Home Blog Page 44

Munich glove startup Proglove sold for a monster sum

0

Proglove supplies industrial groups with intelligent gloves, Volkswagen and Lufthansa use them, for example. Now a financial investor is buying the startup.

Founder Thomas Kirchner (left) with Proglove managing director and ex-Teamviewer boss Andreas König.
Proglove / Workaround GmbH

The Munich startup Proglove has apparently managed a remarkable exit. As the Frankfurter Allgemeine Zeitung (FAZ) reports, the Swedish private equity investor Nordic Capital is taking over the manufacturer of industrial wearables. According to the newspaper, the purchase contract is “freshly signed”, and Nordic Capital also confirmed the takeover when asked. According to FAZ information, Proglove was last valued at around 500 million euros. When asked by Gründerszene, a spokesman confirmed the exit, but did not want to comment on the sum. It was agreed not to disclose the exact amount of the stake. But it is a majority takeover.

Like many industry-related startups, Proglove flew under the radar for a long time. In the industry itself, the company, which was founded in 2014, is considered a flagship project for the possibilities of digitization: Proglove manufactures intelligent gloves that employees in production and logistics can use to work faster and more safely. Sensors and scanners in the glove, for example, recognize which components a worker is holding and whether they are being used correctly. According to the website, corporations such as DHL, Lufthansa, Volkswagen and Mediamarkt use the technology.

First prototype with iPod

The idea goes back to the founders Thomas Kirchner and Paul Günther. They made their first prototypes during their studies using a hardware store glove and an old iPod. “It couldn’t do anything technically, but it looked cool,” Kirchner once told Wirtschaftswoche. They were able to convince Intel, among others, with their concept: the US chip giant was one of the first investors in the startup. Proglove’s other backers include Bayern Kapital and Summit Partners. In total, more than 45 million euros flowed into the company.

read too

Facebook buys “Lion’s Den” startup Presize

According to the FAZ, there is a reason why a financial investor and not an industrial group is buying the start-up: Nordic Capital envisions a growth story on the scale of Teamviewer. In 2014, the financial investor Permira took over the Göppingen remote maintenance specialist and five years later successfully listed it on the stock exchange. This could now also be the case for Proglove. “That’s the plan, yes. The company really has the potential to get really big,” said Proglove boss Andreas König of the FAZ. König himself is no stranger: he was previously the CEO of Teamviewer.

Source: https://www.businessinsider.de/gruenderszene/technologie/proglove-exit-private-equity-handschuh-a/

Importance, benefits and providers [Anzeige]

0

For many website operators, the cost of hosting is the decisive point when it comes to deciding for or against a hoster. We will show you why hosting in Germany should not be ignored when making a decision.

What does hosting mean in Germany?

In order to be sure of whether the respective provider offers hosting in Germany, you can use two points as a guide: the location of the data centers and the location of the company headquarters. If both are located in Germany, hosting is usually available in Germany.

Because even if a German hosting provider has the data centers and the company headquarters abroad, the location of the company headquarters is decisive for the applicable law. This can be explained more easily using an example: For example, if your hoster has servers in Germany, but its company headquarters are in the USA, in the worst case the US government can also demand the release of data from German servers.

The EU is an exception here. The data protection certification is also an additional factor, which evaluates the level of data protection measures. The most common certifications include ISO 27001, IT-Grundschutz and PCI DSS.

What advantages do I have with hosting in Germany?

There are many different advantages that you have when choosing hosting in Germany. We present the most important ones below.

1st benefit: Security in data centers

Security in the data centers themselves should not be underestimated. If hosters neglect building security, this can lead to power failures and, in the worst case, to fires. At the same time, this has an impact on reliability, availability and security for customers.

German data centers usually take care of installing available fire protection measures, access control and the necessary technology to protect customer data in the event of a fire. In addition, many data centers have an on-site security guard who is permanently on duty.

2nd advantage: Strict data protection guidelines

Strict data protection rules have applied in Germany, especially since the GDPR came into force. So if a hoster operates the data centers in Germany, users do not have to worry about the GDPR. Because in these cases there is no data flow outside the EU.

3. Advantage: Good performance and better SEO ranking

With hosting in Germany, the distances to the servers are significantly shorter. As a result, users can also expect shorter loading times. This in turn has a positive impact on search engines. In the best-case scenario, hosting in Germany will ensure that your website ranks better in Google search results.

Google can also determine the server location of your website. This can also affect your Google ranking. For example, if a company based in Germany operates a website with German hosting, this speaks for relevance and added value in the eyes of Google. Among other things, potential customers can be reached more easily.

Hosting in Germany with Mittwald

Finding the right hoster for your hosting in Germany can be a challenge. For this reason we introduce you to Mittwald.

Mittwald is THE hosting partner for agencies and freelancers with a data center in Espelkamp, ​​East Westphalia. Web professionals can rely on the highest performance and security. And not only because of the latest hardware and certified security standards, but also because of the technicians who are on site 24/7 and can intervene in a matter of seconds in exceptional cases.

The Mittwald data center has been certified by TÜV Rheinland as a reliable data center (building security) and with ISO 27001 (information security).

The high single thread performance also ensures the fastest database queries and PHP script execution times at Mittwald. The multi-redundant fiber optic connection to internet nodes creates optimal latencies. In addition, Mittwald hosts your projects 100 percent climate-neutral.

If you are looking for a hoster for agencies and freelancers, where you not only get your hosting in Germany, but you can also rely on security and efficiency, Mittwald is the right partner.

Find out more about Mittwald here

Source: https://www.basicthinking.de/blog/2022/03/28/hosting-in-deutschland-mittwald/

Spotify wants to limit its service in Russia

0

Spotify wants to limit its service in Russia. This was announced by a company spokesman for the streaming provider. The reason is a new Russian media law that criminalizes statements about the Ukraine war that deviate from the state’s representations.

Streaming provider Spotify announced in early March that the company wanted to close its offices in Russia indefinitely in response to the Ukraine war. The Swedish group has now announced that streaming services in Russia will also be restricted.

A company spokesman for Spotify told the news agency Reuters With. The reason for this is a new Russian media law that criminalizes statements about the Ukraine war that deviate from the state’s representations.

Spotify wants to pull the plug in Russia in early April

Due to the Russian sanctions and the withdrawal of numerous payment service providers such as PayPal, Spotify was no longer able to offer its paid version in full.

The company originally justified the whereabouts of its other streaming offerings, regardless of the Ukraine war, by wanting to maintain access to independent information.

However, the new Russian media law now classifies independent information as false information and criminalizes it. The streaming provider is therefore forced to discontinue its offer completely.

This also applies to the advertising-financed free version. According to Reuters, Spotify plans to discontinue its entire streaming offering in early April.

Netflix, Disney and Co. are also withdrawing

While Spotify continues to believe that access to independent news and information is critical, a company spokesman added:

Unfortunately, recent legislation that further restricts access to information, stifles free speech, and criminalizes certain types of messages is putting the safety of Spotify employees and potentially our listeners at risk.

Streaming providers Netflix and DisneyPlus had previously restricted their services in Russia. Tech giants like Apple and Google also withdrew. Russia also officially banned the social networks Instagram and Facebook after both platforms had previously partially restricted their service.

Also interesting:

Source: https://www.basicthinking.de/blog/2022/03/28/spotify-dienst-in-russland-einschraenken/

These devices always need electricity

0

In many situations in life it is essential to save electricity. However, the measure does not make sense for every electrical device.

Do not disconnect OLED televisions from the mains

For most electrical devices, the approach is actually important to separate the devices from the mains and not to waste energy unnecessarily in stand-by mode. This principle works best with switchable power strips. However, not every technical device can simply be separated from the network.

If the manufacturers of the devices do not recommend disconnecting from the mains, the producers usually refer to this in the operating instructions.

A good example is OLED TVs, which should always be left plugged in to allow the display to regenerate during the night.

Do not disconnect OLED televisions from the mains
Do not disconnect OLED televisions from the mains | Foto: © naka # 204234711 – stock.adobe.com

Tips for using WiFi routers

It is generally not a disadvantage for the WLAN router if it is disconnected from the network at night. Nevertheless, switching off the power is not absolutely necessary and may lead to unpleasant side effects. Today, for example, it is common for most landline phones to be connected to each other via the router.
If the device is disconnected from the network, no calls are possible during this time. To save electricity, it is sufficient to switch off the WLAN signals overnight. This deactivation works with most routers via a simple keystroke. Alternatively, it is possible to make a setting that automatically switches the WLAN module on at night and off again in the morning.

Tips for using WiFi routers
If the device is disconnected from the network, no calls are possible during this time | Foto: © Pixel-Shot #239323941 – stock.adobe.com

Steady power supply for inkjet printers

Another good example is inkjet printers. These devices should also not be unplugged from the power supply after each use.
Finally, every time the printers are disconnected from the mains and then switched on again, they start what is known as a print head cleaning run. This process uses so much ink that the cost of the ink exceeds the cost of the electricity saved.

Source: https://blogg.de/diese-geraete-benoetigen-stets-strom/

Cyberus Technology – Fun with Python and Tycho

0

This article demonstrates how simple it is to setup our analysis tool Tycho and plays with the Tycho Python API in order to outline its potential. We will pause and resume processes, read interesting process information, and inject errors using the Tycho Python API.

Tychowhich is the name of our live binary analysis tool (you may also regard it as a super debugger), can be used to hook into processes in order to analyze/debug them. As user frontends it may talk with GDB, IDA Pro, or any graphical debugger application that supports GDB, which feels familiar to most users.

In this post, we will not regard the GDB interface, but the Python API. We will see that it is really easy to integrate Tycho into your own python scripts and this way combine it with whatever other libraries you have been using already (like e.g. Volatility).

The Python library part is open source and you can always get the latest version in our Github Repository.

Setup

In order to analyse processes with Tycho via Python, we first need to set up both the analyst system and the system that is subject to analysis. This setup consists of just 2 steps:

  1. Boot supernova on the analysis box
  2. Run tycho-server on the developer laptop.

The following picture shows the typical setup:

  • Let’s call the box on the left the analysis box. It hosts a completely unmodified Windows 7 box. We activate network boot in order to boot our supernova hypervisor on it, which will then in turn boot the already installed Windows.
  • The laptop on the right is the analyst- or developer laptop. It will communicate with our hypervisor and remote control the debugging/analysis that will happen to the processes that run on the box at the left side.

When the analysis box gets to boot the supernova hypervisor, the hypervisor in turn will chainload the operating system that is already installed. This way supernova can quickly be deployed to any system with a reboot. After another reboot, it’s gone again.

Now we need to start tycho-server on the developer laptop. tycho-server connects to the running supernova instance via serial cable or USB debug cable and listens on a TCP port on the developer laptop. This way we get a communication channel to the hypervisor and can use python scripts that instruct it to do what we need.

Python Example

Now that we have a running hypervisor that we can talk to, let’s fire up a python shell and stop the builtin calculator calc.exe:

from pyTycho import tycho

service = tycho()
calc = service.open_process("calc.exe")
calc.pause()

After the calc.pause() line, supernova is kind of “armed” to stop calc.exe as soon as it sees this process being scheduled again. When this happens, we observe the following:

On the analysis box: Tycho paused calc.exe

An interesting detail is that this happens completely without support from the Windows side. Windows is not aware of us pausing this process! With a closer look at the task manager we see that calc.exe burns 50% CPU cycles, which is a side effect of our process pausing method. Note that this does not really burn 50% of the CPU cycles.

By running calc.resume()we can resume normal process execution and everything is like it was before.

We can also do more. Let’s print the PID of calc.exe and see how many threads it has.

>>> calc.get_pid()
2932L
>>> calc.get_thread_list()
[188L]

As we can see, our running calc.exe instance has PID 2932. Task manager shows us the same number. The get_thread_list() function yields us a list with only a single item. If we do the same query on the also running Internet Explorer, we get a more interesting result as it has a few threads running:

>>> iexplore = s.open_process("iexplore.exe")
>>> iexplore.get_thread_list()
[4004L, 3112L, 2364L, 2652L, 1208L, 2624L, 2948L, 2692L, 1372L, 2876L, 1228L]

Let’s see what else we can do. How about listing what DLLs are loaded into a process? This information is listed in the VAD tree in the Windows kernel:

>>> [n.filename for n in calc.get_vad_list() if n.filename.endswith(".dll")]
['\\Windows\\System32\\oleaccrc.dll',
 '\\Windows\\System32\\user32.dll',
 '\\Windows\\System32\\kernel32.dll',
 '\\Windows\\System32\\ntdll.dll',
 '\\Windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\GdiPlus.dll',
 '\\Windows\\System32\\oleacc.dll',
 '\\Windows\\System32\\winmm.dll',
 '\\Windows\\System32\\WindowsCodecs.dll',
 '\\Windows\\System32\\dwmapi.dll',
 '\\Windows\\System32\\uxtheme.dll',
 '\\Windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll',
 '\\Windows\\System32\\version.dll',
 '\\Windows\\System32\\cryptbase.dll',
 '\\Windows\\System32\\rpcrt4.dll',
 ...
]

We can also kill calc.exe by sending it a page fault:

>>> calc.pause()
>>> calc.inject_pagefault(0, 5)
True
>>> calc.resume()

With the inject_pagefault line we inject a page fault at address 0which looks like a null pointer dereference. From the perspective of the Windows kernel, this page fault came directly from the CPU. In reaction to that, it kills the calculator process.

calc.exe is being killed by Windows after we sent it a page fault via Tycho

Summary

We have seen how easy it is to prepare the analysis box for tampering around with it using the Tycho Python API. After rebooting the analysis box, the system is completely restored to the untouched state it was in before we booted supernova.

We have seen how to pause and resume processes like it is possible with normal debuggers – but without the support of the Windows kernel. This way the applications that run on this system cannot see any debugger artifacts.

In addition to that, we listed various process information (PID, thread list, VAD tree) and also killed a process by sending it a page fault.

Generally, there is more functionality like the following:

  • Stop and resume a process or individual threads
  • Read arbitraty memory from the process’ address space
  • Manipulate the process’ memory
  • Read out the whole VAD tree, EPROCESSand PEB information of a process from the Windows kernel space
  • Set breakpoints on…
    • specific instructions
    • System calls (without library hooking)
  • The number of features is steadily growing, so stay tuned, please.

We will showcase more features within the next blog articles.

Source: https://www.cyberus-technology.de/posts/2018-01-02-fun-with-python-and-tycho.html

Brazilian company wants to save the rainforest with NFTs

0

A Brazilian company wants to save the rainforest by selling NFTs. By purchasing the digital tokens, customers should be able to protect certain areas of the Amazon. The backgrounds.

The Brazilian company Grove started selling NFTs for saving the rainforest last Friday. The news agency reports Reuters. With every purchase of such a digital token, interested parties sponsor forest areas of different sizes.

In the course of this, the buyers receive information about the preservation of the corresponding properties through their NFTs. In addition, Nemus promises, among other things, satellite images, licenses and other documents, according to company founder Flavio de Meira Penna.

Nemus sold NFTs for a total of 8,000 hectares of rainforest on the first day. That corresponds to about ten percent of all tokens for sale. “I expect this to accelerate rapidly in the coming weeks,” Penna told Reuters.

This is what the NFT rainforest project looks like

“Nemus’ initial goal is to secure a sufficient amount of rainforest land to form a protective belt within the Brazilian Amazon to conserve the land and protect it from deforestation,” the company’s Litepaper says.

The sale of the NFTs is intended to serve two purposes: First, to set an example of how more value can be created through responsible use of the rainforest than through its destruction. Secondly, an ecosystem should be created in which the participants can be rewarded for their good deeds, the paper goes on to say.

“With this approach, Nemus can become an engine for positive change, using cryptocurrencies to create a new model of environmental action that will help us regain our lost balance with nature.”

$51,000 for rainforest NFTs

Each NFT to protect the rainforest consists of an artwork inspired by the flora and fauna of the Amazon region.

Buyers can purchase tokens for plots of different sizes. Plots of land are available from a quarter hectare to 81 hectares. With the help of an online map, the sponsors can locate their country.

Nemus offers the rainforest NFTs from a price of 150 US dollars. The largest land NFTs sell for up to $51,000.

Nemus founder Penna hopes that the company will raise up to five million dollars. This will then be used to buy another two million hectares of rainforest. The company owner told Reuters that the country in question is already being negotiated.

According to Penna, not only the rainforests should benefit from the sale of the NFTs. Nemus also intends to invest the funds raised in development measures in the future. This includes the harvesting of acai berries as well as Brazil nuts by local communities in the Amazon.

Nemus project not only meets with approval

Although the Nemus project appears very noble overall, critics have nevertheless questioned whether NFTs of all things are suitable for environmental protection. The blockchain technology on which the corresponding tokens are based requires high computing power. This drives up electricity consumption and releases climate-warming greenhouse gases.

However, Nemus founder Penna rejected this criticism to Reuters. In his view, protecting threatened areas of the Amazon far outweighs the environmental costs of NFT transactions.

The fact that all of the land acquired through the NFT sale is in the hands of Nemus could also raise some eyebrows. The NFT owners have no claim to the land thanks to Brazilian law.

One can only hope that the company will not come up with a more profitable use for the purchased land in Amazons in the future.

Also interesting:

Source: https://www.basicthinking.de/blog/2022/03/29/brasilianisches-unternehmen-nemus-nfts-regenwald-retten/

Cyberus Technology – Meltdown

0

Meltdown is an attack on the general memory data security of computers with the Intel x86 architecture. Two members of the founder team of Cyberus Technology GmbH were among the first experts to discover this vulnerability. This article describes how Meltdown actually works and also examines the mitigations that have been patched into the most widespread operating systems while the information embargo was still intact.

Rumors

The rumor factory has already been working overtime for about a week now and a lot of IT blogs and online newspapers wrote about it:

The Exploit

In short: It is possible to exploit the speculative execution of x86 processors in order to read arbitrary kernel-memory.

Thomas Prescher and Werner Haas, two of the founders of Cyberus Technology GmbH, were among the first experts to discover this bug. We disclosed this information responsibly to the Intel Corporation and adhered to the information embargo which was officially dropped by Intel on January 3rd, 2018.

A fully complete and detailed explanation can be found in the official Meltdown paper.

Implications

A short summary of what this security bug means:

  • Code utilizing this exploit works on Windows, Linux, etc., as this is not a software- but a hardware issue.
  • It is possible to dump arbitrary kernel memory with unprivileged user space applications.
  • Reading kernel memory implies reading the memory of the whole system on most 64 bit operating systems, i.e. also memory from address spaces of other processes.
  • Fully virtualized machines are not affected (guest user space can still read from guest kernel space, but not from host kernel space).
  • Paravirtualized machines are affected (e.g. Xen PV).
  • Container solutions like Docker, LXC, OpenVZ are all equally affected.
  • The Linux KPTI / KAISER patches mitigate Meltdown effects on Linux.
  • Most modern processors, in particular with Intel microarchitecture since 2010, are affected.
  • We have no evidence that this attack is successfully deployable on ARM or AMD, although the underlying principle applies to all contemporary superscalar CPUs.
  • Meltdown is distinct from the Spectre attacks, which became public at the same time.

If you have any questions about Meltdown and its impact or the involvement of Cyberus Technology GmbH, please contact:

Example Attack

Within the scope of research we were able to implement a proof-of-concept that is able to reliably dump kernel memory from arbitrary addresses:

Foreground: Kernel memory being read out by our meltdown proof-of-concept. Background: Actual kernel dump. Both views show identical data, the exploit is successful.

In this example run, we dumped a part of the system call table (which is usually not accessible from user space) of one of our systems (we tried Sandybridge, Broadwell, and Haswell chipsets) running on one of the latest Linux kernels before the KAISER patch set was deployed. The application runs as unprivileged user program.

The frontmost terminal window shows our proof-of-concept application dumping the first bytes of the system call table (0x60 0xd9 0x22 0x81 0xff 0xff 0xff 0xff 0x90). In order to enable the comparison with the real memory content, the terminal window in the background shows a legitimate kernel dump with just the same memory values. A comparison of both outputs shows that the exploit technique has been successfully utilized.

Technical Background

In a nutshell: Meltdown effectively overcomes the kernel space/user space memory isolation barrier of x86 architecture. The access happens indirectly by exploiting side-channel information that is inadvertently made available by the cache after speculative execution of a prepared instruction stream that is executed out-of-order.

The root cause of the problem is the combination of the following subsystems of a processor’s microarchitecture. Note that none of the individual components is to be blamed for the vulnerability – it is how they work together:

Virtual Memory

The virtual memory mapping from virtual to physical addresses enables the operating system to isolate processes spatially from each other. On top of that, the operating system can define which range of a memory view is accessible by user applications in order to secure kernel memory from unauthorized access.

This protection is the one actually getting bypassed.

Memory Cache

Since memory access is generally slow compared to the pace the CPU works with, often-accessed memory is transparently cached in order to accelerate program execution.

It is possible to measure which spots of the memory are warm (cached) and which are cold (not cached), which is a crucial part of the attack.

Speculative Execution

On the one hand, from a macroscopic view, superscalar processors still execute machine code instructions sequentially. On the other hand, from a microscopic view, the contemporary designs relax the order in which the instruction sequence is processed in order to accelerate program execution by e.g. concurrent operation on instructions without data dependencies.

Within a pipelined core, the processor fetches instructions from memory, decodes what they are supposed to do, fetches operand data from registers and/or memory, executes them on the operand data, and then stores the results back in registers and/or memory. While doing so, it breaks down each instruction into atomic parts.

A super scalar CPU has multiple processing units that can perform logical and arithmetical actions, as well as load/store units. With the instruction stream split into those atomic parts, a dynamic scheduler can intelligently dispatch instructions whose operands do not depend on each other’s completion to as many processing units as possible. This way the execution can be accelerated per core.

In order to keep the processing units filled up with as much work as possible to maximize this effect, the pipeline needs long uninterrupted instruction streams. Naturally, programs contain a lot of conditional and unconditional jumps, which chop the instruction stream in parts that are often too short to keep the pipeline filled.

By intelligently guessing the control flow path in the so called branch prediction unit (BPU) the pipeline can be fed with a continuous stream of instructions. A branch predictor deals with conditional jumps such that no cycles are wasted waiting for the resolution of the condition if the prediction is correct, hence accelerating program execution. In case of a mispredicted path, the pipeline is flushed and all intermediate results are discarded before they become visible in registers or memory. The front-end is resteered to the newly found instruction address and the CPU resumes working on correct program execution.

This kind of speculative execution does not only occur over branches: When a program accesses a specific cell of memory, the processor needs to decide if it is allowed to do so by consulting the virtual memory subsystem. If the memory cell has previously been cached, the data is already there and data is returned while the processor figures out if this access is legitimate. With speculative execution, the processor can trigger actions depending on the result of a memory access while working to complete the corresponding instruction.

If the memory access was not legitimate, the results of such an instruction stream need to be discarded, again. For a user application it is not possible to access the final result of any computation relying on such an illegitimate memory access. The interesting crux of this is that although retirement is correctly performed, all speculatively executed and then discarded instructions have still left some measurable effect on the cache subsystem…

Tying it All Together

By combining the characteristics of all these subsystems on a x86 CPU, we can execute the following machine code instructions from within an unprivileged user application (the code is a reduced version of the original proof-of-concept to remove complexity for the explanation):

; rcx = a protected kernel memory address
; rbx = address of a large array in user space
mov al, byte [rcx]         ; read from forbidden kernel address
shl rax, 0xc               ; multiply the result from the read operation with 4096
mov rbx, qword [rbx + rax] ; touch the user space array at the offset that we just calculated

The first instruction tries to access one byte of memory at an address that resides within the protected kernel space, in order to load it into a processor register. The effect of this instruction is generally a page fault, because normal user space applications are not allowed to access kernel memory addresses. This page fault will eventually hit the application (although it is possible to avoid page faults using transactional memory), but there is a very high chance that the superscalar processor will speculatively execute the following two instructions.

The second instruction shifts the (cached) value that came from kernel space by 12 bits to the left, which is the same as a multiplication with the value 4096. This number is an implementation detail the official Meltdown paper explains more thoroughly.

The third instruction reads from a spot in the user space array that is indexed by the value the program just (illegally) read from kernel space and multipled by 4096.

Of course none of this is really going to happen, at least not in a way that one could see the actual result in register rbx (where the final read result would go to).

Assume that the user space array is 4096 * 256 bytes large: The byte that the program reads from the kernel can have values ranging from 0 to 255. By multiplying such values with 4096we can reach our large array at 256 different spots that are each 4096 bytes away from each other.

While none of these spots contains anything useful before or after this sequence of machine code instructions, it is possible to make sure that the whole user space array is completely uncached/cold before executing them. After trying to execute them, it is necessary to recover from the page fault that the processor reacts with. But then, one of the spots in the user space array remains cached!

Finding out the offset of the cached/warm spot of memory in the user space array allows for calculating the actual value that was read from memory, which can be done by measuring access timings on each of the 256 spots that could have been touched by the speculative execution. That is basically it.

Mitigation Techniques

It is possible to apply a software patch to the operating system kernel in order to mitigate the effects of the Meltdown attack:

KPTI / KAISER Patches

The KPTI / KAISER patches that have already been applied to the latest Linux kernel version help against Meltdown attacks. This series of patches by Gruss et al. ultimately splits user space and kernel space tables by unmapping all kernel memory pages before executing code in user space.

This patch brings a certain amount of performance degradation, but makes Meltdown access to crucial data structures in the kernel impossible.

A similar strategy helps to keep Windows and OS X kernels safe.

Source: https://www.cyberus-technology.de/posts/2018-01-03-meltdown.html

Elon Musk is set to become temporary CEO of Twitter

0

Investors, including Larry Ellison, are also contributing more than $7 billion to the deal. Also: Peloton wants to sell shares and Mercedes is naming prices for autonomous driving systems.

The Tesla and Space-X boss – here at the 2022 Met Gala – is also said to be pulling the strings on Twitter, at least temporarily.
Photo by Jeff Kravitz/FilmMagic via Getty Images

Good Morning! While you slept, work continued elsewhere in the digital scene.

The top topics:

Elon Musk should after the takeover of Twitter will probably act as CEO of the short message service for several months, according to a media report. In addition, the Tesla boss is said to have found a group of investors who want to participate in his offer for Twitter with more than seven billion US dollars. Their investments reduce the personal risk Musk must take to close the $44 billion deal for the social media company.

Among the 19 investors are a Saudi prince and a bitcoin exchange. At the top of the list is Larry Ellison, Oracle’s co-founder and current CTO, who is committing $1 billion to the purchase. Ellison said he was “very close friends” with Musk. Ellison joined Tesla’s board of directors in 2018. [Mehr bei Wall Street Journal, The Verge und CNBC]

on Founder scene: Still lying They have Renners focus on Personio – this is important for the founder to emphasize. That’s why he’s not actively looking for investment opportunities. Nevertheless, the 37-year-old has already made it to more than 15 holdings brought. Our overview shows the companies in which he has previously invested his money. [Mehr bei Gründerszene+]

And here are the other headlines of the night:

Peloton Interactive is considering selling a sizeable minority stake, The Wall Street Journal reports. The fitness company, which was booming during the pandemic but is now suffering significant losses, is looking for potential investors. The latter could be industry players or private equity firms, the report says. A stake of around 15 to 20 percent is aimed for. The talks are apparently at an early stage, so far there is no guarantee that the New York-based company will find a buyer. [Mehr bei Wall Street Journal]

Mercedes announced prices for its autonomous driving system for the first time. The group equips its S-Class and EQS worldwide with a Level 3 system that costs from 5000 euros. According to the “Handelsblatt”, this is not only a declaration of war on Tesla in terms of price. The drive pilot works up to 64 kilometers per hour and in this context can do more than Tesla’s “autopilot” or the driving aids from BMW and Audi, as the report says. [Mehr bei Handelsblatt]

Shopify had to cope with another setback on the stock exchange on Thursday. Shares of the Canadian company fell 15 percent after the company released first-quarter results that missed analyst estimates. Shopify posted adjusted earnings of 20 cents per share, while Wall Street had expected 63 cents per share. Revenue rose 22 percent year over year to $1.2 billion, also less than analysts had estimated. At the same time, it became known that the company that produces tools for companies to sell products online is the logistics startup Deliverr for $2.1 billion in cash and stock. [Mehr bei The Information und CNBC]

Doordash On the other hand, the stock rose: The share rose by more than ten percent in extended trading after the company had reported sales growth of 35 percent in the first quarter. This suggests that the company’s core business, food delivery, still has room for growth even after the pandemic-related hype. Revenue exceeded the estimated $1.38 billion at $1.46 billion. This corresponded to a loss per share of 0.48 cents. [Mehr bei CNBC]

JD.com, Pinduoduo and other large Chinese companies are threatened with delisting in the USA. The US Securities and Exchange Commission has put more than 80 Chinese companies under scrutiny for failing to comply with disclosure requirements. Chinese companies listed in the US are struggling under pressure from Washington and Beijing. While US regulators are demanding access to companies’ books, Beijing is preventing companies from doing so by stipulating that only domestic firms can have access to audit records. In addition to the large e-commerce groups are also the online video site Bilibilithe online video game company Netease and the electric car manufacturers Xpeng and Nio newly added to the SEC list. [Mehr bei The Information]

Our reading tip on Gründerszene: For around a third of „Migrant Founders“ A current study by the startup association shows that the lack of networks is a central problem. Around one in five founders in Germany has a migration background. [Mehr bei Gründerszene]

Don’t want to miss anything? Then subscribe to our Gründerszene newsletter! It appears every morning at 8:30 a.m. and brings you all the important news straight to your inbox.

Happy Friday!

Your Gründerszene editors

Source: https://www.businessinsider.de/gruenderszene/business/elon-musk-ceo-twitter/

Berlin start-up wants to charge e-cars on street lamps

0

Around 1,000 new charging stations for electric cars are to be built in Berlin. The special thing about it: The charging infrastructure is located in conventional street lamps. In the course of a tender, the state of Berlin commissioned the Shell subsidiary Ubitricity to convert the first 200 lanterns.

The state of Berlin has awarded a first contract for its “lantern shop” pilot project. In the course of a Europe-wide tendering process, the Berlin company Ubitricity was commissioned to build 200 new charging stations for electric cars.

The special thing about it: The charging infrastructure should be located in conventional street lamps. According to the Berlin Environment Agency, the aim is for a total of around 1,000 of these charging stations to be built. With the help of the first 200 stations, they want to check whether and to what extent the use of the existing street lamp infrastructure is suitable.

Ubitricity wants to turn streetlights into charging stations for electric cars

Ubitricity, a subsidiary of the mineral oil company Shell, wants to start converting the first street lamps as early as the second quarter of 2022. The company’s own “Heinz” charging point is to be used, which is mounted on the lamp posts in the form of a narrow box.

The charging capacity of the converted street lamps should then be 3.7 kilowatts. E-car drivers can also charge their vehicles with a conventional type 2 charging cable. The first stations should be operational between April and June 2022.

Existing infrastructure – only with green electricity

According to the Berlin Environment Agency, users should be able to access the stations either via the contract-based service of their mobility provider or a QR code (without a contract). The charging lanterns should also be supplied exclusively with electricity from renewable energies.

Another advantage: the new charging stations do not require any additional parking space. The use of the existing street lamp infrastructure also promises charging options with good access – ideally even right on your doorstep.

Charging e-cars: the “lantern shop” project has been in the planning stage since 2019

If the first 200 charging stations prove successful, Ubitricity will be awarded the contract to build up to 800 more stations. The state of Berlin has already applied to the Federal Ministry for Economic Affairs and Climate Protection for an extension of the pilot project and is expecting approval.

This would mean that the project, which was actually planned for 2019, would enter the second round. Due to technical problems, however, the implementation was delayed at the time. Now Ubitricity has again been awarded the contract for the “ElMobileBerlin” research project funded by the Federal Ministry of Economics and Climate Protection.

Also interesting:

Source: https://www.basicthinking.de/blog/2022/03/29/berliner-start-up-will-e-autos-an-strassenlaternen-laden/

Cyberus Technology – Simple DLL injection detection

0

In this article we are going to play with a DLL injection tool on a Windows system that is running on top the Cyberus Virtualization Platform. Using the Tycho Python API, we will see how dead simple it is to check if a process has been subject to DLL injection.

Prerequisites

First, we need the typical setup of an analysis box running Windows on top of our supernova hypervisor, and a developer laptop that runs tycho-server.

If you are not familiar with this setup, please have a look into the article Fun with Python and Tycho where this is explained.

Analysis box

To perform the experiment, we first need to put two prerequisites on the analysis box:

Please note that we do not need any other developer tools, debuggers, or anything else apart from this list. The system can be a completely untouched fresh Windows installation.

In practice we can use any DLL injection tool or method, as well as any DLL. The typical bad hacker would use some DLL injection code in the malware that he aims to deploy and the DLL would of course contain malicious content.

I chose this tool and DLL for this article because they can be freely downloaded and serve the purpose of demonstration very well.

Injecting a DLL and Detecting it with Tycho

The first step is to launch the process on the analysis box that is going to be subject of DLL injection. Let’s just fire up calc.exe for that purpose. It could otherwise be any other application, of course.

Next, we switch to the developer laptop and launch a python shell. Whenever we analyse what’s happening in a process via Tycho, we have to connect to the tycho service first and then open the desired process:

>>> from pyTycho import tycho
>>> service = tycho()
>>> calc = service.open_process("calc.exe")

calc is our process handle and is all we need to query information about the running calc.exe instance. Now we can immediately save the list of DLLs that are loaded into this process in a variable by accessing its VAD tree and extracting all the DLL names.

>>> dlls_before = [v.filename for v in calc.get_vad_list() if v.filename.endswith(".dll")]
>>> dlls_before
['\\Windows\\System32\\oleaccrc.dll', '\\Windows\\System32\\user32.dll', '\\Windows\\System32\\kernel32.dll', '\\Windows\\System32\\ntdll.dll', '\\Windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\GdiPlus.dll', '\\Windows\\System32\\oleacc.dll', '\\Windows\\System32\\winmm.dll', '\\Windows\\System32\\WindowsCodecs.dll', '\\Windows\\System32\\dwmapi.dll', '\\Windows\\System32\\uxtheme.dll', '\\Windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll', '\\Windows\\System32\\version.dll', '\\Windows\\System32\\cryptbase.dll', '\\Windows\\System32\\KernelBase.dll', '\\Windows\\System32\\advapi32.dll', '\\Windows\\System32\\sechost.dll', '\\Windows\\System32\\imm32.dll', '\\Windows\\System32\\msctf.dll', '\\Windows\\System32\\lpk.dll', '\\Windows\\System32\\msvcrt.dll', '\\Windows\\System32\\usp10.dll', '\\Windows\\System32\\gdi32.dll', '\\Windows\\System32\\oleaut32.dll', '\\Windows\\System32\\shlwapi.dll', '\\Windows\\System32\\clbcatq.dll', '\\Windows\\System32\\shell32.dll', '\\Windows\\System32\\ole32.dll', '\\Windows\\System32\\rpcrt4.dll', '\\Windows\\System32\\apisetschema.dll']

That is a lot of DLLs, but nothing special or suspicious yet.

Let us now start RemoteDLL on the analysis box and select our calc.exe process and the Suspender DLL in the user interface. After clicking the “Inject DLL” button, we can see all kinds of success messages in RemoteDLL’s log output:

Now we have 60 seconds until calc.exe freezes. That is enough time to check out if we can detect the DLL injection that we just performed.

Back on the developer laptop’s python shell we can again query the list of DLLs and save them into another variable:

>>> dlls_after = [v.filename for v in calc.get_vad_list() if v.filename.endswith(".dll")]
>>> dlls_after
['\\Windows\\System32\\oleaccrc.dll', '\\Windows\\System32\\user32.dll', '\\Windows\\System32\\kernel32.dll', '\\Windows\\System32\\ntdll.dll', '\\Windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\GdiPlus.dll', '\\Users\\demo3\\Documents\\Suspender.dll', '\\Windows\\System32\\oleacc.dll', '\\Windows\\System32\\winmm.dll', '\\Windows\\System32\\WindowsCodecs.dll', '\\Windows\\System32\\dwmapi.dll', '\\Windows\\System32\\uxtheme.dll', '\\Windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll', '\\Windows\\System32\\version.dll', '\\Windows\\System32\\cryptbase.dll', '\\Windows\\System32\\KernelBase.dll', '\\Windows\\System32\\advapi32.dll', '\\Windows\\System32\\sechost.dll', '\\Windows\\System32\\imm32.dll', '\\Windows\\System32\\msctf.dll', '\\Windows\\System32\\lpk.dll', '\\Windows\\System32\\msvcrt.dll', '\\Windows\\System32\\usp10.dll', '\\Windows\\System32\\gdi32.dll', '\\Windows\\System32\\oleaut32.dll', '\\Windows\\System32\\shlwapi.dll', '\\Windows\\System32\\clbcatq.dll', '\\Windows\\System32\\shell32.dll', '\\Windows\\System32\\ole32.dll', '\\Windows\\System32\\rpcrt4.dll', '\\Windows\\System32\\apisetschema.dll']

This list of DLLs looks very similar, but with a sharp eye we can see that it contains one new item that was not there on the first query.

But let’s not strain our eyes when we can just let python determine the difference between both lists:

>>> set(dlls_after) - set(dlls_before)
set(['\\Users\\demo3\\Documents\\Suspender.dll'])

That’s our Suspender DLL!

One detail is that we just sticked to file entries in the VAD tree that have a .dll ending in their filename. A full-blown solution would be a bit more exact, but we kept it simple for the sake of this demonstration.

What Next

Starting with these few example lines it would be simple to write a little watcher script that periodically checks a set of processes for changing DLL lists. For every program that is not usually known to load DLLs at late runtime, it is of course immediately suspicious if some new DLL pops up.

A possibly nice idea would be to glue such a script together with some database that maintains lists of legitimately loaded DLLs for different applications.

Instead of polling for such events periodically, the script could also install breakpoints that stop the apps that are watched whenever they are rescheduled, or at specific systemcalls. The Tycho Python API provides many other possibilities.

Another idea that might have potential is to put memory-write breakpoints on the VAD tree items in order to detect if their structure or content is changed. But that is out of the scope of this article.

Source: https://www.cyberus-technology.de/posts/2018-01-04-simple-dll-injection-detection.html

Latest

Popular