This Week In Security: SolarWinds And FireEye, WordPress DDoS, And Enhance!

The big story this week is SolarWinds. This IT management company supplies network monitoring and other security equipment, and it seems that malicious code was included in a product update as early as last spring. Their equipment is present in a multitude of high-profile networks, like FireEye, many branches of the US government, and pretty much any other large company you can think of. To say that this supply chain attack is a big deal is an understatement. The blame has initially been placed on APT42, AKA the Russian hacking pros.

The attack hasn’t been without some positive effects, as FireEye has released some of their internal tooling as open source as a result. Microsoft has led the official response to the attack, managing to win control of the C&C domain in court and black-holing it.

The last wrinkle to this story is the interesting timing of the sale of some SolarWinds stock by a pair of investment firms. If those firms were aware of the breach and sold their shares before the news was made public, this would be a classic case of illegal insider trading.

Stacked Material Makes Kitchen Temperature Superconductors

Belgian, Italian, and Australian researchers are proposing that by stacking semiconductor sheets, they should be able to observe superconducting behavior at what is known as “kitchen temperature,” or temperatures you could get in a household freezer. That’s not quite as good as room temperature, but it isn’t bad, either. The paper is a bit technical, but there is a very accessible write-up at Sci-Tech Daily that gives a good explanation.

Superconductors show no loss, but outside of a few special cases they currently require very cold temperatures. The new material exploits the idea that an electron and a hole in a semiconducting material will have a strong attraction to each other and will form a pair known as an exciton. Excitons move in a superfluid state, which should exhibit superconductivity regardless of the temperature. However, the attraction is so strong that in conventional materials, the excitons only exist for the briefest blip of time before they cancel each other out.


Russian Doomsday Radios Go Missing

Normally we like hearing about old military gear going on the surplus market. But if you encounter some late-model Russian radio and crypto equipment for sale, you might want to make sure it isn’t hot (English translation). If you prefer not picking through the machine translation to English, the BBC also has a good write-up.

The Russians maintain four large planes set up as flying command and control bunkers in case of nuclear war — so-called “doomsday planes.” Like the U.S. ABNCP (better known as Looking Glass) fleet, the planes can provide the President or other senior leaders a complete command capability while in flight. As you might expect, the radios and gear on the plane are highly classified.


Hacker’s Discovery Changes Understanding Of The Antikythera Mechanism

With all the trained academics who have pored over the Antikythera mechanism in the 120 years since it was pulled from the Mediterranean Sea, you’d think all of the features of the ancient analog computer would have been discovered by now. But the mechanism still holds secrets, some of which can only be appreciated by someone in tune with the original maker of the device. At least, that’s what appears to have happened with the recent discovery of a hitherto unknown lunar calendar in the Antikythera mechanism. (Video, embedded below.)

The Antikythera mechanism is fascinating in its own right, but the real treat here is that this discovery comes from one of our own community — [Chris] at Clickspring, maker of amazing clocks and other mechanical works of art. When he undertook a reproduction of the Antikythera mechanism using nothing but period-correct materials and tools four years ago, he had no idea that the effort would take the direction it has. The video below — also on Vimeo — sums up the serendipitous discovery, which is based on the unusual number of divisions etched into one of the rings of the mechanism. Scholars had dismissed this as a mistake, but having walked a mile in the shoes of the mechanism’s creator, [Chris] knew better.

The craftsmanship and ingenuity evidenced in the original led [Chris] and his collaborators to the conclusion that the calendar ring is actually a 354-day calendar that reflects a lunar cycle rather than a solar cycle. The findings are summarized in a scholarly paper in the Horological Journal. Getting a paper accepted in a peer-reviewed journal is no mean feat, so hats off to the authors for not only finding this long-lost feature of the Antikythera mechanism and figuring out its significance, but also for persisting through the writing and publication process while putting other projects on hold. Clickspring fans have extra reason to rejoice, too — more videos are now on the way!


A Thousand Feet Under The Sea

If you were to plumb the depths of the oceans, you could only get so far with a snorkel or a SCUBA tank. We don’t know the price, but if you have enough money, you might consider the Triton 3300/6 — a six-person submersible that can go down to 3,300 feet (hence the name — get it — 3300/6). Billed as “diving for the entire family,” we aren’t sure we can load grandma and the kids in something like this, but that doesn’t mean we wouldn’t like to try.

The machine can carry up to 1,760 pounds and can make 3 knots, which isn’t going to set any speed records. At around 24,000 pounds, the two main thrusters are lucky to make that speed. The view bubble is apparently optically perfect acrylic made by a German company, and the company claims the 100-inch diameter bubble is the world’s largest spherical acrylic pressure hull.


This Week In Security: VMware, Microsoft Teams, Python Fuzzing, And More

There’s a VMware problem that’s being exploited in the wild, according to the NSA (PDF). The vulnerability is a command injection on an administrative console. The web host backing this console is apparently running as root, as the vulnerability allows executing “commands with unrestricted privileges on the underlying operating system.”

The wrinkle that makes this interesting is that VMware learned about this vuln from the NSA, which seems to indicate that it was a zero-day being used by a foreign state. The compromise chain they list is also oddly specific, making me suspect that it is a sanitized account of observed attacks.

Microsoft Teams, And the Non-CVE

[Oskars Vegeris] found a pair of interesting problems in the Microsoft Teams client, which together allow an interactionless, wormable RCE. The first vuln is an XSS problem, where a message containing a “mention” can be modified in transit to include arbitrary JavaScript. To get that JS past the XSS protection filter, a Unicode NULL byte is included in the payload. The second vuln uses the built-in file download code in the Teams app to download and auto-run a binary. Put together, anyone who simply loads the message in their Teams app runs the code.

Vegeris points out that since so many users have a presence in multiple rooms, it would be trivial to use this exploit to build a worm that could infect the majority of Teams users worldwide. The bug was reported privately to Microsoft and fixed back in October. A wormable RCE in a widely used tool seems like a big deal, and should net a high severity score, right? Microsoft gave two ratings for this attack chain, one for each of the two versions of Teams that it can affect. For the Office365 client, it’s “Important, Spoofing”, which is about as unimportant as a bug can be. The desktop app, at least, was rated “critical” for an RCE. The reason for that seems to be that the sandbox escape only works on the standalone desktop app.

But no CVE was issued for the exploit chain. In the security community, collecting CVEs is an important proof of work for your resume. Microsoft replied that they don’t issue CVEs for products that get updated automatically without user interaction. Kerfuffle ensued.

Remembering Chuck Yeager: The Supersonic Legend Whose Wings Were Clipped By A High School Diploma

In history there are people whose legacy becomes larger than life. Ask anyone who built and flew the first airplane, and you’d be hard-pressed to find someone who isn’t at least aware of the accomplishments of the Wright brothers. In a similar vein, Chuck Yeager’s pioneering trip into supersonic territory with the Bell X-1 airplane made his name essentially synonymous with the whole concept of flying faster than the speed of sound. This wasn’t the sole thing he did, of course: he also fought in WWII and Vietnam and worked as an instructor and test pilot, flying hundreds of different airplanes during his career.

Yeager’s insistence on making that first supersonic flight, despite having broken two ribs days earlier, became emblematic of the man himself: someone who never let challenges keep him from exploring the limits of the countless aircraft he flew, while inspiring others to give it their best shot. Perhaps ironically, it could be said that the only thing that ever held Yeager back was having only a high school diploma.

On December 7, 2020, Chuck Yeager died at the age of 97, leaving behind a legacy that will continue to inspire many for decades to come.
