Web

Web related security entries. Anything that has to do with PHP/ASP/JSP, including Apache, IIS, Macromedia flash, etc.

Why can’t my laptop figure out what time zone I’m in, like my cell phone does?

We got new cell phones (mobiles, for you non-North Americans) recently.  In the time since we last bought phones they have added lots of new features, like texting, cameras, email and Google Maps.

This, plus the fact that I am away on a trip right now, and Gloria has to calculate what time it is for me when we communicate (exacerbated by the fact that I never change the time zone on the laptops to local time), prompted her to ask the question above.  (She knows that I have an NTP client that updates the time on a regular basis.  She’s even got the associated clocks, on her desktop, in pink.)

Cell phones, of course, have to know where they are (or, at least, the cellular system has to know where they are) very precisely, so they can be told, by the nearest cell tower, what time it is (or, at least, what time it is for that tower).

Computers, however, have no way of knowing where they are, I explained.  And then realized that I had made an untrue statement.

Computers can find out (or somebody can find out) where a specific computer is when they are on the net.  (And you have to be on the net to get time updates.)  Some Websites use this (sometimes startlingly accurate) information in a variety of amusing (and sometimes annoying or frightening) ways.  So it is quite possible for a laptop to find out what time zone it is in, when it updates the time.

Well, if it is possible, then, in these days of open source, surely someone has done it.  Except that a quick couple of checks (with AltaVista and Google) didn’t find anything like that.  There does seem to be some interest:

http://stackoverflow.com/questions/8049912/how-can-i-get-the-network-time-from-the-automatic-setting-called-use-netw

and there seems to be an app for an Android phone:

https://play.google.com/store/apps/details?id=ru.org.amip.ClockSync&hl=en

(which seems silly since you can already get that from the phone side), but I couldn’t find an actual client or system for a computer or laptop.

So, any suggestions?

Or, anybody interested in a project?

Blatant much?

So a friend of mine posts (on Twitter) a great shot of a clueless phishing spammer:

So I reply:
@crankypotato Were only all such phishing spammers so clueless. (Were only all users clueful enough to notice …)

So some other scammer tries it out on me:
Max Dubberly  @Maxt4dxsviida
@rslade http://t.co/(dangerous URL that I’m not going to include, obviously)

I don’t know exactly where that URL redirects, but when I tried it, in a safe browser, Avast immediately objected …

What happens when your user changes his password?

You just forced the user to change his password; periodic password changing is good policy, right?

Now lets see what happens next:

  • The user sends the password to himself by email, in plaintext, so he won’t forget. Now it’s in his inbox, viewable on the email ‘preview’ section to anyone shoulder surfing
  • He then writes it on a post-it note. The cleaning person threw out the previous password (but that’s ok, he finally remembered it). Now there’s a post it with the password in the top right drawer
  • He then sends it to his wife/friend/colleague who also uses the account sometimes. Now it’s in another person’s inbox, again in a preview pane. He might have typed their email wrong and sent it to someone else by mistake, or maybe they put it on a post-it note too
  • The next time he tries to login he will use the old password (that he remembers) and fail. Your system will lock him out, and he will call to have it released. Another false positive that makes the person auditing the log for lock outs not pay attention to the warnings
  • He will then sign up to the new and cool social web site and use this last password as his password there. It’s already on the post-it note: Why write another? This new social web site will soon be cracked and your user’s password will be available online

Remind me again why changing passwords periodically is good for security? Oh, I get it. You were just living up to the bad reputation and preventing ease of use.

 

SMS Apple (malware) spam on Bell Mobility (Canada)

SMS spam on Bell seems to have suddenly jumped.  On Tuesday, both Gloria and I got spam saying we had won something from Apple.  Today, we both got similar spam.

Today’s message came “from” 240-393-8527.  It asked us to visit hxxp://www.apple.com.ca.llhf.net [1]

Neither F-Secure nor VirusTotal had anything to say about it, but it is safe to assume that the site is dangerous.  Avast now blocks it.

In trying to contact Bell about this, I noted that Bell’s Website “contact” page lists a “Chat with us” function that simply does nothing if agents are busy, and no means of contacing Bell via email.  “How to escalate a complaint” returns the same page, with the same lack of response from the agent button.  When I finally did reach an agent, “he” was pretty clueless about the whole situation.  I strongly suspected “he” was a rather simplistic program.

Having Given the agent the information above, his response was to ask “Samuel: I understand. Have you registered under apple newsletter list?”  He then asked for my name and phone number (which I had previously given him at the beginning of the session), and then told me “Samuel: I unfortunately cannot unsubscribe that spam for you from here as I see in your account.”  He offered to cut the SMS/texting function on my account.

That’s it.  That’s the only solution.  Bell doesn’t have any spam filtering on SMS, even when the spam is as obvious, egregious, and malicious as this one.  (Yes, they do have a spam filtering option, if you want to pay them an extra $5 per month.  Given the quality of support, I think I’ll give that a miss.)

[1] Note that this isn’t apple.com, the trailing “domains” override that.  This domain is listed to:

Domain Name ………………… llhf.net
Name Server ………………… ns5.myhostadmin.net
ns6.myhostadmin.net
Registrant Name …………….. jun wang
Registrant Organization ……… wang jun
Registrant Address ………….. shang hai shi xu hui qu
Registrant City …………….. shang hai
Registrant Province/State ……. SH
Registrant Postal Code ………. 200087
Registrant Country Code ……… cn
Registrant Phone Number ……… 02178861511
Registrant Fax ……………… 02178861511
Registrant Email ……………. yaobing349@hotmail.com