DEAD DROP 03 / YAHOO BREACH, ATM HACKING, TESLA HACK, IPHONE MEMORY CLONE
--

Welcome to Dead Drop number 3, a weekly look at what's happening in the worlds of computer security and digital freedom. All source links mentioned are below.

- Youtube link
- Archive.org mirror
- Torrent
- Keybase mirror

BREACHES

Starting off with the mother of all breaches. This week Yahoo confirmed that data from at least 500 million of its accounts was stolen in late 2014: names, email addresses, telephone numbers, dates of birth and hashed passwords (the vast majority bcrypt, according to Yahoo), along with some security questions and answers.

https://www.yahoo.com/tech/yahoo-set-confirm-massive-data-breach-recode-112838870–finance.html
https://www.youtube.com/watch?v=_0b6qaPY-CQ (yahoo logo)

That puts this year on track to see more than 1 billion records stolen across breaches, and that's only counting what has been made public.

http://www.darkreading.com/attacks-breaches/2016-on-track-to-see-over-1-billion-records-breached/d/d-id/1326951

HACKING

Researchers from Keen Security Lab discovered and exploited multiple vulnerabilities in Tesla's car software, remotely and with no physical access, demonstrating the ability to unlock doors, turn on lights and windscreen wipers, open the trunk and, worryingly, engage the brakes while the car is moving. Tesla has since pushed a fix over the air.

https://www.youtube.com/watch?v=c1XyhReNcHY

In other news, high school student Jacob Ajit wrote a post explaining how he got onto T-Mobile's LTE data network for free by abusing the network's implicit trust in speedtest servers: traffic that looked like it was headed to a speed-test host was let through without a paid plan, so he routed his own traffic through a proxy set up to satisfy that check.

https://medium.com/@jacobajit/how-i-gained-access-to-tmobiles-national-network-for-free-f9aaf9273dea

Kaspersky Lab also showed off an ATM attack that gives full control over the machine and lets the attacker withdraw cash with fake cards. They unplug the ethernet cable that connects the ATM to the bank's processing centre and plug it into a Raspberry Pi running custom software that impersonates the processing centre and approves whatever transaction the ATM asks about. It works because the ATM never authenticates the processing centre it is talking to.

https://securelist.com/analysis/publications/76099/future-attack-scenarios-against-atm-authentication-systems/
https://www.youtube.com/watch?v=nRbqBLBlLLs

NORTH KOREA

Last week it was revealed that North Korea's .kp domain has a total of just 28 registered websites, and we only found this out because one of the country's .kp nameservers was misconfigured to allow zone transfers, handing the full list to anyone who asked for it. I wouldn't want to be that person. Most of the sites look pretty boring, and as you might expect, there's a lot of propaganda being pumped at the citizens.

http://www.craveonline.com/design/1122013-north-korea-accidentally-leaked-propaganda-websites
https://motherboard.vice.com/en_uk/read/north-korea-has-just-28-websites

IPHONE

Researcher Sergei Skorobogatov has successfully demonstrated a NAND mirroring technique against the iPhone 5c: he copies the contents of the phone's flash chip and restores that copy after a few wrong guesses, which rolls the passcode attempt counter back and sidesteps the attempt limit. That disproves FBI director James Comey, who claimed earlier in the year, when the agency wanted Apple to backdoor its operating system, that this approach wouldn't work.

https://arxiv.org/abs/1609.04327
https://www.youtube.com/watch?v=tM66GWrwbsY
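To make the mechanism concrete, here is a toy model of why a retry counter kept in clonable flash can be rolled back. This is an added example, not code from the Dead Drop post or from Skorobogatov's paper: the 10-attempt wipe limit, the four-digit PIN and the image/restore calls are assumptions standing in for desoldering the chip, dumping it and writing the saved image back.

```python
"""Toy model of the NAND-mirroring attack on a passcode retry counter.

Added example, not from the Dead Drop post or Skorobogatov's paper. The
class names, the 10-attempt limit and the image()/restore() API are
assumptions that stand in for desoldering the flash chip, reading it out
and writing the saved image back after a handful of wrong guesses.
"""
from itertools import product

ATTEMPT_LIMIT = 10          # assumed: erase key material after this many failures


class DeviceWiped(Exception):
    """Raised once the retry counter trips the erase-on-failure policy."""


class NandFlash:
    """The retry counter lives in rewritable flash next to the user data.

    That is the whole weakness: anything stored here can be imaged and
    written back, so the counter can be rolled back along with it.
    """

    def __init__(self) -> None:
        self.failed_attempts = 0

    def image(self) -> bytes:
        """Read the chip out (desolder and dump, in the real attack)."""
        return bytes([self.failed_attempts])

    def restore(self, snapshot: bytes) -> None:
        """Write a saved image back, rolling the counter back with it."""
        self.failed_attempts = snapshot[0]


class Phone:
    """Four-digit passcode, checked against a counter kept in NandFlash."""

    def __init__(self, passcode: str) -> None:
        self._passcode = passcode
        self.flash = NandFlash()

    def try_passcode(self, guess: str) -> bool:
        if self.flash.failed_attempts >= ATTEMPT_LIMIT:
            raise DeviceWiped("key material erased after too many failures")
        if guess == self._passcode:
            return True
        self.flash.failed_attempts += 1
        if self.flash.failed_attempts >= ATTEMPT_LIMIT:
            raise DeviceWiped("key material erased after too many failures")
        return False


def all_pins():
    """0000 .. 9999 in order."""
    return ("".join(digits) for digits in product("0123456789", repeat=4))


def brute_force_with_mirroring(phone: Phone) -> dict:
    """Guess every PIN, restoring the clean image before the counter trips.

    Returns the recovered PIN plus how many guesses and restores it took.
    """
    clean_image = phone.flash.image()
    guesses = restores = 0
    for guess in all_pins():
        if phone.flash.failed_attempts >= ATTEMPT_LIMIT - 1:
            phone.flash.restore(clean_image)   # roll the counter back to 0
            restores += 1
        guesses += 1
        if phone.try_passcode(guess):
            return {"pin": guess, "guesses": guesses, "restores": restores}
    raise RuntimeError("exhausted the PIN space")   # unreachable for 4 digits


def brute_force_naive(phone: Phone):
    """Same search without mirroring: the counter trips and the data is gone."""
    try:
        for guess in all_pins():
            if phone.try_passcode(guess):
                return guess
    except DeviceWiped:
        return None


if __name__ == "__main__":
    print(brute_force_with_mirroring(Phone("0042")))   # 43 guesses, 4 restores
    print(brute_force_naive(Phone("0042")))            # None: wiped after 10 failures
```

Each restore buys another nine guesses, so the full four-digit space costs just over a thousand restores, which is tedious but entirely mechanical. The defence is to keep the counter somewhere that cannot be imaged from outside, which is what the Secure Enclave does on later iPhones.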

In other iPhone news, digital forensics firm Elcomsoft says Apple has weakened the password protection on local iTunes backups in iOS 10: the new backup format includes a password check that uses a single round of SHA-256 instead of the slow PBKDF2 derivation of earlier versions, so brute-forcing a backup password is thousands of times faster than before.

http://blog.elcomsoft.com/2016/09/ios-10-security-weakness-discovered-backup-passwords-much-easier-to-break/
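To show why one hash round versus a slow KDF changes the picture so much, here is an added example contrasting the two kinds of password check under a dictionary attack. This is not Elcomsoft's tool or Apple's code; the salt, iteration count and wordlist are constructed for the example and are not Apple's real parameters.

```python
"""Why a single hash round matters for backup-password cracking.

Added example, not Elcomsoft's tool or Apple's code. It contrasts two ways
a backup format could verify its password: a slow, salted PBKDF2 derivation
and a single SHA-256 round. SALT, PBKDF2_ITERATIONS and WORDLIST are
constructed for the example and are not Apple's real parameters.
"""
import hashlib
import time

SALT = b"constructed-salt-not-real"   # assumption: a per-backup salt
PBKDF2_ITERATIONS = 10_000             # assumption: a deliberately slow KDF


def slow_verifier(password: bytes) -> bytes:
    """Salted, iterated derivation: each guess costs 10,000 HMAC rounds."""
    return hashlib.pbkdf2_hmac("sha1", password, SALT, PBKDF2_ITERATIONS)


def fast_verifier(password: bytes) -> bytes:
    """One SHA-256 round over salt||password: each guess costs one hash."""
    return hashlib.sha256(SALT + password).digest()


def crack(verifier, stored: bytes, wordlist) -> tuple:
    """Dictionary attack: (password, guesses_tried) or (None, guesses_tried)."""
    tried = 0
    for tried, candidate in enumerate(wordlist, start=1):
        if verifier(candidate) == stored:
            return candidate, tried
    return None, tried


def guesses_per_second(verifier, seconds: float = 0.5) -> float:
    """Rough single-core throughput of a guesser against this verifier."""
    deadline = time.perf_counter() + seconds
    count = 0
    while time.perf_counter() < deadline:
        verifier(b"benchmark-%d" % count)
        count += 1
    return count / seconds


# Constructed wordlist; the target password is the fifth entry.
WORDLIST = [b"123456", b"password", b"qwerty", b"letmein", b"hunter2", b"Tr0ub4dor&3"]

if __name__ == "__main__":
    for name, verifier in (("pbkdf2 x10000", slow_verifier), ("single sha256", fast_verifier)):
        stored = verifier(b"hunter2")
        print(name, crack(verifier, stored, WORDLIST), "%.0f guesses/s" % guesses_per_second(verifier))
```

Both verifiers recover the same password after the same number of guesses; the only thing that changes is how many guesses per second the attacker gets, and with a single unsalted-strength round that number is limited only by raw hash throughput. Run it on your own machine to see the ratio; the iteration count is the knob that keeps a leaked backup expensive to attack.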

VULNERABILITIES

This week Mozilla patched a certificate pinning failure in Firefox and the Tor Browser: the built-in pins for the add-on update server had expired, so an attacker holding a fraudulently issued certificate for that host could impersonate it and push a malicious extension update, with pinning no longer there to catch the bad certificate. If you're using either browser, update now.

http://www.theregister.co.uk/2016/09/18/mozilla_tor_flaws/
https://www.mozilla.org/en-US/firefox/products/
https://blog.mozilla.org/security/2016/09/16/update-on-add-on-pinning-vulnerability/

INTERNET OF FAILS

In another example of the dangers of rushing into an Internet of Things world, a guy on reddit found a glaring hole in how Apple's HomeKit automation handles his smart locks. They respond to Siri commands, and Siri listens from the lock screen, so all it takes is an attacker (or a neighbour, in his case) shouting commands within earshot of an idle iPad or iPhone inside the house and the doors unlock. Turning off Siri's lock-screen access stops it.

https://nakedsecurity.sophos.com/2016/09/22/siri-opens-smart-lock-to-let-neighbor-walk-into-a-locked-house/
http://www.apple.com/ios/home/
https://www.youtube.com/watch?v=Bbs6F8ArLX4

In other IoT news, Symantec wrote about how Internet of Things devices are increasingly being infected with malware and used in DDoS botnets. The alarming, if unsurprising, part is how many of them still run very weak or factory-default passwords, which is exactly what the malware brute-forces to get in.

http://www.symantec.com/connect/blogs/iot-devices-being-increasingly-used-ddos-attacks
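Since default-credential brute forcing is the way in, here is an added example of the detection a practitioner would want over device login logs: flag sources hammering telnet within a short window, count how many of their attempts use known factory credentials, and call out hosts where a default actually worked. This is not Symantec's code; the log format, the sample lines and the default-credential list are constructed for the example.

```python
"""Spot default-credential brute forcing against IoT devices in auth logs.

Added example, not Symantec's code. The log line format, SAMPLE_LOG and
DEFAULT_CREDENTIALS are constructed for the example; real devices log in
many formats, and a production default-credential list would be far longer.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: telnet logins on two cameras and a router on one day.
SAMPLE_LOG = """\
Sep 24 10:00:01 cam01 telnetd: login failed user=root password=xc3511 from=203.0.113.7
Sep 24 10:00:02 cam01 telnetd: login failed user=root password=vizxv from=203.0.113.7
Sep 24 10:00:03 cam01 telnetd: login failed user=admin password=admin from=203.0.113.7
Sep 24 10:00:04 cam01 telnetd: login ok user=root password=888888 from=203.0.113.7
Sep 24 10:05:10 rtr01 telnetd: login failed user=admin password=wrong-typo from=198.51.100.4
Sep 24 10:45:00 cam02 telnetd: login failed user=support password=support from=203.0.113.7
"""

# Short, illustrative list of factory defaults (an assumption, not a vendor list).
DEFAULT_CREDENTIALS = {("root", "xc3511"), ("root", "vizxv"), ("admin", "admin"),
                       ("root", "888888"), ("support", "support"), ("admin", "1234")}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) telnetd: login "
    r"(?P<result>ok|failed) user=(?P<user>\S+) password=(?P<pw>\S*) from=(?P<src>\S+)$")


def parse(log: str, year: int = 2016):
    """Yield (timestamp, host, success, user, password, source) per parsable line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # skip lines in a format we do not understand rather than crash
        ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
        yield ts, m.group("host"), m.group("result") == "ok", m.group("user"), m.group("pw"), m.group("src")


def detect(log: str, window=timedelta(minutes=10), threshold: int = 3) -> dict:
    """Per source IP: total attempts, attempts using a known default credential,
    hosts where a default credential succeeded, and whether the source ever made
    `threshold` or more attempts inside `window`."""
    events = sorted(parse(log))   # chronological
    per_src = defaultdict(lambda: {"attempts": 0, "default_hits": 0,
                                   "compromised": set(), "flagged": False})
    recent = defaultdict(list)    # timestamps of this source's attempts still in the window
    for ts, host, ok, user, pw, src in events:
        r = per_src[src]
        r["attempts"] += 1
        recent[src] = [t for t in recent[src] if ts - t <= window] + [ts]
        if (user, pw) in DEFAULT_CREDENTIALS:
            r["default_hits"] += 1
            if ok:
                r["compromised"].add(host)   # a factory default let them in
        if len(recent[src]) >= threshold:
            r["flagged"] = True
    return {src: {**r, "compromised": sorted(r["compromised"])} for src, r in per_src.items()}


if __name__ == "__main__":
    for src, report in detect(SAMPLE_LOG).items():
        print(src, report)
```

The one legitimate typo from 198.51.100.4 is left alone, while 203.0.113.7 is flagged for the burst and, more usefully, cam01 shows up as compromised because root/888888 succeeded: that host needs its password changed and its telnet service shut off, not just the attacker blocked.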

--
BY NODE