This Week In Security: Censoring Researchers, The Death Of OpenPGP, Dereferencing Nulls, And Zoom Is Watching You

Last week the schedule for our weekly security column collided with the Independence Day holiday. The upside is that we get a two-for-one deal this week, as we’re covering two weeks worth of news, and there is a lot to cover!

[Petko Petrov], a security researcher in Bulgaria, was arrested last week for demonstrating a weakness he discovered in a local government website. In the demonstration video, he stated that he attempted to disclose the vulnerability to both the software vendor and the local government. When his warnings were ignored, he took to Facebook to inform the world of the problem.

From the video, it appears that a validation step was performed on the browser side, easily manipulated by the end user. Once such a flaw is discovered, it becomes trivial to automate the process of scraping data from the vulnerable site. The vulnerability found isn’t particularly interesting, though the amount of data exposed is rather worrying. The bigger story is that as of the latest reports, the local government still intends to prosecute [Petko] for downloading data as part of demonstrating the attack.

YouTube Censorship

We made a video about launching fireworks over Wi-Fi for the 4th of July only to find out @YouTube gave us a strike because we teach about hacking, so we can't upload it. YouTube now bans: "Instructional hacking and phishing: Showing users how to bypass secure computer systems"

In related news, Google has begun cracking down on “Instructional Hacking and Phishing” videos. [Kody] from the Null Byte YouTube channel found himself locked out of his own channel after receiving a strike for a video discussing a Wi-Fi vulnerability.

The key to getting a video unblocked seems to be generating lots of social media attention. Enough outcry seems to trigger a manual review of the video in question, and usually results in the strike being rescinded.

Improved Zip Bomb

A zip bomb is a small zip file that unzips into a ridiculously large file or collection of files. While there are obvious nefarious uses for such a file, it has also become something of a competition, crafting the most extreme zip bomb. The previous champion was 42.zip, a recursive zip file that when fully extracted, weighs in at 42 petabytes. A new contender may have just taken the crown, and without using zip file recursion.

[David Fifield] discovered a pair of ZIP tricks. The first is that multiple files can be constructed from a single “kernel” of compressed data. The second is that file headers can themselves be part of the files to be decompressed. It’s clever work, and much easier to understand when looking at the graphics he put together. From those two points, the only task left is to optimize. Taking advantage of the zip64 format, the final compression ratio was approximately 98 million to one.
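A defensive pre-extraction check for the two tricks just described, added here as an example; it is not code from the article or from [David Fifield]’s work, and the `max_ratio` threshold is an assumed policy value:

```python
import io
import struct
import zipfile

# Added example, not code from the article or from [David Fifield]'s work:
# a pre-extraction check for the two tricks described above.  Entries that
# share one "kernel" of compressed data show up as local file headers whose
# byte ranges overlap, and an implausible declared size relative to the
# archive is the classic zip-bomb signal whether or not recursion is used.

LOCAL_HEADER_FMT = "<4sHHHHHIIIHH"      # fixed 30-byte local file header
LOCAL_HEADER_LEN = struct.calcsize(LOCAL_HEADER_FMT)
LOCAL_HEADER_SIG = b"PK\x03\x04"


def local_header_len(data, offset):
    """Length of the local file header at `offset`: fixed part plus the
    file name and extra field, read from the header itself."""
    fields = struct.unpack_from(LOCAL_HEADER_FMT, data, offset)
    if fields[0] != LOCAL_HEADER_SIG:
        raise ValueError("no local file header at offset %d" % offset)
    name_len, extra_len = fields[9], fields[10]
    return LOCAL_HEADER_LEN + name_len + extra_len


def find_overlaps(entries):
    """entries: (name, header_offset, header_len, compress_size) tuples.
    Returns name pairs whose byte ranges in the archive overlap, which an
    archive written by an ordinary zip tool never produces."""
    spans = sorted(entries, key=lambda e: e[1])
    overlaps = []
    for (name_a, off_a, hdr_a, csize_a), (name_b, off_b, _, _) in zip(spans, spans[1:]):
        if off_b < off_a + hdr_a + csize_a:
            overlaps.append((name_a, name_b))
    return overlaps


def inspect_zip(data, max_ratio=100.0):
    """Inspect archive bytes without extracting anything.  `max_ratio` is
    an assumed policy threshold, not a value from the article."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    entries = [(zi.filename, zi.header_offset,
                local_header_len(data, zi.header_offset), zi.compress_size)
               for zi in infos]
    total_uncompressed = sum(zi.file_size for zi in infos)
    ratio = total_uncompressed / max(len(data), 1)
    overlaps = find_overlaps(entries)
    return {"entries": len(infos), "total_uncompressed": total_uncompressed,
            "ratio": ratio, "overlaps": overlaps,
            "suspicious": bool(overlaps) or ratio > max_ratio}


def build_sample_zip(sizes):
    """Constructed test input: one all-zero member per requested size,
    written by the standard library, so its entries never overlap."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for i, n in enumerate(sizes):
            zf.writestr("file%d.bin" % i, bytes(n))
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_zip(build_sample_zip([100, 2_000_000])))
```

The ratio check alone is what catches a classic bomb; the overlap check is what catches the header-sharing construction even when the declared sizes are lied about.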

Breaking OpenPGP Keyservers

OpenPGP as we know it is on the ropes. OpenPGP is the technique that allows encryption and verification of emails through cryptographic signatures. It’s the granddaddy of modern secure communication, and still widely used today. One of the features of OpenPGP is that anyone can upload their public key to keyservers hosted around the world. Because of the political climate in the early ’90s when OpenPGP was first developed, it was decided that a baked-in feature of the keyserver was that uploaded keys could never be deleted.

Another feature of OpenPGP keys is that one user can use their key to sign another user’s key, formally attesting that it is valid. This creates what is known as a “web of trust”. When an OpenPGP instance validates a signature, it also validates all the attestations attached to that signature. Someone has spammed a pair of OpenPGP certificates with tens of thousands of signatures. If your OpenPGP client refreshes those signatures, and attempts to check the validations, it will grind to a halt under the load. Loading the updated certificate permanently poisons the offline key-store. In some cases, just the single certificate can be deleted, but some users have had to delete their entire key store.
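A client-side triage step against the signature flooding described above, added here as an example; it is not from the article and not GnuPG or SKS code, the packet bodies in the test are constructed placeholders rather than real key material, and the per-user-ID limit is an assumed policy value:

```python
# Added example (not from the article, GnuPG or SKS): triage an OpenPGP
# certificate's packet stream before import, so a signature-flooded one
# is rejected rather than poisoning the key store.  Framing per RFC 4880
# sec. 4.2; tags 6 = public key, 13 = user ID, 2 = signature, 14 = subkey.
SIGNATURE, PUBLIC_KEY, USER_ID, PUBLIC_SUBKEY = 2, 6, 13, 14

def parse_packets(data):
    """Yield (tag, body) per packet.  Old- and new-format headers are
    handled; partial-body and indeterminate lengths are rejected."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        pos += 1
        if not ctb & 0x80:
            raise ValueError("bad packet tag byte at %d" % (pos - 1))
        if ctb & 0x40:                          # new-format header
            tag, first = ctb & 0x3F, data[pos]
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[pos] + 192
                pos += 1
            elif first == 255:
                length = int.from_bytes(data[pos:pos + 4], "big")
                pos += 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                                   # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            width = (1, 2, 4)[ltype]
            length = int.from_bytes(data[pos:pos + width], "big")
            pos += width
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated packet at %d" % pos)
        pos += length
        yield tag, body

def triage_certificate(data, max_sigs_per_uid=50):
    """Return (ok, counts): signatures seen after each user ID, and whether
    all stay under the threshold (an assumed policy value)."""
    counts, current = {}, None
    for tag, body in parse_packets(data):
        if tag == USER_ID:
            current = body.decode("utf-8", "replace")
            counts.setdefault(current, 0)
        elif tag == SIGNATURE and current is not None:
            counts[current] += 1
        elif tag == PUBLIC_SUBKEY:
            current = None          # later sigs bind the subkey, not a uid
    return all(c <= max_sigs_per_uid for c in counts.values()), counts

def packet(tag, body):
    """Constructed test helper: frame `body` as one new-format packet."""
    n = len(body)
    if n < 192:
        return bytes([0xC0 | tag, n]) + body
    if n < 8384:
        return bytes([0xC0 | tag, ((n - 192) >> 8) + 192, (n - 192) & 0xFF]) + body
    return bytes([0xC0 | tag, 0xFF]) + n.to_bytes(4, "big") + body
```

Counting happens on the raw packet stream, before any signature is cryptographically checked, which is exactly the work that grinds a client to a halt on a flooded certificate.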

It’s now apparent that parts of the OpenPGP infrastructure haven’t been well maintained for quite some time. [Robert J. Hansen] has been spearheading the public response to this attack, and is also one of the users directly targeted. In a follow-up post, he alluded to the need to rewrite the keyserver component of OpenPGP, and the lack of resources to do so.

It’s unclear what will become of the OpenPGP infrastructure. It’s likely that the old keyserver network will have to be abandoned entirely. An experimental keyserver is available at keys.openpgp.org that has removed the spammed signatures.

Beware the QR Codes

Link shorteners are a useful way to avoid typing out a long URL, but have a downside — you don’t know what URL you’re going to ahead of time. Thankfully there are link unshorteners, like unshorten.it. Paste a shortlink and get the full URL, so you don’t accidentally visit a shady website because you clicked on a shortened link. [Nick Guarino] over at cofense.com raises a new alarm: QR codes can similarly lead to malicious or questionable websites, and are less easily examined before scanning. His focus is primarily how a QR code can be used to bypass security products, in order to launch a phishing attack.

Most QR scanners have an option to automatically navigate to the web page in the code. Turn this option off. Not only could scanning a QR code lead to a malicious web site, but URLs can also launch actions in other apps. This potential problem of QR codes is very similar to the problem of shortened links — the actual payload isn’t human readable prior to interacting with it, when it’s potentially too late.

Dereferencing Pointers for Fun and Profit

On the 10th, the ESET blog, [welivesecurity], covered a Windows local privilege escalation 0-day being actively exploited in the wild. The exploit highlights several concepts, one of which we haven’t covered before, namely how to use a null pointer dereference in an exploit.

In C, a pointer is simply a variable that holds a memory location. In that memory location can be a data structure, a string, or even a callable function. By convention, when pointers aren’t referring to anything, they are set to NULL. This is a useful way to quickly check whether a pointer is pointing to live data. The process of interacting with a pointer’s data is known as dereferencing the pointer. A NULL pointer dereference, then, is accessing the data referred to by a pointer that is set to NULL. This puts us in the dangerous territory of undefined behavior.

Different compilers, architectures, and even operating systems will potentially demonstrate different behavior when doing something undefined. In the case of C code on 32-bit Windows 7, NULL is indistinguishable from zero, and memory location zero is a perfectly valid location. In this case, we’re not talking about the physical location zero, but logical address zero. In modern systems, each process has a dedicated pool of memory, and the OS manages the offset and memory mapping, allowing the process to use the simpler logical memory addressing.

Windows 7 has a function, “NtAllocateVirtualMemory”, that allows a process to request access to arbitrary memory locations. If a NULL, or zero, is passed to this function as the memory location, the OS simply picks a location to allocate that memory. What many consider a bug is that this function will effectively round down small memory locations. It’s quite possible to allocate memory at logical address 0/NULL, but is considered to be bad behavior. The important takeaway here is that in Windows 7, a program can allocate memory at a location referred to by a null pointer.

On to the vulnerability! The malicious program sets up a popup menu and submenu as part of its GUI. While this menu is still being initialized, the malicious program cancels the request to set up the menu. By timing the cancellation request precisely, it’s possible for the submenu to still be created, but to be a null pointer instead of the expected object. A second process can then trigger the system process to call a function expected to be part of the object. Because Windows allows the allocation of memory page zero, this effectively hands system level execution to the attacker. The full write-up is worth the time to check out.

Zoom Your Way to Vulnerability

Zoom is a popular web-meeting application, aimed at corporations, with the primary selling point being how easy it is to join a meeting. Apparently they worked a bit too hard on easy meeting joins, as loading a malicious webpage on a Mac causes an automatic meeting join with the mic and webcam enabled, so long as that machine has previously connected to a Zoom meeting. You would think that uninstalling the Zoom client would be enough to stop the madness, but installing Zoom also installs a local webserver. Astonishingly, uninstalling Zoom doesn’t remove the webserver, and it was designed to perpetually listen for a new Zoom meeting attempt. If that sounds like a Trojan to you, you’re not wrong.

The outcry over Zoom’s official response was enough to inform them of the error of their ways. They have pushed an update that removes the hidden server and adds a user interaction before joining a meeting. Additionally, Apple has pushed an update that removes the hidden server if present, and prompts before joining a Zoom meeting.

Wireless Keyboards Letting You Down

Have you ever typed your password using a wireless keyboard, and wondered if you just broadcast it in the clear to anyone listening? In theory, wireless keyboards and mice use encryption to keep eavesdroppers out, but at least Logitech devices have a number of problems in their encryption scheme.

Part of the problem seems to be Logitech’s “Unifying” wireless system, and the emphasis on compatibility. One receiver can support multiple devices, which is helpful when eliminating cable clutter, but also weakens the encryption scheme. An attacker only has to be able to monitor the radio signals during pairing, or to monitor signals while also observing keypresses. Either way, a few moments of processing, and an attacker has both read and write access to the wireless gear.

Several even more serious problems have been fixed with firmware updates in past years, but [Marcus Mengs], the researcher in question, discovered that newly purchased hardware still doesn’t contain the updated firmware. Worse yet, some of the affected devices don’t have an officially supported firmware update tool.

Maybe wired peripherals are the way to go, after all!

Learning About Wearable Engineering While Trying To Un-Taboo A Topic

When you build a machine you can usually count on having precise dimensions for an organized and orderly set of parts, one fitting into the next exactly as you have designed them. You can count on cause and effect — when the user pushes a button or flips a switch a specific behavior will take place. But the She Bon project shows that adding the human body to the mix quickly turns an easy design into a challenging one.

During her Hackaday Superconference talk Sarah Petkus discusses her latest project that uses wearable technology to sense and react to her own body. She Bon is reminiscent of the French for “so good” and is a project whose aim transcends the technical challenges. Sarah uses engineering as a way to facilitate adults having healthy dialogs with one another about sex.

Depending on your profession, this discussion is likely not appropriate for work — it’s not sexual, but it’s fundamentally about sex — so don’t click through the video without thinking twice. But we respect Sarah’s courage for leading a project that wants to make sure there actually are places where it is possible to have these conversations and a way to get them started.

How Do You Begin an Intelligent Conversation?

Mixing an engineering challenge with a somewhat taboo topic works surprisingly well, as you can see in the video below. It’s a technical talk about sensing body temperature, heart rate, galvanic response, blush response, facial expression, and muscle tension. But it’s also a story of her attempt at creating a Suit of Amour, her tongue-in-cheek “Sexual Gundam”. Don’t be fooled, this is no gimmick. The discussion quickly leads to the real-life challenges facing prosthetics designers and those developing wearable products. There’s a ton to be learned here.

Join me below for more on the hardware covered in Sarah’s talk. This out-of-the-ordinary hardware creation adventure made it a great entry in the 2018 Hackaday Prize and a particularly delightful talk at the 2018 Hackaday Superconference. We’re once again on the hunt for hardware creators to present at the 2019 Hackaday Superconference — and we can’t do it without you. Submit a talk proposal, or just grab a ticket and join us in Pasadena this November. Bonus points for those who have also entered their projects in the 2019 Hackaday Prize. Okay, now onto the hardware talk.


Robotic Dishwashers And Dishwashing As A Service

There’s a story that goes back to the 1980s or so about an engineering professor who laid down a challenge to the students of his automation class: design a robot to perform the most mundane of household tasks — washing the dishes. The students divided up into groups, batted ideas around, and presented their designs. Every group came up with something impressive, all variations on a theme with cameras and sensors and articulated arms to move the plates around. The professor watched the presentations respectfully, and when they were done he got up and said, “Nice work. But didn’t any of you idiots realize you can buy a robot that does dishes for $300 from any Sears in the country?”

The story may be apocryphal, but it’s certainly plausible, and it’s definitely instructive. The cultural impression of robotics as a field has a lot of ballast on it, thanks to decades of training that leads us to believe that robots will always be at least partially anthropomorphic. At first it was science fiction giving us Robbie the Robot and C3PO; now that we’re living in the future, Boston Dynamics and the like are doing their best to give us an updated view of what robots must be.

But all this training to expect bots built in the image of humans or animals only covers a narrow range of use cases, and leaves behind the hundreds or thousands of other applications that could prove just as interesting. One use case that appears to be coming to market hearkens back to that professor’s dishwashing throwdown, and if manufacturers have their way, robotic dishwashers might well be a thing in the near future.


Maker Media Reboots Itself As Make Community

At a community meeting this week, Dale Dougherty, former CEO of Maker Media, announced the relaunch of the Make brand. Maker Media is dead, but the brand may live on as Make Community, LLC. Dougherty will remain the CEO of Make Community, and Todd Sotkicwicz, former CFO of Maker Media, was identified as the current CFO of Make Community. This is the same organization that brought you Make Magazine and the Maker Faires, gearing up to give you even more Make Magazines and more Maker Faires.

Early this year, we heard rumors about the future of Maker Media and its flagship Maker Faires. Then in May, just before the Bay Area Maker Faire, Dougherty told the San Francisco Chronicle that it was ‘quite possible this could be the last Bay Area Maker Faire’. The Bay Area Faire came and went, and early last month we received news that employees were let go and Maker Media had ceased operations.

Now, according to Dougherty’s summary at the meeting, what remained has now been reformed into a new LLC, Make Community, and he was holding this meeting to gauge how much the community would be willing to contribute. The official launch of Make Community will supposedly be next week, but you can check out the future home of the Make Community at make.co.

Ask Hackaday: What Are Your Apollo Memories?

This month will mark the 50th anniversary of the Apollo 11 mission that brought to a successful conclusion the challenge laid down by President Kennedy only eight years earlier. Three men went to the Moon, two walked on it, and they all came back safely, in a dramatic eight-day display of engineering and scientific prowess that was televised live to the world.

If you’ve made more than 50 trips around the sun, chances are good that you have some kind of memories of the first Moon landing. An anniversary like this is a good time to take stock of those memories, especially for something like Apollo, which very likely struck a chord in many of those that witnessed it and launched them on careers in science and engineering. We suspect that a fair number of Hackaday readers are in that group, and so we want to ask you: What are your memories of Apollo?

A Real American Hero

My memory of the Moon landing is admittedly vague. I had just turned five the month before, hadn’t even started kindergarten yet, but I had already caught the space bug in a big way. I lived and breathed the space program, and I knew everything about the Mercury missions that were over by the time I was born, and the Gemini missions that had just wrapped up. Apollo was incredibly exciting to me, and I was pumped to witness the landing in the way that only a five-year-old can be.

Raspberry Pi 4 Benchmarks: Processor And Network Performance Makes It A Real Desktop Contender

The new Raspberry Pi 4 is out, and slowly they’re working their way from Microcenters and Amazon distribution sites to desktops and workbenches around the world. Before you whip out a fancy new USB C cable and plug those Pis in, it’s worthwhile to know what you’re getting into. The newest Raspberry Pi is blazing fast. Not only that, but because of the new System on Chip, it’s now a viable platform for a cheap homebrew NAS, a streaming server, or anything else that requires a massive amount of bandwidth. This is the Pi of the future.

The Raspberry Pi 4 features a BCM2711B0 System on Chip, a quad-core Cortex-A72 processor clocked at up to 1.5GHz, with up to 4GB of RAM (with hints about an upcoming 8GB version). The previous incarnation of the Pi, the Model 3 B+, used a BCM2837B0 SoC, a quad-core Cortex-A53 clocked at 1.4GHz. Compared to the 3 B+, the Pi 4 isn’t using an ‘efficient’ core; we’re deep into ‘performance’ territory with a larger cache. But what do these figures mean in real-world terms? That’s what we’re here to find out.


The Saga Of 32-Bit Linux: Why Going 64-Bit Raises Concerns Over Multilib

The story of Linux so far, as short as it may be in the grand scheme of things, is one of constant forward momentum. There’s always another feature to implement, an optimization to make, and of course, another device to support. With developers’ eyes always on the horizon ahead of them, it should come as no surprise to find that support for older hardware or protocols occasionally falls by the wayside. When maintaining antiquated code monopolizes developer time, or even directly conflicts with new code, a difficult decision needs to be made.

Of course, some decisions are easier to make than others. Back in 2012 when Linus Torvalds officially ended kernel support for legacy 386 processors, he famously closed the commit message with “Good riddance.” Maintaining support for such old hardware had been complicating things behind the scenes for years while offering very little practical benefit, so removing all that legacy code was like taking a weight off the developers’ shoulders.

The rationale was the same a few years ago when distributions like Arch Linux decided to drop support for 32-bit hardware entirely. Maintainers had noticed the drop-off in downloads for the 32-bit versions of their distributions and decided it didn’t make sense to keep producing them. In an era where even budget smartphones are shipping with 64-bit processors, many Linux distributions have at this point decided 32-bit CPUs weren’t worth their time.

Given this trend, you’d think Ubuntu announcing last month that they’d no longer be providing 32-bit versions of packages in their repository would hardly be newsworthy. But as it turns out, the threat of ending 32-bit packages caused the sort of uproar that we don’t traditionally see in the Linux community. But why?
