Security Hacks

1527 Articles

Hands-On: Wireless Login With The New Mooltipass Mini BLE Secure Password Keeper

July 23, 2020 by 34 Comments

Remembering passwords is one of those things which one just cannot seem to escape. At the very least, we all need to remember a single password: namely the one for unlocking a password manager. These password managers come in a wide variety of forms and shapes, from software programs to little devices which one carries with them. The Mooltipass Mini BLE falls into the latter category: it is small enough to comfortably fit in a hand or pocket, yet capable of remembering all of your passwords.

Heading into its crowdfunding campaign, the Mooltipass Mini BLE is an evolution of the Mooltipass Mini device, which acts as a USB keyboard by default, entering log-in credentials for you. With the required browser extension installed, this process can also be automated when browsing to a known website. Any new credentials can also be saved automatically this way.

Where the Mooltipass Mini BLE differs from the original is in that it also adds a Bluetooth (BLE) mode, enabling it to be used easily with any BLE-capable device, including laptops and smartphones, without having to dig around for a USB cable and/or OTG adapter.

I have already been using the original Mooltipass Mini for a while, and the Mooltipass team was kind enough to send me a prototype Mooltipass Mini BLE for evaluation and comparison. Let’s take a look.

Continue reading “Hands-On: Wireless Login With The New Mooltipass Mini BLE Secure Password Keeper”

This Week In Security: Twitter, Windows DNS, SAP RECON

July 17, 2020 by 8 Comments

Twitter just had their biggest security breach in years. Mike warned us about it on Wednesday, but it’s worth revisiting a few of the details. The story is still developing, but it appears that malicious actors used social engineering to access an internal Twitter dashboard. This dashboard, among other interesting things, allows directly changing the email address associated with an account. Once the address is changed to the attacker’s, it’s simple to do a password reset and gain access.

The bitcoin address used in the crypto scam ended up receiving nearly $120,000 USD worth of bitcoin, all of which has been shuffled off into different accounts. It’s an old and simple scam, but was apparently rather believable because the messages were posted by verified Twitter accounts.

Screenshot from Motherboard

A series of screenshots have been posted, claiming to be the internal Twitter dashboard used in the attack. More than a few eyebrows have been raised, as a result of that dashboard. First off, the fact that Twitter employees can directly change an account’s email address is asking for trouble. Even more interesting are the tags that can be added to an account. “Trends Blacklist” and “Search Blacklist” do call to mind the rumors of shadow-banning, but at this point it’s impossible to know the details. Motherboard is reporting that Twitter is removing that screenshot across the board when it’s posted, and even suspending accounts that post it. Of course, they’d do that if it were faked as well, so who knows? Continue reading “This Week In Security: Twitter, Windows DNS, SAP RECON”

Exposing Computer Monitor Side-Channel Vulnerabilities With TempestSDR

July 15, 2020 by 12 Comments

Having been endlessly regaled with tales of side-channel attacks and remote exploits, most of us by now realize that almost every piece of gear leaks data like a sieve. Everything from routers to TVs to the power supplies and cooling fans of computers can be made to give up their secrets. It’s scary stuff, but it also sounds like a heck of a lot of fun, and with an SDR and a little software, you too can get in on the side-channel action.

Coming to us via software-defined radio buff [Tech Minds], the video below gives a quick tour of how to snoop in on what’s being displayed on a monitor for almost no effort or expense. The software that makes it possible is TempestSDR, which was designed specifically for the job. With nothing but an AirSpy Mini and a rubber duck antenna, [Tech Minds] was able to reconstruct a readable black and white image of his screen at a range of a few inches; a better antenna and some fiddling might improve that range to several meters. He also shares a trick for getting TempestSDR set up for all the popular SDRs, including SPRplay, HackRF, and RTL-SDR.

Learning what’s possible with side-channel attacks is the key to avoiding them, so hats off to [Tech Minds] for putting together this simple, easy-to-replicate demo. To learn even more, listen to what [Samy Kamkar] has to say about the subject, or check out where power supplies, cryptocurrency wallets, and mixed-signal microcontrollers are all vulnerable.

Continue reading “Exposing Computer Monitor Side-Channel Vulnerabilities With TempestSDR”

This Week In Security: F5, Novel Ransomware, Freta, And Database Woes

July 10, 2020 by 5 Comments

The big story of the last week is a problem in F5’s BIG-IP devices. A rather trivial path traversal vulnerability allows an unauthenticated user to call endpoints that are intended to be restricted to authenticated. That attack can apparently be as simple as:

'https://[F5 Host]/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin'

A full exploit has been added to the metasploit framework. The timeline on this bug is frighteningly quick, as it’s apparently being actively exploited in the wild. F5 devices are used all over the world, and this vulnerability requires no special configuration, just access to the opened management port. Thankfully F5 devices don’t expose the vulnerable interface to the internet by default, but there are still plenty of ways this can be a problem.

Freta

Microsoft has made a new tool publicly available, Freta. This tool searches for rootkits in uploaded memory snapshots from a Linux VM. The name, appropriately, is taken from the street where Marie Curie was born.

The project’s namesake, Warsaw’s Freta Street, was the birthplace of Marie Curie, a pioneer of battlefield imaging.

The impetus behind the project is the realization that once a malicious actor has compromised a machine, it’s possible to compromise any security software running on that machine. If, instead, one could perform a security x-ray of sorts, then a more reliable conclusion could be reached. Freta takes advantage of the VM model, and the snapshot capability built into modern hypervisors.

Continue reading “This Week In Security: F5, Novel Ransomware, Freta, And Database Woes”

The Cheap Way To Glitch An STM8 Microcontroller

July 4, 2020 by 18 Comments

Reverse engineering or modifying a device often requires you to access the firmware stored on a microcontroller. Since companies are usually not fond of people who try to peek into their proprietary data, most commercial devices are readout protected. [rumpeltux] ran into this problem when he tried to dump the firmware on an HC-12 wireless serial communication module for yet undisclosed reasons. Hacking into the device was a challenge that he gladly accepted and in the end, he succeeded by building a low-cost setup for voltage glitching.

Voltage glitching is a form of fault injection that has, e.g., been successfully used to hack the Playstation Vita. It involves the injection of voltage spikes on the power line in order to force the bootloader to skip security checks. The hard thing is trying to find the right shape of the waveform and the best way to inject the signal.

While there are already open-source boards for fault injection like ChipWhisperer, [rumpeltux] chose to build his own setup around an FPGA. By using a cheap EPM240 board, some MOSFET, and a USB-to-Serial converter, the total costs of the glitching setup were under 20 Euros. [rumpeltux] then recorded a larger number of voltage traces on the VCC pin around the reset phase and analyzed the differences. This helped him to pinpoint the best time for injecting the signal and refine the search space. After some unsuccessful attempts to glitch the VCC and GND pins, he got lucky when using one of the voltage regulator pins instead.

Be sure not to miss Samy Kamkar’s talk at Supercon 2019 if you want to know more about hardware attacks or how to eavesdrop on people using a bag of potato chips.

This Week In Security: Palo Alto Scores A 10, Cursed Images, VM Escapes, And Malicious Music

July 3, 2020 by 12 Comments

We’ve looked at many vulnerabilities over the years here on Hackaday, but it’s rather rare for a CVE to score a perfect 10 severity. This is reserved for the most severe and exploitable of problems. Palo Alto announced such a vulnerability, CVE-2020-2021, on the 29th. This vulnerability affects Palo Alto devices running PAN-OS that have SAML authentication enabled and a certain validation option disabled. The vulnerability is pre-authentication, but does require access to a service protected by SAML authentication. For example, a Palo Alto device providing a web-based VPN could be vulnerable. The good news is that the vulnerable settings aren’t default, but the bad news is that the official configuration guide recommends the vulnerable settings for certain scenarios, like using a third party authentication service.

The issue is in the Security Assertion Markup Language (SAML) implementation, which is an XML based open standard for authentication. One of the primary use cases for SAML is to provide a Single Sign On (SSO) scheme. The normal deployment of SAML SSO is that a central provider handles the authentication of users, and then asserts to individual services that the connecting user is actually who they claim to be.

The setting needed for this vulnerability to be exploitable is ‘Validate Identity Provider Certificate’ to be disabled. If this option is enabled, the SSO provider must use a CA signed SAML certificates. This doesn’t appear to mean that unsigned SSL certificates would be accepted, and only applies to certificates inside the SAML messages. It seems to be widely accepted that these certificates don’t need to be CA signed. In the official announcement, the vulnerability type is said to be “CWE-347 Improper Verification of Cryptographic Signature”. Continue reading “This Week In Security: Palo Alto Scores A 10, Cursed Images, VM Escapes, And Malicious Music”

Easy, Secure HTTPS With An ESP8266

July 2, 2020 by 34 Comments

Security has always been an issue with IoT devices. Off the shelf devices often have terrible security while DIY solutions can be complicated, needing recompilation every time a website’s fingerprint changes. [Johannes] wrote in to let us know he’s been working on a way to make HTTPS requests easier to do on ESP devices.

The normal ways to do HTTPS with an ESP8266 is to either use Fingerprints, or to use client.setInsecure(). Fingerprints require the user to know exactly which pages the ESP will connect to and extract the Fingerprints from each of those websites. Since the fingerprints change yearly, this means the fingerprint will have to be re-extracted and the code recompiled each time a fingerprint changes. The use of client.setInsecure() is, obviously, insecure. This may not be an issue for your project, but it might be for others.

[Johannes’] solution is to extract the trusted root certificates and store them in PROGMEM. This allows access to any web page, but the root certificates do expire as well. As opposed to the fingerprints, though, they expire after 20 years, rather than every year, so the program can run for a long time before needing recompilation. This solution also doesn’t require any manual steps – the build process runs a script that grabs the certificates and stores them in files so that they can be uploaded to the SPIFFS written to PROGMEM to be used during HTTPS requests.

He’s come up with a fairly straightforward way to have your IoT device connect to whichever web page you want, without having to recompile every once in a while. Hopefully, this will lead to better security for your IoT devices. Take a look at some previous work in this area.