Christmas Come Early for Scammers – Thanks Microsoft

As a reminder that Microsoft never lets security considerations get in the way of a Good Idea, it’s emailed 50,000 gift cards to random addresses it has on file. To quote:

To help spread holiday cheer, Microsoft Store has surprised a total of 50,000 U.S. customers with virtual gift cards via email. 25,000 customers will receive a $100 Microsoft Gift Card while 25,000 others will receive a $10 Microsoft Gift Card ahead of this holiday season. These randomly selected recipients can redeem their gift card on Microsoft Store through December 31, 2021 and spend it within 90 days of redemption

Publications in the US are advising punters to check their spam folder in case they’ve got an e-voucher for free Microsoft goodies. Presumably these email address are of lusers with a Microsoft account of some kind.

With the media coverage starting to appear in the US, anyone phishing for Microsoft account credentials now has the perfect social engineering exploit, available between now and the New Year. Nice one Microsoft.

BBC plays the temperamental chef

Today the BBC hit back after being told to do its job. The white paper on its future told the public service broadcaster that it needed to produce public service output, rather than duplicating material ably produced by the commercial sector. The phrase used was “distinctive output”, and this was repeated ad nausium in its reporting of this morning’s story that it would be dropping its popular web recipe archive.

The reason given was that this was not “distinctive output”, and according to Radio 4’s Today programme, it was to save £15M/year from its on-line budget. Really? Anyone who knows anything about web publishing can tell you that publishing recipes is cheap, especially when you already have them. A quick look around the BBC more exotic on-line offerings will soon show where the money really goes.

So what are they up to? Politics, of course. The liberal elite running the BBC isn’t happy about being reminded how it is supposed to be spending our money, and is acting up in a disgraceful manner.

In its own on-line reporting of the matter, the BBC is linking this to the new requirement to publish details everyone having their celebrity lifestyle funded by more than 450K  of our license money. This is going to be be awkward for the luvvies and the star-struck BBC executives fawning over them.

It’s about time the BBC started serving the people who pay for it. It’s hardly impartial when it comes to politics; it’s right in there playing politics itself – albeit the playground variety.

Cybercriminals: Microsoft’s X-EIP is your friend.

Since January 2013, and without any fanfare, Microsoft has stopped including the originating IP address of Hotmail emails in the headers. Instead, an ominously named X-EIP has appeared in its place, consisting of random characters.

Originating IP addresses are the only means to verifying the source of an email. This is important to prevent fraud, detect crime and block spam. It can’t be used by a recipient to positively identify a sender, but by contacting the relevant ISP about it, the location can be pinpointed relatively quickly and the ISP can take action against a customer based on a complaint. Even home users can check that the IP address their friend’s email came from is in the right country, rather than a cyber-café in some remote and lawless part of the world.

So why has Microsoft done this? After much waiting for a reply, this is the best I have got:

My name is **** and I am a Senior Support Analyst for Microsoft. I am part of the Hotmail Escalations Team handling this issue.

In the pursuit of protecting the privacy of our users, Microsoft has opted to mask the X-Originating IP address. This is a planned change on the part of Microsoft in order to secure the well-being and safety of our customers.

Microsoft is in the path of continuously improving the online safety and security of its users. Any feedback regarding this concern would be treated with utmost attention.

We appreciate your patience and understanding regarding this matter.

Thank you.
Best Regards, etc.

Note the “wellbeing and safety of [their] customers” in the above. Which of their customers need this protection? Well paedophiles wishing transfer material with their mates anonymously will love it. As will fraudsters, cyber-bullies and anyone else wishing to send untraceable emails.

Having analysed the new encrypted codes, they’re not a one-to-one encryption of an IP address. Two emails from the same address will have different codes, so decoding them won’t be easy at all. It’s likely that it’s a one-way hash, meaning Microsoft will need to go back through its records to find out where an email came from, and they’re only going to do that with a court order, I suspect.

And that’s not good enough – tracking cybercrime is an immediate activity, so such things can be shut down quickly. The Internet is self-policing; there’s no time for court orders, and no point if you’re crossing international boundaries. If you know the IP address some malware came from, it’s possible to get hold of the sender’s ISP and have the feed quenched within minutes, or if coming from a commercial or academic institution, the network administrators could be around to catch them in the act. Microsoft has extended this process from minutes to weeks, losing any reputation for responsibility it had with Hotmail (not much I’ll grant you) and promoting its service to the cyber criminal.

However, Microsoft is not alone. Google has been doing this for years with Gmail. Is this a cynical attempt by Microsoft to follow Google’s shameful lead?

There are some cases where anonymous email is a good idea, such as when sending emails from a country where free speech is aggressively discouraged. There is no need for this with a mainstream email service; it’s just a feature provided to encourage new users with something to hide.


Spamhaus vs. Cyberbunker

There’s a real, genuine cyber-war going on over the Internet between Spamhaus and a Dutch company called Cyberbunker, and their connectivity provider A2B Internet. Spamhaus is a not-for-profit organisation that blacklists internet service providers that allow spammers to use their facilities, and Cyberbunker is an ISP which, according to their own web site, provides services to anyone for any purpose “except child porn and anything related to terrorism. Everything else is fine.” Spamming is okay by them; they’ve never denied it and basically take the view that all ISPs dealing with spammers: it’s none of Spamhaus’ business what they do and launching a denial-of-service attack against them is some kind of natural right. They’re known for hosting outfits like Pirate Bay when no one else would touch them, to give you some idea.

Pirate Bay
One of Cyberbunkers more high-profile customers – The Pirate Bay.

The war started on 19th March when a DDOS attack was launched against the Spamhaus servers in retaliation for them adding a range of IP addresses provided to Cyberbunker by A2B Internet.

A2B Internet’s view is that they’re not responsible for what Cyberbunkers’ customers do with the IP addresses and it’s no business of Spamhaus what anyone else on the Internet does. Spamhaus, and the users of the Spamhaus block-list (SBL) think it is, and after all, no one is forced to use the SBL – they use it to identify emails coming from outfits of the type often hosted by Cyberbunker. This didn’t stop A2B Internet going to the Dutch Police in outrage, accusing Spamhaus of extortion by blacklisting some of its IP addresses. Quite how this amounts to extortion isn’t clear. It pressures A2B  on who it sells connectivity to Cyberbunker, to stop doing so, but Spamhaus would argue that it was listing IP addresses used to send spam, and that’s all there is to it.

Although the SBL isn’t easy to disable by such methods, it was nonetheless annoying and Spamhaus called on the services of Californian-based CloudFlare to mitigate the attacks, which promptly got attacked themselves for their trouble. The attackers are using a feature of DNS to send gigabits of traffic towards the Spamhaus servers. Using a botnet, they’re sending zone transfer requests to poorly configured DNS servers claiming that Spamhaus has requested data on a zone (domain). The request is short, but the data returned can be very large and is sent directly to Spamhaus. People running a DNS should configure it such that it won’t accept zone transfer requests from “just anyone”, but many fail to do this – especially Microsoft installations, in my experience. By using a botnet to send the initial request the attackers have been generating traffic said to be in excess of 300Gbps.

But these attacks don’t just affect Spamhaus. The DNS servers hijacked for the purpose are consequently over-loaded when legitimate requests get through, and the traffic heading to Spamhaus is going to squeeze other legitimate traffic en route. There are stories about concerning disruption to Netflix and other high-bandwidth Internet services. Whether this is any great loss is a matter of opinion.

But is it fair to blame Cyberbunker for these attacks? Circumstantially they’re implicated. The New York Times quoted “Internet Activist” Sven Olaf Kamphuis, who claims to speak for the attackers, as saying that Cyberbunker was retaliating against Spamhaus for “abusing their influence using  one of the largest DDoS attacks the world had publicly seen.” However, it’s my understanding that Mr Kamphuis is the actually the Managing Director, and possibly owner, of Cyberbunker – so if the comments in the NYT are correct, it’s clearly them.

Kamphuis continued, “Nobody ever deputized Spamhaus to determine what goes and does not go on the Internet, they worked themselves into that position by pretending to fight spam.”

He has a point, but possibly not a very good one. About 75% of the spam filters in the world use the SBL to drop mail from dodgy sources. They don’t have to; they choose to. If the SBL was no good, they wouldn’t use it. It’s not really a case of Spamhaus determining what goes on the Internet, it’s a case of the majority of the Internet trusting Spamhaus more than they do Cyberbunker when it comes to deciding what’s spam and what isn’t.

But it means that the maintainers of the SBL have a lot of power, because incorrectly listing an IP address has a seriously negative effect on its owner. It depends on your point of view as to whether a listing is deserved or not. Spammers say they’re within the law (or their moral rights); the recipients of their marketing messages may disagree.

Cyberbunker is what its name suggests: a data centre in a disused NATO bomb-proof bunker

This disagreement has been going on for years, but A2B Internet’s complaint to the police and the subsequent DDoS attack are probably a game changer. They’ve crossed a line and “the authorities” can no longer ignore Cyberbunker’s activities. Subsequent action could be interesting as Cyberbunker’s own web site boasts of them already having defeated a raid by a Dutch “SWOT team” – a bunch of heavily armed police with battering rams at least. As they’re holed up in an old NATO nuclear bunker with blast doors able to withstand a 20 Megaton atomic bomb, a bunch of coppers with a sledge hammer aren’t going to have much effect.

Turning off the up-stream link might, however, have the desired effect. They may have buried themselves with enough food, water and diesel for their generators to withstand a long siege, but there’d be no point once they’d been disconnected. I understand that A2B Internet have decided to turn off the tap already. According to Spamhaus, Cyberbunker is getting feeds from elsewhere, but on checking they’re not terribly good feeds – or someone is currently attacking Cyberbunker.

As to the collateral damage, I suspect it’s being somewhat over-blown. Operators of a DNS server should configure it properly to prevent this nonsense, and ISPs really ought to take the initiative and check their customers are secure. But this could be a seminal event where spammers are concerned, and the world will be watching the Dutch authorities with interest.

And before condemning Cyberbunker completely, it’s worth noting they’re providing hosting for legitimate users being hounded by illegitimate governments around the world. In principle, they’re possibly as often right as they are wrong by ignoring what their customers do. There’s reputedly a lot of cyber-crime taking place on AWS, don’t forget, and the world isn’t clamouring to shut Amazon down. The difference may only be scale.

South Korea attacked from Chinese IP address so it must be North Korea

On Wednesday, South Korea’s government said a malicious code from unknown hackers caused “massive” computer network failures at several banks, the police and TV stations. ATM machines ceased to function. The South Koreans seemed fairly quick to blame it all on the nasty people from the North.

This morning I woke up to the news that the attacks originated from an IP address in China; “apparently” it’s a favourite tactic of the North Koreans to work indirectly through Chinese IP addresses to cover their tracks.

The whole story is starting to pong.

Facts are scarce, but the suspicion is that that this malware was distributed by email in the traditional manner, using files called ‘KBS.EXE’ and ‘MBC.EXE’ (Page in Korean but you can get Google to translate). This doesn’t sound like a targeted attack on critical infrastructure, it sounds like a standard malware delivery to PCs. It’s claimed that the malware activated on Wednesday and wiped the hard disks, displayed skulls and so on. It possible, but another explanation is that malware often attempts to install itself on the boot partition and sometimes goes wrong, leading the luser to believe the disk has been maliciously wiped when in fact it’s just been made inaccessible accidentally, and it won’t boot. The synchronised timing could be accounted for by a botnet software upgrade that didn’t work as expected.

Now let’s consider the “plot”: To knock out critical South Korean infrastructure. If you wished to disrupt the Internet, that’s what you’d have to attack; not the endpoint PCs. Attacking PCs simply inconveniences individual users rather than taking down an organisation. The suggestion that an email virus could take down the ATM network is, frankly, ridiculous. How do you kill an ATM machine by emailing it? Or the bank’s mainframe? If there was ATM disruption, it could have been a side-effect of botnet traffic gone wild, but to say it was targeting the ATM network needs evidence to back it up before I’d take it remotely seriously. A DDoS attack may be possible if it’s not isolated from the Internet, but if that were true they were being very lax about things, and reports are talking about PC malware, NOT a DDoS attack.

And what of the attacking IP address traced back to China? No surprise there. China is botnet central. To be blunt, a lot of the software used on private computers in China is bootleg, which means it’s either supplied with botnet software pre-loaded, or isn’t able to receive security updates from Microsoft making it easy prey. It’s no coincidence that the incidence of zombie computers is higher in countries where interlectual property rights are less vigorously enforced, and that part of the world is a case in point. So, whilst it’s true that North Koreans would use botnets based in China, it also a meaningless statement. Everyone uses botnets based in China and the Far East.

Reports could be wrong, of course. This could be a DDoS attack against the South Korean Internet in general, and specific high profile targets. However, this does not square with the malware reports of computers not booting, and “skulls appearing on screens”.

The whole thing pongs. Here’s my theory: Social engineering emails were used to distribute malware in South Korea. Because the criminals were using emails in Korean, only Korea was affected. Either maliciously, or more likely through incompetence, the malware tried to install some botnet software and broke a number of PCs. The news media in Korea has been quick to blame this on a sinister North Korean plot, and the world’s media has picked this up as a story without enough people sanity-checking the whole scenario.

Another Yahoo mail account pwned

This is getting ridiculous. I don’t monitor Yahoo or other freemail accounts in any way, but it’s seems like almost every week I come across one that’s been taken over by criminals.  I got another email this morning from the account of an old friend sent by Yahoo webmail. He’s a a BT Internet customer, and I’ve no doubt from some features on it that it was sent out by someone sitting at a web browser, logged in as him. It wasn’t him, unless he’s moved to Hyderabad and taken up a life of crime – unlikely, he’s a retired fire officer in the north of England, and it’s not his style.

Yahoo obviously provides BT’s email service, so their customers get a Yahoo webmail account, like it or not.

This happens to other freemail users too, but the number of Yahoo accounts being hit is getting disproportionately ridiculous. Yahoo would need more customers than everyone else put together if this was just a random effect.

So what is going on? My assumption in cases like this is usually that the compromised accounts have been as a result of key loggers at Internet cafes or public Wi-Fi systems. It makes sense, and fits the facts in cases I’ve investigated. But not this time…

Earlier this year there was a problem with Yahoo involving cross-site scripting that could affect insecure web browsers (that includes all of the commonly used web browsers).  A character called Shahin Ramezany uploaded a video to YouTube  showing how to do this. Yahoo very quickly came back with a fix. They said. This just the latest in a long time of embarrassing problems – in Summer last year someone broke in to their computers and pinched a lot of confidential files.

Researchers at Bitdefender have also worked out how do to this, and it’s unclear whether Yahoo really has fixed the problem. For technical details, see CVE-2012-3414. It works by cookie harvesting, taking advantage of the way cookies are shared between different levels of a domain path.

Either this remains very much a problem, six weeks after Yahoo claimed to have fixed it, or the criminals have a large backlog of compromised user accounts and they’re just working through them. Users of freemail beware – how well do you think, with the best will in the world, that their operators will be able to provide technical assistance to hundreds of millions of advertising-supported punters?

If you have a Yahoo or BT Internet account, my advice is to log in and change the password right now, if you want to keep it.

787 Batteries Included – Why Li-Ion and aircraft shouldn’t mix

787 battery (over-cooked)

Poor Boeing – its 787 “Dream liner” fleet looks like it’s grounded for at least another month following fires in its Li-Ion battery. Many years ago I found myself researching and writing several articles on battery technology, and at the time I really didn’t like Li-Ion, even though it was being pushed as the latest thing. So I’m not that surprised that Boeing has had trouble. I’m only surprised that they used such risky technology in an aircraft, assuming it hadn’t been refined since I last looked at it. Given the problems they’ve had, it clearly hasn’t been refined.

Li-Ion batteries can actually be made from a very wide range of chemistries, all with different characteristics. The anode is normally carbon, but the cathode can be various metal oxides and the electrolyte a lithium salt – plenty of combinations to try. I understand that Boeing went for lithium cobalt oxide, which has one of the highest energy densities (better power-to-weight ratio) but is also considered one fo the most flaky. It’s the same chemistry as is commonly found in consumer devices with Li-Ion batteries. It’s the battery technology that the airlines felt so strongly was unsafe that they initially banned it from your luggage (only allowing later so business travellers could still use their laptops). It’s the type of cell that UPS won’t allow on international flights. And Boeing decides it’s a good idea to make a great big one and fit it in the heart of its new aircraft!

Apparently their plan is very much to mitigate the battery problems by encasing the cells in ceramic, put it in a strong metal box and venting it to the outside in case it starts smoking again. The FAA will be asked to sign this off as safe – potentially it could be considered unable to bring down the aircraft, although one has to wonder how well it will operate once the battery has self-destructed in a contained environment. If it’s not important to the operation of the aircraft, why’s it there at all?

Li-Ion does have an advantage over less exotic technologies in that you can store more power in a smaller, lighter package. But at a cost. Apart from the cells costing a lot more and needing fancy charge controllers to operate them safely(!), they’re also quite fragile in the short term; and in the long term they don’t survive for long.

Did you know, for example, that Li-Ion batteries decay badly when they’re fully charged? This means that if you keep your battery topped up it will lose capacity. If you leave it run down it will decay more slowly, but what’s the point of lugging a flat battery around? This characteristic makes it ideal for companies like Apple to fit into products like the iPhone. Whatever you do regarding charging the battery, your iPhone will die in a few years, forcing you to buy a new one (if you’re stupid enough).

Conventional battery technologies, like NiCd, are far more robust. You can discharge them, fast-charge them, trickle-charge them and generally abuse them. They last for years, with no need for fancy controlling electronics. Lead acid is even tougher, and has been used for decades in hundreds of millions of motor vehicles. Yes, it’s heavy but it’s cheap, there when you need it and has a very good record for not self-destructing.

Yet Boeing seems to be struggling on getting Lithium-Ion to work. They probably have a reason, but I can’t see what it is other than not wishing to back down on what’s looking like a bad decision.

FreeBSD, Wake-on-LAN and HP Microservers – WOL compatible Ethernet

I’ve been having some difficulties getting Wake-on-LAN (WOL) to work with an HP Microserver thanks to its Broadcom Ethernet adapter not doing the business with the FreeBSD drivers – setting WOL in the Microserver BIOS doesn’t have any effect. I’m pleased to report a solution that works.

The on-board Broadcom Ethernet adaptor still refuses to play ball, for reasons described in my earlier post. The pragmatic solution is to use a better supported chip set and I’ve had no difficulties with Realtek (at the low end of the market) so it was an obvious choice. Just bung a cheap Realtek-based card in and use it as a remote “on” switch – what could possibly go wrong?

First off, the HP Microserver has PCI-Express slots, but weird looking ones. I’d assumed one was PCI when I’d glanced it, but it’s a PCIe 1-channel slot with something strange behind it – possibly a second 1-channel slot. The documentation says its for a remote management card; presumably one which doesn’t need access to the back. There’s a 16-channel PCIe next to it.All very curious but irrelevant here. The point is that you’ll need a PCIe Ethernet card – a surplus 100M PCI one with a well supported, bog-standard chip, won’t do. The PCIe cards tend to be 1Gb, and are therefore not as cheap.

The first card I bought was a TP-Link TG-3458, which has standard Realtek 8168B adapter chip. Or at least mine did; I note that there is a Mk2 version out there. Mine’s definitely a revision 1.2 PCB, but if you buy one now it may have the newer chip (which is a problem – read on below). Anyway, this Mk1 card worked like a charm. On sending it the magic packet and the Microserver bursts in to life. There’s only one snag: It has a full-height bracket and the Microserver has a half-height slot, so you have to leave the card floating in its socket. This works okay as long as no one trips over the cable.

My second attempt was an Edimax EN-9260TX-E, ordered because it was (a) cheap-ish; (b) had a Realtek chip; and (c) had the all-important half-height bracket. It fitted in the Microserver all right, but refused to act on a WOL, at least to begin with…

It turns out there was a little bug-ette in the driver code (prior to 8.3 or 9.1), spotted and fixed by the maintainer about a year ago. If you want to fix it yourself the patch is here. I decided I might as well use the latest drivers rather than re-working those shipped with 8.2, so pulled them, compiled a new if_re.ko and copied it to /boot/kernel in place of the old one. It didn’t work. Ha! Was I naive!

Further investigation revealed that it was completely ignoring this kernel module, as it was using a driver compiled in to the kernel directly. There was no point having the module there, all it does is trick you in to believing that it’s installed. I only realised “my” mistake when, to my astonishment, removing the file completely didn’t disable the network interface. I solved the problem by compiling a new kernel with the built-in Realtek driver commented out, and I’m currently loading the new driver specifically in loader.conf. It works a treat. I could have changed the kernel Realtek driver, but while it’s under review it’s easier to have it loaded separately. Incidentally, the driver is for 9.1 onwards but it works fine on 9.0 so far.

The next task is to fix the Broadcom driver so it works. I may be gone some time…

Faith in Free Schools – Department of Education still hasn’t done its homework

The Department of Education has just lost in its bid to keep secret the “faith affiliation” of applicants planning to up Free Schools, and has been forced publish the figures by the Information Commissioner.It’s taken two years to get this information, and it’s interesting reading if you read them carefully.

Figures are not available for the first wave of 373 applications, but is (to an extent) for the second and third waves. I’ve been doing some number crunching.

Religion Wave 2 Wave 3 Total %
None 202 183 385 74.47%
Christian 45 21 66 12.77%
Muslim 17 18 35 6.77%
Plymouth Brethren 11 3 14 2.71%
Jewish 3 5 8 1.55%
Sikh 2 5 7 1.35%
Hindu 1 1 2 0.39%

The breakdown is a little strange. In Wave 3 the different Christian denominations are specified in some cases but left as “Christian” for others, as they all are on Wave 2. Except the Plymouth Brethren, who appear always to be separate from “Christian” for some reason in both sets of data. “Muslim” and “Islam” are also two different religions, apparently. Did the compiler of these statistics know anything about religions?

I also have my doubts about whether religion has been reported at all. We’re asked to believe schools like Noah’s Kingdom (Reading) isn’t religious. To quote from their ethos description: If life is based on human values then it is incomplete, but if we base our lives on the plan of God then we have a secure path.

It’s not just the Christians – how about  the Khalsa Science Academy in Leeds? Sounds Sikh to me! A quick look at their web site confirms my suspicions.

What about the Maharishi Free Schools? Non-faith? Yogi’s might fly! There’s even “Destiny Christian School” in Bedford that’s listed as secular. The clue should be in the name. It’s actually being proposed by “Miracle Church of God in Christ”, and part of the Christian Schools’ Trust who’s attitude to creationism is that it is science and they intend to teach it as such.

In short, a quick scan through the names on the list is enough to show any reasonable person that the published data is full of errors. Journalists like those at the BBC may have  taken them at face value, but they’re an insult to any thinking person.

Whatever you feel about so-called “Faith Schools”, having the data kept from us by Michael Gove and the Department of Education isn’t going help with an informed debate.

Wave 1+2 Freedom of Information data from DofE

Wave 3 Freedom of Information data from DofE


CPC charging for free delivery! Well, not quite…

CPC Farnell is great. Most of the time. They’re a well established supplier of electronic bits and pieces (components) and they’ve recently branched out in to various other items of hardware. The prices are good, the service is spot on, and they’re based in England with sensible people at the end of the ‘phone. Their catalogue and web site is best suited to professional purchasers who know what they want and can see behind the manufacturer’s marketing descriptions, but that’s just fine. They’re box shifters, but they’re very good box shifters.

Last week they had a “special offer” for free delivery, even for small orders. I needed some cables forgotten from an earlier main order, so took advantage of the offer, only to discover on the paperwork that I was nonetheless charged! Being a good company to deal with in the past, I gave them a call. Apparently some genius there made the “free delivery” offer, but the web site software knew nothing about it and has been telling everyone they’ve been hit with a handling charge ever since. I suspect their operators are getting a bit hacked off with the complaints, although they’re still professional and courteous and friendly.

So if you’re reading this, and are wondering about whether you’ve been stitched up, relax. They haven’t gone mad; their on-line ordering system is just a bit trailing-edge. I’m still happy to recommend them as a supplier. And as far as I know, they pay all their UK taxes.