From XP to 10, DoubleAgent pwns all your Windows?

The Cybellum team has published a new 0-day technique for injecting code into, and maintaining persistence on, a target computer, which they have dubbed DoubleAgent. It abuses a feature that every Windows version since XP provides: an Application Verifier provider DLL can be registered for any executable. The verifier provider DLL is just a DLL that is loaded into the process and is supposed to perform run-time checks on the application. Its actual behaviour, however, can be whatever the attacker wants, since the attacker supplies the DLL.

Microsoft describes it as:

Application Verifier is a runtime verification tool for unmanaged code. Application Verifier assists developers in quickly finding subtle programming errors that can be extremely difficult to identify with normal application testing. Using Application Verifier in Visual Studio makes it easier to create reliable applications by identifying errors caused by heap corruption, incorrect handle and critical section usage. (…)

The code injection occurs extremely early during the victim process's initialization, giving the attacker full control over the process and leaving the process no way to detect what is going on. Once a DLL has been registered as a verifier provider for a process, the Windows loader injects it every time that process starts, persisting across reboots, updates, reinstalls, and patches.

So it’s all over for Windows, right? Well… no. The catch is that registering the DLL requires administrator rights, because the attacker has to write the proper key to the Windows Registry. Without those permissions there is no way for the attack to work. You know, the kind of permissions that let you install software for all users or format your own hard drive. So, although the technique has its merit and can be a real problem for processes that absolutely must maintain their integrity (anti-virus software, as the Cybellum team points out), some other security flaw has to occur first before you can register this sort of ‘debugging DLL’.

If you already have administrator permissions you can do pretty much anything you want, including injecting DLLs to fool anti-virus software. (Though it might be easier just to disable or remove it.) This new technique has the advantage of being stealthy, but is a 0-day that requires administrator rights really a 0-day?
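If you want to check a machine for this kind of registration, the registry locations involved are documented by Microsoft for Application Verifier itself: a provider is configured under the Image File Execution Options key for an executable, with a VerifierDlls value naming the DLL(s) and the FLG_APPLICATION_VERIFIER bit (0x100) set in GlobalFlag. The PowerShell below is an added example of our own, not part of the Cybellum write-up or their proof-of-concept; the function name and output columns are ours, and it assumes the provider DLLs live in System32, which is where the loader resolves them from.

```powershell
# Added example (not from Cybellum): list executables that have an
# Application Verifier provider DLL registered via Image File Execution Options.
function Get-VerifierProviders {
    $FLG_APPLICATION_VERIFIER = 0x100
    # 64-bit and 32-bit (Wow6432Node) views of the IFEO key
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath
            $dlls  = $props.VerifierDlls
            if ([string]::IsNullOrWhiteSpace($dlls)) { return }

            # GlobalFlag is normally REG_DWORD; tolerate a hex string such as "0x100"
            $flags = 0
            if ($null -ne $props.GlobalFlag) {
                try { $flags = [int]$props.GlobalFlag } catch { $flags = 0 }
            }

            # Assumption: provider DLLs are resolved from System32. Report whether
            # each named DLL exists there and what its Authenticode status is.
            $onDisk = ($dlls -split '\s+' | Where-Object { $_ } | ForEach-Object {
                $path = Join-Path $env:SystemRoot "System32\$_"
                if (Test-Path $path) {
                    $sig = Get-AuthenticodeSignature -FilePath $path
                    "$_ [$($sig.Status)]"
                } else {
                    "$_ [missing]"
                }
            }) -join ', '

            [pscustomobject]@{
                Executable      = $_.PSChildName
                VerifierDlls    = $dlls
                VerifierFlagSet = (($flags -band $FLG_APPLICATION_VERIFIER) -ne 0)
                DllsOnDisk      = $onDisk
                KeyPath         = $_.Name
            }
        }
    }
}

Get-VerifierProviders | Format-Table -AutoSize
```

A hit is not proof of compromise: a developer who has run appverif.exe against a binary leaves exactly the same entries behind. What you are looking for is a VerifierDlls entry for a process that nobody on the box is debugging, pointing at an unsigned or unexpected DLL; comparing the output against a known-good baseline is the practical way to spot that.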

[via The Hacker News]

NASA’s 2017-2018 Software Catalog is Out

Need some help sizing your beyond-low-Earth-orbit vehicle? Request NASA’s BLAST software. Need to forecast the weather on Venus? That would be Venus-GRAM (global reference atmospheric model). Or maybe you just want to play around with the NASA Tensegrity Robotics Toolkit. (We do!) Then it’s a good thing that part of NASA’s public mandate is making their software available. And the 2017-2018 Software Catalog (PDF) has just been released.

Unfortunately, not everything that NASA does is open source, and a substantial fraction of the software suites are only available “to be used on behalf of the U.S. Government”. But still, it’s very cool that NASA is opening up as much of its libraries as it is. Where else are you going to get access to orbital debris engineering models or cutting-edge fluid dynamics modelers and solvers, for free?

We already mentioned this in the Links column, but we think it’s worth repeating because we could use your help. The catalog is 154 pages long, and we haven’t quite finished leafing through every page. If you see anything awesome inside, let us know in the comments. Do any of you already use NASA’s open-source software?

Storing Data on a Single Atom

In the electronics industry, the march of time brings with it a reduction in size. Our electronic devices, while getting faster, better and cheaper, also tend to get smaller. One of the main reasons for this is that the storage medium for binary data keeps getting smaller and more efficient. Many can recall the EPROM, which is about the size of your thumb. Today we walk around with SD cards that hold orders of magnitude more data and fit on your thumbnail.

Naturally, we must ask ourselves where the limit lies. Just how small can memory storage get? How about a single atom! IBM, along with a handful of international scientists, has managed to store two bits of information on two holmium atoms, one bit per atom. Using a scanning tunneling microscope, they were able to write data to the atoms, which held it for an extended period of time.

Holmium is a heavy atom: atomic number 67, with an atomic mass of about 165 u. It’s a rare-earth metal from the lanthanide series of the periodic table. Its electron configuration leaves several of its electrons unpaired. Recall from our article on the periodic table that paired electrons must have opposite spins, with the unfortunate consequence that their individual magnetic moments cancel. Holmium’s unpaired electrons give it a large magnetic moment, which makes it a good candidate for this kind of manipulation.

While you won’t be seeing atom-level memory on the next Raspberry Pi, it’s still neat to see what the future holds.

Thanks to [Itay] for the tip!

Via Gizmodo.

So Long, and Thanks for all the Crystals

There was a time when anyone involved with radio transmitting — ham operators, CBers, scanner enthusiasts, or remote-control model fans — had a collection of crystals. Before frequency synthesis became popular, this was the best way to set an accurate frequency. At one time these were commonly available, and there were many places to order custom-cut crystals.

One of the best-known US manufacturers of quartz crystals still in business was International Crystal Manufacturing (ICM). Well, until now: ICM recently announced it is ceasing operations after 66 years, and expects to be completely shut down by May.

In a letter on the company’s website, Royden Freeland Jr. (the founder’s son) committed to fulfilling existing orders and possibly taking some new ones, raw materials permitting. The company started making products in his father’s garage in 1950.

Another big name that might still be around is Jan Crystals. We say might because, although their website is live, there’s not much there, and the phone number is not quite disconnected but is “parked.” There are also posts on the Internet (where everything is true) indicating they are out of business.

Even if you don’t do radio work, crystals are a staple of digital systems that need an accurate clock, and of some types of filters, too. Of course, you can still get them; you just may not be able to get them made in the United States for much longer.

If you want to know more about the technology behind crystals, [Jenny] has you covered. Crystals are one of those things that have not changed much in a long time, so you might enjoy the very 1960s-vintage U.S. Air Force training film below.


WikiLeaks Unveils Treasure Trove of CIA Documents

The latest from WikiLeaks is the largest collection of documents ever released from the CIA. The release, called ‘Vault 7: CIA Hacking Tools Revealed’, documents the CIA’s hacking arsenal.

While Vault 7 is only the first part in a series of leaks of CIA documents, this leak is itself massive. The documents, available on the WikiLeaks site and as a torrent, detail the extent of the CIA’s hacking program.

Of note, the CIA has developed numerous 0-day exploits for iOS and Android devices. The ‘Weeping Angel’ tool for Samsung smart TVs “places the target TV in a ‘Fake-Off’ mode, so that the owner falsely believes the TV is off when it is on.” In Fake-Off mode the TV’s microphone stays active, records conversations in the room, and sends the recordings to a CIA server. The CIA has also developed tools to take over vehicle control systems; their purpose is speculative, but such tools could be used to send a moving car off the road.

It is not an exaggeration to say this is the most significant leak from a government agency since Snowden, and possibly since the Pentagon Papers. This is the documentation of the CIA’s cyberwarfare program, and there are more leaks to come. It will be a while before interested parties — Hackaday included — can make sense of this leak; until then, WikiLeaks has published a directory of the release.

Header image source (CC BY 2.0)

Nvidia Announces Jetson TX2 High Performance Embedded Module

The last year has been great for Nvidia hardware. Nvidia released graphics cards using the Pascal architecture, 1080s are heating up server rooms the world over, and now Nvidia is making yet another move into high-performance, low-power computing. Today Nvidia announced the Jetson TX2, a credit-card-sized module that brings deep learning to the embedded world.

The Jetson TX2 is the follow-up to the Jetson TX1. We took a look at the TX1 when it was released at the end of 2015, and our impression was positive, with a few caveats. The TX1 is still a very fast, very capable, very low-power ARM device that runs Linux. What Nvidia didn’t communicate well was the case for the TX1: this is ultimately a device you attach several cameras to and run OpenCV on. It is a machine-learning module. Now it appears Nvidia has the sales pitch for its embedded platform down.


Another Day, Another “IoT” Backdoor

As if you needed any reason other than “just for the heck of it” to hack into a gadget that you own: it looks like nearly all of the GSM-to-IP bridge devices made by DBLTek have a remotely accessible “secret” backdoor account built in. We were sent the link via Slashdot, which in turn linked to this story on Techradar. Both include the scare words “Chinese” and “IoT”, although the devices seem to be aimed at small businesses. But everything’s “IoT” these days, right?

What is scary, however, is that the backdoor isn’t just a sloppy debug account left in; it is reachable only through an elaborate, custom login protocol, which means someone designed it that way. Worse still, when the company was contacted about the backdoor account, they “fixed” the problem not by removing the account but by making the “secret” login procedure a few steps more complicated. Which is to say, they haven’t fixed the problem at all: anyone who reverse-engineers the new procedure from the firmware is right back in.

This issue was found by security firm Trustwave, but they can’t check every device on the market all the time. We may be preaching to the choir here, but if you’ve ever wondered why it’s important to be able to break into stuff that you own, here’s another reminder.
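To make the “more steps is not a fix” point concrete, here is a toy challenge-response login of our own, added as an example and not DBLTek’s actual protocol or Trustwave’s proof-of-concept. The scheme names, the firmware constant and the device secret are all constructed. The two “backdoor” variants compute the expected response from the challenge and material that ships in every firmware image, so anyone who has read the firmware can log in to any unit; the hardened variant keys the response with a per-device secret, so knowing the algorithm is no longer enough.

```python
"""Added example (constructed): why obfuscating a backdoor handshake is not a fix.

The 'backdoor' schemes derive the expected response purely from the challenge
and a constant present in every firmware image. Anyone who has extracted the
firmware can therefore compute a valid response for any device. The hardened
scheme uses a per-device secret, so the algorithm alone is useless to an
attacker. None of this is DBLTek's real protocol; it is a hypothetical model.
"""
import hashlib
import hmac
import os

FIRMWARE_CONSTANT = b"constructed-firmware-constant"  # same in every unit


def backdoor_response(challenge: bytes) -> bytes:
    """Hypothetical vendor scheme: response = H(constant || challenge)."""
    return hashlib.sha256(FIRMWARE_CONSTANT + challenge).digest()


def backdoor_response_v2(challenge: bytes) -> bytes:
    """The 'fix' that only adds steps. There is still no per-device secret,
    so it is exactly as computable by an attacker as the original."""
    r = backdoor_response(challenge)
    for _ in range(3):
        r = hashlib.sha256(r[::-1] + b"v2-extra-step").digest()
    return r


def hardened_response(device_secret: bytes, challenge: bytes) -> bytes:
    """Keyed challenge-response: HMAC over the challenge with a secret that
    is unique to this device and never ships in the firmware image."""
    return hmac.new(device_secret, challenge, hashlib.sha256).digest()


class Device:
    """A device-side login that issues a random challenge and checks one response."""

    def __init__(self, scheme: str, device_secret: bytes = b""):
        self.scheme = scheme
        self.device_secret = device_secret
        self._challenge = None

    def issue_challenge(self) -> bytes:
        self._challenge = os.urandom(16)
        return self._challenge

    def verify(self, response: bytes) -> bool:
        if self._challenge is None:
            return False  # no outstanding challenge: nothing to verify
        if self.scheme == "backdoor":
            expected = backdoor_response(self._challenge)
        elif self.scheme == "backdoor_v2":
            expected = backdoor_response_v2(self._challenge)
        else:
            expected = hardened_response(self.device_secret, self._challenge)
        self._challenge = None  # one response per challenge; no replay
        return hmac.compare_digest(expected, response)


def attacker_logs_in(device: Device) -> bool:
    """Attacker model: has the firmware (knows every algorithm and constant)
    but has no per-device secret. Returns True if the login succeeds."""
    ch = device.issue_challenge()
    if device.scheme == "backdoor":
        return device.verify(backdoor_response(ch))
    if device.scheme == "backdoor_v2":
        return device.verify(backdoor_response_v2(ch))
    # Against the keyed scheme the best the attacker can do is guess a key.
    return device.verify(hardened_response(b"guessed-key", ch))


if __name__ == "__main__":
    for scheme in ("backdoor", "backdoor_v2"):
        print(scheme, "-> attacker in:", attacker_logs_in(Device(scheme)))
    print("hardened -> attacker in:",
          attacker_logs_in(Device("hardened", b"per-device-secret")))
```

The obfuscation in `backdoor_response_v2` changes nothing about who can log in, only how long it takes to reverse-engineer. The property that actually matters is whether the response depends on something the attacker cannot obtain from the firmware, which is what the per-device key in `hardened_response` provides.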