DEAD DROP 05 / BILLBOARD HACK, BLOCKCHAIN DNS, SOCIAL FINGERPRINTING
--

Welcome to Dead Drop number 5, a look at what's happening in the worlds of computer security and digital freedom. All source links mentioned are below.

- YouTube link
- Archive.org mirror
- Torrent
- Keybase mirror

BREACHES

A data management company called Modern Business Solutions was allegedly hacked recently, with upwards of 58 million user records being dumped on various file sharing sites. The breach was the result of a poorly secured Mongo database, and it revealed users' full names, IP addresses, dates of birth, email addresses, occupation details and more.

http://modbsolutions.com
https://www.riskbasedsecurity.com/2016/10/modern-business-solutions-stumbles-over-a-modern-business-problem-58m-records-dumped-from-an-unsecured-database/

HACKING

An IT analyst in Jakarta, Indonesia faces up to 12 years in jail for hacking a giant billboard next to a highway, and broadcasting Japanese porn to thousands of motorists stuck in traffic.

https://www.indy100.com/article/bored-man-hacks-into-giant-billboard-so-he-can-watch-porn-while-stuck-in-traffic-7348236

DNS HIJACKING

Blockchain.info, one of the biggest blockchain explorers and Bitcoin web wallets, had its domain name hijacked this week, leaving 8 million wallet users unable to access their accounts. Thankfully this only caused disruption for a day or so, and luckily the DNS wasn't successfully pointed at a phishing site, which I'm guessing is what might have been the plan.

http://blockchain.info
https://thehackernews.com/2016/10/blockchain-bitcoin-website.html

VULNERABILITIES

Apple recently added a preview feature to the latest iMessage update, which automatically loads links. This allows attackers to send phishing links in SMS messages that reveal data about the user, which can then be used in further attacks.

https://theantisocialengineer.com/imessage-preview-problems/
https://www.youtube.com/watch?v=_jVmQYrTqqE

Researchers at McAfee have found a banking trojan on Android which hides on your phone and pops up a phishing overlay, for instance when you want to buy something on the Google Play store. More than just stealing your credit card details, it also asks you to take a selfie to verify your identity, making it possible for attackers to find people on social networks, steal their identities, etc.

https://blogs.mcafee.com/mcafee-labs/android-banking-trojan-asks-for-selfie-with-your-id/

In another recently discovered vulnerability, researchers found a zero-day in the OpenJPEG library, affecting JPEG 2000 image files. An attacker need only send a specially crafted JPEG 2000 file as an email attachment, a link, or embedded in a PDF, and the code within it is run automatically.

http://blog.talosintel.com/2016/09/vulnerability-spotlight-jpeg2000.html
https://thehackernews.com/2016/10/openjpeg-exploit-hack.html
http://www.openjpeg.org/

PRIVACY

Robin Linus wrote a post about how a long-known vulnerability in the way some sites use cookies allows other people to know which services you're currently logged into, which is obviously not good for privacy. The page that Robin created will show you which sites you're logged into, unless you have third-party cookies disabled.

https://robinlinus.github.io/socialmedia-leak/

SOCIAL NETWORKING

A report by the ACLU showed that Facebook, Instagram, and Twitter provided data to a surveillance company, which has been used by police to identify and arrest people at protests. The product is called Geofeedia, and it allows its customers to monitor social media posts made inside certain geographic areas, all in real time.

https://www.aclunc.org/blog/facebook-instagram-and-twitter-provided-data-access-surveillance-product-marketed-target
http://www.theverge.com/2016/10/11/13243890/facebook-twitter-instagram-police-surveillance-geofeedia-api
https://www.youtube.com/watch?v=pjZU8KRoezo

INTERNET OF FAILS

CDN Akamai released new research on how 2 million IoT devices, such as CCTV cameras, routers and network-attached storage, have old OpenSSH vulnerabilities, allowing attackers to spy on networks or launch DDoS attacks. Like the other IoT stuff I've talked about, this is due to default passwords, vendors using out-of-date firmware, and having SSH enabled by default.

https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/sshowdown-exploitation-of-iot-devices-for-launching-mass-scale-attack-campaigns.pdf
https://thehackernews.com/2016/10/sshowdown-iot-security.html

COMMUNICATION

And finally this week, Signal, the encrypted messaging app, released a new update which enables timed disappearing messages. Times can range from 5 seconds up to a week. I'm not sure how secure the deletion process is, but the source code is available on GitHub.

https://whispersystems.org/blog/disappearing-messages/

--
BY NODE