Posted on

Microsoft wipes out No-IP in botched cyber security move

Microsoft has accidentally taken down potentially millions of dynamic IP users while going after subdomains used by criminals taking advantage of the free No-IP service, run by Vitalwerks Internet Solutions in Nevada. Yesterday (US time) they used a court order to take control of domains belonging to no-IP, which their users map to their temporary dynamic addresses, and stopped them from all from working. According to No-IP themselves, what Microsoft tried to do is redirect the domain names to their own servers and filter off the bad ones, but they failed spectacularly because Microsoft’s servers weren’t up to the job (as per usual) and collapsed under the weight of traffic.

No-IP are decidedly hacked off by Microsoft, pointing out that they have a good reputation when it comes to dealing with abuse and had Microsoft but contacted them about the sub-domains in question they’d have done something about it. Instead, secretly, Microsoft goes and gets a court order and acts without warning.

According to, Richard  Boscovich, Assistant General Counsel, Microsoft Digital Crimes Unit, “Despite numerous reports by the security community on No-IP domain abuse, the company has not taken sufficient steps to correct, remedy, prevent or control the abuse or help keep its domains safe from malicious activity”. He’s referring to Cisco here, as far as I know. The security community regularly reports on all anonymous free services, all of which are exploited by criminals. As yet, I’ve heard nothing from Microsoft to actually back his statement up. In another post, Microsoft’s Tom Rains, a marketing manager in the their Trustworthy Computing division, explains that they were after Bladabindi and Jenxcus, both of which use No-IP provided subnets in the C&C. He doesn’t imply any wrongdoing by Vitalwerks, or justify the way Microsoft has treated them.

Quite why Microsoft has any claim to be the world’s cyber-police is hard to see, given that most criminals (based on our research) prefer Microsoft’s free, no-checks, outlook.com email service. Perhaps Microsoft should try getting its own house in order first?

I’m still waiting for any official comment back from Microsoft.

 

Posted on

How to hack UNIX and Linux using wildcards

Leon Juranic from Croatian security research company Defensecode has written a rather good summary of some of the nasty tricks you can play on UNIX sysadmins by the careful choice of file names and the shell’s glob functionality.

The shell is the UNIX/Linux command line, and globbing is the shell’s wildcard argument expansion. Basically, when you type in a command with a wildcard character in the argument, the shell will expand it into any number of discrete arguments. For example, if you have a directory containing the files test, junk and foo, specifying cp * /somewhere-else will expand to cp test junk foo /somewhere else when it’s run. Go and read a shell tutorial if this is new to you.

Anyway, I’d thought most people knew about this kind of thing but I was probably naïve. Leon Juranic’s straw poll suggests that only 20% of Linux administrators are savvy.

The next alarming thing he points out is as follows:
Another interesting attack vector similar to previously described 'chown'
attack is 'chmod'.
Chmod also has --reference option that can be abused to specify arbitrary permissions on files selected with asterisk wildcard.

Chmod manual page (man chmod):
--reference=RFILE
use RFILE's mode instead of MODE values

 

Please generate and paste your ad code here. If left empty, the ad location will be highlighted on your blog pages with a reminder to enter your code. Mid-Post

Oh, er! Imagine what would happen if you created a file named “–reference=myfile”. When the root user ran “chmod 700 *” it’d end up setting the access permissions on everything to match those of “myfile”. chown has the same option, allowing you to take ownership of all the files as well.

It’s funny, but I didn’t remember seeing those options to chmod and chown. So I checked. They don’t actually exist on any UNIX system I’m aware of (including FreeBSD). On closer examination it’s an enhancement of the Linux bash shell, where many a good idea turns out to be a new vulnerability. That said, I know of quite a few people using bash on UNIX.

This doesn’t detract from his main point – people should take care over the consequences of wildcard expansion. The fact that those cool Linux guys didn’t see this one coming proves it.

This kind of stuff is (as he acknowledges) nothing new. One of the UNIX administrators I work with insists on putting a file called “-i” in every directory to stop wild-card file deletes (-i as an argument to rm forces an “Are you sure?” prompt on every file. And then there’s the old chestnut of how to remove a file with a name beginning with a ‘-‘. You can easily create one with:
echo test >-example
Come back tomorrow and I’ll tell you how to get rid of it!

Update 2nd July:

Try this:
rm ./-example

Posted on

Hotpoint FDW65A dishwasher recall

I should be happy with Hotpoint. They have identified a fault in one of the modules fitted to the FDW20 FDW60 and FDW65A dishwashers that could lead to them catching fire. They’ve also traced customers (such as myself), written to them and asked to replace the module, using a “qualified engineer”. Are they bothering to use qualified engineers rather than trained technicians for such a menial job? Well I’m for anyone employing qualified engineers (with an engineering degree; registered with the engineering council and so on). I do hope they’re not telling porky pies about their educational status. I’ll let you know when he/she turns up!

For I have been waiting at home since 8am for said engineer to arrive. Apparently, if you have a “mobile”, they’ll TXT U A MRE PRCSE TM. If you don’t, or you’re in a zero coverage area so can’t receive SMS, you’re reliant to them to call you with a time. And I’ve been waiting by the ‘phone for just such a call. Or email, as arranged last week with customer services.

You can, however, call the premium rate telephone number that is given on the on the original letter and repeated prominently on subsequent emails. I think not. Anyone pulling this stunt in complete contempt of their supposedly valued customers doesn’t deserve any. They don’t even give a “premium rate” warning when quoting it, so I’m writing to Ofcom after I’ve posted this.

If you have one of these machines, sold in the UK with a serial number greater than 60600xxxxxxx, you can email them on fdw@hotpoint.co.uk. Hotpoint is actually a “brand” owned by Indesit, and you can call them at normal rates on 01733 287691 and try to get to the right department. If and when this engineer turns up I’ll update with the actual nature of  the fault (for any other qualified engineers out there who may be curious!)

 

Update:

Well the guy turned up and he was very nice, helpful and I can’t complain at all about him – in fact I’d have him back! He discovered about the cellphone blackspot when trying to get his laptop to connect back to base though. It turns out that the “problem” is with discrete spade connectors to the control board. Apparently this has been known to cause problems, presumably when they’re strained. So, new control board with caged contacts. I pointed out that this was a tenuous design flaw at best, but it turns out that BBC Watchdog has featured it. It sounds like more shoddy journalism blowing it out of proportion again.

 

Posted on

Smart TVs attacked over the airwaves

A group of researchers from Columbia University have published the results of some experiments with mixed mode digital TV broadcasts here.

The problem is that the new but widely implemented HbbTV standard allows HTML to be embedded in with the picture data. What could possibly go wrong?

Well apart from the fact you only need an encoder and transmitter to mess up all the sets in range by sending them HTML spam, the Columbians reckon that with the right HTML you can turn people’s tellies into a botnet and attack targets through their internet connection. I’m not yet convinced this will work in practice, but building a web browser in to anything has always been risky when it implements more than plain HTM. It’s always been possible to broadcast alternative TV and radio signals over the top of legitimate channels, but generally, it doesn’t happen in practice.

 

Posted on

Anonymous to attack World Cup sponsors

According to an article in the Guardian, Anonymous is planning attacks on World Cup sponsors to coincide with the football tournament in a few days time. Whilst I certainly disapprove of all types of cybercrime, I have to admit that the rationale for such an escapade has my sympathy.

Someone calling himself Che Commodore has claimed to be part of the Anonymous collective, and is a name that popped up a lot last year in connection with Anonymous Brazil. He’s hacked off because the Brazilian government is spending loads of money on a football tournament while people in the country are starving (putting the case directly and emotively). Attacking the commercial sponsors for colluding with this is an obvious choice.

Is he serious about the threat? The Guardian figures he must be, because he wouldn’t be boasting about it early unless everything was in place. I’m less convinced. Forewarning allows sites to get ready to use scrubbing centres against DDoS attacks. Is it really a “watch this space”, or is it a bluff? In the absence of any evidence that the self-styled Anonymous Brazil has the capabilities to carry out such an attack, I have to disagree with the Guardian (once again) and go with it being a bluff. But it’s a good one, as it’s raised awareness of the warped priorities that lead to huge amounts of money being spent on sports tournaments, in excesses reminiscent of the circus maximus. But you can only bluff once, and I suspect Mr Commodore’s stunt isn’t going to go down well with other users of the anonymous Moniker.

Personally I’m already boycotting as many of the sponsors as I can, but the intrigue has got me marginally interested in the World Cup for the first time ever.

 

Posted on

The Kitchen Scrappage/Recycling Scheme (cold call scam)

They’re at it again – cold-calling households (or numbers they think are households) with recorded messages from abroad. If you hang up they are pretending this means you would like to hear more, and call back from the UK (judging by the accent) but withholding their CLI. They do this to avoid prosecution  under the  Privacy and Electronic Communications (EC Directive) Regulations 2003. They’re also not prepared to give any contact details when asked. They are obviously working a con.

Their choice of name suggests they’re connected with official government initiatives such as the widely publicised boiler and car scrappage schemes, but there’s no such scheme in reality.

So what’s their con? Are they trying to pressure sell dodgy kitchens? Or obtain personal details for sale for marketing purposes? This is what the Information Commissioner’s Office think. Certainly, if they were trying to sell kitchens they’d be able to at least tell you which company they were calling from. I’ve just tied the low-life calling me in knots on that one. “Contact details?”, “No, but are you interested in a new kitchen.”, “I might be, but I can’t buy one from anyone without contact details, can I?”, “Er….”

Previously I’d listened longer to the spiel, and they were asking details about your existing kitchen, and then moving on to household income and other dodgy stuff. I had to lie to keep them talking, as they were calling the office and we don’t have that kind of kitchen.

These people are not complying with the TPS block-lists, and going to some trouble to avoid prosecution for cold-calling. I doubt they’re legitimate in any way, but the foregoing is enough to demonstrate that you can’t trust them. The ICO doesn’t have a number trace to go on, but complain anyway (on this link) and leave them to do the leg-work with better resources.

 

Posted on

eBay security problem in February – just noticed!

Well, it had to happen. Today eBay announced a serious security compromise. Apparently someone’s got hold of employee login details that allowed access to databases containing customer names and contact details, together with a password hashes.

Should anyone be worried?

Well, a hashed password isn’t a password but it’s possible to crack, especially if it was a weak one (i.e. a word or two words conflated, with a digit on the end and possibly a full stop). eBay says that there’s no evidence of anything fraudulent transactions. Yeah, great. The problem is going to come when people have used the same password elsewhere, like on their PayPal account, bank account or somewhere important – armed with their contact details and a crackable password, those people could be in real trouble.

eBay is due to email everyone very soon to ask them to change their password. It’s called shutting the stable door once the horse has bolted – this data may have been in the hands of the criminals for a couple of months now. You don’t need to change your eBay password; you need to change the password on every system that used it.

The sooner this antiquated means of verifying identity was replaced by secure public certificates, the better – by the punters won’t understand how those work.

So what does this mean? Your password was secure but now it isn’t? No. It was only secure before if you trusted the eBay employees. And a find upstanding bunch they are.

Next, of course, the scammers are going to spam everyone with phishing eBay credential change emails. And when this hits the news, who’s going to disbelieve it. eBay really needed to manage the news dissemination better.

 

 

Posted on

New way to deal with cold callers

I’ve just had another cold-call from one of those idiots from a call centre located a long way to the East. “Hello, I am from Choice UK…”

It’s insulting that they’d be so stupid as to believe anyone would be so stupid as to believe they’re in the UK, or anywhere nearby.  But I found another way to turn the tables – “Prove it.”, I said. When he’d figure out what it meant he asked “How can I do that?”

“If you’re from the UK you can tell me the first line of the National Anthem?”. As usually happens eventually, he hung up.

So what are these people up to? Well, EU Law makes it illegal for companies to cold-call people without their permission. The is implied if there’s a pre-existing business relationship, but cold-calls are out. Great! A law from Brussels that we all like. Except it’s pointless – locate your call centre in Hyderabad and no EU member state can touch you. As a bonus, you can hire a load of cheap local labour to do the calling.

Now these outfits don’t try to sell you anything. To be honest, their English isn’t good enough anyway. What they’re doing is canvassing so they can sell your details on to companies in the UK. One you’ve said “yes” to a question like “Would you like to know how to save money on electricity?”, then, according to their interpretation, you’ve given permission for a UK company to call you with their latest special offer.

Of course, these are not honest people. They’ll sell your name on whether you said “yes” or “*$^@: Off!” And companies in the UK trying to mount a telephone marketing campaign within the law will buy the data and call you anyway.

I’ve spoken to a few companies buying false data about me (apparently I’ve been seriously injured in a car crash). They trace back to a company called Communication Avenue in Newark on Trent. If you talk to the caller nicely, often they’ll tell you – because remember – they’ve paid someone good money for something they thought was a sales lead and they’re not happy either. Communication Avenue declined to comment (or more precisely, ignored my email and failed to answer the phone). I have now left the matter with the ICO.

BT is powerless to help. So it says. They claim they can’t, technically, block calls from overseas numbers for you. As a “help” they gave me “free” caller-ID, so I could simply not answer foreign numbers. BT the BT caller display telephone didn’t display anything and to add insult to injury, after a year they started charging for it.

So what can be done? The solution to this one IS technical. All it needs is an option to block all calls coming from countries that do not subscribe to, and enforce, EU-wide telecoms regulations – including VoIP gateways. One has to ask why this hasn’t been done, but I dare say the answer is commercial.

 

 

Posted on

Internet Explorer scare

I’m getting a lot of calls about Internet Explorer. Apparently it’s got another security bug. It must be true because it was on the BBC.

Well it’s partly true. The bug is actually in ActiveX, which is Microsoft’s dodgy web browser application format. All browser application formats are dodgy. Allowing web sites to download code and run it on your PC is just a bad idea.

I’ve said it before and I will say it again: just turn off ActiveX. That said, looking at the details of this particular vulnerability it doesn’t appear very easy to exploit. I suspect it’s getting more of a mention than it deserves as Microsoft isn’t going to patch it for IE6 or Windows XP for the first time, or so they say.

Hmm. What can Microsoft be thinking? Either they patch this regardless, or lose a further share of the browser market to Chrome – and another nail in the coffin of Active-X.