Welcome to Dead Drop number 5, a look at what's happening in the worlds of computer security and digital freedom. All source links mentioned are below.
A data management company called Modern Business Solutions was allegedly hacked recently, with upwards of 58million user records being dumped on various file sharing sites. The breach was a result of a poorly secured Mongo database, and it revealed users full names, IP addresses, dates of birth, email addresses, occupation details and more.
An IT analyst in Jakarta, Indonesia faces up to 12 years in jail for hacking a giant billboard next to a highway, and broadcasting Japanese porn to thousands of motorists stuck in traffic.
Blockchain.info, one of the biggest blockchain explorers and Bitcoin web wallets had its domain name hijacked this week, leaving 8 million wallet users unable to access their accounts. Thankfully this only caused disruption for a day or so, and luckily the DNS wasn't successfully pointed at a phishing site, which I'm guessing is what might have been the plan.
Apple recently added a preview feature to the latest iMessage update, which automatically loads links, allowing attackers to send phishing links in SMS messages, revealing data about the user that can be used in further attacks.
Researchers at McAfee have found a banking trojan on Android which hides on your phone, and pops up a phishing overlay for instance when you want to buy something on the Google Play store, but more than just stealing your credit card details, it also asks you to take a selfie to verify your identity, making it possible for attackers to find people on social networks, and steal their identities etc.
In another recently discovered vulnerability, researchers found a zero-day in the OpenJPEG library, affecting JPEG 2000 image files. An attacker need only send a specially crafted JPEG 2000 file as an email attachment, a link, or embedded in a PDF, and it automatically runs the code within.
A report by the ACLU showed that facebook, instagram, and twitter provided data to a surveillance company, which has been used by police to identify and arrest people at protests. The product is called Geofeedia, and it allows its customers to monitor social media posts made inside certain geographic areas, all in real time.
INTERNET OF FAILS
CDN Akamai released new research on how 2 million IoT devices, such as CCTV cameras, routers and network attached storage have old OpenSSH vulnerabilities, allowing attackers to spy on networks or launch DDoS attacks. Like the other IoT stuff I've talked about, this is due to default passwords, vendors using out of date firmware, and having SSH enabled by default.
And finally this week, Signal the encrypted messaging app, released a new update which enables timed disappearing messages. Times can range from 5 seconds up to a week. I'm not sure how secure the deletion process is, but the source code is available on Github.