This Week In Security: Fuzzing Fixes, Foul Fonts, TPM Timing Attacks, And More!

An issue was discovered in libarchive through Google’s ClusterFuzz project. Libarchive is a compression and decompression library, widely used in utilities. The issue here is how the library recovers from a malformed archive. Hitting an invalid header causes the memory in use to be freed. The problem is that it’s possible for file processing to continue even after that working memory has been freed, leading to all kinds of problems. So far an actual exploit hasn’t been revealed, but it’s likely that one is possible. The problem was fixed back in May, but the issue was just announced to give time for that update to percolate down to users.

Of note is the fact that this issue was found through Google’s fuzzing efforts. Google runs the oss-fuzz project, which automatically ingests nightly builds from around 200 open source projects and runs ClusterFuzz against them. This process of throwing random data at programs and functions has revealed over 14,000 bugs.
Continue reading “This Week In Security: Fuzzing Fixes, Foul Fonts, TPM Timing Attacks, And More!”

Credit Card Skimmers Evolve – Shimmers Are Here

Credit cards are loaded with security features, but the game of cat and mouse goes on. Nefarious syndicates continue to develop technology to steal data in new and innovate ways. After SparkFun did a teardown on some illicit hardware, they were visited by local law enforcement, who requested their help once more.

[Nick] from SparkFun refers to the device in question as a “shimmer”. It’s intended to be installed inside the chip reader of a credit card terminal, in between the terminal and the user’s credit card. Fabricated on a flexible film PCB, it’s thin enough to glue inside without being obvious even during maintenance.

The investigation begins with identification of the major components on board, followed by attempts to communicate with the device. Unfortunately, the hardware was largely unresponsive, even when connected to a card reader. In an effort to learn more, a schematic was produced. [Nick]’s analysis raised more questions than answers, and the suspicion is that the hardware may have been damaged at some point. However, the basic capabilities of the device are obvious, given the ability of the hardware to interact with a card via its contacts and offload the data through the onboard nRF24L01 radio module.

Thanks to people like [Nick], and earlier work from SparkFun, we all now have a better understanding of the risks when using payment terminals out in the wild. Unfortunately, unless your local gas station is willing to let you spend 20 minutes disassembling their card reader before paying, there’s not a whole lot the individual can do about it. Stay vigilant, and if you’ve got the skinny on a skimmer, drop us a line.

A Radio For The Apocalypse

There’s been a spate of apocalypse related articles over the last few weeks, but when I saw an AM radio made from a hand-wound coil and an oxidized British penny, I couldn’t help but be impressed. We’ve covered foxhole radios, stereotypical radios that are cobbled together from found parts during wartime.

This example uses a variable capacitor for tuning, but that’s technically optional. All that’s really needed is a coil and something to work as a diode. Surprisingly, copper oxide is a semiconductor, and the surface oxidation on a penny is enough to form a rudimentary diode. Though, note, not all pennies have that necessary coating of copper. If a penny has green oxide, it’s likely a candidate.

Need a quickly cobbled together AM radio? Have some wire and a penny? Yeah, watch the video below the break, and you’ll know how to make it happen. When the apocalypse comes, you’ll thank us.

Continue reading “A Radio For The Apocalypse”