This Week In Security: Twitter, Windows DNS, SAP RECON

Twitter just had their biggest security breach in years. Mike warned us about it on Wednesday, but it’s worth revisiting a few of the details. The story is still developing, but it appears that malicious actors used social engineering to get access to an internal Twitter dashboard. That dashboard, among other interesting things, lets an employee directly change the email address associated with an account. Once the address points at one the attacker controls, an ordinary password reset is all it takes to gain access.
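The sequence described above (a staff-initiated email change followed shortly by a password reset to the new address) is exactly the kind of thing an audit trail can catch. What follows is an added example, not Twitter’s code or log format: the event fields (`account`, `action`, `actor_type`, `new_email`, `reset_email`, `ts`) and the 30-minute window are assumptions for illustration, and the events are constructed.

```python
"""Correlate support-tool audit events: an email change made by staff that is
followed, within a short window, by a password reset sent to that new address.

Added example. The event schema and window are assumptions, not Twitter's.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumption: how long after the change a reset is suspicious


def parse_ts(s):
    """Timestamps are ISO-8601 strings; parse once so comparisons are cheap."""
    return datetime.fromisoformat(s)


def find_takeover_chains(events, window=WINDOW):
    """Return one finding per (staff email change -> password reset to new email) pair.

    Only staff-driven changes are considered, because the article's attack went
    through an internal dashboard rather than the user's own settings page.
    """
    by_account = {}
    for e in sorted(events, key=lambda e: parse_ts(e["ts"])):
        by_account.setdefault(e["account"], []).append(e)

    findings = []
    for account, evs in by_account.items():
        for i, change in enumerate(evs):
            if change["action"] != "email_changed" or change["actor_type"] != "staff":
                continue
            t0 = parse_ts(change["ts"])
            for later in evs[i + 1:]:
                if parse_ts(later["ts"]) - t0 > window:
                    break  # events are sorted, so nothing further can be in-window
                if (later["action"] == "password_reset"
                        and later.get("reset_email") == change.get("new_email")):
                    findings.append({
                        "account": account,
                        "staff_actor": change["actor"],
                        "new_email": change["new_email"],
                        "minutes_between": (parse_ts(later["ts"]) - t0).seconds // 60,
                    })
    return findings


# Constructed sample events, not real data.
SAMPLE_EVENTS = [
    # staff changes the address, reset goes to the new address four minutes later: flag it
    {"ts": "2020-07-15T20:00:00", "account": "@verified_a", "action": "email_changed",
     "actor_type": "staff", "actor": "support-42", "new_email": "attacker@example.net"},
    {"ts": "2020-07-15T20:04:00", "account": "@verified_a", "action": "password_reset",
     "actor_type": "system", "actor": "reset-flow", "reset_email": "attacker@example.net"},
    # the account owner changes their own address and resets: self-service, not flagged here
    {"ts": "2020-07-15T21:00:00", "account": "@user_b", "action": "email_changed",
     "actor_type": "user", "actor": "@user_b", "new_email": "b.new@example.org"},
    {"ts": "2020-07-15T21:02:00", "account": "@user_b", "action": "password_reset",
     "actor_type": "system", "actor": "reset-flow", "reset_email": "b.new@example.org"},
    # staff change followed by a reset two hours later: outside the window
    {"ts": "2020-07-15T22:00:00", "account": "@user_c", "action": "email_changed",
     "actor_type": "staff", "actor": "support-7", "new_email": "c.new@example.org"},
    {"ts": "2020-07-16T00:00:00", "account": "@user_c", "action": "password_reset",
     "actor_type": "system", "actor": "reset-flow", "reset_email": "c.new@example.org"},
]

if __name__ == "__main__":
    for f in find_takeover_chains(SAMPLE_EVENTS):
        print(f"{f['account']}: email changed by {f['staff_actor']} to {f['new_email']}, "
              f"reset {f['minutes_between']} min later")
```

The rule is deliberately narrow (staff actor, reset to the freshly-set address, short window) so that it fires on the dashboard abuse path without drowning in routine self-service changes; whether to widen it to user-initiated changes is a judgement call for the team that owns the alert.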

The bitcoin address used in the crypto scam ended up receiving nearly $120,000 USD worth of bitcoin, all of which has been shuffled off into different accounts. It’s an old and simple scam, but was apparently rather believable because the messages were posted by verified Twitter accounts.

Screenshot from Motherboard

A series of screenshots have been posted, claiming to be the internal Twitter dashboard used in the attack, and that dashboard has raised more than a few eyebrows. First off, the fact that Twitter employees can directly change an account’s email address is asking for trouble. Even more interesting are the tags that can be added to an account. “Trends Blacklist” and “Search Blacklist” do call to mind the rumors of shadow-banning, but at this point it’s impossible to know the details. Motherboard is reporting that Twitter is removing that screenshot across the board when it’s posted, and even suspending accounts that post it. Of course, they’d do that if it were faked as well, so who knows?

Today’s Twitter Hack Is New Take On “Nigerian Prince” Scam

Don’t send bitcoin to celebrities… or to random people for that matter. This afternoon a number of high profile Twitter accounts were taken over, including Joe Biden, Bill Gates, Elon Musk, Apple, Jeff Bezos, and Kanye West, and the event appears to be ongoing. Each displayed a message saying they wanted to “give back” by doubling the bitcoin that they are sent. The messages all appear to have the same bitcoin wallet address.

This is reminiscent of the “Nigerian prince” scams, a form of advance-fee scam where an email asks for help with a small sum of money in order to obtain a larger sum. Those usually arrive as spam emails, which most people are wise to at this point. A message that appears to come from a verified celebrity account, however, still catches plenty of people off guard when the platform itself has been misused.

Bitcoin transactions can be viewed publicly, and this wallet is showing 11.8 BTC in and 5.8 BTC out across a total of 288 transactions. The net is roughly 6 bitcoin, or $55k USD at the time of writing. Twitter’s response appears to have blocked all verified accounts from publishing new tweets; they retain the ability to retweet and delete existing tweets.


The Many Methods Of Communicating With Submarines

It sometimes seems hard to believe that we humans have managed to explore so little of what we have so much of: the seas. Oceans cover something like 70 percent of the world’s surface, but we’ve only mapped 20 percent of the ocean floor. The 228,000 ocean-dwelling species that we know about represent about ten percent of the estimated total aquatic species. And almost all the life we know about, and the area that we’ve explored thoroughly, is limited to the first few hundred meters from the surface.

The paucity of our deep-water investigatory efforts has a lot to do with the hostility of the sea to those who haven’t evolved to survive in it. It takes extreme engineering and fantastically expensive machines to live and work even a few meters down, and even then submariners quickly become completely isolated from the rest of the world once they’re down there. Underwater communication is particularly challenging, since the properties of seawater confound efforts to use it as a communications medium.

Challenging though it may be, underwater communication is possible, and in this article we’ll take a look at a few modalities that have made operating under the sea possible, and a new technology that might just extend the Internet below the waves.


Roboticist Grant Imahara Of Mythbusters Fame Dies Of Aneurysm At Age 49

We awoke this morning to the sad news of the premature passing of Grant Imahara at the age of 49 due to a brain aneurysm. Grant was best known for his role on the wildly popular Mythbusters television show, on which he starred and built test apparatus for seasons three through twelve. He landed this role because he was a badass hardware hacker as much as he was an on-camera personality.

Grant received his degree in electrical engineering from USC in 1993 and landed a job with Lucasfilm, finding his way onto the Industrial Light and Magic team to work on blockbuster films like the Star Wars prequels (R2-D2 among other practical effects) and sequels to Terminator and The Matrix. Joining the Mythbusters team in 2005 was something of a move to rapid prototyping. Each of the 22-minute episodes operated on a 10-day build-and-film cycle in which Grant was often tasked with designing and fabricating test rigs for repeatable testing with tightly controlled parameters.

After leaving the show, Grant pursued several acting opportunities, including the Kickstarter funded web series Star Trek Continues which we reported on back in 2013. But he did return to the myth busting genre with one season of The White Rabbit Project on Netflix. One of the most genuinely geeky appearances Grant made was on an early season of Battlebots where his robot ‘Deadblow’ sported a wicked spiked hammer. Video of his appearance in the quarter-finals is like a time-capsule in hacker history and guaranteed to bring a smile to your face.

Grant Imahara’s legacy is his advocacy of science and engineering. He was a role model who week after week proved that questioning how things work, and testing a hypothesis to find answers is both possible and awesome. At times he did so by celebrating destructive force in the machines and apparatus he built. But it was always done with observance of safety precautions and with a purpose in mind (well, perhaps with the exception of the Battlebots). His message was that robots and engineering are cool, that being a geek means you know what the heck you’re doing, and that we can entertain ourselves through creating. His message lives on through countless kids who have grown up to join engineering teams throughout the world.

Grant was the headliner at the first Hackaday Superconference in San Francisco back in 2015. I’ve embedded the fireside chat below where you can hear in his own words what inspired Grant, along with numerous stories from throughout his life.


Mergers And Acquisitions: Analog Devices Snaps Up Maxim Integrated For $21 B

Analog Devices will acquire Maxim Integrated for $20.9 billion dollars in stock, as reported by Bloomberg this morning.

Perhaps the confusing part of the news is that the Bloomberg article mentions the acquisition will let Analog Devices better compete with Texas Instruments. Wait, didn’t Texas Instruments acquire Maxim back in 2015? Actually, no. There were rumors (reported then by Bloomberg) that TI was nearing an acquisition deal but it fell through in January of 2016.

You may remember that Analog Devices snapped up Linear Tech in a roughly $15 B acquisition that closed back in 2017. Considering this morning’s news, how will they compare to the might of TI? Looks like 2019 revenue for TI was $14.38 B while Analog reported $5.99 B. Add in Maxim’s revenue of $3.1 B and there’s still a David and Goliath scenario here. Although revenue doesn’t tell the whole story, and the proverbial slingshot for Analog may be its existing portfolio of high-margin devices, grown even larger with this acquisition.

Considering how the last half decade played out, this might mark the beginning of another wild cycle of mergers and acquisitions. The consolidation trend continues as we approach a world where just a few gigantic semiconductor companies turn production lines up to eleven to fill the world’s insatiable appetite for more powerful electronics (and more electronics in general).

This Week In Security: F5, Novel Ransomware, Freta, And Database Woes

The big story of the last week is a problem in F5’s BIG-IP devices. A rather trivial path traversal vulnerability allows an unauthenticated user to call endpoints in the Traffic Management User Interface (TMUI) that are intended to be restricted to authenticated users. The trick is the “..;” segment: the Apache front end that decides whether a request is allowed without a login treats it as a literal directory name under login.jsp, while the Java servlet container behind it strips the “;” path parameter, resolves the “..”, and dispatches to a completely different page. That attack can apparently be as simple as:

'https://[F5 Host]/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin'

A full exploit has been added to the Metasploit framework. The timeline on this bug is frighteningly quick, as it’s apparently being actively exploited in the wild. F5 devices are used all over the world, and this vulnerability requires no special configuration, just network access to the management port. Thankfully F5 devices don’t expose the vulnerable interface to the internet by default, but there are still plenty of ways this can be a problem.
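For anyone combing access logs for attempts like the one above, the useful signal is the disagreement between the two views of the path. The following is an added example, not F5’s code and not the Metasploit module: it models the front end as “collapse ‘..’ but keep ‘;’ literal” and the servlet container as “strip ‘;params’ from each segment, then collapse ‘..’”, flags requests where the two diverge and the backend view escapes the login page, and runs that over a few constructed log lines. The log format, the allowed prefix, and the exact resource the container ends up serving are assumptions for illustration.

```python
"""Spot the BIG-IP TMUI '..;' path-traversal pattern in web access logs.

Added example for this article; not F5 code and not the Metasploit module.
The log lines below are constructed. The detection keys on the normalization
mismatch: an Apache-style front end keeps a '..;' segment literal (so the
request still starts with /tmui/login.jsp and is allowed unauthenticated),
while a servlet container drops ';path-params' first and then resolves '..'.
"""
import posixpath
import re
from urllib.parse import unquote

# Apache combined-log request field: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Prefix the front end allows without a login (assumption for the example).
LOGIN_PREFIX = "/tmui/login.jsp"


def _decode_path(target):
    """Percent-decode once and drop the query string."""
    return unquote(target.split("?", 1)[0])


def frontend_view(target):
    """Front-end view: '.' and '..' collapsed, ';' kept as ordinary characters."""
    return posixpath.normpath(_decode_path(target))


def backend_view(target):
    """Servlet-container view: ';params' stripped per segment, then '..' collapsed.

    The exact resource the container finally dispatches to depends on its
    context mapping; what matters here is that it is no longer under login.jsp.
    """
    stripped = "/".join(seg.split(";", 1)[0] for seg in _decode_path(target).split("/"))
    return posixpath.normpath(stripped)


def check_request(target):
    """Return a finding when the front end would allow the request as the login
    page but the backend resolves it somewhere else; otherwise None."""
    front, back = frontend_view(target), backend_view(target)
    if front == back:
        return None
    if front.startswith(LOGIN_PREFIX) and not back.startswith(LOGIN_PREFIX):
        return {"target": target, "frontend_path": front, "backend_path": back}
    return None


def scan(lines):
    """Run check_request over raw log lines, attaching the client address."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        finding = check_request(m.group("target"))
        if finding:
            finding["client"] = line.split(" ", 1)[0]
            findings.append(finding)
    return findings


# Constructed sample log, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Jul/2020:10:12:01 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 1873',
    '203.0.113.7 - - [05/Jul/2020:10:12:03 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin HTTP/1.1" 200 512',
    # same thing with the semicolon percent-encoded
    '198.51.100.9 - - [05/Jul/2020:10:13:10 +0000] "GET /tmui/login.jsp/..%3B/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin HTTP/1.1" 200 512',
    # a normal session-id path parameter: views differ, but both stay under login.jsp
    '192.0.2.4 - - [05/Jul/2020:10:13:30 +0000] "GET /tmui/login.jsp;jsessionid=ABC123 HTTP/1.1" 200 1873',
    # direct authenticated call, no traversal: not this rule's business
    '10.0.0.5 - - [05/Jul/2020:10:14:22 +0000] "POST /tmui/locallb/workspace/tmshCmd.jsp HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['client']}: {f['frontend_path']} -> {f['backend_path']}")
```

Because it decodes before comparing, the check catches the `%3B` variant as well as the literal semicolon; the `jsessionid` line shows why the rule compares the two views rather than simply alerting on any `;` in a path.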

Freta

Microsoft has made a new tool publicly available, Freta. This tool searches for rootkits in uploaded memory snapshots from a Linux VM. The name, appropriately, is taken from the street where Marie Curie was born.

The project’s namesake, Warsaw’s Freta Street, was the birthplace of Marie Curie, a pioneer of battlefield imaging.

The impetus behind the project is the realization that once a malicious actor has compromised a machine, it’s possible to compromise any security software running on that machine. If, instead, one could perform a security x-ray of sorts, then a more reliable conclusion could be reached. Freta takes advantage of the VM model, and the snapshot capability built into modern hypervisors.


Bridge Over Trebled Water: How The Golden Gate Bridge Started To Sing

Throughout the spring, some Bay Area residents from Marin County to the Presidio noticed a sustained, unplaceable high-pitched tone. In early June, the sound reached a new peak volume, and recordings of the eerie noise spread across Twitter and Facebook. Soon after, The Golden Gate Bridge, Highway, & Transportation District, the agency responsible for the iconic suspension bridge’s maintenance, solved the mystery: The sound was due to high winds blowing through the slats of the bridge’s newly-installed sidewalk railing. Though a more specific explanation was not provided, the sound is most likely an Aeolian tone, a noise produced when wind blows over a sharp edge, resulting in tiny harmonic vortices in the air.

The modification of the Golden Gate Bridge railing is the most recent and most audible element of a multi-phase retrofit that has been underway since 1997. Following the magnitude 6.9 Loma Prieta Earthquake in 1989, The Golden Gate Bridge, Highway, & Transportation District (The District) began to prepare the iconic bridge for the wind and earthquake loads that it may encounter in its hopefully long life. Though the bridge had already withstood the beating of the Bay’s strong easterly winds and had been rattled by minor earthquakes, new analysis technology and construction methods could help the span hold strong against any future lateral loading. The first and second phases of the retrofit targeted the Marin Viaduct (the bridge’s north approach) and the Fort Point Arch respectively. The third and current phase addresses the main span.
