Well, think again. At least if you are using Chrome or Firefox. Don’t believe us? Well, check out Apple new website then, at https://www.apple.com . Notice anything? If you are not using an affected browser you are just seeing a strange URL after opening the webpage, otherwise it’s pretty legit. This is a page to demonstrate a type of Unicode vulnerability in how the browser interprets and show the URL to the user. Notice the valid HTTPS. Of course the domain is not from Apple, it is actually the domain: “https://www.xn--80ak6aa92e.com/“. If you open the page, you can see the actual URL by right-clicking and select view-source.
So what’s going on? This type of phishing attack, known as IDN homograph attacks, relies on the fact that the browser, in this case Chrome or Firefox, interprets the “xn--” prefix in a URL as an ASCII compatible encoding prefix. It is called Punycode and it’s a way to represent Unicode using only the ASCII characters used in Internet host names. Imagine a sort of Base64 for domains. This allows for domains with international characters to be registered, for example, the domain “xn--s7y.co” is equivalent to “短.co”, as [Xudong Zheng] explains in his blog.
Different alphabets have different glyphs that work in this kinds of attacks. Take the Cyrillic alphabet, it contains 11 lowercase glyphs that are identical or nearly identical to Latin counterparts. These class of attacks, where an attacker replaces one letter for its counterpart is widely known and are usually mitigated by the browser:
Continue reading “You Think You Can’t Be Phished?”
It seems the older I get, the density of broken and/or old laptops on my garage grows. That’s one of the reasons it’s interesting to know which projects are being made to bring back to life these things. [zigzagjoe] sent us an interesting project he made out of a Lenovo Yoga 2 motherboard: a pfsense router/firewall.
The laptop was damaged, but the main board was functioning just fine. What started as adding an old Pentium heatsink to it and see how good it would work, escalated to a fully working, WiFi, 4 port gigabyte NIC, 3D printed case firewall. The board had PCI-E via an M.2 A/E key slot for the WiFi module but [zigzagjoe] need a normal PCI-E slot to connect the quad-port NIC. He decided to hand solder the M.2 A/E (WiFi card) to have a PCI-E 1x breakout since his searches for an adapter came out empty or too expensive. For storage, he chose 16GB SanDisk U100 Server half-slim SSD for its power efficiency. Once again, the SSD cable had to be hacked as the laptop originally used a super-slim HDD with a non-standard connector. The enclosure was then designed and 3D printed.
But [zigzagjoe] went further to optimize his brand new router/firewall. On the project documentation, we can see a lot of different modifications went into building it, such as bios modification for new WiFi modules to work, an Attiny85 fan driver for extra cooling, a 45W PSU inside the case and other interesting hacks.
This is not your typical laptop to firewall hack, that’s for sure.
Continue reading “Broken Yoga Becomes Firewall”
Pi Time is a psychedelic clock made out of fabric and Neopixels, controlled by an Arduino UNO. The clock started out as a quilted Pi symbol. [Chris and Jessica] wanted to make something more around the Pi and added some RGB lights. At the same time, they wanted to make something useful, that’s when they decided to make a clock using Neopixels.
Neopixels, or WS2812Bs, are addressable RGB LEDs , which can be controlled individually by a microcontroller, in this case, an Arduino. The fabric was quilted with a spiral of numbers (3.1415926535…) and the actual reading of the time is not how you are used to. To read the clock you have to recall the visible color spectrum or the rainbow colors, from red to violet. The rainbow starts at the beginning of the symbol Pi in the center, so the hours will be either red, yellow, or orange, depending on how many digits are needed to tell the time. For example, when it is 5:09, the 5 is red, and the 9 is yellow. When it’s 5:10, the 5 is orange, the first minute (1) is teal, and the second (0) is violet. The pi symbol flashes every other second.
There are simpler and more complicated ways to perform the simple task of figuring out what time it is…
We are not sure if the digits are lighted up according to their first appearance in the Pi sequence or are just random as the video only shows the trippy LEDs, but the effect is pretty nice:
Continue reading “Pi Time – A Fabric RGB Arduino Clock”
Researchers from the Argus Research Team found a way to hack into the Bosch Drivelog ODB-II dongle and inject any kind of malicious packets into the CAN bus. This allowed them to, among other things, stop the engine of a moving vehicle by connecting to the dongle via Bluetooth.
Drivelog is Bosch’s smart device for collecting and managing your vehicle’s operating data. It allows a user to connect via Bluetooth to track fuel consumption and to be alerted when service is necessary. It was compromised in a two stage attack. The first vulnerability, an information leak in the authentication process, between the dongle and the smart phone application allowed them to quickly brute-force the secret PIN offline and connect to the dongle via Bluetooth. After being connected, security holes in the message filter of the dongle allowed them to inject malicious messages into the CAN bus.
The Bluetooth pairing mechanism, called “Just Works”, has been fixed by Bosh by activating a two-step verification for additional users to be registered to a device. The second issue, the ability for a maliciously modified mobile application to possibly send unwanted CAN messages, will be mitigated with an update to the dongle firmware to further limit the allowed commands that the dongle is able to place on the CAN bus.
Bosch downplays the issue a bit in their statement:
It is important to note that scalability of a potential malicious attack is limited by the fact that such an attack requires physical proximity to the dongle. This means that the attacking device needs to be within Bluetooth range of the vehicle.
The problem is that physical proximity does not equal Bluetooth range. Standard Bluetooth range is about 10m, which is very arguable physical proximity, but it is pretty easy to buy or even modify a Bluetooth dongle with 10x and 100x more range. When adding a wireless connection to the CAN bus of an automobile, the manufacturer has an obligation to ensure the data system is not compromised. This near-proximity example is still technically a remote hack, and it’s an example of the worst kind of vulnerability.
A couple of weeks back a report came out where [Tavis Ormandy], a widely known security researcher for Google Project-Zero, showed how it was possible to abuse Lastpass RPC commands and steal user passwords. Irony is… Lastpass is a software designed to keep all your passwords safe and it’s designed in a way that even they can’t access your passwords, the passwords are stored locally using strong cryptography, only you can access them via a master-key. Storing all your passwords in only place has its downfalls. By the way, there is no proof or suggestion that this bug was abused by anyone, so if you use Lastpass don’t worry just yet.
But it got me thinking, how worried and how paranoid should a regular Internet user should be about his password? How many of us have their account details exposed somewhere online? If you’ve been around long enough, odds are you have at least a couple of accounts on some major Internet-based companies. Don’t go rushing into the Dark Web and try to find if your account details are being sold. The easiest way to get your paranoia started is to visit Have I Been Pwned. For those who never heard about it, it’s a website created by [Troy Hunt], a well-known security professional. It keeps track of all known public security breaches he can get his hands on and provides an answer to a simple question: “Was my account in any major data leak?” Let’s take a look.
Continue reading “Is My Password Safe? Practices for People Who Know Better”
Back in the day, building a DIY radio was fun! We only had to get our hands at a germanium diode, make some coils, and with a resistor and long wire as an antenna maybe we could get some sound out of those old white earplugs. That was back then. Now we have things like the Si4703 FM tuner chip that can tune in FM radio in the 76–108 MHz range, comes with integrated AGC and AFC, controlled by I2C, as well as a bunch of other acronyms which seem to make the whole DIY radio-building process outdated. The challenges of the past resulted in the proven solutions of the present in which we build upon.
This little project by [Patrick Müller] is a modern radio DIY tutorial. With an Arduino Nano as the brains and controller for an Si4703 breakout board, he builds a completely functional and portable FM radio. A small OLED display lets the user see audio volume, frequency, selected station and still has space left to show the current available battery voltage. It has volume control, radio station seek, and four buttons that allows quick access to memorized stations. The source code shows how it is possible to control the Si4703 FM tuner chip to suit your needs.
As for ICs, not everything is new, [Patrick] still used the good old LM386 amp to drive the speaker, which is almost 35 years old by now. As we can listen in the demo video, it can still output some seriously loud
Continue reading “Modern DIY FM radio”
The Cybellum team published a new 0-day technique for injecting code and maintaining persistency on a target computer, baptized DoubleAgent. This technique uses a feature that all Windows versions since XP provide, that allows for an Application Verifier Provider DLL to be installed for any executable. The verifier-provider DLL is just a DLL that is loaded into the process and is supposedly responsible for performing run-time verifications for the application. However, its internal behaviour can be whatever an attacker wants, since he can provide the DLL himself.
Microsoft describes it as:
Application Verifier is a runtime verification tool for unmanaged code. Application Verifier assists developers in quickly finding subtle programming errors that can be extremely difficult to identify with normal application testing. Using Application Verifier in Visual Studio makes it easier to create reliable applications by identifying errors caused by heap corruption, incorrect handle and critical section usage. (…)
The code injection occurs extremely early during the victim’s process initialization, giving the attacker full control over the process and no way for the process to actually detect what’s going on. Once a DLL has been registered as a verifier provider DLL for a process, it would permanently be injected by the Windows Loader into the process every time the process starts, even after reboots, updates, reinstalls, or patches.
So it’s all over for Windows right? Well… no. The thing is, to register this DLL, the registered process has to have administrator rights so it can write the proper key to the Windows Registry. Without these permissions, there is no way for this attack to work. You know, the kind of permissions that allow you to install software for all users or format your own hard-drive. So, although this technique has its merit and can present challenges to processes that absolutely must maintain their integrity (such as the Cybellum team points out in the Anti-Virus software case), some other security flaw had to occur first so you can register this sort of ‘debugging DLL’.
If you already have administrator permissions you can do pretty much what you want, including DLL injection to fool anti-virus software. (Though it might be easy just to disable or remove it.) This new tool has the advantage of being stealthy, but is a 0-day that requires root a 0-day?
[via The Hacker News]