
Ransomware scum build weapon from JavaScript

Quote

Demands $250, steals passwords for good measure


New ransomware written entirely in JavaScript has appeared, encrypting users’ files for a US$250 (£172, A$336) ransom and installing a password-stealing application.

Researchers @jameswt_mht and @benkow_ found the ransomware they dubbed RAA.

Bleeping Computer malware man Lawrence Abrams described the ransomware noting it is shipped as a JS file and uses the CryptoJS library for AES encryption.

“RAA is currently being distributed via emails as attachments that pretend to be doc files and have names like mgJaXnwanxlS_doc_.js,” Abrams says.

“When the JS file is opened it will encrypt the computer and then demand a ransom of about US$250 to get the files back.

“To make matters worse, it will also extract the embedded password stealing malware called Pony from the JS file and install it onto the victim’s computer.”

The ransomware launches a word document that appears to be corrupted, and serves to distract users while the malware encrypts files.

Microsoft in April warned of a spike in malicious JavaScript email attachments shortly before virus writers behind Locky sent their ransomware in that format.

Trend Micro researchers say Locky and RAA also use JavaScript files as malware downloaders, which obtain and install further malware.

“The RAA ransomware is considered unique because it’s rare to see client-side malware written in web-based languages like JavaScript, which are primarily designed to be interpreted by browsers,” they say. “… users are advised to avoid opening attachments with the filenames mentioned above, even if they’re enclosed in a .zip archive.”

No means yet exist for free decryption.

Rule of thumb, do not open attachments unless you are absolutely sure the sender is valid and actually sending you something for which you asked.

We receive many emails with malware attachments from ***known*** users because they are irresponsible and do not secure their passwords or systems with strong passwords and anti-malware software. So even if you recognize the sender, do not assume it is safe.
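The advice above boils down to a mail-gateway check: flag script attachments whose names are dressed up as documents (the article's sample is mgJaXnwanxlS_doc_.js), and look inside .zip archives as well, since the Trend Micro note says the lure may arrive zipped. The following is an added example, not code from the article or from any of the researchers it quotes; the extension list beyond ".js" and the document tokens are assumptions, and the sample attachments are constructed.

```python
import io
import zipfile

# Extensions that Windows Script Host executes when an attachment is double-clicked.
# Only ".js" is named in the article; the others are added here as an assumption.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}
# Document-like tokens a script name may carry to pass as a document (assumed list).
DOC_TOKENS = ("doc", "docx", "pdf", "xls", "invoice")


def classify_attachment(name):
    """Return a reason string if the filename is a script attachment, else None.

    Names such as "mgJaXnwanxlS_doc_.js" get the stronger "disguised as document" verdict.
    """
    lower = name.lower()
    dot = lower.rfind(".")
    ext = lower[dot:] if dot != -1 else ""
    if ext not in SCRIPT_EXTENSIONS:
        return None
    stem = lower[:dot]
    # Normalise separators so "mgjaxnwanxls_doc_" yields the token "doc".
    tokens = [t for t in stem.replace("-", "_").replace(".", "_").split("_") if t]
    if any(t in DOC_TOKENS for t in tokens):
        return f"script {ext} disguised as document ({name})"
    return f"script attachment {ext} ({name})"


def scan_attachments(attachments):
    """attachments: list of (filename, bytes). Returns a list of findings.

    Zip archives are opened in memory and their member names are classified too,
    so a zipped lure is reported rather than waved through.
    """
    findings = []
    for name, data in attachments:
        if name.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for inner in zf.namelist():
                        reason = classify_attachment(inner)
                        if reason:
                            findings.append(f"inside {name}: {reason}")
            except zipfile.BadZipFile:
                # A .zip that does not parse is itself suspicious; report it.
                findings.append(f"unreadable zip attachment ({name})")
            continue
        reason = classify_attachment(name)
        if reason:
            findings.append(reason)
    return findings


def build_sample_zip(inner_name):
    """Constructed sample: a zip archive holding one harmless placeholder file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, "// constructed placeholder, not malware")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample attachments; the first filename is the one quoted in the article.
    sample = [
        ("mgJaXnwanxlS_doc_.js", b"// constructed"),
        ("quarterly_report.docx", b"PK..."),
        ("archive.zip", build_sample_zip("invoice_pdf_.js")),
    ]
    for line in scan_attachments(sample):
        print(line)
```

The check keys on the real extension rather than on the name's middle, because the lure's trick is a document-looking stem in front of a script suffix; a genuine .docx is never flagged. Extending the token list or blocking script extensions outright is a policy choice for the gateway owner.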


Google IMAP losing old security protocols this month

Quote

Google’s ongoing elimination of the antediluvian SSLv3 and RC4 protocols is taking another step on June 16.
From that date, Gmail’s IMAP and POP services will join its SMTP services in rejecting connections using those protocols.
Recognising, perhaps, that not everybody’s been paying attention, Mountain View is giving users and sysadmins time to adjust. It may take “longer than 30 days for users to be fully restricted from connecting” using clients that still run those protocols, the company’s announcement states.
However, most clients already support more modern TLS versions.
Beyond the deprecation date, sysadmins will start to see errors if they try running SSLv3 or RC4 in connection, and app developers are likewise warned they need to push out upgrades.
It’s been a year since the IETF put a bolt into the skull of SSLv3, issuing RFC 7568 as a not-so-gentle reminder to the industry.
And as a cipher, RC4 has been a dead duck for years.
So if your favourite mail app tells you “upgrade now”, you might want to ask why they’ve taken so long.

Took long enough!
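For a mail client or script that talks to Gmail's IMAP service, the practical question is whether it can still fall back to SSLv3 or an RC4 cipher. The snippet below is an added example, not code from the article or from Google: it builds a TLS context that refuses both and includes a small self-check so an administrator can confirm a context before using it. The IMAP host and port are assumed from Gmail's documented IMAP-over-TLS endpoint, and the network connection itself is not exercised here.

```python
import imaplib
import ssl

IMAP_HOST = "imap.gmail.com"  # assumed endpoint; the article names only "Gmail's IMAP"
IMAP_PORT = 993


def hardened_context():
    """TLS client context that cannot negotiate SSLv3 (or SSLv2/TLS 1.0/1.1) and has no RC4 suites."""
    ctx = ssl.create_default_context()
    # Floor the protocol version; SSLv3 sits below TLS 1.0 and is therefore excluded.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher string: strong suites only, with RC4 and other weak families removed.
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!RC4:!MD5:!DES:!3DES")
    return ctx


def weak_algorithms_enabled(ctx):
    """Return the subset of {'SSLv3', 'RC4'} that the given context would still allow."""
    weak = set()
    if ctx.minimum_version <= ssl.TLSVersion.SSLv3:
        weak.add("SSLv3")
    if any("RC4" in suite["name"] for suite in ctx.get_ciphers()):
        weak.add("RC4")
    return weak


def connect_imap(host=IMAP_HOST, port=IMAP_PORT):
    """Open an IMAP-over-TLS session using the hardened context (makes a network call)."""
    return imaplib.IMAP4_SSL(host, port, ssl_context=hardened_context())


if __name__ == "__main__":
    ctx = hardened_context()
    print("minimum TLS version:", ctx.minimum_version.name)
    print("weak algorithms still enabled:", weak_algorithms_enabled(ctx) or "none")
```

The self-check reads the context's own minimum version and cipher list rather than probing the server, so it answers "could this client ever offer SSLv3 or RC4" without depending on what Google happens to accept on a given day.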


Guilty till Proven Innocent

Quote

Oklahoma Highway Patrol officers can now seize funds from prepaid debit cards, without requiring a warrant or criminal charges.

The Electronic Recovery and Access to Data (ERAD) device can be used in the field, enabling officers to quickly drain cards found in vehicles or on drivers and passengers. Officers must merely establish a “reasonable suspicion” that a crime is being committed.

To get the money back, or counter initial suspicions, individuals must prove the money was obtained legitimately.

Civil-rights advocates claim officers frequently abuse the system and take money from law-abiding citizens. In many states, courts have agreed that “innocent until proven guilty” protects individuals, but not their possessions.

Raising further concerns, the company that owns the patent for the device, ERAD Group, receives a 7.7-percent cut of any funds seized using the tools. A larger portion can find its way back to police departments for new gear and other expenses, creating a potential conflict of interest.

“This is a capability that law enforcement has never had before and one that is very likely to land [Oklahoma’s Department of Public Safety] in litigation,” opined ACLU Oklahoma legal director Brady Henderson.

The United Police States. What a disgrace. How can we continue to hold this country as a model of freedom to the world and allow this?


Google to kill passwords on Android, replace ’em with ‘trust scores’

Quote

Bad idea – basically adds new features for google to identify you, track you, and sell your private info to their empire. Yeah, I need protection from Google, not protection from them.

Google is planning to use “trust scores” to kill off traditional passwords on Android.

The internet giant wants to get rid of password logins, at least for Android apps, by 2017. Google outlined its plans at its I/O conference last week.


Chrome trumps all comers in reported vulnerabilities

Quote

More vulnerabilities were discovered in Google Chrome last year than any other piece of core internet software – that’s according to research that also found 2014 clocked record numbers of zero-day flaws.

The Secunia Vulnerability Review 2015 report [PDF] is built on data harvested by the company’s Personal Software Inspector tool residing on “millions” of customer end points, each with an average of 76 installed applications.

It said the Chocolate Factory’s web surfer had more reported vulnerabilities than Oracle Solaris, Gentoo Linux, and Microsoft Internet Explorer, which rounded out the top four among the analysed core products. … Chrome leads the browser pack with 504 reported vulnerabilities, followed by Internet Explorer with 289 and Firefox with 171. Some 1035 flaws were reported across all browsers including Opera and Safari, up from 728 in 2013.

Wait, but isn’t Google itself a threat?


Microsoft adds ‘non-security updates’ to security patches

Quote

The line between functional software and advertising junk is getting more blurred. Anyone else need a reasons to avoid Micro$oft?

MS16-023, billed as a “Security update for Internet Explorer” and issued on March 8, includes six “General distribution release (GDR) fixes”.

Five are innocuous as they address glitches like “Empty textarea loses its closing tag in Internet Explorer 11 after conversion from XML to HTML.”

But the last item on the list, item 3146449, has the rather more interesting title “Updated Internet Explorer 11 capabilities to upgrade Windows 8.1 and Windows 7.”

Only once you visit 3146449’s knowledge base page will you find the following explanation for the patch:

This update adds functionality to Internet Explorer 11 on some computers that lets users learn about Windows 10 or start an upgrade to Windows 10.


Big data breaches found at major email services

Quote

Hold Security, a Wisconsin-based security firm famous for obtaining troves of stolen data from the hacking underworld, announced that it had persuaded a fraudster to give them a database of 272m unique email addresses along with the passwords consumers use to log in to websites. The escapade was detailed in a Reuters article.

It might sound bad, but it is also easily mitigated.

The passwords and email addresses, which include some from Gmail, Yahoo and Russia’s mail.ru service, aren’t necessarily the keys to millions of email accounts. Rather, they had been taken from various smaller, less secure websites where people use their email addresses along with a password to log in.

People who use a different password for both their email account and, say, Target.com, won’t be affected. But those who tend to use the same password for multiple sites as well as their email should change their email password.

“Some people use one key for everything in their house,” Hold Security founder Alex Holden says. “Some people have a huge set of keys that they use for each door individually.”

Holden said there is no way for consumers to check if their emails were included in his firm’s latest find. In 2014, when his firm tried to set up such a service after obtaining a billion hacked login credentials, his site crashed.

Sad to say, despite all the tools available like password databases, people are really stupid when it comes to passwords. The takeaway from this is that you need to use a different password for each site. If the site allows it, use a different user name also. There is no excuse.


Kuwaiti Government will DNA Test Everyone

Quote

There’s a new law that will enforce DNA testing for everyone: citizens, expatriates, and visitors. They promise that the program “does not include genealogical implications or affects personal freedoms and privacy.”

I assume that “visitors” includes tourists, so presumably the entry procedure at passport control will now include a cheek swab. And there is nothing preventing the Kuwaiti government from sharing that information with any other government.

Despicable


United Air – Very Late Arrival at Security

Quote

United Airlines has renovated the security on its frequent flyer scheme “MileagePlus” by requiring users to answer one of five security questions and enter a password when they log on.
The airline sent emails to customers requesting they update their security from weak, short PINs to complex passwords.
The new codes require two special characters, a number, and five letters to reach the minimum of what United deems a strong password.
United customers will still need to use their PINs when they ring United customer contact centres until the changes are complete.
Users have 30 days to make the changes.
Five pull-down security questions need to be filled from pre-selected answers, reducing the chance users will lock themselves out. Those whose childhood dreams were journalism and to play the Huang won’t find their answers within, however.



Lenovo’s file-sharing app uses hardwired password ‘12345678’ … or no password at all

Quote

Lenov-LOL!

Lenovo ShareIT users, get patching: the PC maker’s file-sharing app is pretty much unsecured.

The software runs on Windows and Android devices, and creates a Wi-Fi hotspot allowing data to be exchanged – from phone to PC, PC to phone, etc. But the wireless network is pretty much unsecured on both platforms.

In ShareIT for Windows, the Wi-Fi uses “12345678” as a hardcoded password, while in Android, there’s no password at all. If someone logs into the Wi-Fi hotspot on Windows, they can browse, but not download, files on the machine.

Core Security, which found the design flaw, also notes that file transfers in Windows and Android aren’t encrypted. If an attacker was logged into the hotspot on either side of a file transfer, traffic sniffing would yield a copy of the transfer.

The vulnerable versions are ShareIT for Windows version 2.5.1.1 and ShareIT for Android 3.0.18_ww. The bugs are designated CVE-2016-1489, CVE-2016-1490, CVE-2016-1491, and CVE-2016-1492.

Lenovo’s latest versions are available here. Get ’em.

That’s not the only issue. Their machines have come through with so much crapware lately that out of the box they are slower than the old XP machines we are replacing.

