This Week In Security: CVSS 4, OAuth, And ActiveMQ

We’ve talked a few times here about the issues with the CVSS system. We’ve seen CVE farming, where a moderate issue, or even a non-issue, gets assigned a ridiculously high CVSS score. There are times a minor problem in a library is a major problem in certain use cases, and not an issue at all in others. And with some of those issues in mind, let’s take a look at the fourth version of the Common Vulnerability Scoring System.

One of the first tweaks to cover is the de-emphasis of the base score. Version 3.1 did have optional metrics that were intended to temper the base score, but this revision has beefed that idea up with Threat Metrics, Environmental Metrics, and Supplemental Metrics. These are an attempt to measure how likely it is that an exploit will actually be used. The various combinations have been given names. Where CVSS-B is just the base metric, CVSS-BT is the base and threat scores together. CVSS-BE is the mix of base and environmental metrics, and CVSS-BTE is the combination of all three.

Another new feature is multiple scores for a given vulnerability. A problem in a library is first considered in a worst-case scenario, and the initial base score is published with those caveats made clear. And then for each downstream program that uses that library, a new base score should be calculated to reflect the reality of that case.
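As an added example (not from the post), the naming scheme above can be derived mechanically from a CVSS v4.0 vector string: whichever of the Threat and Environmental groups carries a value other than "X" (Not Defined) decides whether the result is CVSS-B, -BT, -BE or -BTE. Supplemental metrics never change the name.

```python
# Added example: determine the CVSS v4.0 nomenclature from a vector string.
# Metric names and allowed base values follow the CVSS v4.0 specification.

BASE = {
    "AV": set("NALP"), "AC": set("LH"), "AT": set("NP"), "PR": set("NLH"),
    "UI": set("NPA"), "VC": set("HLN"), "VI": set("HLN"), "VA": set("HLN"),
    "SC": set("HLN"), "SI": set("HLN"), "SA": set("HLN"),
}
THREAT = {"E"}
ENVIRONMENTAL = {"CR", "IR", "AR", "MAV", "MAC", "MAT", "MPR", "MUI",
                 "MVC", "MVI", "MVA", "MSC", "MSI", "MSA"}
SUPPLEMENTAL = {"S", "AU", "R", "V", "RE", "U"}
KNOWN = BASE.keys() | THREAT | ENVIRONMENTAL | SUPPLEMENTAL


def parse_vector(vector: str) -> dict:
    """Split a CVSS:4.0 vector into {metric: value}; the base group is mandatory."""
    prefix, _, body = vector.partition("/")
    if prefix != "CVSS:4.0":
        raise ValueError("not a CVSS v4.0 vector")
    metrics = {}
    for part in body.split("/"):
        name, _, value = part.partition(":")
        if name not in KNOWN or name in metrics:
            raise ValueError(f"unknown or duplicate metric: {part}")
        metrics[name] = value
    for name, allowed in BASE.items():
        if metrics.get(name, "") not in allowed:
            raise ValueError(f"missing or invalid base metric {name}")
    return metrics


def nomenclature(vector: str) -> str:
    """Return CVSS-B, CVSS-BT, CVSS-BE or CVSS-BTE for the given vector."""
    m = parse_vector(vector)
    # A group counts as "used" only if at least one of its metrics is not "X".
    has_threat = any(m.get(k, "X") != "X" for k in THREAT)
    has_env = any(m.get(k, "X") != "X" for k in ENVIRONMENTAL)
    return "CVSS-B" + ("T" if has_threat else "") + ("E" if has_env else "")
```

A library's published worst-case vector (CVSS-B) and the same vector with a downstream consumer's modified metrics appended (for example `/MAV:L/MPR:H`) will therefore carry different names, which is exactly the distinction the new scheme is meant to make visible.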

This Week In Security: Signal, WhatsApp, Oauth Fishing, And More State-Sponsored Attacks

A bug was recently fixed in Signal that allowed a caller to force a call connection without any user interaction on the receiving side. We’ve seen this sort of problem in other chat applications, most recently the Zoom debacle.

The Signal client uses the same function to connect an outgoing call as an incoming call. This bit of code re-use allows a malicious client to initiate a call, and then send the “Accept Call” message. Because of the code re-use, this message triggers the same code as the accept call button on the receiving side. It’s as if the attacker uses reverse psychology to trick the other client into connecting.

It seems this bug only affected the Android client, and didn’t trigger a video call. It’s unclear whether the bug was discovered and exploited before it was fixed, but now that it has been announced, be sure to get Signal up to date.
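To make the class of bug concrete, here is an added toy call-signaling state machine (not Signal's code, and the message names are assumptions). The vulnerable handler routes a remote “accept” through the same connect path as the local Accept button; the hardened handler only honours an accept for a call this side placed, which is the check a defender wants in any signaling code that shares paths between directions.

```python
# Added example: a toy call state machine showing why a shared "connect" path
# must still be gated on call direction. Not Signal's implementation.
import enum


class State(enum.Enum):
    IDLE = "idle"
    RINGING_IN = "ringing_in"    # peer offered, waiting for the local user
    RINGING_OUT = "ringing_out"  # we offered, waiting for the peer's user
    CONNECTED = "connected"


class Call:
    def __init__(self, strict: bool):
        self.state = State.IDLE
        self.strict = strict      # True = hardened behaviour
        self.media_open = False   # stands in for "microphone is live"

    def _connect(self):
        """Shared code path used for both outgoing and incoming calls."""
        self.media_open = True
        self.state = State.CONNECTED

    def place_call(self):
        if self.state is State.IDLE:
            self.state = State.RINGING_OUT

    def local_accept(self):
        """The user pressed the Accept button."""
        if self.state is State.RINGING_IN:
            self._connect()

    def on_message(self, kind: str):
        """Handle a signaling message from the peer ("offer" or "accept")."""
        if kind == "offer" and self.state is State.IDLE:
            self.state = State.RINGING_IN
        elif kind == "accept":
            if self.strict:
                # Only the callee may accept, so a remote accept is valid
                # solely for a call that this side placed.
                if self.state is State.RINGING_OUT:
                    self._connect()
            elif self.state in (State.RINGING_IN, State.RINGING_OUT):
                # Bug: the peer's "accept" lands on the same code as our button.
                self._connect()


def unsolicited_accept_opens_media(strict: bool) -> bool:
    """Regression check: does offer followed by the peer's own accept open media?"""
    call = Call(strict)
    call.on_message("offer")
    call.on_message("accept")
    return call.media_open
```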

Using Gmail With OAUTH2 In Linux And On An ESP8266

One of the tasks I dread is configuring a web server to send email correctly via Gmail. The simplest way of sending emails is SMTP, and there are a number of scripts out there that provide a simple method to send mail that way with a minimum of configuration. There’s even PHP mail(), although it’s less than reliable.

Out of the box, Gmail requires OAUTH2 for authentication and to share user data, which has the major advantage of not requiring that you store your username and password in the application that requires access to your account. While they have an ‘allow less secure apps’ option that allows SMTP access for legacy products like Microsoft Outlook, it just doesn’t seem like the right way forward. Google documents how to interact with their API with OAUTH2, so why not just use that instead of putting my username and password in plaintext in a bunch of prototypes and test scripts?

Those are the thoughts that run through my head every time this comes up for a project, and each time I’ve somehow forgotten the steps to do it, also forgotten to write it down, and end up wasting quite a bit of time due to my own foolishness. As penance, I’ve decided to document the process and share it with all of you, and then also make it work on an ESP8266 board running the Arduino development environment.
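As an added example of the approach the post argues for (not the author's own script), the helpers below authenticate to Gmail's SMTP server with OAuth2 via the XOAUTH2 SASL mechanism instead of a stored password. They assume a client ID, client secret and refresh token obtained from Google's OAuth consent flow and supplied through environment variables; the token fetch is injectable so everything but the final send runs offline.

```python
# Added example: Gmail SMTP with OAuth2 (XOAUTH2) instead of a plaintext password.
# Assumes GMAIL_CLIENT_ID, GMAIL_CLIENT_SECRET and GMAIL_REFRESH_TOKEN in the
# environment, obtained once through Google's consent flow.
import base64, json, os, smtplib, urllib.parse, urllib.request

TOKEN_URL = "https://oauth2.googleapis.com/token"


def refresh_request(client_id: str, client_secret: str, refresh_token: str) -> bytes:
    """Form body that trades a long-lived refresh token for a short-lived access token."""
    return urllib.parse.urlencode({
        "client_id": client_id, "client_secret": client_secret,
        "refresh_token": refresh_token, "grant_type": "refresh_token"}).encode()


def xoauth2_string(user: str, access_token: str) -> str:
    """Base64 initial client response for AUTH XOAUTH2."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()


def decode_xoauth2(encoded: str) -> dict:
    """Inverse of xoauth2_string, useful when inspecting a failed handshake."""
    fields = base64.b64decode(encoded).decode().rstrip("\x01").split("\x01")
    return dict(field.split("=", 1) for field in fields)


def get_access_token(fetch=None, env=os.environ) -> str:
    """Exchange the refresh token; secrets come from the environment, not from source."""
    body = refresh_request(env["GMAIL_CLIENT_ID"], env["GMAIL_CLIENT_SECRET"],
                           env["GMAIL_REFRESH_TOKEN"])
    if fetch is None:  # default: real HTTPS POST to Google's token endpoint
        def fetch(data):
            req = urllib.request.Request(TOKEN_URL, data=data, method="POST")
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.read()
    return json.loads(fetch(body))["access_token"]


def send_mail(user: str, to: str, subject: str, text: str, access_token: str):
    """Send one plain-text message over STARTTLS using the bearer token."""
    with smtplib.SMTP("smtp.gmail.com", 587) as s:
        s.starttls()
        code, msg = s.docmd("AUTH", "XOAUTH2 " + xoauth2_string(user, access_token))
        if code != 235:  # 235 = authentication succeeded
            raise RuntimeError(f"XOAUTH2 auth failed: {code} {msg!r}")
        s.sendmail(user, [to], f"From: {user}\r\nTo: {to}\r\nSubject: {subject}\r\n\r\n{text}")
```

Access tokens expire after about an hour, so call `get_access_token` just before `send_mail` rather than caching the result across runs.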


Control Nest Devices With Amazon Echo

[ZPriddy] was looking for a way to control his Nest thermostats with Amazon Echo. He didn’t want to settle for using AWS or some other hosted service. [ZPriddy] wanted something that he could host and manage completely on his own. The end result is what he calls EchoNestPy.

[ZPriddy] started by learning how to use the Alexa Skills Kit (ASK). ASK is the official SDK that allows enthusiasts to add functionality to their Amazon Echo. Unfortunately for [ZPriddy], most of the example code he found was designed to be used on Amazon Lambda, but that didn’t stop him. After finding a few examples of Amazon Echo requests and responses, he was on his way.

[ZPriddy] chose to implement a simple web server using Flask. The web server listens for the Amazon requests and responds appropriately. It also uses OAuth2 authentication to ensure some level of security. The server is capable of synchronizing the temperature of multiple Nest devices in the same home, but it can also increment or decrement the temperature across the board. This is accomplished with some simple voice commands such as “Tell Nest that I’m a little bit chilly”. If you like Amazon Echo hacks, be sure to check out this other one for controlling WeMo devices.

Tuitwall Uses PHP-fed Arduino To Display Tweets

[Santiago] recently completed this project which he calls Tuitwall. It will display your Twitter feed on an LED matrix. The method he used to put it together will come in handy for any project where you need to scrape information from the Internet.

The project does require a server in addition to the Arduino hardware seen above. On the Arduino side [Santiago] uses an Ethernet shield and an LED matrix which is addressed via SPI. The server is running a PHP script which takes advantage of the twitteroauth library to handle authentication.

There’s a little bit of configuration to be done, most of it having to do with how Twitter handles 3rd party applications. But once everything is set up you can take the hardware with you and plug it into any network (as long as it offers DHCP). With this framework as a guide it’s a snap to bend it to your will. It could be used as an RSS reader, time and temperature, server farm status, a prank ticker displaying fake headlines, etc.