NEWS - November 16, 2015

BadBarcode: Poisoned barcodes can be used to take over systems

Researchers from Tencent's Xuanwu Lab have proved that a specially crafted barcode can be used to execute commands on a target system, saddle it with malware, or perform other malicious operations.

Yang Yu, the founder of the Lab, and his colleague Hyperchem Ma, who did most of the work and presented it at PacSec 2015 held last week in Tokyo, have demonstrated how the fact that most barcodes also contain ASCII characters can be exploited to do things like open a shell and execute commands in it. [...]

Many barcode scanners are keyboard emulation devices. The ASCII characters in the BadBarcode - as the attack has been dubbed by the researchers - are there to make the barcode reader "press" the system's combinations keys (e.g. Ctrl) and other keys that make hotkeys (e.g. CTRL+0), effectively activating a particular function.


One BadBarcode Spoils Whole Bunch
Hackers could use BadBarcode to launch attacks on systems
Discussion is locked
Reply to: NEWS - November 16, 2015
PLEASE NOTE: Do not post advertisements, offensive materials, profanity, or personal attacks. Please remember to be considerate of other members. If you are new to the CNET Forums, please read our CNET Forums FAQ. All submitted content is subject to our Terms of Use.
Reporting: NEWS - November 16, 2015
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
- Collapse -
Flaw in the Android Gmail app opens to email spoofing attack

"A security loophole in the official Gmail Android app opens the email spoofing attacks allowing anyone to change the sender email name."

The independent security researcher Yan Zhu has discovered a serious security issue in the Gmail Android app allows ill-intentioned to send an email pretending to be someone else. Clearly a similar loophole could represent a gift for phishers and scammers, the issue dubbed Email Spoofing, enable the forgery of an e-mail header so that the email appears to have originated from someone else than the legitimate sender.

In a classic email spoofing attack, threat actors need an SMTP (Simple Mail Transfer Protocol) server to send the email and a mailing application.

The researchers Yan Zhu, discovered a flaw in the Gmail Android app that allowed her to change her display name in the account settings so that the final recipient will not be able to know the identity of the email sender.


Related :
Bug in Android Gmail app allows effective email spoofing
Gmail Android App Lets Anyone Fake Their Email Address with Incredible Ease

- Collapse -
Linux.Encoder.1 Ransomware Spreads to 3,000 Websites

The Linux.Encoder.1 ransomware, a special strand that has a taste for Web hosting and source code repositories, has managed to spread to almost 3,000 websites, despite being highly publicized in the media.

The ransomware that spreads only to Linux operating systems has been seen only targeting specific OS distributions, the ones set up to handle Web traffic.

According to Dr.Web, the Russian security vendor who first detected it, the ransomware infects websites via known security vulnerabilities in common CMS solutions. Dr.Web's staff has seen infections commonly affect WordPress and Magento installations.

Because the ransomware leaves a txt file on all infected machines, and since it targets Web hosting environments, a quick Google search reveals that today, at the moment of this article, Linux.Encoder.1 has infected at least 2,920 hosts. Dr.Web previously reported over 2,000 targets only three days ago.


Linux ransomware spreading faster than initial reports
Linux ransomware rising? Linux.Encoder.1 now infects thousands of websites

- Collapse -
Beware of ads that use inaudible sound to link your phone,
.. TV, tablet, and PC

"Privacy advocates warn feds about surreptitious cross-device tracking."

Privacy advocates are warning federal authorities of a new threat that uses inaudible, high-frequency sounds to surreptitiously track a person's online behavior across a range of devices, including phones, TVs, tablets, and computers.

The ultrasonic pitches are embedded into TV commercials or are played when a user encounters an ad displayed in a computer browser. While the sound can't be heard by the human ear, nearby tablets and smartphones can detect it. When they do, browser cookies can now pair a single user to multiple devices and keep track of what TV commercials the person sees, how long the person watches the ads, and whether the person acts on the ads by doing a Web search or buying a product.

- Collapse -
Google plans 'not encrypted' user alert for Gmail

"Inter-server technology worries - STARTTLS stripping forces a user's sending machine to skip encryption"

The thorny world of email encryption throws up another spike this month with Google discussing when it will alert users when messages are not encrypted.

According to Google's own Online Security Blog, “To notify our users of potential dangers, we are developing in-product warnings for Gmail users that will display when they receive a message through a non-encrypted connection. These warnings will begin to roll-out in the coming months.”

Continued :

Related: Google wants to add 'not encrypted' warnings to Gmail

- Collapse -
Chipotle Serves Up Chips, Guac & HR Email

The restaurant chain Chipotle Mexican Grill seems pretty good at churning out huge numbers of huge burritos, but the company may need to revisit some basic corporate cybersecurity concepts. For starters, Chipotle’s human resources department has been replying to new job applicants using the domain “” — a Web site name that the company has never owned or controlled.

Translation: Until last week, anyone could have read email destined for the company’s HR department just by registering the domain “”. Worse, Chipotle itself has inadvertently been pointing this out for months in emails to everyone who’s applied for a job via the company’s Web site.

This security oversight by Chipotle was brought to light by reader Michael Kohlman, a professional IT expert who discovered the bug after applying for a job at the food retailer.


CNET Forums