This Week In Security: Geopolitical Hacktivism, Antivirus Mining, And Linux Malware

The CIA Hacktivists have launched a sort of ransomware campaign against the Belarusian rail system, but instead of cryptocurrency, they want the release of political prisoners and removal of Russian soldiers. This could be called an example of cyber-terrorism, though there is a reasonable theory that this is a state-sponsored hack, masquerading as hacktivism. What does seem certain is that something has interrupted rail transit, and a group on Twitter has produced convincing proof of a breach.

Your Antivirus Now Includes a CryptoMiner

Don’t look now, but your latest update of Norton 360 or Avira may have installed a cryptocurrency mining module. The silver lining is that some sanity has been retained, and you have to opt in to the crypto scheme before your machine starts spending its spare cycles on mining. Users who do are put into a mining pool, which makes for small payouts on most hardware. Norton, naturally, takes a 15% fee off the top for their trouble.

The State of Linux Malware

There used to be an adage that Linux machines don’t get malware. That’s never really been quite true, but the continued conquest of the server landscape has had the side effect of making Linux malware an even greater danger. CrowdStrike has seen a 35% increase in Linux malware in 2021, with three distinct categories leading the charge: XorDDoS, Mozi, and Mirai.

SHERLOC And The Search For Life On Mars

Humanity has been wondering about whether life exists beyond our little backwater planet for so long that we’ve developed a kind of cultural bias as to how the answer to this central question will be revealed. Most of us probably imagine that NASA or some other space agency will schedule a press conference, an assembled panel of scientific luminaries will announce the findings, and newspapers around the world will blare “WE ARE NOT ALONE!” headlines. We’ve all seen that movie before, so that’s the way it has to be, right?

Probably not. Short of an improbable event like an alien spacecraft landing while a Google Street View car was driving by or receiving an unambiguously intelligent radio message from the stars, the conclusion that life exists now or once did outside our particular gravity well is likely to be reached in a piecewise process, an accretion of evidence built up over a long time until on balance, the only reasonable conclusion is that we are not alone. And that’s exactly what the announcement at the end of last year that the Mars rover Perseverance had discovered evidence of organic molecules in the rocks of Jezero crater was — another piece of the puzzle, and another step toward answering the fundamental question of the uniqueness of life.

Discovering organic molecules on Mars is far from proof that life once existed there. But it’s a step on the way, as well as a great excuse to look into the scientific principles and engineering of the instruments that made this discovery possible — the whimsically named SHERLOC and WATSON.


Better Farming Through Electricity

Chinese researchers are reporting that applying an electric field to pea plants increased yields. This process — known as electroculture — has been tested multiple times, but in each case there are irregularities in the scientific process, so there is still an opportunity for controlled research to produce meaningful data.

This recent research used two plots of peas planted from the same pods. The plants were tended identically except one plot was stimulated by an electric field. The yield on the stimulated plot was about 20% more than the control plot.

The actual paper is paywalled in the journal Nature Food, but the idea seems simple enough. If you search for the topic, you’ll find there have been other studies with similar findings. There are also anecdotal reports of electrical plant stimulation going back to 1746.


Flying Sausage Rescues Pooch, Drone Pilots Save The Day

When we write about drone stories from the United Kingdom, they often have a slightly depressing air to them as we relate tales of unverified air proximity reports closing airports or bungled official investigations that would make the Keystone Kops look like competent professionals.

But here’s a drone story from this rainswept isle sure to put a smile on the face of multirotor enthusiasts worldwide, as Denmead Drone Search And Rescue, an organisation who locate missing pets using drones, enticed lost dog Millie from a soon-to-be-engulfed tidal mudflat by the simple expedient of dangling a sausage from a drone for the mutt to follow (Facebook).

Lest you believe that Hackaday have lost their marbles and this isn’t worthy of our normal high standards, let us remind you that this is not our first flying sausage story. Behind the cute-puppy and flying meat product jokes though, there’s a serious side. Drones have received such a bad press over recent years that a good news story concerning them is rare indeed, and this one has garnered significant coverage in the general media. Maybe it’s too late to reverse some of the reputational damage from the Gatwick fiasco, but at this point any such coverage is good news.

For anyone wondering what lies behind this, let us take you back to Christmas 2018.

This Week In Security: NetUSB, HTTP.sys, And 2013’s CVE Is Back

Let’s imagine a worst case situation for home routers. It would have to start with a port unintentionally opened to the internet, ideally in a popular brand, like Netgear. For fun, let’s say it’s actually a third-party kernel module, that is in multiple router brands. This module would then need a trivial vulnerability, say an integer overflow on the buffer size for incoming packets. This flaw would mean that the incoming data would write past the end of the buffer, overwriting whatever kernel data is there. So far, this exactly describes the NetUSB flaw, CVE-2021-45608.

Because red teams don’t get their every wish, there is a catch. While the overflow is exceptionally easy to pull off, there isn’t much wiggle room on where the data gets written. There’s no remote code execution Proof of Concept (PoC) yet, and [Max Van Amerongen], who discovered the flaw, says it would be difficult but probably not impossible to pull off. All of this said, it’s a good idea to check your router for open ports, particularly non-standard port numbers. If you have a USB port on your router, check for updates.
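The bug class described above, as an added example (not NetUSB's actual code and not from the original article): a receiver adds a fixed header size to a 32-bit length field taken from the packet before allocating. The header size, payload cap and function names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed values for illustration; not taken from any real driver. */
#define HDR_BYTES   16u
#define MAX_PAYLOAD 4096u

/* Flawed pattern: the 32-bit sum wraps, so a huge length field
 * yields a tiny allocation size. */
uint32_t alloc_size_unchecked(uint32_t wire_len)
{
    return wire_len + HDR_BYTES;
}

/* Hardened pattern: reject the length before doing arithmetic on it. */
bool alloc_size_checked(uint32_t wire_len, uint32_t *out)
{
    if (wire_len > MAX_PAYLOAD)              /* protocol-level cap */
        return false;
    if (wire_len > UINT32_MAX - HDR_BYTES)   /* generic wrap guard */
        return false;
    *out = wire_len + HDR_BYTES;
    return true;
}

/* True when a receive loop trusting wire_len would write past the buffer. */
bool recv_would_overrun(uint32_t alloc_bytes, uint32_t wire_len)
{
    return wire_len > alloc_bytes;
}

int main(void)
{
    uint32_t len = 0xFFFFFFF8u;  /* constructed length field */
    uint32_t ok_size = 0;
    uint32_t bad = alloc_size_unchecked(len);

    printf("unchecked: len=%u -> alloc=%u, overrun=%d\n",
           (unsigned)len, (unsigned)bad, recv_would_overrun(bad, len));
    printf("checked:   accepted=%d\n", alloc_size_checked(len, &ok_size));
    return 0;
}
```

The cap on the payload length is the check that matters in practice; the wrap guard is kept so the function stays correct if the cap is ever raised.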

Windows HTTP.sys Problem

A serious problem has been announced in Windows Server 2019 and Windows 10, with some versions vulnerable in their default configurations. The problem is in how Windows handles HTTP Trailer packets, which contain extra information at the end of normal HTTP transfers. There is a PoC available that demonstrates a crash. It appears that an additional information leak vulnerability would have to be combined with this one to produce a true exploit. This seems to be a different take on CVE-2021-31166, essentially exploiting the same weakness, and working around the incomplete fix. This issue was fixed in the January patch set for Windows, so make sure you’re covered.

Congratulations Winners Of The 555 Timer Contest!

Sometimes the best inspiration is limitation. The 555 timer does “one thing” — compares a voltage to a couple thresholds and outputs a signal accordingly. It’s two comparators, a voltage ladder, and a flip-flop. And yet, it’s the most sold single chip of all time, celebrating its 50th birthday this year! So when Hackaday runs a 555 Timer Contest, hackers of all stripes come out with their best work to show their love for the Little DIP That Could.

The Winners

Far and away the favorite entry was the Giant 555 Timer by [Rudraksha Vegad]. Every one of our judges rated it in the top five, and it took top honors twice. On its face, this is a simple “giant 555 in a box” build, but have a look under the hood. Each sub-module that makes up the 555 — comparators, flip-flop, and amplifier — is made from salvaged discrete parts in actual breadboard fashion, soldered to brass nails hammered into wood. As an end product, it’s a nice piece of woodworking, but as a process of creation, it’s a masterwork in understanding the 555 at its deepest level. We should all make one!

The Menorah555 is a simple design with some very nice tricks up its sleeve. Perhaps the cutest of which is pulling the central candle out and lighting the others with it — a trick that involves a supercapacitor and reed switches. Each of the candle-lighting circuits, however, uses one 555 timer for its intended purpose of providing a timed power-on reset pulse, and another 555 as a simple flip-flop. It’s a slick design, and a great user interaction.

The Cyclotone Mechanical Punk Console Sequencer is a rotating tower of circuit sculpture and noisemakers. This one looks great, is amazingly well documented in the video series, and uses a billion clever little tricks along the way. The 555’s role? Each of the four levels is the classic Atari Punk Console circuit.

All three of these projects win a $150 shopping spree at Digi-Key. That’s a lot of timers!


SGX Deprecation Prevents PC Playback Of 4K Blu-ray Discs

This week Techspot reported that DRM-laden Ultra HD Blu-ray Discs won’t play anymore on computers using the latest Intel Core processors. You may have skimmed right past it, but the table on page 51 of the latest 12th Generation Intel Core Processor data sheet (184-page PDF) informs us that the Intel Software Guard Extensions (SGX) have been deprecated. These extensions are required for DRM processing on these discs, hence the problem. The SGX extensions were introduced with the sixth generation of Intel Core Skylake processors in 2015, the same year as Ultra HD Blu-ray, aka 4K Blu-ray. But there have been numerous vulnerabilities discovered in the intervening years. Intel is not alone here: AMD has had similar issues, as we wrote about in October.

This problem only applies to 4K Blu-ray discs with DRM. Presumably any 4K discs without DRM will still play, and of course you can still play the DRM discs on older Intel processors. Do you have a collection of DRM 4K Blu-ray discs, and if so, do you play them via your computer or a stand-alone player?