NO. 370


SECURITY


GoDaddy Multi-year Hack
GoDaddy has suffered a multi-year security breach in which attackers stole source code and installed malware on its servers. The company believes the breach is part of a larger campaign by a sophisticated threat actor group targeting hosting services. Previous breaches disclosed in November 2021 and March 2020 are also linked to this campaign, which has affected over 1.2 million customers. MORE | SEC FILING | STATEMENT

European Cyber Warns on Chinese APTs
ENISA is warning that multiple Chinese APTs are attacking European targets. They include APT27, APT30, Ke3chang, GALLIUM, and Mustang Panda, and all of them have been tied to China’s PLA or some form of Chinese government. “Recent operations pursued by these actors focused mainly on information theft, primarily via establishing persistent footholds within the network infrastructure of organizations of strategic relevance.” MORE

Oakland Ransomware
Oakland, CA is still dealing with a ransomware attack that hit them last week. They haven’t said how much the ransom is, or how severe the damages are, but they are working with law enforcement on addressing the scope and impact. 911 still seems to be functioning. MORE

Sponsor
2023 Report: IT Compliance & Risk Game-Changers

Want to know what over 1,000 compliance and risk professionals shared about their pain points, budgets, staffing, best practices, and much more? Join Hyperproof’s webinar to get an overview of the findings from our annual report.

We’ll cover:

  • The top five findings from the survey
  • How your peers are planning to handle compliance, audit management, and risk management in the midst of a volatile economy
  • What companies are doing differently in response to recent and highly publicized security breaches to avoid security lapses and compliance violations
  • Leading practices for compliance, security, and risk management today

hyperproof.io/unsupervisedlearning

hyperproof.io/unsupervisedlearning

Headless Chrome Update
The new version of headless Chrome is much harder to detect as headless. You can still detect it using deep JavaScript inspection, but the fingerprint itself is quite clean. MORE

GPS Darts
Police in Oak Brook, IL are using devices that fires GPS darts at vehicles. You can mount the device to the front of a police car, or you can carry and fire it handheld. It fires a GPS tracker at a moving or stationary vehicle and reduces the need to engage in dangerous high-speed chases. MORE

Nuclear Iran
Nuclear inspectors in Iran have discovered uranium in the country that’s been enriched up to 84% purity, which is right below what’s needed (90%) for nuclear weapons. Iranian officials responded that they’ve not gone above 60%. MORE

🚨Fortinet has released patches for 40 issues in Fortiweb, FortiOS, FortiNAC, and FortiProxy. MORE

⚒️ Semgrepper — A Burp extension that runs Semgrep rules within Burp’s passive scanner. You can include your own rules via files or directories, and define your own scopes where they apply. MORE | PROJECT

⚒️ Ghidra Golf — Ghidra Golf is reverse engineering/forensics Capture The Flag event with focus on Ghidra Script development. The contestant’s goal in addition to solving traditional reverse engineering challenges is to develop Ghidra Scripts to identify, parse, decrypt/decode or otherwise accomplish a specific reverse engineering task. MORE | PROJECT

⚒️ Legitify — Detect and remediate misconfiguration and security and compliance issues across all your GitHub and GitLab assets. MORE | PROJECT

⚒️ pbom.dev — PBOM.DEV is an open framework for releasing secure products. It’s like a MITRE ATT&CK but for supply chain. MORE

⚒️ Sublime Security — Congrats to my buddy Josh Kamdjou whose company, Sublime Security, just emerged from stealth via TechCrunch. Sublime takes an open platform and Detection as Code approach to email security. Kind of similar to Nuclei or Semgrep. Nice work man! MORE

⚒️ Paul Seekamp shows how to directory and parameter brute force at the same time:

  • GET ffuf -w “./dir.txt:DIR” -w ./params.txt -u https://EXAMPLE(.)COM/DIR?FUZZ=1 -t 300 -ac
  • POST ffuf -w “./dir.txt:DIR” -w ./params.txt -u https://EXAMPLE(.)COM/DIR -X POST -d “FUZZ=1” -t 300 -ac

🤖 My buddy Joseph Thacker (rez0) just put out a great post on hacking with GPT. He talks about the ideal tasks for AI and gives multiple use cases. MORE

Sponsor
Is Dynamic Data Masking Good Enough?

Dynamic Data Masking is a popular, flexible, and powerful tool for protecting sensitive information, like PII, in data warehouses and data lakes. Because masks are applied at query-time, dynamic masking can enforce complex RBAC policies and ensure only privileged users or roles access sensitive information.

However, because it is non-destructive, dynamic data masking doesn’t help with DSAR and retention policies, nor does it help with development and test environments. Most importantly, masking only direct identifiers doesn’t protect your data from re-identification attacks.

Privacy Dynamics’ customers use de-identified data to complement dynamic masking and further reduce your attack surface.

privacydynamics.io/unsupervisedlearning

TECHNOLOGY

Unsupervised Learning — Security, Tech, and AI in 10 minutes…
Get a weekly breakdown of what’s happening in security and tech—and why it matters.


Amazon RTO
Amazon is telling corporate workers they need to come to the office at least 3 days a week. I see this as part of the return to the Alaskan Fishing Boat model for companies. The message is basically “do it our way or go somewhere else”, which is an expected reaction to overhiring and over-indexing on worker perks, benefits, and experiences. Right now the power is with the corporations, the managers, and top performers. Kind of feels like mediocrity is no longer good enough. MORE

Layoffs Not So Bad?
Scott Galloway has some interesting analysis that says the layoffs aren’t so bad if you consider how many people tech has hired in the last few years. E.g., Microsoft hired 77,000 and laid off 10,000. Google: 67K/12K. Meta: 42K/11K. In other words, they’re still way above their pre-pandemic numbers, not down. MORE

Apple Contractor Flex
Meanwhile, Apple appears to be laying off hundreds of contractors, which is something they’re good at and take pride in. They are happy to flex contractors to save FTE people, and this is an example of that. MORE

AI Porn
A company called Unstable Diffusion is building tech to generate high-quality AI porn. My question is what took so long? I’ve always heard that porn was like war in that it basically invents all the new stuff. Honestly I’m happy to see it because it’ll bring us that much closer to DIY Hollywood, where solo creators can come up with great stories (see Anime) and turn them into full movies. This is just images for now, but it won’t be for long. MORE

An AI Book Boom
Amazon is seeing a ton of new books written by AI. A lot of people hate this idea, but I love it. AI is a tool, just like a word processor. Ultimately we’re trying to get ideas from one mind to another. MORE

Data Science For Beginners
Microsoft has a free Data Science for Beginners course. It’s a 10-week, 20-lesson course based out of Google Codespaces that lets you build as you learn. MORE

PaaS
Promptify.ai — A service that outsources AI prompt writing to others. You just call their service for a particular task, and it gives you the result. MORE

No More Linode
Linode is now Akamai Cloud. Weird, but I’ll get used to it. MORE

HUMANS


COVID and Diabetes
Another study has shown a 58% increased risk of diabetes after COVID infection. MORE

Mouthwash Counters Exercise?
A 2019 study showed that anti-bacterial mouthwash countered the blood-pressure-lowering effects of exercise. Evidently, it has to do with the bacteria in the mouth. MORE

Notion All The Things
Someone went all-in on using Notion to manage their life. Dashboards for everything. Health, fitness, work, tasks, education, everything. MORE

Remote Costs
Remote work is costing Manhattan over $12 billion a year. MORE

Culture Optimism
Actually, America’s Culture is Booming MORE

IDEAS & ANALYSIS


Major in Humanity
David Brooks just did a solid piece on what young people should major in to be resistant to AI. He talks about a distinct personal voice, presentation skills, childlike creativity, unusual worldviews, empathy, and situational awareness. Not sure I agree with all those, as many of them are also vulnerable to AI, but I like the premise of, “Major in Being Human”. I think the big one he forgot is making sure you’re really good at using AI to do things. MORE

Bad Management Choice
What’s better for a bad manager to do: be absent or be a micromanager? This is a hard one. Neither is good. Both are bad. And it depends on who is being managed. Micromanagement is super annoying, especially for talented and experienced workers, although some people see that attention as caring. Being absent is, in my opinion, even worse. It’s the parenting equivalent of neglect. Both can cause attrition, but neglect probably does it faster. Which do you think is worse? DISCUSS IN THE COMMUNITY | MORE

FOLLOW ON TWITTER

NOTES


Slack -> Discord
So excited. A few of us in the community, including me, were quite reticent because Discord just gave us an ikky feeling. Like of being amateur and not pro enough. But it turns out we have way more features there than we ever had with Slack. And it feels like we own our community now rather than renting it with Slack. Can’t wait to get fully migrated! We’re loving it. JOIN THE NEW SERVER | SUBSCRIBE TO JOIN

The Practical AI Video Series
The first episode of the Practical AI Series is getting really close to dropping. Doing some finalization of tons of settings on Final Cut Pro, YouTube, etc. And about ready to hit record and ship it!

RECOMMENDATION OF THE WEEK


Your State is Your Reality
Think about reality in terms of mental state, and prioritize getting yourself into the ideal mental state above all else. Why? Because your state is your lens through which you see everything. If you haven’t worked out in a few days, you’ve been overeating, haven’t been sleeping well, and haven’t invested in your relationships you’re going to be a 2-4 on the scale of mental state. That means every single input that hits you throughtout the day will be negative. Someone’s going on vacation? Damn them. You need a vacation too. That’s not fair. Your friend gets noticed for work they did? You’ve done work as good or better, but nobody noticed. Books suck these days. Why are people so shitty? But if you’ve been sleeping, working out, eating decently, talking to your loved ones, and doing well on your projects, well now you’re a 7-9 on the mental state. Now everyone’s happiness is your happines. Every obstacle is an opportunity. And you have excess optimism to offer others. Your state is your reality. Make sure it’s healthy.

APHORISM OF THE WEEK


“Change your thoughts and you change your world.”

Norman Vincent Peale





Source link