Category Archives: Security

WordPress Collapse-o-matic plugin retired

For anybody using the very handy Collapse-o-matic plugin on WordPress, according to a (slightly vague, and difficult to find) support post, it’s being retired due to ongoing security issues.

The plugin provides an expandable section in blog posts.

Fortunately WordPress now supports this natively via the Display block type. Some people are hunting around for other plugins with additional functionality, but Display looks good to me.

One issue I had was finding which blog posts used Collapse-o-matic.

The solution I found was in the WordPress admin posts page, search for [expand

Then it’s hopefully easy enough to move the relevant content into a Display block, and deactivate the plugin.

For anybody else using WordPress, this is probably a nice reminder to review WP plugins and check for any other vulnerabilities that haven’t been widely advertised.

Setting up a public facing webserver behind a Netcomm NF18ACV

Note: this will move your Broadband Router’s web-configuration to an unexpected port :8080, instead of the :80 your browser expects.

Navigate to Management | Access Control | Services then disable the WAN side HTTP service (why would you even expose this?), change the port for the LAN side to the Alternate HTTP port of 8080, and hit Apply/Save.

Navigate to Advanced Setup | NAT | Virtual Servers and hit Add. Select the correct interface, fill in the other details including the Web Server’s LAN address, ensure you’ve got Status: Enabled for the port forwarding, and hit Apply/Save.

Run up a trial HTTP server using something like
sudo python -m SimpleHTTPServer 80
and check for access from outside. Kill the server, because that isn’t safe for production use.

Taco Bill’s loyalty database hacked

A couple of weeks ago I noticed a suspicious-looking email that purported to be from Mexican restaurant chain Taco Bill.

I’m on their loyalty database (“Club Taco“), so I suspected their systems had been compromised.

Today they’ve confirmed it.

I’ll post the full statement, interspersed with some notes from me.

Data Breach – Taco Bill database

Taco Bill respects your privacy and values your ongoing business and, for this reason, would like to let you know, as a precautionary measure, about a data security incident that may involve your personal information.

On Friday, 22 September 2017, the Taco Bill email database managed by our external service provider was hacked by an unknown person or persons. This database contains personal information that you have provided to us when requesting to subscribe to our mailing system. This may include full name, postal address, email, phone number, date of birth, and additional linked account members’ details, if applicable (including spouse and/or childrens’ names).

By default, Club Taco asks for name and date of birth (the latter to send special offers on your birthday). Optional details include your address and phone number/s. I think — I hope — I didn’t enter those.

At present, they seem to have disabled the Club Taco joining page. Probably just as well.

The hacker uploaded approximately 1.75 million further subscribers to our database and then sent out two emails to our valued customers on our database and to the further 1.75 million subscribers that were uploaded. These emails do not appear to contain any viruses, but we recommend deleting them.

Sure, the email itself appeared to be clean. However, it did include a link to docx file on a hacked web site, multimixconcrete.com.au — hopefully they’ve figured out that they too were compromised.

From a trusted source:

At the time of writing, the multimixconcrete.com.au web site has been suspended by its ISP. It appears it belongs to a company in Western Australia.

We have been informed by our external provider that no information was copied off our database, however this does not mean that information may not have been copied.

Hedging their bets there a bit.

Taco Bill is undertaking a thorough review of the potentially affected database and its computers. We have also taken steps to protect your privacy and make sure this does not happen again, including scans of our computers, as well as changing our external service provider to provide us with faster response times on security issues, extra security measures for protection of your data and around the clock monitoring and alerts. We will let you know if there are any significant developments.

We suggest that you remain vigilant and, as a precautionary measure, review account statements and monitor credit reports. We also suggest you retain a copy of this letter for your records in case of any future concerns.

If you think your identity may have been stolen please immediately contact the relevant financial institution or company with which the account is held. We also suggest you immediately report any suspicious activity or identify theft to the proper law enforcement agency (for example, the police).

Please do not hesitate to contact Taco Bill head office on email admin@tacobill.com.au if you have any queries or require any additional information or assistance in relation to the above

If you are not satisfied with our response in resolving this issue, you can make a complaint to the Office of the Australian Information Commissioner, whose contact details are located at www.oaic.gov.au .

We sincerely apologise for this incident occurring. Taco Bill values your privacy and ongoing support of our business.

I wonder precisely what happened, and just how insecure their database was?

It’s a reminder that even big companies can mess up their security, and one should be wary of how much information we give them.

Windows WannaCrypt attack

This is interesting, and perhaps not unexpected: a vulnerability in Windows SMB 1 (used for shared drives) which was patched by Microsoft in March April, has been exploited.

It’s hit unpatched computers in numerous countries – most infamously, the UK’s National Health Service.

Despite what some Australian media is reporting, this tracker shows we are not immune — though it may be a reduced impact for now thanks to the weekend. Could be a different story on Monday.

For now it appears to have stopped thanks to someone finding a “kill switch”, but no doubt it or another version will hit again.

The lesson here for any of your computers that are connected to a network:

Patch them. Keep them up to date — preferably set them to automatically install patches.

If you’re using XP or older, Microsoft has just issued a patch, which you can get here.

You can also disable SMB 1 — note there are server and client portions, and that later versions of Windows make this a lot easier than earlier ones.

If you’re using Vista or older, find out about getting an upgrade. Vista patches stopped being issued earlier this year. You’ll be safe from this specific attack if you’re patched, but maybe not the next one. (Windows 7 keeps going until 2020.)

My assumption is that home users who use a broadband modem of some kind may not be at immediate risk this time from outside attack, since the modem can function as a basic firewall, but accidentally running an infected file from an email or web site could bring it in.

This attack has been serious, and other future ones will be too. So stay up to date, and stay safe.

  • Blatant plug: If you’re in southeast Melbourne and have no idea how to fix your computer, my brother-in-law runs this company that may be able to help: Bayside PC Services
  • In this blog post, Microsoft basically tells governments that they shouldn’t keep discovered vulnerabilities secret and exploit them for themselves (as the NSA did in this case, until that information was stolen) — that they should instead tell vendors so they can be fixed quickly. Difficult to argue with that.
  • Update May 2021: This new article notes that it is still a threat

Installing a secure Apache webserver to run Perl

So, you want to run Perl on the web, because it’s the 90s all over again. You want HTTPS, because… no, there’s no because.  You want HTTPS.  Who wouldn’t?  Here’s what you do on a Debian Linux such as Ubuntu:
sudo apt-get install apache2 libapache2-mod-perl2
mod-perl is an Apache module that allows Perl programs to be executed from Apache.

Our goal is to get /var/www/html/index.pl running at http://www.example.com/index.pl:

#!/usr/bin/perl
print "Hello World"

Disable the default Apache virtual host:

sudo a2dissite 000-default.conf

Create an example.com.conf file in /etc/apache2/sites-available with your text editor, replacing instances of example.com with your own domain name in both the configuration file and in the file name /etc/apache2/sites-available/example.com.conf

<VirtualHost *:80>
     ServerName example.com
     ServerAlias www.example.com
     ErrorLog ${APACHE_LOG_DIR}/error.log
     CustomLog ${APACHE_LOG_DIR}/access.log combined
     <Directory /var/www/>
              Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
              AllowOverride None
              AddHandler cgi-script .pl
              Require all granted
     </Directory>
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
     ServerName example.com
     ServerAlias www.example.com
     ErrorLog ${APACHE_LOG_DIR}/error.log
     CustomLog ${APACHE_LOG_DIR}/access.log combined
     <Directory /var/www/>
              Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
              AllowOverride None
              AddHandler cgi-script .pl
              Require all granted
     </Directory>
</VirtualHost>
</IfModule>

If you have multiple sites, you’ll want to do things with DocumentRoot to isolate them from each other. But that’s for another post.

You might add in DirectoryIndex /index.pl to make http://www.example.com/ execute your program.

The Directory section above allows you to isolate executable code from served code, which is good practice. For this example we’re dumping the executable in with everything else, which is questionable.

Repeat this process for any other domains you host.

sudo a2ensite example.com.conf
sudo ln -r -s /etc/apache2/sites-available/example.com.conf /etc/apache2/sites-enabled/example.com.conf
sudo service apache2 restart

Punch holes in your firewall for ports 80 and 443.  Navigate to http://www.example.com/index.pl to check all is okay. You ought to see Hello World displayed for your website.

Having security used to be a pain.  SSL certificates signed by a recognised CA cost money, and then you’d have to keep them up to date, and there wasn’t process automation, so you’d do all that stuff by hand.  LetsEncrypt address all these problems, handing out free certificates and scripted everything.

Now it’s time for the S part of HTTPS:
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-apache
sudo certbot --apache

certbot renew
If that works, we’ll automatically renew our 90-day certificates every month:
echo '@monthly root /usr/bin/certbot renew >> /var/log/letsencrypt/letsencrypt-auto-update.log' | sudo tee --append /etc/crontab

Done.  You’ll never have to worry about certificates again. Now alter your Apache sites-available file (look in /etc/apache2/sites-available/) to include the (optional) redirect HTTP to HTTPS and the mandatory location of the SSL certificates:

<VirtualHost *:80>
....
# Only allow HTTPS
RewriteEngine on
RewriteCond %{SERVER_NAME} = example.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
...
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

Now make the secure version live, and in the process the insecure one… shy? When a request is made for a http page, like http://example.com/index.html, the response will be “Here’s https://example.com/index.html where what you asked for has moved to… forever!”:
sudo service apache2 restart
Now requesting http://www.example.com/index.pl ought to deliver you to https://www.example.com/index.pl

Install exim4 STARTTLS using a free LetsEncrypt certificate

Here we are on a Debian Linux, such as Ubuntu and we want to run a mail server. Exim4 is currently the most popular email server, but getting it up and working for free is a hassle – who wants to pay for a SSL certificate, on an ongoing basis? And then there’s the maintenance of the security of it – constant renewal, renouncing and re-installation of the certificates.

Wherever you see example.com, swap in your Fully Qualified Domain Name. That may be mail.example.com
It’s assumed you’re not logged in as root, but user ubuntu
Wherever you see 1.2.3.4, swap in your machine’s local IP address, from
ifconfig | grep "inet addr" | grep -v "127.0.0.1"

Security is all handled automatically by LetsEncrypt’s certbot. I’ll let you look that one up yourself. Run it up and get your certificate for example.com

Once you’ve got that handled, punch a hole in your firewall so that port 25 can get through from the outside world to your machine. Be aware: the outside world is filled full of botnets trying to hack into your machine.  After installing exim, keep an eye on the logs in /var/log/exim4/ for a while.

Let’s install exim4:
sudo apt-get install exim4
sudo dpkg-reconfigure exim4-config

  • pick “Internet site”
  • system mail name is example.com
  • IP address is 1.2.3.4 (the one returned by ifconfig, not the externally accessable one)
  • Other destinations: example.com
  • No relays
  • No smarthost
  • No Dial-on-Demand
  • mbox format (or whatever)
  • Split the files
  • ubuntu for postmaster mail

Check we’re now running a mail server:
sudo netstat -napt
should show
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 1.2.3.4:25 0.0.0.0:* LISTEN 25700/exim4

Now we have a mail server, the world needs to find it. Check your nameserver setting to ensure mail is destined this machine.  You probably want only one MX record.

Check the Internet can send mail to our server. After allowing for the appropriate propagation delay for your nameserver changes, use gmail or something to send an email to ubuntu@example.com – you should be able to read it by typing
mail

Now it’s time to enable MTA-MTA link encryption for secure transport of mail, by enabling STARTTLS on exim4 using our LetsEncrypt certificate
sudo nano /etc/exim4/conf.d/main/03_exim4-config_tlsoptions
Enable STARTTLS by adding/setting in the tlsoptions section:
MAIN_TLS_ENABLE = yes
MAIN_TLS_CERTKEY = no

before any of the IF shenanigans. Also add/replace pointers to the certificates:
tls_certificate = /etc/letsencrypt/live/example.com/fullchain.pem
tls_privatekey = /etc/letsencrypt/live/example.com/privkey.pem

The MAIN_TLS_CERTKEY = no entry fixes an exim4 log message
2017-04-16 09:13:24 TLS error on connection from your.home.ip.com (IcePlanet) [5.6.7.8] (cert/key setup: cert=/etc/exim4/exim.crt key=/etc/exim4/exim.key): Error while reading file.
You will see this when testing with swaks:
$ swaks -a -tls -q HELO -s example.com -au test -ap '<>'
=== Trying example.com:25...
=== Connected to example.com.
< - 220 your.vps.host.com ESMTP Exim 4.86_2 Ubuntu Sun, 16 Apr 2017 09:13:24 +0000 -> EHLO IcePlanet
< - 250-your.vps.host.com Hello your.home.ip.com [5.6.7.8]
STARTTLS
< ** 454 TLS currently unavailable *** STARTTLS attempted but failed -> QUIT
< - 221 your.vps.host.com closing connection
=== Connection closed with remote host.

Allow exim (which when running runs as user Debian-exim) to get to the certificates:

sudo groupadd privkey_users
sudo usermod -aG privkey_users Debian-exim
sudo sudo chmod g+rx /etc/letsencrypt/live/
sudo sudo chmod g+rx /etc/letsencrypt/archive/
sudo chown root:privkey_users /etc/letsencrypt/archive/
sudo chown root:privkey_users /etc/letsencrypt/archive/example.com/
sudo chown root:privkey_users /etc/letsencrypt/archive/example.com/cert1.pem
sudo chown root:privkey_users /etc/letsencrypt/archive/example.com/chain1.pem
sudo chown root:privkey_users /etc/letsencrypt/archive/example.com/privkey1.pem
sudo chown root:privkey_users /etc/letsencrypt/archive/example.com/fullchain1.pem
sudo chown root:privkey_users /etc/letsencrypt/live/
sudo chown root:privkey_users /etc/letsencrypt/live/example.com/

Changing these permissions doesn’t affect apache2’s ability to get them.
The reason we’ve used a group here is to allow both exim and any other app (for example, a secondary service that wants to use 8080 to serve up a configuration page) to access the private keys; just add any other user that needs to use the private keys to the privkey_users group.

These permission changes prevent the following error message in your log file:
2008-06-03 08:27:35 TLS error on connection from me.at.home.com ([1.2.3.4]) [5.6.7.8] (cert/key setup: cert=/etc/ssl/certs/server.pem key=/etc/ssl/private/server.key): Error while reading file.

Restart the service and the TLS settings ought to be working
sudo service exim4 restart
Test STARTTLS is working from another machine
swaks -a -tls -q HELO -s example.com -au test -ap '<>'
There shouldn’t be any obvious complaining.

Done!

Scammers making use of Telstra landline bug – part 4

It is a good idea to keep your computer systems up-to-date, by installing the latest software fixes. But there is one fix that Telstra needs to request and install, to fix a bug lurking on Telstra’s landline telephone system which scammers are making use of.

This is Part 4 of 4 of Scammers making use of Telstra landline bug.

  • To learn about the scam, read Part 1
  • to learn more about testing your landline and protecting yourself, read Part 2
  • To find out how I became an unwitting victim 21 years ago, read Part 3.

Here, we explore some myths and facts about this bug, and I have some requests for information (please comment if you can answer any of the questions).

Facts and myths

Fact:
Scammers can intercept calls you make (shortly after they call you)
Myth:
They’re intercepting all calls that everyone is making to 000, or the bank
The truth: there’s been a few crimes like this in the past (against radio stations), but not this time. Only one person’s calls get intercepted.
Fact:
An evil caller can control your landline, preventing you from making calls, for up to five minutes.
Myth:
Scammers can make calls to sex lines in Nigeria from your line
The truth: They cannot; if you see such calls on your bill, it was probably a family member or employee.
Fact:
Scammers can imitate the bank’s phone menu (or they could make a temporary, actual connection which they cut off at the right time)
Myth:
This bug enables them to fake my Caller ID
The truth: A separate hack applies to Caller ID, which the scammer might also use as part of their fraud.
Fact:
An evil caller can prevent other callers from getting through to you (they get busy tone).
Myth:
They can listen in on everyone who calls you
The truth: They have to physically wire a listening device across your line to do that. The method described here only allows a scammer to intercept calls you make, shortly after their call.
Fact:
There is no indication if a call is still connected on the line after you hang up.
Myth:
A scammer can be secretly connected to your line at any time
The truth: It doesn’t “just happen”. They have to call you first, and the effect only lasts for five minutes (maximum, in Australia).
Fact:
Mechanical exchanges also had this characteristic

Map of Australia showing various towns.

Land of the Long Held Call[1]

Map of New Zealand showing various towns

Land of the Long White Cloud[2]

Myth:
Every country operates like this
The truth: Only a few countries have this bug. New Zealand, Canada, the U.S., and many other countries do not have this bug. And mobile phone systems do not have this bug, either.
Fact:
Various scams and tricks arising from this bug have been in use for some time. In the past, there was no five-minute timer, so it was possible to lock out someone’s line for weeks. Journalists and reporters, having interviewed someone for a story, would leave the call open preventing competeting journalists from calling their victim and getting the same story.
Myth:
Surely the Police would speak to Telstra about this?
The (horrible) truth: I’m not convinced it’s even occurred to them that it’s a bug, nor am I convinced that they’ve actually spoken to Telstra about it. But I am sending information to the Police about this, firstly to ascertain what has transpired, and secondly, (from a crime prevention perspective) to persuade them to be more on the front foot with Telstra on this issue.
The only sign of action by the authorities I can find is the British Financial Ombudsman Service has called for action by (British) telecoms companies to remedy the flaw in hanging up phone lines.

Where is the bug?

It is in the telephone exchanges – specifically, the software running inside the exchange. This has to be fixed, either by the manufacturer of the telephone exchanges (Ericsson), or by someone changing a configuration setting. Telstra has to request this in either case, and it is likely to take 3-6 months to fix.

The official term for this is CSH (Called Subscriber Held) or A-party Release. I call it a nasty bug, but unfortunately, it is hard to convince Telstra that this needs fixing.

I have some questions

While researching anything like this, it is natural for questions to arise. Does anyone have information on anything below, or anything else? Please leave a comment.

Note that comments usually require approval before appearing, which I generally check three times a day … agree or disagree, I approve “anything” on-topic.

  • Australia: Does anybody using Optus Cable (or other HFC services) experience the problem? Please do the test to find out.
  • New Zealand: Did CSH apply on Crossbar or Step-by-Step exchanges (say, before 1980)?
  • New Zealand – TelstraClear subscribers: Can someone do a test, to see if CSH applies to Telstra’s exchanges in NZ?
    You are probably a TelstraClear subscriber if your telephone number begins with 9xx xxxx, and if your TelstraClear bill shows a line item for Telephone Line Rental or Monthly Charges.
  • Britain: There was a proposal to reduce the CSH hold period to 10 seconds. Was this implemented?
  • U.S.: I don’t want to believe the movies too much 🙂 but they frequently show the B-party hanging up and the A-party receiving dial tone. Is that true?
  • All countries: Please do the test. It’s for your benefit to be aware of the situation, as well as our curiosity 🙂

If you have information, please fill out a comment (note: DELAY before it appears, for most people).

Footnotes

Scammers making use of Telstra landline bug – part 3

Oops, a change of plan

It is only just this week that it occurred to me that I was most likely an unwitting victim of this bug, 21 years ago (early 1995). The planned Facts and myths about this landline bug will now be Part 4.

This is Part 3 of Scammers making use of Telstra landline bug. Read about the scam in Part 1, and learn how to test your landline for the bug in Part 2.

An unwitting victim

I was not able to call for an ambulance to a neighbour’s kitchen knife accident.

Of the six people involved in the incident, only my wife and I understand English clearly, which added to the problems/confusion.

My mother-in-law was visiting neighbours when she called out to us there had been an accident in the kitchen (and then continued in Khmer[1], to my wife). I rushed into the house and saw the mother and son huddled together. The mother was clearly distressed, and there was quite a bit of blood, but there was no ongoing blood loss and they weren’t losing consciousness, so I picked up the phone to call 000. But there was an Asian voice on the line.

Queensland Ambulance Service vehicle

Ambulance[2]

I hung up for a few seconds, but the voice was still there, saying “Hello, hello”. Despite saying “please hang up”, and “Emergency here, please hang up”, it was a case of message received but not understood. I asked the victims where the other telephone was (thinking the voice was on another telphone extension somewhere else in the house, unaware of the drama). And I raced around the house and into the bedroom, but found no-one and no other telephone. We had just moved in and didn’t have our own telephone, so after trying the telephone once more, I ran to the payphone down the street and called the Ambulance.

The Ambulance eventually came and took them to hospital.

In the days and weeks afterward

Me, my wife, and my mother-in-law had come from New Zealand a few months before, where one can disconnect a remote caller by simply hanging up, provided that no-one else on your line has another phone off-hook.

Diagram showing a telephone call from phone A to phone line B which has two phones, B-x and B-y. Phone B-y is off-hook talking to A. Phone B-x is on-hook (idle)

Diagram of telephone call[3]
In New Zealand, phone B-x can get dial-tone provided phone B-y also hangs up.
In Australia, phone A must also hang up.

Referring to the diagram above, I raced around the house looking for phone B-y. But my mother-in-law knew the neighbours quite well and clarified there’s only one phone in the house, and that it was working (the day after), leading me to assume that it was on a party line[4]. They were unusual in urban areas, but one of my own friends had a 2-party line in Johnsonville (NZ) in 1989 – so it definitely wasn’t impossible.

I will never be absolutely certain of the truth, but it wasn’t until a few weeks after the scam story broke, and a few days after I wrote Part 2 that I realised that this bug is a much more plausible explanation for the difficulties. It means that in Australia, both the A-party and other telephones on the B-party’s line must hang up before the B-party can get dial-tone.

This has to change.

UPDATE Part 4 – Facts and myths about this landline bug is now available.

Links and Footnotes

Scammers making use of Telstra landline bug – part 2

TL;DR(1) – Telstra has a bug in their landline system. It’s time to get rid of it for good.

TL;DR(2) – The bug is when someone calls your landline they can prevent you from hanging up. Find out how to test, and how to protect yourself from scams.

This is Part 2 of Scammers making use of Telstra landline bug. Read about the scam in Part 1.

Yes, it is a bug

Bug, n:
An error in software[1] that causes results to be different from expected.

Mug shot of mean-looking man

Section 7.2.1? Just gimme a phone that works[2]

Let’s get one thing straight: I’m calling it a bug … #CallASpadeASpade. I certainly understand the people who point out the phone network complies with Section 7.2.1 of BT SIN 721 [pdf] (or Australia’s equivalent), but that is extraordinarily unhelpful. Most people expect calls to disconnect when they hang up. Therefore (to most people) it is a bug.

Now that’s out of the way, on to checking your landline for the bug, and protecting yourself from scams.

Testing your landline (easy)

Instructions for testing:

  1. The most reliable test is from another landline,[3] within the same local calling area. So you should ask a friend or neighbour. The caller is the A-party, calling your landline (the B-party).
  2. The A-party calls the B-party who answers.
    RESULT: A & B parties talking.
  3. B-party hangs up.
    RESULT: A-party hears silence.
  4. [OPTIONAL] Using a mobile phone or similar, quickly call the B-party.
    RESULT: False busy tone.[4]
  5. B-party picks up (within 30 seconds).
    RESULT: They connect back to the A-party. A & B parties talking.
  6. B-party hangs up. The A-party should time how long it takes before they hear disconnect (beeping) tone.
    LIKELY RESULT: 30 or 90 seconds, but could be five minutes.
  7. Repeat the test, but A & B parties should swap roles.
    Here, you’re doing your friend a favour by testing their landline for the same bug.

Shocked?

The official term is CSH (Called Subscriber Held) or A-Party Hold Release[correction]. I call it a very nasty bug because the victim (having received an unusual call) believes they’re doing the right thing by initiating their own call to verify the circumstances, but in reality they are still connected to the A-party scammer. This bug can be used in many different ways by different scammers, particularly to glean private information from the victim, but it is also possible to simply cause confusion, or lure someone to their death.

Continue reading to learn if a scammer is still on your line after a call.

How to protect yourself

Every man and his dog is making calls[5] (video, 0m59s)

By now, every man and his dog will have called each other and concluded their landline is vulnerable. Based on discussions with Internode (my telephone provider), Telstra has informed them that there is “nothing that can be done”. Even if they change their mind, it might take three to six months.

So, in the meantime, if you get any strange call (or they hang up just as you answer) stop and think. If you call someone else quickly, you might fall victim. You have to check your landline is genuinely free.

Probably the best way is to use your mobile telephone to call your landline; you should hear ringing through your mobile, and hear the landline ringing[4]. You don’t have to answer your landline, so hang up (end call) on the mobile, to avoid being charged. If you can’t do that, there have been some other suggestions from various people.

  1. If you have a toll bar on your landline, call a barred number. The wording of the message should be exactly the same.
    Perhaps you should organise 1900 barring now, if you don’t have it already.
  2. Call a trusted friend or loved one. BEWARE: The scammer may still be on the line, eavesdropping.
  3. Sidestep the issue by using a different telephone (or mobile telephone) to make your outgoing call (to the bank/police).
  4. Wait five minutes for the line to clear
    The problem with this is clearing times vary significantly, and the scammer could simply defeat you by calling you again at the four-minute mark.

Complexity, complexity, complexity

Australians have a habit of making simple things complex (yes, train tickets in Melbourne are too complex for tourists and locals), but I am still stunned that the act of hanging up the telephone is this complex.

I am entitled to think that it will work as expected (as it does in New Zealand).

And I’m entitled to think that a scammer will not be able to interfere with the use of my telephone, or any other technology. CSH (as it is termed) should have died with the last mechanical exchange, and it is time to get rid of it for good, in order to protect people from fraud[6], as well as make the phone network simple to use.

UPDATE (and change of plan) Part 3 is now available as How I was an Unwitting Victim – 21 Years Ago.
The planned Facts and myths about this landline bug will now be Part 4.

Links, Footnotes, and Updates

Scammers making use of Telstra landline bug – Part 1

TL;DR – When someone calls your landline, they can prevent you from hanging up, and intercept calls you make afterwards.

There is a bug lurking on Telstra’s landline telephone system which scammers are making use of. The scam is described in The Age; it usually runs like this, where a scammer (the A-party) calls a victim (the B-party):

IMPORTANT NOTE: If you are receiving malicious calls, speak with your telephone provider (most have procedures to trace calls). If these calls are life threatening, call the Police on 000, within Australia.

On the phone to the "bank"

Telephone fraud

A-party:
This is the Rolex Store manager here. Someone has attempted to use your credit card here. Please call your bank straight away and cancel your card.
B-party:
Thanks. (hangs up) [NOT TRUE: Call is still connected because A-party has not hung up]
B-party
(picks up receiver, hears dial tone) [NOT TRUE: Scammer is playing fake dial tone]
(Dials the number, hears the usual bank menus, and gets through to someone [Actually: the scammer’s mate].
A-party
The scammer’s mate tells a false story of an attempt to withdraw the entire victim’s savings account and pretends to place "Red Alerts" on the account.

Some days and several calls later, the victim is told the only way to protect the money is to transfer it to a "Safety Deposit" account with Barclays in the UK until Police investigations are concluded. Several victims have complied, losing $5m in the process.

While the Fairfax media (The Age) goes into the fraud in some detail, they only make cursory mention of a "long-held" cold-call scam, and they don’t even identify it as a bug.

A Software bug

The bug is that when the B-party hangs up, the call does not disconnect. It only disconnects if the A-party hangs up, or if a timeout expires[1].

It is a very nasty bug, because most people believe that if they initiate their own call to the bank (or Police), the call is safe. The bug does not occur in New Zealand; the call disconnects as soon as either party hangs up. This has always been the case (30+ years)[2] [3].

Like any security bug in Linux/Firefox/Windows/Oracle/etc, the question naturally arises: when can we expect a fix, and what are the precautions/workarounds?

It is Telstra’s responsibility to fix this bug.

UPDATE Part 2 – how to test your landline for the bug, and ways to protect yourself is now available

Links and Footnotes