depicus

changing the digital world one bit at a time...

Blants (noun) the rants of a blogger

  1. Joint Waste Solutions – Piss Poor Security & Why Amey Nor Surrey Heath Borough Council Care

    June 14, 2018 by The Man

    I come across a few web sites with errors or issues, and normally I’ll eventually find somebody to report those errors to. Some are great: they fix it and thank you. Others just fix it, and some never bother and their sites still have issues, but the vast majority are not so piss poor secure that I can’t just move on. I don’t need to be thanked, just for them to fix their sites.

    So over a month ago (May 2018) I came to https://www.jointwastesolutions.org so I could sign up for green waste collection, all pretty mundane until I tried to register on the redirect at https://jointwastesolutions.amcsgroup.com and it threw an error. Of course, as anybody who has ever worked with Windows, IIS and ASP.NET knows, the first thing you should do is make sure custom errors are turned on; indeed they are on by default now, so somebody has gone out of their way to make the site less secure.

    The main reason for turning on custom errors is that without them your site exposes information. In this case we can see that the site is running ASP.NET v4.6.1, which is currently 4 versions out of date. It also shows that the server is using Windows 2012, which is “End of Life” in October 2018. So outdated software on a server running a nearly EoL operating system. A quick scan of the server shows it may not have been rebooted for over 400 days, so no Windows Updates!!!

    Well then let’s just hope it was set up securely….

    Nothing has been done to even remotely secure the server, which leaves it open to all sorts of compromises, e.g. cross-site scripting. As you can see, this cloud based server fails miserably.

    https://securityheaders.com/?q=jointwastesolutions.amcsgroup.com&followRedirects=on
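    As an added example (not part of the original post, and not run against the site discussed), here is a small Python audit of what an unhandled ASP.NET error response gives away and which hardening headers a securityheaders.com style scan looks for. The response text is constructed for the example; the header lists and the error-page footer pattern are assumptions about typical IIS/ASP.NET output.

```python
import re

# Constructed sample of an unhandled ASP.NET error response for this example; it is
# not a capture from any real server. customErrors="On" would replace this body.
SAMPLE_RESPONSE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Server: Microsoft-IIS/8.5\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<h1>Server Error in '/' Application.</h1>\n"
    "<b>Version Information:</b> Microsoft .NET Framework Version:4.0.30319; "
    "ASP.NET Version:4.6.1586.0\n"
)

# Headers that fingerprint the stack; the fix is to remove or blank them (assumed list).
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")
# Hardening headers a securityheaders.com style scan expects (assumed list).
EXPECTED_HEADERS = ("strict-transport-security", "content-security-policy",
                    "x-frame-options", "x-content-type-options", "referrer-policy")


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def audit(raw):
    """Report version leaks and missing hardening headers for one response."""
    status, headers, body = parse_response(raw)
    leaks = {h: headers[h] for h in FINGERPRINT_HEADERS if h in headers}
    # The "Version Information" footer only appears on the detailed error page,
    # i.e. when custom errors are off; matching it is a heuristic.
    match = re.search(r"ASP\.NET Version:([\d.]+)", body)
    if match:
        leaks["aspnet-runtime"] = match.group(1)
    return {
        "status": status,
        "custom_errors_off": "Server Error in" in body and match is not None,
        "leaks": leaks,
        "missing": [h for h in EXPECTED_HEADERS if h not in headers],
    }
```

    Run audit() over a response you have captured yourself; a non-empty "leaks" entry or a "missing" list is the to-do list for the web.config and IIS configuration.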

    But at least it’s using SSL, I hear you cry… Yes, but much like the proverbial chocolate fireguard, it’s so poorly configured as to be almost pointless. It still uses SSL v3, is vulnerable to DROWN and POODLE, and supports piss weak encryption. Now I never got as far as being able to put in credit card details or even bank details, but this is clearly not PCI-DSS compliant.

    https://www.ssllabs.com/ssltest/analyze.html?d=jointwastesolutions.amcsgroup.com&latest

    You’d think that a company would be happy for somebody to quietly point out their errors, but so far, over a month, I’ve been told by Amey’s social media team that they would pass on the information, and when nothing happened they just ignored me. Surrey Heath Borough Council originally told me that, as this was reported before 25th May 2018, it was not covered by the GDPR!!! So I emailed both data protection officers with the information; Amey have yet to reply and SHBC have sent two holding emails.

    I’m still trying to get to the ICO https://ico.org.uk but they seem very busy. Let’s hope somebody else doesn’t or hasn’t found this childishly, comically configured server. Personally I’d treat the server as compromised, but then I’m averagely good at my job.


  2. Clever Scam & Why LinkedIn Is The Last Place To Look For Employees

    June 5, 2018 by The Man

    Received this email yesterday and it got me thinking why!?!?!

    Now it’s either a scam or hopefully a very clever person who was sacked from their last job. Let me explain.

    Imagine you were working at X company for a few years and one day they caught you stealing the one ply toilet rolls from the third floor loos. How are you going to get a job now? Simple: you just Google a list of companies that have closed in the last year, as Digital Wired has. Add that to your C.V., and who’s going to query it when you tell them the company went bust or lost a big contract etc., because who are they going to check with? Perfect, and unless your HR department checked with the old directors, who’s ever to know.

    I hope Daniel gets a job soon, if nothing but for his ingenuity 😊


  3. Plus Addressing (RFC 2822) and why it’s important

    January 15, 2018 by The Man

    The interweb is a scary place for even the most tech savvy users, and handing out your personal information to all and sundry, with their laissez-faire attitude to data security, is crazy. There are sites where you have to provide legitimate data, i.e. where you are purchasing something, so knowing which sites have poor data security can help you (and others) avoid them in the future. This is why I always use plus addressing.

    Plus addressing, username+siteyouarevisiting@emaildomain.com, is supported by many of the major mail vendors like Gmail and Outlook.com, so plus addressing is available to most users. The genesis of plus addressing is RFC 2822, specifically s. 3.4.1 and s. 3.2.4, which basically define the part before the @ sign as the “local part”, which should only be interpreted by the receiving domain. This allows for characters such as ! # $ % & ' * + - \ = ? ^ _ ` { | } ~

    Ok but why is this important, aren’t you just being anal?

    Well the first time I knew it worked was when a company I’d booked a running event with sent me an email about buying email databases (the irony). Now clearly there were two possible explanations: first, that they had sold my data, or second, that they had been hacked. Thankfully the credit card I’d used had expired. The second time was with Feiyu Tech, who I suspect were hacked as they were sending me mail about buying women’s bathroom products.

    Today I tried to make a donation on virginmoneygiving.com and got the following error.

    So a company as large as Virgin cannot get email validation right. What does that tell you? Well, first that their developers probably just copied an email validation routine off the web without understanding what it does, and their testers also signed it off. Secondly, would you trust a company that cannot get the basics right with the storage of your data and credit card information? I don’t.
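    As an added example that is not from the original post, the Python below checks an address against the RFC 2822 s. 3.4.1 / s. 3.2.4 dot-atom local part (quoted-string local parts are left out as a simplification) next to the sort of copied-off-the-web pattern that rejects a plus address, and splits the tag off so you can record which site an address was given to. All addresses in it are made up.

```python
import re

# atext from RFC 2822 s. 3.2.4: every character a dot-atom local part may use, "+" included.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
# RFC 2822 s. 3.4.1 addr-spec with a dot-atom local part. Quoted-string local parts
# are left out as a simplification of this example, not a claim about the RFC.
LOCAL_PART = re.compile(rf"^{ATEXT}+(?:\.{ATEXT}+)*$")
DOMAIN = re.compile(r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}$")

# The kind of pattern copied off the web that silently rejects plus addressing.
NAIVE_PATTERN = re.compile(r"^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def is_valid_address(addr):
    """Accept any RFC 2822 dot-atom local part; what it means is the receiver's business."""
    local, sep, domain = addr.rpartition("@")
    return (bool(sep) and 0 < len(local) <= 64          # 64 octet local-part limit
            and LOCAL_PART.match(local) is not None
            and DOMAIN.match(domain) is not None)


def naive_is_valid(addr):
    """The broken check: rejects user+tag@example.com although it is a valid address."""
    return NAIVE_PATTERN.match(addr) is not None


def split_plus_tag(addr):
    """Return (base address, tag) so the tag can be recorded against the site that got it."""
    local, _, domain = addr.rpartition("@")
    base, _, tag = local.partition("+")
    return f"{base}@{domain}", (tag or None)
```

    If your sign-up form calls something like naive_is_valid(), every plus-addressed customer gets turned away at the door.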



  4. Carphone Warehouse Review

    June 11, 2017 by The Man

    I wonder why Craphone Warehouse wouldn’t publish my review?


  5. The 0800 088 5480 scammers

    March 22, 2016 by The Man

    What’s disturbing is this 0800 088 5480 number has been used for scamming for nearly two years – thanks to BT for making it impossible to report this scam number and allowing people to get scammed while you earn money off them.

    0800 088 5480

    There is a more comprehensive report here, but despite it being over a year ago they still seem to be working from the same number.

    So, like most scams, they want to control your PC so they can install malware and steal your bank details. They prey on the old and will continue to do so while it’s so hard to report this. http://www.actionfraud.police.uk should be the place to report such crimes, but they are only interested in general types of scam for their statistics and seem uninterested in actually closing these numbers down.

    Scammers scam because good men do nothing !!!


  6. letsencrypt.org and XP – a bodge fix for chrome

    December 4, 2015 by The Man

    Ok, as luck would have it, on the second site I set up letsencrypt.org’s new certificates on, the client was using Windows XP and Chrome and got this nasty error message when I redirected http to https.

    Now I’m a firm believer in https everywhere. Yes, I know it doesn’t solve every problem, but it helps. So the options were bleak according to a github issue, but if you are using Apache it’s possible to bodge a solution so XP Chrome clients can still see your site.

    RewriteEngine on
    # Only act on plain-http requests (belt and braces: this lives in the :80 vhost anyway)
    RewriteCond %{HTTPS} off
    # Skip the redirect when the User-Agent says Windows XP (NT 5.1, or 5.2 for XP x64 / Server 2003)
    RewriteCond %{HTTP_USER_AGENT} !(Windows\ NT\ 5\.1|Windows\ NT\ 5\.2) [NC]
    # Everyone else gets an explicit external redirect to the https version of the same URL
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

    So what are we doing here?

    First we check to see if https is off. Not sure this is really needed, as we are putting this in our :80 .conf file.

    Then we check it’s NOT XP, the ! negating the user-agent match.

    And finally we redirect to the https address.

    Now we could get really clever and just check for Chrome on XP and I may work on that as I plan to use letsencrypt.org wherever I can 🙂