Unsupervised Learning: No. 67

This week’s topics: CloudBleed, SHA1-1, White House Leaks, Planets, Satellites, Drones vs. Eagles, InfoSec Jobs, ExFil, IQ and Creativity in a Post-work World, Weaponized Narrative, Security Tools, Tons of Great Links, and more…

This is Episode No. 67 of Unsupervised Learning—a weekly show where I curate 3-5 hours of reading in infosec, technology, and humans into a 15 to 30 minute summary.

The goal is to catch you up on current events, tell you about the best content from the week, and hopefully give you something to think about as well.

The show is released as a Podcast on iTunes, Overcast, Android, or RSS—and as a Newsletter which you can view and subscribe to or read below.

Infosec news  Tavis Ormandy of Project Zero discovered a major flaw in Cloudflare this week, which is being called CloudBleed. The best way to describe it is that CloudFlare was randomly injecting content from its protected sites into the browsing sessions of other websites hosted on Cloudflare. So they were protecting OK Cupid for example, and if you were visiting any site hosted by Cloudflare you might get random data from OK Cupid injected into the page you got back. Project Zero and Cloudflare worked to fix the issue quickly. LinkA large number of Google users reported being mysteriously logged out of their accounts last Thursday, which was concerning timing given the situation with the Cloudflare vulnerability. Google said, however, that it was a maintenance issue on their side, and was unrelated to the Cloudflare bug. LinkGoogle researchers have demonstrated the first successful attack on SHA-1 by creating two different PDF files that produce the same SHA-1 hash. Contrary to what much of the media is saying, this is not an extremely practical or realistic attack vector right now. This was Google working for two years to produce this, so it's pretty unlikely to be used against you. It should, however, slightly speed up your migration to a stronger option. Link

[ NOTE: So it looks like there are attacks on some code repositories based on this attack, but it looks like they’re more of the Y2K “don’t know how to handle issue” variety than the “create malware that checks out to something known-good variety”. Worth keeping an eye on, though. ]

Thank you for listening, and if you enjoy the show please share it with a friend or on social media.


No related posts.