The Unsupervised

by Daniel Miessler
Unsupervised Learning is a weekly show where I handpick the best stories and ideas in infosec, technology, and humanity, and talk about why they matter.

Information Security news

Symantec has purchased LifeLock for 2.3 billion dollars. This is part of Symantec's overall play to become a "comprehensive cyberdefense solution" for customers. I personally don't know what these big security software companies are doing, and I'm not sure they know either. It seems the consolidation will only continue. First, the software security companies will join the big software companies. Then the big hardware companies will combine with the big software companies, which will also combine with the big IT services companies. So at some point companies like HP, DELL, and IBM combine with companies like Microsoft and Oracle, which then combine with companies like Accenture and KPMG. Customers would rather not buy things from lots of different places. If the trend continues we'll eventually end up with lots of startups and a few monoliths. Link

A group of researchers at Norwegian security firm Promon have found a way to steal a Tesla by installing malware on the owner's Android phone. The attack works by installing a malicious app that can read a cleartext OAuth token from the Tesla app's sandbox. Once it has root it can then delete that token and force the user to re-login to the app, at which point it captures their password. You can defend against this by not installing the malicious app in the first place, or by having the latest security updates. I'll take this opportunity to recommend that if you're going to run Android you should switch to Pixel as fast as possible. Link

A message, "You Hacked, ALL Data Encrypted" was seen on Muni station terminals all over San Francisco on Saturday. An anonymous Muni worker said they've been hacked since Friday afternoon. We'll see if it affects service or not, but with the recent attacks against hospitals in the U.K. it seems pretty obvious that the line between theoretical and real-world is now being crossed with increasing frequency. In the meantime, people are currently riding for free. So, good news bad news I guess. Link

A group called PCAST has recommended to both the current and incoming administrations that they start taking bioterrorism, and specifically gene-editing techniques such as CRISPR, very seriously. They warn that we've been mostly thinking of bio defenses in terms of natural threats like Ebola and flu, but warn that we now need to be thinking about maliciously created threats. The primary examples they give are modifying common diseases to be more dangerous, more virulent, or more resistant to drugs. I think this is a good example of where we need to focus on impact control more than prevention. These sorts of attacks will only get easier as access to sequence data for various life forms becomes increasingly available. We need to figure out detection, response, and impact reduction rather than spending everything on prevention that will ultimately fail. Link

Attackers have stolen millions from European ATMs using malware that spits out cash. Authorities believe the attacks are coming from a criminal group called Cobalt and/or a Russian ATM hacking gang called Buhtrap. The world's largest two ATM manufacturers, Diebold and NCR, said they were aware of issues and were working on the problem. Link

There's been a credit card breach at Madison Square Garden and Radio City Music Hall. Cards were swiped in person at the food and beverage locations, and the incidents seemed to happen between November of 2015 and October 24th of 2016. Link

The personal data of 130,000 sailors in the U.S. Navy were potentially stolen when an HPE contractor's laptop was compromised. The investigation is still in its early stages. Link

NIST has released new password recommendations. A few of the highlights include: favoring the user, at least 8 characters and allow up to 64, check against a list of bad passwords, don't force unnatural combinations of special/uppercase/etc. characters, don't use password hints, don't use password questions, no more mandatory expiration for the sake of it, don't use SMS for 2FA. Link

The Phantom Squad hacking group is vowing to take down one or more major gaming services throughout the holidays using massive DDoS attacks. The likely targets are Xbox, Playstation Network, and Steam. They've already attacked Steam, CounterStrike, and RainbowSix in the past. Link

Twitter has asked law enforcement to stop mining its service for surveillance purposes. SnapTrend and GeoFeedia have already had their public API access revoked because Twitter learned that they were sharing their harvested geolocation data with law enforcement. Link

Facebook appears to have developed content suppression software that will allow them to enter markets that have strict restrictions, such as China. It's disappointing to see this, but I suppose it shouldn't be surprising. Not being in China basically means leaving billions of dollars on the table, so companies are likely to make all sorts of sacrifices to make it happen. It's just weird because of the juxtaposition of free speech and openness in Silicon Valley vs. actual censorship in China. It's the fact that they're doing both that makes it feel so wrong. Link

Technology news

Researchers at the University of Toronto have succeeded in teaching an AI (I prefer Synthetic Intelligence) to learn from human instructions rather than from data, which increased its learning performance by 160%. In addition, the algorithm outperformed its own training by 9%. This is the type of research that makes me happy that there are organizations like Nick Bostrom's that are putting effort into ensuring that we don't accidentally create a real Skynet. When you're talking about self-improving intelligence, how many similar surprises will it take before something special is truly born? I don't know, and I'm not sure anyone else does either. Link

Alphabet is cutting back its drone plans as part of a general tightening of focus. It cancelled its Google Fiber project a few months back as well, and seems to be shelving more and more projects. It feels like a natural contraction to me, with an inevitable expansion surely to come at some point in the future. It just felt as if they were trying a 'many small bets' strategy that turned into 'too many medium sized bets', and someone finally said enough. Link

Google has a new offering coming out called Google WiFi, which is a mesh networking WiFi solution that is supposed to have incredible coverage and speeds. You can get more information and pre-order here. Link

MIT researchers just released a paper about a new Machine Learning training methodology which has a system perform web research when it doesn't feel it has enough confidence in a classification it's made. So if the confidence score is low, it'll perform a web query, parse the content, and reassess. If the score remains low it'll perform another query, reassess, etc. This is another interesting advance in self-improved learning for AI systems. Link

Samsung has plans to release a glossy black version of its Galaxy S7 device. I'm biased towards Apple in many ways, but it sure seems to me that when Apple copies something it's something that was obvious and inevitable, such as waterproofing or wireless charging. But when others copy Apple they tend to take design-oriented features like form factor and colors. Link

Researchers are developing ways to use drones and biobots to map large unfamiliar areas. Well, sure, that's what they'll be used for at first. But eventually you get to the real use cases, i.e., surveillance and war. Link

Oracle has purchased DYN. I used to love DYN. I used them for over 10 years. I recently left them and went somewhere else for a number of reasons, but this purchase would have been the last push needed were I still there. Link

Google can now show live views of certain locations during peak hours. I love that they continue making their core products better. I hear that the Google Earth VR experience is breathtaking. Link

Apple is getting out of the WiFi router business. They also got out of the monitor business recently as well. Seems like they're looking to focus on their core products even more, which I think is a good idea. I'll be checking out Ubiquiti for my next WiFi purchase most likely. Link

Facebook is now helping users find free WiFi through its website and application. I love how they just add useful functionality in whenever they can. I still think they're ultimately angling to be the AOL of the future, with most people starting and ending their internet session there. All they need is search that's good enough for them to not have to leave to use Google. Link

Facebook's ad revenue isn't anywhere near Google's, but it just passed all the media giants for the first time. Those companies include CBS, Disney, and Comcast. Link

Amazon could be close to offering HBO Now through its Amazon Channels service. It's so interesting to see these various groups competing in the new world of decoupled content creation and content distribution. Link

Amazon is getting into the Deep Learning cloud services arena. Google and IBM are already playing there and continue to enhance their offerings. Link

Google is removing the 'mobile friendly' label for sites that have good mobile interfaces. They say that 85% of sites they show have good mobile sites at this point so it's not necessary anymore. They're also about to start punishing mobile sites that have popups when you visit them. Link

Human news

A new study published in the journal of Applied Physiology, Nutrition, and Metabolism has shown that one of the breakdown products of Aspartame attacks a gut microbe that helps fight obesity. This might explain why, despite diet soda having no sugar in it, those who drink diet soda rather than regular soda don't lose a significant amount of weight. Link

Another study of 1,454 people over 10 years showed that use of low-calorie sweetener is independently associated with larger waist and higher prevalence of abdominal obesity. In unrelated news I just got off of diet soda drinks again. I'm going to embrace the theory that unnatural substances might be messing with the gut biome (or whatever) and that it's just better to drink water, tea, coffee, beer, and wine. With most of that being water. I've made an investment in Perrier since I do enjoy a cold drink with gas. Link

80% of students can't tell the difference between real and fake news. Luckily this is only a problem if you care about a healthy democracy. Link

How Prospect Theory might explain a lot of the Trump and Brexit votes. Basically, when people feel down they're more likely to take extreme risks, and when they feel up they are far less likely. So if the narrative of Britain and the United States being in bad shape was effective it might have encouraged many to take a risk to get something better. Like double or nothing, except with countries. It's an interesting possible explanation, or at least a contributing factor. Link

The FTC has demanded that homeopathic remedies be labelled to say they don't work. It's a great step, but there will probably be counter-marketing that says, "They made us put this on the package because they're scared of how effective our stuff is." And the people who are likely to use the products are likely to believe that. Link

Business Insider did a great piece on how we have basically 11 sub-nations within the United States. Yankeedom, New Netherland, The Midlands, Tidewater, Great Appalachia, Deep South, El Norte, The Left Coast, The Far West, New France, and the First Nation. The piece is about how the peoples that populated these lands when America was founded are quite different and have different personalities due to their histories. They argue that these differences lead to the differences we see in those regions today. Link

A new study out of University of Utah Salt Lake City has found a strong link between people's dispositional mindfulness, their self-concept clarity, and their psychological well-being. So basically the more people know about their current state, the more they understand what they're about, the happier they tend to be. Link

The University of Basel just did a study of 6,500 teenagers and found a strong link between mental and physical health. The summary was that depression in young people affects the stomach, while anxiety affects the skin. Link

The election is once again in the news with Jill Stein and Hillary Clinton teaming up to do recounts in a few key states. There is evidently enough information to warrant an audit of some of the results in those states, with many officials pretty much confirming that Russia did in fact influence the election by sowing anger towards the left. This information warfare angle from Russia is something I've written quite a bit about, but I personally want this challenge to go away. I'm a liberal, but the Democrats deserved to lose because of their silly beliefs and silly rhetoric. As an example of the type of thing all these people voted against, Jill Stein (one of the leaders of this movement) just came out in support of Fidel Castro, saying he was "a symbol for the struggle for justice". She also thinks WiFi causes cancer. As long as liberals insist on having people like this lead them they deserve to lose. As a country we need to adjust and move on. You got trounced; a recount will do nothing but make things worse. Start planning for 2018 and 2020. And if you're worried about WiFi risk, turn off your router and move to Cuba. NOTE: And don't worry---while I am happy to talk about philosophy in the Human section of this show, and I talk about politics on my blog and in standalone editions of the podcast, I'll continue to not talk politics here. There's a time and place for everything, and this is not the time or place for politics. Link

Ideas, trends, and statistics

Big companies seem to be buying up or hiring all of the limited AI talent. I suppose this is to be expected since they also have the data to apply it to, but it's somewhat disconcerting to realize that it'll take some time for AI benefits to get to smaller companies because it'll need to go through the big companies and be turned into services that the smaller companies can use. It'll be a while before AI is just considered part of every business, but it's already starting through companies like Google, Amazon, and Salesforce creating services where others can leverage AI for their own purposes. Link

I wrote a quick little post about an alternative definition of The Internet of Things, in which I said it could be based on the swapping of roles between computers and functionality. So the definition would be: "The transition from things with functionality having computers in them, to things being computers that are able to perform functions." So in the past we had cars with computers in them, and now we have computers that take you places. Before we had phones with computers in them, and now we have computers that make phone calls. Link

I wrote an analysis piece on the philosophy of Westworld (don't read on if you don't want any spoilers), where I say it's basically a statement that there's no difference between hosts and humans. We're both programmed---us by evolution, and hosts by us---to be on our loops. And the more primal the loop the more meaning it produces for you. It's also about how looking too deeply at the loop makes you search for another one. The people outside the game can't wait to get into it because the real world is fake. And the people stuck in the game can't wait to break out of it to get to the real world. They're both confused in thinking that there's something real to find. My summary was that, "If you want happiness you just have to find a loop you like and enjoy the ride." Link

I was asked to put together some thoughts on metrics for quotes in an upcoming book, and I came up with the following four: 1) metrics have to be connected to goals on one side and actions on the other to be effective, 2) you need to track the percentage under management, 3) you often need coverage more than you need precision, and 4) don't confuse your metrics program with a big data project; focus on how many different types of actions you'll take as a result, and then build your metrics to have that resolution. Link

Recommended links

PyExfil --- a data extraction toolset for Python that exfils data over DNS query, HTTP cookie, ICMP, NTP requests, BGP, HTTP certs, POP3, and FTP MKDIR functionality Link

Shinatra --- a web server in five lines of Bash Link

Neet --- Network Enumeration and Exploitation Tool. This is a tool that manages other tools for scanning, finding vulnerable services, and pulling back the output in an easy-to-use format. I feel like all good pentesters have written a tool like this in their life, however crappy it might have been. Link

A CISO Mind Map --- an overview of the responsibilities for a typical CISO Link

A practical guide to securing MacOS Link

An interesting workflow from SANS ISC on preventing malicious attachment attacks Link

Gartner has published a paper on Applying Deception Technologies and Techniques to Improve Threat Detection and Response Link

The MOVR Visualization --- A mobile usage statistics report that presents its data in a super clean visual way. Link

I read a lot, and when I finish a good book I collect or create a summary for the book and capture what I learned from it. You can see the books I've read and get the summaries here. Link

Announcements, tips, and miscellanea

I've submitted my book, titled the Real Internet of Things, to an editor, and hope to have it cleaned up and published within the next couple of weeks. It's been 10 times as hard as I anticipated, which I should probably write about at some point. I'll say more when it's actually published and I can talk about the process as a whole. 

I've massively redone my podcast production process, including changing up the delivery of the weekly show. I've moved to Adobe Audition for my recording and mixing software, and OmnyStudio for my hosting. Audition has given me way more control of my audio content, including the ability to clean it up and apply noise removal in a much better way. I've also gone to putting my analysis in the newsletter text itself rather than ad-libbing it, which should make the shows far more crisp while still keeping the analysis piece. If you care about this type of thing at all I'd love to hear what you think of the changes.

I'll be presenting at NBTCon (@nbtcon) in San Francisco on Saturday, December 3rd. Link

Dark Reading featured a piece on my opinions on IoT Security called Balancing the Risk & Promise of The Internet of Things. Link

Books I just finished: Rework, Sleeping Giant, Left of Bang, and Influence.

Books I'm reading: Naked Statistics

Books I'm currently working on summaries for: The Hard Thing About Hard Things, The Red Queen (Evolution)

If you are an Android person and are looking to get a new phone, I strongly recommend getting a Pixel. There are many reasons for this, but security is a good enough one by itself. Link

If you're currently not watching anything on TV, I highly recommend checking out Westworld. It's definitely one of the smartest shows on right now.

“One should respect public opinion insofar as is necessary to avoid starvation and keep out of prison, but anything beyond this is voluntary submission to an unnecessary tyranny.”

~ Bertrand Russell
Copyright © 2016 Daniel Miessler, All rights reserved.