This Week In Security: ALPACA, AN0M, Recovering Ransoms, And More

Let’s talk Alpacas. More specifically, “Application Layer Protocol Confusion – Analyzing and Mitigating Cracks in TLS Authentication”. Although this is definitely a case of someone wanting their name to spell ALPACA, the research itself is pretty clever.

It’s a way to Man-In-the-Middle an HTTPS connection without actually needing to break the encryption. There are two primary observations at the core of the attack. First, multiple subdomains will often share the same TLS certificate. Second, TLS is regularly used to protect more than just HTTPS. So what happens if an HTTPS request is redirected to an FTPS (FTP over TLS) server run by the same company? The TLS handshake will complete successfully, because the certificate is valid for that name, but the data returned by the server is not at all what the browser expected.

The specific details are a little light on this one, but the authors identified three broad categories of attack. The first is an upload attack, where the attacker has privileges to upload files to an FTPS server. From what I can tell, an attacker initiates an FTP upload over SSL, using the control port, and then redirects the victim’s connection to the data port on that server. The entirety of the HTTP request is then saved, decrypted, on the FTPS server. This request could contain session cookies and other secrets.

The second identified attack is the opposite: the attacker uploads a malicious file, initiates a download, and then redirects a browser’s request to the FTPS data port. The malicious file is grabbed and the browser may interpret it as code to be run. The third is a reflection technique, and this one’s a bit different. Essentially the attacker sends a request for a file named DoBadThings();, and then connects the victim browser to the data port. The server responds with an error along the lines of “Cannot find file: DoBadThings();”, and the browser might just execute the script fragment. This isn’t one of those attacks that will apply to every server, but in just the right setup, it could lead to problems.

VMware Flaw Exploited

There is a serious VMware flaw under active exploit right now. It’s apparently in the VMware vCenter control program, and exploiting it is as simple as six curl commands. The flaw is pre-authentication and only requires access to HTTPS port 443. At least one researcher has already seen his VMware honeypot attacked and observed the web shell the attacker installed. This one looks like a big deal, so make sure you’re up to date if you run VMware.

That Time the FBI Ran a Darknet

AN0M was a popular encrypted communication tool for the underworld, really a network consisting of locked-down mobile devices with a specialized app running on them. The reality was a bit different, though: the tool was actually being run as Operation Ironside, a joint operation by the FBI and the Australian Federal Police (AFP). The story is a weird one, and really raises some legal and ethical questions, so buckle up.

First off, things got started back in 2018 when Phantom Secure CEO Vincent Ramos was prosecuted on RICO charges related to his company’s work on secure phones. They specialized in taking Blackberry phones, yanking out all the IO hardware, like camera, microphone, and even GPS chips, and then installing encrypted communication apps. In short, very similar to AN0M. Phantom Secure was walking a very thin line between being a legitimate provider of secure hardware and actively supporting criminal enterprise. When Ramos told an undercover FBI agent that his phones were specifically for drug smuggling, it became obvious that he had strayed far onto the wrong side of the law. He and many in the company were charged with related crimes.

One employee already had drug charges on his record, and agreed to cooperate with the FBI in exchange for avoiding further charges. That developer had already been developing his own device, which he called AN0M. The deal he cut with the feds was to turn over his work for immunity. A scheme was hatched, apparently over beers between agents, to complete the development of AN0M and distribute the devices, but to include a complete back door for law enforcement. This is actually very similar to what was done with Crypto AG, under Project Rubicon.

The turned developer distributed the devices to his contacts, and law enforcement agencies around the world got involved, quietly helping to make them popular. The devices served their purpose of providing messaging to all recipients. It just wasn’t known at the time that law enforcement agents were BCC’d on every message. It’s not clear what triggered the raids and announcements, but this was definitely a coordinated action.

There is a lingering question, however. Namely, does law enforcement really have the legal authority to develop and distribute a malicious device and application? Did a warrant actually cover this? Can it? There is sure to be much consternation over such questions in the months to come. Just imagine that WhatsApp were eventually revealed to be an app secretly developed by the Chinese government; how would you feel about it then?

Ransomware and Bitcoin Seizure

And in another major victory for the FBI, the majority of the funds paid by Colonial Pipeline have been recovered. It’s not entirely known how the recovery happened, but you can read the FBI affidavit that describes the path the Bitcoins took. There’s a strange little statement at the end of that document: “The private key for the Subject Address is in the possession of the FBI in the Northern District of California.” One has to wonder a couple of things. First, how was the FBI able to track those bitcoins? And second, just how did they happen to end up in a wallet that the FBI knew the key for? Could the AN0M story be related?

Now here’s another angle to this. Colonial was given the choice to pay in Bitcoin or Ethereum, and they chose Bitcoin, even though there was a 10% extra fee for that currency. They had their networks mostly back up, and they knew the decryptor wouldn’t be very helpful. They were working with law enforcement, and they still paid. This raises the very real possibility that the payment was made specifically to trace the Bitcoin transactions.

Next, remember how proud JBS was of their incident response? Now we find out that they did indeed pay an $11 million ransom. However, that was in cooperation with federal officials, and it was not necessary to recover files. Oh, and it was paid in Bitcoin. Sound familiar? At this point, it’s a fair guess that the FBI or another agency helping them has an angle on tracing Bitcoin transactions. AN0M is one possibility. Another is that the FBI is running a “mixer”, essentially a Bitcoin money laundering service. (Shoutout to @MalwareJake for that idea.) Regardless, there seems to be a more serious stance taken towards ransomware as a result of the high-profile hacks of the last few weeks.

Rocket.Chat Goes Boom

Running a Rocket.Chat instance? Go update it! This popular Open Source messaging platform uses a NoSQL backend for managing users. If you thought getting rid of SQL means you don’t have injection vulnerabilities, think again.

The MongoDB database backend passes requests and data in a JSON-like format. The first attack is to stuff a regex pattern into that JSON where a plain string was expected, and leak the password hash one character at a time from the yes/no answers. The second vulnerability uses the $where operator in MongoDB in a clever way. Rather than trying to leak information directly, they used error messages to get information out. Put both together, and you can go from simply knowing a user’s email address to a shell on the hosting server in seconds. All in all, it’s an impressive hack, and the video demonstration of it is worth a watch.
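To make the regex trick concrete, here is an added example (not Rocket.Chat’s code, and a stand-in for MongoDB’s matching rather than a real driver) with a vulnerable login beside a hardened one; the user record, email address and hash value are constructed, and the hardened version also refuses any `$`-prefixed key, which covers the `$where` case too.

```javascript
// Added example, not Rocket.Chat's or MongoDB's code: a tiny Mongo-style
// matcher that supports only $regex, showing why an operator object smuggled
// into a JSON credential field turns login into a yes/no oracle on the hash.

// Constructed sample record; the hash value is a made-up placeholder.
const users = [
  { email: "alice@example.com", hash: "5f4dcc3b5aa765d61d8327deb882cf99" },
];

// Minimal emulation of MongoDB field matching: a plain value compares by
// equality, an object carrying $regex is applied as a regular expression.
function fieldMatches(stored, cond) {
  if (cond !== null && typeof cond === "object" && "$regex" in cond) {
    return new RegExp(cond.$regex).test(stored);
  }
  return stored === cond;
}

function findOne(query) {
  return users.find((u) =>
    Object.entries(query).every(([k, v]) => fieldMatches(u[k], v)),
  ) || null;
}

// Vulnerable pattern: request-body values go straight into the query, so a
// JSON object is accepted where a plain string was expected.
function loginVulnerable(body) {
  return findOne({ email: body.email, hash: body.hash }) !== null;
}

// Recursive check, usable as input validation or as a request-log rule:
// does any key anywhere in the value start with "$"?
function hasOperatorKeys(value) {
  if (value === null || typeof value !== "object") return false;
  return Object.entries(value).some(([k, v]) => k.startsWith("$") || hasOperatorKeys(v));
}

// Hardened pattern: only plain strings reach the query, and any operator
// key in the body is refused before the database can interpret it.
function loginHardened(body) {
  if (typeof body.email !== "string" || typeof body.hash !== "string" ||
      hasOperatorKeys(body)) {
    throw new TypeError("credentials must be plain strings");
  }
  return findOne({ email: body.email, hash: body.hash }) !== null;
}

// One oracle probe: the vulnerable login answers whether the stored hash
// starts with `prefix`; the hardened login throws instead of answering.
function probeHashPrefix(login, email, prefix) {
  return login({ email, hash: { $regex: "^" + prefix } });
}
```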

Agent Smith Takes Over The Matrix

Include Security found an interesting bug in the Unity engine, where a malicious game object can run arbitrary code on the machine running the engine. It’s the sort of thing that game designers don’t think too much about until it’s a problem. I couldn’t help but think of VR Chat, a multiplayer experience that allows players to upload their own avatars. It’s built in Unity, and uses game objects for those avatars. I haven’t been able to confirm whether it has this vulnerability one way or the other, but I’m very much reminded of Agent Smith copying himself onto all the other citizens of the Matrix. If VR Chat does indeed have this problem, it would be rather trivial to build an avatar worm to do the same thing. Life imitates art.

Don’t Use a Password Manager?

And finally, one of the hallowed bits of cybersecurity wisdom gets challenged by [Tavis Ormandy] of Google Project Zero fame. His take? Don’t use a password manager! Well, actually, it’s that you shouldn’t use a password manager that is a browser extension, because websites can interact with the hooks that make them work. There’s more to his argument, and his conclusion is simple: use the password manager built into Google Chrome, or Firefox, if that’s what you use. His argument that many of the extensions aren’t as secure as they claim to be is rather compelling.

Survey Of Simple Logic Simulators

A few months ago, a tweet by [Ken Shirriff] asking about simple digital simulators caught my attention. The topic came up again in May when a repair video by [CuriousMarc] featured one such simulator called Logisim-evolution. It made me want to take a fresh look at what’s out there and which features set the different simulators apart.

So today, let’s take a quick survey of a few such simulators that I found. I’m focusing on plain logic simulators, analyzing ones and zeros using Boolean logic. They don’t do SPICE-like analog analysis of transistor logic gates, but they’re still quite handy for proving out designs.

Injection-Molded Glass Breakthrough Shatters Ceiling Of Work Methods

Glass is one of humanity’s oldest materials, and it is still used widely for everything from drinking vessels and packaging to optics and communications. Unfortunately, the methods for working with glass are stuck in the past. Most methods require a lot of high heat in the range of 1500 °C to 2000 °C, and they’re all limited in the complexity of shapes that can be made.

As far as making shapes goes, glass can be blown and molten glass pressed into molds. Glass can also be ground, etched, or cast in a kiln. Glass would be fantastic for many applications if it weren’t for the whole limited geometry thing. Because of the limitations of forming glass, some optic lenses are made with polymers, even though glass has better optical characteristics.

Ideally, glass could be injection molded like plastic. The benefits of this would be twofold: more intricate shapes would be possible, and they would have a much faster manufacturing time. Well, the wait is over. Researchers at Germany’s University of Freiburg have figured out a way to apply injection molding to glass. And it’s not just any glass — they’ve made high-quality, transparent fused quartz glass, and they did it at lower temperatures than traditional methods. The team used x-ray diffraction to verify that the glass is amorphous and free of crystals, and were able to confirm its optical transparency three ways — light microscopy, UV-visible, and infrared measurements. All it revealed was a tiny bit of dust, which is to be expected outside of a clean room.

Historical Hackers: Ctesibius Tells Time

People are obsessed with the time and the weather. We’ve talked about the weather since we were all cave dwellers hunting with spears. But the time is a different matter. Sure, people always had the idea of the passage of time. The sun rising and setting gives a natural sense of days, but daylight and dark periods vary by the time of year, and getting an accurate and linear representation of time turns out to be rather difficult. That is, unless you are a Greek engineer living in Alexandria around 250 BC.

Legend has it that an engineer’s work in his father’s barbershop led him to discover not only the first working clock, but also the pipe organ, launching the field of pneumatics in the process. That engineer was named Ctesibius, and while his story is mostly forgotten, it shows he has a place as a historical hacker.

You might think there were timekeeping devices before 250 BC, and that’s sort of true. However, the devices before Ctesibius had many limitations. For example, a sundial can tell time, but only if the sun is shining. At night or during a storm it is worthless.

What Is Ultra Wideband?

If you’ve been following the world of mobile phone technology of late, you may be aware that Apple’s latest iPhones and AirTag locator tags bring something new to that platform. Ultra wideband radios are the new hotness when it comes to cellphones, so just what are they, and what’s in it for those of us who experiment with these things?

An Apple AirTag being paired with an iPhone. Swisshashtag, CC BY-SA 4.0.

Ultra wideband in this context refers to radio signals with a very high bandwidth of over 500 MHz, and a very low overall power density spread over that spectrum. Transmissions are encoded not by modulation of discrete-frequency carriers as they would be in a conventional radio system, but by the emission of wideband pulses of RF energy across that bandwidth. It can exist across the same unlicensed spectrum as narrower bandwidth channelised services, and that huge bandwidth gives it an extremely high short-range data transfer capability. The chipsets used by consumer devices use a range of UWB channels between about 3.5 and 6.5 GHz, which in radio terms is an immense quantity of spectrum.

Linux Fu: Databases Are Next-Level File Systems

It is funny how exotic computer technology eventually either fails or becomes commonplace. At one time, having more than one user on a computer at once was high tech, for example. Then there are things that didn’t catch on widely, like vector displays or content-addressable memory. The use of mass storage — especially disk drives — in computers, though, has become very widespread. But at one time it was an exotic technique and wasn’t nearly as simple as it is today.

However, I’m surprised that the filesystem as we know it hasn’t changed much over the years. Sure, compared to, say, the 1960s we have a lot better functionality. And we have lots of improvements surrounding speed, encoding, encryption, compression, and so on. But the fundamental nature of how we store and access files in computer programs is stagnant. But it doesn’t have to be. We know of better ways to organize data, but for some reason, most of us don’t use them in our programs. Turns out, though, it is reasonably simple and I’m going to show you how with a toy application that might be the start of a database for the electronic components in my lab.

You could store a database like this in a comma-delimited file or using something like JSON. But I’m going to use a full-featured SQLite database to avoid having a heavyweight database server and all the pain that entails. Is it going to replace the database behind the airline reservation system? No. But will it work for most of what you are likely to do? You bet.

ISS Artificial Gravity Study Shows Promise For Long Duration Spaceflight

The International Space Station is humanity’s most expensive gym membership.

Since the earliest days of human spaceflight, it’s been understood that longer trips away from Earth’s gravity can have a detrimental effect on an astronaut’s body. Floating weightless invariably leads to significantly reduced muscle mass, in the same way that a patient’s muscles can atrophy if they spend too much time lying in bed. With no gravity to constantly fight against, an astronaut’s leg, back, and neck muscles will weaken from disuse in as little as a week. While this may not pose an immediate problem during spaceflight, astronauts landing back on Earth in this physically diminished state are at a higher risk of injury.

Luckily this problem can be largely mitigated with rigorous exercise, and any orbiting vessel spacious enough to hold human occupants for weeks or months will by necessity have enough internal volume to outfit it with basic exercise equipment such as a treadmill or a resistance machine. In practice, every space station since the Soviet Union’s Salyut 1 in 1971 has featured some way for its occupants to work out while in orbit. It’s no replacement for being on Earth, as astronauts still return home weaker than when they left, but it’s proven to be the most practical approach to combating the debilitating aspects of long-duration spaceflight.

Early NASA concept for creating artificial gravity.

Of course, there’s an obvious problem with this: every hour spent exercising in space is an hour that could be better spent doing research or performing maintenance on the spacecraft. Given the incredible cost of not just putting a human into orbit, but keeping them there long-term, time is very literally money. Which brings us back to my original point: astronauts spending two or more hours each day on the International Space Station’s various pieces of exercise equipment just to stave off muscle loss make it the world’s most expensive gym membership.

The ideal solution, it’s been argued, is to design future spacecraft with the ability to impart some degree of artificial gravity on its passengers through centripetal force. The technique is simple enough: just rotate the craft along its axis and the crew will “stick” to the inside of the hull. Unfortunately, simulating Earth-like gravity in this way would require the vessel to either be far larger than anything humanity has ever launched into space, or rotate at a dangerously high speed. That’s a lot of risk to take on for what’s ultimately just a theory.

But a recent paper from the University of Tsukuba in Japan may represent the first real steps towards the development of practical artificial gravity systems aboard crewed spacecraft. While their study focused on mice rather than humans, the results should go a long way to codifying what until now was largely the stuff of science fiction.