Anyone who worked in the tech field and lived through the Y2K bug era will no doubt recall it as a time seasoned with a confusing mix of fear and optimism and tempered with a healthy dose of panic, as companies rushed to validate that systems would pass the rollover of the millennium without crashing, and to remediate systems that would. The era could well have been called “the COBOL programmers’ full-employment bug,” as the coders who had built these legacy systems were pulled out of retirement to fix them. Twenty years on and a different bug, the one that causes COVID-19, is having a similarly stimulative effect on the COBOL programmer market. New Jersey is one state seeking COBOL coders to deal with the crush of unemployment insurance claims, which are killing the 40-year-old mainframe systems the state’s programs run on. Interestingly, Governor Phil Murphy has only put out a call for volunteers, and will apparently not compensate COBOL coders for their time. I mean, I know people are bored at home and all, but good luck with that.
In another throwback to an earlier time, “The Worm” is back. NASA has decided to revive its “worm” logo, the simple block letter logo that replaced the 50s-era “Meatball” logo, the one with the red chevron bracketing a starfield with an orbiting satellite. NASA switched to the worm, named for the sinuous shape of the letters and which honestly looks like a graphic design student’s last-minute homework assignment, in the 1970s, keeping it in service through the early 1990s when the meatball was favored again. Now it looks like both logos will see service as NASA prepares to return Americans to space on their own launch vehicles.
Looking for a little help advancing the state of your pandemic-related project? A lot of manufacturers are trying to help out as best they can, and many are offering freebies to keep you in the game. Aisler, for one, is offering free PCBs and stencils for COVID-19 prototypes. It looks like their rules are pretty liberal; any free and open-source project that can help with the pandemic in any way qualifies. Hats off to Aisler for doing their part.
And finally, history appears to have been made this week in the amateur radio world when the first direct transatlantic contact on the 70-cm band was made. It seems strange to think that it would take 120 years since transatlantic radio was reduced to practice by the likes of Marconi for this accomplishment to occur, but the 70-cm band is usually limited to line of sight, and transatlantic contacts at 430 MHz are usually done using a satellite as a relay. The contact was between stations FG8OJ on Guadeloupe in the Caribbean, who was involved in an earlier, similar record on the 2-meter band, and D4VHF on the Cape Verde Islands off the coast of Africa, and used the digital mode FT8. The 3,867-km contact was likely due to tropospheric ducting, where layers in the atmosphere form a refractive tunnel that can carry VHF and UHF signals much, much further than they usually go. While we’d love to see that record stretched a little more on each end, to make a truly transcontinental contact, it’s still quite an accomplishment, and we congratulate the hams involved.
Researchers from Exodus Intel recently published details on a flaw that exists in several Broadcom WiFi chipsets. It’s estimated to affect nearly 1 billion devices, from Android to iPhone. Just to name a few at the top of the list:
1. Samsung Galaxy from S3 through S8, inclusive
2. All Samsung Notes
3. Nexus 5, 6, 6X and 6P
4. All iPhones after iPhone 5
So how did this happen? And how does a bug affect so many different devices?
A smartphone nowadays is a very complicated mesh of interconnected chips. Besides the main processor, there are several other secondary processors handling specialized tasks which would otherwise clog up the main CPU. One of those is the WiFi chipset, which is responsible for WiFi radio communications, handling the PHY, MAC and MLME layers. When all the processing is complete, the radio chipset hands data packets over to the kernel driver, which runs on the main CPU. This means that the radio chipset itself has to have considerable data processing power to handle all this work. Alas, with great power comes great responsibility.
Friday saw what looked like the most dangerous ransomware infection to date. The infection, known as WannaCry, was closing down vital hospital IT systems across the UK, canceling major operations and putting lives at risk.
It spread further around the world and almost became a global pandemic. Although infected machines are still encrypted, with the malware demanding Bitcoin, one security blogger [MalwareTech] halted the ransomware by accident. As he was analyzing the code he noticed that the malware kept trying to connect to an unregistered domain name, “iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com”. So he decided to register the domain to see if he could get some analytics or any information the worm was trying to send home. Instead, much to his surprise, this halted the spread of the ransomware. Originally he thought this was some kind of kill switch, but after further analysis it became clear that this was a test hard-coded into the malware which was supposed to detect whether it was running in a virtual machine. So by registering the domain name, the ransomware has stopped spreading, as it thinks the internet is a giant virtual machine.
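The domain check described above is also a useful detection signal for defenders: any host on your network that looks up that domain is a host where the malware has started running. The following is an added example (not code from the original post or from [MalwareTech]) that scans resolver logs for lookups of the kill-switch domain and counts them per client. The log format, the client addresses and the timestamps are constructed for the example; only the domain name comes from the write-up.

```python
import re
from collections import Counter

# Kill-switch domain quoted in the write-up above (the one [MalwareTech] registered).
KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Constructed sample resolver log lines in a hypothetical format:
#   <timestamp> <client IP> <record type> <queried name>
# These are not real captured traffic; they exist only to exercise the parser.
SAMPLE_DNS_LOG = """\
2017-05-12T13:04:11Z 10.0.0.23 A iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.
2017-05-12T13:04:12Z 10.0.0.23 A windowsupdate.microsoft.com.
2017-05-12T13:04:15Z 10.0.0.57 A IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM
2017-05-12T13:04:19Z 10.0.0.23 A iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.
2017-05-12T13:04:22Z 10.0.0.90 AAAA example.org.
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<rtype>\S+)\s+(?P<name>\S+)$")


def normalize_name(name: str) -> str:
    """Lower-case and strip the trailing dot so 'Example.COM.' and 'example.com' compare equal."""
    return name.rstrip(".").lower()


def parse_dns_log(text: str):
    """Yield (timestamp, client_ip, record_type, normalized_name) for each well-formed line.

    Malformed lines are skipped rather than raising, so a single odd log entry
    does not abort a scan of a large file.
    """
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ts"], m["client"], m["rtype"], normalize_name(m["name"])


def find_kill_switch_lookups(text: str, domain: str = KILL_SWITCH_DOMAIN):
    """Return (timestamp, client_ip) for every query of the kill-switch domain, in log order."""
    wanted = normalize_name(domain)
    return [(ts, client) for ts, client, _rtype, name in parse_dns_log(text) if name == wanted]


def hosts_by_lookup_count(text: str, domain: str = KILL_SWITCH_DOMAIN) -> Counter:
    """Count kill-switch lookups per client; every host listed is one to isolate and check."""
    return Counter(client for _ts, client in find_kill_switch_lookups(text, domain))


if __name__ == "__main__":
    for ts, client in find_kill_switch_lookups(SAMPLE_DNS_LOG):
        print(f"{ts} {client} queried the WannaCry kill-switch domain")
    print(dict(hosts_by_lookup_count(SAMPLE_DNS_LOG)))
```

One caveat follows directly from the mechanism the post describes: the malware stops only when its connection to the domain succeeds. Blocking the domain on a firewall or proxy, as a reflex response to an indicator, makes the connection fail and so removes the very condition that halts it; log and alert on the lookups, but leave the resolution and the connection alone.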
Why Was the UK’s NHS Hit So Badly?
According to the [BBC], information obtained by software firm Citrix under Freedom of Information laws in December suggests up to 90% of NHS trusts were still using Windows XP; however, NHS Digital says it is a “much smaller number”. Microsoft has rolled out a free security update to Windows XP, Windows 8, and Windows Server 2003 “to protect their customers”. There was much warning about XP no longer receiving updates, etc. The 2001 operating system just needs to die, but so many programs, especially embedded devices, rely on the fact that the OS running is Windows XP. This is a problem that needs sorting sooner rather than later. There are still obvious problems facing the NHS, as all outpatient appointments have been canceled at London’s Barts Health NHS Trust, which happens to be the largest in the country. However, [Amber Rudd], Home Secretary, said 97% of NHS trusts were “working as normal” and there was no evidence patient data was affected. Let’s just hope they update their systems and get back to fixing people as soon as they can.
Where Else Was Hit?
There were quite a few other places hit as well as the UK’s NHS, including the Sunderland Nissan plant, also in the UK, and Spanish telecoms giant Telefonica, along with some gas companies in Spain. In the US, FedEx was affected, and France has seen production in some of its Renault factories halted. Finally, Russia reported 1000 governmental computer systems had been hit.
So is this the end for ransomware?
No. This infection was stopped by accident; the infected are either still infected or have paid up. Had the authors not included the sloppy code in the first place, who knows what would have happened. Microsoft had rolled out patches, but some people, organizations and governments are lazy and don’t bother to apply them. Keep your computers up to date. Good luck, because we think we will be seeing a lot more ransomware in the coming years.
[Update: WannaCry v2.0 has been released without the “kill switch”. We wonder what will happen now. Probably not a lot, as the media attention has been quite intense, so it may not be that big an infection; however, there are always a few who live in the land where news doesn’t exist and will go along with their day until BAM! Ransomware installed and pockets emptied.]
[Symantec] reports that Hajime seems to be a white-hat worm that spreads over telnet in order to secure IoT devices instead of actually doing anything malicious.
[Brian Benchoff] wrote a great article about the Hajime worm just as the story broke when it was first discovered back in October last year. At the time, it looked like the beginnings of a malicious IoT botnet out to cause some DDoS trouble. In a crazy turn of events, it now seems that the worm is actually securing devices affected by another major IoT botnet, dubbed Mirai, which has been launching DDoS attacks. More recently a new Mirai variant has been launching application-layer attacks since its source code was uploaded to a GitHub account and adapted.
Hajime is a much more complex botnet than Mirai, as it is controlled peer-to-peer, propagating commands through infected devices, whilst the latter uses hard-coded addresses for the command and control of the botnet. Hajime can also cloak itself better, managing to hide itself from the running process list and hide its files on the device.
The author can open a shell script to any infected machine in the network at any time, and the code is modular, so new capabilities can be added on the fly. It is apparent from the code that a fair amount of development time went into designing this worm.
So where is this all going? So far this is beginning to look like a cyber battle of Good vs Evil. Or it’s a turf war between rival cyber-mafias. Only time will tell.
We’ve been waiting for this one. A worm was written for the Internet-connected Arduino Yun that gets in through a memory corruption exploit in the ATmega32u4 that’s used as the serial bridge. The paper (as PDF) is a bit technical, but if you’re interested, it’s a great read. (Edit: The link went dead. Here is our local copy.)
The crux of the hack is getting the AVR to run out of RAM, which more than a few of us have done accidentally from time to time. Here, the hackers write more and more data into memory until they end up writing into the heap, where data that’s used to control the program lives. Writing a worm for the AVR isn’t as easy as it was in the 1990s on PCs, because a lot of the code that you’d like to run is in flash, and thus immutable. However, if you know where enough functions are located in flash, you can just use what’s there. These kinds of return-oriented programming (ROP) tricks were enough for the researchers to write a worm.
In the end, the worm is persistent, can spread from Yun to Yun, and can do most everything that you’d love/hate a worm to do. In security, we all know that a chain is only as strong as its weakest link, and here the attack isn’t against the OpenWRT Linux system running on the big chip, but rather against the small AVR chip playing a support role. Because the AVR is completely trusted by the Linux system, once you’ve got that, you’ve won.
Will this amount to anything in practice? Probably not. There are tons of systems out there with much more easily accessed vulnerabilities: hard-coded passwords and poor encryption protocols. Attacking all the Yuns in the world wouldn’t be worth one’s time. It’s a very cool proof of concept, and in our opinion, that’s even better.
Around the beginning of October, news of an IoT botnet came forward, turning IP webcams around the world into a DDoS machine. Rapidity Networks took an interest in this worm, and set out a few honeypots in the hopes of discovering what makes it tick.
Looking closely at the data, there was evidence of a second botnet that was significantly more sophisticated. Right now, they’re calling this worm Hajime.
With more and more research in the field of autonomous robotics, new methods of locomotion are coming on the scene at a rapid pace. Forget wheels and tracks, forget bi-, quad-, hexa- and octopods, and forget fancy rolling BB-8 clones. If you want to get a mini robot moving, maybe you should teach it to do the worm.
Neither the Gizmodo article nor the abstract of [David Zarrouk]’s paper gives too many details on the construction of this vermiform robot, but there are some clues to be gleaned from the video below. At the 1:41 mark we see the secret of the design: a long corkscrew in the center of the 3D-printed linkages.