This Week In Security: Echospoofing, Ransomware Records, And Github Attestations

It’s a bit of bitter irony, when a security product gets used maliciously, to pull off the exact attack it was designed to prevent. Enter Proofpoint, and the EchoSpoofing attack. Proofpoint offers an email security product, filtering spam and malicious incoming emails, and also handling SPF, DKIM, and DMARC headers on outgoing email. How does an external service provide those email authentication headers?

One of the cardinal sins of running an email server is to allow open relaying. That’s when anyone can forward email through an SMTP server without authentication. What we have here is two nearly open relays that, chained together, wound up with spoofed emails getting authenticated just like the real thing. The first offender is Microsoft’s Office365, which seems to completely skip checking for email spoofing when SMTP relaying is done from an allowed IP address. This means a valid Office365 account allows sending emails as any address. The other half relies on the way Proofpoint works normally: it accepts SMTP traffic from certain IP addresses and adds the authentication headers to those emails. There’s an option in Proofpoint to add the Microsoft Office 365 servers to that list, and apparently quite a few companies simply select that option.

The end result is that a clever spammer can send millions of completely legitimate-looking emails every day, convincing even to sophisticated users. Over six months of activity, averaging three million emails a day, this campaign managed just over half a billion malicious emails from multiple high-profile domains.

The good news here is that Proofpoint and Guardio discovered the scheme, and worked with Microsoft to develop the X-OriginatorOrg header that is now applied to every email sent from or through the Office365 servers. This header marks the account tenant the email belongs to, giving vendors like Proofpoint a simple way to determine email validity.


A New Era For US Passenger Rail?

Here in the United States, we’re lagging behind the rest of the world when it comes to shiny new passenger rail, despite being leaders in previous centuries. The Federal Railroad Administration (FRA) has just released a story map of how the US could close the gap (a little).

The Corridor Identification and Development (CID) Program is a way for FRA to provide both funding and technical assistance as corridor sponsors (mostly state Departments of Transportation) evaluate either new intercity service or expansion of existing services. While it isn’t a guarantee of anything, it is a step in the right direction to rebuilding passenger rail capacity in the US.

Some cities would be getting rail service back for the first time in decades, and perhaps even more exciting is that several of the routes being studied are for high-speed rail “primarily or solely on new trackage.” As any railfan can tell you, vintage rails aren’t the best for trains going fast (sorry, Acela). With recent polling showing strong public support for the build-out of high-speed rail, it’s an exciting time for those who prefer to travel by rail.

We don’t think you’ll be able to ride a gyro monorail, a nuclear-powered train, or a jet train on these proposed routes, but we do hope that Amtrak and FRA are looking to the state of the art when it comes to those high-speed alignments. While you’re eagerly awaiting new passenger service, might we recommend this field guide to what all those different freight cars going by are for here in North America?

LightBurn Turns Back The Clock, Bails On Linux Users

Angry Birds, flash mobs, Russell Brand, fidget spinners. All of these were virtually unavoidable in the previous decade, and yet, like so many popular trends, have now largely faded into obscurity. But in a recent announcement, the developers of LightBurn have brought back a relic of the past that we thought was all but buried along with Harambe — popular software not supporting Linux.

But this isn’t a case of the developers not wanting to bring their software to Linux. LightBurn, the de facto tool for controlling hobbyist laser cutters and engravers, was already multi-platform. Looking forward, however, the developers claim that too much of their time is spent supporting and packaging the software for Linux relative to the size of the user base. In an announcement email sent out to users, they reached even deeper into the mid-2000s bag of excuses, and cited the number of Linux distributions as a further challenge:

The segmentation of Linux distributions complicates these burdens further — we’ve had to provide three separate packages for the versions of Linux we officially support, and still encounter frequent compatibility issues on those distributions (or closely related distributions), to say nothing of the many distributions we have been asked to support.

We’re not sure how much of their time could possibly be taken up by responding to requests for supporting additional distributions (especially when the answer is no), but apparently, it was enough that they finally had to put their foot down — the upcoming 1.7.00 release of LightBurn will be the last to run on Linux.


End Of An Era: Sony Cuts Production Of Writable Optical Media

The 1990s saw a revolution occur, launched by the CD burner. As prices of writable media and drives dropped, consumers rushed to duplicate games, create their own mix CDs, and back up their data on optical disc. It was a halcyon time.

Fast forward to today, and we’re very much on a downward curve when it comes to optical media use. Amidst ever-declining consumer interest, Sony has announced it will cut production of writable optical media. Let’s examine what’s going on, and explore the near future for writable optical discs.


You Can Use LEDs As Sensors, Too

LEDs are a wonderful technology. You put in a little bit of power, and you get out a wonderful amount of light. They’re efficient, cheap, and plentiful. We use them for so much!

What you might not have known is that these humble components have a secret feature, one largely undocumented in the datasheets. You can use an LED as a light source, sure, but did you know you can use one as a sensor?


Desiccants, Tested Side By Side

We’re so used to seeing a little sachet of desiccant drop out of a package when we open it that we seldom consider these essential substances. But anyone who spends a while around 3D printing soon finds the need to dry their filament, and knowing a bit about the subject becomes of interest. It’s refreshing then to see [Big Clive] do a side-by-side test of a range of commonly available desiccants. Of silica gel, bentonite, easy-cook rice, zeolite, or felight, which is the best? He subjects them to exactly the same conditions over a couple of months, and weighs them to measure how much water each has absorbed.

The results are hardly surprising, in that silica gel wins by a country mile. Perhaps the interesting part comes in exploding the rice myth; while the rice does have some desiccant properties, it’s in fact not the best of the bunch despite being the folk remedy for an immersed mobile phone.

Meanwhile, this isn’t the first time we’ve looked at desiccants; in the past we’ve featured activated alumina.


This Week In Security: Snowflake, The CVD Tension, And Kaspersky’s Exit — And Breaking BSOD

In the past week, AT&T has announced an absolutely massive data breach. This is sort of a multi-layered story, but it gives me an opportunity to use my favorite piece of snarky IT commentary: The cloud is a fancy way to talk about someone else’s servers. And when that provider has a security problem, chances are, so do you.

The provider in question is Snowflake, who first made the news in the Ticketmaster breach. As far as anyone can tell, Snowflake has not actually been directly breached, though it seems that researchers at Hudson Rock briefly reported otherwise. That post has not only been taken down, but also scrubbed from the Wayback Machine, apparently in response to a legal threat from Snowflake. Ironically, Snowflake has confirmed that one of their former employees was compromised, but Snowflake is certain that nothing sensitive was available from the compromised account.

At this point, it seems that the twin problems are that big organizations aren’t properly enforcing security policy like two-factor authentication, and Snowflake just doesn’t provide the tools to set effective security policy. The Mandiant report indicates that all the breaches were the result of credential stealers and other credential-based techniques like credential stuffing.