Internet of Things Botnet Menace

Forget self-aware AI systems taking over the world. If you read the hype over DDoS attacks you’d be forgiven for thinking an army of internet connected devices was on the march, herded by a gang of amateur criminals – the IoT bites back!

This isn’t about anything new, but the fact it’s being used in recent record-breaking DDoS attacks has brought the matter to the fore.

And then yesterday the code for the two main botnets, Miari, turned up, posted on Hackerforums by its originator, probably. The other similar botnet is known as Bashlight, but I understand it works in the same way and attacks the same devices. Originators of such code usually dump them in the public domain when they feel that they’re about to be busted. It makes it harder to prove they’re behind an attack when other people have, and are likely using, the same code.

A look at the code itself confirms what many have suspected for a long time; some CCTV equipment can be appropriated for naughty purposes. Unfortunately the affected equipment originates in China and is sold to a wide variety of companies who put their own badge on it, and sometimes customise the software. It’s basically a generic network-enabled Digital Video Recorder (DVR), with the generic name H.264 Recorder. Getting it all patched isn’t going to happen as there is no update mechanism, but if people changed their password to something hard to guess, rather than leaving it as the default 1234, the world would be a better place.

I’ve been looking at this type of CCTV equipment for over decade, ordering an embaressing number of samples from Alibaba and the like and building up a collection to rival my disparate VoIP endpoints. They have a lot in common – very little I the way of security or robustness in the face of attack. My advice to anyone using such kit is to install it behind NAT and use a VPN to access it externally.

But getting back to my theme, the media hype suggests that all sorts of IoT things have been hijacked. Unless I see any evidence to the contrary, this is simply not true. The CODE released targets one type of network DVR, and, in reality, it can’t even persist if the device is power-cycled. However, reports suggest that the time taken for the botnet to re-establish itself is very short.

I’ll be updating this article in the next few days once I’ve checked out a few facts concerning the code.

How fraudulent sellers operate on Amazon

Mail order fraud is nothing new. There’s the apocryphal story from the 1950’s, and probably earlier, of the newspaper advert for Ever-lasting Slug Killer, “guaranteed to kill slugs indefinitely”. Respondents received two rocks, with instructions to place the slug on the first one and hit it with the second.

Consumer protection laws in the 1970’s and European distance selling regulations have rendered this kind of scam difficult. If the product you deliver isn’t what it’s cracked up to be, or even if it is, the purchaser has the right to reject it when they see it. Therefore there’s no point in delivering tat; you might as well not send anything. Ebay has been plagued by such scams, and there are now plenty on Amazon too.

To combat this, Ebay has policies that mean if the buyer complains, the seller doesn’t get the money. This has lead to the reverse-scam, where bogus buyers order something and then claim it didn’t arrive, and this has put a lot of sellers off using Ebay.

Amazon has a similar dispute resolution procedure, but in my experience, has a team of people with functional brains who can tell the difference between a wrong’un and a victim. Eventually.

You can see two common forms of scam on Amazon: Crazy price and Non-delivery.

Taking the second first; given that you don’t deliver the goods, how do you get the money? Without actually testing the theory I can’t prove this works, but I imagine it goes something like this:

  1. Set up as a seller, and pretend to be somewhere like China – long distance shipping.
  2. Find big-selling products and list them yourself, but at a slightly lower price than the other sellers.
  3. Wait for the orders to roll in, and then delay. Firstly, don’t ship immediately and then when you do, set as long a delivery window as allowed.
  4. Run off with the money.
Please generate and paste your ad code here. If left empty, the ad location will be highlighted on your blog pages with a reminder to enter your code. Mid-Post

This works because of step 3. Amazon doesn’t allow you to report a seller when you spot something merely suspicious, so they can keep selling stuff for several weeks before Amazon has the chance to investigate. The complaints procedure only allows you to report non-delivery AFTER the last date specified by the bogus seller when they ship it.

The thing is that bogus sellers like this are possible to spot before this. The extended delivery time is a first warning, and you can then research the range of products sold and how plausible it is that they’re cheaper than anyone else for the same product. Picking the cheapest supplier is a perfectly reasonable thing to do, especially when there are several scammers offering similar prices for fast moving items. Who would check further?

The other scam involves putting small items on at a crazy price, often a hundred times their real value. It’s quite conceivable that someone in a hurry wouldn’t notice they’d bought a small item at completely the wrong price. I’ve been noticing these sellers for several years, and out of public spirit, I’ve reported them to Amazon staff and they’ve disappeared shortly afterwards, with a note thanking me for bringing them to their attention.

Having never fallen foul of a crazy-price scammer, I don’t actually know how the problem gets resolved if you do buy something. Under contract law, if you’ve agreed a price and they’ve delivered your picture hook for £120+£50 delivery, you don’t have a claim. I see nothing Amazon can actually do about this, other than refund the buyer out of its own pocket and strike the seller off. Amazon’s lawyers may have something more creative.

However, even if the scammer only has one sale before being shut down, if that nets them £200 it’s going to be worth it.

As for the non-delivery scam, I don’t know how possible it is for the criminals to get away with the money. Amazon can’t hold on to it indefinitely, and will have to hand it to the seller at some point. Even if Amazon holds it until the latest delivery date, people aren’t going to flag it as fraudulent immediately – especially as the latest delivery date could be months later.

It ought to be fairly easy to spot these bogus sellers automatically by heuristics, and it’s high time Amazon put some effort in it. Perhaps they’re making so much money they’d rather write it all off.

Talkmobile and security

I’m currently engaged in a bit of a strange dispute with talkmobile. They’re over-charging me, but for some reason I can’t log in to my account. No problem – they have on-line chat with customer services – how hard can it be to sort out?

Well, it’s proving impossible. They can’t even look at my broken account because I don’t know my date-of-birth. I don’t know my date-of-birth because, for obvious reasons, I don’t give the correct one out willy nilly to any company that asks for it – only government agencies and my bank. It’s easy enough to find someone’s DOB and it should never be used as a password.

So, there are a number of other dates I use for non-critical purposes. We’ve been through these; it wasn’t one of them.

Stop press – one of the more obscure ones worked. and I’m back in, thanks to the persistence of their help team.

But this is hardly the point; no one should use a piece of information that’s a matter of public record (i.e. on a birth certificate) as proof if identity. Birthdays are commonly found on social networking sites, your employers’ records and quite likely around the office. It’s mad to use it as a password.

So how did this come about? Well, until it’s purchase by Vodafone in 2015, TalkMobile was a virtual network run by Carphone Warehouse; the same group that that owned TalkTalk (see security blogs passim). TalkTalk was split off in 2010, but their culture of security has been questioned in the past; unfairly in my view as they’re no worse than most. What was lacking from inception was any common sense approach to security issues.

Unfortunately, you can no longer visit one of the remaining Carphone Warehouse shops to get these things sorted, which means if you’re locked out of your account there appears to be no way back in. I did threaten to cancel their direct debit rights with my bank; I bet they’d recognise me then!

To add insult to injury, TalkMobile’s representative tried to blame this policy on “The Data Protection Act”. It makes a change from blaming it on migrants, I suppose.

Sophos UTM sets ambitions goals; and fails to score

Okay, I’m being a bit unfair on singling out Sophos here, but they’re a current source of irritation. Like all security vendors they’re selling products that don’t work. Actually, Sophos is one of the few larger players that will talk about this honestly, which is why they have been my first choice recommendation for a long time.

The problem is that if you have companies selling “total security” products, which are nothing of the sort, the public are likely to believe such a thing is possible. If you describe your product realistically the idiots will look elsewhere, purchasing based on the most outrageous claims. A look at the Sophos customer base suggests they’re not selling to idiots.

So what’s my problem with Sophos at the moment. Well I’m falling foul of their UTM Web Defender at an educational establishments. Some of my information sites are unclassified on their list of web sites, and so they’re blocked. They contain educational material that I use when teaching. Not helpful.

Okay, this isn’t default behaviour and the establishments in question have made a decision to block anything that Sophos hasn’t classified yet. Some of these sites have been there since 1992, so presumably there’s a long backlog. And this illustrates the problem very nicely; there are over 300,000,000 domain names registered, with 1,000,000 being added every month. Web filtering companies have to look at all these web sites, and sub domain web sites, and classify them all. It’s an impossible task. I know Sophos does this manually, heroic but doom to failure.

The World Wide Web was created to allow the sharing of knowledge; particularly academic and research information. Unfortunately this is just the kind of web site that’s likely to remain unclassified by content filters; obscure links to non-commercial servers giving the information needed for research.

There is a solution. A few years ago I decided to write my own web search engine for a laugh. I then modified it to try and figure out what the web sites were about. Google has built an empire on doing this extremely well, but my quick heuristic solution did a pretty good job.

So here’s what Sophos et all should do. When their web defender appliance hits an unclassified site it should automatically submit it to them for evaluation. An automated system using heuristics can then figure out the likely classification, with a probability threshold for human checking.

This doesn’t have to be instant to be a hell of a lot better than their current system. To get past a Sophos filter (for example) you have to manually submit every site to them by filling in a form, and then they’ll go and classify it within a week. Possibly. And in reality, who’s going to submit such a request to access a web site they can’t actually view because it’s blocked as “unclassified”. There’s a hole in their bucket!

Edward Snowdon is a traitor – The Washington Post(?!?)

Edward_Snowden-sIn spite of the Washington Post being chosen by Snowdon to publish his “revelations” (a circulation-grabbing but arguably cyclical move), and in spite of accepting a Pulitzer prize for this irresponsible journalism, the paper is now calling for him to be prosecuted. Unlike the liberal Guardian in the UK, the US paper, which profited by his betrayal are now seeing the situation for what it is.

ECJ Hotspot Ruling Makes Free WiFi a NoNo

ECJ In Session - Source - Court of Justice of the European Union

The latest nutty ruling from the European Court of Justice is yet another example of judges and politicians failing to get the advice of anyone who knows how stuff works before opening their mouths and putting their foot in it.

This concerns a case where some digital rights lawyers tried to sue the owner of a lighting shop in Germany because some of his punters were downloading naughty stuff over his free WiFi. Article 12 of the EU E-commerce Directive says that an ISP isn’t usually responsible for the activity of its users, in the same way the local council isn’t responsible if a thief uses one of their footpaths to make a getaway. But thanks to some deep pocketed sharks lawyers and a defence mounted by some gonzo for the Pirate Party, the ECJ ruled otherwise:

The Court holds that an injunction ordering the internet connection to be secured by means of a password is capable of ensuring a balance between, on the one hand, the intellectual property rights of rightholders and, on the other hand, the freedom to conduct a business of access providers and the freedom of information of the network users. The Court notes, in particular, that such a measure is capable of deterring network users from infringing intellectual property rights.

Basically, until they roll the dice again, offering free WiFi is off the menu at your local coffee shop; customers have to register and get a password, so Sony etc know where to go knocking when their crooners are pirated.

This is going to cause great inconvenience to the majority of normal users, but not much to the pirates. In order to implement this, having a simple open WAP for your customers to use isn’t going to be possible. They’ll all need to be changed to stop and ask for a password before proceeding. You’ll have to give your name and address to the café owner, have an account created and be issued with a unique user-ID and password. The ruling doesn’t go in to any detail about how vociferate the ID check should be, but that’s a whole new boîte de Pandore.

However, if you’re a pirate, you just give false credentials. No problem. Or even easier, capture the unencrypted traffic and pinch someone else’s password, then sit back and snigger as the fuzz kick down their door instead.

You could, of course, insist that such networks are also encrypted using WPA. Not all endpoints support this, but lets leave that aside. Unlike WEP which can be broken in 30 seconds on a laptop, WPA2 takes a couple of hours on some fairly hefty dedicated kit (or 24 hours on a standard AWS compute server). So that’s alright then.

Once a fake account has been obtained, of course, you can provide lists of WPA2 keys, IDs and passwords on the pirate web. I predict there’ll be a huge list of fake credentials within a couple of days of it being implemented. Well I would predict it the ECJ ruleing could be implemented without major infrastructure changes and the enormous manpower needed to enforce it. But that’s not going to happen, is it?

But hang on a minute – doesn’t this all sound familiar? Well yes, there’s the UK’s Data Retention Regulations of 2009. This already requires service providers to keep a log of the name and address of users, and what IP address they were using at any given time. If you’ve noticed WiFi hotspots provided by some large companies asking for your name, address and password when you first log in, now you know why.

Is this effective? Of course not. Who’s going to give their real name and address? If you’re a legitimate user, you’re going to be wary of junk mail; if you’re a pirate you’d have to be crazy.

So once again, we have some complete idiots in the EU (in this case) flying in the face of technological reality, where the only practical response to their utterances is to ignore them.  What a waste of time and money. It’d be cheaper to stick to our own idiot politicians.

BT Internet mail is broken – Deferred: 421 Too many messages (1.5.6.1) from xxx.xxx.xxx.xxx

When Yahoo ran BT Internet’s customer email for them, it wasn’t great. We all know they had problems coping with spammers hammering away trying to deliver scams and marketing messages to BT’s punters, putting the whole system in to paranoid anti-spam mode on occasions. But it could have been worse, and now it is.

Since Critical Path (now owned by Openwave Messaging) took over running the shambles in May 2013, they appear to have hit on the bright idea of not accepting more than 49 emails a day from any one server. What? Yes, you read that correctly. If the server tries to send message fifty it gets a delayed email response:

Deferred: 421 Too many messages (1.5.6.1) from xxx.xxx.xxx.xxx

Sendmail (or other normal MTA) will simply continue trying to send it for a week, but if you have more than fifty messages a day on average to BT punters the queue is never going to empty. And fifty messages isn’t a lot. Suppose you’re a company and someone wants their work emailed forward to BT Internet? That could easily be fifty for one luser. And if you’re an web host, one of your customers is probably going to want all the email for a domain to go to a @btinternet.com address, and they’ll likely set it up without you even knowing about it.

This has being going on for over a year now, with a possible reduction in the limit last autumn. There was a theory going around that it would reject domains if the SPF record was inconclusive. Although SPF sounded like a good idea for the first five minutes, it’s rubbish when used as a naive check on mail that’s been forwarded.

I’ve been able to get some unsatisfactory information out of BT on this issue. Basically their policy is to “throttle” mail from an IP address if they think more than a certain proportion of it is spam, based on SPF records and suchlike. In the case of a user having all their mail forwarded to a BT Internet box, a high proportion of it is going to be spam; it’s inevitable. And a check of the SPF record is obviously going to fail (doah!)

BT luser forums are full of complaints about this, although the cause is misunderstood. Users get bounce messages, but it’s the server log that tells the whole picture, and as it’s often delayed they believe that a hokey “fix” has actually worked and others follow.

So what can be done about it? The obvious answer is to stop using BT Internet mail. They’ve shown a complete unwillingness to address this issue, and will doubtless make some excuse that most users are unaffected – that’s to say the other large ISPs and freemail services; direct business-to-BT Internet Luser is a small fraction. If that doesn’t work for you, the minimum you should do is ban anyone forwarding mail to @btinternet.com through your servers. Then make sure that domains you host have the correct SPF records. If you don’t, and one exceeds the limit, the IP address will be blocked and prevent your other customers from using it too.

No one who knows anything about spam control will rely on SPF, of course. But if there is someone who knows what they’re doing at Openwave, their voices are clearly being ignored.

If you’re a BT customer and you use email, based on the fact this problem has gone unresolved for a year now, the only advice I can give is to move away. Which is inrtersting, because this April BT announced plans to charge their ex-punters 60 to keep their (broken) @btinternet.com domain names – the same price as BT Internet’s broadband offering anyway. Done, you will be.

 

Why passphrases are a bad idea

Following my discussion of password lengths, it appears that NIST are concerned about naughty people brute-forcing hashes in stolen password lists. In order to make it more difficult, they’re recommending long passwords, like me. But unlike me, they’re suggesting that they should be made up of randomly chosen words to make them easier to remember because the users could connect them in their mind.

NCSC have their own version, which is basically the same. Originally it was suggested four words would be enough, but it’s often reported as just three.

Leaving aside the chances of someone actually picking random words that are genuinely random, I was curious as to how difficult this would be to crack.

Instead of having the 26 letters of the alphabet to play with, using words gives you a lot more symbols. I wondered how many, so I looked in the obvious place – the BSD spell-check dictionary. That’s a lot of words, but realistically you’d want them to be between three and nine characters long. If you make them too long it’ll take more time to type than people will be willing to spend. Also, looking at longer words, they tend to be made up of smaller ones, or common letter combinations (“anti”, “un”, “ly”, “able”).

So, with a bit of awk, I extracted all the words between three and nine characters. There are a LOT. But on closer inspection, they’re not words I’d have ever picked at random, mainly because I’ve never heard of them. They’re the kind of combinations that cause arguments among scrabble players.

To get some idea how many realistic words there were I extracted 200 at random, and went through to pick the ones I knew. I let proper names count, and it turns out that I knew about 20% of them overall. Whether I’d pick many of them if asked to think of a word at random is another matter; and one worthy of study. However, best-case this extrapolates to about 18,000 unique words in the symbol set. So for a three-word combination the best you’re going to get are 18,000^3 or 6E+12. That’s as good as an nine-character a-z password. A nine-character password can be broken in 14 seconds maximum.

Sorry NCSC, but I don’t like these odds. Let’s go up to the four-word version: That has 1E+17 combinations, which could take a couple of months to crack. But this is still being very optimistic about the choice of words being random.

The rationale behind using a passphrase is that it’s easier for users to remember, and this is a good point. People can create a mind map; a short story or scene using the four chosen words. It is certainly easier than remembering a sequence of random symbols. You can also create a mind map using symbols by giving them meaning (1 = flagpole, 2=swan) etc. But this misses an important point – the sheer number of passwords people have in the modern world. I suggest most people would struggle remembering more than half a dozen mind maps, yet probably have well over 100 unique passwords. The only way to manage so many unique passwords is to store them somewhere, encrypted with one master password.

In short, a passphrase instead of a password only makes sense if its pretty darn long. If you’re going for entropy, a random character password – if you can remember it – will be much, much quicker to type.

Barking Mad.com – Is Bark.com is going to the dogs?

Bark.com launched in 2014 as a web based service matching service providers with customers. Basically, you register as a client, say what you need done and it sends job leads to suitable businesses. A bit like computer dating.

And like any business relying on data matching, it will live or die by the accuracy of its data. It got off to an interesting start by purchasing the data from Dublin-based SkillsPages – 20M contacts of dubious pedigree. I know about this, because in the interests of research, someone registered as a supplier of a highly unlikely service in the name of a very well known science fiction character. No checks were made, but as no one needed  the dilithium crystals realigned in the warp drive in a Constitution-Class Federation starship, no offers of employment were ever received by Chief Engineer Scotty. Until, that is, Bark bought the dodgy data and decided Scotty was an electrician in south London and then the leads started rolling in.

Okay, so we all had a good laugh at their expense before the account is cancelled once the joke had worn thin, but it should be an object lesson in data validation if you’re trying to give potential customers confidence in your “Professionals”.

And then this morning, in the space of 90 minutes, I received a load of emails to a made-up address on one of the domains I look after, but using my name. The emails contained quotes for a job that I had apparently posted. How could this be? I scrolled back down the email and found a “Welcome to Bark” message, giving “my” username and password, and implying I’d just created an account and posted a job request. Obviously someone had, but it wasn’t me.

My first reaction was to read the email carefully, looking for the “I didn’t register this account” link, but there was nothing of the kind. Of course, what they should really do is verify any email address; i.e. check that it actually belongs to the person claiming to set up the account.

Out of respect to the people who’d bothered to quote for the job, I emailed them all back saying “Sorry – someone seems to have done this as a joke”. However, Bark bounced these all back, because I’d sent them from my real email address; one that obviously didn’t match the fake one. So Bark can check email addresses when they want to!

Bark.com is leaving itself open to all kinds of trouble by operating like this. The killer is that the professionals putting in the quotes have paid bark.com to do so, but could claim that bark.com hasn’t taken enough care to ensure the job leads are genuine. By not even verifying the email address, they could be said to be making absolutely no effort at all.

When I spoke to Bark.com and raised this very specific issue, the claim was this rarely, if ever, happens. I provided the details and they promised to refund the people who’d been charged for a false lead, and said “This is not how we operate, this should never happen”, and that “when it’s brought to their attention they close down the bogus account and refund the money.”