An Out-Of-This-World Opportunity; Become An ESA Astronaut

In the six decades or so of human space exploration, depending on whose definition you take, only 562 people have flown into space. We haven’t quite reached the state of holidaying in space that science fiction once promised us, even though the prospect of sub-orbital spaceflight for the exceedingly well-heeled is very close, so that cadre of astronauts remains an elite group whose entry is not for the average person. Some readers might have an opportunity to change that though, as the European Space Agency have announced a fresh round of astronaut recruitment that will open at the end of March.

Sadly for our American readers the successful applicants have to hail from ESA member states, but since that covers a swathe of European countries we’re guessing that a lot of you might have your long-held dreams of spaceflight revived by it. You can learn more at a press conference to be held on the 16th of February, and streamed via ESA Web TV. Meanwhile whoever is recruited will be likely not only to participate in missions to the ISS, but maybe also more ambitious planned missions such as those to the planned Lunar Gateway space station in Lunar orbit. If you think you’ve got the Euro version of The Right Stuff, you’ll have the 8 weeks from the end of March until the 28th of May to get your application in. Good Luck!

Cyberattack On Florida City’s Water Supply

The city of Oldsmar, Florida was the source of disturbing news this week, among reports that someone gained unauthorized access to a water treatment facility. In an era where more systems than ever are connected to the Internet, the story is a sobering one for the vast majority of people reliant on grid utilities.

The hacker was first noticed to have gained remote access to a computer system at the plant at 8 a.m. on February 5. An operator at a workstation controlling chemical dosing at the plant observed a remote connection, though did not initially raise the alarm, as such access is common practice at the facility for troubleshooting purposes. However, at 1:30 p.m. the hacker connected again, this time commanding the dosing system to raise levels of sodium hydroxide in the water from 100 to 11,000 ppm – dangerous levels that would make the city’s water unsafe to drink. The increased level command was immediately overridden by the operator, who then raised the alarm.

The city notes that other safeguards such as pH monitors at the plant would have triggered in the event the original intrusion went undetected. However, the event raises renewed questions about the level of security around critical utility systems connected to the internet. In the last decade, cyberattacks on physical infrastructure have become a reality, not a vague future threat.

Nothing’s known yet about the perpetrator, or how secure the system was (or wasn’t?) before the event. It’s been long known that a lot of infrastructure is simply connected to the internet, as Dan Tentler has been showing us since at least 2012. (Video, ranting.) Indeed, it’s amazing that we’ve seen so few malicious attacks.

Getting Ready For Mars: The Seven Minutes Of Terror

For the past seven months, NASA’s newest Mars rover has been closing in on its final destination. As Perseverance eats up the distance and heads for the point in space that Mars will occupy on February 18, 2021, the rover has been more or less idle. Tucked safely into its aeroshell, we’ve heard little from the lonely space traveler lately, except for a single audio clip of the whirring of its cooling pumps.

Its placid journey across interplanetary space stands in marked contrast to what lies just ahead of it. Like its cousin and predecessor Curiosity, Perseverance has to successfully negotiate a gauntlet of orbital and aerodynamic challenges, and do so without any human intervention. NASA mission planners call it the Seven Minutes of Terror, since the whole process will take just over 400 seconds from the time it encounters the first wisps of the Martian atmosphere to when the rover is safely on the ground within Jezero Crater.

For that to happen, and for the two-billion-dollar mission to even have a chance at fulfilling its primary objective of searching for signs of ancient Martian life, every system on the spacecraft has to operate perfectly. It’s a complicated, high-energy ballet with high stakes, so it’s worth taking a look at the Seven Minutes of Terror, and what exactly will be happening, in detail.


This Week In Security: Perl.com, The Great Suspender, And Google’s Solution

Perl has been stolen. Well, perl.com, at least. The perl.com domain was transferred to a different registrar on January 27, without the permission of the rightful owner. The first to notice the hack seems to have been [xtaran], who raised the alarm on a Reddit thread. The proper people quickly noticed, and started the process of getting control of the domain again. It seems that several other unrelated domains were also stolen in the same attack.

I’ve seen a couple of theories tossed around about how the domains were stolen. With multiple domains being moved, it initially seemed that the registrar had been compromised in some way. One of the other victims was told that a set of official-looking documents had been supplied, “proving” that the attacker was the rightful owner of the domain. In any case, the damage is slowly being unwound. Perl.com is once again in the proper hands, evidenced by the proper SSL certificate issued back in December.

The Great Suspender, Suspended

I was greeted by a particularly nasty surprise on Thursday of this week. One of the Chrome extensions I’ve come to rely on was removed by Google for containing malware. The Great Suspender automatically hibernates unused tabs, saving RAM and processor cycles that would otherwise be spent on those 150 open tabs that should really be bookmarks. What happened here?

I’ll point out that I’m extremely careful about installing extensions. It’s code written by a third party, often very difficult to inspect, and it can view and modify the sites you visit. You can manage what sites an extension has access to, but for a tool like the Suspender, it essentially needs access to all of them. The solution is to use open source extensions, right? “Well yes, but actually no.” Suspender is open source, after all. The link above goes to the project’s GitHub page. In that repo you’ll find an announcement from last year that the founding developer is finished with the project, and is selling the rights to an unknown third party, who took over maintainership. If this sounds familiar, there are echoes of the event-stream debacle.

It’s not clear exactly what malicious behavior Google found that led to the extension being pulled, but a more careful look at the project reveals that there were potential problems as early as October of 2020. An addition to the extension introduced execution of code from a remote server, never a good idea. For what it’s worth, the original maintainer has made a statement, defending the new owners, and suggesting that this was all an innocent mistake.

The lesson here? It’s not enough to confirm that an extension checks the “open source” box. Make sure there is an active community, and that there isn’t a six-month-old bug report detailing potentially malicious activity.

Libgcrypt

It’s not every day you see a developer sending out a notice that everyone should stop using his latest release. That’s exactly what happened with Libgcrypt 1.9.0. Our friends over at Google’s Project Zero discovered an extremely nasty vulnerability in the code. It’s a buffer overflow that happens during the decryption process, before even signature verification. Since libgcrypt is used in many PGP implementations, the ramifications could be nasty. Receive an encrypted email, and as soon as your client decrypts it, code is executing. Thankfully, an update that fixes the issue has already been released.

Android Botnet

A new botnet is targeting Android devices in a peculiar way — looking for open ADB debug ports exposed to the Internet. Google makes it very clear that ADB over the network is insecure, and should only be used for development purposes, and on controlled networks. It’s astounding that so many vendors ship hardware with this service exposed. Beyond that, it’s surprising that so many people give their Android devices public IP addresses (or IPv6 addresses that aren’t behind a firewall). The botnet, named Matryosh, has another unique feature, as it uses Tor for command and control functions, making it harder to track.

Google Solution to Open-Source Security

Google published a post on their open source blog, giving an overview of their new framework for the security of open source projects. “Know, Prevent, Fix” is their name for the new effort, and it must have been written by management, because it’s full of buzzwords. The most interesting elements are their goals for critical software. They identify problems like the ability of a single maintainer to push bad code into a project, and how having anonymous maintainers is probably a bad idea. It will be interesting to see how these ideas develop, and how Google will help open source communities implement them.

Microsoft in My Pi

And finally, I was amused by an article lamenting the inclusion of the VSCode repository in the default Raspberry Pi OS images. He does raise a couple of legitimate points. Among them, you do send a ping to Microsoft’s servers every time you check for new updates.

The larger point is that the official VSCode binaries have telemetry code added to them — code that isn’t in the open source repository. What is it doing? You don’t know. But it probably violates European law.

Want to use VSCode, but not interested in shipping info off to Microsoft? VSCodium is a thing.

This Isn’t Your Father’s Yellow Card

As the global vaccination effort rolls out in many countries, people will increasingly be required to provide evidence for various reasons, especially travelers. Earlier this month a coalition which includes Microsoft, the Mayo Clinic, Oracle, MITRE, and others announced an effort to establish digital vaccination records called the Vaccination Credential Initiative (VCI). This isn’t going to be a brand new thing, but rather an initiative to provide digital proof-of-vaccination to people who want it, using existing open standards:

  • Verifiable Credentials, per World Wide Web Consortium Recommendation (VC Data Model 1.0)
  • Industry standard format and security, per the Health Level Seven International (HL7) FHIR standard

In addition, the World Health Organization formed the Smart Vaccination Certificate Working Group in December. Various other countries and organizations also have technical solutions in the works or already deployed. If a consensus doesn’t form soon, we can see this quickly becoming a can of worms. Imagine having to obtain multiple certifications of your vaccination because of non-uniform requirements between countries, organizations, and/or purposes.

Older readers and international travelers may be wondering, “don’t we already have a vaccination card system?” Indeed we do: the Carte Jaune or Yellow Card. The concept of a “vaccination passport” was conceived and agreed upon at the International Sanitary Convention for Aerial Navigation in 1933. Over the years the names and diseases of interest have changed, but since 2007 it has been formally called the International Certificate of Vaccination or Prophylaxis (ICVP). In recent times, yellow fever was the only vaccination of interest to travelers, but other vaccinations or booster shots can be recorded as well. One problem with the paper Yellow Card is that it is ridiculously easy to forge. Nefarious or lazy travelers could download it from the WHO site, print it on appropriate yellow card stock, and forge a doctor’s signature. The push for a more secure ICVP is not completely unreasonable.

Reading the instructions on the Yellow Card brings up a couple of interesting points:

  • This certificate is valid only if the vaccine or prophylaxis used has been approved by the World Health Organization — Currently the Pfizer vaccine is the only one to be approved by WHO, and even that is only an emergency approval. If you receive a non-Pfizer vaccination, what then?
  • The only disease specifically designated in the International Health Regulations (2005) for which proof of vaccination or prophylaxis may be required as a condition of entry to a State Party, is yellow fever — This one is interesting, and suggests that member states cannot require proof of Covid19 vaccination as an entry requirement, a situation that will no doubt be quickly revised or ignored.

Note: This writeup is about vaccinations, not about immunity. While immunity certificates have been used from time to time throughout modern history, the concept of an international immunity passport is not well established like the ICVP.

This Week In Security: Sudo, Database Breaches, And Ransomware


Sudo is a super important Linux utility, as well as the source of endless jokes. What’s not a joke is CVE-2021-3156, a serious vulnerability around incorrect handling of escape characters. This bug was discovered by researchers at Qualys, and has been in the sudo codebase since 2011. If you haven’t updated your Linux machine in a couple of days, you may very well still be running the vulnerable sudo binary. There’s a simple one-liner to test for the vulnerability:

sudoedit -s '\' `perl -e 'print "A" x 65536'`

In response to this command, my machine throws this error, meaning it’s vulnerable:

malloc(): corrupted top size
Aborted (core dumped)

To understand the problem with sudo, we have to understand escape characters. It really boils down to spaces in file and folder names, and how to deal with them. You want to name your folder “My Stuff”? That’s fine, but how do you interact with that directory name on the command line, when spaces are the default delimiter between arguments? One option is to wrap it in quotation marks, but that gets old in a hurry. The Unix solution is to use the backslash character as an escape character. Hence you can refer to your fancy folder as My\ Stuff. The shell sees the escape character, and knows to interpret the space as part of the folder name, rather than an argument separator. Escape characters are a common vulnerability location, as there are plenty of edge cases.
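The edge case that bites here is a backslash with nothing after it. Below is an added, simplified illustration of that class of flaw and its guard, written for this writeup; it is not sudo’s own code, and the function names are made up. It unescapes an argument the way the My\ Stuff example describes, and shows in the comment why skipping the backslash without first checking for the terminating NUL turns a trailing backslash into a buffer overrun.

```c
#include <stdio.h>
#include <string.h>

/*
 * Copy `from` into `to` (capacity `cap`), removing backslash escapes so that
 * "My\ Stuff" becomes "My Stuff".  Returns the bytes written (excluding the
 * NUL) or -1 if the result would not fit.
 *
 * The bug class this guards against: an unescape loop that does
 *     if (*from == '\\') from++;   // skip the backslash, copy the next byte
 * without checking that a next byte exists.  When the backslash is the last
 * character, from++ lands on the terminating NUL, the NUL is copied as data,
 * and the loop keeps reading whatever sits in memory past the end of the
 * string, overrunning an output buffer that was sized from strlen().
 */
int unescape_arg(const char *from, char *to, size_t cap)
{
    size_t n = 0;
    while (*from != '\0') {
        /* Only consume the backslash when a byte actually follows it;
         * a trailing backslash is kept literally instead. */
        if (from[0] == '\\' && from[1] != '\0')
            from++;
        if (n + 1 >= cap)          /* leave room for the NUL */
            return -1;
        to[n++] = *from++;
    }
    to[n] = '\0';
    return (int)n;
}

/* Check helper: 1 if unescaping `in` yields exactly `want`, else 0. */
int unescapes_to(const char *in, const char *want)
{
    char buf[64];
    int n = unescape_arg(in, buf, sizeof buf);
    return n >= 0 && (size_t)n == strlen(want) && strcmp(buf, want) == 0;
}

char scratch[8];   /* small buffer used to exercise the capacity check */

int main(void)
{
    /* Constructed sample arguments, including the trailing-backslash case. */
    const char *samples[] = { "My\\ Stuff", "a\\\\b", "trailing\\" };
    char buf[64];
    for (size_t i = 0; i < 3; i++) {
        int n = unescape_arg(samples[i], buf, sizeof buf);
        printf("%-12s -> %d bytes: \"%s\"\n", samples[i], n, buf);
    }
    return 0;
}
```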

Fire In The Palm Of Your Hand

For as long as super-heroes have existed, they have inspired hacker projects. For [Everett Bradford], emulating the character Pyro from X-Men has been an on and off project for the last decade. His latest version, Pyro System V4, integrates quite a bit of control electronics to give the rather convincing effect of mind-controlled fire in the palm of his hand. (Video, embedded below.)

The system is a motor-actuated slider strapped to [Everett]’s forearm, which pushes a pivoting end-effector with an integrated butane burner into the palm of his hand. The slider runs on 4 mm linear bearings actuated by a small geared DC motor using cables. The end effector is spring-loaded to push it into the palm and integrates a high voltage ignition arc generator circuit, nozzle, and capacitive activation button.

The butane gas canister and the valve were cannibalized from a small blow torch lighter, and the valve is actuated by another geared DC motor. The valve actuator, slide actuator, and end-effector hinge all integrate position feedback via hall effect sensors and magnets. The sensor in the hinge allows the slide to actively correct for the angle of the user’s wrist, keeping the end effector in the middle of the palm.

The control circuit is split into two parts. One PIC16 microcontroller runs all the motion control and position sensing, while a PIC18 connected to a small touch screen handles user interface, control parameters, and ignition. The touch screen proved especially useful for control parameters during development without needing to connect to a laptop.

Some of [Everett]’s previous versions had a much more impressive (and dangerous) flame, but were also very bulky. We think this latest version strikes a pretty good balance between compactness and a convincing illusion.

[Colin Furze] is another name commonly associated with fire-breathing contraptions, but they have a proven history of landing him in hospital.
