This week’s topics: The Vault7 CIA dump, Russian shenanigans, Dahua, Verifone, mandatory genetic testing, WordPress, atomic storage, Google Kaggles, presenting at HouSecCon, fasting research, data wars, chaos, voice interfaces, tools, projects, and more…
This is Episode No. 69 of Unsupervised Learning, a weekly show where I curate 3-5 hours of reading in infosec, technology, and humans into a 15 to 30 minute summary.
The goal is to catch you up on current events, tell you about the best content from the week, and hopefully give you something to think about as well.
The show is released as a Podcast on iTunes, Overcast, Android, or RSS, and as a Newsletter which you can view and subscribe to here or read below.
Infosec news
Wikileaks released a massive dump of CIA files, now called Vault 7, to the public last week. The core of the content was information on various techniques the CIA could use to gain access to target systems, including Android, iOS, consumer routers, consumer Smart TVs, etc. The leak has spawned massive discussion on the internet about how new or old the exploits/attacks were, who the likely source of the leak was, whether Russia was involved, etc. The biggest misconception that came out of the whole thing was that they had hacked Signal and other secure messengers. They didn't. They hacked Android, which allowed them to steal the information before it got to Signal, et al. Anyway, my personal opinion is that this is most likely a continuation of the Russian campaign to discredit attacks on Trump, and thus to improve Russia's position in the world. Link
Russian espionage and Russian cybercrime appear to be more linked than most people thought. Evgeniy Bogachev is a known cybercrime player out of Russia, but he's also been implicated in a lot of the election-related activity from last year. He also appears to live quite comfortably within Russia, much like a prized asset as opposed to an unwanted criminal. Interesting analysis from the New York Times. Link
Verifone, the largest maker of credit card terminals used in the United States, is investigating a breach of internal networks that might have impacted numerous companies running its POS solutions. Verifone is saying that it was merely an internal network breach and that it didn't affect their payment system products. Link
Brian Krebs reported that Dahua, the second largest IoT manufacturer of things like security cameras and DVRs, just patched a major hole that allowed attackers to completely bypass authentication in some significant percentage of their devices. You could basically request the password list for any device, get a list of users and hashes back, and then send any of them in your own request to get access. Link
A House committee has proposed a law requiring employees to undergo genetic testing as part of workplace wellness programs, and will allow penalties of up to 30% of the cost of the insurance if they don't provide the data. Link
A major vulnerability was found in the Apache Struts 2 web application framework last week, and scans were very active looking for vulnerable targets. The flaw was in the Jakarta multipart parser upload function, and it let an attacker send a malicious content-type value and execute arbitrary system commands. Make sure you're patched. Link
WordPress issued a new release (4.7.3) to address six vulns, including some XSS, a URL validation issue, file deletion, and a CSRF issue. Patch early, patch often. Link
Consumer Reports is adding cybersecurity to their list of rating criteria. The layout for the requirements looks pretty decent as well. Link
An Intel Security report says 93% of companies have security strategies, but only 49% are fully implementing them. I think 49% is quite high. Either they didn't respond truthfully or their strategies are really weak. If half of the companies I went to had a security strategy and were fully implementing it I'd be overjoyed. It ain't true. I'd put that number closer to 5%. Link
Cornell did some interesting research on mobile MAC address randomization. They claim they can defeat randomization on Android with 96% accuracy using one technique, and all main platforms leveraging a previous vulnerability. Link
CA bought Veracode for $614M. So let me get this right: Fortify is being sold to Microfocus. WhiteHat is basically dead because all their talent left. And now Veracode has been sold to CA, which means we probably won't hear much from them anymore. Who's left? CheckMarx has to be loving this. Link
InfoSec Sales Engineers evidently make between $180K and $220K, making them higher paid than security engineers and cloud security engineers. It's evidently the need for a combination of skill sets, including technical skills, soft skills, and (although they didn't mention it) the willingness to travel and interact with customers constantly. Link
Technology news
IBM researchers have found a way to store data on a single atom. Link
IBM has over 600 employees working on the possibility of replac