Welcome to Dead Drop number 20, your look at what's happening in the worlds of computer security and digital freedom. As always, all source links mentioned are below.
Alright, it's that time of the year again. Over the past week, Defcon have begun uploading tonnes of new videos from their latest conference earlier in the year. There's hours and hours of footage, covering every hacking topic you can imagine.
Researchers from the University of Maryland have released unCaptcha, a tool which can defeat Google's reCaptcha authentication system with 85% accuracy. It does this by using the audio authentication feature, intended for visually impaired users, automatically converting the audio to text, and then typing it out. More info and the code are available in the links in the description.
David Wong has created an experimental 4chan-like system as a decentralized app, living on the Ethereum blockchain. Users have to pay a tiny amount of Ethereum to post, and there is zero moderation or censorship, so be aware. This is very early days for what I think is the next stage of the internet, and I think more of these projects will be appearing in the future.
Hardware designer Lukas Hartmann has created a pitch for the Reform, an open hardware laptop. Similar to the Novena project by Bunnie Huang, this is aiming to be both as open as possible, and buildable by anyone.
It's in the very early stages, but I think we should support open hardware projects when they pop up. Lukas is looking for feedback on his plans, so check the website out for more info.
Infosec Bytes uploaded a bunch of video guides for using the Tails Operating System. This is aimed at journalists, but is also useful for those of you who may have heard about it, but haven't tested it out.
Felix Krause recently made a PSA reminding us that iPhone camera permissions are potentially suspect. He showed that if you give an app permission to use your phone's cameras, it goes much deeper. This permission also allows the apps to use both your cameras, take pictures and videos, and upload them without you knowing, as well as running real-time face recognition, again without giving you any indication.
Researcher Barak Tawily has found a flaw in how Facebook displays embedded links, allowing malicious actors to create URLs that look legitimate. All the attacker needs to do is add a fake URL metatag to their malicious website, and the OpenGraph protocol that Facebook uses displays that link to users, without verifying it first, so the only way a user can know if it's real is to click it.
And speaking of domains, Dell briefly lost control of a domain they owned for a month earlier in the year, as they forgot to renew it. What's worse is that the domain "DellBackupandRecoveryCloudStorage.com", as you might guess, was used for their backup systems by customers. There are even signs that the new domain holders were pushing malware to users, before Dell regained control.
INTERNET OF FAILS
And it wouldn't be a Dead Drop episode without some kind of IoT nonsense. This week, Amazon announced the Amazon Key, a new system which allows strangers to enter your house while you're out. All for convenience, of course. Users install an internet-connected lock and camera in their houses, to allow remote access. I mean what planet are they living on, and how long until those locks are hacked?
And speaking of IoT hacks, Check Point security have also found vulnerabilities in various LG smart appliances, allowing attackers to take control of your fridge, dishwasher, microwave, dryers, and robotic vacuum cleaners. Details are on their website.
Alright, that's it for this week. Thanks for exploring the chaos with me. See you in the next video.