This Week In Security: Session Puzzling, Session Keys, And Speculation

Last week we briefly mentioned a vulnerability in the Papercut software, and more details and a proof of concept have now been published. The vulnerability is one known as session puzzling: a session variable that is used for multiple purposes, or that gets set by code paths it should not be reachable from. In Papercut, it was possible to trigger the SetupCompleted class on a server that had already finished its initial setup process, and part of SetupCompleted marks the current user's session as an authenticated one. In a genuine first-setup flow that makes sense, but because anyone could trigger that code on an already-configured server, it let anonymous users jump straight to admin.
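To make the failure mode concrete, here is a small model of the bug described above, written for this page rather than taken from Papercut's code: a setup-completion handler that promotes whichever session called it, next to a hardened version that refuses to run once setup is done. The state, session and handler names are hypothetical.

```python
"""Illustrative model of a session-puzzling bug (added example, not PaperCut's code).

The setup-completion handler grants the calling session administrative rights,
which is fine during first-run setup but fatal if the handler stays reachable
after setup has finished. AppState, Session and the handler names are invented
for this demonstration.
"""
from dataclasses import dataclass, field


@dataclass
class AppState:
    setup_done: bool = False


@dataclass
class Session:
    data: dict = field(default_factory=dict)

    @property
    def role(self) -> str:
        return self.data.get("role", "anonymous")


class SetupAlreadyCompleted(Exception):
    """Raised when the setup endpoint is hit after initial setup finished."""


def setup_completed_vulnerable(state: AppState, session: Session) -> Session:
    # Vulnerable: assumes only the first-run flow ever reaches this point and
    # unconditionally promotes whatever session triggered it, even if setup
    # finished long ago and the caller is an anonymous visitor.
    session.data["role"] = "admin"
    state.setup_done = True
    return session


def setup_completed_hardened(state: AppState, session: Session) -> Session:
    # Hardened: the promotion is gated on the server-side setup flag, and the
    # admin rights land in a fresh session object rather than being written into
    # the caller's existing (possibly attacker-controlled) session.
    if state.setup_done:
        raise SetupAlreadyCompleted("setup endpoint called after initial setup")
    state.setup_done = True
    return Session(data={"role": "admin"})


def anonymous_reaches_admin(handler) -> bool:
    """Simulate an anonymous request to the handler on an already-set-up server."""
    state = AppState(setup_done=True)
    anon = Session()
    try:
        result = handler(state, anon)
    except SetupAlreadyCompleted:
        return False
    return result.role == "admin"


def first_run_still_works(handler) -> bool:
    """The legitimate first-run path must still hand out an admin session."""
    state = AppState(setup_done=False)
    return handler(state, Session()).role == "admin" and state.setup_done


if __name__ == "__main__":
    print("vulnerable handler, anonymous -> admin:", anonymous_reaches_admin(setup_completed_vulnerable))
    print("hardened handler, anonymous -> admin:", anonymous_reaches_admin(setup_completed_hardened))
```

The check that matters is the server-side `setup_done` gate: anything that decides authorization from "which code path am I in" rather than from persistent state is a candidate for exactly this class of bug.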

The other half of the exploit leverages the “print script” feature, which lets admins write code that runs on printing. A simple java.lang.Runtime.getRuntime().exec('calc.exe'); does the trick to jump from web interface to remote code execution. The indicators of compromise are reasonably generic, including the log lines “User "admin" logged into the administration interface.” and “Admin user "admin" modified the print script on printer "".”. A Shodan search turns up around 1,700 Papercut servers accessible from the Internet, which prompts the painfully obvious observation that your internal print auditing solution’s web interface definitely should not be exposed online.
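Because a login by the built-in admin account is a noisy indicator on its own, a practitioner would correlate the two log messages above. The following is an added example, not tooling from Papercut or the write-up: it parses a constructed log (the timestamp/level layout is invented; only the two message strings come from the article) and flags print-script changes that follow a login by the same account within a short window, scoring the built-in "admin" account and an empty printer name as suspicious.

```python
"""Correlate the two Papercut indicators over sample log lines (added example).

The log layout 'YYYY-MM-DD HH:MM:SS LEVEL message' and the sample entries are
constructed for this demonstration; the two message formats matched below are
the indicator strings quoted in the write-up.
"""
import re
from datetime import datetime, timedelta

LOGIN_RE = re.compile(r'User "(?P<user>[^"]+)" logged into the administration interface\.')
SCRIPT_RE = re.compile(
    r'Admin user "(?P<user>[^"]+)" modified the print script on printer "(?P<printer>[^"]*)"\.'
)

# Constructed sample: a routine change by a named admin, then the pattern the
# proof of concept leaves behind (built-in "admin", blank printer name, seconds apart),
# then an admin login with no script change at all.
SAMPLE_LOG = """\
2023-04-20 09:12:01 INFO User "alice" logged into the administration interface.
2023-04-20 09:14:33 INFO Admin user "alice" modified the print script on printer "HR-Laser".
2023-04-20 23:41:07 INFO User "admin" logged into the administration interface.
2023-04-20 23:41:19 INFO Admin user "admin" modified the print script on printer "".
2023-04-21 08:00:00 INFO User "admin" logged into the administration interface.
"""


def parse_log(text: str):
    """Yield (timestamp, message) tuples for the constructed line format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, _level, msg = line.split(" ", 3)
        yield datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"), msg


def correlate_script_changes(text: str, window_minutes: int = 10):
    """Return every print-script change preceded by a login of the same user within the window."""
    window = timedelta(minutes=window_minutes)
    last_login = {}  # user -> most recent admin-interface login time
    events = []
    for ts, msg in parse_log(text):
        m = LOGIN_RE.search(msg)
        if m:
            last_login[m["user"]] = ts
            continue
        m = SCRIPT_RE.search(msg)
        if m:
            user, printer = m["user"], m["printer"]
            login_ts = last_login.get(user)
            if login_ts is not None and ts - login_ts <= window:
                events.append({
                    "user": user,
                    "printer": printer,
                    "login_at": login_ts,
                    "modified_at": ts,
                    "seconds_after_login": int((ts - login_ts).total_seconds()),
                    # Built-in account or a blank printer name matches the published IoCs.
                    "suspicious": user == "admin" or printer == "",
                })
    return events


def suspicious_events(text: str, window_minutes: int = 10):
    return [e for e in correlate_script_changes(text, window_minutes) if e["suspicious"]]


if __name__ == "__main__":
    for e in suspicious_events(SAMPLE_LOG):
        print(f'{e["modified_at"]} user={e["user"]!r} printer={e["printer"]!r} '
              f'{e["seconds_after_login"]}s after login')
```

Tune the window to your environment; the point is that the login alone is expected traffic, while login followed seconds later by a script edit on a blank printer name is the shape the published exploit leaves behind.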

Apache Superset

Superset is a nifty data visualization tool for showing charts, graphs, and all sorts of pretty data sets on a dashboard. It also has some weirdness with using web sessions for user management. The session is stored on the user side in a cookie, signed with a secret key. This works great, unless the key used is particularly weak. And guess what, the default configuration of Superset uses a pre-populated secret key. thisismysecretkey is arguably a bad key to start with, but it turns out it’s also shared by more than 70% of the accessible Superset servers.


Generating Entangled Qubits And Qudits With Fully On-Chip Photonic Quantum Source

As the world of computing and communication draws ever closer to a quantum future, researchers are faced with many of the similar challenges encountered with classical computing and the associated semiconductor hurdles. For the use of entangled photon pairs, for example, it was already possible to perform the entanglement using miniaturized photonic structures, but these still required a bulky external laser source. In a recently demonstrated first, a team of researchers have created a fully on-chip integrated laser source with photonic circuitry that can perform all of these tasks without external modules.

In their paper published in Nature Photonics, Hatam Mahmudlu and colleagues cover the process in detail. Key to this achievement was finding a way to integrate the laser and photonics side into a single, hybrid chip while overcoming the (refractive) mismatch between the InP optical amplifier and the Si3N4 waveguide feedback circuit. The appeal of photon-based quantum entanglement should be obvious when one considers the relatively stable nature of these pairs and their compatibility with existing optical (fiber) infrastructure. What was missing previously was an economical and compact way to create these pairs outside of a laboratory setup. Assuming that the described approach can be scaled up for mass production, it may just make quantum communications a realistic option outside of government organizations.

The Cyber Resilience Act Threatens Open Source

Society and governments are struggling to adapt to a world full of cybersecurity threats. Case in point: the EU CRA — Cyber Resilience Act — is a proposal by the European Commission to enact legislation with a noble goal: protect consumers from cybercrime by having security baked in during design. Even if you don’t live in the EU, today’s global market ensures that if the European Parliament adopts this legislation, it will affect the products you buy and, possibly, the products you create. In a recent podcast, our own [Jonathan Bennett] and [Doc Searles] interview [Mike Milinkovich] from the Eclipse Foundation about the proposal and what they fear would be almost a death blow to open source software development. You can watch the podcast below.

If you want some background, you can read the EU’s now closed request for comments and the blog post outlining the problems from opensource.org. At the heart of the issue is the need for organizations to self-certify their compliance with the act. Since open source is often maintained by a small loose-knit group of contributors, it is difficult to see how this will work.


This Week In Security: Spandex Tempest, Supply Chain Chain, And NTP

Microsoft’s Threat Intelligence group has announced a new naming scheme for threat actors. It sounds great: groups are named after weather phenomena, chosen according to the group’s motivation or nation of origin, and then each discrete group is given an additional adjective. That’s where things get interesting.

It seems like the adjectives were chosen at random, giving rise to some suitably impressive names, like Ghost Blizzard, Ruby Sleet, or Granite Typhoon. Some of the other names sound like they should be desserts: Caramel Tsunami, Peach Sandstorm, Aqua Blizzard, or Raspberry Typhoon. But then there are the really special names, like Wine Tempest and Zigzag Hail. The absolute winner is Spandex Tempest. No word yet on whether researchers managed to keep a straight face when approving that name.

Chrome 0-day Double

A pair of Chrome browser releases have been minted in the past week, both to address vulnerabilities that are actively being exploited. Up first was CVE-2023-2033, a type confusion in the V8 JS engine. That flaw was reported by Google’s Threat Analysis Group, presumably discovered in the wild, and the fix was pushed as stable on the 14th.

Then, on the 18th, yet another release rolled out to fix CVE-2023-2136, also reported by the TAG, and also being exploited in the wild. It seems likely that both of these 0-days were found in the same exploitation campaign. We look forward to hearing the details on this one.

Native Alaskan Language Reshapes Mathematics

The languages we speak influence the way that we see the world, in ways most of us may never recognize. For example, researchers report seeing higher savings rates among people whose native language has limited capacity for a future tense, and one Aboriginal Australian language requires precise knowledge of cardinal directions in order to speak at all. And one Alaskan Inuit language called Iñupiaq is using its inherent visual nature to reshape the way children learn and use mathematics, among other things.

Arabic numerals are widespread and near universal in the modern world, but except perhaps for the number “1”, they are simply symbols representing ideas. They require users to understand these quantities before being able to engage with the underlying mathematical structure of this base-10 system. But there are not only other bases, there are also other ways of writing numbers. In the case of the Iñupiaq language, which uses a base-20 system, the characters for the numbers are drawn in such a way that information about the numbers themselves can be read off their visual representation.

This leads to some surprising consequences, largely that certain operations like addition and subtraction and even long division can be strikingly easy to do since the visual nature of the characters makes it obvious what each answer should be. Often the operations can be seen as being done to the characters themselves, instead of in the Arabic system where the idea of each number must be known before it can be manipulated in this way.

This project was originally started as a way to make sure that the Iñupiaq language and culture wasn’t completely lost after centuries of efforts to eradicate it and other native North American cultures. But now it may eventually get its own set of Unicode characters, meaning that it could easily be printed in textbooks and used in computer programming, opening up a lot of doors not only for native speakers of the language but for those looking to utilize its unique characteristics to help students understand mathematics rather than just learn it.

A New Commodore C128 Cartridge

A new Commodore C128 cartridge in 2023?  That’s what [idun-projects] set out to do and, as you can see in the video below, did. I did the original C128 hardware design and worked with the amazing team that turned this home computer out in 1985. Honestly, I am amazed that any of them are still working 38 years later, let alone that someone is making new cartridges for it.

I also never thought I would hear about someone’s in-depth experience designing for the ‘128. The post takes us through [idun-projects]’ decision to use the ‘128 and how modern expectations apply to all computers, even the old ones. Hot on the list was connectivity and reasonable storage (looking at you, floppy disks).


Uranium-241 Isotope Created And Examined Via Multinucleon Transfer Reactions And Mass Spectrometry

A recent paper (PDF) in Physical Review Letters by T. Niwase and colleagues covers a fascinating new way to both create and effectively examine isotopes by employing a cyclotron and a mass spectrograph. In the paper, they describe the process of multinucleon transfer (MNT) and analysis at the recently commissioned KEK Isotope Separation System (KISS), located at the RIKEN Nishina Center in Japan.

Sketch of the KISS experimental setup. The blue- and yellow-colored areas are filled with Ar and He gases, respectively. Differential pumping systems are located after the doughnut-shaped gas cell as well as before and after the GCCB. (Credit: Niwase et al., 2023)

The basic process involves the RIKEN Ring Cyclotron, which for this particular experiment was loaded with the uranium-238 isotope. Over the course of four days, 238U particles impinged on a 198Pt target, after which the resulting projectile-like fragments (PLF) were led through the separation system (see sketch). This prepared the ions created in the collisions for injection into the multi-reflection time-of-flight mass spectrograph (MRTOF MS), a newly installed and highly refined instrument at the facility.

Using this method, the researchers were able to establish that during the MNT process in the cyclotron, the transfer of nucleons in the collisions had resulted in the production of 241U as well as 242U. The former had not previously been produced in an experimental setting, and the mass of the latter had not previously been accurately determined. During this experiment, the two uranium isotopes, as well as neptunium and other isotopes, were led through the MRTOF MS instrument, allowing for accurate measurement of the characteristics of each isotope.

The relevance of producing new artificial isotopes of uranium lies not so much in the production of these, but rather in how producing these atoms allows us to experimentally confirm theoretical predictions and extrapolations from previous data. This may one day lead us to amazing discoveries such as the famously predicted island of stability, with superheavy, stable elements with as of yet unknown properties.

Even if such astounding discoveries are not in the future for theoretical particle physics, merely having another great tool like MNT to ease the burden of experimental verification would seem to be more than worth it.