This Week In Security: Drama At The C-Level, Escape Injection, And Audits

There was something of a mystery this week, with the root DNS server falling out of sync with it’s 12 siblings. That’s odd in itself, as these are the 13 servers that keep DNS working for the whole Internet. And yes, that’s a bit of a simplification, it’s not a single server for any of the 13 entities — the C “server” is actually 12 different machines. The intent is for all those hundreds of servers around the world to serve the same DNS information, but over several days this week, the “C” servers just stopped pulling updates.

The most amusing/worrying part of this story is how long it took for the problem to be discovered and addressed. One researcher cracked a ha-ha-only-serious sort of joke, that he had reported the problem to Cogent, the owners of the “C” servers, but they didn’t “seem to understand that they manage a root server”. The problem first started on Saturday, and wasn’t noticed til Tuesday, when the servers were behind by three days. Updates started trickling late Tuesday or early Wednesday, and by the end of Wednesday, the servers were back in sync.

Cogent gave a statement that an “unrelated routing policy change” both affected the zone updates, and the system that should have alerted them to the problem. It seems there might room for an independent organization, monitoring some of this critical Internet Infrastructure.

Continue reading “This Week In Security: Drama At The C-Level, Escape Injection, And Audits”

Mailblocks Makes Your Phone Work More Like The Post, Kinda?

Phones can be distracting, with notifications popping up all the time to snare our attention and maybe even ruin our lives. [Guy Dupont] wishes to be no slave to the machine, and thus built a solution. Enter Mailblocks.

The concept is simple. It’s a physical mailbox which [Guy] can put his phone in. All notifications on the phone are blocked unless he puts his phone into the box. When the phone is inside and the box is closed, the little red flag goes up, indicating “DOPAMINE” is available, and [Guy] can check his notifications.

To achieve this, [Guy] is running a custom DNS server. It redirects all the lookups for push notifications on Android so they go nowhere. Placing the phone in the mailbox turns the re-directions off, so the phone can contact the usual servers and get its notifications as normal.

It’s a novel way of fighting against the constant attention suck of modern smartphones. Rather than being bombarded by notifications in real time, [Guy] instead has to take a significant intentional physical action to check the notifications. It cuts the willpower required and the interruptions to his work in a fell swoop.

We’ve featured [Guy’s] innovative and outside-the-box projects before, too. His smart pants were an absolute tour de force, I might add.

Continue reading “Mailblocks Makes Your Phone Work More Like The Post, Kinda?”

This Week In Security: Traingate, DNS, And JMP Slides

Remember Dieselgate, the scandal where certain diesel vehicles would detect an emissions test, and run cleaner for it, “cheating” the test? Traingate may just put that one into perspective. We’ll tell the story from the beginning, but buckle up for a wild and astonishing ride. It all starts with Polish trains getting a maintenance overhaul. These trains were built by Newag, who bid on the maintenance contract, but the contract was won by another company, SPS. This sort of overhaul involves breaking each train into its components, inspecting, lubricating, etc, and putting it all back together again. The first train went through this process, was fully reassembled, and then refused to move. After exhausting all of the conventional troubleshooting measures, SPS brought in the hackers.
Continue reading “This Week In Security: Traingate, DNS, And JMP Slides”

This Week In Security: LogoFail, National DNS Poison, And DNA

When there’s a vulnerability in a system library, we install updates, and go on with our lives. When there’s a vulnerability in a Java library, jars get rebuilt, and fixed builds slowly roll out. But what happens when there’s a vulnerability in a library used in firmware builds? And to make it even more fun, it’s not just a single vulnerability. All three major firmware vendors have problems when processing malicious images. And LogoFail isn’t limited to x86, either. UEFI Arm devices are vulnerable, too.
Continue reading “This Week In Security: LogoFail, National DNS Poison, And DNA”

Going To Extremes To Block YouTube Ads

Many users of YouTube feel that the quality of the service has been decreasing in recent years — the platform offers up bizarre recommendations, fails to provide relevant search results, and continues to shove an increasing amount of ads into the videos themselves. For shareholders of Google’s parent company, though, this is a feature and not a bug; and since shareholder opinion is valued much more highly than user opinion, the user experience will likely continue to decline. But if you’re willing to put a bit of effort in you can stop a large chunk of YouTube ads from making it to your own computers and smartphones.

[Eric] is setting up this adblocking system on his entire network, so running something like Pi-hole on a single-board computer wouldn’t have the performance needed. Instead, he’s installing the pfSense router software on a mini PC. To start, [Eric] sets up a pretty effective generic adblocker in pfSense to replace his Pi-hole, which does an excellent job, but YouTube is a different beast when it comes to serving ads especially on Android and iOS apps. One initial attempt to at least reduce ads was to subtly send YouTube traffic through a VPN to a country with fewer ads, in this case Italy, but this solution didn’t pan out long-term.

A few other false starts later, all of which are documented in detail by [Eric] for those following along, and eventually he settled on a solution which is effectively a man-in-the-middle attack between any device on his network and the Google ad servers. His router is still not powerful enough to decode this information on the fly but his trick to get around that is to effectively corrupt the incoming advertising data with a few bad bytes so they aren’t able to be displayed on any devices on the network. It’s an effective and unique solution, and one that Google hopefully won’t be able to patch anytime soon. There are some other ways to improve the miserable stock YouTube experience that we have seen as well, like bringing back the dislike button.

Thanks to [Jack] for the tip!

This Week In Security: WinRAR, DNS Disco, And No Silver Bullets

So what does WinRAR, day trading, and Visual Basic have in common? If you guessed “elaborate malware campaign aimed at investment brokers”, then you win the Internet for the day. This work comes from Group-IB, another cybersecurity company with a research team. They were researching a malware known as DarkMe, and found an attack on WinRAR being used in the wild, using malicious ZIP files being spread on a series of web forums for traders.

Among the interesting tidbits of the story, apparently at least one of those forums locked down the users spreading the malicious files, and they promptly broke into the forum’s back-end and unlocked their accounts. The vulnerability itself is interesting, too. A rigged zip file is created with identically named image file and folder containing a script. The user tries to open the image, but because the zip is malformed, the WinRAR function gets confused and opens the script instead.

Based on a user’s story from one of those forums, it appears that the end goal was to break into the brokers’ trading accounts, and funnel money into attacker accounts. The one documented case only lost $2 worth of dogecoin.

There was one more vulnerability found in WinRAR, an issue when processing malicious recovery volumes. This can lead to code execution due to a memory access error. Both issues were fixed with release 6.23, so if you still have a WinRAR install kicking around, make sure it’s up to date! Continue reading “This Week In Security: WinRAR, DNS Disco, And No Silver Bullets”

Punycodes Explained

When you’re restricted to ASCII, how can you represent more complex things like emojis or non-Latin characters? One answer is Punycode, which is a way to represent Unicode characters in ASCII. However, while you could technically encode the raw bits of Unicode into characters, like Base64, there’s a snag. The Domain Name System (DNS) generally requires that hostnames are case-insensitive, so whether you type in,, or just, it all goes to the same place.

[A. Costello] at the University of California, Berkley proposed the idea of Punycode in RFC 3492 in March 2003. It outlines a simple algorithm where all regular ASCII characters are pulled out and stuck on one side with a separator in between, in this case, a hyphen. Then the Unicode characters are encoded and stuck on the end of the string.

First, the numeric codepoint and position in the string are multiplied together. Then the number is encoded as a Base-36 (a-z and 0-9) variable-length integer. For example, a greeting and the Greek for thanks, “Hey, ευχαριστώ” becomes “Hey, -mxahn5algcq2″. Similarly, the beautiful city of München becomes mnchen-3ya. Continue reading “Punycodes Explained”