Copy And Paste Deemed Insecure

Back when Windows NT was king, Microsoft was able to claim that it met the strict “Orange Book” C2 security certification. The catch? Don’t install networking, and remove the floppy drives. It turns out that most of the things you want to do with your computer are the very things that pose a security risk. Even copy and paste.

[Michal Benkowki] has a good summary of his research which boils down to the following attack scenario:

  1. Visit a malicious site.
  2. Copy something to the clipboard which allows the site to put in a dangerous payload.
  3. Visit another site with a browser-based visual editor (e.g., Gmail or WordPress).
  4. Paste the clipboard into the editor.


Mitigating Con Deprivation: Disobey 2020

While the Coronavirus-induced lockdown surely makes life easier for the socially anxious and awkward ones among us, it also takes away the one thing that provides a feeling of belonging and home: conferences. Luckily, there are plenty of videos of past events available online, helping to bridge the time until we can mingle among like-minded folks again. To put one additional option on the list: one event you have probably never even heard of is Disobey, Finland’s annual security conference, which took place for the fifth time in Helsinki earlier this year. The organizers recently published the playlist of this year’s talks on their YouTube channel.

With slightly under 1500 hackers, makers, and generally curious people attending this year, Disobey is still on the smaller side of conferences, but comes with everything you’d expect: talks, workshops, CTF challenges, and a puzzle-ridden badge. Labeling itself as “The Nordic Security Event”, its main focus is indeed on computer and network security, and most of the talks are presented by professional security researchers, oftentimes Red Teamers, telling about some of their real-world work.

In general, every talk that teaches something new, discusses important matters, or simply provides food for thought and new insight is worth watching, but we don’t want to give everything away here either. The conference’s program page offers an outline of all the talks if you want to check out more information up front. Still, we can’t just mention a random conference without giving at least a few examples of what to expect from it, so let’s do that.


The United States Air Force Would Like You To Hack Into Their Satellite

The Air Force is again holding its annual “Space Security Challenge” where they invite you to hack into a satellite to test their cybersecurity measures. There are actually two events. In the first one, $150,000 is up for grabs in ten prizes and the final event offers a $100,000 purse divided among the three top participants (first place takes $50,000).

Before you get too excited, you or your team first has to qualify online. The qualification event runs over two days starting May 22 and is set up a bit like the TV show Jeopardy: there is a board with categories, and when a team solves a challenge in a category it receives a flag that is worth points and unlocks the next challenge. Once a challenge is unlocked, however, any team could potentially work on it. There are more rules, but that’s the gist of it. At the end of the event, the judges will contact the top 10 teams, each of which will then have to submit a technical paper.


Hackaday Links: August 11, 2019

By the time this goes to press, DEFCON 27 will pretty much be history. But badgelife continues, and it’d be nice to have a way of keeping track of all the badges offered. Martin Lebel stepped up to the challenge with a DEF CON 27 badgelife tracker. He’s been tracking the scene since March, and there are currently more than 170 badges, tokens, and shitty add-ons listed. Gotta catch ’em all!

Nice tease, Reuters. We spotted this story about the FAA signing off on beyond-visual-line-of-sight, or BVLOS, operation of a UAV. The article was accompanied by the familiar smiling Amazon logo, leading readers to believe that fleets of Amazon Prime Air drones would surely soon darken the skies with cargoes of Huggies and Tide Pods across the US. It turns out that the test reported was conducted by the University of Alaska Fairbanks along an oil pipeline in the Last Frontier state, and was intended to explore medical deliveries and pipeline surveillance for the oil industry. The only mention of Amazon was that the company reported they’d start drone deliveries in the US “in months.” Yep.

Ever wonder what it takes to get your widget into the market? Between all the testing and compliance requirements, it can be a real chore. Nathaniel tipped us off to a handy guide written by his friend Skippy that goes through the alphabet soup of agencies and regulations needed to get a product to market – CE, RoHS, WEEE, LVD, RED, CE for EMC. Take care of all that paperwork and you’ll eventually get a DoC and be A-OK.

A French daredevil inventor made the first crossing of the English Channel on a hoverboard on Sunday. Yes, we know it’s not an “actual” hoverboard, but it’s as close as we’re going to get with the physics we have access to right now, and being a stand-upon jet engine powered by a backpack full of fuel, it qualifies as pretty awesome. The report says it took him a mere 20 minutes to make the 22-mile (35-km) crossing.


We had a grand time last week around the Hackaday writing crew’s secret underground lair with this delightful Hackaday-Dilbert mashup-inator. Scroll down to the second item on the page and you’ll see what appears to be a standard three-panel Dilbert strip; closer inspection reveals that the text has been replaced by random phrases scraped from a single Hackaday article. It looks just like a Dilbert strip, and sometimes the text even makes sense with what’s going on in the art. We’d love to see the code behind this little gem. The strip updates at each page load, so have fun.

And of course, the aforementioned secret headquarters is exactly what you’d picture – a dark room with rows of monitors scrolling green text, each with a black hoodie-wearing writer furiously documenting the black arts of hacking. OpenIDEO, the “open innovation practice” of global design company IDEO, has issued a challenge to “reimagine a more compelling and relatable visual language for cybersecurity.” In other words, no more scrolling random code and no more hoodies. Do you have kinder, gentler visual metaphors for cybersecurity? You might win some pretty decent prizes for your effort to “represent different terms and ideas in the cybersecurity space in an accessible and compelling way.”

Microphones Listen To Your… Monitor?

Rockwell’s song “Somebody’s Watching Me” might be the anthem of the tin foil hat crowd. But a new paper reveals that it might be just as scary to have someone listening to you. Researchers have used common microphones to listen in on computer monitors. The demonstration includes analyzing audio to determine input from virtual keyboards and even a way to tell whether people are surfing the web during a Google Hangout session.

Reading monitors based on electronic emissions is nothing new — ask Wim van Eck or read about TEMPEST. What makes this worrisome is that we constantly have live microphones around our computers: webcams, phones, the latest smart assistant. Even some screens have built-in microphones. According to the paper, you could even pick up data from recorded audio. The paper has three main goals: extracting text displayed on screen, distinguishing between different websites on screen, and extracting text entered with a virtual keyboard.

The analysis looked at 31 different screens. There were 12 distinct models from 6 different vendors. They did use a special VGA cable to tap the vertical sync to help manage the data, but they claim this was only an aid and not essential. They also used a high-end sound setup with a 192 kHz sampling rate.

The relationship between display patterns and the sound they produce was established empirically. The authors think the mechanism is subtle changes in the vibrations of the power supply components caused by changes in current consumption. The refresh rate of the monitor also plays a part.

Armed with the proof of concept, the team went on to demonstrate the attack with an LG V20 cellphone over a Hangouts call. Imagine if the person on the other end of your call could tell when you were reading Hackaday instead of paying attention to the call.

Each type of monitor has to be learned separately for best accuracy, and reading small text appears to be a problem, too. Even website detection depends on training. Still, maybe the tin hat people aren’t exactly wrong.

If you want to try your hand at reading the RF emissions, software defined radio is your friend. We’ll be interested to see if anyone duplicates the acoustic method in this paper, though.

Office Depot And OfficeMax Find Malware That Isn’t There

Sometimes, while rebuilding a RAID array or replacing a BIOS chip, we wonder how ordinary people keep their computers running. Then we realize that most of them come to someone like us for help. But what if you don’t have a family member or friend who is computer savvy? No problem! Plenty of stores — including big box office stores such as Office Depot and OfficeMax — will be glad to help you. Why, most of them will even test your computer for free. Sounds nice, until you find out that at least in some cases these tests reported problems that didn’t need fixing so users would pay for services they didn’t need. The Federal Trade Commission (FTC) has fined Office Depot (which owns OfficeMax) $25 million and plans to use the funds to issue refunds. In addition, a vendor, Support.com, will pay $10 million to support the refunds.

The free check used software to detect problems on a PC. During the scan, however, the user was asked whether their computer had any of several symptoms, for example whether the PC had become slow or frequently rebooted. If you said yes to any of these questions, the software would produce a report claiming to have found evidence of malware and offering fixes that could cost significant amounts of money, even if there was no other evidence.


Would You Like To Play A Game? WOPR Summit Is This Weekend

During the summer months it might be known as “America’s Playground”, but around this time of year, Atlantic City is generally the destination of choice for busloads of seniors looking to burn up some of that fixed income. Of course, that was before the WOPR Summit came to town. From March 1st to the 3rd, it promises to transform Bally’s Hotel and Casino on the famous Atlantic City Boardwalk into a high-tech oasis in a sea of oxygen tanks and walkers. There might not be any fun in the sun to be had at this time of year, but a full schedule of talks and workshops covering everything from penetration testing to ham radio is more our speed anyway.

There’s still a couple days to register for WOPR online at a discount, but naturally they’ll be happy to take your money at the door if you miss the cutoff. As of this writing, there’s even still rooms left at Bally’s for the special WOPR rate, which you’ll probably want to take advantage of as the schedule has events running until well past our normal bedtime.

WOPR looks like it will be a nice mix between hardware and software, with a generous sprinkling of InfoSec. Presentations such as “Strategies for your projects: Concept to Prototype” and “Being Q. — Designing Hacking Gadgets” sound like classic Hackaday fare. But even if you aren’t normally into the security scene, talks such as “Ham Hacks: Breaking into Software Defined Radio” and “An Introduction to IoT Penetration Testing” seem like they’ll be an excellent way to cross the divide. In between the talks, they promise to have a hackerspace up and running for you to check out, complete with soldering classes and contests.

It’s not often that you get to witness the birth of a new hacking conference, especially one on the East Coast, so Hackaday will be shaking off the last bits of our long winter’s nap as I catch the next bus out of the Senior Center headed towards the Boardwalk. Track me down and you might even be able to take some of our Jolly Wrencher stickers home along with your slot machine winnings. But even if you can’t make it to America’s rather chilly and blustery playground this weekend, I’ll be sure to report on all the highlights so you can live vicariously through the comforting flicker of your favorite screen.