Docker Bug Allows Root Access to Host File System

All of the current versions of Docker have a vulnerability that can allow an attacker to get read-write access to any path on the host server. The weakness is the result of a race condition in the Docker software and while there’s a fix in the works, it has not yet been integrated.

The bug is the result of the way that the Docker software handles some symbolic links, which are files that have paths to other directories or files. Researcher Aleksa Sarai discovered that in some situations, an attacker can insert his own symlink into a path during a short time window between the time that the path has been resolved and the time it is operated on. This is a variant of the time of check to time of use (TOCTOU) problem, specifically with the “docker cp” command, which copies files to and from containers.

“The basic premise of this attack is that FollowSymlinkInScope suffers from a fairly fundamental TOCTOU attack. The purpose of FollowSymlinkInScope is to take a given path and safely resolve it as though the process was inside the container. After the full path has been resolved, the resolved path is passed around a bit and then operated on a bit later (in the case of ‘docker cp’ it is opened when creating the archive that is streamed to the client),” Sarai said in his advisory on the problem.

“If an attacker can add a symlink component to the path after the resolution but before it is operated on, then you could end up resolving the symlink path component on the host as root. In the case of ‘docker cp’ this gives you read and write access to any path on the host.”

Sarai notified the Docker security team about the vulnerability and, after talks with them, the two parties agreed that public disclosure of the issue was legitimate, even without a fix available, in order to make customers aware of the problem. Sarai said researchers had been aware for a couple of years that this kind of attack might be possible against Docker. He developed exploit code for the vulnerability and said that a potential attack scenario could come through a cloud platform.

“The most likely case for this particular vector would be a managed cloud which let you (for instance) copy configuration files into a running container or read files from within the container (through “docker cp”),” Sarai said via email.

“However it should be noted that while this vulnerability only has exploit code for “docker cp”, that’s because it’s the most obvious endpoint for me to exploit. There is a more fundamental issue here — it’s simply not safe to take a path, expand all the symlinks within it, and assume that path is safe to use.”
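To make the check/use gap concrete, here is an added example (not Docker's code and not Sarai's): a naive `resolve_then_open` that resolves a path under a root directory and opens the result later, beside a hypothetical `open_in_root` that walks the path one component at a time relative to a directory fd with `O_NOFOLLOW`, reading symlinks itself and re-anchoring absolute targets at the root so that no host path outside the root is ever handed to the kernel. The `demo` function builds a constructed temp-directory scenario in which a directory is turned into a symlink between the two steps; the `racer` hook stands in for a process running concurrently inside the container.

```python
import errno
import os
import shutil
import stat
import tempfile


def resolve_then_open(root, rel_path, racer=None):
    """TOCTOU-prone pattern: resolve every symlink under `root` first (the
    check), then open the resulting host path later (the use).  `racer` is
    a hook standing in for a concurrent process inside the container that
    may rewrite the tree between those two steps."""
    resolved = os.path.realpath(os.path.join(root, rel_path))
    if resolved != root and not resolved.startswith(root + os.sep):
        raise PermissionError("path escapes root")
    if racer is not None:
        racer()                       # the window between check and use
    with open(resolved, "rb") as f:   # follows whatever the path is *now*
        return f.read()


def open_in_root(root, rel_path, max_links=40):
    """Scoped open without a check/use gap (hypothetical helper): walk one
    component at a time relative to a directory fd, opening each with
    O_NOFOLLOW.  A symlink is read and its target re-queued as components,
    with absolute targets re-anchored at `root`.  Returns a read-only fd."""
    root_fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
    parents = []                      # ancestor fds of `cur`, for ".."
    cur = os.dup(root_fd)
    parts = [p for p in rel_path.split("/") if p not in ("", ".")]
    links = 0
    try:
        while parts:
            name = parts.pop(0)
            if name == "..":
                if parents:           # ".." at the root stays at the root
                    os.close(cur)
                    cur = parents.pop()
                continue
            try:
                fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC,
                             dir_fd=cur)
            except OSError as e:
                if e.errno != errno.ELOOP:   # ELOOP here means "is a symlink"
                    raise
                links += 1
                if links > max_links:
                    raise OSError(errno.ELOOP, "too many levels of symlinks")
                target = os.readlink(name, dir_fd=cur)
                if target.startswith("/"):   # absolute: interpret under root
                    for p in parents:
                        os.close(p)
                    parents = []
                    os.close(cur)
                    cur = os.dup(root_fd)
                parts = [p for p in target.split("/") if p not in ("", ".")] + parts
                continue
            if stat.S_ISDIR(os.fstat(fd).st_mode):
                parents.append(cur)
                cur = fd
            elif parts:
                os.close(fd)
                raise NotADirectoryError(name)
            else:
                return fd
        result, cur = cur, -1         # the path named a directory
        return result
    finally:
        for p in parents:
            os.close(p)
        if cur >= 0:
            os.close(cur)
        os.close(root_fd)


def _write(path, data):
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario (not from the advisory): `rootfs` stands in for
    a container filesystem and `<base>/motd` for a host-only file."""
    base = os.path.realpath(tempfile.mkdtemp())
    root = os.path.join(base, "rootfs")
    os.makedirs(os.path.join(root, "etc"))
    _write(os.path.join(root, "etc", "motd"), b"inside container")
    _write(os.path.join(base, "motd"), b"host only")
    os.symlink("etc/motd", os.path.join(root, "link"))   # in-scope symlink

    def swap():
        # Between check and use, the already-resolved directory becomes a
        # symlink to an absolute host path.
        os.rename(os.path.join(root, "etc"), os.path.join(root, "etc.orig"))
        os.symlink(base, os.path.join(root, "etc"))

    fd = open_in_root(root, "link")           # relative link resolves in scope
    in_scope = os.read(fd, 64)
    os.close(fd)
    racy = resolve_then_open(root, "etc/motd", racer=swap)   # reads host file
    try:
        fd = open_in_root(root, "etc/motd")   # absolute link re-anchored at root
        hardened = os.read(fd, 64)
        os.close(fd)
    except FileNotFoundError:
        hardened = None                        # <root>/<base>/motd does not exist
    shutil.rmtree(base)
    return in_scope, racy, hardened
```

Running `demo()` returns the in-scope read, the host-only bytes the naive path handed over after the swap, and `None` for the fd-anchored walk, which sees the swapped link but can only interpret it beneath the root. The essential property is that the kernel is never asked to resolve a multi-component host path; each step is an `openat`-style call on a single component, so there is nothing left to race.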

Source: Docker Bug Allows Root Access to Host File System | Decipher

Flipboard hacked and open for 9 months – fortunately passwords properly salted and encrypted so not much damage

In a series of emails seen by ZDNet that the company sent out to impacted users, Flipboard said hackers gained access to databases the company was using to store customer information.

Most passwords are secure

Flipboard said these databases stored information such as Flipboard usernames, hashed and uniquely salted passwords, and in some cases, emails or digital tokens that linked Flipboard profiles to accounts on third-party services.

The good news appears to be that the vast majority of passwords were hashed with a strong password-hashing algorithm named bcrypt, currently considered very hard to crack.

The company said that some passwords were hashed with the weaker SHA-1 algorithm, but they were not many.

“If users created or changed their password after March 14, 2012, it is hashed with a function called bcrypt. If users have not changed their password since then, it is uniquely salted and hashed with SHA-1,” Flipboard said.
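The quote above describes two hash populations in one user table: a weak salted SHA-1 scheme for accounts untouched since 2012 and bcrypt for everything newer. The following added example (not Flipboard's code) shows the two defender-side routines that matter in that situation: an inventory of how many records still sit on the weak scheme, and an upgrade-on-login verify that replaces a legacy hash the moment the user proves their password. `hashlib.scrypt` from the standard library stands in for bcrypt here purely because bcrypt is not in the stdlib; the record format `scheme$salt$digest` is an assumption.

```python
import hashlib
import hmac
import os

# Stored record format (assumed): "scheme$salt_hex$digest_hex".
# "sha1" is the weak per-user-salted SHA-1 the article describes; "scrypt"
# stands in for bcrypt only because bcrypt is not in the standard library.
LEGACY, STRONG = "sha1", "scrypt"


def _digest(scheme, salt, password):
    pw = password.encode()
    if scheme == LEGACY:
        return hashlib.sha1(salt + pw).hexdigest()
    if scheme == STRONG:
        return hashlib.scrypt(pw, salt=salt, n=2 ** 14, r=8, p=1).hex()
    raise ValueError(f"unknown scheme {scheme!r}")


def make_record(password, scheme=STRONG, salt=None):
    """Hash `password` with a unique per-user salt under `scheme`."""
    salt = salt if salt is not None else os.urandom(16)
    return f"{scheme}${salt.hex()}${_digest(scheme, salt, password)}"


def verify_and_upgrade(record, password):
    """Constant-time check of `password` against `record`.  Returns
    (ok, replacement): a successful login against a legacy hash yields a
    fresh strong record for the caller to write back, so weak hashes
    disappear as users log in instead of lingering for years."""
    scheme, salt_hex, digest = record.split("$")
    candidate = _digest(scheme, bytes.fromhex(salt_hex), password)
    if not hmac.compare_digest(candidate, digest):
        return False, None
    return True, (make_record(password) if scheme == LEGACY else None)


def audit(records):
    """Count stored hashes per scheme: after a breach, the legacy count is
    the population whose credentials are at realistic offline-cracking risk
    and therefore the minimum set that must be force-reset."""
    counts = {}
    for rec in records:
        scheme = rec.split("$", 1)[0]
        counts[scheme] = counts.get(scheme, 0) + 1
    return counts
```

The reason the two routines belong together: `audit` tells you how large the weak population is today, and `verify_and_upgrade` is what keeps it shrinking, which is exactly the mechanism whose absence left seven-year-old SHA-1 hashes in the table described above.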

[…]

In its email, Flipboard said it is now resetting all customer passwords, regardless if users were impacted or not, out of an abundance of caution.

Furthermore, the company has already replaced all digital tokens that customers used to connect Flipboard with third-party services like Facebook, Twitter, Google, and Samsung.

“We have not found any evidence the unauthorized person accessed third-party account(s) connected to your Flipboard accounts,” the company said.

Extensive breach

But despite some good news for users, the breach appears to be quite extensive, at least for the company’s IT staff.

According to Flipboard, hackers had access to its internal systems for almost nine months, first between June 2, 2018, and March 23, 2019, and then for a second time between April 21 and April 22, 2019.

The company said it detected the breach the day after this second intrusion, on April 23, while investigating suspicious activity on its database network.

Source: Flipboard says hackers stole user details | ZDNet

Laboratory Black Hole Shows Stephen Hawking Was Right – wait, they make black holes in labs now?!

Physicists have confirmed predictions of Stephen Hawking’s namesake theory of black holes using a black hole they constructed in their lab, according to a new paper.

This black hole isn’t like the black holes out in space, where gravity creates a region of spacetime so warped that light can’t escape. Instead, the researchers built a black hole analog using a strange quantum material called a Bose-Einstein condensate, in which the point of no return is for sound rather than light. Still, it’s an important verification of Hawking’s work.

“I’m interested in learning whatever we can about real black holes and real gravity,” study author Jeff Steinhauer, physicist at the Technion-Israel Institute of Technology, told Gizmodo.

Stephen Hawking’s landmark theory is called Hawking radiation. When trying to apply the physical laws governing heat to black holes, he realized that black holes must emit radiation from their surfaces. The mechanism marks a combination of quantum mechanics (the science of the smallest things) with gravity (the science of interactions between the most massive things). But astronomers haven’t been able to peer close enough to a black hole to prove or disprove the theory. Some scientists have instead turned to analogues in the lab.

The scientists created an elongated Bose-Einstein condensate by trapping 8,000 rubidium atoms in a focused laser beam. Bose-Einstein condensates are systems of ultra-cold atoms where strange quantum physical phenomena become more visible on larger scales. They are often used for analog-type experiments like these.

A second laser increases the potential energy on one side of the Bose-Einstein condensate, making it denser on that side. A sharp transition separates the denser area (considered to be outside the black hole) and the less dense area (inside the black hole). This transition moves at a constant speed through the condensate, but from the point of view of the experimenters, it appears to be stationary; instead, it looks as if all of the rubidium atoms are moving. Outside the black hole in the denser region, the speed of sound is faster than the speed of this flow, so sound waves can move in either direction. But in the less dense region—inside the black hole—the speed of sound is slower, so sound waves only travel away from the sharp transition and further into the black hole, as described in the paper published in Nature.

This experiment mimics one of the most important features of the black hole—outside the black hole, light can either move away from or into the black hole. But once inside the black hole, it cannot escape. The laboratory analogue replaces light with sound, and the researchers can measure sound waves both outside and inside their black hole’s “event horizon.” The signal of the Hawking radiation is a correlation between these two kinds of waves.

Steinhauer’s team previously observed Hawking radiation in this system back in 2016. But this time around, they made at least 21 improvements to the system in order to get a better signal. This was enough to pull out important information about the system’s radiation, namely that it has a thermal spectrum with a temperature determined only by the system’s analogous equivalent to gravity, a relationship between the speed of sound and its flow. This means that it emitted a continuous spectrum of wavelengths, rather than preferred wavelengths. These observations, and the temperatures, were exactly as predicted in Hawking’s theories.

“The way I see it, what we saw was that Hawking’s calculations were correct,” Steinhauer said. By correct, he means that they’re a real effect that happens in these kinds of systems. Whether they happen in real black holes in space, well, we don’t quite know yet. But they do show that if Hawking was correct, then any information that falls into a black hole is lost, the subject of an important black hole paradox.

Mathematician Silke Weinfurtner at the University of Nottingham in the United Kingdom wrote in a Nature commentary that the research was “promising” and that the scheme the researchers used to extract the temperature of the radiation was “clever.” Perhaps, she wrote, the setup will be useful in measuring other interesting quantum phenomena expected to occur near the black hole’s event horizon.

This research is yet another example of scientists using analogues to access physical phenomena that might otherwise be impossible to observe. It can serve as an important verification of the theories that drive our understanding of inaccessible things.

Next up, the researchers hope to repeatedly redo the experiment in order to determine how this Hawking radiation changes over time. And who knows, maybe one day we really will be able to measure these properties in actual black holes.

Source: Laboratory Black Hole Shows Stephen Hawking Was Right, Obviously

Apple’s privacy schtick is just an act, say folks suing the iGiant: iTunes ‘purchase histories sold’ to highest bidders

Apple has been hit with a class-action complaint in the US accusing the iGiant of playing fast and loose with the privacy of its customers.

The lawsuit [PDF], filed this month in a northern California federal district court, claims the Cupertino music giant gathers data from iTunes – including people’s music purchase history and personal information – then hands that info over to marketers in order to turn a quick buck.

“To supplement its revenues and enhance the formidability of its brand in the eyes of mobile application developers, Apple sells, rents, transmits, and/or otherwise discloses, to various third parties, information reflecting the music that its customers purchase from the iTunes Store application that comes pre-installed on their iPhones,” the filing alleged.

“The data Apple discloses includes the full names and home addresses of its customers, together with the genres and, in some cases, the specific titles of the digitally-recorded music that its customers have purchased via the iTunes Store and then stored in their devices’ Apple Music libraries.”

What’s more, the lawsuit goes on to claim that the data Apple sells is then combined by the marketers with information purchased from other sources to create detailed profiles on individuals that allow for even more targeted advertising.

Additionally, the lawsuit alleges the Music APIs Apple includes in its developer kit can allow third-party devs to harvest similarly detailed logs of user activity for their own use, further violating the privacy of iTunes customers.

The end result, the complaint states, is that Cook and Co are complicit in the illegal harvesting and reselling of personal data, all while pitching iOS and iTunes as bastions of personal privacy and data security.

“Apple’s disclosures of the personal listening information of plaintiffs and the other unnamed Class members were not only unlawful, they were also dangerous because such disclosures allow for the targeting of particularly vulnerable members of society,” the complaint reads.

“For example, any person or entity could rent a list with the names and addresses of all unmarried, college-educated women over the age of 70 with a household income of over $80,000 who purchased country music from Apple via its iTunes Store mobile application. Such a list is available for sale for approximately $136 per thousand customers listed.”

Source: Apple’s privacy schtick is just an act, say folks suing the iGiant: iTunes ‘purchase histories sold’ to highest bidders • The Register

Mysterious Chinese Dating Apps Targeting US Customers Expose 42.5 Million Records Online

On May 25th I discovered a non password protected Elastic database that was clearly associated with dating apps based on the names of the folders. The IP address is located on a US server and a majority of the users appear to be Americans based on their user IP and geolocations. I also noticed Chinese text inside the database with commands such as:

• 模型更新完成事件已触发,同步用户到
• according to Google Translate: The model update completion event has been triggered, syncing to the user.

The strange thing about this discovery was that there were multiple dating applications all storing data inside this database. Upon further investigation I was able to identify dating apps available online with the same names as those in the database. What really struck me as odd was that despite all of them using the same database, they claim to be developed by separate companies or individuals that do not seem to match up with each other. The Whois registration for one of the sites uses what appears to be a fake address and phone number. Several of the other sites are registered private and the only way to contact them is through the app (once it is installed on your device).

Finding several of the users’ real identities was easy and only took a few seconds to validate them. The dating applications logged and stored the user’s IP address, age, location, and user names. Like most people’s, your online persona or user name is usually well crafted over time and serves as a unique cyber fingerprint. Just like a good password, many people use it again and again across multiple platforms and services. This makes it extremely easy for someone to find and identify you with very little information. Nearly every unique username I checked appeared on multiple dating sites, forums, and other public places. The IP and geolocation stored in the database confirmed the location the user put in their other profiles using the same username or login ID.

Source: Mysterious Chinese Dating Apps Targeting US Customers Expose 42.5 Million Records Online – Security Discovery

Newly Released Amazon Patent Shows Just How Much Creepier Alexa Can Get

A newly revealed patent application filed by Amazon is raising privacy concerns over an envisaged upgrade to the company’s smart speaker systems. This change would mean that, by default, the devices end up listening to and recording everything you say in their presence.

Alexa, Amazon’s virtual assistant system that runs on the company’s Echo series of smart speakers, works by listening out for a ‘wakeword’ that tells the device to turn on its extended speech recognition systems in order to respond to spoken commands.

[…]

In theory, Alexa-enabled devices will only record what you say directly after the wakeword, which is then uploaded to Amazon, where remote servers use speech recognition to deduce your meaning, then relay commands back to your local speaker.

But one issue in this flow of events, as Amazon’s recently revealed patent application argues, is it means that anything you say before the wakeword isn’t actually heard.

“A user may not always structure a spoken command in the form of a wakeword followed by a command (eg. ‘Alexa, play some music’),” the Amazon authors explain in their patent application, which was filed back in January, but only became public last week.

“Instead, a user may include the command before the wakeword (eg. ‘Play some music, Alexa’) or even insert the wakeword in the middle of a command (eg. ‘Play some music, Alexa, the Beatles please’). While such phrasings may be natural for a user, current speech processing systems are not configured to handle commands that are not preceded by a wakeword.”

To overcome this barrier, Amazon is proposing an effective workaround: simply record everything the user says all the time, and figure it out later.

Rather than only record what is said after the wakeword is spoken, the system described in the patent application would effectively continuously record all speech, then look for instances of commands issued by a person.

Source: Newly Released Amazon Patent Shows Just How Much Creepier Alexa Can Get

wow – a continuous spy in your home

Germany thinks about resurrecting the Stasi, getting rid of end-to-end chat app encryption and requiring decrypted plain-text.

Government officials in Germany are reportedly mulling a law to force chat app providers to hand over end-to-end encrypted conversations in plain text on demand.

According to Der Spiegel this month, the Euro nation’s Ministry of the Interior wants a new set of rules that would require operators of services like WhatsApp, Signal, Apple iMessage, and Telegram to cough up plain-text records of people’s private enciphered chats to authorities that obtain a court order.

This would expand German law, which right now only allows communications to be gathered from a suspect’s device itself, to also include the companies providing encrypted chat services and software. True and strong end-to-end encrypted conversations can only be decrypted by those participating in the discussion, so the proposed rules would require app makers to deliberately knacker or backdoor their code in order to comply. Those changes would be needed to allow them to collect messages passing through their systems and decrypt them on demand.

Up until now, German police have opted not to bother with trying to decrypt the contents of messages in transit, opting instead to simply seize and break into the device itself, where the messages are typically stored in plain text.

The new rules are set to be discussed by the members of the interior ministry in an upcoming June conference, and are likely to face stiff opposition not only on privacy grounds, but also in regards to the technical feasibility of the requirements.

Spokespeople for Facebook-owned WhatsApp, and Threema, makers of encrypted messaging software, were not available to comment.

The rules are the latest in an ongoing global feud between the developers of secure messaging apps and governments. The apps are designed in part to let citizens, journalists, and activists communicate securely, away from the prying eyes of oppressive government regimes.

The governments, meanwhile, say that the apps also provide a safe haven for criminals and terror groups that want to plan attacks and illegal activities, making it harder for intelligence and police agencies to perform vital monitoring tasks.

The app developers note that even if governments do try to implement mandatory decryption (aka backdoor) capabilities, actually getting those tools to work properly, without opening up a massive new security hole in the platforms that miscreants and criminals could exploit, would be next to impossible.

Source: Germany mulls giving end-to-end chat app encryption das boot: Law requiring decrypted plain-text is in the works • The Register

Whatever happened to mail confidentiality then?

Google Now Forces Microsoft Edge Preview Users to Use Chrome for the Modern YouTube Experience – a bit like they fuck around with Firefox

Microsoft started testing a new Microsoft Edge browser based on Chromium a little while ago. The company has been releasing new canary and dev builds for the browser over the last few weeks, and the preview is actually really great. In fact, I have been using the new Microsoft Edge Canary on my main Windows machine and my MacBook Pro for more than a month, and it’s really good.

But if you watch YouTube quite a lot, you will face a new problem on the new Edge. It turns out, Google has randomly disabled the modern YouTube experience for users of the new Microsoft Edge. Users are now redirected to the old YouTube experience, which lacks the modern design as well as the dark theme for YouTube, as first spotted by Gustave Monce. And when you try to manually access the new YouTube from youtube.com/new, YouTube simply asks users to download Google Chrome, stating that the Edge browser isn’t supported. Ironically, the same page states “We support the latest versions of Chrome, Firefox, Opera, Safari, and Edge.”

The change affects the latest versions of Microsoft Edge Canary and Dev channels. It is worth noting that the classic Microsoft Edge based on EdgeHTML continues to work fine with the modern YouTube experience.

The weird thing here is that Microsoft has been working closely with Google engineers on the new Edge and Chromium. Both companies’ engineers are working together to improve Chromium and introduce new features like ARM64 support. So it’s very odd that Google would prevent users of the new Microsoft Edge browser from using the modern YouTube experience. This is most likely an error on Google’s part, but it could be intentional, too — we really don’t know for now.

Source: Google Now Forces Microsoft Edge Preview Users to Use Chrome for the Modern YouTube Experience – Thurrott.com

See also:
Google isn’t the company that we should have handed the Web over to: why MS switching to Chromium is a bad idea

SpaceX Starlink satellites dazzle but pose big questions for astronomers – Musk thought things out well again, not.

The first batch of satellites were launched from Cape Canaveral, Florida, and deployed to orbit by a Falcon 9 rocket on May 23. Each contains a single solar array, which both captures and bounces sunlight off the satellites and, as a result, can sometimes be seen from Earth. On May 25, as the drifting luminescent army of satellites zoomed overhead, Dutch satellite tracker Marco Langbroek captured their marching, posting a stunning video to Vimeo.

In time, the satellites will drift apart and head to specific orbits so that satellite internet coverage can be beamed to every corner of the globe.

However, as the unusual display in the night sky quickly gathered steam across social media, some astronomers began to point out the potential problems the satellite system may pose for astronomy. At present, only 60 satellites are moving into their orbit, but eventually that number will reach 12,000, and a megaconstellation will encircle the Earth. Practically overnight, our view of the sky has changed.

“We’ve become used to change in space activities as slow and incremental, and suddenly, it’s fast and speeding up,” said Alice Gorman, space archeologist at Flinders University, Australia. “By its very visibility, Starlink has opened up some big questions: who gets to use Earth orbit and what for?”


Indeed, Starlink would triple the number of satellites orbiting the Earth. If thousands of satellites are sent into orbit, our view of space changes. Will we find ourselves in a position where it’s impossible to investigate the cosmos from the ground?

The quick answer: not forever, no. SpaceX designed the Starlink satellites to fall back to the Earth after about five years of service.

“The satellites are meant to put themselves in a re-entry orbit at the end of their mission life, and remove themselves from the debris population by burning up,” says Gorman.

But the long answer is: potentially. Astronomers already wrangle with the problems posed by space robots and satellites circling the Earth whenever they turn their ground-based telescopes toward the stars. Bright, reflective surfaces pose a problem because they obstruct our view of the universe.

More satellites equals cloudier vision, and Starlink plans to launch more satellites than ever.

When the sun is reflecting off the satellites’ solar panels, astronomers will have to account for the appearance of the satellites in their images. SpaceX was relatively mum about the design of the satellites leading up to launch, so it’s come as a bit of a surprise to some astronomers just how bright they are. However, the satellites will position their solar panels as they establish themselves in orbit, which should reduce their brightness.

Jonathan McDowell, an astronomer with the Harvard-Smithsonian Center for Astrophysics, perhaps summed it up best in a tweet, saying the satellites are “brighter than we had expected and still a problem, but somewhat less of a sky-is-on-fire problem.”

“Somewhat less of a sky-is-on-fire problem” sounds slightly reassuring, at least. But there do seem to be clear issues for the astronomy community.

Elon Musk, SpaceX CEO, jumped to the defense of his satellite system and noted on Twitter how “potentially helping billions of economically disadvantaged people is the greater good,” while making it clear that SpaceX plans to limit Starlink’s effects on astronomy. “We care a great deal about science,” Musk tweeted. He said he’s sent a note to the Starlink team to reduce albedo — that is, the amount of light the satellites reflect.

In addition, after a user suggested placing space telescopes using Starlink chassis into orbit to appease the astronomers, Musk said he “would love to do exactly that.” That might ease concerns, but will it slow our quickening colonization of Earth’s orbit? Unlikely.

“Space agencies and organizations have been cluttering the sky for decades and taking a very lax attitude to the long-term consequences,” said Gorman.

With a number of satellite constellations on the way, it will be critical for regulatory bodies and satellite providers to adequately manage the space debris and satellite problem, lest all of our space robots collide and lock us on Earth forever (yes, that’s a faint but possible catastrophic scenario).

Source: SpaceX Starlink satellites dazzle but pose big questions for astronomers – CNET