computer hacks

1328 Articles

computer hacks

Connecting New York City To The Backbone: Meet NYC’s Mesh Network

June 30, 2019 by 25 Comments

Access to fast and affordable internet is a big issue in the USA, even in a major metropolis such as New York City. Amidst a cartel of ISPs who simply will not deliver, a group of NYC inhabitants first took it upon themselves to ease this situation by setting up their own mesh-based internet connections way back in 2013. Now they will be installing a new Supernode to take the installation base far beyond the current 300 buildings serviced.

As a community project, NYC Mesh is run as a non-profit organization, with its community members supporting the effort through donations, along with partnerships with businesses. Its router hardware consists out of off-the-shelf equipment (with a focus on the Ubiquiti NanoStation NSM5) that get flashed with custom firmware containing the mesh routing functionality.

As this article by Vice mentions, NYC Mesh is one of 750 community-led broadband projects in the US. Many of those use more traditional fixed wiring with distribution lines, but NYC Mesh focuses fully on wireless (WiFi) links with wireless mesh networking. This has the obvious benefit that given enough bandwidth on the Supernodes that hook into the Internet exchange points (IXP) and an efficient mesh routing protocol, it’s quick and easy to hook up new clients and expand the network.

The obvious downsides of using WiFi and RF in general is that they are not immune to outside influences, such as weather (rain), RF interference (including from other WiFi stations) and of course fairly limited range if there’s no direct line of sight. In a densely populated city such as NYC this is not much of an issue, with short hops between roof tops.

This Week In Security: Invalid Curve Attacks, OpenSSH Shielded, And More Details On Coinbase

June 28, 2019 by 19 Comments

AMD Epyc processors support Secure Encrypted Virtualization (SEV), a technique that prevents even a hypervisor reading memory belonging to a virtual machine. To pull this off, the encryption and decryption is handled on the fly by the Platform Security Processor (PSP), which is an ARM core that handles processor start-up and many security features of modern AMD processors. The vulnerability announced this week is related to the encryption scheme used. The full vulnerability is math heavy, and really grokking it requires a deeper understanding of elliptical curve cryptography (ECC) than your humble author currently possesses.

During the process of starting a virtual machine, the VM process goes through a key-sharing process with the PSP, using an ECC Diffie-Hellman key exchange. Rather than raising prime numbers to prime exponents, an ECC-DH process bounces around inside an elliptical curve in order to find a shared secret. One of the harder problems to solve when designing an ECC based cryptographic system, is the design of the curve itself. One solution to this problem is to use a published curve that is known to be good. AMD has taken this route in their SEV feature.

The attack is to prime the key exchange with invalid data, and observing the shared key that is generated. A suitably simple initial value will leak information about the PSP’s secret key, allowing an attacker to eventually deduce that key and decrypt the protected memory. If you’d like to bone up on invalid curve attacks, here’s the seminal paper. (PDF)

OpenSSH Shielding

[Damien Miller] of OpenSSH was apparently tired of seeing that project tied to vulnerabilities like Rambleed and Rowhammer, so added a technique he’s calling key-shielding. OpenSSH now encrypts private keys in memory using a 16 kB pre-key. While an attacker with full knowledge of the process’s memory wouldn’t be deterred, the error rate of Rambleed and similar attacks is high enough that the 16 kB of randomness is likely to thwart the attempt to recover the secret key.

Firefox and Coinbase

We mentioned Firefox vulnerabilities and updates last week, and as anticipated, more information is available. [Philip Martin] from Coinbase shared more information on Twitter. Coinbase employees, as well as other cryptocurrency companies, were targeted with fishing emails. These lured employees to a malicious page that attempted to exploit a pair of Firefox vulnerabilities. Coinbase has a security system in place that was able to prevent the exploit, and their security team was able to reverse engineer the attack.

The first vulnerability has been dissected in some detail by a Google security researcher. It’s a weakness in Firefox’s Javascript engine related to type handling. An object is created with one data type, and when that data is changed to another type, not all the data handlers are appropriately updated. Under the hood, a value is assumed to be a pointer, but is actually a double-length value, controlled by the attacker.

The second vulnerability is in the functions used to prompt for user interaction. Specifically the call to “Prompt:Open” isn’t properly validated, and can result in the un-sandboxed Firefox process loading an arbitrary web location. I suspect the sandbox escape is used to run the initial exploit a second time, but this time it’s running outside the sandbox.

Odds and Ends

[Tom] wrote a great intro into how to Impersonate The President With Consumer-Grade SDR, go check it out!

Another city, more ransomware. Riviera Beach, Florida was hit with a ransomware attack, and paid $600,000 in an attempt to get their data back. For a city of 35,000 inhabitants, that’s $17.14 in ransom per man, woman, and child. According to the linked article, though, the city was insured.

How Do You Get PCI-E On The Atomic Pi? Very Carefully.

June 26, 2019 by 18 Comments

At this point, you’ve almost certainly heard about the Atomic Pi. The diminutive board that once served as the guts of a failed robot now lives on as a powerful x86 SBC available at a fire sale price. How long you’ll be able to buy them and what happens when the initial stock runs out is another story entirely, but there’s no denying that folks are already out there doing interesting things with them.

One of them is [Jason Gin], who recently completed an epic quest to add a PCI Express (PCI-E) slot to his Atomic Pi. Things didn’t exactly go according to plan and the story arguably has more lows than highs, but in the end he emerged victorious. He doesn’t necessarily recommend you try the same modification on your own Atomic Pi, but he does think this sets the stage for the development of a more refined upgrade down the line.

[Jason] explains that the board’s Ethernet controller was already communicating with the Intel Atom x5-Z8350 SoC over PCI-E, so there was never a question about whether or not the modification was possible. In theory, all you needed to do was disable the Ethernet controller and tack on an external PCI-E socket so you could plug in whatever you want. The trick is pulling off the extremely fine-pitch soldering such a modification required, especially considering how picky the PCI Express standard is.

In practice, it took several attempts with different types of wire before [Jason] was able to get the Atomic Pi to actually recognize something plugged into it. Along the way, he managed to destroy the Ethernet controller somehow, but that wasn’t such a great loss as he planned on disabling it anyway. The final winning combination was 40 gauge magnet wire going between the PCB and a thin SATA cable that is mechanically secured to the board with a piece of metal to keep anything from flexing.

At this point, [Jason] has tested enough external devices connected to his hacked-on port to know the modification has promise. But the way he’s gone about it is obviously a bit temperamental, and far too difficult for most people to accomplish on their own anyway. He’s thinking the way forward might be with a custom PCB that could be aligned over the Ethernet controller and soldered into place, though admits such a project is currently above his comfort level. Any readers interested in a collaboration?

Like most of you, we had high hopes for the Atomic Pi when we first heard about it. But since it became clear the board is the product of another company’s liquidation, there’s been some understandable trepidation in the community. Nobody knows for sure what the future looks like for the Atomic Pi, but that’s clearly not stopping hackers from diving in.

A TTL CPU, Minimising Its Chip Count

June 23, 2019 by 19 Comments

By now we should all be used to the astonishing variety of CPUs that have come our way created from discrete logic chips. We’ve seen everything from the familiar Von Neumann architectures to RISC and ever transport-triggered architecture done in 74 TTL derivatives, and fresh designs remain a popular project for many people with an interest in the inner workings of a computer.

[Warren Toomey]’s CSCvon8 is an interesting machine that implements an 8-bit computer with a 64-bit address space using only 17 chips, and without resorting to any tricks involving microcontrollers. It implements a fairly conventional Von Neumann architecture using TTL with a couple of tricks that use modern chips but could have been done in the same way in decades past. Instruction microcode is stored in an EEPROM, and the ALU is implemented in a very large EPROM that would probably once have been eye-wateringly expensive. This in particular removes many discrete TTL chips from the total count, in the absence of the classic 74181 single-chip part. To make it useful there is 32k each of RAM and EEPROM, and also a UART for serial access. The whole is brought together on a neat PCB, and there is a pile of demo code to get started with. Everything can be found in the project’s GitHub repository.

At the start of this article we mentioned a couple of unconventional TTL CPUs. The transport triggered one we featured in 2017, and the RISC one is the Gigatron which has appeared here more than once.

This Week In Security: SACK Of Death, Rambleed, HIBP For Sale, And Oracle Weblogic — Again!

June 21, 2019 by 13 Comments

Netflix isn’t the first name to come to mind when considering security research firms, but they make heavy use of FreeBSD in their content delivery system and do security research as a result. Their first security bulletin of the year, not surprisingly, covers a FreeBSD vulnerability that happens to also affect Linux kernels from the last 10 years. This vulnerability uses SACKs and odd MSS values to crash a server kernel.

To understand Selective ACKs, we need to step back and look at how TCP connections work. TCP connections provide guaranteed delivery, implemented in the from of ACKnowledgement (ACK) packets. We think of a TCP connection as having a dedicated ACK packet for every data packet. In reality, the Operating System makes great effort to avoid sending “naked” ACK packets, and combines multiple ACKs in a single packet. An ACK is simply a flag in a packet header combined with a running total of bytes received, and can be included in a normal data packet. As much as is possible, the ACK for data received is sent along with data packets flowing in the opposite direction. Continue reading “This Week In Security: SACK Of Death, Rambleed, HIBP For Sale, And Oracle Weblogic — Again!”

Open Source Headset With Inside-Out Tracking, Video Passthrough

June 15, 2019 by 4 Comments

The folks behind the Atmos Extended Reality (XR) headset want to provide improved accessibility with an open ecosystem, and they aim to do it with a WebVR-capable headset design that is self-contained, 3D-printable, and open-sourced. Their immediate goal is to release a development kit, then refine the design for a wider release.

An early prototype of the open source Atmos Extended Reality headset.

The front of the headset has a camera-based tracking board to provide all the modern goodies like inside-out head and hand tracking as well as the ability to pass through video. The design also provides for a variety of interface methods such as eye tracking and 6 DoF controllers.

With all that, the headset gives users maximum flexibility to experiment with and create different applications while working to keep development simple. A short video showing off the modular design of the HMD and optical assembly is embedded below.

Extended Reality (XR) has emerged as a catch-all term to cover broad combinations of real and virtual elements. On one end of the spectrum are completely virtual elements such as in virtual reality (VR), and towards the other end of the spectrum are things like augmented reality (AR) in which virtual elements are integrated with real ones in varying ratios. With the ability to sense the real world and pass through video from the cameras, developers can choose to integrate as much or as little as they wish.

Terms like XR are a sign that the whole scene is still rapidly changing and it’s fascinating to see how development in this area is still within reach of small developers and individual hackers. The Atmos DK 1 developer kit aims to be released sometime in July, so anyone interested in getting in on the ground floor should read up on how to get involved with the project, which currently points people to their Twitter account (@atmosxr) and invites developers to their Discord server. You can also follow along on their newly published Hackaday.io page.

Continue reading “Open Source Headset With Inside-Out Tracking, Video Passthrough”

This Week In Security: Use Emacs, Crash A Windows Server, And A Cryptocurrency Heist

June 14, 2019 by 5 Comments

It looks like Al was right, we should all be using Emacs. On the 4th of June, [Armin Razmjou] announced a flaw in Vim that allowed a malicious text file to trigger arbitrary code execution. It’s not every day we come across a malicious text file, and the proof of concept makes use of a clever technique — escape sequences hide the actual payload. Printing the file with cat returns “Nothing here.” Cat has a “-v” flag, and that flag spills the secrets of our malicious text file. For simplicity, we’ll look at the PoC that doesn’t include the control characters. The vulnerability is Vim’s modeline function. This is the ability to include editor options in a text file. If a text file only works with 80 character columns, a modeline might set “textwidth=80”. Modeline already makes use of a sandbox to prevent the most obvious exploits, but [Armin] realized that the “:source!” command could run the contents of a file outside that sandbox. “:source! %” runs the contents of the current file — the malicious text file.

:!uname -a||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt="

Taking this apart one element at a time, the “:!” is the normal mode command to run something in the shell, so the rest of the line is what gets run. “uname -a” is the arbitrary command, benign in this case. Up next is the OR operator, “||” which fully evaluates the first term first, and only evaluates what comes after the operator if the first term returns false. In this case, it’s a simple way to get the payload to run even though the rest of the line is garbage, as far as bash is concerned. “vi:” informs Vim that we have a modeline string. “:fen” enables folding, and “:fdm=expr” sets the folding method to use an expression. This feature is usually used to automatically hide lines matching a regular expression. “:fde=” is the command to set the folding expression. Here’s the exploit, the folding expression can be a function like “execute()” or “assert_fails()”, which allows calling the :source! command. This pops execution out of the sandbox, and begins executing the text file inside vim, just as if a user were typing it in from the keyboard. Continue reading “This Week In Security: Use Emacs, Crash A Windows Server, And A Cryptocurrency Heist”