Posted by stuart.gilbertson

Pressing the backspace key 28 times will let you circumvent a locked-down Linux machine researchers at Universitat Politechnica de Valencia recently discovered.

The GRUB bootloader used by most Linux distributions has the option to password protect boot entries. Not only will this prevent tampering but allows you to prevent peripherals such as CDs and USB ports from booting an OS. Without this protection an attacker could boot a system from a live USB key or CD, switching into their preferred operating system to download or access files stored on the machine’s hard drive.

This flaw with Grub2, of which versions 1.98 and 2.02 are affected, means a simple tap of the backspace key 28 times will bring up the prompt usually hidden behind the password screen.

In a security advisory, Marco and Ripoli said the bootloader is used by most Linux distributions, resulting in an “incalculable number of affected devices.” (available here)

An attacker which successfully exploits this vulnerability will obtain a Grub rescue shell. Grub rescue is a very powerful shell allowing to:

• Elevation of privilege: The attacker is authenticated without knowing a valid username nor the password. The attacker has full access to the grub’s console (grub rescue).
• Information disclosure: The attacker can load a customized kernel and initramfs (for example from a USB) and then from a more comfortable environment, copy the full disk or install a rootkit.
• Denial of service: The attacker is able to destroy any data including the grub itself. Even in the case that the disk is ciphered the attacker can overwrite it, causing a DoS.

To quickly check if your system is vulnerable, when the Grub ask you the username, press the Backspace 28 times. If your machine reboots or you get a rescue shell then your Grub is affected.

TalkTalk have once again shown their inability to keep customer data safe. Police are now investigating what TalkTalk term a “significant and sustained cyber-attack” on their website.

Their website currently shows the page above highlighting the fact the website is unavailable right now.

An official statement was released by TalkTalk on 22/10/2015: View Statement in Full.

What the statement doesn’t highlight is what customers of TalkTalk need to do now.

The investigation is ongoing, but unfortunately there is a chance that some of the following data may have been accessed:

• Names
• Addresss
• Dates of birth
• Email addresses
• Telephone numbers
• TalkTalk account information
• Credit card details and/or bank details

TalkTalk have also created a help page here for those who may have been affected: http://help2.talktalk.co.uk/oct22incident

Please be aware, TalkTalk will NEVER call customers and ask you to provide bank details unless we have already had specific permission from you to do so.

Our Managing Director, Stuart Gilbertson, said: “This is the third time TalkTalk have been hacked in a year. Yes, they’re cheap, but is it really worth the hassle and inconvenience to consumers? At what point do we start heavily penalising big corporations for being inept at keeping their systems secure. Once is excusable, but three times really is pushing the boundaries of incompetence.”

On 14th July 2015 Microsoft will cease supporting Server 2003. This means that, going forward, there will be no more updates or patches for the Server Operating System, which will lead to a less stable and less secure server infrastructure for any businesses that choose to continue to use the system after this date.

Any organisation that is still currently using Microsoft Server 2003 needs to put in place a plan of action to migrate to a new server Operating System, or find an alternative IT infrastructure solution.

Edinburgh IT Support consultants, Consider IT, suggest getting in touch and we’ll provide options for moving forward to a secure and reliable solution.

SourceForge is a popular website that offers source-code repository, downloads mirrors, bug tracker and other features. It acts as a centralised location for software developers to control and manage free and open-source software development. What you might know it from is its usefulness in providing downloads of popular software, rather than having to go to the developer’s website to get it.

Since yesterday at least, SourceForge has now since started to distribute adware/malware in certain projects hosted on their site.

NMAP, an open-source network tool used extensively by IT Professionals has been hijacked by SourceForge and the developers have hit back on security notice boards:

Hi Folks! You may have already read the recent news about SourceForge.net hijacking the GIMP project account to distribute adware/malware. Previously GIMP used this Sourceforge account to distribute their Windows installer, but they quit after SourceForge started tricking users with fake download buttons which lead to malware rather than GIMP. Then SourceForge took over GIMP’s account and began distributing a trojan installer which tries to trick users into installing various malware and adware before actually installing GIMP. …

Anyway, the bad news is that SourceForge has also hijacked the Nmap account from me.

Despite promises to avoid deceptive advertisements that trick site visitors into downloading unwanted software and malware onto their computers, these malicious ads are appearing on projects that have been taken over by SourceForge’s anonymous editorial staff.

FileZilla was an early participant in DevShare, SourceForge’s revenue sharing plan for open-source developers. It was supposed to be opt-in only. By allowing SourceForge to wrap downloads in a Web installer that offered up to three different software bundles, open-source projects could generate some cash to support development.

But GIMP never enrolled in DevShare—SourceForge foisted the adware on the project’s Windows installer after taking over the project’s page. On Sunday, the GIMP team issued an official statement through Michael Schumacher, a maintainer of the GIMP website. It said that the GIMP team was never informed of what SourceForge was going to do.

“This was done without our knowledge and permission, and we would never have permitted it,” Schumacher wrote. Furthermore, he noted, the move broke a promise SourceForge made in November 2013: “We want to reassure you that we will never bundle offers with any project without the developers consent.”

SourceForge’s search engine ranking for these projects often makes the site the first link provided to people seeking downloads for code on Google and Bing search results.

Some of the software hosted on SourceForge are as follows:  openoffice, audacity, fedora, firefox, gimp, gnu privacy guard, joomla, libre office, multiwii, neverball, nmap, sqlite, simulationcraft, snort, texworks, transmission, vlc media player, wordpress, recaptcha, apache, mame, mysql, thunderbird.

We suggest avoiding SourceForge for the foreseeable!

PayPal and eBay have fallen out and are splitting up with each other on 1st July 2015. PayPal have published a new set of Privacy Policies that will come into force on the same day.

IF YOU DO NOT AGREE TO THE AMENDED USER AGREEMENT, PRIVACY POLICY OR ACCEPTABLE USE POLICY, YOU MAY CLOSE YOUR ACCOUNT BEFORE JULY 1, 2015 AND YOU WILL NOT BE BOUND BY THE AMENDED TERMS.

PayPal is nice enough to give its customers only two options when it comes to the new terms: begrudgingly accept them or close your account entirely.

There’s a temporary page showing all the new Privacy Policy changes in full with the highlighted points at the top. The top paragraph states several scenarios where PayPal may choose to automatically call or text you:

1. notify you regarding your account
2. troubleshoot problems with your account
3. resolve a dispute
4. collect a debt
5. poll your opinions through surveys or questionnaires
6. contact you with offers and promotions
7. as otherwise necessary to service your account or enforce this User Agreement, our policies, applicable law, or any other agreement we may have with you.

Some of these items are standard and fair, but the ones highlighted in red might start putting some of PayPal’s customers off the idea of using their service completely.

What are your thoughts on this? Pop a comment below!

The ICO has issued South Wales Police with a £160,000 fine for losing a video recording which formed part of the evidence in a sexual abuse case.

Despite the DVDs containing a graphic and disturbing account, the discs were unencrypted and left in a desk drawer.

The recorded interview took place in August 2011 and the loss was discovered by staff after an office move in October 2011 but the security breach then went unreported for nearly two years due to lack of training. Although the DVDs were stored in a secure part of the police station, South Wales Police had no specific force-wide policy in place to deal with the safe storage of victim and witness interviews in its police stations.

A second interview had to be abandoned due to the victim’s distress and the DVDs have still not been recovered. The defendants were eventually convicted in court.

Anne Jones, Assistant Commissioner for Wales said: “Without any doubt we would expect a professional police force, in a position of trust, dealing with this type of highly sensitive information from victims and witnesses on a daily basis to have robust procedures to keep track of the personal data in their care.