
Wednesday, 28 September 2016

Double trojan

Subject: There has been a change to your parcel delivery

I get a lot of email about parcels. I'd guess that a lot of people on the internet receive a lot of parcels, so an email about "your parcel" stands a good chance of not being ignored. The interesting thing about this one is that it came with two files.

encryption_key.zip
tracking_encrypted0928.doc

The explanation in the email was "The new privacy policy. All personal information is encrypted in attached document.".

Neat idea. Except that the encryption_key.zip file contained a javascript program, obfuscated, and I can't be bothered to reverse engineer it, oops, I mean stare at it until I understand it, but it references "http://worinmena.com/l.exe" which I'm guessing gets downloaded and does something unpleasant.

I sent encryption_key.zip to Virustotal, and no product flagged it. I also tried tracking_encrypted0928.doc, which was first submitted about an hour before I received it, and 4/55 products flag it as malware.


Monday, 26 September 2016

Pix log analysis

I've been logging all the Pix messages to the system log on a server, and I told that server to keep the Pix messages in a separate file. Today, I had a look at that file.

There were a third of a million messages, and that's just two days' worth. So I wrote a program.

#!/usr/bin/perl
# Analyse pixlog: count the commonest messages, print anything unrecognised
use strict;
use warnings;

my %n;    # one counter per category

open my $pixlog, '<', '/var/log/pixlog' or die "Cannot open /var/log/pixlog: $!";
while (<$pixlog>) {
  if (/exceeds configured limit/) {$n{bigdns}++; next}
  # \b after a port so that /23 does not also match /230 or /2300
  if (/outside:outside-interface\/(23|2323)\b/) {$n{outsidetelnet}++; next}
  if (/outside:outside-interface\//) {$n{outsideother}++; next}
  if (/\/(23|2323) by access-group "outside_access_in"/) {$n{telnet}++; next}
  # (\d+) rather than (\d*): an empty capture is not a port number
  if (/Deny tcp .*outside.*outside.*\/(\d+)/ and $1 > 1023) {$n{denyootcpgt1024}++; next}
  if (/Deny udp .*outside.*outside.*\/(\d+)/ and $1 > 1023) {$n{denyooudpgt1024}++; next}
  if (/Deny tcp .*outside.*dmz.*\/(\d+)/ and $1 > 1023) {$n{denyodtcpgt1024}++; next}
  if (/Deny udp .*outside.*dmz.*\/(\d+)/ and $1 > 1023) {$n{denyodudpgt1024}++; next}
  if (/Deny tcp .*outside.*inside.*\/(\d+)/ and $1 > 1023) {$n{denyoitcpgt1024}++; next}
  if (/Deny udp .*outside.*inside.*\/(\d+)/ and $1 > 1023) {$n{denyoiudpgt1024}++; next}
  if (/Deny.*outside.*outside:212\.58\.55\.(\d+)/ and $1 > 224) {$n{nosuchserver}++; next}

  if (/Deny.*outside.*(outside|dmz|inside).*\/445\b/) {$n{samba}++; next}
  if (/Deny.*outside.*(outside|dmz|inside).*\/111\b/) {$n{rpc}++; next}
  if (/Deny.*outside.*(outside|dmz|inside).*\/13[789]\b/) {$n{samba}++; next}
  if (/Deny.*outside.*(outside|dmz|inside).*\/587\b/) {$n{port587}++; next}
  if (/Deny.*outside.*(outside|dmz|inside).*\/22\b/) {$n{ssh}++; next}
  if (/Deny.*outside.*(outside|dmz|inside).*\/(343|433|995|500|444|161|1000|8[123456789]|123|17|19|523|520|456|623|417|135|389|990)\b/) {$n{ports}++; next}
  if (/Deny.*outside.*(outside|dmz|inside).*\/(21|69)\b/) {$n{ftp}++; next}
  if (/Deny.*outside.*(outside|dmz|inside).*\/53\b/) {$n{dns}++; next}
  if (/Deny.*outside.*(outside|dmz|inside).*\/25\b/) {$n{email}++; next}
  if (/Deny.*outside.*(outside|dmz|inside).*\/(143|110)\b/) {$n{imap}++; next}
  if (/Deny.*outside.*(outside|dmz|inside).*\/(80|443)\b/) {$n{http}++; next}
  if (/Invalid destination for ICMP error message/) {$n{invalidicmpdest}++; next}
  if (/dst outside:global-out/) {$n{globalout}++; next}

  if (/regular translation creation failed for icmp src dmz:nsint1-2/) {$n{regnsint1}++; next}
  if (/regular translation creation failed for icmp src dmz/) {$n{regdmz}++; next}
  if (/Deny IP due to Land Attack from up-works-out to up-works-out/) {$n{land}++; next}
  if (/Denied ICMP type=0, from laddr/) {$n{icmp0}++; next}
  if (/Denied ICMP type=3, code=3/) {$n{icmp3}++; next}
  if (/No translation group found for udp src dmz:sadii.*53/) {$n{notrans}++; next}
  if (/Deny icmp src dmz:\d/) {$n{icmpfromd}++; next}
  if (/Deny tcp src dmz:\d/) {$n{tcpfromd}++; next}
  if (/Deny udp src dmz:\d/) {$n{udpfromd}++; next}    # was "ucp", which could never match
  if (/212\.58\.55\.192/) {$n{accessto192}++; next}
  if (/reason: MSS exceeded/) {$n{mssexceeded}++; next}
  $n{other}++;
  print $_;    # anything unrecognised is shown in full for inspection
}
close $pixlog;

# One line per category; a category that never fired is simply absent
printf "%-18s %d\n", $_, $n{$_} for sort keys %n;
exit;
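As an added illustration (my own code, not the script from the post), here is the same kind of triage in Python, but with the "Deny" line split into named fields first and the destination port compared as a whole number, so that /22 cannot be mistaken for /2222. The message layout assumed is that of %PIX-4-106023 as rsyslog writes it; the sample log lines and the RFC 5737 addresses in them are constructed for this example, and the category names mirror the Perl counters above.

```python
import re
from collections import Counter

# Field layout assumed for the %PIX-4-106023 "Deny" message as it lands in the syslog
# file. Interface and address fields allow hyphens and dots because the Pix substitutes
# configured names (e.g. "outside-interface", "nsint1-2") for raw addresses.
DENY_RE = re.compile(
    r'%PIX-(?P<sev>\d)-(?P<msgid>\d{6}): Deny (?P<proto>tcp|udp|icmp) '
    r'src (?P<src_if>[\w-]+):(?P<src_addr>[\w.-]+)(?:/(?P<src_port>\d+))? '
    r'dst (?P<dst_if>[\w-]+):(?P<dst_addr>[\w.-]+)(?:/(?P<dst_port>\d+))?'
    r'(?: by access-group "(?P<acl>[^"]+)")?'
)

# Destination ports grouped the way the Perl script groups them. Membership is tested
# on the whole port number, so 22 does not also catch 220 or 2222.
PORT_GROUPS = {
    "telnet": {23, 2323},
    "samba":  {445, 137, 138, 139},
    "rpc":    {111},
    "ssh":    {22},
    "ftp":    {21, 69},
    "dns":    {53},
    "email":  {25, 587},
    "imap":   {143, 110},
    "http":   {80, 443},
}

# Constructed sample lines (not from the author's firewall).
SAMPLE_LOG = [
    'Sep 26 09:00:01 pix %PIX-4-106023: Deny tcp src outside:203.0.113.9/51234 dst inside:192.0.2.10/23 by access-group "outside_access_in"',
    'Sep 26 09:00:02 pix %PIX-4-106023: Deny tcp src outside:203.0.113.9/51235 dst inside:192.0.2.10/2323 by access-group "outside_access_in"',
    'Sep 26 09:00:03 pix %PIX-4-106023: Deny tcp src outside:198.51.100.4/40000 dst inside:192.0.2.10/2222 by access-group "outside_access_in"',
    'Sep 26 09:00:04 pix %PIX-4-106023: Deny udp src outside:198.51.100.4/40001 dst dmz:192.0.2.20/445 by access-group "outside_access_in"',
    'Sep 26 09:00:05 pix %PIX-4-106023: Deny tcp src outside:198.51.100.7/40002 dst dmz:192.0.2.20/22 by access-group "outside_access_in"',
    'Sep 26 09:00:06 pix %PIX-4-106023: Deny icmp src outside:198.51.100.7 dst inside:192.0.2.10 (type 8, code 0) by access-group "outside_access_in"',
    'Sep 26 09:00:07 pix %PIX-3-305006: regular translation creation failed for icmp src dmz:192.0.2.30 dst outside:203.0.113.1',
]


def parse_deny(line):
    """Fields of a 106023 Deny line as a dict, or None for any other message."""
    m = DENY_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sev", "src_port", "dst_port"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def classify(rec):
    """Counter name for one parsed Deny record."""
    if rec["proto"] == "icmp":
        return "icmp"
    port = rec["dst_port"]
    for name, ports in PORT_GROUPS.items():
        if port in ports:
            return name
    if port is not None and port > 1023:
        # same bucket as the Perl deny-*-gt1024 counters, keyed by target interface
        return f"{rec['proto']}-gt1023-to-{rec['dst_if']}"
    return "other"


def summarise(lines):
    """Count Deny lines per category; lines of other message types are returned
    untouched so they can be eyeballed, as the Perl script prints them."""
    counts = Counter()
    unmatched = []
    for line in lines:
        rec = parse_deny(line)
        if rec is None:
            unmatched.append(line)
            continue
        counts[classify(rec)] += 1
    return counts, unmatched


if __name__ == "__main__":
    counts, unmatched = summarise(SAMPLE_LOG)
    for name, total in sorted(counts.items()):
        print(f"{name:22s} {total}")
    print("unrecognised:", len(unmatched))
```

Run against the real file with `summarise(open("/var/log/pixlog"))`; the `unmatched` list is the part worth reading by hand, since it is whatever the classifier has no rule for yet.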


That program eliminated the commonest logs. For example, more than half of the logs are telling me about an attempt to telnet to one of my servers. Which is not going to happen, but they wouldn't be doing it unless it works sometimes, so there must be a lot of unsecured things on the internet that you can telnet to. I'd guess that a lot of them are light bulbs or other stupid things that the vendor likes to claim "you can control it with your smartphone" and hasn't bothered with any silly security stuff. I mean, if your light bulb gets hacked, so what? Well, "so what" is that it can be used as part of a botnet, sending out spam or doing DDOS (distributed denial of service) attacks.

Anyway.

It got the 1/3 million logs down to under 1000, and I could actually check those, and in doing so, I did find some minor misconfigurations of my network.

- some of my servers were using the wrong place to get their daily time check
- some of my servers were being advertised as mail servers, but the firewall wasn't allowing inbound email - that's because it will *all* be spam, I'll explain why later
- one of the rules in my firewall was in the wrong place, after the "deny everything else" rule, and, obviously, there's no point in having a rule after that. So I moved the rule to where it should have been.

So, minor stuff (if there had been anything major, I'd have noticed it before). But it's nice to have everything hunky-dory.

Now, about that spam.

If you do "dig mx drsolly.com" then you'll see in the answer section:

drsolly.com.        3600    IN    MX    5 ns2.drsolly.com.
drsolly.com.        3600    IN    MX    2 ns1.drsolly.com.

Or you might see:

drsolly.com.        3600    IN    MX    2 ns1.drsolly.com.
drsolly.com.        3600    IN    MX    5 ns2.drsolly.com.

What a mail sender is supposed to do is choose the lowest-numbered server (in this case,
ns1.drsolly.com) and send the mail there. If that server isn't responding, then you go to the next-lowest-numbered one, in this case ns2.drsolly.com. And you can have any number of these. Google has five.

But spammers don't care about the ranking; they just send the spam to the first on the list. So, if you have a list of ten mail servers, everything that goes to the ones that aren't the lowest-numbered one is spam!

Isn't that handy?

So for most of my email, I run a dozen mail servers. Anything that isn't sent to the first two is 100% spam. It's a nice way to sort it out. And, of course, most of those servers can be fictitious.
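To make the MX trick concrete, here is an added example of my own (not the blog's code): it sorts a record set into the order RFC 5321 requires a sender to try, and then splits a list of connections into deliveries to an expected host and deliveries a sender would only make if it ignored the preferences. The `depth` parameter allows the first two hosts, as the post does, so a conforming sender that fell back to the backup during an outage is not flagged. The record set uses the two hosts from the dig output above plus invented `.example` decoys, and the connection list is constructed.

```python
import random

# Constructed MX record set, in the shape "dig mx" prints it: (preference, host).
# ns1/ns2 are the two hosts shown above; the ".example" entries stand in for the
# fictitious decoy servers the post mentions.
MX_RECORDS = [
    (5, "ns2.drsolly.com."),
    (2, "ns1.drsolly.com."),
    (20, "mx-decoy-a.example."),
    (10, "mx-decoy-b.example."),
]

# Constructed connection log: which MX host each client delivered to.
CONNECTIONS = [
    ("198.51.100.10", "ns1.drsolly.com."),
    ("198.51.100.11", "ns2.drsolly.com."),
    ("203.0.113.5", "mx-decoy-a.example."),
    ("203.0.113.6", "mx-decoy-b.example."),
]


def delivery_order(records, rng=random):
    """Hosts in the order a conforming sender tries them (RFC 5321 section 5.1):
    ascending preference number; equal preferences are shuffled to share load."""
    by_pref = {}
    for pref, host in records:
        by_pref.setdefault(pref, []).append(host)
    order = []
    for pref in sorted(by_pref):
        hosts = list(by_pref[pref])
        rng.shuffle(hosts)
        order.extend(hosts)
    return order


def expected_targets(records, depth=2):
    """Hosts that legitimate mail can reach: the first `depth` in delivery order
    (the primary plus the backups you are prepared to believe were needed)."""
    return set(delivery_order(records)[:depth])


def triage(records, connections, depth=2):
    """Split (client, mx_host) pairs into expected deliveries and deliveries that
    skipped every higher-ranked server, which the post treats as spam."""
    ok = expected_targets(records, depth)
    expected, suspect = [], []
    for client, host in connections:
        (expected if host in ok else suspect).append((client, host))
    return expected, suspect


if __name__ == "__main__":
    print("delivery order:", delivery_order(MX_RECORDS))
    expected, suspect = triage(MX_RECORDS, CONNECTIONS)
    print("expected:", expected)
    print("suspect :", suspect)
```

The decoy hosts need no mail software at all; a listener that records the client address and closes the connection is enough to produce the `CONNECTIONS` list, and nothing a conforming sender does will ever reach it while ns1 and ns2 are up.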

Sunday, 25 September 2016

I get offers

These are from the last eight hours, to just one of my email addresses.


DEAR SIR/MADAM,

MY NAME IS THOMAS MANU, THE DIRECTOR OF OPERATIONS
AT THE GHANA NATIONAL PETROLEUM CORPORATION. I APPRECIATE THIS CHANCE TO
COMMUNICATE WITH YOU TO MOVE MY INVESTMENT FORWARD AS I VALUE YOUR
EXPERTISE IN THE PROCESS. IN MY QUEST TO ESTABLISH A VIABLE INVESTMENT, MY
SOLICITOR RECOMMENDED YOU AS A PERSON WITH INNOVATIVE PROGRAMS THAT HAVE
SEEN BUSINESSES SUCCEED IN YOUR COUNTRY.

FOR THIS REASON, I AM OPTIMISTIC
THAT YOU WILL FIND MY PROPOSAL OF MILLION, A GOOD INVESTMENT CAPITAL FOR AN
ESTABLISHMENT IN YOUR METROPOLIS WITH HIGH POTENTIAL RETURNS.I WOULD
GREATLY APPRECIATE THE CHANCE TO MEET WITH YOU SO WE CAN START NEGOTIATION
AND TRANSFER PROCESS. PLEASE ACKNOWLEDGE PROPOSAL SO THAT WE PROCEED WITH
DETAILS.

SINCERELY,
THOMAS MANU
DIRECTOR
GNPC


Dear Sir,

I write from the - ICPC (Independent Corrupt Practices Commission). The apex investigative
body saddled with the responsibility of fighting corruption and other related offences.
The ICPC was inaugurated on the 29th of September 2000.
Section 6 (a-f) of the ICPC Act 2000 sets out the duties of the Commission and other related
offences departments such as to receive and investigate complaints from members of the public
on allegations of corrupt practices and in appropriate cases, prosecute the offenders.
With respect to the prosecution of cases, the Corrupt Practices and Other Related Offences Act
2000 provide that every prosecution for offences under it shall be deemed to be done with the
consent of the Attorney-General.

Your payment file was referred to our office for scrutiny by the Union Bank officials because
in the process of verifying your status, a woman by name (MRS: KERRY MORTON) came to their
office with an application stating that you gave her the power of attorney to be the
beneficiary of your outstanding funds. She made them to believe that you are dead and that she
is your next of kin.

The ICPC, officials of the Union Bank and officials from other related Offences have deliberated
and resolved to treat your file as it appears, with strict and cautionary procedures. The
information is as follows:
NAME OF BANK: FIRST NATIONAL BANK
  ADDR: 120 SO. 2nd. ST.
  BLYTHEVILLE, ARKANSAS 72315 USA
  ACCOUNT NUMBER: 482986
  ROUTING NUMBER:084107343
  Swift code # : WMSBUS66
  BENEFICIARY: KERRY MORTON

 We therefore want to verify if you are aware of the above information. You are advised to reply
this message immediately before it will be late. Be informed that you are not allowed to
correspond or contact any person or office with respect to this transfer other than this office
to avoid any complication, mistake or leakage of information.

You are advised to contact the Chairman of ICPC on his direct line; +234-81-7559-0470, or email:
chairman_icpc_nig2016@outlook.com, for any discussions relevant to your payment file.

Yours faithfully,

Oglafa, Ebipamowei Elvis
(Secretary to the Commission)

ICPC NATIONAL HEADQUARTERS
Plot 802, Constitution Avenue, Zone A9,
Central Area, PMB 535, Garki,
Abuja, Nigeria.
______________________________________________________________________________
To fight corruption to a standstill and restore Nigeria to the enviable standard of
respectability and dignity
within the comity of nations.


Greetings!

I am Mariamma Akash, a Syrian widow. I lost my husband and 2 of my children to the jihadist
militants from the Islamic State in 2014. The Jihadist militants mostly target (we) the
Christians Minority.

I and my only surviving little daughter (Ninan) left in tears and walked for nine hours without
even knowing where we would end up, or how we would eat, or where we would sleep or find shelter
until we finally arrived Za'atari refugee camp on the Jordan-Syria border.

You can also visit this link for more details about the crisis in Syria:
http://www.bbc.co.uk/news/world-middle-east-26116868

We live in an empty tent here filled without possessions except the few cloths we received out
of charity. Ever since we arrived here, I have made several attempts to cross over to Jordan as
no Syrian is allowed to leave the camp, unless a Jordanian sponsors any Syrian and can pay the
fee for their release/crossing.

I and Ninan do not have anyone to sponsor our crossing hence I decided to contact you to assist
us in retrieving 2 suitcases containing some monies that my late husband and I had courier out
of Syria in 2013 via a Private Secured Logistics Channel for safe keeping in the UK before they
get confiscated as Unserviced/Unclaimed deposits. Be informed that the REAL content of the
suitcases are UNKNOWN to anyone including the Cargo Handlers.

My late husband (Oommen Akash) and I had own a dairy farm and a factory in the second city of
Aleppo so the funds are clean, clear and of no criminal origin. You're not sending us any money
nor am I soliciting for any financial assistance whatsoever rather, I am prepared to compensate
you with 10% of the total face value of the 2 suitcases for your assistance in getting them
delivered to you for safe keeping pending when I and Ninan will be able to cross into Jordan and
thereafter relocate to your country.

I thank you for your time and look forward to read from you at your earliest convenience.

Note: Please note that my replies might always comes to you late as I do NOT have a personal
computer nor a personal phone here. This computer belongs to the Camp Manager here and he did
allowed me the use of it because I meet his sexual needs and more so, he's not always on
seat....It's never my intentions to use my body just to get access to the use of a computer, but
I got to do this just to be able to get my story across to you....please I will appreciate your
understanding.

Sincerely,
Mariamma Akash


POWER BALL LOTTERY PROMO.
P O Box 902 Plymouth, PL4 6AB UNITED
KINGDOM
(Customer Services)
Our Ref: AHK/WNL /Feb. /16
Your ReF: PBLP/7204H5/99  Batch: 081/04/LT216

We happily announce to you the draw (#601) of the POWER BALL LOTTERY PROMO,online Sweepstakes
International program held on 21st September,2016.Your e-mail address attached to ticket number:
367600316 299 with Serial number 9271/09 drew the lucky numbers: 1, 28, 63, 67, 69 (bonus no
17.),which subsequently won you the lottery in the 2nd category i.e  match5plus bonus.You have
therefore been approved to claim a total sum of £600,000.00(Six hundred thousand pound sterling)
in cash credited tofile XEW/2053918001/014.This is from a total cash prize of £4,800,000.00
shared amongs the(8) lucky winners in this category i.e Match 5 plus bonus.

All participants for the online version were selected randomly from World Wide Web sites through
computer draw system and extracted from over 100,000unions,associations, and corporate bodies
that are listed online. This promotion takes place weekly. Please note that your lucky winning
number falls within our European booklet representative office in Europe as indicated in your
playcoupon.

In view of this, your £600,000.00(Six hundred thousand pound sterling)  would be released to you
by any of our payment offices in Europe. Our european agent will immediately commence the
process to facilitate the release of your fundsas soon as you contact him or her. For security
reasons, you are advised  to keep your winning information confidential till your claims is
processed and your money remitted to you in whatever manner you deem fit to claim your prize.
Thisis part of our precautionary measure to avoid double claiming and unwarranted abuse of this
program. Please be warned.

CONGRATULATIONS!!!
You are advise d to keep this winning very confidential until you receive your lump prize in
your account. This is a protective measure to avoid double claiming by people that you may tell.

For further Information about your Winnings,contact our Lottery Claims Agent with the following
contact Address.

        Name: Tim Archer
        Tel: +44 705 385 7549
        Official Email: pball.processingdepartment2016@yahoo.com.tw

That way your winning certificate and all other relevant documents/paperwork can be prepared for
you. You would be required to show an instrument of identification when cashing your cheque i.e.
Drivers license or International passport.POWER BALL LOTTERY PROMO.

Please include your winning ticket number and your personal contact information,names, telephone
and fax data for the immediate processing of your claims All prizes must be claimed within three
weeks.

NOTE: If you are under the age of 18, you are automatically disqualified for this star prize.

Yours faithfully,
Rachel Maddow
Online coordinator for POWER BALL LOTTERY
PROMO Sweepstakes
International Program 2016

N.B. Any breach of confidentiality on the part of the winners will result to disqualification.
Contact your claims agent whose contact details are stated above

---
This email is free from viruses and malware because avast! Antivirus protection is active.
https://www.avast.com/antivirus


Attn: My Dear,

I am Mrs Alice Smith, 48 years Old From NewYork United state. I reside there in United state. Am
thinking of relocating to New Zealand, I am one of those that took part in the Compensation in
Africa (Benin, Nigeria) many years ago and they refused to pay me, I had paid over $60,000 while
in the United state trying to get my payment all to no avail.
So I decided to travel to Europe with all my compensation documents, And I was directed by the
(FBI) Director to contact Agent Kelvin Wallace who his a Private Detective representative of the
(FBI) and a member of the COMPENSATION AWARD COMMITTEE in Europe and I contacted him, he
explained everything to me.
he said whoever is contacting us through emails are fake.

He took me to the paying bank for the claim of my Compensation payment.

Right now I am the most happiest woman on earth because I have received my compensation funds of
15,Million US Dollars, Moreover, Mr.Kelvin Wallace showed me the full information of those that
are yet to receive their payment and I saw your email address as one of the beneficiaries,that
is why I decided to email you to stop dealing with those people that are contacting you they are
not with your fund, they are only making money from you i will advise you to contact Mr.Kelvin
Wallace.
Hello Dear, please read carefullyYou have to contact him directly on this information below.

COMPENSATION AWARD HOUSE
Name:Mr Kelvin Wallace
(Private Investigator)
mrkelvinwallace@gmail.com

You really have to stop dealing with those people that are contacting you and telling you that
your funds is with them, it is not in anyway with them they are only taking advantage of you and
they will dry you up until you have nothing.
Mr Kelvin Wallace with the information below so that he can quickly get your file and work on
them for you.

Your Full Name
:
Address:

Phone and Mobile Number:

The only money I paid after I met Mr.Kelvin Wallace was just $400 for the Legal paper works take
note of that.
Once again stop contacting those people, I will advise you to contact Mr.Kelvin Wallace so that
he can help you to Deliver your fund instead of dealing with those liars that will be turning
you around asking for different kind of money to complete your transaction.

Thank You and Be Blessed.
Yours Sincerely
Mrs Alice Smith


You have been Chosen by Warren Buffett to claim charity donation amount. Reply for details


My beloved.

My name is Mrs  marie Luc, I have been suffering from ovarian cancer
disease and the doctor says that i have just few weeks to leave.I am
from Belgium but based in Ivory Coast,Africa since ten years
ago as a business woman dealing with gold exportation,now that i am
about to end the race like this,without any family members and no
child.I have $3.2 Million US DOLLARS in COBACI BANK in Ivory Coast.

But my mind is not at rest because i am writing this letter now through
the help of my laptop beside my sick bed. I have decided to donate $3.2
Million US Dollars in Cobaci bank which i want to entrust into your hands
to use in helping the orphanage home in your country,but you must assure
me that you will take only 50% of the total money and give the rest 50% to
the orphanage home in your country for my
soul to be at rest.

As soon as i hear from you that you are competent to execute my desire, i
will instruct my lawyer and the bank management to make the immediate
transfer into your account.Kindly Contact Me Back please it is very
important
Regards,

Mrs marie Luc


Hello, We wish to inform you that your email as been selected and awarded the sum of Eight
Million Pounds sterling (£8,000,000.00) with reference number 77100146. This compensation funds
is from the United Nations. To receive payment Send us your full personal details to deliver
your funds as soon as possible. Gloria Peter

---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus


I have important transaction for you as next of kin to claim US$18.37m  Mail me on my private
email:   chimwiakim@gmail.com
 so I can send you more details

Thanks

Mr.Chim Wai Kim

===========================================================================

DISCLAIMER: This email and any files it contains are confidential and intended for the use of
the recipient(s) only. If you are not the intended recipient you should notify the sender
immediately and destroy the material from your system.


FEDERAL REPUBLIC OF NIGERIA
COMMITTEE ON FOREIGN PAYMENT
(RESOLUTION PANEL ON CONTRACT PAYMENT)
ABUJA-NIGERIA
http://www.nassnig.org
Our Ref: FGN /SNT/STB Your ref:

I, The Senate Representative ,Federal Republic of Nigeria , DR GREG MARUME
(GCFR)
and the Governor of Central Bank Of Nigeria , Mr. EMEIFELE in
Conjunction with the EFCC Director , MR MAGU, held a meeting
last week concerning contract payment , both foreign and local contractors
and some inheritance funds.

On going through contractors file yesterday, we discovered that your file
was dumped untreated, so at this juncture, we apologize for the delay of
your contract payment and please stop communicating with any office now and
attention to the appointed office below for you to receive your payment
accordingly.

However,I wish to inform you now that your outstanding contract payment is
($15,000,000. fifteen Million United States dollars).

Now you're new Payment Reference No.-35460021, Allocation No: 674632
Password No: 339331 , Pin Code No: 55674 and your Certificate of Merit
Payment
No : 103 , CBN Released Code No: 0763; Immediate Telex confirmation No:
-1114433 ; Secret Code No: XXTN013, Having received these vital payment
number , therefore You are qualified now to received and confirm Your payment with
the Federal Government of Nigeria immediately within the next week.

We the entire members of the house of senate are using this urgent medium to

advise you to make payment of your GNAB fee of $120 without any further
delay. Be rest assured that our appointment to handle and take care of the
movement of the fund will not be in vain as we are giving you 100% guarantee

to deliver the work as soon as your western union information reach us at
our house email addresses it is not less than 24hours that the order was
placed.
Note that your fund will be free to move from the bank without any delay if
you get the governments non assessment bonds (GNAB) which is $120 only to
make sure that no government monitor or agent can access the fund during the

delivery remittance. You have to get the gnab written on your name and
stamped before the fund credit to your bank account.
This was why we have not approved or sign off the bonds of your transfer
registry today as the bank insists on the GNAB.
Based on these explanations, you are hereby advised to send payment
information of $120 through our direct email address on or before ten
working days.as the closing date placed.
This gnab will show that the transaction was made through the full capacity
of the government and will not be queried for certain circumstance. Use the
information bellow for the payment of the $120 GNAB requirements:
Receiver name: Mr MODESTUS OZOEMENA
location: Lagos- Nigeria.
Text question---gnab,
Answer----final
Bear in mind that this is the final stage of this transfer.
As soon as this is done, it will take only 24hours for the fund to be
credited in your designated bank account, you will be contacted by your Bank
herself.
Best Regards.
DR DR GREG MARUME
Senate Representative
(Federal Republic of Nigeria)


Saturday, 24 September 2016

Pix - logging to syslog

I wanted my Pix to log to the system log on one of my servers. I thought it would be simple, but there were several things I had to get right.

On the Pix, you set the clock with

clock set 19:15:00 September 24 2016

On the Pix you tell it where you're going to log to

logging host inside xantl-in

and to timestamp the logs

logging timestamp

And that you want everything from warnings (usually some access that was denied) up to emergencies ("Your pix has caught fire" - no, I don't think there's a message for that).

logging trap warnings

So now, my Pix was sending all these messages to my server named xantl. Next, I had to tell xantl to listen out for them. To do that, I edited /etc/rsyslog.conf

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

Actually, those commands were already there, but commented out, so I just removed the # in front of them.

Then

systemctl restart syslog

and the pix logs started appearing in /var/log/messages, which is where syslog puts everything. But I didn't want them all mixed up with the other messages; I wanted them in their own file. So I edited /etc/rsyslog.conf again

if $programname contains '%PIX-' then /var/log/pixlog
if $programname contains '%PIX-' then stop

And again systemctl restart syslog, and now all the pix logs go to /var/log/pixlog.

There's going to be a lot of them! So I'll rotate the logs; a new log each week. To do that, I edited /etc/logrotate.d/syslog and added:

/var/log/pixlog

at the start of the file.

So now all the pix messages are saved on my server, and I can check them to see that everything is as I want it to be.

Job done!


Friday, 23 September 2016

Yahoo got hacked

And 500 million account details were stolen. It's the biggest heist ever.

Yahoo are blaming it on state-sponsored hacking from an unnamed foreign country. I don't really see how they can know that. They can maybe see where the hack originated, but to leap from that to "state-sponsored" is a reach. But it sounds so much better than "Some kid in his bedroom in Bulgaria", so they went with state-sponsored.

Anyhow.

Yes, I have an email account on Yahoo. So I went there to change the password. What I'd really like to do is delete the account, but there's no way to do that, because Yahoo (and similar companies) like to boast about how many users they have.

So I deleted the phone number I'd given (although my phone number isn't a secret anyway) and I deleted the "security questions".

Actually, I don't care even if that account did get hacked. There's nothing that says it's me, I don't think I've *ever* used it, and the password was not something I've used elsewhere.

Which brings me to a couple of points.

1) I hope you see now why it's a very bad idea to use the same password in more than one place. If you had a Yahoo account, and used the same password there as elsewhere, your password elsewhere is compromised also.

2) Yahoo have a couple of "security questions". That's so they can verify your identity in case you forget your password, which must happen a lot. But if you think about it, those security questions amount to an alternative password.

So if a bad person knows either your Yahoo password, *or* your mother's maiden name, they can access your account. So it follows that your mother's maiden name (or whatever other alternative they use) should not be the same in different places. On your bank site, for example, your mother's maiden name might be "Kennelworthy", on Paypal it might be "Horseposture" and on Yahoo it might be "Youvebeenhacked". You can have a lot of fun making up mother's maiden names!

But how do you remember all these different passwords and all these different mother's maiden names? The answer is obvious, and I've been telling people this for 30 years. Write them down.

Yes, I know that this isn't 100% secure, but it's a lot more secure than using the same password, or mother's maiden name, at multiple places.

And you can make it more secure. What I do, is as well as letters, I have a few numbers. And I also have a "magic number", which I don't write down. I subtract the magic number from the numbers in the password, and write that down. So if someone steals my list of passwords, they'll be disappointed when they try them.

You can do something similar; some straightforward modification to what you write down, which you can mentally reverse when you use it.
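Here is the "magic number" transform as an added worked example (my code, not the post's). It is a Caesar-style shift applied to the digits only, modulo 10 so that subtracting past zero wraps round; letters and punctuation are copied through unchanged. That also shows its limit, which the post already concedes: anyone holding the list and one real password can recover the magic number by subtraction, so it buys time against a casual thief rather than real secrecy. The password and the magic number below are constructed values.

```python
def shift_digits(text, offset):
    """Add `offset` to every decimal digit in `text`, modulo 10; every other
    character passes through unchanged. A negative offset subtracts, and the
    modulo handles wrap-around (2 - 4 becomes 8, not -2)."""
    return "".join(
        str((int(ch) + offset) % 10) if ch.isdigit() else ch
        for ch in text
    )


def write_down(password, magic):
    """The form that goes on the paper list: each digit minus the magic number."""
    return shift_digits(password, -magic)


def read_back(noted, magic):
    """What you reconstruct in your head when typing the real password."""
    return shift_digits(noted, magic)


def recover_magic(noted, known_password):
    """The weakness: one (noted, real) pair reveals the magic number. Returns the
    offset that maps the first digit pair onto each other, or None if there are
    no digits to compare."""
    for n_ch, p_ch in zip(noted, known_password):
        if n_ch.isdigit() and p_ch.isdigit():
            return (int(p_ch) - int(n_ch)) % 10
    return None


MAGIC = 4                          # constructed; the number never written down
REAL_PASSWORD = "Kennelworthy27"   # constructed sample

if __name__ == "__main__":
    on_paper = write_down(REAL_PASSWORD, MAGIC)
    print("written down:", on_paper)
    print("read back   :", read_back(on_paper, MAGIC))
    print("leaked magic:", recover_magic(on_paper, REAL_PASSWORD))
```

The round trip `read_back(write_down(p, m), m) == p` holds for any offset because the shift is applied modulo 10 in both directions; `recover_magic` is there to make the trade-off explicit rather than to suggest the scheme replaces a password manager.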

Because Yahoo is the biggest so far, but won't be the last.

Thursday, 22 September 2016

My helpful bank

A long long time ago, I started accepting payments via credit card. Banks hadn't heard of the internet, so they called it "mail order". And what I did, was each week, I printed out all the billing details, onto actual paper, and we took them to my local branch. They signed for the batch, and forwarded the sheaf of paper to I know not where, at which place some poor sod typed it all in. I did offer to give them a floppy disk, but they didn't want that.

It worked quite well, until my bank lost a batch of about £5000 worth. They'd signed for it, but it had gone walkabout somewhere between my bank and wherever they processed it. They didn't notice for several months. At that point, they told me about it, and I suggested that since it was their fault, they should stump up the dosh. Their idea was that I should bill the people again, several months after they were expecting to be billed. I pointed out that this would result in a flood of people querying the billings, and I wasn't going to do it. So they stumped up the dosh.

20 years later, it's all very automated and streamlined. I transmit an encrypted stream of data to their server, they transmit back an encrypted stream of data telling me which cards were OK and which were declined.

But they keep changing it.

Most recently, they insisted that I move to the encryption system TLS 1.2, which I have, although I'd guess that 99% of their customers haven't done that, not least because they provided no test bed; they expected people to make the change and go straight to production, which is OK if you can write flawless, error-free software, but the number of people who can do that can be counted on my left thumb.

And now they've come up with two more hurdles. Now you have to send the AAV (Account holder Authentication Value, and I'm none the wiser for being told what the TLA expands to), or your "transactions will be downgraded to insecure", and I know the translation of that: it means they charge you an extra 0.85% for doing the billing.

And they're also introducing "authorisation decline fees". If a transaction was previously declined as R1 or R3 (and the info that I get back from them doesn't include that) then every fourth and subsequent transaction request will be billed at 1 euro.

This all comes in a little leaflet "Welcome to Barclaycard business essentials" which is their Bad News Newsletter, with a perky, upbeat introduction by "Sharon Manikon" (in my experience, the people who sign these things often don't actually exist) in which she says "we'll continue to help you achieve your business' ambitions" (and yes, that's where she put the apostrophe, which might actually be correct, but doesn't look right to me - tricky buggers, apostrophes).

A more accurate statement would be "we'll continue to put obstacles in your path, just to make your life more interesting and the bank's business more profitable".

Telnet attacks and Pixes

I've recently installed my firewall. It's a Pix 515E (soon to be upgraded to a Pix 525), but since it's newly installed, I'm keeping a careful eye on it. In particular, I see the logs scrolling past, of all the attempts to connect that it wouldn't allow.

What has surprised me is that these attempts are very simple. I wasn't actually expecting to see anything clever, but what I'm actually seeing is about 95% attempts to log in with telnet.

Telnet?

That's prehistoric. Does anyone still use it? I don't. Like (I think) everyone else, I use ssh. But I see attempts to use the telnet port on all my computers from IP addresses all over the world.

What on earth do they think they're doing? Even if my firewall did allow telnet access through, none of my servers are set up to respond to telnet, and even if they were, you're going to need a username and password.

The other interesting thing I see, and again I have no explanation, is that occasionally there's a flood of UDP packets hitting the firewall, all from the same IP address, working through my range of IP addresses.

So, about that Pix 525.

The one I already had was a failover device. It worked well, but it rebooted every 24 hours (as per design). So it was OK for a temporary measure, but not for the long term, because a reboot means no service for at least five minutes. But what was *very* nice about it was the user interface for setting it up - web based, called ASDM, and very nice. It took much of the setup pain away.

So then I bid on Ebay for a Pix 525 with an "unrestricted" licence - that means it won't suffer from the rebooting problem. It arrived yesterday, and the parcel had an ominous rattle. When I opened the box, I could see why; it had been put through the Heathrow parcel-smashing machine. The plastic front panel was in smithereens, and the mounting brackets were bent. Inside the Pix, there were fragments of plastic from the catastrophe.

I told the seller that I'd be giving it a very thorough test before leaving feedback; the seller suggested that I report the issue to Ebay. I contacted Ebay, and they said that I should do a "refund request". They assured me that the seller wouldn't be the one to suffer, so I did that, including pictures of the smashed-up front, and the cardboard box, which was also somewhat damaged.

To my surprise, I got an immediate refund, which will come out of the carrier's pocket (the carrier at my end was Yodel, but I don't know where the damage happened). I wasn't actually after a refund, although I'm not going to refuse it. As far as I can tell, the Pix is working OK, although without its plastic front, it's a bit ... ugly.

But it's an old version of the software. Sigh. The version of the software is about halfway between the two versions that I know, so I had to adapt somewhat. But the configuration from my existing Pix 525 translated to the new Pix 525 quite well.