DEAD DROP 22 / IMGUR BREACH, USB SPYING, $15 PENTEST TOOL, AI SATELLITE ANALYSIS
--

Welcome to Dead Drop number 22, your look at what's happening in the worlds of computer security and digital freedom. As always, all source links mentioned are below.

- YouTube link
- Archive.org mirror
- Torrent

BREACHES

This week image-sharing site Imgur announced that a breach occurred in 2014, where 1.7 million user email addresses and passwords were stolen. These passwords were hashed using the SHA-256 algorithm, which is fast to brute-force, so all of them may have been cracked already.

https://blog.imgur.com/2017/11/24/notice-of-data-breach/

It was revealed that Uber also suffered a breach in October last year, where an estimated 57 million customers and drivers were exposed, including names, email addresses, and phone numbers. What's worse is the company knew about this, and allegedly paid the hackers to keep quiet.

https://www.bloomberg.com/news/articles/2017-11-21/uber-concealed-cyberattack-that-exposed-57-million-people-s-data
https://www.youtube.com/watch?v=RbHaoi-gpzY

Over in Australia, the Department of Social Services has just informed 8,500 employees that data from 2004 to 2015 was compromised. This includes credit card data, names, actual email content, passwords, and more.

https://www.theguardian.com/technology/2017/nov/24/data-breach-hits-department-of-social-services-credit-card-system

PATCHES

Researchers have found a remotely exploitable vulnerability in HP's Enterprise Printers, potentially meaning attackers can run arbitrary code. HP has pushed out a firmware update for the long list of affected printers. Patch now if you're in charge of one of them.

https://thehackernews.com/2017/11/hp-printer-hacking.html
https://support.hp.com/nz-en/document/c05839270
https://www.youtube.com/watch?v=QYQzdnXXNCQ

Earlier in the year Trend Micro researchers found a serious flaw in a system tool for macOS, which allowed attackers to run code using malicious USB devices. Apple released a patch a few weeks ago.

It seems more and more the case that all ports and interfaces are vulnerable one way or another.

http://www.securityweek.com/apple-patches-usb-code-execution-flaw-macos

ARTIFICIAL INTELLIGENCE

As a sign of where things are heading, since July, the US Intelligence Advanced Research Projects Activity organization has been running a competition looking for a private sector AI that can analyze satellite images, and automatically detect various map features, like fires, smoke, missile sites, and more. How many steps until this AI links to drones, for autonomous target identification?

https://spectrum.ieee.org/aerospace/satellites/wanted-ai-that-can-spy
https://www.youtube.com/watch?v=wnvzSoZZ8q8

PENTESTING

A user called Tomas C wrote a Medium post on creating an OpenWRT network pen-testing tool, similar to the Hak5 Packet Squirrel, but for only $15. The idea is to insert it into a network, to gain remote sustained access, and to perform various tasks. All instructions and links needed are in the post.

https://medium.com/@tomac/a-15-openwrt-based-diy-pen-test-dropbox-26a98a5fa5e5

SPYING

An investigation by Quartz has found that all Android smartphones automatically track location data of users, sending the information to Google, even when location services are turned off, or there is no SIM card inserted.

https://qz.com/1131515/google-collects-android-users-locations-even-when-location-services-are-disabled/
https://www.youtube.com/watch?v=qeLG2YIqddI

In another story, researchers at Princeton found that almost 500 of the internet's biggest websites use session replay scripts which track every single mouse movement and keystroke of users. We know this has been going on for quite a while now, but it's good to be reminded just how much we are tracked.

https://thehackernews.com/2017/11/website-keylogging.html
https://www.youtube.com/watch?v=l0Yc8s0DTZA

I mentioned a few weeks ago how the Danish government was telling parents to stop using kids' smartwatches because of privacy fears. Well, apparently the German government also agrees, and recently banned them, asking parents to destroy any remaining devices.

https://www.hackread.com/germany-bans-kids-smartwatches-asks-parents-to-destroy-them/
https://www.youtube.com/watch?v=Xoer_28U41k

A researcher named Mich wrote a fascinating teardown of a crazily cheap USB spying device, which has a hidden SIM card slot and microphone, meaning you can call the number and listen to what's in the vicinity of the device, amongst other features.

https://ha.cking.ch/s8_data_line_locator/

BLOCKCHAIN

And finally, Bitcoin Magazine wrote an eye-opening article about 3 startups that are creating decentralized, blockchain-based video streaming services. Hopefully these will take off, and I plan to cover some of these in upcoming videos.

https://bitcoinmagazine.com/articles/video-streamers-have-more-options-these-new-blockchain-startups/

Alright, that's it for this week's Dead Drop. Hope you liked it. Thanks for watching, and I'll see you in the next video.

--
BY NODE