This Week In Security: Morse Code Malware, Literal And Figurative Watering Holes, And More

Code obfuscation has been around for a long time. The obfuscated C contest first ran way back in 1984, but there are examples of natural language obfuscation from way earlier in history, namely Cockney rhyming slang, like saying “Lady from Bristol” instead of “pistol” or “lump of lead” instead of “head”. It’s speculated that Cockney was originally used to allow the criminal class to have conversations without tipping off police.

Code obfuscation in malware serves a similar purpose — hiding from security devices and applications. There are known code snippets and blacklisted IP addresses that anti-malware software scans for. If that known bad code can be successfully obfuscated, it can avoid detection. This is a bit of a constant game of cat-and-mouse, as the deobfuscation code itself eventually makes the blacklist. This leads to new obfuscation techniques, sometimes quite off the wall. Well this week, I found a humdinger of an oddball approach. Morse Code.

Yep, dots and dashes. The whole attack goes like this. You receive an email, claiming to be an invoice. It’s a .xlsx.hTML file. If you don’t notice the odd file extension, and actually let it open, you’re treated to a web page. The source of that page is a very minimal JS script that consists of a morse code decoder, and a payload encoded in Morse. In this case, the payload is simply a pair of external scripts that ask for an Office 365 login. The novel aspect of this is definitely the Morse Code. Yes, our own [Danie] covered this earlier this week, but it was too good not to mention here.

Nanotube Yarn Makes Strong Bionic Muscles

What’s just a bit thicker than a human hair and has ten times the capability of a human muscle? Polymer-coated carbon nanotube yarn. Researchers at the University of Texas at Dallas created this yarn using carbon nanotubes coated with a polymer and coiled with a diameter of about 140 microns.

Passing a voltage through the fiber causes the muscle yarn to expand or contract. Previous similar fibers have to do both actions. That is, they expand and then contract in a bipolar movement. The polymer coating allows for unipolar fibers, critical to using the fibers as artificial muscles.

Tesla Recalls Cars With EMMC Failures, Calls Part A ‘Wear Item’

It’s a problem familiar to anyone who’s spent a decent amount of time playing with a Raspberry Pi – over time, the flash in the SD card reaches its write cycle limits, and causes a cavalcade of confusing errors before failing entirely. While flash storage is fast, compact, and mechanically reliable, it has always had a writeable lifespan much shorter than magnetic technologies.

Flash storage failures in the computer behind Tesla’s famous touch screen are causing headaches for drivers.

Of course, with proper wear levelling techniques and careful use, these issues can be mitigated successfully. The surprising thing is when a major automaker fails to implement such basic features, as was the case with several Tesla models. Due to the car’s Linux operating system logging excessively to its 8 GB eMMC storage, the flash modules have been wearing out. This leads to widespread failures in the car, typically putting it into limp mode and disabling many features controlled via the touchscreen.

With the issue affecting important subsystems such as the heater, defroster, and warning systems, the NHTSA wrote to the automaker in January requesting a recall. Tesla’s response acquiesced to this request with some consternation, downplaying the severity of the issue. Now they are claiming that the eMMC chip, ball-grid soldered to the motherboard, inaccessible without disassembling the dash, and not specifically mentioned in the owner’s manual, should be considered a “wear item”, and thus should not be subject to such scrutiny.

Basic In 10 Lines Or Less

For the last 11 years [Gunnar Kanold] has run the annual BASIC 10 Liner contest, and the rules for the 2021 edition are now available. There are four categories and each category has specific definitions of what constitutes a line. All entries must run on an 8-bit computer system that can be emulated.

The first three categories are for games but differ in the line length allowed. You can elect to compete with 80 character lines, 120 character lines, or 256 character lines. There’s also a category for demos, tools, and other applications that must constrain lines to 256 characters.

An Out-Of-This-World Opportunity; Become An ESA Astronaut

In the six decades or so of human space exploration, depending on whose definition you take, only 562 people have flown into space. We haven’t quite reached the state of holidaying in space that science fiction once promised us even though the prospect of sub-orbital spaceflight for the exceedingly well-heeled is very close, so that cadre of astronauts remains an elite group whose entry is not for the average person. Some readers might have an opportunity to change that though, as the European Space Agency have announced a fresh round of astronaut recruitment that will open at the end of March.

Sadly for our American readers the successful applicants have to hail from ESA member states, but since that covers a swathe of European countries we’re guessing that a lot of you might have your long-held dreams of spaceflight revived by it. You can learn more at a press conference to be held on the 16th of February, and streamed via ESA Web TV. Meanwhile whoever is recruited will be likely not only to participate in missions to the ISS, but maybe also more ambitious planned missions such as those to the planned Lunar Gateway space station in Lunar orbit. If you think you’ve got the Euro version of The Right Stuff, you’ll have the 8 weeks from the end of March until the 28th of May to get your application in. Good Luck!

Cyberattack On Florida City’s Water Supply

The city of Oldsmar, Florida was the source of disturbing news this week, amid reports that someone gained unauthorized access to a water treatment facility. In an era where more systems than ever are connected to the Internet, the story is a sobering one for the vast majority of people reliant on grid utilities.

The hacker was first noticed to have gained remote access to a computer system at the plant at 8 a.m. on February 5. An operator at a workstation controlling chemical dosing at the plant observed a remote connection, though did not initially raise the alarm as such access is common practice at the facility for troubleshooting purposes. However, at 1:30 pm, the hacker connected again, this time commanding the dosing system to raise levels of sodium hydroxide in the water from 100 to 11,000 ppm – dangerous levels that would make the city’s water unsafe to drink. The increased level command was immediately overridden by the operator, who then raised the alarm.

The city notes that other safeguards such as pH monitors at the plant would have triggered in the event the original intrusion went undetected. However, the event raises renewed questions about the level of security around critical utility systems connected to the internet. In the last decade, cyberattacks on physical infrastructure have become a reality, not a vague future threat.

Nothing’s known yet about the perpetrator, or how secure the system was (or wasn’t?) before the event. It’s been long known that a lot of infrastructure is simply connected to the internet, as Dan Tentler has been showing us since at least 2012. (Video, ranting.) Indeed, it’s amazing that we’ve seen so few malicious attacks.

Getting Ready For Mars: The Seven Minutes Of Terror

For the past seven months, NASA’s newest Mars rover has been closing in on its final destination. As Perseverance eats up the distance and heads for the point in space that Mars will occupy on February 18, 2021, the rover has been more or less idle. Tucked safely into its aeroshell, we’ve heard little from the lonely space traveler lately, except for a single audio clip of the whirring of its cooling pumps.

Its placid journey across interplanetary space stands in marked contrast to what lies just ahead of it. Like its cousin and predecessor Curiosity, Perseverance has to successfully negotiate a gauntlet of orbital and aerodynamic challenges, and do so without any human intervention. NASA mission planners call it the Seven Minutes of Terror, since the whole process will take just over 400 seconds from the time it encounters the first wisps of the Martian atmosphere to when the rover is safely on the ground within Jezero Crater.

For that to happen, and for the two-billion-dollar mission to even have a chance at fulfilling its primary objective of searching for signs of ancient Martian life, every system on the spacecraft has to operate perfectly. It’s a complicated, high-energy ballet with high stakes, so it’s worth taking a look at the Seven Minutes of Terror, and what exactly will be happening, in detail.
