Thingiverse Data Leaked — Check Your Passwords

Every week seems to bring another set of high-profile data leaks, and this time it’s the turn of a service that should be of concern to many in our community. A database backup from the popular 3D model sharing website Thingiverse has leaked online, containing 228,000 email addresses, full names, addresses, and passwords stored as unsalted SHA-1 or bcrypt hashes. If you have an account with Thingiverse it is probably worth your while to head over to Have I Been Pwned to search on your email address, and just to be sure you should also change your password on the site. Our informal testing suggests that not all accounts appear to be contained in the leak, which appears to relate to comments left on the site.

Aside from the seriousness of a leak in itself, the choice of password hashing should raise a few eyebrows. Both SHA-1 and bcrypt can be considered broken or at best vulnerable to attack here in 2021, so much so that for any website to have avoided migration to a stronger algorithm indicates very poor attention to website security on the part of Thingiverse. We’d like to think that it would serve as a salutary warning to other website operators in our field to review and upgrade their password hashing, but we suspect readers will agree that this won’t be the last time we report on such a leak and nervously check our own login details.
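The practical follow-up to a dump like this, on the operator's side, is to find out how many stored hashes are still in the legacy format and migrate them the next time each user logs in. The following is an added example, not Thingiverse's code or anything from the leak: it classifies stored hashes by their on-disk format (a bare 40-hex-character string is what an unsalted SHA-1 hexdigest looks like), and implements rehash-on-login, replacing a legacy hash with a salted PBKDF2-HMAC-SHA256 hash as a stand-in for bcrypt, which is not in the Python standard library. The user records, the bcrypt-shaped placeholder and the iteration count are constructed for the example.

```python
import hashlib
import hmac
import os
import re

SHA1_HEX_RE = re.compile(r"[0-9a-f]{40}")
BCRYPT_PREFIXES = ("$2a$", "$2b$", "$2y$")
PBKDF2_ITERATIONS = 100_000  # example work factor, not a recommendation


def classify_hash(stored):
    """Classify a stored password hash by its on-disk format.

    40 lowercase hex characters with no salt and no prefix is the shape of an
    unsalted SHA-1 hexdigest; format alone cannot distinguish it from another
    160-bit hex hash, so the label is 'legacy-sha1', not a proof."""
    if stored.startswith(BCRYPT_PREFIXES):
        return "bcrypt"
    if stored.startswith("pbkdf2_sha256$"):
        return "pbkdf2_sha256"
    if SHA1_HEX_RE.fullmatch(stored):
        return "legacy-sha1"
    return "unknown"


def audit(records):
    """Count hash formats across a user table and list users still on a legacy hash."""
    counts, legacy = {}, []
    for r in records:
        kind = classify_hash(r["hash"])
        counts[kind] = counts.get(kind, 0) + 1
        if kind == "legacy-sha1":
            legacy.append(r["user"])
    return counts, legacy


def make_pbkdf2(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, stored as algorithm$iterations$salt$hash."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), dk.hex())


def verify_pbkdf2(stored, password):
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def login(record, password):
    """Verify `password` against record['hash'].

    On a successful login against a legacy hash, the record is rewritten in
    place with a salted PBKDF2 hash (rehash-on-login). Returns (ok, upgraded)."""
    kind = classify_hash(record["hash"])
    if kind == "legacy-sha1":
        candidate = hashlib.sha1(password.encode()).hexdigest()
        if not hmac.compare_digest(candidate, record["hash"]):
            return False, False
        record["hash"] = make_pbkdf2(password)
        return True, True
    if kind == "pbkdf2_sha256":
        return verify_pbkdf2(record["hash"], password), False
    # Verifying a bcrypt hash needs the third-party `bcrypt` package; omitted here.
    return False, False


# Constructed sample user table: alice's hash is SHA-1("password"),
# bob's is a bcrypt-shaped placeholder, carol's is already migrated.
USERS = [
    {"user": "alice", "hash": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8"},
    {"user": "bob", "hash": "$2b$12$" + "x" * 53},
    {"user": "carol", "hash": make_pbkdf2("correct horse battery staple")},
]

if __name__ == "__main__":
    print(audit(USERS))
```

Running `audit` over a real table before announcing "change your password" tells you how many accounts are exposed by a leak of the hash column alone; `login` then retires each legacy hash without a mass reset, at the one moment the plaintext is legitimately available.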

Nicolas Bras and his homemade musical instruments

Hacked Set Of Instruments Saves Musician’s Gigs

Most of the horror stories you hear about air travel seem to center around luggage. Airlines do an admirable job of getting people safely to their destinations, but checked baggage is a bit of a crapshoot — it could be there when you land, it could end up taking the scenic route, or it could just plain disappear. That’s bad enough when it contains your clothes, but when it contains your livelihood? Talk about stress!

This was the position musician [Nicolas Bras] found himself in after a recent trip. [Nicolas] was heading for a gig, but thanks to Brussels Airlines, his collection of musical instruments went somewhere else. There was nothing he could do to salvage that evening’s gig, but he needed to think about later engagements. Thankfully, [Nicolas] specializes in DIY musical instruments, made mostly with PVC tubes and salvaged parts from commercial instruments, so the solution to his problem was completely in his hands.

Fair warning to musical instrument aficionados — harvesting the neck from a broken ukulele is pretty gruesome stuff. Attached to a piece of pallet wood and equipped with piezo pickups, the neck became part of a bizarre yet fascinating hybrid string instrument. A selection of improvised wind instruments came next, made from PVC pipes and sounding equally amazing; we especially liked the bass chromojara, sort of a flute with a didgeridoo sound to it. The bicycle pump beatbox was genius too, and really showed that music is less about the fanciness of your gear and more about the desire — and talent — to make it with whatever comes to hand.

Here’s hoping that [Nicolas] is eventually reunited with his gear, but hats off to him in the meantime for hacking up replacements. And if he looks familiar, that’s because we’ve seen some of his work before, like his sympathetic nail violin and “Popcorn” played on PVC pipes.


This Week In Security: Apache Nightmare, REvil Arrests? And The Ultimate RickRoll

The Apache HTTP Server version 2.4.49 has a blistering vulnerability, and it’s already being leveraged in attacks. CVE-2021-41773 is a simple path traversal flaw, where the %2e encoding is used to bypass filtering. Thankfully the bug was introduced in 2.4.49, the latest release, and a hotfix has already been released, 2.4.50.

curl --data "echo;id" 'http://127.0.0.1:80/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh'

If that returns anything other than a 403 error, your server may be vulnerable. It’s worth pointing out that Apache is shipped with a configuration block that mitigates this vulnerability.

# Deny access to the entirety of your server's filesystem. You must
# explicitly permit access to web content directories in other
# blocks below.
#
<Directory />
AllowOverride none
Require all denied
</Directory>
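Beyond testing a single server with the curl command above, an operator will want to know whether anyone has already tried the encoded traversal against their hosts, and whether the attempts got a 403 or a 200. The following is an added example, not code from the original article or from the Apache project: it scans access-log lines in Apache's common log format and flags requests whose path only contains a `..` segment after percent-decoding (the `%2e` bypass described above, including double-encoded `%252e`), separately from paths that carry a literal `..`. The log lines and IP addresses are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Apache's common log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Oct/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043
203.0.113.7 - - [06/Oct/2021:10:00:02 +0000] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 403 199
203.0.113.7 - - [06/Oct/2021:10:00:03 +0000] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1512
203.0.113.9 - - [06/Oct/2021:10:00:04 +0000] "GET /static/app.%2ejs HTTP/1.1" 200 88
203.0.113.7 - - [06/Oct/2021:10:00:05 +0000] "GET /cgi-bin/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 196
203.0.113.9 - - [06/Oct/2021:10:00:06 +0000] "GET /docs/../index.html HTTP/1.1" 200 1043
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)


def has_dotdot_segment(path):
    """True if any slash-separated segment of `path` is exactly '..'."""
    return any(seg == ".." for seg in path.split("/"))


def classify_path(raw_path):
    """Return (kind, decode_rounds), or (None, 0) for a benign path.

    'plain-traversal': the literal path already has a '..' segment, which the
    server normally collapses before mapping it to the filesystem.
    'encoded-traversal': '..' only appears after percent-decoding, the case
    the 2.4.49 normalizer mishandled; decode_rounds is 2 for double encoding
    such as %252e."""
    path = raw_path.split("?", 1)[0]  # the query string is not part of the file path
    if has_dotdot_segment(path):
        return "plain-traversal", 0
    for rounds in (1, 2):
        path = unquote(path)
        if has_dotdot_segment(path):
            return "encoded-traversal", rounds
    return None, 0


def scan_log(text):
    """Return one finding per suspicious request, with the response status attached."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        kind, rounds = classify_path(m["path"])
        if kind is None:
            continue
        status = int(m["status"])
        findings.append({
            "ip": m["ip"],
            "method": m["method"],
            "path": m["path"],
            "status": status,
            "kind": kind,
            "decode_rounds": rounds,
            # A 2xx means the server served something for the traversal request;
            # a 403 means the <Directory /> deny (or the 2.4.50 fix) held.
            "served": 200 <= status < 300,
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["status"], f["kind"], f["path"])
```

The `served` flag is the one to triage first: an encoded-traversal request answered with a 200 on a 2.4.49 host is the signal that the deny block was absent and the request reached the filesystem. The `app.%2ejs` line shows why the check decodes and then splits on `/` rather than grepping for `%2e`: an encoded dot inside a filename is not a traversal.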

The Day The Internet Stood Still

You might have noticed a bit of a kerfuffle on the Internet on Monday. Facebook dropped out for nearly six hours. While the break was nice for some, it was a major problem for others. What exactly happened? The most apparent cause was that the Facebook.com domain was returning NXDOMAIN to DNS lookups. This led to some fun tweets, with screen caps showing Facebook.com for sale.

How Does A Sail Drone Bring Home Hurricane Footage In Record Time?

It is unlikely that as a young lad [Richard Jenkins] would have had visions of sailing into the eye of a Category-4 hurricane. Yet that’s exactly what he’s done with the Explorer 1045, an uncrewed sailing vehicle built by his company, Saildrone. If that weren’t enough, footage from the vessel enduring greater than 120 MPH (almost 200 km/h) winds and 50 foot (15 m) waves was posted online the very next day, and you can see it below the break. We’re going to take a quick look at just two of the technologies that made this possible: advanced sails and satellite communication. Both are visible on Explorer 1045’s sibling 1048 as seen below:

Saildrone Explorer 1048, a sibling of Explorer 1045, each one of five vessels equipped with a “hurricane wing”

The most prominent feature of course is the lack of a traditional sail. You see, from 1999-2009, [Richard Jenkins] was focused on setting the land world speed record for a wind powered vehicle. He set that record at 126.1 mph by maturing existing sail wing technology. [Richard] did away with conventional rigging and added a boom with a control surface on it, much like the fuselage and empennage of a sailplane.

Instead of adjusting rigging, the control surface could be utilized to fly the wing into its optimal position while using very little energy. [Richard] has been able to apply this technology at his company, Saildrone. The 23 foot Explorer vessel and its big brothers are the result.

How is it that the world was treated to the view from inside the eye of a hurricane only a day after the video was recorded? If you look at the stern of the vessel, you can see a domed white cylinder. It is a satellite communication base station called the Thales VesseLINK. Thales is one of the partner companies that built the satellites for the Iridium NEXT fleet, which has 66 operational satellites in Low Earth Orbit. The Iridium Certus service uses its L-Band (1.6 GHz) signal to provide up to 352 kbps of upload speed and 704 kbps down. While not blazing fast, the service is available anywhere in the world and is reliable because it is not prone to rain fade and other weather based interference.

With just these two recent innovations, the Explorer 1045 was able to sail to the eye of a hurricane, record footage and gather data, and then ship it home just hours later. And we’re hardly exploring the tip of the iceberg. More than just sailboat based cameras, these scientific instruments are designed to survive some of the harshest environments on the planet for over a year at a time. They are a marvel of applied engineering, and we’re positive that there are some brilliant hacks hiding under that bright orange exterior.

If uncrewed sailing vessels float your boat, you might also enjoy this autonomous solar powered tugboat, or that time a submarine ran out of fuel and sailed home on bed sheets.


Snails, Sensors, And Smart Dust: The Michigan Micro Mote

If you want to track a snail, you need a tiny instrumentation package. How do you create an entire data acquisition system, including sensors, memory, data processing and a power supply, small enough to fit onto a snail’s shell?

Throughout history, humans have upset many ecosystems around the world by introducing invasive species. Australia’s rabbits are a famous example, but perhaps less well-known are the Giant African land snails (Lissachatina fulica) that were introduced to South Pacific islands in the mid-20th century. Originally intended as a food source (escargot africain, anyone?), they quickly turned out to be horrible pests, devouring local plants and agricultural crops alike.

Not to be deterred, biologists introduced another snail, hoping to kill off the African ones: the Rosy Wolfsnail (Euglandina rosea), native to the Southeastern United States. This predatory snail did not show great interest in the African intruders however, and instead went on to decimate the indigenous snail population, driving dozens of local species into extinction.

A Rosy Wolfsnail carrying a light sensing Micro Mote on its back. Source: Cindy S. Bick et al., 2021

One that managed to survive the onslaught is a small white snail called Partula hyalina. Confined to the edges of the tropical forests of Tahiti, biologists hypothesized that it was able to avoid the predators by hiding in sunny places which were too bright for E. rosea. The milky-white shells of P. hyalina supposedly protected them from overheating by reflecting more sunlight than the wolf snails’ orange-brown ones.

This sounds reasonable, but biologists need proof. So a team from the University of Michigan set up an experiment to measure the amount of solar radiation experienced by both snail types. They attached tiny light sensors to the wolf snails’ shells and then released them again. The sensors measured the amount of sunlight seen by the animals and logged this information during a full day. The snails were then caught again and the data retrieved, and the results proved the original hypothesis.

So much for science, but exactly how did they pull this off?

Flaw In AMD Platform Security Processor Affects Millions Of Computers

Another day, another vulnerability. This time, it’s AMD’s turn, with a broad swathe of its modern CPU lines falling victim to a dangerous driver vulnerability that could leave PCs open to all manner of attacks.

As reported by TechSpot, the flaw is in the driver for AMD Platform Security Processor (PSP), and could leave systems vulnerable by allowing attackers to steal encryption keys, passwords, or other data from memory. Today, we’ll take a look at what the role of the PSP is, and how this vulnerability can be used against affected machines.


This Week In Security: OpenOffice Vulnerable, IOS Vulnerable, Outlook… You Get The Idea

We start this week with a good write-up by [Eugene Lim] on getting started on vulnerability hunting, and news of a problem in OpenOffice’s handling of DBase files. [Lim] decided to concentrate on a file format, and picked the venerable dbase format, .dbf. This database format was eventually used all over the place, and is still supported in Microsoft Office, LibreOffice, and OpenOffice. He put together a fuzzing approach using Peach Fuzzer, and found a handful of possible vulnerabilities in the file format, by testing a very simple file viewer that supported the format. He managed to achieve code execution in dbfview, but that wasn’t enough.

Armed with a vulnerability in one application, [Lim] turned his attention to OpenOffice. He knew exactly what he was looking for, and found vulnerable code right away. A buffer is allocated based on the specified data type, but data is copied into this buffer with a different length, also specified in the dbase file. Simple buffer overflow. Turning this into an actual RCE exploit took a bit of doing, but is possible. The disclosure didn’t include a full PoC, but will likely be reverse engineered shortly.
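The root cause described above is that a .dbf file carries two independent statements about a field's size: its type (which fixes the width of date, logical and memo fields) and a separate length byte in the field descriptor, plus a record-length field in the header that should equal one byte plus the sum of the field lengths. A parser that sizes a buffer from one and copies from the other is trusting the file to keep them consistent. The following is an added example, not OpenOffice's or LibreOffice's code: a small dBase III reader that cross-checks all three before touching a record, so that a descriptor declaring a 200-byte date field is rejected rather than copied. The fixed and maximum widths are the dBase III conventions as assumed here, and the two in-memory files are constructed for the example.

```python
import struct

# Widths the dBase III format fixes by type, whatever the descriptor's length byte
# says (assumption: dBase III conventions), and the usual maxima for the rest.
FIXED_WIDTH = {"D": 8, "L": 1, "M": 10}
MAX_WIDTH = {"C": 254, "N": 20}


def build_dbf(fields, rows):
    """Construct a minimal dBase III .dbf in memory (test data, not a real file).

    fields: list of (name, type, length); rows: list of lists of str."""
    header_len = 32 + 32 * len(fields) + 1
    record_len = 1 + sum(length for _, _, length in fields)
    out = bytearray(struct.pack("<B3BIHH", 0x03, 21, 10, 6, len(rows), header_len, record_len))
    out += bytes(20)                                   # reserved header bytes
    for name, ftype, length in fields:
        out += name.encode("ascii").ljust(11, b"\0")   # field name, NUL padded
        out += ftype.encode("ascii") + bytes(4)        # type byte + reserved address
        out += bytes([length, 0]) + bytes(14)          # length, decimal count, reserved
    out += b"\r"                                       # end of field descriptors
    for row in rows:
        out += b" "                                    # deletion flag: record active
        for (_, _, length), value in zip(fields, row):
            out += value.encode("ascii").ljust(length)[:length]
    out += b"\x1a"                                     # end of file marker
    return bytes(out)


def parse_header(data):
    """Return (record_count, header_len, record_len, [(name, type, length), ...])."""
    _version, _y, _m, _d, nrec, header_len, record_len = struct.unpack_from("<B3BIHH", data, 0)
    fields, off = [], 32
    while off < len(data) and data[off] != 0x0D:
        raw = data[off:off + 32]
        if len(raw) < 32:
            raise ValueError("truncated field descriptor")
        name = raw[:11].split(b"\0", 1)[0].decode("ascii", "replace")
        fields.append((name, chr(raw[11]), raw[16]))
        off += 32
    return nrec, header_len, record_len, fields


def validate_dbf(data):
    """Cross-check the independent size fields and return a list of problems."""
    problems = []
    nrec, header_len, record_len, fields = parse_header(data)
    if header_len != 32 + 32 * len(fields) + 1:
        problems.append(f"header length {header_len} does not match {len(fields)} descriptors")
    for name, ftype, length in fields:
        if ftype in FIXED_WIDTH and length != FIXED_WIDTH[ftype]:
            problems.append(f"{name}: type {ftype} declares length {length}, expected {FIXED_WIDTH[ftype]}")
        elif ftype in MAX_WIDTH and not 1 <= length <= MAX_WIDTH[ftype]:
            problems.append(f"{name}: type {ftype} length {length} out of range")
        elif ftype not in FIXED_WIDTH and ftype not in MAX_WIDTH:
            problems.append(f"{name}: unsupported type {ftype!r}")
    expected_rec = 1 + sum(length for _, _, length in fields)
    if record_len != expected_rec:
        problems.append(f"record length {record_len} != 1 + sum of field lengths ({expected_rec})")
    if header_len + nrec * record_len > len(data):
        problems.append("record count runs past end of file")
    return problems


def read_records(data):
    """Parse the records only after every size field has been found consistent."""
    problems = validate_dbf(data)
    if problems:
        raise ValueError("; ".join(problems))
    nrec, header_len, record_len, fields = parse_header(data)
    rows = []
    for i in range(nrec):
        rec = data[header_len + i * record_len:header_len + (i + 1) * record_len]
        if rec[:1] == b"*":                            # deleted record
            continue
        row, pos = {}, 1
        for name, _ftype, length in fields:
            # Copy exactly the validated width: type-derived and declared lengths agree.
            row[name] = rec[pos:pos + length].decode("ascii").strip()
            pos += length
        rows.append(row)
    return rows


# Constructed inputs: a consistent file, and one whose date field claims 200 bytes.
GOOD_DBF = build_dbf([("NAME", "C", 10), ("BORN", "D", 8)], [["snail", "20211006"]])
BAD_DBF = build_dbf([("NAME", "C", 10), ("BORN", "D", 200)], [["snail", "20211006"]])
```

`validate_dbf(BAD_DBF)` reports the mismatch on `BORN` and `read_records` refuses the file; in a native parser the same check, applied before the copy, is what keeps a buffer sized for an 8-byte date from receiving 200 bytes.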

Normally we’d wrap by telling you to go get the update, but OpenOffice doesn’t have a stable release with this fix in it. There is a release candidate that does contain the fix, but every stable install of OpenOffice in the world is currently vulnerable to this RCE. The vulnerability report was sent way back on May 4th, over 90 days before full disclosure. And what about LibreOffice, the fork of OpenOffice? Surely it is also vulnerable? Nope. LibreOffice fixed this in routine code maintenance back in 2014. The truth of the matter is that when the two projects forked, the programmers who really understood the codebase went to LibreOffice, and OpenOffice has had a severe programmer shortage ever since. I’ve said it before: Use LibreOffice, OpenOffice is known to be unsafe.