Criminals using self-assessment tax filing deadline to drop Trojans

I’ve intercepted rather a lot of these:

From: <gateway.confirmation@gateway.gov.uk>
To: <**************>
Date: Mon, 3 Feb 2014 20:33:49 +0100
Subject: Your Online Submission for Reference 485/GB6977453 Could not process

The submission for reference 485/GB6977453 was successfully received and was not processed.

Check attached copy for more information.

This is an automatically generated email. Please do not reply as the email address is not monitored for received mail.

Someone (via France, and the sender certainly does not speak proper English) is taking advantage of people’s panic about getting self-assessment tax forms in before the 31st January deadline to avoid a fine. The attached ZIP file contains an executable with a .scr extension. It doesn’t show as being anything recognisable as nasty, so someone’s planned this well. Be careful; this is slipping through ISP malware scanners (and all the Windoze desktop scanners I’ve checked it against).
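As an added example (not part of the original post), here is the kind of check a mail gateway could run on this lure: it opens the ZIP attachment in memory and flags any member with an executable extension such as .scr, or a PE (“MZ”) header hiding behind a harmless-looking name. The message is constructed from the headers quoted above; the file names inside the ZIP and the stub executable body are assumptions.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows will run as programs however innocent the icon looks.
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}


def inspect_zip(data: bytes):
    """Return (member, reason) pairs for suspicious files inside a ZIP."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<archive>", "attachment claims to be a ZIP but is not")]
    findings = []
    for info in zf.infolist():
        name = info.filename
        ext = name[name.rfind("."):].lower() if "." in name else ""
        magic = zf.open(info).read(2)  # PE executables start with 'MZ'
        if ext in EXEC_EXTS:
            findings.append((name, f"executable extension {ext}"))
        elif magic == b"MZ":
            findings.append((name, "PE header behind a non-executable name"))
    return findings


def suspicious_attachments(raw: bytes):
    """Scan a raw RFC 822 message; return (attachment, member, reason) triples."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        if payload[:2] == b"PK":
            hits += [(fname, m, why) for m, why in inspect_zip(payload)]
        elif payload[:2] == b"MZ":
            hits.append((fname, fname, "bare PE executable attached"))
    return hits


def build_sample() -> bytes:
    """Constructed copy of the lure: the headers quoted above plus a ZIP whose
    only member is a fake .scr (assumed file name, 'MZ' stub for the body)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Submission_485_GB6977453.scr", b"MZ" + b"\x00" * 62)
    msg = EmailMessage()
    msg["From"] = "gateway.confirmation@gateway.gov.uk"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Your Online Submission for Reference 485/GB6977453 Could not process"
    msg.set_content("Check attached copy for more information.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Submission_485_GB6977453.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for hit in suspicious_attachments(build_sample()):
        print(hit)
```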

FreeBSD 10.0 and ZFS

It’s finally here: FreeBSD 10.0 with ZFS. I’ve been pretty happy for many years with twin-drive systems protected using gmirror and UFS. It does what I want. If a disk fails it drops it out and sends me an email, but otherwise carries on. When I put a replacement blank disk it can re-build the mirror. If I take one disk out, put it into another machine and boot it, it’ll wake up happy. It’s robust!

So why mess around with ZFS, the system that puts your drives in to a pool and decides where things are stored, so you don’t have to worry your pretty little head about it? The snag is that the old ways are dying out, and sooner or later you’ll have no choice.

Unfortunately, the transition hasn’t been that smooth. First off you have to consider 2Tb+ drives and how you partition them. MBR partition tables have difficulties with the number of sectors, although AF drives with larger sectors can bodge around this. It can get messy though, as many systems expect 512b sectors, not 4k, so everything has to be AF-aware. In my experience, it’s not worth the hassle.

The snag with the new and limitless “GPT” scheme is that it keeps safe copies of the partition at the end of the disk, as well as the start. This tends to be where gmirror stores its meta-data too. You can’t mix gmirror and GPT. Although the code is hackable, I’ve got better things to do.

So the good news is that it does actually work as a replacement for gmirror. To test it I stuck two new 3Tb AF drives into a server and installed 10.0 using the new procedure, selecting the “zfs on root” menu option and GPT partitioning. This is shown in the menu as “Experimental”, but seems to work. What you end up with, if you select two drives and say you want a zfs mirror, is just that.

Being the suspicious type, I pulled each of the drives in turn to see what had happened, and the system continued without missing a beat, just like gmirror did. There were also a couple of nice surprises when I stuck the drives back in and “onlined” them:

First-off the re-build was almost instant. Secondly, HP’s “non-hot-swap” drive bays work just fine for hot-swap under FreeBSD/ZFS. I’d always suspected this was a Windoze nonsense. All good news.

So why is the re-build so fast? It’s obvious when you consider what’s going on. The GEOM system works at block level. If the mirror is broken it has no way of telling which blocks are valid, so the only option is to copy them all. A major feature of ZFS, however, is that the directories and files have validation codes in the blocks above, going all the way to the root. Therefore, by starting at the root and chaining down, it’s easy to find the blocks containing changed data, and copy only them. Nice! Getting rid of separate volume managers and file systems has its advantages.
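To make that reasoning concrete, here is an added Python model (not ZFS code, and not from the original post) of a mirror whose blocks sit under a tree of checksums: a resync walks down from the root, descends only into subtrees whose hashes disagree, and copies just the leaf blocks that changed, whereas a block-level mirror has to copy every block. The block size, sample data and the three modified blocks are assumptions; real ZFS resilvers using the birth transaction-group numbers stored in its block pointers rather than by comparing two hash trees, so this shows the principle only.

```python
import hashlib

BLOCK = 512  # assumed block size for the model


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def build_levels(blocks):
    """Hash tree, leaves first: node i at level L covers nodes 2i and 2i+1
    at level L-1 (the second child may be absent when the count is odd)."""
    levels = [[h(b) for b in blocks]]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([h(b"".join(prev[i:i + 2])) for i in range(0, len(prev), 2)])
    return levels


def changed_blocks(good_levels, stale_levels, stats):
    """Indices of leaf blocks that differ, found by descending from the root
    only into subtrees whose hashes disagree. stats[0] counts comparisons."""
    stack = [(len(good_levels) - 1, 0)]
    changed = []
    while stack:
        lvl, idx = stack.pop()
        stats[0] += 1
        if good_levels[lvl][idx] == stale_levels[lvl][idx]:
            continue  # whole subtree identical; nothing to copy below here
        if lvl == 0:
            changed.append(idx)
            continue
        for child in (2 * idx, 2 * idx + 1):
            if child < len(good_levels[lvl - 1]):
                stack.append((lvl - 1, child))
    return sorted(changed)


def resilver(good, stale):
    """Copy only the changed blocks from good to stale.
    Returns (list of copied block indices, number of hash comparisons)."""
    stats = [0]
    idx = changed_blocks(build_levels(good), build_levels(stale), stats)
    for i in idx:
        stale[i] = good[i]
    return idx, stats[0]


def demo(nblocks=1024, touched=(7, 300, 999)):
    """Constructed scenario: the mirror is split, three blocks are written on
    the surviving side, then the stale side is brought back online."""
    good = [bytes([i % 256]) * BLOCK for i in range(nblocks)]
    stale = list(good)
    for i in touched:
        good[i] = b"new data %d" % i
    copied, compared = resilver(good, stale)
    return copied, compared, stale == good, nblocks


if __name__ == "__main__":
    copied, compared, ok, total = demo()
    print(f"copied {len(copied)} of {total} blocks after {compared} hash checks; in sync: {ok}")
```

A block-level mirror in the same situation would copy all 1024 blocks; the tree walk touches a few dozen hashes and copies three.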

So am I comfortable with ZFS? Not yet, but I’m a lot happier with it now that it’s a complete, integrated solution. Previously I’d only been using it on data drives in multi-drive configurations, as although it was possible to install root on ZFS, it was a real PITA.

Advertorial in Process Engineering Control & Maintenance

The relationship between journals and advertisers has always been tricky, with many of them forced to say nice things, or at least avoid saying anything bad concerning major advertisers. In my day as an editor I was free to say what I liked, as no advertiser could afford to stop advertising because it was the best route to reaching potential customers before the Internet.

Times have certainly changed, and today marks a new low. We’ve intercepted several spammed messages offering to sell editorial in Process Engineering Control and Maintenance. Normally I wouldn’t draw attention to this, but they were sent to a spamming list and picked up by no less than six honeypots – addresses that no legitimate sender of bulk mail should be using. Therefore they’re fair game.

Dear Public Relations Manager

I deal with the editorial content for the Process Engineering Control & Maintenance publication, and am just putting together our editorial feature pages within our February edition. This is a very special edition as this will not only be distributed to our exclusive 100,000 named circulation but an extra 5,000 copies will also be distributed at MAINTEC, Sustainability Live & National Electronics Week to the wide range of purchasing professionals that attend.

I wanted to contact you to see if you would be able to provide some editorial content for this special edition.

The only cost to include a press release within this special edition would be a small editorial set up fee of just £85…

…As I am only able to offer this editorial opportunity to the first few companies to respond to this offer, please email me the editorial content that you would like to include, and please confirm that you would be happy to pay the £85 set up fee.

Kind Regards

******* ******** CIE

[name and telephone number deleted]

If you’re one of the 105,000 people “lucky” enough to get a copy of the magazine, you have been warned.

Direct Response monitored alarms fail to show

Not to an alarm call out, but they had an appointment at 9am today to talk about their monitoring service. At 9:30 they called to say they weren’t coming with the excuse that they’d tried to call to confirm the appointment but couldn’t get through. Except they confirmed it yesterday afternoon and there’s someone on the hot-line number they claim to have used since 6am today.

Okay, they double booked slots and got caught with their pants down and this is the best they could come up with, but for a company trying to sell an ARC service, not showing for an appointment has to be the biggest no-no going. LOL!

They’re actually possibly worth talking to, because they use the rather interesting Risco panels. Risco is an Israeli company, and they’re upping the game by integrating CCTV and IDS in one system, with PIR detectors that will take a snapshot of what triggered them and send it to the ARC. The lady on the phone said they just wanted to demonstrate this, and I couldn’t resist even though we’re happy with the British-made Texecom kit (although we use Risco beam sensors already).

However, this is the same Direct Response that got hauled before the OFT and clobbered in 2009 for telling porky pies about their monitored alarms getting a priority response from the police. The caller also claimed the alarms were made in Iran (“or somewhere like that”). And they’re still using the same old sales tactics (“We are calling as part of an awareness campaign, and four people in your area will be selected at random for a free alarm worth £999”, without mentioning the £400 installation fee up front and claiming a £5/week monitoring fee – I’ll be pleasantly surprised if this bit is true).

The appointment’s been re-made for 9am on Monday. Let’s see. In fairness, I did warn the first and second callers that they hadn’t called a normal householder. All they gotta do is Google me.

BBC pulls Queen’s Christmas message

The BBC iPlayer is supposed to “make the unmissable, unmissable”, according to the BBC itself. That only applies if the BBC itself wants you (the license payers) to see something.

Even before Christmas was over, the Queen’s Christmas Message was removed from the playlist. What’s the excuse? I’m still waiting for a reply to that one (and ITV don’t feature it either). It was produced by the BBC this year, and there doesn’t seem to me to be any technical reason why they can’t keep it there for the duration of Christmas, if not the whole year. It’s not just iPlayer; it’s been dropped from the BBC web site too.

The BBC is, of course, embroiled in allegations of left-wing political and social bias, and this seems a likely explanation. At the very least, lefty decision makers will have regarded the Queen’s Message as unimportant and dropped it quickly.

The BBC once had a monopoly on the Royal Christmas Message, but this was ended in 1997 when it was announced that ITN would alternate with it (and Sky joined the rotation in 2011). At the time it was speculated that this decision reflected the Palace’s displeasure with the low-brow coverage of Royal matters within BBC News and Current Affairs. You can’t argue with that, although it was denied by Buckingham Palace. Subsequent revelations tend to back this up, and show it was the right decision.

It comes to something when the state broadcaster, funded by the nation, fails in its duty to make the Queen’s message available, forcing everyone on to YouTube to watch it. Perhaps it’s time to drop the BBC from the production rota and replace them with Google.

Botnet shows itself with New Year spam :)

The crims have been at it again this Christmas season (more elsewhere). The latest interesting activity has been a flood of emails with :) as the subject and “Happy new year !” as the text-only payload. Don’t feel left out if you didn’t get one, as they’re only being sent to email addresses made of random numbers at various domains I monitor.

What are the crims up to? Probably testing out mail servers to see if they’ll accept things to random addresses. Every domain should, and deliver them to a human postmaster (not that many net newbies are even aware of this rule). However, there’s nothing to say they can’t also go to analysis tools.

What makes this latest caper interesting is that the botnet they’re coming from doesn’t show up on the usual lists of such things – it’s either new or has expanded rapidly from an old one. New botnets popping up after Christmas aren’t uncommon, as the seasonal fake greeting cards and Amazon purchase confirmation trojans are relentless in the days before, together with the lack of staff available over the holiday to deal with them. However, I find this one unusual as most of the IP addresses used to send out the probes are from Europe (Germany and Spain in particular).
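As an added example (not from the original post), here is how the probe pattern described above can be picked out of mail logs: a recipient whose local part is nothing but digits, combined with the “:)” subject, counts as a probe, the hits are tallied per sending IP, and any source missing from a blocklist is reported as a candidate new botnet member. The log format, the TEST-NET IP addresses and the blocklist contents are all constructed for the example.

```python
import re
from collections import Counter

# Constructed log lines (not a real MTA's format): time, client IP, sender,
# recipient, quoted subject. The recipients with numeric local parts mimic the
# random-number addresses the probes were sent to.
LOG = """\
2014-01-01T00:02:11 203.0.113.7 bob@example.org 7219338@example.net ":)"
2014-01-01T00:02:15 203.0.113.7 bob@example.org 4401927@example.net ":)"
2014-01-01T00:03:02 198.51.100.23 ann@example.com 90833@honeypot.example ":)"
2014-01-01T00:05:40 192.0.2.44 newsletter@example.com sales@example.net "January offers"
2014-01-01T00:06:09 198.51.100.23 ann@example.com postmaster@example.net "Happy new year"
2014-01-01T00:07:30 203.0.113.8 carol@example.org 5512@example.net ":)"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "(.*)"$')

# Stand-in for a published botnet/blocklist feed; constructed for the example.
KNOWN_BOTNET_IPS = {"203.0.113.8"}


def is_probe(rcpt: str, subject: str) -> bool:
    """A probe: all-digit local part and the ':)' subject seen in the campaign."""
    local = rcpt.split("@", 1)[0]
    return local.isdigit() and subject.strip() == ":)"


def probe_sources(log: str) -> dict:
    """Count probe messages per client IP; returns {ip: count}."""
    counts = Counter()
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that does not parse rather than guess
        _ts, ip, _sender, rcpt, subject = m.groups()
        if is_probe(rcpt, subject):
            counts[ip] += 1
    return dict(counts)


def unlisted_sources(log: str, blocklist=KNOWN_BOTNET_IPS) -> list:
    """Probe sources that no existing list knows about: the interesting ones."""
    return sorted(ip for ip in probe_sources(log) if ip not in blocklist)


if __name__ == "__main__":
    print("probes per IP:", probe_sources(LOG))
    print("not on any list:", unlisted_sources(LOG))
```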

Faulty screen on Lenovo S10-3 10″ laptop

My trusty and very portable S10-3 – one of the best laptops ever made in my opinion – died a couple of months ago. Well, its screen went black. Or it went all-white, to be precise. And I mean black OR white; every pixel was either full-on or full-off.

The rest of the machine appeared to be fine – it could be heard booting and it appeared on the network – you just couldn’t use the screen.

Today I fixed it. There was a loose connection where the LCD panel cable joins the motherboard. Unfortunately, it’s been lying in a pile waiting to go to Lenovo’s service centre in Germany all this time because I couldn’t figure out how to check for loose connections. Like most laptops, disassembly isn’t obvious. Fortunately, like most Lenovo (née IBM) laptops, it’s actually built with servicing in mind. So here’s the trick:

Remove the battery and undo all obvious screws on the back cover. There are four captive screws on the cover plate, behind which lurk the winchester, DIMM and cellular modem (if fitted). Don’t be fooled; they don’t come out! You can remove the winchester if you wish, but watch out – it has two of its own retaining screws and two more screws that are part of the cover you’ve just removed. You could go mad looking for them if you miss this point.

There are then six black M2 screws securing the case, and three very small screws under where the battery fits. Remove them all, and it will look like nothing’s changed.

Next you have to lever the keyboard off. It’s actually very easy if you lever in the right place, which is along the top edge. It ‘snaps in’ at the corners; gentle levering with a small flat screwdriver and finger nails pops it off easily.

To disconnect the ribbon cable connector, pull the black bit of the PCB socket clip forward and up. (Good luck getting the cable back in, from underneath, and closing the clip again with adult-sized hands!) You can then put the keyboard aside, and undo three further black M2 screws, which are found at either edge and the centre of the silver plate thing you’re looking at. Then you need to prise the top of the case off – the silver bit comes with it. Again, this is much easier than it sounds if you lever with a small screwdriver and get your fingernails underneath.

The planar (motherboard if you’re younger than a certain age), is now laid before you. The LCD cable is obvious at the top left; they’ve even labelled it. Although it looks like it’s taped down, it just pulls in and out; reseating it did the trick for me.

If you need to dismantle the screen/lid assembly (or if you’re curious, like me), you can detach the power cables that come in on the right hinge and undo a couple of screws at each side to remove it completely. To open it you need to remove the screws hidden under the self-adhesive rubber pads in the corners. Then you need to flex the screen frame quite dramatically, working around the edge, until it un-snaps (if you see what I mean). Let’s just say it’s easier to replace the lid as one unit if you’re breaking for spares.

Anyway, my little friend is back and I’m happy. It’s just a shame the manufacturers are pandering to the craze for fondleslabs and have dropped the 10″ form factor for truly portable “proper” computers, able to run software other than games, Facebook and surfing the web. Now that ASUS has dropped the Eee book you’re looking at something like the ThinkPad E145, which I was about to buy in spite of its extra bulk, weight and cost.

Unfortunately, the S10-3 and closely related models in the field are currently not replaceable until fashion swings back.

Google shoots own foot in war on child abuse images

If you believe the Daily Mail and the BBC, Google and Microsoft have buckled under pressure from the Government to block images of child abuse on the Internet. What they’ve actually done is block around 100,000 search terms that are used by paedophiles looking for material, whether such search terms could be used to locate other content or not. Great.

Actually, this is rubbish. Google (about which I know more) has not even been indexing such sites, so search terms won’t have found any that it knew about anyway. I’m sure the other search engines have similar programmes in place. This is a public relations exercise, with a piece by Eric Schmidt in the Mail today. It’s a desperate PR stunt that will back-fire on Google.

Eric Schmidt of Google, seeming desperate (from Wikipedia)

The fact is that household names like Google don’t have a case to answer here. They’re not ISPs, they’re not providing hosting space for illegal material and they’re not actually responsible for it in any way. The only thing they can do is spend their money researching such sites, dropping them from their indices and alerting the relevant authorities to their research. This they already do. So when the likes of Mr Cameron criticize them, as an easy target, the correct response is “Don’t be silly, it’s not us, and it’s the job of your Police to catch the criminals whether they’re using the Internet or not”. What Google has done with this move is give legitimacy to the original false accusation.

As anyone concerned with cybercrime will tell you, the major criminal activity takes place in areas outside the World Wide Web – areas not indexed by Google or any legitimate company. It travels around the Internet, encrypted and anonymous; and the paedophiles seem to be able to find it anyway. All this move will achieve is pushing the final remnants underground, where they’ll be much harder to track.

Looking at the comments that have appeared on the Daily Mail site since it was published is depressing. They’re mostly from people who have been taken in by this line (originally spun by the Daily Mail, after all), and they clearly don’t understand the technical issues behind any of this. I can’t say I blame them, however, as the majority of the population has little or no understanding of what the Internet is or how it works. They simply see a web browser, normally with Google as a home-page, and conflate the Internet with Google. The Prime Minister’s advisers are either just as simple-minded, or are cynically exploiting the situation.

Skype under investigation for NSA links

According to today’s Guardian, Skype is being tackled by the data protection commissioner in Luxembourg over concerns it has secret links with the US National Security Agency, and its Prism communications intercept programme. Like many “interesting” companies such as eBay, Amazon and even Starbucks, Skype chose to be based in Luxembourg in the hope it would be left alone. However, the infamous tax haven’s constitutionally enshrined right to privacy might turn around and bite Skype.

Microsoft bought Skype a couple of years ago; it had once been owned by eBay and, as a separate division, Microsoft has presumably decided to keep it in Luxembourg for the tax advantages. However, while Microsoft was allegedly one of the first large technology groups to be pulled in to Prism, Skype has been widely thought of as a secure communications channel. If Luxembourg-based Skype has been passing intercepts to the NSA, its users and the local authorities will not be pleased.

I understand that the local law does allow this kind of thing, and for it to remain secret, if it’s specially negotiated by the government. And as such the data commissioner may not have been in the loop.

But, you may wonder, how does an encrypted peer-to-peer system like Skype get intercepted anyway? The protocol was designed to pirate media files in such a way that lawful authorities were unable to track or disrupt it (which is why no network administrators would ever want it on their LANs). If it has weaknesses, they must have been there from the start. And I believe they were.

A few years back I was talking to someone from Facetime, a manufacturer of firewalls. They’ve since found that flogging their domain to Apple for an iPhone product is also lucrative, and now they’re called Actiance. But I digress.

Facetime had struck a deal with eBay to get details of the secret protocol so that they could manage Skype on local networks. As it’s obfuscated and designed to avoid firewalls, this is a neat trick, and they were the only people able to do it at the time. As an example, they were able to determine which versions of Skype were in use and block those that didn’t fit with company policy. In other words, they could positively recognise the obfuscated protocol and make sense of it.

According to the files the Guardian claims to have seen, Skype was ordered to cooperate with the NSA in February 2011, and it only took them a few months to have call intercepts in place. I’m not that surprised; given the Facetime firewall’s abilities I suspected that payload decryption was going to be possible if you asked the right questions whilst brandishing a big enough stick.

Making this information public, as is now the case, is simply going to push the people that should be intercepted on to systems not under the influence of the USA. How about a Chinese Skype-alike instead? Perhaps not, as it’s widely believed that the Chinese version has a back-door for the local authorities to plunder. But there are plenty of anarchist outfits out there with the ability to write a VoIP system that isn’t compromised by big business’s need to cooperate with governments if they want to make a profit.

Meanwhile, let’s see how Luxembourg’s data protection commissioner gets on.