Unsupervised Learning: No. 69

This week’s topics: The Vault7 CIA dump, Russian shenanigans, Dahua, Verifone, mandatory genetic testing, WordPress, atomic storage, Google Kaggles, presenting at HouSecCon, fasting research, data wars, chaos, voice interfaces, tools, projects, and more…

This is Episode No. 69 of Unsupervised Learning—a weekly show where I curate 3-5 hours of reading in infosec, technology, and humans into a 15 to 30 minute summary.

The goal is to catch you up on current events, tell you about the best content from the week, and hopefully give you something to think about as well.

The show is released as a Podcast on iTunes, Overcast, Android, or RSS—and as a Newsletter which you can view and subscribe to or read below.

Infosec news

WikiLeaks released a massive dump of CIA files, now called Vault 7, to the public last week. The core of the content was information on various techniques the CIA could use to gain access to target systems, including Android, iOS, consumer routers, consumer smart TVs, etc. The leak has spawned massive discussion on the internet about how new or old the exploits/attacks were, who the likely source of the leak was, whether Russia was involved, etc. The biggest misconception that came out of the whole thing was that they had hacked Signal and other secure messengers. They didn't. They hacked Android, which allowed them to steal the information before it got to Signal, et al. Anyway, my personal opinion is that this is most likely a continuation of the Russian campaign to discredit attacks on Trump, and thus to improve Russia's position in the world.

Russian espionage and Russian cybercrime appear to be more linked than most people thought. Evgeniy Bogachev is a known cybercrime player out of Russia, but he's also been implicated in a lot of the election-related activity from last year. He also appears to live quite comfortably within Russia, much like a prized asset as opposed to an unwanted criminal. Interesting analysis from the New York Times.

Verifone, the largest maker of credit card terminals used in the United States, is investigating a breach of its internal networks that might have impacted numerous companies running its POS solutions. Verifone is saying that it was merely an internal network breach and that it didn't affect their payment system products.

Brian Krebs reported that Dahua, the second largest IoT manufacturer of things like security cameras and DVRs, just patched a major hole that allowed attackers to completely bypass authentication in some significant percentage of their devices.
You could basically request the password list for any device, get a list of users and hashes back, and then send any of them in your own request to get access.

A House committee has proposed a law requiring employees to undergo genetic testing as part of workplace wellness programs, and it would allow penalties of up to 30% of the cost of the insurance if they don't provide the data.

A major vulnerability was found in the Apache Struts 2 web application framework last week, and scans looking for vulnerable targets were very active. The flaw was in the Jakarta multipart parser upload function, and it let an attacker send a malicious Content-Type header value and execute arbitrary system commands. Make sure you're patched.

WordPress issued a new release (4.7.3) to address six vulns, including some XSS, a URL validation issue, file deletion, and a CSRF issue. Patch early, patch often.

Consumer Reports is adding cybersecurity to its list of rating criteria. The layout for the requirements looks pretty decent as well.

An Intel Security report says 93% of companies have security strategies, but only 49% are fully implementing them. I think 49% is quite high. Either they didn't respond truthfully or their strategies are really weak. If half of the companies I went to had a security strategy and were fully implementing it I'd be overjoyed. It ain't true. I'd put that number closer to 5%.

Cornell did some interesting research on mobile MAC address randomization. They claim they can defeat randomization on Android with 96% accuracy using one technique, and on all main platforms by leveraging a previous vulnerability.

CA bought Veracode for $614M. So let me get this right: Fortify is being sold to Micro Focus. WhiteHat is basically dead because all their talent left. And now Veracode has been sold to CA, which means we probably won't hear much from them anymore. Who's left? Checkmarx has to be loving this.
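The Dahua item above describes the classic shape of a credential-replay bypass: the device hands out its stored hashes to anyone, and then accepts one of those hashes back as the credential. The following is an added illustration of that pattern next to a hardened version; it is not Dahua's firmware or protocol, and the handler names, the user records, the passwords and the session mechanism are all constructed for the demo. The hardened side fixes both halves of the problem: the user list requires a session and returns usernames only, and login takes a password and derives the verifier on the device, so a leaked verifier is just a wrong password.

```python
"""Auth bypass by replaying a device's own stored credential verifiers.

Added illustration for the Dahua item; not Dahua's code. Endpoint names,
user records and passwords below are constructed for the demo.
"""
import hashlib
import hmac
import os
import secrets

# --- Vulnerable model: unsalted hex digests, served to anyone, accepted as-is ---
VULN_USERS = {  # constructed sample records
    "admin": hashlib.md5(b"admin123").hexdigest(),
    "viewer": hashlib.md5(b"lobbycam").hexdigest(),
}

def vuln_list_users():
    """Unauthenticated handler: returns every username with its stored hash."""
    return dict(VULN_USERS)

def vuln_login(user, submitted_hash):
    """The device compares the submitted hash with the stored one, so the
    stored value is itself a password equivalent."""
    return VULN_USERS.get(user) == submitted_hash

def replay_leaked_hashes(list_users, login):
    """The flow the item describes: pull the user list, then submit each
    returned hash back as the credential. Returns the users it got into."""
    return [u for u, h in list_users().items() if login(u, h)]

# --- Hardened model ---
def make_record(password):
    """Per-user random salt plus a slow KDF; the verifier never leaves the device."""
    salt = os.urandom(16)
    verifier = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return {"salt": salt, "verifier": verifier}

SAFE_USERS = {"admin": make_record("admin123"), "viewer": make_record("lobbycam")}
SESSIONS = set()

def safe_login(user, password):
    """Takes the password, not a hash: the device derives the verifier itself,
    so a stolen verifier submitted here is just a wrong password.
    Returns a session token on success, None otherwise."""
    rec = SAFE_USERS.get(user)
    if rec is None:
        # Burn the same KDF cost for unknown users so timing does not reveal them.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, 100_000)
        return None
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 100_000)
    if not hmac.compare_digest(candidate, rec["verifier"]):
        return None
    token = secrets.token_hex(16)
    SESSIONS.add(token)
    return token

def safe_list_users(session_token):
    """Requires a session and returns usernames only, never verifiers or salts."""
    if session_token not in SESSIONS:
        raise PermissionError("authentication required")
    return sorted(SAFE_USERS)

def demo():
    """Returns (users the replay got into on the vulnerable model,
    users it got into on the hardened model given a dump of its verifiers)."""
    vuln_hits = replay_leaked_hashes(vuln_list_users, vuln_login)
    leaked = {u: r["verifier"].hex() for u, r in SAFE_USERS.items()}  # e.g. from a firmware dump
    safe_hits = [u for u, v in leaked.items() if safe_login(u, v) is not None]
    return vuln_hits, safe_hits

if __name__ == "__main__":
    print(demo())  # (['admin', 'viewer'], [])
```

The point to check on any device you assess is the second half: even if the user list is locked down later, a login path that accepts the stored verifier directly means every copy of that list (backups, firmware images, config exports) is a set of working credentials.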
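Since the Struts 2 flaw above is triggered through the Content-Type header, the cheapest detection while you patch is to look at that header in your request or proxy logs: a legitimate value is a media type, and an OGNL expression is not. The following is an added example of that check, not code from the page or the Struts project. The log format and every log line are constructed for the demo (it assumes the header value contains no double quote), and the marker strings are an assumption about payload shape taken from public write-ups of the flaw, not an exhaustive signature.

```python
"""Flag Content-Type header values that carry OGNL expressions.

Added example for the Struts 2 item; log format, log lines and the marker
list are constructed/assumed for the demo, not taken from a real system.
"""
import re
from collections import Counter

# Constructed format: <ts> <client> <method> <path> "<content-type>" <status>
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)" (\d{3})$')

# A well-formed media type: token/token, then optional ;name=value parameters.
TOKEN = r"[A-Za-z0-9!#$&^_.+-]+"
MEDIA_TYPE_RE = re.compile(rf"^{TOKEN}/{TOKEN}(?:\s*;\s*[A-Za-z0-9_-]+=[^;\s]*)*\s*$")

# Substrings that have no business in a media type but show up in OGNL payloads
# (assumed indicator list; compared lower-cased).
OGNL_MARKERS = ("%{", "${", "#_memberaccess", "#cmd", "@java.lang", "ognl.")

def inspect_content_type(value):
    """Return (flag, reason) for one Content-Type header value."""
    lowered = value.lower()
    hits = [m for m in OGNL_MARKERS if m in lowered]
    if hits:
        return True, "ognl-markers:" + ",".join(hits)
    if not MEDIA_TYPE_RE.match(value):
        # Lower confidence: malformed, but not obviously an expression.
        return True, "not-a-media-type"
    return False, "ok"

def scan(log_text):
    """Parse each line and attach a verdict; unparseable lines are flagged too."""
    findings = []
    for n, raw in enumerate(log_text.strip().splitlines(), 1):
        m = LINE_RE.match(raw)
        if m is None:
            findings.append({"line": n, "flag": True, "reason": "unparseable",
                             "client": None, "path": None})
            continue
        _ts, client, _method, path, ctype, _status = m.groups()
        flag, reason = inspect_content_type(ctype)
        findings.append({"line": n, "flag": flag, "reason": reason,
                         "client": client, "path": path})
    return findings

def clients_to_review(findings):
    """Flag count per source address, for triage."""
    return Counter(f["client"] for f in findings if f["flag"] and f["client"])

# Constructed sample log: two benign uploads, one OGNL-shaped header, one
# plain GET, one malformed header with no expression in it.
SAMPLE_LOG = """\
2017-03-09T10:15:32Z 198.51.100.7 POST /showcase/upload.action "multipart/form-data; boundary=----WebKitFormBoundaryAbC123" 200
2017-03-09T10:15:40Z 198.51.100.7 POST /api/orders "application/json; charset=utf-8" 201
2017-03-09T10:16:02Z 203.0.113.5 POST /showcase/upload.action "%{(#_='multipart/form-data').(#cmd='id')}" 500
2017-03-09T10:16:05Z 192.0.2.9 GET /index.action "text/plain" 200
2017-03-09T10:16:11Z 192.0.2.44 POST /index.action "multipart/form-data; boundary" 400
"""

if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f)
    print(clients_to_review(results))
```

Treat the marker hits as the high-confidence signal and the "not-a-media-type" verdict as a queue to eyeball; and remember that a hit in the logs after the fact is not the same as having the patch in place.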
InfoSec sales engineers evidently make between $180K and $220K, making them higher paid than security engineers and cloud security engineers. It's evidently the need for a combination of skill sets, including technical skills, soft skills, and (although they didn't mention it) the willingness to travel and interact with customers constantly.

Technology news

IBM researchers have found a way to store data on a single atom.

IBM has over 600 employees working on the possibility of replacing bloated and unwieldy supply chain documentation with blockchain technology. Walmart and Maersk are among the companies that are interested.

Twitch, an Amazon company, has started rolling out a Twitter-like competitor called Pulse. It's not quite a Twitter clone, though, because it's really meant to just magnify Twitch content, so it ends up looking a lot like a combination of a push-based RSS system, a sharing platform for Twitch media, and a commenting system.

The head of the largest advertising firm says Amazon is a major threat to them. I think it's very smart for them to realize this. It's the Google for products, and Amazon is just scary good at almost everything they touch.

Google has purchased Kaggle, a company that hosts data science and machine learning competitions.

AT&T and T-Mobile are in the middle of a massive rate plan battle that is really making it nice for customers. They're especially focused on unlimited data plans. If you're a customer of either of these companies, and especially if you use your plan for tethering, consider going in to see if you can upgrade to a better / cheaper plan.

Human news

There's a bunch of new research on the benefits of fasting to the human body. This study talks about alternate-day calorie restriction, where you eat far fewer calories one day and then far more the next. It's early, but this appears to be some of the most promising research on weight loss and immune system health in a long time.
Researchers are finding increasingly interesting links between sleep, sunlight, and depression.

Children prefer reading books on paper rather than screens.

Deep learning is helping hearing aid users pick out voices in crowded rooms.

Why Facts Don't Change Our Minds

Ideas

The Bifurcation of America: The Forced Class Separation into Alphas and Betas

First and Second Order Chaos

A Response to Benedict Evans on the Limitations of Voice Interfaces

Voice Interfaces Are a Combination of Voice Recognition and NLP

Discovery

Why the Future Doesn't Need Us. One of the first essays I ever read on the topic of future technologies and how they might affect humanity. It's from 2000 and written by Bill Joy. Highly recommended.

AuthMatrix — A Burp extension that provides a simple way to test authorization in web applications and services.

How to permanently update Burp's attack strings by editing the .jar file.

An interesting little visualization of different infosec career jump points.

MobSF — A mobile security testing framework.

Gartner's AppSec Magic Quadrant analysis.

BloodHound — Uses graph theory to reveal hidden and often unintended relationships within an Active Directory environment.

Fascinating relationship analysis around Trump, his associates, and Russia.

Some fantastic analysis by Robert Graham on the CIA leak.

A quiz to learn about your personal circadian rhythm.

An in-depth study of over 10 years of Java exploitation.

RAND has released a fascinating study on 0-day and exploit data and how much harm is caused by various entities sitting on them vs. releasing them.

Bash Bunny — Hak5's latest pentest tool. It emulates trusted USB interfaces like Ethernet, serial, flash storage, keyboards, etc., and as a result it receives tons of sensitive data from the system.

How online gamers use malware to cheat.
Particularly interesting to me since I'm currently working on a game security project.

System Design Primer — Learn how to design large-scale systems. Prep for a system design interview.

Notes

I'll be presenting at HouSecCon with my buddy Jason Haddix on the 23rd of this month. The presentation is on the Game Security Framework, and we're going to be talking all about the project's structure, the data we have so far, and where we're taking it.

Getting closer on my OSINT primer. I have onsite customer work next week, but I'm hoping to still finish it within a week or so.

I'm almost done with Sapiens and I'm moving on to Homo Deus, by the same author. By the way, it's Deus (as in the second version of humans), which makes more sense than what I mentioned in the podcast last week.

I finally removed the single ad I had on my website and moved to a sponsorship model. The site is currently sponsored by Netsparker, a strong web application scanner I've used off and on for many years. It's nice to not have an ad network (JavaScript) running on the site anymore, even though the one I used wasn't bad at all. Now it's just text and a link—super clean. If you need a good web scanner, head over to my site's sidebar.

Recommendations

Remember to focus on your eulogy attributes, and not just your résumé attributes. If you were to die tomorrow, and your eulogy were next week, what would people say about you? Are they the things that you would want them to say? Take the actions that would make that the case.

Aphorism

"Extraordinary claims require extraordinary evidence." ~ Christopher Hitchens

Thank you for listening, and if you enjoy the show please share it with a friend or on social media.

