This Week In Security: Playing Tag, Hacking Cameras, And More

November 1, 2024 by Jonathan Bennett 3 Comments

Wired has a fascinating story this week, about the length Sophos has gone to for the last 5 years, to track down a group of malicious but clever security researchers that were continually discovering vulnerabilities and then using those findings to attack real-world targets. Sophos believes this adversary to be overlapping Chinese groups known as APT31, APT41, and Volt Typhoon.

The story is actually refreshing in its honesty, with Sophos freely admitting that their products, and security products from multiple other vendors have been caught in the crosshairs of these attacks. And indeed, we’ve covered stories about these vulnerabilities over the past weeks and months right here on this column. The sneaky truth is that many of these security products actually have pretty severe security problems.

The issues at Sophos started with an infection of an informational computer at a subsidiary office. They believe this was an information gathering exercise, that was a precursor to the widespread campaign. That campaign used multiple 0-days to crack “tens of thousands of firewalls around the world”. Sophos rolled out fixes for those 0-days, and included just a bit of extra logging as an undocumented feature. That logging paid off, as Sophos’ team of researchers soon identified an early signal among the telemetry. This wasn’t merely the first device to be attacked, but was actually a test device used to develop the attack. The game was on. Continue reading “This Week In Security: Playing Tag, Hacking Cameras, And More” →

Use PicoGlitcher For Voltage Glitching Attacks

October 30, 2024 by Dave Rowntree 5 Comments

We see a fair few glitcher projects, especially the simpler voltage glitchers. Still, quite often due to their relative simplicity, they’re little more than a microcontroller board and a few components hanging off some wires. PicoGlitcher by Hackaday.IO user [Matthias Kesenheimer] is a simple voltage glitcher which aims to make the hardware setup a little more robust without getting caught up in the complexities of other techniques. Based on the Raspberry Pico (obviously!), the board has sufficient niceties to simplify glitching attacks in various situations, providing controllable host power if required.

A pair of 74LVC8T245 (according to the provided BoM) level shifters allow connecting to targets at voltages from 1.8 V to 5 V if powered by PicoGlitcher or anything in spec for the ‘245 if target power is being used. In addition to the expected RESET and TRIGGER signals, spare GPIOs are brought out to a header for whatever purpose is needed to control a particular attack. If a programmed reset doesn’t get the job done, the target power is provided via a TPS2041 load switch to enable cold starts. The final part of the interface is an analog input provided by an SMA connector.

The glitching signal is also brought out to an SMA connector via a pair of transistors; an IRLML2502 NMOS performs ‘low power’ glitching by momentarily connecting the glitch output to ground. This ‘crowbarring’ causes a rapid dip in supply voltage and upsets the target, hopefully in a helpful way. An IRF7807 ‘NMOS device provides a higher power option, which can handle pulse loads of up to 66A. Which transistor you select in the Findus glitching toolchain depends on the type of load connected, particularly the amount of decoupling capacitance that needs to be discharged. For boards with heavier decoupling, use the beefy IRF7807 and accept the glitch won’t be as sharp as you’d like. For other hardware, the faster, smaller device is sufficient.

The software to drive PicoGlitcher and the hardware design files for KiCAD are provided on the project GitHub page. There also appears to be an Eagle project in there. You can’t have too much hardware documentation! For the software, check out the documentation for a quick overview of how it all works and some nice examples against some targets known to be susceptible to this type of attack.

For a cheap way to glitch an STM8, you can just use a pile of wires. But for something a bit more complicated, such as a Starlink user terminal, you need something a bit more robust. Finally, voltage glitching doesn’t always work, so the next tool you can reach for is a picoEMP.

Continue reading “Use PicoGlitcher For Voltage Glitching Attacks” →

The Pound ( Or Euro, Or Dollar ) Can Still Be In Your Pocket

October 27, 2024 by Jenny List 88 Comments

A British journalistic trope involves the phrase “The pound in your pocket”, a derisory reference to the 1960s Prime Minister Harold Wilson’s use of it to try to persuade the public that a proposed currency devaluation wouldn’t affect them. Nearly six decades later not so many Brits carry physical pounds in their pockets as electronic transfers have become more prevalent, but the currency remains. So much so that the governor of the Bank of England has had to reassure the world that the pound won’t be replaced by a proposed “Britcoin” cryptocurrency should that be introduced.

Normally matters of monetary policy aren’t within Hackaday’s remit, but since the UK is not the only country to mull over the idea of a tightly regulated cryptocurrency tied to their existing one, there’s a privacy angle to be considered while still steering clear of the fog of cryptocurrency enthusiasts. The problem is that reading the justification for the new digital pound from the Bank of England, it’s very difficult to see much it offers which isn’t already offered by existing cashless payment systems. Meanwhile it offers to them a blank regulatory sheet upon which they can write any new rules they want, and since that inevitably means some of those rules will affect digital privacy in a negative manner, it should be a worry to anyone whose government has considered the idea. Being at pains to tell us that we’ll still be able to see a picture of the King (or a dead President, or a set of bridges) on a bit of paper thus feels like an irrelevance as increasingly few of us handle banknotes much anyway these days. Perhaps that act in itself will now become more of an act of protest. And just when we’d persuaded our hackerspaces to go cashless, too.

Header: Wikitropia, CC BY-SA 3.0.

This Week In Security: The Geopolitical Kernel, Roundcube, And The Archive

October 25, 2024 by Jonathan Bennett 13 Comments

Leading off the week is the controversy around the Linux kernel and an unexpected change in maintainership. The exact change was that over a dozen developers with ties to or employment by Russian entities were removed as maintainers. The unfortunate thing about this patch was that it was merged without any discussion or real explanation, other than being “due to various compliance requirements”. We eventually got more answers, that this was due to US sanctions against certain Russian businesses, and that the Linux Foundation lawyers gave guidance that:

If your company is on the U.S. OFAC SDN lists, subject to an OFAC sanctions program, or owned/controlled by a company on the list, our ability to collaborate with you will be subject to restrictions, and you cannot be in the MAINTAINERS file.

So that’s that. One might observe that it’s unfortunate that a single government has that much control over the kernel’s development process. There were some questions about why Russian entities were targeted and not sanctioned Chinese companies like Huawei. [Ted Ts’o] spoke to that, explaining that in the US there are exemptions and different rules for each country and business. This was all fairly standard compliance stuff, up until a very surprising statement from [James Bottomley], a very core Kernel maintainer:

We are hoping that this action alone will be sufficient to satisfy the US Treasury department in charge of sanctions and we won’t also have to remove any existing patches.

Continue reading “This Week In Security: The Geopolitical Kernel, Roundcube, And The Archive” →

This Week In Security: Quantum RSA Break, Out Of Scope, And Spoofing Packets

October 18, 2024 by Jonathan Bennett 13 Comments

Depending on who you ask, the big news this week is that quantum computing researchers out of China have broken RSA. (Here’s the PDF of their paper.) And that’s true… sort of. There are multiple caveats, like the fact that this proof of concept is only factoring a 22-bit key. The minimum RSA size in use these days is 1024 bits. The other important note is that this wasn’t done on a general purpose quantum computer, but on a D-Wave quantum annealing machine.

First off, what is the difference between a general purpose and annealing quantum computer? Practically speaking, a quantum annealer can’t run Shor’s algorithm, the quantum algorithm that can factor large numbers into primes in a much shorter time than classical computers. While it’s pretty certain that this algorithm works from a mathematical perspective, it’s not at all clear that it will ever be possible to build effective quantum computers that can actually run it for the large numbers that are used in cryptography.

We’re going to vastly oversimplify the problem, and say that the challenge with general purpose quantum computing is that each q-bit is error prone, and the more q-bits a system has, the more errors it has. This error rate has proved to be a hard problem. The D-wave quantum annealing machine side-steps the issue by building a different sort of q-bits, that interact differently than in a general purpose quantum computer. The errors become much less of a problem, but you get a much less powerful primitive. And this is why annealing machines can’t run Shor’s algorithm.

The news this week is that researchers actually demonstrated a different technique on a D-wave machine that did actually factor an RSA key. From a research and engineering perspective, it is excellent work. But it doesn’t necessarily demonstrate the exponential speedup that would be required to break real-world RSA keys. To put it into perspective, you can literally crack a 22 bit RSA key by hand.

Continue reading “This Week In Security: Quantum RSA Break, Out Of Scope, And Spoofing Packets” →

This Week In Security: The Internet Archive, Glitching With A Lighter, And Firefox In-the-wild

October 11, 2024 by Jonathan Bennett 7 Comments

The Internet Archive has been hacked. This is an ongoing story, but it looks like this started at least as early as September 28, while the site itself was showing a creative message on October 9th, telling visitors they should be watching for their email addresses to show up on Have I Been Pwnd.

Hi folks, yes, I'm aware of this. I've been in communication with the Internet Archive over the last few days re the data breach, didn't know the site was defaced until people started flagging it with me just now. More soon. https://t.co/uRROXX1CF9

— Troy Hunt (@troyhunt) October 9, 2024

There are questions still. The site defacement seems to have included either a subdomain takeover, or a long tail attack resulting from the polyfill takeover. So far my money is on something else as the initial vector, and the polyfill subdomain as essentially a red herring.

Troy Hunt has confirmed that he received 31 million records, loaded them into the HIBP database, and sent out notices to subscribers. The Internet Archive had email addresses, usernames, and bcrypt hashed passwords.

In addition, the Archive has been facing Distributed Denial of Service (DDoS) attacks off and on this week. It’s open question whether the same people are behind the breach, the message, and the DDoS. So far it looks like one group or individual is behind both the breach and vandalism, and another group, SN_BLACKMETA, is behind the DDoS.

Continue reading “This Week In Security: The Internet Archive, Glitching With A Lighter, And Firefox In-the-wild” →

The Internet Archive Has Been Hacked

October 10, 2024 by Lewin Day 33 Comments

There are a great many organizations out there, all with their own intentions—some selfish, some selfless, some that land somewhere in between. Most would put the Internet Archive in the category of the library—with its aim of preserving and providing knowledge for the aid of all who might call on it. Sadly, as [theresnotime] reports, it appears this grand institution has been hacked.

On Wednesday, users visiting the Internet Archive were greeted with a foreboding popup that stated the following:

Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach? It just happened. See 31 million of you on HIBP!

The quote appears to refer to Have I Been Pwned (HIBP), a site that collates details of security breaches so individuals can check if their details have been compromised.

According to founder Brewster Kahle, the site was apparently DDOS’d, with the site defaced via a JavaScript library. It’s believed this may have been a polyfill supply chain attack. As for the meat of the hack, it appears the individuals involved made off with usernames, emails, and encrypted and salted passwords. Meanwhile, as Wired reports, it appears Have I Been Pwned first received the stolen data of 31 million users on September 30.

At the time of writing, it appears the Internet Archive has restored the website to some degree of normal operation. It’s sad to see one of the Internet’s most useful and humble institutions fall victim to a hack like this one. As is always the way, no connected machine is ever truly safe, no matter how much we might hope that’s not the case.

[Thanks to Sammy for the tip!]