Tag: security

Tunnel Detection

The sensors themselves are a mixture of accelerometers, which pick up vibrations, current detectors, which measure the electrical resistance of rocks and soil, and subsurface radar. The square kilometer they picked contains more than 100 wells, many underground storage tanks and tens of kilometers of steel pipeline. Resead made short work of this challenge. It produced an accurate map of the area in just 10 minutes. The system could be useful for detecting tunnels on the Mexican border.

See also the opposite:

The University of Arizona College of Engineering is testing an invisible border monitoring system that could revolutionize the way the US conducts homeland security. The border-monitoring system, known as Helios, consists of laser pulses transmitted through fiber-optic cables buried in the ground that respond to movements on the surface above. A detector at one or both ends of the cable analyzes these responses. Helios is sensitive enough to detect a dog and can discriminate between people, horses and trucks. The system can be set to avoid being triggered by small animals, and can also tell if people are running or walking, or digging, and in which direction. The location of a cut cable, or people, or vehicles, can be pinpointed instantly to within one meter along a section of cable up to 50 kilometers long.

Attack-resistant Hardware

Attacks often succeed by abusing the gap between program and machine-level semantics: for example, by locating a sensitive pointer, exploiting a bug to overwrite this sensitive data, and hijacking the victim program’s execution. In this work, we take secure system design on the offensive by continuously obfuscating information that attackers need but normal programs do not use, such as the representation of code and pointers or the exact location of code and data. Our secure hardware architecture, Morpheus, combines 2 powerful protections: ensembles of moving target defenses and churn. Ensembles of moving target defenses randomize key program values (e.g., relocating pointers and encrypting code and pointers), which forces attackers to extensively probe the system prior to an attack. To ensure attack probes fail, the architecture incorporates churn to transparently re-randomize program values underneath the running system. With frequent churn, systems quickly become impractically difficult to penetrate. We demonstrate Morpheus through a RISC-V-based prototype designed to stop control-flow attacks. Each moving target defense in Morpheus uses hardware support to individually offer more randomness at a lower cost than previous techniques. When ensembled with churn, Morpheus defenses offer strong protection against control-flow attacks, with our security testing and performance studies revealing: i) high-coverage protection for a broad array of control-flow attacks, including protections for advanced attacks and an attack disclosed after the design of Morpheus, and ii) negligible performance impacts (1%) with churn periods up to 50 ms, which our study estimates to be at least 5000x faster than the time necessary to possibly penetrate Morpheus.

Morpheus went undefeated in a hacking challenge.
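The two ideas in the abstract (pointer encryption plus relocation as the moving-target ensemble, and churn as periodic re-randomization underneath a running program) are easiest to see in a small model. The following is an added illustration written for this page, not code from the Morpheus project: it keeps every stored code pointer as ciphertext under a domain key, relocates the code region by a random displacement, and on churn re-keys and re-encrypts all live slots. The class name, the 64-bit XOR "cipher" and the region sizes are constructed assumptions; Morpheus's real tagging and encryption are hardware mechanisms not reproduced here. The point demonstrated is the one the abstract makes: a value observed by a probe is only useful within the churn period it was observed in, while the running program keeps working across churns.

```python
import secrets

MASK64 = (1 << 64) - 1


class ChurningPointerDomain:
    """Toy model (constructed for illustration) of an ensemble of moving-target
    defenses: code-pointer encryption under a secret key plus a random relocation
    of the code region, with churn that re-randomizes both underneath the program."""

    def __init__(self, code_base=0x400000, code_size=0x10000):
        self.code_base = code_base
        self.code_size = code_size
        self.key = secrets.randbits(64)                  # pointer-encryption key
        self.displacement = secrets.randbits(20) << 12   # page-aligned relocation
        self.slots = {}                                  # memory: slot -> ciphertext
        self.churn_count = 0

    def _region_start(self):
        return self.code_base + self.displacement

    def encrypt(self, addr):
        return (addr ^ self.key) & MASK64

    def decrypt(self, value):
        return (value ^ self.key) & MASK64

    def store(self, slot, code_offset):
        """The program stores a pointer to code at `code_offset`; memory holds ciphertext."""
        self.slots[slot] = self.encrypt(self._region_start() + code_offset)

    def load(self, slot):
        """The program reads a slot back; hardware decrypts it transparently."""
        return self.decrypt(self.slots[slot])

    def offset_of(self, slot):
        """Position of the target relative to the (relocated) code region."""
        return self.load(slot) - self._region_start()

    def churn(self):
        """Re-randomize: new key and new relocation, all live pointers re-encrypted."""
        offsets = {slot: self.offset_of(slot) for slot in self.slots}
        self.key = secrets.randbits(64)
        self.displacement = secrets.randbits(20) << 12
        for slot, off in offsets.items():
            self.store(slot, off)
        self.churn_count += 1

    def in_code_region(self, addr):
        start = self._region_start()
        return start <= addr < start + self.code_size


def stale_value_still_points_into_code(churn_between_probe_and_use):
    """Model the probe-then-overwrite sequence the abstract describes: a ciphertext
    observed in one slot is copied into another. Returns True if the copied value
    still decrypts to an address inside the code region when it is used."""
    dom = ChurningPointerDomain()
    dom.store("handler", 0x1234)
    dom.store("callback", 0x2000)
    observed = dom.slots["handler"]        # what a probe sees: ciphertext, not an address
    if churn_between_probe_and_use:
        dom.churn()                        # key and relocation change underneath
    dom.slots["callback"] = observed       # the overwrite uses the stale observation
    return dom.in_code_region(dom.load("callback"))


def program_still_correct_after_churn(rounds=3):
    """Transparency: the legitimate program's pointer keeps its meaning across churns."""
    dom = ChurningPointerDomain()
    dom.store("handler", 0x1234)
    for _ in range(rounds):
        dom.churn()
        if dom.offset_of("handler") != 0x1234:
            return False
    return True


if __name__ == "__main__":
    print("usable within one churn period:", stale_value_still_points_into_code(False))
    print("usable after a churn:          ", stale_value_still_points_into_code(True))
    print("program intact after churn:    ", program_still_correct_after_churn())
```

With a 64-bit key and a 64 KiB code region, a stale ciphertext decrypts into the region with probability about 2^-48 after one churn, which is the sense in which the abstract says probes are forced to fail; the abstract's 50 ms churn period is the bound on how long any single observation stays valid.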

See also a related approach: Physically unclonable functions, or PUFs, exploit the fact that, at a microscopic level, even mass-produced computer chips have tiny differences. PUFs leverage that to let every chip in a computer, smartphone, or other device generate a signal that no other chip can generate. “The SolarWinds hack that targeted the US government really got people thinking about how we’re going to be doing authentication and cryptography. We’re hopeful that this could be part of the solution.”

Destroying Cellebrite

By a truly unbelievable coincidence, I was recently out for a walk when I saw a small package fall off a truck ahead of me. As I got closer, the dull enterprise typeface slowly came into focus: Cellebrite. Inside, we found the latest versions of the Cellebrite software, a hardware dongle designed to prevent piracy (tells you something about their customers I guess!), and a bizarrely large number of cable adapters.

By including a specially formatted but otherwise innocuous file in an app on a device that is then scanned by Cellebrite, it’s possible to execute code that modifies not just the Cellebrite report being created in that scan, but also all previous and future generated Cellebrite reports from all previously scanned devices and all future scanned devices in any arbitrary way (inserting or removing text, email, photos, contacts, files, or any other data), with no detectable timestamp changes or checksum failures. This could even be done at random, and would seriously call the data integrity of Cellebrite’s reports into question.

Any app could contain such a file, and until Cellebrite is able to accurately repair all vulnerabilities in its software with extremely high confidence, the only remedy a Cellebrite user has is to not scan devices. In completely unrelated news, upcoming versions of Signal will be periodically fetching files to place in app storage. These files are never used for anything inside Signal and never interact with Signal software or data, but they look nice, and aesthetics are important in software. Files will only be returned for accounts that have been active installs for some time already, and only probabilistically in low % based on phone number sharding. We have a few different versions of files that we think are aesthetically pleasing, and will iterate through those slowly over time. There is no other significance to these files.

SpaceX telemetry

Neat: due to some nuclear weapons treaty, rocket communications are transmitted more or less in the clear, and a group of enthusiasts have decoded additional internal sensor readings & pictures from SpaceX, but also some Chinese ones(?). Kind of surprising that there’s not more industrial espionage going on, or if there is, others don’t seem to suspiciously catch up with SpaceX.

Toward Confidential Clouds

Imagine a future in which end users have complete and verifiable control over how their data is used by any cloud service. If they want their organization’s documents to be indexed, a confidential indexing service could guarantee that no one outside their organization ever sees that data. A confidential videoconferencing service could guarantee end-to-end encryption without sacrificing the ability to record the session or provide transcripts, with the output sent to a confidential file-sharing service, never appearing unencrypted anywhere other than the organization’s devices or confidential VMs. A confidential email system could similarly protect privacy without compromising on functionality such as searching or authoring assistance. Ultimately, confidential computing will enable many innovative cloud services, while allowing users to retain full control over their data.

Spectre web exploit

In this post, we will share the results of Google Security Team’s research on the exploitability of Spectre against web users, and present a fast, versatile proof-of-concept (PoC) written in JavaScript which can leak information from the browser’s memory. We’ve confirmed that this proof-of-concept, or its variants, function across a variety of operating systems, processor architectures, and hardware generations.

Apple should help Intel

Helping Intel stay in the semiconductor manufacturing game should be among one of the highest priorities for all US-based technology companies. While TSMC is the leader in manufacturing process technology, they remain a geo-political risk should China decide to enforce its will on the region. Samsung is not far behind, but being a Korean company, again, future politics guarantee no safe bets. Having a leading semiconductor company founded and based in the US is incredibly strategic given how critical semiconductors are to our digital future. Apple may be one of the only companies that can help Intel right the ship.

Parler self-own

As always, as we saw in the darknet marketplace days, the most fervent are also the most incompetent. The result is that Parler was basically a honeypot for idiots.

Parler lacked the most basic security measures that would have prevented the automated scraping of the site’s data. It even ordered its posts by number in the site’s URLs, so that anyone could have easily, programmatically downloaded the site’s millions of posts. Parler also doesn’t require authentication to view public posts and doesn’t use any sort of “rate limiting” that would cut off anyone accessing too many posts too quickly.
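The three gaps named above (sequential post numbers in URLs, no authentication for public posts, no rate limiting) each have a standard countermeasure, and the first two also leave a recognizable trace in access logs. The following is an added example for this page, not code from Parler or from the reporting quoted: it generates opaque post identifiers that cannot be stepped through, enforces a per-client sliding-window rate limit, and flags clients whose requests walk an integer ID space in order. The access log, client addresses and limits are constructed sample data.

```python
import secrets
from collections import defaultdict, deque

# Constructed access log: (timestamp in seconds, client address, request path).
# One client steps through post numbers 1001..1006 at ten requests per second;
# the other reads three unrelated posts over nine seconds.
SAMPLE_LOG = [
    (0.0, "10.0.0.7", "/posts/1001"),
    (0.1, "10.0.0.7", "/posts/1002"),
    (0.2, "10.0.0.7", "/posts/1003"),
    (0.3, "10.0.0.7", "/posts/1004"),
    (0.4, "10.0.0.7", "/posts/1005"),
    (0.5, "10.0.0.7", "/posts/1006"),
    (1.0, "10.0.0.9", "/posts/42"),
    (7.0, "10.0.0.9", "/posts/9001"),
    (9.0, "10.0.0.9", "/posts/77"),
]


def opaque_post_id():
    """Public identifier for a new post: 128 random bits, URL-safe.
    Knowing one ID gives no way to derive the previous or next one,
    unlike an auto-incrementing integer exposed in the URL."""
    return secrets.token_urlsafe(16)


class SlidingWindowLimiter:
    """Allow at most `limit` requests per client within any `window` seconds."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)   # client -> timestamps of allowed requests

    def allow(self, client, now):
        recent = self._hits[client]
        while recent and now - recent[0] > self.window:
            recent.popleft()              # drop hits that fell out of the window
        if len(recent) >= self.limit:
            return False
        recent.append(now)
        return True


def replay(log, limiter):
    """Run a log through the limiter; returns (client, path, allowed) per request."""
    return [(client, path, limiter.allow(client, ts)) for ts, client, path in log]


def enumeration_suspects(log, min_run=5):
    """Flag clients with `min_run` or more consecutive requests whose numeric
    path id is exactly the previous id plus one: the signature of a scraper
    walking sequential identifiers. Non-numeric ids are ignored."""
    run_length = defaultdict(int)
    last_id = {}
    flagged = set()
    for _ts, client, path in log:
        tail = path.rsplit("/", 1)[-1]
        if not tail.isdigit():
            continue
        post_id = int(tail)
        if client in last_id and post_id == last_id[client] + 1:
            run_length[client] += 1
        else:
            run_length[client] = 1
        last_id[client] = post_id
        if run_length[client] >= min_run:
            flagged.add(client)
    return sorted(flagged)


if __name__ == "__main__":
    print("new post id:", opaque_post_id())
    print("enumeration suspects:", enumeration_suspects(SAMPLE_LOG))
    for client, path, allowed in replay(SAMPLE_LOG, SlidingWindowLimiter(3, 1.0)):
        print(f"{client} {path} {'allowed' if allowed else 'rate-limited'}")
```

The limiter and the opaque IDs are the preventive controls; the enumeration check is what a defender would run over historical logs of a site that already exposed sequential numbers, since a scraper of the kind described above shows up as a long monotonic run from a single client. Authentication for post reads is a policy choice the site makes rather than something a snippet can supply.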

Solarwinds

SolarWinds was ‘secured’ with the password solarwinds123

All 5 branches of the military. The NSA. The IRS. The USPS. DHS. The Treasury Department. Nearly every Fortune 500 company. All 10 of the top 10 telcos. The list goes on and on. And with this access, attackers could move laterally, using compromised credentials to eavesdrop on mutuals of targeted entities. And all of this “secured” by a password so simple an idiot could have created it.

SolarWinds sounds like security theater specifically set up to compromise the gullible.