PC Pro

PAUL OCKENDEN

Paul laughs at some lost-in-translation Arabic meatballs and explains how small businesses can use Excel to fight hackers

- PAUL OCKENDEN Paul owns an agency that helps businesses exploit the web, from sales to marketing and everything in between @PaulOckenden


I’ve always been fascinated by the concept of computer-based language translation. At first glance, you might think it’s just a simple case of word substitution. Replace “dog” with “chien”, or “cat” with “chat”. This sounds like a task suited to simple software, but what about a word like “bark”? Is it the noise that a dog makes (aboiement) or the stuff that lines the trunk of a tree (écorce)? And it can get much more confusing – according to Guinness World Records, the word “set” has 430 different meanings. You soon start to realise that simple word replacement doesn’t even begin to address the needs of machine translation. And that’s just individual words – imagine how difficult it gets when you introduce phrases, gender, tenses, idioms and dialects.

That’s why I’m slightly in awe of what machine translation can do. Yes, over the years there have been some notable faux pas attributed to computer-based translation. One that sticks in my mind was seen in the buffet at the Erbil International Hotel, which is in the Kurdistan Region in northern Iraq. A dish of meatballs had been translated into Arabic as “”. Actually, that’s not a translation at all – apparently there’s no Arabic word for meatballs. Instead it’s a “transliteration”, showing how the original word would sound in a different alphabet – those Arabic words are pronounced “mayit bul”. The trouble is, when you ran that Arabic phrase through Google Translate, it came out as “Paul is dead” and so that’s what the sign said on the buffet table in the hotel restaurant. The final chapter to this is that Google has subsequently updated its algorithm so that “” now comes out as meatball – all because for a few months in 2014 this story went viral. That’s a good example of a feedback loop!

Google Translate is the translation engine that most of us are familiar with. Its web interface works well, and if you use the Chrome browser, it will also dive in when needed and translate whole websites for you – in fact, some websites link back through Google Translate as a cheapskate way of providing alternative languages. Microsoft offers similar facilities with its Bing Translator and goes one better with a “Conversations” service, where a group of people can connect up remotely and each speak or type in their language. The system supports up to 100 participants, although I’d imagine that could become quite unwieldy and difficult to manage.

A good test for machine translation is to convert a phrase from English to another language, and then to translate it back to English. A few years ago, the results were usually quite humorous (for instance, “native speakers” became “Aborigines” after the round trip translation), but these days it’s normally spot on.

Both companies also have mobile translation apps, available on Android and iOS. The great thing about these is that they work with the device’s camera. With Microsoft Translator, you take a picture and it translates any text it spots. Google Translate goes even better, replacing text in real-time in a live view. It’s clever to watch, but I don’t think it’s as accurate as Microsoft’s approach. For spoken text, both apps have a conversation mode but they work differently. With Microsoft, both parties speak into their own phone, whereas with Google one phone will translate both sides of the chat.


Pucker up

I’ve recently been looking at an alternative: a device called Travis Touch. It has a small LCD screen, but it’s puck-shaped so doesn’t look like an expensive phone – an advantage if you need to use it to converse with total strangers in an unfamiliar city. It supports shedloads of languages and it has multiple translation engines available so accuracy is good.

Setup is clunky, especially as the screen is small and hard to read. But in conversation mode, it’s easy to use. Each party has a dedicated button that they press when they speak, and then the translated text is repeated back. Since I’ve been testing, a newer version has been released called Travis Touch Plus, which has a conversation mode that works more like Google’s app. It has offline support for simple phrases in a few languages, but for the full potential you need a data connection. You can use Wi-Fi or the device supports a SIM card (Travis will sell you a data SIM with global roaming for €29).

I can see the advantages of Travis Touch, especially when it comes to the multitude of languages it supports. But I can’t help thinking that for most people the various phone apps are perfectly adequate, and the fact that they’ll translate text as well as speech is a massive bonus, especially when it comes to things such as menus and hotel room folders.

Under attack

I caught a news report the other day that said that a third of UK businesses had identified a cyber attack in the past 12 months. It was reported as a huge thing, but I’m surprised the number is that low. Perhaps the clue is in the word “identified”. I reckon most businesses will have been attacked, it’s just that some aren’t aware of it – particularly smaller ones.

There are two main types of attack. The first type targets a particular business or person, and it’s still relatively rare. And then there are scattergun attacks just looking for anyone who bites. I reckon most businesses will have been subject to this latter type of random attack, whether they realise it or not.

Such attacks take many forms. Most of us are aware of phishing emails, for example. Those aimed at the general public are usually very easy to spot, full of bad English and spelling mistakes. I have a theory that this is deliberate – it’s a filter. If someone doesn’t have the brain power to spot the obvious scams, they’re probably also going to be slow at reporting the issue to their bank or the police, giving the bad guys more time to extract any funds before their scam gets shut down.

However, business phishing scams tend to be much more sophisticated. Cleverly designed to look like genuine Xero invoices, for example. And with sensible domain names. Think you’re good at spotting these things? I did until I took a Google quiz (phishingquiz.withgoogle.com). I assumed I’d get top marks but one example caught me out.

If you’re responsible for the IT infrastructure of a medium to large-sized company, you probably have a whole suite of network protection and security tools, including things such as intrusion detection systems to defeat anyone trying to probe the gateways onto your network.

LEFT Travis Touch has the security advantage that it doesn’t look like an expensive phone

Smaller companies, though, will have more limited resources – and, as I mentioned, they probably don’t realise they’re under attack just as much as the bigger firms. One place you may spot it is if you have a contact form on your website. Sometimes you’ll see people trying to add SQL commands, typically something like password' or 1=1 returned in one of the fields. This will be a script going through your website hoping to find and bypass a login check.

How does it work? Well, the attack is relying on you doing a very simple database lookup to log people in. Something like:

    SELECT id FROM users WHERE user='%user' AND pass='%pass'

Where “%user” and “%pass” are the username and password typed in to the login form. But if the attacking script enters a password of “password' or 1=1” then the SQL becomes:

    SELECT id FROM users WHERE user='fred' AND pass='password' or 1=1

That’s always going to return an ID – the “or 1=1” at the end means that the test will never fail – so this will completely bypass the username and password lookup. It will actually return the ID of the first user in the logins table, and nine times out of ten that will be the website developer, so the account that gets logged in will have maximum privileges.

This form of attack is known as SQL injection and there are all kinds of things that you can do to protect against it. Hopefully, your web team will have done so, which is great, but in most cases these attempts are simply thrown in the bin. Nobody will know that someone tried to gain access to your website.

Instead, you should consider logging them. Be careful if you log them to a database, though, because some attacks are aware of this and will try a second level of injection attack! A key bit of information to record is the IP address of the attacking machine.
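As an added illustration (not code from the column), the Python sketch below uses bound parameters both for the login lookup and for the attempt log, so the payload quoted above can neither bypass the check nor attack the logging table. The table layout, the detection pattern and the sample address are assumptions made for this example.

```python
import re
import sqlite3

# Assumed heuristic: a quote followed by SQL keywords or terminators.
SUSPICIOUS = re.compile(r"'\s*(?:or\b|and\b|union\b|;|--)", re.IGNORECASE)

def make_db():
    """Constructed schema and rows; a real site would store salted password hashes."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT, pass TEXT)")
    db.execute("CREATE TABLE attempts (ip TEXT, field TEXT, value TEXT)")
    db.executemany("INSERT INTO users (user, pass) VALUES (?, ?)",
                   [("dev", "dev-secret"), ("fred", "fred-secret")])
    return db

def login(db, user, password):
    """Placeholders bind the typed values as data, so they never become SQL."""
    row = db.execute("SELECT id FROM users WHERE user = ? AND pass = ?",
                     (user, password)).fetchone()
    return row[0] if row else None

def log_suspicious(db, ip, fields):
    """Record injection-looking fields with the sender's IP; returns the hit count."""
    hits = 0
    for name, value in fields.items():
        if SUSPICIOUS.search(value):
            # Bound parameters again: a payload aimed at the log table is
            # stored as inert text (truncated to keep rows small).
            db.execute("INSERT INTO attempts (ip, field, value) VALUES (?, ?, ?)",
                       (ip, name, value[:500]))
            hits += 1
    return hits

def demo():
    db = make_db()
    ip = "203.0.113.10"  # constructed address from a documentation range
    form = {"user": "fred", "pass": "password' or 1=1"}  # payload quoted in the text
    hits = log_suspicious(db, ip, form)
    user_id = login(db, form["user"], form["pass"])
    logged = db.execute("SELECT ip, field, value FROM attempts").fetchall()
    return user_id, hits, logged

if __name__ == "__main__":
    print(demo())
```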

You may start to notice that you’ve been attacked on several occasions from the same IP address – this will usually be an infected PC that’s part of a botnet. But sometimes you’ll also notice a whole range of similar addresses, perhaps with just the last part (octet) of the IP address changing.

I’ve discovered that this is often one of two things: a professional botnet or else just someone that offers cheap “no questions asked” servers (physical or virtual). Professional botnets are a relatively new thing. In the past, botnets relied on infected machines right across the internet, all taking commands from a central controller somewhere. These systems are run on a commercial basis – you can hire them with a starting price of around £5 per hour for 1,000 machines, although that’s the lower end of the scale – there are many operators charging significantly more. Some people realised there are big bucks to be made, especially if they can offer something a bit more reliable than a bunch of infected machines that are likely to get switched off or “cleaned” at some point. So more professional outfits have emerged.

It started with them hiring cheap virtual or physical servers in data centres around the world, but they’d often have their services suspended when the hosting company received abuse complaints. So it’s now reached a new level, with data centres specifically designed to host machines used for malware or DDoS attacks. One of the most well-known is Region 40 – also known as Qualitynetwork, which originally operated out of Kaluga, Russia, but now has servers in other countries such as Estonia.

Although these services will often try to hide where they are, using incorrect registration data for the IP blocks (claiming to be in France, for example), ping tests can be used as a form of echolocation. If you ping a server from around the world and compare the return trip times with a list of known locations, you can start to estimate where it actually sits.

The odd thing is that the outfits leave behind other clues that point to their network. Take the IP address 188.68.3.10 – if you look that up on the WHOIS page on the RIPE site (RIPE looks after IP allocations for a region that includes Europe and Russia), you’ll find that it claims that the IP address is in the Czech Republic, which is nonsense. But it also lists the owner as QUALITYNETWORK, which is part of the Region 40 setup.

I mentioned that these professional botnet networks are one of the two reasons you’ll find clumps of similar IP addresses in your attack logs. The other is because of the stupidly cheap data centres that are springing up around the world. These are usually operated on a shoestring – hardly any staff, old and unreliable hardware, oversubscribed IP feeds. Being so cheap causes a couple of problems. First, they’re the first port of call for people looking to run nasty things and, second, because there’s no network protection or staff to monitor things, many of the other machines in the same data centre get infected too. There’s usually no isolation between the machines.

Shut that door

So back to the problem of network attacks. If you discover that you’re getting hit repeatedly, you’ll want to block those addresses in your firewall, and, if you’re seeing lots of nearby addresses, it makes sense to close the door to that whole netblock, rather than just the individual IP addresses.

A netblock is the range of IP addresses you get with any internet connection. A typical medium-sized organisation might have a Class C (classful notation was deprecated in 1992 – people still talk about it), also known as a “/24”. This means that they get full use of the last part of the IP address. There are 256 addresses available but you can’t use .0 or .255, so there are 254 usable addresses. Or maybe a company has a /23 (which means two adjacent values in the third octet of the IP address plus full use of the last octet).
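The grouping step described above can be scripted; this added Python example (not from the column) collapses logged attacker addresses into /24 blocks once several distinct hosts from the same block appear, and keeps single-host rules otherwise. The threshold, the fixed /24 grouping and the sample log are assumptions; the registered netblock may be larger or smaller than a /24.

```python
import ipaddress
from collections import defaultdict

# Constructed attack-log addresses (RFC 5737 documentation ranges).
SAMPLE_LOG = [
    "203.0.113.7", "203.0.113.19", "203.0.113.200", "203.0.113.7",
    "198.51.100.4", "192.0.2.77", "192.0.2.78",
]

def block_candidates(ips, prefix=24, min_hosts=3):
    """Return firewall rule targets: a whole block when at least
    min_hosts distinct addresses fall inside it, else single hosts."""
    seen = defaultdict(set)
    for text in ips:
        addr = ipaddress.ip_address(text)
        # strict=False masks off the host bits: 203.0.113.7 -> 203.0.113.0/24
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        seen[net].add(addr)
    rules = []
    for net in sorted(seen):
        hosts = seen[net]
        if len(hosts) >= min_hosts:
            rules.append(str(net))  # close the door on the whole netblock
        else:
            rules.extend(f"{host}/32" for host in sorted(hosts))
    return rules

def usable_hosts(cidr):
    """Addresses in the block minus the network and broadcast addresses."""
    return ipaddress.ip_network(cidr).num_addresses - 2

def halves(cidr):
    """Split a /23 into its two adjacent /24 blocks."""
    return [str(n) for n in ipaddress.ip_network(cidr).subnets(new_prefix=24)]

if __name__ == "__main__":
    print(block_candidates(SAMPLE_LOG))
    print(usable_hosts("188.68.3.0/24"))  # the route quoted in the article
    print(halves("198.51.100.0/23"))
```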

So given the IP address I spoke about, 188.68.3.10, what’s the relevant netblock? Well, you could try looking at the RIPE WHOIS page (pcpro.link/298ripe) where the “inetnum” is listed as 188.68.3.0 – 188.68.3.255 and the route as 188.68.3.0/24. The trouble is, there are different registries for various regions, so a US address won’t show up in the RIPE database.

There are lots of tools that search globally, but I like DShield, which is provided by the SANS Internet Storm Center, a respected resource. If you go to pcpro.link/298dshield, you’ll see more information such as the name behind the AS number (used to route traffic). In this case, you’ll see it’s the notorious Region 40 – something that wasn’t obvious from the RIPE lookup.

The great thing about DShield is that it’s available as an API service. If you go to pcpro.link/298xml you’ll see the important data returned in XML format.

A nice trick is to load the list of IP addresses into Excel, and then using a combination of the built-in WEBSERVICE and FILTERXML functions, you can pull in the data from the web service. So if you have an IP address in cell A1 you can use:

    =FILTERXML(WEBSERVICE("https://dshield.org/api/ip/"&A1),"//network")

to look up the full network range. Or use “//country” or “//asname” to find other useful bits.

Having all of this in a spreadsheet makes it easy to pull out suitable netblocks to ban at the firewall level. Just one word of warning – Excel’s FILTERXML and WEBSERVICE functions only work on the Windows version of Excel, so you can’t use them on a Mac or with Excel Online.


BELOW Mmm, a sizzling dish of “Paul is dead”

ABOVE Google’s Translate app shows a real-time translation, whereas Microsoft uses a snapshot approach and seems more accurate

BELOW You can get Excel to look up information about an IP address using the DShield API

ABOVE DShield returns a lot of useful information about an IP address
