NO. 360 | NEWS, ANALYSIS & DISCOVERY SERIES


Exploring the intersection of security, technology, and society—and what might be coming next…

Standard Web Edition | December 5, 2022

SECURITY NEWS


Security researchers found that Eufy, the security-camera brand of Chinese electronics company Anker, has major vulnerabilities in its cameras. The issues include uploading data to the cloud despite claims that footage stayed local, and a URL endpoint that lets an attacker stream live video without encryption. MORE

Attackers are exploiting a Redis vulnerability and deploying a new piece of malware called Redigo. Make sure you don’t have an unnecessary or unauthenticated Redis instance (TCP 6379) exposed to the internet. MORE
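As an added example (not from the newsletter or the linked report), here is a small POSIX shell audit of a redis.conf for the three settings that turn an internet-facing Redis into an easy target: binding to every interface, protected-mode switched off, and no authentication. Both configs are constructed for the example, and the password is a placeholder.

```sh
#!/bin/sh
# Constructed sample configs (hypothetical; not taken from any real host).
WEAK_REDIS_CONF='port 6379
bind 0.0.0.0
protected-mode no'

HARDENED_REDIS_CONF='port 6379
bind 127.0.0.1 -::1
protected-mode yes
requirepass replace-with-a-long-random-secret
rename-command CONFIG ""'

# audit_redis_conf CONF_TEXT
# Prints one FINDING line per weak setting; prints nothing for a clean config.
audit_redis_conf() {
  _conf="$1"

  # 1. Listening on every interface: no bind line at all, or a wildcard address
  #    (0.0.0.0, *, or a bare ::). The default config binds to loopback only.
  _bind=$(printf '%s\n' "$_conf" | grep -E '^[[:space:]]*bind[[:space:]]' | tail -n 1)
  if [ -z "$_bind" ] || printf '%s\n' "$_bind" |
       grep -Eq '0\.0\.0\.0|(^|[[:space:]])\*([[:space:]]|$)|(^|[[:space:]])-?::([[:space:]]|$)'; then
    echo "FINDING: bind missing or wildcard -> redis reachable on all interfaces"
  fi

  # 2. protected-mode off: with no password set, remote clients get full access.
  if printf '%s\n' "$_conf" | grep -Eq '^[[:space:]]*protected-mode[[:space:]]+no'; then
    echo "FINDING: protected-mode no"
  fi

  # 3. No authentication configured (neither requirepass nor an ACL user line).
  if ! printf '%s\n' "$_conf" | grep -Eq '^[[:space:]]*(requirepass|user)[[:space:]]'; then
    echo "FINDING: no requirepass/ACL -> unauthenticated access"
  fi
}

echo "== weak config =="
audit_redis_conf "$WEAK_REDIS_CONF"
echo "== hardened config =="
audit_redis_conf "$HARDENED_REDIS_CONF"
```

Run it against a real file with `audit_redis_conf "$(cat /etc/redis/redis.conf)"`, and pair it with a check of what is actually listening on the host (`ss -ltn '( sport = :6379 )'`), since a config that looks fine on disk says nothing about a second instance started by hand or in a container with the port published.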

Two power substations were damaged by gunfire in North Carolina on Sunday. The damage caused power outages for tens of thousands and will take days to repair. MORE

TikTok’s CEO said in a recent interview about US TikTok data, “no foreign government has asked us for user data before, and if they did we would say no.” Appreciate that, but there’s not a foreign government we’re more worried about than yours. MORE

South Dakota has banned TikTok on state-owned devices. MORE

Rackspace had a security incident that took out their hosted Exchange services. They’re still investigating. MORE

LastPass can’t catch a break and has reported a third update to their original breach back in August. This time they’re saying that some customer data was accessed, but not any passwords because passwords aren’t accessible to them either. Stay strong, security team; this has to have been a rough 5 months. MORE

Vulnerabilities:

  • Nvidia has patched 29 GPU driver bugs that can lead to code execution and system takeover. MORE
  • CISA warns of multiple critical issues affecting Mitsubishi Electric PLCs. MORE



TECHNOLOGY NEWS


Apple appears to be GTFO’ing out of China as quickly as possible. They’ll be using chips from TSMC’s new Arizona plant when it goes live, and Ming-chi Kuo thinks they’ll eventually move 40-45% of iPhone production to India. MORE

Disney has a new AI tool that can age or de-age actors in video in just a few seconds. Completely insane. MORE | VIDEO

Creators can now earn money through Discord. They’ve expanded their server subscription program allowing creators to charge for premium access and perks. MORE

Tesla has delivered its first production Semi, which completed a 500-mile trip on a single charge. The delivery went to Pepsi, which has ordered 100 of them. The 500-mile version will cost $180,000. MORE

Amazon layoffs might be as high as 20,000 now, including senior managers. MORE

HUMAN NEWS


New York City’s mayor, Eric Adams, has directed agencies to remove the severely mentally ill from the streets if they are deemed unable to take care of themselves. They’re being taken to and cared for in hospitals, which is what we used to do before the hospitals were shut down. This is nice, but we need a sustainable and scalable solution as well. MORE

A new study contradicts the commonly held belief that you become more likable in two-person conversations if you speak less. It found that people were rated more likable the more they spoke. MORE

A study looked at multiple factors to determine predictors of political tolerance and found the strongest predictor was cognitive ability. MORE


IDEAS & ANALYSIS


💡 Napkin Ideas Around What to Expect Post-ChatGPT — I collected a bunch of my thoughts on the impact ChatGPT is going to have on business and society. ARTICLE

NOTES


I’ve spent a silly amount of time playing with AI over the last couple of weeks, and have been impressed with what the internet has done with ChatGPT. Check out the Discovery section to see some of my favorite examples.

We just came up with something called the UL Boost Protocol, which is a way for UL members to promote member content outside the community in a coordinated fashion. Thanks to Bryan for the logo and emoji! MORE

I have my KOMPLETE keyboard set up. It’s time to make some music finally. Although I think my first creation will be a multi-note bass tone for a new UL YouTube bumper.

DISCOVERY


⚒️ ThreatMapper — Deepfence ThreatMapper looks for threats in your production platforms and ranks those threats based on risk of exploit. It looks for vulnerable software, exposed secrets, and misconfigurations. It also maps those threats visually to show how they can be exploited. TOOL | by DEEPFENCE

⚒️ pup — Process HTML at the command line. Reads from stdin, prints to stdout, and lets you filter by CSS selector. Example: cat index.html | pup 'title' TOOL | by ERIC CHIANG

⚒️ teler — A tool that reads your log files and tells you about attacks in real time. Super slick and easy to set up, but it doesn’t have the community sharing and blocking capabilities that CrowdSec has, which (full disclosure) is why I’m looking to work with them. I love that this fail2ban/bro/snort space is heating up after seeming to be dead for so long! TOOL | by KITABISA

🔥 A ProjectDiscovery SQL Injection Chain — Use a combination of subfinder, httpx, katana, gf, and sqlmap to run SQL injection testing at scale. COMMAND | BY SERGIO MEDEIROS

🎙️ A Conversation with Erkang Zheng of JupiterOne (Sponsored) — I had a great conversation with Erkang, the CEO of JupiterOne, about what mistakes we keep making in Vulnerability Management. We’re kindred spirits on the point of asset management being the center of the universe. Not just for VM, but for security in general. Highly recommended listen! THE CONVERSATION

🧱 OWASP Top 10 CI/CD Risks — This document helps defenders identify focus areas for securing their CI/CD ecosystem. It is the result of extensive research into attack vectors associated with CI/CD, and the analysis of high-profile breaches and security flaws. PROJECT 

🤖 ChatGPT Insanity:

  • Imagine You’re a Database Server MORE
  • Imagine You’re a Linux Server MORE 
  • Be My Writing Coach MORE 
  • Talk to Me as My Younger Self MORE
  • Take an SAT MORE
  • Create a Set of Fantasy Creatures MORE
  • Describe How You’d Destroy Humanity MORE

The best managers are the best ICs that never wanted to be managers. MORE

The Black Hat USA 2022 Conference Recordings MORE

You can measure someone’s height instantly using the LiDAR scanner on recent iPhones. Just open the Measure app, point it at the person’s full height, and it’ll show you a line with their height on it. MORE

You can instantly extract people and things from their background in macOS Ventura. Open Photos, go to an image with someone in it, right-click, and select Copy Subject. You now have that person in your clipboard without the background. MORE

Capsaicin is a psychoactive substance. By the way, it’s pronounced CAP say sn, which I just looked up. MORE 

You can get to your *cough* nerfed version of Spotify Wrapped for Apple Music by going to replay.music.apple.com and then clicking around several times. It’s awesome. The results are decent once you get in, but not nearly as good as the Spotify version, and that’s coming from an Apple acolyte. MORE

ProjectDiscovery just released version 9.3 of their Nuclei Templates, with 73 new templates! MORE

Security, Funded — A newsletter about the financing activity around the InfoSec industry. Mike Privette just hit 1,000 subscribers with this newsletter and that’s pretty rad. Check it out if you haven’t seen it yet. THE NEWSLETTER

Google has a company strategy, not a product strategy. Basically, they are looking for someone to make the next GMail, so they just hire tons of smart people and have them throw stuff at the wall as their way to search for it. MORE

TikTok is obsessing over the camera on the iPhone 3GS. MORE

RECOMMENDATION OF THE WEEK


You already know what I’m going to say, don’t you? AI. AI this. AI that. “Daniel, why do you keep talking about AI?” Because stuff like ChatGPT, that’s why. This train isn’t coming—it’s here. And here’s how to get ready. Start thinking a lot about what core human needs people have regarding Security and Status. In other words, what makes them more safe and more desirable? Those are the safest and most guaranteed plays for any business, but they’re also the ripest opportunities for quick disruption using new AI. Come up with the ideas. Learn how to implement them using the OpenAI, Google, and Meta tools. Become versed in the APIs. Become a guru at writing prompts. Focus a lot on what people should be asking, not what they are asking. There’s no way to prepare for what’s coming, but this is the next best thing. Prepare the young people you know. They need this more than anyone. Broad education. Critical thinking skills. A focus on the questions rather than the answers. And the coding and data skills required to use all these AI tools that are coming.

APHORISM OF THE WEEK




