The Small Business Consultancy

Archive: Security

The Latest Banking Code


Most people believe the banks will reimburse any losses from their accounts even when the fault lies squarely with the customer. Up until now the banks have honoured that position, with many people seeing the banks reimburse losses that were the result of fraudulent transactions on their accounts. But this period of generosity may be coming to an end!

From the latest Banking Code:

Online banking
12.9 Online banking is safe and convenient as long as you take a number of simple precautions. Please make sure you follow the advice given below.
• Keep your PC secure. Use up-to-date anti-virus and spyware software and a personal firewall.
• Keep your passwords and PINs secret.
• We (or the police) will never contact you to ask you for your online banking or payment card PINs, or your password information.
• Treat e-mails you receive from senders claiming to be from your bank or building society with caution and be wary of e-mails or calls asking you for any personal security details.
• Always access internet banking sites by typing the bank or building society’s address into your web browser. Never go to an internet banking site from a link in an e-mail and then enter personal details.

Lots of sound recommendations that everyone should be following today. However, the big one from a customer perspective is the requirement to keep your PC secure and use up-to-date security software. But many people are simply users who don’t always know whether their computer is fully secure and meets the recommendations made in the Banking Code. The vast majority of PCs will have at least one issue that could allow the banks to play their “get out of jail free card” and avoid having to reimburse the customer.

The banks will likely publish new terms and conditions that limit their liability whenever they are able to show you haven’t been following their recommendations for keeping your computer secure. Now to see how long it is before they apply this new culture to secure their profitability… the credit crunch and the challenge over bank charges may speed along the real-world implementation of this new culture!

Roundtrip Solutions is able to provide a service to secure your systems on an ongoing basis through a support contract. The ongoing option ensures the latest security updates are applied, your computer is running up to date security software and the latest best practices are applied. Computer support customers in Dundee, Edinburgh, Fife and surrounding areas may find our service to be extremely useful.


Protect the Kids

The BBC’s Panorama show features an alarming report tonight to do with the seedy side of the online world. Every parent should be watching this important public service programme tonight on BBC1 at 8:30pm to ensure their kids don’t fall victim to the predatory nature of pedophiles.

Many parents will remember the “Charlie Says…” public service announcements of the late 70s, so let’s take that advice and update it for today! Don’t remember it? Well, here’s a little reminder for you…

Our support staff have already provided assistance and support to Fife parents who discovered grooming-like activity in time and wanted to ensure their kids were safe in the future. The first few times we came across such instances, we approached the issue with some disbelief and a feeling of remote detachment and denial as we tried to get our heads around the actions of the worst scum of society. Many parents will also go through these feelings and believe it won’t happen to their little darling! Be warned that it could, unless you are vigilant.

We recently delivered an IT Security talk to the Institution of Engineering and Technology in Edinburgh. One of the sections within that presentation was on Child Protection issues, along with all manner of advice to make computers and the Internet a safer environment for the children who reap great benefits from its use. Even taking our first-hand experience into account, we were alarmed by some of the resources and statistics on online grooming that we discovered while performing further research for the presentation. Needless to say, the advice and protection resources form a vital section of our presentation.

A copy of the presentation is available in pdf format (requires Acrobat Reader to view).

You shouldn’t believe banning your kids from using the Internet is the solution, when the key is education, how the computer is set-up and the trust relationship you have with your children. The benefits from the Internet are numerous and the risks can be mitigated thereby preventing these scumbags from depriving our children of the wonderful advantages of the online world. We must do everything possible to get these predators removed from society and banged up in prison for a very long time. Report any suspicious behaviour and preserve the evidence of the offense for the authorities.

Please feel free to contact us for further information, advice or help in securing your computer to better protect the children from this most deviant part of society.


BT Broadband Fail to Follow Their Own Advice

… and we’re going to enlighten you to what is going on in this blog post.

We’ve come across two instances over the last few weeks in Fife where BT Broadband personnel have failed to secure end customer equipment using their own recently updated and freely available advice and instructions.

What exactly is this newly discovered vulnerability that requires the advice to have been recently updated? Well, it isn’t the older discovery that WEP encryption can be cracked within a minute, a fact that has long since seen WEP being considered as NO security. It is the more recent discovery that sees the Home Hub being cracked with practically no effort due to its particularly bad WEP implementation.

As a slight side note, the Wikipedia entry for WEP makes an interesting statement:

Wired Equivalent Privacy (WEP) is a deprecated algorithm to secure IEEE 802.11 wireless networks.

For those who’re unaware of what "deprecated" means, we’ll draw upon another Wikipedia entry:

In computer software standards and documentation, the term deprecation is applied to software features that are superseded and should be avoided.

Since the Home Hub uses WEP security by default, and appears to be left in this state by BT Broadband employees, there are going to be a large number of Home Hubs vulnerable to all manner of criminal activity.

Following the logic through, BT Broadband leaves their product in a state that has been superseded and should be avoided.

At least someone at BT has noticed this security issue and has tried to deal with it:

Automatic wireless security

To help you get set up quickly and help prevent unauthorised users accessing your wireless network, your BT Home Hub automatically provides some wireless security via a WEP (Wired Equivalent Privacy) key. However, using new technology, it may be possible for hackers to break this key and connect to your Hub, possibly accessing your computer or using your broadband service.

You can increase this basic level of security, at no extra cost, by changing your Hub’s security from WEP to WPA (Wi-Fi Protected Access). We recommend that you consider doing this, even if you don’t connect to your Hub wirelessly.

It is a shame that their installers and support people don’t seem to know about this issue and a travesty that they haven’t been trained to leave customers’ broadband in a more secure state.

Let’s now look at the two scenarios that led us to question the training and skills of personnel in the BT Broadband installation and support operation.

Scenario 1:
A long-standing BT customer signs up for BT Broadband after using their dial-up service for many years. They asked for an "engineer" install, at an additional charge, believing this would be the best way to achieve a problem-free broadband connection. The day of the activation comes around and a BT installer turns up to set up their broadband. The installer starts on the installation, the customer leaves him alone to complete the work, and, job done, he leaves the customer’s home.

Later, they try to use the shiny new broadband for the first time, but all they observe is the computer trying to connect to the dial-up service and errors being generated when it attempts to download e-mail. At this point they gave up and called us in.

We arrive on scene and notice the following issues within a few minutes:

1. WEP encryption in use, against the best practice advice from BT themselves.

2. Computer has been left to use the Dial-Up service by default.

3. The email program had been left configured to use the Dial-up connection. 

4. The customer security software was out of date.

5. The new e-mail addresses assigned to this broadband account hadn’t been set up.

It looks very much like the engineer opened up the box, plugged in the ADSL filters and powered up the Home Hub, before finally connecting the customer’s laptop using the default WEP encryption key. It would appear that no attempt was made to connect to a web page or to access e-mail.

The fourth issue can be forgiven if the customer hasn’t signed up for one of the BT options that comes with BT security software as part of the deal. We didn’t ask so cannot comment further on this one. However, any good computer engineer would have noticed the lack of up to date security software and informed the customer that someone needs to take a look at it.

Needless to say, the issues were fixed and the customer was left fully satisfied with their new broadband connection.

Scenario 2:

A careless cleaner allows the ADSL lead to be sucked into the vacuum cleaner, thereby breaking at least one of the signal cores in the cable. At this point, all that was required was a simple replacement of the damaged ADSL lead and the customer would have been fully operational again.

Instead, they phoned BT Broadband for advice and struggled for forty minutes to understand the broken English and broad accent of the Asian call centre support representative. After 40 minutes on the telephone, the customer had been told to turn off the Home Hub, reset it to defaults and finally to replace the damaged cable.

A trip to the local electrical retailer sees a new cable in place, but the broadband is still broken. Why is it still broken? Simple, we had previously secured their wireless network with a decent WPA-PSK pass phrase and now the computers were trying to connect to the router with the pass phrase they knew, but the router was using WEP and a completely different pass phrase! To use an appropriate analogy: a case of the computers talking English when the router is talking Hindi!

Another support call-out for Roundtrip Solutions from the disgruntled Fife-based BT customer. Within minutes we had logged into the Home Hub and gone through some router-initiated security configuration changes, before making the all-important, and BT-recommended, wireless security encryption change to use WPA-PSK with the same pass phrase as before. Everything sprang into life instantly without any further intervention.

The customer was delighted with our prompt service and completely dissatisfied with British Telecom, their support personnel and the fault resolution advice provided by BT, which did appear to be a bit back to front! They were even more frustrated when we told them all they had to do was replace the damaged ADSL lead to get everything working again, and all the resetting of routers had been completely unnecessary.

Again, we couldn’t believe the customer support person had left the customer’s router using the super insecure Home Hub version of WEP.

The Crux of IT

The BT Broadband advice available on their website clearly recommends setting up their Home Hub wireless router using WPA. Actually, that should be WPA-PSK if BT wish to be technically correct, but we’ll not be too pedantic in this blog post as more important issues are being dealt with.

In general, all users of a wireless network should ensure it uses WPA-PSK or WPA2-PSK with a strong pass phrase as a minimum level of security. Do not, we repeat, DO NOT use WEP - replace everything that only supports WEP.

If you are a Home Hub user then double check your configuration is secure.

If BT Broadband is doing an engineering installation then ensure BT’s own security advice is followed. The same applies to anyone who phones their call centre for support and has their Home Hub reset as part of the fault-finding process.

We certainly wouldn’t recommend or condone the "repair" procedure used by this BT Home Hub user.


Data breaches: No more than normal

Silicon.com is reporting the ICO reckons that government data breaches aren’t any worse of late! That means they’ve been losing data, putting the general public at risk, for some considerable time!

Fair enough, the criminals are now using this data more effectively for their nefarious purposes, but it is alarming how far behind the government is in relation to protecting the most valuable assets of the general public - their identity and privacy.


Cricket Scotland Website Defaced

Looks like the hackers have been in at the Cricket Scotland website - see image below.

Cricket Scotland website defaced

The Associations Directory webpage has been filled full of links of a questionable nature.

Certainly looks like the hackers are going to town with Scottish websites at the moment!


Three Strikes and You’re Offline

The government is currently considering a plan to ban users that are caught illegally downloading copyrighted content. ISPs will have to monitor and ultimately terminate the customer’s internet access if they are found to be abusing copyright.

The BBC reports that “UK net firms are resisting government suggestions that they should do more to monitor what customers do online”.

Now for some Friday humour that complements this story nicely…

Further reading:

BBC Online

Times Online


Computer Security Presentation

On Wednesday evening, James Eaton-Lee of NGS Software and John A Thomson of Roundtrip Solutions presented to the IET South East Scotland Local Network.

The PDF version of the presentation is now available.

Please leave us a comment if you attended the event or have downloaded the presentation and have some comments or questions.


Watch out for XPantivirus

One of our earlier blog posts had Roger Thompson of AVG’s Exploit Prevention Labs running through MalwareAlarm in a well-produced video. Well, XPantivirus is a new in-the-wild rogue security program, which comes from the same family of malware.

XP Antivirus screen shot

It uses some clever JavaScript coding, just like MalwareAlarm, to force you down the road of running a fake security scan. In record-breaking time, it comes back to announce the computer has some very scary-looking malware installed, but their product can easily remove it for a nominal licence fee. These results are completely bogus and have been faked by design to scare you into handing over your cash - a nice social engineering scam! No legitimate application would make it so hard to cancel out of installing it!

This one is so new that only 5 out of 32 security products used by VirusTotal can detect it. That means a significant proportion of people are currently running a system that cannot detect this nasty.

Don’t go near the website. Don’t install XPantivirus. Don’t give them payment details. Basically, don’t get caught out folks!

We’ll be keeping an eye on how the relevant security vendors respond to this one and will let you know in a follow-up post and vblog entry about security company response times.

Take care folks.


Fame Roundup

The FETA hacking incident fame is spreading. Here’s just some of the places we are being mentioned:

Website of UK landmark hacked to serve malware 
- TechWorld.com

Web site of U.K. landmark hacked to serve malware
- NetworkWorld

That’s Technical: Finjan reports Forth Road Bridge Web site serving up malware using code obfuscation techniques
- That’s Technical Blog

Forth Road Bridge hack redirects to smut bazaar
- Techie News Blog

Finjan reports Forth Road Bridge Web site serving up malware using code obfuscation techniques
- IT Analysis

Forth Road Bridge hack redirects to smut bazaar
- Global Security News

Website of UK landmark hacked to serve malware
- ComputerWorldUK

Website of UK landmark hacked to serve malware: related news
- Big Blog

Taking Guard
- Round the Wicket - The blog of Freuchie Cricket Club

Website of UK Landmark Hacked to Serve Malware
- Hack In The Box

Goodness, this is becoming tedious :-). Go check out Google for yourself to see just how big an issue this is in the online security community!

It would seem a company that makes security appliances, which protect from such attacks, is jumping on our bandwagon. They have pushed out press releases about this incident, but with a strong focus on their company and products! We have no problem with that as long as any reports show who really discovered the problem and link back to our discovery blog post in every instance of the report. The title of the That’s Technical blog post is misleading at best. Come on guys, you could have made it much clearer in your press release who actually discovered the Forth Road Bridge break-in, and by the way, it was AVG’s LinkScanner Pro that was the real hero by way of the technology involved.


Now the Scotsman

The Scotsman has now picked up The Register’s news story about the Forth Road Bridge hacking incident.

Go see it here or catch it on Page 21 of today’s paper.


Four Critical Updates

It has been a busy few days for critical security updates for four common Windows applications. Go download and install the latest updates pronto if you’re running any of these applications:

  1. Adobe Acrobat Reader
  2. Apple Quicktime or Apple iTunes
  3. Sun Microsystems Java
  4. Skype

Click on any of the links above to go to the download location for that application.

Seems that Apple is pushing out security updates and fixed versions every few weeks and has been doing this for quite some time now! Who said Apple’s software was safer!


"In the Wild" Social Engineering

Roger Thompson of AVG’s Exploit Prevention Labs has just produced this excellent video on how social engineering techniques are fooling people, even those who think they are safe using Firefox.

The bad guys are getting smarter! Be careful out there folks.


We’ve Made "The Register" Again

John Leyden of The Register, one of the foremost IT news websites on the Internet, has mentioned us in this news story. It was even a featured story at the top of their home page. Thank you John and thank you The Register.

So far there is no public notice on the FETA website of this incident. Perhaps they are working on the news that will inform their regular users that an incident occurred and that it may have placed some of those folks’ computers at risk from all manner of malware.

This was a serious incident, and don’t underestimate the impact it may have had on vulnerable computers out there! Public disclosure of the incident was only made after the website had been taken down and fixed. We didn’t want to highlight the dangers only for curious users to go “have a look” and end up with even more systems being infected!


A Bridge Too Far is Back

The Forth Road Bridge website is back online and is clean again.

Roger Thompson of AVG has a comprehensive techie write-up of the nature of the exploit and how it worked. We’d recommend you go read his blog entry on this alongside our own earlier blog post. He came to pretty much the same conclusions as we have, which is nice.

It would be really great to get a copy of their forensic investigation tool Web Radar. Perhaps one day they will release it to the general public or maybe allow a select few “security consultants” to be armed with a copy (hint, hint).

Thanks Roger and thanks AVG UK for helping to make today a safer place for the visitors of the FETA website. The folks over at FETA also deserve praise for their prompt actions in taking the website down and getting it back up and running safely in such a short time.

To all our readers, we recommend getting yourself a copy of LinkScanner Pro now! It could save your bacon!


Forth Road Bridge Website Hacked

John A Thomson, MD of Roundtrip Solutions, has just finished investigating a reported issue with the website of the Forth Estuary Transport Authority (FETA), otherwise known as the Forth Road Bridge website. This blog post will make for interesting reading, highlighting the changing nature of the web and how legitimate websites can be compromised to serve nasties to visitors.

Forth Road Bridge - Summer Night
Photo by Martin Third

One of our customers phoned to ask about an adult-themed pop-up that appeared when visiting the Forth Road Bridge website. Unfortunately, we were unable to confirm they had actually visited the website and hadn’t mistakenly gone to some porn website in the first place, but what we could confirm was an alarming situation with the FETA website at that time.

Upon visiting the website our security systems immediately sounded the alarm with reports of the website serving an MDAC-RDS exploit using the Neosploit Hacking Toolkit - see the image below for more details.

LinkScanner Pro result for the FETA website

LinkScanner Pro, a product from Exploit Labs (recently bought by AVG), also reported a problem when it was used to evaluate the Google search results for FETA - see below.

Google result for FETA showing infection

The exact wording used by LinkScanner Pro in its Exploit log was:

NeoSploit

This is an MDAC-RDS exploit, wrapped in an attempted polymorphic script generator.

Yikes! Sounds pretty nasty, doesn’t it? There is more detail here.

The Google cached page seemed to be unaffected initially, but then Google’s bots came roaming past and now it is also showing an exploited website. The conclusion from all this: the hack took place some time in late January or early February.

The next check was to ensure the domain was indeed owned by FETA by doing a domain lookup. Although the actual result was inconclusive, enough information could be surmised to say with a reasonable level of certainty that it was indeed the legitimate website. They obviously had Consilium UK as the supplier involved with the delivery of the website way back in 2003. We do wonder why the registrant details aren’t an address somewhere close to the bridge!

Whois Record

Domain:
        feta.gov.uk
Registered For:
        Forth Estuary Transport Authority
Domain Owner:
        Forth Estuary Transport Authority
Registered By:
        Lumison Ltd
Servers:
        ns0.lumison.net        
        ns.as12703.net        
Registrant Contact:
        Richard Abrams
Registrant Address:
        Consilium UK Ltd
        Mirren Court One
        119 Renfrew Road
        PA3 4ED
        United Kingdom
        +44 1418471545 (Phone)
        +44 8703305882 (FAX)
Entry updated:
        Friday 11th May 2007
Entry created:
        Wednesday 17th September 2003

It was worth checking the IP address was assigned to FETA in case the problem was down to some kind of DNS issue.

% This is the RIPE Whois query server #3.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

% Information related to '87.246.98.144 - 87.246.98.151'

inetnum:        87.246.98.144 - 87.246.98.151
netname:        LU4682
descr:          Internal infrastructure
country:        GB
admin-c:        LUMH-RIPE
tech-c:         LUMN-RIPE
status:         ASSIGNED PA
remarks:        INFRA-AW
mnt-by:         EDNET-RIPE-MNT
changed:        dns@ednet.co.uk 20051111
source:         RIPE

role:           Lumison Hostmaster
address:        Lumison Ltd
address:        12 Dock Place
address:        Edinburgh
address:        EH6 6LU
address:        UNITED KINGDOM
remarks:        trouble:      For customer support please email support@lumison.net
remarks:        trouble:      or call +44 (0)845 1199 999
remarks:        trouble:      For abuse reports please send to abuse@lumison.net
remarks:        trouble:      For peering requests please send to peering@lumison.net
mnt-by:         EDNET-RIPE-MNT
e-mail:         hostmaster@lumison.net
admin-c:        GA8874-RIPE
tech-c:         GA8874-RIPE
nic-hdl:        LUMH-RIPE
changed:        neil.saunders@lumison.net 20040816
changed:        neil.saunders@lumison.net 20040908
source:         RIPE
abuse-mailbox:  abuse@lumison.net

role:           Lumison NOC
address:        Lumison Ltd
address:        7 Claylands Road
address:        Newbridge
address:        EH28 8LF
address:        UNITED KINGDOM
remarks:        trouble: For customer support please email support@lumison.net
remarks:        trouble: or call +44 (0)845 1199 999
remarks:        trouble: For abuse reports please send to abuse@lumison.net
remarks:        trouble: For peering requests please send to peering@lumison.net
mnt-by:         EDNET-RIPE-MNT
admin-c:        GT73-RIPE
admin-c:        GA8874-RIPE
admin-c:        IM1814-RIPE
tech-c:         RM7978-RIPE
tech-c:         GT73-RIPE
tech-c:         IM1814-RIPE
nic-hdl:        LUMN-RIPE
source:         RIPE
abuse-mailbox:  abuse@lumison.net
changed:        ian.mackinnon@lumison.net 20060727
e-mail:         noc@lumison.net

% Information related to '87.246.64.0/18AS12703'

route:          87.246.64.0/18
descr:          Lumison Limited IP allocation.
origin:         AS12703
mnt-by:         EDNET-RIPE-MNT
changed:        dns@ednet.co.uk 20050908
source:         RIPE

Again, we had to surmise this was indeed the IP address of the FETA website! The FETA domain is pointing at Lumison’s name servers and Lumison owns the IP address range that contains the FETA website server. The bits of the puzzle kind of link up.

Next it was worth sniffing the website traffic to see where the compromise was occurring. After a little digging around, the exploit code was found fairly easily: the obfuscated JavaScript made it stand out like a sore thumb. Very nasty indeed! This code made the browser connect to a server in Turkey with an IP address of 88.255.90.130. Most of the time this server returned instructions to look at the BBC website, but occasionally it delivered another JavaScript payload, which could have done anything it liked!
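The injected block was spotted because its obfuscation stood out from the rest of the page. As an added example that is not code from the original post, FETA, AVG or LinkScanner Pro, here is a small stdlib-only heuristic a site owner could run over their own pages to flag inline scripts that look like that; the indicators, thresholds and the sample HTML (whose "injected" block decodes to harmless markup) are my own constructions.

```python
"""Flag <script> blocks that look like the obfuscated injection described above.

Added example, not code from the original post, FETA, AVG or LinkScanner Pro.
The indicators, thresholds and SAMPLE_HTML (whose "injected" block decodes to
harmless markup) are constructed for illustration, not taken from the incident.
"""
import re
from html.parser import HTMLParser

PERCENT_RE = re.compile(r"%[0-9a-fA-F]{2}")                  # %xx escapes for unescape()
CHARCODE_RE = re.compile(r"String\.fromCharCode\s*\(")
NUMBER_RE = re.compile(r"\b\d{2,3}\b")                       # char codes in a long list
LONG_LITERAL_RE = re.compile(r"""(["'])[^"'\n]{100,}\1""")  # single literal of 100+ chars


class ScriptCollector(HTMLParser):
    """Collects the inline body of every <script> element in document order."""

    def __init__(self):
        super().__init__()
        self._in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data


def score_script(src):
    """Return the obfuscation indicators present in one script body."""
    reasons = []
    # Decoding a string and then executing it is the classic packer pattern.
    if "eval(" in src and ("unescape(" in src or CHARCODE_RE.search(src)):
        reasons.append("eval over decoded string")
    # More than half of the text is %xx escapes: hand-written code never looks like this.
    if src and 3 * len(PERCENT_RE.findall(src)) / len(src) > 0.5:
        reasons.append("mostly percent-encoded")
    if CHARCODE_RE.search(src) and len(NUMBER_RE.findall(src)) >= 20:
        reasons.append("String.fromCharCode over a long numeric list")
    if LONG_LITERAL_RE.search(src):
        reasons.append("very long string literal")
    return reasons


def scan_html(html, flag_at=2):
    """Score every inline script; a block with flag_at or more indicators is flagged."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    return [
        {"index": i, "reasons": r, "flagged": len(r) >= flag_at}
        for i, r in enumerate(score_script(s) for s in collector.scripts)
    ]


def percent_encode_all(text):
    """Encode every character as %xx; used only to build the constructed sample."""
    return "".join("%%%02x" % ord(ch) for ch in text)


# Constructed stand-in for an injected block: the decoded payload is harmless markup.
INJECTED_SCRIPT = 'eval(unescape("' + percent_encode_all(
    'document.write("<p>constructed sample, not the real payload</p>");') + '"));'

SAMPLE_HTML = (
    "<html><head><title>Constructed sample page</title>\n"
    '<script type="text/javascript">\n'
    "  // ordinary site script: nothing decoded, nothing evaluated\n"
    "  var visits = 0;\n"
    "  function trackVisit(page) { visits += 1; return page + ' seen ' + visits; }\n"
    "</script>\n</head><body><h1>Bridge status</h1>\n"
    "<script>" + INJECTED_SCRIPT + "</script>\n</body></html>\n"
)

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(finding)
```

Run against a saved copy of each page on the site; a legitimate script that decodes and evaluates a long encoded string is rare enough that a flagged block deserves a manual look.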

To confirm the problem was indeed a genuine website compromise we referred the incident to Roger Thompson over at AVG. He’s the person with all the experience in dealing with exploits detected by LinkScanner Pro. In fact, he got a mention in a Baseline Magazine 2006 article that detailed this very same exploit when it was first being seen in the wild. Expect to see a blog post from Roger very soon on his findings for this incident. We expect he will have completed the last piece of the puzzle and know the particular nasties being pushed out by the Turkish server.

Once the compromised website had been confirmed, we immediately informed FETA IT management about this incident. They took down the website within minutes, no hanging around waiting for any third party supplier to confirm the compromise. Kudos to them.

Our guess at this point would be one of the following:

1. A server patch hadn’t been applied allowing the full server to be compromised. This could potentially be very painful for the web server supplier if it turns out to be the case.

2. The website is built using a content management system called “Joomla”. It is possible it is using an older, insecure Joomla core or an older, insecure module. Maybe someone has forgotten or neglected to patch the Joomla files.

3. Something else on the web server has been compromised allowing access to the FETA website files.

4. One of the website developers has a compromised workstation computer that allowed hackers to gain the FTP username and password directly using a key logger.

Only the hackers know the exact nature of the compromise, but the FETA IT team should be able to investigate the nature of the compromise using a good forensics specialist and be able to evaluate the scale of the problem, thereafter putting in place the necessary fixes to ensure better security of the website in the future!

People who’ve visited the website over the last week need only panic if they are running a version of Microsoft Windows that hasn’t been patched or a version before Windows 2000. Security products may also have caught this nasty and blocked it from gaining a hold. This exploit was addressed in Microsoft Security bulletin MS06-014, released 11 April, 2006, along with updates to the affected MDAC versions. Customers running Windows Vista are unlikely to have been affected by this exploit.

Our advice to anyone who has visited the FETA website since about the 1st February is to run a variety of security products including antivirus, antispyware and antirootkits through your system to ensure nothing has slipped through. It is also vital to keep up with both Microsoft and 3rd party application patches and updates.

If you have any doubts or queries then feel free to Contact Us for advice.
