SoylentNews is people

posted by cmn32480 on Tuesday October 20 2015, @04:03PM   Printer-friendly
from the not-just-for-windows-anymore dept.

Proving that the more complex the OS, the easier it is to hack, and that root really isn't required to attack a device, a malicious app bypassed Ubuntu Phone security checks to give the attacker full control over the phone.

Luckily, only 15 people are known to have downloaded the app, but one has to wonder: if Ubuntu Phone is already being targeted so successfully in its infancy, what does that bode for when it's a more juicy target?

An educated guess for the unreleased sales statistics can be found on Riccardo Padovani's blog.


  • (Score: 2) by frojack on Tuesday October 20 2015, @10:14PM

    by frojack (1554) on Tuesday October 20 2015, @10:14PM (#252501) Journal

    This attack vector (malware in a distro) has been used already. [zdnet.com]
    Not only in distros but also in commonly used packages, not to mention the Kernel itself [arstechnica.com].

    The long expected explanation of the kernel.org never really materialized as far as I can remember.

    --
    No, you are mistaken. I've always had this sig.
  • (Score: 2) by jmorris on Wednesday October 21 2015, @03:05AM

    by jmorris (4844) on Wednesday October 21 2015, @03:05AM (#252584)

    Not what I'm worried about. Hacking a server hosting a repo isn't nearly as dangerous as somebody with the rights to quietly commit a patchset. Packages are signed so anything other than the machine that signs packages means any damage is going to be limited. I'd suspect the more important distros have protections against poisoning of the source trees by most of the crude smash-and-inject paths. Now imagine what damage could be done by a well-used package that adds evil bits with no smashed security to attract attention. Imagine an httpd that responds to a special query with the private ssh keys. A pam plugin that harvests passwords and makes the file available to the outside when given a crafted query. A kernel with a preinstalled cloaking rootkit that would even survive booting recovery media and verifying the packages against the official signatures.

    Basically any package that has access to trusted info is an obvious candidate, but even unimportant ones run their install scripts as root, so an unimportant one that can be counted on to be installed on the chosen targets is almost as good, maybe better since it will attract fewer eyeballs. Do we really trust both the authors and package maintainers of every Perl module? Every Apache add-on? How many packages are in Debian? Ubuntu Universe? Fedora? And cowsay installs as root. Yeah, that is a problem. Sooner or later... BOOM!