This Week In Security: Chrome 0-day, Cassandra, And A Cisco PoC

Running Chrome or a Chromium-based browser? Check for version 98.0.4758.102, and update if you’re not running that release or better. Quick tip: use chrome://restart to trigger an immediate restart of Chrome, just like the one that comes after an update. This is especially useful after installing an update on Linux using apt, dnf, or the like.

CVE-2022-0609 is the big vulnerability just patched, and Google has acknowledged that it’s being exploited in the wild. It’s a use-after-free bug, meaning that the application marks a section of memory as returned to the OS, but then accesses that now-invalid memory address. The time gap between freeing and erroneously re-using the memory allows malicious code to claim that memory as its own, and write something unexpected.

Google has learned their lesson about making too many details public too early, and this CVE and associated bug aren’t easily found in the Chromium project’s source, and there doesn’t seem to be an exploit published in the Chromium code testing suite.

Bionic Eyes Go Dark

If you were blind, having an artificial retinal implant would mean the difference between seeing a few hundred pixels in greyscale and seeing all black, all the time. Imagine that you emerged from this total darkness, enjoyed a few years of mobility and your newfound sense, and then everything goes dark again because the company making the devices abandoned them for financial reasons.

This is a harrowing tale of closed-source technology, and how a medical device that relies on proprietary hard- and software essentially holds its users hostage to the financial well-being of the company that produces it. When that company is a brash startup, with plans of making money by eventually pivoting away from retinal implants to direct cortical stimulation — a technology that’s in its infancy at best right now — that’s a risky bet to take. But these were people with no other alternative, and the technology is, or was, amazing.

One blind man with an implant may or may not have brain cancer, but claims that he can’t receive an MRI because Second Sight won’t release details about his implant. Those bugs in your eyes? When the firm laid off its rehab therapists, patients were told they weren’t going to get any more software updates.

If we were CEO of Second Sight, we know what we would do with our closed-source software and hardware right now. The company is facing bankruptcy, has lost significant credibility in the medical devices industry, and is looking to pivot away from the Argus system anyway. They have little to lose, and a tremendous amount of goodwill to gain, by enabling people to fix their own eyes.

Thanks to [Adrian], [Ben], [MLewis], and a few other tipsters for getting this one in!

This Week In Security: Zimbra, Lockbit 2, And Hacking NK

Unknown attackers have been exploiting a 0-day attack against the Zimbra e-mail suite. Researchers at Volexity first discovered the attack back in December of last year, detected by their monitoring infrastructure. It’s a cross-site scripting (XSS) exploit, such that when opening a malicious link, the JavaScript running on the malicious page can access a logged-in Zimbra instance. The attack campaign uses this exploit to grab emails and attachments and upload them to the attackers. Researchers haven’t been able to positively identify what group is behind the attacks, but a bit of circumstantial evidence points to a Chinese group. That evidence? Time zones. The attacker requests all use the Asia/Hong_Kong time zone, and the timing of all the phishing emails sent lines up nicely with a work-day in that time zone.

Zimbra has responded, confirming the vulnerability and publishing a hotfix for it. The campaign seems to have been targeted specifically against European governments, and various media outlets. If you’re running a Zimbra instance, make sure you’re running at least 8.8.15.1643980846.p30-1.

LockBit 2.0

Because security professionals needed something else to keep us occupied, the LockBit ransomware campaign is back for a round two. This is another ransomware campaign run in the as-a-Service pattern — RaaS. LockBit 2 has caught enough attention that the FBI has published a FLASH message (PDF) about it. That’s the FBI Liaison Alert System, in the running for the worst acronym. (Help them figure out what the “H” stands for in the comments below!)

Like many other ransomware campaigns, LockBit has a list of language codes that trigger a bail on execution — the Eastern European languages you would expect. Ransomware operators have long tried not to poison their own wells by hitting targets in their own back yards. This one is being reported as also having a Linux module, but it appears that is limited to VMware ESXi virtual machines. A series of IoCs have been published, and the FBI are requesting any logs, ransom notes, or other evidence possibly related to this campaign to be sent to them if possible.

Making Light Of Superconductors

Once upon a time, making a superconductor required extremely cold temperatures. Scientists understood why superconducting materials could move electrons without loss, but the super cold temperatures were a problem. Then in 1986, a high-temperature superconductor was found. High temperature, of course, is a relative term. The new material works when cooled to a frosty temperature, just not a few degrees off of absolute zero like a conventional superconductor. Since then, the race has been on to find a room-temperature superconductor that doesn’t require other exotic conditions, such as extreme pressure. Department of Energy scientists may have found a different path to get there: X-ray light.

The problem is that scientists don’t fully understand why these high-temperature superconductors work. To study the material, YBCO, scientists chill a sample to its superconducting state and then use a magnetic field to disrupt the superconductivity to study the material’s normal state. The new research has shown that a pulse of light can also disrupt the superconductivity, although the resulting state is unstable.

The research shows that charge density waves, which can serve as markers for superconductivity, occur when the samples are exposed to a magnetic field or to high-energy light pulses. While this is a far cry from creating room temperature superconductors, further study of the mechanism that allows light and magnetic fields to cause similar changes in the material could lead to a better understanding of the physics and maybe — one day — room-temperature superconductors.

Want to make your own YBCO? Go for it! Of course, you can already get room-temperature superconductors if you can stand the pressure.

Ask Hackaday: What’s Going On With Mazdas In Seattle?

What hacker doesn’t love a puzzle? We have a doozy for you. According to KUOW — the NPR affiliate in Seattle — they have been getting an unusual complaint. Apparently, if you drive a Mazda made in 2016 and you tune to KUOW, your radio gets stuck on their frequency, 94.9 MHz, and you can’t change it.

According to a post from the radio station, it doesn’t just affect the FM radio. A listener named Smith reported:

“I tried rebooting it because I’ve done that in the past and nothing happened,” Smith said, “I realized I could hear NPR, but I can’t change the station, can’t use the navigation, can’t use the Bluetooth.”

How Can 335 Horses Weigh 63 Pounds?

Koenigsegg, the Swedish car company, has a history of unusual engineering. The latest innovation is an electric motor developed for its Gemera hybrid vehicle. The relatively tiny motor weighs 63 pounds and develops 335 horsepower and 443 lb-ft of torque. Dubbed the Quark, the motor uses both radial and axial flux designs to achieve these impressive numbers.

There is a catch, of course. Like most EV motors, those numbers are not sustainable. The company claims the motor can output peak power for 20 seconds and then drops to 134 horsepower/184 lb-ft of torque. The Gemera can supplement, of course, with its internal combustion engine — a 3 cylinder design.

As Light As Plastic; As Strong As Steel

Chemical engineers at MIT have pulled off something that was once thought impossible. By polymerizing material in two different directions at once, they have created a polymer that is very strong. You can read a pre-print version of the paper over on Arxiv.

Polymers owe many of their useful properties to the fact that they make long chains. Molecules known as monomers join together in strings held together by covalent bonds. Polymer chains may be cross-linked, which changes their properties. It has long been thought that material with chains running along both the X and Y axes would have desirable properties, but making these reliably is a challenge.

Part of the problem is that it is hard to line up molecules, even large monomers. If one monomer in the chain rotates a bit, it will create a defect in the 2D structure and that defect will grow rapidly as you add more monomers. The new technique is relatively easy to do and is irreversible, which is good because reversible chains tend to have undesirable characteristics like low chemical stability. Synthesis does require a few chemicals like melamine, calcium chloride, pyridine, and trimesic acid. Along with N-Methyl-2-pyrrolidone, the mixture eventually forms a gel. The team took pieces of gel and soaked them in ethanol. With some filtering, ultrasonics, centrifuging, and washing with water and acetone, the material was ready for vacuum drying and was made into a powder.

The powder is dissolved in acid and placed on a spinning silicon wafer to form a polymerized nanofilm. Other 2D films have been produced, of course, such as graphene, but polymer films may have a number of applications. In particular, in contrast to conventional polymers, sheets of this material are impermeable to gas and liquid, which could make it very useful as a coating.

According to the MIT press release, the film’s elastic modulus is about four to six times greater than that of bulletproof glass. The amount of force required to break the material is about twice that of steel. It doesn’t sound like this material will be oozing out of our 3D printers anytime soon. But maybe one day you’ll be able to get 2D super-strong resin.

For all their faults, conventional polymers changed the world as we know it. Some polymers occur naturally, and some use natural ingredients, too.