Support wouldn’t change his password, so he mailed them a bomb

by Lisa Vaas, Sophos

Read Article at Naked Security

On 8 March, Cryptopay co-founder Wesley Rashid began to open a padded package addressed to two of his employees.

Something about it struck him the wrong way, though, so he didn’t open it all the way. That was a fortunate decision. The package held a bomb that could have injured or even killed him.

London’s Metropolitan Police announced on Friday that the sender, a 43-year-old Swedish man named Jermu Michael Salonen, has been sentenced to six and a half years in prison for sending the potentially lethal homemade bomb.

It turns out that the package had been delivered months earlier, around November 2017, to an office unmanned by Cryptopay employees. The UK crypto-wallet business had at one point employed an accounting firm that did have an office in that location, but fortunately nobody at the accounting company opened it on behalf of its client. The letter bomb just sat there, unopened, for five months.

Forensic specialists managed to retrieve some DNA samples from the package, but no matches were found in the UK. Investigators turned next to Interpol, and that’s when they hit a match, turning up Salonen’s DNA sample in Sweden.

Police said he was known to Swedish authorities. In addition to being found guilty of attempted murder by Stockholm District Court, Salonen was also convicted of mailing threatening letters to Swedish lawmakers and government officials.

Finally, he was also found guilty of 20 counts of threats in relation to letters filled with a mysterious white powder that was sent to Swedish lawmakers. According to the Associated Press, Prime Minister Stefan Lofven received some of that powder in August 2017, along with a handwritten letter that said: “you will soon be dead.”

When police asked Cryptopay what could have motivated Salonen to send the company a pipe bomb – or, rather, two pipe bombs, which is what investigators found when they picked apart the explosive package – the only thing the company could think of was that it had declined his request for a password change.

In August 2017, Salonen, a customer of Cryptopay, emailed their customer services team to ask for a new password. They refused, given that it was against the company’s privacy policy.

A fair point, as it’s never a good idea to send a new password in an email. A password-reset link is safer all round, although it’s not clear if Cryptopay offered this option to Salonen.

Commander Clarke Jarrett, head of the Met Police Counter Terrorism Command:

Salonen seemingly made and sent a device that had the capability to seriously harm and even kill over something as inconsequential as a change of password.

Fortunately the bomb did not detonate. It was due to sheer luck that the recipient ripped opened the package in the middle rather than using the envelope flap which would have activated the device.

Sheer luck, sheer four-leaf clover, sheer good sense to stop when things seem a bit off.

Next time you have to deal with a customer service rep, or your help desk staffers, or anybody who deals with opening your organization’s mail, be gentle. It’s shocking to think that any of them could one day risk their life at the hands of a mentally unstable, disgruntled customer, all over the most trivial of help-desk requests.

by Danny Bradbury, Sophos

Microsoft Windows 10 users were left livid late last week after Microsoft mistakenly told them that their licenses were invalid.

On Thursday, Windows 10 Pro and Enterprise customers began complaining online that Microsoft was declaring their license keys invalid. The users, who confirmed that they had legal copies of the operating system, were told that they were actually using Windows Home. When they checked, the Pro version was still installed.

The problem led to Windows deactivation, according to some:

My digital entitlement is gone from my Microsoft account and I have a Windows 10 Home key now. Windows is deactivated because I went from Windows 10 Pro to Home and it doesn’t match anymore.

The issue affected both Pro and Home versions of Windows 10 that had been upgraded from earlier versions of the operating system, along with clean Windows 10 installs, according to posters on Reddit.

One Windows user reported that purchasing a Windows 10 Pro key in the Microsoft store was listed as an option for him, even though he had already upgraded to Windows 10 Pro years ago. When he tried to repurchase the key, it would not let him.

Customers were confused by what seemed to be inconsistent responses from Microsoft. Microsoft Support’s Twitter account denied any knowledge of a problem with Windows activation:

@x_rus_x Hi there! Thank you for alerting us about this. There are no known issues regarding license deactivation.… twitter.com/i/web/status/1…
—
Microsoft Support (@MicrosoftHelps) November 08, 2018

It then fell to a mixture of customers and volunteer moderators to tell the rest of the customer base what was happening. One of them posted this response from a Microsoft live chat support agent:

I am very sorry to inform you that there is a temporary issue with Microsoft’s activation server at the moment and some customers might experience this issue where Windows is displayed as not activated. Our engineers are working tirelessly to resolve this issue and it is expected to be corrected within one to two business days.

An actual Microsoft employee then commented on the customer’s post to offer an official explanation, and a volunteer moderator on the company’s forums also stepped in to relay information about the issue.

By the end of the day on Thursday, the company had indeed fixed the problem, according to reports.

Users also said that they were able to run the Activation Troubleshooter program manually to fix the problem if Microsoft’s changes didn’t correct it automatically.

Some customers were irked by Microsoft’s regular online checks for operating system legitimacy. “And someone please once again explain why DRM for an operating system was a good idea?” quipped one. Another complained that Microsoft had created a system to deter pirates with its regular online checks but ended up causing trouble for paying users.

Unfortunately, this isn’t the first time that Microsoft has let users down with its constantly connected operating system, which also offers the ability to install updates automatically for users. Just last month, the company had to stop offering its October 2018 update after users complained that it was deleting files.