This Week In Security: Spandex Tempest, Supply Chain Chain, And NTP

Microsoft’s Threat Intelligence group has announced a new naming scheme for threat actors. It sounds great, naming groups after weather phenomenon, based on the groups motivations or nation of origin. Then each discreet group is given an additional adjective. That’s where things get interesting.

It seems like the adjectives were chosen at random, giving rise for some suitably impressive names, like Ghost Blizzard, Ruby Sleet, or Granite Typhoon. Some of the other names sound like they should be desserts: Caramel Tsunami, Peach Sandstorm, Aqua Blizzard, or Raspberry Typhoon. But then there the really special names, like Wine Tempest and Zigzag Hail. But the absolute winner is Spandex Tempest. No word yet on whether researchers managed to keep a straight face when approving that name.

Chrome 0-day Double

A pair of Chrome browser releases have been minted in the past week, both to address vulnerabilities that are actively being exploited. Up first was CVE-2022-2033, type confusion in the V8 JS engine. That flaw was reported by Google’s Threat Analysis Group, presumably discovered in the wild, and the fix was pushed as stable on the 14th.

Then, on th 18th, yet another released rolled out to fix CVE-2023-2136, also reported by the TAG, also being exploited in the wild. It seems likely that both of these 0-days were found in the same exploitation campaign. We look forward to hearing the details on this one. Continue reading “This Week In Security: Spandex Tempest, Supply Chain Chain, And NTP”

Ask Hackaday: Split Rail Op Amp Power Supply

Water cooler talk at the office usually centers around movies, sports, or life events. Not at Hackaday. We have the oddest conversations and, this week, we are asking for your help. It is no secret that we have a special badge each year for Supercon. Have you ever wondered where those badges come from? Sometimes we do too. We can’t tell you what the badge is going to be for Supercon 2023, but here’s a chance for you to contribute to its design.

What I can tell you is that at least part of the badge is analog. Part, too, is digital. So we were discussing a seemingly simple question: How do we best generate a bipolar power source for the op amps on a badge? Like all design requests, this one is unreasonable. We want:

  • Ideally, we’d like a circuit to give us +/- 9 V to +/- 12 V at moderately low current, say in the tens of milliamps. Actual values TBD.
  • Low noise: analog circuitry, remember?
  • Lightweight: it is going on a badge
  • Battery operated: the badge thing again
  • Cheap: we only have a couple bucks in the budget for power
  • Available in quantity: we’ll need ~600 of these

Continue reading “Ask Hackaday: Split Rail Op Amp Power Supply”

Last Chance To Re-engineer Education For The 2023 Hackaday Prize

The first round of the 2023 Hackaday Prize closes next Tuesday, March April 25th. If you’ve got an educational project – whether that’s a robot technique you just need to share, or an instructional radio build – you’ve got this weekend left to get your project into shape, whip up a Hackaday.io page in support, and enter. The top 10 projects get a $500 prize award, and a chance to win the big prizes in the final round. You want to get your project in now.

We’ve already seen some great entries into this first round of the Prize. Ranging from a trainer robot for First Robotics teams, through a complete learn-electronics kit on a PCB, building radios in High Schools, and all the way to an LED-and-lightpipe map to help teachers and students with their geography lessons, we’ve got a broad range of educational projects so far.

But there is still room for your project! And with the deadline closing in, your best bet at the $500 prize money relies on you burning a bit of the midnight oil this weekend, but Hackaday glory awaits those who do.

Linux Fu: Reading Your Memory’s Memory

Linux users have a lot of software to be proud of. However, there is the occasional Windows program that does something you’d really like to do and it just won’t run. This is especially true of low-level system programs. If you want to poke around your CPU and memory, for example, there are tons of programs for that under Windows. There are a few for Linux, but they aren’t always as complete or handy. Recently, I had half the memory in my main desktop fail and I wanted to poke around in the system. In particular, I wanted to read the information encoded in the memory chips configuration EEPROM. Should be easy, right? You’d think.

Not Really Easy

One nice tool a lot of Windows users have is CPU-Z. Of course, it doesn’t run on Linux, but there is a really nice imitator called CPU-X. You can probably install it from your repositories. However, the GitHub page is a nice stop if for no other reason than to enjoy the user name [TheTumultuousUnicornOfDarkness]. The program has a gtk or an ncurses interface. You don’t need to run it as root, but if you press the “start daemon” button and authenticate, you can see some extra information, including a tab for memory.

Continue reading “Linux Fu: Reading Your Memory’s Memory”

New Renewable Energy Projects Are Overwhelming US Grids

It’s been clear for a long time that the world has to move away from fossil energy sources. Decades ago, this seemed impractical, when renewable energy was hugely expensive, and we were yet to see much impact on the ground from climate change. Meanwhile, prices for solar and wind installations have come down immensely, which helps a lot.

However, there’s a new problem. Power grids across the US simply can’t keep up with the rapid pace of new renewable installations. It’s a frustrating issue, but not an insurmountable one.

Continue reading “New Renewable Energy Projects Are Overwhelming US Grids”

Hackaday Links Column Banner

Hackaday Links: April 16, 2023

The dystopian future you’ve been expecting is here now, at least if you live in New York City, which unveiled a trio of technology solutions to the city’s crime woes this week. Surprisingly, the least terrifying one is “DigiDog,” which seems to be more or less an off-the-shelf Spot robot from Boston Dynamics. DigiDog’s job is to de-escalate hostage negotiation situations, and unarmed though it may be, we suspect that the mission will fail spectacularly if either the hostage or hostage-taker has seen Black Mirror. Also likely to terrify the public is the totally-not-a-Dalek-looking K5 Autonomous Security Robot, which is apparently already wandering around Times Square using AI and other buzzwords to snitch on people. And finally, there’s StarChase, which is based on an AR-15 lower receiver and shoots GPS trackers that stick to cars so they can be tracked remotely. We’re not sure about that last one either; besides the fact that it looks like a grenade launcher, the GPS tracker isn’t exactly covert. Plus it’s only attached with adhesive, so it seems easy enough to pop it off the target vehicle and throw it in a sewer, or even attach it to another car.

Continue reading “Hackaday Links: April 16, 2023”

Sufficiently Advanced Tech: Has Bugs

Arthur C. Clarke said that “Any sufficiently advanced technology is indistinguishable from magic”. He was a sci-fi writer, though, and not a security guy. Maybe it should read “Any sufficiently advanced tech has security flaws”. Because this is the story of breaking into a car through its headlight.

In a marvelous writeup, half-story, half CAN-bus masterclass, [Ken Tindell] details how car thieves pried off the front headlight of a friend’s Toyota, and managed to steal it just by saying the right things into the network. Since the headlight is on the same network as the door locks, pulling out the bulb and sending the “open the door” message repeatedly, along with a lot of other commands to essentially jam some other security features, can pull it off.

Half of you are asking what this has to do with Arthur C. Clarke, and the other half are probably asking what a lightbulb is doing on a car’s data network. In principle, it’s a great idea to have all of the electronics in a car be smart electronics, reporting their status back to the central computer. It’s how we know when our lights are out, or what our tire pressure is, from the driver’s seat. But adding features adds attack surfaces. What seems like magic to the driver looks like a gold mine to the attacker, or to car thieves.

With automotive CAN, security was kind of a second thought, and I don’t mean this uncharitably. The first goal was making sure that the system worked across all auto manufacturers and parts suppliers, and that’s tricky enough. Security would have to come second. And more modern cars have their CAN networks encrypted now, adding layers of magic on top of magic.

But I’m nearly certain that, when deciding to replace the simple current-sensing test of whether a bulb was burnt out, the engineers probably didn’t have the full cost of moving the bulb onto the CAN bus in mind. They certainly had dreams of simplifying the wiring harness, and of bringing the lowly headlight into the modern age, but I’d bet they had no idea that folks were going to use the headlight port to open the doors. Sufficiently advanced tech.