The Small Business Consultancy

Archive: IT Pro

Exploding Computer Components


Older computers may have been built during a time when the electronic components used in their construction were of poor quality. In particular, a large number of capacitors suffer from a syndrome called the “Capacitor Plague” where they swell, bulge, burst and may even blow up with quite a bang!


Photos: A motherboard with the Capacitor Plague

Before these components fail catastrophically, they will likely cause stability problems with the computer: frequent lock-ups and crashes. The computer may even fail to boot or fail POST, amongst all manner of other issues.

How this came to pass is a story straight out of a James Bond movie. Several Taiwanese manufacturers used a stolen formula that had vital details missing, which resulted in the components not being manufactured to the correct construction or grade. The result was the supply of components to electronic device manufacturers that were destined to fail after some time and use!

The Wikipedia entry for the “Capacitor Plague” makes for interesting and comprehensive reading on this topic.

If you’ve got an older computer and are experiencing strange problems that don’t seem to be down to the usual Operating System, drivers and software causes then it is worth a quick inspection of your components for signs of this condition. Roundtrip Solutions can perform this inspection for you if you suspect it is the cause of your computer problems. This is a part of our computer support and repair service offering that covers Edinburgh, Fife, and Tayside. We will advise you of the necessary repair required to get your computer operating again both stably and safely.


Ofcom Digital Divide Conclusion

The BBC is reporting the digital divide is lessening between rural and town communities and is even going so far as to say the “Rural Homes Dominate Broadband UK”

They report:

Ed Richards, Ofcom’s Chief Executive, said “Our report highlights a closing of the geographical digital divide in the UK. Rural households are today as well connected to broadband as their urban neighbours”.

Declan Curry of BBC Breakfast reported the release of the latest Ofcom report that is the trigger for the BBC news article. Our own John A Thomson sent in a comment that was read out in part online and we’ll expand upon these thoughts in this blog post. Thank you Declan.

Roundtrip Solutions, as a rural IT provider, uses and services both the rural and town communities of Fife. Our real-world experience of typical broadband users of all denominations, geographies and providers gives us real insight into the current state of play regarding broadband. What we see on the front line isn’t necessarily the same as Ofcom’s interpretation of the higher rural take-up figures, performance levels and satisfaction ratings!

Let’s use a metaphor to describe the feeling of many rural broadband users:

The technologies of today, and more especially those coming in the future, will see broadband services supplied in towns running like formula one cars while the rural community relies on a horse and cart.

The share of homes getting broadband in the cities and rural areas isn’t the crux of the digital divide debate; this was the big problem some four or five years ago. The real issue has moved on as many people in rural areas struggle to get the fastest speeds available today due to their distance from the exchange, the age and quality of their telephone line, and the BT technology level available in their local exchange. Even when BT has rolled out their 21CN network (next generation), the last mile (the connection from the exchange to the home) in rural areas is liable to still be the same copper telephone lines that we have today.

Tim Hubbard, Head of 21CN Technology Futures for BT, gave a presentation to the Edinburgh branch of the British Computer Society in January 2008. He presented the vision for the next generation BT network, during which it became evident that the last mile connection was liable to remain the same, especially in rural areas where it is uneconomic to replace. John A Thomson of Roundtrip Solutions questioned him on this very matter during the Q&A, resulting in the admission that without government subsidies it is unlikely BT would replace the last mile in rural areas.

There is a PPT presentation and an MP3 podcast available on the Edinburgh BCS website.

From an end user’s point of view, town users will be able to access faster and faster broadband services as BT upgrades all elements of the telecommunications system, while poorly serviced rural customers look on in jealous amazement at the services available to town users. To add to the teasing, rural customers will have a local exchange with the latest generation of broadband available, but they won’t be able to use it because of the “piece of [copper] string” connecting their home to the exchange.

The debate today is clouded by those people on a connection supplied by the big boy providers who have a sub-standard service that cannot meet the demands of their customers, especially at peak times. This is mainly down to the overselling of their services matched against the capacity they have in their networks. There are some very good broadband providers out there that supply very good experiences and decent speeds, but the next generation broadband services that rely on super fast broadband (24Mbps and above) will still be unavailable to rural customers simply because the existing BT telephony infrastructure is not up to the job - specifically, the last mile.

We see many customers complaining about their broadband that are made extremely happy when they are migrated to a good supplier. If you would like to find out more about getting high speed broadband with UK based support at a reasonable monthly charge then please Contact Us.


Windows Vista Anytime "But Not Now" Upgrades

There appears to be limited / no stock of Vista Anytime Upgrades available in the UK. Even Microsoft has the same fulfillment problem and has responded to a customer inquiry with this email:

“We have to inform you that at present we do not have stock available for the ordered Upgrade Vista Home Premium to Ultimate. At present we are still awaiting the stock from our distributor and cannot provide an exact date when this will be received.

As soon as stock becomes available your credit card will be charged accordingly and your order reference xxxxxxx will be shipped by standard post. The delivery can in some cases take up to 28 calendar days.

Should you require the product urgently then you do have the option to cancel this order and check a retail shop of your choice in order to receive your Upgrade.

Please be further informed that the procedure for our Windows Anytime Upgrade has been changed in the way that the product key will no longer be accessible online. Now this will be sent directly with the installation CD.

This change has been made due to customer feedback.”

A very quick check online reveals zero stock availability at other suppliers. Having said that, we only checked a few, so there may be stock kicking around somewhere.

Looks like Microsoft has been caught out with their sales forecasting for this upgrade option or the changes they have made to the fulfillment process has created a temporary shortage. Someone at Microsoft needs to talk to someone at Microsoft about getting some licenses to the good folks at Microsoft!


BT Broadband Fail to Follow Their Own Advice

… and we’re going to enlighten you to what is going on in this blog post.

We’ve come across two instances over the last few weeks in Fife where BT Broadband personnel have failed to secure end customer equipment using their own recently updated and freely available advice and instructions.

What exactly is this newly discovered vulnerability that requires the advice to have been recently updated? Well, it isn’t the older discovery that WEP encryption can be cracked within a minute, a fact that has long since seen WEP being considered as NO security. It is the more recent discovery that sees the Home Hub being cracked with practically no effort due to its particularly bad WEP implementation.

As a slight side note, the Wikipedia entry for WEP makes an interesting statement:

Wired Equivalent Privacy (WEP) is a deprecated algorithm to secure IEEE 802.11 wireless networks.

For those who’re unaware of what "deprecated" means, we’ll draw upon another Wikipedia entry:

In computer software standards and documentation, the term deprecation is applied to software features that are superseded and should be avoided.


Since the Home Hub uses WEP security by default, and appears to be left in this state by BT Broadband employees, there are going to be a large number of Home Hubs vulnerable to all manner of criminal activity.

Following the logic through on this one, BT Broadband leaves their product in a state that has been superseded and should be avoided.

At least someone at BT has noticed this security issue and has tried to deal with it:

Automatic wireless security

To help you get set up quickly and help prevent unauthorised users from accessing your wireless network, your BT Home Hub automatically provides some wireless security via a WEP (Wired Equivalent Privacy) key. However, using new technology, it may be possible for hackers to break this key and connect to your Hub, possibly accessing your computer or using your broadband service.

You can increase this basic level of security, at no extra cost, by changing your Hub’s security from WEP to WPA (Wi-Fi Protected Access). We recommend that you consider doing this, even if you don’t connect to your Hub wirelessly.

It is a shame that their installers and support people don’t seem to know about this issue, and a travesty that they haven’t been trained to leave customers’ broadband in a more secure state.

Let’s now look at the two scenarios that led us to question the training and skills of personnel in the BT Broadband installation and support operation.


Scenario 1:
A long-standing BT customer signs up for BT Broadband after using their dial-up service for many years. They asked for an "engineer" install, at an additional charge, believing this would be the best way to achieve a problem-free broadband connection. The day of activation comes around and a BT installer turns up to set up their broadband. The installer starts on the installation, the customer leaves him alone to complete the work and, job done, he leaves the customer’s home.

Later, they try to use the shiny new broadband for the first time, but all they see is the computer trying to connect to the dial-up service and errors being generated when attempts are made to download email. At this point they gave up and called us in.

We arrive on scene and notice the following issues within a few minutes:

1. WEP encryption in use, against the best practice advice from BT themselves.

2. Computer has been left to use the Dial-Up service by default.

3. The email program had been left configured to use the Dial-up connection. 

4. The customer security software was out of date.

5. The new email addresses assigned to this broadband account hadn’t been set up.

It looks very much like the engineer has opened up the box, plugged in the ADSL filters, powered up the Home Hub, before finally connecting the customer laptop using the default WEP encryption key. It would appear that no attempt was made to connect to a webpage or to try to access email.

The fourth issue can be forgiven if the customer hasn’t signed up for one of the BT options that comes with BT security software as part of the deal. We didn’t ask so cannot comment further on this one. However, any good computer engineer would have noticed the lack of up to date security software and informed the customer that someone needs to take a look at it.

Needless to say, the issues were fixed and the customer was left fully satisfied with their new broadband connection.


Scenario 2:

Careless cleaner allows the ADSL lead to be sucked up into the vacuum cleaner, thereby breaking at least one of the signal cores in the cable. At this point, all that was required was a simple replacement of the damaged ADSL lead and the customer would have been fully operational again.

Instead, they phoned BT Broadband for advice and struggled for forty minutes to understand the broken English and broad accent of the Asian call centre support representative. After 40 minutes on the telephone, the customer had been told to turn off the Home Hub, reset it to defaults and finally to replace the damaged cable.

A trip to the local electrical retailer sees a new cable in place, but the broadband is still broken. Why is it still broken? Simple, we had previously secured their wireless network with a decent WPA-PSK pass phrase and now the computers were trying to connect to the router with the pass phrase they knew, but the router was using WEP and a completely different pass phrase! To use an appropriate analogy: a case of the computers talking English when the router is talking Hindi!

Another support call-out for Roundtrip Solutions from the disgruntled Fife-based BT customer. Within minutes we had logged into the Home Hub, gone through some router-initiated security configuration changes, and made the all-important, BT-recommended, wireless security encryption change to WPA-PSK with the same pass phrase as used before. Everything sprang into life instantly without any further intervention.

The customer was delighted with our prompt service and completely pissed off, or should we say dissatisfied, with British Telecom, their support personnel and the fault resolution advice provided by BT, which did appear to be a bit back to front! They were even more frustrated when we told them all they had to do was replace the damaged ADSL lead to get everything working again, and all the resetting of routers had been completely unnecessary.

Again, we couldn’t believe the customer support person had left the customer’s router using the super insecure Home Hub version of WEP.

 

The Crux of IT

The BT Broadband advice available on their website clearly recommends setting up their Home Hub wireless router using WPA. Actually, that should be WPA-PSK if BT wish to be technically correct, but we’ll not be too pedantic in this blog post as more important issues are being dealt with.

In general, all users of a wireless network should ensure it uses WPA-PSK or WPA2-PSK with a strong pass phrase as a minimum level of security. Do not, we repeat, DO NOT use WEP - replace everything that only supports WEP.

If you are a Home Hub user then double check your configuration is secure.

If BT Broadband is doing an engineering installation then ensure BT’s own security advice is followed. Same applies for anyone that phones their call centre for support and has their Home Hub reset as part of the fault finding process.

We certainly wouldn’t recommend or condone the "repair" procedure used by this BT Home Hub user.
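A defender-side check for the advice above, added here as an example and not code from the original post or from BT: it parses the output of the Windows command `netsh wlan show networks mode=bssid` (the tool of the Vista era) and flags any visible network still on WEP or left open, and adds a pass-phrase sanity check. The netsh output below is constructed, not a real capture; the 14-character, three-character-class "strong" threshold is our own assumption, while the 8 to 63 printable ASCII range is the WPA-PSK rule.

```python
"""Audit Wi-Fi networks for WEP/open security from `netsh wlan show networks mode=bssid` output."""
import re

# Constructed sample output (not a real capture), laid out the way netsh prints it on Vista/7.
SAMPLE_NETSH_OUTPUT = """\
Interface name : Wireless Network Connection
There are 3 networks currently visible.

SSID 1 : BTHomeHub-1234
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : WEP
    BSSID 1                 : 00:11:22:33:44:55
         Signal             : 80%
         Radio type         : 802.11g

SSID 2 : HomeOffice
    Network type            : Infrastructure
    Authentication          : WPA2-Personal
    Encryption              : CCMP
    BSSID 1                 : 66:77:88:99:aa:bb
         Signal             : 60%

SSID 3 : CoffeeShop
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None
"""

SSID_RE = re.compile(r"^SSID \d+ : (.*)$")
FIELD_RE = re.compile(r"^\s+(Authentication|Encryption)\s*:\s*(.+?)\s*$")


def parse_netsh_networks(text):
    """Return a list of {ssid, authentication, encryption} dicts, one per SSID block."""
    networks = []
    current = None
    for line in text.splitlines():
        m = SSID_RE.match(line)
        if m:
            current = {"ssid": m.group(1).strip(), "authentication": "", "encryption": ""}
            networks.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2)
    return networks


def classify(network):
    """Map the authentication/encryption pair to a verdict; WEP is checked first because
    netsh reports WEP networks with 'Open' authentication, which must not read as 'no encryption'."""
    auth = network["authentication"].upper()
    enc = network["encryption"].upper()
    if enc == "WEP":
        return "FAIL: WEP (deprecated; reconfigure to WPA2-PSK or replace the hardware)"
    if enc in ("", "NONE"):
        return "FAIL: open network, no encryption"
    if auth.startswith("WPA2"):
        return "OK: WPA2-PSK" if "PERSONAL" in auth else "OK: WPA2"
    if auth.startswith("WPA"):
        return "WARN: WPA-PSK (minimum acceptable; prefer WPA2-PSK)"
    return "UNKNOWN: %s/%s" % (auth, enc)


def audit(text):
    """Run the classifier over every network in the netsh output."""
    return [(n["ssid"], classify(n)) for n in parse_netsh_networks(text)]


def passphrase_is_strong(passphrase, min_len=14):
    """WPA-PSK pass phrases must be 8-63 printable ASCII characters (protocol rule).
    Our added 'strong' rule (an assumption): at least min_len characters and three character classes."""
    if not (8 <= len(passphrase) <= 63):
        return False
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        return False
    classes = sum(
        bool(re.search(p, passphrase))
        for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    )
    return len(passphrase) >= min_len and classes >= 3


if __name__ == "__main__":
    for ssid, verdict in audit(SAMPLE_NETSH_OUTPUT):
        print("%-20s %s" % (ssid, verdict))
```

On a real machine, feed it the saved output of the netsh command instead of the constructed sample.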


Apple Software Update Deception

For a while now, Apple Software Update will tell you the related update for a Quicktime only install is iTunes + Quicktime! No it isn’t, it is Quicktime that is installed and it is Quicktime that should be kept up to date. Not everyone wants to use iTunes!

However, we suppose it could be argued that a dependency exists that makes for a better computer set-up, so we’ll concede that one. But, now for the real gripe of this post and it is a peach and a half!

When did all Apple customers/users install Safari?

For those who don’t know, Safari is Apple’s Internet browser, in competition with Internet Explorer and Mozilla Firefox. Why is this update being offered to everyone running Apple Software Update? Proof below of how this works, even on a system that has never visited the Safari webpage, never mind downloaded and installed the browser.

Safari deceptive install practice

The slightly good news is you can ignore the update by going into:

Tools -> Ignore Selected Update

We’re betting it won’t ignore the fact that we don’t want Safari and we’ll be offered it again and again and again as they release new versions!

However, the irritation isn’t over yet! Now Apple Software Update is popping up with a message implying it can’t take a telling. No means NO! What part of that don’t you understand, Apple?

Apple Software Update reset ignored updates message

This behaviour is totally unacceptable and reminds us of the kind of misleading approach used by the nasty people that peddle malware. Our message to Apple is to STOP this immediately and redesign your update application to be honest and only offer updates where updates apply and make it explicitly clear when the software install being offered is an optional (read as unnecessary) extra that doesn’t really affect the Apple software running on your computer at the moment.

The majority of computer users will simply install this Safari update when it is offered, even though they may never use it or even understand what it does. Perhaps we’re now starting to see the real face and business practices of Apple! The marketing droids at Apple want to be able to say they have a higher market share through the number of installs of iTunes, Quicktime and Safari, even if it is done in a deceptive and misleading way. Naughty, very naughty indeed!

Apple is now betraying its customers and users. Mac fanboys feel free to convince us otherwise and comment on how this kind of behaviour wouldn’t make them flame if it was being done by Microsoft.

Update: John Lilly, CEO of the Mozilla Foundation, has posted a similar complaint about this issue on his blog. He makes some interesting points that expand upon our blog post… we heartily recommend it to you.


Playing MPEG-2 Clips (DVD) in Windows Vista

The Movie Playback Problem

Some versions of Windows Vista don’t come with an MPEG-2 decoder / add-in for watching movies, other MPEG-2 video sources and recorded TV. Vista Home Basic, Vista Business and Vista Enterprise customers are going to be a little upset when they try to play a DVD movie, watch certain TV channels or have a must-see video clip and all they get is a message from Windows Media Player saying it can’t play the clip. Only Vista Home Premium and Vista Ultimate have support out of the box!

However, there are a number of options available ranging from FREE to mega bucks. Let’s look at some of the common options.

 

MPEG-2 Playback Options

VLC Media Player
Free - yes, that’s correct, it costs £0, with versions available for many different platforms and operating systems. Simply install it on the problem system and you’ll be able to use VLC Media Player to watch your movies and video clips. Unfortunately, it doesn’t provide a DirectShow MPEG-2 filter, so you can only watch MPEG-2 content inside the VLC player itself.
 

"Microsoft Approved" DVD Decoders Plugins
A couple of plugins from Roxio and Cyberlink come with the blessing of Microsoft. Around about £10, these are an inexpensive option from a couple of the biggest companies in the 3rd party multimedia application marketplace.
 

NVIDIA PureVideo Decoder
Three different varieties ensure there is an option that suits both your wallet and your need.
 

3rd Party DVD Playback Software
Think PowerDVD and WinDVD, which most users of previous versions of Windows will be familiar with. 
 

Microsoft DVD Playback Pack
Recently announced, this option only looks to be available to Volume License customers. A word of warning straight from the mouth of Microsoft:

DVD Playback Pack for Windows Vista is designed to be used by IT professionals and should only be distributed as part of an operating system image.

Doesn’t sound like many people outside of corporate-land will be using this option!
 

Upgrade Windows
Order a Windows Vista Anytime Upgrade pack from Microsoft to allow you to upgrade to one of the supported versions. Only worth pursuing if you require some of the other features and functions that are only available in a "higher" (more expensive) version of Windows Vista.

Warning
You will need to run an upgrade set-up, which could result in the corruption or complete trashing of your current Windows Vista installation. Ensure you know what this involves and what options you need to select before performing this upgrade. And don’t forget to backup anything you can’t afford to lose before kicking off the upgrade.

 

Conclusions

For most people, we recommend going with VLC Media Player and consider donating some time or money to help support the project. Remember you need to watch the movie (clip) in the VLC Media Player application.

If you would like features that are only available in a higher version of Windows Vista then consider the Windows Vista Anytime Upgrade option.

 


Mac vs PC - South Park Style

Happy Easter everyone.

Since it is a holiday, we thought you’d like to see this amusing little Apple Mac vs PC spoof that is performed South Park style.


Vista SP1 Finally Here

Approximately one year after Windows Vista went on general public release, Microsoft has now released the first major service pack for their latest desktop baby.

More information on Vista SP1 can be found HERE and in particular HERE.

The service pack can either be downloaded via Windows Update or the five language full service pack download directly from HERE, all 434MB of it! The most efficient and quickest way is to use Windows Update.

Unfortunately, it isn’t available through WSUS yet for those in business environments that use WSUS to control their Microsoft updates and patches! More information is available from this Microsoft Update Team Blog post.

… and don’t forget to backup all your important data and files before you kick off this upgrade!


Computer Security Presentation

On Wednesday evening, James Eaton-Lee of NGS Software and John A Thomson of Roundtrip Solutions presented to the IET South East Scotland Local Network.

The PDF version of the presentation is now available.

Please leave us a comment if you attended the event or have downloaded the presentation and have some comments or questions.


Fame Roundup

The FETA hacking incident fame is spreading. Here are just some of the places we are being mentioned:

Website of UK landmark hacked to serve malware 
- TechWorld.com

Web site of U.K. landmark hacked to serve malware
- NetworkWorld

That’s Technical: Finjan reports Forth Road Bridge Web site serving up malware using code obfuscation techniques
- That’s Technical Blog

Forth Road Bridge hack redirects to smut bazaar
- Techie News Blog

Finjan reports Forth Road Bridge Web site serving up malware using code obfuscation techniques
- IT Analysis

Forth Road Bridge hack redirects to smut bazaar
- Global Security News

Website of UK landmark hacked to serve malware
- ComputerWorldUK

Website of UK landmark hacked to serve malware: related news
- Big Blog

Taking Guard
- Round the Wicket - The blog of Freuchie Cricket Club

Website of UK Landmark Hacked to Serve Malware
- Hack In The Box

Goodness this is becoming tedious :-). Go checkout Google for yourself to see just how big an issue this is in the online security community!

It would seem a company that makes security appliances, which protect against such attacks, is jumping on our bandwagon. They have pushed out press releases about this incident, but with a strong focus on their company and products! We have no problem with that as long as any reports show who really discovered the problem and link back to our discovery blog post in every instance of the report. The title of the That’s Technical blog post is misleading at best. Come on guys, you could have made it much clearer in your press release who actually discovered the Forth Road Bridge break-in, and by the way, it was AVG’s LinkScanner Pro that was the real hero by way of the technology involved.


Now the Scotsman

The Scotsman has now picked up The Register’s news story about the Forth Road Bridge hacking incident.

Go see it here or catch it on Page 21 of today’s paper.


Four Critical Updates

It has been a busy few days for critical security updates for four common Windows applications. Go download and install the latest updates pronto if you’re running any of these applications:

  1. Adobe Acrobat Reader
  2. Apple Quicktime or Apple iTunes
  3. Sun Microsystems Java
  4. Skype

Click on any of the links above to go to the download location for that application.

Seems that Apple is pushing out security updates and fixed versions every few weeks and has been doing this for quite some time now! Who said Apple’s software was safer?


"In the Wild" Social Engineering

Roger Thompson of AVG’s Exploit Prevention Labs has just produced this excellent video on how social engineering techniques are fooling people, even those who think they are safe using Firefox.

The bad guys are getting smarter! Be careful out there folks.


A Bridge Too Far is Back

The Forth Road Bridge website is back online and is clean again.

Roger Thompson of AVG has a comprehensive techie write-up of the nature of the exploit and how it worked. We’d recommend you go read his blog entry on this alongside our own earlier blog post. He came to pretty much the same conclusions as we have, which is nice.

It would be really great to get a copy of their forensic investigation tool Web Radar. Perhaps one day they will release it to the general public or maybe allow a select few “security consultants” to be armed with a copy (hint, hint).

Thanks Roger and thanks AVG UK for helping to make today a safer place for the visitors of the FETA website. The folks over at FETA also deserve praise for their prompt actions in taking the website down and getting it back up and running safely in such a short time.

To all our readers, we recommend getting yourself a copy of LinkScanner Pro now! It could save your bacon!


Forth Road Bridge Website Hacked

John A Thomson, MD of Roundtrip Solutions, has just finished investigating a reported issue with the website of the Forth Estuary Transport Authority (FETA), otherwise known as the Forth Road Bridge website. This blog post will make for interesting reading, highlighting the changing nature of the web and how legitimate websites can be compromised to serve nasties to visitors.

Forth Road Bridge - Summer Night
Photo by Martin Third

One of our customers phoned to ask about an adult-themed pop-up that appeared when visiting the Forth Road Bridge website. Unfortunately, we were unable to confirm they had actually visited the website and hadn’t mistakenly gone to some porn website in the first place, but what we could confirm was an alarming situation with the FETA website at that time.

Upon visiting the website our security systems immediately alarmed off with reports of the website serving a MDAC-RDS exploit using the Neosploit Hacking Toolkit - see the image below for more details.

LinkScanner Pro result for the FETA website

LinkScanner Pro, a product from Exploit Prevention Labs (recently bought by AVG), also reported a problem when it was used to evaluate the Google search results for FETA - see below.

Google result for FETA showing infection

The exact wording used by LinkScanner Pro in its Exploit log was:

NeoSploit

This is an MDAC-RDS exploit, wrapped in an attempted polymorphic script generator.

Yikes! Sounds pretty nasty, doesn’t it? There is more detail here.

The Google cached page seemed to be unaffected initially, but then Google’s bots came roaming past and now it is also showing an exploited website. The conclusion from all this: the hack took place sometime in late January or early February.

The next check was to ensure the domain was indeed owned by FETA by doing a domain lookup. Although the actual result was inconclusive, enough information could be surmised to say with a reasonable level of certainty that it was indeed the legitimate website. They obviously had Consilium UK as the supplier involved with the delivery of the website way back in 2003. We do wonder why the registrant details aren’t an address somewhere close to the bridge!

Whois Record

Domain:
        feta.gov.uk
Registered For:
        Forth Estuary Transport Authority
Domain Owner:
        Forth Estuary Transport Authority
Registered By:
        Lumison Ltd
Servers:
        ns0.lumison.net        
        ns.as12703.net        
Registrant Contact:
        Richard Abrams
Registrant Address:
        Consilium UK Ltd
        Mirren Court One
        119 Renfrew Road
        PA3 4ED
        United Kingdom
        +44 1418471545 (Phone)
        +44 8703305882 (FAX)
Entry updated:
        Friday 11th May 2007
Entry created:
        Wednesday 17th September 2003

It was worth checking the IP address was assigned to FETA in case the problem was down to some kind of DNS issue.

% This is the RIPE Whois query server #3.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

% Information related to '87.246.98.144 - 87.246.98.151'

inetnum:        87.246.98.144 - 87.246.98.151
netname:        LU4682
descr:          Internal infrastructure
country:        GB
admin-c:        LUMH-RIPE
tech-c:         LUMN-RIPE
status:         ASSIGNED PA
remarks:        INFRA-AW
mnt-by:         EDNET-RIPE-MNT
changed:        dns@ednet.co.uk 20051111
source:         RIPE

role:           Lumison Hostmaster
address:        Lumison Ltd
address:        12 Dock Place
address:        Edinburgh
address:        EH6 6LU
address:        UNITED KINGDOM
remarks:        trouble:      For customer support please email support@lumison.net
remarks:        trouble:      or call +44 (0)845 1199 999
remarks:        trouble:      For abuse reports please send to abuse@lumison.net
remarks:        trouble:      For peering requests please send to peering@lumison.net
mnt-by:         EDNET-RIPE-MNT
e-mail:         hostmaster@lumison.net
admin-c:        GA8874-RIPE
tech-c:         GA8874-RIPE
nic-hdl:        LUMH-RIPE
changed:        neil.saunders@lumison.net 20040816
changed:        neil.saunders@lumison.net 20040908
source:         RIPE
abuse-mailbox:  abuse@lumison.net

role:           Lumison NOC
address:        Lumison Ltd
address:        7 Claylands Road
address:        Newbridge
address:        EH28 8LF
address:        UNITED KINGDOM
remarks:        trouble: For customer support please email support@lumison.net
remarks:        trouble: or call +44 (0)845 1199 999
remarks:        trouble: For abuse reports please send to abuse@lumison.net
remarks:        trouble: For peering requests please send to peering@lumison.net
mnt-by:         EDNET-RIPE-MNT
admin-c:        GT73-RIPE
admin-c:        GA8874-RIPE
admin-c:        IM1814-RIPE
tech-c:         RM7978-RIPE
tech-c:         GT73-RIPE
tech-c:         IM1814-RIPE
nic-hdl:        LUMN-RIPE
source:         RIPE
abuse-mailbox:  abuse@lumison.net
changed:        ian.mackinnon@lumison.net 20060727
e-mail:         noc@lumison.net

% Information related to '87.246.64.0/18AS12703'

route:          87.246.64.0/18
descr:          Lumison Limited IP allocation.
origin:         AS12703
mnt-by:         EDNET-RIPE-MNT
changed:        dns@ednet.co.uk 20050908
source:         RIPE

Again, we had to surmise this was indeed the IP address of the FETA website! The FETA domain is pointing at Lumison’s name servers and Lumison owns the IP address range that contains the FETA website server. The bits of the puzzle kind of link up.

Now it was worth sniffing the website traffic to see where the compromise was occurring. After a little digging around, the exploit code was found fairly easily: the obfuscated Javascript made it stand out like a sore thumb. Very nasty indeed! This code made the browser connect to a server in Turkey with an IP address of 88.255.90.130. Most of the time this server returned instructions to look at the BBC website, but occasionally it delivered another Javascript payload, which could have done anything it liked!
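The kind of check that makes injected script "stand out like a sore thumb", written out as an added example (ours, not the page’s own tooling or AVG’s): it scans a saved copy of a page for script blocks that combine decoder calls such as eval/unescape with a high density of escaped characters, and for zero-size or hidden iframes pointing at external hosts. The sample HTML is constructed, the encoded script decodes to harmless text, and the iframe host name is a placeholder; the 30% escape-density threshold is our own assumption.

```python
"""Heuristic scan of saved HTML for injected obfuscated script blocks and hidden iframes."""
import re

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
# %xx, \xHH and \uHHHH escapes: the raw material of unescape()/fromCharCode() obfuscation.
ESCAPE_RE = re.compile(r"%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")
DECODER_CALLS = ("eval(", "unescape(", "String.fromCharCode(", "decodeURIComponent(")

# Constructed sample page: one ordinary script, one injected eval(unescape(...)) block whose
# payload decodes to harmless text, one zero-size external iframe and one normal iframe.
_BENIGN_DECODED = 'document.write("constructed sample - decoded text is harmless")'
_ENCODED = "".join("%%%02x" % ord(c) for c in _BENIGN_DECODED)
SAMPLE_HTML = f"""<html><head><title>Constructed sample page</title>
<script type="text/javascript">
function showMenu(id) {{ document.getElementById(id).style.display = "block"; }}
</script></head>
<body><h1>Bridge status</h1>
<script>eval(unescape("{_ENCODED}"));</script>
<iframe src="http://external.invalid/counter" width="0" height="0" frameborder="0"></iframe>
<iframe src="/map" width="400" height="300"></iframe>
</body></html>"""


def escape_density(code):
    """Fraction of the script text made up of %xx / \\xHH / \\uHHHH escape sequences."""
    if not code.strip():
        return 0.0
    escaped = sum(len(m.group(0)) for m in ESCAPE_RE.finditer(code))
    return escaped / len(code)


def scan_scripts(html, density_threshold=0.3):
    """Flag script blocks that both call a decoder and are mostly escape sequences."""
    findings = []
    for m in SCRIPT_RE.finditer(html):
        body = m.group(1)
        decoders = [c for c in DECODER_CALLS if c in body]
        density = escape_density(body)
        if decoders and density >= density_threshold:
            findings.append({
                "kind": "obfuscated-script",
                "decoders": decoders,
                "escape_density": round(density, 2),
                "snippet": body.strip()[:60],
            })
    return findings


def scan_iframes(html):
    """Flag iframes that are sized to zero or hidden by CSS and load an external URL."""
    findings = []
    for m in IFRAME_RE.finditer(html):
        attrs = m.group(1).lower()
        compact = attrs.replace(" ", "")
        hidden = (
            re.search(r"\b(width|height)\s*=\s*[\"']?0\b", attrs) is not None
            or "display:none" in compact
            or "visibility:hidden" in compact
        )
        src = re.search(r"src\s*=\s*[\"']([^\"']+)", attrs)
        if hidden and src and src.group(1).startswith(("http://", "https://", "//")):
            findings.append({"kind": "hidden-iframe", "src": src.group(1)})
    return findings


def scan_html(html):
    """Combined report: obfuscated script findings first, then hidden iframes."""
    return scan_scripts(html) + scan_iframes(html)


if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(finding)
```

The decoded content of a flagged block still needs a human (or a sandbox) to look at it; this only tells you where to look.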

To confirm the problem was indeed a genuine website compromise we referred the incident to Roger Thompson over at AVG. He’s the person with all the experience in dealing with LinkScanner Pro detected exploits. In fact, he got a mention in a Baseline Magazine 2006 article that detailed this very same exploit when it was first being seen in the wild. Expect to see a blog post from Roger very soon on his findings for this incident. We expect he will have completed the last piece of the puzzle and know the particular nasties being pushed out by the Turkish server.

Once the compromised website had been confirmed, we immediately informed FETA IT management about this incident. They took down the website within minutes, no hanging around waiting for any third party supplier to confirm the compromise. Kudos to them.

Our guess at this point would be one of the following:

1. A server patch hadn’t been applied allowing the full server to be compromised. This could potentially be very painful for the web server supplier if it turns out to be the case.

2. The website is built using a content management system called “Joomla”. It is possible it is using an older, insecure Joomla core or an older, insecure module. Maybe someone forgot or neglected to patch the Joomla files.

3. Something else on the web server has been compromised allowing access to the FETA website files.

4. One of the website developers has a compromised workstation computer that allowed hackers to gain the FTP username and password directly using a key logger.

Only the hackers know the exact nature of the compromise, but the FETA IT team should be able to investigate it using a good forensics specialist, evaluate the scale of the problem, and thereafter put in place the necessary fixes to ensure better security of the website in the future!

People who’ve visited the website over the last week need only panic if they are running a version of Microsoft Windows that hasn’t been patched or a version before Windows 2000. Security products may also have caught this nasty and blocked it from gaining a hold. This exploit was addressed in Microsoft Security bulletin MS06-014, released 11 April, 2006, along with updates to the affected MDAC versions. Customers running Windows Vista are unlikely to have been affected by this exploit.

Our advice to anyone who has visited the FETA website since about the 1st February is to run a variety of security products including antivirus, antispyware and antirootkits through your system to ensure nothing has slipped through. It is also vital to keep up with both Microsoft and 3rd party application patches and updates.

If you have any doubts or queries then feel free to Contact Us for advice.
