Jeff Rivett has worked with and written about computers since the early 1980s. His first computer was an Apple II+, built by his father and heavily customized. Jeff's writing appeared in Computist Magazine in the 1980s, and he created and sold a game utility (Ultimaker 2, reviewed in the December 1983 Washington Apple Pi Journal) to international markets during the same period. Proceeds from writing, software sales, and contract programming gigs paid his way through university, earning him a Bachelor of Science (Computer Science) degree at UWO. Jeff went on to work as a programmer, sysadmin, and manager in various industries. There's more on the About page, and on the Jeff Rivett Consulting site.

All posts by jrivett


Reporting hack attempts, phishing and spam

Over the years, I’ve tried to be a good Internet citizen and report abuse (hack attempts, spam, etc.) This can be a daunting task, and the results are often less than satisfactory. For most people, the time wasted on spotting and deleting spam is bad enough; the extra work of reporting spam can seem like a tedious chore.

Reporting abuse can produce wildly varying results. Here are a few examples from my own recent experience:

BT Italy

Over the past couple of months, one of the WordPress sites I manage has seen a steady stream of ‘admin’ login attempts from computers in Italy, most of which connect to the Internet via the ISPs albacom.net and fastweb.it. Literally thousands of different albacom.net and fastweb.it IP addresses were being used in the attacks.

Since the majority of these login attempts were from albacom.net, I initially focused on Albacom. I discovered that most of the devices at the other end of these attacks were Aethra BG1242W ISDN modem/routers. These appear to be the standard modem/router provided by Albacom to their customers. I was horrified to find that I could log into these devices via their web interface. Clearly Albacom’s dedication to security is severely lacking. Of course it’s difficult to know for sure whether the attacks were coming directly from these (presumably hacked) routers, or from (also presumably hacked) computers connected to them.

Apparently, British Telecom (BT Italy) is in the process of acquiring Albacom. This is undoubtedly creating some confusion there, but that’s really no excuse for any of this.

I tried various methods for reporting this to Albacom:

  • sent email to the abuse address on record for albacom.net, but every attempt bounced, saying that the user’s mailbox was full;
  • sent email to the technical contact on record for albacom.net, but this was ignored;
  • tweeted about the problem on the main BT Twitter account, but my tweets were immediately deleted.

This is a terrific example of how not to handle abuse reports. I don’t know what’s going on with BT ITaly, but clearly they are having serious issues.

I also reported this on the Wordfence support forum, to see if anyone else might be seeing this problem. Wordfence is an excellent WordPress security plugin, and it was Wordfence that was detecting (and blocking) these login attempts. Sure enough, several other people reported seeing this problem on their sites.

A few weeks later, the login attempts from Italy stopped – for my own site and for others. Then they started up again for some sites, but luckily not for mine.

SpamCop

I recently signed up at SpamCop.net and started submitting the numerous spam messages I receive daily for one particular address. SpamCop’s submission process analyzes submitted email and makes recommendations about where to report it. Note: you must configure your email client so that you can see the entire message source, including all headers, for this to work.

The submission process is well explained at each stage, and provides useful warnings to the submitter about making sure that the submission is actually spam, and so on. A lot of technical information is displayed with the analysis, but much of that can be hidden if you prefer to concentrate on the basics.

SpamCop uses spam submissions to create a block list, which is used in conjunction with similar lists from other sources, by ISPs and other mail providers, to help filter out spam before it reaches user inboxes.

If you’re willing to put in the effort, I highly recommend signing up.

Moonfruit

A few days ago, I received this (admittedly very lame) phishing attempt in my inbox:

Your mailbox is full of, 00.1 GB, Please reduce your mailbox size.
Delete any items you don't need from your mailbox and expand your
email quota (size) with the below web links: CLICK HERE
http://REMOVED.moonfruit.com/
Thank you for your understanding.
©2015 Helpdesk

I went to the site in question (with NoScript enabled and blocking all scripts) and confirmed that this was indeed an attempt to con me into entering private information into a form.

A bit of searching revealed that Moonfruit is a web-based service that allows clients to set up web sites with minimal effort. It’s a totally legitimate company. Customer web sites hosted by Moonfruit have URLs like this: whatever.moonfruit.com. Whoever set up the phishing site just happened to use Moonfruit as the host.

So I decided to try reporting this to Moonfruit support. I easily found the contact page on their web site and submitted a general query about the phishing attempt, including the text of the email. I wasn’t sure this would amount to anything, especially since I’m not a Moonfruit customer. I immediately received a confirmation of my submission, and was then delighted to receive the following response from Moonfruit, within an hour of my submission:

Thanks for bringing this to our attention.
We have closed the site and the associated accounts, and banned the user.

Now THAT’S how you deal with abuse reports. Nice work, Moonfruit!

Another stealth Firefox release: version 36

Mozilla quietly slipped a new version of Firefox to the public yesterday. Firefox 36.0 fixes at least 17 security issues, adds more HTML5 compatibility, and adds HTTP/2 functionality to the browser.

As usual, I learned about the new version from a non-Mozilla source, this time a post on the CERT alerts blog. There was no announcement at all on the Mozilla blog.

The release notes and security advisories (aka known vulnerabilities) pages provide additional details on the new release.

Update 2015Feb25: I did receive an email alert from Mozilla that could conceivably be considered an announcement for the new version. The Firefox download page includes a ‘Get Firefox news’ signup form, and I was able to confirm the email I received was sent via this mechnism. Sounds good, right? Not really. The email talks exclusively about Firefox’s new(ish) ‘Hello’ chat feature. It never mentions anything about a new version, or even the version in which ‘Hello’ first appeared. It only says that if you want to try it, you should install the latest version of Firefox.

Superfish/Komodia update

News about the recent Lenovo/Superfish/Komodia security issue keeps getting worse.

The Komodia software at the core of Superfish is even more of a security concern than was originally thought. Not only is its root certificate’s password trivially easy to crack, and common to all Superfish installs, it engages in some certificate validation trickery by which invalid certificates are simply deemed valid – without any warning to the user. Worse still, Komodia hides itself using rootkit techniques normally associated with the worst kinds of malware.

To top off this tale of ever-increasing woe, Komodia has been discovered in at least twelve more applications, including some that are supposed to make users more secure, like Comodo’s PrivDog and Lavasoft’s Ad-Aware Web Companion.

The companies involved in this mess are still scrambling. Lenovo has apologized for their actions, and has published Superfish removal instructions. Superfish is still denying there’s a problem. Komodia’s web site is off line, supposedly because of a DDoS attack, but that may be a smokescreen. Lavasoft has provided information about its use of Komodia, and will be issuing an update for Web Companion that will remove Komodia.

Stay tuned; this is likely to get much worse before it gets better.

Update 2015Feb27: The EFF has uncovered evidence showing that Superfish-related attacks have already occurred. Meanwhile, a hacker group briefly took over a Lenovo domain, causing corporate email to be misdirected. This was apparently done in the spirit of revenge against Lenovo for its actions in relation to Superfish.

Update 2015Feb28: Lenovo is now fully in damage control mode. They just released a statement patting themselves on the back for handling this problem so well, and they are promising to include less crapware on future computers. I wonder how long that promise will last.

Update 2015Mar08: It looks like Lenovo hasn’t done nearly enough to resolve this issue. It’s still possible to buy a new Lenovo laptop with Superfish installed.

Google beefs up protection against unwanted software

A recent post on Google’s Online Security Blog describes security improvements to the Chrome browser, Google’s search engine, and Google’s advertising platform. The changes should make it easier for users to stay away from web sites known to contain unwanted (and presumed harmful) software.

Chrome now detects when you are about to visit a web site known to contain unwanted software, and displays a large red warning message.

Google’s search engine now decreases ranking for sites known to contain unwanted software. That means these kinds of sites should be less likely to appear in the first few pages of Google search results.

Google now checks all advertisements provided by its AdWords system, and disables any with links to sites with unwanted software. Additional details are available on Google’s Advertising Policies site. Google’s primary source of income is AdWords, so it’s comforting to see that they’re willing to take a financial hit (however small) to protect users.

Analysis shows people are using stronger passwords

A recent post on Ars Technica provides an interesting look at the strength of passwords.

People seem to be getting the message about using strong passwords, because the worst passwords are being used less frequently. For example, the notoriously bad password ‘123456’ was used in less than 1% of the sample data, down from 8.5% in previous studies.

But while these findings are encouraging, it’s important to recognize that the data is likely skewed, because it is mostly obtained from public dumps of data taken from compromised systems.

If you needed another reason to stop using iTunes on a PC…

Even diehard Mac users are increasingly frustrated with the bloated mess that is Apple’s iTunes. If ever a piece of software needed a total rewrite, it’s iTunes.

The Windows version of iTunes is even worse. My own early evaluation left me wondering whether Apple had intentionally made the software buggy and unstable, as a ploy to get people to ditch their PCs in favour of Macs. Suffice to say that I haven’t let it anywhere near any of my PCs since then.

Now, security researchers have discovered that iTunes for Windows includes ancient software libraries that contain numerous security vulnerabilities.

Recommendation: do not use iTunes on any Windows PC. Doing so is just asking for trouble.

A warning to Lenovo PC users

PC manufacturer Lenovo has been shipping PCs with an extraordinarily nasty piece of adware called Superfish.

The basic concept is bad enough: Superfish watches your Internet activity and injects advertisements into web pages. But Superfish is much worse than that, since in the process of hijacking your web sessions, it opens your PC to ‘man in the middle’ attacks.

Lenovo has been downplaying the risks involved, while analysts continue to demonstrate just how bad this situation really is.

Affected models include:

  • G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45
  • U Series: U330P, U430P, U330Touch, U430Touch, U530Touch
  • Y Series: Y430P, Y40-70, Y50-70
  • Z Series: Z40-75, Z50-75, Z40-70, Z50-70
  • S Series: S310, S410, S40-70, S415, S415Touch, S20-30, S20-30Touch
  • Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 14(BTM), Flex2 15(BTM), Flex 10
  • MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11
  • YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11BTM, YOGA2-11HSW
  • E Series: E10-30]

You can confirm that your computer is affected using the Superfish CA test (offline as of 2016Jan06).

Anyone who owns or uses one of these models should follow the Superfish removal instructions or ask their IT/support person to look into it.

Update 2015Feb21-1: Lenovo is may be starting to recognize and admit their mistake. Meanwhile, Superfish (developers of the adware) remains defiant, and Komodia (who develop spyware that is apparently at the heart of this issue) is saying nothing at all.

Update 2015Feb21-2: Microsoft has added Superfish detection and automatic removal to Windows Defender.

Update 2015Feb21-3: Lenovo’s CTO is still in denial, saying the vulnerability is ‘theoretical’.

Update 2015Feb21-4: Ars Technica takes a closer look at the Komodia software and the risks related to the way it was used by Superfish.

Update 2015Feb21-5: Superfish (the company) has a history of annoying people with their intrusive technologies. That hasn’t stopped them from making a ton of money, however. The company’s CEO is insisting that they did nothing wrong, but doesn’t address the specific technical concerns.

WordPress 4.1.1 released

A new version of WordPress, described as a maintenance release by the developers, was announced yesterday.

The new version includes fixes for several minor bugs, none of which are related to security. The announcement page includes a link to the list of tickets corresponding to the changes in this release.

WordPress sites that are configured for automatic updates should have the new version installed automatically over the next couple of days.

Netgear routers vulnerable to attack

Several popular wireless routers made by Netgear are susceptible to attacks using a recently-discovered vulnerability in their firmware.

From the original report, posted by Peter Adkins on the Full Disclosure mailing list:

Platforms / Firmware confirmed affected:
—-
NetGear WNDR3700v4 – V1.0.0.4SH
NetGear WNDR3700v4 – V1.0.1.52
NetGear WNR2200 – V1.0.1.88
NetGear WNR2500 – V1.0.0.24

Additional platforms believed to be affected:
—-
NetGear WNDR3800
NetGear WNDRMAC
NetGear WPN824N
NetGear WNDR4700

Anyone using one of these routers should immediately confirm that its web interface is NOT enabled for access from the WAN/Internet. If possible, it should also be configured to restrict access to the admin interface to specific IP addresses on the LAN.

A CVE number has not yet been assigned to this vulnerability. Hopefully Netgear will release firmware updates to address this flaw in the near future.