Crack Mike Tyson’s Punch Out Bang Bang Passwords

[Bisqwit] has feelings about games that use exclamation points in his idiosyncratic walkthrough of all the nuances of the passwords in the famous Punch Out Bang Bang.

As he states in his deeply weird (though in no way wrong) channel intro, when he’s not driving a bus or teaching Israeli dance, he works hard to understand the things around him. Naturally, a mysterious phone number shaped set of digits in a favorite game was a secret worth extracting.

The digits can represent every possible state in the game. It uses a pretty simple decoding and encoding scheme, which he walks through. As he says, it all becomes clear when you can see the source code.

After working through all the quirks he is able to arbitrarily generate any state in the game and handle the exceptions (such as Nintendo USA’s phone number). You can see all his code here and try it out for yourself. Video after the break.

We’ve grown to respect [Bisqwit] as the explainer of all things console games. You will like his explanation of how to write a code emulator for an NES CPU.


Botnet Recall of Things

After a tough summer of botnet attacks by Internet-of-Things things came to a head last week, taking down many popular websites for folks in the eastern US, more attention has finally been paid to what to do about this mess. We’ve wracked our brains, and the best we can come up with is that it’s the manufacturers’ responsibility to secure their devices.

Chinese DVR manufacturer Xiongmai, predictably, thinks that the end-user is to blame, but is also consenting to a recall of up to 4.3 million (corrected from 300 million) of their pre-2015 vintage cameras — the ones with hard-coded factory default passwords. (You can cut/paste the text into a translator and have a few laughs, or just take our word for it. The company’s name gets mis-translated frequently throughout as “male” or “masculine”, if that helps.)

Xiongmai’s claim is that their devices were never meant to be exposed to the real Internet, but rather were designed to be used exclusively behind firewalls. That’s apparently the reason for the firmware-coded administrator passwords. (Sigh!) Anyone actually making their Internet of Things thing reachable from the broader network is, according to Xiongmai, being irresponsible. They then go on to accuse a tech website of slander, and produce a friendly ruling from a local court supporting this claim.

Whatever. We understand that Xiongmai has to protect its business, and doesn’t want to admit liability. And in the end, they’re doing the right thing by recalling their devices with hard-coded passwords, so we’ll cut them some slack. Is the threat of massive economic damage from a recall of insecure hardware going to be the driver for manufacturers to be more security conscious? (We kinda hope so.)

Meanwhile, if you can’t get enough botnets, here is a trio of recent articles (one, two, and three) that are all relevant to this device recall.

Via threatpost.

Microsoft Live Account Credentials Leaking From Windows 8 And Above

Discovered in 1997 by Aaron Spangler and never fixed, the WinNT/Win95 Automatic Authentication Vulnerability (IE Bug #4) is certainly an excellent vintage. In Windows 8 and 10, the same bug has now been found to potentially leak the user’s Microsoft Live account login and (hashed) password information, which is also used to access OneDrive, Outlook, Office, Mobile, Bing, Xbox Live, MSN and Skype (if used with a Microsoft account).


LastPass Happily Forfeits Passwords to Simple Javascript

LastPass is a great piece of software when it comes to convenience, but a recent simple hack shows just how insecure software like it can be. [Mathias Karlsson] nabbed a nice $1000 bounty for its discovery.

LastPass’s auto-fill works by injecting some HTML into the website you’re visiting. It runs a bit of JavaScript to parse the URL. However, the parsing script was laughably vague. By changing the URL of the page, inserting a few meaningless-to-the-server slugs into the URL, an attacker could get LastPass to give them a password and username combo for any website.

The discussion in the HackerNews comment section more or less unanimously agreed that most systems like this have their glaring flaws, but that the overall benefits of having secure passwords generated and managed by software were still worth the risk when compared to having a few commonly reused passwords over multiple sites.

One could get a more secure key manager by using software like KeePass, but it’s missing some of the convenience factor of remote-based services and relies on a user protecting their key files adequately.

Still, as scary as they are, openly discussing hacks like this after responsible disclosure is good because it forces companies like LastPass, who have some very big name clients, to take their code review and transparency more seriously.

Hackaday Prize Entry: A Very Small Password Keeper

One of the more popular security builds in recent memory is USB password vaults. These small thumb drive-sized devices hold all the passwords you have to deal with, and are locked behind an authentication code on the drive itself. For their Hackaday Prize entry, [Miguel] and [Noel] asked how inexpensively one of these devices could be made. The answer, coming in the form of their Memtype project, is very inexpensively.

The Memtype project is based on the cheapest and most simplistic USB implementation on the planet. It’s built around an ATtiny85 and V-USB’s software-only implementation of a USB keyboard, requiring only a few resistors and diode in addition to the ‘tiny85 itself.

The device can only be unlocked with a four-digit PIN, input through the clever use of a small SMD joystick. After inputting the correct code, the Memtype grants the user access to all the stored passwords. As far as security goes, [Miguel] and [Noel] have implemented NOEKEON in assembly; however, it should be noted that all security is weaker than a pipe wrench. For managing the passwords, [Miguel] and [Noel] built a small, simple GUI app to set the PIN and write credentials to the device.

[Miguel] and [Noel] already have a demo video up for the Memtype; you can check that out below.


Coolest, but Least Secure, Security Device

[Matikas] apparently forgets to lock the screen on his computer when he gets up to grab a coffee. And he apparently works with a bunch of sharks: “If you don’t [lock it], one of your colleagues will send email to the whole company that you invite them to get some beer (on your bill, of course).” Not saying we haven’t done similar, mind you. Anyway, forgetting to lock your screen in an office environment is serious business.

So [Matikas] built a great system that remotely types the keystrokes to lock his screen, or unlock it with his password. An off-the-shelf 433 MHz keyfob is connected to an Arduino Micro that simulates a keyboard attached to his computer. It’s a simple system, but it’s a great effect. (See the video demo, below.)


TP-LINK’s WiFi Defaults to Worst Unique Passwords Ever

This “security” is so outrageous we had to look for hidden cameras to make sure we’re not being pranked. We don’t want to ruin the face-palming realization for you, so before clicking past the break look closely at the image above and see if you can spot the exploit. It’s plain as day but might take a second to dawn on you.

The exploit was published on [Mark C.’s] Twitter feed after waiting a couple of weeks to hear back from TP-LINK about the discovery. They didn’t respond so he went public with the info.
