Unsupervised Learning: No. 187

Unsupervised Learning: No. 187

Lots of people in the security community went silly over the FaceApp application last week, basically saying that you shouldn't be using the application because they'll steal your face and then be able to impersonate you. Oh, and then it turned out to be a Russian company who put out the application, and that made it 100x worse. The problem here is the lack of Threat Model Thinking. When it comes to election security, propaganda discussions, etc., I am quite concerned about Putin's willingness and ability to harm our country's cohesion through memes and social media. But that does not extend to some random company stealing faces. Why? Because before you can get legitimately concerned about something, you have to be able to describe a threat scenario in which that thing becomes dangerous. As I talked about in this piece, pictures of your face are not the same as your face when it comes to biometric authentication. There's a reason companies need a specific device, combined with their custom algorithm, in order to enroll you in a facial identification system. They scan you in a very specific way and then store your data (which is just a representation, not your actual face) in a very specific way. Then they need to use that same exact system to scan you again, so they can compare the two representations to each other. That isn't happening with random apps that have pictures of you. And even if that were the case, they could just get your face off your social media, where those same people who are worried are more than happy to take selfies, put their pictures on profile pictures, and make sure as many people see them as possible. There are actual negative things that can be done with images (like making Deepfakes of you), and that will get easier over time, but the defense for that is to have zero pictures of you…anywhere. And once again you have to ask who would be doing that to you, and why. Bottom line: authentication systems take special effort to try to ensure that the input given is the same as the enrollment item, e.g., (face, fingerprint, etc.), so it will not be easy any time soon to go from a random picture to something that can full a face scanner or fingerprint reader at the airport. People reading this probably already know this, but spread the word: threat modeling is one of our best tools for removing emotion from risk management.

A contractor named SyTech that does work with Russian FSB has been breached, resulting in the release of 7.5TB of data on the FSB's various projects. This is obviously embarrassing for SyTech and the FSB, but the leaked projects focused on de-anonymization, spying on Russian businesses, and the project to break Russia away from the Internet, which are all known and expected efforts. So there don't seem to be any big reveals as a result of the leak. More

Someone discovered that a bunch of browser extensions were reading things they shouldn't be, and sending them out to places they shouldn't be. This is not surprising to me. Chrome extensions are like Android apps, which should tell you all you need to know about installing random ones that seem interesting. My policy on browser extensions is extremely strict for this reason. People need to understand how insane the entire idea of the modern web is. We're visiting URLs that are executing code on our machines. And not just code from that website, but code from thousands of other websites in an average browsing session. It's a garbage fire. And the only defense really is to question how much you trust your browser, your operating system, and the original site you're visiting. But even then you're still exposing yourself to significant and continuously-evolving risk when you run around clicking things online. And the worst possible thing you can do in this situation is install more functionality, which gives more parties, more access, to that giant stack of assumptions you're making just by using a web browser. The best possible stance is to have as few people possible with access to your particular dumpster. And that means installing as few highly-vetted add-ons as possible. More

Become a Member: https://danielmiessler.com/upgrade

See omnystudio.com/listener for privacy information.

Avsnitt(532)

5 Increasingly Effective Ways to Achieve Immortality

5 Increasingly Effective Ways to Achieve Immortality

[ Subscribe to the Podcast: iTunes | Android | RSS ] — I think a lot about how to become immortal. More than I should, probably. Many think it’s a waste of time. Everyone dies, and it’s foolish to think we can avoid it. This piece takes a different view, and describes a number of ways, with varying levels of requirement and effectiveness, one can either avoid dying or live on after death. They’ll go from most practical to most effective. 1. Live On Through Your Children This one is cheating a bit, mostly because you’re not actually becoming immortal. But the fact remains that this does give many people (probably billions) a genuine feeling of lastingness, and that’s significant. Again, I don’t really count it because it’s an extremely tenuous way of living on, but it deserves mention. 2. Live On Through Your Works This one is kind of like the first, in that you’re not actually getting to continue living. So it’s a bit of a misnomer too. What it deals with, however, can also provide a significant sense of contentment at the end of one’s life. Basically, if you leave behind works and ideas that will be used by significant numbers of people, for a significant period of time, you can think of this as living on. It’ll take some sting off of dying, perhaps. But not much. You’re still dead. 3. Reconstruction Through Reproduction of Variables Ok, now we’re getting into actual survivability. This one works like this: either before you die, or after you are dead, an organization collects a series of inputs about you and uses them to create a working model of you. Here are some of the input types: * Your DNA (this is really important) * Everything there is to know about where you grew up (what was happening in the world then, where you went to high school, what the major news events were, the major themes in culture and art, etc.) * Everything there is to know about the people you grew up with * All your personal, transformational experiences. This can be gathered from a myriad of sources, but your own description of the incidents will be key. It’ll also come from interviews with people who know those experiences and how they affected you * Every piece of output you left behind, e.g. blog posts, Facebook posts, books, essays, schoolwork, letters, videos, whatever. They’re all harvested for evidence of who you are Then, the system takes the environment data and models it against your DNA, which it got from a piece of hair or something. It runs your entire genome and determines how you would respond mentally to these various stimuli. The output is a digital life form that is, as much as it can be, you. You now live in cyberspace somewhere, and you’re introduced to the fact that you were reconstructed using this method, and that you have this rich history, etc. You are you. 4. Preserving Your Brain to Be Put in Another Body in the Future Another method for achieving comfort that you’ll continue to live after death is to have a reliable way to preserve your brain once you pass, with the belief that it’ll be either 1) put into another body later (not my favorite idea), or 2) it’ll be downloaded into a digital form to live permanently in cyberspace. Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

7 Apr 201613min

Unsupervised Learning: Episode 33

Unsupervised Learning: Episode 33

News [ ] Panama Papers leak [ ] Hackers targeting major US law firms [ ] Ubuntu has some kernel vuln patches out [ ] 50 million turkish citizens have their information dumped online [ ] Microsoft makes cloud-app security services now available (Adallom) [ ] OSVDB shutting down because nobody would pay them [ ] WhatsApp is now end-to-end encrypted [ ] Critical new Flash bug, expect Ransomware to leverage it [ ] Security salaries skyrocketing due to talent shortage | http://www.csoonline.com/article/3049374/security/survey-with-all-eyes-on-security-talent-shortage-sends-salaries-sky-high.html [ ] Data exfiltration using Smart Lightbulbs | http://www.scribd.com/doc/306620189/Eyal-Ronen-and-Adi-Shamir-Hack-Lightbulbs [ ] Significant Firefox extensions bug, look for a patch soon [ ] $40 attack that steals police drones from 2 kilometers away | http://www.theregister.co.uk/2016/04/01/hacker_reveals_40_attack_to_steal_28000_drones_from_2km_away/ | break wep, disconnect their controller, connect yours, must be within 100 meters [ ] IoT is expected to push the US ahead of China in manufacturing by 2020 | http://www.zdnet.com/article/internet-of-things-analytics-expected-to-push-u-s-ahead-of-china-for-manufacturing/ [ ] 1,400 vulnerabilities found in automated medical supply system | https://www.helpnetsecurity.com/2016/03/30/1400-flaws-automated-medical-supply-system/ | automated cabinets that dispense medical supplies , if you’re locked out it could be bad -- :: Unsupervised Learning: Episode 33 appeared originally on danielmiessler.com. :: Subscribe to Unsupervised Learning---my weekly show where I handpick the best stories from infosec and technology, and talk about why they matter.Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

7 Apr 201637min

T1SP: Episode 32

T1SP: Episode 32

[ Subscribe to the Podcast: iTunes | Android | RSS ] News * [ ] Verizon Enterprise Solutions had a major data breach of their customer data. This is the group that handles breaches for their customers. “Virtually every attack in this data set (98 percent) was opportunistic in nature, all aimed at easy marks…” * [ ] Iranians charged with attacks against US banks and a New York dam * [ ] Hackers steal 81 billion from the Federal reserve bank of New York * [ ] Uber launches bug bounty program, describes the surface area. Someone said it was really bad, though. Not sure what that’s about * [ ] New ultra-fast SSD technology coming from Intel soon * [ ] FBI backs off request for Apple backdoor. Says they have it handled. We find out it’s an Israeli company * [ ] Water treatment plant hacked, chemical mix changed for tap supplies | http://www.theregister.co.uk/2016/03/24/water_utility_hacked/ * [ ] German steel mill compromised and wrecked a blast furnace * [ ] This is after a string of attacks against power companies using spear phishing and office malware * [ ] Microsoft’s AI Chatbot was a teenage girl, but it learned from the people who talked to it, so before long it was talking about loving incest, sex, and hitler * [ ] Millions of Android devices vulnerable to root exploit due to Snapdragon chip flaw * [ ] Kentucky-based Methodist Hospital declares state of emergency after it’s wrecked by Locky ransomware * [ ] Credit Card Breaches Linked To Security Cameras * [ ] Chinese national pleads guilty to stealing plans for Air Force aircraft * [ ] Hackers offer Apple’s Ireland staff $23,000 for their login credentials * [ ] Ransomware hitting major vulns: The Angler, Neutrino, Magnitude, RIG, and Nuclear exploit kits spread the Flash CVE 2015-7645 exploit; Angler spreads Flash 2015-8446; Angler and Neutrino spread Flash CVE 2015-8651; and Angler spreads Silverlight CVE-2016-0034, an exploit exposed in the Hacking Team breach. * [ ] Microsoft Deploys Macro Blocking Feature in Office to Curb Malware Ideas, updates, and discussion * [ ] Innovation Sandbox | Innovative Security Products (2016 Edition) * [ ] AI and messaging apps are the new mobile apps * [ ] Human Attention as Attack Surface | https://danielmiessler.com/blog/human-attention-as-influence-attack-surface/ * [ ] Most can’t respond to breach: http://blogs.csc.com/2016/03/15/while-majority-of-orgs-fear-big-breach-theyre-not-prepared-to-respond/?utm_content=bufferc043c&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer * [ ] How your data is collected and commoditized online by free online services | http://www.troyhunt.com/2016/03/how-your-data-is-collected-and.html Tools, talks, and projects * [ ] Innovation Sandbox | Innovative Security Products (2016 Edition) * [ ] 2016 Data Breach Digest | https://danielmiessler.com/blog/analysis-verizons-2016-data-breach-digest/ * [ ] AI and messaging apps are the new mobile apps | https://danielmiessler.com/blog/ai-assistants-are-the-new-applications/ * [ ] Idea Expansion Format | https://danielmiessler.com/blog/idea-expansion-format-ief/ * [ ] BinDiff is a comparison tool for binary files that helps to quickly find differences and similarities in disassembled code. * [ ] IntelMQ is a solution for CERTs for collecting and processing security feeds, pastebins, tweets and log files using a message queuing protocol.Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

28 Mars 201636min

T1SP: Episode 31

T1SP: Episode 31

[ Subscribe to the Podcast: iTunes | Android | RSS ] News [ ] FBI saying it will force Apple to hand over source code and signing ability if they don’t comply | http://thehackernews.com/2016/03/fbi-apple-iphone.html [ ] Locky ransomware campaign, JS downloader [ ] X11 forwarding issue in OpenSSH, update now [ ] Seagate Phish Exposes All […] -- :: T1SP: Episode 31 appeared originally on danielmiessler.com. :: Subscribe to Unsupervised Learning---my weekly show where I handpick the best stories from infosec and technology, and talk about why they matter.Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

14 Mars 201632min

My Response to Sam Harris on the Apple Encryption Debate

My Response to Sam Harris on the Apple Encryption Debate

[ Subscribe to the Podcast: iTunes | Android | RSS ] [ UPDATE: Much credit to Sam for engaging in the conversation. I’m not sure how people claim he’s closed on this topic when he is clearly open to exploring it. ] I don't agree with all of it. But this is a very good response to my remarks about encryption. https://t.co/rMl8zgtuWN@danielmiessler— Sam Harris (@SamHarrisOrg) February 28, 2016 — I’ve been planning on doing a podcast episode on the Apple encryption debate for some time, but I was unsure of the format I should use. This problem was just solved for me when I listened to Sam Harris—who is someone I respect greatly—miss the mark significantly in a recent podcast. The thing that compelled me to respond was the fact that I don’t often disagree with Sam. His logic is usually impeccable, and we often end up with nearly identical opinions. So it was somewhat surreal to hear him be wrong about something. Or at least disagree with me (which, of course, may not be the same thing). Anyway, being in information security myself I felt like a response was important. This essay takes the form of a retort to his comments, followed by my own points and then a summary. Sam’s points [ The points are summarized, by the way, not necessarily exact quotes. ] * Apple built the lock, but didn’t build the key, and now they’re telling us that building the key would put us all at risk. Self-serving abdication of responsibility. * Community in tech swayed by Snowden. Even when the government gets a court order, they think they shouldn’t give access * Gives cases where text messages could have helped solve a murder, but the texts are unread because the iPhone is unbreakable. Imagine being a family member! * Could someone build an impregnable room inside their own house? * What if you could take a drug that could make your DNA unanalyzable? So you could never be linked to any crime. The only people who would benefit would be criminals! * Apple could maintain the backdoor and it’d be fine, just like banks have your banking information. They’re trading on paranoia. My responses [ NOTE: This will come in the form of a podcast, which I may still record. I wrote it largely in the voice of a spoken conversation. ] First, let’s start with where we agree. You speak of a “Cult of Privacy”, where people are blindly saying that Snowden did nothing wrong whatsoever, that he didn’t set a dangerous precedent, that any violation of privacy in any case is always bad, etc., etc. I absolutely agree with you that this is not an intelligent way to understand and discuss current events. But there’s another cult on the other side, and it’s one that you’re coming dangerous close to membership in. And that’s “The Cult of Safety”. This one works like this: If there is any situation in which some amount of data could be used to help learn where a kidnapped girl is, or where a terrorist’s bomb will detonate, then it’s within the rights of a government to legally seize ...Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

28 Feb 201636min

T1SP: Episode 29

T1SP: Episode 29

[ Subscribe to the Podcast: iTunes | Android | RSS ] News * [ ] Apple calls out FBI on iPhone decryption case * [ ] Trump calls for a boycott of Apple, from an iPhone * [ ] Judge Rules FBI Must Reveal Malware It Used to Hack Over 1,000 Computers * [ ] Wow. Someone hacked @linuxmint’s website and replaced ISOs with backdoored version today http://blog.linuxmint.com/?p=2994  * [ ] This affects a universally used library (glibc) at a universally used protocol (DNS).  Generic tools that we didn’t even know had network surface (sudo) are thus exposed, as is software written in programming languages designed explicitly to be safe. ~ Dan Kaminsky * [ ] Mint Forum Hacked, website compromised, fake downloads posted * [ ] TeslaCrypt now targeting Joomla sites as well as WordPress * [ ] Hollywood Hospital pays 17K to decrypt files; hope they cleaned up afterwards otherwise they’ll be paying rent * [ ] Patch your vServer; RCE flaw * [ ] Power grid honeypot by MalCrawler Ideas, updates, and discussion * [ ] The San Bernadino health department changed the iCloud password (at the FBI’s request) after having the device for just a few hours * [ ] The FBI didn’t have the other two phones, which were destroyed * [ ] The implications for data security if US companies are told the government must be able to get in is that US citizens will soon be told that they cannot create, purchase, or use tech that is locked down in this way * [ ] There’s another way to the iPhone data: https://threatpost.com/delicate-hardware-hacks-could-unlock-shooters-iphone/116388/ via @IOActive Tools, talks, and projects * [ ] Bitquark is releasing some subdomain research; will be added to SecLists * [ ] Log.io web interface for looking at log files | http://www.tecmint.com/linux-server-log-monitoring-with-log-io/ * [ ] Lobotomy: Automate Android assessment and reversing | https://n0where.net/android-security-toolkit-lobotomy/ * [ ] SSLyze: https://n0where.net/fast-and-full-featured-ssl-scanner-sslyze/ * [ ] SELKS: Full NSM with Suricate and rule manager | https://www.stamus-networks.com/downloads/ Announcements * [ ] I’ll be at the IOAsis at RSA next week; come by and say hello Miscellaneous * [ ] War-games movie prompted Reagan to take cybersecurity action | http://www.nytimes.com/2016/02/21/movies/wargames-and-cybersecuritys-debt-to-a-hollywood-hack.html [ Subscribe to the Podcast: iTunes | Android | RSS ] Notes * The intro track is from one of my favorite EDM artists: Zomby. The song is ‘Orion’, and it’s from the ‘With Love’ album. Highly recommended if you like chill EDM. Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

23 Feb 201619min

T1SP: Episode 28

T1SP: Episode 28

[ Subscribe to the Podcast: iTunes | Android | RSS ] News [ ] Major Cisco ASA buffer overflow; patch now [ ] Critical patches for Windows and Flash [ ] The FBI is officially investigating Hillary Clinton regarding her private email server [ ] NSA doing a complete reorg (basically combining defense and offense) […] -- :: T1SP: Episode 28 appeared originally on danielmiessler.com. :: Subscribe to Unsupervised Learning---my weekly show where I handpick the best stories from infosec and technology, and talk about why they matter.Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

15 Feb 201642min

T1SP: Episode 27

T1SP: Episode 27

[ Subscribe to the Podcast: iTunes | Android | RSS ] News [ ] Heavy surveillance around the Super Bowl [ ] A new BlackEnergy spear phishing campaign is targeting more Ukrainian companies [ ] Magneto, the popular e-commerce CMS, releases fixes to critical XSS issues [ ] Someone has posted private files of America’s […] -- :: T1SP: Episode 27 appeared originally on danielmiessler.com. :: Subscribe to Unsupervised Learning---my weekly show where I handpick the best stories from infosec and technology, and talk about why they matter.Become a Member: https://danielmiessler.com/upgradeSee omnystudio.com/listener for privacy information.

2 Feb 201622min

Populärt inom Teknik

uppgang-och-fall
elbilsveckan
bilar-med-sladd
market-makers
skogsforum-podcast
rss-racevecka
rss-elektrikerpodden
developers-mer-an-bara-kod
natets-morka-sida
rss-technokratin
rss-laddstationen-med-elbilen-i-sverige
mediepodden
ai-sweden-podcast
rss-uppgang-och-fall
solcellskollens-podcast
hej-bruksbil
rss-it-sakerhetspodden
har-vi-akt-till-mars-an
teknikveckan
rss-badfluence