Microsoft Bug Tracking Hacked

It seems that the database containing descriptions of critical and unfixed bugs and/or vulnerabilities in some of the most widely used software in the world, including the Windows operating system, was hacked back in 2013. This database is basically gold for any security researcher, regardless of the color of their hat. To know which programs fail and the preconditions for that to happen is half an exploit right there.

Microsoft discovered the database breach in early 2013 after the highly skilled hacking group Morpho a.k.a. Butterfly a.k.a. Wild Neutron broke into computers at a number of major tech companies, including Apple, Facebook, and Twitter. The group exploited a flaw in the Java programming language to penetrate employees’ Apple Macintosh computers and then use them as pivots into the company internal network.

Official sources say that the Microsoft bug database was poorly protected, with access possible via little more than a password. Four years later, we have official confirmation that it happened. To measure the breach impact, Microsoft started a study to correlate the potential flaws in their databases and subsequent attacks. The study found that the flaws in the stolen database were actually used in cyber attacks, but Microsoft argued the hackers could have obtained the information elsewhere, and that there’s “no evidence that the stolen information had been used in those breaches.”

There is really no way to know besides asking the actual hacking group, which will most likely not happen… unless they are HaD readers, in which case they can feel free to comment.

[via Reuters]

Bad RSA Library Leaves Millions Of Keys Vulnerable

So, erm… good news everyone! A vulnerability has been found in a software library responsible for generating RSA key pairs used in hardware chips manufactured by Infineon Technologies AG. The vulnerability, dubbed ROCA, allows for an attacker, via a Coppersmith’s attack, to compute the private key starting with nothing more than the public key, which pretty much defeats the purpose of asymmetric encryption altogether.

Affected hardware includes cryptographic smart cards, security tokens, and other secure hardware chips produced by Infineon Technologies AG. The library with the vulnerability is also integrated in authentication, signature, and encryption tokens of other vendors and chips used for Trusted Boot of operating systems. Major vendors including Microsoft, Google, HP, Lenovo, and Fujitsu already released software updates and guidelines for mitigation.

The researchers found and analysed vulnerable keys in various domains including electronic citizen documents (750,000 Estonian identity cards), authentication tokens, trusted boot devices, software package signing, TLS/HTTPS keys and PGP. The currently confirmed number of vulnerable keys found is about 760,000 but could be up to two to three orders of magnitude higher.

Devices dating back to at least 2012 are affected, despite being NIST FIPS 140-2 and CC EAL 5+ certified. The vulnerable chips were not necessarily sold directly by Infineon Technologies AG, as the chips can be embedded inside devices of other manufacturers.
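The reason the public key alone gives the attack a foothold is that the flawed generator produced primes of the form p = k·M + (65537^a mod M), with M a product of small primes, so the modulus N = p·q is congruent to a power of 65537 modulo every small prime dividing M. A random RSA modulus almost never has that property, which makes the structure cheap to detect. The check below is an added example written for this page, not the researchers' own tool; it only flags the vulnerable structure and does not attempt the Coppersmith step, and the `synthetic_roca_modulus` helper builds a constructed test value whose factors are not checked for primality.

```python
from math import prod

# The first 38 odd primes, 3 through 167; their product is the M used here.
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53,
                59, 61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109,
                113, 127, 131, 137, 139, 149, 151, 157, 163, 167]
M = prod(SMALL_PRIMES)
GENERATOR = 65537


def _power_residues(p: int, g: int = GENERATOR) -> frozenset:
    """All values g^k mod p, i.e. the subgroup of Z_p^* generated by g."""
    residues, x = set(), 1
    while True:
        residues.add(x)
        x = (x * g) % p
        if x == 1:          # cycled back to the identity: subgroup complete
            break
    return frozenset(residues)


# Precompute, per small prime, which residues a ROCA-structured N may have.
RESIDUES = {p: _power_residues(p) for p in SMALL_PRIMES}


def is_roca_fingerprint(n: int) -> bool:
    """True if n is a power of 65537 modulo every small prime in M.

    A modulus built from k*M + 65537^a style primes always passes; an
    ordinary RSA modulus fails at some prime with overwhelming probability.
    """
    return all(n % p in RESIDUES[p] for p in SMALL_PRIMES)


def synthetic_roca_modulus(k1: int, a: int, k2: int, b: int) -> int:
    """Constructed value with the vulnerable structure, for testing only.

    The factors are not checked for primality, so this is NOT a usable RSA
    key; it only reproduces the residue pattern the fingerprint detects.
    """
    p = k1 * M + pow(GENERATOR, a, M)
    q = k2 * M + pow(GENERATOR, b, M)
    return p * q
```

Modulo 11, for instance, 65537 ≡ 10, so a vulnerable N must be 1 or 10 mod 11; a constructed product such as 1000003 · 1000033 is 4 mod 11 and is rejected.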


Dubai Police Test Quadcopter Motorcycle

If you ever wish you could be on your quadcopter when you fly it, you will really want to see the video showing the Dubai police department testing the Hoverbike. The Russian company Hoversurf that markets the device doesn’t provide a lot of technical details, but it looks fairly simple. It is basically a motorcycle seat along with a big quadcopter. From the videos about the device, you can deduce that the pilot can control it or you can fly it remotely. You can see one of the videos, below.

There are a few things that worry us here. Of course, the huge spinning propellers at the pilot’s knee level should give you sweaty palms. In the demo, they even show the removal of the propeller guards before the test flight but let’s be honest, those don’t look like they would keep a falling pilot out of the rotors at all anyway. When looking beyond the hype we find it curious that the demo doesn’t show many (if any) shots of the pilot making a turn. The benefit of a vehicle like this to police should be maneuverability and from what we saw the Hoversurf is still limited.

So is it real? Hard to say. The short videos mostly show vertical or horizontal flight with no maneuvering. Is it hard to turn? Is the battery life really short? One other oddity: When we first saw a letter from the US Patent Office on their site, we thought they might have some new technology. However, that letter is simply showing they registered a trademark and doesn’t reference a patent. If there is a patent we want to know what is new and novel here.

Of course, we know it’s possible to build such a machine since we saw [Colin Furze] do it with two rotors instead of four. The US Department of Defense is working on something with a company called Malloy and there are other practical examples. There are also some less practical examples. What we’re really on the lookout for is a product that works so well it will actually be used. You know, like those Segways that airport police use, right?

We hope Hoversurf can bring this to market because we definitely want one. There’s no reason to think they can’t, but we do wish there were more details forthcoming.

Carbon Quantum Dots In Your Favorite Color

Citizen scientist extraordinaire [Thought Emporium] put out a new video about colorful quantum dots which can be seen below the break. Quantum dots are a few nanometers wide and you can tell which size they are by which color they fluoresce. Their optical and electrical properties vary proportionally with size so red will behave differently than purple but we doubt they will taste like “cherry” and “grape.” Let’s not find out. This makes sense when you realize that a diamond will turn into black powder if you pulverize it. Carbon is funny like that.

[Thought Emporium] uses the video for two purposes. The first is to demonstrate the process he uses to make different sizes of quantum dot in his home lab. The second purpose is to implore the scientific community, in general, to take better care when publishing scientific papers. A flimsy third reason is to show that the show must go on. Partway through, all the batteries for his light were dead so he hastily soldered a connection for his benchtop power supply.

We’ve mentioned [Thought Emporium] a few times before. Another of his carbon-based experiments involved graphene creation. How about magnetic DNA extraction? [Thought Emporium] did that too. If you can’t get enough magnets, how about implanting one?


Happy Ada Lovelace Day!

Today is Ada Lovelace Day, a day to celebrate and encourage women in the fields of science and technology. The day is named after Augusta Ada King-Noel, Countess of Lovelace, born Byron. (You can see why we just call her Ada Lovelace.) She was a brilliant mathematician, and the writer of what’s probably the first real computer program — it computed the Bernoulli series. At least according to Charles Babbage, in correspondence to Michael Faraday, she was an “enchanted math fairy”. Not only a proto-coder, she wrote almost all of the existing documentation about Babbage’s computation engine. She’s a stellar example of a brilliant and unique individual. If you were looking for a superhero to represent women in science and tech, Ada’s a good pick.

In our minds, she gets stiff competition from Marie Curie. Curie did fundamental research on radioactivity, is one of two people with Nobel Prizes in two different sciences, and got to name the two elements that she discovered. 2011 was the Year of Marie Curie in France and Poland. She has her own year in addition to her own unit. Even Spiderman doesn’t have those radioactive super powers!

Don’t Need Another Hero?

But on a day dedicated to getting more women into the technical arts, it’s also a little bit daunting to pick Lovelace or Curie as a symbol. Are you ever going to have something that equals “first computer program” or “two Nobel Prizes” on your résumé? We aren’t. It’s great to have heroes, but maybe we need more than just heroes — we also need mentors.


Screwdriving

Screwdriving! It’s like wardriving but instead of discovering WiFi networks, the aim is to discover Bluetooth Low Energy (BLE) devices of a special kind: adult toys. Yes, everything’s going to be connected, even vibrators. Welcome to the 21st century.

Security researcher [Alex Lomas] recently found that a lot of BLE-enabled adult toys are completely vulnerable to malicious attacks. In fact, they are basically wide open to anyone by design.

“Adult toys lend themselves to being great testbeds for IoT research: they’re BLE, they’re relatively cheap, they’re accessible and have companion apps for the full spectrum of testing.”

Yes… great test beds… Erm, anyway, [Alex Lomas] found that there is no PIN nor password protection, or the PIN is static and generic (0000 / 1234) on every Bluetooth adult toy analysed. Manufacturers don’t want to go through the hassle, presumably because sex toys lack displays that would enable a classic Bluetooth pairing, with random PIN and so on. While this might be a valid point, almost all electronic appliances have an “ON/OFF” button for input and some LED (or even vibration in these cases) that allow some form of output. It could be done, and it’s not like vibrators are the only minimalistic appliances out there in the IoT world.

Although BLE security is crippled by design (PDF), it is possible to add security on top of flawed protocols. The average web-browser does it all the time. The communications don’t have to be clear-text where you can literally see “Vibrate:10” flying around in packets. Encryption could be implemented on top of the BLE link between the app and the device, for instance. Understandably, security in some devices is not absolutely critical. That being said, the security bar doesn’t have to be lowered to zero — it’s not safe for work or play.

[via Arstechnica]

Project Loon Will Float LTE To Puerto Rico

Some of the biggest names in technology have offered their help in rebuilding Puerto Rico’s infrastructure. The newest name on the list? The X division of Alphabet, who want to help fill the huge communications gap using Project Loon, their high-altitude balloon network. It looks like X is going to get their wish, as they have just been granted a license from the FCC to deploy LTE cell coverage to both Puerto Rico and the US Virgin Islands.

The plan is to launch 30 balloons that will act as a network of floating cell towers to radiate an LTE signal originating from the ground. This coverage would be a great boon to a devastated communications infrastructure, but it won’t be a cakewalk to implement. Some handsets of both major persuasions will require a temporary over-the-air update before they can use Project Loon’s network. For phones that can’t operate on Band 8, it won’t work at all. Even so, it’s a great start.

Now you would think that an emergency communications restoration plan like this would be met by all parties with open arms and a circle of pats on the back, but this solution requires a lot of cooperation. One of the major hurdles was to secure spectrum rights from some if not all of the incumbent wireless carriers. Miraculously, eight of them have agreed to hand over their bandwidth. Another issue is that the FCC license is only good for six months, although they would probably entertain an extension given the circumstances. Finally, the dual ownership of the Virgin Islands makes the situation even more complicated, as X must agree not to infringe upon the wireless coverage footprint of the British Virgin Islands.

Via r/Futurology