Sponsored by..

Tuesday, 22 May 2018

Phishing and fraudulent sites hosted on 188.241.58.60 (Qhoster)

Nigerian registrants. Dodgy Eastern European  host offering bulletproof and anonymous hosting. Yup, I very much doubt there is anything legitimate at all hosted on 188.241.58.60.. or indeed any part of Qhoster's network.

237buzz.com
255page.ga
702mine.com
779999977.com
a1cargomovers.com
abtprinting.com
adassco.com
admincamac.co.uk
afazendaideal.ml
afflluenceindia.com
africheck.com
alamiranut.com
alexandrahospitals.com
alliarnce.org.uk
allseaship.com
amba-medias.com
amiicogroup.com
andrzejkupnopark.eu
anook.info
ansaexpress.com
antrackdiplomaticcs.com
apidexconstruction.com
aramexbe.com
arshland.com
artyschat.com
atlanticfforum.com
aughana.com
battlegrounds-arena.com
baugeruest-handel.com
bevadgmbh.com
billdiamondfinance.co.uk
binaryoptionsmonitor.com
binco-sale.com
bit-masters.com
bitcoincashold.com
bitcoinsdrugsrehab.com
bitmain-alliances.com
bitmamashop.com
blecoman.com
bmpro.info
bourseafrique.com
britannia-pharmaceutical.co.uk
btccap.biz
btctriplermachine.com
buycounterfeitmoneys.com
calvinscott.biz
cameroonianbeauties.com
candodvillahotel.com
carphonewarehouse-eu.com
centroculturadigital.com
certificatesshop.com
chainconnect.co
chaseoffshoreonline.tk
chondomonitor.com
citydiaryfarms.com
classicdeliverycourier.com
clickhereforgiveaway.site
clickhereforgiveaway.xyz
cloud-bigfile.com
cncoslight-zh.com
cnximgang.com
coca-colafinancedept.com
coflaxfluidhandling.com
coinminners.com
coinrxstore.com
compasseguip.com
confirmedsoft.us
cosm0-hk.com
cosmosport24.com
creditonfcu.com
crewlinked.com
criagent.com
crypto023.com
cryptominingtechnology.com
cryptoshifters.com
cs-oilfeild.com
cureonlinepharmacy.org
denverlaserhairremoval.co
divecastle.com
dlnamicatrade.com
double-bitcoins-legit.com
eastmanimpex.cam
ebid-tg.com
efceosaudi.com
elitecertifiedhack.com
emailtime.info
ethiopianairilines.com
eurocertificationcentre.eu
fabftifun.com
faircloths.co.uk
fastcoine.com
fastestfingersfirst.com
fidelity-investment.co.uk
findingthepropercode.com
firstsuorceinc.com
forvisitingthankyou.com
fotesale.com
front-dashboard.com
gdp-international.com
general-funds.com
generate-dcash.biz
gettinginonthelow.com
global-news.center
globalinkscobsult.com
globalinksconsult.com
gmb-trade.com
goimsa.info
grand-sale.com
grantersmultiservices.com
greetapex.com
guaranteecds.com
hackers-list.com.de
harpack-ulma.com
heraeu.com
hereweareonit.com
hlroyoung.com
horizonpartnerrsltd.com
houseofspells.com
hsbrands-int.ml
humer1adminka.com
hyip.co.in
hyipcave.com
idexpresscargo.com
inlinefornine.com
interseadrill.com
item-desc.com
jdfrencis.com
jonihoppershowcase.com
kcf-th.com
kececiprofile.com
kencanafishing.com
kiingsay.com
kindres.com
kindres.de
kippaskagit.com
kmsinfoservice.com
ks-prod.com
lane-pres.com
legitrxonline.club
lifegoalsdevelopmentschool.com
litbitcoinembassy.com
littlerockbitcoins.com
live-rx-store.com
loactrippleser.ga
loan-assistance.com
loan-dealer.com
loudiclear.com
lurnentum.com
luwiex.com
manarpso.com
mannhiem.in
maomanlodocs.cf
marshawoifesquire.com
mcmg-tech.com
meetcameroonians.com
meetup4real.com
megachemstoreonline.com
miamibeachcoin.com
microclicker.com
mile22-casting.com
miningcrux.com
mission4christministry.com
movimientorevolucionariodelpueblo.org
ms-fi.com
mst4sale.com
mysite111.com
neatwaytogettheninth.com
neusportltd.com
news-world.center
nexttys.com
nightcapdice.com
ninthinline.com
nlsteinweg.com
nomuta.com
noworri.com
obsgruop.com
offshoreseadrill.com
onehereisreservedforyou.com
online-citibankgroup.com
ontothenextgame.com
opcolage.com
orifiameglobal.com
ourskynet.com
oxfords-pay.com
parcelservicess.com
pharmas4plus.com
plccsolutions.com
psypharm.com
ptochart.com
quicktitletransfer.com
rashedal-wataniagroup.com
rawgarner.com
realbuyrx.com
recordspharm.com
researchchem4us.com
resumedatabase11.xyz
rnailb.com
rnarhaba.com
ro-noutati-mondene.ml
robnsaconsult.com
rock-sale.com
rosenbaumcontemporarygroup.com
royalstandard.ga
rumlt.in
rush-sale.com
seachiefs.com
seguradoravirtual.com
seosenior.com
service-infoo.com
she-afro.com
shippingdynamics.com
showbarghana.com
siglobal.org
simplyitaly.dk
simplyitaly.it
skillocademy.com
sms-red-online.ga
solid-sale.com
southchina-sea.net
srcoin.ca
srnec-cn.com
stacksign.ga
superenterprise.work
superwhiteningpills.org
svclnlk.com
tax-gov.com
tccholdng-th.com
tecebusiness.com
techfronst.com
thebinaryoptionmonitor.org
thecolumbiabanks.com
thefutureofkitchen.com
theninthisin.com
thewomoorsfestival.co.uk
thisistheninth.com
tienhongjs.com
timetorefillthestock.com
torromodel.de
trans-atlanticdrilling.com
trustedhackers.com
turkiyenews247.tk
turkiyenews27.tk
twhe48.online
uk-pharmcay.com
ulmaparkaging.com
ultronnews.com
unipharma.bz
urnalaxmi-organics.com
usr-acc-serv.com
vendadebitcoin.com
visteonogbonnagroup.com
vpox.ru
vwork.pw
walletsofcoolandhip.com
weather-livenews.com
webs-host.pro
xcesstel.com
xopen.cc
yahoomailservice.com
youngcompamies.com
yoyooo.xyz
zestcrypto.com

Thursday, 10 May 2018

Malware spam: "New documents available for download" / service@barclaysdownloads.co.uk / barclaysdownloads.com

This fake Barclays spam seems to lead to the Trickbot banking trojan.

From:    Barclays [service@barclaysdownloads.co.uk]
Date:    10 May 2018, 13:16
Subject:    New documents available for download
Signed by:    barclaysdownloads.co.uk
Security:    Standard encryption (TLS) Learn more

Barclays Bank PLC Has Sent You Important Account Documents to Sign

You can view the document in your Barclays Cloud account. For additional security, the sender has set an open password for this document.

Documents assigned to: jlines@[redacted]
Your unique download password: "CJ98oZOwye"

To view or download the document please click here.

The submission number is id: bc7729-272sec912-91navc.
Please quote this number in any communications with Barclays.

Disclaimer: This email and any attachments are confidential and for the sole use of the recipients. If you have received this email in error please notify the sender.

Email Security Powered by Barclays IBE.

Copyright 2018 Barclays PLC. All rights reserved. 

The download password and submission number are the same in all cases I have seen. Clicking the link leads to a landing page at barclaysdownloads.com.


Entering the password downloads a document AccountDocuments.doc with a VirusTotal detection rate of 14/58, and Hybrid Analysis indicates that this uses an Equation Editor flaw to run a Powershell that downloads an additional component from:

http://basedow-bilder.de/kporto.bin
http://crimefiles.net/logo.bin


The .bin file is saved as %TEMP%\lovemete.exe and this currently has a detection rate of 15/65. Hybrid Analysis indicates this is Trickbot.

barclaysdownloads.co.uk and barclaysdownloads.com have both been registered for this purpose, the latter of which is hosted at Cloudflare.

Friday, 4 May 2018

"Best porno ever" Necurs spam

This spam (apparently from the Necurs botnet) promises much, but seems not to deliver.

From:    Susanne@victimdomain.tld [Susanne@victimdomain.tld]
Date:    4 May 2018, 10:22
Subject:    Best porno ever

Hi [redacted],

Best gay,teen,animal porno ever
Please click the following link to activate your account.

hxxp:||46.161.40.145:3314

Regards,
Susanne
The sender's name varies, but is always in the same domain as the victim.

I only saw four different links in the body text:
Warning live links - do not click
http://46.161.40.145:3314/
http://37.1.211.221:1699/
http://31.207.47.125/3FgtbvCf
http://77.72.84.115/

None of these sites were working when I tested them. Hosting IPs are:

46.161.40.145 (Ankas Ltd, Moldova)
37.1.211.221 (3NT Solutions, UK)
31.207.47.125 (Hostkey, Netherlands)
77.72.84.115 (Netup, UK)

3NT Solutions are a well-known purveyor of badness and I recommend blocking everthing, What the payload is here is unclear, but you can guarantee that's it's nothing good. And probably not smut either.


Sunday, 1 April 2018

New Traffic Light Protocol (TLP) levels for 2018

The Traffic Light Protocol should be familiar to anyone working with sensitive data, with levels RED, AMBER, GREEN and WHITE being used to specify how far information can be shared. In recent years it has become clear that these four levels are not enough, so the United Nations International Committee on Responsible Naming (UN/ICoRN) has introduced nine new TLP levels for implementation from the first day of April 2018.

It seems to me that these new levels do offer a much more nuanced approach to sensitive data and are in alignment with real-world needs. What do you think?


TLP Level
Description
RED
Information cannot be disclosed to anyone other than the current participants.
AMBER
Information can be disclosed within participant’s organisations where appropriate.
GREEN
Information can be shared within the community but not published.
WHITE
Information can be published subject to copyright.
BLACK
Information can be retained by participants until the end of the meeting when their minds will be wiped with a Neuralyzer.
BROWN
Knowledge of this information may cause recipients to soil themselves.
PINK
Information is intended to be TLP:RED but someone will inevitably treat it as TLP:WHITE.
BLUE
Knowledge of this information entitles recipients to a free ride in a police car.
BEIGE
Information is so unmemorable that participants will not be able to recall it even if they try (cf. TLP:BLACK)
TARTAN
Information is a complex mix of different TLP levels that cannot be easily separated.
YELLOW
Knowledge of this information may cause recipients to wet themselves. (cf. TLP:BROWN)
GREY
It is not known if participants should have knowledge of this information or not.
RAINBOW
Information pertains to the existence of unicorns.


Thursday, 8 March 2018

"Faster payment" scam is not quite what it seems

I see a lot of "fake boss" fraud emails in my day job, but it's rare that I see them sent to my personal email address. These four emails all look like fake boss fraud emails, but there's something more going on here.

From:    Ravi [Redacted] <ravi@victimdomain.com>
Reply-To:    Ravi [Redacted] <ravi@victimdomain.com-3.eu>
To:    accounts@victimdomain.com
Date:    23 February 2018 at 12:02
Subject:    Arrange this payment

Pleаsе make а £9,627.00 faster раyment for thе nеw contrаctor.

Sort сode: 30-62-15
Acc. numbеr: 10255956
Paуeе: Olivia Hаrris

I will send the doсs as soon аs i'll sort out my stuff.
Lеаve a rерly oncе сomрlеted or in casе you get аnу рroblеm while sеtting it up.


Rеgards
Ravi [Redacted]

Sent from my iPhonе.

-----------------

From:    Andrea [Redacted] <andrea@victimdomain.com>
Reply-To:    Andrea [Redacted] <andrea@victimdomain.com-0.eu>
To:    sarah@victimdomain.com
Date:    5 March 2018 at 10:31
Subject:    5 Mar. faster payment

Morning Sаrah

Plеаse sеtup a £9,736.00 fastеr рауmеnt in fаvour of the new bеnеfiсiаrу.

Sort code: 30-61-10
Acс. number: 10811231
Pауее: Thеa Smith

I will sеnd the doсs аs soon аs i'm lеss busу.
Leave a rерly once сomрletеd or if уou get аnу рroblеm whilе sеtting it uр.


Rеgаrds
Andreа [Redacted]

Sеnt from mу iPhone.

-----------------

From:    Andrea [Redacted] <andrea@victimdomain.com>
Reply-To:    Andrea [Redacted] <andrea@victimdomain.com-v.eu>
To:    karen@victimdomain.com
Date:    7 March 2018 at 11:08
Subject:    Arrange this payment

Hi Karеn

I nеed you to аrrаnge а £8,643.00 fastеr рауmеnt for the nеw bеnеficiarу.

Sort code: 30-62-12
Acc. numbеr: 10240298
Benefiсiarу: Beatriсe Evans

I will sеnd thе doсumеnts as soon as i'm less busу.
Lеavе а rеply oncе donе or if you get аnу problem whilе sеtting it uр.


Regаrds
Andrеа [Redacted]

Sеnt from my iPhonе.

-----------------

From:    Andrea [Redacted] <andrea@victimdomain.com>
Reply-To:    Andrea [Redacted] <andrea@victimdomain.com-v.eu>
To:    mary@victimdomain.com
Date:    8 March 2018 at 11:03
Subject:    8 Mar. faster payment

Hi Mаrу

I neеd уou to mаke a £8,839.00 faster раymеnt for the new supрlier.

Sort codе: 30-62-12
Acс. numbеr: 10738345
Benеficiаry: Emmа Brown

I will send the рapеrwork onсе i'll sort out mу stuff.
Lеаve а reрly once donе or if you gеt аny рroblem whilе setting it up.


Rеgards
Andrea [Redacted]

Sent from mу iPhone.

"Andrea" and "Ravi" are not random people, they are both directors of a legitimate company with a name very similar (but unconnected) with one I blogged about years ago. In $dayjob the sample email I saw was from that company's chief counsel, so I believe these are targeted but just incorrect.

Normally with this sort of scam, the "boss" is asking for payment to be wired to the bank details in the email. But in this case, the sort codes for the banks (30-62-12, 30-61-10 and 30-62-15) don't exist. If you tried to wire money to them, the transfer would fail.

So, presumably when the bank transfer fails, the victim emails back the "fake boss", but it isn't all it seems. Although the "From" address looks to be genuine, there's a "Reply-To" address which goes to something a but more subtle.

For example in one of the examples about the email appears to come from andrea@victimdomain.com (i.e. whatever the victim's genuine domain is) but replies go back to something similar but different, for example andrea@victimdomain.com-v.eu - at which point the fraudsters probably then come up with different bank account details.

At the moment the email replies go to a server at 185.235.131.65 (hostname uk-v.eu) in the Netherlands, but these domains and servers get shut down quickly.

All these following domains are linked to the scam (there are probably more):
uk-0.eu
uk-1.eu
uk-2.eu
uk-3.eu
uk-4.eu
uk-5.eu
uk-8.eu
uk-9.eu
uk-f.eu
uk-v.eu
com-0.eu
com-1.eu
com-2.eu
com-3.eu
com-4.eu
com-5.eu
com-6.eu
com-7.eu
com-8.eu
com-f.eu
com-v.eu

This variation of an old scam seems to be quite new. Remember, if your boss emails you out of the blue and asks you to set up a payment without giving much information, always check that the request is valid and don't simply reply to the email.

UPDATE 2018-03-12

Another version..

From:    Andrea [redacted] <andrea@victimdomain.com>
Reply-To:    Andrea [redacted] <andrea@victimdomain.com-w.eu>
To:    helen@victimdomain.com
Date:    12 March 2018 at 12:57
Subject:    Handle this payment

Hi Hеlеn

Pleasе makе a £8,909.00 fastеr payment for the nеw vеndor.

Sort сodе: 30-64-15
Acс. number: 10576602
Pаyeе: Elizabeth Moore

I will send the paperwork oncе i'll sort out mу stuff.
Lеave a rерlу whеn thе oреration is сomplеtе or in cаsе уou gеt аnу problеm whilе setting it up.


Regаrds
Andrеа [redacted]

Sеnt from my iPhone.
This uses the domain com-w.eu and is hosted on 185.241.54.62 (hostname uk-w.eu) along with uk-b.eu.

UPDATE 2018-03-13

Two more examples with the same pattern:

From:    Ravi [redacted] <ravi@victimdomain.com>
Reply-To:    Ravi [redacted] <ravi@victimdomain.com-w.eu>
To:    keith@victimdomain.com
Date:    13 March 2018 at 09:52
Subject:    Payment due 13 mar.

Hi Keith

Plеase аrrange a £8,563.00 fаstеr paуment for the new benefiсiarу.

Sort code: 30-60-41
Acc. number: 10638574
Pауeе: Rosе Clarke

I will sеnd the pаperwork as soon аs i'm lеss busу.
Lеаvе а rеplу when the oрerаtion is сomрlеte or if уou gеt аny problem whilе setting it up.


Regаrds
Rаvi [redacted]

Sеnt from my iPhonе.

----------

From:    Andrea [redacted] <andrea@victimdomain.com>
Reply-To:    Andrea [redacted] <andrea@victimdomain.com-w.eu>
To:    emma@victimdomain.com
Date:    13 March 2018 at 09:26
Subject:    Settle up this payment

Hi Emmа

Please mаkе a £8,999.00 fаstеr pаymеnt for the nеw benеfiсiаrу.

Sort codе: 30-60-41
Aсс. numbеr: 10167445
Bеnеficiаrу: Aisha Robinson

I will forward the docs onсe i'll sort out my stuff.
Lеаve a rеply once completed or in cаse уou get аny problеm while setting it uр.


Regаrds
Andreа [redacted]

Sеnt from mу iPhonе.

What I hadn't noticed before is that the spam is using homoglyphs in the text to avoid filters. For example, the word "pаymеnt" in the email above does not acutally say "payment", but it uses a couple of cyrillic (i.e. Russian) characters in place of the "a" and "e" that just look the same.


For the latest spam messages, the email relays through various hosts but always seems to originate from 91.243.80.176 (hostname: lmasko22.example.com). As with the other infrastructure this belongs to a company called MoreneHost in Russia.


Monday, 15 January 2018

Swisscoin [SIC] cryptocurrency spam

Swisscoin is a fairly low-volume self-styled cryptocurrency that has been the target of a Necurs-based spam run starting on Saturday 13th January, and increasing in volume to huge levels on Monday.

From:    Florine Fray [Fray.419@redacted.tld]
Date:    15 January 2018 at 10:51
Subject:    Could this digital currency actually make you a millionaire?

Every once in a while, an opportunity comes around. What divides winners from losers is those who seize it and those who don't. By now, you must have heard about all the people who made a killing with bitcoin over the last year. Some of them made more than ten million with just an initial purchase of a thousand bucks. What I want to ask you though is: Did you know that there are hundreds of other digital currencies that have had even bigger gains over the last twelve months? This includes Ripple, Ethereum and Raiblocks – you may have heard about some of them. What is the next big one for 2018? The answer in my opinion is simple. It's Swisscoin [SIC]. The reason for that is very straight forward. It's because it is supported by the Switzerland government. It is already considered as legal in the country and it is entirely shielded from any political instability. It's the type of coin that you can buy a thousand bucks of, and sit on for a few months or even years and that few thousand will likely be worth a few million. SIC has already doubled in value since Saturday and it will double or triple again by this Friday. So, what are you waiting for? For the time being it can only be purchased on /coinexchange [dot] io/ (that's the website address of the exchange). You can set up an account in about thirty seconds, then you send bitcoins to it and you can easily buy swiss coin. If you don't have any bitcoin already you can just google how to get some, it's super simple and will just take you 10 minutes at most, then transfer them to coinexchange's website and get the SIC

----------------

From:    Jeffry Looper [Looper63@redacted.tld]
Date:    13 January 2018 at 18:42
Subject:    This crypto coin could go up fifty thousand percent this year

Dear [redacted],

If you don't already own a few coins of something, then surely at the very least, you must have heard about cryptocurrencies.

Bitcoin, the most famous one, minted countless multimillionaires but did you know that altcoins (bitcoin alternatives) are responsible for even more riches?

Among the "big" ones, NEM went up almost 10,000 percent and Ethereum, more than 4,000 percent

Among the small and unknown ones several gained more than 50,000 percent.

To put this in perspective, a small 1,000-dollar coin purchase in one of these small ones could have turned into more than 50 million bucks.

It seems crazy, doesn't it? Well, it's the reality of the cryptocurrency market today.

Raiblocks, a relatively obscure coin at the time, went from 0.20 on December first to $20 by New Year's Eve. It is now in the top 20 largest coins in the world.

All that to say, the next big winner could be found anywhere, and today I believe I've identified the next one.

After spending hundreds of hours looking at hundreds of different coins, I locked down on one specific target.

Swisscoin.

As the name says, this is a coin created and headquartered in Switzerland. It is one of the only coins in the world recognized as legal tender by the government.

Swisscoin is allowed by the Swiss government and has the potential to climb more than 5,000% before the end of January and more than 50,000% before the end of this year.

This is one of those rare buy-and-hold coins which you WANT to own, and hang onto for the long term, much like those people who bought bitcoin at $1 and kept it for 3 years. FYI, bitcoin is trading at $14,000 now. That's an increase of over 1 million percent.

I recommend you consider putting at least a thousand bucks in Swisscoin immediately. This could quickly turn into enough money to buy a new house, or at the very least a new car.

For those of you who already have bitcoins, all you need to do is open an account at coinexchange.io (this is the url/website, and it takes 1 minute to get setup), transfer some btc to your new account and buy SIC (Swisscoin).

For those of you who are still clueless about Cryptos, the process will be a little bit longer but well worth it.

Open an account at a large exchange such as Coinbase dot com or Coinmama dot com, then add some fund using your credit/debit card or Paypal.

That's the fastest way, but you will be limited to a few hundred bucks at most. It should be enough to get you quickly started but consider adding more funds using a bank transfer so that you can really have skin in the game.

Remember, every thousand bucks of SIC you buy today could easily turn into 500,000 by this time next year.

----------------

From:    Justine Mcfall [Mcfall0748@redacted.tld]
Date:    14 January 2018 at 16:42
Subject:    Let me tell you about one crypto currency that could turn 1000 bucks into 1 million

If you took a chance on bitcoin early on, just a few years ago, your investment could have paid off in a big way.
According to digital-currency website CoinDesk the value of bitcoins was volatile at the beginning.

It was possible to purchase a single bitcoin for just a few cents. Had you bought just a thousand bucks' worth you would be sitting on millions right now.

Want to know what's even crazier? These types of returns have been replicated hundreds of times over so many different alternative coins and it continue happening all the time.

The trick is to buy into a coin very early on before the crowds notice it.

My research shows that Swisscoin (SIC) is going to be the next big one to blow up this year. It has already doubled since yesterday and as the trend continues it could be 10 times as high before the end of the coming week.

Swisscoin is one of the only coins approved by the government in Switzerland. It is 100% legal and useable in everyday life.

Switzerland's Swiss Franc has been one of the most stable and best performing currencies throughout history and Swisscoin aims to replicate this standard with the digital coin.

Could you turn a thousand bucks into a million before the end of 2018 with SIC? The answer is a clear yes.

For the time being SIC only trades on one exchange: coinexchange.io so you need to open an account there (takes about thirty seconds), and transfer bitcoin to it so you can make the purchase.

If you don't own any digital currency yet then you need to open an account at coinbase or coinmama and buy some btc (bitcoin) with your credit or debit card or bank account.

After you get bitcoins, just follow the instructions in the above paragraph.

One thing is for sure, you definitely don't want to miss out on Swisscoin.
Swisscoin trading was recently suspended and only started up again a few days ago. The chart at World Coin Index shows that this has been a real rollercoaster ride.



There are questions as to whether Swisscoin is actually a cryptocurrency or a Ponzi scheme. Honestly, I don't know and I'd advise you to do your own research. However, this has all the markings of a pump-and-dump scheme, so it's quite possible that someone who bought Swisscoins at their peak wants to pump the price up so they can sell off their holdings. Given that the spam is being sent out from a network of hacked machines and does not comply with anti-spam laws, you can pretty much guarantee that this is not legitimate and should be avoided.

UPDATE: a subsequent spam run looks like this:

From:    Trenton Manners [Manners.491@redacted.tld]
Date:    15 January 2018 at 18:42
Subject:    Forget about bitcoin, there's a way better coin you can buy.

It's probably not news to you at this point if I tell you that bitcoin has made tons of people tons of money. Something else you probably already know is that it will never go up like crazy again. Its time to shine is long gone. That's why we must look into what the next big thing is, and the truth is that there have been plenty over the last few months. Can you jump on the next huge one before it soars? Swiss coin {SIC} is the most likely candidate for a fifty thousand percent return this year. It has the support of the Switzerland government. It is already considered as legal in the country. It's the type of coin that you can buy a thousand bucks of right now, sit on for a small period of time and you could make out crazy wealthy when all is said and done. SIC has already doubled since Saturday. This long Martin Luther King weekend could bring you even more upside if you act quickly. For those of you who know what this means… you can get it for under 50 satoshi right now. And if you have no clue what this means, it basically means that you can get in on the ground floor How do you get some? You just need an account at coinexchange. Read the currency's official page to find out more info: https://swisscoin.eu/sic-deposits.html


Monday, 4 December 2017

Some random thoughts on Damian Green and those porn allegations

If you live in the UK then you might have noticed the somewhat bizarre furore over Damian Green MP and his alleged viewing of pornography on house his Parliament computer. Now, I don't know for certain if he did or didn't, but to put it in context his private email address also allegedly turned up in the Ashley Madison leak and on top of that there are sexual harassment allegations too. But let's stick to the porn for now.

Anybody who has been involved in forensic investigations of computers may well understand these comments:

Mr Lewis, who retired from the Metropolitan Police in 2014, said although "you can't put fingers on a keyboard", a number of factors meant that he was sure it was Mr Green, the MP for Ashford, Kent, who was accessing the pornographic material.

His analysis of the way the computer had been used left the former detective constable in "no doubt whatsoever" that it was Mr Green, who was then an opposition immigration spokesman but is now the first secretary of state.

"The computer was in Mr Green's office, on his desk, logged in, his account, his name," said Mr Lewis, who at the time was working as a computer forensics examiner for SO15, the counter-terrorism command.

"In between browsing pornography, he was sending emails from his account, his personal account, reading documents... it was ridiculous to suggest anybody else could have done it."  
To put this into context - the computer was seized in 2008 when Green was arrested over the suspected leaking of confidential material. Any investigation such as that will look at web browsing history, recently accessed or saved documents, cookies, bookmarks and stored documents and images. So, it is utterly credibly that the investigation would have found this type of activity if it had occurred.

Indeed, there seems to be no denial that this material had been accessed on the computer, but that Mr Green had not done so. But Mr Lewis's statement also says that things such as private email were accessed concurrently. If you were carrying out an investigation on behalf of a business, then this would indeed be enough to "place fingers on a keyboard".

But here is the surprise - why would this material be accessible at all? Nobody has claimed that it was not accessed, just that Mr Green himself did not access it. But any reasonably-sized business would usually have some sort of filter to stop this happening.

The House of Commons by itself employs over 2000 people. Add to that the staff of the House of Lords, the Lords themselves, MPs and other staff who are not directly employed by either House then you are looking at thousands of employees. That's quite a large organisation, and if there is no effective web filtering for any of them, then that introduces a serious security risk.

Anybody who works in IT in a relatively large organisation such as this will know that at least some of them will try to access pornography. My experience is that people who do this on their work computers are exclusively male, and there are 453 male MPs in the House of Commons. This is certainly a large enough group for some of them to be accessing porn, at least some of the time/


So we can surmise a couple of things - it certainly seems to be possible to access porn from a Parliament computer, and given the number of people working there it seems likely that somebody would try. The number of male MPs certainly seems enough for one of those to try to access porn. Given that it is likely that some of them try, there's no particular reason why it shouldn't be Damian Green. And if one MP is fired from his job because of porn, then you can bet there are other MPs who have done the same thing.

But why not implement some sort of filtering? The problem is that MPs are not employees - Parliament is the primary legislative body in the UK and it is essentially sovereign (despite there being a Queen). Imagine that you worked in an organisation where there were hundreds of C-level executives, and then try to police them from an IT point of view. MPs are probably amongst the worst users in the world to support.

As I said, most organisation of any size filter porn from corporate computers. Strategically, the main reason to do that is not to track down and fire errant employees, but to prevent embarrassment to that organisation. It's all very well to fire a low-level employee for viewing smut, but when it comes to the top of the food chain such terminations can also be damaging to the reputation of the organisation itself. If Parliament isn't filtering this sort of material then it is always likely to end up with this sort of scenario from time-to-time.

Mr Lewis's comments indicate that the material was found on the computer itself, not a proxy log or other external system. It's quite possible that whoever was accessing the material on Mr Green's computer could have saved themselves a lot of grief if they'd used private browsing (although a deep forensic investigation can often find artifacts even when this has happened).

Also, Nadine Dorries MP did state that she shared her password with staff who worked for her. This is terrible practice, and certainly in my organisation if you share your password and somebody abuses it, then you are liable for anything that they did.

Don't forget as well, the habit of porn sites infecting visitors with malware though malicious advertisements, and the habit of more "specialist" sites having been created specifically to infect visitor's computers. MPs might not think themselves to be important enough to hack, but they will have private correspondence with constituents and other parties that should remain private.. and not be leaked out.

Whatever the truth of Damian Green's surfing habits, it looks like Parliament is badly in need of proper regulation of its computer systems. But you really do have the nightmare users from hell in that job. I suspect it is going to take something more that one embarrassed MP to force a change.

Image credits: