DEAD DROP 06 / VOIP ACOUSTIC ATTACK, FACE DATABASES, VERACRYPT AUDIT, IOT DDOS
--

Welcome to Dead Drop number 6, a look at what's happening in the worlds of computer security and digital freedom. All source links mentioned are below. All footage used is under fair use guidelines for news and comment.

- Youtube link
- Archive.org mirror
- Torrent
- Keybase mirror

BREACHES

Website building service Weebly has reportedly had over 43 million records stolen in a recent breach. Information taken includes usernames, email addresses, IP addresses and password hashes.

http://weebly.com
https://www.youtube.com/watch?v=B6t02_J7be8
https://thehackernews.com/2016/10/weebly-foursquare-data-breach.html

And over in India, over 3 million debit card details have been stolen from multiple banks and financial platforms. This affects the State Bank of India, HDFC Bank, Yes Bank, ICICI Bank and Axis, and customers should change their PINs immediately. The attack was allegedly due to malware which targets ATMs and Point of Sale machines.

https://thehackernews.com/2016/10/india-debit-card-hack.html

Hackers are also claiming they have stolen a database with over 70 million account details from the swinger website AdultFriendFinder.

https://nakedsecurity.sophos.com/2016/10/21/millions-of-adultfriendfinder-user-accounts-hacked-again/

VULNERABILITIES

Security researchers at the University of California have shown that Skype and other Voice-over-IP calls can reveal user keystrokes through acoustic eavesdropping. Dubbed Skype & Type, the attack shows that when users type whilst in a call, keystrokes and typing patterns can be accurately guessed from the call audio, potentially revealing sensitive data.

http://www.securityweek.com/skype-calls-expose-user-keystrokes-researchers
https://arxiv.org/pdf/1609.09359.pdf
skype logo https://www.youtube.com/watch?v=PQUDQo—tg
https://www.youtube.com/watch?v=TDnHTqtdUJ8

FACIAL RECOGNITION

A report by the Center for Privacy & Technology at Georgetown University has found that one in two Americans, some 117 million adults, have their faces in facial recognition databases created by US law enforcement, and since this technology is fairly new, there aren't really any rules or oversight in place to prevent potential misuse.

https://www.perpetuallineup.org
https://www.youtube.com/watch?v=K4u4Dpl6NKk

ENCRYPTION

Veracrypt, the open source encryption app and successor to Truecrypt, had the results of its recent security audit released this week. QuarksLab found 8 critical vulnerabilities and various lower-level problems in the software, all of which except the most minor have been fixed.

http://blog.quarkslab.com/security-assessment-of-veracrypt-fixes-and-evolutions-from-truecrypt.html
https://ostif.org/the-veracrypt-audit-results/
https://www.youtube.com/watch?v=xhJwPA6b2QA

And speaking of encryption, two people in California have been forced by police to press their fingers to their phones in order to unlock them and get around the built-in encryption.

http://www.forbes.com/sites/thomasbrewster/2016/10/16/doj-demands-mass-fingerprint-seizure-to-open-iphones/
http://arstechnica.com/tech-policy/2016/10/to-beat-crypto-feds-have-tried-to-force-fingerprint-unlocking-in-2-cases/
https://www.youtube.com/watch?v=U2MTLNfCZBQ

HACKING

A bunch of researchers have documented an interesting, if somewhat convoluted, hack which allowed attackers to sabotage the 3D printing files for a drone propeller, causing it to fail mechanically after short use. Although this is a bit of a novelty at the moment, it may develop into more of a problem if 3D printing goes mainstream.

https://www.youtube.com/watch?v=zUnSpT6jSys
http://www.3ders.org/articles/20161020-dr0wned-researchers-highlight-security-concerns-with-3d-printing-by-downing-a-drone.html

DDOS

I've been talking about how insecure Internet of Things devices are going to be a problem for a while now, and we all saw this the other day with the massive DDoS attack on the DNS service which is used by many big tech companies, like Twitter, Spotify, Reddit, Netflix and more.

It could be related to the Bruce Schneier post I mentioned a few weeks back, where he thought someone was trying to figure out how to take down the Internet. It may be a test run for something closer to the upcoming US election, or perhaps Wikileaks' reported bombshell they'll be releasing soon, but no one knows for sure. I guess we will find out in the next few weeks. What do you think's going on?

http://thenextweb.com/insider/2016/10/21/massive-ddos-attack-dyn-dns-causing-havoc-online/
https://www.dynstatus.com/
https://krebsonsecurity.com/2016/10/ddos-on-dyn-impacts-twitter-spotify-reddit/
http://www.networkworld.com/article/3134057/security/how-the-dyn-ddos-attack-unfolded.html
https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/
https://thehackernews.com/2016/10/iot-dyn-ddos-attack.html
http://www.scmagazine.com/mirai-botnets-linked-to-massive-ddos-attacks-on-dyn-dns-flashpoint-says/article/567607/
https://www.youtube.com/watch?v=k0BlYANFwWc

KNOWLEDGE

And finally this week, here are two guides you might enjoy. The first is called 'A Noob's Guide to Mesh Networking' and goes over a few of the alternative network projects out there. The second shows you how to bypass the VPN blocking that some sites implement.

https://www.deepdotweb.com/2016/10/04/noobs-guide-mesh-networking/
https://www.bestvpn.com/how-to-bypass-vpn-blocks/

--
BY NODE