Upgrade to LTE Will Let Phones Talk without Cell Towers, Allowing New Forms of Social Apps and Advertising

Facebook is exploring how the technology could be used with its mobile app. “LTE Direct would allow us to create user experiences around serendipitous interactions with a local business or a friend nearby,” said Jay Parikh, Facebook’s vice president of infrastructure engineering. “You could find out about events or do impromptu meet-ups.”

via Upgrade to LTE Will Let Phones Talk without Cell Towers, Allowing New Forms of Social Apps and Advertising | MIT Technology Review.

However, carriers will control which devices on their networks can use LTE Direct because it uses the same radio spectrum as conventional cellular links. Wireless carriers might even gain a new stream of revenue by charging companies that want to offer services or apps using the technology, Qualcomm says.

Why the Z-80’s data pins are scrambled

I have been reverse-engineering the Z-80 processor using images and data from the Visual 6502 team. The image below is a photograph of the Z-80 die. Around the outside of the chip are the pads that connect to the external pins. (The die photo is rotated 180° compared to the datasheet pinout, if you try to match up the pins.) At the right are the 8 data pins for the Z-80’s 8-bit data bus in a strange order.

via Ken Shirriff’s blog: Why the Z-80’s data pins are scrambled.

The motivation behind splitting the data bus is to allow the chip to perform activities in parallel. For instance an instruction can be read from the data pins into the instruction logic at the same time that data is being copied between the ALU and registers. The partitioned data bus is described briefly in the Z-80 oral history[3], but doesn’t appear in architecture diagrams.

The complex structure of the data buses is closely connected to the ordering of the data pins.

Shellshock: How does it actually work?

env x='() { :;}; echo OOPS' bash -c :
The “env” command runs a command with a given variable set. In this case, we’re setting “x” to something that looks like a function. The function is just a single “:”, which is actually a simple command which is defined as doing nothing. But then, after the semi-colon which signals the end of the function definition, there’s an echo command. That’s not supposed to be there, but there’s nothing stopping us from doing it.

via Shellshock: How does it actually work? | Fedora Magazine.

But — oops! When that new shell starts up and reads the environment, it gets to the “x” variable, and since it looks like a function, it evaluates it. The function definition is harmlessly loaded — and then our malicious payload is triggered too. So, if you run the above on a vulnerable system, you’ll get “OOPS” printed back at you. Or, an attacker could do a lot worse than just print things.

I copied and pasted the above env command and it echoes back OOPS. This web server has been (I suspect) scanned already once, with the scanner placing a ping command in the User-Agent HTTP field. Apparently User-Agent gets passed to a shell environment variable, which will then get executed. The only problem is that they need some kind of script to execute, and there are none on this site. This site simply returned 404, file not found, to the scanner.

This could be problematic on sites with a lot of CGI scripts. There is some exploit that can affect a client using DHCP to obtain an IP address from a malicious server. I’ll find an explanation of that and put it up in its own post. This story is evolving and even has its own brand name now — shellshock.
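The mechanism described above (a header value that starts with the bash function prefix `() {` being imported as a function, with whatever follows it executed) is exactly what shows up in web logs when scanners probe for the bug. The following is an added example, not code from the Fedora Magazine article or from this blog: it parses Apache/nginx "combined" access-log lines, flags any request whose User-Agent, Referer or request line carries the function-definition prefix, and separately runs the article's harmless `echo OOPS` test against the local bash to report whether that bash is patched. The log lines, regex field names and function names are all constructed for this example.

```python
"""Added example: spot Shellshock-style probes in web access logs and
check the local bash with the harmless test command from the article."""
import re
import shutil
import subprocess

# Apache/nginx "combined" log format. The named groups are our own labels.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# The bash exported-function prefix. No browser sends a header that starts
# with "() {", so its presence in any header field is a reliable indicator.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')

# Constructed sample lines: one normal request, one probe in User-Agent
# (answered 404, as this blog saw), one probe in Referer. RFC 5737 addresses.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:12:01 +0000] "GET / HTTP/1.1" 200 612 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.23 - - [25/Sep/2014:10:12:07 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '404 209 "-" "() { :;}; echo OOPS"',
    '198.51.100.23 - - [25/Sep/2014:10:12:09 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" '
    '404 209 "() { :; }; echo OOPS" "curl/7.37.0"',
]


def parse_combined(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock_probes(lines):
    """Return one record per log line whose header fields carry the '() {' prefix."""
    hits = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue
        # CGI exposes these request fields to the handler's environment
        # (HTTP_USER_AGENT, HTTP_REFERER, QUERY_STRING ...), so check each.
        for field in ("ua", "referer", "request"):
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append({"ip": rec["ip"], "field": field,
                             "status": rec["status"], "value": rec[field]})
                break
    return hits


def local_bash_vulnerable():
    """Run the article's test: a patched bash imports nothing and prints nothing.

    Returns True if OOPS is echoed (vulnerable), False if not, None if no bash.
    """
    bash = shutil.which("bash")
    if bash is None:
        return None
    env = {"PATH": "/usr/bin:/bin", "x": "() { :;}; echo OOPS"}
    out = subprocess.run([bash, "-c", ":"], env=env,
                         capture_output=True, text=True)
    return "OOPS" in out.stdout


if __name__ == "__main__":
    for hit in find_shellshock_probes(SAMPLE_LOG):
        print(f"probe from {hit['ip']} in {hit['field']} "
              f"(status {hit['status']}): {hit['value']!r}")
    print("local bash vulnerable:", local_bash_vulnerable())
```

The 404 on the probe line is the situation described above: the header reached the server, but with no CGI handler to hand it to bash, nothing ran. A hit against a path that returned 200 on a host with CGI enabled is the case worth escalating.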

The Great Lightbulb Conspiracy

The cartel’s grip on the lightbulb market lasted only into the 1930s. Its far more enduring legacy was to engineer a shorter life span for the incandescent lightbulb. By early 1925, this became codified at 1,000 hours for a pear-shaped household bulb, a marked reduction from the 1,500 to 2,000 hours that had previously been common. Cartel members rationalized this approach as a trade-off: Their lightbulbs were of a higher quality, more efficient, and brighter burning than other bulbs. They also cost a lot more. Indeed, all evidence points to the cartel’s being motivated by profits and increased sales, not by what was best for the consumer. In carefully crafting a lightbulb with a relatively short life span, the cartel thus hatched the industrial strategy now known as planned obsolescence.

via The Great Lightbulb Conspiracy – IEEE Spectrum.

Flurry of Scans Hint That Bash Vulnerability Could Already Be In the Wild

What is it? A vulnerability in a command interpreter found on the vast majority of Linux and UNIX systems, including web servers, development machines, routers, firewalls, etc. The vulnerability could allow an anonymous attacker to execute arbitrary commands remotely, and to obtain the results of these commands via their browser. The security community has nicknamed the vulnerability “shellshock” since it affects computer command interpreters known as shells.

via Flurry of Scans Hint That Bash Vulnerability Could Already Be In the Wild – Slashdot.

This is a very confusing issue. I found the above comment to be the most informative right now as this issue unfolds.

How bad could it be? Very, very bad. The vulnerability may exist on the vast majority of Linux and UNIX systems shipped over the last 20 years, including web servers, development machines, routers, firewalls, other network appliances, printers, Mac OSX computers, Android phones, and possibly iPhones (note: It has yet to be established that smartphones are affected, but given that Android and iOS are variants of Linux and UNIX, respectively, it would be premature to exclude them). Furthermore, many such systems have web-based administrative interfaces: While many of these machines do not provide a “web server” in the sense of a server providing content of interest to the casual or “normal” user, many do provide web-based interfaces for diagnostics and administration. Any such system that provides dynamic content using system utilities may be vulnerable.

Heatmiser WiFi thermostat vulnerabilities

Scanning for Heatmiser thermostats on port 8068 really just requires a quick check for port 8068 being open – we can be fairly confident that anything with this port open is one of their devices. We can then make a detailed check on port 80.
nmap -p 8068 -Pn -T 5 --open 78.12.1-254.1-254
nmap can easily do this scan. If you want to scan large blocks of addresses though, masscan is much faster.

via » Heatmiser WiFi thermostat vulnerabilities.

You need to forward ports at your local router so that, if you try to access this thermostat from the Internet and come in on (per the above example) port 8068, the router knows to forward all that traffic to whatever IP it has associated with that port. This allows users to access things inside their local network from anywhere on the Internet. It also allows anyone on the Internet to access that internal device.

Here is my opinion on this matter. As the world moves towards self-driving cars and self-driving planes, extremely complicated devices that you would think need human intervention, the world is also moving to take very simple devices, like household appliances, and make them so they need human intervention. A thermostat should be set and forget. It should have simple intelligence to figure out what temperature to set a room to. If a human must get involved in messing with a thermostat then perhaps something went wrong, but it’s not an emergency like this:

Should Airplanes Be Flying Themselves? | Vanity Fair.

A thermostat can certainly wait until you get home to physically figure out the problem and put it back on auto. The Internet of Things can certainly be useful for read-only purposes, like buzzing your phone when the dishes or laundry finish. You can’t load laundry or dishes into these devices via the Internet, so how do the benefits of controlling them remotely, especially from remote Internet locations, outweigh the risks of allowing bad guys to get into your local network?

Finally, here’s a link to a site that does port scanning on the Internet for you. It seems like a useful resource to know about.

Plugging this into Shodan we get over 7000 results. That’s quite a lot. (note, you might need to register to use filters like this).

All Circuits Aren’t Busy

Network neutrality came from the telephone business. With electronic phone switching (analog, not digital) it was possible to give phone company customers who were willing to pay more priority access to trunk lines, avoiding the dreaded “all circuits are busy, please try your call again later.” Alas, some folks almost never got a circuit, so the FCC put a halt to that practice by mandating what it called “network neutrality” – first-come, first-served access to the voice network. When the commercial Internet came along, network neutrality was extended to digital data services, lately over the objection of telcos and big ISPs like Comcast, and the FCC is now about to expand those rules a bit more, which was in this week’s news. But to give network neutrality the proper context, we really should go back to that original analog voice example, because there are more details there worth telling.

via I, Cringely All Circuits Aren’t Busy – I, Cringely.

Tools for a Safer PC

EMET, short for the Enhanced Mitigation Experience Toolkit, is a free tool from Microsoft that can help Windows users beef up the security of commonly used applications, whether they are made by a third-party vendor or by Microsoft. EMET allows users to force applications to use one or both of two key security defenses built into Windows Vista and Windows 7 — Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP).

Put very simply, DEP is designed to make it harder to exploit security vulnerabilities on Windows, and ASLR makes it more difficult for exploits and malware to find the specific places in a system’s memory that they need to do their dirty work.

via Tools for a Safer PC — Krebs on Security.

By creating a free account at OpenDNS.com, changing the DNS settings on your machine, and registering your Internet address with OpenDNS, the company will block your computer from communicating with known malware and phishing sites. OpenDNS also offers a fairly effective adult content filtering service that can be used to block porn sites on an entire household’s network.

Cloud darling Docker gets $40M in funding to push its container technology

Docker, the company that backs the open source Docker container platform, announced on Tuesday that it has raised a $40 million Series C funding round, bringing the company’s total funding to $66 million. Sequoia Capital led the investment along with existing investors Benchmark Capital, Greylock Partners, Insight Ventures, Trinity Ventures and Jerry Yang.

via Cloud darling Docker gets $40M in funding to push its container technology — Tech News and Analysis.