This Week In Security: CVSS 4, OAuth, And ActiveMQ

We’ve talked a few times here about the issues with the CVSS system. We’ve seen CVE farming, where a moderate issue, or even a non-issue, gets assigned a ridiculously high CVSS score. There are times a minor problem in a library is a major problem in certain use cases, and not an issue at all in others. And with some of those issues in mind, let’s take a look at the fourth version of the Common Vulnerability Scoring System.

One of the first tweaks to cover is the de-emphasis of the base score. Version 3.1 did have optional metrics that were intended to temper the base score, but this revision has beefed that idea up with Threat Metrics, Environmental Metrics, and Supplemental Metrics. These are an attempt to measure how likely it is that an exploit will actually be used. The various combinations have been given names. Where CVSS-B is just the base metric, CVSS-BT is the base and threat scores together. CVSS-BE is the mix of base and environmental metrics, and CVSS-BTE is the combination of all three.

Another new feature is multiple scores for a given vulnerability. A problem in a library is first considered in a worst-case scenario, and the initial base score is published with those caveats made clear. And then for each downstream program that uses that library, a new base score should be calculated to reflect the reality of that case.
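The nomenclature described above is decided by which metric groups a vector string actually supplies, not by anything the publisher claims. The following is an added example, not code from the article or from FIRST: it parses a CVSS v4.0 vector string, rejects malformed ones, and reports whether it is CVSS-B, CVSS-BT, CVSS-BE or CVSS-BTE. The metric abbreviations are the ones defined in the CVSS v4.0 specification; the sample vectors are constructed for illustration and do not describe any real vulnerability.

```python
"""Classify a CVSS v4.0 vector string into the B / BT / BE / BTE nomenclature.

Added example, not code from the article. Metric names follow the CVSS v4.0
specification; the sample vectors at the bottom are constructed.
"""

# Metric groups as named in the CVSS v4.0 specification.
BASE = {"AV", "AC", "AT", "PR", "UI", "VC", "VI", "VA", "SC", "SI", "SA"}
THREAT = {"E"}
ENVIRONMENTAL = {"CR", "IR", "AR", "MAV", "MAC", "MAT", "MPR", "MUI",
                 "MVC", "MVI", "MVA", "MSC", "MSI", "MSA"}
SUPPLEMENTAL = {"S", "AU", "R", "V", "RE", "U"}
KNOWN = BASE | THREAT | ENVIRONMENTAL | SUPPLEMENTAL

PREFIX = "CVSS:4.0"
NOT_DEFINED = "X"  # default value of every non-base metric: "not supplied"


def parse_vector(vector: str) -> dict[str, str]:
    """Split a v4.0 vector into {metric: value}, rejecting malformed input.

    Raises ValueError for a wrong version prefix, a malformed or unknown
    metric, a duplicated metric, or a missing base metric.
    """
    head, *parts = vector.strip().split("/")
    if head != PREFIX:
        raise ValueError(f"expected {PREFIX} prefix, got {head!r}")
    metrics: dict[str, str] = {}
    for part in parts:
        name, sep, value = part.partition(":")
        if not sep or not value:
            raise ValueError(f"malformed metric {part!r}")
        if name not in KNOWN:
            raise ValueError(f"unknown metric {name!r}")
        if name in metrics:
            raise ValueError(f"duplicate metric {name!r}")
        metrics[name] = value
    missing = BASE - metrics.keys()
    if missing:
        raise ValueError(f"missing base metrics: {sorted(missing)}")
    return metrics


def _supplied(metrics: dict[str, str], group: set[str]) -> bool:
    """True if any metric of the group is present with a value other than X."""
    return any(metrics.get(m, NOT_DEFINED) != NOT_DEFINED for m in group)


def nomenclature(vector: str) -> str:
    """Return CVSS-B, CVSS-BT, CVSS-BE or CVSS-BTE for the vector.

    Threat (T) and Environmental (E) only count when at least one of their
    metrics is actually supplied; supplemental metrics never change the name
    because they do not feed into the score.
    """
    metrics = parse_vector(vector)
    name = "CVSS-B"
    if _supplied(metrics, THREAT):
        name += "T"
    if _supplied(metrics, ENVIRONMENTAL):
        name += "E"
    return name


def is_valid(vector: str) -> bool:
    """Convenience wrapper: True if parse_vector() accepts the string."""
    try:
        parse_vector(vector)
    except ValueError:
        return False
    return True


# Constructed sample vectors (not taken from any real advisory).
SAMPLES = {
    "base only": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
    "base + threat": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A",
    "base + environment": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/CR:H/MAV:L",
    "all three": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/MVC:L",
    "threat left undefined": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X",
}

if __name__ == "__main__":
    for label, vec in SAMPLES.items():
        print(f"{label:>22}: {nomenclature(vec)}")
```

The "threat left undefined" sample is the case worth noticing: a vector that carries `E:X` looks like it has a threat metric but has not supplied one, so it is still a plain CVSS-B score and should be read with the worst-case caveats the article describes.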

The Taylor and Amy Show

The Avon Computer Goth Challenge

Hot on the heels of their musical debut, a 6502 song, the good folk at the Taylor and Amy Show are at it again. This time, instead of assaulting our auditory senses, they play with our perception of color, all while keeping the spirit of retro computing alive.

To back up a bit, I had the pleasure of witnessing the discovery of the Avon Beauty Vision Computer while at the Vintage Computer Festival Mid-West (VCFMW) this past September. We had visited the home of our friend [Jim W] from VCFMW who nonchalantly pulled down from the shelf the reddest computer I have ever seen.

A crowd quickly gathered around this newfound treat, designed and built before the invention of the blue LED, and the process of prying out its secrets began. I was not privy to the negotiations, but I did notice a brightly colored red suitcase being exfiltrated by highly trained operatives later that night.


Toy Gaming Controller Makes The Big Leagues

Some of the off-brand video game consoles and even accessories for the major brands can leave a lot to be desired. Whether it’s poor build quality or a general lack of support or updates, there are quite a few things on the market not worth anyone’s time or money. [Jonathan] was recently handed just such a peripheral, a toy game controller originally meant for a small child, but upon further inspection it turned into a surprisingly hackable platform, capable of plenty of IoT-type tasks.

The controller itself was easily disassembled, and the functional buttons within were wired to a Wemos D1 Mini instead of the originally planned ESP32, because of some wiring irregularities and the fact that the Wemos D1 Mini had the required amount of I/O. It’s still small enough to be sealed back inside the controller as well, powered by the batteries that would have powered the original controller.

For the software, [Jonathan] is using MQTT to register button presses with everything easily accessible over Wi-Fi, also making it possible to update the software wirelessly. He was able to use it to do a few things as proof-of-concept, including playing a game in PyGame and controlling a Sonos speaker, but for now he’s using it to control an LED sculpture. With something this easily modified, though, it would be pretty straightforward to use it instead for a home automation remote control, especially since it is already set up to use MQTT.


Black 4.0 Is The New Ultrablack

Vantablack is a special coating material, more so than a paint. It’s well known as one of the blackest coatings around, capable of absorbing almost all visible light in its nanotube structure. However, it’s complicated to apply, delicate, and not readily available, especially to those in the art world.

It was these drawbacks that led Stuart Semple to create his own incredibly black paint. Over the years, he’s refined the formula and improved its performance, steadily building a greater product available to all. His latest effort is Black 4.0, and it’s promising to be the black paint to dominate all others.


The UK Online Safety Bill Becomes Law, What Does It Mean?

We’ve previously reported from the UK about the Online Safety Bill, a piece of internet safety legislation that contains several concerning provisions relating to online privacy and encryption. UK laws enter the statutes by royal assent after being approved by Parliament, so with the signature of the King, it has now become the law of the land as the Online Safety Act 2023. Now that it’s beyond amendment, it’s time to take stock for a minute: what does it mean for internet users, both in the UK and beyond its shores?

Ham Radio May Speed Up Soon

The FCC is circulating a proposal for new rules pertaining to amateur radio in the United States. In particular, they want to remove certain baud rate restrictions that have been in place since 1980. It appears the relaxed rules would apply only to some bands, notably some VHF and UHF bands along with the 630 meter and 2200 meter bands, which — we think — are lightly used so far. We’ll save you from grabbing the calculator. That’s around 475 kHz and 136 kHz.

Ham radio operators have long used digital modes like radio teletype, and with restrictions on antennas and increasing interference from everything from wireless networking to solar panels, digital has become even more popular than in the past. Besides that, cheap computer soundcards make it easier than ever, and sophisticated digital modulation techniques have long left the old, clunky Teletype in the dust.

However, the FCC currently limits the baud rate to 300 baud or less, ostensibly to restrict signal bandwidth. No one wants to have an entire band consumed by a 10 Gb RF network. However, modern techniques often squeeze more into less and the FCC will finally recognize that by converting the limit to signal bandwidth, not baud rate.

What’s the bandwidth? For the common bands, it sounds like 2.8 kHz is the answer. For the VLF bands, they are asking for suggestions. The 2200 meter band isn’t even 2.8 kHz wide to start with!

All this talk makes us want to build something for the 2200 meter band. We better start winding the coil now. Then again, maybe we should go piezo. You know, just in case Thomas Dolby tells us that one of our submarines is missing.

This Week In Security: 1Password, Polyglots, And Roundcube

This week we got news of a security incident at 1Password, and we’re certain we aren’t the only ones hoping it’s not a repeat of what happened at LastPass. 1Password has released a PDF report on the incident, and while there are a few potentially worrying details, put into context it doesn’t look too bad.

The first sign that something might be amiss was an email from Okta on September 29th — a report of the current list of account administrators. Okta provides authentication and Single Sign-On (SSO) capabilities, and 1Password uses those services to manage user accounts and authentication. The fact that this report was generated without anyone from 1Password requesting it was a sign of potential problems.

And here’s the point where a 1Password employee was paying attention and saved the day, by alerting the security team to the unrequested report. That employee had been working with Okta support, and sent a browser session snapshot for Okta to troubleshoot. That data includes session cookies, and it was determined that someone unauthorized managed to access the snapshot and hijack the session, Firesheep style.

Okta logs seemed to indicate that the snapshot hadn’t been accessed, and there weren’t any records of other Okta customers being breached in this way. This pointed at the employee laptop. The report states that it has been taken offline, which is good. Any time you suspect malicious action on a company machine, the right answer is to power it off right away and start the investigation.

And here’s the one part of the story that gives some pause. Someone from 1Password responded to the possible incident by scanning the laptop with the free edition of Malwarebytes. Now don’t get us wrong, Malwarebytes is a great product for finding and cleaning the sort of garden-variety malware we tend to find on family members’ computers. The on-demand scanning of Malwarebytes free just isn’t designed for detecting bespoke malicious tools like a password management company should expect to be faced with.

But that turns out to be a bit of a moot point, as the real root cause was a compromised account in the Okta customer support system, as revealed on the 20th. The Okta report talks about stolen credentials, which raises a real question about why Okta support accounts aren’t all using two-factor authentication.
