DEAD DROP 21 / KEYLOG KEYBOARD, ONEPLUS DODGY APPS, MESH NETWORKS, FACE ID TRICKS
--

Welcome to Dead Drop number 21, your look at what's happening in the worlds of computer security and digital freedom. As always, all source links mentioned are below.

- Youtube link
- Archive.org mirror
- Torrent

BREACHES

I'm guessing not many of you shop here, but fashion chain Forever 21 announced that payment data may have been stolen from various stores from May to October this year. They're still investigating, so if you might be affected, keep an eye on your bank account, and contact them.

https://www.darkreading.com/attacks-breaches/forever-21-informs-shoppers-of-data-breach/d/d-id/1330438
http://www.forever21.com/protecting_our_customers/
https://www.youtube.com/watch?v=KbYluMP9aEI

VULNERABILITIES

This is a couple of weeks old, but the Tor Project announced an emergency update for the Tor browser on macOS and Linux, after a critical bug was found that reveals users real IP address.

https://blog.torproject.org/tor-browser-709-released
https://thehackernews.com/2017/11/tor-browser-real-ip.html

Users have also found out that the Mantistek GK2 mechanical keyboard sends user keystroke data, back to a Chinese IP address, believed to be owned by shopping giant Alibaba.

https://thehackernews.com/2017/11/mantistek-keyboard-keylogger.html

Researchers say they have found about 40 USB related security bugs in the Linux Kernel, allowing attackers to do all sorts of things from denial of service attacks, to potentially executing code. It seems like they all require physical access, so as always, be careful about what's plugged into your system.

https://www.theregister.co.uk/2017/11/07/linux_usb_security_bugs/

SMARTPHONES

A researcher who goes by the alias of Elliot Alderson has uncovered a bunch of factory installed apps on OnePlus branded smartphones, which could easily be used by attackers, to basically track and take control over everything on the devices. It's unclear whether this is malicious, or intended for debugging and remote customer service, but regardless, how they've implemented it is pretty reckless.

https://www.bleepingcomputer.com/news/security/second-oneplus-factory-app-discovered-this-one-dumps-photos-wifi-and-gps-logs/
https://www.bleepingcomputer.com/news/security/oneplus-phones-come-preinstalled-with-a-factory-app-that-can-root-devices/
https://www.youtube.com/watch?v=TzmtU5RxKWw

And speaking of annoying android apps, some users recently spotted that a fake WhatsApp Messenger app, is very popular on the Google Play Store, having been downloaded over 1 million times. It did this by using special unicode characters in it's title, to make it appear legit. Google has since removed it from the store.

https://thehackernews.com/2017/11/fake-whatsapp-android.html

NETWORKS

Techcrunch wrote a fascinating article about Mesh Networks, specifically how GoTenna's Mesh relay devices have been proliferating in the US, currently at around 100,000 nodes. They also detailed how the company is helping Puerto Rico regain some connectivity after the recent hurricanes there.

https://techcrunch.com/2017/11/14/a-mesh-network-spontaneously-erupts-in-the-us-and-helps-connect-puerto-rico/
https://www.youtube.com/watch?v=Ite5XEN9u-k

Motherboard also uploaded a new mini documentary following a group of citizens in Detroit who are building their own wifi infrastructure to bring the internet to places that ISPs don't or won't service. You've gotta respect people making it happen for themselves.

https://www.youtube.com/watch?v=1B0u6nvcTsI

IMAGE RECOGNITION

Trent Lapinski wrote an interesting post recently about how his younger brother can trick the iPhone X's Face ID system to gain access to his phone. What's curious is that as humans we can easily tell these two people aren't the same, not even twins, yet it's close enough to trick the system.

https://hackernoon.com/my-younger-brother-can-access-my-iphone-x-face-id-is-not-secure-376c904f88bc
https://www.youtube.com/watch?v=K4wEI5zhHB0

And speaking of tricking image recognition systems, a group of MIT researchers have come up with a way to reliably trick neural networks into thinking 3D printed objects are something else. In their example they tricked Google's Image Recognition system into thinking this 3D printed turtle is actually a rifle. The textures, noise, and swirling patterns really seem to mess them up.

http://www.labsix.org/physical-objects-that-fool-neural-nets/
http://www.labsix.org/media/2017/10/31/video.mp4

SPAM

And finally, I thought this was funny. Netsafe New Zealand have set up a chatbot system which anyone can forward spam mail to. The AI takes the context of the spam mail, and purposefully wastes as much of the spammers time as possible by keeping them in conversation.

https://www.youtube.com/watch?v=jPajqAJWiNA

Anyways, hope you enjoyed this one. Thanks for watching, and I'll see you in the next video. Look out for new projects soon.

--
BY NODE