More Fraud on Amazon Marketplace

Fancy a roll of sellotape for £215.62? Amazon has this and 708,032 other products listed by a seller called linkedeu, whose full range can be found here:
https://www.amazon.co.uk/s?merchant=AA722TCREQZHH.

This isn’t the first time sellers like this have appeared, and it won’t be the last. However, this time I’ve reported it to Amazon and I intend to time their response. How could they let some fraudster list nearly quarter of a million items without anyone checking?

The seller does have a business address in California, but I suspect this is fake too, and the name and address may well be a legitimate company.


ParentPay seriously broken (again)

400 Bad Request
ParentPay, the Microsoft-based school payment system that’s the bane of so many parents’ lives, has yet another problem. Since Saturday, every time I go to their web site I get a page back that displays as above. Eh? Where does this page come from – it’s not a browser message. A look at the source reveals what they’re up to:

<html>
<head><title>400 Request Header Or Cookie Too Large</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<center>Request Header Or Cookie Too Large</center>
<hr><center>nginx</center>
</body>
</html>
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->


Okay, but what the hell is wrong? This is using Chrome Version 56.0 on a Windows platform. Can ParentPay not cope with its standard request header? If a cookie is too large, the only culprit can be ParentPay itself for storing too much in its own cookie.

I’ve given them three days to fix it.

Unfortunately, parents of children at schools are forced to use this flaky web site and hand over their credit card details. How much confidence do I have in their technology? Take a guess!

Solution

So what to do about this? Well, they have the URL https://parentpay.com, so I tried that too. It redirected to the original site, with a slightly different error message sent from the remote server – one that omitted mention of cookies. So it was definitely Chrome’s header? Upgrade Chrome from 56.0 to 57.0, just in case… No dice.

A look at the cookies it stored was interesting. 67 cookies belonging to this site? I know Microsoft stuff is flabby, but this is ridiculous! Rather than trawling through them, I just decided to delete the lot.

That worked.

It appears ParentPay’s bonkers ASP code had stored more data in my browser than it was prepared to accept back. Stunning!
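As an added illustration (not ParentPay's or nginx's code), this script builds the Cookie header a browser would send for a site and checks it against nginx's default 8k large_client_header_buffers size, the limit behind the "Request Header Or Cookie Too Large" response; the 67-cookie sample is constructed.

```python
# Added example: estimate the Cookie request header for a site and compare it
# with nginx's default header buffer. nginx answers "400 Request Header Or
# Cookie Too Large" when a single header line does not fit in one buffer of
# large_client_header_buffers (default size 8k).

NGINX_DEFAULT_HEADER_BUFFER = 8 * 1024  # bytes


def cookie_header(cookies):
    """Build the Cookie header value exactly as a browser sends it."""
    return "; ".join(f"{name}={value}" for name, value in cookies)


def audit_cookie_header(cookies, limit=NGINX_DEFAULT_HEADER_BUFFER):
    """Return the header size in bytes, whether it exceeds `limit`, the cookie
    count and the five largest cookies (name, bytes) so the culprits are visible."""
    header = "Cookie: " + cookie_header(cookies) + "\r\n"
    size = len(header.encode("utf-8"))
    by_size = sorted(cookies, key=lambda c: len(c[0]) + 1 + len(c[1]), reverse=True)
    return {
        "bytes": size,
        "too_large": size > limit,
        "count": len(cookies),
        "largest": [(name, len(name) + 1 + len(value)) for name, value in by_size[:5]],
    }


# Constructed sample: 67 cookies, as the post describes, each with a ~150 byte value
SAMPLE_COOKIES = [(f"ASP.NET_State{i}", "x" * 150) for i in range(67)]

if __name__ == "__main__":
    report = audit_cookie_header(SAMPLE_COOKIES)
    print(f"{report['count']} cookies, {report['bytes']} bytes, too large: {report['too_large']}")
    for name, size in report["largest"]:
        print(f"  {name}: {size} bytes")
```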


M A G Airports web site exploitable for mailbombing attacks

Last July I was surprised to receive an email of “special offers” from Manchester Airport. I’ve only ever been to Manchester once, and I drove. It was actually sent to a random email address; was the company just sending out random spam?

I checked, and visiting their web site produced a JavaScript pop-up asking you to enter your email address to receive special offers. I wondered if I’d accidentally confirmed acceptance to be added to the wrong mailing list, so I checked. No. Apparently this sign-up doesn’t bother to confirm that you actually own the email address entered; it just starts spamming whoever you ask it to.

It got worse. A look at the code showed it was easy for someone to make a load of calls to their site and add as many bogus addresses as they liked at the rate of several every second.

And it gets even worse – a quick look at the sites for other airports operated by MAG showed identical pop-up sign-ups (Stansted, Bournemouth and East Midlands).

Naturally I called them to let them know what a bunch of silly arses they were. After being passed around from one numpty to another, I was promised a call back. “Okay, but I’ll go public if you don’t bother”.

Guess what? That was last July and they haven’t bothered. They did, however, remove the pop-up box eventually. They didn’t disable it, however. The code is still there on a domain owned by MAG Airports, and you can still use it to do multiple sign-ups with no verification.

So what are they doing wrong? Two things:

  1. Who in their right mind would allow unlimited sign-ups to a newsletter without verifying that the owner of the email address actually wanted it? Were they really born yesterday? Even one of the MD’s kids writing their web site wouldn’t have made such an elementary mistake.
  2. Their cyber-security incident reporting mechanisms need a lot of work. Companies that don’t have a quick way of hearing about security problems are obviously not doing themselves or the public any favours.
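The hardened version of such a sign-up, as an added example rather than anything from MAG's site: a confirmation token only the server can mint, so an address is subscribed only when its owner follows the link, plus a per-client rate limit so a script cannot enqueue several addresses a second; SERVER_SECRET and the limits are assumed values.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict

# Added example, not MAG Airports' code. Two fixes for the two flaws above:
# double opt-in (an address is subscribed only when its owner follows a link
# carrying a server-minted HMAC token) and a per-client rate limit on sign-ups.

SERVER_SECRET = secrets.token_bytes(32)  # constructed; load from config in practice
TOKEN_TTL = 24 * 3600                     # confirmation links valid for one day
RATE_LIMIT = 3                            # sign-up requests per client per window
RATE_WINDOW = 60                          # seconds

_requests = defaultdict(list)             # client id -> recent request timestamps
subscribers = set()                       # only confirmed addresses land here


def _sign(email, expires):
    msg = f"{email.lower()}|{expires}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def request_signup(email, client_id, now=None):
    """Step 1: rate-limit, then mint the confirmation token that is emailed to
    the address. Nothing is subscribed yet. Returns None when rate-limited."""
    now = time.time() if now is None else now
    recent = [t for t in _requests[client_id] if now - t < RATE_WINDOW]
    if len(recent) >= RATE_LIMIT:
        _requests[client_id] = recent
        return None
    recent.append(now)
    _requests[client_id] = recent
    expires = int(now) + TOKEN_TTL
    return f"{email.lower()}|{expires}|{_sign(email, expires)}"


def confirm_signup(token, now=None):
    """Step 2: subscribe only on a valid, unexpired token, i.e. when the
    mailbox owner (not whoever typed the address) followed the link."""
    now = time.time() if now is None else now
    try:
        email, expires, sig = token.rsplit("|", 2)
        expires = int(expires)
    except ValueError:
        return False
    if now > expires or not hmac.compare_digest(sig, _sign(email, expires)):
        return False
    subscribers.add(email)
    return True
```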

One assumes that MAG Airports doesn’t have any meaningful cybersecurity department; nor any half-way competent web developers. I’d be delighted to hear from them otherwise.

In the meantime, if you want to add all your enemies to their spamming list, here’s the URL format to do it:

Okay, perhaps not but if it’s not fixed by the next time I’m speaking at a conference, it’s going on the demo list.


It’s official – the Ruskies got Trump elected

This weekend the news has been full of the story that the CIA has accused Russia of swinging the US presidential election in favour of Donald Trump. Their evidence? Not much to speak of. Normally I’d be commenting on the technical merits of this kind of thing, but there are no technical details to back any of this up.

Apparently someone with “links to the Russian government” handed a bunch of pilfered emails to WikiLeaks that showed Hillary Clinton in a bad light. Let’s look at these features in order.

  1. A lot of prominent people, companies and organisations have links to the Russian Government. They’re trying to imply Putin was behind it, but that’s hardly proof. In fact they’re rather coy about identifying the source of the leak anyway.
  2. WikiLeaks has a very good system in place to make it impossible to identify the source of any uploads. That’s the whole point. The identity of the uploader can only be conjecture.
  3. Hillary Clinton can come across as crooked without the help of the Russians. As can Trump, of course. Anyone could have obtained those emails and uploaded them. The most likely source is an insider; and it’s likely every foreign intelligence agency was reading them before long. And anyway, you could argue that someone has done the American people a great favour by exposing dodginess.

It’s worth remembering that the largest number of cyber attacks originate from the USA, not Russia or China. Yet some people persist in blaming them any time something goes wrong. Doubtless they are behind some of it, but let’s get this in perspective.

It’s no secret that Putin and the Russian government are likely to prefer Trump to Clinton. Trump is telling it like it is on foreign policy, especially in the Middle East, whereas the American establishment is defending the indefensible corner they’ve painted themselves into. Trump realises the Cold War is over, the CIA doesn’t. Whatever else you think about them, I’m sure both leaders recognise each other as being able to do business.

Trump dismissed the latest fluff pointing out that the information came from the same people as “Saddam Hussein’s Weapons of Mass Destruction”. He has a point.


National Lottery Accounts compromised

This morning Camelot released the news that they’d detected suspicious logins on 26,000 of its on-line punter accounts, of which 50 had been altered. As far as they know. They’re keen to stress that this doesn’t affect their core system (i.e. can’t be used to fiddle the payouts).

It’s entirely possible that they haven’t been breached at all – people could be re-using passwords taken in an earlier heist. What’s odd is that someone has accessed thousands of accounts but done nothing with them. Why? Kiddies, possibly.

If this is as Camelot is currently reporting, well done to them for spotting the suspicious logins and acting fast.

Enough with this “Trump Crashes Immigration Site” rubbish!

Ha Ha Ha! On Wednesday, Canada’s web site for prospective immigrants crashed under the weight of Americans trying to escape from a USA run by Donald Trump. Really? Now other immigration sites such as New Zealand’s are reporting similar problems and certain media outlets are lapping it up.

It’s a funny story, but I suspect that it’s too good for some people to check the facts.

There are two possibilities here:

  1. A load of Americans panicked suddenly.
  2. Some jokers decided a DDoS attack at this point, to make it appear Americans were panicking, would be funny.

In the absence of any evidence to the contrary, I think option two is way more likely. People have been joking about the “move to Canada” option for months.

Are you a Tesco bank customer? Please verify your details. Spam meets salami.

I’m surprised I haven’t seen any phishing emails targeting hapless Tesco Bank customers following the publicity surrounding the weekend’s account raids. Give them a few more minutes.

Details on what happened are very thin on the ground. This morning on R4 Today they were saying a few thousand, but less than 10K customers had been affected. Estimates are now going up to 20K. But what’s interesting is this appears to be close to a good old fashioned salami raid, a term that the newbies in security may not even have heard of.

A salami raid got its name from thinly cut salami (a kind of foul-smelling sausage). If you cut off a thin slice, no one will notice, and if you do this to a large number of unfortunate sausages, none of their owners are likely to spot it but you’ll end up with a lot of processed meat.

Traditionally this approach was employed by computer programmers diverting pennies from a large number of accounts into their own, but it’s unlikely to be the case with Tesco. The spotlight is likely to fall on people making use of the on-line banking facility to enrich themselves using other people’s logins, although I find it curious that accounts weren’t emptied while they had the chance.
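An added example (not the bank's code) of what the salami pattern looks like from the defender's side: flag any beneficiary that receives small slices from many distinct accounts, which is exactly what a thin slice from each of thousands of customers adds up to; the transaction records and thresholds are constructed.

```python
from collections import defaultdict
from statistics import median

# Added example: detect the salami pattern described above in a batch of
# transfers. Records are constructed tuples: (source_account, dest_account, pence).


def salami_candidates(transactions, min_sources=20, max_slice=500, ratio=0.9):
    """Return beneficiaries paid small slices by many distinct sources.

    A destination is flagged when at least `min_sources` distinct source accounts
    paid it and at least `ratio` of those payments were <= `max_slice` pence.
    A shop with many normal-sized customers is not flagged; a mule account
    collecting 99p from everyone is."""
    by_dest = defaultdict(list)
    for src, dst, amount in transactions:
        by_dest[dst].append((src, amount))
    flagged = {}
    for dst, payments in by_dest.items():
        sources = {src for src, _ in payments}
        small = sum(1 for _, amt in payments if amt <= max_slice)
        if len(sources) >= min_sources and small / len(payments) >= ratio:
            flagged[dst] = {
                "distinct_sources": len(sources),
                "payments": len(payments),
                "total_pence": sum(amt for _, amt in payments),
                "median_slice": median(amt for _, amt in payments),
            }
    return flagged


# Constructed sample: 40 customers each losing a 99p slice to MULE-1, plus
# ordinary traffic (25 purchases from a shop, one rent payment).
SAMPLE_TX = [(f"CUST-{i:04d}", "MULE-1", 99) for i in range(40)]
SAMPLE_TX += [(f"CUST-{i:04d}", "SHOP-7", 4599) for i in range(25)]
SAMPLE_TX += [("CUST-0001", "LANDLORD-3", 85000)]

if __name__ == "__main__":
    for dst, info in salami_candidates(SAMPLE_TX).items():
        print(dst, info)
```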

Has LinkedIn had its data blagged again?

This could very well be related to the breach that occurred in May, but it might be a new one.

This morning a trap email account, known only to me and LinkedIn, started to receive a lot of spam of a similar nature. This hasn’t happened before. For anyone else to be aware of this address’s existence it had to be stolen from me or from LinkedIn, or possibly by monitoring an ISP if not encrypted en route. I’m pretty confident that it wasn’t stolen from me; the system it exists on is pretty secure and under my nose. As an added measure, all addresses are stored with additional traps that aren’t known to a third party, and if none of these is used it’s reasonable to assume that the data wasn’t pinched from me.

Monitoring an ISP is possible, but I don’t think it’s likely.

This means the address was probably stolen from LinkedIn. It’s hard to know for sure whether this was in May or later, but there was no indication it had gone missing until this morning so it’s worthy of more investigation.

Has anyone else suddenly started receiving spam on a linkedin-specific address?

Google Drive Hacked to spew Spam

Early this morning (GMT) I intercepted emails trying to sell a Chinese business signage product that had been spammed to spambait addresses left on web pages. Nothing new there, but having analysed the source I discovered that the Google Drive “cloud” storage system was still being abused to send them out. I saw the first such incident about a month ago.

Basically the crims are creating a Google Drive account and then sharing it with a large number of people using a custom message. The name of the file becomes the title, and the sales pitch goes in the body:

Dear Sirs,

From internet we know you are leading on AV/TV product reseller field.

Sysview is a digital signage software, capable change your existing smart TV to a digital signage . Sysview features following :

The only surprise about this is that no one has exploited it before. It’s going to be very difficult to filter out without hitting all Google cloud services, and Google’s “sign-up free without asking questions” policy is going to make it hard for them to tackle.

Come on Google! You’ve had at least a month to get this sorted, to my certain knowledge. Google could be forgiven for failing to secure the system against such abuse in the first place, but I’m not going to. This is a common sense failure.

Internet of Things Botnet Menace

Forget self-aware AI systems taking over the world. If you read the hype over DDoS attacks you’d be forgiven for thinking an army of internet connected devices was on the march, herded by a gang of amateur criminals – the IoT bites back!

This isn’t about anything new, but the fact it’s being used in recent record-breaking DDoS attacks has brought the matter to the fore.

And then yesterday the code for one of the two main botnets, Mirai, turned up, posted on Hackforums by its originator, probably. The other similar botnet is known as Bashlite, but I understand it works in the same way and attacks the same devices. Originators of such code usually dump it in the public domain when they feel that they’re about to be busted. It makes it harder to prove they’re behind an attack when other people have, and are likely using, the same code.

A look at the code itself confirms what many have suspected for a long time; some CCTV equipment can be appropriated for naughty purposes. Unfortunately the affected equipment originates in China and is sold to a wide variety of companies who put their own badge on it, and sometimes customise the software. It’s basically a generic network-enabled Digital Video Recorder (DVR), with the generic name H.264 Recorder. Getting it all patched isn’t going to happen as there is no update mechanism, but if people changed their password to something hard to guess, rather than leaving it as the default 1234, the world would be a better place.

I’ve been looking at this type of CCTV equipment for over a decade, ordering an embarrassing number of samples from Alibaba and the like and building up a collection to rival my disparate VoIP endpoints. They have a lot in common – very little in the way of security or robustness in the face of attack. My advice to anyone using such kit is to install it behind NAT and use a VPN to access it externally.

But getting back to my theme, the media hype suggests that all sorts of IoT things have been hijacked. Unless I see any evidence to the contrary, this is simply not true. The CODE released targets one type of network DVR, and, in reality, it can’t even persist if the device is power-cycled. However, reports suggest that the time taken for the botnet to re-establish itself is very short.

I’ll be updating this article in the next few days once I’ve checked out a few facts concerning the code.