DEAD DROP 9 / NAVY BREACH, RIOT ENCRYPTION, MICROPHONE HEADPHONES, UNSECURED WIFI
--

Welcome to Dead Drop number 9, a look at what's happening in the worlds of computer security and internet freedom. All source links mentioned are below.

- Youtube link
- Archive.org mirror
- Torrent
- Keybase mirror

BREACHES

A laptop used by a Navy IT contractor was recently hacked, exposing sensitive data including social security numbers of about 130,000 Navy personnel. A spokesman said that those affected will be notified in the coming weeks.

http://www.reuters.com/article/us-usa-cyber-navy-idUSKBN13J001

COMMUNICATION

Riot announced that the latest version of their decentralized, cross-platform chat app now has end-to-end encryption built in, meaning room admins now have the ability to increase the privacy of users.

https://medium.com/@RiotChat/exciting-new-riot-release-get-ready-for-chatting-securely-acc93ecfe0a
http://riot.im

The Tor Project also pushed out a new release of their Tor Messenger app this week. Have any of you tried either of these chat apps? What are your thoughts?

https://blog.torproject.org/blog/tor-messenger-030b1-released

HACKING

Black Hat uploaded a tonne of new videos from their latest conference, Black Hat USA 2016. As always, there are many different topics covered to get your neurons firing.

https://www.youtube.com/user/BlackHatOfficialYT/videos

WIFI

Kaspersky Lab created a report on the security of wireless networks around the globe, based on their security network database. They found that of the 32 million access points assessed, roughly ¼ of them are completely open, without any form of encryption. It also drills down into the types of encryption used, and distribution around the world. Well worth a read.

https://securelist.com/blog/research/76733/research-on-unsecured-wi-fi-networks-across-the-world/

And speaking of unsecured networks, AndroidAuthority on YouTube released a good 101 video about the different ways someone could go about capturing data on open wifi hotspots.

https://www.youtube.com/watch?v=YzP3ZL4vlkY

INTERNET OF FAILS

On the back of all the IP camera fails I've covered recently, a new serious vulnerability has been found in Siemens-branded CCTV cameras, used widely by government and healthcare organizations.

A carefully crafted request can be exploited remotely, revealing admin credentials, and leading to access. A patch has been released, but it requires individual camera operators to apply it manually.

https://threatpost.com/credentials-accessible-in-siemens-branded-cctv-cameras/122072/
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-284765.pdf

VULNERABILITIES

Another day, another massive Android vulnerability, this time affecting almost 3 million Chinese handsets. Similar to something I covered in an earlier episode, researchers found a hidden binary responsible for software updates, which can be taken advantage of using a man-in-the-middle attack, allowing attackers to install and run anything they like.

http://blog.anubisnetworks.com/blog/ragentek-android-ota-update-mechanism-vulnerable-to-mitm-attack
https://thehackernews.com/2016/11/hacking-android-smartphone18.html
https://www.youtube.com/watch?v=I0P5vOmuzqw

PRIVACY

Researchers at Ben Gurion University showed off a way to turn headphones into microphones, for audio surveillance. This is due to the widely used Realtek audio codec chip, which allows attackers to change audio output to audio input.

https://www.youtube.com/watch?v=ez3o8aIZCDM
https://thehackernews.com/2016/11/headphone-spying-malware.html

BIG DATA

And finally, Bloomberg reports that some financial institutions have begun using phone data, like location, call and browsing habits, to determine whether people who don't have credit histories are allowed or denied loans.

This opens up the possibility of being pre-declined for loans, just by virtue of where you live, who you know, and what your interests are.

https://www.bloomberg.com/news/articles/2016-11-25/no-credit-history-no-problem-lenders-now-peering-at-phone-data
https://www.youtube.com/watch?v=g-MkkXUFedE

--
BY NODE