This Week In Security: Invalid Curve Attacks, OpenSSH Shielded, And More Details On Coinbase

AMD Epyc processors support Secure Encrypted Virtualization (SEV), a technique that prevents even a hypervisor reading memory belonging to a virtual machine. To pull this off, the encryption and decryption is handled on the fly by the Platform Security Processor (PSP), which is an ARM core that handles processor start-up and many security features of modern AMD processors. The vulnerability announced this week is related to the encryption scheme used. The full vulnerability is math heavy, and really grokking it requires a deeper understanding of elliptical curve cryptography (ECC) than your humble author currently possesses.

During the process of starting a virtual machine, the VM process goes through a key-sharing process with the PSP, using an ECC Diffie-Hellman key exchange. Rather than raising prime numbers to prime exponents, an ECC-DH process bounces around inside an elliptical curve in order to find a shared secret. One of the harder problems to solve when designing an ECC based cryptographic system, is the design of the curve itself. One solution to this problem is to use a published curve that is known to be good. AMD has taken this route in their SEV feature.

The attack is to prime the key exchange with invalid data, and observing the shared key that is generated. A suitably simple initial value will leak information about the PSP’s secret key, allowing an attacker to eventually deduce that key and decrypt the protected memory. If you’d like to bone up on invalid curve attacks, here’s the seminal paper. (PDF)

OpenSSH Shielding

[Damien Miller] of OpenSSH was apparently tired of seeing that project tied to vulnerabilities like Rambleed and Rowhammer, so added a technique he’s calling key-shielding. OpenSSH now encrypts private keys in memory using a 16 kB pre-key. While an attacker with full knowledge of the process’s memory wouldn’t be deterred, the error rate of Rambleed and similar attacks is high enough that the 16 kB of randomness is likely to thwart the attempt to recover the secret key.

Firefox and Coinbase

We mentioned Firefox vulnerabilities and updates last week, and as anticipated, more information is available. [Philip Martin] from Coinbase shared more information on Twitter. Coinbase employees, as well as other cryptocurrency companies, were targeted with fishing emails. These lured employees to a malicious page that attempted to exploit a pair of Firefox vulnerabilities. Coinbase has a security system in place that was able to prevent the exploit, and their security team was able to reverse engineer the attack.

The first vulnerability has been dissected in some detail by a Google security researcher. It’s a weakness in Firefox’s Javascript engine related to type handling. An object is created with one data type, and when that data is changed to another type, not all the data handlers are appropriately updated. Under the hood, a value is assumed to be a pointer, but is actually a double-length value, controlled by the attacker.

The second vulnerability is in the functions used to prompt for user interaction. Specifically the call to “Prompt:Open” isn’t properly validated, and can result in the un-sandboxed Firefox process loading an arbitrary web location. I suspect the sandbox escape is used to run the initial exploit a second time, but this time it’s running outside the sandbox.

Odds and Ends

[Tom] wrote a great intro into how to Impersonate The President With Consumer-Grade SDR, go check it out!

Another city, more ransomware. Riviera Beach, Florida was hit with a ransomware attack, and paid $600,000 in an attempt to get their data back. For a city of 35,000 inhabitants, that’s $17.14 in ransom per man, woman, and child. According to the linked article, though, the city was insured.

A Physical Knob For Browser Tabs

If you’re like most of us, you have about twenty browser tabs open right now. What if there were a way to move through those tabs with a physical interface? That’s what [Zoe] did, and it’s happening with the best laptop ever made.

The hardware for this build is simply an Arduino and a rotary encoder, no problem there. The firmware on the Arduino simply reads the encoder and sends a bit or two of data over the serial port. This build gets interesting when you connect it to a Firefox extension that allows you to get data from a USB or serial port, and there’s a nice API to access tabs. Put all of this together, and you have a knob that will scroll through all your open tabs.

This build gets really good when you consider there’s also a 3D printed mount, meant to attach to a Thinkpad X220, the greatest laptop ever made. At the flick of a knob, you can scroll through all your tabs. It’s handy if you’re reading three or four or five documents simultaneously, or if you’re just editing video and trying to go through your notes at the same time. A great invention, and we’re waiting for this to become a standard device on keyboards and mice. Check out the video below.

Continue reading “A Physical Knob For Browser Tabs”

Firefox Reality, A Browser For VR Devices

The browser you are reading this page in will be an exceptionally powerful piece of software, with features and APIs undreamed of by the developers of its early-1990s ancestors such as NCSA Mosaic. For all that though, it will very probably be visually a descendant of those early browsers, a window for displaying two-dimensional web pages.

Some of this may be about to change, as in recognition of the place virtual reality devices are making for themselves, Mozilla have released Firefox Reality, in their words “a new web browser designed from the ground up for stand-alone virtual and augmented reality headset“. For now it will run on Daydream and GearVR devices as a developer preview, but the intended target for the software is a future generation of hardware that has yet to be released.

Readers with long memories may remember some of the hype surrounding VR in browsers back in the 1990s, when crystal-ball-gazers who’d read about VRML would hail it as the Next Big Thing without pausing to think about whether the devices to back it up were on the market. It could be that this time the hardware will match the expectation, and maybe one day you’ll be walking around the Hackaday WrencherSpace rather than reading this in a browser. See you there!

They’ve released a video preview that disappointingly consists of a 2D browser window in a VR environment. But it’s a start.

Continue reading “Firefox Reality, A Browser For VR Devices”

Messing Around With Naenara, North Korea’s Web Browser

[Robert] has been snooping around Naenara in order to learn more about how North Korea’s intranet might work. Naenara is the web browser that comes bundled with North Korea’s official Linux-based operating system known as Red Star OS. [Robert] once saw a screenshot of the browser and found it interesting that the browser seemed to automatically load a non-routable IP address immediately upon start-up. This made him curious about what other oddities one might uncover from the software.

Upon start-up, the browser tries to load a page located at IP address 10.76.1.11, which is a reserved IP address for private use. This indicated that North Korea’s “Internet” is actually more of in intranet. [Robert] suspects that the entire country may be running in private address space, similar to how your home or business likely runs.

[Robert’s] next thoughts were that the browser looks like a very old version of Mozilla Firefox, but with some default configuration changes. For one, all crashes are automatically transmitted to “the mothership”, as [Robert] calls it. He suspects this is to fix not only bugs, but also to find and repair any security vulnerabilities that may allow users more control.

There are some other interesting changes as well, such as the supported security certificates. The Naenara browser only accepts certificates issued by the DPRK, which would make it very easy for them to snoop on encrypted HTTPS traffic. there is also evidence suggesting that all traffic for the entire country is routed through a single government controlled proxy server.

None of these findings are all that surprising, but it’s still interesting to see what kind of information can be gleamed from poking around the browser and operating system. [Robert] has found more than just these few findings. You can check out the rest of his findings on his blog.

[via Reddit]

Advanced Transcend WiFi SD Hacking: Custom Kernels, X, And Firefox

[Dmitry] read about hacking the Transcend WiFi cards, and decided to give it a try himself.   We already covered [Pablo’s] work with the Transcend card. [Dmitry] took a different enough approach to warrant a second look.

Rather than work from the web interface and user scripts down, [Dmitry] decided to start from Transcend’s GPL package and work his way up. Unfortunately, he found that the package was woefully incomplete – putting the card firmly into the “violates GPL” category. Undaunted, [Dmitry] fired off some emails to the support staff and soldiered on.

It turns out the card uses u-boot to expand the kernel and basic file system into a ramdisk. Unfortunately the size is limited to 3MB. The limit is hard-coded into u-boot, the sources of which transcend didn’t include in the GPL package.

[Dmitry] was able to create his own binary image within the 3MB limit and load it on the card. He discovered a few very interesting (and scary) things. The flash file system must be formatted FAT32, or the controller will become very upset. The 16 (or 32)GB of flash is also mounted read/write to TWO operating systems. Linux on the SD card, and whatever host system the card happens to be plugged in to. This is dangerous to say the least. Any write to the flash could cause a collision leading to lost data – or even a completely corrupt file system. Continue reading “Advanced Transcend WiFi SD Hacking: Custom Kernels, X, And Firefox”

Hacking Facebook To Remove The Social Value Facade

We see [Ben Grosser’s] point that all the metrics found on the Facebook user interface make the experience somewhat of a game to see if you can better your high score. He thinks this detracts from the mission of having social interactions that themselves have a value. So he set out to remove the ‘scores’ from all Facebook pages with a project he calls the Facebook Demetricator.

You can see two UI blocks above. The upper offering is what a normal user will see. The lower is the page seen through the lens of the Demetricator. [Ben’s] feels it doesn’t matter how many people like something or share something, but only that you are genuinely interested in it. With the numbers removed you’re unlikely to follow the herd mentality of only clicking through to things that are liked by a huge number of people. He explains this himself in the clip after the break.

The Demetricator works much like the Reddit Enhancement Suite. It’s a browser add-on for Chrome, Firefox, and Safari that selectively strips out the metrics as the page renders.

Hacking Hack A Day With Greasemonkey

had-script

Ever since Hack a Day first emerged on the scene in 2004, the site’s design has been pretty consistent. The black background with its green and white text, while a bit dubious looking at work, is fine by me. For others however, the site’s design is a constant eyesore both figuratively and literally. [James Litton] is one of those readers, and he wrote in to share a tip that helps him read up on the latest hacks without killing his eyes.

[James] uses Firefox to browse the web, so he whipped up a small Greasemonkey script that tweaks Hack a Day’s style sheet once it reaches his browser. His script inverts the background while changing a few other items, making for a much more comfortable read. Overall we found the change to be pretty reasonable, but go ahead and judge for yourself – you can see the before and after screen shots in greater detail on his site.

[James] also points out that the script should work just fine in Chrome, for those of you who prefer that browser instead.

So if your eyes are a bit on the sensitive side, feel free to grab his script and customize away – I don’t think we’ll be changing the theme any time soon.