades some to abandon this golden rule and put all their funds at risk.

As to whether the technology is safe: No way! It’s as safe as the security of the computers it is stored on, and the integrity of those storing it. Good luck with that. Technically, blockchain technology itself looks very secure but that isn’t where the risk lies.

And now we get back to the main question: Should I buy some? Well I wouldn’t, simply because it’s immoral.

Yes folks, if you can see beyond the chance of a fast buck, Bitcoin is sleaze. There are a few fundamental truths about cash it might be worth reiterating.

Back at the dawn of history, humans realised they’d be better off if they traded. If you had a lot of grain but no apples, find someone with apples and no grain who wanted to do a swap. Cash emerged so you could defer a transaction; or enter in to multi-party deals more easily by extracting the value from the item and placing it in to something more convenient (small pieces of soft shiny metal).

A coin’s value depends on whether you can buy what you need with it at a later date. If you exchange your grain for a coin you have to be convinced that the apple dealer will exchange the coin for your apples. Coins are a matter of confidence; confidence that they can be exchanged for something useful later.

If coins were easy to make, people would just make coins and the apple dealer would end up with a load of inedible shiny metal fragments; so there must be a finite supply for cash to work if the cash has representative rather than commodity value. Prisoners have often used cigarettes as they also have commodity value in that you can smoke them. Leaves, on the other hand, are a poor choice of currency as they grow on trees.

With no commodity value, you might ask why Bitcoin works at all? There are effectively a finite number of valid bitcoins, so you can’t make your own. And people have confidence that they can be exchanged for the goods they need at a later date. Perhaps not as much confidence as they do with regulated currencies, but their big advantage is that they are outside the regulatory system, and like cash or cigarettes, are ideal for black market transactions.

The bottom line is that criminals accept Bitcoin for the purchase of drugs, weapons and extortion payments. Like the legitimate world using BACS/CHAPS/CHIPS (electronic Bank payments), organised crime in the 21st Century benefits from a black money clearing system: Bitcoin. Cryptocurrency has a value because it can be used for buying drugs in large quantities across international borders far more conveniently than using the old-school suitcase of dollar bills. No questions asked. If you want to buy narcotics, you need to buy Bitcoin to pay the dealers with.

Like any currency with a floating exchange rate, the value of a Bitcoin should fluctuate based on the supply and demand for the illegal goods and services it represents. If the demand goes up and supply remains the same, the value of Bitcoin would rise as purchasers out-bid each other to secure enough Bitcoin to pay their dealer. I strongly suspect that knee-jerk (or just jerk) investors are seeing a rise in cost, and not looking too deeply at the tangible commodities backing it. Or perhaps city speculators are not being greedy and stupid; perhaps they really do need Bitcoin to pay for their coke habits.

So, as to whether I think Bitcoin is a good investment, they only answer is: “Yes – it’s can be just as profitable other parts of the drugs trade if you can get it right.”

NHS not exactly target of “cyber-attack”

The Security and Intelligence Committee takes all this cyber-thingy stuff very seriously.

I got home, put on BBC News and there was some dope being interviewed about a “cyber-attack on the NHS”, blithering on about their M3 network and how secure it is. I turned over to Sky, and there was someone from Alienvault talking sense, but not detail. Followed by the chair of the Security and Intelligence Committee, Dominic Grieve, blustering on about how seriously the government took cyber-security but admitting he didn’t know anything about technology, in case it wasn’t obvious. I have never met anyone in parliament who does (see previous rants).

So what’s actually happening? It’s not an attack on the NHS. It’s a bunch of criminals taking advantage of a bug in Microsoft’s server software. Almost certainly MS17-010. An attack based on this exploit was used by NSA in America (Equation Group) until someone snaffled it and leaked it (allegedly Shadow Brokers). It’s been used in a family of ransomware called WannaCrypt, and it’s being used to extort money all over the place. I see no reason to believe the NHS has been targeted specifically. It’s targeting everyone vulnerable, all over the world. Poorer countries where they are running  more old software, or running bootleg version that don’t receive updates,  are worst hit.

So why is the news full of it being the NHS, and only the NHS? One reason is that Microsoft issued a patch for MS17-010 a good while back. And the NHS didn’t apply it. Why? Because they’re still using Windows XP and Microsoft didn’t issue the patch for Windows XP. Simple.

A lot (repeat A LOT) of companies use older Microsoft systems because (a) they’ve bought them, why should they pay again; and (b) Microsoft abandoned backward compatibility with Windows 7, so a lot of legacy software (dating back to the 1980’s) won’t run any more. Upgrading isn’t so simple.

There’s a lot of money (from Crapita Illogica (CGI), Atos and G4S – amongst others) in flogging dodgy Microsoft-based IT to government projects. Microsoft Servers are considered Job Security for people who can only understand how to use a wizard, but know it’ll break down regularly and they’ll be called upon to reinstall it.

No one who knows how computers work would ever use Microsoft servers except as a last resort.

Update 13-May-2017

Guess what? Microsoft has now released a patch for older versions of their server software (ie. Server 2003 and Windows XP). That was jolly quick; it’s like they had it already but didn’t release it to punish those who refused to “upgrade”.

Blue Whale Challenge

Blue Whale at the Marine Life Hall, American Museum of Natural History
This is a blue whale. Nothing to do with the latest chain letter hoax.
People seem to be getting really worked up about a so-called “Blue Whale Challenge” social media game. And understandably so – it’s a game where vulnerable children are targeted and given progressive challenge, culminating in something that will kill them.

I saw this first a couple of months ago, and each time it turns up the lurid details have been embellished further. It sounds too macabre to be true. And it’s not.

About a year ago someone in Russia published an on-line article hoping to explain the high number of teenage suicides in the country, and blaming it on the Internet. Apparently a statistically significant number of teenagers belonging to one particular on-line group had died; the on-line group must therefore be to blame.

Wrong! If you have an on-line group of depressed teenagers then you are going to have a higher proportion of suicides amongst them. The writers have confused cause and effect.

However, facts never got in the way of a good lurid story and this one seems to have bounced around Russia for most of 2016, where it morphed into an evil on-line challenge game. It then jumped the language gap to English in winter 2017.

The story spreads as a cautionary tale, with the suggestion that you should pass it on to everyone you know so they can check their kids for early signs they are being targeted (specifically, cutting a picture of a whale in to their arm). In other words, a classic email urban legend. It’s only a matter of time before the neighbourhood watch people add it to their newsletters.

Update:

The Daily Mail has reported this as fact, so I must be wrong and it must be true. Or perhaps I’m right and they have nothing to back their carefully worded account. Wouldn’t be the first time…

 

 

More Fraud on Amazon Marketplace

Fancy a roll of sellotape for £215.62? Amazon has this and 708,032 other products listed by a seller called linkedeu, who’s full range can be found here:
https://www.amazon.co.uk/s?merchant=AA722TCREQZHH.

This isn’t the first time sellers like this have appeared, and it won’t be the last. However, this time I’ve reported it to Amazon and I intend to time their response. How could they let some fraudster list nearly quarter of a million items without anyone checking?

The seller does have a business address in California, but I suspect this is fake too, and the name and address may well be a legitimate company.

 

ParentPay seriously broken (again)

400 Bad Request
ParentPay, the Microsoft-based school payment system that’s the bane of so many parents’ lives, has yet another problem. Since Saturday, every time I go to their web site I get a page back that displays as above. Eh? Where does this page come from – it’s not a browser message. A look at the source reveals what they’re up to:

<html>
<head><title>400 Request Header Or Cookie Too Large</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<center>Request Header Or Cookie Too Large</center>
<hr><center>nginx</center>
</body>
</html>
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->

 

Okay, but what the hell is wrong? This is using Chrome Version 56.0 on a Windows platform. Can ParentPay not cope with its standard request header? If a cookie is too large, the only culprit can be ParentPay itself for storing too much in its own cookie.

I’ve given them three days to fix it.

Unfortunately, parents of children at schools are forced to use this flaky web site and hand over their credit card details. How much confidence do I have in their technology? Take a guess!

Solution

So what to do about this? Well they have the URL https://parentpay.com, so I tried that too. It redirected to the original site, with a slightly different error message sent from the remote server – one that omitted mention of cookies. So it was definitely Chrome’s header? Upgrade Chrome for 56.0 to 57.0, just in case…. No dice.

A look at the cookies it stored was interesting. 67 cookies belonging to this site? I know Microsoft stuff is flabby, but this is ridiculous! Rather than trawling through them, I just decided to delete the lot.

That worked.

It appears ParentPay’s bonkers ASP code had stored more data in my browser than it was prepared to accept back. Stunning!

 

M A G Airports web site exploitable for mailbombing attacks

Last July I was surprised to receive an email of “special offers” from Manchester Airport. I’ve only ever been to Manchester once, and I drove. It was actually sent to a random email address; was the company just sending out random spam?

I checked, and visiting their web site produced a JavaScript pop-up asking you to enter your email address to receive special offers. I wondered if I’d accidentally confirmed acceptance to be added to the wrong mailing list, so I checked. No. Apparently this sign-up doesn’t bother to confirm that you actually own the email addressed entered; it just starts spamming whoever you ask it to.

It got worse. A look at the code showed it was easy for someone to make a load of calls to their site and add as many bogus addresses as they liked at the rate of several every second.

And it gets even worse – a quick look at the sites for other airports operated by MAG had identical pop-up sign-ups (Stansted, Bournemouth and East Midlands).

Naturally I called them to let them know what a bunch of silly arses they were. After being passed around from one numpty to another, I was promised a call back. “Okay, but I’ll go public if you don’t bother”.

Guess what? That was last July and they haven’t bothered. They did, however, remove the pop-up box eventually. They didn’t disable it, however. The code is still there on a domain owned by MAG Airports, and you can still use it to do multiple sign-ups with no verification.

So what are they doing wrong? Two things:

  1. Who in their right mind would allow unlimited sign-ups to a newsletter without verifying that the owner of the email address actually wanted it? Were they really born yesterday? Even one of the MD’s kids writing their web site wouldn’t have made such an elementary mistake.
  2. Their cyber-security incident reporting mechanisms need a lot of work. Companies that don’t have a quick way of hearing about security problems are obviously not doing themselves or the public any favours.

One assumes that MAG Airports doesn’t have any meaningful cybersecurity department; nor any half-way competent web developers. I’d be delighted to hear from them otherwise.

In the meantime, if you want to add all your enemies to their spamming list, here’s the URL format to do it:

Okay, perhaps not but if it’s not fixed by the next time I’m speaking at a conference, it’s going on the demo list.

 

It’s official – the Ruskies got Trump elected

This weekend the news has been full of the story that the CIA has accused Russia of swinging the US presidential election in favour of Donald Trump. Their evidence? Not much to speak of. Normally I’d be commenting on the technical merits of this kind of thing, but there are no technical details to back any of this up.

Apparently someone with “links to the Russian government” handed a bunch of pilfered emails to WikiLeaks that shed Hillary Clinton in a bad light. Let’s look at theses features in order.

  1. A lot of prominent people, companies and organisations have links to the Russian Government. They’re trying to imply Putin was behind it, but that’s hardly proof. In fact they’re rather coy about identifying the source of the leak anyway.
  2. WikiLeaks has a very good system in place to make it impossible to identify the source of any uploads. That’s the whole point. The identity of the uploader can only be conjecture.
  3. Hillary Clinton can come across as crooked without the help of the Russians. As can Trump, of course. Anyone could have obtained those emails and uploaded them. The most likely source is an insider; and it’s likely every foreign intelligence agency was reading them before long. And anyway, you could argue that someone has done the American people a great favour by exposing dodginess.

It’s worth remembering that largest number of cyber attacks originate from the USA, not Russia or China. Yet some people persist in blaming them any time something goes wrong. Doubtless they are behind some of it, but let’s get this in perspective.

It’s no secret that Putin and the Russian government are likely to prefer Trump to Clinton. Trump is telling it like it is on foreign policy, especially in the Middle East, whereas the American establishment is defending the indefensible corner they’ve painted themselves in to. Trump realises the Cold War is over, the CIA doesn’t. Whatever else you think about them, I’m sure both leaders recognise each other as being able to do business.

Trump dismissed the latest fluff pointing out that the information came from the same people as “Saddam Hussein’s Weapons of Mass Destruction”. He has a point.

 

National Lottery Accounts compromised

This morning Camalot released the news that they’d detected suspicious logins on 26,000 of its on-line punter accounts, of which 50 had been altered. As far as they know. They’re keen to stress that this doesn’t affect their core system (i.e. can’t be used to fiddle the payouts).

It’s entirely possible that they haven’t been breached at all – people could be re-using passwords taken in an earlier heist. What’s odd is that someone has accessed thousands of accounts but done nothing with them. Why? Kiddies, possibly.

If this is as Camalot is currently reporting, well done to them for spotting the suspicious logins and acting fast.

Enough with this “Trump Crashes Immigration Site” rubbish!

Ha Ha Ha! On Wednesday, Canada’s web site for prospective immigrants crashed due to the weight of American’s trying to escape from a USA run by Donald Trump. Really? Now other immigration sites such as New Zealand are reporting similar problems and certain some media outlets are lapping it up.

It’s a funny story, but I suspect that it’s too good for some people to check the facts.

There are two possibilities here:

  1. A load of American’s panicked suddenly.
  2. Some jokers decided a DDoS attack at this point to make it appear American’s were panicking would me funny

In the absence of any evidence to the contrary, I think option two is way more likely. People have been joking about the “move to Canada” option for months.