This Week In Security: Ubiquity Update, PHP Backdoor, And Netmask

Back in January, we covered the news that Ubiquiti had a breach of undisclosed severity. One reader pointed out the compromise of a handful of devices as potentially related. With no similar reports out there, I didn’t think too much of it at the time. Now, however, a whistleblower from Ubiquiti has given Krebs the juicy details.

The “third party cloud provider” the original disclosure referred to was Amazon Web Services (AWS). According to the whistleblower, just about everything was accessible, including the keys to log in to any Ubiquiti device on the internet, so long as it was cloud enabled. The attackers installed a couple of backdoors in Ubiquiti’s infrastructure, and sent a 50 bitcoin blackmail threat. To their credit, Ubiquiti ignored the blackmail and cleaned up the mess.

To the claim that there was no evidence attackers had accessed user accounts, it seems that the database in question simply had no logging enabled. There was no evidence, because nothing was watching. So far, I’ve only seen the one report of device compromise that was potentially a result of the attack. If you had a Ubiquiti device go rogue around December 2020 – January 2021, be sure to let us know.

JIT Vs. AM: Is Additive Manufacturing The Cure To Fragile Supply Chains?

As fascinating and frustrating as it was to watch the recent Suez canal debacle, we did so knowing that the fallout from it and the analysis of its impact would be far more interesting. Which is why this piece on the potential of additive manufacturing to mitigate supply chain risks caught our eye.

We have to admit that a first glance at the article, by [Davide Sher], tripped our nonsense detector pretty hard. After all, the piece appeared in 3D Printing Media Network, a trade publication that has a vested interest in boosting the additive manufacturing (AM) industry. We were also pretty convinced going in that, while 3D printing is innovative and powerful, even industrial printers wouldn’t be able to scale up enough to print parts in the volumes needed for modern consumer products. How long would it take for even a factory full of 3D printers to fill a container with parts that can be injection molded in their millions in China?

But as we read on, a lot of what [Davide] says makes sense. A container full of parts that doesn’t arrive exactly when they’re needed may as well never have been made, while parts that are either made on the factory floor using AM methods, or produced locally using a contract AM provider, could be worth their weight in gold. And he aptly points out the differences between this vision of on-demand manufacturing and today’s default of just-in-time manufacturing, which is extremely dependent on supply lines that we now know can be extremely fragile.

So, color us convinced, or at least persuaded. It will certainly be a while before all the economic fallout of the Suez blockage settles, and it’ll probably be longer before we actually see changes meant to address the problems it revealed. But we would be surprised if this isn’t seen as an opportunity to retool some processes that have become so optimized that a gust of wind could take them down.

Raspberry Pi Zero Beams Back Video From 100,000 Feet

The Project Horus team routinely launches high-altitude balloons in Australia. However, despite their desire for it, they haven’t beamed back live video. Until now. Horus 55 beamed video back to the ground from over 100,000 feet using a Raspberry Pi and some software-defined radio gear. Be sure and check out their video, below.

You might think this is easy, but there are many technical hurdles. First, the transmitter needs some power, but the thin atmosphere creates problems with cooling. In addition, a really good receiving station is required, and the project wanted to stream that video to the Internet, which they were able to do.

The balloon carried a Raspberry Pi Zero W to capture and compress video. A LimeSDR Mini provided the DVB-S transmission on 70cm along with a power amplifier to get to about 800mW. Power dissipation in the payload was about 6 watts and required a special heat sink system to operate. The payload was powered by eight lithium AA primary cells, which perform well at low temperatures.


This Week In Security: XcodeSpy, Insecure SMS, And Partial Redactions

There seems to be a new trend in malware, targeting developers and their development and build processes. The appeal is obvious: rather than working to build and market a malicious application, an attacker just needs to infect a development machine. The hapless infected developers can now do the hard work to spread the malicious payload.

The newest example is XcodeSpy, discovered by a researcher who chose to remain anonymous. It works by using the Xcode IDE’s Run Script function to, well, run a script that completely backdoors your computer. The instance was found in a repackaged open source project, TabBarInteraction, but they’re just innocent victims. It was simple enough for someone to insert a script in the build process, and distribute the new, doped package. It’s probably not the only one out there, so watch out for Run Scripts with obfuscated payloads.


Ask Hackaday: How Do You Prepare?

Last month, large parts of the southern United States experienced their coldest temperatures since the 1899 Blizzard. Some of us set new all-time lows, and I was right in the middle of the middle of it here in Southwestern Oklahoma. Since many houses in Texas and Oklahoma are heated with electricity, the power grids struggled to keep up with the demand. Cities in Oklahoma experienced some short-term rolling blackouts and large patches of the Texas grid were without power for several days. No juice, no heat.

In places where the power was out for an extended period of time, the water supply was potentially contaminated, and a boil order was in effect. Of course, this only works when the gas and power are on. In some places, the store shelves were empty, a result of panic buying combined with perishables spoiling without the power to keep them cold. For some, food and drinkable water was temporarily hard to come by.

There have been other problems, too. Houses in the south aren’t built for the extreme cold, and many have experienced frozen pipes, temporarily shutting off their water supply. In some cases, those frozen pipes break open, flooding the house once the water starts flowing again. For instance, here’s an eye-witness account of the carnage from The 8-bit Guy, who lives at ground zero in the DFW area.

Removing Supervisor Passwords And Learning Python

When learning a new programming language, it’s best to have a goal in mind and work towards it. [Timo] thought it was about time to learn python, and he also had a project in mind: removing the BIOS supervisor password from his old Thinkpad. From there it was just a few keystrokes (and some soldering) and he was able to change the BIOS password of this black box from the outside.

The build utilizes a BeagleBone to communicate with the laptop’s EEPROM via the I2C bus. An oscilloscope also monitors the bus to look for a specific window, every four seconds, when the computer is not accessing the bus. During that short period, the EEPROM can be read and written to. Once the window opens, the BeagleBone executes the Python script, which attempts to read the EEPROM and can also perform actions such as removing or changing the BIOS supervisor password.

Of course, tinkering with the EEPROM on a laptop has a high risk of bricking the device, and not all laptops use the same security measures or even memory addresses for things like this, so documentation and precision are key. Also, with Thinkpads of this vintage it’s possible to replace the firmware on these chips entirely with a FOSS version called libreboot, and even though the process is difficult, it’s definitely recommended.


South Korean Mapping Satellite Reaches Orbit

South Korea’s space program achieved another milestone yesterday with the launch of the first Compact Advanced Satellite 500 (CAS500) in a planned series of five vehicles. A second-generation Russian Soyuz 2.1a lifted the Korean-made CAS500-1 from the historic Baikonur Cosmodrome in southern Kazakhstan and successfully placed it into a 500 km sun-synchronous orbit, inclined at 97.7 degrees, or 15 orbits/day. Living up to its reputation as a workhorse, the Soyuz then proceeded to deposit multiple other satellites into 600 km and 550 km orbits. The satellite is pretty substantial, being 2.9 m tall and 1.9 m in diameter and tipping the scales at 500 kg. (Don’t be confused, like we were, by this Wikipedia article that says it is a 1.3 kg CubeSat.)

South Korea already has over a dozen satellites in orbit, and the CAS500 adds a modular space platform to the mix. It was designed by the Korea Aerospace Research Institute (KARI) to provide a core backbone which can be easily adapted to other missions, not unlike a car manufacturer that sells several different models all based on the same underlying chassis. Another down-to-earth goal of the CAS500 program was to foster the transfer of core technologies from state-owned KARI to private industry. We wonder how such figures are calculated, but reportedly 91.3% of CAS500-1 was made in Korea. Subsequent flights will further involve local services and industry.

The purpose of the first two satellites is to provide images to the private sector, for example, online mapping and navigation platforms. How popular this will be is yet to be determined — as one local newspaper notes, the 2 meter image resolution (50 cm in monochrome) pales in comparison to Google’s advertised 15 cm resolution. The next three satellites will focus on space science imagery.

The Soyuz launch is shown below, and this short video clip from KARI shows a nice animation of the satellite. Try not to cringe at the simulated whooshing sound as two satellites pass each other in the vacuum of space — turn down the volume if you need to.
