Grittish Bas Own All Your Data

Oh, hello again. Long time no speak.

Been a while since my last post, so thought I should fill you all in on an odd experience I had lately.

Having split with Kate and moved into my new shiny apartment in Bradford, I'd been spending a bit of time sorting out final bills, getting new suppliers and registering new addresses and such.
As happens with most big apartment blocks, a single supplier was awarded the contract for electricity supply when the build was complete - so it's up to tenants to move. In this case the default supplier is nPower. With no gas being available, however, it is actually cheaper with another provider, who (for the sake of avoiding any libel) we'll call 'Grittish Bas'.

I was told of their offer when I received a courtesy call, after using the Royal Mail’s ‘moving home’ service to update addresses with various suppliers. I gave them my address details, supply number and pretty much everything went smoothly after that.

It wasn’t until last Friday that something quite odd happened.

I received a letter in the post from Grittish Bas confirming my new account details, with my bank account details (in plain-text) for the direct debit.

Only, they weren’t my details.

They were Kate’s.

Which is fairly odd. We never had a joint account. I paid for the bills at our previous address. She has nothing in relation to the address I live at now, and I gave Grittish Bas nothing other than my name and new address/supply number (no previous addresses, no previous account details) to verify who I was. And yet I was sent a complete random's (essentially) account details (in plain text, no obfuscation at all!).

How they managed to tie my name with my ex’s account details is beyond me.

What's even worse: Kate is no longer a Grittish Bas customer. She hasn't been in several years (remember, I paid for the bills in our last house, in my name).

So. Grittish Bas own all your personal data. Whether you like it or not.

Been a previous customer? Go call them. Go see if you can get your personal info and account details cleansed from their database. And tell me if you do.

I will add - I did call them to get the DD changed to my account. I don’t think Kate would appreciate paying for me to keep my Wii on 24/7 ;)


Whistle

What’s the noise that tumbleweed makes?

Well, that’s the noise I expect people are hearing when reading this blog.

I’m on facebook a lot, so pm or friend me if you know me (if you already haven’t).

Sold the house as well :) Not as much as we wanted, but good enough. Should be a few weeks before completion now.

Off out now, going to join the goths at the Wendy House (LUU).

Sayonara.


Recent History

And in recent history….

I spent two weeks on jury service. It was totally uneventful apart from a 2-day case about a mobile phone theft. What a complete waste of time and money (but I knew this already): 60 people being made to sit between 10:30 and 4pm receiving £60 a day to do /nothing/. I did come out of it with a few hundred quid (of taxpayers' money) though.

Lots of house viewings. No offers (or second viewings) yet, but lots of positive reviews, and a general lack of negative feedback. Just awaiting the right person I suppose.

Neurosis this weekend. Nick, Phil and me down to Shepherd's Bush in London. Post-Rock Rocks! Went out with Phil to see friends from Humanfly (who kicked ass btw) last Sat. Arranging the first weekend in Aug for ShutFest currently.

Been doing lots at work recently. Apart from revising for and gaining my CISSP accreditation, I've been busily getting our new thin-client system out of the door. We have a shiny (new) server with the hardware virtualisation extensions present on recent AMD (and Intel) CPUs, and I've been using kvm to take advantage of this (there are lots of security/cost advantages to using hvm, if you think about it). Was talking with the devs a while back, when the code was a little immature, to work out some of the issues, but there have been some recent leaps in performance which have really helped - it's now usable in the real world, and will only get better with the paravirt work being done.

Lots more has happened, but it’s not worth the effort to comment if you’re not a daily/mobile blogger (or ‘moblogger’). I’m not sure who reads this, so it could all be in vain anyway.

M


Exam

Did I happen to mention I took my CISSP exam a fortnight ago?

No?

Well, I passed anyway.

:)


Musak

I’m still alive, fyi.

I’ve been listening to lots of metal, going to gigs and documenting my exploits elsewhere.

I've taken about 10 viewings so far as well. Had a few interested, but no offers so far.


House

House is online (they’ve still got ’septic’ spelt wrong).

I’m taking viewings today and Monday for those interested.


News

Yeah, so I haven’t posted in a while. I’ve been busy.

But then I feel okay knowing I'm not the only one with big news; an old friend also has 'life-changing' news and he keeps his blog going...

So you might want to know me and Kate have split up. And I've done a load of decorating and we're selling the house (in fact it's on the market already, but more about that later), and I'll be moving closer to work (now we've moved into our spiffy new offices), and I'm not speaking to my family ('cos they interfere at the best of times). So, yeah.

Me and Kate are still friends though; you would be after 6 years. I didn't want a repeat of the fall-out we had last August. She's going to be moving closer to her work as well (rental cost being the major factor, it's more likely to be a BD postcode) and we'll continue going out to beer festivals and what-not, as friends do.

I'll be moving within walking distance of work (to save on the petrol/car insurance), but shall keep the house tidy and visit-able in the meanwhile. It should be online soon (I'll update with a link) - but if anyone's looking for a well presented 2-bedroom end-terrace in East Ardsley in the region of £115,000, feel free to drop me an email if you want to arrange a viewing.

Lots of love.

M


Being the recipient of a spear phish attempt

I had a pretty productive week. I've been playing with getting kvm working well (fast/stable) on our brand new Dell AMD box - and I'm now using a guest environment under it full time as my thin-client server. We also found out this week that our offer on a new office had been accepted - so we're looking to be moving out in the next month (which will be a great/overdue change).

So I found myself in a state of shock and awe when I arrived home tonight after leaving work late. I had received a letter, purporting to be from HSBC, stating that my Internet Banking account had been suspended on the basis that there was evidence my account details had been compromised, probably due to me responding to a "phishing" email.

Now anyone who doesn’t know me might think ‘yeah, ok, I can see how the bank would close your account if there was any suspicion of you leaking your details to a phisher’ - but then those who do know me, know that I work for an IT security consultancy, and we do very real, original research into phishing attacks. So to me, the idea that I had leaked my details to someone through a phish is funny almost to the point of absurdity.

This automatically got me questioning the reality of the letter I received. It was a two-sided letter - with an opening paragraph about why the account had been suspended, then some actions for me to perform, and a reference off to HSBC's "Security Matters" page (this is, interestingly enough, the title of our - ECSC's - newsletter). Included in the letter was a form for me to write my name, address and internet banking details, as well as a pre-paid envelope for me to return the included form.

As I was already suspicious of the letter I decided to call the technical support number quoted on the letter. Even though the letter itself stated that they were only open 9am until 5pm, I was greeted with an answer, at 7.53pm. I had a short (~5 minute) chat with the guy at the other end of the phone - but what piqued my suspicions was how the call was answered. There was no 'Welcome to HSBC - my name is John, how can I help?' - all I received was an anonymous 'hello'. I proceeded to explain to the guy how I'd received this letter, and that I wasn't convinced it was genuine, and asked for more information on what grounds, what their evidence was, that I had become a phishing victim. The guy, who wasn't being defensive or aggressive, explained that he wouldn't be able to tell me those details without me giving him my account details.
I was paranoid before and this only made me more wary, so I told him I wasn't happy giving any details out at this point. He told me I should complete the form and send it back - we reached a stalemate, so I decided to end the conversation.

I started taking a close look at the letter, the paper, the quality of the print, the return address and the phone numbers stated. And my suspicion grew.
I immediately went to the HSBC website and found a contact number for their Internet Banking service. I called and was put through to another (presumably Indian at this point) call-centre. I was again greeted by a pleasant customer services advisor - I explained my situation and asked them to verify some details for me. I was asked for my account details - which I refused to give, as I was still not happy that my phone wasn't being intercepted (too paranoid?).

I asked the nice man whether they had any record of the signatory of the letter I received, or whether they knew of the phone number listed in the letter or whether they knew of the postcode listed in the letter. In all cases, the man had no record.

At this point I called the police.

I looked back through what I had received and started to notice things which were plainly wrong. The letter, with letterhead but no watermark, had a faint marking all the way down the left-hand side (about a centimetre wide) - just like it had been through a roller (i.e. a copier). The envelope it had arrived in was stamped as being from First Direct. Even though First Direct are a subsidiary of HSBC, I don't bank with First Direct; they are very different, separate companies. The envelope itself had a 'sheen' on the seal - I suspect it had been opened (steam iron) and re-sealed. The biggest give-away was the return envelope. As one would expect, a pre-paid envelope (the ones with the '1' mark in the top right) was included. It was the large blocks of ink to the right of the big '1' which were suspect. There were visible (to the naked eye) streaks in the bar. There was pixelation on both sides, and they weren't exactly straight. Anyone non-technical might've been fooled, but to me it was straight out of a LaserJet printer (and a bad quality one at that).

I utilised the technology at hand as well and googled the address and phone number. The address turned up as somewhere in Belle Isle (not the nicest place in Leeds) - and the number was unknown apart from a 'gmane.comp.web.netsurf-devel' posting about a similar event (with the same number). The writers didn't seem to know this was a scam - so I hope they weren't duped too badly (google it yourself if you feel the need).

I am convinced at this point it is a sophisticated spear phishing attempt. I'm slightly worried that I've been targeted specifically; namely, how does the attacker know who I bank with? It's not a difficult thing to figure out (especially now), but I don't bin my bank statements (I only bin the marketing junk), so I can't see how 'dumpster diving' could've been used.

Well. I have a ‘copper’ coming round tomorrow morning - most likely to take a statement and the offending items. I’ll post the pictures for all to see should he agree with me.

Update: February 12

How stupid. It turns out it was a valid HSBC letter after all.

Even my bank manager thought it was odd until he passed it onto ‘back office’ who confirmed it was real.

Shocking. Really shocking. I’m going to leave HSBC at the next opportunity. What a bunch of lamers.

Banks really need to start getting a hold on physical and computer security. I guess I'm just over-paranoid; but then this kind of shit just teaches the unknowing masses to accept this kind of poor quality.


Birthday Presents

For those of you who didn’t know already it is Kate’s 21st birthday (again) on the 15th Jan.

I got Kate two separate presents. The first would be something I thought she would be quite chuffed with: flying lessons with the Leeds Flying School.
She used to be an RAF Cadet, so has lots of experience, but would not have been allowed to go any further than a technician professionally due to her being red-green colour blind. As such, she does hanker a lot for getting back in the air, so I thought I could give her a bit of the taste again.
Now you might say I was giving the game away too soon (with it being the 13th); I had the flight booked for 1pm Sat, but I had a call around 11am today saying the flight had to be cancelled due to the weather.
I had been worrying about this all week as it has been very gale-y this week, so I wasn't overly surprised. So, having built up the day so much, I had to let the cat out of the bag and let her in on the secret.

So, in consolation, I let Kate have her secondary present early; it was a 'Nabaztag', also known as a 'Wi-fi Rabbit'.
It's a French product (though looking at it, you wouldn't be far mistaken thinking it was quintessentially Japanese), and I bought it within 5 minutes of hearing about them (yes, I am that impulsive); as well, it has been recently listed as one of the best gadgets of 2006.

For the non-technical, it's a rabbit with multi-colour lights on its feet, belly and nose; rotating, inter-changeable ears; and it speaks to you.

For the technical, it's a small embedded (I'm pretty sure) Linux device with a wi-fi card, some LEDs, a motor and a speaker. It connects to your wi-fi and then the world's your oyster.
So far, I have it telling us the time (on the hour), reading us RSS news feeds, giving us the weather & traffic news in the morning, oh, as well as being the alarm clock and waking us up. Plus, you can email or text it and it will use text-to-speech to say whatever you want it to.

It does all this with an odd elegance, what you might expect from what the devs call a 'Smart Device'. It jingles when you receive a message and rotates its 'ears' when relaying the message; but it also performs some random background functions like performing 'Tai Chi' every now and then (this is pretty much just a choreographed light/audio/movement show), and it pulsates quite subtly like it was 'breathing', so adds to the personality of the device, which humanises it even more.

nabaztag

Another present arrived this week as well. My 'Laputa Robot' finally arrived; obviously, it was due for arrival before my birthday on the 25th Oct, so it is very late.

laputa

And so, by adding these two toys to our display unit we achieve the following:

unit


Innovation

I tend to leave the TV on in the background, even if I'm reading or 'playing on my laptop' (as Kate says), but usually leave the volume quite low.
I keep the subtitles on all the time so I don't miss anything when I'm actually watching a programme, as I like to keep the volume down anyway.

So I've become quite obsessive over the correctness and coverage of the subtitling, which suits a grammar/spelling nazi like me, and often results in various levels of hilarity when errors are encountered.

So, the other day (I think it was Monday morning), when watching an advertorial for the BBC's tech show 'Click' (née 'Click Online'), I had both my computer and speling geek buttons pushed when the narrator, describing the introduction of 'MS Home Server', spoke of the innovation by Microsoft at CES this year, whereas the subs spoke of the "invasion of Microsoft in the Home this year."

I would’ve thought it an intentional joke on behalf of the subtitler, and thus quite an intelligent one, had they not corrected themselves.
