You Can Break Into a Linux System by Pressing Backspace 28 Times.

December 16, 2015 – 4:37 PM

Hitting a key over and over again actually works for once. Two security researchers in Spain recently uncovered a strange bug that will get you past the Grub2 bootloader password on many Linux machines just by hitting the backspace key 28 times. Here’s how to fix it and keep your data protected.

The researchers, Hector Marco and Ismael Ripoll from the Cybersecurity Group at the Polytechnic University of Valencia, found that a bug in the Grub2 bootloader lets anyone at the keyboard bypass Grub2’s password protection on a locked-down Linux machine. Hitting backspace 28 times when Grub asks for a username drops the attacker into the Grub rescue shell, and from there they can read the computer’s data (unless the disk is encrypted, in which case the data at rest stays protected) or install malware. Marco and Ripoll have published an emergency patch for the Grub2 vulnerability, and Ubuntu, Red Hat, and Debian have all issued fixed packages as well.
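The researchers’ write-up attributes the bug to an integer underflow: the routine that reads the username decrements its cursor on every backspace without checking that the line is already empty, so 28 backspaces on an empty prompt wrap the counter and the subsequent write through it lands outside the buffer. The following is an added, simplified illustration of that bug class in C, not Grub2’s own code; the key codes, buffer size and function names are assumptions. It puts the unchecked decrement beside the one-line fix and shows the wrapped cursor value the vulnerable version reports.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified line editor for a boot-time login prompt. Illustration of the
 * bug class only (an unsigned cursor decremented without a lower bound); it
 * is not Grub2's code, and the key codes and buffer size are assumptions. */
#define KEY_BACKSPACE '\b'
#define KEY_ENTER     '\n'
#define BUF_LEN       32

typedef size_t (*line_reader_fn)(const char *keys, char *buf, size_t buflen);

/* Vulnerable: a backspace on an empty line wraps cur_len to SIZE_MAX, and 28
 * backspaces leave it at SIZE_MAX - 27. In real code the caller then indexes
 * the buffer with that cursor; here the bounds checks on the writes keep the
 * demo from faulting so the bad value can be returned and inspected. */
size_t read_line_vulnerable(const char *keys, char *buf, size_t buflen)
{
    size_t cur_len = 0;
    for (; *keys != '\0' && *keys != KEY_ENTER; keys++) {
        if (*keys == KEY_BACKSPACE)
            cur_len--;                        /* BUG: no check for cur_len == 0 */
        else if (cur_len < buflen - 1)
            buf[cur_len++] = *keys;
    }
    if (cur_len < buflen)
        buf[cur_len] = '\0';
    return cur_len;
}

/* Hardened: a backspace on an empty line is simply ignored. */
size_t read_line_hardened(const char *keys, char *buf, size_t buflen)
{
    size_t cur_len = 0;
    for (; *keys != '\0' && *keys != KEY_ENTER; keys++) {
        if (*keys == KEY_BACKSPACE) {
            if (cur_len > 0)
                cur_len--;
        } else if (cur_len < buflen - 1) {
            buf[cur_len++] = *keys;
        }
    }
    buf[cur_len] = '\0';
    return cur_len;
}

/* Feed n backspaces followed by Enter to a reader; return the cursor it
 * reports. Reproduces the 28-backspace case from the report. */
size_t cursor_after_backspaces(size_t n, line_reader_fn reader)
{
    char keys[64];
    char buf[BUF_LEN] = {0};
    if (n > sizeof keys - 2)
        n = sizeof keys - 2;
    memset(keys, KEY_BACKSPACE, n);
    keys[n] = KEY_ENTER;
    keys[n + 1] = '\0';
    return reader(keys, buf, sizeof buf);
}

/* 1 if editing `keys` with `reader` leaves exactly `expected` in the buffer. */
int edits_to(const char *keys, const char *expected, line_reader_fn reader)
{
    char buf[BUF_LEN] = {0};
    reader(keys, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    printf("vulnerable cursor after 28 backspaces: %zu\n",
           cursor_after_backspaces(28, read_line_vulnerable));
    printf("hardened   cursor after 28 backspaces: %zu\n",
           cursor_after_backspaces(28, read_line_hardened));
    return 0;
}
```

Compiled and run, the vulnerable reader reports a cursor of SIZE_MAX - 27 after 28 backspaces and loses any keystrokes typed after the underflow, while the hardened one reports 0 and edits normally; the same lower-bound check belongs anywhere a length is decremented in response to user input.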

Linux is often thought of as a very secure operating system, but this is a good reminder to take physical security as seriously as network security (if not more so). Apply your distribution’s Grub2 update, treat a bootloader password as a deterrent rather than a substitute for full-disk encryption, and take extra care when your machine is around people you don’t know, especially if it holds sensitive data.

Source:
http://lifehacker.com/you-can-break-into-a-linux-system-by-pressing-backspace-1748370796

Updated Cryptowall Encrypts File Names, Mocks Victims

November 5, 2015 – 4:13 PM

Cryptowall has gotten a minor, but important facelift that might make it more difficult for researchers to tear apart and for victims to recover their encrypted data without paying a ransom.

Spotted two days ago, the latest update to the ransomware encrypts not only the data on victims’ machines but also the file names, a first according to independent researcher Nathan Scott, who examined the code together with researchers from Bleeping Computer.

“I’m surprised more don’t do it; this makes it significantly harder to recover files except for paying the ransom,” Scott said. “If you try to do a forensic data recovery, the files show up with these weird names and the user doesn’t know what file is what. No one knows any structure in files any more.

“The only way to regain your data is a complete backup,” Scott said. “If you don’t back up, the only way to get the data back is to pay the ransom.”

The attackers behind Cryptowall have also updated the ransom note presented to victims. The new note mocks them, congratulating the victim on becoming part of the Cryptowall community, and the attackers have assigned themselves a hashtag, #CryptowallProject. Scott speculates that the hashtag is meant to give victims a place to commiserate on social media, and that if enough of them do so it may push them toward paying the ransom that much quicker.

Source:
https://threatpost.com/updated-cryptowall-encrypts-file-names-mocks-victims/115285/

New type of auto-rooting Android adware is nearly impossible to remove

November 4, 2015 – 4:25 PM

Researchers have uncovered a new type of Android adware that is virtually impossible to uninstall, exposes phones to potentially dangerous root exploits, and masquerades as any of thousands of different apps from providers such as Twitter, Facebook, and even Okta, an identity and two-factor authentication provider.

The researchers have found more than 20,000 samples of trojanized apps that repackage the code or other features found in official apps available in Google Play. From the end user’s perspective, the modified apps look just like the legitimate apps, and in many cases they provide the same functionality and experience. Behind the scenes, however, the apps use powerful exploits that gain root access to the Android operating system. The exploits, found in three app families known as Shedun, Shuanet, and ShiftyBug, allow the trojanized apps to install themselves as system applications, a highly privileged status usually reserved for operating system-level components.

“For individuals, getting infected with Shedun, Shuanet, and ShiftyBug might mean a trip to the store to buy a new phone,” researchers from mobile security firm Lookout wrote in a blog post published Wednesday. “Because these pieces of adware root the device and install themselves as system applications, they become nearly impossible to remove, usually forcing victims to replace their device in order to regain normalcy.”

The Lookout researchers said the apps appear to do little more than display ads, but given their system-level status and root privileges, they have the ability to subvert key security mechanisms built into Android. Under the model known as sandboxing, for instance, Android apps aren’t permitted to access passwords or most other data belonging to other apps. System applications running as root, by contrast, have super-user permissions that let them break out of such sandboxes and read or modify data and resources that would be off limits to normal apps. Because the adware installs itself on the system partition rather than in user data, a factory reset, which wipes only the user data partition, does not remove it; reflashing a clean firmware image does.

Source:
http://arstechnica.com/security/2015/11/new-type-of-auto-rooting-android-adware-is-nearly-impossible-to-remove/

Zero-Day Attack Compromises a Half-Million Web Forum Accounts

November 4, 2015 – 4:14 PM

vBulletin, maker of the forum software of the same name, and Foxit Software, whose forum runs on it, may have been breached by a hacker claiming to have made off with personal data belonging to some 479,895 users between the two sites.

“Coldzer0” said in a post co-authored with @Cyber_War_News that he exploited the same zero-day vulnerability on both domains and was able to access user IDs, full names, email addresses, security questions and their answers (both stored in plain text), and salted password hashes for hundreds of thousands of users.

For its part, vBulletin has confirmed that an attack happened: “Very recently, our security team discovered a sophisticated attack on our network,” the company said in a post. “Our investigation indicates that the attacker may have accessed customer IDs and encrypted passwords on our systems.”

vBulletin said the issue affects versions 5.1.4 to 5.1.9; it has issued a patch, presumably for the zero-day, and has forced a password reset for all of its users. Because the security questions and answers were reportedly held in plain text, users who reuse those answers elsewhere should change them there too.

Tod Beardsley, principal security research manager at Rapid7, said in an email that the vBulletin attack looks to have been the result of a SQL injection bug in the forum software.

Source:
http://www.infosecurity-magazine.com/news/zeroday-attack-web-forum-accounts/

Ransomware’s new threat: if you don’t pay, we’ll publish your photos online

November 3, 2015 – 7:53 PM

The ‘scareware’ variant of the Chimera ransomware trojan has been spotted by the Cologne-based anti-botnet advisory centre, Botfrei (‘Botfree’).

The agency says Chimera is a classic blackmail trojan that is now targeting specific employees at German companies with fake emails about job applications or job offers.

The emails point recipients to a Dropbox link for more information; if a victim follows it, Chimera immediately starts encrypting the files on their computer and the data it can reach on the corporate network.

In an extra twist, Chimera also threatens to publish their photos and other personal information online if they fail to pay the 2.45 bitcoin (£450) ransom.

But in a 26 October blog post, Botfrei says there is so far no evidence that the criminals have actually stolen or published any personal data: “Fear and intimidation is their motivation.”

Independent security experts also see Chimera’s latest variant as “new and scary” but are divided on whether its promise to publish personal photos is a bluff.

Source:
http://www.scmagazine.com/ransomwares-new-threat-if-you-dont-pay-well-publish-your-photos-online/article/451473/