Change your ISP WiFi Password in 2017

Here’s a rather odd New Years Resolution for you. If you have SKY Broadband, change your WiFi Password. If you have another ISP, read on. This is likley to apply to you too!

Why? Because the default passwords, while they look random, are pretty weak compared to the tools attackers have available in 2017.. As I found out by hacking my own sky wifi.

Mumble Mumble, WPA2, Secure, no flaws… right?

Well yes, modern wifi protection (WPA2) is very good, there are no known flaws to speak of, which leaves attackers one option: age old password guessing or ‘brute force cracking’.

So whats the problem?

All the Sky Wifi routers i’ve seen so far (friends houses, mine, etc) all have passwords of the following format;

  • 8 Upper Case A-Z characters.

‘be safe online, choose good passwords’ is drummed into us everywhere now, (I even saw some posters on the London underground!) so most of you will see the problem, 8 characters of uppercase A-Z requires a hell of a lot less guesses at the password than if we threw in some numbers, or some lower case characters, or some special characters (* ~ @ etc).

We could also make the password longer, or a mixture of all of the above.

How bad is it?

OK, looking at it technically, any combination of 8 A-Z characters gives you 208827064576 possible combinations.

26 ^ 8 = 208827064576

Sounds like a lot of guesses, but for a modern graphics card, 80,000 to 300,000 guesses a second is pretty trivial depending on the card.

208827064576 / 80000 = 2610339 seconds.
2610339 / 60 (minutes) / 60 (hours) = 725 Hours

So one entry-level graphics card at 80,000 guesses a second would take 725 hours (30 days) to guess every possible password the router could have by default.

Thats not very long considering your neighbours likley posses the computing power needed to be on your network in less than a month.

To the Cloud!

Someone with a graphics card can do the above, but more concerning, anyone with a bit of knowledge can actually guess much quicker for a fraction of the price!

Introducing Amazon web services (AWS), offering computing and number crunching power in the cloud, hired by the second/hour/day; A solution for millions of businesses and startups that don’t want to buy and manage their own server farms. AWS likley powers apps you use every day. Netflix being one example.

But these resources can also be used to speed up our guessing process, here we have an AWS instance (computer in the cloud) offering 16 graphics cards in one, for the low low price of £11.70 an hour.

Amazon AWS Graphics Card Instances.


16 times the power!

So now the guessing process just got 16 times quicker, without having to buy any graphics cards or have any computers running at home at all.

Here we can see the AWS instance running a brute force password guessing attack against my router, using all 16 graphics cards at once.

Knowing the password will be 8 upper case A-Z characters makes automating this attack much easier. This tool can just be left running.

We can see that each of the 16 graphics cards is producing over 80,000 guesses a second, giving us a total of 1394,000 guesses/second.

208827064576 / 1394000 = 149805 Seconds
149805 / 60 (minutes) / 60 (hours) = 41.7 Hours

So now we 100% know, that we will have found the password within 41.7 hours. It could take less (remember that 100% is every possible guess, chances are the actual password won’t be the last one we try.. so we could get lucky and find the password after 10%, 40% etc).

You see i’m 4% through, with 1 hour and 20 mins elapsed and 1 day and 15 hours to go. Thats slightly less than our calculator estimate above.

24 + 15 + 1hr20 = 40 Hours 20 Mins.

Say 41 hours in total (including setup of the Amazon AWS machine). Thats £480 and less than two days to guarantee I have access to your network.

Now this may sound like a lot of money, but consider malicious intent, be it corporate espionage, ransomware, spying, further hacking the computers on the network (e-mail, facebook, online banking etc).. £480 is actually affordable to most.

Not Just Sky

I feel it necessary to say i’m not having a go at Sky specifically here. They just happen to be my ISP and I noticed the default passwords were A-Z only.

There are many, many other broadband providers that ship WiFi routers with the same style of A-Z only 8 character passwords. Check yours and if necessary, log into the router and change your password to something more secure, see below for details.

Whats the solution?

So heres the thing about password guessing, knowing the format of the password ahead of time ( 8 characters, all A-Z uppercase for example) makes knowing the amount of guesses simple, as you saw with our easy calculations above.

Changing that length, or changing the ‘known format’, makes an attackers life much harder.

Lets say for example, the attacker knew the password was A-Z uppercase, and between 6 and 8 characters long. Suddenly, they would have to try guesses for

  • A-Z combinations with 6 characters (308915776 guesses)
  • A-Z combinations with 7 characters (8031810176 guesses)
  • A-Z combinations with 8 characters (or original 208827064576 guesses).

Thats an extra 8340725952 guesses on top of our original number in order to guarantee we crack the password.

8340725952 / 1394000 (guesses a second) = 1.67 hours
Costing the attacker an extra £19.53

Now obviously, i’m not suggesting making your WiFi password shorter. I’m just saying that not knowing the exact format and composition of a WiFi password can make the process harder, longer and less effective.

Lets look at what we should do, and the implications to an attacker…

A single extra character, still A-Z uppercase:

5429503678976 possible combinations = 45 Days on our AWS setup = £12,000

Two extra characters, still A-Z uppercase:

141167095653376 possible combinations = 1172 Days (3.2 years!) on our AWS setup = £329,098

8 characters, combination of A-Z upper and a-z lowercase.

54507958502660 possible combinations = 452.5 days on our AWS setup = £127,062

8 characters, combination of A-Z upper, a-z lower and numbers 0-9

221919451578090 possible combinations = 1842.5 days on our AWS setup = £517,387.5

So there you have it.. more characters is good, different ‘character sets’ (numbers, lowercase etc) is good.

I’d recommend not going for <Dictionary Word>123. or <Dictionary Word><Dictionary Word> as other ‘dictionary attacks not covered in this post will try combinations of words to crack the password instead.

Personally, I prefer the options above, random with more characters and character sets, or if you do want to use words to make it really long, add a good number of letters + numbers of randomness at the start, middle or end.

Either way, you’re going to be in a much better position than an attacker seeing a ‘SKYABCD’ style WiFi network and knowing he has a guaranteed way in.

Comments or corrections to twitter @mattdashj


Signing Exchange E-Mail on the iPhone 7 / 6 / 5 or iPad

Quick walkthrough for setting up signed outgoing e-mails on the iPhone / iPad

Scenario: You have a free E-Mail signing certificate such as the one from Comodo, you’ve set it up on your desktop/laptop e-mail, but you also send a lot of mail from your iPhone / iPad too.

There are two steps to getting signed mail working on the iPhone.

Step 1: Install your certificate and Private Key onto the iPhone using the ‘Apple Configurator version 2’.

Download the ‘apple configurator 2’ from the App Store onto your mac.
(This is a tool from apple that lets you create profiles and roll-out changes such as certificates to your iPhones/iPads/AppleTV’s.

Open it.

Goto File > new profile.

A new profile window appears, In the general tab, give the profile a name as below:


Then, go into your mac key store (The app is called ‘keychain access’). Goto certificates, you should find your imported Comodo cert listed with your e-mail address as the title as below:


Right click your mail certificate and chose export.

This will export your Certificate and Private key into one ‘.p12. file. You’ll be prompted to protect the exported certificate with a new password. (Don’t leave it blank. You’ll only need the password once in about a minutes time, so may as well make it strong!).



Now you should have a ‘.p12’ file in your documents. Yes? Good.

Back to the Apple Configurator Profile screen.. Click on the ‘Certificates’ section on the Left and click the ‘Configure’ Button. You will be prompted to add a certificate, use the finder window that appears to find and select your new .P12 file.


You will then need to give the Profile the password you just used for the P12 export. Type it in the ‘password:’ field, you’ll know if it’s right as the window will change from showing this:


To this:


Thats it! We can now save this profile and add it to our iPhone/iPad.

Save it by clicking the title at the top of the profile window and give it a name. Mine saved in my iCloud drive, this is fine.


Now, plug your phone into your Mac via USB. It will appear in the ‘Apple Configurator 2’ Main window.




Right click it, chose Add > Profile. Then select our new .mobileconfig file we’ve just saved.




Then, follow the instructions on the Mac and on your iPhone to install the certificate.. The iPhone will need your iPhone password and warn you the ‘Profile is unsigned’. This is fine.

Once done, you can unplug your phone from your Mac, you’re ready for step 2…

Step 2: Turn S/MIME E-Mail signing on within your iPhone settings and select the certificate you just uploaded.

This is the easy bit.

On your phone. Go into settings > Mail.

Chose ‘Accounts’, then select the account the certificate is for (Mine is my Exchange account).

Then, select the ‘Account [email protected]’ line at the top of the screen to drill into that accounts’ settings…


From here, Click ‘Advanced Settings’.

Finally, in Advanced settings, turn ‘SMIME’ to on. Then click on the new option ‘Sign’.


Turn the sign setting on, you’ll be asked to chose a certificate. The one from the profile we uploaded should be listed for you to select, as below:


Thats it, your e-mails should now be sent signed!


Google Nexus 4 Smartphone

I was going to write about the new Nexus 4 i’ve finally managed to get my hands on, and why, after many years of my mobile phones all having names beginning with ‘i’, I’m actually finding this new android device hard to fault…

But this guy pretty much 100% summaries my thoughts for me, right down to why previous attempts for me running android have failed.. and therefore saves me the trouble! Worth a read, whichever side of the fence you are on!


OpenSolaris / Solaris Express to Solaris 11 boot Issues

I have had a trusty Solaris box at home now for 5-6 years running a few things;
– ZFS for my files, sharing out through SMB for media, iSCSI for playing with Netbooting and VMware shared storage.

– Xen (More recently) running on a Solaris Dom0 hosting a number of Centos5 DomU’s for other linux server based stuff.

– Multicast/Bonjour spoofing and apple filesharing making an excellent ‘fake’ timemachine for backing up my Macbook pro onto ZFS (works flawlessly and doesn’t have a single disk prone to failure unlike the time capsules

Over that time, I’ve either in-place upgraded, or overwritten the OS and let the new version of Solaris import the ZFS pool from;

Solaris 10, Solaris SNV_8X (Sun Internal), Solaris SNV_9X (Sun Internal), OpenSolaris (SNV_1XX), Oracle Solaris Express (SNV_151).

And everything was pretty much good 🙂 Until now, now I tried to take the latest update, moving to the newly released Solaris 11.

Lots of things have changed in Solaris 11 compared to the SNV/OpenSolaris/SolarisExpress years (well, i’m not saying there hasn’t been a lot of changes during that time, just none that have negatively affected me, where as these do);

– Support removed for Linux branded Solaris Zones
– Support removed for Solaris 11 to be a Xen Dom0, or indeed be the base of any form of visualization solution apart from Solaris zones and VirtualBox (Guessing to allow Oracle to push it’s visualization product)
– No check in the ‘pkg update’ procedure as to wether the Xen kernel was in use before upgrade.

So, cutting to the POINT OF THE POST, I updated, a new boot environment was created, update successful, rebooted, boot fails!

You could just boot the previous Boot Environment, which works, but this is what you’ll need to do to boot the new BE;

1. Open the grub menu.lst from /rpool/boot/grub/menu.lst
2. Find the last entry in the file (named after the Boot Environment you’re having issues with)
3. Remove the references to Xen, as below;


title example-solaris-1
findroot (pool_rpool,0,a)
bootfs rpool/ROOT/example-solaris-1
kernel$ /boot/$ISADIR/xen.gz console=vga dom0_mem=2048M dom0_vcpus_pin=false watchdog=false
module$ /platform/i86xpv/kernel/$ISADIR/unix /platform/i86xpv/kernel/$ISADIR/unix -B $ZFS-BOOTFS
module$ /platform/i86pc/$ISADIR/boot_archive


title example-solaris-1
findroot (pool_rpool,0,a)
bootfs rpool/ROOT/example-solaris-1
kernel$ /platform/i86pc/kernel/$ISADIR/unix -B $ZFS-BOOTFS
module$ /platform/i86pc/$ISADIR/boot_archive

We have just removed the Xen kernel and options and instead told grub to boot the ‘normal’ Solaris kernel. It seems pkg update don’t check for this when upgrading.

Now reboot and try the Boot Environment from the grub menu, should load fine and after some information about upgrading the SMF versions, you’ll be ready to login.

The second issue I found after this is that my SMB shares were not available, seemed that the SMB service was stopped due to dependencies, starting the following services magically made my shares come back to life;

svcadm enable idmap
svcadm enable smb/client
svcadm enable smb/server

Verify with ‘share’;

[email protected]:~# share
IPC$ smb - Remote IPC
Matt /F43Datapool/Matt smb -
Public /F43Datapool/Public smb -
c$ /var/smb/cvol smb - Default Share

I hope this helps someone, the last thing I have to work out is whether VirtualBox will provide as stable a solution for my Linux VM’s as Xen (as it seems to be the only option I have now, apart from moving back to Linux and losing ZFS/SFM/Crossbow/Comstar etc which I really don’t want to do).

That said, it really annoys me that Oracle have removed such a simple and powerful combination of Xen Dom0 and ZFS in the base solaris image, it served a perfect need for people who don’t need a full, separate, virtualization product such as testing, home use, small businesses etc. Why remove Dom0 support but keep DomU support! Anyone know?

O2 exposing mobile number of website visitors?

Here’s something that seems a little interesting, O2 appear to be sending a header of the end users mobile number, to any website visited over their mobile data network.

Header is ‘x-up-calling-line-id’
Other networks don’t feel the need, I wonder what their reasoning is, either way, questionable privacy fail here!

More info here;

Lacking Something?.. It’s always customer service.

n So, it turns out i’m one of the lucky 46,524 ElReg (The Register) readers who has had their e-mail address spammed to a few thousand people… who have in turn, kindly placed it on PasteBin, random torrent sites, many forums, the side of the moon with a laser and other such annoying places!

And yet, i’m not that annoyed!

Here’s why… and I think in this day and age of everyone worrying about every bit of data, it’s important;

1. I’m called Matt and my blog is at Is it really that hard for a targeted phishing attack to work out an e-mail address in the first place?

2. It’s the register, a website that takes pride in highlighting technical cockups, basterdisations, IT Fo Pah’s and Comical! Yahoo! Related! Exclamation! Mark! Frenzy! Issues! before they’ve even sat down for the morning caffeine…. So no matter how annoyed we are all individually feeling, I’m pretty sure as an organization they’ll be feeling ten times worse for being beaten at their own game.

3. Did I mention it’s the register? I’m finding it quite hard (Maybe a psychologist wants to tell me why) to get annoyed with such an instutution within the industry, somewhere that generally gives you a good morning roundup of crap you need to concern your little head with.

But mainly because (and this is the important bit I was talking about at the beginning, the rest was just to test your stamina and determination!)…
They owned up, instantly, in an e-mail to everyone affected, disclosing figures that are far too un-rounded to be made up!

Yes, I think that’s it… Look at the recent Blackberry incident, it wasn’t that the service was down, it was that no-one from blackberry would give any of the circling vultures a single word for hours, even as speculation grew, nothing, twitter messages a-plenty… nothing! THAT’S the problem.

So ElReg, as much as you’ve amassed a million cocks to put yourself (and my e-mail address) in such a bastardy situation, it’s not going to stop me reading your news in a morning, fair play for making a hard decision.

And everyone else, I don’t claim to know much about business, but if you’re sucking at an all time low when competitors around you selling exactly the same service/product/moon etching laser are doing well, you may want to look at becoming more open and transparent with your customers.

Just my 10p, keep the change!


Step by Step Lync 2010 Enterprise Voice with Cisco Call Manager Express (or UC500) Part 2

The second part of our Lync CUCME /CME integration efforts, once again kindly written up by (I swear he doesn’t sleep!)

Usual Words of warning..

Be careful if you use these configurations on a live system and do not simply copy and paste this configuration in to a running CME or UC500 system, check your dial-peers and translation rule numbers (“show run” is your friend) otherwise you might overwrite something you later come to regret!

Call Manager Express Inbound Call Configuration

This first key to enterprise voice is to allow the users on Lync to dial our Cisco phone users as well as external numbers on the PSTN. The following example below is from my live running CME router:

Nothing clever above, the IP address above is that of your Lync mediation server and the standard mediation server port (5068), keep an eye on the port number and ensure it matches up with your mediation server port if you changed it and do not simply enter 5060 because it is your UC’s SIP port. This port number is the number the UC talks BACK to your Lync server on.

Although the above doesn’t appear to be mandatory as our UC still dialled a number coming out of Lync without this, we found that it was intermittent at best and we could no longer control things such as class of restrictions without it.

Call Manager Express Outbound Call Configuration

The next step is to allow a user to call a user who is on the Lync platform, to do this is a little bit more complicated. To make the experience a little easier on the user (and you can’t easily dial a + on a Cisco phone) we are going to create a translation rule and link this to our dial peer.

By creating this translation rule it will allow a user to dial simply 5xxx and the CME/UC500 router will automatically add the + to the extension as it exits the CME/UC500 system, remember Lync requires e.164 style numbers so this is going to give Lync what it wants.

Be aware single number reach will not work with this configuration, my next blog post will be on how to co-exist with Lync using Cisco Signal Number Reach on the CME/UC platform.

Translation Rules

A translation rule consists of 2 parts, the rule itself and a profile that the rule is linked to, below is the translation rule and translation profile created on our system to make this work. Be aware you need to create the rule first before creating a profile.

The rule below simply adds a + in front of anything dialled that starts with a 5 and is 4 digits long.

Translation Profile Creation

This profile simply calls the above translation rule.

Now that we have create the translation profile and translation rule it is time to create a dial peer that will call the Lync server when a user dials 5xxx.

Below is the live running configuration from our CME router, again be wary of the port as it needs to be the port of the mediation server.

Once you have done the above is you should now have a fully functional enterprise voice installation, ensure that you enable a user with Enterprise voice.

Enabling a User for Enterprise Voice

An example Lync user configuration is below, enabling Enterprise voice is simple just select the option. It is important to set the Line URI.

In the example below I have configured the “tel:” to be my Lync phone number so in my example below it is 5346 and have also included my Cisco desk phone which is “6346” it is important if you use the extension that you do not add the + to the front of it.

Adding your desk extension improves the Lync experience as Lync will recognise you from your desk phone when you dial in to things such as the conference centre.


Until next time have fun with Lync and Enterprise Voice!!


Step by Step Lync 2010 Enterprise Voice with Cisco Call Manager Express (or UC500) Part 1

Hot off the press from, who kindly found the time to write up our Lync Integration efforts, this article will shows how to integrate Lync 2010 and the Cisco Call Manager Express to offer Enterprise Voice capabilities to your Lync installation.

Lab Configuration
The installation has a 4 digit dial plan, all of our Cisco phones are in the 3… range and our Lync users are in the 5… range.

We currently run a UC560 running CME 8.1 so have no access to E.164 support although 8.5 will have support and is coming to the UC500 soon. This document will allow the configuration without using this support so will probably be updated once I can play with 8.5’s E.164 support.

Lync Configuration

Topology Updates
From topology builder we are going to create a new PSTN gateway, to do this expand your site Media Servers and then select your mediation server and select properties to open the following window.


Select the option “New” to create a PSTN gateway, type in the FQDN if you have an A record setup for your phone system OR type the IP address in. Override the port from the default port to 5060 which is the standard port for SIP and CME’s default configuration, finally ensure TCP is set (TLS is out of scope of this document).


Click OK and ensure you publish your topology to your environment.

Trunk Configuration

Now its time to create your PSTN routing


Create the first of our 2 rules, this rule will remove the +44 (UK dialling prefix, replace with your own if outside of the UK) from the beginning of the number dialled from Lync and replace it with a 0 so that the CME can understand the number we are trying to dial.


Our final translation rules is designed to remove the + sign from the from our extensions as they are being dialled, again this is so that the CME can understand what we are sending it.


Normalisation Rules

Normalisation rules are used to try and form an E.164 number from the digits dialled by an end user, for example if you were to dial 01234 567890 from your Lync client the normalisation rule will turn this in to an E.164 of +441234567890 .


Again we are going to create 2 normalisation rules, to create the first select “New” under the “Associated Normalization Rules”.

This rule is going to allow us to dial a PSTN call through the CME device, we are looking for any number that starts with a 0 and is at least 2 characters long, once we have this we are going to remove the 0 and add +44 to form a valid E.164 number.


Rule number 2 allows us to dial an extension on the CME, this rule finds and number beginning with 3 and is 4 digits long and appends + to it.


Now that your configuration is complete ensure that you select Commit All to upload your dial plans back in to Lync.

Route Configuration

The final piece of configuration on Lync is to create a route from Lync to the CME, below is a working configuration that allows all numbers starting +44 and +3 to be sent to the CME. Ensure that you select the previously configured PSTN gateway as well as a PSTN policy.


Now that the Lync configuration is completed, ensure you go to each section and ensure everything is committed. Once you have committed all of the changes leave your Lync installation, get a cup of coffee and let Lync simmer for around 10 minutes to ensure that everything has replicated around.

In Part 2 we will configure Cisco Call Manager Express to work with the above configuration. Part 2 either HERE or HERE.

P vs NP Solved?

Holy crap!

“Scott Aaronson, associate professor of computer science at the Massachusetts Institute of Technology, is so sceptical that he pledged in his blog to pay Mr Deolalikar an additional $200,000 (£125,000) if the solution is accepted by Clay.”

Crazy if this turns out to be true!


For the uninitiated: