DEAD DROP 08 / 1984 IS HERE, LOCKSCREEN BYPASS, POISONTAP, FAST IOT INFECTIONS
--

Welcome to Dead Drop number 8, a look at what's happening in the worlds of computer security and internet freedom. All source links mentioned are below.

- Youtube link
- Archive.org mirror
- Torrent
- Keybase mirror

BREACHES / LEAKS

British mobile network Three had one of its databases hacked recently, exposing data for 6 million of its customers. It's related to the company's phone upgrade database, and since the breach, they say they have seen an uptick in people fraudulently attempting to get upgraded smartphones.

https://thehackernews.com/2016/11/3-mobile-uk-hacked.html
http://www.three.co.uk/upgrade-fraud

A tech recruitment company also inadvertently leaked the data of 8 million GitHub users recently. It scraped millions of GitHub accounts for its project, but a misconfigured MongoDB database exposed everything. The info was already available online, but the dataset tied names, email addresses, locations, etc. together in one place.

http://www.securityweek.com/recruitment-site-scraped-leaked-8-million-github-profiles

VULNERABILITIES

A digital forensics firm has found that Apple's iPhones automatically send call logs if iCloud backup is enabled, as you'd expect, but more worryingly, they also send data when it's disabled, all without the user knowing.

https://theintercept.com/2016/11/17/iphones-secretly-send-call-history-to-apple-security-firm-says/
https://www.youtube.com/watch?v=sbios0u2Px8

Similarly, other researchers have recently found a backdoor installed on over 700 million Android phones, which is secretly sending user call logs, contact lists, location history and app data back to China every 72 hours.

http://www.kryptowire.com/adups_security_analysis.html
https://thehackernews.com/2016/11/hacking-android-smartphone.html
https://www.youtube.com/watch?v=8xn9iq3lG_w

A major vulnerability has been discovered in Linux too. It involves the implementation of the Cryptsetup utility, which handles full disk encryption on many Linux systems. Researchers found that if you incorrectly enter the disk encryption password 93 times in a row, it automatically gives the attacker root privileges to the boot areas on a drive, and that could be used to plant malicious software to gain access, or delete the contents of the encrypted disk.

https://thehackernews.com/2016/11/hacking-linux-system.html
http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html

As well as that, YouTuber EverythingApplePro showed off a way to bypass iPhone and iPad lock screens, and access photos, contacts and message logs. This affects the latest iOS 10 release, all the way down to iOS 8.

https://thehackernews.com/2016/11/iphone-hacking.html
https://www.youtube.com/watch?v=hP3BMyrFBSs

HACKING

Samy Kamkar released a new video this week of his PoisonTap attack, which involves using a Pi Zero to mimic a network interface, redirecting traffic to the device, and installing a backdoor, even on systems that are password protected. There's much more to it than that, so check out his video.

https://www.youtube.com/watch?v=Aatp5gCskvk
http://arstechnica.com/security/2016/11/meet-poisontap-the-5-tool-that-ransacks-password-protected-computers/

Hak5 also created another insightful tutorial, showing you how to use the USB Rubber Ducky to automatically copy files to it when you plug it into a system.

https://www.youtube.com/watch?v=48viMtzQ4rE
https://www.hak5.org/episodes/season-21/hak5-2112-stealing-files-with-the-usb-rubber-ducky

CRYPTO

This week an international team of security researchers released the results of its security audit of the Signal messaging app. The team passed it with flying colours, saying "Signal has no discernible flaws, and offers a well-designed and compromise-resistant architecture". A link to the paper is in the description.

http://www.darknet.org.uk/2016/11/signal-messaging-app-formal-audit-results-are-good/
https://eprint.iacr.org/2016/1013.pdf

INTERNET OF FAILS

Researcher Rob Graham set up a test environment to see what happens when you add an unprotected IP camera to a network, and found that it became infected by the Mirai botnet worm in a staggering 98 seconds. What hope do non-technical people have?

https://twitter.com/ErrataRob/status/799556482719162368
https://techcrunch.com/2016/11/18/this-security-camera-was-infected-by-malware-in-98-seconds-after-it-was-plugged-in

INTERNET FREEDOM

And finally, this week the UK government introduced some new surveillance laws that allow law enforcement to basically do whatever they want when it comes to our devices and data. This includes forcing ISPs to store every single thing we do online for a year and make it available in real time, forcing companies to decrypt data on demand, and legally allowing agencies to hack into any computer or device they want. Great.

And on that depressing note, that's it for this week. Thanks for watching.

http://www.zdnet.com/article/snoopers-charter-expansive-new-spying-powers-becomes-law/
https://www.youtube.com/watch?v=b36co0WUOWM

--
BY NODE