DEAD DROP 20 / NEW DEFCON VIDS, BOT AUTHENTICATOR, OPEN LAPTOP, METATAG VECTOR
--

Welcome to Dead Drop number 20, your look at what's happening in the worlds of computer security and digital freedom. As always, all source links mentioned are below.

- Youtube link
- Archive.org mirror
- Torrent
- Keybase mirror

HACKING

Alright, it's that time of the year again. Over the past week, Defcon have begun uploading tonnes of new videos from their latest conference earlier in the year. There's hours and hours of footage, covering every hacking topic you can imagine.

https://www.youtube.com/user/DEFCONConference/videos

AUTHENTICATION

Researchers from the University of Maryland have released unCaptcha, a tool which can defeat Google's reCaptcha authentication system with 85% accuracy. It does this by using the audio challenge feature, intended for visually impaired users, automatically converting the audio to text, and then typing it out. More info and the code are available in the links in the description.

https://www.youtube.com/watch?v=wXrTQzskJLE
https://github.com/ecthros/uncaptcha
http://uncaptcha.cs.umd.edu/
https://www.reddit.com/r/programming/comments/78og70/code_release_defeating_googles_recaptcha_with/

P2P

David Wong has created an experimental 4chan-like system as a decentralized app, living on the Ethereum blockchain. Users have to pay a tiny amount of Ethereum to post, and there is zero moderation or censorship, so be aware. This is very early days for what I think is the next stage of the internet, and I think more of these projects will be appearing in the future.

http://davidwong.fr/FiveMedium
https://www.youtube.com/watch?v=rZYiecJ_1b4
https://cryptologie.net/article/424/writing-a-dapp-for-the-ethereum-block-chain/

OPEN HARDWARE

Hardware designer Lukas Hartmann has created a pitch for the Reform, an open hardware laptop. Similar to the Novena project by Bunnie Huang, this is aiming to be both as open as possible, and buildable by anyone.

It's in the very early stages, but I think we should support open hardware projects when they pop up. Lukas is looking for feedback on his plans, so check the website out for more info.

http://mntmn.com/reform

PRIVACY

Infosec Bytes uploaded a bunch of video guides for using the Tails Operating System. This is aimed at journalists, but is also useful for those of you who may have heard about it, but haven't tested it out.

https://www.youtube.com/playlist?list=PLOZKbRUo9H_qXgyGp5UVYCoGQYo9YB5E8
https://www.youtube.com/watch?v=-f6cgUKBUXg

Felix Krause recently made a PSA reminding us that iPhone camera permissions are potentially suspect. He showed that if you give an app permission to use your phone's cameras, it goes much deeper. This permission also allows the app to use both your cameras, take pictures and videos, and upload them without you knowing, as well as running real-time face recognition, again without giving you any indication.

https://krausefx.com/blog/ios-privacy-watchuser-access-both-iphone-cameras-any-time-your-app-is-running
https://www.youtube.com/watch?v=GqWUaflPMh0

DOMAINS

Researcher Barak Tawily has found a flaw in how Facebook displays embedded links, allowing malicious actors to create URLs that look legitimate. All the attacker needs to do is add a fake URL meta tag to their malicious website, and the Open Graph protocol that Facebook uses displays that link to users without verifying it first, so the only way a user can know if it's real is to click it.

https://www.youtube.com/watch?v=qWMXBW9k130
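As an added example (not code from the video or from the researcher), here is how a link-preview generator can avoid this class of spoofing: it only trusts the Open Graph og:url tag when its host matches the host the page was actually fetched from, and otherwise falls back to the real URL. The HTML and hostnames below are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class OgUrlParser(HTMLParser):
    """Collect the content of every <meta property="og:url"> tag."""

    def __init__(self):
        super().__init__()
        self.og_urls = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("property", "").lower() == "og:url":
            self.og_urls.append(a.get("content", "").strip())


def check_preview(fetched_url, html):
    """Decide which URL a link preview may display for a fetched page.

    Returns a dict with the URL to show, the first og:url found (or None)
    and a 'spoofed' flag set when og:url points at a different host.
    Only http(s) og:url values on the same host as the fetched page are
    honoured; everything else falls back to the URL we really loaded.
    """
    real_host = (urlparse(fetched_url).hostname or "").lower()
    parser = OgUrlParser()
    parser.feed(html)
    og_url = parser.og_urls[0] if parser.og_urls else None
    if og_url is None:
        return {"display": fetched_url, "og_url": None, "spoofed": False}
    parsed = urlparse(og_url)
    same_host = parsed.scheme in ("http", "https") and \
        (parsed.hostname or "").lower() == real_host
    if same_host:
        return {"display": og_url, "og_url": og_url, "spoofed": False}
    return {"display": fetched_url, "og_url": og_url, "spoofed": True}


# Constructed sample pages: one claims to be a bank, one is honest.
SPOOFED_HTML = ('<html><head><meta property="og:url" '
                'content="https://bank.example/login"></head></html>')
HONEST_HTML = ('<html><head><meta property="og:url" '
               'content="https://blog.example/post"></head></html>')
```

A preview generator wired this way shows users the domain they will actually land on, which is the check the video says Facebook was missing.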

And speaking of domains, Dell briefly lost control of a domain they owned for a month earlier in the year, as they forgot to renew it. What's worse is that the domain "DellBackupandRecoveryCloudStorage.com", as you might guess, was used by customers for their backup systems. There are even signs that the new domain holders were pushing malware to users before Dell regained control.

https://krebsonsecurity.com/2017/10/dell-lost-control-of-key-customer-support-domain-for-a-month-in-2017/

INTERNET OF FAILS

And it wouldn't be a Dead Drop episode without some kind of IoT nonsense. This week, Amazon announced the Amazon Key, a new system which allows strangers to enter your house while you're out. All for convenience, of course. Users install an internet-connected lock and camera in their houses to allow remote access. I mean, what planet are they living on, and how long until those locks are hacked?

https://www.youtube.com/watch?v=wn7DBdaUNLA

And speaking of IoT hacks, Check Point Security have also found vulnerabilities in various LG smart appliances, allowing attackers to take control of your fridge, dishwasher, microwave, dryers, and robotic vacuum cleaners. Details are on their website.

https://blog.checkpoint.com/2017/10/26/homehack-how-hackers-could-have-taken-control-of-lgs-iot-home-appliances/
https://www.youtube.com/watch?v=BnAHfZWPaCs

Alright, that's it for this week. Thanks for exploring the chaos with me. See you in the next video.

--
BY NODE