BBC Lottery: Have you won too?

I must be the luckiest person on the planet – I keep winning lotteries!

Here’s the latest notification – straight from Aunty Beeb herself, the BBC.

Bogus BBC lottery email

Apparently the BBC is now deciding who has won the lottery based not upon who bought tickets, but instead simply by pulling email addresses out of a hat! That seems so much more efficient than the old way.

You may have thought that there had to be enough people putting a little bit of money *into* the lottery for a small number of people to get a lot *out* of it – but apparently not anymore! Maybe they’re just pleased I’ve been paying the TV license fee for the last twenty years or so.

Now, if you receive an email like this there are probably people out there who will try to convince you that it’s a scam, that it wouldn’t be a good idea to hand over your name, address, age, mobile number, date of birth (hang on – don’t they already have that?) to a complete stranger..

..especially to a complete stranger called “Mr Patetr Thomas” (# You say potato, I say Patetr #). And they may even try to warn you that Scottish screen lovely Jenni Falconer doesn’t actually present the Saturday lottery draw on BBC TV, that duty falling to chirpy cheeky chappy Nick Knowles instead.

Jenni Falconer and Nick Knowles

And I must admit I find it hard to confuse the two of them, but I’m sure it’s just an administrative mix-up.

After all, Mr Patetr Thomas (# Let’s call the whole thing off.. #) is probably a very busy chap. Indeed, it looks like I’m not the only winner of the £1,000,000.

That’s right – there’s lots of us. Just look at the subject line:

*** BULK *** Dear E-Mail User

I would like to imagine that there are no Naked Security readers out there who would fall for a scam email like this – but we must recognise that there are people more vulnerable to these sorts of con-tricks than ourselves.

Do your bit to make sure that the vulnerable members of your family aren’t fooled into believing they are going to win a fortune in a lottery – if they are duped into believing they will be receiving a windfall they might get themselves into an expensive and upsetting pickle.

Naked Security colleague Paul Ducklin recently spoke at a conference dedicated to keeping others from getting ripped off online – especially seniors already on their retirement income, who can least afford it.

You can read more about this heart-wrenching aspect of cybercriminality in his writeup of the event.

As Duck says in his article, “Friends don’t let friends get scammed online.”


Nigerian government website falls at hands of Brazilian defacement

Here’s what the official website of the government of Nigeria normally looks like:

Nigerian government website

And here’s what it looks like today, with a title of “Fatal Error ownz you !!!!!”:

Defaced Nigerian government website

Fatal Error !
by Elemento_pcx & s4r4d0 ...
"Seja você mesmo mas não seja sempre o mesmo" ... G. o Pensador ...

The message in Portuguese translates as

"Be yourself but not always the same" ... G. The Thinker ...

Two email addresses are provided by the hackers if anyone needs any help (it’s uncertain whether you would contact them for help regarding the website defacement, or to have the profundity of the quote explained to you).

Of course, it’s perfectly possible that the email addresses listed belong to people who have no knowledge of the hack – but with the quote written in Portuguese, it certainly wouldn’t be a surprise to see a Brazilian connection.

If you run a website make sure you are doing everything to keep it as secure as possible – for both your organisation’s sake, and that of your users. If you haven’t already done so, read this informative paper by SophosLabs, “Securing websites”, which covers some of the issues.


Security breach: Kernel.org and Linux Foundation remain "temporarily unavailable"

The Linux world is in a bit of a security spinout at the moment.

Last month, the brains behind the Linux kernel discovered malware on the PC of at least one kernel maintainer, as well as on some of the kernel.org servers themselves.

Now, the Linux Foundation, a not-for-profit which bankrolls the main developers of Linux so that they can remain independent of any particular vendor or commercial group, is in the security soup, too.

The Linux Foundation sites have been replaced with holding pages since late last week, suggesting that finding out what actually happened hasn’t been as easy as the Foundation’s techies might have hoped.

Linux Foundation infrastructure including LinuxFoundation.org, Linux.com, and their subdomains are down for maintenance due to a security breach that was discovered on September 8, 2011. The Linux Foundation made this decision in the interest of extreme caution and security best practices. We believe this breach was connected to the intrusion on kernel.org.

The connection to the malware infection amongst the kernel maintainers themselves is echoed by the holding page for kernel.org, which says, simply, “Down for maintenance”. The Linux Foundation and Kernel.org sites are internet neighbours in the 140.211.169.0/25 network block.

In a creditable fit of caution, the Linux Foundation advises that you should consider the passwords and SSH keys used on its sites to be compromised. It also advises that “if you have reused these passwords on other sites, please change them immediately.” Of course, much better advice is never to reuse passwords on multiple sites in the first place.

(You might be wondering if this mention of possible password compromise means that the Linux Foundation failed to follow its own advice, and stored passwords in plaintext, rather than as an irreversible hash.

Remember, however, that this breach appears to involve a malware compromise, not merely the unauthorised retrieval of data from the servers. If a server is “owned” by malware, even the login process should be considered untrustworthy. Passwords could therefore have been stolen directly from memory during login, even though they were never written to disk.)

I’m still struggling to decide quite what the Loony Linux Lovers – those who insist that Linux is immune to malware – will make of this episode. Whilst Linux malware is not new, this is probably the closest it has ever come to the heart of their beloved operating system.

In a perversely back-handed sort of way, perhaps this incident is just what Linux needs to raise its profile outside the world of cloud service providers.

The “Linux has magic security smoke” proselytisers will be compelled to admit that insecurity isn’t just about Microsoft, and will be forced to improve their public attitude to security in general.

The “Linux is nothing more than a hobby product” naysayers will be compelled to admit that the operating system really is part of the Big Time. Why else would kernel.org be in the sights of cybercrooks?

And Linux itself will emerge almost entirely unscathed because if any dodgy changes are found in the codebase, there will be a public record of them getting rolled back and order restored.

Mind you, the Linux brains trust could do with getting a move on fixing things.

In the meantime, if you’ve never considered it before, why not take a look at OpenBSD 🙂