Infosec Reading List – March 2017

On a monthly basis I will publish my reading recommendations which mainly focus on Information Security and Outdoor Sports – but you will also find other recommendations from time to time.

All InfoSec Reading Lists can be found here.

Interesting Tweets


  • Why boards aren’t dealing with cyber threats – the bottom line is: inadequate processes to address cyber threats + lack of expertise leads to the fact that boards  neglect cybersecurity issues at their peril. The problem is: the problem will not go away by simply neglecting it. It will get worse – so boards should better start addressing this challenge now – see the recent Yahoo! case for an example what can happen to your bonus – linklink
  • A pretty extensive Tech Wish List – interesting to see that some of the ideas I also had in my mind in the past like the mic/audio hardware power switch – link
  • From Russia with Cheats – Russians Engineer a Brilliant Slot Machine Cheat—And Casinos Have No Fix – link
  • March was the month of the CIA leaks – bottom line: encryption works, as we know from the snowden documents, and makes mass surveillance much more complicated/expensive forcing 3-letter agencies to attack the endpoints in order to catch data before it gets encrypted. No indication that WhatsApp and Signal are broken – so all in all these are good news. For me the most interesting question is: who leaked the data and why? The worst part of the story is that 3-letter agencies keep vulnerabilities/exploits instead of publishing and fixing them with vendors – doesn’t this stand in contrast with the goal to protect their people? But is this really shocking/new? And let’s stay focused: 99% of the world’s population will most probably never get onto a CIA target list. linklink – link
  • How data crosses the air gap – different aspects of potential covert channels such as physical, acoustic, seismic, magnetic, light etc. – link
  • This book reads you – exploiting services and readers that support the ePub book format – very nice approach – old issue: Never ever trust client data – link
  • Crypto is hard – the discussion of the Needham-Schroeder protocol in the article remembers  me of the old times when we reviewed broken crypto protocols at the university – link
  • Recently Bought a Windows Computer? Microsoft Probably Has Your Encryption Key – link
  • Android Devices Security Patch Status – nice capability to get information around the latest patch level for non-google Androids – but sadly statistics show: you need to own a google-supported phone in order to get the latest Android version in production – 7.1.1 at the time of writing – link
  • Related to the item above: Android Security Bulletins – what is included in the monthly patches? – link
  • How to Build a Successful Information Security Career – I agree with most of the points in the article but disagree heavily with the point where it is stated that security certifications add more value than a university degree – pick the right university and you will get a lot out of it – link
  • Introduction to Cryptography – YouTube session by a former professor of mine – great overview – link
  • Talking to the Hacker Who Took Down a Fifth of the Dark Web – obviously the hoster, named Freedom Hosting II, had some insecure configuration in place which allowed to reset passwords – link
  • “Hey we just released OMEN! A Markov model-based password guesser” – check out the source on Github – link
  • “Ossmann & Osborn also briefly documented multiplexed audio connectors, noting that Nexus 4 has a TTL UART interface hidden in its headphone jack, a functionality which is enabled if the voltage on the MIC pin exceeds some threshold.” – and this is how it all began. I see similarities here to the networking attack surface: the more interfaces (open ports), the worse it is – link
  • Subgraph OS – link
  • Secure computing for journalists – some interesting views on OS security “mobile device vs Laptop/Desktop” – link
  • Follow the trail of the Yahoo! adversary and learn about his tactics, techniques and procedures – my highlight: “Found that cookies generated in staging were valid in production, and modified a staging cookie to access the production instance of the administrative portal (bypassing 2FA)” – link

Layer 7

  • How I found a $5,000 Google Maps XSS (by fiddling with Protobuf) – interesting technical deep dive on a gmaps XSS – link
  • Hacking the Western Digital MyCloud NAS – including command injection via PHP – one of the reasons not to expose a NAS admin panel to the Internet – link
  • Apple iCloud Hoards ‘Deleted’ Browser History Going Back More Than A Year – you are potentially impacted in case you are logged in with your icloud account – most probably a design issue, but a pretty privacy-impacting one – link – and while we talk about Apple: iPhones Secretly Send Call History to Apple, Security Firm Says – link
  • Related to the icloud case above: Your Browsing History Alone Can Give Away Your Identity – based on Twitter data – link
  • In regards to Twitter & Privacy: You will be surprised by what your Tweets may reveal about you and your habits – metadata analysis of Twitter data with support of the Twitter API. The snowden example is an interesting one – link
  • Facebook Vulnerability – Delete Any Video on Facebook – link
  • Samsung shipment company leaks private data – and Samsung doesn’t care – although first order has been done via Samsung – link
  • “Privacy analysis of Ambient Light Sensors”– I’m still struggling to understand the need to connect browsers to the light sensor in my device – link
  • This is an excellent idea – “The Account Takeover Runbook” – with the growing capabilities of web-based email interfaces, simply resetting the password after compromise is not sufficient anymore – link


  • Interesting considerations for (Securely) Updating Smart Devices – link
  • Security and the Internet of (insecure) Things – extensive article from Schneier on the IoT mess – I can specifically recommend the “Truisms” number 1-5 – link
  • iPhone Robbers Try to iPhish Victims – interesting case from Brazil – link
  • flAWS challenge – nice one to learn more about the security configs of AWS instances – you remember the CloudPets leak last month? Part of the data was stored on insecurely configured AWS S3 buckets – link
  • Reversing the “iSmartAlarm” system – an extensive analysis – link
  • Hacking the DJI Phantom 3 – will not be the last article around attacking drones, in flight or on the ground – link


  • “The operation uses malware to capture audio recordings of conversations, screen shots, documents, and passwords, according to a blog post published last week by security firm CyberX.” – operation BugDrop – pretty well-organized malware campaign – link
  • Two new Mac backdoors discovered – interesting aspect: malware searches on mac for iOS backups. Iphones are more difficult to attack and often contain personal/sensitive material – link
  • Former Mozilla Engineer says: Disable Your Antivirus Software (Except Microsoft’s) – it’s an interesting perspective and you can spend hours on discussing what is right and what is wrong – I recommend to follow the links in the article to get the different opinions – link
  • On the notion of threat hunting – link
  • Nile Phish: Large-Scale Phishing Campaign Targeting Egyptian Civil Society – link
  • Macro Malware Comes to macOS – easy attack, low tech approach, highly efficient most probably – link
  • Analysis of Malware Used Watering-Hole Attacks Against Polish, Other Financial Institutions – link
  • Preinstalled Malware Targeting Mobile Users – In all instances, the malware was not downloaded to the device as a result of the users’ use, it arrived with it – link

Politics Related

  • “If one would give me six lines written by the hand of the most honest man, I would find something in them to have him hanged.” – Cardinal Richelieu in 1641 – discussion around opsec in regards to phone / traveling abroad – “I’ll never bring my phone on an international flight again. Neither should you.”link – here is another article in case you still intend to bring your personal devices – link
  • Swiss Lawful Interception Report 2017 – (german) link
  • “Fearing U.S. Withdrawal, Europe Considers Its Own Nuclear Deterrent” – link


  • Top 10 tents recommended – ZPacks Duplex is in it as well – that’s the one I can recommend personally – link
  • on the best hikes in Africa and the Middle East – link
  • China’s glass walkway opens in Tianmen mountain – impressive pictures – link
  • “Ya can’t safely whip doughnuts on the edge of the Sea of Serenity without a trusty roll of Duct Tape.” – a love letter to the duct tape – totally overdue – link
  • Backpacking with a SteriPEN Ultraviolet Water Treatment System – link
  • “The best expedition teams aren’t made up of individuals who are the most physically strong, but those that have minds that can overcome literally anything. And put aside the ego.”link
  • 5 Cool Things You Didn’t Know About Topo Maps – link
  • Why walking is the ideal speed to see the world – link
  • “On Instagram’s Impact on Wilderness, and True Adventure Photographers” – link
  • “At the time, I was convinced that by the 21st century we would already have scientific stations on Mars and settlements on the Moon. But the 21st century came and all we do is wage war, make money, and stuff ourselves.” – Record-Breaking Russian Adventurer Says The World Needs More Explorers – link
  • Garmin on my recent trip to the deserts of Bolivia – link


  • Bruce Lee’s Never Before Revealed Letters to Himself About Authenticity, Personal Development, and the Measure of Success – link
  • The Purpose of Sleep? To Forget, Scientists Say – link
  • The Most Attractive Cities to Move to for Work – link
  • If You Want to Be Happy at Work, Have a Life Outside of It – link
  • “The world is getting louder. But silence is still accessible” – link
  • “Just look around you — at the people crouched over their phones as they walk the streets, or drive their cars, or walk their dogs, or play with their children. Observe yourself in line for coffee, or in a quick work break, or driving, or even just going to the bathroom. Visit an airport and see the sea of craned necks and dead eyes. We have gone from looking up and around to constantly looking down.” – a mindblowing article on how modern technology is stealing our time to actually live and what could be done about it – link – related to this, another interesting article: “I find it interesting that the late Steve Jobs said in a 2010 interview that his own children didn’t use iPads. In fact, there are a surprising number of Silicon Valley titans who refuse to let their kids near certain devices. There’s a private school in the Bay Area and it doesn’t allow any tech — no iPhones or iPads. The really interesting thing about this school is that 75 percent of the parents are tech executives.” – let this sink for a second and re-read the last sentence – link

One Comment on “Infosec Reading List – March 2017

  1. Pingback: Infosec Reading List – October 2017 | Dominik Birk

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s