DEAD DROP 02 / XIAOMI BACKDOOR, INTERNET TAKEDOWN, URI HACK
--

Welcome to Dead Drop number 2, your weekly look at what's happening in the worlds of computer security, privacy, and internet freedom. All source links mentioned are below.

- Youtube link
- Archive.org mirror
- Torrent
- Keybase mirror

BREACHES

Over 300,000 financial records and credit card details have been stolen from either the payment processor BlueSnap or its customer Regpack. Neither company has admitted to a breach, but a database of the records was posted online recently.

https://thehackernews.com/2016/09/bluesnap-payment-gateway-hack.html
https://www.youtube.com/watch?v=dgnwWHpgG-g

About a third of the associated email addresses have been added to the Have I Been Pwned site, so search that if you think you might be affected.

http://haveibeenpwned.com

VULNERABILITIES

Adobe have issued another security bulletin for a critical vulnerability in Flash Player for Windows, Mac, Linux, and ChromeOS. This one could let an attacker take control of your system, so update now, or better still get rid of Flash Player if you don't need it.

https://helpx.adobe.com/security/products/flash-player/apsb16-29.html
https://helpx.adobe.com/flash-player/kb/uninstall-flash-player-windows.html

Signal, the private messaging app, recently issued a patch for its Android app after two new vulnerabilities were found. The first allows attackers to append extra data to the end of attachments, and the other can remotely crash the app.

https://pwnaccelerator.github.io/2016/signal-part1.html
https://www.youtube.com/watch?v=9k6sW1hwxdA

A researcher in the Netherlands has found that his Xiaomi smartphone has a vulnerability allowing attackers to silently install any app they wish. He found that an app named Analytics.apk routinely sends data about the phone back to Xiaomi's servers and, more importantly, checks for an update every 24 hours. This means that anyone who can get between the phone and the server and hand back a malicious app under the name Analytics.apk has it downloaded and installed automatically, without the user knowing.

https://www.thijsbroenink.com/2016/09/xiaomis-analytics-app-reverse-engineered/
https://www.youtube.com/watch?v=ocbm-PX_158
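The fix for an updater like the one described above is to authenticate the package before installing it, not just trust the file name. The following is an added example, not Xiaomi's code or anything from the researcher's write-up: the vendor signs a small manifest (package name plus SHA-256) with a key whose public half is built into the app, and the device refuses to install unless the manifest signature verifies and the downloaded bytes hash to the signed digest. The key pair, the "packages" and the man-in-the-middle scenarios are all constructed inline so it runs offline.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the small document the vendor signs: which package, and its SHA-256.
type Manifest struct {
	Name   string `json:"name"`
	SHA256 []byte `json:"sha256"`
}

// Release is everything the device receives over the untrusted network.
type Release struct {
	ManifestJSON []byte
	Signature    []byte
	Package      []byte
}

// Publish runs on the vendor side: hash the package and sign the manifest.
func Publish(priv ed25519.PrivateKey, name string, pkg []byte) (Release, error) {
	sum := sha256.Sum256(pkg)
	mj, err := json.Marshal(Manifest{Name: name, SHA256: sum[:]})
	if err != nil {
		return Release{}, err
	}
	return Release{ManifestJSON: mj, Signature: ed25519.Sign(priv, mj), Package: pkg}, nil
}

// InsecureInstall is the behaviour the post describes: whatever arrives under the
// expected name is handed straight to the installer.
func InsecureInstall(r Release) string {
	return fmt.Sprintf("installed %d bytes", len(r.Package))
}

// VerifiedInstall trusts only the public key pinned in the app. The manifest must
// carry a valid signature and the package must hash to the digest the manifest
// names; swapping either one on the wire makes it fail closed.
func VerifiedInstall(pinned ed25519.PublicKey, r Release) (string, error) {
	if !ed25519.Verify(pinned, r.ManifestJSON, r.Signature) {
		return "", errors.New("manifest signature invalid; refusing to install")
	}
	var m Manifest
	if err := json.Unmarshal(r.ManifestJSON, &m); err != nil {
		return "", err
	}
	sum := sha256.Sum256(r.Package)
	if !bytes.Equal(sum[:], m.SHA256) {
		return "", fmt.Errorf("package does not match signed digest for %q; refusing to install", m.Name)
	}
	return InsecureInstall(r), nil
}

// Constructed stand-ins for APK bytes; no real packages are involved.
var (
	genuinePkg  = []byte("PK\x03\x04 genuine analytics update (constructed)")
	attackerPkg = []byte("PK\x03\x04 attacker package renamed Analytics.apk (constructed)")
)

// Scenario builds the genuine release plus two man-in-the-middle variants: one with
// only the package swapped in transit, and one where the attacker also rewrote the
// manifest and signed it with their own key.
func Scenario() (ed25519.PublicKey, []Release, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	genuine, err := Publish(priv, "Analytics.apk", genuinePkg)
	if err != nil {
		return nil, nil, err
	}
	swappedPkg := genuine
	swappedPkg.Package = attackerPkg

	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	swappedManifest, err := Publish(attackerPriv, "Analytics.apk", attackerPkg)
	if err != nil {
		return nil, nil, err
	}
	return pub, []Release{genuine, swappedPkg, swappedManifest}, nil
}

func main() {
	pub, releases, err := Scenario()
	if err != nil {
		panic(err)
	}
	labels := []string{"genuine release", "package swapped in transit", "manifest re-signed by attacker"}
	for i, r := range releases {
		fmt.Printf("%-31s insecure: %s\n", labels[i], InsecureInstall(r))
		if out, err := VerifiedInstall(pub, r); err != nil {
			fmt.Printf("%-31s verified: %v\n", "", err)
		} else {
			fmt.Printf("%-31s verified: %s\n", "", out)
		}
	}
}
```

The insecure path installs all three releases; the verified path installs only the genuine one. Note that the digest alone is not enough if it travels in the same unauthenticated response as the package, which is why the manifest is signed and only the public key lives on the device. Anything else the updater trusts (the download URL, the file name, the 24-hour timer) is attacker-controlled once someone is in the middle of the connection.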

DENIAL OF SERVICE

Bruce Schneier wrote an interesting post about what looks to be a large and sustained operation to probe critical infrastructure on the internet. It seems as if a nation state is testing capabilities and weak points, potentially for use in a cyber war scenario to take down the entire internet with targeted DDoS attacks.

https://www.lawfareblog.com/someone-learning-how-take-down-internet
http://www.scmagazine.com/infrastructure-ddos-attacks-could-be-part-of-larger-plan-to-shut-down-internet-on-massive-scale/article/522962/
https://www.youtube.com/watch?v=3oZ8aEKDI7Y

In other denial of service news, researchers from Ben-Gurion University have found that it would take only 6,000 smartphones to take down a state's 911 emergency phone system, and around 200,000 for the entire system across the US. They theorised that malware-infected phones could launch a distributed attack, overwhelming the system and bringing it to its knees.

https://thehackernews.com/2016/09/hacking-911-emegency.html
https://arxiv.org/ftp/arxiv/papers/1609/1609.02353.pdf

HACKING

Steve Kemp found that if a web app accepts a URI as input (for example in a form field meant for a web address) without checking the scheme, he could hand it a file:// URI and read files on the web app's own server, including the password file and other potentially damaging data. This one's worth a read if you're a developer.

https://blog.steve.fi/If_your_code_accepts_URIs_as_input__.html
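What a developer should take from the post is that a URI field needs an allowlist of schemes, and that the host deserves the same scrutiny, since pointing the fetch at the server's own address is the next thing an attacker tries. The following is an added example written for this newsletter, not code from Steve Kemp's post: it accepts only http and https, resolves the host, and rejects any address that is loopback, private, link-local or otherwise non-public. The resolver is injectable so the constructed DNS records (images.example.com, cdn.attacker.example) let it run offline; in production pass net.LookupIP.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Resolver abstracts DNS so the check can be exercised offline; in production use net.LookupIP.
type Resolver func(host string) ([]net.IP, error)

// Only schemes that mean "fetch over the network" are acceptable. file:, ftp:, gopher:, data:
// and friends are refused outright, whatever the rest of the URI looks like.
var allowedSchemes = map[string]bool{"http": true, "https": true}

// isPublic refuses addresses that would point the fetch back at the server itself or its neighbours.
func isPublic(ip net.IP) bool {
	return !(ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified())
}

// ValidateFetchURL returns the parsed URL if a server-side fetch of it is acceptable.
// The host is resolved and every returned address is checked, so a hostname that
// resolves to 127.0.0.1 is rejected just like a literal loopback address.
func ValidateFetchURL(raw string, resolve Resolver) (*url.URL, error) {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil {
		return nil, err
	}
	// The case from the post: file:///etc/passwd parses fine but must never be fetched.
	if !allowedSchemes[strings.ToLower(u.Scheme)] {
		return nil, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	if u.User != nil {
		return nil, errors.New("credentials in URL not allowed")
	}
	host := u.Hostname()
	if host == "" {
		return nil, errors.New("missing host")
	}
	ips := []net.IP{}
	if ip := net.ParseIP(host); ip != nil {
		ips = append(ips, ip)
	} else {
		ips, err = resolve(host)
		if err != nil {
			return nil, fmt.Errorf("resolving %q: %w", host, err)
		}
	}
	if len(ips) == 0 {
		return nil, fmt.Errorf("%q resolved to no addresses", host)
	}
	for _, ip := range ips {
		if !isPublic(ip) {
			return nil, fmt.Errorf("%q resolves to non-public address %s", host, ip)
		}
	}
	return u, nil
}

// IsSafeFetchURL is the boolean form of the check.
func IsSafeFetchURL(raw string, resolve Resolver) bool {
	_, err := ValidateFetchURL(raw, resolve)
	return err == nil
}

// fakeResolve stands in for DNS with constructed records so the example runs offline.
func fakeResolve(host string) ([]net.IP, error) {
	switch host {
	case "images.example.com":
		return []net.IP{net.ParseIP("93.184.216.34")}, nil
	case "cdn.attacker.example": // attacker-controlled name pointing back at the server
		return []net.IP{net.ParseIP("127.0.0.1")}, nil
	}
	return nil, errors.New("no such host")
}

func main() {
	inputs := []string{
		"https://images.example.com/avatar.png", // legitimate
		"file:///etc/passwd",                    // the case from the post
		"FILE:///etc/shadow",                    // scheme case games
		"http://127.0.0.1:8080/admin",           // literal loopback
		"http://[::1]/",                         // IPv6 loopback
		"http://cdn.attacker.example/x.png",     // hostname that resolves to loopback
		"http://user:pw@images.example.com/",    // credentials smuggled in the URL
	}
	for _, in := range inputs {
		if _, err := ValidateFetchURL(in, fakeResolve); err != nil {
			fmt.Printf("REJECT %-40s %v\n", in, err)
		} else {
			fmt.Printf("ACCEPT %s\n", in)
		}
	}
}
```

Two caveats a reviewer would raise: DNS can change between this check and the actual connection, so the HTTP client should connect to the address that was validated (or repeat the check inside its dialer) rather than resolving again; and HTTP redirects have to be run through the same check, otherwise an allowed public URL can bounce the fetch to file:// or to an internal address.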

ADVERTISING

Adblock Plus, the famous ad blocking browser extension, has announced that it will now start selling and placing ads on web pages. They say they aim to replace big and intrusive ads with their own preselected ones.

http://www.theverge.com/2016/9/13/12890050/adblock-plus-now-sells-ads
https://adblockplus.org

TRACKING

Four researchers from the Max Planck Institute for Informatics wrote a paper titled 'Faceless Person Recognition', investigating whether image-matching systems can correctly identify people in photos even when their faces have been obscured, pixelated or blurred.

https://nakedsecurity.sophos.com/2016/09/15/can-you-stay-anonymous-by-hiding-your-face/
https://arxiv.org/pdf/1607.08438v1.pdf

INTERNET FREEDOM

To finish, we have a great article by Robert Epstein about how Silicon Valley tricked us into giving up our freedom, privacy, data, and behavioural patterns in return for "free" stuff. Definitely check this one out if you're into this sort of idea.

https://motherboard.vice.com/en_ca/read/free-isnt-freedom-epstein-essay

--
BY NODE