FBI warns of SIM-swap scams, IBM finds holes in visitor software, 13-year-old girl charged over JavaScript prank...

This week we had an NSA reverse-engineering toolkit released at the RSA Conference, a buffer bashed aboard British Airways, big trouble brewing for Citrix, plus much more. Along the way, a few other things happened: Alarms raised over IP cameras A new Internet of Things botnet could be in the works, as security outfit …

  1. Conundrum1885

    Research

    Hi, can someone tell me if the "Computer Misuse Act" or "Digital Economy Act" covers using an analogue device to hack say a car?

    Seems that many manufacturers simply put their heads in the sand and there was an article on BBC News about it this morning.

    I did actually test it on mine, got as far as proof of concept only.

    Technically this is a very fine line but "carpotting" as it is called, i.e. setting off all the alarms in a given area, has been done before.

    Incidentally this actually happened over here, wasn't my system but someone did set off 25 alarms in one go!

    1. Lee D Silver badge

      Re: Research

      I don't think the medium matters. It's unauthorised access to a system - whether or not that system relies on Morse code, default passwords, or radio waves - that's the legal boundary.

      That said, cars are notoriously vulnerable because people do stupid things like buy cars that let you start the engine by radio-signal. I am of the opinion that *access* to my car is nothing more than a window-smash away for someone who wants to do it. Thus a remote fob that unlocks the doors isn't the end of the world, and also requires a criminal act to happen. I don't keep anything in the car that's worth nicking.

      However, I would posit that, from there, making a car start would be much more difficult and likely to attract attention (at minimum I would think you'd have to open the bonnet, somehow bypass / compromise the immobiliser, which is coded to my *physical* key and not any radio fob). I still wouldn't put it past people to have a way to do it, but you can't just load up RTL-SDR, with a £20 TV-tuner dongle, a small laptop, and record/re-broadcast the 433MHz frequency from my keyfob in my house such that the car would start and you can drive off (which is what you *can* do with the new cars).

      For a start... my keyfob only broadcasts when I press the button, not when it's just sitting in my coat pocket in the coat on a hook inside my hallway.

      And for those wondering - yep, you can pick up the signal on 433MHz. It's a simple plugin for RTL-SDR software to show it. It doesn't mean you can *tinker* with it as easily but from there it's just a matter of finding the actually-dodgy software that interprets the Ford key protocol from the net.

      Guess how I know this is possible, and what dongle I bought last week, and what I've been using to look at everything from weather stations, to ATC voice and data traffic, to picking up Heart FM. I'm staying *strictly* on a receive-only device, however, but it's scarily easy to broadcast (e.g. a single GPIO on a RPi connected to an antenna and a different piece of SDR software - ugly, probably illegal because it's a squarewave broadcasting on all kinds of frequencies, but nothing a radio ham couldn't also do in seconds).

      If you don't want something to happen, don't allow it to happen even in theory. This goes for everything from buying receive-only devices when you don't want to get into trouble because someone reads a comment on the Internet and thinks you're hacking the neighbour's cars, to installing apps with permission to use the camera, to buying cars that let you start them from nothing more than a radio signal.

      My car can only open the doors on a radio signal. That's it. And that's nothing more than you could get in a few seconds with a skilled, or brazen, thief. If you don't allow the thing to be possible in the first place, then you don't need to worry about how to secure it.

      1. overunder
        Thumb Up

        Re: Research

        Tell us more about your keyfob.

    2. M.V. Lipvig

      Re: Research

      I used to do that on a regular basis. Drive by a car I knew was alarmed at about 30mph, drop to first gear, and let my blown out glasspacks do the rest. If I did it in a concrete car park, every car with an alarm on the level I was on went off.

      But, I was a stupid teen at the time and no longer do this. I prefer quieter systems these days as the plod doesn't pay nearly as much attention to quiet cars as they do noisy ones. Plus they give me headaches now.

  2. FuzzyWuzzys Silver badge
    Unhappy

    Arresting a 13 year old for a bit of iffy Javascript sharing? Jeez, I hope they never found the pranks my mates and I played with assembler at school. 4 hormone addled 14 year old nerds trying to outdo each other as to who could write the most malicious piece of assembler code just to piss the others off. Can't believe that was over 30 years ago.

    Here we are in 2019 and harmless tech pranks will land you in court, a nasty dose of community service and a criminal record. What a boring world we live in these days.

    1. b0llchit
      Black Helicopters

      Just wait...

      This piece of code will land you in jail too:

      main:

      jump main

      It is _the_ most malicious code in existence. It uses all your computer cycles to do absolutely nothing! It is an abuse of power and must be prosecuted to the meanest extent of the law. We should introduce mandatory flogging while being jailed for anybody using above code.

      1. doublelayer Silver badge

        Re: Just wait...

        A coworker recently wrote a piece of code that had a bit of a problem, and asked for my help debugging it. Its problem was that it tried to allocate about 300GB of memory and didn't check for errors after allocating. In order to debug it, I had to receive it. I think that guy is now guilty of various heinous crimes for sending me his diabolical malware which would have totally destroyed ... well temporarily disabled ... well made me press control C on a whole debugger session had I run it rather than just reading it. It's clearly a lot worse than what this person did. Which law enforcement office do I report him to, and how many decades in prison is he going to get?

        1. b0llchit
          Mushroom

          Re: Just wait...

          He'll get a raise for being incompetent.

          He'll get a fine for wasting resources.

          He'll get a slap on the wrist for asking for help.

          He'll get 25-to-life for sending you the code (heinous crime, this is trafficking of malicious software).

          You'll get a strike on your social record for assisting a known criminal.

          You'll get 10-to-20 next time you look at code in a debugger (intellectual property violation).

          1. bombastic bob Silver badge
            WTF?

            Re: Just wait...

            "a strike on your social record"

            'Social Record' - W.T.F. ???

            1. LewisRage

              Re: Just wait...

              He must have thought the guy he was replying to was in China.

    2. Version 1.0 Silver badge

      So society prosecutes a 13 year old for Javascript but lets Equifax sail off on vacation.

      1. Hans 1 Silver badge
        WTF?

        Charged for an infinite loop? Crikey, Japan?

        1. Mr Benny

          Let's hope they don't check Apple's new address.

        2. Anonymous Coward

          I wonder if the manufacturers of the "useless box" are now worried!

        3. FlamingDeath Bronze badge
          Holmes

          For research purposes, of course

    3. Mr Benny

      s/boring/technically clueless/g

      When the assclowns in authority can't tell the difference between malicious hacking and kids playing with trivial code that is nothing more than slightly irritating, does no harm and can easily be stopped by anyone with half a clue about how to use a browser or taskmgr.exe/kill, then it's really time to start worrying.

      1. ds6 Bronze badge

        If it were that easy to stop, you'd think the crims that spam message boxes on you with a shoddy TTS voice reading "CRITICAL ERROR FROM MICROSOFT: YOUR COMPUTER HAS BEEN HACKED" wouldn't have any catches. Point is people are gullible.

        1. Mr Benny

          It is easy to stop. You're obviously a techno idiot so wtf are you doing on this site?

          And yes people are gullible but people in power are supposed to take advice from experts in their fields.

          1. Teiwaz Silver badge

            It is easy to stop. You're obviously a techno idiot so wtf are you doing on this site?

            Current advice seems to be resorting to taskmgr to kill the browser.

            I'm sorry, that's hardly a solution that gives the user much control at all..

            What happens when your dog pees on the carpet, you shoot it in the head???

          2. ds6 Bronze badge
            WTF?

            You've entirely missed my point, "idiot"

            For the average incompetent fool that uses a computer, there isn't an immediately visible way to deal with script-kiddie levels of phishing and scareware; and if they have their browser bring up the last session when they reopen it, then it will become undefeatable to them after restarting the computer in an attempt to "fix" the problem. Scammers rely on the fact that Jane the Soccer Mom doesn't know that ticking the "Stop showing alerts from this site" checkbox will render completely obsolete that obviously fake (to us) scam site, and that's why people are still falling for it.

            Chill out. Not everyone is a super-genius like you—and really, the majority aren't. Unfortunately hiring people both knowledgeable in the law and techno-savvy would require a lot more soul-searching than I think most legal bodies care to do... That's what advisors are for, a resource they clearly didn't use this time (or their advisors were just useless).

      2. fajensen Silver badge

        It can be observed that Stupidity and Incompetence are uniformly distributed in any population! Thus we will find people that are given god-like authority possessing about as much common sense as a ferret on crystal meth!

    4. bombastic bob Silver badge
      Devil

      13yo girls' prank pales in comparison to some oldies

      I think the worst pranks of yesteryear involved the infinite browser windows playing a flash video like "you are an idiot, ha ha ha ha ha ha ha ha ha ha haaaaa" or "hey this guy is looking at gay porn" and so on.

      Killing those generally involved stopping the browser. On Linux or BSD, 'killall firefox' (or whatever) from a console would make it die really fast. On Windows, ctrl+alt+del and switch to task manager let you kill it from there (or you could log out, and that'd do it too). Seriously, though, not a major problem, just an irritant that you could enjoy laughing about later.

      Apparently the police in that girl's town didn't have a sense of humor. Still I imagine that girl will be _VERY_ popular in middle/high school, now.

      1. Teiwaz Silver badge

        Re: 13yo girls' prank pales in comparison to some oldies

        Killing those generally involved stopping the browser. On Linux or BSD, 'killall firefox' (or whatever) from a console would make it die really fast. On Windows, ctrl+alt+del and switch to task manager let you kill it from there

        Really should be a more controlled way of dealing with this type of nasty misuse to give power back to the user. Seems to me such loss of control is ripe for abuse from the get-go, and it's been around since the 90's so it has been abused from the very start and continues to be.

        What's wrong? Browser designers too busy having whizzes, bangs, crap ui's and extraneous features crammed in to deal with a flaw that's been in since the WWW new stone age?

        1. Mr Benny

          Re: 13yo girls' prank pales in comparison to some oldies

          "Really should be a more controlled way of dealing with this type of nasty misuse to give power back to the user."

          Do people like you ever delve deeper into your browsers options than the Bookmarks menu?

          1. Baldrickk Silver badge

            Re: 13yo girls' prank pales in comparison to some oldies

            I put javascript into my bookmarks sometimes, to create bookmarklets, as a cheap and dirty way of implementing a simple plugin :)

    5. This post has been deleted by its author

    6. werdsmith Silver badge

      If the 13 year old was arrested for a javascript loop then I would have been doing 30 years hard labour for my coding prank exploits as a teen.

      Oh wait, I did get that penalty and I'm still not free....

    7. GruntyMcPugh Silver badge

      @FuzzyWuzzys

      When I was a kid, I'd go into WH Smith, and write a little basic prog on their Oric~1, a loop just long enough so I could get out of the door, then a loop around 'PING ZAP SHOOT EXPLODE' pre-defined sounds. It was the computer equivalent of setting all the egg timers in 'Spoils'. Probably get arrested for that these days.

      1. Tikimon Silver badge
        Devil

        I faked an early "AI" like that

        I lost interest in coding after BASIC, but I did something similar in stores. After a few fast minutes of typing I left the machine on a tempting text prompt. When a key was pressed, it would return STOP THAT. Further key presses got I MEAN IT. LEAVE ME ALONE DAMMIT. DO YOU EVER WASH THOSE HANDS? ALL RIGHT THAT'S IT, I'M CALLING SECURITY. and so on. Of course I only got to see the fruits of my labor a few times, but in them early days people didn't know the embryonic PC's limits and weren't sure to disbelieve or not.

        The moral, if there is one, might be that 30 years later people are still easily fooled by simple programming tricks into believing in machine intelligence.

    8. tiggity Silver badge

      She was doing a valuable service - illustrating why JavaScript enabled by default can be a really bad idea - might teach any "victims" of the harmless prank to take more care in future

      1. ds6 Bronze badge

        It's like you're implying the braindead Facebook-using cat-picture-posting "I just want my laptop to work" masses will actually learn, if they are even capable of understanding what a "java script" is. A friend of mine always said "I don't need to protect myself, I have nothing to hide" and then his credit card got stolen and he lost his life savings... still doesn't take any precautions.

    9. Anonymous Coward

      My educated guess is that they were looking to boost their statistics on cyber crime arrests ahead of the 2020 Olympics... but that they just don't have the skill to go for actual criminals.

      A 13 year-old sharing JavaScript is quite easier to identify and apprehend after all

  3. Lee D Silver badge

    "If you do run an IP-enabled camera, you would be wise to check for and install any available firmware updates, or firewall off TCP port 9527 just to be on the safe side."

    Sigh. Or run a "nothing by default" firewall, like almost every router in the world uses, and then be forced to punch holes for documented and accessible reasons. i.e. if this was a debug port, then why would you be opening it? If the manual says you access the cameras over port 80, why would you be opening 9527 if just 80 worked? Literal idiocy. I bet these people also have UPnP running on their router such that ANYTHING can forward ANY port to ANY destination. Absolute madness and totally, 100%, absolutely NOT REQUIRED AT ALL.

    Hell, my *home* CCTV box isn't accessible remotely like that - it actually pulls a specific RTSP stream into another program which I access remotely. Thus, even if the DVR *wanted to*, it literally cannot talk to the net or accept commands from even its own manufacturer (the only thing it can do is contact a local NTP server).

    Hospital machines being NETWORK ACCESSIBLE with no IP filter. It doesn't matter the OS that runs underneath if you just act on every packet that comes your way.

    "default admin credentials, enabled breakout keys that opened the Windows desktop, and had data leakage bugs "

    Amateur hour again!

    Honestly, it's 2019 people. Let's get with the program of not having "secret keys", forcing people to change their passwords, and having a default-on firewall on all machines, not to mention on the network as a whole (even if that's literally JUST on the incoming traffic, and all outgoing traffic is allowed).

    1. doublelayer Silver badge

      Wholeheartedly agree. I think we should take the people who have no firewall on incoming traffic and put them in a mixer with those people who block outgoing traffic on all ports*, then only use what survives. And all those security nightmares like UPNP should be off by default, especially as most consumer-facing routers simply have a page saying "Enable/disable UPNP", without explaining to them in any way what UPNP does and why you might want it or not.

      * Does anyone have a suggestion as to what port and protocol to run a VPN server on so traffic will generally be allowed through weirdly restrictive firewalls? No, I cannot use 443 as I already have something running on that, but virtually every other port is free and I like to avoid the times when my traffic simply doesn't go through on the default.

      1. Paul Martin

        993/tcp = IMAPS, used by most mail clients for IMAP over SSL.

      2. Baldrickk Silver badge

        And they default to having UPnP turned on by default in a distressingly large number of cases.

    2. james_smith

      I'm worried that someone will upload a rogue version of SCORPION STARE to those cameras...

  4. MiguelC Silver badge

    Why is "SIM swapping" a thing?

    From the article: "Either switch to physical hardware tokens to protect accounts, ideally, or authentication apps, and/or call your carrier and put SIM transfer protections on your plan." (my highlight)

    Ahh, it's so carriers can charge you for the privilege of not transferring your SIM to anyone that asks them nicely, without any evidence of ownership...

    (we need some sort of "because of money" icon, it would be used extensively, I believe)

    1. doublelayer Silver badge

      Re: Why is "SIM swapping" a thing?

      I suppose it could be that, but if you have a network that doesn't use physical SIMs (CDMA network on 3G devices, devices with ESIMs, CDMA networks sometimes just at random), your only way to switch service to a new device is to have the carrier do so with the IMEI of the new device. You can't do so yourself. If they don't have a physical location near to you, they can do it over the phone, though in my experience they asked for some verification that I had the previous device (I suppose if that was broken rather than just old and being replaced I would have had to show up at their office). I don't know if this works on networks without this, as I've never had to call up a service provider to switch phones around when I had a physical SIM that could be swapped into the new device.

  5. K Silver badge
    Pint

    Bruce..

    El Reg... How could you not have adopted him? Would have made an amazing mascot.

    If I lived in the US, I would have run out of the conference with him in tow. I bet that fluffy fur ball is a right sod, but still, I can't understand how something as young or as cute gets put in a rescue shelter - before anybody says "he grows", yes I know, I have a 7 year old Malamute.

    The person who adopts him gets a beer from me ------>

    https://www.petfinder.com/dog/bruce-44147507/ca/stockton/finding-a-best-friend-rescue-ca2599/

    1. bombastic bob Silver badge
      Unhappy

      Re: Bruce..

      "I can't understand how something as young or as cute gets put in a rescue shelter"

      Well here are a few reasons:

      a) I can't take care of a dog any more because [fill in blank] and nobody would take him

      b) my dog had puppies and nobody wants them

      c) feral or abandoned animals [occasionally still happens]

      d) owner dies, nobody wanted the pets

      anyway, it's why you go to the animal shelters to find a pet FIRST.

  6. LateAgain

    How do you get close enough to scan contactless cards?

    Build a scanner into the collar of a cute little beasty and let people play with it.

    1. macjules Silver badge

      Re: How do you get close enough to scan contactless cards?

      Or better still, build a War Kitteh!

  7. cat_mara
    Facepalm

    So the Japanese cops...

    ... are basically arresting this kid for the modern day equivalent of typing

    10 PRINT "I AM COOL!"

    20 GOTO 10

    into a display machine in a computer shop? Blimey, I hope there's a statute of limitations... (looks around nervously, sweats profusely)

    1. The Pi Man

      Re: So the Japanese cops...

      I doubt there are enough prison cells to hold everyone who did that!

    2. macjules Silver badge

      Re: So the Japanese cops...

      I think you pretty much just condemned everyone who ever used a BBC Micro to a term at Her Majesty's pleasure.

  8. SVV Silver badge

    I'm dreading the knock at the door

    That time I typed "10 PRINT "WHSMITHS IS SHIT" 20 GOTO 10 RUN" on a ZX Spectrum in one of their shops once was obviously a dangerous criminal act.

    But compared with some of the privacy and security violating Javascript being served up on company websites..............?

  9. Anonymous Coward

    Re. Keyfob

    A lot of the cheaper ones don't even fully turn off. I can detect mine 2" away just by looking for the dip in the background noise.

  10. sitta_europea

    Caution.

    After a long illness, on March 6th 2019 our sixth rescue dog, Bosco, died peacefully at the hands of the vet and in our arms.

    http://www.jubileegroup.co.uk/dogs/bosco.jpg

    He'd been with us for nearly twelve years, and we're heartbroken, but we've been through this before and we know we'll get over it eventually.

    The seventh and eighth rescues are running around outside as I write.

    No two ways about it, it's a big commitment. Please don't do it on a whim because that way you'll probably do more harm than good.

    But if you haven't rescued an animal, you really don't know what you're missing.

    1. Tikimon Silver badge
      Angel

      Re: Caution.

      I agonized for a year over whether to adopt a dog. In my case, that's the same as adopting a child, total integration as a family member and every bit of time and attention I would give to a human kid. Like so many other human-childless people the dog would BE my child. Last August I finally cracked and visited a shelter that a co-worker fosters dogs for. I found a sweet Coonhound/German Shedder mix, named her Kaylee and took her home.

      I've never known so much happiness. Every "obligation" I worried about has turned out to be a source of joy. We've walked hundreds of miles together in all weather at all hours, met many nice people and dogs, enjoyed the outdoors when I might have sat at home instead. I've learned that whatever I'm doing, if she wants to play, we play for at least a few minutes. Annoyance? Interruption? Hell no, I always end up smiling and laughing and feeling great! I've become a clock-watcher, I want to go home and see my best girl who's waiting for me.

      Dogs have complex personalities and every one different. Rescues either lost a good situation, or escaped a bad one and often have some baggage along. Love and patience can overcome those... same as we would give a hurt, unloved human child. Give someone like that a good loving home and they will blossom and love you forever. In many cases the question becomes, Who Rescued Who? Kaylee and I saved each other.

      It's NOT for everyone. However, if you're vacillating like I did for so long... wanting a dogly friend and family, but worried about holding up your part of it... GO FOR IT. I should have done this long ago, but denied myself and a dog or two years of happiness. I'll be crushed when I lose her someday, but I'll go rescue another mutt. There's no replacing Kaylee, but I'll never be without a dog again as long as I live.

      1. OssianScotland

        Re: Caution.

        I heartily agree with all of the above. My Pippin (not a rescue dog - I got him as a pup) is now nearly 5, a Bearded Collie who has the best temperament of any dog I have had. He is always there for you, tripping over my feet quite often, but happy to lie snuggled beside me when I am working at home, and even happier to go on a nice long walk (sometimes with protesting children in tow) or to respond to the magic word "Treats". His only vice is that when I am typing, and he feels I am not giving him enough attention, he sticks his nose under my elbow and nudges, causing the keyboard to go slightly haywire....

        He can sense my emotions and if I am feeling a bit gloomy, all I have to do is to sit on the floor and he will come over, flop mostly on my lap (he's a large dog) and give me a quick lick. My wife (correctly) says I love the dog more than her.

        I hope he has many long years left, and I know I will be devastated when he goes.

  11. Anonymous Coward

    I feel let-down by ElReg readers

    I came to the comments section confident that there'd be some creative comments and sexual innuendo based on Puppies and Pussies (esp the UK meaning of pussies). Disappointed.

    1. Tikimon Silver badge
      Facepalm

      Re: I feel let-down by ElReg readers

      Dude... that sort of activity is highly illegal and Just Plain Awful. Do you even KNOW any jokes like that? Yick!

    2. M.V. Lipvig

      Re: I feel let-down by ElReg readers

      Captain Peacock, I INSIST that my pussy be allowed to roam the floor freely and without restraint!

      Captain Peacock, I am late because it was so cold in my flat that my pussy was freezing! I had to warm it before the fire before it would settle down and I fear her fur will never be the same!

      - stuff Mrs Slocombe might have said.

  12. This post has been deleted by its author

Biting the hand that feeds IT © 1998–2019