wonder how to - null byteRetrieved title: Null Byte « WonderHowTo, 3 item(s)
You may be familiar with image-based or audio-based steganography, the art of hiding messages or code inside of pictures, but that's not the only way to conceal secret communications. With zero-width characters, we can use text-based steganography to stash hidden information inside of plain text, and we can even figure out who's leaking documents online. Image- and audio-based steganography has been covered several times on Null Byte, which involves changing the least significant digit of individual pixels on a photo or audio file. While plain text characters don't have a least significant... more
Few things are more important than search engine optimization when it comes to increasing a brand's visibility online. Regardless of whether you're launching a new business from scratch or working as a marketing professional at a major corporation, you need to ensure that you're drawing the most people to your website and affiliate links by utilizing the latest and most powerful SEO tools and methods. SSEOZI is a groundbreaking SEO platform that makes it easier than ever to measure and improve your site's traffic using intuitive tools and graphics, and lifetime access is currently available... more
the hackers newsRetrieved title: The Hacker News, 3 item(s)
Apple recently paid Indian vulnerability researcher Bhavuk Jain a huge $100,000 bug bounty for reporting a highly critical vulnerability affecting its 'Sign in with Apple' system. The now-patched vulnerability could have allowed remote attackers to bypass authentication and take over targeted users' accounts on third-party services and apps that have been registered using 'Sign in with Apple'
Modern Intel and AMD processors are susceptible to a new form of side-channel attack that makes flush-based cache attacks resilient to system noise, newly published research shared with The Hacker News has revealed. The findings are from a paper "DABANGG: Time for Fearless Flush based Cache Attacks" published by a pair of researchers, Biswabandan Panda and Anish Saxena, from the Indian
Mitron (means "friends" in Hindi), you have been fooled again! Mitron is not really a 'Made in India' product, and the viral app contains a highly critical, unpatched vulnerability that could allow anyone to hack into any user account without requiring interaction from the targeted users or their passwords. I am sure many of you already know what TikTok is, and those still unaware, it's a
hackadayRetrieved title: Hackaday, 3 item(s)
We have headphones for your ears, and monitors for your eyes. Some computers even have tactile feedback. Now researchers have an output device for taste. The decidedly odd device uses five gels, one for each of the tastes humans can sense. If we understand the paper, the trick is that ionizing the gels inhibits the taste of that gel. By controlling the ionization level of each gel, you can synthesize any taste, just like you can make colors with three LEDs.
The five gels are made from agar and glycine (sweet), magnesium chloride (bitter), citric acid (acidic), salt (salty), and glutamic sodium (umami). If you didn’t learn about umami in school, that’s a savory taste likened to the taste of a broth or meat and often associated with monosodium glutamate.
The shape of the device is made like a sushi roll so that while the gels contact the tongue, a copper foil cathode can connect also. Using this will make you look even stranger than someone wearing Google Glass, but that’s the price of being on the cutting edge of technology, we suppose. There doesn’t seem to be any reason you couldn’t duplicate something like this, although we wonder about the hygiene of passing it around at parties. Maybe your next home movie could show a meal and let the viewer taste it too.
When building a new project, common wisdom suggests to avoid “reinventing the wheel”, or doing something simple from scratch that’s easily available already. However, if you can build a high-voltage wheel, so to speak, it might be fun just to see what happens. [Dan] decided to reinvent not the wheel, but the speaker, and instead of any conventional build he decided to make one with parts from a microwave and over 6,000 volts.
The circuit he constructed works essentially like a Tesla coil with a modulated audio signal as an input. The build uses the high voltage transformer from the microwave too, which steps the 240 V input up to around 6 kV. To modulate that kind of voltage, [Dan] sends the audio signal through a GU81M vacuum tube with the support of a fleet of high voltage capacitors. The antenna connected to the magnetron does tend to catch on fire somewhere in the middle of each song, so it’s not the safest device around even if the high voltage can be handled properly, but it does work better than expected as a speaker.
If you want a high-voltage speaker that (probably) won’t burn your house down, though, it might be best to stick to a typical Tesla coil. No promises though, since working with high voltages typically doesn’t come with safety guarantees.
Thanks to [David] for the tip!
There was a time when consumer electronics were statement items, designed to resemble quality furniture that would be shown off as a centerpiece of the home. Televisions in ornate wooden cabinets, or stereos looking for all the world like sideboards. [Zethus] had just such a huge record player and radio combo in a sideboard, and having little use for the cream of 1950s home entertainment technology, he rebuilt it as a concealed liquor cabinet with electronic controls and a much more modern stereo that forms part of a Logitech Media Server multi-room system.
After removing the tube-based radio chassis and Garrard jockey-wheel turntable it was time to gut their supporting woodwork and install the platform derived from a standing desk. With suitably impressive lighting and a pair of VFD displays for the music choice, there is the inevitable Raspberry Pi running the show. Control is achieved by a set of hidden capacitive buttons, and there’s a Web interface to allow both music and magical appearance of alcohol from the comfort of a smartphone. The whole can be seen in the video below the break.
Whenever a piece of vintage electronics is gutted in this way there will always be people who find it disquieting, but the truth is that these all-in-one stereos were made in huge quantities during the mid-century period and do not have a significant value. This one may have lost its original electronics, but it lives on safe from the dump that has claimed so many of its brethren. Happily this isn’t the first one we’ve seen saved with a Pi.
pen test partnersRetrieved title: Pen Test Partners, 3 item(s)
Six months ago the UK’s Glastonbury Town Council set up a 5g Advisory Committee to explore the safety of the technology, and last month the local paper reported their findings.
This statement is in their recommended measures report (page 31 of this PDF):
5G Bioshield https://5gbioshield.com/ We use this device and find it helpful.
We’re aware of people playing around with Shungite or setting up a ring of EMF shields to achieve this, but we’ve never seen someone saying it can be done with a USB stick.
We are not 5g specialists, nor are we health experts, but USB sticks are well within our skill-set.
We ordered three devices and set to it.
The stick comes in a velvety branded purple bag, with a lion logo.
It’s undoubtedly an interesting looking USB key, with an engraved ‘crystal’ holder and a circle on the metal unit. The engraved image appears only as a banner image on their website, we couldn’t find in any other of their marketing materials. We think it was probably made by Shenzen Tushi Technology Co. Ltd in China.
It also seems a lot like ones we’ve looked at from many online retailers:
When plugged in to our test machine we may have missed the bubble of “quantum holographic catalyzer technology” appearing.
The stick comes loaded with a 25 page PDF version of the material from 5GbioShield ‘s website. It included a Q&A of distances for the “bubble” and how to know if it is working. It’s an “always on” system apparently, is always working, powered or not, so no visual checks needed.
A review of the stick’s properties revealed nothing more that what you’d expect from a regular 128MB USB key. We weren’t even sure that 128s are still in production!
Usually with USB devices, one can look at the properties and it will list the manufacturer and extra information about the device. However, we found that all the default values remained. This is often an indication of cheap, unbranded devices.
Bus 003 Device 006: ID ffff:5678 Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 2.00 bDeviceClass 0 (Defined at Interface level) bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0xffff idProduct 0x5678 bcdDevice 2.00 iManufacturer 1 iProduct 2 iSerial 3 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 32 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 8 Mass Storage bInterfaceSubClass 6 SCSI bInterfaceProtocol 80 Bulk-Only iInterface 0
So far the stick appeared to be an average USB key, but once again 5GbioShield came to the rescue with an explanation:
As everyone is fully aware it is a USB key, we needed to tear the device down to see what else is within the casing.
First, we managed to pull the device off the crystal, which showed nothing other than an LED at the end of the stick, the same as the other ‘crystal’ USB keys we found made in Shenzen. There were no additional components or any connections.
The circular area on the main casing looked like it might be where the “quantum holographic catalyzer technology” transmitter might be. Carefully taking that off, not to damage the key components and, with crushing disappointment, it looked exactly like a regular sticker.
Now we cannot say this sticker does not have additional functionality unused anywhere else in the world, but we are confident you can make up your own mind on that.
Digging further into the device, there appeared to be no electrical or other connections between the device and the “sticker” and also no additional components other than the USB stick.
Here’s the back of the USB board with the serial number enhanced for reference:
In our opinion the 5G Bioshield is nothing more than a £5 USB key with a sticker on it. Whether or not the sticker provides £300 pounds worth of quantum holographic catalyzer technology we’ll leave you to decide.
We do not believe this product should be promoted by publicly-funded bodies until a full, independent, peer-reviewed scientific study has been undertaken on its effectiveness. We think trading standards bodies should investigate this product.
Contrary to alarmist stories in the press, it really isn’t practically possible to hack an airplane from the in-flight entertainment system (IFE/IFEC). The ‘C’ adds Connectivity, so internet access
Whilst earlier moving map systems did take a feed from the flight management system, particularly so prior to widespread adoption of GPS when we relied instead on inertial reference systems, there has been a one-way data diode in place on that connection for a long time.
That feed would report position, speed, altitude etc, populating the map so that passengers could see how many movies they still had time to watch.
You’ll be familiar with the ‘box’ under the seat that feeds the IFE screens. We have a couple here; they’re older versions and are simply a 386 PC.
More recently, you’ve probably seen Android based IFE screens, evident from the navigation buttons. These offer potential for significant weight saving as the under-seat box starts to become unnecessary.
So, if the Aircraft Control Domain (ACD – the flight controls) can’t be hacked from the IFE, why does everyone get animated about IFE security?
Primarily to stop passengers getting panicked!
Consider the following scenarios
All the IFE screens pop up with scary messaging, indicating that the plane has been hacked and will shortly crash
The moving map misreports its position whilst in cloud and shows the plane descending directly towards an iconic landmark
A ‘breaking news’ report is broadcast, indicating that the flight has been hijacked
At the least these incidents would be very unsettling for passengers. At worst, they might lead to an airborne riot as passengers attempt to break in to the cockpit in the belief that they are trying to ‘save’ a flight crew overpowered by hijackers.
Would reassuring words from the captain over the cabin PA placate anyone? I doubt it.
Would turning off the IFE simply appear even more alarming?
Alarmist, possibly misleading, media coverage would also likely do further damage to the industry. ‘Airplane hacked’ is a tough story to correct, even when the truth is that only the IFE was tampered with & there was no risk to the ACD.
So that’s one good reason why the security of in flight entertainment systems is important.
There are other good reasons too:
Internet access in flight is becoming more widespread. It’s rarely free of charge, certainly in economy/coach seating, so becomes a useful revenue stream for airlines.
Billing is typically handled by credit card, so there’s another good reason for the IFE to be secure. Placing keyloggers or other card-data related malware in to the IFE could be an interesting way of scraping card numbers for fraud.
Tampering with the system to gain increased bandwidth or avoid payment isn’t uncommon where internet access is metered/payable. Expect to see attempts to bypass payment systems.
Whilst satellite terminals on board are one of the few places where IFE and ACD/PIESD networks touch, they are very carefully segregated. ARINC 821 describes the requirements for segregation. However, defence in depth principles are wise here: why let the attacker bypass a layer of defence, so it’s worth keeping the IFE secure from attack.
Losing the IFE system through a hack in flight is also very irritating for passengers and crew alike. On long haul flights, complaints will be significant, often resulting in partial refunds or frequent flyer miles being issued to compensate customers for the lack of IFE. Whilst modern IFE systems are pretty robust and secure, it’s harder to defend against an airborne DoS of the network. Do we really expect an airplane to have on-board DoS mitigation?
Finally, it would be very disturbing if streamed content was tampered with. Even if not alarmist messaging, streaming unsavoury content to all pax screens would cause reputational damage.
One of the biggest challenges will be detection of a non-visual incident. Obviously, tampering with displayed content will be very obvious and trigger an investigation on the ground, however a more subtle attack would be very tough to detect.
Logs would have to be downloaded and analysed after landing, well after the incident. That assumes that logging is even sufficiently capable to monitor security incidents and note indicators of compromise.
Whist there is discussion of a SIEM-style system for the ACD and AISD, I’m not aware of anything similar for the PIESD. There may be an opportunity there for a suitable solution.
Real time analysis is always going to be difficult though: should one even attempt to monitor airborne PIESD activity for rogue activity remotely?
IFE security is important, but not for the reasons you might expect.
Fortunately the major vendors in this space take security very seriously; modern in flight entertainment systems are rigorously tested.
However, older systems are not so robust. One of the big challenges is maintaining security of IFE systems that weren’t designed with today’s security approaches in mind. It’s not uncommon to see 8-10 year old IFEs in older fleets. Indeed, we worked on a recently-decommissioned short-haul airframe that had a S-VHS VCR for the video screens and a C90 cassette for cabin music. Not so easy to hack, that one!
Docker Desktop for Windows suffers from a privilege escalation vulnerability to SYSTEM. The core of the issue lies with the fact that the Docker Desktop Service, the primary Windows service for Docker, communicates as a client to child processes using named pipes.
The high privilege Docker Desktop Service can be tricked into connecting to a named pipe that has been setup by a malicious lower privilege process. Once the connection is made, the malicious process can then impersonate the Docker Desktop Service account (SYSTEM) and execute arbitrary system commands with the highest level privileges.
Here’s a video of the PoC in action:
The vulnerability has been assigned CVE-2020-11492 and the latest Docker Desktop Community and Enterprise have fixed the issue.
When Docker Desktop for Windows is installed, a Windows service called Docker Desktop Service is installed. This service is always running by default, waiting idly by for the Docker Desktop application to start.
Once the Docker Desktop application is started many other child processes are created, which allow the management of various Docker behaviours from docker image creation to watchdog processes.
Here’s a typical Docker Desktop process tree after launch:
When applications launch child processes, it is not uncommon to use Windows named pipes as a form of inter process communication (IPC). Like TCP/IP, named pipes offer the ability to send and receive data down the pipe with application specific data. Named pipes also work over the network too. But in Dockers case, it connects to named pipes on the same machine as a form of IPC between the child processes.
Now this is where it starts to get interesting. Named pipes have a unique feature that allow the server side of the connection to impersonate the client account who is connecting. Why does this exist? Well it’s quite simple. Many services that are running on Window are offering functionality to users of the machine, be it local or remote. The impersonation functionality allows the service to drop its credentials in favour of the connecting client. When files or other various restricted operating system functionality is requested, the action is performed under the impersonated account and not the service account that the process was launched under.
First Impressions are Important
Impersonation is not something any standard user account can perform, it’s a special privilege that must be assigned to accounts. The specific right is called “Impersonate a client after authentication” and is part of the User Rights Assignment item within Group Policy Editor.
Here is the list of accounts by default that have the impersonate privileges enabled.
• Local Service
• Network Service
• IIS AppPool Account
• Microsoft SQL Server Account
Many of the accounts above are designed to be limited accounts with minimal privileges, for example Network Service has very little access to a machine’s resources. Same goes for the IIS AppPool accounts, these are usually used when serving applications from IIS web apps. The last one is the most interesting though. This is what the description in Group Policy Editor has for the built-in Service group.
Note: By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started.
Yes, you have read that correctly. Anything started by the Service Control Manager will automatically get the impersonation privilege, no matter which account is used to start the service.
Impersonate the Dockmaster
OK, back to Docker. As mentioned above, when the Docker Desktop app starts, it spawns a bunch of child processes. When these are launched the main Docker service is expecting the child processes to create the named pipes for IPC purposes. The high privilege service will then connect to these named pipes as the client and is not serving them. So, if a malicious piece of code can execute under the context of a process with impersonate privileges, it can setup a pipe called \\.\pipe\dockerLifecycleServer and wait for it to connect.
The PoC waiting for connection:
OK I hear some of the sceptical out there: “But you need Administrator rights to create such a service”. Well let’s say you happen to be hosting a vulnerable IIS Web Application on the same machine as Docker for Windows. This could be one example of a successful attack vector. The initial attack vector could utilise a vulnerability in the web application to perform code execution under the limited IIS App Pool account. Once that is achieved, our special Docker named pipe can be setup to perform the privilege escalation to SYSTEM.
Stealing the Ship
Once the pipe is listening, it’s just a matter of waiting for Docker Desktop to be started and connect to our malicious pipe. Once docker is connected, we impersonate the connecting client, which is SYSTEM, and launch a new process using the CreateProcessWithTokenW API.
Command prompt launched as SYSTEM:
Disclosure and Fix
When initially disclosing, Docker denied that the vulnerability even existed. Their stance was that impersonation is a Windows feature and that we should speak to Microsoft.
Whilst impersonation is certainly a Windows feature, when developing SYSTEM services that use named pipes as a client, it’s the developer’s responsibility to ensure that impersonation is disabled if such a feature is not needed. Unfortunately, the default behaviour when opening a named pipe as a client is to enable impersonation, which means the behaviour is often missed and overlooked.
After a few emails back and forth, then finally submitting a working PoC, Docker did agree that it was a security vulnerability and as such have now issued a fix. When the Docker service process connects to the named pipes of spawned child processes it now uses the SecurityIdentification impersonation level. This will allow the server end of the pipe to get the identity and privileges of the client but not allow impersonation.
- 25th March 2020 – Details sent to Docker security team
- 25th March 2020 – Docker respond and do not consider it a security issue
- 26th March 2020 – Additional clarification sent to Docker to describe the risk
- 26th March 2020 – Docker respond suggesting we speak to Microsoft
- 26th March 2020 – Further clarification sent, describing Docker connecting as a named pipe client and not a server
- 26th March 2020 – Docker respond indicating that it will now be looked at by the development team
- 30th March 2020 – Requested a status update on whether Docker will be treating the report as a vulnerability
- 1st April 2020 – Docker respond, indicating that the report is still under discussion, but requested the PoC code. PoC code sent.
- 1st April 2020 – Docker attempt to run exploit using standard account without SeImpersonatePrivilege and indicate exploit failed.
- 1st April 2020 – Instructions sent on how to run the PoC with an account that has SeImpersonatePrivilege
- 1st April 2020 – Docker confirm it will be treated as a vulnerability
- 2nd April 2020 – Fixed pushed to Edge release of Docker and CVE-2020-11492 assigned
- 11th May 2020 – Docker release 184.108.40.206 which includes the fix for CVE-2020-11492
infosec writersRetrieved title: InfoSecWriters.com, 3 item(s)
Contributed by Andrew Price
The progression of wireless technology over the years has been steadily evolving, and with it, so has wireless hacking. The number of per user wireless devices is increasing every day, and most of these devices contain personal identifiable information (PII). The IEEE is responsible for the wireless standards (802.11) and setting the standards to secure the wireless medium. Since 1997 when wired equivalent privacy (WEP) was implemented, hackers have constantly identified vulnerabilities in wireless security technologies. With new security technologies being released, hackers consistently find new vulnerabilities. A Hackers sole purpose is to find vulnerabilities in technologies so they can obtain the encrypted information whether it be for personal benefit, political benefit, or any other type of benefit that would, in-turn, damage the hacked individual. Wireless security has been the focus of many companies that manufacture wireless devices because the customers information is considered a liability, and any exploit could lead to unwarranted consequences. Is the increase in wireless devices a basis for increasing wireless security? Is the most recent security standard as secure as we think it is? What is the next step in wireless security?
This document is in PDF format. To view it click here.
Contributed by Matthew Hester
In the summer of 2016 the United Nations declared that access to the internet is a basic human right when it amended article 19 of the Universal Declaration of Human Rights. With this declaration the UN affirmed the increasing roles that technology plays in our day to day lives. However technology advancements, like the internet, do not affect all populations equally. While some may benefit from the use of technology others may be left behind or shutout completely. One such group are individuals with intellectual disabilities (ID). Persons with ID represent two both sides of the technological coin, simultaneously they are a population that stand to benefit greatly from the use of technology, in the form of Adaptive Technologies (AT) while at the same time have the most to lose due to exploitations in the technology used. Due to these facts, a number of ethical issue are raised. This paper will examine the ethical issues that surround the use of technology in populations with ID.
This document is in PDF format. To view it click here.
Contributed by Richard Parker
Risk Management is the process whereby an organization identifies the risk, makes an assessment of the risk, identifies any mitigation that can be done to control the risk, and then decides to accept the risk or not to accept the risk. It applies to everything we do such as our personal lives, financial institutions, organizational operations, and information security. It is important in order to ensure the protection of the organization, it’s assets, and more specifically the organization’s Information Technology environment. There are a few variations of the risk management process which have been developed by both commercial and government organizations. All these processes may differ in implementation and labeling but have the same essential core steps. Those steps include identification of the risk, analysis and evaluation of the risk, mitigation of the risk, acceptance of the risk that can’t be mitigated, and monitoring. When done properly, risk management can greatly reduce the amount of risk taken on by an organization and the effects of the risk.
This document is in PDF format. To view it click here.
security weekRetrieved title: SecurityWeek RSS Feed, 3 item(s)
Google announced on Thursday that it’s taking action against misleading and malicious notifications in Chrome with the release of version 84, which is scheduled for July 14.
Browser notifications can be useful for certain types of services but some websites abuse them to mislead users, deliver malware, or phish personal information.
The United States Department of Justice (DoJ) this week announced that a New York City man was charged for his participation in a cybercrime scheme involving the theft and trafficking of payment card data.
The U.S. National Security Agency (NSA) on Thursday published information on the targeting of Exim mail servers by the Russia-linked threat actor known as Sandworm Team.
tech-wreck infosec blogRetrieved title: Tech-Wreck InfoSec Blog, 3 item(s)
Windows computers are being targeted by a new variant on the Sarwent malware that can create a backdoor using the Remote Desktop Protocol (RDP) port. Researchers with SentinelOne have also found that removing the malware does not close the backdoor but leaves it open for later use. According to HelpNetSecurity, the new Sarwent version can execute commands via the Windows Command Prompt and PowerShell utilities as well as create a new Windows user account on the infected host. Once the RDP is enabled for the new account, the intruder can change the firewall settings to allow external RDP access to the infected machine. It is speculated that the initial attackers are more interested in monetizing the access gained by selling it to ransomware groups rather than by exploiting it themselves.
A new cryptocurrency mining malware is being deployed against thousands of business systems, according to cloud security firm Red Canary. The attack from a group called Blue Mockingbird targets enterprise networks and devices to install a web shell that provides full access to the system. Once inside, the group installs XMRRig, a popular cryptocurrency miner that mines Monero (XMR). Monero has become a popular choice among cybercriminals since it is considered fully anonymous and untraceable. According to IT Pro Portal, some ransomware operators who have traditionally asked for fees to be paid in Bitcoin have switched to Monero.
Microsoft has issued warnings about a "massive" phishing campaign that attempts to install a remote access tool (RAT) onto PCs by tricking users into opening e-mail attachments containing malicious Excel 4.0 macros. The e-mail purports to be from the Johns Hopkins Center and contains the subject line "WHO COVID-19 SITUATION REPORT." The attached Excel file claims to provide a graphical representation of coronavirus data, but instead uses NetSupport Manager to gain remote access and run commands on compromised machines. "The NetSupport RAT used in this campaign further drops multiple components, including several .dll, .ini and other .exe files, a VBScript, and an obfuscated PowerSploit-based PowerShell script. It connects to a C2 server, allowing attackers to send further commands," the company said, as reported by FirstPost. "The hundreds of unique Excel files in this campaign use highly obfuscated formulas, but all of them connect to the same URL to download the payload."
Security firm ESET uncovered a coordinated attack on a number of massively multiplayer online games that has stolen in-game currency and exposed players to malware infected apps. In its WeLiveSecurity blog, ESET says that the newly discovered backdoor, named PipeMon, is being used by the well-known Winnti Group against several video gaming companies in South Korea and Taiwan. According to ESET, "In at least one case, the attackers were able to compromise the company's build orchestration server, allowing them to take control of the automated build systems. This could have allowed the attackers to include arbitrary code of their choice in the video game executables." The PipeMon installers use a legitimate Windows signing certificate that was stolen from Nfinity Games during a 2018 hack of that gaming developer. PipeMon was able to then use the location of Windows print processors to survive reboots. ESET did not provide the names of the game developers targeted by the attack but says it has contacted each affected company and provided information to remediate the compromise.
xkcdRetrieved title: xkcd.com, 3 item(s)