Category: IT Security

There’s an article on the BBC news website that popped up yesterday that took our interest. It states that a “hack” lets phones “eavesdrop and make premium calls”. This was obviously a great concern for us, as it named our primary vendor, snom, as the manufacturer whose phones were used in the research.

The article can be seen on the BBC website here: http://www.bbc.co.uk/news/technology-35579273

What we can’t understand is why the BBC chose to publish such a non-story. What this “security hack” boils down to is not changing the administration page password from the default. Yes, you heard right. The only security flaw is not setting an admin password for managing the settings on the phone.

In fact, if you ignore the fact they used old firmware to carry out their tests and you perform that exact same test on firmware that isn’t old (and was only a beta release) the phone itself prompts you on the screen at every opportunity to set an Admin password.

So really, if you’ve configured your VoIP phone for making and receiving calls and you haven’t bothered to set an admin password, more fool you.

Thankfully, all of the snom phones we provision for our clients have a secure password set on them prior to delivery on site. You can tell this is the case because if you take a quick glancing look at your screen it isn’t going crazy that a password isn’t set.

So for this “hack” to work:

1. You need to be running old firmware (by the way, when going to download it from the snom site, says “8.7.5.13 is a deprecated / unsupported versoin! Use at your own risk…”)
2. You then need to provision your phone to make calls on a VoIP platform whilst neglecting to set an admin password
3. You then need someone on your local network interested enough to take advantage of the fact you’ve done steps A and B and also wants to eavesdrop on you or make premium rate calls

VoIP is still an emerging technology and it’s such a shame that a business that’s meant to be on the forefront of technology has chosen to report on such a non-issue as this one. Compare it to setting up a new router for your internet connection without changing the default web admin password. It really is no different.

Lastly, just to touch on the Premium Calls part of their article where they suggest there could be toll fraud carried out (which is true), this isn’t the case on our Hosted VoIP Platform. Why? We block all premium rate numbers! 🙂

We are currently aware of a lot of malicious spam emails currently doing the rounds. As of posting this, few anti-viruses pick up the virus attachments.

The fake email pretends to come from e-mail address [email protected], but is actually a simple forgery and does not in fact come from Les Caves.

The contents of the e-mail message are as follows:

From:    Avril Sparrowhawk [[email protected]]
Date:    22 December 2015 at 11:14
Subject:    CWIH8974 PAYMENT RECEIVED

Good afternoon

Thanks very much for your payment we recently from you, however there was a missed invoice.  Can you just confirm this will be included in the next payment run, or whether there were any queries with this particular invoice?

I have attached the invoice for your reference.

Kind regards

Avril

If you receive this e-mail, delete it immediately and contact your IT Support company. Do not open the attachment(s).

The attached file is a malicious document “CWIH8974.doc” which has a low detection rate. There are likely other variants of this virus going around but in the cases we’ve seen it downloads a malicious executable file from.

If you have already opened the attachment, contact your IT Support company after shutting down your computer. They will want to completely wipe it with a fresh reinstall.

The virus itself allows the hacker to compromise the web browser so that when the user tries to log in to their Internet Banking, the details are leaked to the hacker who attempts to withdraw funds from the user’s bank account.

Pressing the backspace key 28 times will let you circumvent a locked-down Linux machine researchers at Universitat Politechnica de Valencia recently discovered.

The GRUB bootloader used by most Linux distributions has the option to password protect boot entries. Not only will this prevent tampering but allows you to prevent peripherals such as CDs and USB ports from booting an OS. Without this protection an attacker could boot a system from a live USB key or CD, switching into their preferred operating system to download or access files stored on the machine’s hard drive.

This flaw with Grub2, of which versions 1.98 and 2.02 are affected, means a simple tap of the backspace key 28 times will bring up the prompt usually hidden behind the password screen.

In a security advisory, Marco and Ripoli said the bootloader is used by most Linux distributions, resulting in an “incalculable number of affected devices.” (available here)

An attacker which successfully exploits this vulnerability will obtain a Grub rescue shell. Grub rescue is a very powerful shell allowing to:

• Elevation of privilege: The attacker is authenticated without knowing a valid username nor the password. The attacker has full access to the grub’s console (grub rescue).
• Information disclosure: The attacker can load a customized kernel and initramfs (for example from a USB) and then from a more comfortable environment, copy the full disk or install a rootkit.
• Denial of service: The attacker is able to destroy any data including the grub itself. Even in the case that the disk is ciphered the attacker can overwrite it, causing a DoS.

To quickly check if your system is vulnerable, when the Grub ask you the username, press the Backspace 28 times. If your machine reboots or you get a rescue shell then your Grub is affected.

TalkTalk have once again shown their inability to keep customer data safe. Police are now investigating what TalkTalk term a “significant and sustained cyber-attack” on their website.

Their website currently shows the page above highlighting the fact the website is unavailable right now.

An official statement was released by TalkTalk on 22/10/2015: View Statement in Full.

What the statement doesn’t highlight is what customers of TalkTalk need to do now.

The investigation is ongoing, but unfortunately there is a chance that some of the following data may have been accessed:

• Names
• Addresss
• Dates of birth
• Email addresses
• Telephone numbers
• TalkTalk account information
• Credit card details and/or bank details

TalkTalk have also created a help page here for those who may have been affected: http://help2.talktalk.co.uk/oct22incident

Please be aware, TalkTalk will NEVER call customers and ask you to provide bank details unless we have already had specific permission from you to do so.

Our Managing Director, Stuart Gilbertson, said: “This is the third time TalkTalk have been hacked in a year. Yes, they’re cheap, but is it really worth the hassle and inconvenience to consumers? At what point do we start heavily penalising big corporations for being inept at keeping their systems secure. Once is excusable, but three times really is pushing the boundaries of incompetence.”

On 14th July 2015 Microsoft will cease supporting Server 2003. This means that, going forward, there will be no more updates or patches for the Server Operating System, which will lead to a less stable and less secure server infrastructure for any businesses that choose to continue to use the system after this date.

Any organisation that is still currently using Microsoft Server 2003 needs to put in place a plan of action to migrate to a new server Operating System, or find an alternative IT infrastructure solution.

Edinburgh IT Support consultants, Consider IT, suggest getting in touch and we’ll provide options for moving forward to a secure and reliable solution.

SourceForge is a popular website that offers source-code repository, downloads mirrors, bug tracker and other features. It acts as a centralised location for software developers to control and manage free and open-source software development. What you might know it from is its usefulness in providing downloads of popular software, rather than having to go to the developer’s website to get it.

Since yesterday at least, SourceForge has now since started to distribute adware/malware in certain projects hosted on their site.

NMAP, an open-source network tool used extensively by IT Professionals has been hijacked by SourceForge and the developers have hit back on security notice boards:

Hi Folks! You may have already read the recent news about SourceForge.net hijacking the GIMP project account to distribute adware/malware. Previously GIMP used this Sourceforge account to distribute their Windows installer, but they quit after SourceForge started tricking users with fake download buttons which lead to malware rather than GIMP. Then SourceForge took over GIMP’s account and began distributing a trojan installer which tries to trick users into installing various malware and adware before actually installing GIMP. …

Anyway, the bad news is that SourceForge has also hijacked the Nmap account from me.

Despite promises to avoid deceptive advertisements that trick site visitors into downloading unwanted software and malware onto their computers, these malicious ads are appearing on projects that have been taken over by SourceForge’s anonymous editorial staff.

FileZilla was an early participant in DevShare, SourceForge’s revenue sharing plan for open-source developers. It was supposed to be opt-in only. By allowing SourceForge to wrap downloads in a Web installer that offered up to three different software bundles, open-source projects could generate some cash to support development.

But GIMP never enrolled in DevShare—SourceForge foisted the adware on the project’s Windows installer after taking over the project’s page. On Sunday, the GIMP team issued an official statement through Michael Schumacher, a maintainer of the GIMP website. It said that the GIMP team was never informed of what SourceForge was going to do.

“This was done without our knowledge and permission, and we would never have permitted it,” Schumacher wrote. Furthermore, he noted, the move broke a promise SourceForge made in November 2013: “We want to reassure you that we will never bundle offers with any project without the developers consent.”

SourceForge’s search engine ranking for these projects often makes the site the first link provided to people seeking downloads for code on Google and Bing search results.

Some of the software hosted on SourceForge are as follows:  openoffice, audacity, fedora, firefox, gimp, gnu privacy guard, joomla, libre office, multiwii, neverball, nmap, sqlite, simulationcraft, snort, texworks, transmission, vlc media player, wordpress, recaptcha, apache, mame, mysql, thunderbird.

We suggest avoiding SourceForge for the foreseeable!

PayPal and eBay have fallen out and are splitting up with each other on 1st July 2015. PayPal have published a new set of Privacy Policies that will come into force on the same day.

IF YOU DO NOT AGREE TO THE AMENDED USER AGREEMENT, PRIVACY POLICY OR ACCEPTABLE USE POLICY, YOU MAY CLOSE YOUR ACCOUNT BEFORE JULY 1, 2015 AND YOU WILL NOT BE BOUND BY THE AMENDED TERMS.

PayPal is nice enough to give its customers only two options when it comes to the new terms: begrudgingly accept them or close your account entirely.

There’s a temporary page showing all the new Privacy Policy changes in full with the highlighted points at the top. The top paragraph states several scenarios where PayPal may choose to automatically call or text you:

1. notify you regarding your account
2. troubleshoot problems with your account
3. resolve a dispute
4. collect a debt
5. poll your opinions through surveys or questionnaires
6. contact you with offers and promotions
7. as otherwise necessary to service your account or enforce this User Agreement, our policies, applicable law, or any other agreement we may have with you.

Some of these items are standard and fair, but the ones highlighted in red might start putting some of PayPal’s customers off the idea of using their service completely.

What are your thoughts on this? Pop a comment below!

The ICO has issued South Wales Police with a £160,000 fine for losing a video recording which formed part of the evidence in a sexual abuse case.

Despite the DVDs containing a graphic and disturbing account, the discs were unencrypted and left in a desk drawer.

The recorded interview took place in August 2011 and the loss was discovered by staff after an office move in October 2011 but the security breach then went unreported for nearly two years due to lack of training. Although the DVDs were stored in a secure part of the police station, South Wales Police had no specific force-wide policy in place to deal with the safe storage of victim and witness interviews in its police stations.

A second interview had to be abandoned due to the victim’s distress and the DVDs have still not been recovered. The defendants were eventually convicted in court.

Anne Jones, Assistant Commissioner for Wales said: “Without any doubt we would expect a professional police force, in a position of trust, dealing with this type of highly sensitive information from victims and witnesses on a daily basis to have robust procedures to keep track of the personal data in their care.