STE WILLIAMS

Instascam! Apple yanks phoney app, Google follows

A popular but malicious fake Instagram “who viewed your profile” app has been pulled from both Apple’s App Store and Google Play – but not until after between 500,000 and a million suckers downloaded it.

“Who Viewed Your Profile – InstaAgent” exploited people’s insecurity (it’s also a popular way for Twitter scam accounts to draw in the clicks) to get them to install an app that harvested user credentials, posted them to a remote server, and hijacked accounts to post unauthorised images to victims’ profiles.

German iOS developer David Layer-Reiss, who goes by the Twitter handle @PeppersoftDev, discovered the hijack.

Both Apple and Google have to be marked down for letting the app past their code review processes in the first place.

United Press International says the Android version got at least 100,000 downloads in spite of a 2.2 star rating. Other estimates give the possible Android download rate at close to the App Store’s half-a-million.

As a rule, El Reg would note, any third-party app promising to identify profile viewers on social media accounts should be treated as a scam. LinkedIn is a special case: there, profile view reports are just a creepy feature. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/12/instascam_apple_yanks_phoney_app_google_follows/

Pause Patch Tuesday downloads, buggy code can kill Outlook

The El Reg inbox has been flooded with reports of a serious cock-up by Microsoft’s patching squad, with one of Tuesday’s fixes causing killer problems for Outlook.

“We are looking into reports from some customers who are experiencing difficulties with Outlook after installing Windows KB 3097877. An immediate review is under way,” a Microsoft spokesperson told us.

The problem is with software in one of the four critical patches issued in yesterday’s Patch Tuesday bundle, MS15-115. This was supposed to fix a flaw in the way Windows handles fonts, but has had some unexpected side effects for some Outlook users.

“Today I’ve deployed latest Outlook patch to all of my clients, and now Outlook is crashing every 10 minutes and then restarting itself. I tried on fresh Win10, no AV with latest patches applied and here we go, Outlook crashing there too,” complained one TechNet user.

“Come on guys, do you EVER do proper QA before releasing anything Office 2013 related? This is the worst version of Outlook ever. Sorry for negative attitude but this is how things are.”

The break point appears to come not when an email that contains certain fonts is opened, but when it’s scrolled through. Outlook 2010 and 2007 seem affected, but the issue is reportedly fixed when the patch is uninstalled.

The SysAdmin sector of Reddit is awash with reports of problems with the patch, and it appears to be a cross-OS problem. The general consensus is to disable the patch on Windows Server Update Services and wait for a reissue.

But millions of consumer users could be in for a nasty shock when Windows prompts them to download yesterday’s patches. Anyone relying on Outlook for their email is in for a nasty surprise. ®

Kudos to IT consultant Brian Milnes and City of London support firm Pink Chalk for blowing the whistle.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/11/patch_tuesday_downloads_buggy_ms_patch/

FastMail falls over as web service extortionists widen attacks and up their prices

FastMail has become the latest web services company to get taken down by distributed denial of service (DDoS) raiders who are trying to extort Bitcoins in exchange for internet access.

The company reports that its servers were briefly taken down by a DDoS attack on Sunday 8 November, after the people responsible contacted the company with a ransom demand, asking for 20 Bitcoin (worth around $7,500) to make the assaults go away. Another attack occurred on Monday.

“First of all, we would like to make one thing clear. We do not respond to extortion attempts, and we will not pay these criminals under any circumstances,” the firm said in a blog post.

“We have dealt with DDoS attacks before, and have recently been strengthening our defenses to deal with such issues. However, there is still a chance that the attacks will cause some disruption for our users, so we are publishing this as an advance warning and to give as much information as we can on what to expect.”

The news comes after ProtonMail suffered a similar extortion attack, although in that case the marauders were only asking for 15 Bitcoin. Under pressure from companies caught up in the attack, ProtonMail paid up, but that didn’t stop the assaults coming in thick and fast on the firm.

The two companies are not the only ones to be targeted by the DDoS extorters. From November 4 through 6, Runbox was hit by multiple DDoS attacks from a group calling itself the “Armada Collective,” accompanied by extortion demands – although the group later dropped its request for payment and apologized.

On November 4 cloud office applications provider Zoho was also hit and the attack came with a ransom demand. Zoho spent the next six days fighting to keep its servers online. A day later secure webmail firm Hushmail came under a money-with-menaces DDoS attack, which is still ongoing.

Police in Europe are currently searching for the group or groups behind the assaults, but it’s going to be a tough job – DDoS attacks are easy and quite cheap to organize. In the meantime, the tech industry is holding firm and not paying up, unlike certain US police forces. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/11/fastmail_web_service_extortion/

Privileged Account Control Still Weak In Most Organizations

Two studies this week show there’s a long way to go in securing credentials for risky accounts.

A pair of studies out this week illustrate how privileged account management remains the bane of infosecurity programs, as most enterprises still struggle to control these accounts in spite of the risk they pose.

The risk is significant, according to a study by CyberArk that analyzed dozens of enterprise networks and found that 88% are significantly susceptible to attacks through privileged credentials theft and abuse. In about 40% of the cases, simple Windows hosts offer attackers all the credentials they need for a complete network takeover.

Meanwhile, a survey of IT security leaders conducted by Dimensional Research on behalf of Dell found that most understand the importance of managing privileged accounts. One in four believe better control over these accounts would reduce their likelihood for breach. And 80% of respondents say they do at least have a defined process for managing them. The problem is that in many instances that process is pretty unreliable.

For example, just about one in three of these respondents say that their management process tracks these accounts using Excel or other spreadsheets. Additionally, 37% of respondents report that default admin passwords on hardware and software are not consistently changed; and the same ratio of respondents report that multiple administrators share credentials.


“Privileged accounts really are the ‘keys to the kingdom,’ which is why hackers seek them out and why we’ve seen so many high-profile breaches over the past few years use these critical credentials,” says John Milburn, executive director and general manager of identity and access management for Dell Security.

This jibes with other statistics released elsewhere this year. For example, the Verizon Data Breach Investigations Report found that one in five security incidents is caused by privileged account misuse. Meanwhile, anecdotal evidence supports the view that these accounts are an Achilles heel of enterprise-class organizations. For example, the massive breach at the Office of Personnel Management earlier this year could be attributed to weaknesses in privileged account management at the agency and its associated contractors.

“With credentials for a privileged account, an attacker can gain complete control over the host or hosts that accept those credentials,” the CyberArk report said. “This allows the attacker not only to access and breach all the sensitive data on those hosts, but also to perform other malicious actions such as installing malware and disabling or reconfiguring security controls.”

 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: http://www.darkreading.com/endpoint/privileged-account-control-still-weak-in-most-organizations/d/d-id/1323097?_mc=RSS_DR_EDT

Machine Learning: Perception Problem? Maybe. Pipe Dream? No Way!

Guided by an organization’s internal security experts, ‘algorithmic assistants’ provide a powerful new way to find anomalies and patterns for detecting cyberthreat activity.

Machine learning has a perception problem. I recently met with a public company CEO who told me that “machine learning” has become an overused buzzword just like “big data” was a few years ago. Only it’s even worse with machine learning because no one really understands what it means.

In the most common misperception, machine learning is thought to be a magic box of algorithms that you let loose on your data and they start producing nuggets of brilliant insight for you. If you apply this misperception to the use of machine learning for cybersecurity, you might think that after deploying machine learning, your security experts will be out of a job since algorithms will be doing all their important threat detection and prevention work.

[Read why Simon Crosby thinks Machine Learning Is Cybersecurity’s Latest Pipe Dream.]

In Simon’s commentary, he argues (three times, even) that experts are a better choice than ML/AI (Machine Learning/Artificial Intelligence) for cybersecurity. But why choose between experts and machine learning at all? A more enlightened understanding of machine learning in cybersecurity sees it as an arsenal of “algorithmic assistants” to help the security expert automate the analysis of data by looking for helpful anomalies and patterns — but under the direction of the security experts.

Here’s an example: A security expert doing malware research reads an article that contains an analysis of a version of the infamous Framework POS malware that exfiltrates data over the DNS protocol. Knowing what kind of security infrastructure is already in place, she thinks, “Hmm, if that exfiltration was done slowly enough on our network, I’m not sure we’d be able to detect it.” Thinking a bit more, “Wow, I can really see how it could take some organizations months to detect a data breach that uses this method!”

She then configures her machine learning software to continually analyze DNS requests coming from all clients (POS and workstations) on their network, instructing the machine learning algorithms to create baselines of normal DNS request activity sent from each client, and to perform a population analysis across all clients in case some machines are already performing exfiltration when the analysis starts. The machine learning engine starts this analysis and gives her an alert any time unusual behavior indicative of DNS “tunneling” is detected.

In this way, our security expert has just put one “algorithmic assistant” to work for her. It never sleeps, eats, or takes vacation, and it does exactly what she told it to do! Tomorrow, she thinks, “I’ll figure out a way to put another algorithmic assistant to work looking for unusual SSH sessions, another issue I’ve been losing sleep over.”
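The DNS tunnelling assistant described above, worked through as an added example (this is not code from the article or from any product it mentions): it learns a per-client baseline from a constructed query log, scores the next window against each client’s own history, and then runs a median/MAD population check so that a client which was already tunnelling during the baseline period is still caught. All addresses, names and thresholds are made up for the illustration.

```python
import hashlib
import math
from collections import Counter
from statistics import mean, median, pstdev
from typing import Dict, List, Set, Tuple

BASELINE_MINUTES = range(0, 5)   # windows used to learn each client's own "normal"
TEST_MINUTE = 5                  # window being scored
NORMAL_NAMES = ["www.example.com", "mail.example.com", "cdn.example.net", "api.partner.org"]


def hexlabel(seed: str) -> str:
    """Deterministic 40-char high-entropy label, standing in for an encoded exfil chunk."""
    return hashlib.sha256(seed.encode()).hexdigest()[:40]


def synth_log() -> List[str]:
    """Constructed DNS query log, one line per query: '<minute> <client-ip> <qname>'."""
    lines = []
    for m in range(6):
        for k in range(1, 9):                     # eight ordinary clients, 6..10 queries a minute
            n = 6 + (k + m) % 5
            lines += [f"{m} 10.0.0.{k} {NORMAL_NAMES[i % 4]}" for i in range(n)]
        for i in range(40):                       # 10.0.0.9 was already tunnelling when we started
            lines.append(f"{m} 10.0.0.9 {hexlabel(f'{m}-{i}')}.{m}.tunnel.example.org")
    for i in range(40):                           # 10.0.0.1 starts exfiltrating in the test window
        lines.append(f"{TEST_MINUTE} 10.0.0.1 {hexlabel(f'x-{i}')}.t.example.org")
    return lines


def entropy(label: str) -> float:
    """Shannon entropy (bits per character) of one DNS label."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


Feats = Dict[Tuple[int, str], Dict[str, float]]


def window_features(lines: List[str]) -> Feats:
    """Per (minute, client): query rate, mean query-name length, mean entropy of the leftmost label."""
    names: Dict[Tuple[int, str], List[str]] = {}
    for line in lines:
        minute, client, qname = line.split()
        names.setdefault((int(minute), client), []).append(qname)
    return {
        key: {
            "qpm": float(len(qs)),
            "avg_len": mean(len(q) for q in qs),
            "entropy": mean(entropy(q.split(".")[0]) for q in qs),
        }
        for key, qs in names.items()
    }


def baseline_alerts(feats: Feats, threshold: float = 3.0) -> Set[str]:
    """Time-series baseline: flag a client whose test window departs from its own history."""
    flagged = set()
    for client in {c for (_, c) in feats}:
        history = [feats[(m, client)] for m in BASELINE_MINUTES if (m, client) in feats]
        current = feats.get((TEST_MINUTE, client))
        if not history or current is None:
            continue
        for f, x in current.items():
            vals = [h[f] for h in history]
            mu = mean(vals)
            scale = max(pstdev(vals), 0.1 * abs(mu), 1e-9)   # floor: tiny variance must not inflate z
            if (x - mu) / scale > threshold:
                flagged.add(client)
    return flagged


def population_alerts(feats: Feats, threshold: float = 3.5) -> Set[str]:
    """Cross-client analysis of the test window: robust z-score (median / MAD) per feature.
    This catches a client whose own baseline is itself abnormal for the population."""
    current = {c: v for (m, c), v in feats.items() if m == TEST_MINUTE}
    flagged = set()
    for f in next(iter(current.values())):
        vals = {c: v[f] for c, v in current.items()}
        med = median(vals.values())
        mad = median(abs(x - med) for x in vals.values())
        scale = max(1.4826 * mad, 0.1 * abs(med), 1e-9)
        flagged.update(c for c, x in vals.items() if (x - med) / scale > threshold)
    return flagged


def run(lines: List[str] = None) -> Tuple[Set[str], Set[str]]:
    """Score the constructed (or a supplied) log; returns (baseline alerts, population alerts)."""
    feats = window_features(lines if lines is not None else synth_log())
    return baseline_alerts(feats), population_alerts(feats)


if __name__ == "__main__":
    per_client, population = run()
    print("per-client baseline alerts:", sorted(per_client))   # ['10.0.0.1']
    print("population alerts:         ", sorted(population))   # ['10.0.0.1', '10.0.0.9']
```

Note that 10.0.0.9 never trips its own baseline, because its history is uniformly abnormal; only the population pass exposes it, which is exactly why the expert asked for both.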

Machine Learning Algorithmic Assistants Have Several Skills
Almost all algorithmic assistants that utilize unsupervised machine learning have several skill sets based on modern data science. They can baseline normal behavior by accurately modeling time series data (any series of data with a time stamp on it – usually log data from servers, devices, endpoints, and applications); they can identify data points that are anomalous or “outliers;” and they can score the level of anomalousness of these outliers. Generally, you’ll hear this set of skills packaged up under the term “machine learning anomaly detection.”

More recent developments in machine learning-based security analytics have additional capabilities; think of these as “senior algorithmic assistants” that can take the work of their subordinate assistants and perform advanced functions such as influencer analysis, correlation, causation, and even forecasting, to provide even more context for the security experts.

Perception Problem: Maybe. Pipe Dream: No!
Here’s an interesting data point: In an April 2015 survey performed by Enterprise Management Associates, for the second year in a row security analytics (Advanced Security/Threat Analytics Anomaly Detection) scored in the top ranking for perceived value when compared to total cost of ownership (TCO), beating out 15 other security technologies.

For forward-thinking security pros, this kind of security analytics, powered by machine learning, is no pipe dream – and it’s so much more than just marketing spin. It’s a practical way to use newer technology to automate the analysis of log data to better detect cyberthreat activity, under the direction and guidance of an organization’s security experts.

Mike has more than 30 years of technology product development experience, including executive roles with several startups in the areas of consumer apps, mobile app ecosystems, and Security Information and Event Management (SIEM). Previously, he spent more than a decade in …

Article source: http://www.darkreading.com/vulnerabilities---threats/machine-learning-perception-problem-maybe-pipe-dream-no-way!/a/d-id/1323076?_mc=RSS_DR_EDT

Tool Controls Botnet With Twitter Direct Messages

‘Twittor’ exploits the expanded capacity of Twitter DMs to replace traditional botnet command-and-control server infrastructure.

Turns out Twitter’s expansion of Direct Message capacity beyond 140 characters inadvertently gives botnet operators a stealthy and streamlined way to control their bots.

A new backdoor tool built by white hat security researcher Paul Amar uses Twitter DMs as a botnet command-and-control infrastructure. Amar says his so-called “Twittor” tool was inspired by a Gmail-based botnet C&C tool called “Gcat.”

“I was looking at how third-party services could hide malicious traffic” and how botnets could maintain a command-and-control infrastructure that could avoid takedowns, for example, says Amar, a security analyst with SensePost Information Security.

His Python-based Twittor backdoor tool basically allows a botnet to operate and hide in plain sight. The machines would already be infected with the malware, and then controlled by the attacker via his or her malicious Twitter DMs. “It uses just one Twitter account that sends” the DMs, Amar says. “Everything is going through private messaging” of the attacker’s account, he says.

Amar says an attacker likely would use Tor to create the new Twitter account. With DMs longer than 140 characters, it leaves plenty of headroom for controlling the bots, he says. “It allows for more malicious activity.”

Some security experts have called out the potential for abuse of DMs with Twitter’s move in August to remove the 140-character limit, as well as the new option for any Twitter user to DM any other Twitter user even if they are not following one another.

Bad guys will use most any possible channel for C&C, notes Dan Kaminsky, chief scientist with WhiteOps, who points out that social networks long have been abused that way. Researchers at DC949 created Twitter FS, a file system tool that used just the 140-character limit to store files, he notes. “Small channels have always been attractive to C&C, which never needs much bandwidth to prosper,” Kaminsky says.

Kaminsky’s 2005 OzymanDNS project, meanwhile, demonstrated the potential for abuse of DNS by moving files and tunneling traffic over DNS.

Twit Bot Limit

Twitter limits users to 1,000 DMs per day, so Amar estimates that a Twittor botnet would max out at somewhere around 100 bot machines. “The best way to bypass that limitation would be to use different accounts and mesh them all together. So with three accounts, we can do around 3,000 DMs daily, which would be enough to control a few hundred boxes,” Amar says.

Since they communicate via the Twitter API, the bots don’t need their own Twitter accounts to be controlled, he notes. And since it uses the API, there’s no worries of IP-filtering for the attacker, he says. And “nothing’s public, [since it’s] only using Direct Messages, so there’s no public malicious activity,” he says.

A DM-controlled botnet complicates a bot-infected company’s defenses. “It’s quite complicated. You would have to block Twitter in a corporate environment,” says Amar, noting that such a ban obviously wouldn’t be realistic in most companies. The DM traffic would be difficult to distinguish from legitimate communications, he says.

Amar says he’s looking at adding a data exfiltration toolkit for his Twittor tool. Twittor is available on Github.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: http://www.darkreading.com/endpoint/tool-controls-botnet-with-twitter-direct-messages/d/d-id/1323110?_mc=RSS_DR_EDT

Federal Government Most Prone To Repeat Breaches

It isn’t just the White House that gets compromised more than once. Also, in a shifting trend, malicious insider attacks don’t cut quite as deep as outsiders’ do, report finds.

After a data breach, some organizations get up and redouble their defenses, while others get kicked while they’re down, again and again. Government agencies seem to be most prone to those relentless beatings, according to a report by Risk Based Security (RBS) that will be released Thursday.

According to the study, 99 organizations have been hit by multiple data breaches in 2015 alone (one as many as a dozen times), and 21 of them were in government.

By Risk Based Security’s count, over the 10 years they’ve been collecting breach data, 1,400 organizations have had their records exposed on several occasions. On their list of the Top 10 “Most Breached Organizations of All Time,” six are government entities: the U.S. Office of Veteran’s Affairs (39 incidents), the U.S. Postal Service (25), the United Kingdom’s Ministry of Defense (18), the U.S. Department of Defense (17), the U.S. Army (16), and the Internal Revenue Service (16).

Credit data company Experian holds the unfortunate title of most-breached, with 56 incidents.

The researchers also call out the U.S. Office of Personnel Management, which suffered one of the worst incidents of 2015. This year’s breach exposed personal data on 21.5 million current and former federal employees, contractors, job candidates, and employees’ relatives. It exposed data from background checks, Social Security numbers, residency history, employment history, family, health, financial history, and 5.6 million fingerprints. But that wasn’t the only blemish on OPM’s security record. OPM’s network was broken into in March 2014, and more data was exposed after credentials had been lifted from a third party. 

Why is government hit so often? Jake Kouns, CISO of RBS, attributes it to a variety of factors. It’s “where the juicy information is right now,” the scale of the agencies’ environments and assets is “massive,” and they have countless vacancies in security positions. “Whether you believe that nation-states are always targeting them or not,” he says, “there’s some fire where there’s smoke.”

Government breaches are also, on average, bigger. Government accounted for only 12.3% of incidents, but 23.5% of exposed records — 232,956 records per incident. Federal agencies were the worst offenders.

Therefore, it’s no surprise that when broken down by state (counting the District of Columbia as a state), D.C. claimed the number 2 spot on the list of the sources of most exposed records in the United States. The only state responsible for more exposed records was Indiana, home to the corporate headquarters of Anthem Blue Cross Blue Shield, victim of 2015’s largest breach.

“Most government organizations do have a lot of data, so when they have a breach it’s going to be catastrophic,” Kouns says. 

Overall, across all sectors, hacking was responsible for 66.3% of breach incidents, and 83.2% of exposed records. Outside attackers committed 78.5% of incidents, accounting for 82.9% of exposed records. Meanwhile, malicious insiders committed 7.3% of incidents, accounting for only 1.0% of records.

The fact that hacking and outsiders are not only the source of the most attacks but the most damaging attacks is noteworthy. It’s a shift that Kouns says began a couple of years ago and has accelerated. Once upon a time, there might be loads of outside hackers trying to bang away at your network, but the severe attack would come from “the trusted insider” with malicious intentions. Now the reverse is true.

In the first nine months of 2015, 3006 incidents have been reported, exposing 366 million records. Although that’s far fewer records than 2014 numbers, it’s more incidents in a nine-month time frame than RBS has ever seen in the 10 years they’ve been collecting this data.

 

The good news is that most breaches are quite small. Forty percent expose only 100 records or less. 

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad …

Article source: http://www.darkreading.com/analytics/federal-government-most-prone-to-repeat-breaches/d/d-id/1323104?_mc=RSS_DR_EDT

Belgium to Facebook: stop tracking non-Facebook users or face $267K daily fines


Max Schrems must be pleased.

He who rose up from the ranks of Facebook’s privacy-ravaged users to file complaints against what he said was Facebook’s illegal data collection/retention is now witnessing the fruits of his labor.

Or, as he tweeted in response to the Belgian court giving Facebook 48 hours to stop tracking those without Facebook accounts, lest it face substantial penalties, “*WOW*”:

Max Schrems @maxschrems
*WOW* @SophieKwasny: episode Belgium v. Facebook. Judge gives 48 hours to conform to law or will be fined 250000 euros / day

As the AFP reports, Belgium set the clock ticking on Monday, saying that Facebook would face fines of up to €250,000 ($267,000) a day if it doesn’t comply within 48 hours.

Facebook said it will appeal.

The AFP quotes the court decision:

Today the judge… ordered the social network Facebook to stop tracking and registering internet usage by people who surf the internet in Belgium, in the 48 hours which follow this statement.

If Facebook ignores this order it must pay a fine of 250,000 euros a day to the Belgian Privacy Commission.

The court order is the latest salvo in the Europe v. Facebook privacy battle.

It follows a case lodged by Belgium’s privacy watchdog – the Belgian Privacy Commission (BPC) – which dragged Facebook into court in June for allegedly “trampling” over Belgian and European privacy law.

In June, the court said that Facebook indiscriminately tracks internet users – even non-Facebook users – when they visit its pages or pages on other sites with “like” or “share” buttons.

Since then, the BPC’s lawyers have called Facebook “as bad as the NSA [National Security Agency].”

The latest in a string of EU slap-downs

This 48 hours or-else decision is only the latest EU action against private data flowing into Facebook.

Last month, the EU’s highest court struck down the transatlantic Safe Harbor agreement, which had allowed companies to transfer European citizens’ personal data to the US, calling the agreement “invalid” because it didn’t protect data from US surveillance.

At the heart of the recent Belgian court case is a move Facebook made in June 2014 to give advertisers more ammunition to target users, by mixing data about what we do on its site with data about what we do on other sites.

The Belgian court on Monday said that Facebook does indeed use a special cookie that visitors pick up if they visit a friend’s page on Facebook or any other page on the web with Facebook like or share code in it – all without the visitor having ever signed up for a Facebook account.

That cookie stays on a given device for up to two years, enabling Facebook to keep track of people and what they’ve looked at on the web.

AFP quotes the court’s statement:

The judge ruled that this is personal data, which Facebook can only use if the internet user expressly gives their consent, as Belgian privacy law dictates.

Facebook calls that cookie the “datr” cookie and says it’s safe.

Safe, or maybe even some type of prophylactic infosec wonder cookie.

In the recent “Facebook is as bad as the NSA” rhetoric swap, Facebook claimed that its cookies keep Belgium from becoming “a cradle for cyber terrorism.”

AFP quotes a statement from Facebook about its appeal of Monday’s court decision:

We’ve used the datr cookie for more than five years to keep Facebook secure for 1.5 billion people around the world.

We will appeal this decision and are working to minimize any disruption to people’s access to Facebook in Belgium.

Back home in the US of A

Meanwhile, back on its home turf, Facebook is having a much easier time of it with a US regulator – the Federal Communications Commission (FCC) – having recently shrugged off the notion that it should trouble Google or Facebook with demands to honor “Do not track” requests.

The FCC dismissed a petition from rights group Consumer Watchdog, which had called on the commission to require “edge providers” – a catch-all term covering websites and apps, including Google, Facebook, YouTube, Pandora, Netflix, and LinkedIn – to honor such requests from consumers.

The FCC’s rationale: it doesn’t have the authority.

Consumer Watchdog thinks otherwise, and it’s reportedly considering an appeal.

Image of gavel on Belgium flag courtesy of Shutterstock.com

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/gvc_lSHtcgw/

Facebook’s ‘Photo Magic’ tags friends in your camera roll, nudges you to send pics


Facebook’s testing a new feature for Messenger. Photo Magic – which sounds like something a costumed character at the Magic Kingdom would bestow with a twinkly wand – uses facial recognition to paw through your phone’s camera roll, ID your friends, and then nudge you to send photos to the people it spots.

David Marcus, head of Messenger, confirmed the news in a post on his Facebook wall Monday night.

Heaven forbid that people’s images should languish, forgotten, on your camera roll because you forgot about them, he said:

This is one of our upcoming features I’m really excited about as it’s still way too difficult to share photos with friends, and receive all the ones you’re in.

It’s currently testing in Australia, Marcus said.

TechCrunch reports that it rolled out on Android already and will be out on iOS later this week.

If people like it, it will be in the US soon, Marcus said.

This being facial recognition technology – the same that Facebook uses in its photo tag suggestions and standalone Moments app – some users are expressing creep-out.

A commenter on TechCrunch’s story:

Sonya Gaskell
Scary. (And I don’t scare easy.)

…as well as an “oh leave me the *^% alone” sentiment, like this comment on Engadget’s coverage:

Mark Doiron about 11 hours ago
Please, just let me turn it off. I’m smart enough to know with whom, when, where and how I want to share photos. I don’t need any more nagging apps.

But, fortunately, this is opt-in: Photo Magic doesn’t scan your camera roll unless you give it permission.

As Engadget tells it, when you open the updated Messenger app, it will scan your mobile phone’s camera roll (after you give it permission) and select an image that features you and some Facebook friends.

Then it will give you the option of sending the photo to your friends with a single tap.

Don’t want to be tagged in your friends’ photos? You can always opt out of facial recognition in Facebook’s settings: head here.

Image of chalk Facebook logo courtesy of K.N.V. / Shutterstock.com

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/eRx-zgYIi8M/

Ransomware meets Linux

There are plenty of command line encryption tools for Linux and Unix computers.

There’s GPG, for example, which can do both symmetric and public-key encryption.

Symmetric encryption is where the same key, or password, locks and unlocks a file. Public-key encryption is where you have two keys, one to lock data and the other to unlock it. You can publish the locking key openly – indeed, it’s called the public key – so anyone can send you files securely, but you keep the unlocking key private, so that only you can read them back later on.

Then there’s the OpenSSL toolkit, which you can use in two ways: built in to your own software to give it encryption features, or as a command line tool for all sorts of encryption-related tasks.

And now, reports SophosLabs, there’s Linux/Ransm-C.

If you think that sounds like a very curious and malware-like name for an encryption toolkit, you’d be right.

Ransomware, plain and simple

The Linux/Ransm-C “product” is ransomware, plain and simple, built into a small command line program designed to help out crooks who want to practise a spot of extortion against Linux users.

Indeed, judging by some of the directories that this ransomware tool goes after, it’s not really aiming at Linux desktop users, though the malware, sadly, works just fine on a workstation.

The goal seems to be to go after web and database servers, creating what is effectively a Denial of Service (DoS) attack that holds your data, and even the software installed on the server, hostage.

Even though Sophos Anti-Virus detects this threat as Linux/Ransm-C, we’ve seen precompiled samples targeting five different system platforms:

  • 32-bit Linux
  • 32-bit System V Unix
  • 64-bit FreeBSD
  • 64-bit Linux
  • 64-bit System V Unix

Unusually for a modern Linux/Unix program, the malware is statically linked, which means it contains absolutely everything it needs to do its dirty work, from the runtime library code that reads and writes files, to the encryption algorithms that it uses to scramble and unscramble your data.

Many, if not most, legitimate encryption tools these days are dynamically linked, meaning that they connect up with software components already on your computer, known as shared libraries on Unix, or DLLs on Windows.

For example, lots of encryption products use OpenSSL, but don’t actually build in their own copy of the OpenSSL software.

→ By sharing a central copy of a shared library amongst numerous products, you not only save disk space (they all share the same files) and memory (only one copy of the shared code needs to be loaded at a time), but also make version control and updating easier. The flipside is that a bug in a shared library typically affects lots of software at the same time, although patching the shared copy also fixes all programs that use it in one go.

Compact and self-contained

By making itself entirely self-contained, Linux/Ransm-C makes itself more dangerous: once a crook gets the malware program file onto your server, he’s not dependent on any other components you have installed, because he’s got all the software pieces he needs in one file.

If the crook only manages to run the malware in a restricted environment, for example where common system utilities are excluded and account privileges are limited (for techies, think of precautions such as chroot and setuid), it will still do as much damage as it can.

Even if the malware only manages to scramble your authentication database, or a few of your HTML web pages, that may be enough to stop you serving customers and doing business online.

To save space, Linux/Ransm-C doesn’t use the popular OpenSSL library, which is a rather large code project, but instead includes mbed TLS, formerly known as PolarSSL, an encryption library that was specifically designed to be small and easy to use. (One popular use is on embedded devices such as routers, where disk and memory space are usually tight.)
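A triage check for the static-linking property described above, as an added example (not code from the article or from SophosLabs): it reads the ELF identification bytes and program headers of a binary and reports bitness, OS ABI and whether the file asks for a dynamic loader, so a self-contained executable dropped on a server stands out without running it. The sample ELF images are constructed in-line; the OS ABI names and structure offsets are from the ELF specification.

```python
import struct
import sys
from typing import Dict, List

# Constants from the ELF specification. EI_OSABI 0 is what most Linux toolchains emit too,
# so "System V" here covers ordinary Linux binaries; 3 is the explicit GNU/Linux ABI, 9 is FreeBSD.
PT_DYNAMIC, PT_INTERP = 2, 3
ELFCLASS32, ELFCLASS64 = 1, 2
OSABI_NAMES = {0: "System V", 3: "GNU/Linux", 9: "FreeBSD"}


def parse_elf(data: bytes) -> Dict[str, object]:
    """Report bitness, OS ABI and a linking verdict for an ELF image held in memory."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    elf_class, byte_order, osabi = data[4], data[5], data[7]
    end = "<" if byte_order == 1 else ">"          # EI_DATA: 1 = little endian, 2 = big endian
    if elf_class == ELFCLASS64:
        phoff = struct.unpack_from(end + "Q", data, 32)[0]          # e_phoff
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)  # e_phentsize, e_phnum
    elif elf_class == ELFCLASS32:
        phoff = struct.unpack_from(end + "I", data, 28)[0]
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
    else:
        raise ValueError("unknown ELF class")
    # p_type is the first 32-bit word of every program header in both classes.
    ptypes = [struct.unpack_from(end + "I", data, phoff + i * phentsize)[0] for i in range(phnum)]
    if PT_INTERP in ptypes:
        linking = "dynamic"        # asks the kernel for ld.so, so it depends on shared libraries
    elif PT_DYNAMIC in ptypes:
        linking = "static-pie"     # self-relocating, no interpreter, no external libraries
    else:
        linking = "static"         # everything it needs is inside the one file
    return {
        "bits": 64 if elf_class == ELFCLASS64 else 32,
        "osabi": OSABI_NAMES.get(osabi, f"unknown({osabi})"),
        "linking": linking,
    }


def build_elf(bits: int, osabi: int, ptypes: List[int]) -> bytes:
    """Constructed fixture: a minimal little-endian ELF header followed by empty program headers."""
    cls = ELFCLASS64 if bits == 64 else ELFCLASS32
    ident = b"\x7fELF" + bytes([cls, 1, 1, osabi]) + b"\x00" * 8
    if bits == 64:
        # e_type=EXEC, e_machine=x86-64, e_version, e_entry, e_phoff, e_shoff, e_flags,
        # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
        hdr = struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, 64, 0, 0, 64, 56, len(ptypes), 64, 0, 0)
        phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 0, 0, 0, 0, 0, 0, 0) for t in ptypes)
    else:
        hdr = struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, 52, 0, 0, 52, 32, len(ptypes), 40, 0, 0)
        phdrs = b"".join(struct.pack("<IIIIIIII", t, 0, 0, 0, 0, 0, 0, 0) for t in ptypes)
    return ident + hdr + phdrs


def triage_path(path: str) -> Dict[str, object]:
    """Convenience wrapper for a file on disk."""
    with open(path, "rb") as fh:
        return parse_elf(fh.read())


if __name__ == "__main__":
    for p in sys.argv[1:]:
        print(p, triage_path(p))
    if len(sys.argv) == 1:   # no paths given: show the constructed fixtures
        print("static 64-bit SysV  :", parse_elf(build_elf(64, 0, [1])))
        print("dynamic 32-bit Linux:", parse_elf(build_elf(32, 3, [1, 3, 2])))
        print("static-pie FreeBSD  :", parse_elf(build_elf(64, 9, [1, 2])))
```

Run it over the contents of a web root or upload directory and anything reporting "static" that your packaging did not put there deserves a second look; a statically linked file can still be a legitimate Go or musl build, so treat the verdict as a triage signal rather than a detection on its own.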

How it works

If a crook runs the “tool” like this…

$ ./ransom encrypt publickeyfile

…then it will scramble writable files on your computer, using a public key provided in a separate file for its encryption.

Later on, if you manage to acquire the corresponding private key from the crook, by whatever means he chooses, you can do this…

$ ./ransom decrypt privatekeyfile

…to reverse the effects.

The details of how the crook generates the public-private key pairs, where he stores them, how he sells them, and how much he charges, are up to him.

Linux/Ransm-C just gives him the malicious mechanism he needs to do the actual scrambling that might squeeze you into paying up in order to get things up and running again.

Ouch.

What to do?

All our usual advice applies:

  • Patch! To use this malware, a crook needs to sneak just two small files onto your computer: the malware program and a public key. Any remote code execution hole could be enough to lock you and your customers out of your own server.
  • Backup! If you have a reliable way of restoring a ruined server, even if you lose a few recent changes, you can recover from this sort of attack without engaging with the crooks.
  • Protect! Yes, a Linux anti-virus can help. On a Linux server protected by Sophos Antivirus, for example, Linux/Ransm-C would trigger an alarm as soon as the crook uploaded it – and then he wouldn’t be able to run the malware anyway, because the anti-virus would block it.

While you’re about it, make sure you pick proper passwords, to stop crooks logging in remotely without even needing to hack.

Also, consider using two-factor authentication so that a stolen or leaked password isn’t enough on its own for a crook to log in.

And why not listen to our podcast, Malware on Linux – When Penguins Attack?

Let Sophos security expert Chester Wisniewski tell you what he found when he looked at how much help the Linux ecosystem is inadvertently giving to the cyberunderworld…

Sophos Antivirus for Linux is available for free, with no time limit, for desktops and servers, at work and at home.

Jail bars incarcerating Tux courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/-wkxXsE7hZ0/