This week’s topics: Gooligan, Korean Game Hacking Law, DoubleFlag Experian Hack, Georgia Tech Attribution Research, Amazon’s re:Invent Conference Highlights, recommended links, and more…

This is Episode No. 56 of Unsupervised Learning—a weekly show where I collect my favorite stories and ideas in infosec, technology, and humanity, and talk about why they matter.

The show is released as a Podcast on iTunes, Overcast, and Android, and as a Newsletter which you can view and subscribe to here or read below.


Information Security news

Over a million Google accounts have been hacked by a campaign called Gooligan. It works by installing malicious Android apps (surprise) and then stealing auth tokens, deleting them, and then capturing them when the user is forced to re-authenticate. Link

South Korea has passed a law making it illegal to create and use video game hacks that are not allowed by the game company. That’s dedication to an industry. An actual law making it illegal. Link

Uber is now collecting your location data before and after you get out of the car. The rationale given is that it will help with the efficiency of pickup and drop-off, but many are quite upset about it. Link

A hacker known as DoubleFlag is claiming to have 203 million Experian accounts and 88 million WhoIs accounts, and is selling them for $600 USD. The breach information isn’t fully available yet, but the guy is known for similar attacks against DropBox, Brazzers, Epic Games, uTorrent, Mail.ru, Yandex.ru, and the BitcoinTalk forum. Link

Georgia Tech has been awarded a $17 Million contract to solve the cybersecurity attack attribution problem. I think they’re going to need more than that. Link

Gareth Heyes has done a great post on the Portswigger site on JPEG Polyglots. Long story short, if you allow users to upload images (or any files) to your site, you might want to host them on another domain. Other things you can do are rewriting image headers and stripping comments, which is where the attack code was stored. Link
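The mitigations above (rewriting image headers, stripping comments, not trusting bytes that sit after the image) come down to rebuilding the JPEG from its structural segments only. The following is an added example written for this item, not code from the PortSwigger post: it walks the JPEG marker segments, lists the COM and APPn segments where an uploaded file can carry arbitrary text, and emits a copy that keeps only the structural segments plus the JFIF header, the scan data up to the first EOI, and nothing after it. The sample JPEG bytes are constructed (syntactically valid, not decodable).

```python
"""Added example (not from the PortSwigger post): strip the JPEG segments where
polyglot payloads are usually stored and drop any bytes trailing the image."""
import struct

# JPEG marker codes (the byte that follows 0xFF)
SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
APP0, APP15 = 0xE0, 0xEF          # APP0 carries the JFIF header; APP1 usually EXIF


def parse_header_segments(data: bytes):
    """Walk the marker segments that precede the entropy-coded scan.

    Returns ([(marker, start, end), ...], body_start): each tuple spans a whole
    segment including its 0xFF marker and length field; body_start is the
    offset of the first entropy-coded byte, just after the SOS segment."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    segments = []
    pos = 2
    while True:
        if pos + 2 > len(data) or data[pos] != 0xFF:
            raise ValueError(f"malformed marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:            # fill bytes before a marker are legal
            pos += 1
            continue
        if marker == EOI:             # header-only file: no scan to copy
            return segments, pos
        if pos + 4 > len(data):
            raise ValueError(f"truncated segment at offset {pos}")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        end = pos + 2 + length        # length counts itself but not the marker
        if length < 2 or end > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        segments.append((marker, pos, end))
        if marker == SOS:
            return segments, end
        pos = end


def metadata_segments(data: bytes):
    """List (marker, payload) for every COM and APPn segment: the places an
    uploaded image can carry attacker-chosen text."""
    segments, _ = parse_header_segments(data)
    return [(m, data[s + 4:e]) for m, s, e in segments
            if m == COM or APP0 <= m <= APP15]


def sanitize_jpeg(data: bytes, keep=frozenset({APP0})) -> bytes:
    """Rebuild the file with only structural segments (plus the APPn markers in
    `keep`, by default just JFIF), the scan up to the first EOI, and nothing after."""
    segments, body_start = parse_header_segments(data)
    out = bytearray(b"\xff\xd8")
    for marker, start, end in segments:
        if marker == COM or (APP0 <= marker <= APP15 and marker not in keep):
            continue                  # drop comment / application metadata
        out += data[start:end]
    eoi = data.find(b"\xff\xd9", body_start)   # cannot occur inside scan data
    if eoi < 0:
        raise ValueError("missing EOI marker")
    out += data[body_start:eoi + 2]   # scan data; trailing bytes are dropped
    return bytes(out)


def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: a comment segment, an APP1 block and junk appended after
# EOI, which are the three places a polyglot typically stores its payload.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(COM, b"constructed comment payload")
    + _segment(0xE1, b"Exif\x00\x00constructed")
    + _segment(0xDB, b"\x00" + bytes(64))            # DQT
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\xff\x00\x56"                          # scan data, FF00 stuffed
    + b"\xff\xd9"
    + b"trailing bytes appended after EOI"
)

if __name__ == "__main__":
    for marker, payload in metadata_segments(SAMPLE_JPEG):
        print(f"COM/APP segment 0x{marker:02X}: {payload[:24]!r}")
    clean = sanitize_jpeg(SAMPLE_JPEG)
    print(f"{len(SAMPLE_JPEG)} -> {len(clean)} bytes; metadata left:",
          [hex(m) for m, _ in metadata_segments(clean)])
```

Segments that sit between the scans of a progressive JPEG are copied verbatim here, so a comment placed there would survive; re-encoding the upload through an image library is the more thorough option, and serving uploads from a separate domain remains the backstop for whatever survives either approach.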

Some cool research has been done on using AWS Access Keys as HoneyTokens. The system basically uses CloudTrail and CloudWatch to notify you when fake tokens are used. Link
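As an added illustration of the idea (not the researchers' code), the following matches delivered CloudTrail records against a set of decoy access key IDs and builds the CloudWatch Events pattern that would route any such call to an alert target. The key IDs, their placements and the log records are all constructed; the CloudTrail field names are the standard ones.

```python
"""Added example (not the researchers' code): detect use of decoy AWS access
keys in CloudTrail records and emit the matching CloudWatch Events pattern."""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed decoy key IDs (AKIA-prefixed like real long-term keys) mapped to
# where each one was planted, so the alert says which lure was taken.
HONEYTOKENS: Dict[str, str] = {
    "AKIAHONEYTOKEN000001": "~/.aws/credentials on the CI build host",
    "AKIAHONEYTOKEN000002": "internal wiki page 'AWS onboarding'",
}


@dataclass
class HoneytokenHit:
    access_key_id: str
    placement: str
    event_time: str
    event_source: str
    event_name: str
    source_ip: str
    user_agent: str
    error_code: Optional[str]      # None when the call succeeded


def find_honeytoken_hits(records: List[dict],
                         honeytokens: Dict[str, str] = HONEYTOKENS) -> List[HoneytokenHit]:
    """Scan the 'Records' array of a CloudTrail log file for decoy-key usage."""
    hits = []
    for rec in records:
        key = rec.get("userIdentity", {}).get("accessKeyId")
        if key in honeytokens:
            hits.append(HoneytokenHit(
                access_key_id=key,
                placement=honeytokens[key],
                event_time=rec.get("eventTime", ""),
                event_source=rec.get("eventSource", ""),
                event_name=rec.get("eventName", ""),
                source_ip=rec.get("sourceIPAddress", ""),
                user_agent=rec.get("userAgent", ""),
                error_code=rec.get("errorCode"),
            ))
    return hits


def cloudwatch_event_pattern(honeytokens: Dict[str, str] = HONEYTOKENS) -> dict:
    """Event pattern for a CloudWatch Events / EventBridge rule that fires on
    any CloudTrail-recorded API call signed with one of the decoy keys."""
    return {
        "detail-type": ["AWS API Call via CloudTrail"],
        "detail": {"userIdentity": {"accessKeyId": sorted(honeytokens)}},
    }


# Constructed CloudTrail log file: one legitimate call, one call using a decoy
# key (denied because the decoy user has no permissions, but still recorded).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventVersion": "1.05", "eventTime": "2016-12-06T09:14:02Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userAgent": "aws-cli/1.11.0",
     "userIdentity": {"type": "IAMUser", "userName": "deploy",
                      "accessKeyId": "AKIALEGITIMATEKEY001"}},
    {"eventVersion": "1.05", "eventTime": "2016-12-06T11:03:41Z",
     "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.42",
     "userAgent": "Boto3/1.4.1 Python/2.7.12 Linux/4.4.0",
     "errorCode": "AccessDenied", "errorMessage": "Access Denied",
     "userIdentity": {"type": "IAMUser", "userName": "svc-backup",
                      "accessKeyId": "AKIAHONEYTOKEN000001"}},
]})

if __name__ == "__main__":
    for hit in find_honeytoken_hits(json.loads(SAMPLE_LOG)["Records"]):
        print(f"HONEYTOKEN USED: {hit.access_key_id} (planted: {hit.placement}) "
              f"from {hit.source_ip} -> {hit.event_source}:{hit.event_name} "
              f"result={hit.error_code or 'Success'} ua={hit.user_agent!r}")
    print(json.dumps(cloudwatch_event_pattern(), indent=2))
```

The decoy key has to be a real key on an IAM user with no permissions: CloudTrail only records calls that pass signature validation, so a made-up key ID would never show up, whereas a denied call from a real but powerless key is logged with the caller's IP and user agent, which is exactly what the alert needs.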

A couple of researchers have tested 10 different types of medical devices and pacemakers and found ways to disable them and send life-ending shocks from up to 5 meters away. They compromised the systems by reversing the wireless traffic and then sending malicious traffic. Link

Mirai has been attacking and disrupting hundreds of thousands of broadband users in Europe by attacking their routers and changing their configurations to knock them offline. Link

US-CERT has put out an online Incident Scoring Demo, which rates things by impact, observed activity, location of activity, threat actor, information impact, recoverability, dependencies, and potential impact. The GUI auto-updates as you select options. Link

Many people are starting to worry that Machine Learning is going to lead to massively more intelligent attacks. One of the examples used is looking at lots of dumped data and figuring out who to attack. I think there’s something to this, but as with most statistical models, you need some pretty clean data to benefit from Machine Learning. I think large, high-quality datasets and ANY kind of analysis will yield more results than massive, non-manicured data with ML applied. Link

Visa is pushing their requirement for gas pumps to support chips to 2020. Let’s skip it and go to Apple/Android pay. Link

Technology news 

Amazon absolutely crushed their re:Invent conference last week. Some of the highlights included a new VPS service, adding GPUs to any system, VMs accelerated with FPGAs, Postgres support in Aurora, an API for the Alexa service, a text to speech engine as a service, DDoS protection for all AWS systems, a batch job management system, and more. Link

Logojoy is a logo creation service that uses AI to create the logos. The guy who wrote it is evidently making $15K/month off of it. Link

Fitbit is buying Pebble. Link

Human news 

Four million commutes reveal new U.S. megaregions in a stunning visual. Link

The FDA agrees to MDMA trials for PTSD patients. Link

Scientists have found a way to magnify the sensations from the reward center of the brain by applying magnetism to the brain. Orgasms were mentioned several times in the paper. Link

Ideas, trends, and statistics

I wrote a short post this week called, Purple Team Pentests Mean You’re Failing at Red and Blue, in response to an article heralding this new assessment type called Purple Team Pentests. They basically made it sound like this new amazing thing, which it isn’t. Link

I wrote an essay this week called, When Logic Only Comes from Extremists, Expect Bad Things to Happen, which is about how liberals are basically causing their own problems by refusing to speak logically and honestly about certain issues. Link

A whole lot of people mistakenly believe that manufacturing jobs are way down because U.S. manufacturing output is down, which is just about the exact opposite of the truth. I wrote a piece about the fact that manufacturing is thriving, and that it’s actually automation that’s causing the jobs to leave. Link

We’ve heard all about how Russia did this, or Russia did that during the election, and there is some very good evidence that they had a major campaign going to influence the outcome. Well, I was looking at logs on Tuesday, as I’m prone to do, and saw a “Vote for Trump” string in the Language field of incoming traffic. Curious, I looked at the country. All Russia. Turns out it was like one guy doing a Google Analytics spam campaign. Link
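The tell in that story is a field that should only ever hold a language tag holding free text instead. As an added example (mine, not anything from the episode), here is that check over a constructed analytics export: rows whose Language field does not look like a language tag are flagged, and the flagged sessions are totalled by country so a single-source campaign stands out.

```python
"""Added example: flag analytics rows whose Language field is free text rather
than a language tag, then summarise the flagged traffic by country."""
import re
from collections import Counter
from typing import Dict, List

# Loose BCP 47 shape: 2-3 letter language, optional script/region/variant subtags.
LANGUAGE_TAG = re.compile(r"^[a-z]{2,3}(-[a-z0-9]{2,8})*$", re.IGNORECASE)

# Constructed tab-separated export: date, country, language, sessions
SAMPLE_ROWS = """\
2016-12-06\tUnited States\ten-us\t412
2016-12-06\tGermany\tde-de\t57
2016-12-06\tRussia\tru\t9
2016-12-06\tRussia\tVote for Trump\t38
2016-12-06\tRussia\tVote for Trump\t21
2016-12-06\tBrazil\tpt-br\t14
"""


def parse_rows(text: str) -> List[dict]:
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, country, language, sessions = line.split("\t")
        rows.append({"date": date, "country": country,
                     "language": language, "sessions": int(sessions)})
    return rows


def is_language_spam(value: str) -> bool:
    """True when the Language field holds anything but a plausible tag."""
    return not LANGUAGE_TAG.match(value.strip())


def spam_by_country(rows: List[dict]) -> Dict[str, int]:
    """Sessions carrying a bogus Language value, totalled per country."""
    totals: Counter = Counter()
    for row in rows:
        if is_language_spam(row["language"]):
            totals[row["country"]] += row["sessions"]
    return dict(totals)


def spam_messages(rows: List[dict]) -> List[str]:
    """The distinct free-text values found in the Language field."""
    return sorted({r["language"] for r in rows if is_language_spam(r["language"])})


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    print("bogus Language values:", spam_messages(rows))
    print("flagged sessions by country:", spam_by_country(rows))
```

The same shape of check applies to any analytics dimension the client controls (referrer, hostname, campaign name): validate the field against the format it is supposed to have and filter the rest out before it skews the numbers.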

An essay on Medium about how Basic Income will increase innovation by reducing fear of failure. Link

Recommended links

A free, video-based data science course from Harvard (CSCI E-109). Link

My buddy Ryan Black turned me on to DatumBox, a machine learning API that lets you do things like Sentiment Analysis of text, check whether text leans male or female, check for text language, and all sorts of other stuff. The API is limited to 1000 requests a day for the free version. Link

OSS-Fuzz — Continuous fuzzing of open source software. OSS developers connect their code, OSS-Fuzz scans it and finds things, the developer fixes them, and the issue becomes public 7 days after the fix or 90 days after reporting. Link

How to become an A-Player — a pretty strong list of concepts. Link

Amazon has a really powerful new text to speech engine. Fun to play with. Link

A collection of resources for learning Reverse Engineering. Link

CyberChef — a browser-based Swiss Army Knife for doing multiple kinds of text manipulations. Link

Announcements, tips, and miscellanea

Hoping to get my book back from the editor soon so I can start preparing to publish. I’m publishing to Kindle. I’ll post a link when it’s finally available.

I continue to tweak my podcast audio. If you are an audiophile and/or experienced podcaster, and you have ideas on how I can improve the sound, please let me know.

Books I’m reading: Naked Statistics

Books I’m currently working on summaries for: The Hard Thing About Hard Things, The Red Queen (Evolution)

The last episode for the first season of Westworld just aired. If you’re not watching the show yet, now is a good time to start a binge session.

Wired had a good piece of advice this week: “Never ever download an Android app outside of Google Play.”


Thank you for listening, and if you enjoy the show please share it with someone!
