Zoombombing The EU Foreign Affairs Council

Those with security clearance are capable of making foolish mistakes, just like the rest of us. So is the story of how a Dutch journalist made an appearance on video meeting of the European Union’s Foreign Affairs Council (Dutch language, Google Translate link).

Ank Bijleveld's Tweeted picture, with the access details blacked out by Daniël Verlaan.
Netherlands Defence MInister Ank Bijleveld’s Tweeted picture, with the access details blacked out by Daniël Verlaan.

Like any other video call, if you had the link you could enter the meeting. So when Netherlands Defence Minister Ank Bijleveld Tweeted a photo of a video call last Friday, the address bar of the browser gave away the secret to anyone with a keen eye. Dutch journalist Daniël Verlaan working for the broadcaster RTL saw the URL on the screen and deduced the login credentials for the meeting.

We say “deduced”, but in fact there were five of the six digits in the PIN in the clear in the URL, leaving him with the difficult task of performing a one-digit brute-force attack and joining with the username “admin”. He joined and revealed his presence, then was admonished for committing a criminal offence before he left.

On one level it’s an opportunity for a good laugh at the expense of the defence ministers, and we certainly wouldn’t want to be Ank Bijleveld or probably the EU’s online security people once the inevitable investigation into this gets under way. It seems scarcely credible that the secrecy on such a high-security meeting could have sat upon such a shaky foundation without for example some form of two-factor authentication using the kind of hardware available only to governments.

EU policy is decided not by individual ministries but by delicate round-table summits of all 27 countries. In a pandemic these have shifted to being half-online and half in-real-life, so this EU defence ministers’ meeting had the usual mosaic video feed of politicians and national flags. And one Zoom-bombing journalist.

Escalating Privileges In Ubuntu 20.04 From User Account

Ubuntu 20.04 is an incredibly popular operating system, perhaps the most popular among the Linux distributions due to its ease-of-use. In general, it’s a fairly trustworthy operating system too, especially since its source code is open. However, an update with the 20.04 revision has led to security researcher [Kevin Backhouse] finding a surprisingly easy way to escalate privileges on this OS, which we would like to note is not great.

The exploit involves two bugs, one in accountservice daemon which handles user accounts on the computer, and another in the GNOME Display Manager which handles the login screen. Ubuntu 20.04 added some code to the daemon which looks at a specific file on the computer, and with a simple symlink, it can be tricked into reading a different file which locks the process into an infinite loop. The daemon also drops its privileges at one point in this process, a normal security precaution, but this allows the user to crash the daemon.

The second bug for this exploit involves how the GNOME Display Manager (gdm3) handles privileges. Normally it would not have administrator privileges, but if the accountservice daemon isn’t running it escalates itself to administrator, where any changes made have administrator privileges. This provides an attacker with an opportunity to create a new user account with administrator privileges.

Of course, this being Ubuntu, we can assume that this vulnerability will be immediately patched. It’s also a good time to point out that the reason that open-source software is inherently more secure is that when anyone can see the source code, anyone can find and report issues like this which allow the software maintainer (or even the user themselves) to make effective changes more quickly.

Lowering The Bar For Exam Software Security

Most standardized tests have a fee: the SAT costs $50, the GRE costs $200, and the NY Bar Exam costs $250. This year, the bar exam came at a much larger cost for recent law school graduates — their privacy.

Many in-person events have had to find ways to move to the internet this year, and exams are no exception. We’d like to think that online exams shouldn’t be a big deal. It’s 2020. We have a pretty good grasp on how security and privacy should work, and it shouldn’t be too hard to implement sensible anti-cheating features.

It shouldn’t be a big deal, but for one software firm, it really is.

The NY State Board of Law Examiners (NY BOLE), along with several other state exam boards, chose to administer this year’s bar exam via ExamSoft’s Examplify. If you’ve missed out on the Examplify Saga, following the Diploma Privilege for New York account on Twitter will get you caught up pretty quickly. Essentially, according to its users, Examplify is an unmitigated disaster. Let’s start with something that should have been settled twenty years ago.

Continue reading “Lowering The Bar For Exam Software Security”

Hackaday Links: October 4, 2020

In case you hadn’t noticed, it was a bad week for system admins. Pennsylvania-based United Health Services, a company that owns and operates hospitals across the US and UK, was hit by a ransomware attack early in the week. The attack, which appears to be the Ryuk ransomware, shut down systems used by hospitals and health care providers to schedule patient visits, report lab results, and do the important job of charting. It’s not clear how much the ransomers want, but given that UHS is a Fortune 500 company, it’s likely a tidy sum.

And as if an entire hospital corporation’s IT infrastructure being taken down isn’t bad enough, how about the multi-state 911 outage that occurred around the same time? Most news reports seemed to blame the outage on an Office 365 outage happening at the same time, but Krebs on Security dug a little deeper and traced the issue back to two companies that provide 911 call routing services. Each of the companies is blaming the other, so nobody is talking about the root cause of the issue. There’s no indication that it was malware or ransomware, though, and the outage was mercifully brief. But it just goes to show how vulnerable our systems have become.

Our final “really bad day at work” story comes from Japan, where a single piece of failed hardware shut down a $6-trillion stock market. The Tokyo Stock Exchange, third-largest bourse in the world, had to be completely shut down early in the trading day Thursday when a shared disk array failed. The device was supposed to automatically failover to a backup unit, but apparently the handoff process failed. This led to cascading failures and blank terminals on the desks of thousands of traders. Exchange officials made the call to shut everything down for the day and bring everything back up carefully. We imagine there are some systems people sweating it out this weekend to figure out what went wrong and how to keep it from happening again.

With our systems apparently becoming increasingly brittle, it might be a good time to take a look at what goes into space-rated operating systems. Ars Technica has a fascinating overview of the real-time OSes used for space probes, where failure is not an option and a few milliseconds error can destroy billions of dollars of hardware. The article focuses on the RTOS VxWorks and goes into detail on the mysterious rebooting error that affected the Mars Pathfinder mission in 1997. Space travel isn’t the same as running a hospital or stock exchange, of course, but there are probably lessons to be learned here.

As if 2020 hasn’t dealt enough previews of various apocalyptic scenarios, here’s what surely must be a sign that the end is nigh: AI-generated PowerPoint slides. For anyone who has ever had to sit through an endless slide deck and wondered who the hell came up with such drivel, the answer may soon be: no one. DeckRobot, a startup company, is building an AI-powered extension to Microsoft Office to automate the production of “company compliant and visually appealing” slide decks. The extension will apparently be trained using “thousands and thousands of real PowerPoint slides”. So, great — AI no longer has to have the keys to the nukes to do us in. It’ll just bore us all to death.

And finally, if you need a bit of a palate-cleanser after all that, please do check out robotic curling. Yes, the sport that everyone loves to make fun of is actually way more complicated than it seems, and getting a robot to launch the stones on the icy playing field is a really complex and interesting problem. The robot — dubbed “Curly”, of course — looks like a souped-up Roomba. After sizing up the playing field with a camera on an extendable boom, it pushes the stone while giving it a gentle spin to ease it into exactly the right spot. Sadly, the wickedly energetic work of the sweepers and their trajectory-altering brooms has not yet been automated, but it’s still pretty cool to watch. But fair warning: you might soon find yourself with a curling habit to support.

Teardown: BlackBerry Smart Card Reader

Years before Steve Jobs showed off the first iPhone, the BlackBerry was already the must-have accessory for mobile professionals. Back then, nobody was worried about watching movies or playing the latest games on their mobile devices, they just wanted a secure and fast way to send and receive email on the go. For that, the BlackBerry was king.

Fast forward to today, and the company is just a shell of what it once was. They don’t even bother making their own hardware anymore. Over the last several years they’ve opted to partner with a series of increasingly obscure manufacturers to produce a handful of lackluster Android phones so they still have something to sell to their dwindling userbase. Anyone excited about the new 5G BlackBerry being built by Texas start-up OnwardMobility? Did you even know it was in the works before now?

A DoD Common Access Card

But this article isn’t about BlackBerry phones. It’s about something that’s even more irrelevant to consumers: the BlackBerry Smart Card Reader. Technically, this little device isn’t dependent on the phones of the same name, but it makes sense that Research In Motion (which eventually just renamed itself to BlackBerry Limited) would market the gadget under the brand of their most popular product. Though as you might expect, software was available to allow it to work with the BlackBerry phone that you almost certainly owned if you needed a dedicated smart card reader.

For those who might not be aware, a smart card in this context is a two-factor authentication token contained in an ID card. These are used extensively by organizations such as the Department of Defense, where they’re known as Common Access Cards, that require you to insert your ID card into a reader before you can log into a secure computer system. This sleek device was marketed as a portable reader that could connect to computers over USB or Bluetooth. Worn around your neck with the included lanyard, the battery-powered reader allowed the card itself to remain on the user’s body while still being readable by nearby devices.

Civilians will recognize the basic technology from modern “Chip and PIN” debit and credit cards, but we’ve never had to stick one of those into our laptop just to log in. To be sure, the BlackBerry Smart Card Reader was never intended for the average home computer user, it was sold to companies and organizations that had tight security requirements; which just so happened to be the same places that would likely already be using BlackBerry mobile devices.

Of course, times and technology change. These devices once cost $200 apiece and were purchased in vast quantities for distribution to trusted personnel, but are now all but worthless. Even in new and unopened condition, they can be had for as little as $10 USD on eBay. For that price, it’s certainly worth taking a peek inside. Perhaps the hacker community can even find new applications for these once cutting-edge devices.

Continue reading “Teardown: BlackBerry Smart Card Reader”

Displaying Incoming Server Attacks By Giving Server Logs A Scoreboard

In the server world, it’s a foregone conclusion that ports shouldn’t be exposed to the greater Internet if they don’t need to be. There are malicious bots everywhere that will try and randomly access anything connected to a network, and it’s best just to shut them off completely. If you have to have a port open, like 22 for SSH, it’ll need to be secured properly and monitored so that the administrator can keep track of it. Usually this is done in a system log and put to the side, but [Nick] wanted a more up-front reminder of just how many attempts were being made to log into his systems.

This build actively monitors attempts to log into his server on port 22 and notifies him via a numerical display and series of LEDs. It’s based on a Raspberry Pi Zero W housed in a 3D-printed case, and works by interfacing with a program called fail2ban running on the server. fail2ban‘s primary job is to block IP addresses that fail a certain number of login attempts on a server, but being FOSS it can be modified for situations like this. With some Python code running on the Pi, it is able to gather data fed to it from fail2ban and display it.

[Nick] was able to see immediate results too. Within 24 hours he saw 1633 login attempts on a server with normal login enabled, which was promptly shown on the display. A video of the counter in action is linked below. You don’t always need a secondary display if you need real-time information on your server, though. This Pi server has its own display built right in to its case.

Continue reading “Displaying Incoming Server Attacks By Giving Server Logs A Scoreboard”

Stealing Keys From The Sound Of The Lock

If you are smart, you wouldn’t hand your house key over to a stranger for a few minutes, right? But every time you use your key to unlock your door, you are probably broadcasting everything an attacker needs to make their own copy. Turns out it’s all in the sound of the key going into the lock.

Researchers in Singapore reported that analyzing metallic clicks as the key slides past the pins gives them the data they need to 3D print a working key. The journal published research is behind a paywall, but there is a copy on co-author [Soundarya Ramesh’s] website which outlines the algorithm used to decode the clicks of key teeth on lock pins into usable data.

The attack didn’t require special hardware. The team used audio capture from common smartphones. While pushing your phone close to the lock while the victim inserts a key might be problematic, it isn’t hard to imagine a hacked phone or smart doorbell picking up the audio for an attacker. Long-range mikes or hidden bugs are also possible.

There are practical concerns, of course. Some keys have a plateau that causes some clicks to skip, so the algorithm has to deal with that. It sounds like the final result be a small number of key possibilities and not just converge on one single key, but even if you had to carry three or four keys with you to get in, it is still a very viable vulnerability.

The next step is to find a suitable defense. We’ve heard that softening the pins might reduce the click, but we wondered if it would be as well to put something in that deliberately makes loud clicks as you insert the key to mask the softer clicks of the pins.

While a sound recording is good, sometimes a picture is even better. Of course, if you want to go old school, you can 3D print your lockpicks.

Continue reading “Stealing Keys From The Sound Of The Lock”