DEAD DROP 16 / ANTBLEED, USB CANARY, LINUX PRIVACY GUIDE, BRICKERBOT
--

Welcome to Dead Drop number 16, your look at what's happening in the worlds of computer security, and digital freedom. All source links are below.

- Youtube link
- Archive.org mirror
- Torrent
- Keybase mirror

BREACHES

Chiptole recently put out a statement that unauthorized activity was detected on the payment system used in their restaurants. It's supposed to have taken place between March 24th and April 18 this year, and customers are advised to keep a close eye on the credit card statements for irregular activity.

http://www.darkreading.com/endpoint/chipotle-serves-up-security-incident-warning/d/d-id/1328739
https://chipotle.com/security
https://www.youtube.com/watch?v=1-1ZtCbNzbA

BITCOIN

This week the AntBleed site was launched to illuminate a potentially serious flaw in the Bitmain Antminer bitcoin miners. It was revealed that the widely used miners were automatically transmitting IPs, MAC addresses, and serial numbers back to Bitmain's HQ. The API used for this was also unauthenticated, meaning MITM and other attacks could potentially remotely shut down the miners.

This issue was raised months ago with Bitmain's tech support, but was only patched after this site went viral.

http://www.antbleed.com/
https://www.youtube.com/watch?v=lqiVAZO4yTE
https://blog.bitmain.com/en/antminer-firmware-update-april-2017/

DATA

Here's an interesting sign of the times. Court documents show that data from a murdered womans fitbit tracker contradicts the version of events laid out by her husband, who claimed she was murdered by a masked home invader. The movement and heartrate sensors on the fitbit showed that she was actually alive for at least an hour after when he said the intruder had murdered her.

https://nakedsecurity.sophos.com/2017/04/27/murder-victims-fitbit-contradicts-husbands-version-of-events/
https://www.youtube.com/watch?v=x--70eBeN4M

MAL-WARS

On the back of Hajime and Mirai malware showdown, and as a few of you mentioned last week, there is another Internet of Things malware on the loose, this time one which isn't quite as friendly. This one's called Brickerbot, and as you might guess, it bricks various internet connected devices that it infects. The author thinks of it as "Internet Chemotherapy" and a way to restore the health of the Internet.

https://techcrunch.com/2017/04/25/brickerbot-is-a-vigilante-worm-that-destroys-insecure-iot-devices
https://www.bleepingcomputer.com/news/security/brickerbot-author-claims-he-bricked-two-million-devices/

SURVEILLANCE

This week the NSA announced that they will stop email collection of Americans who mention intelligence targets in their communications. I would say take this announcement with a hefty bucketful of salt, since there is no way for us to know what's really going on.

https://politics.slashdot.org/story/17/04/28/1851228/nsa-halts-collection-of-americans-emails-about-foreign-targets
http://www.theverge.com/2017/4/28/15474828/nsa-surveillance-snowden-collection-email-702
https://www.youtube.com/watch?v=_aCAC-rcP9A

HACKING

Security researchers have shown an attack which takes advantage of keyless car entry systems. This is done by getting within activation distance of the keyfob, and boosting the signal to an assailant standing next to the car. They are hoping to develop this method so that the data could be transmitted over the internet too.

https://conference.hitb.org/hitbsecconf2017ams/sessions/chasing-cars-keyless-entry-system-attacks/
http://hackaday.com/blog/page/3/
https://twitter.com/bravo_fighter/status/850991164899577858/video/1

SECURITY

A user on Github has released USB Canary, a linux tool which monitors your devices while you are absent, and alerts you via SMS or Slack notification whenever someone plugs or unplugs a device from one of your USB ports.

https://github.com/probablynotablog/usb-canary

PRIVACY

Police in the UK are planning on using facial recognition software to scan thousands of fans at the upcoming Champions League Final in Cardiff, Wales. It's thought this will capture up to 170,000 faces from both fans, and random citizens who are in the area at the time, and needless to say people aren't happy.

https://motherboard.vice.com/en_us/article/british-cops-will-scan-every-fans-face-at-the-champions-league-final
https://twitter.com/fckv2010/status/696469238962384896/photo/1
https://nakedsecurity.sophos.com/2017/04/28/sports-fans-protest-at-plans-to-scan-their-faces-as-they-head-for-the-match/
http://i4.dailyrecord.co.uk/incoming/article7232381.ece/ALTERNATES/s810/JS80998735.jpg

KNOWLEDGE

And finally, this week the DuckDuckGo team wrote a good little guide on some of the ways to protect your privacy on Linux. It covers everything from setting passwords, to locking down remote connections, to checking for rootkits and more.

Alright, that's it for this week. Thanks for watching.

https://spreadprivacy.com/linux-privacy-tips-1dc956657357

--
BY NODE