DEAD DROP 18 / 3 BILLION BREACH, RPITX, KEYBASE ENCRYPTED REPOS, SMART METER VULN
--

Welcome to Dead Drop number 18, your look at what's happening in the worlds of computer security and digital freedom. As always, all source links mentioned are below.

- YouTube link
- Archive.org mirror
- Torrent
- Keybase mirror

BREACHES

A year ago, I covered the massive Yahoo breach of a billion user accounts. Well, this week the company, now owned by Verizon, has revised that number to 3 billion, or every single Yahoo account. I've got a feeling incidents like this will only be increasing in the future.

https://thehackernews.com/2017/10/yahoo-email-hacked.html
https://www.oath.com/press/yahoo-provides-notice-to-additional-users-affected-by-previously/
https://www.youtube.com/watch?v=_0b6qaPY-CQ

Disqus, the comment service, has also revealed that it was hit by a data breach. They believe a snapshot of all user information, including email addresses, usernames, and activity data from 2007 to 2012, was stolen. This affects 17.5 million users, so if you had an account during that time, change your password just in case.

https://blog.disqus.com/security-alert-user-info-breach
https://thehackernews.com/2017/10/disqus-comment-system-hacked.html
https://www.youtube.com/watch?v=sbru-y93Wa4

VULNERABILITIES

The people at Sophos' Naked Security have found that the new iPhone Control Centre has some confusing features. They explain that you can now customise the Control Centre screen, including toggles for Wi-Fi and Bluetooth. However, when the user taps the Wi-Fi or Bluetooth icon so that it is greyed out, the radio is not actually switched off. They found that although current connections are ended, the interfaces are still active. This isn't a vulnerability in itself, but could become one. Just be aware.

https://nakedsecurity.sophos.com/2017/10/09/iphones-new-off-switch-that-leaves-bluetooth-and-wi-fi-turned-on/
https://www.youtube.com/watch?v=K4wEI5zhHB0

Speaking of phones, researchers at Positive Technologies have also discovered a flaw in the way 4G and 5G networks converge voice data and web data, allowing attackers to snoop on and hijack unencrypted data, as well as perform denial of service attacks. This is due to the architecture using some IP-based protocols which can be attacked using automated, easily available web hacking tools.

https://www.darkreading.com/perimeter/new-4g-5g-network-flaw-worrisome-/d/d-id/1330062
https://www.ptsecurity.com/ww-en/premium/epc-research/

RADIO

The RTL-SDR Blog uploaded a YouTube video showing how RPiTX can be used to send radio signals to various appliances which use remote switches, and trick them into turning on or off.

https://www.youtube.com/watch?v=ewY-woG1dNw

WEB SECURITY

Here's a good video detailing the steps that an attacker would take to gain access to a bitcoin web wallet using only the person's name and phone number. We've known for a while that two-factor authentication using phones isn't secure, and this video is a great example of that.

https://player.vimeo.com/video/232678861

In other news, security researchers at Skyhigh Networks have spotted a new technique for attempting to gain access to web accounts. Dubbed 'KnockKnock', this technique specifically targets email addresses frequently used by companies for their management systems, i.e. ones that aren't checked frequently.

Another interesting aspect is its slow speed. This botnet will target an address over months, using multiple IP addresses, so as not to trigger intrusion detection systems.

https://www.skyhighnetworks.com/cloud-security-blog/skyhigh-discovers-ingenious-new-attack-scheme-on-office-365/
https://www.bleepingcomputer.com/news/security/devilishly-clever-knockknock-attack-tries-to-break-into-system-email-accounts/
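The low-and-slow pattern described above is exactly what per-IP lockout thresholds miss: each address only ever tries a handful of times. As an added example (not from the Skyhigh write-up), here is a small Python check over constructed failed sign-in records that flags accounts hit from many distinct addresses over a long window at a low daily rate; the log format, account names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of failed sign-in events (not real log data).
# Format per line: "<ISO timestamp> <account> <source IP>".
# The first account sees a trickle of failures from many addresses over
# three months; the second is an ordinary burst from a single address.
SAMPLE_LOG = """\
2017-07-03T02:14:09 sysadmin@example.com 198.51.100.7
2017-07-19T23:41:55 sysadmin@example.com 203.0.113.40
2017-08-08T04:02:13 sysadmin@example.com 192.0.2.88
2017-08-30T11:27:44 sysadmin@example.com 198.51.100.120
2017-09-21T06:55:01 sysadmin@example.com 203.0.113.201
2017-10-05T19:10:37 sysadmin@example.com 192.0.2.15
2017-10-05T08:00:01 alice@example.com 192.0.2.50
2017-10-05T08:00:40 alice@example.com 192.0.2.50
2017-10-05T08:01:12 alice@example.com 192.0.2.50
"""


def parse_failures(text):
    """Group failed sign-ins by account as (timestamp, source_ip) tuples."""
    events = defaultdict(list)
    for line in text.splitlines():
        ts, account, ip = line.split()
        events[account].append((datetime.fromisoformat(ts), ip))
    return events


def find_low_and_slow(text, min_ips=4, min_span_days=30, max_per_day=1.0):
    """Flag accounts whose failures come from many distinct IPs over a long
    window at a rate too low to trip a per-IP or per-hour lockout rule."""
    flagged = {}
    for account, evs in parse_failures(text).items():
        ips = {ip for _, ip in evs}
        times = sorted(t for t, _ in evs)
        span_days = (times[-1] - times[0]).total_seconds() / 86400
        if span_days < min_span_days or len(ips) < min_ips:
            continue
        per_day = len(evs) / span_days
        if per_day <= max_per_day:
            flagged[account] = {"failures": len(evs), "distinct_ips": len(ips),
                                "span_days": round(span_days, 1)}
    return flagged


if __name__ == "__main__":
    for account, stats in find_low_and_slow(SAMPLE_LOG).items():
        print(f"low-and-slow pattern on {account}: {stats}")
```

In practice the aggregation window has to be months long, which usually means querying a SIEM or long-term log store rather than a live IDS rule.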

INTERNET OF FAILS

Researcher Maxim Rupp has discovered a flaw in the Siemens 7KT PAC1200 smart meter which gives attackers full admin access to the devices. This reminds me of Mr Robot. Imagine the damage someone could cause by spoofing readout data for power and temperature meters, especially in industrial settings.

https://www.securityweek.com/critical-flaw-found-siemens-smart-meters
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-971654.pdf

ENCRYPTION

And finally, last week Keybase introduced a new encrypted Git feature to their platform, which allows individual users and teams to create truly private Git repos.

It uses end-to-end encryption, so only the team members can read and update the repos they're a part of. Cool.

Anyways, that's it for this week. As always, thanks for watching, and I'll see you in the next video.

https://keybase.io/blog/encrypted-git-for-everyone

--
BY NODE