I gave a talk called Peak Prevention at AppSec Cali on Tuesday. The presentation was crap in my opinion, but the idea is pretty cool. Here are my slides, and I'll do a standalone essay/podcast soon for it as well. Link
An Austrian luxury hotel plans on installing old-fashioned key locks after they had to pay bitcoin to release hundreds of guests who were locked in their rooms due to ransomware. Link
Russia arrested Kaspersky's top hacker hunter, Ruslan Stoyanov, for treason. Stoyanov has worked with the Russian Ministry of the Interior's cybercrime unit in the past. The head of the Russian FSB's CDC (their information security center), Sergei Mikhailov, was arrested at the same time, and they are accused of being paid to help foreign governments. Link
WordPress 4.7.2 fixes some XSS, SQLi, and other bugs. Link
Trump evidently continues to use a highly insecure (very old) Android phone. Link
The US House of Representatives has introduced a bill called the Security and Privacy in Your Car Study Act (SPY Car) to get experts to devise standards for new vehicles, including firewalls, segmentation, etc. Link
Google's evidently so concerned about HTTPS security that they're building their own CA for all of Alphabet. Link
Former Mozilla employee, Robert O'Callahan, says you shouldn't be running any AV other than Windows Defender. Link
Facebook is now supporting YubiKey and other hardware-based 2FA solutions. Very few people are targets to such a degree that they might have their physical token stolen, because it's not an attack that scales. Link
Uber paid a $9,000 bounty to a researcher who found a bug in Code42's anti-ransomware software because the issue could have resulted in attacks against its customers--including Uber. Link
Tavis Ormandy of Google's Project Zero said that the only way you could get around the patch for the Cisco WebEx extension flaw from last week is if there was XSS on the site--and then he found XSS on the site. Link
Most companies are still paying the ransom to get their data back. Not surprising to me, since the alternative is often going out of business. Link
There's a new phone scam called "Can You Hear Me" that works by asking if you can hear them. They then record your YES answer and use it to prove later that you signed up for whatever service they're selling. If you get this type of call and question, just hang up on them. Link
Technology news
Microsoft crushed its quarterly earnings on strong growth in its cloud business, and the stock is up 23% over the last 12 months. Link
Facebook has hired away Hugo Barra from Xiaomi to become their head of VR. The expectation is that he'll end up working on some sort of hardware platform for them to enable that VR push. I think they need mobile hardware for multiple reasons, most importantly to have a native digital assistant. Link
Apple is rolling out its new filesystem--APFS--in iOS 10.3. It's a filesystem optimized for flash and SSD storage featuring much-improved performance, clones, snapshots, encryption, and metadata integrity. Link
Foxconn is thinking about building a $7B plant in the United States. Link
Deep Learning algorithm does as well as dermatologists at identifying skin cancer. Link
The Army has picked the Sig Sauer P320 to replace the M9 Beretta as its new service weapon. Link
Alphabet announced 22% year-on-year revenue growth in the fourth quarter of 2016. Link
People are getting burned out on static site generators. They're basically realizing that any obstacles to writing are significant enough to stop you. The search is on for some sort of hybrid static-based CMS. Link
Weaponized drones are becoming increasingly common. Here's some footage of how ISIS uses them. Link
Human news
For the first time ever we have captured video of four directly-imaged exoplanets orbiting a star. Un. Believable. Link
People are more likely to be happy at work if their boss could do their job. Link
Facebook and Google are adjusting their algorithms to combat the fake news problem. Link
Lesley Carhart has done a great piece on removing your information from a number of different public databases that have your addresses, phone numbers, and relationships to others. Link
A great presentation on various techniques used by Microsoft Office malware. Link
Project Everest -- An attempt to build and deploy a verified HTTPS stack. Link
My simplified definition of "Data Scientist". Link
The best infographic I've ever seen on how to become a Data Scientist. Link
Pipenv -- A new Python package manager that combines multiple features of previous ones. Link
ARES -- A phishing toolkit for Red Teams and Pentesters. Link
Google's Infrastructure Security Design Overview -- Their set of procedures for hardening their cloud infrastructure. Specifically talks about how they use a combination of custom silicon and various other layers to secure systems hosted in other peoples' data centers. Link
Here's a robot filling in the 'I am not a robot' form on a webpage. Link
Amusing comment on how Google has successfully vertically integrated the internet. Link
Notes
I'll be at the ENIGMA conference in Oakland this week (Monday to Wednesday) if you want to meet up. Link
There was tons of interest down at AppSec Cali on the new project I'm working on with Jason Haddix, called the OWASP Game Security Framework. Expect to see a refined release soon. So excited about this project. Link
Every week I'm going to put a different message here about why you should read my new book on IoT. This week you should read it because it's only available in Kindle format, and Kindle books are virtually weightless. Link
I just finished The Dictator's Handbook: Why Bad Behavior is Almost Always Good Politics. It's absolutely spectacular. Highly recommended. Link
Currently reading Lexicon. I needed some fiction. Link
Recommendations
If you're truly concerned about your data being publicly available (i.e., doing an OSINT cleanup on yourself), consider using the Abine service (or a similar one) to proactively go out and find and delete your data trail online. The issue with trying to do it yourself is that there are just SO MANY things you have to not only clean up once, but stay on top of perpetually. These elements make a service a strong option. Link
Tell your family / friends (especially the more vulnerable ones) to watch out for the "Can you hear me?" scam. Link
Aphorism
"Reality is that which, when you stop believing in it, doesn't go away." ~ Philip K. Dick
If you like the newsletter, please share it on social media or forward it to a friend!