This week’s topics: The Vault7 CIA dump, Russian shenanigans, Dahua, Verifone, mandatory genetic testing, WordPress, atomic storage, Google Kaggles, presenting at HouSecCon, fasting research, data wars, chaos, voice interfaces, tools, projects, and more…
This is Episode No. 69 of Unsupervised Learning—a weekly show where I curate 3-5 hours of reading in infosec, technology, and humans into a 15 to 30 minute summary.
The goal is to catch you up on current events, tell you about the best content from the week, and hopefully give you something to think about as well.
The show is released as a Podcast on iTunes, Overcast, Android, or RSS—and as a Newsletter which you can view and subscribe to or read below.
Wikileaks released a massive dump of CIA files, now called Vault 7, to the public last week. The core of the content was information on various techniques the CIA could use to gain access to target systems, including Android, iOS, consumer routers, consumer Smart TVs, etc. The leak has spawned massive discussion on the internet about how new or old the exploits/attacks were, who the likely source of the leak was, whether Russia was involved, etc. The biggest misconception that came out of the whole thing was that they had hacked Signal and other secure messengers. They didn't. They hacked Android, which allowed them to steal the information before it got to Signal, et al. Anyway, my personal opinion is that this is most likely a continuation of the Russian campaign to discredit attacks on Trump, and thus to improve Russia's position in the world. Link
Russian espionage and Russian cybercrime appear to be more linked than most people thought. Evgeniy Bogachev is a known cybercrime player out of Russia, but he's also been implicated in a lot of the election-related activity from last year. He also appears to live quite comfortably within Russia, much like a prized asset as opposed to an unwanted criminal. Interesting analysis from the New York Times. Link
Verifone, the largest maker of credit card terminals used in the United States, is investigating a breach of internal networks that might have impacted numerous companies running its POS solutions. Verifone is saying that it was merely an internal network breach and that it didn't affect their payment system products. Link
Brian Krebs reported that Dahua, the second largest IoT manufacturer of things like security cameras and DVRs, just patched a major hole that allowed attackers to completely bypass authentication in some significant percentage of their devices. You could basically request the password list for any device, get a list of users and hashes back, and then send any of them in your own request to get access. Link
A House committee has proposed a law requiring employees to undergo genetic testing as part of workplace wellness programs, and will allow penalties of up to 30% of the cost of the insurance if they don't provide the data. Link
A major vulnerability was found in Apache Struts 2 web application framework last week, and scans were very active looking for vulnerable targets. The flaw was in the Jakarta multipart parser upload function, and it let an attacker send a malicious content-type value and execute arbitrary system commands. Make sure you're patched. Link
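The Struts flaw above is triggered through the Content-Type header, so one cheap detection is to validate that header against the media-type grammar and flag values that carry expression-language markers. The following is an added example (not code from the newsletter or from the Struts project) that runs such a check over a few constructed request-log lines; the log format, the marker list and the simplified media-type regex are assumptions for illustration, not a Struts signature.

```python
import re

# Constructed sample request log lines (not real traffic); each line is
# "<client> <method> <path> content-type=<header value>".
SAMPLE_LOG = [
    "10.0.0.5 POST /upload.action content-type=multipart/form-data; boundary=----abc123",
    "10.0.0.7 POST /upload.action content-type=%{(#a=1)}",
    "10.0.0.9 GET /index.action content-type=application/x-www-form-urlencoded",
    "10.0.0.11 POST /upload.action content-type=${#b}",
    "10.0.0.13 POST /upload.action content-type=text/plain;; x=1",
]

# Simplified media-type grammar (RFC 7231 style):
#   type "/" subtype *( OWS ";" OWS parameter )   with parameter = token "=" (token | quoted-string)
TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
MEDIA_TYPE_RE = re.compile(
    rf"^{TOKEN}/{TOKEN}(\s*;\s*{TOKEN}=({TOKEN}|\"[^\"]*\"))*\s*$"
)

# Expression-language openers that never belong in a legitimate Content-Type value
# (assumed marker list for this example).
EXPRESSION_MARKERS = ("%{", "${")


def classify_content_type(value: str) -> str:
    """Return 'expression' if expression markers are present, 'malformed' if the
    value does not parse as a media type, otherwise 'ok'."""
    if any(marker in value for marker in EXPRESSION_MARKERS):
        return "expression"
    if not MEDIA_TYPE_RE.match(value):
        return "malformed"
    return "ok"


def scan_log(lines):
    """Return (client, path, verdict) for every line whose Content-Type is suspicious."""
    findings = []
    for line in lines:
        client, _method, path, rest = line.split(" ", 3)
        value = rest.split("=", 1)[1]  # everything after "content-type="
        verdict = classify_content_type(value)
        if verdict != "ok":
            findings.append((client, path, verdict))
    return findings


if __name__ == "__main__":
    for client, path, verdict in scan_log(SAMPLE_LOG):
        print(f"{client} {path}: {verdict} Content-Type")
```

A malformed verdict is worth keeping separate from the expression verdict: the first catches sloppy clients and unknown payload shapes, the second is the high-confidence signal that should page someone until the patch is confirmed deployed.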
WordPress issued a new release (4.7.3) to address six vulns, including some XSS, a URL validation issue, file deletion, and a CSRF issue. Patch early, patch often. Link
Consumer Reports is adding cybersecurity to its list of rating criteria. The layout for the requirements looks pretty decent as well. Link
An Intel Security report says 93% of companies have security strategies, but only 49% are fully implementing them. I think 49% is quite high. Either they didn't respond truthfully or their strategies are really weak. If half of the companies I went to had a security strategy and were fully implementing it I'd be overjoyed. It ain't true. I'd put that number closer to 5%. Link
Cornell did some interesting research on mobile MAC address randomization. They claim they can defeat randomization on Android with 96% accuracy using one technique, and on all major platforms by leveraging a previously known vulnerability. Link
CA bought Veracode for $614M. So let me get this right: Fortify is being sold to Microfocus. WhiteHat is basically dead because all their talent left. And now Veracode has been sold to CA, which means we probably won't hear much from them anymore. Who's left? CheckMarx has to be loving this. Link
InfoSec Sales Engineers evidently make between $180K and $220K, making them higher paid than security engineers and cloud security engineers. It's evidently the need for a combination of skill sets, including technical skills, soft skills, and (although they didn't mention it) the willingness to travel and interact with customers constantly. Link
IBM researchers have found a way to store data on a single atom. Link
IBM has over 600 employees working on the possibility of replacing bloated and unwieldy supply chain documentation with blockchain technology. Walmart and Maersk are among the companies who are interested. Link
Twitch, an Amazon company, has started rolling out a Twitter-like competitor called Pulse. It's not quite a Twitter clone, though, because it's really meant to just magnify Twitch content, so it ends up looking a lot like a combination of a push-based RSS system, a sharing platform for Twitch media, and a commenting system. Link
The head of the largest advertising firm says Amazon is a major threat to them. I think it's very smart for them to realize this. It's the Google for products, and Amazon is just scary good at almost everything they touch. Link
Google has purchased Kaggle, a company that hosts data science and machine learning competitions. Link
AT&T and T-Mobile are in the middle of a massive rate plan battle that is really making it nice for customers. They're especially focused on unlimited data plans. If you're a customer of either of these companies, and especially if you use your plan for tethering, consider going in to see if you can upgrade to a better / cheaper plan. Link
There's a bunch of new research on the benefits of fasting to the human body. This study talks about alternate day calorie restriction, where you eat far fewer calories one day, and then far more the next. It's early, but this appears to be some of the most promising research on weight loss and immune system health in a long time. Link
Researchers are finding increasingly interesting links between sleep, sunlight, and depression. Link
Children prefer reading books on paper rather than screens. Link
Deep Learning is helping hearing aid users pick out voices in crowded rooms. Link
Why Facts Don't Change Our Minds Link
The Bifurcation of America: The Forced Class Separation into Alphas and Betas Link
First and Second Order Chaos Link
A Response to Benedict Evans on the Limitations of Voice Interfaces Link
Voice Interfaces Are a Combination of Voice Recognition and NLP Link
Why the Future Doesn't Need Us. One of the first essays I ever read on the topic of future technologies and how they might affect humanity. It's from 2000 and written by Bill Joy. Highly recommended. Link
AuthMatrix — A Burp extension that provides a simple way to test authorization in web applications and services. Link
How to permanently update Burp's attack strings by editing the .jar file. Link
An interesting little visualization of different infosec career jump points. Link
MobSF — A mobile security testing framework. Link
Gartner's AppSec Magic Quadrant Analysis. Link
Bloodhound — Uses graph theory to reveal hidden and often unintended relationships within an Active Directory environment. Link
Fascinating relationship analysis around Trump, his associates, and Russia. Link
Some fantastic analysis by Robert Graham on the CIA leak. Link
A quiz to learn about your personal circadian rhythm. Link
An in-depth study of over 10 years of Java exploitation. Link
RAND has released a fascinating study on 0-day and exploit data and how much harm is caused by various entities sitting on them vs. releasing them. Link
Bash Bunny — Hak5's latest pentest tool. It emulates trusted USB interfaces like ethernet, serial, flash storage and keyboards, etc., and as a result it receives tons of sensitive data from the system. Link
How online gamers use malware to cheat. Particularly interesting to me since I'm currently working on a game security project. Link
System Design Primer — Learn how to design large scale systems. Prep for a system design interview. Link
I'll be presenting at HouSecCon with my buddy Jason Haddix on the 23rd of this month. The presentation is on The Game Security Framework, and we're going to be talking all about the project's structure, the data we have so far, and where we're taking it. Link
Getting closer on my OSINT primer. I have onsite customer work next week, but I'm hoping to still finish it within a week or so.
I'm almost done with Sapiens and I'm moving on to Homo Deus, by the same author. By the way, it's Deus (as in the second version of humans), which makes more sense than what I mentioned in the podcast last week.
Remember to focus on your Eulogy attributes, and not just your Resume attributes. If you were to die tomorrow, and your eulogy were next week, what would people say about you? Are they the things that you would want them to say? Take the actions that would make that the case.
"Extraordinary claims require extraordinary evidence." ~ Christopher Hitchens
Thank you for listening, and if you enjoy the show please share it with a friend or on social media.