If you’ve ever had to use SMD components on tape outside the realm of the automated assembly machines for which they were designed, you’ll know that one tape looks very like another and it can be very annoying to keep track of which is which. We can’t help admiring [Yvo de Haas’] inkjet printer for SMD tapes then, which efficiently prints whatever identifying marks you need on the back of your tapes.
The printer uses the venerable HP45 inkjet cartridge, and teams it with a 3D printed mechanism and [Yvo]’s self-designed driver board. A worm gear motor and a sprocket take care of advancing the tape through the mechanism past the printhead, and there is a well-assembled piece of software to drive it all. With extremely comprehensive build instructions it should be within the reach of anyone who handles component tape, and from our experience of hand-labeling tape for kits we can see that it could be a Godsend. Take a look at it in action in the video below.
For every very clever security protocol that keeps people safe, there’s a stupid hack that defeats it in an unexpected way. Take OAuth, for instance. It’s the technology sites are using when they offer to “log in with Facebook”. It’s a great protocol, because it lets you prove your identity through a trusted third party. You don’t have to set a password at whatever site you’re trying to use; you just need to be logged in to your Google/Facebook/Apple account, and click the button to allow access. If you’re not logged in, the pop-up window prompts for your username and password, which of course is exactly what a phishing page does too. So we tell people to look at the URL, and make sure they are actually signing in to the proper site.
The stupid hack that isn’t stupid, because it works: recreating the browser window in HTML/CSS. Yep, it’s pretty straightforward to add a div to your site and decorate it to look just like a browser window, complete with a fake address bar, just like an OAuth pop-up. In the appropriate place goes an iframe pointing to the actual phishing form. It looks convincing, but once you’re aware of the game, there’s a dead giveaway: try to drag the OAuth window outside the browser window that spawned it. Websites can’t draw outside the browser viewport or over its window decorations, so this limitation makes it easy to confirm whether the hack is in play. The other saving grace is that a password manager isn’t fooled by this trick at all, because it matches saved credentials against the real origin of the document containing the form, not against the address painted in the fake window.
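Here is the origin check that makes a password manager immune to the fake-window trick, as an added example (not code from the original post, and not any particular password manager’s implementation). The vault entries and both scenarios are constructed for the example.

```javascript
// Added example, not code from the original post. Models the check a password
// manager makes before offering to autofill: credentials are keyed by the real
// origin of the document that contains the login form, which a page cannot
// forge, so the address painted inside a fake "popup" carries no weight.

// Constructed vault entries for the example.
const VAULT = [
  { origin: "https://accounts.google.com", user: "alice@example.com" },
  { origin: "https://www.facebook.com", user: "alice" },
];

// Reduce an absolute http(s) URL to its origin (scheme + host + port, with a
// default port dropped). Anything else is rejected.
function originOf(url) {
  const u = new URL(url);
  if (u.protocol !== "https:" && u.protocol !== "http:") {
    throw new Error(`unsupported scheme: ${u.protocol}`);
  }
  return u.origin;
}

// formDocumentUrl: the location the browser reports for the document that
// really contains the form (window.location in a genuine popup, the iframe's
// own location in a browser-in-the-browser fake).
// displayedUrl: the address text the user sees. It is accepted only so the
// call site reads like the user's experience; it is never consulted.
function credentialsFor(formDocumentUrl, displayedUrl) {
  let origin;
  try {
    origin = originOf(formDocumentUrl);
  } catch {
    return [];
  }
  return VAULT.filter((c) => c.origin === origin).map((c) => c.user);
}

// Two scenarios, both constructed:
// 1. A genuine OAuth popup, served by the identity provider.
const GENUINE = credentialsFor(
  "https://accounts.google.com/o/oauth2/v2/auth?client_id=demo",
  "https://accounts.google.com/o/oauth2/v2/auth?client_id=demo",
);
// 2. A fake popup: the page draws Google's address bar in CSS, but the form is
//    an iframe loaded from the attacker's host.
const FAKED = credentialsFor(
  "https://login.evil.example/google-lookalike.html",
  "https://accounts.google.com/o/oauth2/v2/auth?client_id=demo",
);
```

The genuine popup gets an autofill offer; the fake one gets nothing, and so does a lookalike host such as accounts.google.com.evil.example, because matching is on the full origin rather than on a substring of the hostname.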
There’s a typo-squatting campaign going on at NPM, primarily targeted at Azure users. NPM has a packaging feature called “scoped packages”. A scope starts with the at sign, and indicates packages intentionally grouped together. In this case the scope is @azure, including packages like @azure/core-tracing, with over 1.5 million weekly downloads. The typo? Just drop the scope. NPM considers it completely acceptable to have both the @azure/core-tracing and core-tracing packages — in fact, it’s a feature of the scoping system. But forget to include the scope, and you may get a malicious package instead. Over 200 packages were targeted in this way, but have since been pulled by NPM.
The payload was strictly reconnaissance, grabbing directory listings, IP addresses, and the like. It’s likely that the information would have been used to craft more malicious future updates, though no such behavior has been observed. This is probably due to how rapidly these packages were caught and removed, after only about two days. The domain used for data collection is 425a2.rt11.ml, so that string showing up in a DNS log somewhere is an indicator that one of these packages was installed.
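A check for the scope-dropping mistake in your own dependency tree, as an added example (not NPM’s tooling and not the researchers’ code). It reads the lockfileVersion 2/3 “packages” layout of package-lock.json; the scope list and the lockfile fragment below are constructed, so substitute your organisation’s real scopes and a real lockfile.

```javascript
// Added example, not NPM's tooling or the researchers' code. It scans a
// lockfile-style dependency map for unscoped packages whose bare name equals
// the unscoped part of a package that is only legitimate under a scope, which
// is exactly the mistake this campaign relied on. The scope list and the
// lockfile below are constructed; feed it your own scopes and a real
// package-lock.json (lockfileVersion 2 or 3, "packages" section) in practice.

const KNOWN_SCOPED = [
  "@azure/core-tracing",
  "@azure/core-http",
  "@azure/identity",
];

// Map the unscoped tail ("core-tracing") to the full scoped name.
function buildScopeIndex(scopedNames) {
  const index = new Map();
  for (const full of scopedNames) {
    const m = /^@([^/]+)\/(.+)$/.exec(full);
    if (!m) throw new Error(`not a scoped package name: ${full}`);
    index.set(m[2], full);
  }
  return index;
}

// Recover the package name from a lockfile "packages" key such as
// "node_modules/foo" or "node_modules/foo/node_modules/bar".
function packageNameFromPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? null : path.slice(i + marker.length); // null: root or workspace entry
}

// Report every unscoped dependency that collides with a known scoped package.
function findScopeDrops(lock, scopedNames) {
  const index = buildScopeIndex(scopedNames);
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(path);
    if (name === null || name.startsWith("@")) continue; // not installed, or already scoped
    if (index.has(name)) {
      hits.push({ name, version: meta.version, expected: index.get(name), path });
    }
  }
  return hits;
}

// Constructed lockfile fragment: one correct scoped dependency, two scope drops
// (one of them nested under another package), and an unrelated package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@azure/core-http": { version: "2.2.4" },
    "node_modules/core-tracing": { version: "1.0.1" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/some-sdk/node_modules/identity": { version: "9.9.9" },
  },
};
```

Run against the sample, it flags core-tracing and the nested identity, and leaves @azure/core-http and left-pad alone. Nested entries matter: a transitive dependency that dropped the scope is just as dangerous as a direct one, and a scan of only the top-level package.json would miss it.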
Lapsus$ Strikes Again, Again
The loose collection of hackers known as Lapsus$ has potentially scored breaches at both Microsoft and Okta. KrebsOnSecurity has a bit more information about the group and the Microsoft case. The group seems to do some of its coordination over a Telegram channel that is open for anyone to join. The group boasted of its exploits on that channel, and Microsoft’s incident responders found and cut its access during the data exfiltration. A 10 GB archive has been released containing partial source to Bing search, Bing Maps, and Cortana.
The Okta situation is even murkier, as the released screenshots indicate access back in late January. The access seems to have been limited to an administrative portal, via a support engineer’s account. Okta has gone out of its way to assure everyone that there was no actual breach and that the rogue access was quickly dealt with. This seems a bit disingenuous, as Lapsus$ was after companies making use of Okta’s services, and didn’t need to compromise Okta’s own systems any further. Okta provides access management for other companies, like Cloudflare. There has likely been some quiet infiltration in the months since this happened.
Linux Gets More Random
[Jason Donenfeld], kernel hacker and main developer of WireGuard, has recently been working on the Linux random number generator. A few changes landed in release 5.17, and more are coming in 5.18. He was kind enough to write up some of the interesting changes for our education. He considers his most important contribution to be the documentation, and I can confirm that among the most frustrating problems a programmer can face is documentation that has bit-rotted to uselessness.
One of the biggest user-facing changes was the attempt to unify /dev/random and /dev/urandom, so that /dev/urandom would also block until the pool had been seeded. We say attempt, because the change left machines in the kernel’s test setup hanging at boot: some architectures, particularly when virtualized, have no way of generating high-quality randomness early in boot, and userspace waiting on urandom never got any. The next killer feature is the new add_vmfork_randomness() call, invoked when the kernel is notified (via the VM Generation ID device) that the virtual machine it runs in has been cloned or restored from a snapshot, so that the new generation ID is mixed into the pool and the generator reseeds. Without it, every clone would produce the same random output as its siblings until something else perturbed their pools, which is obviously a problem for anything that generates keys or nonces after the fork.
Internally, the pool mixing code retires the venerable SHA-1, replacing it with the more modern BLAKE2s hash function. A nice bonus is that BLAKE2s is deliberately fast, so the kernel gains a bit of performance when feeding and extracting randomness. The rest of the changes delve into more complicated cryptographic considerations. Definitely worth reading if you’re interested.
Western Digital NAS RCE
We’ve covered plenty of vulnerabilities and attacks in NAS boxes from QNAP and Synology, but this week it’s Western Digital getting in on the action. Thankfully it’s research from NCC Group, demonstrated at Pwn2Own 2021, and fixed in a January update. This Remote Code Execution (RCE) vulnerability is in how the NAS handles the Apple Filing Protocol (AFP), and was actually a problem in the Netatalk project, the open-source AFP server the NAS runs. AFP stores file metadata (resource forks, Finder info and the like) in a separate file, for the sake of compatibility with filesystems that have no native place for it. These files are in the AppleDouble format and take the name of their parent file, prefixed with ._. The kicker is that these files can also be reached over the Windows SMB protocol, allowing direct manipulation of the metadata file. The function that parses the metadata file does detect a malformed data structure, and logs an error to that effect, but fails to fail: it goes ahead and processes the bad data anyway.
This continue-on-error is the central flaw, but actually building an exploit required an information leak to defeat the address space layout randomization (ASLR) on the device. The first step was to get memory addresses written into the AppleDouble file, then use SMB access to read them back out. With a leaked address in hand, the full exploit was straightforward. That would be bad enough on its own, but these devices ship with a “Public” share that is world-accessible over both SMB and AFP, so no credentials are needed to reach the vulnerable code: this is a pre-auth RCE. And that demonstrates the purpose of Pwn2Own: the bug was discovered, earned the researchers a bit of money, and was fixed before the details were made public.
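The “detects, logs, then carries on” pattern is the generalisable lesson here, so as an added example (not Netatalk’s or NCC Group’s code) here is an AppleDouble header parser written both ways: the lenient version that notices a bad entry table and returns it anyway, and a fail-closed version that rejects the file. The header layout follows the AppleDouble specification; the sample files are constructed inline, and the malformed one is the sort of thing anyone with SMB write access to the ._ file can plant.

```javascript
// Added example, not Netatalk's or NCC Group's code. It parses the AppleDouble
// header (magic, version, 16 filler bytes, a 16-bit entry count, then 12-byte
// entries of id/offset/length) two ways: a "detect, log, carry on" parser of
// the kind the text describes, and a fail-closed one. Sample files are
// constructed inline.
const MAGIC = 0x00051607;
const VERSION = 0x00020000;
const HEADER_LEN = 26; // 4 magic + 4 version + 16 filler + 2 count
const ENTRY_LEN = 12;
const FINDER_INFO = 9; // AppleDouble entry id for Finder info

// Decode the entry table with no sanity checks beyond not reading off the end.
function readRawEntries(buf) {
  const count = buf.readUInt16BE(24);
  const entries = [];
  for (let i = 0; i < count; i++) {
    const at = HEADER_LEN + i * ENTRY_LEN;
    if (at + ENTRY_LEN > buf.length) break;
    entries.push({
      id: buf.readUInt32BE(at),
      offset: buf.readUInt32BE(at + 4),
      length: buf.readUInt32BE(at + 8),
    });
  }
  return entries;
}

// Every structural problem with the file, as a list of messages.
function validate(buf, entries) {
  if (buf.length < HEADER_LEN) return ["header truncated"];
  const problems = [];
  if (buf.readUInt32BE(0) !== MAGIC) problems.push("bad magic");
  if (buf.readUInt32BE(4) !== VERSION) problems.push("bad version");
  const tableEnd = HEADER_LEN + buf.readUInt16BE(24) * ENTRY_LEN;
  if (tableEnd > buf.length) problems.push("entry table truncated");
  for (const e of entries) {
    if (e.offset < tableEnd || e.offset + e.length > buf.length) {
      problems.push(`entry id ${e.id} [${e.offset}, +${e.length}) lies outside the file`);
    }
  }
  return problems;
}

// The anti-pattern: the malformation is noticed and logged, then the entries
// (bad offsets and lengths included) are handed to the caller anyway.
function parseLenient(buf, log) {
  const entries = buf.length >= HEADER_LEN ? readRawEntries(buf) : [];
  for (const p of validate(buf, entries)) log(p);
  return entries;
}

// Fail closed: the same checks, but one problem rejects the whole file.
function parseStrict(buf) {
  const entries = buf.length >= HEADER_LEN ? readRawEntries(buf) : [];
  const problems = validate(buf, entries);
  if (problems.length > 0) throw new Error(problems.join("; "));
  return entries;
}

// Build a test file: header, `entries` (count defaults to entries.length),
// then `tail` bytes of payload.
function makeFile({ entries, count = entries.length, tail = Buffer.alloc(0) }) {
  const buf = Buffer.alloc(HEADER_LEN + entries.length * ENTRY_LEN + tail.length);
  buf.writeUInt32BE(MAGIC, 0);
  buf.writeUInt32BE(VERSION, 4);
  buf.writeUInt16BE(count, 24);
  entries.forEach((e, i) => {
    const at = HEADER_LEN + i * ENTRY_LEN;
    buf.writeUInt32BE(e.id, at);
    buf.writeUInt32BE(e.offset, at + 4);
    buf.writeUInt32BE(e.length, at + 8);
  });
  tail.copy(buf, HEADER_LEN + entries.length * ENTRY_LEN);
  return buf;
}

// Well formed: one 32-byte Finder info entry directly after the table.
const GOOD = makeFile({ entries: [{ id: FINDER_INFO, offset: 38, length: 32 }], tail: Buffer.alloc(32) });
// Malformed: the entry's length runs billions of bytes past the end of the file.
const BAD = makeFile({ entries: [{ id: FINDER_INFO, offset: 38, length: 0x7fffffff }], tail: Buffer.alloc(32) });
```

With BAD, parseLenient writes one log line and still returns an entry whose length would send any later copy or read far past the buffer; parseStrict throws instead, and the caller never sees the bad entry. The log line is the tell to look for in code review: an error message that is not followed by a return, a throw, or a cleanup path.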
While the phrase “I built my own computer” might sound impressive to the uninitiated, anyone with an interest in modern computer hardware knows that there’s really not much to it: buy a case, a motherboard with a CPU, some RAM and peripherals, and you’re pretty much there. What’s way more impressive is designing a complete computer system from the ground up, as [Joshua Coleman] just did when he built the Coleman Z80.
And when we say “from the ground up”, we mean it: everything down to the system bus was hand-drawn by [Joshua] himself. It does share something with modern PCs though: a strictly modular design. There’s a Z80 CPU board, a ROM and RAM board, and even two modules that you could describe as a video card and a sound card. All of these are built on prototyping boards with a 40-pin edge connector and hooked up to a single backplane carrying the main system bus.
Designed as an experimentation platform, the Coleman Z80 has many features that enable testing and debugging, such as an adjustable clock generator and a few beautiful vintage LED displays that show the status of the main bus. Input and output are mainly through a serial link and a 16×2 LCD, but [Joshua] is already planning a keyboard interface and composite video output to give it that proper 1980s home computer vibe. The software is currently limited to a ROM monitor that enables basic I/O commands, but with 256 KB of RAM there’s plenty of potential for writing useful software.
Heat pumps are an extremely efficient way to maintain climate control in a building. Unlike traditional air conditioners, heat pumps can also run in reverse to warm a home in winter as well as cool it in summer, with up to five times the efficiency of a traditional electric resistance heater. Even with those tremendous gains, there are still ways to improve on them, as [Martin] shows us with some modifications he made to his heat pump system.
This particular heat pump is being used not for climate control but for water heating, which sees similar improvements in efficiency over a standard water heater. The problem with [Martin]’s was that even so, it was simply running much too often. After sleuthing the energy losses and trying a number of things, including a one-way valve on the hot water plumbing to prevent thermosiphoning, he eventually found that the heat pump was ramping up to its maximum temperature once per day even if the water tank was already hot. By building a custom master controller for the heat pump, which includes some timing relays, he has it run up to its maximum temperature only once per week.
While there are some concerns about Legionella bacteria if the system is not maintained properly, this modification still meets all of Australia’s stringent building code requirements. His build is more of an investigative journey into a complex piece of machinery, and his efforts net him a maximum energy usage of around 1 kWh per day, which is 50% more efficient than when it was first installed. If you’re looking to investigate heat pumps further, take a look at this DIY Arduino-controlled mini heat pump.