Fruit Fly Movements Imitated by Giant Robot Brain Controlled by Humans

They say fruit flies like a banana, and new science may now be able to prove that theory because robot brains have figured out that to the vector go the spoils.

The Micro Air Vehicle Lab (MAVLab) has just published their latest research:

The manoeuvres performed by the robot closely resembled those observed in fruit flies. The robot was even able to demonstrate how fruit flies control the turn angle to maximize their escape performance. “In contrast to animal experiments, we were in full control of what was happening in the robot’s ‘brain’.”

Can’t help but notice how the researchers emphasize getting away from threats with “high-agility escape manoeuvres” as a primary motivation for their work, which isn’t bananas. In my mind escape performance translates to better wind agility and therefore weather resilience.

The research also mentions the importance of rapidly deflating costs in flying machines. No need to guess who would really want such an affordable threat-evading flying machine.

I mean times really have changed since the 1970s, when:

Developed by CIA’s Office of Research and Development in the 1970s, this micro Unmanned Aerial Vehicle (UAV) was the first flight of an insect-sized aerial vehicle (Insectothopter). It was an initiative to explore the concept of intelligence collection by miniaturized platforms.

The Insectothopter was plagued by an inability to fly in actual weather, as even the slightest breeze would render it useless. In terms of lessons learned, the same problem cropped up with Facebook’s (now cancelled) intelligence collection by elevated platform:

On June 28, 2016, at 0743 standard mountain time, the Facebook Aquila unmanned aircraft, N565AQ, experienced an in-flight structural failure on final approach near Yuma, Arizona. The aircraft was substantially damaged. There were no injuries and no ground damage. The flight was conducted under 14 Code of Federal Regulations Part 91 as a test flight; the aircraft did not hold an FAA certificate of airworthiness.

Instead of getting into the “airworthiness” of fruit flies, I will simply point out that “final approach” is where the winds blow and the damage occurred. If only Facebook had factored in some escape performance maximization to avoid the ground hitting them so dangerously when they landed.

Police Say Man Who Stole Tesla Model 3 Charged With Battery

Many moons ago you may remember this introduction to one of my car-hacking posts:

First, you need a Vehicle Identification Number (VIN). You can ask your friends or family for their VIN. You can walk into a parking lot, especially a Jeep dealer’s, and look at the VIN. Or you can search craigslist for a VIN. I used the SF bay area site but you can search anywhere using a simple URL modification…

The VIN is a token, and a fairly important one: manufacturers need to threat model how it can be used by an adversary. Alas it sits in plain view, both in person and online.

We interrupt this PSA about credential management to bring you a hot story about a brand new cutting edge technology Model 3 Tesla being stolen.

…a regular at the Trevls EV-only rent-a-car company in Minnesota was the key suspect in stealing a Model 3 rental car owned by the agency. According to the owner of Trevls, John Marino, the man simply walked up to the Model 3, opened it, got in, started it and drove off. Bloomington police are saying that “the man somehow manipulated the Tesla app to unlock and start the car, disabling the GPS before leaving town.”

The key here for the key suspect, puns intended, seems to be that this Tesla had been rented before. The suspect had the VIN associated with his account and used the application, so for a while he was a valid driver. A VIN has to be associated with an account to run the application, and I think most Tesla owners would not want any path for their public VINs to be “matched” to someone else’s account.

Alas, a rental company does exactly that, putting a VIN in random people’s accounts. The rental company claims they remove the VIN from a customer account after their rental, thus denying any further authorization. However, this driver likely realized that, since he had been authenticated as a driver of that car at least once, he could probably contact Tesla support and somehow convince them to add the VIN back to his account without the rental company’s authorization. Or maybe the removal process wasn’t clean. Deprovisioning is notoriously hard in any credential system.
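To make the deprovisioning point concrete, here is an added toy model of the two ways a rental company could be given access to put a renter on a car. It is written for this post and is not Tesla’s or Trevls’ system; the class name, the VIN string and the account ids are all made up. The weak model binds a VIN to an account until someone remembers to remove it; the hardened model issues a grant bounded by the rental window, checks it on every unlock/start, and only lets the registered owner of the vehicle issue or re-issue it, so a “please add it back for me” request from the former renter goes nowhere.

```javascript
// Added illustration for this page: a toy fleet-access registry showing the two
// deprovisioning models discussed above. It is NOT Tesla's or Trevls' system; every
// name (VehicleAccess, the VIN, account ids) is made up.
//
// Weak model: a VIN is bound to a renter's account until somebody remembers to remove it.
// Hardened model: the vehicle's owner issues a grant bounded by the rental window, the
// check runs on every unlock/start, and only the owner can re-issue it.

class VehicleAccess {
  constructor() {
    this.owners = new Map(); // vin -> owner account
    this.sticky = new Map(); // renter account -> Set of VINs (weak model)
    this.grants = [];        // { account, vin, expiresAt, revoked } (hardened model)
  }

  registerVehicle(vin, owner) {
    this.owners.set(vin, owner);
  }

  // ---- weak model: unbounded binding, manual cleanup ----
  addSticky(account, vin) {
    if (!this.sticky.has(account)) this.sticky.set(account, new Set());
    this.sticky.get(account).add(vin);
  }

  removeSticky(account, vin) {
    const vins = this.sticky.get(account);
    if (vins) vins.delete(vin);
  }

  canDriveSticky(account, vin) {
    const vins = this.sticky.get(account);
    return vins !== undefined && vins.has(vin);
  }

  // ---- hardened model: owner-issued, time-bounded grants ----
  // Returns false when the requester is not the registered owner of the VIN,
  // which is the "add it back to my account" path a former renter would try.
  issueGrant(requester, account, vin, expiresAt) {
    if (this.owners.get(vin) !== requester) return false;
    this.grants.push({ account, vin, expiresAt, revoked: false });
    return true;
  }

  revokeGrant(requester, account, vin) {
    if (this.owners.get(vin) !== requester) return false;
    for (const g of this.grants) {
      if (g.account === account && g.vin === vin) g.revoked = true;
    }
    return true;
  }

  // Evaluated on every unlock/start: an expired grant fails closed even if nobody
  // ever got around to revoking it.
  canDrive(account, vin, now) {
    return this.grants.some(
      (g) => g.account === account && g.vin === vin && !g.revoked && now < g.expiresAt,
    );
  }
}

// Scenario: a two-day rental, no cleanup by the rental company afterwards, and the
// renter returning a week later to try both the stale binding and the re-add route.
function rentalScenario() {
  const OWNER = 'rental-co';          // constructed
  const RENTER = 'renter-42';         // constructed
  const VIN = 'VIN-PLACEHOLDER-0001'; // constructed, not a real VIN
  const DAY = 24 * 60 * 60 * 1000;
  const start = Date.UTC(2018, 8, 1);
  const end = start + 2 * DAY;
  const weekLater = end + 7 * DAY;

  const registry = new VehicleAccess();
  registry.registerVehicle(VIN, OWNER);
  registry.addSticky(RENTER, VIN);
  registry.issueGrant(OWNER, RENTER, VIN, end);

  return {
    duringRental: registry.canDrive(RENTER, VIN, start + DAY),
    // nobody called removeSticky(): the weak model still says yes a week later
    stickyAfter: registry.canDriveSticky(RENTER, VIN),
    boundedAfter: registry.canDrive(RENTER, VIN, weekLater),
    // renter asks for the VIN to be put back; only the owner can do that
    renterReadd: registry.issueGrant(RENTER, RENTER, VIN, weekLater + DAY),
    ownerReadd: registry.issueGrant(OWNER, RENTER, VIN, weekLater + DAY),
    afterOwnerReadd: registry.canDrive(RENTER, VIN, weekLater),
  };
}
```

Running `rentalScenario()` shows the stale sticky binding still authorizing a week after the rental while the bounded grant has already expired, and the renter’s own re-add attempt refused where the owner’s succeeds. The point is that the expiry makes forgetting to deprovision harmless, and tying re-issue to the owner takes the support desk out of the social-engineering path.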

I’m going to go out on a limb here and say the Tesla application and driver support system wasn’t sufficiently threat modeled for the kind of VIN use that rental companies require, let alone social engineering talent of rental customers.

It reminds me of once sitting down with an automobile manufacturer and telling them that while I enjoyed hacking cars I wasn’t about to start inserting USB into my rentals…and they interrupted me with a disgusted look on their face to say “WHY NOT?” I meekly explained I thought a lab was more appropriate, as it would be dangerous for others to be renting cars I had been hacking on, especially when rental use wasn’t in the threat models (it wasn’t).

Police were scrambling for clues when this Tesla disappeared because, after the suspect reportedly disabled GPS, all the usual tracking signals (e.g. NFC/RFID scanning) on Interstate roads weren’t being helpful. The Tesla owner (the rental company), on the other hand, noticed the stolen car connecting to the charging network 1,000 miles from the scene of the crime (Minnesota to Texas in two days). Police simply went to the charging station and there they found the lazy thief, who despite noticing a loophole in authorization and a means to disable GPS failed to think about other ways he could be charged.

And yes I wrote this entire thing just for the puns. You’re welcome.

Update Sept 15: Tesla has pushed an update (2018.34.1) that offers a “PIN to drive” security option to limit use of a key.

No word yet on the resilience of the “forgot PIN, enter credentials to drive” flow to social engineering. More to the point, this update does not seem to apply PIN to drive when using the mobile application with “keyless driving”…perhaps because if you can enter credentials for keyless driving you could start the car with the same credentials in the forgot PIN screen.

New Bar for Soldier Performance Readiness

You might be wondering if this post is about raising the physical performance bar for a soldier, and it actually is the opposite. When I say bar I mean food. And by new bar, I mean something tasty like chocolate, which lowers the dangers from physical stress.

With that in mind, here’s a funny quote about making health improvements in military training:

“Research showed compliance was better when calcium and vitamin D were provided in a fortified bar,” said Army Maj. Kayla Ramotar, dietitian with the Army’s Training and Doctrine Command. “Trainees don’t get a lot of treats during basic training, and since this bar is made of chocolate, we know compliance won’t be an issue. It’s a lot more enticing than having to swallow a bunch of pills.”

I’m imagining a poster now that says “Basic training. It’s no treat.”

Bottom line is that bone fractures were causing high numbers of drop-outs after strenuous physical tests. So the military has turned the sage old theory of “milk and cookies before bedtime” into a vitamin D enriched calcium bar. I suppose the tryptophan angle of this could mean people sleep better at night, which stimulates better recovery, but it seems like they’re going for the more direct vitamin-to-bone-strength results.

From a personal perspective I do believe a high consumption of vitamin D and calcium (I often was drinking a gallon of milk per day) prevented fractures many times over. One day, as I sat up on an examination table and my eyes involuntarily poured water, doctors repeatedly questioned me about incident details because they expected to see fractures where there were none.

This performance bar sounds more convenient than how I managed my diet, for sure, and I am going to wager right now that the study of 4,000 soldiers who eat the bar reveals positive results.

RiskIQ Breaks Down the Magecart Role in BA Breach

The RiskIQ blog post explaining their analysis of the giant BA breach, built entirely from crawling publicly accessible pages, is excellent and in-depth. Here’s the executive summary, five things you need to know, because several people have been asking me for this.

1) Small custom changes bypassed the usual monitoring and alarms:

…Magecart is so common for us that we get at least hourly alerts for websites getting compromised with their skimmer-code…[yet with BA] we had no hits in our blacklist incidents or suspects because the Magecart actors customized their skimmer in this case.

2) Thus, finding the attack meant looking for a different change, which turned out to be in the baggage claim code:

…we would verify all the unique scripts on the website and only look at them again if their appearance changed in our crawling. Eventually, we recorded a change in one of the scripts. Opening up the crawl, we saw this script was a modified version of the Modernizr JavaScript library, version 2.6.2…

3) Attackers became so familiar with their targeted environment they used several layers of obfuscation down to the infrastructure level:

The infrastructure used in this attack was set up only with British Airways in mind and purposely targeted scripts that would blend in with normal payment processing to avoid detection. We saw proof of this on the domain name baways.com as well as the drop server path. The domain was hosted on 89.47.162.248 which is located in Romania and is, in fact, part of a VPS provider named Time4VPS based in Lithuania. The actors also loaded the server with an SSL certificate. Interestingly, they decided to go with a paid certificate from Comodo instead of a free LetsEncrypt certificate, likely to make it appear like a legitimate server

4) Changes to the script were minimal and leveraged existing business logic to fit in, just enough to redirect payment information:

On websites, mouseup and touchend are events for when someone lets go of the mouse after clicking on a button or when someone on a touchscreen (mobile) device lets go of the screen after pushing a button. This means that once a user hits the button to submit their payment on the compromised British Airways site, the information from the payment form is extracted along with their name and sent to the attacker’s server.

5) Ability to change a script leaves open the question of privileged access management, and how contained the attacks are:

…the fact that they were able to modify a resource for the site tells us the access was substantial…British Airways wasn’t a compromise of a third-party supplier like the attack on Ticketmaster, it does raise the question of payment form security…

Kudos to RiskIQ for providing a dump of their data collection and analysis of what changed in the scripts.

In summary, this example of a blacklist failing is a very good case for why whitelists are better. Had British Airways been monitoring their payment-page scripts for changes (a 2012 script modified in 2018 to look like a script from 2012) and pinned them with cryptographic hashes or signatures, they would have been able to detect this attack. No blacklist is going to find a business process attack designed to look like the business process, unless exceptionally lucky, once a privilege escalation has occurred (essentially an impostor scenario). At that point change control and alerting are the last and best line of defense, with one caveat: whoever can rewrite a script on the site can usually rewrite the hash published next to it too, so the known-good values have to be kept and checked somewhere the site’s own privileges do not reach.