DEAD DROP 13 / ACROBAT DODGINESS, HTTPS 2016, ZERONET BIRTHDAY, 3D FACE CAMERA
--

Welcome to Dead Drop number 13, your look at what's happening in the worlds of computer security, privacy, and internet freedom. All source links mentioned are below.

BREACHES

This week it was revealed that digital forensics company Cellebrite had 900GB of data stolen from one of its servers. Apparently the data contains customer info, as well as phone evidence from various investigations, and details on how their technology works.

https://thehackernews.com/2017/01/mobile-hacking-cellebrite.html
http://www.cellebrite.com/Mobile-Forensics/News-Events/Press-Releases/cellebrite-statement-on-information-security-breach

8GB of Jabber IM private message logs have also been stolen from chat provider JabbIM. Remember, all centralized and unencrypted chat protocols and services are susceptible to these kinds of breaches.

https://motherboard.vice.com/read/hack-exposes-reams-of-private-jabber-chats
https://jabb.im/cms/jabbim-archive-breach

VULNERABILITIES

Adobe recently released an update for the Windows version of Acrobat Reader to fix various security issues, but unbeknownst to users, this also automatically installed a Chrome browser extension, which requires various system permissions, and also automatically sends data back to Adobe by default. Not cool.

https://www.bleepingcomputer.com/news/software/adobe-acrobat-reader-dc-update-installs-chrome-browser-extension/

And in another Chrome-related vulnerability, researcher Viljami Kuosmanen has found that the browser's autofill function can be used to automatically collect information like addresses and phone numbers from the user, even when they don't input them specifically on a website. A demo and all the code are on GitHub.

https://thehackernews.com/2017/01/browser-autofill-phishing.html
https://github.com/anttiviljami/browser-autofill-phishing

ENCRYPTION

The EFF recently posted a review on the state of HTTPS encryption in 2016, and it looks promising. According to research by Google, and others, about 50% of all page loads in Firefox and Chrome now use HTTPS encryption.

This week the EFF also launched a new campaign to help teach people about encryption. Check it out at eff.org/encrypt.

https://www.eff.org/deeplinks/2016/12/https-deployment-growing-leaps-and-bounds-2016-review
https://www.youtube.com/watch?v=PdnpNJZVUE0
https://eff.org/encrypt

Google has also announced Key Transparency, a new project which aims to create an open source and publicly auditable solution for verifying and exchanging public keys, one that is easy for both technical and non-technical people to use. More details are on GitHub.

https://security.googleblog.com/2017/01/security-through-transparency.html
https://github.com/google/key-transparency/

FINGERPRINTING

A team of researchers from various US universities has identified cross-browser fingerprinting techniques, which can track users when they're using different browsers on the same machine, and all with about 99% accuracy.

This relies on combining information about your hardware, screen resolution, fonts installed, languages installed, audio capabilities, and a bunch of graphics hardware capabilities related to WebGL. However, they did find that the Tor browser with JavaScript disabled was the only browser that protected against this.

https://www.bleepingcomputer.com/news/security/new-fingerprinting-techniques-identify-users-across-different-browsers-on-the-same-pc/
http://yinzhicao.org/TrackingFree/crossbrowsertracking_NDSS17.pdf

TOR

Speaking of Tor, if you use iOS, the Onion Browser, which is the platform's only Tor-compatible browser, has now gone from being a $0.99 app to free.

It's worth noting that it doesn't include all the features of the desktop version, since it needs to use Apple's WebKit API, but it could be better than nothing. Do your own research.

http://arstechnica.com/security/2017/01/tor-onion-browser-ios-vpn/

ZERONET

This week, P2P network ZeroNet turned 2 years old, and Tamas, the creator, wrote a year in review on their blog. It's really cool to see how far they've come since we interviewed them on the NODE site back in 2014. Tamas also hints at a huge development coming for the project this year. Stay tuned.

https://medium.com/@zeronet/2016-for-zeronet-getting-attention-5e59fc353658
https://www.youtube.com/watch?v=4dkBKyhK_F8
https://zeronet.io

FACIAL RECOGNITION

And finishing this week with the Bellus3D Face Camera, which was shown off at this year's CES. This thing can take high-res 3D face scans in 15 seconds.

The technology itself isn't new, but it's worth thinking about the implications for facial recognition when both 3D scanning and 3D printing are readily available.

https://www.youtube.com/watch?v=ePEFdHTqYr4

Alright, that's it for this week, thanks for watching.

--
BY NODE