Infosec Reading List – June 2017

On a monthly basis I will publish my reading recommendations which mainly focus on Information Security and Outdoor Sports – but you will also find other recommendations from time to time.

All InfoSec Reading Lists can be found here.

Best of Twitterverse



  • “While the connection between the mobile app, its API and the Elasticsearch data store is typically secure, the Elasticsearch server is often exposed to the Internet.” – Enterprise Mobile Apps Expose Sensitive Data via Backend Systems – link
  • “As long as we treat cybersecurity as a technical problem that should have easy technical solutions, we will continue to fail. If we instead develop solutions that address the reasons why cybersecurity is a hard problem, then we will make progress.” – link
  • Penetration Testing Skype for Business: Exploiting the Missing Lync – link
  • Law Firm Takes Cyber Insurance Provider to Court for Not Covering US$700,000 in Ransomware Losses – link
  • The Crossed Swords wargame: Catching NATO red teams with cyber deception – link
  • “How The Intercept Outed Reality Winner” – converting the scans to text would have mitigated this, but would also have destroyed some of the indicators that the leaked documents are authentic – link
  • “Democratic elections serve two purposes. The first is to elect the winner. But the second is to convince the loser.” – Schneier on the Russian attempt to hack voter rolls – link – corresponding Intercept article – link
  • Do they want to side-line their hard-earned technical skills in favor of developing softer skills “they have never been taught?” – How and why to hire a CISO – link
  • How we hacked more than 10,000 user accounts at the University of Amsterdam – link
  • “The Swiss surveillance law is similar to the one which was recently approved in Germany. However, there are some differences. The Swiss version requires sign off by a judge and needs to go through two levels of judiciary for approval. The Swiss also don’t have a history of cooperating with the US, unlike German intelligence.” – link

Layer 7

  • “Publish tweets by any other user” – link
  • Yahoobleed #1 (YB1) – “I’m donating this reward to charity. Upon being asked about charitable matching, Yahoo! accepted a suggestion to match (i.e. double) the reward to $28,000.” – “As you can now see, the attacker could simply create an RLE image that has header flags that do not request canvas initialization, followed by an empty list of RLE protocol commands. This will result in an uninitialized canvas being used as the result of the image decode.” – link
  • “How I could’ve taken over the production server of a Yahoo acquisition through command injection” – link
  • “De-anonymizing Facebook Ads” – link
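The Yahoobleed quote above describes the whole bug in two sentences: the image header is allowed to say "do not clear the canvas", the command list is empty, so the decoder hands back whatever the freshly allocated canvas still contained from earlier decodes. The toy decoder below is an added illustration of that pattern and not code from the original post, from Yahoo or from ImageMagick; its 4-byte header and two opcodes are invented for this example and are not the real Utah RLE layout. The caller supplies the canvas buffer pre-filled with a marker byte to stand in for a recycled heap chunk, so the leak is deterministic and testable; the vulnerable decoder honours the "skip initialisation" flag, the hardened one clears the canvas unconditionally before any opcode runs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Toy RLE-style image format, constructed for this example only (NOT the real
 * Utah RLE layout that ImageMagick parses). 4-byte header:
 *   [0] flags      bit 0 = "clear canvas to background before decoding"
 *   [1] background fill byte used when clearing
 *   [2] width
 *   [3] height
 * followed by opcodes: 0x00 = end of stream, 0x01 <len> <val> = write a run.
 */
#define HDR_LEN 4
#define FLAG_CLEAR_CANVAS 0x01
#define OP_END 0x00
#define OP_RUN 0x01

/* Shared opcode interpreter: writes at most `cap` bytes, never past the canvas. */
static void run_opcodes(const uint8_t *ops, size_t n, uint8_t *canvas, size_t cap)
{
    size_t pos = 0, i = 0;
    while (i < n) {
        uint8_t op = ops[i++];
        if (op == OP_END)
            return;
        if (op != OP_RUN || i + 2 > n)   /* unknown opcode or truncated operands */
            return;
        size_t len = ops[i];
        uint8_t val = ops[i + 1];
        i += 2;
        if (len > cap - pos)             /* clamp the run to the remaining canvas */
            len = cap - pos;
        memset(canvas + pos, val, len);
        pos += len;
    }
}

/*
 * Vulnerable decoder: clears the canvas only when the file's header asks for it.
 * The canvas is supplied by the caller to stand in for a freshly malloc()ed chunk
 * that still holds whatever the previous tenant (another user's image) left there.
 * A file with the clear flag unset and an empty opcode list therefore returns that
 * stale memory as the decoded image, which is the pattern the Yahoobleed quote describes.
 */
int decode_vulnerable(const uint8_t *img, size_t len, uint8_t *canvas, size_t cap)
{
    if (len < HDR_LEN)
        return -1;
    size_t need = (size_t)img[2] * img[3];
    if (need == 0 || need > cap)
        return -1;
    if (img[0] & FLAG_CLEAR_CANVAS)          /* BUG: initialisation is optional */
        memset(canvas, img[1], need);
    run_opcodes(img + HDR_LEN, len - HDR_LEN, canvas, need);
    return 0;
}

/* Hardened decoder: the canvas is always initialised before any opcode runs. */
int decode_hardened(const uint8_t *img, size_t len, uint8_t *canvas, size_t cap)
{
    if (len < HDR_LEN)
        return -1;
    size_t need = (size_t)img[2] * img[3];
    if (need == 0 || need > cap)
        return -1;
    memset(canvas, img[1], need);            /* unconditional: no stale bytes survive */
    run_opcodes(img + HDR_LEN, len - HDR_LEN, canvas, need);
    return 0;
}

/* Helper for the demo: how many canvas bytes still hold the "previous tenant" marker. */
size_t count_stale(const uint8_t *canvas, size_t n, uint8_t marker)
{
    size_t k = 0;
    for (size_t i = 0; i < n; i++)
        if (canvas[i] == marker)
            k++;
    return k;
}

int main(void)
{
    uint8_t canvas[16];
    /* Constructed attack file: flags=0 (no clear), background=0, 4x4 image, then END. */
    const uint8_t evil[] = { 0x00, 0x00, 4, 4, OP_END };

    memset(canvas, 0xAA, sizeof canvas);     /* 0xAA marks leftovers from an earlier decode */
    decode_vulnerable(evil, sizeof evil, canvas, sizeof canvas);
    printf("vulnerable: %zu of 16 bytes are stale heap contents\n",
           count_stale(canvas, sizeof canvas, 0xAA));

    memset(canvas, 0xAA, sizeof canvas);
    decode_hardened(evil, sizeof evil, canvas, sizeof canvas);
    printf("hardened:   %zu of 16 bytes are stale heap contents\n",
           count_stale(canvas, sizeof canvas, 0xAA));
    return 0;
}
```

The fix is the same one that applies to any decoder whose output buffer is allocated per request: never let the input decide whether the buffer is initialised, and treat a format flag that promises "I will overwrite every pixel" as untrusted, because an attacker controls both the flag and whether the promised writes ever happen.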

IoT (with S for “Security”)

  • “Because technology is invading our homes and our lives in pervasive ways that we can’t dream of escaping, I think we need a societal conversation about what aspects of that technology are going to be available to law enforcement period,” – link
  • Rash of in-the-wild attacks permanently destroys poorly secured IoT devices – a botnet on IoT destruction course – link
  • Analysis of a Ford Sync Gen 1 Module – link
  • CherryBlossom – CIA Router Compromise Framework – a compromised router is pretty bad news, since it lets the adversary MitM your sensitive, encrypted conversations, attack other devices directly within your LAN, etc. – and according to the WikiLeaks documents this is exactly what this software is built to do – link – link

Mobile Related

  • “Is some of my phone’s core functionality now provided by a 3rd party app? Indeed. Does it respect my privacy? No. Can I uninstall it again? No. Was I ever asked to comply with their terms and conditions? Of course not.” – with an open platform, customers run the risk that shady vendors ship hardware with a shady Android build, with shady capabilities and services pre-installed by default – link
  • “Here’s How To Track The Smartphone Apps That Are Tracking You” – Quis custodiet ipsos custodes? – link
  • “Malicious Android Ads leading to drive by downloads” – link
  • “Dvmap: the first Android malware with code injection” – link
  • Exploiting people’s fear – “Hundreds of Malicious Android Apps Masked as Anti-virus Software” – link

  • All New Gaia GPS: Our favorite GPS app gets a major update – link
  • GaiaGPS App Setup and Battery Management Tips – helpful tips in case you don’t know them already – link
  • Commit. Leap.
  • What Happens When a User Triggers an SOS on an inReach? – link
  • Instruments of Adventure – link – pretty amazing video about multisport adventures – see here
  • “Into Darkness” – link

  • “Learning and Adapting: al-Qaeda’s Attempts to Counter Drone Strikes” – blankets to absorb body heat, spoofed communications, GPS jamming and weather balloons are just a few of the counter-drone tactics listed – be assured that for every tactic there is a counter-tactic, and in Internet times these efforts can easily be crowdsourced – link – I can also highly recommend having a look at the OpSec documents translated and published by the Associated Press – link
