USB Password Keeper Runs On Tiny Chip

The most important rule of password use, especially for online logins, is to avoid reusing passwords. From there, one’s method of keeping track of multiple passwords can vary considerably. While memorization is an option in theory, in practice a lot of people make use of a password manager like LastPass or KeePass. Those with increased security concerns, though, may want to implement a USB password keeper like this one based on an ATtiny.

This password keeper, called “snopf”, is a USB device with an ATtiny85 which adds a layer of separation to password keeping that increases security substantially. The USB device itself generates the passwords using a 128-bit key, keeping them physically detached from the computer. Password requests are made by the computer to the USB device, but the user must push a button on the snopf in order to send the password to the computer. It does this by emulating a keyboard, keeping the password information off of the computer’s clipboard.

Of course, snopf isn’t perfectly secure, and the project’s creator [Hajo] goes into detail on the project’s page about some of the potential vulnerabilities. For most use cases, though, none of these are of serious concern. Upgrading your password keeper to a physical device is likely to be a huge security improvement regardless, and one was actually developed on Hackaday a few years ago.


Hackaday Links: February 2, 2020

Is it just me or did January seem to last for about three months this year? A lot has happened since the turn of the decade 31 days ago, both in the normie world and in our space. But one of the biggest pieces of news in the hacker community is something that won’t even happen for four more months: Hackaday Belgrade. The annual conference in Hackaday’s home-away-from-home in Serbia was announced, and as usual, one had to be a very early bird to score discount tickets. Regular tickets are still on sale, but I suspect that won’t last long. The call for proposals for talks went out earlier in the month, and you should really consider standing up and telling the world what you know. Or tell them what you don’t know and want to find out – there’s no better way to make connections in this community, and no better place to do it.

Someone dropped a tip this week about the possible closing of Tanner Electronics, the venerable surplus dealer located in Carrollton, Texas, outside of Dallas and right around the corner from Dallas Makerspace. The report from someone visiting the store is that the owner has to either move the store or close it down. I spoke to someone at the store who didn’t identify herself, but she confirmed that they need to either downsize or close. She said they’re actively working with a realtor and are optimistic that they’ll find a space that fits their needs, but the clock is ticking – they only have until May to make the change. We covered Tanner’s in a 2015 article on “The Death of Surplus”. It would be sad to lose yet another surplus store; as much as we appreciate being able to buy anything and everything online, nothing beats the serendipity that can strike walking up and down aisles filled with old stuff. We wish them the best of luck.

Are you finding that the smartphone in your pocket is more soul-crushing than empowering? You’re not alone, and more and more people are trying a “digital detox” to free themselves from the constant stimulation. And there’s no better way to go about this than by turning your smartphone into a not-so-smart phone. Envelope, a paper cocoon for your phone, completely masks the screen, replacing it with a simple printed keypad. A companion app allows you to take and make phone calls or use the camera, plus provides a rudimentary clock, but that’s it. The app keeps track of how long you can go before unwrapping your phone and starting those sweet, sweet dopamine hits again. It reminds us a bit of the story we also saw this week about phone separation anxiety in school kids, and the steps schools are taking to mitigate that problem.

We saw a lot of articles this week on a LoRaWAN security vulnerability. The popular IoT network protocol has been billed as “secure by default”, but a white paper released by cybersecurity firm IOActive found a host of potential attack vectors. Their main beef seems to be that client devices which are physically accessible can be reverse engineered to reveal their encryption keys. They also point out the obvious step of taking the QR code off of client devices so an attacker can’t generate session keys for the device.

And finally, the mummy speaks! If you ever wondered what the voice of someone who lived 3,000 years ago sounded like, wonder no more. Using computed tomography (CT) data, scientists in the UK and Germany have recreated the vocal tract of Nesyamun, an Egyptian scribe and priest from the time of pharaoh Rameses XI. He died in his mid-50s, and his mummified remains have been studied since the 1800s. CT data was used to 3D-print Nesyamun’s larynx and nasopharynx, which was then placed atop a “Vocal Tract Organ”, possibly the strangest musical instrument in existence. The resulting vowel-like utterance is brief, to say the least, but it’s clear and strong, and it’s pretty impressive that we can recreate the voice of someone who lived and died three millennia ago.

 

Factory Laptop With IME Disabled

Unfortunately, not all consumers place high value on the security of their computers, but one group that tends to focus on security is businesses with a dedicated IT group. When buying computers for users, these groups tend to have higher demands, like making sure the Intel Management Engine (IME) has been disabled. To that end, Reddit user [netsec_burn] has outlined a pretty simple method by which “normal people” can purchase one of these IME-disabled devices for themselves.

For those unfamiliar with the IME, it is a coprocessor on all Intel devices since around 2007 that allows access to the memory, hard drive, and network stack even when the computer is powered down. Intel claims it’s a feature, not a bug, but it’s also a source of secret, unaudited code that’s understandably a desirable target for any malicious user trying to gain access to a computer. The method that [netsec_burn] outlined for getting a computer with the IME disabled from the factory is as simple as buying a specific Dell laptop, intended for enterprise users, and selecting the option to disable the IME.

Of course Dell warns you that you may lose some system functionality if you purchase a computer with the IME disabled, but it seems that this won’t really affect users who aren’t involved in system administration. Also note that this doesn’t remove the management engine from the computer. For that, you’ll need one of only a handful of computers made before Intel made complete removal of the IME impossible. In the meantime, it’s good to see that at least one company has a computer available that allows for it to be disabled from the factory.

Bringing The Blockchain To Network Monitoring

If you need to make sure your computer isn’t being messed with, you’ll have a look at the log files. If something seems fishy, that’s grounds for further investigation. If you run a large network of computers, you’ll probably want to look over all of the logs, but you won’t want to run around to each computer individually. Setting up a central server to analyze the logs exposes an additional attack surface: the logs in transit. How do you make sure that the attackers aren’t also intercepting and sanitizing your log file reports?

The answer to this question, and nearly everything else, is blockchain! Or maybe it’s not, but in this short presentation from the 2019 Hackaday Superconference, Shanni Prutchi, Jeff Wood, and six other college students intend to find out. While Shanni “rolls her eyes” at much of blockchain technology along with the rest of us, you have to admit one thing: recursively hashing your log data to make sure they’re not tampered with doesn’t sound like such a bad idea.
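The recursive hashing idea mentioned above, sketched as an added example (not code from the presentation or from Hackaday): each record's SHA-256 digest covers the previous digest, and the verifier compares the final digest against a head value assumed to be stored where an attacker cannot rewrite it. The function names, the all-zero starting value and the sample log lines are constructed for illustration.

```python
import hashlib

GENESIS = b"\x00" * 32  # assumed fixed starting value for the chain

# Constructed sample log lines (documentation IP range), not real data.
SAMPLE = [
    "Jan 12 03:14:07 host1 sshd[812]: Failed password for root from 192.0.2.10",
    "Jan 12 03:14:09 host1 sshd[812]: Accepted password for root from 192.0.2.10",
    "Jan 12 03:15:30 host1 sudo: root : COMMAND=/usr/bin/passwd",
]


def chain_logs(lines, prev=GENESIS):
    """Return [(line, hex_digest)]; each digest covers the line and the previous digest."""
    out = []
    for line in lines:
        prev = hashlib.sha256(prev + line.encode("utf-8")).digest()
        out.append((line, prev.hex()))
    return out


def verify_chain(records, trusted_head, prev=GENESIS):
    """Return (ok, index). index is the first record whose digest is wrong,
    len(records) if only the trusted head disagrees, or None if all is well."""
    for i, (line, digest) in enumerate(records):
        prev = hashlib.sha256(prev + line.encode("utf-8")).digest()
        if prev.hex() != digest:
            return False, i
    if prev.hex() != trusted_head:
        return False, len(records)
    return True, None


def demo():
    records = chain_logs(SAMPLE)
    head = records[-1][1]  # assumed to be kept out of the attacker's reach
    edited = list(records)
    edited[1] = (edited[1][0].replace("Accepted", "Failed"), edited[1][1])
    dropped = records[:1] + records[2:]             # one record silently removed
    rebuilt = chain_logs([SAMPLE[0], SAMPLE[2]])    # removed, then every digest recomputed
    return {name: verify_chain(recs, head) for name, recs in
            [("intact", records), ("edited", edited),
             ("dropped", dropped), ("rebuilt", rebuilt)]}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The "rebuilt" case is the one to watch: a chain that has been sanitized and fully recomputed is internally consistent, so it is caught only by the comparison against the independently stored head.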

A Kill Cord To End Laptop Skulduggery

In our community it is common for ancient laptops to be used way beyond their usual service life, held together by stickers and lovingly upgraded to their maximum capabilities. We hope it’s unusual for such a venerable machine to be stolen, but it seems that grab-and-run thefts are very much a thing for owners of much shinier hardware. [Michael Altfield] has a solution to this problem, in the form of a kill cord that, when broken by the crook making off with the loot, triggers a set of scripts that can wipe the device or otherwise make it useless.

Hardware-wise it’s simple enough: a USB magnetic breakaway adapter and a USB extension cable to a drive clipped to the laptop owner’s belt. On the software side it’s as straightforward as a udev rule to launch the disaster script of your choice. Perhaps you could link it to something like a glitter bomb and fart spray. But we can’t help worrying that it might be too easy to get up and accidentally detach yourself from the laptop, making it deploy whatever anti-theft measure you’d installed in error. If this goes some way to reducing theft though, it has to be worth a second look.

Thanks [bluewraith] for the tip.

Home Safety Monitoring With IoT

Home automation is a popular project to undertake but its complexity can quickly become daunting, especially if you go further than controlling a few lights (or if you’re a renter). To test the waters you may want to start with something like this home safety monitor, which is an IoT device based on an Arduino. It allows remote monitoring of a home for things such as temperature, toxic gasses, light, and other variables, which is valuable even if you don’t need or want to control anything.

The device is built around an Arduino Nano 33 IOT which has WiFi and Bluetooth capabilities as well as some integrated security features. This build features a number of sensors including pressure/humidity, a gas/smoke detector, and a light sensor. To report all of the information it gathers around the home, an interface with Ubidots is configured to allow easy (and secure) access to the data gathered by the device.

The PCB and code for the project are all provided on the project page, and there are a number of other options available if Ubidots isn’t your preferred method of interfacing with the Internet of Things. You might even give Mozilla’s WebThings a shot if you’re so inclined.

Take Security Up A Notch By Adding LEDs

All computers are vulnerable to attacks by viruses or black hats, but there are lots of steps that can be taken to reduce risk. At the extreme end of the spectrum is having an “air-gapped” computer that doesn’t connect to a network at all, but this isn’t a guarantee that it won’t get attacked. Even transferring files to the computer with a USB drive can be risky under certain circumstances, but thanks to some LED lights that [Robert Fisk] has on his drive, this attack vector can at least be monitored.

Using a USB drive with a single LED that illuminates during a read OR write operation is fairly common, but since it’s possible to transfer malware unknowingly via USB drives, one that has a separate LED specifically for writing operations will help alert a user to any write operations that might be trying to fly under the radar. A recent article by [Bruce Schneier] pointed out this flaw in USB drives, and [Robert] was up to the challenge. His build returns more control to the user by showing them when their drive is accessed and in what way, which can also be used to discover unique quirks of one’s chosen operating system.

[Robert] is pretty familiar with USB drives and their ups and downs as well. A few years ago he built a USB firewall that was able to decrease the likelihood of BadUSB-type attacks. Be careful going down the rabbit hole of device security, though, or you will start seeing potential attacks hidden almost everywhere.