This Week In Security: Zero Days, Notarized Malware, Jedi Mind Tricks, And More

Honeypots are an entertaining way to learn about new attacks. A simulated vulnerable system is exposed to the internet, inviting anyone to try to break into it. Rather than actually compromising a deployed device, an attacker just gives away information about how they would attack the real thing. A honeypot run by 360Netlab found something interesting back in April: an RCE attack against QNAP NAS devices. The vulnerability is found in the logout endpoint, which takes external values without properly sanitizing them. These values are used as part of a snprintf() statement, and the resulting string is then executed with a system() call. Because there isn’t any sanitization, special characters like semicolons can be injected into the final command to be run, resulting in a trivial RCE.

QNAP has released new firmware that fixes the issue by replacing the system() call with execv(). This change means that the shell isn’t part of the execution process, and the command injection loses its bite. Version 4.3.3 was the first firmware release to contain this fix, so if you run a QNAP device, be sure to go check the firmware version. While this vulnerability was being used in the wild, there doesn’t seem to have been a widespread campaign exploiting it.
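To make the difference between the two execution models concrete, here is an added example written for this page (it is not QNAP’s code, and the helper binary, parameter name and hostile value are constructed stand-ins). Both paths take the same untrusted value; the first formats it into a command line and runs it through `/bin/sh -c`, which is what system() does internally, and the second passes it as one argv entry to execv(). Counting output lines shows whether the `;` was treated as a command separator or as plain data.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stand-in for the device's logout helper; the page does not name the real
 * binary. /bin/echo just prints its arguments, which shows exactly what each
 * execution model handed to the program. */
#define HELPER "/bin/echo"

/* Run `path` with `argv` in a child, capture its stdout into `out`
 * (NUL-terminated) and return the number of output lines, or -1 on failure. */
static int run_and_capture(const char *path, char *const argv[], char *out, size_t outlen)
{
    int pfd[2];
    if (pipe(pfd) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                         /* child: stdout -> pipe, then exec */
        dup2(pfd[1], STDOUT_FILENO);
        close(pfd[0]);
        close(pfd[1]);
        execv(path, argv);
        _exit(127);                         /* only reached if execv fails */
    }
    close(pfd[1]);                          /* parent: read until EOF */
    size_t n = 0;
    ssize_t r;
    while (n + 1 < outlen && (r = read(pfd[0], out + n, outlen - 1 - n)) > 0)
        n += (size_t)r;
    out[n] = '\0';
    close(pfd[0]);
    int status;
    waitpid(pid, &status, 0);
    int lines = 0;
    for (size_t i = 0; i < n; i++)
        if (out[i] == '\n')
            lines++;
    return lines;
}

/* Vulnerable pattern from the writeup: the request value is snprintf()ed into
 * a command line and run through the shell. system() is equivalent to
 * "/bin/sh -c <cmd>", which is done explicitly here so the output can be
 * captured; the shell is what turns ';' into a command separator. */
int count_lines_via_shell(const char *untrusted, char *out, size_t outlen)
{
    char cmd[256];
    snprintf(cmd, sizeof cmd, HELPER " %s", untrusted);
    char *argv[] = { "sh", "-c", cmd, NULL };
    return run_and_capture("/bin/sh", argv, out, outlen);
}

/* Fixed pattern: execv() with an explicit argv and no shell. The value reaches
 * the helper as a single argument, metacharacters and all. */
int count_lines_via_execv(const char *untrusted, char *out, size_t outlen)
{
    char *argv[] = { HELPER, (char *)untrusted, NULL };
    return run_and_capture(HELPER, argv, out, outlen);
}

int main(void)
{
    /* Constructed hostile value: a harmless second command after the ';'. */
    const char *sid = "sid123; echo INJECTED";
    char buf[256];
    printf("shell : %d line(s)\n%s", count_lines_via_shell(sid, buf, sizeof buf), buf);
    printf("execv : %d line(s)\n%s", count_lines_via_execv(sid, buf, sizeof buf), buf);
    return 0;
}
```

The shell path prints two lines because `/bin/sh` split the string at the semicolon and ran `echo INJECTED` as a second command; the execv path prints one line containing the literal `sid123; echo INJECTED`, because no shell ever parsed it. That is the whole effect of QNAP’s fix: the injected characters are still there, but nothing interprets them.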

World’s Only Flying Twin Mustang Goes On Sale

Given the incredible success of the P-51 Mustang during the Second World War, it’s perhaps no surprise that the United States entertained the idea of combining two of the iconic fighters on the same wing to create a long-range fighter that could escort bombers into Japan. But the war ended before the F-82 “Twin Mustang” became operational, and the advent of jet fighters ultimately made the idea obsolete. Just five examples of this unique piece of history are known to exist, and the only one in airworthy condition can now be yours.

Assuming you’ve got $12 million lying around, anyway. Even for a flyable WWII fighter, that’s a record-setting price tag. But on the other hand, you’d certainly be getting your money’s worth. It took over a decade for legendary restoration expert [Tom Reilly] and his team to piece the plane, which is actually a prototype XP-82 variant, together from junkyard finds. Even then, many of the parts necessary to get this one-of-a-kind aircraft back in the sky simply no longer existed. The team had to turn to modern techniques like CNC machining and additive manufacturing to produce the necessary components, in some cases literally mirroring the design in software so it could be produced in left- and right-hand versions.

Recovering half of the Twin Mustang in 2008.

We first covered this incredible restoration project back in 2018, before the reborn XP-82 had actually taken its first flight. Since then the plane has gone on to delight crowds with the sound of two counter-rotating Merlin V-12 engines and win several awards at the Oshkosh airshow. The listing for the aircraft indicates it only has 25 hours on the clock, but given its rarity, we can’t blame [Tom] and his crew for keeping the joyrides to a minimum.

As important as it is to make sure these incredible pieces of engineering aren’t lost to history, the recent crash of the B-17G Nine-O-Nine was a heartbreaking reminder that there’s an inherent element of risk to flying these 70+ year old aircraft. A world-class restoration and newly manufactured parts don’t remove the possibility of human error or freak weather. While we’d love to see and hear this beauty taxiing around our local airport, it’s a warbird that should probably stay safely in the roost. Hopefully the $12 million price tag will ensure whoever takes ownership of the world’s only flying F-82 treats it with the respect it’s due.

COVID-tracing Framework Privacy Busted By Bluetooth

[Serge Vaudenay] and [Martin Vuagnoux] released a video yesterday documenting a privacy-breaking flaw in the Apple/Google COVID-tracing framework, and they’re calling the attack “Little Thumb” after a French children’s story in which a child drops pebbles to be able to retrace his steps. But unlike Hänsel and Gretel with the breadcrumbs, the goal of a privacy-preserving framework is to prevent periodic waypoints from allowing you to follow anyone’s phone around. (Video embedded below.)

The Apple/Google framework is, in theory, quite sound. For instance, the system broadcasts hashed, rolling IDs that prevent tracing an individual phone for more than fifteen minutes. And since Bluetooth LE has a unique numeric address for each phone, like a MAC address in other networks, they even thought of changing the Bluetooth address in lock-step to foil would-be trackers. And there’s no difference between theory and practice, in theory.

In practice, [Serge] and [Martin] found that a slight difference in timing between changing the Bluetooth BD_ADDR and changing the COVID-tracing framework’s rolling proximity IDs can create what they are calling “pebbles”: an overlap where the rolling ID has updated but the Bluetooth ID hasn’t yet. Logging these allows one to associate rolling IDs over time. A large network of Bluetooth listeners could then trace people’s movements and possibly attach identities to chains of rolling IDs, breaking one of the framework’s privacy guarantees.

This timing issue only affects some phones, about half of the set that they tested. And of course, it’s only creating a problem for privacy within Bluetooth LE range. But for a system that’s otherwise so well thought out in principle, it’s a flaw that needs fixing.
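As an added illustration of what a “pebble” looks like in a capture (example code written for this page, not the researchers’ tooling or the framework’s code), here is a small conformance check an implementer could run over their own device’s advertisements. The log format, addresses and rolling IDs are constructed placeholders; the check scans one phone’s advertisements in time order and counts records where the Bluetooth address is unchanged but the rolling proximity ID has moved on, which is exactly the overlap that lets an observer link the old ID to the new one.

```c
#include <stdio.h>
#include <string.h>

/* One observed BLE advertisement from a single phone: capture time, the
 * randomised Bluetooth device address it was sent from, and the rolling
 * proximity ID (RPI) carried in the payload. All values are constructed
 * placeholders, not real captures. */
struct adv {
    int t;               /* seconds since start of capture */
    const char *bdaddr;  /* BD_ADDR at that moment */
    const char *rpi;     /* rolling proximity ID in the payload */
};

/* Count "pebbles" in one device's advertisements, sorted by time: a record
 * whose BD_ADDR equals the previous record's but whose RPI differs. Each one
 * lets a listener chain the old RPI to the new one, so an implementation that
 * rotates both identifiers in the same step must score 0. */
int count_pebbles(const struct adv *log, int n)
{
    int pebbles = 0;
    for (int i = 1; i < n; i++) {
        if (strcmp(log[i].bdaddr, log[i - 1].bdaddr) == 0 &&
            strcmp(log[i].rpi, log[i - 1].rpi) != 0)
            pebbles++;
    }
    return pebbles;
}

/* Constructed trace of a phone that updates its RPI a few seconds before it
 * rotates its BD_ADDR, the ordering flaw the researchers describe. */
static const struct adv flawed_trace[] = {
    {    0, "AA:AA:AA:00:00:01", "rpi-1" },
    {  300, "AA:AA:AA:00:00:01", "rpi-1" },
    {  600, "AA:AA:AA:00:00:01", "rpi-2" },   /* RPI changed, address did not */
    {  605, "BB:BB:BB:00:00:02", "rpi-2" },   /* address catches up */
    {  900, "BB:BB:BB:00:00:02", "rpi-2" },
    { 1200, "BB:BB:BB:00:00:02", "rpi-3" },   /* second pebble */
    { 1205, "CC:CC:CC:00:00:03", "rpi-3" },
};

/* Constructed trace of a phone that rotates both identifiers together. */
static const struct adv fixed_trace[] = {
    {    0, "AA:AA:AA:00:00:01", "rpi-1" },
    {  300, "AA:AA:AA:00:00:01", "rpi-1" },
    {  600, "BB:BB:BB:00:00:02", "rpi-2" },
    {  900, "BB:BB:BB:00:00:02", "rpi-2" },
    { 1200, "CC:CC:CC:00:00:03", "rpi-3" },
};

int pebbles_in_flawed_trace(void)
{
    return count_pebbles(flawed_trace, sizeof flawed_trace / sizeof flawed_trace[0]);
}

int pebbles_in_fixed_trace(void)
{
    return count_pebbles(fixed_trace, sizeof fixed_trace / sizeof fixed_trace[0]);
}

int main(void)
{
    printf("rpi-first rotation: %d pebble(s)\n", pebbles_in_flawed_trace());
    printf("joint rotation:     %d pebble(s)\n", pebbles_in_fixed_trace());
    return 0;
}
```

The flawed trace scores two: in each case the new rolling ID was broadcast from the old address for a few seconds, so rpi-1 is linkable to rpi-2 and rpi-2 to rpi-3. The joint-rotation trace scores zero, since every address change coincides with the ID change and there is no shared value to pivot on.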

Why didn’t the researchers submit a patch? They can’t. The Apple/Google code is mostly closed-source, in contrast to the open-source nature of most of the apps that are running on it. This remains troubling, precisely because the difference between the solid theory and the real practice lies exactly in those lines of uninspectable code, and leaves all apps that build upon them vulnerable without any recourse other than “trust us”. We encourage Apple and Google to make the entirety of their COVID framework code open. Bugs would then get found and fixed, faster.

“A Guy In A Jet Pack” Reported Flying Next To Aircraft Near LAX

In case you needed more confirmation that we’re living in the future, a flight on approach to Los Angeles International Airport on Sunday night reported “a guy in a jet pack” flying within about 300 yards of them. A second pilot confirmed the sighting. It’s worth watching the video after the break just to hear the recordings of the conversation between air traffic control and the pilots.

The sighting was reported at about 3,000 feet, which is an incredible height for any of the human-carrying jet packs we’ve seen. The current state of the art limits jet pack tech to very short flight times, and it’s hard to imagine doing anything more than getting to that altitude and back to the ground safely. Without further evidence it’s impossible to say, which has been an ongoing problem with sightings of unidentified flying objects near airports.

While superheroes (or idiots pretending to be superheroes) flying at altitude over the skies of LA sounds far-fetched, the RC superhero hack we saw nine years ago now comes to mind. At 300 yards, that human-shaped drone might pass for an actual person rather than a dummy. This is of course pure speculation, and we don’t want to give the responsible members of the RC aircraft community a bad name. It could have just as easily been trash, balloons, aliens, or Mothra. Or perhaps the pilot was correct and it was “some guy” flying past at 3,000 feet. That’s not impossible.

We anxiously await the results of the FAA’s investigation on this one.

What’s The Deal With Rolling Blackouts In California’s Power Grid?

A heat wave spreading across a large portion of the west coast of the United States is not surprising for this time of year, but the frequency and severity of these heat waves have been getting worse in recent years as the side effects from climate change become more obvious. In response to this, the grid operators in California have instituted limited rolling blackouts as electricity demand ramps up.

This isn’t California’s first run-in with elective blackouts, either. The electrical grid in California is particularly prone to issues like this, both from engineering issues and from other less obvious problems as well.

Lithium Sulfur Batteries Slated For Takeoff

Spectrum recently published a post on a new lithium-sulfur battery technology specifically targeting electric aviation applications. Although lots of electric vehicles could benefit from the new technology, airplanes are especially sensitive to heavy batteries, and lithium-sulfur batteries can weigh much less than modern batteries of equivalent capacity. The Spectrum post is from Oxis Energy, which is about to fly tests with the new batteries; the company claims they have twice the energy density of conventional lithium-ion batteries. The company also claims the batteries are safer, which is another important consideration when flying through the sky.

The batteries have a cathode comprised of aluminum foil coated with carbon and sulfur — which avoids the use of cobalt, a cost driver in traditional lithium cell chemistries. The anode is pure lithium foil. Between the two electrodes is a separator soaked in an electrolyte. The company says the batteries go through multiple stages as they discharge, forming different chemical compounds that continue to produce electricity through chemical action.

The safety factor is due to the fact that, unlike lithium-ion cells, the new batteries don’t form dendrites that short out the cell. The cells do degrade over time, but not in a way that is likely to cause a short circuit. However, ceramic coatings may provide protection against this degradation in the future which would be another benefit compared to traditional lithium batteries.

We see a lot of exciting battery announcements, but we rarely see real products with them. Time will tell if the Oxis and similar batteries based on this technology will take root.

FBI Reports On Linux Drovorub Malware

The FBI and the NSA released a report on the Russian-made Linux malware known as Drovorub (PDF), and it is an interesting read. Drovorub uses a kernel module rootkit and allows a remote attacker to control your computer, transfer files, and forward ports. And the kernel module takes extraordinary steps to avoid detection while doing it.

What is perhaps most interesting though, is that the agencies did the leg work to track the malware to its source: the GRU — Russian intelligence. The name Drovorub translates into “woodcutter” and is apparently the name the GRU uses for the program.

A look inside the code shows it is pretty mundane. There’s a server with a JSON configuration file and a MySQL backend. It looks like any other garden-variety piece of code. To bootstrap the client, a hardcoded configuration allows the program to make contact with the server and then creates a configuration file that the kernel module actively hides. Interestingly, part of the configuration is a UUID that contains the MAC address of the server computer.

The rootkit won’t persist if you have UEFI Secure Boot fully enabled (although many Linux installs turn UEFI signing off rather than work through the steps needed to install an OS with it enabled). The malware is easy to spot if you dump raw information from the network, but the kernel module makes it hard to find on the local machine. It hooks many kernel functions so it can hide processes from both the ps command and the /proc filesystem. Other hooks remove file names from directory listings and also hide sockets. The paper describes how to identify the malware, and its authors are especially interested in detection at scale — that is, if you have 1,000 Linux PCs on a network, how do you find which ones have this infection?
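Hiding a process from `ps` and from `/proc` listings is a classic rootkit move, and the classic host-side answer is a cross-view check: gather the same facts two different ways and look for disagreement. The C program below is an added example written for this page, not from the FBI/NSA report and not specific to Drovorub; it is the generic readdir-versus-direct-lookup heuristic, assuming a Linux `/proc`. View 1 is what directory listings of `/proc` (and of each `/proc/<pid>/task`, so threads are not mistaken for hidden processes) admit to; view 2 is which `/proc/<id>` paths can be `stat()`ed directly. The comparison function is pure so it can be checked on constructed data; a module that also hooks path lookups defeats this check, which is why the network view the page mentions is the more robust one at scale.

```c
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>

/* Scan bound, read from the kernel so no PID is out of range (fallback 32768). */
static long read_pid_max(void)
{
    long pid_max = 32768;
    FILE *fp = fopen("/proc/sys/kernel/pid_max", "r");
    if (fp) {
        if (fscanf(fp, "%ld", &pid_max) != 1)
            pid_max = 32768;
        fclose(fp);
    }
    return pid_max;
}

/* Set seen[id] = 1 for every numeric entry in directory `dir` with id < n. */
static void mark_numeric_entries(const char *dir, unsigned char *seen, long n)
{
    DIR *d = opendir(dir);
    if (!d)
        return;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (!isdigit((unsigned char)e->d_name[0]))
            continue;
        long id = strtol(e->d_name, NULL, 10);
        if (id > 0 && id < n)
            seen[id] = 1;
    }
    closedir(d);
}

/* View 1: IDs that directory listings admit to. Thread IDs appear only under
 * /proc/<pid>/task, so those are gathered too; otherwise every thread of a
 * multithreaded process would be flagged by view 2 as a hidden process. */
void listed_ids(unsigned char *seen, long n)
{
    unsigned char *top = calloc((size_t)n, 1);
    if (!top)
        return;
    mark_numeric_entries("/proc", top, n);
    for (long pid = 1; pid < n; pid++) {
        if (!top[pid])
            continue;
        seen[pid] = 1;
        char path[64];
        snprintf(path, sizeof path, "/proc/%ld/task", pid);
        mark_numeric_entries(path, seen, n);
    }
    free(top);
}

/* View 2: IDs whose /proc/<id> can be stat()ed directly. A module that only
 * filters what readdir() returns still answers a lookup by exact path. */
void reachable_ids(unsigned char *seen, long n)
{
    char path[64];
    struct stat st;
    for (long id = 1; id < n; id++) {
        snprintf(path, sizeof path, "/proc/%ld", id);
        if (stat(path, &st) == 0)
            seen[id] = 1;
    }
}

/* Pure comparison: IDs present in view 2 but absent from view 1. Returns the
 * total and stores up to outmax of them. Processes that start or exit between
 * the two scans show up here too, so rescan before treating a hit as real. */
int hidden_ids(const unsigned char *listed, const unsigned char *reachable,
               long n, long *out, int outmax)
{
    int found = 0;
    for (long id = 1; id < n; id++) {
        if (reachable[id] && !listed[id]) {
            if (found < outmax)
                out[found] = id;
            found++;
        }
    }
    return found;
}

int main(void)
{
    long n = read_pid_max();
    unsigned char *listed = calloc((size_t)n, 1);
    unsigned char *reachable = calloc((size_t)n, 1);
    long hits[64];
    if (!listed || !reachable)
        return 1;
    listed_ids(listed, n);
    reachable_ids(reachable, n);
    int count = hidden_ids(listed, reachable, n, hits, 64);
    printf("%d id(s) reachable under /proc but absent from its listing\n", count);
    for (int i = 0; i < count && i < 64; i++)
        printf("  %ld\n", hits[i]);
    free(listed);
    free(reachable);
    return count > 0;
}
```

On a clean host the two views agree and the program exits 0; a non-zero exit with a short list of IDs is a lead, not a verdict, and a second run separates transient processes from anything that stays hidden. For a fleet, the same idea scales by shipping the count and IDs to wherever the other 999 machines report to, and by adding views the module cannot hook from inside the host, such as the raw network traffic the page describes.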

This is a modern spy story, but not quite what we’ve come to expect in Bond movies. “Well, Moneypenny, it appears Spectre is using the POCO library to generate UUIDs,” is hard to work into a trailer. We prefer the old days when high-tech spying meant nonlinear junction detectors, hacking Selectrics, moon probe heists, and passive bugging.