security

465 Articles

Is My Password Safe? Practices For People Who Know Better

April 7, 2017 by 75 Comments

A couple of weeks back a report came out where [Tavis Ormandy], a widely known security researcher for Google Project-Zero, showed how it was possible to abuse Lastpass RPC commands and steal user passwords. Irony is… Lastpass is a software designed to keep all your passwords safe and it’s designed in a way that even they can’t access your passwords, the passwords are stored locally using strong cryptography, only you can access them via a master-key. Storing all your passwords in only place has its downfalls. By the way, there is no proof or suggestion that this bug was abused by anyone, so if you use Lastpass don’t worry just yet.

But it got me thinking, how worried and how paranoid should a regular Internet user should be about his password? How many of us have their account details exposed somewhere online? If you’ve been around long enough, odds are you have at least a couple of accounts on some major Internet-based companies. Don’t go rushing into the Dark Web and try to find if your account details are being sold. The easiest way to get your paranoia started is to visit Have I Been Pwned. For those who never heard about it, it’s a website created by [Troy Hunt], a well-known security professional. It keeps track of all known public security breaches he can get his hands on and provides an answer to a simple question: “Was my account in any major data leak?” Let’s take a look.

Continue reading “Is My Password Safe? Practices For People Who Know Better”

Friday Hack Chat: Breaking Security With Samy Kamkar

April 5, 2017 by 3 Comments

[Samy Kamkar] is a hardware hacker extraordinaire. This week, he’s joining us on Hackaday.io for this week’s Hack Chat.

Every week, we find someone interesting that makes or breaks the electronic paraphernalia all around us. We sit them down, and get them to spill the beans on how this stuff works, and how we can get our tools and toys to work for everyone. This is the Hack Chat, and it’s happening this Friday, April 7, at noon PDT (20:0 UTC).

Over the years, [Samy] has demonstrated some incredible skills and brought us some incredible hacks. He defeated chip and pin security on a debit card with a coil of wire, exploited locked computers with a USB gadget, and has more skills than the entire DEF CON CFP review board combined. If you want to know about security, [Samy] is the guy you want to talk to.

Here’s How To Take Part:

join-hack-chatOur Hack Chats are live community events on the Hackaday.io Hack Chat group messaging.

Log into Hackaday.io, visit that page, and look for the ‘Join this Project’ Button. Once you’re part of the project, the button will change to ‘Team Messaging’, which takes you directly to the Hack Chat.

You don’t have to wait until Friday; join whenever you want and you can see what the community is talking about.

Upcoming Hack Chats

We’ve got a lot on the table when it comes to our Hack Chats. On April 14th we’ll be talking custom silicon with SiFive and on April 21st, we’re going to be talking magnets with Nanomagnetics. Making magnets, collecting magnets, playing with magnets, it’ll all be over on the Hack Chat.

2017: The Year Of The Dishwasher Security Patch

March 28, 2017 by 101 Comments

As if Windows Update wasn’t bad enough, one has to deal with a plethora of attention-hungry programs and utilities all begging for a continual stream of patches from the Internet. It’s exhausting, but unfortunately also par for the course. Many of these updates are to close security vulnerabilities that could otherwise expose your computer to undesirables. The Internet of Things will only expand the amount of hardware and software you need to keep updated and protected on a daily basis. Now, it’s your dishwasher that’s under attack.

The Register reports that Jens Regel discovered the bug in a Miele dishwasher with a webserver. It’s a basic directory traversal attack that can net the intruder the shadow password file. Armed with this, it’s simple to take over the embedded Linux system and wreak havoc on your local network.

It’s not particularly surprising – we’ve talked about IoT security and its pitfalls before. The problem is, a dishwasher is not a computer. Unlike Microsoft, or Google, or even the people behind VLC, Miele don’t have infrastructure in place to push out an update to dishwashers worldwide. This means that as it stands, your only real solutions are to either disconnect the dishwasher from your network, or lock it behind a highly restrictive firewall. Both are likely to impede functionality. Of course, as always, many will ask why a dishwasher needs to be connected to the Internet at all. Why indeed.

A Red Teamer’s Guide To Pivoting

March 25, 2017 by 22 Comments

What is hacking and what is network engineering? We’re not sure where exactly to draw the lines, but [Artem]’s writeup of pivoting is distinctly written from the (paid) hacker’s perspective.

Once you’re inside a network, the question is what to do next. “Pivoting” is how you get from where you are currently to where you want to be, or even just find out what’s available. And that means using all of the networking tricks available. These aren’t just useful for breaking into other people’s networks, though. We’ve used half of these tools at one time or another just running things at home. The other half? Getting to know them would make a rainy-day project.

Is there anything that ssh and socat can’t do? Maybe not, but there are other tools (3proxy and Rpivot) that will let you do it easier. You know how clients behind a NAT firewall can reach out, but can’t be reached from outside? ssh -D will forward a port to the inside of the network. Need to get data out? There’s the old standby iodine to route arbitrary data over DNS queries, but [Artem] says dnscat2 works without root permissions. (And this code does the same on an ESP8266.)

Once you’ve set up proxies inside, the tremendously useful proxychains will let you tunnel whatever you’d like across them. Python’s pty shell makes things easier to use, and tsh will get you a small shell on the inside, complete with file-transfer capabilities.

Again, this writeup is geared toward the pen-testing professional, but you might find any one of these tools useful in your own home network. We used to stream MP3s from home to work with some (ab)use of netcat and ssh. We keep our home IoT devices inside our own network, and launching reverse-proxies lets us check up on things from far away without permanently leaving the doors open. One hacker’s encrypted tunnel is another man’s VPN. Once you know the tools, you’ll find plenty of uses for them. What’s your favorite?

Thanks [nootrope] for the indirect tip!

From XP To 10, DoubleAgent Pwns All Your Windows?

March 22, 2017 by 39 Comments

The Cybellum team published a new 0-day technique for injecting code and maintaining persistency on a target computer, baptized DoubleAgent. This technique uses a feature that all Windows versions since XP provide, that allows for an Application Verifier Provider DLL to be installed for any executable. The verifier-provider DLL is just a DLL that is loaded into the process and is supposedly responsible for performing run-time verifications for the application. However, its internal behaviour can be whatever an attacker wants, since he can provide the DLL himself.

Microsoft describes it as:

Application Verifier is a runtime verification tool for unmanaged code. Application Verifier assists developers in quickly finding subtle programming errors that can be extremely difficult to identify with normal application testing. Using Application Verifier in Visual Studio makes it easier to create reliable applications by identifying errors caused by heap corruption, incorrect handle and critical section usage. (…)

The code injection occurs extremely early during the victim’s process initialization, giving the attacker full control over the process and no way for the process to actually detect what’s going on. Once a DLL has been registered as a verifier provider DLL for a process, it would permanently be injected by the Windows Loader into the process every time the process starts, even after reboots, updates, reinstalls, or patches.

So it’s all over for Windows right? Well… no. The thing is, to register this DLL, the registered process has to have administrator rights so it can write the proper key to the Windows Registry. Without these permissions, there is no way for this attack to work. You know, the kind of permissions that allow you to install software for all users or format your own hard-drive. So, although this technique has its merit and can present challenges to processes that absolutely must maintain their integrity (such as the Cybellum team points out in the Anti-Virus software case), some other security flaw had to occur first so you can register this sort of ‘debugging DLL’.

If you already have administrator permissions you can do pretty much what you want, including DLL injection to fool anti-virus software. (Though it might be easy just to disable or remove it.)  This new tool has the advantage of being stealthy, but is a 0-day that requires root a 0-day?

[via The Hacker News]

Cheap Modules Upgrade Home Security System

March 19, 2017 by 6 Comments

[gw0udm] had an ancient monitored alarm system fitted to their home, and decided it was time to upgrade to something a little more modern. They chose a system from Texecom, but when it came time to hook it up to their computer, they were alarmed at the costs – £40 for what amounted to a USB-to-Serial cable! There were other overpriced modules too. But [gw0udm] wanted to upgrade, so it was time to hack the system.

The first step was grabbing a £4 USB-to-Serial board and wiring it up – a simple job for the skilled hacker.  As we always say – everything speaks serial. [gw0udm] then set their sights higher – they wanted the Ethernet interface but weren’t about to cough up the coin. After some research, it was determined that a Raspberry Pi could be used with a utility called ser2net with the existing serial interface to do pretty much the same job. It was a simple matter of figuring out the parity and messaging format to get things up and running.

From there, the project moves on to tackling the creation of a GSM module for monitoring in the absence of a local network, and on flashing the firmware of the system itself. It’s great to see a project continually grow and expand the functionality of a product over time.

We see a lot of security systems here at Hackaday – high prices and proprietary hardware tend to inspire the hacker spirit. Check out this reverse engineering of an obsolete 1980s system, resplendent with Eurostile font.

Paramotoring For The Paranoid: Google’s AI And Relationship Mining

March 10, 2017 by 116 Comments

My son approached me the other day with his best 17-year-old sales pitch: “Dad, I need a bucket of cash!” Given that I was elbow deep in suds doing the dishes he neglected to do the night before, I mentioned that it was a singularly bad time for him to ask for anything.

Never one to be dissuaded, he plunged ahead with the reason for the funding request. He had stumbled upon a series of YouTube videos about paramotoring, and it was love at first sight for him. He waxed eloquent about how cool it would be to strap a big fan to his back and soar with the birds on a nylon parasail wing. It was actually a pretty good pitch, complete with an exposition on the father-son bonding opportunities paramotoring presented. He kind of reminded me of the twelve-year-old version of myself trying to convince my dad to spend $600 on something called a “TRS-80” that I’d surely perish if I didn’t get.

Needless to say, the $2500 he needed for the opportunity to break his neck was not forthcoming. But what happened the next day kind of blew my mind. As I was reviewing my YouTube feed, there among the [Abom79] and [AvE] videos I normally find in my “Recommended” queue was a video about – paramotoring. Now how did that get there?

Continue reading “Paramotoring For The Paranoid: Google’s AI And Relationship Mining”