This Week In Security: Java’s Psychic Signatures, AWS Escape, And A Nasty Windows Bug

Java versions 15, 16, 17, and 18 (and maybe some older versions) have a big problem: ECDSA signature verification is totally broken. The story is a prime example of the dangers of unintended consequences, the pitfall of rolling your own crypto, and why to build a test suite for important code. In Java 15, the ECDSA verification code was rewritten, moving the code from C++ to a Java-native implementation. The new code misses an important check: that the initialization and proof values are both non-zero.

This Week In Security: OpenSSH, Git, And Sort-of NGINX 0-day

OpenSSH has minted their 9.0 release, and it includes a pair of security changes. Unlike most of the releases we cover here, this one has security hardening to prevent issues, not emergency fixes for current ones. First up, the venerable scp/rcp protocol has been removed. Your scp commands will now use SFTP under the hood. The more interesting security change is the new default key exchange, the NTRU algorithm. NTRU is thought to be quantum-hard.

Just In Case You Want To Charge Your Neighbor’s Tesla

Tesla vehicles have a charging port that is under a cover that only opens on command from a charging station. Well, maybe not only. [IfNotPike] reports that he was able to replay the 315 MHz signal using a software-defined radio and pop the port open on any Tesla he happened to be near.

Apparently, opening the charging port isn’t the end of the world since there isn’t much you can do with the charging port other than charging the car. At least, that we know of. If history shows anything, it is that anything you can get to will be exploited eventually.

This Week In Security: Vulnerable Boxes, Government Responses, And New Tools

The Cyclops Blink botnet is thought to be the work of an Advanced Persistent Threat (APT) from Russia, and seems to be limited to WatchGuard and Asus devices. The normal three- and four-letter agencies publicized their findings back in February, and urged everyone with potentially vulnerable devices to go through the steps to verify and disinfect them if needed. About a month later, in March, over half the botnet was still online and functioning, so law enforcement took a drastic step to disrupt the network. After reverse-engineering the malware itself, and getting a judge to sign off on the plan, the FBI remotely broke into 13 of the WatchGuard devices that were working as Command and Control nodes. They disinfected those nodes and closed the vulnerable ports, effectively knocking a very large chunk of the botnet offline.

The vulnerability in WatchGuard devices that facilitated the botnet was CVE-2022-23176, a problem where an “exposed management access” allowed unprivileged users administrative access to the system. That vague description sounds like either a debugging interface that was accidentally included in production, or a flaw in the permission logic. Regardless, the problem was fixed in a May 2021 update, but not fully disclosed. Attackers apparently reverse engineered the fix, and used it to infect devices and form the botnet. The FBI informed WatchGuard in November 2021 that about 1% of their devices had been compromised. It took until February to publish remediation steps and get a CVE for the flaw.

This is definitely non-ideal behavior. More details and a CVE should have accompanied the fix back in May. As we’ve observed before, obscurity doesn’t actually prevent sophisticated actors from figuring out vulnerabilities, but it does make it harder for users and security professionals to do their jobs.

Build A TPM Module For Your Server

One of the big stories surrounding the announcement of Windows 11 was that it would require support for TPM 2.0, or Trusted Platform Module, to run. This takes the form of an on-board cryptographic processor, which Microsoft claims will help against malware, but which, perhaps more importantly for Redmond, can be used to enforce DRM. Part of the standard involves a hardware module, and [Zane] has built a couple of them for ASRock server motherboards.

The chip in question is the Infineon SLB9965, which with a bit of research was found to map more or less directly to the pins of the TPM socket on the motherboard. The interesting thing here lies in the background research it gives into TPMs, and furthermore the links to other resources dealing with the topic. The chances are that most readers needing a TPM will simply buy one, but all knowledge is useful when it comes to these things.

Our weekly security roundup has been keeping an eye on the use of TPMs for a while, and has even shown us some ways that people have used to bypass the modules.

This Week In Security: More State-Sponsored Activity, Spring4Shell

[Editor’s note: There is a second, fake iteration of this column out today. This is obviously the real column.]

An alert from CISA, combined with an unsealed pair of indictments, sheds some new light on how Russian hackers pursue high-value targets. The key malware here is Triton, essentially a rootkit designed for the Tricon safety systems, widely deployed at refineries and other infrastructure facilities. One of the early deployments of this was to a Saudi oil plant in 2017. This deployment seems to have been botched, as it caused malfunctions and shut the plant down for about a week.

The new information is confirmation that the same operators, out of the “Central Scientific Research Institute of Chemistry and Mechanics”, attempted to target US facilities with the same campaign. The Wired coverage initially struck me as odd, as it detailed how these Russian attackers researched US refineries, looking for the most promising targets. How exactly did US intelligence agencies know about the research habits of agents in Russia? The details of the indictment have the answer: They were researching US refineries by downloading papers from the US Department of Energy. As the IP addresses of this Russian research group are known and tracked, it was easy enough for US agencies to make the connection.

This WeeΚ In Security: Hackerman, Twitter’s Best, And Signs To Watch Out For

[Editor’s note: There is a second, fake iteration of this column out today. This is obviously the real column.]

First off, there’s an amazing video tutorial from [Hackerman], embedded below the break. It’s a beginner’s guide to temporal displacement through a GPU-accelerated, cellular-connected partition board. The central flaw that makes this possible is a segmentation violation, accessible through a mode 6 cursor address reset. Watch out, though, because many mainframes actually have a core terminal capable of shutting such an attempt out of the grid altogether.

It’s a great guide, and definitely worth a watch if temporal security tickles your fancy. Watch out, though, because everyday objects can apparently act as bridges, infecting even users with temporal effects.
