This Week In Security: Rackspace Falls Over, Poison Ping, And The WordPress Race

In what’s being described as a Humpty-Dumpty incident, Rackspace customers have lost access to their hosted Exchange service, and by extension, lots of archived emails. The first official word of trouble came on December 2nd, and it quickly became clear that this was more than the typical intern-tripped-over-the-cable incident. Nearly a week later, Rackspace confirmed what observers were beginning to suspect, it was a ransomware attack. There’s not a lot of other answers yet, and the incident FAQ answers are all variations on a theme.

Our investigation into the incident is ongoing and will take time to complete. To ensure the integrity of the ongoing investigation, we do not have additional details to share at this time.

Knowing the security issues that have plagued Microsoft Exchange over the last couple of months, one has to wonder if Rackspace was breached as a result of the PowerShell problems. What’s staggering is that a week after the incident, Rackspace still has no timeline for service restoration.

Rackspace isn’t the only major ransomware attack this week, as a hospital in Versailles has partially shut down due to another ransomware attack. Operations were canceled, and work has to be done the old fashioned way, without the network to support.

Continue reading “This Week In Security: Rackspace Falls Over, Poison Ping, And The WordPress Race”

This Week In Security: Pacman, Hertzbleed, And The Death Of Internet Explorer

There’s not one, but two side-channel attacks to talk about this week. Up first is Pacman, a bypass for ARM’s Pointer Authentication Code. PAC is a protection built into certain ARM Processors, where a cryptographic hash value must be set correctly when pointers are updated. If the hash is not set correctly, the program simply crashes. The idea is that most exploits use pointer manipulation to achieve code execution, and correctly setting the PAC requires an explicit instruction call. The PAC is actually indicated in the unused bits of the pointer itself. The AArch64 architecture uses 64-bit values for addressing, but the address space is much less than 64-bit, usually 53 bits or less. This leaves 11 bits for the PAC value. Keep in mind that the application doesn’t hold the keys and doesn’t calculate this value. 11 bits may not seem like enough to make this secure, but keep in mind that every failed attempt crashes the program, and every application restart regenerate the keys.

What Pacman introduces is an oracle, which is a method to gain insight on data the attacker shouldn’t be able to see. In this case, the oracle works via speculation attacks, very similar to Meltdown and Spectre. The key is to attempt a protected pointer dereference speculatively, and to then observe the change in system state as a result. What you may notice is that this requires an attack to already be running code on the target system, in order to run the PAC oracle technique. Pacman is not a Remote Code Execution flaw, nor is it useful in gaining RCE.

One more important note is that an application has to have PAC support compiled in, in order to benefit from this protection. The platform that has made wide use of PAC is MacOS, as it’s a feature baked in to their M1 processor. The attack chain would likely start with a remote execution bug in an application missing PAC support. Once a foothold is established in uprivileged userspace, Pacman would be used as part of an exploit against the kernel. See the PDF paper for all the details.

Continue reading “This Week In Security: Pacman, Hertzbleed, And The Death Of Internet Explorer”

Hard(er) Drives: Impractical, Slow, Amazing, And Incredible

Computer memory is a problem that has been solved for many years. But early on, it was more than just a small problem. We’ve many of the different kinds at Hackaday over the years, and we’ll link to some of them later on. But one of the original types of memory was called Delay Line memory, which worked by waiting for a signal to propagate slow enough through a device that it was essentially stored in the device. This was highly inefficient, but still a neat concept- one that [Tom7] has taken to entirely new levels of amazing and impractical as seen in the video below the break.

Such factors as “harm to society” are artfully considered

Starting with a demonstration of orbiting chainsaws, he then moves on to explaining how radio propagation waves could be used to temporarily store data while it’s in transit. He missed the opportunity to call it cloud storage, but we’ll forgive him. Extrapolating that further, he decided to use the Entire Internet to store data without its permission, utilizing large ICMP packets and even making it available as block storage in Linux.

Not content to use the entire Internet to store a few kb of data, he moved on to several thousand virtualized NES game systems which are all playing “an inventory management survival horror game” commonly known as Tetris. [Tom7] deconstructs Tetris, analyzing its Random Number Generator, gaming the system to store data in virtual NES consoles by the thousands. What data did he store? The source code to Tetris for the NES. And what did he do with it? Well, he mounted it and ran the program, of course!

The last Harder Drive we’ll leave for those who want to watch the video, because it’s a bit on the “ewww gross!” side of things but is also a bit less successful due to some magic smoke being released.

If none of these things we’ve mentioned were enough, then watch the video for an excellent breakdown of the cost, efficiency, and even the harm to society. For fun, he also tosses blockchain into the mix to see how it fares against the Harder Drives. There’s also at least one easter egg in the video, and the whimsical discussion of engineering is both entertaining and inspiring. How would you implement a Harder Drive?

[Tom7] also gives you the opportunity to follow along with the fun and mayhem by making much of the code available for your perusal. For more fun reading, check out this walk down computer memory lane that we covered last year, as well as a look into Acoustic Delay Line memory.

Continue reading “Hard(er) Drives: Impractical, Slow, Amazing, And Incredible”

That Clock On The Wall Is Actually A Network Ping Display

We’ve all been online from home a bit more than usual lately, in ways that often stretch the limits of what our ISP can muster. You know the signs — audio that drops out, video sessions that make you look like [Max Headroom], and during the off-hours, getting owned in CS:GO by pretty much everyone. All the bandwidth in the world won’t make up for high latency, and knowing where you stand on that score is the point of this ping-tracking clock.

This eye-catching lag-o-meter is courtesy of [Charl], who started the build with a clock from IKEA. Stripped of pretty much everything but the bezel, he added a coaxial clock motor and a driver board, along with a custom-printed faceplate with logarithmic scale. The motors are driven by an ESP32, which uses internet control message protocol (ICMP) to ping a trusted server via WiFi, calculates the proper angles for the hands, and drives the motors to show you the bad news. There’s also an e-paper display in the face, showing current server and WiFi settings.

We really like how this clock looks, and if it wasn’t for the fact that the numbers it displays would often be too depressing to bear, we’d build one in a snap. If facing the painful truth isn’t your style, there are other neat ICMP tricks that you can try instead.

IPv6 Christmas Display Uses 75 Internet’s Worth Of Addresses

We’ve seen internet-enabled holiday displays before, and we know IPv6 offers much more space than the older IPv4 addressing scheme that most of us still use today, but the two have never been more spectacularly demonstrated than at jinglepings.com. The live video stream shows an Internet-connected Christmas tree and an LED display wall that you can control by sending IPv6 ICMP echo request messages, more commonly known as pings.

Reading the page, you quickly parse the fact that there are three ways to control the tree. First, you can type a message in the box and press send – this message gets displayed on the crawl at the bottom of the LED screen.  Second, you can light up the tree by sending a ping to the IPv6 address 2001:4c08:2028:2019::RR:GG:BB, where RR, GG, and BB are 8-bit hex values for red, green, and blue. This is a neat abuse of the IPv6 address space, in that the tree has 224 (around 16.8 million) IPv6 addresses, one for each color you can set. We were impressed by this brute-force use of address space, at least until we read on a little further.

You can also make your own drawings on the LED wall, again by sending pings. In this case, the address to set a pixel to a particular color is: 2001:4c08:2028:X:Y:RR:GG:BB, where X and Y are the pixel coordinates. This seems easy enough: to set pixel (10, 11) to magenta, the RGB value (0xFF, 0x00, 0xFF), you’d simply ping the IPv6 address 2001:4c08:2028:10:11:FF:00:FF. Having  an array of addressable LEDs is commonplace in hacker circles today, although each of them having their own live IPv6 address on the Internet seems a little excessive at first. Then it hits you – each LED has an IPv6 address for every possible color, just like the tree: 16.8 million addresses for each LED. The LED display is 160×120 pixels in size, so the total number of IPv6 addresses used is 160x120x224, which is 75 times larger than all possible IPv4 addresses!  This is a hack of monstrous proportions, and we love it.

In case you’re not running IPv6 yet, we’ve got you covered. To send individual pings using your browser, you can use a site like Ipv6now. If you want to send pixels to the display wall, you’re better off using a 6in4 tunnel that lets you access IPv6 sites using your current IPv4 connectivity.  Hurricane Electric offers a free 6in4 tunnel service that we’ve found useful. Then it’s just a matter of writing some code to send pixel values as pings.  The python scapy module is perfect for this sort of thing. But, first you’ll have to fill out the form on jinglepings.com and wait to get your IPv6 address whitelisted before you can draw on the display; evidently the usual bad actors have found the site and started drawing inappropriate things.

If you think this use of addresses seems wasteful, you needn’t worry. There are around 3.4×1038 IPv6 addresses, enough for 1027 such displays. We’re going to go out on a limb here and say it: nobody will ever need more than 2128 IP addresses.

If you’re looking to build an LED holiday display on a smaller budget, check out this one that re-purposes normal LED strings.

Thanks to [Ward] for the tip!

Measuring Web Latency In The Browser

We’ll go out on a limb and assume that anyone reading these words is probably familiar with the classic ping command. Depending on which operating system you worship the options might be slightly different, but every variation of this simple tool does the same thing: send an ICMP echo request and wait for a response. How long it takes to get a response from the target, if it gets one at all, is shown to the user. This if often the very first step to diagnosing network connectivity issues; if this doesn’t work, there’s an excellent chance the line is dead.

But in the modern web-centric view of networking, ping might not give us the whole picture. But nature it doesn’t take into account things like DNS lookups, and it certainly doesn’t help you determine what (if any) services the target has available to you. Accordingly, [Liu Zhiyong] has come up with a tool he calls “pingms”, which allows you to check web server latency right from your browser.

Rather than relying on ICMP, pingms performs a more realistic test. It takes the list of targets from the file “targets.js” and connects to each one over HTTP. How does it work? The code [Liu] has come up with will take each target domain name, append a random number to create a gibberish filename, and then calculate how long it takes to get a response when trying to download the file. Obviously it’s going to be getting a 404 response from the web server, but the important thing is simply that it gets the response.

With this data, [Liu] has come up with a simplistic but very slick interface which shows the user the collected data with easy to understand color-coded graphs. As interesting as it is to see how long it takes your favorite web sites or service providers to wake up and start talking, watching the colored bars hop up and down the list to sort themselves is easily our favorite part of pingms.

[Liu] has released pingms under the GPLv3 license, so if you’re looking to utilize the software for your own purposes you just need to provide a list of test targets. If you need to perform low-level diagnostics, check out this handy network tester you can build for cheap.

Colorful Display Keeps Track Of Your Network

So you’ve built out your complete home automation setup, with little network-connected “things” scattered all around your home. You’ve got net-connected TVs, weather stations, security cameras, and whatever else. More devices means more chances for failure. How do you know that they’re all online and doing what they should?

[WTH]’s solution is pretty simple: take a Raspberry Pi Zero, ping all the things, log, and display the status on an RGB LED strip. (And if that one-sentence summary was too many words for you, there’s a video embedded below the break.)

Continue reading “Colorful Display Keeps Track Of Your Network”