Hackaday Links: April 5, 2020

Git is powerful, but with great power comes the ability to really bork things up. When you find yourself looking at an inscrutable error message after an ill-advised late-night commit, it can be a maximum pucker-factor moment, and keeping a clear enough head to fix the problem can be challenging. A little proactive social engineering may be in order, which is why Jonathan Bisson wrote git-undo, a simple shell script that displays the most common un-borking commands he’s likely to need. There are other ways to prompt yourself through Git emergencies, like Oh Shit, Git (or for the scatologically sensitive, Dangit Git), but git-undo has the advantage of working without an Internet connection.

Suddenly find yourself with a bunch of time on your hands and nothing to challenge your skills? Why not try to write a program in a single Tweet? The brainchild of Dominic Pajak, the BBC Micro Bot Twitter account accepts tweets and attempts to run them as BASIC programs on a BBC Microcomputer emulator, replying with the results of the program. It would seem that 280 characters would make it difficult to do anything interesting, but check out some of the results. Most are graphic displays, some animated, and with an unsurprising number of nods to 1980s pop culture. Some are truly impressive, though, like Conway’s Game of Life written by none other than Eben Upton.

The COVID-19 pandemic is causing all sorts of cultural shifts, but we didn’t expect to see much change in the culture of a community that’s been notoriously resistant to change for over a century: amateur radio. One of the most basic facts of life in the amateur radio world is that you need a license to participate, with governments regulating the process. But as a response to the pandemic, Spain has temporarily lifted licensing requirements for amateur radio operators. Normally, an unlicensed person is only allowed to operate on amateur bands under the direct supervision of a licensed amateur. The rules change allows unlicensed operators to use a station without supervision and is intended to give schoolchildren trapped at home an educational experience. In another change, some countries are allowing special callsign suffixes, like “STAYHOME,” to raise awareness during the pandemic. And the boom in interest in amateur radio since the pandemic started is remarkable; unfortunately, finding a way to take your test in a socially distant world is quite a trick. Our friend Josh Nass (KI6NAZ) has some thoughts about testing under these conditions that you might find interesting.

And finally, life goes on during all this societal disruption, and every new life deserves to be celebrated. And when Lauren Devinck made her appearance last month, her proud parents decided to send out unique birth announcement cards with a printed circuit board feature. The board is decorative, not functional, but adds a distinctive look to the card. The process of getting the boards printed was non-trivial; it turns out that free-form script won’t pass most design rule tests, and that panelizing them required making some compromises. We think the finished product is classy, but can’t help but think that a functional board would have really made a statement. Regardless, we welcome Lauren and congratulate her proud parents.

Tweet Your BBC Basic Code To The Cloud

From the “things we like, but can’t explain why file” comes the BBC-Micro-bot twitter robot. BBC Basic was a staple in the UK and if you tweet a BBC Basic program to @bbcmicrobot you’ll get a reply with a 30 second video of your program being emulated in all its glory.

As you can see in the above tweet, the code can get a bit terse, but if you look at the bot’s feed you can find some more legible examples. As the author, [@Dominic Pajak] said:

You might want to use fewer and smaller line numbers, fewer spaces and check out the minimum abbreviations for BBC BASIC keywords to achieve this.

This Week In Security: Mass iPhone Compromise, More VPN Vulns, Telegram Leaking Data, And The Hack Of @Jack

In a very mobile-centric installment, we’re starting with the story of a long-running iPhone exploitation campaign. It’s being reported that this campaign was being run by the Chinese government. Attack attribution is decidedly non-trivial, so let’s be cautious and say that these attacks were probably Chinese operations.

In any case, Google’s Project Zero was the first to notice and disclose the malicious sites and attacks. There were five separate vulnerability chains, targeting iOS versions 10 through 12, with at least one previously unknown 0-day vulnerability in use. The Project Zero write-up is particularly detailed, and really documents the exploits.

The payload as investigated by Project Zero doesn’t permanently install any malware on the device, so if you suspect you could have been compromised, a reboot is sufficient to clear your device.

This attack is novel in how sophisticated it is, while simultaneously being almost entirely non-targeted. The malicious code would run on the device of any iOS user who visited the hosting site. The 0-day vulnerability used in this attack would have a potential value of over a million dollars, and these high value attacks have historically been more targeted against similarly high-value targets. While the websites used in the attack have not been disclosed, the sites themselves were apparently targeted at certain ethnic and religious groups inside China.

Once a device was infected, the payload would upload photos, messages, contacts, and even live GPS information to the command & control infrastructure. It also seems that Android and Windows devices were similarly targeted in the same attack.

Telegram Leaking Phone Numbers

Telegram, best known for encrypted messages, also allows for anonymous communication. Protesters in Hong Kong are using that feature to organize anonymously, through Telegram’s public group messaging. However, a data leak was recently discovered, exposing the phone numbers of members of these public groups. As you can imagine, protesters very much want to avoid being personally identified. The leak stems from a feature: Telegram wants to automatically connect you to other Telegram users whom you already know.

By default, your number is only visible to people who you’ve added to your address book as contacts.

Telegram is based on telephone numbers. When a new user creates an account, they are prompted to upload their contact list. If one of the uploaded contacts has a number already in the Telegram system, those accounts are automatically connected, causing the telephone numbers to become visible to each other. See the problem? An attacker can load a device with several thousand phone numbers, connect it to the Telegram system, and enter one of the target groups. If there is a collision between the pre-loaded contacts and the members of the group, the number is outed. With sufficient resources, this attack could even be automated, allowing for a very large information gathering campaign.

In this case, it seems such a campaign was carried out, targeting the Hong Kong protesters. One can’t help but think of the first story we covered, and wonder if the contact data from compromised devices was used to partially seed the search pool for this effort.

The Hack of @Jack

You may have seen that Twitter’s CEO, Jack [@Jack] Dorsey’s Twitter account was hacked, and a series of unsavory tweets were sent from that account. This seems to be a continuing campaign by [chucklingSquad], who have also targeted other high profile accounts. How did they manage to bypass two factor authentication and a strong password? Cloudhopper. Acquired by Twitter in 2010, Cloudhopper is the service that automatically posts a user’s SMS messages to Twitter.

Rather than a username and password, or a security token, the user is secured only by their cell phone number. Enter the port-out and SIM-swap scams. These are two similar techniques that can be used to steal a phone number. The port-out scam takes advantage of the legal requirement that phone numbers be portable between carriers: the attacker claims to be switching to a new carrier and takes the number along. In a SIM-swap scam, the attacker instead convinces the existing carrier that he or she is switching to a new phone and a new SIM card. It’s not clear which technique was used, but I suspect a port-out scam, as Dorsey hadn’t gotten his cell number back after several days, while a SIM swap scam can be resolved much more quickly.

Google’s Bug Bounty Expanded

In more positive news, Google has announced the expansion of their bounty programs. In effect, Google is now funding bug bounties for the most popular apps on the Play store, in addition to Google’s own code. This seems like a ripe opportunity for aspiring researchers, so go pick an app with over 100 million downloads, and dive in.

By an odd coincidence, 100 million is approximately the number of downloads CamScanner had when it was pulled from the Play store for malicious behavior. This seems to have been caused by a third party advertisement library.

Updates

Last week we talked about Devcore and their VPN Appliance research work. Since then, they have released part 3 of their report. Pulse Secure’s vulnerabilities aren’t nearly as easy to exploit, but the Devcore team did find a pre-authentication vulnerability that allowed reading arbitrary data off the device filesystem. As a victory lap, they compromised one of Twitter’s vulnerable devices, reported it to Twitter’s bug bounty program, and took home the highest tier reward for their trouble.

Be On Twitter Without Being On Twitter

Social media can connect us to a vibrant worldwide community, but it is also a huge time sink, as it preys on both our need for attention and our insatiable curiosity. Kept on a leash by those constant notification sounds, we can easily look up from our phones to find half a day has gone and we’re behind with our work. [Laura Lytle] has a plan to tackle this problem: her OutBox project is a single-button-press machine that posts a picture to Twitter of whatever is put in it. It’s not just another gateway to social media addiction though; she tells us it follows Design For Disuse principles, in which it must be powered up and adjusted for each picture, and it provides no feedback to satisfy the social media craving.

Under the hood of the laser-cut housing, reminiscent of an older hobby 3D printer, is a Raspberry Pi 3 Model A+ and a webcam, with a ring of LEDs for illumination. On top is the only interface: a small “arm” button to set things up and a big red arcade button to do the business. The software is in Python, and provides glue between resizing the photo, uploading it to a cloud service, and triggering IFTTT to do the Tweeting. You can see the whole thing in the video below, and the result is a rather eye-catching device.

Of course, there are other ways to keep yourself off social media.

Tweetbot Expresses Twitter Emotions

When reading textual communications, it can be difficult to accurately ascertain emotional intent. Individual humans can be better or worse at this, with sometimes hilarious results when it goes wrong. Regardless, there’s nothing a human can do that a machine won’t eventually do better. For just this purpose, Tweetbot is here to emotionally react to Twitter so you don’t have to.

The ‘bot receives tweets over a bluetooth link, handled by a PIC32, which also displays them on a small TFT screen. The PIC then analyses the tweet for emotional content before sending the result to a second PIC32, which displays emotes on a second TFT screen, creating the robot’s face. Varying LEDs are also flashed depending on the emotion detected – green for positive emotions, yellow for sadness, and red for anger.

The final bot is capable of demonstrating 8 unique emotional states, far exceeding the typical Facebook commenter who can only express unbridled outrage. With the ‘bot packing displays, multiple microcontrollers, and even motor drives, we imagine the team learned a great deal in the development of the project.

The project was the product of [Bruce Land]’s ECE 4760 course, which has shown us plenty of great hacks in the past – Bike Sonar being one of our favorites. Video after the break.

Shakespeare In A Zip In A RAR, Hidden In An Image On Twitter

Steganography involves hiding data in something else — for example, encoding data in a picture. [David Buchanan] used polyglot files not to hide data, but to send a large amount of data in a single Twitter post. We don’t think it quite qualifies as steganography because the image has a giant red UNZIP ME printed across it. But without it, you might not think to run a JPG image through your unzip program. If you did, though, you’d wind up with a bunch of RAR files that you could unrar and get the complete works of the Immortal Bard in a single Tweet. You can also find the source code — where else — on Twitter as another image.

What’s a polyglot file? JPEG images have an ICC (International Color Consortium) section that defines color profiles. While Twitter strips a lot of things out of images, it doesn’t take out the ICC section. However, the ICC section can contain almost anything, in pieces of up to 64 kB each, up to a limit of 16 MB total.

The ZIP format is also very flexible. The pointer to the central directory is at the end of the file. Since that pointer can point anywhere, it is trivial to create a zip file with extraneous data just about anywhere in the file.
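As an added illustration of the ZIP side of this trick (this is not [David Buchanan]’s code, and it is a simplification: it appends the archive after a constructed JPEG-style header rather than tucking it into an ICC segment), the script below builds a JPEG/ZIP polyglot, walks the file backwards to the end-of-central-directory record the way an unzip tool does, and reports how many bytes of foreign data sit in front of the archive. That same check is what a content scanner would use to flag an “image” upload that is also an archive. The JPEG_PREFIX bytes and the find_eocd, zip_start and classify helpers are constructed for this example.

```python
import io
import struct
import zipfile
from typing import Dict, List, Optional, Tuple

# Constructed JPEG-style header: SOI marker plus a minimal JFIF APP0 segment. A real
# image would continue with tables and scan data; the FF D8 FF signature is what
# magic-number checks and image viewers key on, and that is all this example needs.
JPEG_PREFIX = (
    b"\xff\xd8\xff\xe0" + struct.pack(">H", 16)
    + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
)

EOCD_SIG = b"PK\x05\x06"
# End-of-central-directory record: signature, this disk, CD start disk, CD entries on
# this disk, CD entries total, CD size, CD offset, comment length (22 bytes in total).
EOCD_FMT = "<4sHHHHIIH"
EOCD_LEN = struct.calcsize(EOCD_FMT)
MAX_COMMENT = 0xFFFF


def build_zip(files: Dict[str, bytes]) -> bytes:
    """Write an ordinary ZIP archive to memory (stored, not compressed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, payload in files.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def find_eocd(data: bytes) -> Optional[Tuple[int, int, int, int]]:
    """Scan backwards for the EOCD record, as unzip tools do.

    The record sits at the very end of the file, after an optional comment of up
    to 65535 bytes, so the search window is the last 22 + 65535 bytes. Returns
    (eocd_offset, total_entries, cd_size, cd_offset) or None.
    """
    window = max(0, len(data) - EOCD_LEN - MAX_COMMENT)
    pos = data.rfind(EOCD_SIG, window)
    while pos != -1:
        if pos + EOCD_LEN <= len(data):
            _, _, _, _, total, cd_size, cd_offset, comment_len = struct.unpack(
                EOCD_FMT, data[pos:pos + EOCD_LEN]
            )
            # A genuine EOCD is followed only by its comment, nothing else.
            if pos + EOCD_LEN + comment_len == len(data):
                return pos, total, cd_size, cd_offset
        pos = data.rfind(EOCD_SIG, window, pos)
    return None


def zip_start(data: bytes) -> Optional[int]:
    """Offset at which the archive really begins.

    cd_offset is relative to the start of the archive, not the file, so any
    foreign bytes in front of the archive show up as the difference between
    where the central directory actually is and where the EOCD says it is.
    """
    found = find_eocd(data)
    if found is None:
        return None
    eocd_pos, _, cd_size, cd_offset = found
    return eocd_pos - cd_size - cd_offset


def classify(data: bytes) -> Dict[str, object]:
    """Flag a blob that carries both a JPEG signature and a parseable ZIP tail."""
    looks_jpeg = data[:3] == b"\xff\xd8\xff"
    found = find_eocd(data)
    return {
        "jpeg_signature": looks_jpeg,
        "zip_eocd": found is not None,
        "zip_entries": found[1] if found else 0,
        "leading_foreign_bytes": zip_start(data) if found else None,
        "polyglot": looks_jpeg and found is not None,
    }


def list_entries(data: bytes) -> List[str]:
    """Python's zipfile tolerates leading data too, just like unzip does."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


if __name__ == "__main__":
    archive = build_zip({"sonnet18.txt": b"Shall I compare thee to a summer's day?\n"})
    polyglot = JPEG_PREFIX + archive
    print(classify(archive))
    print(classify(polyglot))
    print(list_entries(polyglot))
```

The strict comment-length check in find_eocd is deliberate: it is the difference between “this file happens to contain PK\x05\x06 somewhere” and “an unzip tool will actually open this”, which is the question a scanner needs answered.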

CD Image Via Twitter: A Handcrafted Game Disc

Humans can turn anything into a competition. Someone always wants to be faster or drive a ball farther. Technical pursuits are no different, which is why a lot of people overclock or play regular expression golf. [Alok Menghrajani] sets himself some odd challenges. A few years ago, he hand-built a bootable floppy image that had a simple game onboard and managed to fit it in a Twitter message. Twitter has increased their number of characters, so — you guessed it — this time he’s back with a CDROM image.

His tweet is a command line that starts with perl. The text is base64-encoded binary, and if you run the Tweet from a shell — which is an odd thing to do with a Tweet, we grant you — you’ll be rewarded with a file called cd.iso. You could burn that to a CDROM, but it is more likely you’ll just mount it in a virtual machine and boot that. [Alok] says it does work in QEMU, VirtualBox, and — yes — even a real CD.
