Category Archives: Security

Scammers making use of Telstra landline bug – part 2

TL;DR(1) – Telstra has a bug in their landline system. It’s time to get rid of it for good.

TL;DR(2) – The bug is when someone calls your landline they can prevent you from hanging up. Find out how to test, and how to protect yourself from scams.

This is Part 2 of Scammers making use of Telstra landline bug. Read about the scam in Part 1.

Yes, it is a bug

Bug, n:
An error in software[1] that causes results to be different from expected.

Mug shot of mean-looking man

Section 7.2.1? Just gimme a phone that works[2]

Let’s get one thing straight: I’m calling it a bug … #CallASpadeASpade. I certainly understand the people who point out the phone network complies with Section 7.2.1 of BT SIN 721 [pdf] (or Australia’s equivalent), but that is extraordinarily unhelpful. Most people expect calls to disconnect when they hang up. Therefore (to most people) it is a bug.

Now that’s out of the way, on to checking your landline for the bug, and protecting yourself from scams.

Testing your landline (easy)

Instructions for testing:

  1. The most reliable test is from another landline,[3] within the same local calling area. So you should ask a friend or neighbour. The caller is the A-party, calling your landline (the B-party).
  2. The A-party calls the B-party who answers.
    RESULT: A & B parties talking.
  3. B-party hangs up.
    RESULT: A-party hears silence.
  4. [OPTIONAL] Using a mobile phone or similar, quickly call the B-party.
    RESULT: False busy tone.[4]
  5. B-party picks up (within 30 seconds).
    RESULT: They connect back to the A-party. A & B parties talking.
  6. B-party hangs up. The A-party should time how long it takes before they hear disconnect (beeping) tone.
    LIKELY RESULT: 30 or 90 seconds, but could be five minutes.
  7. Repeat the test, but A & B parties should swap roles.
    Here, you’re doing your friend a favour by testing their landline for the same bug.

Shocked?

The official term is CSH (Called Subscriber Held) or A-Party Hold Release[correction]. I call it a very nasty bug because the victim (having received an unusual call) believes they’re doing the right thing by initiating their own call to verify the circumstances, but in reality they are still connected to the A-party scammer. This bug can be used in many different ways by different scammers, particularly to glean private information from the victim, but it is also possible to simply cause confusion, or lure someone to their death.

Continue reading to learn if a scammer is still on your line after a call.

How to protect yourself

Every man and his dog is making calls[5] (video, 0m59s)

By now, every man and his dog will have called each other and concluded their landline is vulnerable. Based on discussions with Internode (my telephone provider), Telstra has informed them that there is “nothing that can be done”. Even if they change their mind, it might take three to six months.

So, in the meantime, if you get any strange call (or they hang up just as you answer) stop and think. If you call someone else quickly, you might fall victim. You have to check your landline is genuinely free.

Probably the best way is to use your mobile telephone to call your landline; you should hear ringing through your mobile, and hear the landline ringing[4]. You don’t have to answer your landline, so hang up (end call) on the mobile, to avoid being charged. If you can’t do that, there have been some other suggestions from various people.

  1. If you have a toll bar on your landline, call a barred number. The wording of the message should be exactly the same.
    Perhaps you should organise 1900 barring now, if you don’t have it already.
  2. Call a trusted friend or loved one. BEWARE: The scammer may still be on the line, eavesdropping.
  3. Sidestep the issue by using a different telephone (or mobile telephone) to make your outgoing call (to the bank/police).
  4. Wait five minutes for the line to clear
    The problem with this is clearing times vary significantly, and the scammer could simply defeat you by calling you again at the four-minute mark.

Complexity, complexity, complexity

Australians have a habit of making simple things complex (yes, train tickets in Melbourne are too complex for tourists and locals), but I am still stunned that the act of hanging up the telephone is this complex.

I am entitled to think that it will work as expected (as it does in New Zealand).

And I’m entitled to think that a scammer will not be able to interfere with the use of my telephone, or any other technology. CSH (as it is termed) should have died with the last mechanical exchange, and it is time to get rid of it for good, in order to protect people from fraud[6], as well as make the phone network simple to use.

Stay tuned for Part 3 – Facts and myths about this landline bug

Links and Footnotes

Update: Added Telstra link.

Scammers making use of Telstra landline bug – Part 1

TL;DR – When someone calls your landline, they can prevent you from hanging up, and intercept calls you make afterwards.

There is a bug lurking on Telstra’s landline telephone system which scammers are making use of. The scam is described in The Age; it usually runs like this, where a scammer (the A-party) calls a victim (the B-party):

IMPORTANT NOTE: If you are receiving malicious calls, speak with your telephone provider (most have procedures to trace calls). If these calls are life threatening, call the Police on 000, within Australia.

On the phone to the "bank"

Telephone fraud

A-party:
This is the Rolex Store manager here. Someone has attempted to use your credit card here. Please call your bank straight away and cancel your card.
B-party:
Thanks. (hangs up) [NOT TRUE: Call is still connected because A-party has not hung up]
B-party
(picks up receiver, hears dial tone) [NOT TRUE: Scammer is playing fake dial tone]
(Dials the number, hears the usual bank menus, and gets through to someone [Actually: the scammer’s mate].
A-party
The scammer’s mate tells a false story of an attempt to withdraw the entire victim’s savings account and pretends to place "Red Alerts" on the account.

Some days and several calls later, the victim is told the only way to protect the money is to transfer it to a "Safety Deposit" account with Barclays in the UK until Police investigations are concluded. Several victims have complied, losing $5m in the process.

While the Fairfax media (The Age) goes into the fraud in some detail, they only make cursory mention of a "long-held" cold-call scam, and they don’t even identify it as a bug.

A Software bug

The bug is that when the B-party hangs up, the call does not disconnect. It only disconnects if the A-party hangs up, or if a timeout expires[1].

It is a very nasty bug, because most people believe that if they initiate their own call to the bank (or Police), the call is safe. The bug does not occur in New Zealand; the call disconnects as soon as either party hangs up. This has always been the case (30+ years)[2] [3].

Like any security bug in Linux/Firefox/Windows/Oracle/etc, the question naturally arises: when can we expect a fix, and what are the precautions/workarounds?

It is Telstra’s responsibility to fix this bug.

UPDATE Part 2 – how to test your landline for the bug, and ways to protect yourself is now available

Links and Footnotes

Chrome starts blocking web sites using HTTPS over SSL3

It would seem some organisations still haven’t got the message on SSL vulnerabilities, even one with a publicity-friendly name like Poodle.

For instance, Swinburne University of Technology, which is actually one of Australia’s better universities to learn computer science, has its student portal still trying to use SSL 3.

MySwinburne SSL error

My son was trying to figure out why he couldn’t connect with Chrome. Only by clicking for details do you get the slightly cryptic error: “ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION”

It turns out Chrome has disabled fallback to SSL3. For now you can override it (though it’s easier for now just to use another browser), but soon it’ll be disabled completely. Site owners will need to make sure their servers support TLS instead.

They’ve also started giving a warning on SHA-1 certificates — no more green logo; it’s gone yellow, with a warning: “This site is using outdated security settings that may prevent future versions of Chrome from being able to safely access it.” Again, it’s up to site owners to resolve this, by updating their certificates.

badges.del.icio.us malware

Interesting warning from Google when displaying some pages on this geekrant.org:

Malware warning

In response I’ve disabled the Socialize plug-in which was serving them. Hopefully that makes the warning go away — I’ll look for another way to display social media buttons.

Airliner shootdowns ought to be technically impossible

Using missile to shoot down an airliner ought to be made impossible.  It may be a lack of imagination on my part, but I can’t think of a circumstance where a military force needs the ability to shoot down civilian aircraft.  There aren’t a lot of manufacturers of surface-to-air missile systems, regardless of their level of sophistication and range – shoulder launched or vehicle-mounted – so changing those designs to prevent civilian shootdowns ought not be a big deal. Admittedly there are many more means of bringing down aircraft beyond SAMs, but not a lot of them have the reach to bring down cruising airliners.

Civilian airliners have carried IFF transponders since World War II, so there’s the infrastructure in place already for the identification of non-military aircraft.  Furthermore, it’s a violation of Article 37 1.c of the Geneva Conventions to pretend you’re a civilian – that is, it’s a war crime with all the international condemnation that goes with that, so it’s reasonable to make weapons that refuse to down aircraft that identify themselves as civilian.

So, why is this still happening?

Tap and Go causes crime: duh

Ken Lay says that in the last year in Victoria, 11500 extra crimes caused by Tap and Go cards have meant that the crime rate in Victoria has gone up (5%) rather than down.  These additional “crimes of deception” and are apparently tying up police.

It’s slack. Totally slack. There’s no control over it. And what are we finding? There’s been a huge spike in different offences committed to facilitate it; cars being broken into, mail stolen, handbags grabbed, purely because of industry introducing a new practice without any regard to security.

We have taken the view we should be taking on industry over this because our concern is they’ve introduced new practices with no regard to the implications on security and there’s no prevention measures, which is at times bogging down our members in work and time that could be better spent on some really serious type of investigations or responding to critical issues.

Assistant Commissioner Stephen Fontana

And the ABA says “no ways!” and says that dollar value of fraud is down since chip-in-card (neglecting that this isn’t about that) but allowing that losses following theft are up 35% (to only $20m/year).  And ignores all the crime that would be associated with obtaining the cards.

Programmatically create Django security groups

Django authentication has security roles and CRUD permissions baked in from the get-go, but there’s a glaring omission: those roles, or Groups, are expected to be loaded by some competent administrator post-installation.  Groups are an excellent method of assigning access control to broad roles, but they don’t seem to be a first-class concept in Django.

It seems that you can kind-of save these values in by doing an export and creating a fixture, which will automatically re-load at install time, but that’s not terribly explicit – not compared to code. And I’m not even sure if it will work.  So here’s my solution to programmatically creating Django Groups.

management.py, which is created in the same directory as your models.py and is automatically run during python manage.py syncdb:

from django.db.models import signals
from django.contrib.auth.models import Group, Permission
import models 

myappname_group_permissions = {
  "Cinema Manager": [
    "add_session",
    "delete_session",
    "change_ticket",
    "delete_ticket",         # for sales reversals
    "add_creditcard_charge", # for sales reversals
    ],
  "Ticket Seller": [
    "add_ticket",
    "add_creditcard_charge",
    ],
  "Cleaner": [ # cleaners need to record their work
    "add_cleaning",
    "change_cleaning",
    "delete_cleaning",
    ],
}

def create_user_groups(app, created_models, verbosity, **kwargs):
  if verbosity>0:
    print "Initialising data post_syncdb"
  for group in volunteer_group_permissions:
    role, created = Group.objects.get_or_create(name=group)
    if verbosity>1 and created:
      print 'Creating group', group
    for perm in myappname_group_permissions[group]: 
      role.permissions.add(Permission.objects.get(codename=perm))
      if verbosity>1:
        print 'Permitting', group, 'to', perm
    role.save()

signals.post_syncdb.connect(
  create_user_groups, 
  sender=models, # only run once the models are created
  dispatch_uid='myappname.models.create_user_groups' # This only needs to universally unique; you could also mash the keyboard
  )

And that’s it. Naturally, if the appropriate action_model permissions don’t exist there’s going to be trouble.  The code says: After syncdb is run on the models, call create_user_groups.

ANZ: The rodeo clowns of online security

For years now I’ve been… less than impressed with the ANZ bank’s concept of how a secure banking website should work. Finally they’ve taken steps to harden their site. They’ve introduced “secret questions”, like “who was your best friend in high school”, “what’s your partner’s nickname” and “what’s your nickname for your youngest child”. At last, my money is now safe from thieves who will never guess that my my partner’s nickname is Cathy, my best friend in High School was Robert, and my youngest’s nickname is Marky. Oh, darn! I accidentally disclosed the answers to those secret questions! It’s as if that information would be widely available to any thief who took the time to look me up on Facebook (don’t bother, I’m not on Facebook).

Because in providing answers to these questions the security on my account was going up, not down, I couldn’t possibly be allowed to opt-out, with dire warnings about being liable for losses if someone found out the answers. To these most basic of questions.

Most other banks have implemented two-factor authentication. Even G-mail has two-factor authentication. But not the ANZ, they’ve stepped things up a notch. They’ve eschewed two-factor, and gone for “You’ll never guess the name of my pet, which I post on Facebook all day long”.

So I took my standard defensive action: attack surface reduction and target-value minimisation. To reduce the attack surface, for each answer I mashed the keyboard – so thieves, remember my first Primary School was in the suburb of pwofkmvosffslkdflsifcmmsmclsefscdsfpsdfpefsdflsd, or something. To minimise the value of the target, I swept all the funds out of the account. What’s wrong the the technique of establishing identity by the production and examination of 100 points of identifying documents?  Why do I need to have a favourite colour?

Cathy worked for the ANZ until recently, and the day she received her final paypacket she shut the account. Hated their account with a passion, but the ANZ is incapable of paying their employees through anything other than an ANZ account. Because, you know, banking is hard.

Allow more JavaScript, maintain privacy

I’ve long regarded JavaScript in the browser to be one of the biggest security holes in web-browsing, and at the same time the Internet works less and less well without it. In 2008 Joel Spolsky made the observation that for some people the Internet is just broken:

Spolsky:   Does anybody really turn off JavaScript nowadays, and like successfully surf the Internets?

Atwood:   Yeah, I was going through my blog…

Spolsky:   It seems like half of all sites would be broken.

Which is not wrong.  Things have changed in the last five years, and now the Internet is even more broken if you’re not willing to do whatever random things the site you’re looking at tells you to, and whatever other random sites that site links off to tell you to, plus whatever their JavaScript in turn tells you to. This bugs me because it marginalizes the vulnerable (the visually impaired, specifically), and is also a gaping security hole.  And the performance drain!

Normally I rock with JavaScript disabling tools and part of my tin-foil-hat approach to the Internet, but I’m now seeing that the Internet is increasingly dependent on fat clients. I’ve seen blogging sites that come up empty, because they can’t lay out their content without client-side scripting and refuse to fall back gracefully.

So, I need finer granularity of control.  Part one is RequestPolicy for FireFox, similar to which (but not as fine-grained) is Cross-Domain Request Filter for Chrome.

The extensive tracking performed by Google, Facebook, Twitter et al gives me the willys. These particular organisations can be blocked by ShareMeNot, but the galling thing is that the ShareMeNot download page demands JavaScript to display a screenshot and a clickable graphical button – which could easily been implemented as an image with a href. What the hell is wrong with kids these days?

Anyway, here’s the base configuration for my browsers these days:

FireFox Chrome Reason
HTTPSEverywhere HTTPSEverywhere Avoid inadvertent privacy leakage
Self Destructing Cookies “Third party cookies and site data” is blocked via the browser’s Settings, manual approval of individual third party cookies. Avoid tracking; StackOverflow (for example) completely breaks without cookies
RequestPolicy Cross-Domain Request Filter for Chrome Browser security and performance, avoid tracking
NoScript NotScripts Browser security and performance, avoid tracking
AdBlock Edge Adblock Plus Ad blocking
DoNotTrackMe DoNotTrackMe Avoid tracking – use social media when you want, not all the time
Firegloves (no longer available), could replace with Blender or Blend In I’ve have had layout issues when using Firegloves and couldn’t turn it off site-by-site