This Week In Security: Morse Code Malware, Literal And Figurative Watering Holes, And More

Code obfuscation has been around for a long time. The obfuscated C contest first ran way back in 1984, but there are examples of natural language obfuscation from way earlier in history. Namely Cockney rhyming slang, like saying “Lady from Bristol” instead of “pistol” or “lump of lead” instead of “head”. It’s speculated that Cockney was originally used to allow the criminal class to have conversations without tipping off police.

Code obfuscation in malware serves a similar purpose — hiding from security devices and applications. There are known code snippets and blacklisted IP addresses that anti-malware software scans for. If that known bad code can be successfully obfuscated, it can avoid detection. This is a bit of a constant game of cat-and-mouse, as the deobfuscation code itself eventually makes the blacklist. This leads to new obfuscation techniques, sometimes quite off the wall. Well this week, I found a humdinger of an oddball approach. Morse Code.

Yep, dots and dashes. The whole attack goes like this. You receive an email, claiming to be an invoice. It’s a .xlsx.hTML file. If you don’t notice the odd file extension, and actually let it open, you’re treated to a web page. The source of that page is a very minimal JS script that consists of a morse code decoder, and a payload encoded in Morse. In this case, the payload is simply a pair of external scripts that ask for an Office 365 login. The novel aspect of this is definitely the Morse Code. Yes, our own [Danie] covered this earlier this week, but it was too good not to mention here.

Tesla Recalls Cars With EMMC Failures, Calls Part A ‘Wear Item’

It’s a problem familiar to anyone who’s spent a decent amount of time playing with a Raspberry Pi – over time, the flash in the SD card reaches its write cycle limits, and causes a cavalcade of confusing errors before failing entirely. While flash storage is fast, compact, and mechanically reliable, it has always had a writeable lifespan much shorter than magnetic technologies.

Flash storage failures in the computer behind Tesla’s famous touch screen are causing headaches for drivers.

Of course, with proper wear levelling techniques and careful use, these issues can be mitigated successfully. The surprising thing is when a major automaker fails to implement such basic features, as was the case with several Tesla models. Due to the car’s Linux operating system logging excessively to its 8 GB eMMC storage, the flash modules have been wearing out. This leads to widespread failures in the car, typically putting it into limp mode and disabling many features controlled via the touchscreen.

With the issue affecting important subsystems such as the heater, defroster, and warning systems, the NHTSA wrote to the automaker in January requesting a recall. Tesla’s response acquiesced to this request with some consternation, downplaying the severity of the issue. Now they are claiming that the eMMC chip, ball-grid soldered to the motherboard, inaccessible without disassembling the dash, and not specifically mentioned in the owner’s manual, should be considered a “wear item”, and thus should not be subject to such scrutiny.

The $50 Ham: Digital Modes With WSJT-X

As it is generally practiced, ham radio is a little like going to the grocery store and striking up a conversation with everyone you bump into as you ply the aisles. Except that the grocery store is the size of the planet, and everyone brings their own shopping cart, some of which are highly modified and really expensive. And pretty much every conversation is about said carts, or about the grocery store itself.

With that admittedly iffy analogy in mind, if you’re not the kind of person who would normally strike up a conversation with someone while shopping, you might think that you’d be a poor fit for amateur radio. But just because that’s the way that most people exercise their ham radio privileges doesn’t mean it’s the only way. Exploring a few of the more popular ways to leverage the high-frequency (HF) bands and see what can be done on a limited budget, in terms of both cost of equipment as well as the amount of power used, is the focus of this installment of The $50 Ham. Welcome to the world of microphone-optional ham radio: weak-signal digital modes.

Teardown: Bug Zapper Bulb

Up here in the Northern Hemisphere, mosquitoes and other flying pests are the last thing on anyone’s mind right now. The only bug that’s hindering gatherings at the moment goes by the name of COVID-19, but even if we weren’t social distancing, insects simply aren’t a concern at this time of year. So it’s little surprise that these months are often the best time to find a great deal on gadgets designed to deter or outright obliterate airborne insects.

Case in point, I was able to pick up this “Bug Zapper LED Bulb” at the big-box hardware store for just a few bucks. This one is sold by PIC Corporation, though some press release surfing shows the company merely took over distribution of the device in 2017. Before then it was known as the Zapplight, and was the sort of thing you might see advertised on TV if you were still awake at 3 AM. It appears there are several exceptionally similar products on the market as well, which are likely to be the same internally.

In all fairness, it’s a pretty clever idea. Traditional zappers are fairly large, and need to be hoisted up somewhere next to an electrical outlet. But if you could shrink one down to the size of a light bulb, you could easily dot them around the porch using the existing sockets and wiring. Extra points if you can also figure out a way to make it work as a real bulb when the bugs aren’t out. Obviously the resulting chimera won’t excel at either task, but there’s certainly something to be said for the convenience of it.

Let’s take a look inside one of these electrifying illuminators and see how they’ve managed to squeeze two very different devices into one socket-friendly package.

Getting Ready For Mars: The Seven Minutes Of Terror

For the past seven months, NASA’s newest Mars rover has been closing in on its final destination. As Perseverance eats up the distance and heads for the point in space that Mars will occupy on February 18, 2021, the rover has been more or less idle. Tucked safely into its aeroshell, we’ve heard little from the lonely space traveler lately, except for a single audio clip of the whirring of its cooling pumps.

Its placid journey across interplanetary space stands in marked contrast to what lies just ahead of it. Like its cousin and predecessor Curiosity, Perseverance has to successfully negotiate a gauntlet of orbital and aerodynamic challenges, and do so without any human intervention. NASA mission planners call it the Seven Minutes of Terror, since the whole process will take just over 400 seconds from the time it encounters the first wisps of the Martian atmosphere to when the rover is safely on the ground within Jezero Crater.

For that to happen, and for the two-billion-dollar mission to even have a chance at fulfilling its primary objective of searching for signs of ancient Martian life, every system on the spacecraft has to operate perfectly. It’s a complicated, high-energy ballet with high stakes, so it’s worth taking a look at the Seven Minutes of Terror, and what exactly will be happening, in detail.

Finishing Your Projects Hack Chat With Zack Freedman

Join us on Wednesday, February 10 at noon Pacific for the Finishing Your Projects Hack Chat with Zack Freedman!

Try as we might, some of us are much better at starting projects than finishing them. Our benches — or all too often, our notebooks — are graveyards of good attempts, littered with the scraps of ideas that really sounded good at the time and clouded by a miasma of good intentions and protestations that “This time, it’ll be different.” Spoiler alert: no, it won’t.

Trying to pin the cause of this painfully common problem on something specific is probably a fool’s errand, especially given that some people mysteriously don’t suffer from it; it would appear brain chemistry plays a role. Maybe some people just really like the dopamine hit of starting something new, which gives them the rush of excitement while the idea is still fresh, only to have it wane rapidly as the project enters the churn.

Whatever it is, if you suffer from it, chances are good you’ve looked for a way out at least once. If so, you’ll want to hop into this Hack Chat, where “very serious hacker” Zack Freedman, proprietor of the Voidstar Labs channel on YouTube, will share his thoughts on project follow-through. We’ve enjoyed Zack’s projects for a while now, and covered a few, from his in-your-face (on-your-wrist?) smartwatch to his video editing keypad. He gets stuff done, perhaps in part due to his workshop organization, but however he does it, we’re eager to hear about it. Join us as we discuss the art of follow-through and getting stuff done.

Our Hack Chats are live community events in the Hackaday.io Hack Chat group messaging. This week we’ll be sitting down on Wednesday, February 10 at 12:00 PM Pacific time. If time zones have you tied up, we have a handy time zone converter.

Click that speech bubble to the right, and you’ll be taken directly to the Hack Chat group on Hackaday.io. You don’t have to wait until Wednesday; join whenever you want and you can see what the community is talking about.

Hackaday Links: February 7, 2021

What’s that they say about death and taxes? Apparently that maxim doesn’t apply to Flash, at least when it comes to the taxman. As we noted last week, the end of the Adobe Flash era took with it a scheduling and routing app for the railway system in a Chinese city. This time around, it’s the unfortunately acronymed SARS, for South African Revenue Services, having Flash woes. They still have several online tax forms that haven’t been migrated to HTML5, so to keep the revenue flowing they built their own Flash-enabled browser. Taxpayers are free to download and use the browser while SARS works on getting the rest of their forms migrated. It sort of reminds us of those plans the Internal Revenue Service has to ensure tax collection continues after a nuclear apocalypse — death and taxes indeed.

Trouble for Nintendo in the EU? It looks that way, as consumer groups have made the case to EU regulators that Nintendo’s wildly popular Switch consoles are showing unacceptably premature obsolescence with the notorious “Joy-Con drift” issue. The problem, which manifests as players being unable to control a game due to constant movement despite no inputs on the joystick-like controller, requires a repair, one that Nintendo initially only did for free as warranty service for consoles less than a year old. For consoles out of the warranty period, Nintendo was charging €45, which is approximately the same as what a new controller would cost. This didn’t sit well with regulators, and now they’re breathing down Nintendo’s neck. They now offer free repairs for up to two years, but they’re still under the EU microscope. The interesting bit in the linked document is the technical reason for the problem, which is attributed to premature PCB wear — possibly meaning the traces wear away — and inadequate sealing of the Joy-Con mechanism against dust intrusion.

Last year looked as though it was going to be an exciting one with respect to some of our nearest solar and galactic neighbors. For a while there, it looked like the red giant Betelgeuse was going to go supernova, which would have been interesting to watch. And closer to home, there were some signs of life, in the form of phosphine gas, detected in the roiling atmosphere of our sister planet, Venus. Alas, both stories appear not to have panned out. The much-hoped-for (by me) Betelgeuse explosion, which was potentially heralded by a strange off-cycle dimming of the variable star, seems now to be due to its upper atmosphere cooling by several hundred degrees. As for Venus, the phosphine gas that was detected appears actually to have been a false positive triggered by sulfur dioxide. Disappointing results perhaps, but that’s how science is supposed to work.

Amateur radio often gets a bad rap, derided as a hobby for rich old dudes who just like to talk about their medical problems. Some of that is deserved, no doubt, but there’s still a lot of room in the hobby for those interested in advancing the state of the art in radio communications. In this vein, we were pleased to learn about HamSCI, which is short for Ham Radio Science Citizen Investigation. The group takes to heart one of the stated primary missions of amateur radio as the “continuation and extension of the amateur’s proven ability to contribute to the advancement of the radio art.” To that end, they’ll be holding HamSCI Workshop 2021, a virtual conference that will be focused on midlatitude ionospheric science. This appears to be a real science conference where both credentialed scientists and amateurs can share ideas. They’ve got a Call for Proposals now, with abstracts due by February 15. The conference itself will be on March 19 and 20, with free admission. The list of invited speakers looks pretty impressive, so if you have any interest in the field, check it out.

And finally, we got a tip this week about a collection of goofy US patents. Everything listed, from the extreme combover to baby bum-print art, is supposedly covered by a patent. We didn’t bother checking Google Patents, but some of these are pretty good for a laugh. We did look at a few, though, and were surprised to learn that the Gerbil Shirt is not a garment for rodents, but a rodent-filled garment for humans.