Unsupervised Learning: No. 91
This is episode No. 91 of Unsupervised Learning—a weekly show where I curate 3-5 hours of reading in infosec, technology, and humans into a 30 minute summary. The goal is to catch you up on current events, tell you about the best content from the week, and hopefully give you something to think about as well…
This week’s topics: 465K pacemaker patches, instagram leak, DJI bounty, Marketing departments messing up security news, false dichotomy in complex issues, IRS social media mining, death of the Sun, more fake Wells Fargo accounts, human echolocation, facial gestures as interface, discovery, recommendations, aphorism, and more…
Read below for this episode’s show notes & newsletter, and get previous editions…
Infosec news
465,000 patients are being told to visit their doctor and get their Abbott/St. Jude pacemakers patched. As is the case with so many of these types of vulnerabilities, a local attacker can potentially use RF to disrupt or change the operation of the device, which for a pacemaker means potentially causing harm or death. Link
Instagram leaked a bunch of emails and phone numbers through an API vulnerability. The attackers collected data on a number of high profile types, but are also selling a larger dataset of non-verified users. I think API security is going to be a much bigger topic in 2018. So many companies think their attack surface is the website, and that 2FA solves everything, but API access is done via tokens and secrets—a.k.a username and password. API security is at least a couple of years behind other types of web security. Link
An ingenious way of attacking someone on Twitter: take your swarm of spam accounts and follow someone you don’t like. Twitter will see it as a sign that the victim did something shady to gain followers, and they’ll ban their account. Link
AT&T U-verse modems appear to have some serious problems. Not sure why this isn’t bigger news. Link
DJI, the Chinese drone maker, has launched an internal bug bounty program. They’re offering between $100 and $30K for issues, based on severity. Link
New York has started implementing its new laws around cybersecurity for financial institutions. They’re requiring financial institutions of a certain size to have a risk program, follow a policy, have incident response, have a qualified CISO, have trained security people, limit their access privileges, and provide 72-hour notice for certain types of events. It looks to me like massive progress. Link
A professor at WSU’s college of business believes the IRS is mining people’s social media data to decide who to audit, and she’s produced a 55-page paper that makes her case. I think there’s a good and a bad way to do this. If they’re digging into personal things and looking for gotchas, that’s one thing, but if they’re using automation to validate things that would otherwise be manual then I say bring on the efficiency. The legitimacy is in the details. Link
Quadium is a security startup out of San Francisco that basically looks like Shodan with nice handles and a GUI. It’s also not publicly available data, and it lets you focus results on a particular target company. It’s backed by Peter Thiel, the CEO is ex-CIA, and they appear to have around $66 million in funding. Link
Australia is going to start using drones to patrol for sharks near popular beaches. The drones will also have speakers, so if they identify a shark nearby they can tell the people on the beach to get out of the water. Link
The data breach at Yahoo evidently cost them around $350 million in purchase price re-negotiations. That’s a large number, but we should be cautious about thinking this is the new standard for data breach impact. As breaches get more common I expect the overall impact (especially from lost confidence in the brand) to go down, not up. Link
Patching: RubyGems
Technology news
Oracle has killed Sun. They basically laid everyone off and hoped nobody would notice. Growing up in the Bay Area, this is a bit sad. Fun fact: the other side of the Facebook sign (that used to be the Sun campus) is the original Sun logo. I hope they keep it for at least another 10 years. Thanks Sun, you did a lot for this industry. Link
Microsoft is offering a real-time coding editor that you can use to do remote developer interviews over Skype. Link
A company in Thailand has developed a smart dog vest that streams live video when the dog barks. They’re basically trying to turn stray dogs into a security monitoring force. Link
Tinder became the top grossing app on the App Store for the first time. Link
Salesforce and IBM are already integrated via their AI products, but now they’re doing more integration around data. Link
Wells Fargo has added another 1.4 million fake accounts to their previously discovered 2.1 million number, bringing the total to 3.5 million accounts. They were basically signing people up for accounts without their knowledge to raise their sales numbers. Even worse, they started charging fees to almost 200K of them. Gross. Link
Human news
Hurricane Harvey destroyed around 40,000 homes and around 1,000,000 cars. The loss of the cars has been estimated at somewhere between $2.7 and $4.9 billion. Link
Some blind people are able to use a series of mouth click sounds for echolocation. Link
A massive new Canadian study on carbs and fat in diets has found that too little fat is bad, too many carbs are bad, and ultimately that moderation is best (no duh). They found that the ideal percentage of carbs for a meal is around 50%, with another 35% coming from the various types of fats. I assume the remaining percentage (15%) would be protein. Link
A psychiatrist at Yale did a brilliant study that showed that people’s expectations of how reality will be can actually alter their perception of it. In other words, if you believe you’re about to hear or see something, you can actually experience that thing happening even if it doesn’t. This is super interesting because it explains (to me anyway) how people who believe ridiculous things about the world can then have those beliefs reinforced by their own brains. It further emphasizes that beliefs matter, not only because they predict action, but also because they affect how someone experiences the world. So maybe that person did see a ghost, or maybe they did hear a god talk to them. But that doesn’t mean it happened. What it means is that they thought it was likely and therefore their brain made it happen and they believed it. Link
Silicon Valley is going after teachers with brands, and it’s making some folks uncomfortable. I personally think most people are going to be heading towards branding for the simple reason that the previous reason for not needing one (having an employer where you’re safe) is going away. In short, when your company sees you as a burden that they’d rather get rid of, you better have a brand that can help you stand out against the crowd. Expect more of this in virtually every industry. Link
Women outnumber men (54% of players) on Tencent’s top game Honour of Kings, which is a more social adaptation of League of Legends. In most similar games, females account for only around 35% of players. Link
China is getting extremely serious about cleaning up pollution and moving to renewable energy. They’re kind of changing everything overnight, and I think they’re going to quickly leave the U.S. far behind. One thing I admire about them is their ability to move quickly for a shared goal. Link Link
Ideas
Marketing Groups are Junking Up the Security News Link
Facial Gestures and Eye Tracking as Computer Inputs Link
My Problem With Buddhism Link
Reading is Life Link
On complex topics, the truth is probably a hybrid of all the positions that are held by different sides. Don’t fall into the temptation to choose just one of them. Link
Companies are moving to a new model: keep the core competency in-house, and outsource everything else. Contractors are not treated well, they don’t get most benefits, and they can’t necessarily depend on work. As I’ve written about many times before, this is precisely what we should expect. Corporations don’t have an obligation to society; they have an obligation to customers and shareholders. They will do what makes those groups happy, and if that means a massive percentage of the country goes without a job, so be it. Don’t be surprised. Expect it. This article comparing the lives of two janitors—one from the 60s and one from today—captures this new reality really well. Link
Is coding becoming the new middle class, blue-collar job? I think this is a fascinating idea, and the analogy gets even more interesting when you consider how automation will remove it as a source of jobs at some point in the future. Link
$337 Out of Pocket to See a Doctor in Las Vegas Link
The term “vet,” as in “that person needs to be vetted,” comes from horse racing. A vet(erinary) doctor would have to medically clear horses before they could race.
Discovery
A malware analysis cheat sheet. Link
A Hacker News thread on the books that changed people’s minds about how the world works. Link
A curated list of coding music. Link
The Unfortunate Fallout of Campus Postmodernism Link
Some great analysis of a 320M password hash dump. Link
Analysis of the Alexa top 1M from a security standpoint. Link
Someone has built a device that emits various smells when it detects a data leak, like the butane smell we associate with a leak in a gas pipe. Link
An argument that you don’t need that much of a math background to build and get value from ML models, and that you most need data analysis skills instead. Link
Reverse engineering a Google Voice appliance. Link
Damn Vulnerable Docker VM — A VM image that lets you test for Docker vulns in two different difficulty levels. Link
What’s the best real-life plot twist in history? Here’s a pretty good candidate. Link
The updated HTML5 security cheat sheet. Link
ISF — An industrial exploitation framework for iOS based on Python that operates like Metasploit. Link
Domain Analyzer — Discovery of DNS, mail, IPs, Nmap scans, SPF info, etc. for a target domain. Link
Notes
I’m almost done with The Gift of Fear. It’s quite short and quite excellent. Link
I’ve moved off of Patreon for multiple reasons and created a new site that uses Stripe where people can support my work. If you like the site, the podcast, or the newsletter, consider throwing me a monthly bit of support over there. Thanks! Link
Recommendations
One of the most important things you can have for your business is a list of every third party that has your data. If you don’t have this list then you are blind to a significant amount of risk, and if you do a lot of business in the cloud then the risk is even greater. Asset management is the core of any successful infosec program.
The Gift of Fear is a super short book about recognizing everyday threats. Read it, and give it to everyone you think might need it. Link
Aphorism
“Comedy is a funny way of being serious.” ~ Peter Ustinov
You can also sign up below to receive this newsletter—which is the podcast’s show notes—every week as an email, and click here to get previous editions.
Newsletter
Every Sunday I put out a curated list of the most interesting stories in infosec, technology, and humans.
I do the research, you get the benefits. Over 10K subscribers.
And if you enjoy this content, please consider supporting the site, the podcast, and/or the newsletter below.
Monthly Support
A subscription is the most helpful way to help me continue making content.
Supporter - $5 / month
Member - $25 / month
Partner - $50 / month
Patron - $100 / month
One-Time Support
You can also make a one-time contribution of any amount.
Thanks for listening. I’ll see you next week.
I do a weekly show called Unsupervised Learning, where I curate the most interesting stories in infosec, technology, and humans, and talk about why they matter. You can subscribe here.