Thursday, January 31, 2013

Cold call virus scams are still alive and well


Regular readers of this blog would have seen sagas such as Anatomy of a virus call centre scam, Scamming the scammers – catching the virus call centre scammers red-handed and my personal favourite, “Type www.” – “Ok, w-w-w-d-o-t”; antagonising call centre scammers. That’s not an exhaustive list, indeed there are more videos on this blog and yet more phone calls that never made it here.

A few months back there was a bunch of news around the FTC cracking down on these scams. Problem is, the FTC has about zero jurisdiction in India, where the scams are originating from! It also has zero jurisdiction anywhere that isn’t America, so the “crack down” is unlikely to make much difference. Consequently, it should come as no surprise that once again, this evening I enjoyed the company of a couple of gentlemen willing to help me out with my PC.

As a seasoned recipient of this scam I keep a VM ready for just such events. Unfortunately, in this case I had a tennis game to get to and frankly that was more important than listening to crooks on the other side of the world. I pushed them harder earlier this time and inevitably got hung up on, but not before listening to the usual drivel and exactly the same modus operandi as usual.

If you want to see this scam run all the way through to where they want dollars (including having them remotely control my PC), take a look at the Scamming the scammers video (get a nice drink and find a comfy chair first). If you just want to see how the scam still looks today, here’s what my mates are up to:

Wednesday, January 30, 2013

102 simple steps for installing and configuring a new Windows 8 machine


As sure as night turns into day, sooner or later your PC will descend into an unrecoverable abyss where it no longer boots, stays booted or can’t even get booted to begin with. I’ve had memory go bad, motherboards die, CPUs fried, many mechanical disks develop bad sectors and now for the second time, an SSD gradually turn itself into nothing more than a paperweight.

I now have a very robust backup strategy which I’ll come back to (courtesy of previously losing data and deciding that was never going to happen again!), but having a disk fail is about more than just restoring from backup, it’s about rebuilding the whole damn thing. This is my perfect world scenario:

Restoring an iPhone from iCloud

Automatic daily backup of everything to iCloud then a lost device or an upgrade just means authenticating and waiting. Job done.

Unfortunately this is not the PC world we live in and particularly for folks like me involved in building software, getting from zero to where you were when everything went wrong is a very high friction exercise. I reckon it’s the better part of a day’s effort to reinstall, reconfigure and restore files and you’ll still be finding missing things a month later.

Now I could actually still slave the faulty disk and read from it (it just wasn’t stable to boot from), so in theory I could have used the likes of Acronis or Ghost to image the old disk to the new one and voilà – the old machine is back. Problem is though, you inevitably get that OS rot through continuous installations, uninstallations, driver updates, toying around and otherwise just doing what us devs tend to do. A clean install – although tedious – is a fresh start.

So for my own benefit (because I know it’s just a matter of time until I need to do this again) and to demonstrate the many, many, many (etc) steps involved in getting back to somewhere close (but not exactly) where I was before things went bad, here’s the whole end-to-end process.


Tuesday, January 29, 2013

What is LOIC and can I be arrested for DDoS’ing someone?


It’s the Low Orbit Ion Cannon and yes, you can be arrested and sentenced to a prison term for using it to mount a distributed denial of service attack on a website. But let’s not get ahead of ourselves, there are a few things to understand first.

LOIC has shot to fame in recent years as the tool of choice for what we colloquially refer to as hacktivists, or in other words, folks with an axe to grind – usually for political purposes – who use the web to express their displeasure. They’ll usually be anonymous (that’s with a little “a”) and may associate themselves with groups such as Anonymous (with a big “A”) or others such as LulzSec and UGNazi. The names or how active they presently are aren’t really the point though; I’m interested in looking at the nature of DDoS as this is where I see a lot of misunderstanding.

Here’s how it often begins, with a call to action for hacktivists to join in an organised DDoS:

@Anon_operation Current Target: www.mastercard.com | Grab your weapons here: http://bit.ly/gcpvGX and FIRE!!! #ddos #wikileaks #payback

The result can be devastating for the target; MasterCard suffered major outages on at least two different occasions as a result of this a couple of years back. There have been countless DDoS attacks by hacktivists since, the latest newsworthy event being the takedown of the US Sentencing Commission website just this weekend in retaliation for the legal action against Aaron Swartz, undoubtedly a contributing factor to his recent tragic suicide.

But the results can also be devastating for those involved in orchestrating these attacks. This is Christopher “Nerdo” Weatherhead:

Christopher Weatherhead

Chris was 20 years old when he was involved in the MasterCard attack. Last month (two years after the attack) he was convicted of conspiracy to impair the operation of computers and faced the prospect of up to 10 years in jail. Last week he was sentenced to 18 months imprisonment. Prosecutors described Chris as “a cyber-criminal who waged a sophisticated and orchestrated campaign of online attacks on the computer systems of several major companies" and alleged the actions he was a part of caused damages of £3.5 million.

Hopefully that sets the scene as to the significance of this kind of attack, let’s take a look at the mechanics of LOIC, DDoS and the possible ramifications for those who want to get involved.


Thursday, January 24, 2013

20 simple tips for safer internet banking


A few months back I had another chat to Today Tonight, a national prime time current affairs program I’ve previously appeared on in relation to call centre scammers taking over unsuspecting victims’ PCs. This time it was about the security of internet banking, which gave me a chance to collate some good practices, many of which didn’t go to air but which I kept hold of with the intention of sharing in the context of the video.

Firstly, for background, here’s the story that went to air:

Today Tonight video

The victims covered in the story obviously succumbed to different scams of varying sophistication but most of the time, some very simple practices will protect you from online criminals.

Here are my top tips broken into a few different categories. I’ll keep them brief with the expectation that some people may need a little help on the more technical items, but at least they’re a starting point to have a discussion with a technology savvy friend.


Monday, January 21, 2013

The impending crisis that is Windows XP and IE 8


Do you remember what you were doing in October, 2001? You weren’t watching videos on YouTube, updating your Facebook status or even using the term “social media”. It was still the days of web 1.0 and REST was something you did when you were tired. If you had a puppy, it’s probably no longer with us.

This was a cutting edge device:

Palm m500

Websites were “Best viewed in Internet Explorer 5” and looked like this:

microsoft.com loaded in Internet Explorer 5

That 800x600 image was the typical resolution too, it was the most your common 15” CRT screen (in 4:3 aspect, of course) could display. Advanced users might see 1024x768 on a 17” screen, but it wasn’t mainstream.

This was a different era, the era in which Windows XP was born. XP was a very good thing back then, no doubt about it. But so was Everybody Loves Raymond and Britney Spears. (Let me rephrase – they were popular things!) They were also things that feel like a lifetime ago because in technology terms, they were.

But unlike Raymond and Britney, Windows XP refuses to move on (well at least unlike Raymond), in fact it has hung around until well after its due date. Whilst “we” have been able to get away with holding onto the past until now, all that’s about to change, and Internet Explorer 8 is a key catalyst.


Thursday, January 17, 2013

The problem with website security is us!


I write a lot about website security. Sometimes I’ll publicly point out flaws in software but there are many, many other times where it remains a private conversation for various reasons. The one common thread across most of these incidents is that as developers, we often make bad security design decisions. It’s us – the organic matter in the software development process – that despite the best of intentions make bad choices that introduce serious risks.

My belief – and one of the key reasons I so frequently write publicly about security – is that the best way to combat risks in software is to educate developers. All the security scans and penetration tests in the world won’t help when it can take just a single line of bad code or a solitary configuration setting made by the developer to bring everything undone. Of course it’s frequently much more than just one mistake too, ultimately, dear developer friends, it’s “us” that build mechanisms such as the one behind Tesco’s password recovery system:

Passwords are stored in a secure way. They’re only copied into plain text when pasted automatically into a password reminder mail.

You need to proactively help developers understand what these risks involve if you’re to mitigate them in code. Security education for developers is paramount! I’ll come back to the education piece, but let me first draw on some recent blog posts and other non-documented experiences just to put things into context.
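The quoted statement describes a design choice rather than a single bug: a site that can e-mail you your existing password must be able to reverse whatever “secure” storage it uses, which means every code path with that key can recover every user’s password. The following is an added illustration written for this page (not Tesco’s code and not from the original post): the reminder pattern the statement implies, beside the reset-token pattern that never reproduces the plaintext. The server key, the toy reversible scheme, the user names and the in-memory stores are hypothetical; the hashing and token handling use only the Python standard library.

```python
"""
Added illustration (not Tesco's code, not from the original post): the
"password reminder" pattern beside a reset-token pattern that never needs
the plaintext back. All keys, names and in-memory "tables" are hypothetical.
"""
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, Optional, Tuple

# --- The reminder pattern ---------------------------------------------------
# To mail a user their *existing* password, the server must be able to get the
# plaintext back, so "secure" storage can only mean reversible storage.
# Hypothetical toy reversibility: XOR with a server-side key. Any reversible
# scheme shares the property that matters: whoever holds the key (or any code
# path that sends reminders) can recover every user's password.
_SITE_KEY = b"hypothetical-server-side-key-0001"


def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def reminder_store(password: str) -> bytes:
    """What gets written to the database under the reminder design."""
    return _xor(password.encode(), _SITE_KEY)


def reminder_mail_body(stored: bytes) -> str:
    """The 'copied into plain text when pasted into a reminder mail' step."""
    return "Your password is: " + _xor(stored, _SITE_KEY).decode()


# --- The reset pattern -------------------------------------------------------
# Passwords are stored as salted, iterated hashes. No operation yields the
# plaintext again, so a reminder mail cannot exist; the user sets a new one.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is generated unless supplied."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


# The e-mail carries a one-time, short-lived random token. The database keeps
# only the token's hash, so a leaked table does not yield working reset links.
RESET_TTL_SECONDS = 15 * 60
_reset_tokens: Dict[str, Tuple[bytes, float]] = {}  # user -> (sha256(token), expiry)


def issue_reset_token(user: str, now: Optional[float] = None) -> str:
    """Create a token for the reset link; only its hash is stored server-side."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _reset_tokens[user] = (hashlib.sha256(token.encode()).digest(), now + RESET_TTL_SECONDS)
    return token


def redeem_reset_token(user: str, token: str, now: Optional[float] = None) -> bool:
    """True once per issued token, and only before it expires."""
    now = time.time() if now is None else now
    entry = _reset_tokens.get(user)
    if entry is None:
        return False
    token_hash, expiry = entry
    presented = hashlib.sha256(token.encode()).digest()
    if now > expiry or not hmac.compare_digest(token_hash, presented):
        return False
    del _reset_tokens[user]  # single use
    return True


if __name__ == "__main__":
    stored = reminder_store("correct horse")
    print(reminder_mail_body(stored))  # plaintext comes straight back out
    salt, digest = hash_password("correct horse")
    print(verify_password("correct horse", salt, digest))
    token = issue_reset_token("alice")
    print(redeem_reset_token("alice", token), redeem_reset_token("alice", token))
```

The point of the contrast is that the reset design has no `reminder_mail_body` equivalent to get wrong: once passwords are stored as salted PBKDF2 digests, the only thing the server can ever send is a token, and the token is useless after one use or fifteen minutes.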


Wednesday, January 16, 2013

People Talking Tech talking security


It was a few months back now, but last year I spent a little time with fellow MVP Denny Cherry on his podcast People Talking Tech. We had a great talk about security in general with a lot of focus on SQL injection in particular. It’s a nice light-hearted 24-minute chat that I enjoyed doing and I hope you enjoy listening to.

You can listen online or download from People Talking Tech, Episode 18 – Troy Hunt.

Oh – and I did end up recording that session with my 3 year old using Havij, it’s online on my blog under the title Hacking is child’s play – SQL injection with Havij by 3 year old.

Tuesday, January 15, 2013

Is Java the root of all evil and can you really live without it in the browser?


Last week something a bit unusual happened; Java was found to have a serious vulnerability. Ok, stop laughing, Java has obviously had many serious vulnerabilities over many years. What’s different this time though is that the US Computer Emergency Readiness Team (US-CERT) took the unprecedented step of telling folks to disable it in their browsers altogether.

Here’s the word from Homeland Security:

Due to the number and severity of this and prior Java vulnerabilities, it is recommended that Java be disabled temporarily in web browsers

And:

This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered. We are currently unaware of a practical solution to this problem.

Ok, so that’s not great and for me, it’s the final nail in the coffin. I say final nail because I’m well aware of the reported risks but until now, simply hadn’t been driven to the point of uninstalling Java. When I finally got down to thinking about it, I couldn’t put my finger on what sites I actually used that required Java in the browser. Oh sure, I know the damn thing pops up every other week with a security update but other than that, I rarely, rarely see it.

So on the weekend I nuked it. Gone from my 2 Windows 8 machines, gone from my Windows 7 machine, gone from my wife’s MacBook Air. So did this mean the web became unusable? Or was it business as usual, only more secure? Here’s my experience.


Monday, January 14, 2013

Inviting hackers into our homes via the internet of things


I was at the Web Directions South conference the other day and you know what really struck me? There is a lot of very cool, very connected stuff either here now or coming very soon. Hackable stuff!

So there’s this term going around which is The Internet of Things (it has its own Wikipedia page so it must be real), or in human speak, stuff that’s connected to the web. Unusual stuff like domestic appliances and cars – literally “things” rather than devices as we know them such as PCs and phones. The term isn’t new, but the rapid emergence of “things” is.

One of the best presentations I saw was from Tom Coates who talked extensively about all sorts of “things” that were connected to services. In fact Tom had gotten his “things” so organised that his house even has its own Twitter account called @TheHouseOfCoates which tells you everything that’s going on in, well, Tom’s house:

Twitter timeline of @TheHouseOfCoates

I harboured a brief pipedream of setting up something along the lines of RobTheHouseOfCoates.com which would provide would-be burglars with an easy notification system to identify prime periods where Tom’s house was unoccupied. This was partly inspired by PleaseRobMe.com but I ended up thinking better of it partly because Tom’s a nice bloke who I don’t want to see robbed and partly because it gave me grander, more devious ideas; just what opportunities is all this connectedness of “things” opening up to the evil-minded?

Clearly these “things” have the ability to improve our lives in all sorts of wonderful ways, but frankly, that’s a bit boring. Well at least it’s boring compared to the potential for misuse. That’s the exciting frontier; it’s one thing having your passwords breached on a website, it’s quite another when bad guys are controlling physical devices in your house. Let me speculate on just where this might be leading us…


Monday, January 7, 2013

Please login to your Facebook account: the execution of a data mining scam


So someone sends you a link to the latest Gangnam parody / cat meme / man jumping on frozen pool video and the link looks something like this: http://bit.ly/10PMelv

Nothing unusual about this, every second link shared these days uses a bit.ly or t.co (or comparable) URL shortener. Because you have an insatiable desire to participate in the latest social phenomenon, you click through and see this:

Login page
