This week’s topics: Russians at it again, Microsoft and Adobe updates, PoS breaches, US-CERT throws TLS shade, epilepsy tweet stalking, Tesla’s billion, lip-reading AI, autonomous BMWs, Fiber Lasers, taxing robots, Green Zones and Red Zones, AI disruption of healthcare, discovery, recommendations, and aphorisms, and more…
This is Episode No. 70 of Unsupervised Learning—a weekly show where I curate 3-5 hours of reading in infosec, technology, and humans into a 15 to 30 minute summary.
The goal is to catch you up on current events, tell you about the best content from the week, and hopefully give you something to think about as well.
The show is released as a Podcast on iTunes, Overcast, Android, or RSS—and as a Newsletter which you can view and subscribe to or read below.
Two Russian FSB officers and two Russian hackers collaborated to execute the Yahoo! breach in 2014. This isn't the 2013 Yahoo! hack of a billion accounts. Or the other one. This is the 2014 one. Link
Adobe and Microsoft both pushed out significant patches last week, with Adobe fixing a bunch of Flash issues and Microsoft dropping 18 update bundles. Link
1 million decrypted Gmail and Yahoo! passwords are available for purchase. Link
Brian Krebs is reporting another PoS breach, this time for a restaurant chain called Select Restaurants. His analysis is that the hospitality and restaurant industries are massively owned, and that this is especially true for smaller chains that don't have direct relationships with the banks whose cards are being run through their PoS systems. Link
In a regular yearly tradition at CanSecWest in Vancouver, vulnerabilities were found in Safari, MacOS, Microsoft Edge, Adobe, Firefox, etc., and someone also escaped a VM. Link
US-CERT has thrown some shade at HTTPS interception appliances and services like Cloudflare by saying they have a negative effect on secure communications. Link
33 million US employees have had their data leaked. The data was discovered by Dun & Bradstreet, and is available in Have I Been Pwned. Link
GitHub awarded an $18,000 bounty to a researcher who found an RCE issue in GitHub Enterprise. Link
Ubiquiti has a critical command injection vulnerability in more than 40 of its products' admin interfaces. Researchers reported the issue(s) to the vendor through its HackerOne bounty program, but went public after receiving an unsatisfactory response from the vendor. Link
A Secret Service laptop, security lapel pins, and radio were stolen from a Secret Service vehicle in New York City. Some of the items have supposedly been recovered, but it's not clear which. The incident is yet another entry in the book of recent embarrassments for the group. Link
Sound waves have been used to confuse common accelerometers. Link
A new version of the Shamoon malware, called StoneDrill, has been found on a European petroleum company's systems. Shamoon was popularized back in 2012 for wiping disks at Saudi Aramco, and the new version does that even better and adds lots of more advanced functionality. Link
38 Android devices were found infected with malware that was pre-installed somewhere in the supply chain. Link
WhatsApp and Telegram have flaws that can lead to account compromise. The issue is improper parsing of malicious images in the web version of the application. Link
A man has been arrested for cyberstalking after sending a flashing tweet to a journalist who has epilepsy. Link
Trump has put $1.5 billion in the new budget for cybersecurity and critical infrastructure. Link
Tesla is raising over $1 billion to offset the risk of the Model 3 bet. Link
Uber president Jeff Jones has quit amid turmoil at the company. Link
Oxford scientists, in cooperation with Google's Deep Mind division, say they've created an AI that can lip-read better than humans. Link
Microsoft is putting ads all throughout Windows 10, including in the explorer window. Link
BMW is shooting for a level 5 autonomous car by 2021. Link
Netflix is dropping their five star ratings for a thumbs up or thumbs down. Basically, nobody ever uses 2-4 stars; it's always 5 or 1. Link
Tesla's massive batteries are being used to power everything from breweries to small islands. Link
The U.S. Army gets the first 60kW Beam Combined Fiber Laser Weapon. I'm excited and scared at the same time. Mostly excited though. Link
WePay now supports Apple Pay and Android Pay. Link
Intel has purchased Mobileye for $15.3 billion. Their technology does computer vision for autonomous driving. Link
Everyone is spinning up for 5G. "Nothing will be mobile because everything will be mobile." Link
Sony is working on mobile-to-mobile wireless charging technology. Link
Nintendo is doubling production of its wildly popular Switch console. Link
Microsoft's Slack rival, Teams, is now open to all Office 365 users. Link
Numerous and sustained studies of "learning styles" have failed to find scientific support for the concept. Link
Police have persuaded a judge to compel Google to hand over an entire city's searches for a given phrase, in order to help solve a fraud case. Link
Tim Cook says globalization is in general great for the world. After reading Naked Economics by Charles Wheelan, I too agree. Link
Bill Gates wants to tax robots. Link
Failure, and How to Help People Avoid It Link
Green Zone, Red Zone Link
AI is about to massively change healthcare. Basically, you give it more and more of your data, and the system tells you when you're sick and exactly what to do to optimize outcomes. And it'll do this way better than human doctors, because it'll essentially be drawing on the entire human dataset each time it looks at you. Link
The six levels (0-5) of vehicle autonomy. Link
A list of the crazy cool projects that DARPA is currently working on. Link
Principles of Covert Action. Link
Five myths about obesity in America. Link
Analysis of Docker image vulnerabilities. Link
Glitch — A collaborative community for building applications, bots, or webpages. Link
Brian Roemmele, a prominent technologist focused on the voice-first revolution, tweeted out my book last week and generated a solid amount of interest. If you haven't read the book, or you've read it but not reviewed it, please take the time! Link
I'm speaking at HouSecCon this week with Jason Haddix on our Game Security Framework. The session will be recorded and we'll share it when it becomes available. Link
I've finished Sapiens and have started on Homo Deus. And, yes, Homo Deus is about humans becoming gods, like I said originally. Deus is Latin for god. Someone sent me a correction, which turned out to be wrong. Derp on my part. Link
I really wish Apple Watch had a round form factor instead of square. I get that the iPhone is rectangular, and that this is the shape of all their widgets, but high-end watch faces are mostly round. I'd give anything for an Apple Watch face that looked like a NOMOS TANGOMAT DATUM. The bad news for the watch industry is that I'm basically just going to wait for smartwatches to reach this level of craftsmanship. I can't see myself going back. Link
The OSINT primer is still coming along. Being onsite with customers, along with other projects, has extended the timeline a bit. But it's coming.
I'm working to get some new wordlists (payloads and usernames/passwords) incorporated into SecLists. I've reached out to the creators of the various GitHub projects and they were happy to have their lists included. I will integrate them as time allows.
When you patronize hotels and restaurants (especially the smaller ones), expect the chance of PoS malware to be far higher. Use a credit card rather than a debit card, and maybe don't use your favorite one. Consider designating a throw-away card that you use for higher-risk transactions, and that you don't mind having replaced frequently.
"People don't seem to realize that their opinion of the world is also a confession of character." ~ Ralph Waldo Emerson
Thank you for listening, and if you enjoy the show please share it with a friend or on social media.