Archive for 2018

Authorities in Innsbruck, Austria have shut down the Patscherkofelbahn ski lift after two security researchers managed to gain access to the controls for operating the lift.

Settings for controlling the ski lift’s speed, the distance between cable cars, and cable tension were all exposed in the open, along with logs and other data.

Of course the big question is: How did the researchers get access? After all, a transportation “vehicle” carrying thousands of passengers a day is reasonably secured against tampering from the outside, right?

The two were surprised because there wasn’t any login screen to prevent Internet users from accessing and interacting with the HMI [Human Machine Interface] panel.

Oh, ok.

Researchers have used the officially available Alexa SDK from Amazon in order to hack the Amazon Echo and turn it into an eavesdropping device.

They created a calculator skill and simply set the response field shouldEndSession to false, which makes Alexa expect a follow-up question right after the reply to the first one. The fun thing is that this does not require another invocation phrase like “Alexa, open calculator”. Effectively Alexa remained open and listening, converting the speech into words that were stored as text and visible to the skill’s developers via the skill’s logs.

Every day I am puzzled by the stupidity of people paying Amazon in order to place a bug in their apartments.

The German Supreme Court has published a press release (German) which explains the decision in a recent court case about the adblocking software AdBlock Plus. The digital publishing house Axel Springer, in Germany probably most known for its tabloid BILD which likes to publish fake news, sued the adblocking company behind AdBlock Plus, claiming its software is anticompetitive.

Luckily, the court did not see it that way and ruled that providing and using an adblocker is legal. One of those rare and important wins.

On a side note:

The BILD tabloid is a particularly nasty piece of crap made in Germany and its owner Axel Springer has already been sued numerous times for defamation and the spreading of lies. They particularly like to focus on people that have to defend themselves in court and prejudge them before their case is even close to being ruled on. Even if they win their case, BILD might still keep on printing articles as if they had been found guilty. The most famous case, against the weather presenter Jörg Kachelmann, who was wrongfully accused of rape by his ex-girlfriend (she was convicted herself for false accusations in the end), ended in BILD having to pay (German) 395,000 EUR to Kachelmann in damages. Note to readers from the US: For Germany this is actually quite a lot. We do not have punitive damages in law, only compensatory. Quite often you never get more than a few thousand EUR if you sue for damages. Those 395k are therefore pretty extreme by German court decision standards.

The OPCW has released a shortened version of their report on the investigation of the agent used to poison Sergej and Yulia Skripal.

The results of analysis by the OPCW designated laboratories of environmental and biomedical samples collected by the OPCW team confirm the findings of the United Kingdom relating to the identity of the toxic chemical that was used in Salisbury and severely injured three people.

This confirms what it was but not who used it. Sadly a couple German media outlets have problems grasping the difference between what and who. The OPCW further notes that

The TAV team notes that the toxic chemical was of high purity. The latter is concluded from the almost complete absence of impurities.

Apart from the great wording (the substance is considered pure because it was pure) this also means that it is actually quite difficult to pinpoint the origin of the agent. This is usually achieved by looking at the impurities which can be characteristic for a certain point of origin. Not unlike a fingerprint, if you like to look at it that way. A state actor seems likely as purifying such agents is something that is resource-intensive. However, every high technology country out there could manage that, including the UK themselves.

In a nutshell, this report says “It was novichok and we have no idea where it came from”. Of course this does not stop the UK from taking this as proof that the Russians are behind it all.

This statement of course came from Boris Johnson, who has already proven during the pre-Brexit era that truthfulness is not one of his main traits. Fun times ahead!

Last week, 18 Palestinians were killed by Israeli forces during protests taking place at the Gaza “border”.

The UN of course disagrees with this tactic and UN secretary general António Guterres called for Israel to exercise extreme caution. The UN human rights spokeswoman Elizabeth Throssel also chimed in, stating that wilful killing of civilians constitutes a breach of the fourth Geneva convention.

In the following attempt to reconcile, Israel shot at least 7 more. What were the Palestinians doing there anyway?

Among those who turned up was Ali Bakroun, 19. “I came here with my friends to fly the kite we made this week,” he said. “I wrote our names on it. We got close to the fence to throw stones but we stayed in a low place so we would be under cover. I’m not afraid to be shot or killed because our land deserves our lives.”

Throwing stones and flying kites… more than enough reason for Israeli soldiers to use live ammo…

There is a new security vulnerability, affecting pretty much all Windows versions (CVE-2018-0986), which combines all the things that make for a great failure story. Using outdated open source software, not updating it despite the open source community basically handing you updates on a silver platter, fucking up the code yourself, and then mixing this with antivirus. What could possibly go wrong?

Microsoft has forked a very old version of the open source tool unrar, which is, as the name suggests, used to unpack rar files. They then incorporated the unrar code into the Malware Protection Engine that powers their own antivirus solution Windows Defender. However, before doing so they changed parts of the code: in particular they turned signed integers into unsigned integers and then removed the checks against negative values as redundant, even though some of the values involved were still handled as signed integers further down.

What this means is that you can tell the software to start writing at address + offset, and if you set offset to -2 you end up in the memory space just before your allocated buffer. With this out-of-bounds write you can not only make the AV engine crash, but you can also execute arbitrary code. That code then runs with the rights of the AV engine, which is LocalSystem, and can basically do pretty much everything that is of interest.

All you need is a crafted rar file that sets a negative offset, and the victim only has to download it (or receive it by mail). No manual execution is required afterwards, as the AV engine will automatically scan the rar file, get its memory corrupted, and things proceed from there. If nothing scans the file, you are safe. Even if you open the rar manually with WinRAR, or anything that uses the official open source unrar code, you are safe, because that bug is not present there and the code stops if offset < 0. This only works with the AV engine enabled.
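To make the signed/unsigned mix-up concrete, here is an added example that is neither Microsoft’s nor unrar’s code: a hypothetical block format with a little-endian signed 32-bit destination offset, written once the upstream way (offset kept signed, negative and oversized values rejected) and once the fork way (field redeclared unsigned, the `< 0` check deleted as dead code, value converted back to signed before the arithmetic). The buffer layout, field names and the `arena` the demo writes into are all assumptions made so that the stray write can be observed without corrupting the real heap.

```c
/* Added example, not code from Microsoft or the unrar project.
 * Demonstrates how dropping a sign check turns offset -2 into a
 * write just before the destination buffer.  Block format, buffer
 * layout and the backing "arena" are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE 96
#define BUF_START  32   /* the "allocated" destination buffer starts here ... */
#define BUF_LEN    32   /* ... and is this long; bytes 0..31 belong to someone else */

/* Backing memory for the demo so an out-of-bounds write is observable
 * instead of undefined behaviour on the real heap. */
static uint8_t arena[ARENA_SIZE];

/* Hypothetical block: 4-byte little-endian signed offset, then one
 * payload byte.  Real RAR structures look different. */
static void make_block(int32_t off, uint8_t payload, uint8_t out[5])
{
    uint32_t u = (uint32_t)off;
    out[0] = (uint8_t)u;
    out[1] = (uint8_t)(u >> 8);
    out[2] = (uint8_t)(u >> 16);
    out[3] = (uint8_t)(u >> 24);
    out[4] = payload;
}

static int32_t read_le32(const uint8_t *p)
{
    return (int32_t)((uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                     ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24));
}

/* Upstream-style: the offset stays signed and negative or too-large
 * values are rejected before any memory is touched.
 * Returns the arena index written, or -1 if the block is rejected. */
static long upstream_write(const uint8_t *block)
{
    int32_t off = read_le32(block);
    if (off < 0 || (size_t)off >= BUF_LEN)
        return -1;
    arena[BUF_START + off] = block[4];
    return BUF_START + off;
}

/* Fork-style: the field was redeclared unsigned, so "off < 0" looked
 * redundant and was deleted, but the value is converted back to the
 * original signed type before the address arithmetic.
 * Returns the arena index written; the only guard left is the demo's
 * own arena boundary, which is not part of the modelled bug. */
static long fork_write(const uint8_t *block)
{
    uint32_t off_u = (uint32_t)read_le32(block);  /* "it's unsigned now" */
    /* if (off_u < 0) return -1;   <- always false, removed as dead code */
    int32_t off = (int32_t)off_u;                 /* 0xFFFFFFFE wraps back to -2 */
    long idx = (long)BUF_START + off;             /* -2 -> index 30, before BUF_START */
    if (idx < 0 || idx >= ARENA_SIZE)             /* demo-only guard */
        return -1;
    arena[idx] = block[4];                        /* lands in memory before the buffer */
    return idx;
}

int main(void)
{
    uint8_t blk[5];
    memset(arena, 0, sizeof arena);
    make_block(-2, 0x41, blk);                    /* crafted block with offset -2 */
    long up = upstream_write(blk);
    long fk = fork_write(blk);
    printf("upstream: %ld (rejected)\n", up);
    printf("fork:     wrote 0x%02x at arena[%ld], buffer starts at %d\n",
           arena[fk], fk, BUF_START);
    return 0;
}
```

The two writers receive the very same bytes; only the type juggling differs. A fix keeps the check in the form the arithmetic actually uses (signed, as upstream does) or makes the whole path unsigned and checks `off >= BUF_LEN` there, instead of assuming a declaration change elsewhere made the check unnecessary.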

It also looks like this bug might have been around since 2012, and Sophos AV was affected back then as well. Fun times with antivirus software, the modern version of snake oil. And some people even pay for this shit.

Apple Is on a Spree Again

Wed, Apr 4, 2018

One would think that after the bug disaster of 2017, Apple would now be a little bit more careful before releasing patches. But Apple is on another bug spree and cannot be stopped. This time they turn hundreds of thousands of external monitors connected via DisplayLink into heavy paperweights.