Daily Telegraph and The Independent web sites compromised by “Syrian Electronic Army”

I’m getting reports from people reading the Daily Telegraph web site saying that a dialog box appears saying “You have been hacked by the Syrian Electronic Army (SEA)”. The implication is that their PCs have been compromised, but I have no evidence that this is actually true. The web sites of the newspapers do appear to have been breached, however, in order to cause the pop-ups to appear.

Reports already exist of the problems with the Independent and the Evening Standard, with a time of 12:20 GMT, but the Telegraph problem appears to be new.

The problems don’t appear on all pages of the Telegraph – in fact the problem seems to be on the Alex cartoon only. The Independent has been off-line, but at time of writing is back – but slow.

Given the preponderance of adverts on this page, one possible method of attack could be via the advert feed. It certainly doesn’t happen on every access. However, reports suggest a redirect to a page showing the Syrian logo. This could be JavaScript, a server change or a DNS hijack. People at the papers probably know which, but they’re a bit busy right now…


Google Apps for Schools – how safe are they?

So-called Group Work is probably the bane of every tutor in higher education, myself included. As to the poor students having to collaborate; it’s always the motivated one dragging the hangers-on and possibly the university’s resident idiot along with them. It’s a nightmare. The most common complaint is that they never turn up to meetings to work on the project because it’s too difficult to organise. Yeah, right!

So this week, one of my colleagues persuaded me to get them all working with Google Apps. The theory is that they don’t need to be co-located in time or space to work on a common document. I suspect the lack of physical presence will actually make it easier for some of the group to loaf off, but perhaps I’ve been at this too long to be optimistic.

Google Apps, on the other hand, is gaining ground in education. Cloud-based applications that allow easy sharing of documents have to be a good thing, and I have to say I’m very impressed at the ability of several people to edit the same document at once. And it comes with the ultimate feature that will guarantee sales – it’s free.

When I say “free”, that means that Google gets to harvest your personal data instead of hard cash, and feed you targeted advertising. And this is a worry. You may be okay with this, but if it’s to be adopted in colleges or schools, supposing some students aren’t as relaxed about it? Those in the know keep away from Facebook for just this reason, but it’s optional. If you make Google Apps part of coursework you’re forcing students to accept terms they’d otherwise reject.

So, in 2006, Google announced Google Apps for Education, with the advertising stripped out. It’s actually a pretty good deal. Features may change over time, but it’s basically the business version of Google Apps with one difference – it’s also free.

Unsurprisingly, Microsoft is really hacked off about this. They’ve been giving their Windows and Office software to educational establishments at a huge discount (or free) in order to get kids hooked on it, and as a result we have a generation that believes Microsoft Office is necessary to do anything. Kids come out of education knowing nothing else, which forces companies to purchase Microsoft Office at the full price in order to make them feel at home.

So, free or otherwise, Google Apps is probably more suited to college use, and Microsoft isn’t going to like it, so is fighting back with lawyers (no surprise there).

For example, last year Microsoft backed a bill in the US state of Massachusetts to block the use of Google Apps in schools.

To quote: “An Act prohibiting service providers who offer cloud computing services to K-12 educational institutions from processing student data for commercial purposes.”

Pernicious as Microsoft’s education offering is, this bill does have a point and I find myself siding with Microsoft for once. In fact I’d go further – no one should be forced to use applications collecting personal data, even in further or higher education.

This is becoming more relevant as I understand many schools are now considering the use of Google for Education. If their students are under 18, how can they even give informed consent? And once the parents understand the issues, who would give consent on their behalf? In most jurisdictions, you need to be 13 or over (or 16+ in some parts of Europe) before you are allowed by Google to have a Google account, so it’s not like Google isn’t sensitive to the issue.

My sources inside the chocolate box tell me that the new Apps for Education will be advert free. When pushed, there was no guarantee that tracking wouldn’t happen – only that no adverts would be shown in the Apps themselves. Whether they will appear, based on tracking data, on other web sites remains to be seen and when the child reaches an “appropriate” age they’ll come with years of profile data. I’m awaiting clarification from Google on this matter.

(Update: Google has now publicly declared that they will not scan Apps for Education data for advertising purposes, however the devil is in the detail. They don’t say that they don’t scan it for other profiling reasons. And then I found this court document, unearthed by SafeGov, in which Google’s own lawyers admit that they do profile students’ email and suchlike, meaning they can target adverts in other circumstances.)

And then there’s the question of whether it’s a secure environment. Well, no, it’s not. But that applies to Office 365, most LMS (see blogs passim) and anything else that has public messaging – in this case GMail. Given the problems I’ve had with users of freemail accounts, including GMail, I can’t help but question the wisdom of allowing children access to it. When you’re signed up for Apps for Education you are supposed to be getting 24/7 support from Google, unlike Joe Public. Whether this helps resolve the issues remains to be seen. It’s also possible to turn off features centrally, such as Chat (an obvious thing to disable). Unfortunately, if you do turn off GMail there’s no other closed messaging system to use instead.

As with my earlier papers and articles concerning LMS systems, I’m not saying that Google Apps are inherently insecure. In fact, I’ve got a lot of confidence that Google data centres, in particular, are robust. If Google does deliver on its data use policy, and is providing this service free of charge and with no strings attached, that’s great news. Microsoft has had their way for far too long for it to be healthy. Google has stated that as Google was born out of a research project at Stanford, they now want to give something back to education and that’s their only motive. It’s nothing to do with scuppering Microsoft; how could you possibly think that?

Like all Internet-connected IT for use in schools, it’s the social risks that worry me the most, such as abuse of Internet email. If your school plans to use Google Apps, Office 365 or any other system with open email, just ask to see the risk assessment first.

That said, I’d still prefer to see educational establishments return to the open source model; Linux if you must, and OpenOffice. Computing by and for the people. Or perhaps those days are gone. We’re already stuck with a generation that now believes computing comes from large companies like Google and Microsoft. Sadly, I feel that it’s unlikely that most will have the technical talent in-house to make it happen.

Update:

Some of the concerns expressed here about data usage have now been addressed after Google signed up to this code of conduct IN THE USA.

Barclays launches biometric finger scanner

In a headline-grabbing move, Barclays bank has launched a finger-scanner for its customers to use when identifying themselves on-line. It’s not an easy-to-fool fingerprint scanner; this one examines the veins in the user’s finger to determine a match.

Like most biometric identity verification methods, I don’t think this is anything more than a gimmick – at least as it’s being reported (encouraged by Barclays) as some kind of future for consumer banking. They’re actually launching it for corporate users, where it probably does have a niche.

The problem with biometric identification is that it’s just as susceptible to attack as a password, but a lot more expensive. In fact, if someone uses a secure password, fooling biometrics is often quite easy in comparison.

Imagine how it works: The scanner examines the finger and passes metrics to the bank – just like a password. Because fingers are squishy and organic, the metrics will vary each time so the bank’s computer is only looking for a “close enough” match. Passwords have to be spot on.

So how can a vein scanner be fooled? Well, I’m sure they’re encrypting the data end-to-end to make a replay attack difficult (sending the same scan data twice). At least I hope they are! But at some point the data is unencrypted – it’s coming from analogue sensors looking at the finger. Hack the sensor and you’re away.

Barclays may have done something very clever, and I will watch with interest to see if this is true, but however it works, I can’t see it being any more secure.

So why bother? Simple – it’s more convenient. If you’ve got a load of computers in a corporation with different employees wandering around making bank transfers, you really want to know who’s doing what. Passwords in the public are one thing, but within an organisation, they get passed around. Usually the employees do this willingly, but someone with crooked intent can find them by other methods.

You can use smart-cards to identify employees, but these can be “borrowed” too. Using a finger makes sense. Vein scanners don’t work on dead fingers, so you can be fairly confident that the user is who you think it is. Weighed against the cost and reduction in total security, it’s probably a good thing.

As an ID form for the public, I think not! A corporate environment is controlled; it’s not the Internet. I would hope that companies can avoid having thousands of criminals trying to defraud them 24/7 working on the inside, but that’s exactly what you have on the wider Net.

(more to come)

Leaky iCloud

As I picked up my copy of Private Eye at the station newsagent just now I noticed the headlines on certain of the dailies going on about hackers stealing naked photos of celebrities from their Apple on-line storage areas. The fact that they were (apparently) celebrities and that they weren’t wearing clothes was the main point for the tabloids, but the big story is really the security of cloud storage.

Personally, I’d be very surprised if attackers had actually compromised Apple’s servers. More likely explanations would be an inside job, or the lusers’ endpoints. But my money would be on a phishing attack.

It does highlight, however, the danger of outsourcing your sensitive data to anyone.

In the 1980s the fad for outsourcing really took off. Professional engineers all said it was a bad idea then. If your company data is important, the last thing any business should do is trust it to someone else.

The term ‘cloud’ has become a trendy marketing concept in recent years. What it really means is “I have no idea and don’t care.” It was used in context as follows:

“Where is that service you’re using actually running?”

“Don’t know, somewhere up in the clouds!”

It was ironic. In the real world, admitting you’ve lost control of your data is hardly something anyone would be proud of. But suits heard the new buzzword and wanted some of it. And the punters quickly accepted the benefits (free stuff) without a thought to the risks.

So has Apple’s on-line storage been compromised? I doubt it’s been hacked. The technology is fairly robust. If you want to access iCloud data, Apple’s servers themselves are not the soft attack vector. The obvious method is to trick users into handing out their passwords. After all, any coy celebrity foolish enough to (a) take pictures of themselves in the buff; and (b) store them on someone else’s computer, is hardly going to be the brightest star in the sky.

The fact that fanbois seem to have been the victims in this case is irrelevant. They may have been easier targets if, indeed, it was a phishing attack. However, the general principle remains the same whoever is providing the service – Amazon, Google, Dropbox, Microsoft or one of the many startups trying to get a bit of the action. And the same goes for Facebook and the like – anyone uploading anything remotely sensitive to their servers needs to consider the implications. If you wouldn’t publish something directly on your web page for all to see, don’t send it to “the cloud” either.

The American gun-selling industry has long used the argument that firearms in themselves aren’t dangerous. It’s the users that are the problem. They’re right, in so far as the argument goes. Unfortunately, adding the human factor to cloud services makes the encryption, data centre security and other precautions taken by the providers irrelevant in the same way. People will be hurt. And “celebrities” will be caught with their pants down.

Windstream spammers

Poor old Windstream, or should that be Spamstream? Okay, perhaps not a laughing matter for them as stuff is coming from their outgoing mail cluster thick and fast, but we’ve just sent off a dozen samples and are awaiting a response. Pretty unremarkable, really, except they have an on-line help/chat facility and we just had to have a go…

Wendy: Hello, I am Wendy our Virtual Agent. I am here to help you with your support questions on High-Speed Internet, Digital TV and Home Phone.
You: We’re getting a lot of spam from a couple of your SMTP servers. Is there any reason why we shouldn’t blacklist all your IP addresses?
Wendy: I would be happy to help you set up your e-mail. Choose what you would like help with from the options below:
– Server and port settings for Windstream e-mail
– Detailed instructions to set up e-mail
Ho hum! Let’s hope their abuse department is better than their on-line support service. And sorry guys, but you are spewing…

Scammers ask for money for Ukrainian Government

We have intercepted a large number of spam e-mails sent from various compromised systems, pretending to be from the Ukrainian government and asking for donations to fight off those nasty Russian-backed separatists. Having checked, there is a pretty good chance that the scammers are actually based in Russia. It’s unclear whether this is in fact the work of president Putin, but perhaps he is trying to collect extra cash before the sanctions come into effect.

We have yet to see any serious attempt at exploiting the situation in Gaza, which is something of a surprise. Most likely they’re not making it through the basic spam filters.

No-IP back on-line

I’ve just had a note from No-IP that says that Microsoft has returned all twenty-three of the second-level domains it had seized by court order. It’ll obviously take a while for DNS to propagate. I’ve been testing this periodically, and it’s been a right mess with the Microsoft DNS failing to return anything in many cases.

I actually use No-IP for a couple of non-critical purposes, but I don’t use the hostname under their second-level domain directly. Given recent events, others may wish to follow the same idea. It comes down to customer routers on domestic ISP lines, and how you get to them easily if they’re on a dynamic IP address.

Basically, the trick is to add a CNAME record to your own zone file that points yourname.yourdomain.com at yourname.no-ip.net. You then program the router to register yourname.no-ip.net, but refer to it everywhere else as yourname.yourdomain.com. How does this help? Well, when the problem happens you only have to change your zone file. If you can find out the current dynamic IP you can set it as an A record directly. If (as was the case here) you need to choose a new second-level domain from No-IP’s remaining stock, all you need to do is change the zone file and the affected equipment. Anything else accessing it does so through yourname.yourdomain.com, and therefore can remain as-is.

It’s still a pain, and something for which Microsoft should probably pay (or their side of the story had better be spectacularly better than it has been thus far). But it’s somewhat less of a pain than if you’d programmed everything in your universe with the no-ip version.
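The zone-file change described above, as an added example that is not part of the original post or anything from No-IP: a constructed BIND-style zone for a placeholder example.com, with a helper that swaps the one CNAME for a new dynamic-DNS name or pins it to an A record, bumping the SOA serial as it goes. All names and addresses are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post or No-IP). Everything refers to
# router.example.com; only that single CNAME knows the No-IP name, so a seized
# or renamed No-IP domain is fixed by editing one record in the zone.
set -u

# Constructed zone for example.com with the CNAME indirection in place.
ZONE='$TTL 300
@      IN SOA ns1.example.com. hostmaster.example.com. ( 2014070101 3600 900 604800 300 )
@      IN NS ns1.example.com.
router IN CNAME yourname.no-ip.net.
www    IN A 192.0.2.10'

# Print the type and rdata of the record for host $2 in zone text $1.
lookup() {
  printf '%s\n' "$1" | awk -v host="$2" '$1 == host && $2 == "IN" { print $3, $4 }'
}

# Print the SOA serial of zone text $1 (field 7 of the one-line SOA above).
serial_of() {
  printf '%s\n' "$1" | awk '$3 == "SOA" { print $7 }'
}

# Replace the record for host $2 in zone text $1 with type $3 and rdata $4
# (a CNAME to a new No-IP name, or an A record if you know the current
# address), and increment the SOA serial so secondaries reload. Prints the
# rewritten zone; the router and clients keep using router.example.com.
rewrite_record() {
  printf '%s\n' "$1" | awk -v host="$2" -v type="$3" -v rdata="$4" '
    $1 == host && $2 == "IN" { print host, "IN", type, rdata; next }
    $3 == "SOA"              { $7 = $7 + 1 }
    { print }'
}

if [ "${1:-}" = demo ]; then
  echo "--- after moving to a new No-IP second-level domain (placeholder) ---"
  rewrite_record "$ZONE" router CNAME yourname.no-ip.example.
  echo "--- after pinning the known dynamic address directly ---"
  rewrite_record "$ZONE" router A 203.0.113.7
fi
```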


Microsoft wipes out No-IP in botched cyber security move

Microsoft has accidentally taken down potentially millions of dynamic IP users while going after subdomains used by criminals taking advantage of the free No-IP service, run by Vitalwerks Internet Solutions in Nevada. Yesterday (US time) they used a court order to take control of domains belonging to No-IP, which their users map to their temporary dynamic addresses, and stopped them all from working. According to No-IP themselves, what Microsoft tried to do is redirect the domain names to their own servers and filter off the bad ones, but they failed spectacularly because Microsoft’s servers weren’t up to the job (as per usual) and collapsed under the weight of traffic.

No-IP are decidedly hacked off by Microsoft, pointing out that they have a good reputation when it comes to dealing with abuse and had Microsoft but contacted them about the sub-domains in question they’d have done something about it. Instead, secretly, Microsoft goes and gets a court order and acts without warning.

According to Richard Boscovich, Assistant General Counsel, Microsoft Digital Crimes Unit, “Despite numerous reports by the security community on No-IP domain abuse, the company has not taken sufficient steps to correct, remedy, prevent or control the abuse or help keep its domains safe from malicious activity”. He’s referring to Cisco here, as far as I know. The security community regularly reports on all anonymous free services, all of which are exploited by criminals. As yet, I’ve heard nothing from Microsoft to actually back his statement up. In another post, Microsoft’s Tom Rains, a marketing manager in their Trustworthy Computing division, explains that they were after Bladabindi and Jenxcus, both of which use No-IP-provided subdomains for their C&C. He doesn’t imply any wrongdoing by Vitalwerks, or justify the way Microsoft has treated them.

Quite why Microsoft has any claim to be the world’s cyber-police is hard to see, given that most criminals (based on our research) prefer Microsoft’s free, no-checks, outlook.com email service. Perhaps Microsoft should try getting its own house in order first?

I’m still waiting for any official comment back from Microsoft.


How to hack UNIX and Linux using wildcards

Leon Juranic from Croatian security research company Defensecode has written a rather good summary of some of the nasty tricks you can play on UNIX sysadmins by the careful choice of file names and the shell’s glob functionality.

The shell is the UNIX/Linux command line, and globbing is the shell’s wildcard argument expansion. Basically, when you type in a command with a wildcard character in the argument, the shell will expand it into any number of discrete arguments. For example, if you have a directory containing the files test, junk and foo, specifying cp * /somewhere-else will expand to cp foo junk test /somewhere-else (the shell sorts the matches) when it’s run. Go and read a shell tutorial if this is new to you.

Anyway, I’d thought most people knew about this kind of thing but I was probably naïve. Leon Juranic’s straw poll suggests that only 20% of Linux administrators are savvy.

The next alarming thing he points out is as follows:

Another interesting attack vector similar to previously described 'chown' attack is 'chmod'.
Chmod also has --reference option that can be abused to specify arbitrary permissions on files selected with asterisk wildcard.

Chmod manual page (man chmod):
--reference=RFILE
use RFILE's mode instead of MODE values

Oh, er! Imagine what would happen if you created a file named “--reference=myfile”. When the root user ran “chmod 700 *” it’d end up setting the access permissions on everything to match those of “myfile”. chown has the same option, allowing you to take ownership of all the files as well.

It’s funny, but I didn’t remember seeing those options to chmod and chown. So I checked. They don’t actually exist on any UNIX system I’m aware of (including FreeBSD). On closer examination it’s an enhancement of the Linux bash shell, where many a good idea turns out to be a new vulnerability. That said, I know of quite a few people using bash on UNIX.

This doesn’t detract from his main point – people should take care over the consequences of wildcard expansion. The fact that those cool Linux guys didn’t see this one coming proves it.

This kind of stuff is (as he acknowledges) nothing new. One of the UNIX administrators I work with insists on putting a file called “-i” in every directory to stop wild-card file deletes (-i as an argument to rm forces an “Are you sure?” prompt on every file). And then there’s the old chestnut of how to remove a file with a name beginning with a ‘-‘. You can easily create one with:
echo test >-example
Come back tomorrow and I’ll tell you how to get rid of it!

Update 2nd July:

Try this:
rm ./-example
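The --reference trick and its defences, as an added example that is not from the original post or the Defensecode paper: a throwaway directory holds a file named --reference=world.txt, a bare wildcard hands it to chmod as an option, and the two habitual guards (ending options with -- or anchoring the glob as ./*) keep it as a plain file operand. It assumes GNU coreutils, which is where chmod’s --reference option and the stat -c and find -printf flags come from; all file names and contents are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post or Defensecode). Assumes GNU
# coreutils: chmod --reference, stat -c and find -printf are GNU extensions.
set -u

# Create the scratch directory: one private file, one world-readable file and
# an option-looking name. All contents are constructed for this demo.
make_demo_dir() {
  dir=$(mktemp -d) || return 1
  printf 'secret\n' > "$dir/secret.txt" && chmod 600 "$dir/secret.txt"
  printf 'public\n' > "$dir/world.txt"  && chmod 644 "$dir/world.txt"
  : > "$dir/--reference=world.txt"
  printf '%s\n' "$dir"
}

# Octal mode of a file; "--" stops stat treating odd names as options too.
mode_of() { stat -c '%a' -- "$1"; }

# Audit check: list entries whose names begin with "-". Run this before using
# a bare wildcard in any directory that untrusted users can write to.
find_option_like_names() {
  find "$1" -mindepth 1 -maxdepth 1 -name '-*' -printf '%f\n' | sort
}

# Unsafe form: "*" expands to include "--reference=world.txt"; chmod parses it
# as an option, treats 700 as a (missing) file name and copies world.txt's mode
# onto everything else. Returns the mode secret.txt ends up with.
unsafe_chmod() {
  ( cd "$1" && chmod 700 * 2>/dev/null ) || :
  mode_of "$1/secret.txt"
}

# Safe form: "--" ends option parsing, so every expanded name is an operand.
# Writing ./* instead of * has the same effect. Returns secret.txt's new mode.
safe_chmod() {
  ( cd "$1" && chmod 700 -- * )
  mode_of "$1/secret.txt"
}

if [ "${1:-}" = demo ]; then
  d=$(make_demo_dir)
  echo "option-like names:        $(find_option_like_names "$d")"
  echo "after 'chmod 700 *':      secret.txt is $(unsafe_chmod "$d")"
  echo "after 'chmod 700 -- *':   secret.txt is $(safe_chmod "$d")"
  rm -rf -- "$d"
fi
```

The same audit applies to rm, chown, tar and anything else that accepts options, which is why the ./-example form in the update above works: the leading ./ means the name can never begin with a dash.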

Smart TVs attacked over the airwaves

A group of researchers from Columbia University have published the results of some experiments with mixed mode digital TV broadcasts here.

The problem is that the new but widely implemented HbbTV standard allows HTML to be embedded in with the picture data. What could possibly go wrong?

Well apart from the fact you only need an encoder and transmitter to mess up all the sets in range by sending them HTML spam, the Columbians reckon that with the right HTML you can turn people’s tellies into a botnet and attack targets through their internet connection. I’m not yet convinced this will work in practice, but building a web browser into anything has always been risky when it implements more than plain HTML. It’s always been possible to broadcast alternative TV and radio signals over the top of legitimate channels, but generally, it doesn’t happen in practice.