Tech Friday


  • Microsoft May Patch Tuesday delivers 79 updates:
    • "Patch Tuesday" refers to Microsoft's regular releases of software updates (aka "patches" or "fixes") for Windows and other products that typically occur on the second and occasionally on the fourth Tuesday of each month
    • Microsoft (MS) has a rating system for vulnerabilities that includes the following categories: (https://technet.microsoft.com/en-US/security/gg309177.aspx)
      •  Critical
      •  Important
      •  Moderate
      •  Low
    • Critical and other updates may be released outside Patch Tuesday as necessary to address urgent vulnerabilities and flaws
    • Daily updates of anti-malware definitions are made for Windows Defender
    • Microsoft’s May 2019 Patch Tuesday fixed 79 vulnerabilities, 19 of which are classed as Critical, across many Microsoft products including Windows, Office, Office 365, SharePoint, .NET Framework, and SQL Server
    • Some of the most noteworthy include:
      • A fix for a processor flaw known as "ZombieLoad" that allows programs to access each other’s data. Apple and Google also provided patches that create a workaround until Intel fixes the bug
      • Several fixes for critical vulnerabilities that could enable remote code execution
      • Another patch fixes an issue with Remote Desktop Services (RDS) that could enable a WannaCry-like attack
      • An issue that would let an attacker run code as the targeted user by persuading them to open a malicious file
    • Microsoft also provided patches for Flash
    • Additionally, Adobe released patches for 84 vulnerabilities in Acrobat and Reader on Windows and Mac. Get the details here: https://helpx.adobe.com/security/products/acrobat/apsb19-18.html
    • In most cases, it's a good idea to apply all of these updates as soon as possible
    • It’s also a good idea to back up your system before applying updates and/or create a restore point. Learn more about Restore Points here: https://support.microsoft.com/en-us/help/4027538/windows-create-a-system-restore-point
  • WhatsApp bug allows hackers to plant spyware on your phone with only a call:
    • Facebook bills WhatsApp as "Simple. Secure. Reliable messaging"
    • A serious flaw that allows attackers to inject professional spyware on iPhone and Android devices simply by calling a target was recently disclosed
    • Facebook said: "This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems. We have briefed a number of human-rights organizations to share the information we can, and to work with them to notify civil society."
    • An attacker could call a target and send specially crafted Secure Real-time Transport Protocol (SRTP) packets to a phone to inject the spyware
    • The most disturbing part is that the target doesn't even need to answer the phone
    • The Financial Times reported that the spyware is professional-grade software from Israeli company NSO Group
    • NSO Group's Pegasus product is known as a "lawful intercept" tool designed for law enforcement and government agencies. It's very powerful and can record conversations, exfiltrate photos and messages, enable the microphone and camera, and collect location data
    • NSO claims the technology is only licensed to authorized government agencies for fighting crime and terror
    • WhatsApp moved quickly to fix the issue and deployed a patch for it this week. They also reported the issue to the US Department of Justice
    • NSO said "NSO would not or could not use its technology in its own right to target any person or organization, including this individual"
    • If you use WhatsApp, update it now:
      • iOS: go to the App Store and press "Update" beside WhatsApp. You should be on version 2.19.51 or higher
      • Android: go to the Play Store, press menu, press "Apps and games", press "Updates" and press "Update" beside WhatsApp. You should be on version 2.19.134 or higher
      • If there is no Update option, you should be on the most current version
  • Deepfakes return with a creepy Elon Musk baby video:
    • Advances in computer power and machine learning have led to technology that is making it hard to believe your own eyes and ears
    • New algorithms can take a single photo of someone and create a video that is completely fabricated but very, very realistic
    • Pinscreen is a Los Angeles start-up that has created the technology
    • They believe these renderings will become so realistic that it will be virtually impossible to determine what is real
    • Hao Li, a leading researcher on computer-generated video at USC, founded Pinscreen in 2015. "With further deep-learning advancements, especially on mobile devices, we'll be able to produce completely photoreal avatars in real time"
    • Videos known as "Deep Fakes" have surfaced where celebrities' faces have been carefully inserted into pornographic videos and popular movies
    • FakeApp is one of several new AI-powered synthesizing tools that don't require specialized hardware or skilled experts to create convincing fake videos
    • Software such as FakeApp can be used for fraud, forgery, and propaganda. FakeApp has been downloaded more than 100,000 times and been used to create many fake pornographic videos featuring celebrities and politicians
    • FakeApp is relatively easy to use: a user "trains" it with hundreds of photos of source and target faces. It relies on deep-learning algorithms to find patterns and similarities between the two faces
      • While the process isn't trivial, you don't have to be a graphics or machine-learning expert to use FakeApp and it will run on relatively low-end systems
      • Nvidia has published a video showing AI algorithms generating photo-quality synthetic human faces. It may soon be capable of creating realistic-looking videos of non-existent "people"
    • "Ten years ago, if you wanted to fake something, you could, but you had to go to a VFX studio or people who could do computer graphics and possibly spend millions of dollars," says Dr. Tom Haines, lecturer in machine learning at University of Bath. "However, you couldn't keep it a secret, because you'd have to involve many people in the process."
    • University of Washington researchers recently demonstrated a similar technique to move President Obama's mouth to match a fake script
    • There are many possible applications for this technology and many of them are malicious. Imagine the capability to use fake videos for blackmail, revenge or propaganda
    • This technology could have a devastating impact on the use of audio and video evidence in court cases. "This goes far beyond 'fake news' because you are dealing with a medium, video, that we traditionally put a tremendous amount of weight on and trust in," said David Ryan Polgar, a writer and self-described tech ethicist
    • Hany Farid, a digital forensics expert at Dartmouth College, said watching for blood flow in the face can sometimes determine whether footage is real. He also said slight imperfections at the pixel level may reveal fakes
    • TheFakening, a YouTube channel dedicated to deepfakes, has a video of Elon Musk's face embedded into a viral video called "Cutest Baby Montage Ever"
    • There are many Musk deepfakes, but this one has Musk's adult face on a baby that eventually speaks with his adult voice. It's weird!
    • Watch it here and despair for our future: https://www.youtube.com/watch?time_continue=59&v=WHwQeetjLwk