Sneak Thieves Beware: A Pi Watcheth

Ever have that strange feeling that somebody is breaking into your workshop? Well, Hackaday.io user [Kenny] has whipped up a tutorial on how to scratch that itch by turning a spare Raspberry Pi you may have kicking around into a security camera system that notifies you at a moment’s notice.

The system works like this: a Raspberry Pi 3 and connected camera module remain vigilant, constantly scanning for motion and recording video. If motion is detected, it immediately snaps and sends a picture to the user’s mobile via PushBullet, then begins recording video. If there is still movement after a few seconds, the process repeats until the area is once again devoid of motion. This also permits a two-way communication with your Pi security system, so you can check in on the live feed whenever you feel the urge.

To get this working for you, assuming that your Pi has been recently updated, you need to set up a PushBullet account, install the app on your mobile, and link it with the API. On your Pi, you can go ahead and install the Python PushBullet libraries, FFmpeg, Pi Camera Notifier, and the rest, or use the ready-to-go image [Kenny] has prepared. He gets into the nitty-gritty of the code in his guide, so check that out or watch the tutorial video after the break.


Dropping Zip Bombs On Vulnerability Scanners

If you’ve ever looked at the server logs of a computer that lives full-time on the Internet, you know it’s a rough world out there. You’ll see hundreds of attempts per day to break into your one random little box. Are you going to take that sitting down? Christian Haschek didn’t.

Instead of simply banning IPs or closing off services, [Christian] decided to hit ’em where it hurts: in the RAM. Now, whenever a bot hits his server looking for a poorly configured WordPress install, he serves them 10 GB of zeroes, compressed down into 10 MB by gzip:

dd if=/dev/zero bs=1M count=10240 | gzip > 10G.gzip

The classic trick uses zip multiple times on itself, which lets you compress arbitrarily large files into just a few kB. [Christian] tried this with gzip, and discovered that it didn’t automatically recurse, so he’s taking a small bandwidth hit for the team. If you know how to get more data packed smaller using gzip, leave a note in the comments.
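The practical counterpart to the trick above is the client side: why a 10 MB download turns into 10 GB in RAM, and how anything that fetches untrusted gzip content avoids that fate. The following Python script is an added example, not code from [Christian]’s post. It builds a much smaller zero-filled gzip stream the same way the dd command does (4 MiB instead of 10 GiB, a constructed sample), reads the size the gzip trailer advertises, and shows a bounded decompressor that gives up once the output exceeds a caller-chosen limit. The function and constant names are mine.

```python
import gzip
import io
import struct

MIB = 1024 * 1024


def make_zero_bomb(size_bytes: int) -> bytes:
    """gzip a run of zero bytes, like `dd if=/dev/zero | gzip` but in memory.

    Deflate tops out at roughly 1032:1 on input like this, which is why 10 GiB
    of zeroes lands at about 10 MiB and why plain gzip cannot reach the few-kB
    results of a nested zip bomb.
    """
    return gzip.compress(b"\x00" * size_bytes, compresslevel=9)


def compression_ratio(compressed: bytes, original_size: int) -> float:
    """Uncompressed bytes per compressed byte."""
    return original_size / len(compressed)


def advertised_size(compressed: bytes) -> int:
    """ISIZE from the gzip trailer: the uncompressed length modulo 2**32.

    It is the only size hint gzip carries, it wraps for anything over 4 GiB,
    and whoever built the stream controls it, so treat it as a logging hint,
    never as a bound.
    """
    return struct.unpack("<I", compressed[-4:])[0]


class DecompressionBomb(Exception):
    """Raised when decompressed output would exceed the configured limit."""


def safe_gunzip(compressed: bytes, max_out: int, chunk: int = 64 * 1024) -> bytes:
    """Decompress a gzip stream, refusing to emit more than max_out bytes.

    Reading in fixed-size chunks bounds memory by max_out plus one chunk, no
    matter what the stream claims or actually contains.  The naive
    gzip.decompress(compressed) would instead allocate the whole payload.
    """
    out = bytearray()
    with gzip.GzipFile(fileobj=io.BytesIO(compressed), mode="rb") as stream:
        while True:
            piece = stream.read(chunk)
            if not piece:
                break
            out += piece
            if len(out) > max_out:
                raise DecompressionBomb(f"output exceeded {max_out} bytes")
    return bytes(out)


def is_bomb(compressed: bytes, max_out: int) -> bool:
    """True if decompressing would exceed max_out, i.e. safe_gunzip refuses it."""
    try:
        safe_gunzip(compressed, max_out)
    except DecompressionBomb:
        return True
    return False


if __name__ == "__main__":
    bomb = make_zero_bomb(4 * MIB)
    print(f"{4 * MIB} zero bytes -> {len(bomb)} gzip bytes "
          f"(ratio {compression_ratio(bomb, 4 * MIB):.0f}:1, "
          f"trailer says {advertised_size(bomb)})")
    print("8 MiB cap:", len(safe_gunzip(bomb, 8 * MIB)), "bytes out")
    print("1 MiB cap: refused?", is_bomb(bomb, 1 * MIB))
```

The limit belongs on the output side: a scanner that trusts Content-Length, or the ISIZE trailer, has already lost, because both are chosen by the server. The same chunked pattern applies to any decompressor that hands back data in bounded pieces.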

Nobody really knows if this works on the bad guys’ servers, but [Christian] said that they stopped hitting him after downloading a couple of payloads. If you want to test out what it does to your system, click this link. If you don’t run a server, but phishing e-mails get you hot under the collar, check out [Robbie Gallagher]’s talk on phishing the phishers from last year’s ShmooCon for cathartic tales of revenge.

Hacking Into… A Wind Farm?

Pick a lock, plug in a WiFi-enabled Raspberry Pi and that’s nearly all there is to it.

There’s more than that of course, but the wind farms that [Jason Staggs] and his fellow researchers at the University of Tulsa had permission to access were — alarmingly — devoid of security measures beyond a padlock or tumbler lock on the turbines’ server closet. Since wind farms are generally in open fields away from watchful eyes, there is little indeed to deter a would-be attacker.

[Staggs] notes that a savvy intruder has the potential to shut down or cause considerable — and expensive — damage to entire farms without alerting their operators, usually needing access to only one turbine to do so. Once they’d entered the turbine’s innards, the team made good on their penetration test by plugging their Pi into the turbine’s programmable automation controller and circumventing the modest network security.

The team are presenting their findings from the five farms they accessed at the Black Hat security conference, with manufacturers, company names, locations, etc. withheld for obvious reasons. One hopes that security measures are stepped up in the near future if wind power is to become an integral part of the power grid.

All this talk of hacking and wind reminds us of our favourite wind-powered wanderer: the Strandbeest!

[via WIRED]

New Ransomware Crippling Chernobyl Sensors

[The BBC] reports that companies all over the world are seeing a new ransomware variant of WannaCry; this time it has taken out sensors monitoring the Chernobyl nuclear disaster site.

We have all heard of the growing problem of ransomware and how Windows XP systems seem especially susceptible to WannaCry and its variants, which were originally zero-day vulnerabilities stored up by the NSA and then leaked by WikiLeaks. Microsoft did release a patch. It’s been everywhere in the media, but it still seems that some people didn’t get the memo.

Ukrainian state power plants and Kiev’s main airport, among others, have been affected. Probably most interesting and scary of all is that Chernobyl monitoring stations have been taken out, and monitors have to take radiation levels manually for the moment.

It seems that most reports are coming from old Soviet Bloc states (Ukraine, Russia, and Poland), which raises the question of where the attacker is based. Kaspersky Lab is reporting that it’s believed the ransomware was a “new malware that has not been seen before” with a close resemblance to Petya. As a result, the firm has dubbed it NotPetya.

NotPetya is spreading rapidly, affecting companies all over the world with no signs of slowing just yet. Will we see an end to WannaCry variants any time soon?

[Update: Thanks to [getrekt], it now seems that this is fake ransomware, which just destroys your data whether you pay or not.]

Fake Your ID Photos – The 3D Way

Photographs for identification purposes have strict requirements. Lighting, expression, and framing are all controlled to enable authorities to quickly and effectively use them to identify individuals reliably. But what if you created an entirely fake photograph from scratch? That’s exactly what [Raphael Fabre] set out to do.

With today’s 3D modelling tools, human faces can be created in extreme detail. Using these, [Raphael] set out to create a 3D model of himself, which was then used to render images simulating a passport photograph. Not content to end the project there, [Raphael] put his digital doppelgänger to the test – applying for a French identification card. He succeeded.

While the technology to create and render high-quality human faces has existed for a while, it’s impressive that [Raphael]’s work passed for a genuine human. Obviously there’s something to be said for the likelihood of an overworked civil servant catching this sort of ruse, but the simple fact is, the images made it through the process, and [Raphael] has his ID. Theoretically, this leaves open the possibility of creating entirely fictitious characters and registering them as real citizens with the state, for all manner of nefarious purposes. If you do this, particularly on a grand scale, be sure to submit it to the tip line.

We’ve seen other concerning ID hacks before, such as this attempt at hacking RFIDs in Passport Cards.

Practical IoT Cryptography On The Espressif ESP8266

The Espressif ESP8266 chipset makes three-dollar ‘Internet of Things’ development boards an economic reality. According to the popular automatic firmware-building site nodeMCU-builds, in the last 60 days there have been 13,341 custom firmware builds for that platform. Of those, only 19% have SSL support, and 10% include the cryptography module.

We’re often critical of the lack of security in the IoT sector, and frequently cover botnets and other attacks, but will we hold our projects to the same standards we demand? Will we stop at identifying the problem, or can we be part of the solution?

This article will focus on applying AES encryption and hash authorization functions to the MQTT protocol using the popular ESP8266 chip running NodeMCU firmware. Our purpose is not to provide a copy/paste panacea, but to go through the process step by step, identifying challenges and solutions along the way. The result is a system that’s end-to-end encrypted and authenticated, preventing eavesdropping along the way, and spoofing of valid data, without relying on SSL.

We’re aware that there are also more powerful platforms that can easily support SSL (e.g. Raspberry Pi, Orange Pi, FriendlyARM), but let’s start with the cheapest hardware most of us have lying around, and a protocol suitable for many of our projects. AES is something you could implement on an AVR if you needed to.


Raspberry Pi Malware Mines BitCoin

According to Russian security site [Dr.Web], there’s a new malware called Linux.MulDrop.14 striking Raspberry Pi computers. In a separate posting, the site examines two different Pi-based trojans including Linux.MulDrop.14. That trojan uses your Pi to mine some form of cryptocurrency. The other trojan sets up a proxy server.

According to the site:

Linux Trojan that is a bash script containing a mining program, which is compressed with gzip and encrypted with base64. Once launched, the script shuts down several processes and installs libraries required for its operation. It also installs zmap and sshpass.

It changes the password of the user “pi” to “$6$U1Nu9qCp$FhPuo8s5PsQlH6lwUdTwFcAUPNzmr0pWCdNJj.p6l4Mzi8S867YLmc7BspmEH95POvxPQ3PzP029yT1L3yi6K1”.

In addition, the malware searches for network machines with open port 22 and tries to log in using the default Raspberry Pi credentials to spread itself.

Embedded systems are a particularly inviting target for hackers. Sometimes it is for the value of the physical system they monitor or control. In other cases, it is just the compute power, which can be used for denial of service attacks on others, spam, or — in this case — BitCoin mining. We wonder how large your Raspberry Pi botnet needs to be to compete in the mining realm.

We hope you haven’t kept the default passwords on your Pi. In fact, we hope you’ve taken our previous advice and set up two-factor authentication. You can do other things too, like change the SSH port, run fail2ban, or implement port knocking. Of course, if you use Samba to share Windows files and printers, you ought to read about that vulnerability as well.
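The Dr.Web description quoted above gives two concrete host-level indicators (the exact password hash written for the “pi” account, and the zmap and sshpass tools the script installs), and the advice here names three sshd settings worth checking. The Python script below is an added example, not code from Dr.Web or Hackaday, that turns both into a check you can run on a Pi. It looks for the quoted hash in /etc/shadow-style text, for the two tools on PATH, and audits sshd_config for password logins, root login and the default port. The function names, the sample shadow and config text, and the fake_which helper are constructed for the example; the hash and tool names come from the quote above.

```python
from __future__ import annotations

import re
import shutil
from collections.abc import Callable

# Indicators from the Dr.Web description quoted above.
# SHA-512 crypt hash that Linux.MulDrop.14 writes for the "pi" account:
MULDROP_PI_HASH = "$6$U1Nu9qCp$FhPuo8s5PsQlH6lwUdTwFcAUPNzmr0pWCdNJj.p6l4Mzi8S867YLmc7BspmEH95POvxPQ3PzP029yT1L3yi6K1"
# Tools the quoted description says the trojan installs for scanning and spreading:
MULDROP_TOOLS = ("zmap", "sshpass")


def shadow_hash_for(shadow_text: str, user: str) -> str | None:
    """Return the password field for `user` from /etc/shadow-style text, or None."""
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] == user:
            return fields[1]
    return None


def find_muldrop_indicators(shadow_text: str,
                            which: Callable[[str], str | None] = shutil.which) -> list[str]:
    """Host-level indicators of Linux.MulDrop.14 as described in the quote above.

    `which` is injectable so the check can run over constructed data in tests.
    """
    findings: list[str] = []
    if shadow_hash_for(shadow_text, "pi") == MULDROP_PI_HASH:
        findings.append("pi password hash matches the Linux.MulDrop.14 value")
    for tool in MULDROP_TOOLS:
        path = which(tool)
        if path:
            findings.append(f"{tool} present at {path} (the trojan installs it; "
                            "confirm it was not installed deliberately)")
    return findings


# OpenSSH defaults that apply when a keyword is absent or commented out.
_SSHD_DEFAULTS = {
    "port": "22",
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}


def parse_sshd_config(config_text: str) -> dict[str, str]:
    """Effective top-level sshd_config keywords, lower-cased, with defaults filled in.

    sshd keeps the first value it sees for a keyword, so later duplicates are
    ignored.  Both "Key value" and "Key=value" forms are accepted; Match
    blocks are conditional and are not modelled here, so parsing stops there.
    """
    settings: dict[str, str] = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.lower().startswith("match"):
            break
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return {**_SSHD_DEFAULTS, **settings}


def audit_sshd_config(config_text: str) -> list[str]:
    """Flag the settings the advice above targets: password logins, root login, default port."""
    s = parse_sshd_config(config_text)
    findings: list[str] = []
    if s["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication yes: guessed default credentials work; use keys")
    if s["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes: root is reachable with a password")
    if s["port"] == "22":
        findings.append("Port 22: scanners like the one described above try this port first")
    return findings


# Constructed sample inputs for demonstration; not taken from any real host.
SAMPLE_SHADOW = (
    "root:*:17000:0:99999:7:::\n"
    f"pi:{MULDROP_PI_HASH}:17333:0:99999:7:::\n"
)
SAMPLE_SSHD_CONFIG = """\
#Port 22
PasswordAuthentication yes
PermitRootLogin yes
# the next line is ignored by sshd: the first value above wins
PasswordAuthentication no
"""
HARDENED_SSHD_CONFIG = """\
Port 2222
PasswordAuthentication no
PermitRootLogin no
"""


def check_host(shadow_path: str = "/etc/shadow",
               sshd_config_path: str = "/etc/ssh/sshd_config") -> list[str]:
    """Run both checks against the live system (reading /etc/shadow needs root)."""
    with open(shadow_path) as fh:
        shadow = fh.read()
    with open(sshd_config_path) as fh:
        config = fh.read()
    return find_muldrop_indicators(shadow) + audit_sshd_config(config)


if __name__ == "__main__":
    # fake_which pretends only zmap is installed, so the demo runs anywhere.
    def fake_which(name: str) -> str | None:
        return f"/usr/bin/{name}" if name == "zmap" else None

    for finding in (find_muldrop_indicators(SAMPLE_SHADOW, which=fake_which)
                    + audit_sshd_config(SAMPLE_SSHD_CONFIG)):
        print("FINDING:", finding)
```

Run check_host() as root for a real verdict; the default-password question itself is not answered by this script, since that needs a crypt implementation rather than a string compare, and a Pi that still has the default credentials is exactly what the trojan’s port 22 sweep is looking for.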