Unsupervised Learning: No. 67

This week’s topics: CloudBleed, SHA1-1, White House Leaks, Planets, Satellites, Drones vs. Eagles, InfoSec Jobs, ExFil, IQ and Creativity in a Post-work World, Weaponized Narrative, Security Tools, Tons of Great Links, and more…


This is Episode No. 67 of Unsupervised Learning—a weekly show where I curate 3-5 hours of reading in infosec, technology, and humans into a 15 to 30 minute summary.

The goal is to catch you up on current events, tell you about the best content from the week, and hopefully give you something to think about as well.


The show is released as a Podcast on iTunes, Overcast, Android, or RSS—and as a Newsletter which you can view and subscribe to here or read below.


Infosec news  

Tavis Ormandy of Project Zero discovered a major flaw in Cloudflare this week, which is being called CloudBleed. The best way to describe it is that CloudFlare was randomly injecting content from its protected sites into the browsing sessions of other websites hosted on Cloudflare. So they were protecting OK Cupid for example, and if you were visiting any site hosted by Cloudflare you might get random data from OK Cupid injected into the page you got back. Project Zero and Cloudflare worked to fix the issue quickly. Link

A large number of Google users reported being mysteriously logged out of their accounts last Thursday, which was concerning timing given the situation with the Cloudflare vulnerability. Google said, however, that it was a maintenance issue on their side, and was unrelated to the Cloudflare bug. Link

Google researchers have demonstrated the first successful attack on SHA-1 by creating two different PDF files that produce the same SHA-1 hash. Contrary to what much of the media is saying, this is not an extremely practical or realistic attack vector right now. This was Google working for two years to produce this, so it's pretty unlikely to be used against you. It should, however, slightly speed up your migration to a stronger option. Link

[ NOTE: So it looks like there are attacks on some code repositories based on this attack, but it looks like they’re more of the Y2K “don’t know how to handle issue” variety than the “create malware that checks out to something known-good variety”. Worth keeping an eye on, though. ]

Hayvn is IBM Watson, but for information security analysis. People would think it was less awesome if they realized that IBM Watson has already replaced a decent number of Information Security related jobs. In the short term, though, it'll free security analysts up to do other things. Link

Sean Spicer has inspected his aides' mobile phones for apps like Signal and Confide to make sure they weren't communicating with reporters. He then ordered them not to talk about the fact that he was checking for leaks, which was then leaked. Link

With its 88 new satellites, Planet is about to become the worlds largest space surveillance company. Link

Terrorists are building drones, and France is using trained eagles to counter them. Link

Over half of infosec job openings take 3-6 months to fill, and less than 1/4 of applicants are qualified for the jobs they apply for. Link

A new covert data extraction technique has been developed by having malware blink a light on a computer, which is then monitored by a drone. Link

Netflix released a fascinating new tool called Stethescope, which is a user-focused security recommendations system for employees. Link

Technology news

Nokia appears to be trying anything, and have relaunched their used-to-be-popular 3310 phone. I have to admit it does look somewhat attractive, but I don't see a legacy form factor device like this selling well until we have separate displays and digital assistants, i.e., until the device isn't the center of the world. Link

Waynmo is suing Uber, saying an employee stole around 14,000 files from them and took them to Uber. The content in the files allegedly lead to innovations that have produced around half a billion dollars in revenue. Link

Facebook has open sourced Prophet, a data science forecasting tool for Python and R. Link

Google is about to start adding a "fact checked" tag to certain stories in their results. Link

Android Nougat was released in August of 2016 but fewer than 1% of devices are running it. Link

Linode is evidently losing customers massively as a result of their repeated DDoS outages. I'm about to be another one who's leaving. Probably heading to AWS. Link

Tesla is looking to sell cars complete with insurance and maintenance. Link

Human news                                                  

Bruce Lee used to write letters to himself about authenticity and personal development, and they've been released for the fist time. Link

NASA found 7 Earth-like planets, just 40 light years away. Link

Kim Jong-Nam was killed by the VX nerve agent, rubbed on his face by a girl at the airport. The entire story is some beyond fiction spy stuff. Link

Fantastic hand-drawn infographics by Wendy Macnaughton. Link

Travel Press is reporting a massive drop in tourism to the U.S. Link

Ideas

IQ and Creativity in a Post-work World Link

Weaponized Narrative is the New Battlespace Link

Companies Exist to Service Customers, Not to Employ People Link

You Should Have Two Different Kinds of Hiring Interview Link

Discovery

Troy Hunt's analysis of the Cloudbleed bug. Link

20 security startups worth paying attention to this year. Link

Analyzing bonnets with Suricata and Machine Learning. Link

A list of sites affected by CloudBleed. Link

If you haven't read about GPDR (the European data privacy law) you should look into it. The short summary is that it gives European citizens back control of their own personal data, and to protect that data from being exported and misused without their knowledge. It includes fines for companies who fail to protect the data of EU citizens of up to 4% of worldwide turnover. Link

Evaluator — An open source tool for strategic information security risk assessment. Link

A fantastic piece on the history of Trump, Putin, and a potential new Cold War. Link

MacOS WiFi Cleaner — A tool by Rob Fuller to remove open wireless hotspots from MacOS. Link

Amazon has launched a new blog dedicated to AI. Link

PayloadsAllTheThings — A list of appsec related attack payloads, coming soon to SecLists as well! Link

Google's API design guide. Link

pURL — An API testing tool written in Python. Link

The ISC/SCADA Top 10 List Link

Notes

If I could do any university program today I'd do the Philosophy, Politics, and Economics degree from Oxford. Link

Still working through Hamilton, and my next book will either be The Federalist Papers or Sapien.

I'll be going to London in the middle of June, so if you're going to be there we should get together.

I'm thinking about doing a live Twitch stream of something I'm calling Office Hours, where people can hit me up on Twitter, YouTube, Facebook, whatever, and ask me anything on the topic of infosec. I'll probably do my first session on my Information Security Career guide, and anyone can ask for more detail on any section, etc. If you're interested let me know on Twitter or via email. Link

Recommendations

Read history. I have learned so much about myself by reading the Hamilton biography. I've seen flaws in Hamilton and Jefferson that I could easily see me making myself, and their experience might be able to help me in my own life. Reading does this for you. It lets you live multiple lives. No matter how much you're reading, you can probably benefit by reading more.

Aphorism

"Never confuse movement with action." ~ Earnest Hemingway


Thank you for listening, and if you enjoy the show please share it with a friend or on social media.

Daniel Signature

__

I do a weekly show called Unsupervised Learning, where I collect the most interesting stories in infosec, technology, and humans, and talk about why they matter. You can subscribe here.

Source: http://feeds.danielmiessler.com

Leave a Reply