News

3396 Articles

This Week In Security: Google Photos, Whatsapp, And Doom On Deskphones

February 7, 2020 by 12 Comments

Google Photos is handy. You take pictures and videos on your cell phone, and they automatically upload to the cloud. If you’re anything like me, however, every snap comes with a self-reminder that “the cloud” is a fancy name for someone else’s server. What could possibly go wrong? How about some of your videos randomly included in another user’s downloads?

Confirmed by Google themselves, this bug hit those using Google Takeout, the service that allows you to download all your data from a Google application, as a single archive. Google Photos archives downloaded between November 21 and November 25 may contain videos from other users, according to a notice sent to the users who downloaded said archives. It’s notable that those notices haven’t been sent to users who’s videos were exposed.
Continue reading “This Week In Security: Google Photos, Whatsapp, And Doom On Deskphones”

Laser Etches Solar Absorbing Material

February 6, 2020 by 19 Comments

Having a laser cutter these days isn’t a big deal. But [Chunlei Guo], a professor at the University of Rochester, has a powerful femto-second pulse laser and used it to create what might be the perfect solar absorber. You can see a video about the work, below.

It stands to reason that white materials reflect most light and therefore absorb less energy than black materials — this is part of what makes a radiometer work. Tungsten, in particular, is a good metal for absorbing solar power, but this new laser treatment — which builds nanostructures on the surface of the metal — increases efficiency by 130% compared to untreated tungsten.

Continue reading “Laser Etches Solar Absorbing Material”

China X86 Chips Hitting The Market

February 4, 2020 by 99 Comments

Last year, fabless chip maker Zhaoxin announced they were readying a multicore x86-compatible CPU. According to media reports, the chips are showing up on Chinese marketplaces like Taobao shipping around March.

The company is a joint venture between the Shanghai Municipal Government and VIA Technologies, a familiar name in the PC business. It makes even more sense if you remember that VIA bought Centaur who had built simple x86 chips and used the simplicity to add more cache that more complex Intel and AMD chips. These fell out of the hobby market, but they’ve still been pushing forward providing simple designs that are inexpensive and consume low power.

Continue reading “China X86 Chips Hitting The Market”

Lego Space Station Designed By Fan

February 2, 2020 by 9 Comments

It is no secret that most people like to play with Lego, but some people really like it to an extreme degree. Lego’s Idea platform lets people submit designs for review and also lets users vote on these designs. If accepted, the company works with the designer to put a kit in production and they share in the profits. [Christophe Ruge] submitted his design for the International Space Station and three years later, you can buy it on the Lego website.

The kit has 864 parts and the finished model is 12″ x 19″ x 7″ — probably will take longer than a coffee break to finish it. The model even includes the two rotating Solar Alpha Rotary Joints that allow the solar panels to align with the sun. You can see [Scott] building his on a recorded live stream below if you have 3 hours to kill.

Continue reading “Lego Space Station Designed By Fan”

This Week In Security: OpenSMTPD, Kali Release, Scareware, Intel, And Unintended Consequences

January 31, 2020 by 15 Comments

If you run an OpenBSD server, or have OpenSMTPD running on a server, go update it right now. Version 6.6.2, released January 28th, fixes an exploit that can be launched locally or remotely, simply by connecting to the SMTP service. This was found by Qualys, who waited till the update was released to publish their findings.

It’s a simple logic flaw in the code that checks incoming messages. If an incoming message has either an invalid sender’s username, or invalid domain, the message is sent into error handling logic. That logic checks if the domain is an empty string, in which case, the mail is processed as a local message, sent to the localhost domain. Because the various parts of OpenSMTPD operate by executing commands, this logic flaw allows an attacker to inject unexpected symbols into those commands. The text of the email serves as the script to run, giving an attacker plenty of room to totally own a system as a result.

Browser Locker

“Your browser has been locked to prevent damage from a virus. Please call our Windows help desk immediately to prevent further damage.” Sound familiar? I can’t tell you how many calls I’ve gotten from freaked-out customers, who stumbled upon a scare-ware site that locked their browser. This sort of scam is called a browlock, and one particular campaign was pervasive enough to catch the attention of the researchers at Malwarebytes (Note, the picture at the top of their article says “404 error”, a reference to a technique used by the scam. Keep reading, the content should be below that.).

“WOOF”, Malwarebyte’s nickname for this campaign, was unusual both in its sophistication and the chutzpah of those running it. Browsers were hit via ads right on the MSN homepage and other popular sites. Several techniques were used to get the malicious ads onto legitimate sites. The most interesting part of the campaign is the techniques used to only deliver the scareware payload to target computers, and avoid detection by automated scanners.

It seems that around the time Malwarebytes published their report, the central command and control infrastructure behind WOOF was taken down. It’s unclear if this was a coincidence, or was a result of the scrutiny they were under from the security community. Hopefully WOOF is gone for good, and won’t simply show up at a different IP address in a few days.

Kali Linux

Kali Linux, the distribution focused on security and penetration testing, just shipped a shiny new release. A notable new addition to the Kali lineup is a rootless version of their Android app. Running an unrooted Android, and interested in having access to some security tools on the go? Kali now has your back.

Not all the tools will work without root, particularly those that require raw sockets, and sending malformed packets. It’s still a potentially useful tool to put into your toolbox.

Cacheout, VRD, and Intel iGPU Leaks

Intel can’t catch a break, with three separate problems to talk about. First up is cacheout, or more properly, CVE-2020-0549, also known as L1DES. It’s a familiar song and dance, just a slightly different way to get there. On a context switch, data in the Level 1 cache isn’t entirely cleared, and known side-channel attacks can be used to read that data from unprivileged execution.

VRD, Vector Register Sampling, is another Intel problem just announced. So far, it seems to be a less exploitable problem, and microcode updates are expected soon to fix the issue.

The third issue is a bit different. Instead of the CPU, this is a data leak via the integrated GPU. You may be familiar with the most basic form of this problem. Some video games will flash garbage on the screen for a few moments while loading. In some cases, rather than just garbage, images, video stills, and other graphics can appear. Why? GPUs don’t necessarily have the same strict separation of contexts that we expect from CPUs. A group of researchers realized that the old assumptions no longer apply, as nearly every application is video accelerated to some degree. They published a proof of concept, linked above, that demonstrates the flaw. Before any details were released, Phoronix covered the potential performance hit this would cause on Linux, and it’s not great.

Unintended Legal Consequences

Remember the ransomware attack that crippled Baltimore, MD? Apparently the Maryland legislature decided to step in and put an end to ransomware, by passing yet another law to make it illegal. I trust you’ll forgive my cynicism, but the law in question is a slow-moving disaster. Among other things, it could potentially make the public disclosure of vulnerabilities a crime, all while doing absolutely nothing to actually make a difference.

GE Medical Equipment Scores 10/10

While scoring a 10 out of 10 is impressive, it’s not something to be proud of, when we’re talking about a CVE score, where it’s the most critical rating. GE Healthcare, subsidiary of General Electric, managed five separate 10.0 CVEs in healthcare equipment that they manufacture, and an 8.5 for a sixth. Among the jewels are statements like:

In the case of the affected devices, the configuration also contains a private key. …. The same private key is universally shared across an entire line of devices in the CARESCAPE and GE Healthcare family of products.

The rest of the vulnerabilities are just as crazy. Hard-coded SMB passwords, a network KVM that has no credential checking, and ancient VNC versions. We’ve known for quite some time that some medical equipment is grossly insecure. It will apparently take a security themed repeat of the Therac-25 incident before changes take place.

Odds’n’ends

The Windows 7 saga continues, as Microsoft’s “last” update for the venerable OS broke many users’ desktop backgrounds. Microsoft plans to release a fix.

Firefox purged almost 200 extensions from their official portal over the last few weeks. It was found that over 100 extensions by 2Ring was secretly pulling and running code from a central server.

The Citrix problems we discussed last week has finally been addressed, and patches released, but not soon enough to prevent the installation of future-proof backdoors on devices in the wild. There are already plenty of reports of compromised devices. Apparently the exploitation has been so widespread, that Citrix has developed a scanning tool to check for the indicators of compromise (IoCs) on your devices. Apply patch, check for backdoors.

This Is It For The Particle Mesh Network

January 30, 2020 by 24 Comments

The long-held dream of wireless network hackers everywhere is to dispense with centralised network infrastructure, and instead rely on a distributed network in which the clients perform the role of distribution and routing of traffic. These so-called mesh networks promise scalability and simplicity on paper, but are in practice never as easy to implement as the theory might suggest. Much venture capital has been burned over the years by startups chasing that particular dream, yet most of our wireless connectivity still follows a hub topology.

An exciting development in our sphere concerning mesh networking came in early 2018, when Particle, the purveyors of wireless-equipped dev boards, launched their third generation of products. These offered mesh networking alongside their other features, but this week they have announced that they’ll no longer be developing that particular side of their offering. The Wi-Fi-equipped Argon and Cellular-equipped Boron will remain on sale, but they will henceforth discontinue the mesh-only Xenon. Existing owners of the now orphaned board will be compensated with store credit.

Their rationale for discontinuing mesh networking is interesting, and reflects on the sentiment in our first paragraph. Mesh networking is hard, and in particular their attempt to make it work with zero configuration was simply not successful. But then they talk about the realisation that maybe mesh networking was not the right solution for the IoT applications the boards were being used in, and perhaps another technology such as LoRa would be more appropriate.

So the mesh experiment from Particle is over, but the company and its connected dev boards are very much still with us. We salute them for being bold enough to try it, and we wonder when we’ll next find a piece of similar mesh networking hardware.

DDR-5? DDR-4, We Hardly Knew Ye

January 29, 2020 by 32 Comments

This month’s CES saw the introduction of max speed DDR5 memory from SK Hynix. Micron and other vendors are also reportedly sampling similar devices. You can’t get them through normal channels yet, but since you also can’t get motherboards that take them, that’s not a big problem. We hear Intel’s Xeon Sapphire Rapids will be among the first boards to take advantage of the new technology. But that begs the question: what is it?

SDRAM Basics

Broadly speaking, there are two primary contenders for a system that needs RAM memory: static and dynamic. There are newer technologies like FeRAM and MRAM, but the classic choice is between static and dynamic. Static RAM is really just a bunch of flip flops, one for each bit. That’s easy because you set it and forget it. Then later you read it. It can also be very fast. The problem is a flip flop usually takes at least four transistors, and often as many as six, so there’s only so many of them you can pack into a certain area. Power consumption is often high, too, although modern devices can do pretty well.

Continue reading “DDR-5? DDR-4, We Hardly Knew Ye”