Welcome to Dead Drop number 8, a look at what's happening in the worlds of computer security and internet freedom. All source links mentioned are below.
BREACHES / LEAKS
British mobile network Three had one of it's databases hacked recently, exposing data for 6 million of it's customers. It's related to the companies phone upgrade database, and since the breach, they say have seen an uptick in people fraudulently attempting to get upgraded smartphones.
A tech recruitment company also inadvertently leaked the data from 8 million Github users recently too. It scraped millions of Github accounts for their project, but a misconfigured MongoDB Database exposed everything. The info was already available online, but it tied names, email addresses, locations etc together in a large dataset.
A digital forensics firm has found that Apple's iPhones automatically sends call logs if iCloud backup is enabled, as you'd expect, but more worrying, it also sends data when it's disabled, all without the user knowing.
Similar to that, some other researchers have also recently found a backdoor installed on over 700 million android phones, which is secretly sending user call logs, contact lists, location history and app data, back to China every 72 hours.
A major vulnerability has been discovered in Linux too. It involves the implementation of the Cryptsetup utility which handles full disk encryption on many Linux systems. Researchers found that if you incorrectly enter the disk encryption password 93 times in a row, it automatically gives the attacker root privelages to the boot areas on a drive, and that could be used to plant malicious software to gain access, or delete the contents of the encrypted disk.
As well as that, youtuber EverythingApplePro showed off a way to bypass iPhone and iPad lock screens, and access photos, contacts and message logs. This effects the latest iOS 10 release, all the way down to iOS 8.
Samy Kamkar released a new video this week of his PoisonTap attack, which involves using a Pi Zero to mimic a network interface, redirecting traffic to the device, and installing a backdoor, even on systems that are password protected. There's much more to it than that, so check out his video.
Hak5 also created another insightful tutorial, showing you how to use the USB Rubber Ducky to automatically copy files to it when you plug it into a system.
This week an international team of security researchers released the results of it's security audit of the Signal messaging app. The team passed it with flying colours, saying "Signal has no discernible flaws, and offers a well-designed and compromise-resistant architecture". A link to the paper is in the description.
INTERNET OF FAILS
Researcher Rob Graham set up a test environment to see what happens when you add an unprotected IP camera to a network, and found that it became infected by the Mirai botnet worm in a staggering 98 seconds. What hope do non-technical people have?
And finally, this week the UK government introduced some new surveillance laws that allow law enforcement to basically do whatever they want when it comes to our devices and data. This includes forcing ISPs to store every single thing we do online for a year, and making it available real-time, forcing companies to decrypt data on demand, and legally allowing agencies to hack into any computer or device they want. Great.
And on that depressing note, that's it for this week. Thanks for watching.