2017-02-27

This week’s topics: CloudBleed, SHA-1, White House Leaks, Planets, Satellites, Drones vs. Eagles, InfoSec Jobs, ExFil, IQ and Creativity in a Post-work World, Weaponized Narrative, Security Tools, Tons of Great Links, and more…

This is Episode No. 67 of Unsupervised Learning—a weekly show where I curate 3-5 hours of reading in infosec, technology, and humans into a 15 to 30 minute summary.

The goal is to catch you up on current events, tell you about the best content from the week, and hopefully give you something to think about as well.

The show is released as a Podcast on iTunes, Overcast, Android, or RSS—and as a Newsletter which you can view and subscribe to here or read below.

Infosec news

Tavis Ormandy of Google's Project Zero discovered a major flaw in Cloudflare this week, which is being called CloudBleed. The short description is that a bug in the HTML parser Cloudflare runs on customer pages at its edge made the proxy read past the end of its input buffer and return whatever happened to sit in that memory, including fragments of other customers' requests and responses (cookies, session tokens, form posts). So if Cloudflare was protecting OK Cupid, and you visited any other site hosted behind Cloudflare, the page you got back might contain random data from OK Cupid sessions. Project Zero and Cloudflare worked to fix the issue quickly, and cached copies of leaked pages in search engines are being purged. Link
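To make the bug class concrete, here is an added Python simulation; it is not Cloudflare's code (which was Ragel-generated C) and is not from the original post. It models one proxy worker's memory as a single reused byte arena, and a tag scanner whose end-of-input check is `p == pe` instead of `p >= pe`. Because an escape sequence advances the position by two, the scanner can step exactly one byte past `pe` without ever satisfying the equality, after which it keeps copying whatever a previous tenant's request left in memory. The tenant name, both requests and the token value are constructed for the example.

```python
# Added simulation of the Cloudbleed bug class: a proxy worker that reuses one
# memory arena across requests, and a tag scanner whose end-of-input check is
# `p == pe` instead of `p >= pe`. All traffic below is constructed.

ARENA = bytearray(256)  # stands in for a worker's heap; never cleared between requests

# Constructed traffic: one tenant's request carrying a session cookie, followed by a
# much shorter page from another tenant that ends in an unterminated tag.
OTHER_TENANT_REQUEST = (
    b"POST /messages HTTP/1.1\r\nHost: okcupid.example\r\n"
    b"Cookie: session=SECRET-TOKEN-123\r\n\r\nhello"
)
VICTIM_PAGE = b'<script src="a\\'   # unterminated tag whose last byte is an escape character
BACKSLASH = ord("\\")


def load(data: bytes) -> int:
    """Copy data to the start of the arena and return pe, the end-of-input offset.
    Bytes beyond pe keep whatever the previous request left there."""
    if len(data) > len(ARENA):
        raise ValueError("request larger than arena")
    ARENA[: len(data)] = data
    return len(data)


def scan_tag(buf: bytearray, p: int, pe: int, fixed: bool) -> bytes:
    """Copy a tag from offset p up to and including its closing '>'.
    A backslash escape advances p by two, so p can land exactly one byte past pe.
    The buggy `p == pe` check never catches that position and the scanner walks on
    into stale memory; `p >= pe` stops it."""
    out = bytearray()
    while p < len(buf):                 # arena edge: where a real process would fault
        hit_end = p >= pe if fixed else p == pe
        if hit_end:
            break
        c = buf[p]
        out.append(c)
        if c == ord(">"):
            break
        p += 2 if c == BACKSLASH else 1
    return bytes(out)


def proxy_rewrite(page: bytes, fixed: bool) -> bytes:
    """What the edge sends back for `page` after another tenant's request used the same worker."""
    load(OTHER_TENANT_REQUEST)          # previous request handled by this worker
    pe = load(page)                     # our page overwrites only the first len(page) bytes
    start = page.find(b"<")
    return scan_tag(ARENA, start, pe, fixed)


def leaked_bytes(fixed: bool) -> bytes:
    """Everything the response contains beyond the input page, arena padding stripped."""
    return proxy_rewrite(VICTIM_PAGE, fixed)[len(VICTIM_PAGE):].rstrip(b"\0")


if __name__ == "__main__":
    print("buggy :", leaked_bytes(fixed=False))
    print("fixed :", leaked_bytes(fixed=True))
```

With the buggy comparison the response for the victim page carries the other tenant's `Cookie:` header appended to the truncated tag; with `>=` the scanner returns only the tag it was given. The comparison is the whole point of the example; a real fix also has to make the parser report "input exhausted" to its caller rather than just stop.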

A large number of Google users reported being mysteriously logged out of their accounts last Thursday, which was concerning timing given the situation with the Cloudflare vulnerability. Google said, however, that it was a maintenance issue on their side, and was unrelated to the Cloudflare bug. Link

Researchers from Google and CWI Amsterdam have demonstrated the first practical collision attack on SHA-1 by creating two different PDF files that produce the same SHA-1 hash. Contrary to what much of the media is saying, this is not an extremely practical or realistic attack vector right now. It took the team two years and on the order of 2^63 SHA-1 computations to produce one colliding pair, so it's pretty unlikely to be used against you. It is also a collision, not a preimage: an attacker can craft two files that match each other, but still can't build a file that matches a hash you already have. It should, however, slightly speed up your migration to a stronger option such as SHA-256. Link

[ NOTE: It looks like some code repositories are having problems because of this attack, but they look more like the Y2K "don't know how to handle this input" variety than the "create malware that checks out as something known-good" variety. Worth keeping an eye on, though. ]
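Worked example for the two items above, added here and not part of the original post or of git itself: a git-style content-addressed store keyed by a hash deliberately weakened to 32 bits, so that a colliding pair of blobs can be found with a birthday search in well under a second. It shows both failure modes the note distinguishes. A store that trusts the ID silently keeps whichever blob arrived first, which is the dangerous case: the second file's content is gone and anyone fetching its ID gets the first. A store that checks for conflicting content stops hard on the second blob, the "don't know how to handle it" case. The blob contents and the truncation are constructed; the SHA-256 comparison in the checked store is a stand-in for a real collision check, not git's mechanism (git's own answers are a collision-detecting SHA-1 implementation and a SHA-256 object format).

```python
from __future__ import annotations
import hashlib
from typing import Optional

# Added toy: a git-style content-addressed store keyed by a deliberately weakened
# hash (the first 32 bits of SHA-1), so that a collision can be found quickly.
# The blobs are constructed; nothing here uses the real SHAttered PDFs.

ID_BYTES = 4   # 32-bit IDs: roughly 2**16 distinct blobs before two of them collide


def object_id(data: bytes) -> str:
    """ID derived the way git hashes a blob ('blob <size>\\0<content>'), then truncated."""
    header = b"blob %d\0" % len(data)
    return hashlib.sha1(header + data).hexdigest()[: 2 * ID_BYTES]


def find_collision(prefix: bytes = b"constructed blob #") -> tuple[bytes, bytes]:
    """Birthday search: generate distinct blobs until two share an object_id."""
    seen: dict[str, bytes] = {}
    n = 0
    while True:
        blob = prefix + str(n).encode()
        oid = object_id(blob)
        if oid in seen:
            return seen[oid], blob
        seen[oid] = blob
        n += 1


class NaiveStore:
    """Trusts the ID completely: a second blob with an existing ID is silently dropped,
    so whoever committed first wins and the later content is lost."""

    def __init__(self) -> None:
        self.objects: dict[str, bytes] = {}

    def put(self, data: bytes) -> str:
        oid = object_id(data)
        self.objects.setdefault(oid, data)
        return oid

    def get(self, oid: str) -> Optional[bytes]:
        return self.objects.get(oid)


class CheckedStore(NaiveStore):
    """Refuses to store a blob whose ID already maps to different content. The SHA-256
    comparison is an assumed stand-in for a proper collision check, not git's mechanism."""

    def put(self, data: bytes) -> str:
        oid = object_id(data)
        existing = self.objects.get(oid)
        if existing is not None and hashlib.sha256(existing).digest() != hashlib.sha256(data).digest():
            raise ValueError(f"object {oid} already exists with different content")
        self.objects[oid] = data
        return oid


def demo() -> dict:
    """Commit a colliding pair to both stores and report what each one did."""
    a, b = find_collision()
    naive = NaiveStore()
    naive.put(a)
    oid_b = naive.put(b)      # same ID as a, so this is silently a no-op
    checked = CheckedStore()
    checked.put(a)
    try:
        checked.put(b)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "object_id": oid_b,
        "naive_serves_a_for_b": naive.get(oid_b) == a,
        "checked_rejected_b": rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The naive store is the property that makes a collision dangerous in a content-addressed system: identity is the hash, so two files with the same hash are the same file as far as the store is concerned. The checked store is safer but still broken from the user's point of view, because a legitimate commit now fails with an error; that is the class of breakage the note is describing.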

Hayvn is IBM Watson, but for information security analysis. People would think it was less awesome if they realized that IBM Watson has already replaced a decent number of Information Security related jobs. In the short term, though, it'll free security analysts up to do other things. Link

Sean Spicer has inspected his aides' mobile phones for apps like Signal and Confide to make sure they weren't communicating with reporters. He then ordered them not to talk about the fact that he was checking for leaks, which was then leaked. Link

With its 88 new satellites, Planet is about to become the world's largest space surveillance company. Link

Terrorists are building drones, and France is using trained eagles to counter them. Link

Over half of infosec job openings take 3-6 months to fill, and less than 1/4 of applicants are qualified for the jobs they apply for. Link

A new covert data extraction technique has been developed by having malware blink a light on a computer, which is then monitored by a drone. Link

Netflix released a fascinating new tool called Stethoscope, a user-focused security recommendation system that shows employees the state of their own devices and what to fix. Link

Technology news

Nokia appears to be trying anything, and has relaunched its once-popular 3310 phone. I have to admit it does look somewhat attractive, but I don't see a legacy form factor device like this selling well until we have separate displays and digital assistants, i.e., until the device isn't the center of the world. Link

Waymo is suing Uber, saying a former employee stole around 14,000 files from Waymo and took them to Uber. The content in the files allegedly led to innovations that have produced around half a billion dollars in revenue. Link

Facebook has open sourced Prophet, a data science forecasting tool for Python and R. Link

Google is about to start adding a "fact checked" tag to certain stories in their results. Link

Android Nougat was released in August of 2016 but fewer than 1% of devices are running it. Link

Linode is evidently losing customers massively as a result of their repeated DDoS outages. I'm about to be another one who's leaving. Probably heading to AWS. Link

Tesla is looking to sell cars complete with insurance and maintenance. Link

Human news

Bruce Lee used to write letters to himself about authenticity and personal development, and they've been released for the first time. Link

NASA found 7 Earth-like planets, just 40 light years away. Link

Kim Jong-Nam was killed by the VX nerve agent, rubbed on his face by a girl at the airport. The entire story is some beyond fiction spy stuff. Link

Fantastic hand-drawn infographics by Wendy Macnaughton. Link

Travel Press is reporting a massive drop in tourism to the U.S. Link

Ideas

IQ and Creativity in a Post-work World Link

Weaponized Narrative is the New Battlespace Link

Companies Exist to Service Customers, Not to Employ People Link

You Should Have Two Different Kinds of Hiring Interview Link

Discovery

Troy Hunt's analysis of the Cloudbleed bug. Link

20 security startups worth paying attention to this year. Link

Analyzing botnets with Suricata and machine learning. Link

A list of sites affected by CloudBleed. Link

If you haven't read about GDPR (the European data privacy law) you should look into it. The short summary is that it gives European citizens back control of their own personal data and protects that data from being exported and misused without their knowledge. It includes fines for companies that fail to protect the data of EU citizens of up to 4% of worldwide annual turnover. Link

Evaluator — An open source tool for strategic information security risk assessment. Link

A fantastic piece on the history of Trump, Putin, and a potential new Cold War. Link

MacOS WiFi Cleaner — A tool by Rob Fuller to remove open wireless hotspots from MacOS. Link

Amazon has launched a new blog dedicated to AI. Link

PayloadsAllTheThings — A list of appsec related attack payloads, coming soon to SecLists as well! Link

Google's API design guide. Link

pURL — An API testing tool written in Python. Link

The ICS/SCADA Top 10 List Link

Notes

If I could do any university program today I'd do the Philosophy, Politics, and Economics degree from Oxford. Link

Still working through Hamilton, and my next book will either be The Federalist Papers or Sapiens.

I'll be going to London in the middle of June, so if you're going to be there we should get together.

I'm thinking about doing a live Twitch stream of something I'm calling Office Hours, where people can hit me up on Twitter, YouTube, Facebook, whatever, and ask me anything on the topic of infosec. I'll probably do my first session on my Information Security Career guide, and anyone can ask for more detail on any section, etc. If you're interested let me know on Twitter or via email. Link

Recommendations

Read history. I have learned so much about myself by reading the Hamilton biography. I've seen flaws in Hamilton and Jefferson that I could easily see me making myself, and their experience might be able to help me in my own life. Reading does this for you. It lets you live multiple lives. No matter how much you're reading, you can probably benefit by reading more.

Aphorism

"Never confuse movement with action." ~ Ernest Hemingway

Thank you for listening, and if you enjoy the show please share it with a friend or on social media.



__

I do a weekly show called Unsupervised Learning, where I collect the most interesting stories in infosec, technology, and humans, and talk about why they matter. You can subscribe here.