New Bluetooth hack can unlock your Tesla—and all kinds of other devices

This class of hack is known as a relay attack, a close cousin of the person-in-the-middle attack. In its simplest form, a relay attack requires two attackers. In the case of the locked Tesla, the first attacker, which we’ll call Attacker 1, is in close proximity to the car while it’s out of range of the authenticating phone. Attacker 2, meanwhile, is in close proximity to the legitimate phone used to unlock the vehicle. Attacker 1 and Attacker 2 have an open Internet connection that allows them to exchange data.

Source: New Bluetooth hack can unlock your Tesla—and all kinds of other devices | Ars Technica

Log4j flaw: Attackers are making thousands of attempts to exploit this severe vulnerability

Log4j is used in many forms of enterprise and open-source software, including cloud platforms, web applications and email services, meaning that there’s a wide range of software that could be at risk from attempts to exploit the vulnerability.

Source: Log4j flaw: Attackers are making thousands of attempts to exploit this severe vulnerability | ZDNet

F-35’s Hacking Vulnerability | Could the F-35 Be Hacked?

Every F-35 squadron, no matter the country, has a 13-server ALIS package that is connected to the worldwide ALIS network. Individual jets send logistical data back to their nation’s Central Point of Entry, which then passes it on to Lockheed’s central server hub in Fort Worth, Texas. In fact, ALIS sends back so much data that some countries are worried it could give away too much information about their F-35 operations.

Source: F-35’s Hacking Vulnerability | Could the F-35 Be Hacked?

Hackers could conceivably introduce bad data in the JRE that could compromise the safety of a mission, shortening the range of a weapon system so that a pilot thinks she is safely outside the engagement zone when she is most certainly not.

It’s highly likely these vulnerabilities are a known detectable exploit vector. Any military aircraft should be able to perform its mission disconnected from a network — except for perhaps drones.

Meltdown and Spectre: clearing up the confusion

For a typical user, the browser presents the highest risk, but we have yet to see proof of concept code that exploits this vulnerability through JavaScript – and browser vendors have started issuing patches as well (for example, Mozilla has issued a new version of Firefox, 57.0.4, where they have decreased the precision of time sources to make attacks such as Spectre more difficult or impossible). If you run stuff as Administrator: Spectre makes no difference for you really.

In other words: the world will end over the weekend.

Source: Meltdown and Spectre: clearing up the confusion – SANS Internet Storm Center

The hackers who broke into Equifax exploited a flaw in open-source server software

That vulnerability, according to a report on the data breach by William Baird & Co., was in a popular open-source software package called Apache Struts, which is a programming framework for building web applications in Java. Two vulnerabilities in Struts have been discovered so far in 2017. One was announced in March, and another was announced earlier this week on Sept. 4. At the moment, it’s unclear which vulnerability the Baird report was referring to.

Source: The hackers who broke into Equifax exploited a flaw in open-source server software — Quartz

The bug specifically affects a popular plugin called REST, which developers use to handle web requests, like data sent to a server from a form a user has filled out. The vulnerability relates to how Struts parses that kind of data and converts it into information that can be interpreted by the Java programming language. When the vulnerability is successfully exploited, malicious code can be hidden inside of such data, and executed when Struts attempts to convert it.

Offline attack shows Wi-Fi routers still vulnerable

The research, originally demonstrated at the PasswordsCon Las Vegas 2014 conference in early August, builds on previous work published by Stefan Viehböck in late 2011. Viehböck found a number of design flaws in Wi-Fi Protected Setup, but most significantly, he found that the PIN needed to complete the setup of a wireless router could be broken into smaller parts and each part attacked separately. By breaking down the key, the number of attempts an attacker would have to try before finding the key shrunk from an untenable 100 million down to a paltry 11,000—a significant flaw for any access-control technology.

via Offline attack shows Wi-Fi routers still vulnerable | Ars Technica.
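The arithmetic behind the 100 million versus 11,000 figures quoted above, as an added example that is not part of the quoted article: a toy verifier that reveals which half of an 8-digit PIN was wrong, and a counter for the guesses such a design admits. The 11,000 bound is 10,000 first halves plus 1,000 second halves, because the eighth digit is a check digit; `make_verifier`, `guesses_needed` and `worst_case` are hypothetical names and the sample PINs are constructed.

```python
# Added example: toy model only. No Wi-Fi or WPS protocol code is involved.

def wps_checksum(body7: int) -> int:
    """Check digit for a 7-digit PIN body (WPS PIN checksum scheme)."""
    accum = 0
    while body7:
        accum += 3 * (body7 % 10)
        body7 //= 10
        accum += body7 % 10
        body7 //= 10
    return (10 - accum % 10) % 10

def make_verifier(pin: str):
    """Hypothetical verifier that reports which half of the PIN was wrong."""
    def verify(first4: str, second4: str) -> str:
        if first4 != pin[:4]:
            return "first_half_wrong"
        if second4 != pin[4:]:
            return "second_half_wrong"
        return "ok"
    return verify

def guesses_needed(verify) -> tuple[str, int]:
    """Count the guesses a half-by-half search needs against `verify`."""
    attempts = 0
    first = ""
    for a in range(10**4):                      # first half: 10,000 candidates
        attempts += 1
        if verify(f"{a:04d}", "0000") != "first_half_wrong":
            first = f"{a:04d}"
            break
    for b in range(10**3):                      # second half: 3 free digits + check digit
        second = f"{b:03d}{wps_checksum(int(first) * 1000 + b)}"
        attempts += 1
        if verify(first, second) == "ok":
            return first + second, attempts
    raise ValueError("PIN does not carry a valid check digit")

def worst_case(split_feedback: bool) -> int:
    """Upper bound on guesses for an 8-digit PIN under each verifier design."""
    return 10**4 + 10**3 if split_feedback else 10**8

if __name__ == "__main__":
    # Constructed sample PINs, chosen so the check digit is valid.
    for pin in ("12345670", "99999995"):
        print(pin, guesses_needed(make_verifier(pin)), worst_case(True), worst_case(False))
```

A verifier that confirms only the whole PIN gives no per-half signal, so the half-by-half search no longer applies and the bound returns to the full keyspace.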

More on Heartbleed

This is a pretty serious problem so I’ll devote more space to another collection of tidbits from various sources.

EDITED TO ADD (4/9): Has anyone looked at all the low-margin non-upgradable embedded systems that use OpenSSL? An upgrade path that involves the trash, a visit to Best Buy, and a credit card isn’t going to be fun for anyone.

via Schneier on Security: Heartbleed.


The fact is that no programmer is good enough to write code which is free from such vulnerabilities. Programmers are, after all, trained and skilled in following the logic of their program. But in languages without bounds checks, that logic can fall away as the computer starts reading or executing raw memory, which is no longer connected to specific variables or lines of code in your program. All non-bounds-checked languages expose multiple levels of the computer to the program, and you are kidding yourself if you think you can handle this better than the OpenSSL team.

We can’t end all bugs in software, but we can plug this seemingly endless source of bugs which has been affecting the Internet since the Morris worm. It has now cost us a two-year window in which 70% of our internet traffic was potentially exposed. It will cost us more before we manage to end it.

Ironic how the above link uses https. The Ars Technica article below has interesting screenshots.

From: Critical crypto bug exposes Yahoo Mail, other passwords Russian roulette-style

For an idea of the type of information that remains available to anyone who knows how to use open source tools like this one, just consider Yahoo Mail, the world’s most widely used Web mail service. The images below were recovered by Mark Loman, a malware and security researcher with no privileged access to Yahoo Mail servers. The plaintext passwords appearing in them have been obscured to protect the Yahoo Mail users they belong to, a courtesy not everyone exploiting this vulnerability is likely to offer. To retrieve them, Loman sent a series of requests to servers running Yahoo Mail at precisely the same time as the credentials just happened to be stored—Russian roulette-style—in Yahoo memory.

Pwn2Own 2014 Claims IE, Chrome, Safari and More Firefox Zero-Days

In terms of why Firefox was the most exploited browser at the 2014 Pwn2Own event, money likely plays a key role.
“Pwn2Own offers very large financial incentives to researchers to expose vulnerabilities, and that may have contributed in part to the researchers’ decision to wait until now to share their work and help protect Firefox users,” Stamm said. “Mozilla also offers financial rewards in our bug bounty program, and this program’s success has inspired other companies to follow suit.”

via Pwn2Own 2014 Claims IE, Chrome, Safari and More Firefox Zero-Days.

World’s largest DDoS strikes US, Europe

The Network Time Protocol (NTP) Reflection attack exploits a timing mechanism that underpins a way the internet works to greatly amplify the power of what would otherwise be a small and ineffective assault.

via World’s largest DDoS strikes US, Europe – Security – Technology – News –

The OpenNTPProject can help administrators determine if their servers are vulnerable.

Setting up a man-in-the-middle device with Raspberry Pi, Part 1

The regular install on a Raspberry Pi is NOOBS (new out-of-box software) and contains several pre-packaged operating systems. However, for the purpose of our MITM device we’ll be using a different Linux distro for our Pi: PwnPi. PwnPi is a distribution of the Raspbian OS that contains many pre-installed packages for security and penetration testing, which is naturally right up our alley. So, go ahead and download PwnPi. Once it’s downloaded we’ll need to load it onto our SD card. First, format your SD card using the SD card formatter from the SD association. If the “size” value shown in the formatter is less than the size of your card, be sure to choose “format size adjustment” in the card.

via Setting up a man-in-the-middle device with Raspberry Pi, Part 1 | jeffq, published.