DEAD DROP 27 / CRITICAL PGP BUG, TWITTER BREACH, FREEDOM SMARTPHONE, CHIP DECAPPING
--

Welcome to Dead Drop number 27, your look at what's happening in the worlds of computer security and digital freedom. All source links are below.

- Youtube link
- Archive.org mirror
- Torrent

BREACHES

On the back of the internal breach at GitHub I mentioned in the last episode, it seems like Twitter has also experienced something similar, with what seems like the entire 300-odd million user base's passwords being stored in a plaintext log. If you haven't already, Twitter suggests changing your password immediately.

https://blog.twitter.com/official/en_us/topics/company/2018/keeping-your-account-secure.html
https://motherboard.vice.com/en_us/article/kzxmjm/you-should-change-your-twitter-password
https://www.youtube.com/watch?v=Fh20pdCrCAU

USB HACKING

The Hak5 team made another cool video recently, this time talking to MG.LOL about how easy it is to covertly insert malicious hardware directly into USB cables.

https://www.youtube.com/watch?v=Kfzk402uTLQ

VULNERABILITIES

Researchers have found a critical flaw in a range of PGP email tools, which they claim allows encrypted messages to be read as plaintext. At the time of making this video, the full details haven't been released, but it looks like it affects Enigmail for Thunderbird, GPGTools for Apple Mail, as well as GPG4Win on Outlook.

The EFF is suggesting you disable or delete these utilities immediately, and has guides on its site telling you exactly how to do it. It appears to be a problem with how those tools integrate with email clients, and not with the PGP algorithm itself.

https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now

The researchers are also suggesting you use something like Signal instead for private communications, but Signal too has been hit with some vulnerabilities this week. Alfredo Ortega posted a proof-of-concept video which shows how a JavaScript payload can be sent as a message to any user of the Signal Desktop apps to execute code on their system, all without the recipient interacting at all.

https://thehackernews.com/2018/05/signal-messenger-vulnerability.html
https://www.youtube.com/watch?v=bfFcD9kZog4

And on top of that, some other researchers found that Signal's self-destructing messages were being logged in the macOS notification bar, even after being deleted from the app. Signal pushed out an update the other day to mitigate this.

https://motherboard.vice.com/en_us/article/kzke7z/signal-disappearing-messages-are-stored-indefinitely-on-mac-hard-drives

PRIVACY

Some engineers in Germany have created a prototype for what they call the 'Unhackable Envelope'. The device consists of a mini computer with volatile memory, encased in an electrode shield and an outer metal shield. What's interesting is that the keys used on the device are derived from the unique electric field generated by the device's shielding, so if you try to break into it, the field changes, meaning the keys no longer work and the volatile memory is wiped.

https://spectrum.ieee.org/tech-talk/computing/hardware/the-unhackable-envelope

DIGITAL FREEDOM

Purism posted some updates on their Librem 5 smartphone project the other day. This privacy-focused Linux-based phone now has a custom-designed GNOME UI, which looks pretty slick. The company is still aiming at a January 2019 release.

https://puri.sm/posts/librem5-progress-report-11/
https://www.youtube.com/watch?v=QUiYmtGL1EE

DIY

In the last Cyber Dump video I showed you someone who was making their own chips in their garage; well, now the people at Duo have released a video showing how researchers decap existing chips in order to read their contents.

https://duo.com/decipher/dont-try-this-at-home-chip-decapsulation

DECENTRALIZATION

Just over a week ago, I released episode 1 of the new Decentralize series, which will be looking at what I think will be the next step in the evolution of the internet. Check it out and share the primer if you want.

https://www.youtube.com/watch?v=SrA7XTDCtok

And speaking of creating this new decentralized web, Blockstack just announced a $1 million fund for teams to start building decentralized social networking apps. The funds will be split up, so 10 teams each receive $100,000 to develop their apps. You can apply now at requestforsocialnetworks.com

https://www.requestforsocialnetworks.com/

Alright, that's it for this week. Thanks to those who sent in links, and thank you for watching. See you in the next video.

--
BY NODE