This Week In Security: Zimbra, Lockbit 2, And Hacking NK

Unknown attackers have been exploiting a 0-day vulnerability in the Zimbra e-mail suite. Researchers at Volexity first discovered the attack back in December of last year, when it was detected by their monitoring infrastructure. It’s a cross-site scripting (XSS) exploit: when a logged-in Zimbra user opens a malicious link, the JavaScript running on the malicious page can access that user’s Zimbra session. The attack campaign uses this exploit to grab emails and attachments and upload them to the attackers. Researchers haven’t been able to positively identify what group is behind the attacks, but a bit of circumstantial evidence points to a Chinese group. That evidence? Time zones. The attackers’ requests all use the Asia/Hong_Kong time zone, and the timing of all the phishing emails sent lines up nicely with a work day in that time zone.

Zimbra has responded, confirming the vulnerability and publishing a hotfix for it. The campaign seems to have been targeted specifically against European governments, and various media outlets. If you’re running a Zimbra instance, make sure you’re running at least 8.8.15.1643980846.p30-1.

LockBit 2.0

Because security professionals needed something else to keep us occupied, the LockBit ransomware campaign is back for round two. This is another ransomware campaign run in the as-a-Service pattern — RaaS. LockBit 2 has caught enough attention that the FBI has published a FLASH message (PDF) about it. That’s the FBI Liaison Alert System, in the running for the worst acronym. (Help them figure out what the “H” stands for in the comments below!)

Like many other ransomware campaigns, LockBit has a list of language codes that trigger a bail on execution — the Eastern European languages you would expect. Ransomware operators have long tried not to poison their own wells by hitting targets in their own back yards. This one is being reported as also having a Linux module, but it appears to be limited to VMware ESXi virtual machines. A series of IoCs has been published, and the FBI is requesting that any logs, ransom notes, or other evidence possibly related to this campaign be sent to them if possible.

Sergiy Nesterenko giving his Remoticon 2021 talk

Remoticon 2021 // Sergiy Nesterenko Keeps Hardware Running Through Lightning And Cosmic Rays

Getting to space is hard enough. You have to go up a few hundred miles, then go sideways really fast to enter orbit. But getting something into space is one thing: keeping a delicate instrument working as it travels there is quite another. In his talk at Remoticon 2021, [Sergiy Nesterenko], former Radiation Effects Engineer at SpaceX, walks us through all the things that can destroy your sensitive electronics on the way up.

The trouble already starts way before liftoff. Due to an accident of geography, several launch sites are located in areas prone to severe thunderstorms: not the ideal location to put a 300-foot long metal tube upright and leave it standing for a day. Other hazards near the launch pad include wayward wildlife and salty spray from the ocean.

Those dangers are gone once you’re in space, but then suddenly heat becomes a problem: if your spacecraft is sitting in full sunlight, it will quickly heat up to 135 °C, while the parts in the shade cool off to -150 °C. A simple solution is to spin your craft along its axis to ensure an even heat load on all sides, similar to the way you rotate sausages on your barbecue.

But one of the most challenging problems facing electronics in space is radiation. [Sergiy] explains in detail the various types of radiation that a spacecraft might encounter: charged particles in the Van Allen belts, cosmic rays once you get away from Low Earth orbit, and a variety of ionized junk ejected from the Sun every now and then. The easiest way to reduce the radiation load on your electronics is simply to stay near Earth and take cover within its magnetic field.

For interplanetary spacecraft there’s no escaping the onslaught, and the only way to survive is to make your electronics “rad-hard”. Shielding is generally not an option because of weight constraints, so engineers make use of components that have been tested in radiation chambers to ensure they will not suddenly short-circuit. Adding redundant circuits as well as self-monitoring features like watchdog timers also helps to make flight computers more robust.

[Sergiy]’s talk is full of interesting anecdotes that will delight the inner astronaut in all of us. Ever imagined a bat trying to hitch a ride on a Space Shuttle? As it turns out, one aspiring space bat did just that. And while designing space-qualified electronics is not something most of us do every day, [Sergiy]’s experiences provide plenty of tips for more down-to-earth problems. After all, salt and moisture will eat away cables on your bicycle just as they do on a moon rocket.

Be sure to also check out the links embedded in the talk’s slides for lots of great background information.


Illustrated Kristina with an IBM Model M keyboard floating between her hands.

Keebin’ With Kristina: The One With The Ballpoint Typewriters

So you want to minimize finger movement when you type, but don’t have three grand to drop on an old DataHand, or enough time to build the open-source lalboard? Check out these two concept keebs from [SouthPawEngineer], which only look like chord boards.

Every key on the home row is a five-way switch — like a D-pad with straight down input. [SouthPawEngineer] has them set up so that each one covers a QWERTY column. So like, for the left pinky switch, up is Q, right is A, down is Z, and left is 1. Technically, the split has 58 keys, and the uni has 56.

Both of these keebs use KB2040 boards, which are Adafruit’s answer to the keyboard-building craze of these roaring 2020s. These little boards are of course easy to program with CircuitPython, which supports KMK, an offshoot of the popular QMK. Thanks for the tip, [foamyguy]!


Mining And Refining: Lithium, Powering The Future With Brine

Many years ago, I read an article about the new hotness: lithium batteries. The author opened with what he no doubt thought was a clever pop culture reference by saying that the mere mention of lithium would “strike fear in the hearts of Klingons.” It was a weak reference to the fictional “dilithium crystals” of Star Trek fame, and even then I found it a bit cheesy, but I guess he had to lead with something.

Decades later, a deeper understanding of the lore makes it clear that a Klingon’s only fear is death with dishonor, but there is a species here on earth that lives in dread of lithium: CEOs of electric vehicle manufacturing concerns. For them, it’s not the presence of lithium that strikes fear, but the relative absence of it; while it’s the 25th most abundant element in the Earth’s crust, and gigatons are dissolved into the oceans of the world, lithium is very reactive and thus tends to be diffuse, making it difficult to obtain concentrated in the quantities their businesses depend on.

As the electric vehicle and renewable energy markets continue to grow, the need for lithium to manufacture batteries will grow with it, potentially to the point where demand outstrips the mining industry’s production capability. To understand how that imbalance may be possible, we’ll take a look at how lithium is currently mined, as well as examine some new mining techniques that may help fill the coming lithium gap.


Industrial Sewing Machine: Acquired

Well, it’s done. After weeks of trawling Craigslist, an hour-long phone call with an intelligent stranger about a different machine that wasn’t going to suit my needs, and a two-week delay while the seller and I waited out their unintentional COVID exposure, I am the proud new owner of a vintage Consew 206RB-3 industrial sewing machine.

So far, it is exactly what I wanted — at least a few decades old, in decent shape, built by a reputable maker, and it has a clutch motor that I can upgrade to a servo motor if I wish. I even like the color of the head, the table, and the little drawer hiding on the left side. Connie Consew is perfect!

Decidedly Not Portable

The internet was right — these things are heavy. According to the manual, the machine head alone weighs 25.5 kg (56 lbs). The motor probably weighs another 50-60 lbs. There’s a small wooden peg sticking up from the table that has the job of holding the head whenever it is tilted back for maintenance or bobbin changes. I’ll admit I didn’t trust the little peg at first, but it does a fine job of supporting all that weight on a single point of contact about an inch in diameter.


Crimping Tools And The Cost Of Being Cheap

Crimp connectors provide an easy and convenient way to connect electronics while still allowing for them to be removed and swapped without having to reach for a soldering iron and desoldering wick. While browsing one’s favorite cheap shopping site, you may get the impression that all one has to do to join the world of crimp-awesome is order a $20 crimp tool and some assorted ‘JST’ and ‘DuPont’ (a Mini-PV clone) connectors to go with it. After all, it’s just a bit of metal that’s squeezed around some stripped wire. How complicated could this be?

The harsh truth is that, as ridiculous as the price tag on official JST and Mini-PV crimping tools may seem at hundreds of dollars each, they offer precise, repeatable crimps and reliable long-term stability. The same is true for genuine JST, Mini-PV and Molex connectors. The price tag for ‘saving a buck’ may end up being a lot higher than the money originally saved.


Pick and place reels

Pick And Place Hack Chat

Join us on Wednesday, February 9 at noon Pacific for the Pick and Place Hack Chat with Chris Denney!

We in the hacker trade are pretty used to miracles — we make them all the time. But even the most jaded among us has to admit that modern PCB assembly, where components that could easily hide under a grain of sand are handled by robots, borders on witchcraft. The pick and place machines that work these wonders not only have to hit their marks accurately and precisely, but they also do it at blinding speeds and for days on end.

Luckily, even those of us who design circuits for a living and depend on PCB assembly services to realize those designs can, at least to some degree, abstract the details of the pick and place phase of the process away. But making it “just work” isn’t a trivial task, and learning a little bit about what it takes to do so can make us better designers. Plus, it’s just plain cool to watch a pick and place do its thing. And to dive a little deeper into pick and place, Chris Denney, CTO of Worthington Assembly and co-host of “Pick, Place, Podcast”, will stop by the Hack Chat. If you’ve ever wondered about the inner workings of PCB assembly and the role pick and place plays in it, or if you’re looking for tips on how to optimize your layouts for pick and place, this is one you won’t want to miss!

Our Hack Chats are live community events in the Hackaday.io Hack Chat group messaging. This week we’ll be sitting down on Wednesday, February 9 at 12:00 PM Pacific time. If time zones have you tied up, we have a handy time zone converter.
