This Week In Security: Spandex Tempest, Supply Chain Chain, And NTP

Microsoft’s Threat Intelligence group has announced a new naming scheme for threat actors. It sounds great: groups are named after weather phenomena, based on the group’s motivation or nation of origin. Then each discrete group is given an additional adjective. That’s where things get interesting.

It seems like the adjectives were chosen at random, giving rise to some suitably impressive names, like Ghost Blizzard, Ruby Sleet, or Granite Typhoon. Some of the other names sound like they should be desserts: Caramel Tsunami, Peach Sandstorm, Aqua Blizzard, or Raspberry Typhoon. But then there are the really special names, like Wine Tempest and Zigzag Hail. The absolute winner, though, is Spandex Tempest. No word yet on whether researchers managed to keep a straight face when approving that name.

Chrome 0-day Double

A pair of Chrome browser releases have been minted in the past week, both to address vulnerabilities that are actively being exploited. Up first was CVE-2022-2033, type confusion in the V8 JS engine. That flaw was reported by Google’s Threat Analysis Group, presumably discovered in the wild, and the fix was pushed as stable on the 14th.

Then, on the 18th, yet another release rolled out to fix CVE-2023-2136, also reported by the TAG, and also being exploited in the wild. It seems likely that both of these 0-days were found in the same exploitation campaign. We look forward to hearing the details on this one.

Native Alaskan Language Reshapes Mathematics

The languages we speak influence the way that we see the world, in ways most of us may never recognize. For example, researchers report seeing higher savings rates among people whose native language has limited capacity for a future tense, and one Aboriginal Australian language requires precise knowledge of cardinal directions in order to speak at all. And one Alaskan Inuit language called Iñupiaq is using its inherent visual nature to reshape the way children learn and use mathematics, among other things.

Arabic numerals are widespread and near universal in the modern world, but except perhaps for the number “1”, they are simply symbols representing ideas. They require users to understand these quantities before being able to engage with the underlying mathematical structure of this base-10 system. But there are not only other bases, but also other ways of writing numbers. In the case of the Iñupiaq language, which uses a base-20 system, the characters for the numbers are expressed in a way in which information about the numbers themselves can be extracted from their visual representation.

This leads to some surprising consequences, chiefly that certain operations like addition and subtraction and even long division can be strikingly easy to do, since the visual nature of the characters makes it obvious what each answer should be. Often the operations can be seen as being done to the characters themselves, instead of in the Arabic system, where the idea of each number must be known before it can be manipulated in this way.

This project was originally started as a way to make sure that the Iñupiaq language and culture weren’t completely lost after centuries of efforts to eradicate it and other native North American cultures. But now it may eventually get its own set of Unicode characters, meaning that it could easily be printed in textbooks and used in computer programming, opening up a lot of doors not only for native speakers of the language but for those looking to utilize its unique characteristics to help students understand mathematics rather than just learn it.

A New Commodore C128 Cartridge

A new Commodore C128 cartridge in 2023? That’s what [idun-projects] set out to do and, as you can see in the video below, did. I did the original C128 hardware design and worked with the amazing team that turned this home computer out in 1985. Honestly, I am amazed that any of them are still working 38 years later, let alone that someone is making new cartridges for it.

I also never thought I would hear about someone’s in-depth experience designing for the ‘128. The post takes us through [idun-project’s] decision to use the ‘128 and how modern expectations apply to all computers, even the old ones. Hot on the list was connectivity and reasonable storage (looking at you, floppy disks).


Uranium-241 Isotope Created And Examined Via Multinucleon Transfer Reactions And Mass Spectrometry

A recent paper (PDF) in Physical Review Letters by T. Niwase and colleagues covers a fascinating new way to both create and effectively examine isotopes by employing a cyclotron and a mass spectrograph. In the paper, they describe the process of multinucleon transfer (MNT) and analysis at the recently commissioned KEK Isotope Separation System (KISS), located at the RIKEN Nishina Center in Japan.

Sketch of the KISS experimental setup. The blue- and yellow-colored areas are filled with Ar and He gases, respectively. Differential pumping systems are located after the doughnut-shaped gas cell as well as before and after the GCCB. (Credit: Niwase et al., 2023)

The basic process involves the RIKEN Ring Cyclotron, which was loaded for this particular experiment with the Uranium-238 isotope. Over the course of four days, 238U particles impinged on a 198Pt target, after which the resulting projectile-like fragments (PLF) were led through the separation system (see sketch). This prepared the ions created in this way to be injected into the multi-reflection time-of-flight mass spectrograph (MRTOF MS), a highly refined mass spectrograph that was also only recently installed at the facility.

Using this method, the researchers were able to establish that during the MNT process in the cyclotron, the transfer of nucleons from the collisions had resulted in the production of 241U as well as 242U. The former had not previously been produced in an experimental setting, and the mass of the latter had not been accurately determined. During this experiment, the two uranium isotopes, as well as neptunium and other isotopes, were led through the MRTOF MS instrument, allowing for the accurate measurement of the characteristics of each isotope.

The relevance of producing new artificial isotopes of uranium lies not so much in the production of these, but rather in how producing these atoms allows us to experimentally confirm theoretical predictions and extrapolations from previous data. This may one day lead us to amazing discoveries such as the famously predicted island of stability, with superheavy, stable elements with as of yet unknown properties.

Even if such astounding discoveries are not in the future for theoretical particle physics, merely having another great tool like MNT to ease the burden of experimental verification would seem to be more than worth it.

This Week In Security: QueueJumper, JS VM2 Escape, And CAN Hacking

You may not be familiar with the Microsoft Message Queuing (MSMQ) service, a store-and-forward sort of inter-process and inter-system communication service. MSMQ has become something of a legacy product, but it is still available as an optional component in Windows. And in addition to other enterprise software solutions, Microsoft Exchange turns the service on by default. That’s why it’s a bit spooky that a one-packet Remote Code Execution (RCE) vulnerability was just patched in the service.

CVE-2023-21554, also known as QueueJumper, is this unauthenticated RCE with a CVSS score of 9.8. It requires sending a packet to the service on TCP port 1801. The Check Point Research team scanned for listening MSMQ endpoints on the public Internet, and found approximately 360,000 of them. And no doubt far more are listening on internal networks. A one packet exploit is a prime example of a wormable problem, and now that the story has broken, and the patch is available, expect a rapid reverse engineering. Beware, the queue jumpers are coming.

JavaScript VM Escape

The VM2 library is a rather important JavaScript package that sandboxes code, letting a project run untrusted code securely. Or, that’s the idea. CVE-2023-29017 is an example of how hard sandboxing is to get right. It’s another CVSS 9.8 vulnerability, and this one allows a sandbox escape and code execution.

This one now has public Proof of Concept code, and this package has over 16 million monthly installs, so the attack surface is potentially pretty wide. The flaw is fixed in version 3.9.15.
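Since the only fix here is upgrading, the practical question for a defender is whether any copy of vm2, including transitive copies nested under other dependencies, is still below 3.9.15. The following is an added example, not code from the Hackaday post or from the vm2 project: it walks an npm `package-lock.json` (both the v2/v3 `packages` map and the older v1 `dependencies` tree) and reports every vm2 install older than the fixed release. The lockfile contents and the `some-plugin` package are constructed for the demo.

```python
"""Find vm2 installs older than the 3.9.15 fix in an npm lockfile.

Added example (not from the post or the vm2 project). Reads the npm
lockfile v2/v3 "packages" map, or the v1 "dependencies" tree, and
reports every vm2 copy, including nested transitive copies, whose
version is below 3.9.15.
"""
import json
import re
from typing import Dict, Iterator, List, Tuple

FIXED_VERSION = (3, 9, 15)   # the fixed release named in the text


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3.9.14' or '3.9.15-beta.1' into a comparable tuple of ints.
    Only the numeric core is compared; pre-release/build tags are dropped."""
    core = text.split("-", 1)[0].split("+", 1)[0]
    if not re.fullmatch(r"\d+(\.\d+)*", core):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in core.split("."))


def iter_vm2_entries(lock: Dict) -> Iterator[Tuple[str, str]]:
    """Yield (install path, version) for every vm2 copy in the lockfile."""
    if "packages" in lock:
        # lockfileVersion 2/3: flat map keyed by install path, e.g.
        # "node_modules/foo/node_modules/vm2" for a nested copy.
        for path, meta in lock["packages"].items():
            if path.split("node_modules/")[-1] == "vm2" and "version" in meta:
                yield path, meta["version"]
        return

    # lockfileVersion 1: nested "dependencies" tree
    def walk(deps: Dict, prefix: str) -> Iterator[Tuple[str, str]]:
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if name == "vm2" and "version" in meta:
                yield path, meta["version"]
            yield from walk(meta.get("dependencies", {}), path + "/")

    yield from walk(lock.get("dependencies", {}), "")


def vulnerable_vm2(lock: Dict) -> List[Tuple[str, str]]:
    """Return the vm2 installs whose version is below the fixed release."""
    return [(path, ver) for path, ver in iter_vm2_entries(lock)
            if parse_version(ver) < FIXED_VERSION]


# Constructed lockfile (v3 layout): the top-level vm2 is patched, but a
# hypothetical dependency still drags in a stale nested copy.
SAMPLE_LOCK = json.loads("""
{
  "name": "example-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app", "version": "1.0.0"},
    "node_modules/vm2": {"version": "3.9.15"},
    "node_modules/some-plugin": {"version": "2.0.0"},
    "node_modules/some-plugin/node_modules/vm2": {"version": "3.9.14"}
  }
}
""")

if __name__ == "__main__":
    for path, version in vulnerable_vm2(SAMPLE_LOCK):
        print(f"vulnerable vm2 {version} at {path}")
```

The nested-copy case is the one that `npm ls vm2` users usually miss: the root dependency looks clean while a plugin pins its own older vm2, and that copy is the one that actually runs untrusted code.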

Congratulations Low-Power Winners

Congratulations to the winners of the 2023 Hackaday.io Low Power Contest! We challenged you to show us how much you could do with how little, and you did not disappoint. Our judges have put their heads together, and thanks to Digi-Key, our contest sponsor, the top three entries will be taking home a $150 gift certificate for yet more hacking supplies.

We saw a great diversity of ideas here, all on the low-power theme. So without further ado…

The Prize Winners

[Christoph]’s Ultra Low Power RF-Sensor arose out of necessity. Having just repaired a shower drain, he couldn’t be sure that it wouldn’t start leaking again at some point in the future, but couldn’t go ripping up the floor under the shower tray every week to check. He needed a remote moisture sensor that would do the job for a long time with no intervention.

This superb solution combines an Atmel ATmega328P, an HDC1080 humidity sensor, a 433 MHz radio transmitter, and an RTC to keep power consumption super-low when everything else is shut down. Idling at 600 nA total most of the time, taking a reading every 15 minutes, this device should last for 12 years, and it’s been installed and running for five so far, so we’d say that it’s already proven itself very worthy of taking home the prize here.

[BleakyTex]’s Compact, low-power Geiger counter is absolutely the lowest power Geiger counter we’ve ever seen and maybe also the cutest. With the ambitious goal of running up to two years on two tiny LR44 batteries and a proven runtime of about six months by now, this is the radiation detector you can take with you every day, should you need to. The key is a custom HV section that’s designed for efficiency and the screen – even today, it’s still hard to beat the low power consumption of the humble LCD screen. All this, and it still makes those satisfying clicks when it’s enabled. [BleakyTex] says he might make a kit from this, and we absolutely hope he does!

[mircemk]’s Microwatt Pulse Motor took one of our suggestions in the announcement of the contest and ran with it. This eight-pole handmade electric motor doesn’t actually do anything other than spin, but it does that when hooked up to a literal potato. Pulling around 40 mA at 600 mV, it can easily run on solar power with enough power left over to charge up a battery for when the sun doesn’t shine. All of this is made with extremely simple circuitry and parts scavenged from old relays with a sewing needle held up by a magnet for the bearing. This is pure ingenuity and a sweet low-power demo.


This Week In Security: Cookie Monster, CyberGhost, NEXX, And Dead Angles

“Operation Cookie Monster” ranks as one of the best code names in recent memory. And it’s apropos, given what exactly went down. Genesis Market was one of those marketplaces where criminals could buy and sell stolen credentials. This one was a bit extra special.

Websites and services are getting better about detecting logins from unexpected computers. Your Google account suddenly logs in from a new computer, and a two-factor authentication challenge launches. Why? Your browser is missing a cookie indicating you’ve logged in before. But there’s more. Providers have started rolling out smart analytics that check for IP address changes and browser fingerprints. Your mix of time zone, user-agent string, installed fonts, and selected language makes a pretty unique identifier. So sites like Genesis offer Impersonation-as-a-Service (IMPaaS), which is session hijacking for the modern age.

A victim computer gets owned, and credentials are collected. But so are cookies and a browser fingerprint. Then a criminal buyer logs in and runs a virtual browser with all that collected data. Run it through a proxy to get an IP that is geolocated close enough to the victim, and Mr. Bad Guy has a cloned machine with all accounts intact.
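To make concrete what these provider-side analytics do, and where they stop, here is an added example that is not from the Hackaday post or any named provider. It binds a session cookie to a hash of the fingerprint attributes the text lists (time zone, user-agent string, fonts, language) plus a coarse GeoIP country at login, then scores each later request that presents that cookie: same fingerprint and country is allowed, a country change triggers a step-up challenge, and a different fingerprint is treated as a replayed cookie. The fingerprint fields, the three-way decision and all sample requests are assumptions constructed for the demo; `country` stands in for whatever GeoIP lookup a real service uses.

```python
"""Session binding versus cookie replay: the defensive side of IMPaaS.

Added example (not from the post or any provider). A session is bound to
a browser-fingerprint hash and a coarse location when it is issued; each
later request carrying the cookie is compared against that binding.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Request:
    session_id: str
    ip: str
    country: str           # assumed GeoIP result, constructed here
    user_agent: str
    timezone: str
    language: str
    fonts: Tuple[str, ...]  # a few installed fonts, as the text lists


def fingerprint(req: Request) -> str:
    """Hash the browser-side attributes named in the text into one id."""
    material = json.dumps({
        "ua": req.user_agent, "tz": req.timezone,
        "lang": req.language, "fonts": sorted(req.fonts),
    }, sort_keys=True)
    return hashlib.sha256(material.encode()).hexdigest()


@dataclass(frozen=True)
class SessionBinding:
    fingerprint: str
    country: str


def bind_session(login: Request) -> SessionBinding:
    """Record what the session looked like at the moment it was issued."""
    return SessionBinding(fingerprint(login), login.country)


def evaluate(binding: SessionBinding, req: Request) -> str:
    """Decide what to do with a request presenting an existing cookie:
    'allow', 'step_up' (re-run 2FA) or 'revoke' (kill the session)."""
    same_fp = fingerprint(req) == binding.fingerprint
    same_country = req.country == binding.country
    if same_fp and same_country:
        return "allow"           # indistinguishable from the victim
    if same_fp:
        return "step_up"         # same browser, new network: travel or VPN
    if same_country:
        return "step_up"         # cookie in a different browser, nearby IP
    return "revoke"              # different browser and different country


# Constructed requests. VICTIM is the legitimate session; the others replay
# its cookie with varying degrees of cloned context.
VICTIM = Request("s1", "203.0.113.7", "NL", "Mozilla/5.0 (X11; Linux x86_64)",
                 "Europe/Amsterdam", "nl-NL", ("DejaVu Sans", "Liberation Mono"))
# Full clone: stolen fingerprint replayed through a same-country proxy.
FULL_CLONE = Request("s1", "198.51.100.9", "NL", VICTIM.user_agent,
                     VICTIM.timezone, VICTIM.language, VICTIM.fonts)
# Partial clone: cookie copied into a different browser in another country.
PARTIAL_CLONE = Request("s1", "192.0.2.44", "US", "Mozilla/5.0 (Windows NT 10.0)",
                        "America/New_York", "en-US", ("Arial", "Calibri"))

if __name__ == "__main__":
    binding = bind_session(VICTIM)
    for label, req in (("victim", VICTIM), ("full clone", FULL_CLONE),
                       ("partial clone", PARTIAL_CLONE)):
        print(f"{label:14s} -> {evaluate(binding, req)}")
```

The full-clone case returning `allow` is the whole point of the post: once cookie, fingerprint and a nearby proxy are all replayed, the server-side check has nothing left to distinguish, which is why the defence has to move to the endpoint (short-lived cookies, re-authentication for sensitive actions, and cleaning the infected machine) rather than to ever-finer fingerprinting.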

And now back to Operation Cookie Monster, a multi-organization takedown of Genesis. It’s apparently a partial takedown, as the latest word is that the site is still online on the Tor network. But the conventional domains are down, and something like eight million credentials have been captured and added to the Have I Been Pwned database.

Another researcher team, Sector 7, has been working the case with Dutch authorities, and has some interesting details. The vector they cover was a fake activation crack for an antivirus product. Ironic. There are several extensions that get installed on the victim computer, and one of the most pernicious is disguised as Google Drive. This extension looks for a Command and Control server, using Bitcoin as DNS. A hardcoded Bitcoin address is polled for its latest transaction, and the receiving address is actually an encoded domain name, you-rabbit[.]com as of the latest check.

This extension will look for and rewrite emails that might be warning the victim about compromise. Get an email warning about a cryptocurrency withdrawal? It modifies it in the browser to be a sign-in warning. It also allows Genesis customers to proxy connections through the victim’s browser, bypassing IP address security measures.