DEAD DROP 04 / DLINK HOLES, SPOTIFY MALWARE, HACKER DOCUMENTARIES, IOT DDOS
--

Welcome to Dead Drop number 4, a look at what's happening in the worlds of computer security and digital freedom. All source links mentioned are below.

- Youtube link
- Archive.org mirror
- Torrent
- Keybase mirror

BREACHES

i-Dressup, a social network for teenage girls, has allegedly leaked as many as 5.5 million plaintext passwords, apparently due to an SQL-injection attack. As of a few days ago, Ars Technica reported that the site still hadn't been fixed.

http://www.i-dressup.com/
http://arstechnica.com/security/2016/09/social-hangout-site-for-teens-leaks-millions-of-plaintext-passwords/
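Both defects in that story, a login query that splices user input into the SQL text and passwords stored as plaintext, can be shown side by side in a few lines. The block below is an added example written for this newsletter, not code from i-Dressup or from the articles linked above; it uses Python's built-in sqlite3 with an in-memory database, and the table names, users and passwords are constructed sample data.

```python
# Added example, not code from the newsletter or from the sites it links. It
# shows, with Python's built-in sqlite3, the two defects behind a breach like
# the one above: a login query built by string concatenation, and passwords
# stored in plaintext. Table names, users and passwords are constructed sample data.
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 200_000
DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE users_plain (username TEXT PRIMARY KEY, password TEXT)")
DB.execute("CREATE TABLE users_hashed (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")


# --- vulnerable version: what a site that leaks plaintext passwords looks like ---
def register_vulnerable(username, password):
    DB.execute("INSERT OR REPLACE INTO users_plain VALUES (?, ?)", (username, password))


def login_vulnerable(username, password):
    # User input is spliced into the SQL text, so a crafted password can
    # rewrite the WHERE clause instead of being compared as a value.
    query = ("SELECT username FROM users_plain WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return DB.execute(query).fetchone() is not None


# --- hardened version: parameterised query and salted PBKDF2 hash ---
def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def register_hardened(username, password):
    salt = os.urandom(16)
    DB.execute("INSERT OR REPLACE INTO users_hashed VALUES (?, ?, ?)",
               (username, salt, _hash(password, salt)))


def login_hardened(username, password):
    # The ? placeholder sends the username as data; it can never become SQL.
    row = DB.execute("SELECT salt, pw_hash FROM users_hashed WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(_hash(password, salt), stored)


def plaintext_exposed():
    # What someone who dumps each table walks away with.
    plain = DB.execute("SELECT password FROM users_plain").fetchall()
    hashed = DB.execute("SELECT pw_hash FROM users_hashed").fetchall()
    return [p[0] for p in plain], [h[0] for h in hashed]


def demo():
    register_vulnerable("alice", "hunter2")
    register_hardened("alice", "hunter2")
    bypass = "' OR '1'='1"  # the textbook tautology input
    results = {
        "vuln_correct": login_vulnerable("alice", "hunter2"),
        "vuln_bypass": login_vulnerable("alice", bypass),
        "hard_correct": login_hardened("alice", "hunter2"),
        "hard_bypass": login_hardened("alice", bypass),
    }
    plain, hashed = plaintext_exposed()
    results["plaintext_leaked"] = "hunter2" in plain
    results["hash_leaks_plaintext"] = any(b"hunter2" in h for h in hashed)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the dump at the end is the one the Ars story makes: a parameterised query stops the injection, but even if an attacker gets the table some other way, a salted PBKDF2 hash gives them nothing that reads as a password.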

SCAN Health Plan has also been notifying customers of a breach, which happened in June of this year, that exposed almost 90,000 customers' personal and health details to attackers.

http://www.scmagazine.com/87k-affected-in-scan-health-plan-breach/article/519407/

VULNERABILITIES

Security researcher Pierre Kim has found and documented a bunch of vulnerabilities in the D-Link DWR-932B router. These include telnet and SSH being enabled by default, the admin password being "admin", and the root password being "1234". There's also a hard-coded WPS PIN for the Wi-Fi security, along with lots more holes.

https://pierrekim.github.io/blog/2016-09-28-dlink-dwr-932b-lte-routers-vulnerabilities.html
https://threatpost.com/backdoored-d-link-router-should-be-trashed-researcher-says/120979/
https://thehackernews.com/2016/09/hacking-d-link-wireless-router.html

This week Spotify users found out that some of the ads on the free version of the player were delivering malware to their systems by making their browsers open infected sites.

http://www.darkreading.com/attacks-breaches/malicious-ad-served-gratis-with-spotify-free/d/d-id/1327126

Security company RiskIQ also released a new report on the rise in eCommerce sites being compromised by web-based keyloggers, which let attackers steal credit card numbers and other identity info in real time.

https://safe.riskiq.com/rs/455-NHF-420/images/Compromised_eCommerce_Sites_Lead_to_Web-Based_Keyloggers.pdf
https://threatpost.com/web-based-keylogger-used-to-steal-credit-card-data-from-popular-sites/121141/
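A web-based keylogger of the kind RiskIQ describes is just a script tag that shouldn't be there, so the first line of defence on a checkout page is knowing which script hosts are expected and alerting on anything else. The block below is an added example for this newsletter, not code from RiskIQ or the linked articles: it parses a constructed checkout page with the standard-library html.parser, reports script sources outside an allowlist and inline scripts (which a Content-Security-Policy would block anyway), and builds the matching script-src directive. The hostnames and the page markup are made up for the example.

```python
# Added example, not code from the newsletter or from RiskIQ. Audits the
# <script> tags of a checkout page against an allowlist of expected hosts and
# builds the CSP directive that would enforce the same list in the browser.
# The page markup and hostnames below are constructed sample data.
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_CHECKOUT_HTML = """\
<html><body>
<form action="/pay" method="post">
  <input name="card_number"><input name="cvv"><button>Pay</button>
</form>
<script src="/static/checkout.js"></script>
<script src="https://cdn.payments.example/sdk.js"></script>
<script src="//stats.unknown-third-party.example/k.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</body></html>
"""


class ScriptCollector(HTMLParser):
    """Collects external script URLs and counts inline script blocks."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = 0
        self._buf = None  # non-None while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buf = ""

    def handle_data(self, data):
        if self._buf is not None:
            self._buf += data

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            if self._buf.strip():
                self.inline += 1
            self._buf = None


def audit_checkout_page(html, allowed_hosts):
    """Return a list of findings; an empty list means every script is expected."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = urlparse(src).netloc.lower()
        if host == "":
            continue  # relative URL: served by the site itself
        if host not in allowed_hosts:
            findings.append(f"unexpected script host: {host} ({src})")
    if parser.inline:
        findings.append(f"{parser.inline} inline script block(s): move to first-party "
                        f"files or allow them with a nonce/hash")
    return findings


def build_csp(allowed_hosts):
    """script-src that permits only first-party files and the allowlisted hosts."""
    hosts = " ".join(f"https://{h}" for h in sorted(allowed_hosts))
    return f"script-src 'self' {hosts}; form-action 'self'"


if __name__ == "__main__":
    allowed = {"cdn.payments.example"}
    for finding in audit_checkout_page(SAMPLE_CHECKOUT_HTML, allowed):
        print(finding)
    print("Content-Security-Policy:", build_csp(allowed))
```

Running the audit on every deploy (or on a fetched copy of the live page, since these injections often happen server-side) catches a new host the moment it appears; shipping the generated CSP header means the browser refuses to load it even if the audit is missed.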

BROWSERS

I made a video about this the other day, but if you haven't checked it out, a GitHub user by the name of Eloston has created Ungoogled Chromium, which takes the Chromium browser and removes all traces of Google from it for privacy and security.

https://github.com/Eloston/ungoogled-chromium
https://www.youtube.com/watch?v=7FTEn-ivwu4

HACKING

Hak5 took a trip to DerbyCon, and in the latest episode they talk about unusual Internet connected devices that can be attacked and controlled remotely, including sex toys.

https://www.youtube.com/watch?v=uHiRWJn6sWw

I also came across this gigantic list of hacker documentaries and videos from conferences recently and had to share. There seem to be literally hundreds of videos to download, so check it out.

https://vids.localmsp.org/

INTERNET OF FAILS

I mentioned recently how IoT devices are increasingly being used for DDoS attacks. Well, an unprecedented attack involving 1.5 million hijacked IP cameras has since been used to bombard the popular KrebsOnSecurity site for more than 2 days.

http://www.networkworld.com/article/3123672/security/largest-ddos-attack-ever-delivered-by-botnet-of-hijacked-iot-devices.html
https://motherboard.vice.com/read/15-million-connected-cameras-ddos-botnet-brian-krebs

Off the back of that, researchers have found at least 500,000 devices that are vulnerable to this kind of botnet takeover, due to a combination of reasons such as default passwords and SSH/telnet being enabled by default.

https://www.flashpoint-intel.com/when-vulnerabilities-travel-downstream/
http://www.securityweek.com/over-500000-iot-devices-vulnerable-mirai-botnet
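Devices get recruited into this kind of botnet by something very visible on the network edge: one source knocking on the telnet port of host after host. The block below is an added example for this newsletter, not code from Flashpoint or the linked articles. It parses firewall log lines written in the style of iptables LOG output, and flags any source that sends SYNs to the telnet ports of at least five different hosts within a sliding window. The log lines, addresses, window and threshold are all constructed assumptions for the example.

```python
# Added example, not code from the newsletter or from the linked reports. A
# small detector for the scanning behaviour that precedes this kind of takeover:
# one source trying the telnet ports of many different hosts in a short window.
# The log lines are constructed in the style of iptables LOG output; the
# addresses, times and thresholds are assumptions for the example.
import re
from collections import defaultdict

TELNET_PORTS = {23, 2323}

# Syslog timestamp, the SRC/DST/PROTO/DPT fields iptables writes, then a SYN flag.
LOG_RE = re.compile(
    r"^\w{3}\s+\d+\s+(\d\d):(\d\d):(\d\d)\s+\S+\s+kernel:.*?"
    r"SRC=(\S+)\s+DST=(\S+).*?PROTO=TCP\s+SPT=\d+\s+DPT=(\d+)\b.*?\bSYN\b"
)

# Constructed sample: 198.51.100.7 probes seven hosts (one of them twice) on
# 23/2323, six of them within 15 seconds; 203.0.113.5 is ordinary traffic.
SAMPLE_LOG = """\
Oct  3 12:00:01 gw kernel: [FW-IN] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TTL=52 PROTO=TCP SPT=51234 DPT=23 WINDOW=1024 SYN URGP=0
Oct  3 12:00:02 gw kernel: [FW-IN] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TTL=52 PROTO=TCP SPT=51234 DPT=23 WINDOW=1024 SYN URGP=0
Oct  3 12:00:04 gw kernel: [FW-IN] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.11 LEN=40 TTL=52 PROTO=TCP SPT=51235 DPT=23 WINDOW=1024 SYN URGP=0
Oct  3 12:00:05 gw kernel: [FW-IN] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=64 PROTO=TCP SPT=40001 DPT=22 WINDOW=29200 SYN URGP=0
Oct  3 12:00:07 gw kernel: [FW-IN] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.12 LEN=40 TTL=52 PROTO=TCP SPT=51236 DPT=2323 WINDOW=1024 SYN URGP=0
Oct  3 12:00:10 gw kernel: [FW-IN] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.13 LEN=40 TTL=52 PROTO=TCP SPT=51237 DPT=23 WINDOW=1024 SYN URGP=0
Oct  3 12:00:13 gw kernel: [FW-IN] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.14 LEN=40 TTL=52 PROTO=TCP SPT=51238 DPT=23 WINDOW=1024 SYN URGP=0
Oct  3 12:00:16 gw kernel: [FW-IN] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.15 LEN=40 TTL=52 PROTO=TCP SPT=51239 DPT=23 WINDOW=1024 SYN URGP=0
Oct  3 12:00:30 gw kernel: [FW-IN] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.11 LEN=60 TTL=64 PROTO=TCP SPT=40002 DPT=23 WINDOW=29200 SYN URGP=0
Oct  3 12:05:00 gw kernel: [FW-IN] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.16 LEN=40 TTL=52 PROTO=TCP SPT=51240 DPT=23 WINDOW=1024 SYN URGP=0
"""


def parse_line(line):
    """Return (seconds_since_midnight, src, dst, dport) for a TCP SYN line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hh, mm, ss, src, dst, dport = m.groups()
    return int(hh) * 3600 + int(mm) * 60 + int(ss), src, dst, int(dport)


def max_distinct_in_window(events, window_s):
    """Largest number of distinct targets one source hit within any window_s span."""
    events = sorted(events)  # (time, dst)
    best, j = 0, 0
    for i in range(len(events)):
        # events[i:j] is always the run of events within window_s of events[i]
        while j < len(events) and events[j][0] - events[i][0] <= window_s:
            j += 1
        best = max(best, len({dst for _, dst in events[i:j]}))
    return best


def find_telnet_scanners(lines, window_s=60, min_targets=5):
    """Map each suspicious source to the most telnet targets it hit in one window."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[3] not in TELNET_PORTS:
            continue
        t, src, dst, _ = rec
        hits[src].append((t, dst))
    scanners = {}
    for src, events in hits.items():
        distinct = max_distinct_in_window(events, window_s)
        if distinct >= min_targets:
            scanners[src] = distinct
    return scanners


if __name__ == "__main__":
    for src, count in find_telnet_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: telnet SYNs to {count} distinct hosts within 60s")
```

Counting distinct destinations rather than raw packets is what keeps a retrying legitimate client (the repeated 192.0.2.10 line above) from tripping the rule, and the window is what separates a scanner from a source that happens to talk telnet to a few hosts over a whole day. On the device side, the fix the articles point at is simpler still: leave telnet off and change the default password.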

SURVEILLANCE

Privacy International posted an interesting overview of the different ways the US and UK governments perform bulk data collection, from tapping undersea cables, to how they store, share, and analyse the data.

https://medium.com/privacy-international/how-bulk-interception-works-d645440ff6bd

Speaking of surveillance, some former Yahoo employees have said that last year the company built a system to automatically monitor all of its users' email accounts for the US government, affecting the privacy of hundreds of millions of people.

I think the only good thing about these kinds of revelations is that they might spur the creation of better zero-knowledge and P2P alternatives.

http://news.trust.org/item/20161004170601-99f8c
https://theintercept.com/2016/10/07/ex-yahoo-employee-government-spy-program-could-have-given-a-hacker-access-to-all-email/

CENSORSHIP

And finally, the EFF wrote an interesting article about how pharmaceutical companies are bypassing laws to indirectly censor rivals on the internet. They create organizations made up of large providers such as Google, Facebook, Mastercard, etc., and basically make it impossible to run these sites, even if the owners of the sites are fully compliant with the law.

https://www.eff.org/deeplinks/2016/09/how-big-pharmas-shadow-regulation-censors-internet

--
BY NODE