This Week In Security: HaveIBeenPwned And Facebook Attack Their Customers

We’re fans of haveibeenpwned.com around here, but a weird story came across my proverbial desk this week — [Troy Hunt] wrote a malicious SQL injection into one of their emails! That attack string was a simple ';--

Wait, doesn’t that look familiar? You remember the header on the haveibeenpwned web page? Yeah, it’s ';--have i been pwned?. It’s a clever in-joke about SQL injection that’s part of the company’s brand. An automated announcement was sent out to a company that happened to use the GLPI service desk software. That company, which shall not be named for reasons that are about to become obvious, was running a slightly out-of-date install of GLPI. That email generated an automated support ticket, which started out with the magic collection of symbols. When a tech self-assigned the ticket, the SQL injection bug was triggered, and their entire ticket database was wiped out. The story ends happily, thanks to a good backup, and the company learned a valuable lesson.

Building IoT Devices The Easy Way

Do you have a Raspberry Pi? What is it being used for right now? If you’re like the majority of people who replied to [Michael Hall’s] poll on Twitter, it’s likely yours is sitting on a shelf doing nothing too. So why not just turn it into an IoT device for your home?

[Michael] wrote an easy-to-follow guide focusing on getting the EdgeX Foundry IoT platform running on the Raspberry Pi. It is designed to be a unified multi-platform base for IoT devices hosted by the Linux Foundation, making it easy to control and integrate them into other systems. The framework for this consists of two parts, a Device Service running on your Pi, and the rest of the services running on a desktop or laptop where you’ll be monitoring it.

His guide goes into detail on how to get both parts working on your computer and your Pi, using Docker for ease of installation. As for the IoT device, he uses the built-in PIR sensor example to show how to configure it without having to write any code. You can then monitor the device’s sensors, which you can connect straight to the Pi’s GPIO pins, from your desktop. Since the EdgeX software is designed to run on any flavor of Linux, this should make it easy to repurpose any forgotten single-board computer into the beginnings of a home automation system.

However, if you are confident in your programming skills, you’re probably looking for something slimmer such as the ESP8266 family of microcontrollers to do your bidding. Why not try an energy monitor or a smoke detector project with them?

This Week In Security: Nvidia, Ransomware Retirement, And A TOCTOU Bug In Docker

Nvidia’s GeForce Experience (GFE) is the companion application for the Nvidia drivers, keeping said drivers up to date, as well as adding features around live streaming and media capture. The application runs as two parts, a GUI, and a system service, using an HTTP API to communicate. [David Yesland] from Rhino Security Labs decided to look into this API, searching for interesting, undocumented behavior, and shared the results on Sunday the 2nd.

The first interesting finding was that the service was written in Javascript and run using Node.js. Javascript is a scripting language, not a compiled language — the source code of the service was open for studying. This led to the revelation that API requests would be accepted from any origin, so long as the request included the proper security token. The application includes an update mechanism, which allows an authorized API call to execute an arbitrary system command. So long as the authentication token isn’t leaked to an attacker, this still isn’t a problem, right?

Howto: Docker, Databases, And Dashboards To Deal With Your Data

So you just got something like an Arduino or Raspberry Pi kit with a few sensors. Setting up temperature or motion sensors is easy enough. But what are you going to do with all that data? It’s going to need storage, analysis, and summarization before it’s actually useful to anyone. You need a dashboard!

But even before displaying the data, you’re going to need to store it somewhere, and that means a database. You could just send all of your data off into the cloud and hope that the company that provides you the service has a good business model behind it, but frankly the track records of even the companies with the deepest pockets and best intentions don’t look so good. And you won’t learn anything useful by taking the easiest way out anyway.

Instead, let’s take the second-easiest way out. Here’s a short tutorial to get you up and running with a database backend on a Raspberry Pi and a slick dashboard on your laptop or cellphone. We’ll be using scripts and Docker to automate as many things as possible. Even so, along the way you’ll learn a little bit about Python and Docker, but more importantly you’ll have a system of your own for expansion, customization, or simply experimenting with at home. After all, if the “cloud” won’t let you play around with their database, how much fun can it be, really?


Web Development: What’s Big In 2019?

I try to keep up with web development trends but it’s hard to keep pace since it’s such a fast evolving field. Barely a week goes by without the release of a new JS framework, elaborate build tool or testing suite — all of them touted as the one to learn. Sorting the hype from the genuinely useful is no mean feat, so my aim in this article is to summarise some of the most interesting happenings that web development saw in the last year, and what trends we expect to see more of in 2019.

A technology or framework doesn’t have to be brand new to be on our list here, it just needs to be growing rapidly or evolving in an interesting way. Let’s take a look!


This Bitcoin Price Tracking Traffic Light Isn’t Just A Red LED

Quick, what’s the price of Bitcoin? Is it lower today than yesterday? Are you overdrafting your Lamborghini account? What if you had an easy way to tell at a glance how much you could have made if you sold in December of last year? That’s what this Bitcoin price tracking traffic light is all about, and it’s a great use of existing electronics.

The hardware for this build is a traffic light table lamp available on Amazon for twenty bucks. Inside this traffic light, you get a PCB with three LEDs and a small microcontroller to control the LEDs. The microcontroller isn’t used in this case; instead, it is removed and a few wires are soldered to the bases of the transistors that drive the LEDs. The other ends of these wires are attached to a trio of pins on a Raspberry Pi Zero W, giving this traffic light table lamp Linux and a connection to the Internet.

On the software side of things, we’re looking at a Docker container running a Python script that fetches the latest Bitcoin price from Coindesk and calculates the change from the previous fetch of the price of Bitcoin. This data is shuffled off to another Python script that actually changes the LEDs on the lamp.

Sure, these days a ‘bitcoin price tracking traffic light’ is as simple as connecting a red LED to a battery, and if you’re feeling extra fancy you can add a 220 Ω resistor. But this is a project that’s so well executed that we’ve got to give it a tip ‘o our hat.

Intro To Docker: Why And How To Use Containers On Any System

If you have your ear even slightly to the ground of the software community, you’ll have heard of Docker. Having recently enjoyed a tremendous rise in popularity, it continues to attract users at a rapid pace, including many global firms whose infrastructure depends on it. Part of Docker’s rise to fame can be attributed to its users becoming instant fans with evangelical tendencies.

But what’s behind the popularity, and how does it work? Let’s go through a conceptual introduction and then explore Docker with a bit of hands-on playing around.
