Cracking A GBA Game With NSA Tools

[Wrongbaud] is a huge fan of Japanese kaiju-style movies, including Godzilla and King Kong. In honor of the release of a new movie, he has decided to tackle a few projects to see how both of these monsters can hold their own against other legendary monsters. In this project, he is using Ghidra, named after another legendary kaiju, against the password system of the Game Boy Advance game Kong: King of Atlantis.

Since this project is a how-to, [wrongbaud] shows how to search Ghidra for existing scripts that might already have the functionality needed for GBA analysis and emulation. When not, he also illustrates how to write scripts to automate code analysis, and then moves on to cracking the level password system on the game.

The key to finding the passwords on this game was looking for values in the code that were seven characters long, and after some searching [wrongbaud] is finally able to zero in on the code responsible for handling passwords. Once found a brute force method was automated to find viable passwords, and from there the game was officially pwned. For anyone interested in security, reverse engineering, or just the way that binaries work, it’s quite the detailed breakdown. Of course, it’s not the only example we have seen that uses this software tool to extract passwords.

Removing Supervisor Passwords And Learning Python

When learning a new programming language, it’s best to have a goal in mind and work towards it. [Timo] thought it was about time to learn python, and he also had a project in mind: removing the BIOS supervisor password from his old Thinkpad. From there it was just a few keystrokes (and some soldering) and he was able to change the BIOS password of this black box from the outside.

The build utilizes a BeagleBone to communicate with the laptop’s EEPROM via the I2C bus. An oscilloscope also monitors the bus to look for a specific window every four-seconds when the computer is not accessing the bus. During that short period, the EEPROM can be read and written to. Once the window opens, the BeagleBone executes the Python script, which attempts to read the EEPROM and can also perform actions such as removing or changing the BIOS supervisor password.

Of course, tinkering with the EEPROM on a laptop has a high risk of bricking the device, and not all laptops use the same security measures or even memory addresses for things like this, so documentation and precision are key. Also, with Thinkpads of this vintage it’s possible to replace the firmware on these chips entirely with a FOSS version called libreboot, and even though the process is difficult, it’s definitely recommended.

Continue reading “Removing Supervisor Passwords And Learning Python”

Better Security, Harry Potter Style

We all know we shouldn’t use 1234 as our password. But we often don’t do the absolute best practice when it comes to passwords. After all, you should have some obscure strange password that is unique for every site. But we all have lots of passwords, so most of us use $pock2020 or something like that. If you know I’m a Star Trek fan, that wouldn’t be super hard to guess. [Phani] writes about a technique called Horcruxing — a term taken from the literary realm of Harry Potter that allowed Voldemort to preserve life by splitting it into multiple parts, all of which were required to bring an end to his villany. [Phani’s] process promises to offer better security than using a single password, without the problems associated with having hundreds of random passwords.

Most people these days use some form of password manager. That’s great because the manager can create 48 character passwords of random words or symbols and even you don’t know the password. Of course, you do know the master password or, at least, you better. So if anyone ever compromised that password, they’d have all your passwords at their fingers. Horcruxing makes sure that the password manager doesn’t know the entire password, just the hard parts of it.

Continue reading “Better Security, Harry Potter Style”

$100k To Crack A Bitcoin Wallet

When Bitcoin peaked a few years ago, with single coins reaching around $18,000 USD, heartbreaking stories began circulating about people who had tens or hundreds of coins they mined in the early days when coins were worth just a few dollars or cents. Since then, they owners of these coins had lost the private key, or simply thrown away the drive or computer the coins were on. It’s next to impossible to recover this key in most situations, but for the right amount of money it can sometimes be done.

About 20 years ago, [Mike] was working as a cryptography expert and developed a number of interesting algorithms for breaking various forms of encryption, one of which involved .zip files with poor entropy. A Bitcoin owner stumbled across the paper that [Mike] wrote and realized that it could be a method for recovering his lost key from 2016. [Mike] said it would take a GPU farm and $100,000 USD, but when the owner paid the seemingly enormous price [Mike] was able to recover around $300,000 worth of Bitcoin.

While this might not be financially feasible for you if you have a USB stick with a single coin on it you mined as a curiosity in 2010, the cryptography that is discussed in the blog entry is the real story here. We never know where the solutions to our problems are going to come from, like a random .zip file exploitation from two decades ago, but we can be sure that in the future it will be much easier to crack these keys.

Thanks to [Darmstatium] for the tip!

Password Keeper Uses Off-The-Shelf Formfactor

With every website these days demanding the creation of an account, it can become difficult to remember so many logins. Each password should ideally be unique, lest a leak from your fantasy football game cost you thousands in stolen bitcoins. To help, [vcch] developed a password vault, using an interesting off-the-shelf platform.

The platform in question is the M5stickC, which packs an ESP32, color LCD, and battery into an attractive orange enclosure. It’s even got USB-C, making it a tool with an eye on the future. It serves as a quick way to get a basic IOT project up and running, without having to fuss about designing your own enclosure or basic power supply hardware.

On this platform, [vcch] created a tool to make keeping track of passwords easy. The PassStrong, as it’s called, can store a huge number of passwords, and communicates with the host PC over Bluetooth. The interface makes good use of the LCD, displaying the current mode and function of each button on the device for the user. It’s capable of working in both QWERTY and AZERTY environments, which should appeal to European users.

The M5StickC is a perfect choice in this regard, packing enough buttons and the required Bluetooth hardware to get the job done. No need to spend any time integrating modules – simply open the box and get to coding. We expect to see more developments in this space in future, and look forward to the efficiency gains this will bring to all kinds of projects!

USB Password Keeper Runs On Tiny Chip

The most important rule of password use, especially when used for online logins, is to avoid reusing passwords. From there, one’s method of keeping track of multiple passwords can vary considerably. While memorization is an option in theory, in practice a lot of people make use of a password manager like Lastpass or KeePass. For those with increased security concerns, though, you may want to implement a USB password keeper like this one based on an ATtiny.

This password keeper, called “snopf”, is a USB device with an ATtiny85 which adds a layer of separation to password keeping that increases security substantially. Passwords are created by the USB device itself using a 128-bit key to generate the passwords, which are physically detached from the computer. Password requests are made by the computer to the USB device, but the user must push a button on the snopf in order to send the password to the computer. It does this by emulating a keyboard, keeping the password information off of the computer’s clipboard.

Of course, snopf isn’t perfectly secure, and the project’s creator [Hajo] goes into detail on the project’s page about some of the potential vulnerabilities. For most use cases, though, none of these are of serious concern. Upgrading your password keeper to a physical device is likely to be a huge security improvement regardless, and one was actually developed on Hackaday a few years ago.

This Week In Security: Facebook Hacked Your Email, Cyber On The Power Grid, And A Nasty Zero-day

Ah, Facebook. Only you could mess up email verification this badly, and still get a million people to hand over their email address passwords. Yes, you read that right, Facebook’s email verification scheme was to ask users for their email address and email account password. During the verification, Facebook automatically downloaded the account’s contact list, with no warning and no way to opt out.

The amount of terrible here is mind-boggling, but perhaps we need a new security rule-of-thumb for these kind of situations. Don’t ever give an online service the password to a different service. In order to make use of a password in this case, it’s necessary to handle it in plain-text. It’s not certain how long Facebook stored these passwords, but they also recently disclosed that they have been storing millions of Facebook and Instagram passwords in plain-text internally.

This isn’t the first time Facebook has been called out for serious privacy shenanigans, either: In early 2018 it was revealed that the Facebook Android app had been uploading phone call records without informing users. Mark Zuckerberg has recently outlined his plan to give Facebook a new focus on privacy. Time will tell whether any real change will occur.

Cyber Can Mean Anything

Have you noticed that “cyber” has become a meaningless buzz-word, particularly when used by the usual suspects? The Department of Energy released a report that contained a vague but interesting sounding description of an event: “Cyber event that causes interruptions of electrical system operations.” This was noticed by news outlets, and people have been speculating ever since. What is frustrating about this is the wide range of meaning covered by the term “cyber event”. Was it an actual attack? Was Trinity shutting down the power stations, or did an intern trip over a power cord?
Continue reading “This Week In Security: Facebook Hacked Your Email, Cyber On The Power Grid, And A Nasty Zero-day”