NHS not exactly target of “cyber-attack”

The Security and Intelligence Committee takes all this cyber-thingy stuff very seriously.

I got home, put on BBC News and there was some dope being interviewed about a “cyber-attack on the NHS”, blithering on about their M3 network and how secure it is. I turned over to Sky, and there was someone from Alienvault talking sense, but not detail. Followed by the chair of the Security and Intelligence Committee, Dominic Grieve, blustering on about how seriously the government took cyber-security but admitting he didn’t know anything about technology, in case it wasn’t obvious. I have never met anyone in parliament who does (see previous rants).

So what’s actually happening? It’s not an attack on the NHS. It’s a bunch of criminals taking advantage of a bug in Microsoft’s server software. Almost certainly MS17-010. An attack based on this exploit was used by NSA in America (Equation Group) until someone snaffled it and leaked it (allegedly Shadow Brokers). It’s been used in a family of ransomware called WannaCrypt, and it’s being used to extort money all over the place. I see no reason to believe the NHS has been targeted specifically. It’s targeting everyone vulnerable, all over the world. Poorer countries where they are running  more old software, or running bootleg version that don’t receive updates,  are worst hit.

So why is the news full of it being the NHS, and only the NHS? One reason is that Microsoft issued a patch for MS17-010 a good while back. And the NHS didn’t apply it. Why? Because they’re still using Windows XP and Microsoft didn’t issue the patch for Windows XP. Simple.

A lot (repeat A LOT) of companies use older Microsoft systems because (a) they’ve bought them, why should they pay again; and (b) Microsoft abandoned backward compatibility with Windows 7, so a lot of legacy software (dating back to the 1980’s) won’t run any more. Upgrading isn’t so simple.

There’s a lot of money (from Crapita Illogica (CGI), Atos and G4S – amongst others) in flogging dodgy Microsoft-based IT to government projects. Microsoft Servers are considered Job Security for people who can only understand how to use a wizard, but know it’ll break down regularly and they’ll be called upon to reinstall it.

No one who knows how computers work would ever use Microsoft servers except as a last resort.

Update 13-May-2017

Guess what? Microsoft has now released a patch for older versions of their server software (ie. Server 2003 and Windows XP). That was jolly quick; it’s like they had it already but didn’t release it to punish those who refused to “upgrade”.

Blue Whale Challenge

Blue Whale at the Marine Life Hall, American Museum of Natural History
This is a blue whale. Nothing to do with the latest chain letter hoax.
People seem to be getting really worked up about a so-called “Blue Whale Challenge” social media game. And understandably so – it’s a game where vulnerable children are targeted and given progressive challenge, culminating in something that will kill them.

I saw this first a couple of months ago, and each time it turns up the lurid details have been embellished further. It sounds too macabre to be true. And it’s not.

About a year ago someone in Russia published an on-line article hoping to explain the high number of teenage suicides in the country, and blaming it on the Internet. Apparently a statistically significant number of teenagers belonging to one particular on-line group had died; the on-line group must therefore be to blame.

Wrong! If you have an on-line group of depressed teenagers then you are going to have a higher proportion of suicides amongst them. The writers have confused cause and effect.

However, facts never got in the way of a good lurid story and this one seems to have bounced around Russia for most of 2016, where it morphed into an evil on-line challenge game. It then jumped the language gap to English in winter 2017.

The story spreads as a cautionary tale, with the suggestion that you should pass it on to everyone you know so they can check their kids for early signs they are being targeted (specifically, cutting a picture of a whale in to their arm). In other words, a classic email urban legend. It’s only a matter of time before the neighbourhood watch people add it to their newsletters.

Update:

The Daily Mail has reported this as fact, so I must be wrong and it must be true. Or perhaps I’m right and they have nothing to back their carefully worded account. Wouldn’t be the first time…

 

 

More Fraud on Amazon Marketplace

Fancy a roll of sellotape for £215.62? Amazon has this and 708,032 other products listed by a seller called linkedeu, who’s full range can be found here:
https://www.amazon.co.uk/s?merchant=AA722TCREQZHH.

This isn’t the first time sellers like this have appeared, and it won’t be the last. However, this time I’ve reported it to Amazon and I intend to time their response. How could they let some fraudster list nearly quarter of a million items without anyone checking?

The seller does have a business address in California, but I suspect this is fake too, and the name and address may well be a legitimate company.

 

ParentPay seriously broken (again)

400 Bad Request
ParentPay, the Microsoft-based school payment system that’s the bane of so many parents’ lives, has yet another problem. Since Saturday, every time I go to their web site I get a page back that displays as above. Eh? Where does this page come from – it’s not a browser message. A look at the source reveals what they’re up to:

<html>
<head><title>400 Request Header Or Cookie Too Large</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<center>Request Header Or Cookie Too Large</center>
<hr><center>nginx</center>
</body>
</html>
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->

 

Okay, but what the hell is wrong? This is using Chrome Version 56.0 on a Windows platform. Can ParentPay not cope with its standard request header? If a cookie is too large, the only culprit can be ParentPay itself for storing too much in its own cookie.

I’ve given them three days to fix it.

Unfortunately, parents of children at schools are forced to use this flaky web site and hand over their credit card details. How much confidence do I have in their technology? Take a guess!

Solution

So what to do about this? Well they have the URL https://parentpay.com, so I tried that too. It redirected to the original site, with a slightly different error message sent from the remote server – one that omitted mention of cookies. So it was definitely Chrome’s header? Upgrade Chrome for 56.0 to 57.0, just in case…. No dice.

A look at the cookies it stored was interesting. 67 cookies belonging to this site? I know Microsoft stuff is flabby, but this is ridiculous! Rather than trawling through them, I just decided to delete the lot.

That worked.

It appears ParentPay’s bonkers ASP code had stored more data in my browser than it was prepared to accept back. Stunning!

 

BT Internet Mail Fail (again)

BT Internet’s email system is broken AGAIN. It rejects everything it gets as “spam” (554 Message rejected, policy (3.2.1.1) – Your message looks like SPAM or has been reported as SPAM please read…)

Having checked against blacklists, and sent perfectly innocuous test text messages to friends account, it’s definitely busted.

My advice to anyone using BT Internet for important email is to get a proper account with a proper provider (or handle your email in-house if your name is not Fred and you don’t work from a shed).

M A G Airports web site exploitable for mailbombing attacks

Last July I was surprised to receive an email of “special offers” from Manchester Airport. I’ve only ever been to Manchester once, and I drove. It was actually sent to a random email address; was the company just sending out random spam?

I checked, and visiting their web site produced a JavaScript pop-up asking you to enter your email address to receive special offers. I wondered if I’d accidentally confirmed acceptance to be added to the wrong mailing list, so I checked. No. Apparently this sign-up doesn’t bother to confirm that you actually own the email addressed entered; it just starts spamming whoever you ask it to.

It got worse. A look at the code showed it was easy for someone to make a load of calls to their site and add as many bogus addresses as they liked at the rate of several every second.

And it gets even worse – a quick look at the sites for other airports operated by MAG had identical pop-up sign-ups (Stansted, Bournemouth and East Midlands).

Naturally I called them to let them know what a bunch of silly arses they were. After being passed around from one numpty to another, I was promised a call back. “Okay, but I’ll go public if you don’t bother”.

Guess what? That was last July and they haven’t bothered. They did, however, remove the pop-up box eventually. They didn’t disable it, however. The code is still there on a domain owned by MAG Airports, and you can still use it to do multiple sign-ups with no verification.

So what are they doing wrong? Two things:

  1. Who in their right mind would allow unlimited sign-ups to a newsletter without verifying that the owner of the email address actually wanted it? Were they really born yesterday? Even one of the MD’s kids writing their web site wouldn’t have made such an elementary mistake.
  2. Their cyber-security incident reporting mechanisms need a lot of work. Companies that don’t have a quick way of hearing about security problems are obviously not doing themselves or the public any favours.

One assumes that MAG Airports doesn’t have any meaningful cybersecurity department; nor any half-way competent web developers. I’d be delighted to hear from them otherwise.

In the meantime, if you want to add all your enemies to their spamming list, here’s the URL format to do it:

Okay, perhaps not but if it’s not fixed by the next time I’m speaking at a conference, it’s going on the demo list.

 

New DVLA on-line system is broken

Why can’t companies implementing government on-line systems actually get anything right? And if they must mess things up, why can’t they do it in private? The new DVLA system is broken. They ought to have tested it in-house, without launching a beta version on the public. Seriously, do they not know what a beta version is for?

My experience – I went through and entered all the details, paid, and got this:


It’s now impossible to tell whether it’s taken payment from the card or not. Okay, this appears to be an external system that’s screwed up BUT it’s not be handled properly. Basic rule of data communications – Assume the link will be corrupted and cope with it.

Baofeng DMR handheld – the DM-5R

DM-5R PlusIn 2016 Baofeng released the DM-5R – what sounded like a fantastic DMR radio at a very attractive price. One of the best features was that it maintained the same form factor as the UV-5R, meaning accessories were cheap and plentiful. In fact it was completely compatible as an analogue transceiver, but with DMR too.

Only one huge problem – it only implemented Tier-1, which basically meant it could only talk to other DM-5Rs – not to the Motorola or Motorola-compatible Tier-2 units.

Suppliers insisted that Baofeng was going to release a software update for it. I’m on record elsewhere as being sceptical of this, as I’ve never seen a way to update the software on any Baofeng radios, even when they’ve introduced killer bugs in to the wild.

Apparently I was wrong(-ish), and a firmware update has appeared for the promised $10. Furthermore, a DM-5R Plus has also turned up on the market, with Tier-2 software already. I don’t have confirmed specifications (i.e. the unit in my hand) but there’s some question about the battery. Sometimes its listed as 1.5Ah, other time 2Ah. BL-5 battery packs (the UV-5R standard) are 1.8mAh. I really hope they haven’t been crazy enough to come up with a new battery format.

Battery aside, what’s not to like? If if’s Tier-2/Motorola compatible, then I’m sure I’ll love it. But how compatible is it? Questions remain. Take this announcement from DMR-UK (target likely to expire) quoting a Phoenix Repeater Keeper:

“I have now heard a station using the DM-5R on the Phoenix network. I can confirm that although the radio appeared to work (apart from having very low audio) it was actually occupying both time slots on the originating repeater. This confirms that even though the so-called Tier 2 update had been done it was still working as a Tier 1 radio.”

This is unattributed, and it’s not clear whether the transceiver was a DM-5R Plus or an upgraded DM-5R. I don’t even know if an upgraded DM-5R becomes identical to a 5R Plus. This will become clear over time.

That Baofeng didn’t get the complex firmware right first time would come as no surprise. But do I want to risk it? Only if they promised to offer a free fix; but they really don’t have a good track record there.

AO.com extended warranty – the hard sell

Our 1997 AEG Lavamat washing machine is demised. The motor finally gave up the ghost, and Electrolux (AEG) no longer stocks the spares – and even if they did, the cost of buying a new motor for such an old machine is debatable. AEG and Samsung make the machines that clean the best (according to Consumers Association tests), so another AEG it was. Unfortunately our local shop, Ruislip Appliances, is shut for the holidays so on-line shopping it was, and  AO.com had a suitable replacement that can be delivered next day. And helpfully, they agreed to take away an old dishwasher too, having paid to take away the old washing machine.

To get the latter deal, I had to order by telephone. After concluding this, the guy on the end launched in to explaining the fabulous after-care service they offered – at a price. Basically they’ll fix stuff that’s “not covered by the warranty”, such as accidental damage and bits wearing out – like bearings and door seals. Eh? Doesn’t the AEG warranty cover premature failure of non-consumable items? If a car was warranted for a year and you wheel bearings wore out just because you were driving it (reasonable distances) then you’d expect it to be fixed. Tyres are another matter; they’re consumable.

I checked the AEG warranty exclusions, and nothing like this was excluded. Basically commercial use, improper use and accidental damage. Anything else they’d fix. And their warranty lasts five years – which tells me they reckon their product won’t break down and have the data to prove it.

AO.com’s warranty excludes stuff covered by the manufacturers warranty, so that leaves very little to cover. “Ah yes, but if we can’t fix it we’ll give you a new comparable model!”. AEG would have to do the same, if it came to it. But if you read their T+C, AO.com will only do this as a last resort and they will automatically cancel your policy.

So for this little extra protection, how much did they want? Well to cover this £500 washing machine for five years it worked out at £450. Basically, where their warranty takes over from AEG’s, you’ll have already paid out the cost of a new one. If the machine was a write-off after ten years (reasonable for an AEG machine), you’d have paid for a new one twice over.

The warranties are actually called product protection plans internally, and they’re sold by AO on behalf of a third party – Domestic and General Services Ltd. They administer the plans, collect the money from the customers and pay a commission to AO

In Y/E 2014, AO.com sold £18m worth of these dubious warranties, and the value is increasing. They’ve been a bit coy about mentioning the figures in subsequent published accounts. If you’re the kind of person that’s totally unable to save up for a new appliance, it may be worth it as a saving scheme – a sort of pre-paid expensive credit option. If you pay up-front for what you buy it’s as much use as a cardboard washing machine.

I feel an OFT investigation coming on. Followed by “haveigotao.com” and similar sites.

One of the significant risks to AO Group’s future is desertion by customers (according to their Annual Report and Accounts 2015). I’m afraid the hard-sell of a dodgy product on the telephone during my first order left me questioning whether I wanted to deal with these people then, or ever again. They don’t have a price advantage over local independent dealers, and I don’t get taken for a fool by the locals either.

Other impressions of AO were good. But the washing machine hasn’t turned up yet!