August 5, 2019
Space agency uses Raspberry Pi to solve satellite encryption puzzle
By John E Dunn
How does the European Space Agency (ESA) communicate securely with satellites and space missions?
Surprisingly, until relatively recently it often didn’t – something which is still true for smaller, cheaper satellites such as CubeSats.
Now ESA hopes that an experiment consisting of a small module built around a tiny Raspberry Pi Zero board controlled from a laptop on the ground will close this hypothetical security issue at very low cost.
It’s called the Cryptography ICE Cube (or CryptIC), measures only 10x10x10cm, and is the brainchild of a special ESA department called the International Commercial Experiments service, or ICE Cubes for short.
Currently installed on the Cygnus NG-11, launched in April 2019, the CryptIC box is a small unit shielded from the high radiation levels in space using a plastic coating.
However, while the coating protects the electronics from the worst of the radiation, it isn’t enough to stop interference with the microprocessors used to make encryption possible. ESA software product assurance engineer, Emmanuel Lesser, explains:
In orbit the problem has been that space radiation effects can compromise the key within computer memory causing ‘bit-flips’.
This is enough to disrupt communication as keys used on the ground and in space no longer match up.
The traditional solution to this is to use radiation-hardened equipment, but this is expensive.
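Lesser's point is that a single bit-flip in the key held in memory is enough to desynchronise ground and spacecraft. The block below is an added illustration, not CryptIC's or ESA's code: it keeps three copies of a key, checks them against a SHA-256 digest computed at provisioning, and repairs a single upset by majority vote, while showing the case voting cannot repair (the key bytes are constructed sample values).

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ProtectedKey:
    """Three copies of a symmetric key plus a digest taken when it was loaded."""
    copies: List[bytearray]   # three independent copies held in memory
    digest: bytes             # SHA-256 of the correct key, computed on the ground


def protect(key: bytes) -> ProtectedKey:
    """Store the key redundantly so a later upset in one copy can be outvoted."""
    return ProtectedKey([bytearray(key) for _ in range(3)],
                        hashlib.sha256(key).digest())


def flip_bit(buf: bytearray, bit_index: int) -> None:
    """Simulate a radiation-induced single-event upset at one bit position."""
    buf[bit_index // 8] ^= 1 << (bit_index % 8)


def recover(pk: ProtectedKey) -> Optional[bytes]:
    """Majority-vote each byte across the three copies, then verify the digest.

    Returns the recovered key, or None when voting could not undo the damage
    (for example the same bit flipped in two of the three copies)."""
    voted = bytearray()
    for a, b, c in zip(*pk.copies):
        # bitwise majority: a bit is 1 only if at least two copies agree on 1
        voted.append((a & b) | (a & c) | (b & c))
    if hashlib.sha256(bytes(voted)).digest() != pk.digest:
        return None
    # scrub: rewrite all copies so a second upset later cannot outvote the truth
    for copy in pk.copies:
        copy[:] = voted
    return bytes(voted)


# constructed 256-bit sample key, not a real key
SAMPLE_KEY = bytes(range(32))


def demo_single_upset() -> bool:
    """One flipped bit in one copy: voting repairs it and the digest matches."""
    pk = protect(SAMPLE_KEY)
    flip_bit(pk.copies[1], 77)
    return recover(pk) == SAMPLE_KEY and all(bytes(c) == SAMPLE_KEY for c in pk.copies)


def demo_correlated_upset() -> bool:
    """The same bit flipped in two copies outvotes the good copy; digest check catches it."""
    pk = protect(SAMPLE_KEY)
    flip_bit(pk.copies[0], 5)
    flip_bit(pk.copies[2], 5)
    return recover(pk) is None
```

The digest check is what turns a silent mismatch with the ground station into a detectable fault that can trigger a rekey instead of a dead link.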
Read more at https://nakedsecurity.sophos.com/2019/08/02/space-agency-uses-raspberry-pi-to-solve-satellite-encryption-puzzle/
4 million Club Penguin Rewritten accounts exposed in breach
By John E Dunn
Last Friday, the hugely popular gaming site Club Penguin Rewritten (CPRewritten) suffered a data breach that exposed four million user accounts.
Having account data including email addresses, usernames, IP addresses and passwords hacked is bad enough in any event, but this was made much worse by the fact that it came on the back of a separate breach in January 2018 affecting 1.7 million accounts, which was made public more than a year later.
The cause of the latest breach? According to someone connected to CPRewritten who contacted news site Bleeping Computer this week, the hack happened after hackers accessed a hidden PHP database back door put there by a former site admin last year.
It’s a version of events that both the individual concerned and a hacking group that has claimed responsibility for the hack strenuously deny.
The New World Order group who claim credit for the breach say they compromised the site using a vulnerability in the Adminer database administration tool. Regarding the admin’s involvement, they tweeted this:
…he had nothing to do with it. CPR admins know who we are, we’re responsible for the database breaches of many other CPPSes.
July breach
CPRewritten launched in 2017 in order to continue the earlier Club Penguin (CP), which was shut by owners Disney in the same year.
A year later it was announced that Club Penguin, too, would be closing, a decision that was reversed a month later after extra funding was found.
Read more at https://nakedsecurity.sophos.com/2019/08/02/4-million-club-penguin-rewritten-accounts-exposed-in-breach/
Anime filter glitches, exposing face of one extremely smart vlogger
By Lisa Vaas
Full disclosure.
Before delving into the case of a Chinese vlogger whom the public was aghast to find out was older than her filters made her out to be, I should tell you that the photo on my bio for Naked Security isn’t real.*
This is how I look without filters.
Forgive the deception. It’s necessary for me to eat your species. I mean mate with. I mean, hey, look over there, is that a blimp?
As the BBC tells it, the vlogger in question calls herself “Your Highness Qiao Biluo”. The porcelain-skinned cutie-pie was quite popular before the porcelain cracked during an interview she was doing with another vlogger, the jaw-droppingly cute, presumably-without-filters Qingzi, on the Chinese video-game live-streaming platform DouYu, which is similar to Twitch.
Qiao Biluo had nearly 130,000 followers on DouYu before a computer glitch removed the filter she was using to make herself look like an anime doll (and thus imminently worthy of cash donations).
You can see for yourself how Your Highness Qiao Biluo’s filters failed during the chat, since it was captured on YouTube. She’s the woman on the right.
According to the BBC, the live-streaming platform Lychee News reported that the filter failure happened on 25 July, during the joint live-stream.
According to Global News, up until the filter fail, the vlogger had covered her face with an anime sticker. The BBC has a picture of Qiao Biluo using a filter in previous videos to make herself look younger:
"China has more than 425 million live-streamers and the use of face filters is something that is common across the… twitter.com/i/web/status/1…" — Resh (@thebooksatchel) August 01, 2019
Prior to the accidental reveal, fans had been sending in donations, even without seeing her face, but had also been begging Qiao Biluo to remove her filter so they could see the real McCoy.
Read more at https://nakedsecurity.sophos.com/2019/08/02/anime-filter-glitches-exposing-face-of-one-extremely-smart-vlogger/
Facebook is working on mind-reading
By Lisa Vaas
How does the prospect of Facebook learning how to read minds strike you?
Fellow social media-participating lab rats, you are likely already aware that Facebook has been crafted on the principles of Las Vegas-esque addiction, the idea being to exploit human psychology by giving us little hits of dopamine with those “Likes” in order to keep us coming back to the platform like slot machine addicts feeling favored by Lady Luck.
In 2017, ex-president of Facebook Sean Parker told us all about Facebook’s nonchalantly endeavoring to get us addicted, during that era’s spate of mea-culpa’ing.
This is all just to say that it might be reasonable to worry about Facebook playing around with our wetware. There might be reasons why somebody might not trust Facebook with direct access to their brain.
But one of Facebook’s technology research projects – the funding of artificial intelligence (AI) algorithms capable of turning brain activity into speech – may be altruistic.
It’s about creating a brain-computer interface (BCI) that allows people to type just by thinking, and Facebook has announced that it has just achieved a first in the field: while previous decoding has been done offline, for the first time a team at the University of California San Francisco has managed to decode a small set of full, spoken words and phrases from brain activity in real time.
In an article published on Tuesday in Nature Communications, University of California San Francisco (UCSF) neurosurgeon Edward Chang and postdoctoral student David Moses published the results of a study demonstrating that brain activity recorded while people speak could be used to almost instantly decode what they were saying into text on a computer screen.
Chang also runs a leading brain mapping and speech neuroscience research team dedicated to developing new treatments for patients with neurological disorders. In short, he’s the logical choice for the BCI program, which Facebook announced at its F8 conference in 2017. The program’s goal is to build a non-invasive, wearable device that lets people type by simply imagining that they’re talking.
Read more at https://nakedsecurity.sophos.com/2019/08/02/facebook-is-working-on-mind-reading/
Researchers hack camera in fake video attack
By Danny Bradbury
Tampering with surveillance cameras is a common activity for Hollywood heroes and criminals alike. Now, researchers have shown how they can do it in real life.
Remember Speed, the 1994 movie where Keanu Reeves and Sandra Bullock had to keep a bus moving above a certain speed to stop Dennis Hopper blowing it up? Hopper’s character, Howard Payne, watches them with a hidden video camera. Any funny business, and he presses the button. To fool him, they persuade a local news crew to record the camera footage and then broadcast it in a loop, enabling everyone to escape while convincing Payne that they were still there.
Back then, cameras were analogue, but researchers at security company Forescout have demonstrated how to do the same thing with digital cameras over a network.
They conducted the project, which they described in a technical paper, to see how easy it would be to attack internet-connected smart building environments rather than save speeding buses. They set up a test network incorporating smart lighting, IP surveillance cameras, and an IoT device that connected energy consumption and space consumption sensors.
Technology may make things more functional, but it also makes them more hackable. Many IP cameras come with weak protocols such as Telnet and FTP enabled by default, they pointed out – even when their users don’t need them. This needlessly increases the attack surface of the devices. They also stream video using the unencrypted Real-time Transport Protocol (RTP), controlled by the Real Time Streaming Protocol (RTSP).
There are secure versions of RTP and RTSP, but Forescout’s report said that it rarely sees them used in real-world deployments. You could tunnel the RTSP stream through an encrypted protocol such as a Transport Layer Security (TLS) stream, but again, vendors typically don’t bother.
Forescout’s team verified that they could gain access to the network by compromising an existing device. Given the reliance on default login credentials, this is all too common. Hackers can then use a compromised device to attack other devices on the network.
Read more at https://nakedsecurity.sophos.com/2019/08/01/researchers-hack-camera-in-fake-video-attack/