DEAD DROP 12 / NETGEAR 0DAY, PRE-CRIME AI, HARDWARE HACKING, CON VIDS
--

Welcome to Dead Drop number 12, a look at what's happening in the worlds of computer security, privacy, and internet freedom. All source links mentioned are below.

- YouTube link
- Archive.org mirror
- Torrent
- Keybase mirror

VULNERABILITIES

Starting off with a new remotely exploitable 0-day for the NETGEAR WNR2000 router. Researcher Pedro Ribeiro found that a remote admin feature commonly used for local area networks can also be exploited through the internet, due to a process which allows unauthenticated users access.

www.securityweek.com/remotely-exploitable-0-day-impacts-netgear-wnr2000-routers
http://seclists.org/fulldisclosure/2016/Dec/72

And in response to this and other NETGEAR related vulnerabilities, the company has now started a bug bounty program, offering up to $15k for disclosing bugs and exploits.

https://bugcrowd.com/netgear

In other news, if you recently downloaded Super Mario Run for Android, then you probably downloaded malware, since at the time of this video, the official app is only available on iOS, and not on the Google Play Store or other third-party stores.

https://thehackernews.com/2016/12/super-mario-run-android-apk.html

PRE-CRIME

Dubai's police force recently began using a crime prediction AI, which takes various disparate pieces of information and analyzes the likelihood of crimes occurring. The idea is then to send police into specific areas as a deterrent, before any actual crimes happen. Sounds like a way to quell protests before they even start.

http://www.businesswire.com/news/home/20161221005613/en/Dubai-Police-Unveils-%E2%80%9CCrime-Prediction%E2%80%9D-Software
http://newatlas.com/dubai-police-crime-prediction-software/47092/

HARDWARE HACKING

Cory Doctorow wrote a brief review of the upcoming book, The Hardware Hacker, by Bunnie Huang. It deals with hardware hacking, reverse engineering, Chinese manufacturing and more, and needless to say, looks very good. It's due to be released later this month.

https://boingboing.net/2016/12/30/the-hardware-hacker-bunnie-hu.html
https://www.amazon.com/Hardware-Hacker-Adventures-Making-Breaking/dp/159327758X/

SURVEILLANCE

Artist and researcher Adam Harvey is developing HyperFace, a new project which aims to help ordinary people defend against mass surveillance, and specifically to mess up facial recognition systems. It does this by creating a sort of camo design which, to machines, looks like many faces, sending them into overdrive.

https://ahprojects.com/projects/hyperface/
https://www.theguardian.com/technology/2017/jan/04/anti-surveillance-clothing-facial-recognition-hyperface

In other surveillance news, authorities in Singapore will now begin collecting iris scans from citizens whenever they apply for, or renew, certain services like passports. This is in addition to the photos and fingerprints that are currently used on these documents. What could possibly go wrong?

http://www.channelnewsasia.com/news/singapore/authorities-to-collect-iris-scans-from-singaporeans-prs-starting/3398728.html
https://www.youtube.com/watch?v=vbLKerkIrkY

FINGERPRINTING

Talking of fingerprints of a different kind, Mozilla have scheduled an update for the upcoming Firefox 52 release which will prevent websites from fingerprinting users using system fonts, a feature which is already active in the Tor browser. It's due in March this year.

https://www.bleepingcomputer.com/news/software/firefox-52-borrows-one-more-privacy-feature-from-the-tor-browser/
https://bugzilla.mozilla.org/show_bug.cgi?id=1121643

And speaking of the Tor browser, researchers have shown a way to de-anonymize users by using ultrasound. JavaScript embedded on pages or in ads can emit sounds outside human hearing range, which can then be picked up by other devices within microphone distance, sending personally identifiable information back. The attack is fairly convoluted, but it's something to be aware of.

https://www.bleepingcomputer.com/news/security/ultrasound-tracking-could-be-used-to-deanonymize-tor-users/
https://www.youtube.com/watch?v=ffFk0E7E7ek

VIDEOS

Absolutely tonnes of new videos this week. Seems like all the hacker-cons uploaded at the same time.

First we have all the latest talks from the Chaos Computer Congress 33 in Germany. As always, an eclectic mix covering many facets of hacker culture.

https://www.youtube.com/user/CCCen/videos

2600 also created a new playlist for the latest HOPE conference. This one alone contains over 100 new videos.

https://www.youtube.com/playlist?list=PLcajvRZA8E099SG5JGAaS56NMHPTbuHIV

And finally we have a bunch of new videos from DEFCON 24's Social Engineering Village, covering a variety of issues related to the human side of hacking and security.

https://www.youtube.com/playlist?list=PL9fPq3eQfaaBgh8PZgxzgG1Coj-ocPQ7t

Alright, that's it for this week. If you find any interesting links, let me know, and thanks for watching.

--
BY NODE