This Week In Security: Updraft, Termux, And Magento

One of the most popular WordPress backup plugins, UpdraftPlus, has released a set of updates, x.22.3, that contain a potentially important fix for CVE-2022-23303. This vulnerability exposes existing backups to any logged-in WordPress user. This bug was found by the guys at Jetpack, who have a nice write-up on it. It’s a combination of instances of a common problem — endpoints that lacked proper authentication. The heartbeat function allows any user to access it, and it returns the latest backup nonce.

A cryptographic nonce is a value that’s not exactly a cryptographic secret, but is only used once. In some cases, this is to mitigate replay attacks, or it is used as an initialization vector. In the case of UpdraftPlus, the nonce works as a unique identifier for individual backups. The data leak can be combined with another weak validation in the maybe_download_backup_from_email() function to allow downloading of a backup. As WordPress backups will contain sensitive information, this is quite the problem. There are no known in-the-wild instances of this attack being used, but as always, update now to stay ahead of the game.


Homemade Toy Wind Tunnel Blows (Really Well)

Sometimes a kid wakes up on Christmas morning and runs downstairs, only hoping to see one thing: a shiny new wind tunnel. This past December, that’s exactly what [SparksAndCode]’s son found beside the tree, complete with a bag of scarves, ping-pong balls, and other fun things to launch through it (in the name of physics, of course).

The real story here starts about a week before Christmas, when [SparksAndCode]’s son was enthralled by a similar device at a science museum. At his wife’s suggestion, [SparksAndCode] got to work designing and building a wind tunnel with hardware-store parts, his deadline looming ahead. The basic structure of the tunnel is three rods which support plywood collars. The walls are formed by plastic sheets rolled inside the collars to make a tube. Underneath, a Harbor Freight fan supplies a nice, steady stream of air for endless entertainment.

After finding a few bugs during his son’s initial beta testing on Christmas morning, [SparksAndCode] brought the wind tunnel back into the shop for a few tweaks and upgrades, including a mesh cover on the air intake to stop things from getting sucked into the fan. The final result was a very functional (and fun!) column of air. Looking for even more function (but not necessarily less fun)? We’ve got you covered too with this home-built research wind tunnel from a few years back.


This Week In Security: Chrome 0-day, Cassandra, And A Cisco PoC

Running Chrome or a Chromium-based browser? Check for version 98.0.4758.102, and update if you’re not running that release or better. Quick tip, use chrome://restart to trigger an immediate restart of Chrome, just like the one that comes after an update. This is super useful especially after installing an update on Linux, using apt, dnf, or the like.

CVE-2022-0609 is the big vulnerability just patched, and Google has acknowledged that it’s being exploited in the wild. It’s a use-after-free bug, meaning that the application marks a section of memory as returned to the OS, but then accesses that now-invalid memory address. The time gap between freeing and erroneously re-using the memory allows malicious code to claim that memory as its own, and write something unexpected.

Google has learned its lesson about making too many details public too early: this CVE and its associated bug aren’t easily found in the Chromium project’s source, and there doesn’t seem to be an exploit published in the Chromium code testing suite.

Bionic Eyes Go Dark

If you were blind, having an artificial retinal implant would mean the difference between seeing a few hundred pixels in greyscale and seeing all black, all the time. Imagine that you emerged from this total darkness, enjoyed a few years of mobility and your newfound sense, and then everything goes dark again because the company making the devices abandoned them for financial reasons.

This is a harrowing tale of closed-source technology, and how a medical device that relies on proprietary hardware and software essentially holds its users hostage to the financial well-being of the company that produces it. When that company is a brash startup, with plans of making money by eventually pivoting away from retinal implants to direct cortical stimulation — a technology that’s in its infancy at best right now — that’s a risky bet to take. But these were people with no other alternative, and the technology is, or was, amazing.

One blind man with an implant may or may not have brain cancer, but claims that he can’t receive an MRI because Second Sight won’t release details about his implant. Those bugs in your eyes? When the firm laid off its rehab therapists, patients were told they weren’t going to get any more software updates.

If we were CEO of Second Sight, we know what we would do with our closed-source software and hardware right now. The company is facing bankruptcy, has lost significant credibility in the medical devices industry, and is looking to pivot away from the Argus system anyway. They have little to lose, and a tremendous amount of goodwill to gain, by enabling people to fix their own eyes.

Thanks to [Adrian], [Ben], [MLewis], and a few other tipsters for getting this one in!

This Week In Security: Zimbra, Lockbit 2, And Hacking NK

Unknown attackers have been exploiting a 0-day attack against the Zimbra e-mail suite. Researchers at Volexity first discovered the attack back in December of last year, detected by their monitoring infrastructure. It’s a cross-site scripting (XSS) exploit, such that when a user opens a malicious link, the JavaScript running on the malicious page can access the user’s logged-in Zimbra instance. The attack campaign uses this exploit to grab emails and attachments and upload them to the attackers. Researchers haven’t been able to positively identify what group is behind the attacks, but a bit of circumstantial evidence points to a Chinese group. That evidence? Time zones. The attackers’ requests all use the Asia/Hong_Kong time zone, and the timing of all the phishing emails sent lines up nicely with a work-day in that time zone.

Zimbra has responded, confirming the vulnerability and publishing a hotfix for it. The campaign seems to have been targeted specifically against European governments and various media outlets. If you’re running a Zimbra instance, make sure you’re running at least 8.8.15.1643980846.p30-1.

LockBit 2.0

Because security professionals needed something else to keep us occupied, the LockBit ransomware campaign is back for a round two. This is another ransomware campaign run in the as-a-Service pattern — RaaS. LockBit 2 has caught enough attention that the FBI has published a FLASH message (PDF) about it. That’s the FBI Liaison Alert System, in the running for the worst acronym. (Help them figure out what the “H” stands for in the comments below!)

Like many other ransomware campaigns, LockBit has a list of language codes that trigger a bail on execution — the Eastern European languages you would expect. Ransomware operators have long tried not to poison their own wells by hitting targets in their own back yards. This one is being reported as also having a Linux module, but it appears that is limited to VMware ESXi virtual machines. A series of IoCs have been published, and the FBI are requesting that any logs, ransom notes, or other evidence possibly related to this campaign be sent to them if possible.

Making Light Of Superconductors

Once upon a time, making a superconductor required extremely cold temperatures. Scientists understood why superconducting materials could move electrons without loss, but the super cold temperatures were a problem. Then in 1986, a high-temperature superconductor was found. High temperature, of course, is a relative term. The new material works when cooled to a frosty temperature, just not a few degrees off of absolute zero like a conventional superconductor. Since then, the race has been on to find a room-temperature superconductor that doesn’t require other exotic conditions, such as extreme pressure. Department of Energy scientists may have found a different path to get there: X-ray light.

The problem is that scientists don’t fully understand why these high-temperature superconductors work. To study the material, YBCO, scientists chill a sample to its superconducting state and then use a magnetic field to disrupt the superconductivity, in order to study the material’s normal state. The new research has shown that a pulse of light can also disrupt the superconductivity, although the resulting state is unstable.

The research shows that charge density waves, which can serve as markers for superconductivity, occur when the samples are exposed to a magnetic field or to high-energy light pulses. While this is a far cry from creating room temperature superconductors, further study of the mechanism that allows light and magnetic fields to cause similar changes in the material could lead to a better understanding of the physics and maybe — one day — room-temperature superconductors.

Want to make your own YBCO? Go for it! Of course, you can already get room-temperature superconductors if you can stand the pressure.

Ask Hackaday: What’s Going On With Mazdas In Seattle?

What hacker doesn’t love a puzzle? We have a doozy for you. According to KUOW — the NPR affiliate in Seattle — they have been getting an unusual complaint. Apparently, if you drive a Mazda made in 2016 and you tune to KUOW, your radio gets stuck on their frequency, 94.9 MHz, and you can’t change it.

According to a post from the radio station, it doesn’t just affect the FM radio. A listener named Smith reported:

“I tried rebooting it because I’ve done that in the past and nothing happened,” Smith said, “I realized I could hear NPR, but I can’t change the station, can’t use the navigation, can’t use the Bluetooth.”
