DEAD DROP 11 / MICRO SD RECOVERY, FACE TRACKING, THUNDERBOLT RAM HACK
--

Welcome to Dead Drop number 11, a look at what's happening in the worlds of computer security and internet freedom. All source links mentioned are below.

- Youtube link
- Archive.org mirror
- Torrent
- Keybase mirror

BREACHES

On the back of the mother of all breaches that happened at Yahoo recently, it seems like they've topped it, with the announcement that a further 1 billion accounts have been compromised. This breach apparently occurred in August 2013, and Yahoo aren't quite sure how it happened. What a shit show.

https://yahoo.tumblr.com/post/154479236569/important-security-information-for-yahoo-users
https://thehackernews.com/2016/12/yahoo-data-breach-billion.html

Dailymotion are also asking users to change passwords, after an apparent trove of almost 90 million user details turned up on the LeakedSource website.

http://blog.dailymotion.com/en/dailymotion-account-security-update/

Troy Hunt, the creator of HaveIBeenPwned, has released 1.4 billion records for researchers to look over. All personal information and associated domains have been stripped, and it will be interesting to see what information is gleaned from this dataset.

https://www.troyhunt.com/heres-1-4-billion-records-from-have-i-been-pwned-for-you-to-analyse

PRIVACY

This week the EFF released version 2 of their Privacy Badger browser extension, with a bunch of new features to help increase browsing privacy.

https://www.eff.org/deeplinks/2016/12/new-and-improved-privacy-badger-20-here

Robin Linus created a little web app which shows what every browser knows about you, from location, to what hardware and software you're running, to local and public IP addresses, battery charge, and more. This is an old link, but still worth reminding yourself of the various ways you're tracked.

http://webkay.robinlinus.com/

VULNERABILITIES

Researchers at Trustwave have found a bug in Skype on Macs, which allows attackers to spy on users' communications. It takes advantage of Skype's API, which allows third-party apps to use the service, gaining full access with just a few lines of code.

https://thehackernews.com/2016/12/hacking-skype.html
https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2016-021/?fid=8709
https://www.youtube.com/watch?v=FskzENRR0Yo

HACKING

Researcher Ulf Frisk showed how you can steal FileVault encryption passwords directly from MacBooks with Thunderbolt ports. This is achieved using a PCI Express Thunderbolt adaptor with flashed firmware, which can read RAM contents directly when the laptop is rebooted, bypassing protections.

https://www.youtube.com/watch?v=n_3eIFMR46Y
http://blog.frizk.net/2016/12/filevault-password-retrieval.html

Hackaday have also uploaded a bunch of new videos to their YouTube channel from one of their recent events.

https://www.youtube.com/user/hackaday/videos

DATA RECOVERY

I found this video which shows you how to recover data from dead microSD cards. It involves sanding the back to reveal the copper circuit, and manually soldering them to a memory controller. Pretty interesting, I've never seen this method before.

https://www.youtube.com/watch?v=jjB6wliyE_Y

TRACKING

Art student Egor Tsvetkov started a project called "Your Face is Big Data". It involved taking photos of random people on the subway, then putting them through the FindFace facial recognition app. About 70% of the photos allowed Egor to find the person's related social media accounts. We already know governments can do this, but think of the implications when corporations and random people have this power too.

https://imgur.com/gallery/1cLxV

And finally, after having his phone stolen, filmmaker Anthony van der Meer decided to set up a new phone, modified so it can take photos, video and audio remotely, and intentionally left it in a place where it would be stolen.

This short film documents the journey the phone goes on, and the people it comes into contact with.

https://www.youtube.com/watch?v=NpN9NzO4Mo8

--
BY NODE