Welcome to Dead Drop number 19, your look at what's happening in the worlds of computer security and digital freedom. All source links mentioned are below.
Latin American social site Taringa.net was breached in August this year. 27 million user accounts and passwords were cracked because the site's admins had stored the passwords using the weak MD5 hash.
Pizza Hut also suffered a hack earlier this month, between Oct 1 and Oct 2. According to them, 1% of users, or 60,000 people, had their accounts compromised, including identity and payment information. Some customers are complaining that their bank accounts have been drained as a result.
You've probably heard of this already, but a massive flaw has been found in Wi-Fi's WPA2 protocol. Dubbed KRACK, this attack takes advantage of some of the authentication procedures of the Wi-Fi protocol, allowing adversaries to spy on traffic and inject data too. It's worth mentioning that attackers need to be within Wi-Fi range of devices to perform this, and that sites using HTTPS encryption are still protected. You need to patch all your devices as soon as possible.
If you want to learn more, the EFF wrote a useful, detailed guide about this, so check that out if you're curious. Link is in the description.
Also, on the back of its recent massive breach, Equifax seems to be having more problems. Security analyst Randy Abrams was browsing the website and randomly came across a bogus download link for Flash, which actually redirects to malware. What a complete mess.
And speaking of Flash Player, Adobe had to release yet another emergency security update for the software, as a new zero-day exploit was recently found. Please uninstall Flash if you still have it.
The Console Cowboys blog launched a mini course this week titled "Hacking everything with RF and Software Defined Radio". It looks pretty in depth, and includes a bunch of videos to show you how to get up and running.
This week laptop manufacturer Purism announced that their Librem laptops are now available with Intel's Management Engine completely disabled and, according to them, verifiably so. That's pretty cool, and I hope it's the start of something for other manufacturers.
Google opened up a new bug bounty program for the Google Play store this week. They're offering $1000 for each vulnerability that enables remote code execution on various apps running Android 4.4 and higher.
INTERNET OF FAILS
Another week, another massive botnet. This week, two new ones in fact. The first, called Reaper, aims mainly at security and IP cameras, and has grown to almost 2 million devices.
IOTroop is the other botnet, and researchers say this is growing at such a rate that it may dwarf the Mirai botnet which caused a lot of chaos earlier in the year. Again, this one takes advantage of vulnerable IP cameras, as well as poorly protected routers.
And finally, various government organizations in Europe have been voicing concerns about children's smart watches and how easy it is to hack them, allowing tracking via GPS as well as recording through the internal microphones and cameras. Security researcher Roy Solberg has released a detailed description of exactly how this is done.
Alright, that's it for this week. Thanks for watching, and I'll see you in the next video.