Frank Leonhardt's Blog

M A G Airports web site exploitable for mailbombing attacks

Last July I was surprised to receive an email of “special offers” from Manchester Airport. I’ve only ever been to Manchester once, and I drove. It was actually sent to a random email address; was the company just sending out random spam?

I checked, and visiting their web site produced a JavaScript pop-up asking you to enter your email address to receive special offers. I wondered if I’d accidentally confirmed acceptance to be added to the wrong mailing list, so I checked. No. Apparently this sign-up doesn’t bother to confirm that you actually own the email addressed entered; it just starts spamming whoever you ask it to.

It got worse. A look at the code showed it was easy for someone to make a load of calls to their site and add as many bogus addresses as they liked at the rate of several every second.

And it gets even worse – a quick look at the sites for other airports operated by MAG had identical pop-up sign-ups (Stansted, Bournemouth and East Midlands).

Naturally I called them to let them know what a bunch of silly arses they were. After being passed around from one numpty to another, I was promised a call back. “Okay, but I’ll go public if you don’t bother”.

Guess what? That was last July and they haven’t bothered. They did, however, remove the pop-up box eventually. They didn’t disable it, however. The code is still there on a domain owned by MAG Airports, and you can still use it to do multiple sign-ups with no verification.

So what are they doing wrong? Two things:

Who in their right mind would allow unlimited sign-ups to a newsletter without verifying that the owner of the email address actually wanted it? Were they really born yesterday? Even one of the MD’s kids writing their web site wouldn’t have made such an elementary mistake.
Their cyber-security incident reporting mechanisms need a lot of work. Companies that don’t have a quick way of hearing about security problems are obviously not doing themselves or the public any favours.

One assumes that MAG Airports doesn’t have any meaningful cybersecurity department; nor any half-way competent web developers. I’d be delighted to hear from them otherwise.

In the meantime, if you want to add all your enemies to their spamming list, here’s the URL format to do it:

Okay, perhaps not but if it’s not fixed by the next time I’m speaking at a conference, it’s going on the demo list.

13-January-1710-February-17

New DVLA on-line system is broken

Why can’t companies implementing government on-line systems actually get anything right? And if they must mess things up, why can’t they do it in private? The new DVLA system is broken. They ought to have tested it in-house, without launching a beta version on the public. Seriously, do they not know what a beta version is for?

My experience – I went through and entered all the details, paid, and got this:

It’s now impossible to tell whether it’s taken payment from the card or not. Okay, this appears to be an external system that’s screwed up BUT it’s not be handled properly. Basic rule of data communications – Assume the link will be corrupted and cope with it.

11-January-17

Baofeng DMR handheld – the DM-5R

DM-5R Plus In 2016 Baofeng released the DM-5R – what sounded like a fantastic DMR radio at a very attractive price. One of the best features was that it maintained the same form factor as the UV-5R, meaning accessories were cheap and plentiful. In fact it was completely compatible as an analogue transceiver, but with DMR too.

Only one huge problem – it only implemented Tier-1, which basically meant it could only talk to other DM-5Rs – not to the Motorola or Motorola-compatible Tier-2 units.

Suppliers insisted that Baofeng was going to release a software update for it. I’m on record elsewhere as being sceptical of this, as I’ve never seen a way to update the software on any Baofeng radios, even when they’ve introduced killer bugs in to the wild.

Apparently I was wrong(-ish), and a firmware update has appeared for the promised $10. Furthermore, a DM-5R Plus has also turned up on the market, with Tier-2 software already. I don’t have confirmed specifications (i.e. the unit in my hand) but there’s some question about the battery. Sometimes its listed as 1.5Ah, other time 2Ah. BL-5 battery packs (the UV-5R standard) are 1.8mAh. I really hope they haven’t been crazy enough to come up with a new battery format.

Battery aside, what’s not to like? If if’s Tier-2/Motorola compatible, then I’m sure I’ll love it. But how compatible is it? Questions remain. Take this announcement from DMR-UK (target likely to expire) quoting a Phoenix Repeater Keeper:

“I have now heard a station using the DM-5R on the Phoenix network. I can confirm that although the radio appeared to work (apart from having very low audio) it was actually occupying both time slots on the originating repeater. This confirms that even though the so-called Tier 2 update had been done it was still working as a Tier 1 radio.”

This is unattributed, and it’s not clear whether the transceiver was a DM-5R Plus or an upgraded DM-5R. I don’t even know if an upgraded DM-5R becomes identical to a 5R Plus. This will become clear over time.

That Baofeng didn’t get the complex firmware right first time would come as no surprise. But do I want to risk it? Only if they promised to offer a free fix; but they really don’t have a good track record there.

28-December-1628-December-16

AO.com extended warranty – the hard sell

Our 1997 AEG Lavamat washing machine is demised. The motor finally gave up the ghost, and Electrolux (AEG) no longer stocks the spares – and even if they did, the cost of buying a new motor for such an old machine is debatable. AEG and Samsung make the machines that clean the best (according to Consumers Association tests), so another AEG it was. Unfortunately our local shop, Ruislip Appliances, is shut for the holidays so on-line shopping it was, and AO.com had a suitable replacement that can be delivered next day. And helpfully, they agreed to take away an old dishwasher too, having paid to take away the old washing machine.

To get the latter deal, I had to order by telephone. After concluding this, the guy on the end launched in to explaining the fabulous after-care service they offered – at a price. Basically they’ll fix stuff that’s “not covered by the warranty”, such as accidental damage and bits wearing out – like bearings and door seals. Eh? Doesn’t the AEG warranty cover premature failure of non-consumable items? If a car was warranted for a year and you wheel bearings wore out just because you were driving it (reasonable distances) then you’d expect it to be fixed. Tyres are another matter; they’re consumable.

I checked the AEG warranty exclusions, and nothing like this was excluded. Basically commercial use, improper use and accidental damage. Anything else they’d fix. And their warranty lasts five years – which tells me they reckon their product won’t break down and have the data to prove it.

AO.com’s warranty excludes stuff covered by the manufacturers warranty, so that leaves very little to cover. “Ah yes, but if we can’t fix it we’ll give you a new comparable model!”. AEG would have to do the same, if it came to it. But if you read their T+C, AO.com will only do this as a last resort and they will automatically cancel your policy.

So for this little extra protection, how much did they want? Well to cover this £500 washing machine for five years it worked out at £450. Basically, where their warranty takes over from AEG’s, you’ll have already paid out the cost of a new one. If the machine was a write-off after ten years (reasonable for an AEG machine), you’d have paid for a new one twice over.

The warranties are actually called product protection plans internally, and they’re sold by AO on behalf of a third party – Domestic and General Services Ltd. They administer the plans, collect the money from the customers and pay a commission to AO

In Y/E 2014, AO.com sold £18m worth of these dubious warranties, and the value is increasing. They’ve been a bit coy about mentioning the figures in subsequent published accounts. If you’re the kind of person that’s totally unable to save up for a new appliance, it may be worth it as a saving scheme – a sort of pre-paid expensive credit option. If you pay up-front for what you buy it’s as much use as a cardboard washing machine.

I feel an OFT investigation coming on. Followed by “haveigotao.com” and similar sites.

One of the significant risks to AO Group’s future is desertion by customers (according to their Annual Report and Accounts 2015). I’m afraid the hard-sell of a dodgy product on the telephone during my first order left me questioning whether I wanted to deal with these people then, or ever again. They don’t have a price advantage over local independent dealers, and I don’t get taken for a fool by the locals either.

Other impressions of AO were good. But the washing machine hasn’t turned up yet!

12-December-1612-December-16

No More Mr Nice Guy

Ever since I was Tech Ed on PCW (1991?), strange people have beaten a path to my door with a their domestic computer problems. Solving them was, for ten years, a good source of material for my column but that was in the 1990’s. Yet still them come. And still I help them. Why? Well I know if they took their precious data anywhere else it’d either cost more than they could afford, or they’d be ripped off and lose their data too. And I’d rather recover it before the mobile phone unlockers on the High Street made it harder.

So why is it that when you’re doing some people a favour they feel they have the right to telephone you for progress reports? Talk about looking a gift horse in the mouth,

One recent example is an elderly lady who’s PC World special laptop threw a shoe. I don’t know her, but a we had a mutual friend who asked if I’d help her out. This is not uncommon.

So along I go and take a look at it. Standard stuff – Windows is a mess and it won’t boot. After about an hour of trying, it almost boots but I opt for a System Restore as I really can’t stay any longer. “Call me in the morning and let me know what it says.”

I make it a rule NEVER to have a freebie fix in my workshop. People used to turn up and leave broken kit on my doorstep for “when I have time”. I also have to figure out what’s wrong with it the hard way. I don’t mind making the odd house-call for a worthy cause, but the kit stays with its owner. Period.

So what does she do? Call me in the morning? No! It turns out she’d get around my rule of not taking freebies back to base by leaving the laptop with our mutual friend. Then some time later she called me to see how I was getting on. Eh? First I’d heard she left it.

At the next opportunity I picked it up, against my better judgement, an spent an overnight session trying to sort it. I then had my proper work to do. And she called again. And after I’d spent all that time and effort on it came out with the immortal words “Well I don’t want to take your time up so why don’t I just take it to the [mobile phone unlockers] in the High Street. In other words, I know this is a freebee but so I’m going to use emotional blackmail to get you to hurry up.

I’m fed up of this game. I’ve seen it often enough. So I called her bluff. Let our mutual friend sort it out – I’m not touching it again with a barge pole. I’ve wasted about ten hours on it, I shall waste not a second more. Except I couldn’t help myself; someone told me she’d been unwell in hospital and I went soft.

And today she called me again. I could feel myself losing my cool, so I ended up asking her to sort out out with our friend and hung up before I blew. Ironically, her disk had been on the analyser, in place of paid work, for the last couple of days (as you may or may not know, data recovery systems can take long time to run if the disk is trashed).

And as I write this, she calls again (perfect timing) with more emotional blackmail. I apologize she caught me at a bad time earlier, but that she needed to understand… Then she gets down-right rude. I point out I’ve spent ten hours working on her machine and she might consider she’s out of order; she says “I beg your pardon…” so I just have to hang up. Her attitude is not pardonable.

I really don’t need all this. So if anyone is thinking of dumping some kit on my doorstep for a freebee, think again!

12-December-16

It’s official – the Ruskies got Trump elected

This weekend the news has been full of the story that the CIA has accused Russia of swinging the US presidential election in favour of Donald Trump. Their evidence? Not much to speak of. Normally I’d be commenting on the technical merits of this kind of thing, but there are no technical details to back any of this up.

Apparently someone with “links to the Russian government” handed a bunch of pilfered emails to WikiLeaks that shed Hillary Clinton in a bad light. Let’s look at theses features in order.

A lot of prominent people, companies and organisations have links to the Russian Government. They’re trying to imply Putin was behind it, but that’s hardly proof. In fact they’re rather coy about identifying the source of the leak anyway.
WikiLeaks has a very good system in place to make it impossible to identify the source of any uploads. That’s the whole point. The identity of the uploader can only be conjecture.
Hillary Clinton can come across as crooked without the help of the Russians. As can Trump, of course. Anyone could have obtained those emails and uploaded them. The most likely source is an insider; and it’s likely every foreign intelligence agency was reading them before long. And anyway, you could argue that someone has done the American people a great favour by exposing dodginess.

It’s worth remembering that largest number of cyber attacks originate from the USA, not Russia or China. Yet some people persist in blaming them any time something goes wrong. Doubtless they are behind some of it, but let’s get this in perspective.

It’s no secret that Putin and the Russian government are likely to prefer Trump to Clinton. Trump is telling it like it is on foreign policy, especially in the Middle East, whereas the American establishment is defending the indefensible corner they’ve painted themselves in to. Trump realises the Cold War is over, the CIA doesn’t. Whatever else you think about them, I’m sure both leaders recognise each other as being able to do business.

Trump dismissed the latest fluff pointing out that the information came from the same people as “Saddam Hussein’s Weapons of Mass Destruction”. He has a point.

30-November-1630-November-16

National Lottery Accounts compromised

This morning Camalot released the news that they’d detected suspicious logins on 26,000 of its on-line punter accounts, of which 50 had been altered. As far as they know. They’re keen to stress that this doesn’t affect their core system (i.e. can’t be used to fiddle the payouts).

It’s entirely possible that they haven’t been breached at all – people could be re-using passwords taken in an earlier heist. What’s odd is that someone has accessed thousands of accounts but done nothing with them. Why? Kiddies, possibly.

If this is as Camalot is currently reporting, well done to them for spotting the suspicious logins and acting fast.

28-November-1624-August-21

Putin the Boogy Man

Vladimir Putin in KGB Uniform I’ve been listening to Today on Radio 4. Francois Fillon has won the conservative presidential candidacy for the French president. Apparently, shock horror, he likes Margret Thatcher and is friendly with VLADIMIR PUTIN. That sounds a bit like Vlad the Impaler!

The presenter also had a jibe about Donald Trump; he also wants to do business with this monster.

He is a monster, right? He’s a Rusky, like Starlin, and therefore wants to take over the world. And he’s done all these terrible things to prove his evil intent. Lets just remind ourselves…

First off, Russian troops put down a “revolution” in Chechnya. Actually, this was an Islamist uprising, but before the West had experienced Islamist uprisings so at the time Mr Putin was portrayed as Mr Nasty. Now we don’t really want to talk about it.

Then he backed the Assad “regime” in Syria against the “rebels”. Assad was and remains the democratically elected president of the country. Sure, he tried to make war against Israel at every opportunity but that’s normal around there. Not a nice person, but democratically elected. The so-called rebels were self-appointed, and unsurprisingly, have long-since disappeared and Islamists have filled the vacuum. The West continues to condemn Russia for backing the democratically elected government against, you guessed it, the Islamist insurgents (Islamic state and the like).

“Ah”, the liberal media wail, “Russia is bombing Aleppo and civilians in the ‘rebel’ held areas are being killed.” Well there’s a war on. The “rebels” are bombing the government-held areas and killing civilians, and this is okay? And non-Russian forces are bombing rebels in Mosul, yet there they’re called Islamic State, and there is little mention of civilians.

Okay, what about annexing Crimea. Russian tanks in a foreign country. What actually happened there?

Well in 2010 Viktor Yanukovych won the presidential election in Ukraine, beating Yulia Tymoshenko. It was considered a fair election. He won. Some people in Ukraine didn’t agree and started fighting about it a couple of years later. Reports vary, but Yulia Tymoshenko’s supporters have neo-Nazi overtones.

Ukraine was split in to the Russian-speaking Crimea and the rest, and the Russian-speaking population in Crimea was in trouble from the violence, so Putin sent in the troops to protect them, and support the democratically elected government. The West sided with the neo-Nazi rebels.

For historic reasons, Russians do no like neo-Nazis. Strangely the Western liberal media reckons they’re okay if they’re fighting against Russia.

Now I’m no more a fan of Putin than I am of most politicians. He’s got his hands dirty, to say the last. Rising up through the KGB is hardly an ideal career path for a benevolent leader, although this is how it’s been done for a long time. But when you look at the situation in Russia, there are plenty of worse candidates for president. You could say he’s the least-worst option. The Russian people like the guy; he looks out for their interests. And with the West pushing hard against Russia, who can blame them? And to cap it all, Putin is actually the defender of democracy in his foreign policy; how does he keep snatching the moral high ground from Obama?

The reason is that Obama and the West still have the “reds under the beds” attitude. Putin, on the other hand, has a different understanding of who the real enemies to freedom (or his cushy way of life) are. As do Trump and Fillon.

Let me be clear – Putin may be a gangster president and a malign influence on the world, but he’s not a lunatic and his actions are not crazy. There are actually worse candidates for the job, which should be remembered before rolling the dice.

And while we’re obsessing about Putin, we’re ignoring the real lunatics in other countries – and regimes like China.

10-November-1610-November-16

Enough with this “Trump Crashes Immigration Site” rubbish!

Ha Ha Ha! On Wednesday, Canada’s web site for prospective immigrants crashed due to the weight of American’s trying to escape from a USA run by Donald Trump. Really? Now other immigration sites such as New Zealand are reporting similar problems and certain some media outlets are lapping it up.

It’s a funny story, but I suspect that it’s too good for some people to check the facts.

There are two possibilities here:

A load of American’s panicked suddenly.
Some jokers decided a DDoS attack at this point to make it appear American’s were panicking would me funny

In the absence of any evidence to the contrary, I think option two is way more likely. People have been joking about the “move to Canada” option for months.

7-November-167-November-16

Are you a Tesco bank customer? Please verify your details. Spam meets salami.

I’m surprised I haven’t seen any phishing emails targeting hapless Tesco Bank customers following the publicity surrounding the weekend’s account raids. Give them a few more minutes.

Details on what happened are very thin on the ground. This morning on R4 Today they were saying a few thousand, but less than 10K customers had been affected. Estimates are now going up to 20K. But what’s interesting is this appears to be close to a good old fashioned salami raid, a term that the newbies in security may not even have heard of.

A salami raid got its name from thinly cut salami (a kind of foul-smelling sausage). If you cut off a thin slice, no one will notice, and if you do this to a large number of unfortunately sausages, none of their owners are likely to spot it but you’ll end up with a lot of processed meat.

Traditionally this approach was employed by computer programmers diverting pennies from a large number of accounts in to their own, but its unlikely to be the case with Tesco. The spotlight is likely to fall on people making use of the on-line banking facility to enrich themselves using other people’s logins, although I find it curious that accounts weren’t emptied while they had the chance.