Welcome to Dead Drop number 26, your look at what's happening in the worlds of computer security, and digital freedom. All source links are below.
Earlier in the week, Github sent out emails letting users know that a number of passwords were accidentally stored in plaintext logs, due to a bug, and that they should reset their passwords asap. The company says only a handful of people were affected, and no wider problems have been found.
Researchers have discovered a bootrom vulnerability in the Nvidia Tegra X1 chip, used in the Nintendo Switch, and other android devices. It gives attackers control over early execution, bypassing all signature checks. This means you can install Linux, custom firmware, and run unofficial games. A write up and code links are available on the researchers website.
The default configuration of Western Digital's My Cloud EX2 storage device allow attackers to bypass authentication to access files over local networks. HTTP requests can be sent to a specific directory over port 9000 to access a list of all files, which can then be used to directly access individual files.
Schneider Electric recently patched a remote code vulnerability in their industrial control system software, which is used by oil, gas and manufacturing businesses. Researchers found that carefully crafted packets could allow an attacker to potentially write executable code, which is obviously dangerous when industrial systems are increasingly being connected to networks.
Researchers over at Sophos recently found a URL redirect vulnerability in Google Maps, which scammers have been exploiting. Simply edit the end of a legit Google Maps URL, and due to an open redirection vulnerability, you can redirect a user to any other address. Unlike Google's soon to be defunct URL shortener, anyone can create any redirect on the fly without an account, plus there's no easy way to report scam addresses.
The people at F-Secure have designed an RFID device which basically acts like a master key, granting access to all doors using the widely adopted Vision electronic lock system. The attackers first need a legitimate key, and from that the device derives a master code, granting access to all levels, and basically opening every door in a building. On this occasion the F-Secure team decided not to release in depth details for obvious reasons.
Researcher Marius Tivadar recently released details about his USB stick of doom, after Microsoft refused to issue a security notice last year. This attack uses a specially made image of a Windows NT file system placed on a USB stick, and takes advantage of the auto-play feature. As soon as the drive is plugged in, the host system crashes immediately, even when it's locked. If auto-play is off, just clicking the file will also crash the system.
And finally, Blockstack held their Berlin conference earlier this year, and have uploaded a bunch of videos of the talks to their Youtube channel. Lots of discussions about the various ways we could evolve the internet through decentralization.
SEND LINKS TO
If you see an interesting news story, send it to email@example.com