BBC repeating mindless nonsense

I’ve just read a report from the BBC that simply repeats some mindless drivel about SQL Injection Attacks from a spokesman for the US Department of Justice. According to the BBC:

Edward Wilding, a fraud investigator, told the BBC that this method was “a pretty standard way” for fraudsters to try to access personal data.

It “exploits any vulnerability in a firewall and inserts a code to gather information,” he explained.

It, however, does not point out that Mr Wilding is incorrect. It simply regurgitates the standard patter about firewalls without question. SQL Injection attacks have absolutely nothing to do with firewalls. They are all to do with leveraging mistakes in the way the application communicates with the database. An application which already has valid rights to communicate with the database. Firewalls may be in place to stop direct access to the database, but a SQL Injection attack takes a secondary route to get there.

In short, SQL Injection Attacks are the result of poor software development practices. Something, the prevalence of which, I’ve blogged about previously. I’ve also blogged about how to reduce the attack surface of the application with respect to SQL Injection attacks. In fact, it is so mind-numbingly easy to reduce the ability for someone to launch a SQL Injection Attack on an application I’m surprised developers are still allowed to get away with it.

But back to the article:

Mr Wilding said that chip-and-pin did provide some protection against SQL attacks, but there was little consumers could do to protect themselves against this kind of fraud.

You have to be kidding me! Chip-and-pin also has nothing to do with a SQL Injection attack. It cannot protect you from one. A SQL Injection Attack is an attack on a database, not the actual physical card. All chip-and-pin can do is ensure that a person using a credit or debit card knows the pin. Chip and pin is not used in online transactions. It is not used in telephone transactions.

“The real vulnerability, I suspect, is internet and telephone transactions. But this is a failure in the configuration of [corporate] firewalls,” he said.

Back to the firewall nonsense again. I repeat that firewalls cannot protect against SQL Injection Attacks because the route to the database is a valid one via a third process. (My machine runs the first process, the database is the second process the application being attacked is the third process) However, the BBC is still blithely repeating this misattribution of blame.

If blame is to be placed anywhere then it must surely be at the door of the developers who wrote the payment system that could so easily be hacked in order to gain sufficient access to the database to get all this data. This, of course, is if you believe that it was a SQL Injection Attack. The BBC could have got that bit wrong too!

UPDATE (@ 19:30)

I’ve just noticed that the BBC have reworked the article and it was last updated an hour ago. It does now contain a side box that I didn’t see before that at least, in some small way, explains that a SQL Injection Attack are “weaknesses in companies’ programming which allows them to get behind firewalls”. The main article now contains the paragraph:

The method is believed to involve exploiting errors in programming to get behind compnay [sic]  frewall’s [sic] and accessing [sic] data.

As you can see by the spelling and grammatical mistakes it must have been rather hastily put together. One quote from Mr Wilding has also changed from being reported as:

“The real vulnerability, I suspect, is internet and telephone transactions. But this is a failure in the configuration of [corporate] firewalls,” he said.


“The real vulnerability [for cardholders], I suspect, is Internet and telephone transactions using credit cards were most vulnerable, he said, though added it was a failure of corporations, not customers.

Yet again, this looks like it was hastily put together because of the poor punctuation.

Come on, BBC, this is not journalism but reactive rubbish! Do you even understand what you are actually reporting?


Are people really this gullible

I just got this in my email:

Let your email come to you.
With Yahoo! Mail Alerts, you’ll know
the instant you get one.
Account Alert
Dear Valued Member,

Due to the congestion in all Yahoo users and removal of all unused Yahoo Accounts,Yahoo would be shutting down all unused accounts,You will have to confirm your E-mail by filling out your Login Info below after clicking the reply botton, or your account will be suspended within 24 hours for security reasons.

UserName: ………………………………


Date Of Birth: …………………………………..

Country Or Territory:..……………………….

After Following the instructions in the sheet,your account will not be interrupted and will continue as normal.Thanks for your attention to this request.We apologize for any inconvinience.


Are people really this gullible as to send their password unencrypted in a plain text email?! Not only that but in a manner that outwith the bounds of any previous interaction with the alleged company in question.

Well, I suppose if people are willing to hand over their passwords for £5 I shouldn’t be surprised.



Banking Scams

Just now I got a spam email purporting to be from my bank. In fact, I get lots of these because I obviously have accounts with Barclays, NatWest, HSBC, HBOS, RBS, CitiBank, WellsFargo, Clydesdale, Caja Madrid, ING, and a whole host of others.

Obviously some people are still fooled by them, otherwise they wouldn’t still be sending them out after all those years. In fact, the mails do look like they could be authentic. The from address appears to be from the right place, the wording looks like it could be from my bank, and it gives me a link that looks like the one I log on with. However, it is still a scam.

I’m guessing the normal readership of my blog, mostly software developers, would be able to spot a scam like this fairly easily, but for anyone arriving via Google direct to this page and are looking for some tips for spotting a scam here goes:

Here is the body of a scam email I received:

Dear Customer,
Royal Bank. always look forward for the high security of our clients. During our regularly scheduled account maintenance and verification procedures, we have detected a slight error in your account information.This might be due to either of the following reasons:
1. A recent change in your personal information.
2. Submitting invalid information during the initial sign in process.
Due to this, you are requested to please update and verify your information by clicking the link below:


We have asked few additional information which is going to be the part of secure login process. These additional information will be asked during your future login security so, please provide all these info completely and correctly otherwise due to security reasons we may have to close your account temporarily.
We thank you for your prompt attention to this matter. Please understand that this is a security measure intended to help protect you and your account. We apologize for any inconvenience.

Security Advisor
Royal Bank Of Scotland.

Please do not reply to this e-mail. Mail sent to this address cannot be answered.
For assistance, log in to your Royal Online Bank account and choose the “Help” link on any page.
Royal Bank Email ID # 1009


I’ve highlighted some of the text in red, as I’m going to talk about it.

First off, “Dear Customer”, really?! – how impersonal, surely you already know who I am? If the email is so general that they’ve used “Dear Customer” then they’ve obviously sent it to everyone and they really haven’t a clue what there systems are doing. No bank should be that clueless.

Next is the dot after “Royal Bank”. That’s not the end of a sentence. It isn’t even a sentence (it contains no verb). Perhaps they are using the “.” to signify an abbreviation of sorts, but I’ve never seen any Royal Bank communication do that. In fact, I’ve never seen anybody do that for “Royal Bank”.

“Look forward for” is grammatically incorrect, you look forward to things, not “for” them. And why would they be looking forward to the high security of their customers. Surely that already exists. The bank has been around for about 300 years, I imagine after all that time they must be doing something right with regards to security.

You also have to ask yourself, why would the banks processes be so bad as to cause an error for the reasons stated?

Next is the URL (the web address) given to you in order to log in. Hover over it and look in your browser’s status bar. Did you notice that the status bar says something different to what you see on the page? I’ve altered the real address so people don’t inadvertently use it, but you can see it doesn’t match the bank’s real address.

Now, they are asking for additional security information during the log in process. Many banks only ask for random bits of information during the log in process. Like one time they’ll ask for your mother’s name, the next they’ll ask what the first school you went to was, and so on. The spammers obviously need to know all the information so that when they get presented with the real random question they’ll be able to answer correctly.

Finally, why would they close your account temporarily? A bank would never actually close an account for a potential security violation. They may suspend it, or remove access to it, but never actually close it.

So, here are some tips:

  • If you receive an email purporting to be from your bank, don’t click on any links in it.
  • If your banks log on procedure appears to be different from the previous time, check with the bank themselves. They may have updated their website, or it may be a scam, best to check.
  • When you log in, ensure that the address in your address bar is the one you expect, and that it is a properly secure connection. There will be a padlock on the address bar or in the status bar (depending on which browser you have)
  • Banks are generally fastidious about grammar and spelling in any communication they send out. It makes them look highly unprofessional if they weren’t. So check any emails for grammatical or spelling errors.
Technorati Tags: ,,,

Data Protection Muppets

I’ve mentioned this topic on my blog before with regard to the Royal Bank of Scotland and Intelligent Finance but this time it was related to an insurance claim. The insurance company put me in contact with a company that would do the repairs and all they had to do was arrange a time and date. However, it wasn’t that simple.

Initially things seemed to be going well until the company in question phoned me to change the date because they wouldn’t have the materials in time. However, first they wanted to go through security screening.

Now, the conversation to this point had gone something like this:

Me: Hello
Them: Hello, is that Colin Mackay [pronounced kae – I HATE that!]
Me: Mackay [pronounced correctly – its a diphthong, a sliding or gliding vowel that goes from ‘ah’ to ‘ee’] Yes.
Them: This is Martindales. We just need to ask you some security questions before we proceed.
Me: How do I know you are who you say you are?
Them: We are Martindales, your insurance company has appointed us…

The conversation went from bad to worse as I tried to explain that what they are doing is socially conditioning people to hand out sensitive information and was then told that they “had to” ask these questions because of the data protection act. The act makes no such requirement. What they have to do is ensure that they are speaking to the correct person so they don’t divulge potentially sensitive information to the wrong person. However, the way they are going about it, while technically in line with the act, is most certainly not within the spirit of the act.

What made it worst was that when I was asked how they could continue the conversation and I gave the solution they had to ask me no fewer than 3 times how they were going to continue the conversation even although I had given them a solution. After that incident they decided they must not have like my simple solution and refused to communicate with me at all for a while.

My solution, incidentally, was this. They would phone me and indicate that they need to speak to me. I would then get the phone number from existing documentation (i.e. a trusted source) and phone their switchboard and ask to be put through to the person that needed to talk to me. They can then go through the security questions as I will then know I am talking to the correct party. When they phone me I have no way of knowing who I am talking to. They could be making it up. If they give me a phone number to use I won’t use it. I will only use trusted sources like documentation from my insurance company, or from the booklet that the insurance assessor left me.

Anyway, Martindales eventually decided that they did need to communicate with me about yet another change in date and sent me a letter. Pity it didn’t arrive until two days after the guy was supposed to show up. In fact he did almost arrive, and I only knew about it because they phoned me just to say that he was running a little late. Muppets!



Aye! Right!

I just got this email purporting to be from PayPal. I don’t believe the email.

Dear valued PayPal member:

It has come to our attention that your PayPal account information needs to be
updated as part of our continuing commitment to protect your account and to reduce
the instance of fraud on our website.  If you could please take 5-10 minutes out
of your online experience and update your personal records you will not run into
any future problems with the online service.

However, failure to update your records will result in account suspension.
Please update your records on or before July 06, 2007.

Once you have updated your account records, your PayPal session will not be
interrupted and will continue as normal.

To update your PayPal records click on the following link:

Thank You.

What makes me think it is a fake? The URL does not contain PayPal’s domain name. It is a simple IP address.

So, who owns the IP Address?

OrgName:    Road Runner HoldCo LLC
OrgID:      RRSW
Address:    13241 Woodland Park Road
City:       HerndonState
Prov:       VA
PostalCode: 20171
Country:    US

And what about the real PayPal. Their IP Address is

Also, the email didn’t have my address in the “TO” box (So I’m guessing all the recipients were BCC’d into the list) and the reply address is no-reply@google.com.

I have sent an appropriate email to Road Runner letting them know that someone is using their servers to host phishing sites. Hopefully it can be taken down promptly to prevent any less savvy people falling victim to this really quite amaturish attempt at a phishing scam.



Screensavers that attack spammers

While I hate receiving spam, I feel that the latest offering from Lycos to try and tackle spam by hitting Spammers where it hurts – Right in the bandwidth – is highly irresponsible.

If you are not aware of what I am talking about then I am talking about the Make Love Not Spam[^] website by Lycos. It offers you a Screensaver to download which, while running, will hit spammers’ websites. It works by the screensaver requesting from a central database a spammer to attack. The central system monitors the spammers website so that it isn’t completely disabled (how thoughtful) and if one site is getting near the brink will instruct the screensavers to go elsewhere. It doesn’t take too much of the user’s bandwidth as it only sends the request and then ignores the response.

To me this smacks of vigilantism. While some people welcome that someone is “finally doing something” the problem is that it is unregulated. Some might argue the case that it is just an “eye for an eye and a tooth for a tooth”, but many vigilantes end up hurting their targets or innocent bystanders more than the vigilante’s target ever inflicted on others.

I don’t know what the law is in your part of the world, but I would like to warn anyone in the UK that use of this screensaver may be illegal (I want to emphasise MAY BE illegal – I am not a lawyer). I am referring specifically to Section 3 of the 1990 Misuse of Computers Act.

To quote from guidance from the Home Office website[^]:

Section 3 – Unauthorised modification of computer material
Where a person does any act that causes the unauthorised modification of the contents of any computer a section 3 offence is committed. There must have been the intent to cause the modification and knowledge that the modification has not been authorised. The offence does not have to be preceded by a section 1 offence. This offence covers the introduction of harmful worms and viruses to a system, and denial of service attacks. The offence is punishable on summary conviction for a term not exceeding five years.

While the Lycos screensaver does not completely disable a website it does cause “modification” to the service by slowing down the servers almost to the point of breaking. Any user of Lycos’ screensaver does so with the knowledge that their actions are “harmful”

The advice goes on to say that an offence is committed when the person committing the offence is in England, Wales, Scotland or Northern Ireland at the time of the attack, or that the target computer was in England, Wales, Scotland or Northern Ireland. So, potentially even people outside the UK who hit a spammer’s website that is located within the UK may be convicted under this law.

Finally, let me remind you that I am not a lawyer and this is just my interpretation of the law. If you want to use the screensaver then that is up to you.

NOTE: This was rescued from the Wayback Machine. The original was dated Monday, 29th November, 2004.


Sony DRM Hides Trojan

Further to my post last week about Sony’s malware disguised as DRM it seems that a trojan is now taking advantage of the Sony malware.

From The Register: “This means, that for systems infected by the Sony DRM rootkit technology, the dropped file is entirely invisible to the user. It will not be found in any process and file listing. Only rootkit scanners, such as the free utility RootkitRevealer, can unmask the culprit,” warns Ivan Macalintal, a senior threat analyst at security firm Trend Micro.

The full story can be found here: First Trojan using Sony DRM spotted

This was rescued from the Google Cache. The original date was Thursday 10th November, 2005.