Infosec Reading List – October 2017

On a monthly basis I will publish my reading recommendations which mainly focus on Information Security and Outdoor Sports – but you will also find other recommendations from time to time.

All InfoSec Reading Lists can be found here.

Best of Twitterverse


  • Disqus Demonstrates How to Do Breach Disclosure Right – link
  • Experienced A Cybersecurity Incident – link
  • A Tough Corporate Job Asks One Question: Can You Hack It? – link
  • Replacing Social Security Numbers Is Harder Than You Think – Steve Bellovin on the complicated matter of national IDs – “SSNs are not the problem; authentication commensurate with the risk to all parties, including especially individuals, is.” – link
  • Introducing the Next Generation Qubes Core Stack – link
  • Mac Dumpster Diving Identifying Deleted File References in the Trash (.DS_Store) Files – Part 1, Part 2
  • The Absurdly Underestimated Dangers of CSV Injection – this is an impressive example of how plaintext data, which is generally supposed to do no harm, can trigger malicious behavior simply by being interpreted the wrong way – and yes, there are error messages that people “could” read – but will they? – link
  • Responding to typical breaches on AWS – link – I specifically found this link to the AWS Shared Responsibility Model interesting and helpful
  • Administering Chromebooks – For teams traveling to complex and hostile environments – the author invested quite some time to assess the related risks, propose mitigating controls etc. – link
  • Patching is hard; so what? – indeed it is, but there are alternatives for addressing problems that require immediate attention – so doing nothing is not an option here – link
  • Removing Your PDF Metadata & Protecting PDF Files – link
  • Falling through the KRACKs – everybody talks about the WPA mess this month – link
  • Ping is okay? Right? – shell access via ICMP – old but still nice – link

Layer 7

  • Broadening HSTS to secure more of the Web – announcing the HTTP Strict Transport Security (HSTS) preload list – link
  • How I could have mass uploaded from every Flickr account! – true randomness is complicated to implement – link
  • Metadata: a hacker’s best friend – wget + exiftool + Splunk for visualization – nice writeup to get a powerful overview of metadata – link
  • Equifax website hacked again, this time to redirect to fake Flash update – link
  • Penetration Testing AWS Storage: Kicking the S3 Bucket – Alexa Top 10000 AWS S3 assessment results – link
  • One Line of Code that Compromises Your Server – The dangers of a simplistic session secret – link
  • Web Cache Deception Attack – link

IoT (with S for “Security”)

  • Smart home: remote command execution (RCE) – RCE via unchecked PHP variables in Fibaro Smart Home solution – link
  • Google is nerfing all Home Minis because mine spied on everything I said 24/7 – link
  • Reverse Engineering My Home Security System: Decompiling Firmware Updates – not attacking the network interfaces this time, but reversing the firmware updates including OSINT via GitHub – interesting read – link


  • Nigerian Man Hacked Thousands of Global Oil & Gas and Energy Firms – “Even though this individual is using low-quality phishing emails, and generic malware which is easy to find online, his campaign has still been able to infect several organizations.” – link
  • Detecting Lateral Movement through Tracking Event Logs – comprehensive overview of events created by potential attacker tools on Windows environments – [pdf] – link


  • Die Online-Giganten bohren sich in unseren Geist (“The online giants are drilling into our minds”) – [German] – link
  • ‘Our minds can be hijacked’: the tech insiders who fear a smartphone dystopia – “It is very common,” Rosenstein says, “for humans to develop things with the best of intentions and for them to have unintended, negative consequences” “Each time you’re swiping down, it’s like a slot machine,” Harris says. “You don’t know what’s coming next. Sometimes it’s a beautiful photo. Sometimes it’s just an ad.” – related to this very interesting topic, check out my Infosec Reading List from March 2017, especially the MISC section, which contains additional links related to this topic – link
  • How manipulates you – link
  • Experts warn of the development and use of autonomous weapon systems – this topic is worth a look – link – the open letter can be found here – link – “Lethal autonomous weapons threaten to become the third revolution in warfare. Once developed, they will permit armed conflict to be fought at a scale greater than ever, and at timescales faster than humans can comprehend. These can be weapons of terror, weapons that despots and terrorists use against innocent populations, and weapons hacked to behave in undesirable ways. We do not have long to act. Once this Pandora’s box is opened, it will be hard to close.”
  • I asked Tinder for my data. It sent me 800 pages of my deepest, darkest secrets – “Apps such as Tinder are taking advantage of a simple emotional phenomenon; we can’t feel data. This is why seeing everything printed strikes you. We are physical creatures. We need materiality.” – link
