DEAD DROP 19 / PIZZA HUT BREACH, WPA2 VECTOR, SDR 101, INTEL M.E. TURNED OFF
--

Welcome to Dead Drop number 19, your look at what's happening in the worlds of computer security and digital freedom. All source links mentioned are below.

- Youtube link
- Archive.org mirror
- Torrent
- Keybase mirror

BREACHES

Latin American social site Taringa.net was breached in August this year. 27 million user accounts were leaked, and their passwords were cracked because the site's admins had stored them with the weak MD5 hash.

https://www.darknet.org.uk/2017/10/taringa-hack-27-million-user-records-leaked/
https://www.taringa.net/posts/taringa/19972402/Un-mensaje-importante-sobre-la-seguridad-de-tu-cuenta.html

Pizza Hut also suffered a hack earlier this month, between Oct 1 and Oct 2. According to them, 1% of users, or 60,000, had their accounts compromised, including identity and payment information. Some customers are complaining that their bank accounts have been drained as a result.

http://www.foxbusiness.com/features/2017/10/17/pizza-hut-got-hacked-but-waited-two-weeks-to-tell-its-customers.html
https://www.youtube.com/watch?v=4Qyl2FuI4aM

VULNERABILITIES

You've probably heard of this already, but a massive flaw has been found in Wi-Fi's WPA2 protocol. Dubbed KRACK, this attack takes advantage of some of the authentication procedures of the Wi-Fi protocol, allowing adversaries to spy on traffic and inject data too. It's worth mentioning that attackers need to be within Wi-Fi range of devices to perform this, and that sites using HTTPS encryption are still protected. You need to patch all your devices as soon as possible.

If you want to learn more, the EFF wrote a useful, detailed guide about this, so check that out if you're curious. Link is in the description.

https://www.youtube.com/watch?v=Oh4WURZoR98
https://www.eff.org/deeplinks/2017/10/krack-vulnerability-what-you-need-know

Also, on the back of its recent massive breach, Equifax seems to be having more problems. Security analyst Randy Abrams was browsing the website and randomly came across a bogus download link for Flash, which actually redirects to malware. What a complete mess.

https://arstechnica.com/information-technology/2017/10/equifax-website-hacked-again-this-time-to-redirect-to-fake-flash-update/
https://www.youtube.com/watch?v=XzyDR7f7Wm0

And speaking of Flash Player, Adobe had to release yet another emergency security update for the software, as a new zero-day exploit was recently found. Please uninstall Flash if you still have it.

https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/adobe-patches-zero-day-vulnerability-used-in-cyberespionage

HACKING

The Console Cowboys blog launched a mini course this week titled "Hacking everything with RF and Software Defined Radio". It looks pretty in depth, and includes a bunch of videos to show you how to get up and running.

https://console-cowboys.blogspot.com/2017/10/hacking-everything-with-rf-and-software.html
https://www.youtube.com/watch?v=e7NnVeaRfc8

INTEL M.E.

This week laptop manufacturer Purism announced that their Librem laptops are now available with Intel's Management Engine completely and, according to them, verifiably disabled. That's pretty cool, and I hope it's the start of something for other manufacturers.

https://puri.sm/posts/deep-dive-into-intel-me-disablement/
https://puri.sm/posts/purism-librem-laptops-completely-disable-intel-management-engine/
https://www.youtube.com/watch?v=bl29wKp5whA

BUG BOUNTIES

Google opened up a new bug bounty program for the Google Play store this week. They're offering $1000 for each vulnerability that enables remote code execution on various apps running Android 4.4 and higher.

https://www.google.com/about/appsecurity/play-rewards/
https://hackerone.com/googleplay

INTERNET OF FAILS

Another week, another massive botnet. This week, two new ones in fact. The first, called Reaper, aims mainly at security and IP cameras, and has grown to almost 2 million devices strong.

https://www.bleepingcomputer.com/news/security/a-gigantic-iot-botnet-has-grown-in-the-shadows-in-the-past-month/

IOTroop is the other botnet, and researchers say this is growing at such a rate that it may dwarf the Mirai botnet, which caused a lot of chaos earlier in the year. Again, this one takes advantage of vulnerable IP cameras, as well as poorly protected routers.

https://threatpost.com/iotroop-botnet-could-dwarf-mirai-in-size-and-devastation-says-researcher/128560/

And finally, various government organizations in Europe have been voicing concerns about children's smart watches and how easy it is to hack them, allowing location tracking via GPS as well as recording via the internal microphones and cameras. Security researcher Roy Solberg has released a detailed description of exactly how this is done.

Alright, that's it for this week. Thanks for watching, and I'll see you in the next video.

https://www.youtube.com/watch?v=Xoer_28U41k
https://blog.roysolberg.com/2017/10/tracking-kids
https://www.bleepingcomputer.com/news/government/eu-kids-gps-watches-have-so-many-security-flaws-they-should-not-be-in-stores/

SUPPORT NODE

https://patreon.com/N_O_D_E_
https://N-O-D-E.net/shop

--
BY NODE