The Security Digest: Week 13
Hello and welcome to TSD, your regular blog post with top of mind security issues! TSD began as an internal newsletter that our Security Lead, Daniel Tobin, would circulate to the team each Tuesday. It proved to be a great resource for all of us so we thought, why not share it with all of you? Our hope is that it helps make you just a bit more secure.
Check back here every Tuesday for more TSD or sign up below to stay in the loop!
Hi Cyraloons and welcome to another week of TSD, your regular email / blog post with top of mind security issues, a few security tips for work, home and protest and at least 1 fun thing related to owls.
- TLDR: Watch Last Week Tonight with John Oliver talk about facial recognition. During the Freddie Gray protests, Baltimore Police used facial recognition to go after protesters after the demonstrations. Are others using it now, during and after the current protests? A number of big tech companies have put a moratorium on police usage of facial recognition, but that doesn’t mean everyone has. “‘While Amazon, Google, and IBM have decided to exit the marketplace, Clearview AI believes in the mission of responsibly used facial recognition,’ […] CEO Hoan Ton-That said in a statement.” See more at PCMag. Meanwhile the ACLU has taken Clearview AI to court, which prompted them to end their relationship with private companies like Macy’s, Walmart and more, according to Buzzfeed. Clearview AI has reportedly built their database from public social media posts, and given they’ve “ended their relationship with private companies”, the only customers left are governmental entities like the reported 600 small and large police stations around the country, plus their attempts to sell it to countries around the world.
- Zoom is back in the news for all the wrong reasons after they initially suspended and later reactivated a US based account that “held an event to commemorate the 31st anniversary of China’s Tiananmen Square crackdown”. Read the full article at Reuters.
- Researchers have just debuted a new eavesdropping technique called Lamphone that recovers sound from 25 meters away simply by watching a hanging lightbulb. On their site you can actually listen to 2 songs that were recovered, both recognized by Shazam, and a sentence. The full research will be presented at virtual Black Hat in August. Read more about the attack, its limitations, related work and more at Wired.
- ZecOps wins the vulnerability name of the week with SMBleedingGhost. ZecOps discovered another vulnerability, called SMBleed, while looking at the vulnerability SMBGhost. They were then able to chain the two, using one after the other, to take over a number of different Windows systems remotely without authentication. Last Tuesday was Patch Tuesday for Microsoft, so apply those patches now. Both of the individual vulnerabilities have already been patched.
Owl fun and facts:
This is a Long-Eared Owl. “The so called “ears” that the Long-Eared Owl is named for are really just tufts of feathers atop its head. Researchers believe that these tufts may help them blend into their surroundings. There are several species of owls that share this feature, including the more common Great-Horned Owl.” This photo is courtesy of the Owl Research Institute which has been working for more than 30 years out of Montana on owl conservation and research.
2 Shout Outs:
DevSecCon just wrapped up yesterday and had a number of great presentations that you can see as doodles. Above is the doodle for ‘Appsec is Dead! Long Live DevSecops’ from Matias Madou. Follow MyDevSecOps to check out more of the doodles and all of the videos once they’re posted.
This coming Friday is Juneteenth and the above picture is from a previous celebration of Juneteenth in Philadelphia. I lived for a number of years in Philly and always looked forward to the Juneteenth Parade and Festival. With everything that’s going on, it’s going virtual this year with hopes of returning next year. Read more about Juneteenth on Wikipedia and look for ways you can celebrate in your community this Friday.
That’s owl for now!