Category Archives: Vulnerabilities

Windows WannaCrypt attack

This is interesting, and perhaps not unexpected: a vulnerability in Windows SMB 1 (used for shared drives) which was patched by Microsoft in March April, has been exploited.

It’s hit unpatched computers in numerous countries – most infamously, the UK’s National Health Service.

Despite what some Australian media is reporting, this tracker shows we are not immune — though it may be a reduced impact for now thanks to the weekend. Could be a different story on Monday.

For now it appears to have stopped thanks to someone finding a “kill switch”, but no doubt it or another version will hit again.

The lesson here for any of your computers that are connected to a network:

Patch them. Keep them up to date — preferably set them to automatically install patches.

If you’re using XP or older, Microsoft has just issued a patch, which you can get here.

You can also disable SMB 1 — note there are server and client portions, and that later versions of Windows make this a lot easier than earlier ones.

If you’re using Vista or older, find out about getting an upgrade. Vista patches stopped being issued earlier this year. You’ll be safe from this specific attack if you’re patched, but maybe not the next one. (Windows 7 keeps going until 2020.)

My assumption is that home users who use a broadband modem of some kind may not be at immediate risk this time from outside attack, since the modem can function as a basic firewall, but accidentally running an infected file from an email or web site could bring it in.

This attack has been serious, and other future ones will be too. So stay up to date, and stay safe.

  • Blatant plug: If you’re in southeast Melbourne and have no idea how to fix your computer, my brother-in-law runs this company that may be able to help: Bayside PC Services
  • In this blog post, Microsoft basically tells governments that they shouldn’t keep discovered vulnerabilities secret and exploit them for themselves (as the NSA did in this case, until that information was stolen) — that they should instead tell vendors so they can be fixed quickly. Difficult to argue with that.
  • Update May 2021: This new article notes that it is still a threat

Scammers making use of Telstra landline bug – part 3

Oops, a change of plan

It is only just this week that it occurred to me that I was most likely an unwitting victim of this bug, 21 years ago (early 1995). The planned Facts and myths about this landline bug will now be Part 4.

This is Part 3 of Scammers making use of Telstra landline bug. Read about the scam in Part 1, and learn how to test your landline for the bug in Part 2.

An unwitting victim

I was not able to call for an ambulance to a neighbour’s kitchen knife accident.

Of the six people involved in the incident, only my wife and I understand English clearly, which added to the problems/confusion.

My mother-in-law was visiting neighbours when she called out to us there had been an accident in the kitchen (and then continued in Khmer[1], to my wife). I rushed into the house and saw the mother and son huddled together. The mother was clearly distressed, and there was quite a bit of blood, but there was no ongoing blood loss and they weren’t losing consciousness, so I picked up the phone to call 000. But there was an Asian voice on the line.

Queensland Ambulance Service vehicle


I hung up for a few seconds, but the voice was still there, saying “Hello, hello”. Despite saying “please hang up”, and “Emergency here, please hang up”, it was a case of message received but not understood. I asked the victims where the other telephone was (thinking the voice was on another telphone extension somewhere else in the house, unaware of the drama). And I raced around the house and into the bedroom, but found no-one and no other telephone. We had just moved in and didn’t have our own telephone, so after trying the telephone once more, I ran to the payphone down the street and called the Ambulance.

The Ambulance eventually came and took them to hospital.

In the days and weeks afterward

Me, my wife, and my mother-in-law had come from New Zealand a few months before, where one can disconnect a remote caller by simply hanging up, provided that no-one else on your line has another phone off-hook.

Diagram showing a telephone call from phone A to phone line B which has two phones, B-x and B-y. Phone B-y is off-hook talking to A. Phone B-x is on-hook (idle)

Diagram of telephone call[3]
In New Zealand, phone B-x can get dial-tone provided phone B-y also hangs up.
In Australia, phone A must also hang up.

Referring to the diagram above, I raced around the house looking for phone B-y. But my mother-in-law knew the neighbours quite well and clarified there’s only one phone in the house, and that it was working (the day after), leading me to assume that it was on a party line[4]. They were unusual in urban areas, but one of my own friends had a 2-party line in Johnsonville (NZ) in 1989 – so it definitely wasn’t impossible.

I will never be absolutely certain of the truth, but it wasn’t until a few weeks after the scam story broke, and a few days after I wrote Part 2 that I realised that this bug is a much more plausible explanation for the difficulties. It means that in Australia, both the A-party and other telephones on the B-party’s line must hang up before the B-party can get dial-tone.

This has to change.

UPDATE Part 4 – Facts and myths about this landline bug is now available.

Links and Footnotes

ANZ: The rodeo clowns of online security

For years now I’ve been… less than impressed with the ANZ bank’s concept of how a secure banking website should work. Finally they’ve taken steps to harden their site. They’ve introduced “secret questions”, like “who was your best friend in high school”, “what’s your partner’s nickname” and “what’s your nickname for your youngest child”. At last, my money is now safe from thieves who will never guess that my my partner’s nickname is Cathy, my best friend in High School was Robert, and my youngest’s nickname is Marky. Oh, darn! I accidentally disclosed the answers to those secret questions! It’s as if that information would be widely available to any thief who took the time to look me up on Facebook (don’t bother, I’m not on Facebook).

Because in providing answers to these questions the security on my account was going up, not down, I couldn’t possibly be allowed to opt-out, with dire warnings about being liable for losses if someone found out the answers. To these most basic of questions.

Most other banks have implemented two-factor authentication. Even G-mail has two-factor authentication. But not the ANZ, they’ve stepped things up a notch. They’ve eschewed two-factor, and gone for “You’ll never guess the name of my pet, which I post on Facebook all day long”.

So I took my standard defensive action: attack surface reduction and target-value minimisation. To reduce the attack surface, for each answer I mashed the keyboard – so thieves, remember my first Primary School was in the suburb of pwofkmvosffslkdflsifcmmsmclsefscdsfpsdfpefsdflsd, or something. To minimise the value of the target, I swept all the funds out of the account. What’s wrong the the technique of establishing identity by the production and examination of 100 points of identifying documents?  Why do I need to have a favourite colour?

Cathy worked for the ANZ until recently, and the day she received her final paypacket she shut the account. Hated their account with a passion, but the ANZ is incapable of paying their employees through anything other than an ANZ account. Because, you know, banking is hard.

Allow more JavaScript, maintain privacy

I’ve long regarded JavaScript in the browser to be one of the biggest security holes in web-browsing, and at the same time the Internet works less and less well without it. In 2008 Joel Spolsky made the observation that for some people the Internet is just broken:

Spolsky:   Does anybody really turn off JavaScript nowadays, and like successfully surf the Internets?

Atwood:   Yeah, I was going through my blog…

Spolsky:   It seems like half of all sites would be broken.

Which is not wrong.  Things have changed in the last five years, and now the Internet is even more broken if you’re not willing to do whatever random things the site you’re looking at tells you to, and whatever other random sites that site links off to tell you to, plus whatever their JavaScript in turn tells you to. This bugs me because it marginalizes the vulnerable (the visually impaired, specifically), and is also a gaping security hole.  And the performance drain!

Normally I rock with JavaScript disabling tools and part of my tin-foil-hat approach to the Internet, but I’m now seeing that the Internet is increasingly dependent on fat clients. I’ve seen blogging sites that come up empty, because they can’t lay out their content without client-side scripting and refuse to fall back gracefully.

So, I need finer granularity of control.  Part one is RequestPolicy for FireFox, similar to which (but not as fine-grained) is Cross-Domain Request Filter for Chrome.

The extensive tracking performed by Google, Facebook, Twitter et al gives me the willys. These particular organisations can be blocked by ShareMeNot, but the galling thing is that the ShareMeNot download page demands JavaScript to display a screenshot and a clickable graphical button – which could easily been implemented as an image with a href. What the hell is wrong with kids these days?

Anyway, here’s the base configuration for my browsers these days:

FireFox Chrome Reason
HTTPSEverywhere HTTPSEverywhere Avoid inadvertent privacy leakage
Self Destructing Cookies “Third party cookies and site data” is blocked via the browser’s Settings, manual approval of individual third party cookies. Avoid tracking; StackOverflow (for example) completely breaks without cookies
RequestPolicy Cross-Domain Request Filter for Chrome Browser security and performance, avoid tracking
NoScript NotScripts Browser security and performance, avoid tracking
AdBlock Edge Adblock Plus Ad blocking
DoNotTrackMe DoNotTrackMe Avoid tracking – use social media when you want, not all the time
Firegloves (no longer available), could replace with Blender or Blend In I’ve have had layout issues when using Firegloves and couldn’t turn it off site-by-site polls rigged

A poll over whether “football” or “soccer” was a better name for the world game resulted in 2006 votes for each.

IT’S OFFICIAL. Australia is completely split down the middle on the issue of whether to call the world’s most popular sport “soccer” or “football”.

A reader poll which has attracted 4,012 votes at the latest count reveals that exactly 2006 people voted for football, and 2006 for soccer.

What they apparently didn’t realise was that the poll was rigged. A user posted to Reddit that he had hacked the system and ensured this and other polls came out equal.

I actually wrote a program where for each option someone voted, my program would vote once for every other option, thus maintaining a deadlock.

Every now and then, they reported on poll results as if it were actual news. After emailing them alerting them to this, they are yet to retract any of their articles.

The whole saga was blogged here.

Just in case News remove the story above, here’s a screendump. — update Wednesday 8:50pm: it has now been removed. poll

PIN no longer required: Costs externalized as personal endangerment

Australian consumers can now use their Visa cards to pay for small value transactions of $35 or less without entering a PIN or signing a receipt, Visa announced today.

This requires the retailer to actively persue this strategy, but the payment network no longer demands identification for these “low value” transactions. They claim that security isn’t compromised by this. Their logic goes like this:

  1. $35 isn’t much.
  2. If someone steals your card, they can only obtain $35 worth of goods and services per transaction until the card is shut down.
  3. Your card issuer will eventually notice all of these transactions and phone you to make sure everything is okay.
  4. The retailer wears the risk of these unauthorised transactions

So what’s to stop your teenager borrowing your card to go buy snacks at McDonalds (one of the early adoptors of this security-flexibility) whenever they’re hungry? The card company’s logic goes like this:

  1. $35 isn’t much.
  2. If someone borrows your card without your knowledge, they can only obtain $35 worth of goods and services per transaction.
  3. The retailer wears the risk of these unauthorised transactions

So why would a retailer run the risk of a month’s worth of Coles supermarket purchases (another early adopter) – which could easily exceed $1000 with one or two purchases a day – being fraudently run up? Because when you compain to your card issuer, they require a police report. The police, being a diligent lot, will follow up these $35 thefts, go to the stores, look at the video footage, realise they don’t know what you look like, come around to your house and compare the picture against you and decide it’s not you. Then they’ll think “How did this person who isn’t the cardholder get hold of the card and the cardholder didn’t notice until they got the bill?” and they’ll suspect an inside job, and ask you if you recognise the person in the video footage. If you want your teenager to have a crimal record with 30+ theft convictions you’ll scream “Sarah! Come here!” and that will be that; otherwise you might stay quiet.

Of course, it might not be your teenage daughter with the munchies; somebody at work might borrow the card from the wallet on your desk to buy lunch when they’ve run out of cash, or friends when you’re out “dining” at McDonalds.

Worse yet is the organised criminals who can easily prove their expenditure is not their own – it was in another state!  Because there’s no motivation to Express Post your card to an interstate confederate for them to have a quick run around with it before Express Posting it back. In short order it can become quite a bill too – at Apple Stores it’s up to $150 without a signature being needed.  These expenditures can be book-ended by legit local purchases, leading the card holder to say “well, I never authorized that, I’ve still got the card, so you figure it out”.  The costs of these thefts, which all the video footage in the world isn’t going to connect to the cardholder, and with some precautions the confederate either, goes onto the general costs of running the retail operation, pushing up prices.

Retailers always had the option of skipping the need to sign for a transaction – be it on their own heads.  So presumably they think that the video footage will reduce the level of experienced loss.

Now, presumably this fraud will cost less than the expenditure saved – assuming a check-out chick costs $25/hour to employ it implies at least 1.4 person-hours are saved per fraud, and assuming a saving of four seconds per transaction, they’re expecting no more than 1 fraud in 1280 transactions.  But I ask: isn’t it better to pay $35 to Aussie Battlersworking Aussie families… our most valuable assets rather than hand over, say $30, to criminals through lax security?

With contactless payments finally with us, there’s even more reason to fear unauthorized transactions, per this video of a guy stealing the identifying information off a smart card:

It appears that in addition to annual fees, international conversion fees, interest charges and so forth, the price of a credit card is the same as freedom: eternal vigilance.

All of this is lovely and academic, but the activity by retailers and card issuers has the effect of turning every card in my wallet into many unchallenged $35 purchases. This acts as a motivator to steal my cards from me.  If my wallet is stolen, I can immediately cancel the cards, so no risk there. So to get at the lovely $35 goodness, the thief needs to stop me doing that – clonking the victim on the head is a good way of preventing reporting. I like my head. I don’t mind spending 4 seconds a transaction to prevent a increase in people getting brained.

The worst part is there’s no way to opt out of this reduced security; I can’t say to Visa: “No, for my card, only pay money when a PIN is supplied.”  It’s forced on everyone. I remember when these PIN things came out, and I was repeatedly assured that they were more secure than a signature, and I could assure them that it wasn’t – the damn PIN is encoded on the mag strip of the card (precisely copied in seconds!), and any fool can see you keying your PIN in. Now another layer of security has been whittled away, leaving… video investigation.

I feel so safe!

The logo doesn’t make it secure

See the protocol on the front? On the page, net to the big verisign logo:

We guarantee that every transaction you make on our website will be safe. Our secure server software (SSL) is the best software available today for secure commerce transactions. It encrypts all of your personal information, including credit card number, name, and address, so that it cannot be read as the information travels over the Internet. When an order is received, SSL is again used to unscramble the message, check that it came from the correct sender, and verify that it has

Has what? It’s a mystery.

What is it with these half-baked web pages?

Common Passwords

A UK mob has collected Top 10 Most Common Passwords; soccer teams rate highly. German passwords are just as lame, with the f-word, hello and digits strings starting with 1234 rating very highly, as does treasure and, for some odd reason, Daniel (care to explain, mister?).

Dictionary based searching works – if you aren’t going through something that monitors that sort of thing. Ophcrack will break into a Windows system, by running through very large dictionaries, some of which are available only by purchase.

Perhaps to read the advice on Choosing a Pretty Good Password. Myself, most of my passwords are highly insecure. But that’s only because they’re on systems I don’t give a tinker’s cuss about. The ones I do are pretty tight.

Does anyone out there use multiple, changing, strong passwords? If so, how do you keep them straight? If not, why are you toying with your security like that?