DEAD DROP 24 / 1.4 BILLION RECORDS, HP KEYLOGGING, NON-GPS TRACKING, P2P WEBSITES
--

Welcome to Dead Drop number 24, your look at what's happening in the worlds of computer security and digital freedom. All source links mentioned are below.

- YouTube link
- Archive.org mirror
- Torrent

BREACHES

Researchers at 4iQ recently came across a previously unknown database of 1.4 billion cleartext credentials on a hacker forum. It includes many known hacked accounts, but also lots that weren't previously known. They also did some research on the most commonly used passwords in the database, and you won't be surprised to know that most people are still terrible at picking them.

https://medium.com/4iqdelvedeep/1-4-billion-clear-text-credentials-discovered-in-a-single-database-3131d0a1ae14

Bitcoin mining company NiceHash also suffered a breach this week, announcing that their site had been hacked and a large amount of bitcoin stolen. They haven't calculated the final total, but almost $80 million worth may have been taken. They're unsure whether user accounts were affected too, but are recommending users change their passwords immediately.

https://www.nicehash.com
https://www.darkreading.com/cloud/bitcoin-miner-nicehash-hacked-possibly-losing-$62-million-in-bitcoin/d/d-id/1330585

KEYLOGGERS

A security researcher has found a keylogger-type program hidden in the touchpad drivers of HP laptops. It is off by default, but can be activated with admin privileges to record every keystroke. This affects 460 HP laptops, and in response, the company released patches for them.

https://support.hp.com/us-en/document/c05827409
https://thehackernews.com/2017/12/hp-laptop-keylogger.html

TRACKING

Engineers at Princeton have come up with an automated way to track a user's location without using GPS. They created an app, called PinMe, which takes existing sensor data on a phone, and uses machine learning to accurately guess where the user has been.

In one example, it figured out that a person got on a flight to a particular place by recognising the accelerometer, compass and air pressure readings for flying, and combining that with publicly available information about weather, and flight take-off and landing times.

https://www.princeton.edu/news/2017/11/29/phones-vulnerable-location-tracking-even-when-gps-services

VULNERABILITIES

Last week Microsoft issued an emergency security update to patch a remote code execution vulnerability found in its Malware Protection Engine. A flaw in the system allows an attacker to execute malicious code, and potentially take full control of a victim's computer. This affects pretty much all modern versions of Windows.

https://thehackernews.com/2017/12/windows-update-malware-protection.html

SAFE CRACKING

TwoSixLabs have shown off a vulnerability in the Vaultek VT20i Bluetooth-enabled safe, which allows attackers to open it. They found that the safes allow unlimited pairing attempts, don't use encryption, and can be unlocked by anyone who sends a specially formatted Bluetooth message, without even knowing the PIN. Vaultek say they have updated the safes, and recommend customers check out their site for more info on how to apply the update.

https://www.youtube.com/watch?v=1xrdwhisW-M
https://www.twosixlabs.com/bluesteal-popping-gatt-safes/

PHISHING

An interesting side effect of people being taught to check for the green padlock on websites is that phishing websites are increasingly using HTTPS encryption themselves. A report by PhishLabs showed that around 25% of phishing sites now use HTTPS, and it is precisely because it lulls people into a false sense of security.

https://info.phishlabs.com/blog/quarter-phishing-attacks-hosted-https-domains
https://nakedsecurity.sophos.com/2017/12/08/phishing-embraces-https-hoping-youll-check-for-the-padlock/

VIDEOS

And to finish, here are a few interesting new videos that you may like. The first is a mini documentary following the WannaCry malware story, and its various twists.

https://www.youtube.com/watch?v=GGMbd5esy4A

Computerphile also released an informative video explaining the various ways that so-called anonymous data can be processed and cross-referenced to reveal identities.

https://www.youtube.com/watch?v=puQvpyf0W-M

And finally, here's a talk given by Paul Frazee on the P2P web that he's building using the Dat protocol and Beaker browser. Quite fascinating, and something I'll be looking more into.

https://www.youtube.com/watch?v=-ep0ZIe6i10

Alright, that's it for this week. Thanks for watching.

--
BY NODE