Smart TVs attacked over the airwaves

A group of researchers from Columbia University have published the results of some experiments with mixed mode digital TV broadcasts here.

The problem is that the new but widely implemented HbbTV standard allows HTML to be embedded in with the picture data. What could possibly go wrong?

Well, apart from the fact you only need an encoder and transmitter to mess up all the sets in range by sending them HTML spam, the Columbians reckon that with the right HTML you can turn people’s tellies into a botnet and attack targets through their internet connection. I’m not yet convinced this will work in practice, but building a web browser into anything has always been risky when it implements more than plain HTML. It’s always been possible to broadcast alternative TV and radio signals over the top of legitimate channels, but generally, it doesn’t happen in practice.


Anonymous to attack World Cup sponsors

According to an article in the Guardian, Anonymous is planning attacks on World Cup sponsors to coincide with the football tournament in a few days’ time. Whilst I certainly disapprove of all types of cybercrime, I have to admit that the rationale for such an escapade has my sympathy.

Someone calling himself Che Commodore has claimed to be part of the Anonymous collective, and is a name that popped up a lot last year in connection with Anonymous Brazil. He’s hacked off because the Brazilian government is spending loads of money on a football tournament while people in the country are starving (putting the case directly and emotively). Attacking the commercial sponsors for colluding with this is an obvious choice.

Is he serious about the threat? The Guardian figures he must be, because he wouldn’t be boasting about it early unless everything was in place. I’m less convinced. Forewarning allows sites to get ready to use scrubbing centres against DDoS attacks. Is it really a “watch this space”, or is it a bluff? In the absence of any evidence that the self-styled Anonymous Brazil has the capabilities to carry out such an attack, I have to disagree with the Guardian (once again) and go with it being a bluff. But it’s a good one, as it’s raised awareness of the warped priorities that lead to huge amounts of money being spent on sports tournaments, in excesses reminiscent of the Circus Maximus. But you can only bluff once, and I suspect Mr Commodore’s stunt isn’t going to go down well with other users of the Anonymous moniker.

Personally I’m already boycotting as many of the sponsors as I can, but the intrigue has got me marginally interested in the World Cup for the first time ever.


The Kitchen Scrappage/Recycling Scheme (cold call scam)

They’re at it again – cold-calling households (or numbers they think are households) with recorded messages from abroad. If you hang up they pretend this means you would like to hear more, and call back from the UK (judging by the accent) but withholding their CLI. They do this to avoid prosecution under the Privacy and Electronic Communications (EC Directive) Regulations 2003. They’re also not prepared to give any contact details when asked. They are obviously working a con.

Their choice of name suggests they’re connected with official government initiatives such as the widely publicised boiler and car scrappage schemes, but there’s no such scheme in reality.

So what’s their con? Are they trying to pressure-sell dodgy kitchens? Or obtain personal details for sale for marketing purposes? This is what the Information Commissioner’s Office thinks. Certainly, if they were trying to sell kitchens they’d be able to at least tell you which company they were calling from. I’ve just tied the low-life calling me in knots on that one. “Contact details?”, “No, but are you interested in a new kitchen?”, “I might be, but I can’t buy one from anyone without contact details, can I?”, “Er….”

Previously I’d listened longer to the spiel, and they were asking details about your existing kitchen, and then moving on to household income and other dodgy stuff. I had to lie to keep them talking, as they were calling the office and we don’t have that kind of kitchen.

These people are not complying with the TPS block-lists, and going to some trouble to avoid prosecution for cold-calling. I doubt they’re legitimate in any way, but the foregoing is enough to demonstrate that you can’t trust them. The ICO doesn’t have a number trace to go on, but complain anyway (on this link) and leave them to do the leg-work with better resources.


eBay security problem in February – just noticed!

Well, it had to happen. Today eBay announced a serious security compromise. Apparently someone’s got hold of employee login details that allowed access to databases containing customer names and contact details, together with password hashes.

Should anyone be worried?

Well, a hashed password isn’t a password, but it’s possible to crack, especially if it was a weak one (i.e. a word or two words conflated, with a digit on the end and possibly a full stop). eBay says that there’s no evidence of any fraudulent transactions. Yeah, great. The problem is going to come when people have used the same password elsewhere, like on their PayPal account, bank account or somewhere important – armed with their contact details and a crackable password, those people could be in real trouble.

eBay is due to email everyone very soon to ask them to change their password. It’s called shutting the stable door once the horse has bolted – this data may have been in the hands of the criminals for a couple of months now. You don’t need to change your eBay password; you need to change the password on every system that used it.

The sooner this antiquated means of verifying identity is replaced by secure public certificates, the better – but the punters won’t understand how those work.
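To make the “weak pattern” point concrete, here is an added example (not from the original post) of a policy check that rejects exactly the shape described above, word(s) plus a digit plus an optional full stop, and sizes the candidate space such a pattern leaves a cracker; the tiny wordlist and the guess rates are constructed assumptions, not measured figures.

```python
import re

# Constructed mini wordlist (assumption): a real policy check would load a
# full dictionary; the segmentation logic below does not depend on its size.
WORDS = {"stable", "door", "horse", "bolt", "ebay", "password"}

# lowercase word(s) + exactly one digit + optional trailing full stop
PATTERN = re.compile(r"^([a-z]+)(\d)(\.?)$")


def split_into_words(base, words, max_words=2):
    """Return base split into at most max_words dictionary words, or None."""
    if base in words:
        return [base]
    if max_words > 1:
        for i in range(1, len(base)):
            head, tail = base[:i], base[i:]
            if head in words and tail in words:
                return [head, tail]
    return None


def is_weak_pattern(password, words=WORDS):
    """True if the password is dictionary word(s) + digit + optional full stop."""
    m = PATTERN.match(password)
    if not m:
        return False
    return split_into_words(m.group(1), words) is not None


def weak_keyspace(dictionary_size, max_words=2):
    """Candidates the pattern admits: one or two words, ten digits, dot or no dot."""
    bases = sum(dictionary_size ** n for n in range(1, max_words + 1))
    return bases * 10 * 2


def seconds_to_exhaust(dictionary_size, guesses_per_second):
    """Worst-case time to try every candidate at a given offline guess rate."""
    return weak_keyspace(dictionary_size) / guesses_per_second


if __name__ == "__main__":
    for pw in ("stabledoor1.", "horse7", "stablebridge1", "Tr0ub4dor&3"):
        print(pw, "weak pattern:", is_weak_pattern(pw))
    # Assumed rates for illustration only: a fast unsalted hash vs a slow KDF.
    for label, rate in (("fast hash", 1e9), ("slow KDF", 1e4)):
        print(label, "20k-word dictionary exhausted in",
              f"{seconds_to_exhaust(20_000, rate):.0f}s")
```

The keyspace function shows why the hash algorithm matters as much as the password: the same pattern that falls in seconds to a fast unsalted hash takes orders of magnitude longer against a deliberately slow KDF.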

So what does this mean? Your password was secure but now it isn’t? No. It was only secure before if you trusted the eBay employees. And a fine upstanding bunch they are.

Next, of course, the scammers are going to spam everyone with phishing eBay credential change emails. And when this hits the news, who’s going to disbelieve it? eBay really needed to manage the news dissemination better.


New way to deal with cold callers

I’ve just had another cold-call from one of those idiots from a call centre located a long way to the East. “Hello, I am from Choice UK…”

It’s insulting that they’d be so stupid as to believe anyone would be so stupid as to believe they’re in the UK, or anywhere nearby. But I found another way to turn the tables – “Prove it.”, I said. When he’d figured out what it meant he asked “How can I do that?”

“If you’re from the UK you can tell me the first line of the National Anthem?”. As usually happens eventually, he hung up.

So what are these people up to? Well, EU law makes it illegal for companies to cold-call people without their permission. This is implied if there’s a pre-existing business relationship, but cold-calls are out. Great! A law from Brussels that we all like. Except it’s pointless – locate your call centre in Hyderabad and no EU member state can touch you. As a bonus, you can hire a load of cheap local labour to do the calling.

Now these outfits don’t try to sell you anything. To be honest, their English isn’t good enough anyway. What they’re doing is canvassing so they can sell your details on to companies in the UK. Once you’ve said “yes” to a question like “Would you like to know how to save money on electricity?”, then, according to their interpretation, you’ve given permission for a UK company to call you with their latest special offer.

Of course, these are not honest people. They’ll sell your name on whether you said “yes” or “*$^@: Off!” And companies in the UK trying to mount a telephone marketing campaign within the law will buy the data and call you anyway.

I’ve spoken to a few companies buying false data about me (apparently I’ve been seriously injured in a car crash). They trace back to a company called Communication Avenue in Newark on Trent. If you talk to the caller nicely, often they’ll tell you – because remember – they’ve paid someone good money for something they thought was a sales lead and they’re not happy either. Communication Avenue declined to comment (or more precisely, ignored my email and failed to answer the phone). I have now left the matter with the ICO.

BT is powerless to help. So it says. They claim they can’t, technically, block calls from overseas numbers for you. As a “help” they gave me “free” caller-ID, so I could simply not answer foreign numbers. But the BT caller display telephone didn’t display anything and, to add insult to injury, after a year they started charging for it.

So what can be done? The solution to this one IS technical. All it needs is an option to block all calls coming from countries that do not subscribe to, and enforce, EU-wide telecoms regulations – including VoIP gateways. One has to ask why this hasn’t been done, but I dare say the answer is commercial.


Internet Explorer scare

I’m getting a lot of calls about Internet Explorer. Apparently it’s got another security bug. It must be true because it was on the BBC.

Well it’s partly true. The bug is actually in ActiveX, which is Microsoft’s dodgy web browser application format. All browser application formats are dodgy. Allowing web sites to download code and run it on your PC is just a bad idea.

I’ve said it before and I will say it again: just turn off ActiveX. That said, looking at the details of this particular vulnerability it doesn’t appear very easy to exploit. I suspect it’s getting more of a mention than it deserves as Microsoft isn’t going to patch it for IE6 or Windows XP for the first time, or so they say.

Hmm. What can Microsoft be thinking? Either they patch this regardless, or lose a further share of the browser market to Chrome – and another nail in the coffin of Active-X.


Thoughts on Infosec, 2014 – first day

I usually post a show report about Infosec somewhere, and for various painful reasons, this year it has to go here. And this year I’m at a bit of a loss.

Normally there’s a theme to the show; the latest buzzword and several companies doing the same thing. I wasn’t able to spend as long as normal there today, thanks to the RMT, but I think it’s probably “Cloud Security” this year. As with “cloud” anything, this is a pretty nebulous term.

Needless to say, the first day of the show lacked the buzz; a smaller than usual number of visitors, haggard from disrupted journeys, mooched around the booths.

I was a bit surprised to see very little on the “heartbleed bug”, although there were a couple of instances. Either the marketing people didn’t understand it, or had uncharacteristically been put in their places.

One stand that’s always interesting is Bit9, a company after my own heart with alternatives to simple virus scanning. They went on a spending spree earlier in the year and have purchased and integrated Carbon Black. This is technology to allow their customers to monitor exactly what’s happening on all their (Windows) computers; which applications launch with others, what initiates a network connection and so on. It’s all very impressive; a GUI allows you to drill down and see exactly what’s happening in excruciating detail. What worries me is the volume of data it’s likely to generate if it’s being used for IDS. There will be so much it’ll be hard to see the wood for the trees. When I questioned this I was told that software would analyse the “big data”, which is a good theory. It’s one to watch.

Plenty of stands were offering the usual firewalls. Or is that integrated solutions to unified threat management? Nothing has jumped out yet.

At the end of the day there was a very sensible keynote address by Google’s Dr Peter Dickman that was definitely worth a listen. All solid stuff, but from Google’s perspective as an operator of some serious data centre hardware. He pointed out that Google’s own company is run on its cloud services, so they’re going to take care of everyone’s data as they would their own. Apparently they also have an alligator on guard duty at one of their facilities.

I was a bit saddened to see a notice saying that next year’s show will now be in early June, at Olympia. I’ve got fond memories of Earls Court going back more than thirty years to the Personal Computer World show. And Earls Court just has better media facilities!


US judge tells Microsoft to hand over data on foreign servers

Yesterday, a judge in a New York court ordered Microsoft to hand over information stored on a server in Ireland following a US search warrant. Magistrate Judge James Francis reckons a search warrant for servers is different to a search warrant for anywhere else – more of a subpoena to hand over documents. Unsurprisingly, Microsoft plans to roll the dice again with a Federal judge this time.

Microsoft, of course, has recently been soothing its cloud customers by saying that if the data is held outside the US, Uncle Sam won’t be able to plunder it in violation of the users’ local rights. In particular, EU legislation being drafted would prevent companies from sharing EU citizens’ data with foreign powers unless explicitly allowed by international treaty or another EU law. The NSA, or US corporations, would not be allowed to just look at whatever they wanted.
This plays right into Angela Merkel’s proposal for an EU communications network that can’t be legally snooped on by the Yanks, by avoiding the use of US-based servers.

In a statement to Reuters, Microsoft said:

“A U.S. prosecutor cannot obtain a U.S. warrant to search someone’s home located in another country, just as another country’s prosecutor cannot obtain a court order in her home country to conduct a search in the United States. (Microsoft) thinks the same rules should apply in the online world, but the government disagrees.”

Is Microsoft really so naive? Although the ruling followed its challenge of a search warrant concerning a Microsoft account, its implications apply to all US cloud service providers. Although they intend to appeal, in the meantime any US company holding your data off-shore might as well have its servers in America – they’ll be forced to hand over all your data either way.

This isn’t to say that data held in the UK, for example, is any more secure. There’s RIPA to worry about – the Act allows authorities to plunder what they like, although it does make it illegal for anyone other than the State to do this.


Infosec 2014 set to be disrupted by tube strike

It could hardly come at a worse time for Infosec, the UK’s best Information Security show due to take place at Earls Court next week. The RMT is planning a tube strike through the middle of it. Infosec 2014 runs from 29th April to 1st May; the strike runs from the evening before and services aren’t expected to resume until the 1st May. As many exhibitors shut up early on that day and head for home, and the real networking happens in the evenings at the hostelries around Earl’s Court, this is something of a disaster.

On a personal note, the largest outlet for my scribblings on the show in recent years shut up shop at the end of 2013; I’ll be putting the trade stuff in the Extreme Computing newsletter and probably blogging a lot more of it here. If I can get there. I shall try my best, and blog live as the show continues.