This Week In Security: A Digital Café Américain, The Linux Bugs That Weren’t, The Great Nation, And More

October 18, 2019 by Jonathan Bennett 16 Comments

A government is going after a human rights activists in Morocco. It sounds familiar, but I don’t think Humphrey Bogart is running the gin joint this time around.

Questionable Casablanca references aside, Amnesty International has reported another attack against human rights workers. In this case, a pair of Moroccan activists were targeted with what appears to be NSO’s Pegasus malware suite. Researchers identified text message phishing that led to malicious web pages, as well as HTTP man in the middle attacks against their mobile devices. Once the target was successfully directed to the malicious site, A collection of zero-day vulnerabilities were used to compromise the phone with the NSO malware.

NSO is an Israeli company that specializes in building malware and other cybersecurity tools for governments. As you can imagine, this specialization has earned NSO the scorn of quite a few organizations. NSO claims to have a policy framework in place that allows them to evaluate and terminate the use of their software when it is deemed illegal or abusive, but due to the nature of their contracts, that process is anything but transparent. Continue reading “This Week In Security: A Digital Café Américain, The Linux Bugs That Weren’t, The Great Nation, And More” →

A Tamagotchi For WiFi Cracking

October 16, 2019 by Bryan Cockfield 8 Comments

OK, let’s start this one by saying that it’s useful to know how to break security measures in order to understand how to better defend yourself, and that you shouldn’t break into any network you don’t have access to. That being said, if you want to learn about security and the weaknesses within the WPA standard, there’s no better way to do it than with a tool that mimics the behavior of a Tamagotchi.

Called the pwnagotchi, this package of artificial intelligence looks for information in local WiFi packets that can be used to crack WPA encryption. It’s able to modify itself in order to maximize the amount of useful information it’s able to obtain from whatever environment you happen to place it in. As an interesting design choice, the pwnagotchi behaves like an old Tamagotchi pet would, acting happy when it gets the inputs it needs.

This project is beyond a novelty though and goes deep in the weeds of network security. If you’re at all interested in the ways in which your own networks might be at risk, this might be a tool you can use to learn a little more about the ways of encryption, general security, and AI to boot. Of course, if you’re new to the network security world, make sure the networks you’re using are secured at least a little bit first.

Thanks to [Itay] for the tip!

This Sentence‌‌‌‌‍‌ Isn’‌‌‌‌‍‌‬t Just ‌‌‌‌‌‬‌‌a‌‌‌‌‍‬‬‍ Sentence‌‌‌‌‍‌‌‌‌‌‌‬‌‌‌‌‌‌‍‬‬‍‌‌‌‌‍‍‌‌‌‌‌‌

October 10, 2019 by Sharon Lin 22 Comments

Some sentences have more than meets the eye, and we’re not talking about interpretive nonsense. Rather, some sentences may contain up to four paragraphs’ worth of hidden text, invisible to readers.

Thanks to Zero Width Obfuscation, it is possible to use Zero Width Characters – Unicode characters that are invisible even when you try to highlight them. They’re typically used for abstract foreign languages that require separators that don’t take up an entire space. In this case, they’re used to obfuscate and de-obfuscate hidden messages sent through text.

[inzerosight] published a browser extension that identifies, de-obfuscates, and obfuscates these messages for you on the web. It does this by querying each page for the Unicode of the Zero Width Characters (U+FEFF, U+200C, U+200D, U+200E, U+2060, U+180E) and highlighting where they’ve been spotted. The encoding replaces each Unicode character with a permutation of two of the Zero Width Characters, essentially doing a find and replace across the text message.

I’m just waiting to see how long it takes for Zero Width Obfuscation to become the next Konami Code Easter Egg.

This Week In Security: Is RSA Finally Broken? The Push For Cloud Accounts, Encrypted DNS, And More Mobile Mayhem

October 4, 2019 by Jonathan Bennett 24 Comments

Ever wondered what “cyberwar” looks like? Apparently it’s a lot of guessing security questions and changing passwords. It’s an interesting read on its own, but there are some interesting clues if you read between the lines. A General in the know mentioned that Isis:

clicked on something or they did something that then allowed us to gain control and then start to move.

This sounds very similar to stories we’ve covered in the past, where 0-days are used to compromise groups or individuals. Perhaps the NSA supplied such an exploit, and it was sent in a phishing attack. Through various means, the U.S. team quietly compromised systems and collected credentials.

The article mentions something else interesting. Apparently the targets of this digital sting had also been compromising machines around the world, and using those machines to manage their efforts. The decision was made by the U.S. team to also compromise those machines, in order to lock out the Isis team. This might be the most controversial element of the story. Security researchers have wanted permission to do this for years. How should the third parties view these incursions?

The third element that I found particularly interesting was the phase 2 attack. Rather than outright delete, ban, and break Isis devices and accounts, the U.S. team installed persistent malware that emulated innocuous glitches. The internet connection is extremely laggy on certain days, certain websites simply don’t connect, and other problems. These are the sort of gremlins that networking pros spend all day trying to troubleshoot. The idea that it’s intentional gives me one more thing to worry about. Continue reading “This Week In Security: Is RSA Finally Broken? The Push For Cloud Accounts, Encrypted DNS, And More Mobile Mayhem” →

Pistol Safe’s Poor Design Means Biometric Sensor Bypassed In Seconds

October 3, 2019 by Donald Papp 38 Comments

When it comes to safes, mechanical design and physical layout are just as important as the electronic bits. If care isn’t taken, one element can undermine the other. That appears to be the case with this Amazon Basics branded biometric pistol safe. Because of the mechanical design, the fingerprint sensor can be overridden with nothing more than a thin piece of metal — no melted gummi bears and fingerprint impressions involved.

push button to reset safe fingerprint reader — Small button used to register a new fingerprint. It can be reached by inserting a thin shim in the gap between the door and the frame while the safe is closed and locked.

[LockPickingLawyer] has a reputation for exposing the lunacy of poorly-designed locks of all kinds and begins this short video (embedded below) by stating that when attempting to bypass the security of a device like this, he would normally focus on the mechanical lock. But in this case, it’s far more straightforward to simply subvert the fingerprint registration.

This is how it works: the back of the front panel (which is inside the safe) has a small button. When this button is pressed, the device will be instructed to register a new fingerprint. The security of that system depends on this button being inaccessible while the safe is closed. Unfortunately it’s placed poorly and all it takes is a thin piece of metal slid through the thin opening between the door and the rest of the safe. One press, and the (closed) safe is instructed to register and trust a new fingerprint. After that, the safe can be opened in the usual way.

It’s possible that a pistol being present in the safe might get in the way of inserting a metal shim to hit the button, but it doesn’t look like it. A metal lip in the frame, or recessing the reset button could prevent this attack. The sensor could also be instructed to reject reprogramming while the door is closed. In any case, this is a great demonstration of how design elements can affect one another, and have a security impact in the process.

As for fooling sensors in a more traditional sense, here’s a reminder that we’ve seen a 3D printer and a photo of a fingerprint used to defeat a fingerprint sensor.

Continue reading “Pistol Safe’s Poor Design Means Biometric Sensor Bypassed In Seconds” →

Keeping Kids In School The Smart Way

September 30, 2019 by Sharon Lin 44 Comments

For institutions with high traffic, such as schools and movie theaters, it can be difficult to keep track of individuals moving in and out, especially without a critical mass of security. For schools especially, keeping track of student attendance and preventing kids from leaving campus in the middle of the day can be a costly problem.

The solution that Tunisian engineers [Michael Djimeli], [Darius Koliou], and [Jinette Tankoua] came up with was to create a smart gate that only turns when checks are carried out by designated security officers. The design is retrofitted to existing school turnstiles in his hometown of Monastir, Tunisia, and uses an RFID card, biometric devices, and a host of access controls to ensure that the student attempting to turn the turnstile is validated first.

The smart gate uses a few methods for identification – either by RFID, fingerprint, facial recognition, or by reading a QR code. An external database stores each user’s data and their transaction history, effectively storing their attendance data. In addition to relaying the information to an administrator, the smart gate also checks the credit of the user — whether they’ve paid the entrance fee for a movie theater, or whether they’re permitted to exit school grounds as a student.

A Raspberry Pi is used as the card collector, relaying information on transaction data over WiFi. Meanwhile local identification information via biometric devices and key fobs are relayed to the processor over Bluetooth. There are also plans to develop a mobile app to track the status of the smart gate remotely.

While the full systems integration isn’t published yet, there are several photos of the control box, which shows the components used for the first smart gate. The mechanical design was successfully tested on the IUC Douala Cameroon university campus (with 35-45 students identified per minute), and the project will hopefully be repeated within more schools in the coming year.

USB Armory MkII: A USB-C Thumb Drive Based Linux Computer For Pentesters

September 29, 2019 by Tom Nardi 16 Comments

While it might look like a disrobed flash drive or RTL-SDR dongle, the USB Armory Mk II is actually a full-fledged open hardware computer built into the ubiquitous USB “stick” format. But more than just that, it’s optimized for security research and boasts a list of features that are sure to get the attention of any pentesters in the audience. Fine tuned thanks to the feedback developer [Inverse Path] received about the original version of the hardware, the Mk II promises to be the last word in secure mobile computing.

Compared to the original hardware, the most obvious change is the switch to USB-C. The previous USB Armory used traces on the PCB to plug directly into a USB Type-A port, but this time around [Inverse Path] has put a proper male connector on the front of the board. Nominally, the USB Armory is plugged into a host computer to provide it with power and a network connection, though it also has the ability to disguise itself as a storage or input device for more stealthy applications. There’s also a female USB-C port on the Mk II, which can be used to connect additional devices, a feature the previous version lacked.

The USB Armory Mk II is powered by an upgraded 900 MHz ARM Cortex-A7 processor, though it retains the same 512 MB of RAM from the previous version. Like the original, there’s a micro SD slot to hold the Linux operating system, but this time it’s supplemented with an onboard 16 GB eMMC chip. There’s even a physical switch that allows the user to choose which storage device they want to boot from. Other additions for the Mk II include Bluetooth connectivity, and a hardware true random number generator (TRNG).

We first brought you word of the original USB Armory back in 2014, and it’s always good to see an open hardware project thriving and iterating years later. While the $149 price tag arguably puts the MKII out of the tinkering budget for many of us, there’s clearly a market for niche devices like this and we can’t wait to see what [Inverse Path] comes up with next.