Infosec news  


I gave a talk called Peak Prevention at AppSec Cali on Tuesday. The presentation was crap in my opinion, but the idea is pretty cool. Here are my slides, and I'll do a standalone essay/podcast soon for it as well. Link

An Austrian luxury hotel plans on installing old-fashioned key locks after they had to pay bitcoin to release hundreds of guests who were locked in their rooms due to ransomware. Link

Russia arrested Kaspersky's top hacker hunter, Ruslan Styanov, for treason. Stoyanov has worked with the Russian ministry of the interior's cybercrime unit in the past. The head of the Russian FSB's CDC (their information security center), Sergei Mikhailov, was arrested at the same time, and they are accused of being paid to help foreign governments. Link

Wordpress 4.7.2 fixes some XSS, SQLi, other bugs. Link

Trump evidently continues to use a highly insecure (very old) Android phone. Link

The US House of Representatives has introduced a bill called the Security and Privacy in Your Car Study Act (SPY Car) to get experts to devise standards for new vehicles, including firewalls, segmentation, etc. Link

Google's evidently so concerned about HTTPS security that they're building their own CA for all of Alphabet. Link

Former Mozilla employee, Robert O'Callahan, says you shouldn't be running any AV other than Windows Defender. Link 

Facebook is now supporting YubiKey and other hardware-based 2FA solutions. Very few people are targets to such a degree that they might have their physical token stolen, because it's not an attack that scales. Link

Uber paid a $9,000 bounty to a researcher who found a bug in Code42's anti-ransomware software because the issue could have resulted in attacks against its customers--including Uber. Link

Tavis Ormandy of Google's Project Zero said that the only way you could get around the patch for the Cisco WebEx extension flaw from last week is if there was XSS on the site--and then he found XSS on the site. Link

Most companies are still paying the ransom to get their data back. Not surprising to me, since the alternative is often going out of business. Link

There's a new phone scam called "Can You Hear Me" that works by asking if you can hear them. They then record your YES answer and use it to prove later that you signed up for whatever service they're selling. If you get this type of call and question, just hang up on them. Link


Technology news                                                    


Microsoft crushed its quarterly earnings on strong growth in its cloud business, and the stock is up 23% over the last 12 months. Link

Facebook has hired away Hugo Barra from Xiaomi to become their head of VR. The expectation is that he'll end up working on some sort of hardware platform for them to enable that VR push. I think they need mobile hardware for multiple reasons, most importantly to have a native digital assistant. Link

Oracle has doubled its license fees on AWS. Link

Apple is rolling out its new filesystem--APFS--in iOS 10.3. It's a filesystem optimized for flash and SSD storage featuring much-improved performance, clones, snapshots, encryption, and metadata integrity. Link

Foxconn is thinking about building a $7B plant in the United States. Link

Deep Learning algorithm does as well as dermatologists at identifying skin cancer. Link

The Army has picked the Sig Saur P320 to replace the M9 Beretta as its new service weapon. Link

Alphabet announced 22% year-on-year revenue growth in the fourth quarter of 2016. Link

People are getting burned out on static site generators. They're basically realizing that any obstacles to writing are significant enough to stop you. The search is on for some sort of hybrid static-based CMS. Link

Weaponized drones are becoming increasingly common. Here's some footage of how ISIS uses them. Link


Human news                                                  


For the first time ever we have captured video of four directly-imaged exoplanets orbiting a star. Un. Believable. Link

People are more likely to be happy at work if their boss could do their job. Link

Facebook and Google are adjusting their algorithms to combat the fake news problem. Link

You might want to check email less often. Link

85% of humanity lives under a corrupt government. Link

Paralyzed man regains use of limbs after injection of stem cells. Link

Researchers have confirmed the efficacy of some performance enhancement drugs for Chess. Link

Water is becoming increasingly expensive in a number of areas in the U.S. Link


Ideas


The Future of Education Link

What I wrote about data science back in 2013 before it had that name. Link

The Rules for Rulers. A fantastic 20-minute summary of the concepts talked about in The Dictator's Handbook. Link

Why Open Plan Work Areas Don't Work Link


Discovery


ShmooCon 2017 Talks Link

Twitter Security for Activists -- A great how-to guide by The Grugq Link

How to become a data scientist on your own. An unbelievably strong list of links and resources for self-educating on the topic of data science. Link

Get free honey tokens from Canarytokens.org. Link

Someone came up with a whiteboard sticker for your laptop. Brainstorm anywhere. Link

How Google hardens their KVM instances. Link

Lesley Carhart has done a great piece on removing your information from a number of different public databases that have your addresses, phone numbers, and relationships to others. Link

A great presentation on various techniques used by Microsoft Office malware. Link

Project Everest -- An attempt to build and deploy a verified HTTPS stack. Link

My simplified definition of "Data Scientist". Link

The best infographic I've ever seen on how to become a Data Scientist. Link

Pipenv -- A new Python package manager that combines multiple features of previous ones. Link

ARES -- A phishing toolkit for Red Teams and Pentesters. Link

Google's Infrastructure Security Design Overview -- Their set of procedures for hardening their cloud infrastructure. Specifically talks about how they use a combination of custom silicon and various other layers to secure systems hosted in other peoples' data centers. Link
 
Here's a robot filling in the 'I am not a robot' form on a webpage. Link

Amusing comment on how Google has successfully vertically integrated the internet. Link


Notes


I'll be at the ENIGMA conference in Oakland this week (Monday to Wednesday) if you want to meet up. Link

There was tons of interest down at AppSec Cali on the new project I'm working on with Jason Haddix, called the OWASP Game Security Framework. Expect to see a refined release soon. So excited about this project. Link

Every week I'm going to put a different message here about why you should read my new book on IoT. This week you should read it because it's only available in Kindle format, and Kindle books are virtually weightless. Link

I just finished,The Dictator's Handbook: Why Bad Behavior is Almost Always Good Politics. It's absolutely spectacular. Highly recommended. Link

Currently reading Lexicon. I needed some fiction. Link


Recommendations


If you're truly concerned about your data being publicly available (i.e., doing an OSINT cleanup on yourself), consider using the Abine service (or a similar one) to proactively go out and find and delete your data trail online. The issue with trying to do it yourself is that there are just SO MANY things you have to not only clean up once, but stay on top of perpetually. These elements make a service a strong option. Link

Tell your family / friends (especially the more vulnerable ones) to watch out for the, "Can you hear me?" scam. Link


Aphorism

"Reality is that which, when you stop believing in it, doesn't go away." ~ Philip K. Dick