Unsupervised Learning No. 233

News & Analysis
June 15, 2020

MEMBER EDITION | EP. 233 | June 15, 2020

THIS WEEK’S TOPICS: SMBleed, Republicans vs. China, Hawkeye Surveillance, COVID in August 2019, IBM Facial PR, Palantir NHS, Blockchain Misinformation, Technology News, Human News, Ideas, Trends & Analysis, Discovery, Recommendations, and the Weekly Aphorism…


SECURITY NEWS

There's an extremely nasty SMB vulnerability that was just patched in Microsoft's Patch Tuesday, which basically works like psexec for attackers. Please get your port 445 off the internet if you can. And high-fives to all those pentesters in the mines. It's funny, we've been saying for a decade that pentesting would be near impossible before too long. But the vulns keep coming. More >

A group of Republicans (the Republican Study Committee) is taking action to highlight and restrict China's various influence operations within the US. More >

A private company with Hawkeye cameras strapped to Cessnas was hired by the Baltimore Police Department to fly over and monitor the city. The ACLU is suing. This also ties into another story where a guy used a simple SDR to log aircraft beacons and callsigns, and found an FBI surveillance plane near LA. Between the cameras everywhere and the planes flying overhead, we really are becoming a surveillance state. I truly believe it's possible to do this well, and for the right reasons—i.e., transparently, and with the full endorsement of the people—but I also believe that's the opposite of how we're doing it. More > More >

Analysis of hospital traffic using satellite imagery and Baidu search engine activity indicates that Wuhan was already facing a significant outbreak in late summer or early fall of 2019. More >

IBM said they're getting out of the facial recognition business for ethical reasons, but I and a lot of others see this like Blackberry getting out of the AI business. There were many such announcements and they all smelled strongly of PR in my opinion. Amazon paused selling Rekognition to police departments for a year. And there's a bill in Congress to limit the use of facial recognition. More >

Britain gave Palantir sensitive access to NHS data as part of their £1 deal. More >

It's possible to identify individuals by looking at their heartbeat data, and that has flared up the common security debate around biometrics. I talked about how the theft threat was overblown back in 2017. A number of steps in many biometric authentication workflows make the systems resistant to these steal-once / use-forever attacks. First, it's hashes that are usually stored, not high-res images of the source data. Second, devices that take the readings can be improved as attacks improve. Third, in the future, it'll likely be a massive combination of readings that will be used simultaneously to identify someone, not single factors. And finally, auth systems can evolve based on what we know has been stolen and copied. If everyone's biometrics were perfectly stolen and replicated, we would simply stop using them. There are definitely valid concerns with biometrics (as with any auth system), and we should be thoughtful as this inevitable switch is made, but it's not the Pandora's Box that people think it is. More >

The New York Times had their R&D team build a prototype blockchain system for combatting misinformation. The system allows people to see the history of something being shared. More >

Twitter is testing out a feature that will prompt you if you try to retweet something without reading it. More >

China is spending $1.4 trillion dollars over the next 5 years to develop 5G, AI, and datacenters. This includes plans to build 600,000 new 5G towers by the end of 2020. More >

A number of city blocks in Seattle are now "Autonomous", meaning that Seattle itself is not claiming authority there. Protesters there have designated the area as owned by the people. More >

Twitter has removed over 170,000 accounts associated with Chinese state-linked media campaigns around COVID-19, the Hong Kong protests, and George Floyd. More >

Spies can now eavesdrop by watching the vibrations of a lightbulb in a room. Before you ask—yes, it's research from Israel. More >

Putin just said in an interview that the US is in "deep internal crisis" due to the US's inability to accept Trump as a legitimate president. Nicely played. I honestly can't wait to read in 10 to 20 years what was really happening in the current moment with regard to Russia and the US. It's going to be the best spy story ever written. More >

Vulnerabilities:

  • There's an extremely critical SMB vulnerability that basically works like psexec for the attacker. More >

  • Microsoft's Patch Tuesday has 129 CVEs. More >

  • IBM Websphere has two critical issues. More >

  • There's a new vulnerability in UPnP. Remember to disable it on your IoT stuff if at all possible. More >

  • 23 issues in SAP, with two being critical. More >

  • Adobe has updates to Flash, Experience Manager, and Framemaker. More >

Breaches:

  • Nintendo says another 140,000 accounts may have been accessed in its recently announced breach. More >

  • Babylon Health leaked their video health consultations. More >

Companies:

  • Palantir is set to IPO soon. More >

TECHNOLOGY NEWS

Facebook has an AI-based system called TransCoder that can convert code back and forth between C++, Python, and Java. More >

Quite a bit of the US's AI supremacy relies on Chinese talent, and many are worried that trade tensions will remove that advantage. More >

United has added touchless check-in kiosks around the country. More >

Grammarly has added custom business style guides. More >

Companies:

  • Grow Credit builds people's credit scores by paying for online subscriptions. More >

  • Snowflake has filed for their IPO. More >

HUMAN NEWS

California has banned private prisons and immigration detention centers. More >

Dogs have been trained to detect people who have COVID-19 at a 95% success rate. More >

Around one-third of heterosexual American males aged 18-24 reported having no sex in the last year. Researchers said women are preferring men of higher socioeconomic status, and that more women now have college degrees, which are two factors affecting the chances of having heterosexual encounters for men. More >

24 Hour Fitness is permanently closing around a quarter of its gyms, including 10 in the SF Bay Area. More >

Russia had a major oil spill in the Arctic. More >

Brazil deforested 10,000 square kilometers of rainforest in 2019, which is a 34% increase over 2018. I don't have many authoritarian tendencies, but getting the international community to intervene and protect the Amazon is one of them. More >

IDEAS, TRENDS, & ANALYSIS

It might be a really good time for companies to move towards Zero Trust architectures. More >

Gene Spafford was interviewed about digital voting security and came to the same conclusion I did after attending ENIGMA one year. In short, all the experts agree it's a bad idea. More >

Layoffs are coming, and employers need to do them right. More >

UPDATES

I'm in the middle of working on two big presentations right now, so I've been writing a bit less. But that'll be done in two weeks and I'll just have one presentation in August to prepare for.

I've finished the book on Complex PTSD, Nonviolent Communication, and now I'm reading Getting to Yes.

DISCOVERY

A project that lets you explore ISS images of Earth for a given location. More >

Create diagrams with code, using Graphviz. More >

Cloud Pentesting Cheatsheets. More >

The word "huh?" seems to exist in every language. More >

Using SharpChisel to exfiltrate data from a network. More >

How to talk about your experience and perspective using stories during interviews. More >

All slides from NahamSec this weekend, including my buddy Jason's session on his Bug Hunter's Methodology v4! More >

How to use a serious camera as your webcam. More >

A Machine Learning Field Guide. More >

A broad interview with Marc Andreessen about time management, reading, and other topics. More >

A deep-dive into fountain pen ink properties. More >

Canary Tools — Plant triggers all over your network and applications, and get notifications if anyone trips them. More >

Gordon — A tool to check multiple reputation lists based on IP or domain. More >

Baby Shark — A C2 server that uses Google translate as a proxy. More >

URLCrazy — A tool for testing typosquatting attacks against your domains. More >

RECOMMENDATIONS

Nonviolent Communication is an extraordinary book for conflict resolution. I do think it could have had a better name though. I spent all these years thinking it was about hostage negotiation or something, but no—it's really quite universal. More >

APHORISMS

"Life consists of what one thinks of all day."

~ Ralph Waldo Emerson

Thank you for reading...