Security Hacks

1532 Articles

iPhone pictured with a lock

Is Anything Really Private Anymore?

June 26, 2020 by 53 Comments

In the connected age, every day it appears privacy is becoming more and more of an idealistic fantasy as opposed to a basic human right. In our latest privacy debate per [TechCrunch], apparently the FBI is taking some shots at Apple.

You may recall the unfortunate events, leading the FBI to ask Apple to unlock an iPhone belonging to a person of interest. Apple did not capitulate to the FBI’s request on the basis of their fundamental commitment to privacy. The FBI wasn’t really thrilled with Apple’s stance given the circumstances leading to the request. Nevertheless, eventually, the FBI was able to unlock the phone without Apple’s help.

You may find it somewhat interesting that the author of the news piece appears to be more upset with the FBI for cracking the phone than at Apple (and by extension other tech companies) for making phones that are crackable to begin with.

Maybe we should take solace in knowing that Apple stood their ground for the sake of honoring their privacy commitment. But as we saw, it didn’t really matter in the end as the FBI was able to hire a third party to help them unlock the phones and were later able to repeat the process in-house. The article also noted that there are other private companies capable of doing exactly what the FBI did. We understand that no encryption is 100% safe. So it begs the question, “Is anything really private anymore?” Share your thoughts in the comments below.

This Week In Security: HaveIBeenPwned And Facebook Attack Their Customers

June 19, 2020 by 27 Comments

We’re fans of haveibeenpwned.com around here, but a weird story came across my proverbial desk this week — [Troy Hunt] wrote a malicious SQL injection into one of their emails! That attack string was a simple ';--

Wait, doesn’t that look familiar? You remember the header on the haveibeenpwned web page? Yeah, it’s ';--have i been pwned?. It’s a clever in-joke about SQL injection that’s part of the company’s brand. An automated announcement was sent out to a company that happened to use the GLPI service desk software. That company, which shall not be named for reasons that are about to become obvious, was running a slightly out-of-date install of GLPI. That email generated an automated support ticket, which started out with the magic collection of symbols. When a tech self-assigned the ticket, the SQL injection bug was triggered, and their entire ticket database was wiped out. The story ends happily, thanks to a good backup, and the company learned a valuable lesson. Continue reading “This Week In Security: HaveIBeenPwned And Facebook Attack Their Customers”

Copy And Paste Deemed Insecure

June 18, 2020 by 23 Comments

Back when Windows NT was king, Microsoft was able to claim that it met the strict “Orange Book” C2 security certification. The catch? Don’t install networking and remove the floppy drives.  Turns out most of the things you want to do with your computer are the very things that are a security risk. Even copy and paste.

[Michal Benkowki] has a good summary of his research which boils down to the following attack scenario:

  1. Visit a malicious site.
  2. Copy something to the clipboard which allows the site to put in a dangerous payload.
  3. Visit another site with a browser-based visual editor (e.g., Gmail or WordPress)
  4. Paste the clipboard into the editor.

Continue reading “Copy And Paste Deemed Insecure”

Disable Intel’s Backdoor On Modern Hardware

June 16, 2020 by 42 Comments

While the Intel Management Engine (and, to a similar extent, the AMD Platform Security Processor) continues to plague modern computer processors with security risks, some small progress continues to be made for users who value security of the hardware and software they own. The latest venture in disabling the ME is an ASRock motherboard for 8th and 9th generation Intel chips. (There is also a link to a related Reddit post about this project).

First, a brief refresher: The ME is completely removable on some computers built before 2008, and can be partially disabled or deactivated on some computers built before around 2013. This doesn’t allow for many options for those of us who want modern hardware, but thanks to a small “exploit” of sorts, some modern chipsets are capable of turning the ME off. This is due to the US Government’s requirement that the ME be disabled for computers in sensitive applications, so Intel allows a certain undocumented bit, called the HAP bit, to be set which disables the ME. Researchers have been able to locate and manipulate this bit on this specific motherboard to disable the ME.

While this doesn’t completely remove the firmware, it does halt all execution of code in a way that is acceptable for a large governmental organization, so if you require both security and modern hardware this is one of the few ways to achieve that goal. There are other very limited options as well, but if you want to completely remove the ME even on old hardware the process itself is not as straightforward as you might imagine.

Header image: Fritzchens Fritz from Berlin / CC0

OmniBallot, Another Flawed Attempt At Online Voting

June 14, 2020 by 49 Comments

Although online voting in elections has been a contentious topic for decades already, it is during the current pandemic that it has seen significant more attention. Along with mail-based voting, it can be a crucial tool in keeping the world’s democratic nations running smoothly. This is where the OmniBallot software, produced by Democracy Live, comes into play, and its unfortunate unsuitability for this goal.

Despite already being used by multiple US jurisdictions for online voting, a study by MIT’s [Michael Specter] and University of Michigan researchers points out the flaws in this web-based platform. Their recommendations are to either avoid using OmniBallot completely, or to only use it for printing out a blank ballot that one then marks by hands and sends in by mail.

One of the issues with the software is that it by default creates the marked ballot PDF on the Democracy Live servers, instead of just on the user’s device. Another is that as a web-based platform it is hosted on Amazon Web Services (AWS), with JavaScript sources pulled from both CloudFlare and Google servers. Considering that the concern with electronic voting machines was that of unauthorized access at a polling station, it shouldn’t require a lengthy explanation to see this lack of end-to-end security with OmniBallot offers many potential attack surfaces.

When Ars Technica contacted Democracy Live for commentary on these findings, Democracy Live CEO [Bryan Finney] responded that “The report did not find any technical vulnerabilities in OmniBallot”. Since the researchers did not examine the OmniBallot code itself that is technically true, but misses the larger point of the lack of guarantee of every single voter’s device being secured, as well as every AWS, CloudFlare and Google instance involved in the voting process.

As a result, the recommended use of OmniBallot is to use it for the aforementioned printing out of blank ballots, to save half of the trip time of the usual mail-in voting.

This Week In Security: Crosstalk, TLS Resumption, And Brave Shenanigans

June 12, 2020 by 2 Comments

Intel announced CrossTalk, a new side-channel attack that can leak data from CPU buffers. It’s the same story we’ve heard before. Bits of internal CPU state can be inferred by other processes. This attack is a bit different, in that it can leak data across CPU cores. Only a few CPU instructions are vulnerable, like RDRAND, RDSEEED, and EGETKEY. Those particular instructions matter, because they’re used in Intel’s Secure Enclave and OpenSSL, to name a couple of important examples.
Continue reading “This Week In Security: Crosstalk, TLS Resumption, And Brave Shenanigans”

Quantum Computing And The End Of Encryption

June 11, 2020 by 58 Comments

Quantum computers stand a good chance of changing the face computing, and that goes double for encryption. For encryption methods that rely on the fact that brute-forcing the key takes too long with classical computers, quantum computing seems like its logical nemesis.

For instance, the mathematical problem that lies at the heart of RSA and other public-key encryption schemes is factoring a product of two prime numbers. Searching for the right pair using classical methods takes approximately forever, but Shor’s algorithm can be used on a suitable quantum computer to do the required factorization of integers in almost no time.

When quantum computers become capable enough, the threat to a lot of our encrypted communication is a real one. If one can no longer rely on simply making the brute-forcing of a decryption computationally heavy, all of today’s public-key encryption algorithms are essentially useless. This is the doomsday scenario, but how close are we to this actually happening, and what can be done?

Continue reading “Quantum Computing And The End Of Encryption”