Welcome to Dead Drop number 3, a weekly look at what's happening in the worlds of computer security and digital freedom. All source links mentioned are below.
Starting off with the mother of all breaches. This week Yahoo announced that at least 500 million of its accounts had been hacked sometime in 2014, with names, email addresses, telephone numbers, dates of birth, and encrypted passwords being stolen.
https://www.youtube.com/watch?v=_0b6qaPY-CQ (yahoo logo)
That means this year is on track to seeing more than 1 billion records stolen in various breaches, and that's only what's been made public.
Researchers from Keen Security Lab discovered, and exploited multiple vulnerabilities in Telsa's car software, demonstrating the ability to unlock doors, turn on lights and windscreen wipers, open the trunk, and worryingly, engage the brakes while the car is moving.
In other news, high school student Jacob Ajit wrote a post explaining how he gained access to T-Mobile's LTE data network for free, by making a workaround to the network's implicit trust in speedtest servers.
Kaspersky Lab also showed off an ATM attack, allowing full control over the machine, and the ability to withdraw cash using fake credit cards. They do this by removing the ethernet cable that connects the ATM to the banks processing center, and plugging it into a Raspberry Pi that has custom software which mimics this process.
Last week it was revealed that the North Korean web has a total of 28 websites registered on it, and we only found this out after the countries .kp nameserver was misconfigured. I wouldn't want to be that person. Most of the sites look pretty boring, and as you might expect, there's a lot of propaganda being pumped at the citizens.
Researcher Sergei Skorobogatov has successfully demonstrated a flash memory cloning technique which allows someone to bypass the Iphone5c's passcode attempt limit, disproving FBI director James Comey, when earlier in the year, the agency wanted Apple to backdoor it's operating system.
In other Iphone news, a digital forensics firm Elcomsoft says Apple has weakened the backup security protection in iOS 10, making it simpler for attackers to crack the password protection for backups that are stored on PCs.
This week Mozilla patched a certificate validation zero-day in Firefox and the Tor browser, which allowed attackers to impersonate update servers for browser extensions, and potentially deliver malicious code. If you're using either of those browsers, you should update now.
INTERNET OF FAILS
In another example of the dangers of rushing into an Internet of Things world, a guy on reddit found that Apple's HomeKit automation system has a glaring security hole. He realised that the system which controls his smart locks reacts to Siri commands, and all it takes is an attacker (or neighbour in his case), to shout commands within earshot of an idle iPad or iPhone inside the house, and the doors unlock.
In other IoT news, Symantec wrote about how Internet of Things devices are increasingly getting infected with malware, and being used in DDoS botnets. One of the alarming, and unsurprising things is the amount of people using very weak or default passwords.