This Week In Security: Somebody’s Watching, Microsoft + Linux, DDoS

In case you needed yet another example of why your IoT devices shouldn’t be exposed to the internet, a large swath of Hikvision IP cameras has a serious RCE vulnerability. CVE-2021-36260 was discovered by the UK firm Watchful_IP. In Hikvision’s disclosure, they refer to the problem as a command injection vulnerability in the device’s web interface. The vuln is pre-authentication and requires no user interaction. This could be something as simple as a language chooser that doesn’t sanitize its input on the back-end before handing it to a shell, so that a backtick or a semicolon is enough to run an arbitrary command.
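The language-chooser guess above is the classic shape of a web-interface command injection, so here is an added example of that pattern beside two fixes. It is not Hikvision’s code and nothing about the real bug is known from the page; the “setlang” helper is replaced by a shell `echo` so it runs anywhere, and the language-tag allowlist is an assumption.

```python
import re
import subprocess

# Stand-in for the camera's language-setting helper. The real firmware is not on
# the page, so a shell "echo" is used here; "INJECTED" appearing on its own line
# proves that a second command ran.
SET_LANG_CMD = "echo setting language to"

# Assumed allowlist of what a legitimate language tag looks like: "en", "en-US", "zh-CN".
LANG_TAG = re.compile(r"[a-z]{2,3}(-[A-Z]{2})?")


def set_language_vulnerable(lang: str) -> str:
    """The bug pattern: untrusted input interpolated into a shell command line."""
    cmd = f"{SET_LANG_CMD} {lang}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def set_language_no_shell(lang: str) -> str:
    """First fix: pass argv directly. The hostile string becomes one literal
    argument, so ';', backticks and $(...) are never interpreted."""
    argv = [*SET_LANG_CMD.split(), lang]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def set_language_safe(lang: str) -> str:
    """Defence in depth: reject anything that is not a plausible language tag,
    then still keep the shell out of the picture."""
    if not LANG_TAG.fullmatch(lang):
        raise ValueError(f"rejected language tag: {lang!r}")
    return set_language_no_shell(lang)


if __name__ == "__main__":
    hostile = "en; echo INJECTED"          # constructed attacker input
    print("vulnerable:", repr(set_language_vulnerable(hostile)))
    print("no shell:  ", repr(set_language_no_shell(hostile)))
    try:
        set_language_safe(hostile)
    except ValueError as err:
        print("safe:      ", err)
```

The vulnerable path prints two lines, the second being the attacker’s command output; the argv path prints one line with the semicolon treated as plain text. The allowlist on top is what keeps a future change (say, someone reintroducing a shell call) from turning back into an RCE.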

Now you’re probably thinking, “I don’t use Hikvision cameras.” The sneaky truth is that a bunch of cameras with different brand names are actually Hikvision hardware, with their firmware based on the Hikvision SDK. The outstanding question is whether this particular vulnerability is present in any of the relabeled cameras; since the exact bug has yet to be disclosed, it’s hard to know for sure. But if we were betting… Continue reading “This Week In Security: Somebody’s Watching, Microsoft + Linux, DDoS”

Spooky Coffin Bell Spooks Passers By On Halloween

Being buried alive isn’t fun, we imagine. Fear of it led to the development of various safety coffin ideas in the 18th and 19th centuries, and [Glen Akins]’ wonderful Halloween prop riffs on that tradition today.

The safety coffin was a simple solution for those afraid that this might happen to them. One concept had a bell which was installed above freshly dug graves with a string extending into the coffin. One who found themselves accidentally buried alive could then pull the string to ring the bell and summon help.

[Glen’s] installation eliminates the coffin and the dead body, and simply mounts a bell on a post. Inside, there’s an ultrasonic rangefinder that detects passers-by. When someone walks close enough to the prop, a microcontroller triggers a servo which rings the bell with a haunting urgency.

It’s a simple build, but appropriately installed with its LED lighting, it really does pop. It would be a wonderful way to add atmosphere and mood to a Hallowe’en party or haunted house. We’ve seen some great Hallowe’en hacks over the years, and some of the best are pumpkins. Video after the break.

Continue reading “Spooky Coffin Bell Spooks Passers By On Halloween”

Farewell Sir Clive Sinclair; Inspired A Generation Of Engineers

It is with sadness that we note the passing of the British writer, engineer, home computer pioneer, and entrepreneur, Sir Clive Sinclair, who died this morning at the age of 81 after a long illness. He is perhaps best known among Hackaday readers for his ZX series of home computers from the 1980s, but over a lifetime in the technology industry there are few corners of consumer electronics that he did not touch in some way.

Sinclair’s first career in the 1950s was as a technical journalist and writer, before founding the electronics company Sinclair Radionics in the 1960s. His output in those early years was a mixture of miniature transistor radios and Hi-Fi components, setting the tone for decades of further tiny devices including an early LED digital watch at the beginning of the 1970s, miniature CRT TVs in the ’70s and ’80s, and another tiny in-ear FM radio which went on sale in the ’90s.

Continue reading “Farewell Sir Clive Sinclair; Inspired A Generation Of Engineers”


Flip-Top Foundry Helps Manage The Danger Of Metal Casting

Melting aluminum is actually pretty easy to do, which is why it’s such a popular metal for beginners at metal casting. Building a foundry that can melt aluminum safely is another matter entirely, and one that benefits from some of the thoughtful touches that [Andy] built into his new propane-powered furnace. (Video, embedded below.)

The concern for safety is not at all undue, for while aluminum melts at a temperature that’s reasonable for the home shop, it’s still a liquid metal that will find a way to hurt you if you give it half a chance. [Andy]’s design minimizes this risk primarily through the hands-off design of its lid. While most furnaces have a lid that requires the user to put his or her hands close to the raging inferno inside, or that dangerously changes the center of mass of the whole thing as it opens, this one has a fantastic pedal-operated lid that both lifts and twists. Leaving both hands free to handle tongs is a nice benefit of the design, too.

The furnace follows a lot of the design cues we’ve seen before, starting as it does with an empty party balloon helium tank. The lining is a hybrid of ceramic blanket material and refractory cement; another nice safety feature is the drain channel cast into the floor of the furnace in case of a cracked crucible. The furnace is also quite large, at least compared to [Andy]’s previous DIY unit, and has a sturdy base that aids stability — another plus in the safety column.

Every time we see a new furnace design, we get the itch to start getting into metal casting. And with the barrier to entry as low as a KFC bucket or an old fire extinguisher, why not give it a try? Although it certainly pays to know what can go wrong before diving in.

Continue reading “Flip-Top Foundry Helps Manage The Danger Of Metal Casting”

The Dark Side Of Package Repositories: Ownership Drama And Malware

At their core, package repositories sound like a dream: with a simple command one gains access to countless pieces of software, libraries and more to make using an operating system or developing software a snap. Yet the rather obvious flip side to this is that someone has to maintain all of these packages, and those who make use of the repository have to trust that whatever their package manager fetches from it is what they intended to obtain.

How ownership of a package in such a repository is managed depends on the specific software repository, with the especially well-known JavaScript repository NPM having suffered regular PR disasters on account of it playing fast and loose with package ownership. Quite recently an auto-transfer of ownership feature of NPM was quietly taken out back and erased after Andrew Sampson had a run-in with it painfully backfiring.

In short, how can anyone tell when a package is truly ‘abandoned’, how can a repository guarantee that a package is free from malware, and how does one begin to insure against a package being pulled and half the internet collapsing along with it?

Continue reading “The Dark Side Of Package Repositories: Ownership Drama And Malware”

This Week In Security: Ransomware Decryption, OpenSSL, And USBGadget Spoofing

We’ve covered a lot of ransomware here, but we haven’t spent a lot of time looking at the decryptor tools available to victims. When ransomware gangs give up, or change names, some of them release a decryption tool for victims who haven’t paid. It’s not really a good idea to run one of those decryptors, though. The publishers don’t have a great track record for taking care of your data, after all. When a decryptor does get released, and is verified to work, security researchers will reverse engineer the tool, and release a known-good decryption program.

The good folks at No More Ransom are leading the charge, building such tools, and hosting a collection of them. They also offer Crypto Sheriff, a tool to identify which ransomware strain got your files. Upload a couple of encrypted files, and it will inform you exactly what you’re dealing with, and whether there is a decryptor available. The site is a collaboration between the Dutch police, Europol, Kaspersky, and McAfee. It may surprise you to know that they recommend reporting every ransomware case to the authorities. I can confirm that at the very least, the FBI in the US are very interested in keeping track of the various ransomware attacks — I’ve fielded a surprise call from an agent following up on an infection.

OpenSSL

The OpenSSL project has fixed a pair of vulnerabilities, CVE-2021-3711 and CVE-2021-3712, with release 1.1.1l. The first, in the SM2 decryption code, is a possible buffer overflow caused by a naive length calculation: a header that the size-estimating pass treats as fixed-length is actually variable, so carefully crafted input yields more plaintext than the allocated buffer can hold. Continue reading “This Week In Security: Ransomware Decryption, OpenSSL, And USBGadget Spoofing”
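The “fixed header that is really variable” mistake is easier to see in a small model than in the OpenSSL source, so here is an added example of that pattern. It is not OpenSSL’s code: the wrapper format (a DER OCTET STRING carrying the plaintext), the two-pass size-then-fill API and the assumed four-byte header are all constructed for this illustration, and “unwrap” stands in for the decryption step, since the bug lives in the sizing, not the cryptography.

```python
# Toy wrapper assumed for this example: a DER OCTET STRING whose payload is the
# recovered plaintext. The modelled bug is in the sizing pass, so "unwrap"
# stands in for decryption.


def der_len(n: int) -> bytes:
    """DER length: one byte below 128, otherwise 0x80|count followed by count big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def wrap(plaintext: bytes) -> bytes:
    """Produce an input whose header length depends on the payload length."""
    return b"\x04" + der_len(len(plaintext)) + plaintext


def parse_octet_string(buf: bytes) -> bytes:
    """Parse tag and length exactly; the payload is whatever the header says it is."""
    if len(buf) < 2 or buf[0] != 0x04:
        raise ValueError("not an OCTET STRING")
    first = buf[1]
    if first < 0x80:
        hdr, n = 2, first
    else:
        count = first & 0x7F
        n = int.from_bytes(buf[2:2 + count], "big")
        hdr = 2 + count
    if len(buf) != hdr + n:
        raise ValueError("length does not match input")
    return buf[hdr:]


# What the naive sizing pass assumes: tag + 0x82 + two length bytes, always.
ASSUMED_HEADER = 4


def naive_output_size(ct: bytes) -> int:
    """The 'fixed header' mistake: a subtraction where a parse was needed."""
    return len(ct) - ASSUMED_HEADER


def unwrap_with_naive_sizing(ct: bytes) -> bytes:
    """Two-pass pattern: size the buffer first, then fill it. The fill pass
    writes what the header really says, so a shorter-than-assumed header means
    more payload than was allocated. A bytearray slice would silently grow, so
    the bound is checked explicitly to model a fixed C buffer."""
    out = bytearray(naive_output_size(ct))
    pt = parse_octet_string(ct)
    if len(pt) > len(out):
        raise OverflowError(f"{len(pt) - len(out)} byte(s) past the allocated buffer")
    out[: len(pt)] = pt
    return bytes(out[: len(pt)])


def unwrap_with_exact_sizing(ct: bytes) -> bytes:
    """Fix: derive the size from the parsed header, never from an assumed one."""
    pt = parse_octet_string(ct)
    out = bytearray(len(pt))
    out[:] = pt
    return bytes(out)


def overflow_amount(ct: bytes) -> int:
    """Bytes the naive pass under-allocates for this input (0 when the guess happens to be right)."""
    return max(0, len(parse_octet_string(ct)) - naive_output_size(ct))


if __name__ == "__main__":
    for payload in (b"A" * 300, b"B" * 200, b"C" * 100):   # constructed inputs
        ct = wrap(payload)
        print(f"payload {len(payload):3d}, header {len(ct) - len(payload)} bytes,"
              f" under-allocated by {overflow_amount(ct)}")
```

A 300-byte payload needs the long two-byte length the naive pass assumed, so it fits; 200 bytes uses a one-byte long form and 100 bytes the short form, and each byte the real header is shorter than the guess is a byte written past the end. The fix is the boring one: the size-estimating call must parse the same structure the fill call does.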

The Postmortem Password Problem

Death and passwords: two things we just can’t avoid. With so much of our lives tied up in cloud services nowadays, there’s good reason to worry about what happens to these accounts if we drop dead tomorrow. For many of us, important documents, photos, financial information and other data will be locked behind a login prompt. Your payment methods will also expire shortly after you have, which could lead to data loss if not handled promptly. The most obvious way to address this is to give a trusted party access in case of emergency.

A Bad Solution

Let’s start with the simplest solution: using the same password everywhere.  Great, all you need to do is put this on a Post-it note, stuff it in an envelope, and let someone know where to find it. Unfortunately, using a single password for many services is a terrible idea. Password breaches happen, and if you’re using a single password across the internet, they can be disastrous.

Password breaches are usually the result of an attacker finding a vulnerability that allows reading password data from an application’s database. Odds are high that your information has been leaked in one of these breaches. You can check if your email is on a list of known breaches with Have I Been Pwned. Don’t feel bad if you’ve been pwned, my email shows up on six different breaches, and this service only indexes publicly known breaches!

Depending on the competency of the company that was breached, your password may have been stolen in a few different formats. In the worst case, the passwords were stored as-is (i.e., cleartext), and the breach contains your actual password. Nowadays, storing passwords in cleartext is never considered acceptable. A hash of the password is stored instead, ideally a salted and deliberately slow one such as bcrypt, scrypt or Argon2. Attackers then need a tool like hashcat to recover the passwords by brute-force hash cracking. That is slow for complex passwords behind a slow hash, but an unsalted fast hash such as MD5 or SHA-1 falls to a dictionary in seconds, and everything gets faster as GPUs improve.
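To make the hashing and the password-reuse arguments concrete, here is an added example, not from the original article, contrasting an unsalted fast hash with a salted scrypt hash and running a small dictionary attack against each. The wordlist and the “hunter2” reused password are constructed; the storage format (`scrypt$salt$hash`) and the scrypt parameters are assumptions for the illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Set

# Constructed stand-in for a cracking dictionary.
WORDLIST = ["password", "letmein", "qwerty", "hunter2", "correct horse battery staple"]

# Assumed work factor: 16 MiB per guess with n=2**14, r=8.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)


def store_unsalted_sha256(password: str) -> str:
    """What a careless site does: one fast hash, no salt."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_salted_scrypt(password: str, salt: Optional[bytes] = None) -> str:
    """What a competent site does: a random per-user salt and a memory-hard KDF."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${dk.hex()}"


def verify_scrypt(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_unsalted_batch(targets: Set[str], wordlist: List[str]) -> Dict[str, str]:
    """Unsalted hashes crack in one pass: hash each word once, then look every
    stolen hash up in the table. Cost does not grow with the number of accounts."""
    table = {store_unsalted_sha256(w): w for w in wordlist}
    return {h: table[h] for h in targets if h in table}


def crack_scrypt(stored: str, wordlist: List[str]) -> Optional[str]:
    """Salted slow hashes must be attacked one account at a time, one slow KDF per guess."""
    for w in wordlist:
        if verify_scrypt(w, stored):
            return w
    return None


if __name__ == "__main__":
    # The same password reused at two sites: identical unsalted hashes reveal the
    # reuse at a glance, and a single table lookup opens both accounts.
    bank = store_unsalted_sha256("hunter2")
    tumblr = store_unsalted_sha256("hunter2")
    print("reuse visible in the dump:", bank == tumblr)
    print("cracked in one pass:", crack_unsalted_batch({bank, tumblr}, WORDLIST))
    salted = store_salted_scrypt("hunter2")
    print("salted copies differ:", salted != store_salted_scrypt("hunter2"))
    print("scrypt dictionary hit:", crack_scrypt(salted, WORDLIST))
```

The salt does not stop a weak password from being guessed (the scrypt attack still finds “hunter2”), but it forces the attacker to pay the full KDF cost per guess per account instead of once per wordlist entry, and it hides which users share a password. A unique, random password per site is what removes the dictionary hit entirely.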

So we really need to use different passwords everywhere, or our Tumblr account from 2013 could give access to our bank account. Given the large number of services we use and our inability to remember passwords, we’re going to need to use a password manager. Continue reading “The Postmortem Password Problem”