Unsupervised Learning: No. 187
Unsupervised Learning22 Juli 2019

Unsupervised Learning: No. 187

Lots of people in the security community went silly over the FaceApp application last week, basically saying that you shouldn't be using the application because they'll steal your face and then be able to impersonate you. Oh, and then it turned out to be a Russian company who put out the application, and that made it 100x worse. The problem here is the lack of Threat Model Thinking. When it comes to election security, propaganda discussions, etc., I am quite concerned about Putin's willingness and ability to harm our country's cohesion through memes and social media. But that does not extend to some random company stealing faces. Why? Because before you can get legitimately concerned about something, you have to be able to describe a threat scenario in which that thing becomes dangerous. As I talked about in this piece, pictures of your face are not the same as your face when it comes to biometric authentication. There's a reason companies need a specific device, combined with their custom algorithm, in order to enroll you in a facial identification system. They scan you in a very specific way and then store your data (which is just a representation, not your actual face) in a very specific way. Then they need to use that same exact system to scan you again, so they can compare the two representations to each other. That isn't happening with random apps that have pictures of you. And even if that were the case, they could just get your face off your social media, where those same people who are worried are more than happy to take selfies, put their pictures on profile pictures, and make sure as many people see them as possible. There are actual negative things that can be done with images (like making Deepfakes of you), and that will get easier over time, but the defense for that is to have zero pictures of you…anywhere. And once again you have to ask who would be doing that to you, and why. Bottom line: authentication systems take special effort to try to ensure that the input given is the same as the enrollment item, e.g., (face, fingerprint, etc.), so it will not be easy any time soon to go from a random picture to something that can full a face scanner or fingerprint reader at the airport. People reading this probably already know this, but spread the word: threat modeling is one of our best tools for removing emotion from risk management.

A contractor named SyTech that does work with Russian FSB has been breached, resulting in the release of 7.5TB of data on the FSB's various projects. This is obviously embarrassing for SyTech and the FSB, but the leaked projects focused on de-anonymization, spying on Russian businesses, and the project to break Russia away from the Internet, which are all known and expected efforts. So there don't seem to be any big reveals as a result of the leak. More

Someone discovered that a bunch of browser extensions were reading things they shouldn't be, and sending them out to places they shouldn't be. This is not surprising to me. Chrome extensions are like Android apps, which should tell you all you need to know about installing random ones that seem interesting. My policy on browser extensions is extremely strict for this reason. People need to understand how insane the entire idea of the modern web is. We're visiting URLs that are executing code on our machines. And not just code from that website, but code from thousands of other websites in an average browsing session. It's a garbage fire. And the only defense really is to question how much you trust your browser, your operating system, and the original site you're visiting. But even then you're still exposing yourself to significant and continuously-evolving risk when you run around clicking things online. And the worst possible thing you can do in this situation is install more functionality, which gives more parties, more access, to that giant stack of assumptions you're making just by using a web browser. The best possible stance is to have as few people possible with access to your particular dumpster. And that means installing as few highly-vetted add-ons as possible. More

Become a Member: https://danielmiessler.com/upgrade

See omnystudio.com/listener for privacy information.

Avsnitt(532)

Unsupervised Learning: Episode 42

Unsupervised Learning: Episode 42

[ Subscribe to the Podcast: iTunes | Android | RSS ] InfoSec news and articles Dropbox hacked 68 million accounts Back in 2012 Malware infected all Eddie Bauer stores in U.S. and Canada All 350 stores in North America Wicked iPhone vulnerability called Trident (3 0days) All you need to do is follow a link, […] -- :: Unsupervised Learning: Episode 42 appeared originally on danielmiessler.com. :: Subscribe to Unsupervised Learning---my weekly show where I handpick the best stories from infosec and technology, and talk about why they matter.Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

1 Sep 20161h 4min

Unsupervised Learning: Episode 41

Unsupervised Learning: Episode 41

[ Subscribe to the Podcast: iTunes | Android | RSS ] InfoSec news and articles NSA hacking tools supposedly leaked back in 2013 Could have just been a jump box, which rival groups commonly attack from each other Snowden thinks Russia hacked the NSA and is announcing this as part of the DNC debate Flip […] -- :: Unsupervised Learning: Episode 41 appeared originally on danielmiessler.com. :: Subscribe to Unsupervised Learning---my weekly show where I handpick the best stories from infosec and technology, and talk about why they matter.Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

18 Aug 201634min

Unsupervised Learning: Episode 40

Unsupervised Learning: Episode 40

- LinkedIn breach from 2013 | 65.5 million emails and salted and hashed passwords - XSS in Wordpress plugin (JetPack) - DerbyCon is going to stream live this year | you can’t stream the networking, so it probably won’t hurt next year’s sales too much - Websites using audio fingerprinting to track web usersBecome a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

31 Maj 201654min

Unsupervised Learning: Episode 39

Unsupervised Learning: Episode 39

[ Subscribe to the Podcast: iTunes | Android | RSS ] InfoSec news and articles BAE systems saying that SWIFT hack is linked to the Sony breach [ Link ] Kaspersky is saying ransomware is the #1 threat now [ Link ] Identity thieves grab W-2 data from Equinox [ Link ] Germany claims it was […] -- :: Unsupervised Learning: Episode 39 appeared originally on danielmiessler.com. :: Subscribe to Unsupervised Learning---my weekly show where I handpick the best stories from infosec and technology, and talk about why they matter.Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

14 Maj 201623min

Unsupervised Learning: Episode 38

Unsupervised Learning: Episode 38

[ Subscribe to the Podcast: iTunes | Android | RSS ] InfoSec news and articles Michigan lawmakers want life sentence for hacking cars | will that apply to changing the speed of your turn signal? SWIFT to get update after Bangladesh hack NSA is so overwhelmed with data that it’s no longer effective FBI now […] -- :: Unsupervised Learning: Episode 38 appeared originally on danielmiessler.com. :: Subscribe to Unsupervised Learning---my weekly show where I handpick the best stories from infosec and technology, and talk about why they matter.Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

2 Maj 201645min

Unsupervised Learning: Episode 37

Unsupervised Learning: Episode 37

[ Subscribe to the Podcast: iTunes | Android | RSS ] InfoSec news Feds paid over 1M to get into San Bernardino iPhone Continued fallout from Panama papers 3.2 million servers vulnerable to JBoss attack which is being used in SamSam ransomware attacks MIT launches internal bug bounty platform | https://threatpost.com/mit-launches-experimental-bug-bounty-program/117618/ NSA recommends out-of-band taps […] -- :: Unsupervised Learning: Episode 37 appeared originally on danielmiessler.com. :: Subscribe to Unsupervised Learning---my weekly show where I handpick the best stories from infosec and technology, and talk about why they matter.Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

25 Apr 201635min

Unsupervised Learning: Episode 36

Unsupervised Learning: Episode 36

[ Subscribe to the Podcast: iTunes | Android | RSS ] News [ ] Nothing useful found on Farook’s phone | http://www.theregister.co.uk/2016/04/14/nothing_useful_on_farook_iphone/?utm_source=dlvr.it&utm_medium=facebook | I think they knew this and used it as a lever for something they’ve wanted for a long time [ ] Apple engineers say security threat is hackers, not government | http://www.macrumors.com/2016/04/15/apple-engineers-hackers-security-threat/ […] -- :: Unsupervised Learning: Episode 36 appeared originally on danielmiessler.com. :: Subscribe to Unsupervised Learning---my weekly show where I handpick the best stories from infosec and technology, and talk about why they matter.Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

18 Apr 201620min

Unsupervised Learning: Episode 35

Unsupervised Learning: Episode 35

[ Subscribe to the Podcast: iTunes | Android | RSS ] News [ ] The hack of Mossak Fonseca has been tied to a breach of their wordpress install through a plugin called Revolution Slider, leading to the Panama Papers breach. So just to be clear, we might have just seen the biggest data leak […] -- :: Unsupervised Learning: Episode 35 appeared originally on danielmiessler.com. :: Subscribe to Unsupervised Learning---my weekly show where I handpick the best stories from infosec and technology, and talk about why they matter.Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

11 Apr 201627min

Populärt inom Teknik

uppgang-och-fall
elbilsveckan
rss-racevecka
bilar-med-sladd
market-makers
skogsforum-podcast
rss-laddstationen-med-elbilen-i-sverige
rss-technokratin
natets-morka-sida
rss-elektrikerpodden
developers-mer-an-bara-kod
mediepodden
ai-sweden-podcast
rss-uppgang-och-fall
solcellskollens-podcast
hej-bruksbil
bli-saker-podden
rss-it-sakerhetspodden
rss-veckans-ai
rss-fabriken-2