Infosec Reading List – October 2018

On a monthly basis I will publish my reading recommendations which mainly focus on Information Security and Outdoor Sports – but you will also find other recommendations from time to time.

All InfoSec Reading Lists can be found here.

Best of Twitterverse


InfoSec

  • An interesting Google vulnerability that got me 3133.7 reward. – putting GET-request data into POST-request fields is probably not the best idea – link
  • GoogleMeetRoulette: Joining random meetings – link
  • Accidentally Finding RCE in Signal Desktop via HTML Injection in Quoted Replies – “Much like innerHTML, use of dangerouslySetInnerHTML is, well, dangerous and can lead to XSS like what occurred in the Signal Desktop app.” – link
  • Catching phishing before they catch you – an early phishing warning system based on the certstream API – nice – link
  • Unauth meetings access – “When decoded this base64 string includes the phone number and the pin for the meeting” – link
  • Password and Credential Management in 2018 – this article indeed has some interesting aspects that should be considered – “Before we send the username and password over the wire we perform a single SHA3-512 round on the plain-text password plus a unique name for our service” – “There is no way we could ever accidentally store the user’s plain-text password in our logging system, unlike GitHub and Twitter, which both admitted in May 2018, that they have found plain-text passwords in their logging systems.” – interesting thoughts on ensuring the plaintext password never leaves the client side – link
  • IoT Pentesting 101 && IoT security 101 – link
  • So, you want to be a darknet drug lord… – link
  • Authentication bypass vulnerability in Western Digital My Cloud allows escalation to admin privileges – “Next, call an endpoint (e.g., cgi_get_ssh_pw_status) that requires admin privileges and authenticate as admin by adding the cookie username=admin.” – link
  • Local file inclusion at IKEA.com – “The used PDF library contains (hidden) functionality that allows one to embed files into the PDF by adding a specific tag in the template.” – link
  • RCE by uploading a web.config – link
  • How I “found” the database of the Donald Daters App – link
  • How I hacked modern Vending Machines – link

Outdoors

  • Chile Opens 1,700-Mile Hiking Trail Connecting 17 National Parks – it still needs to be verified how much of this is really through-hiking and how much has to be done by car – link – link
  • Ruta de Los Seis Miles, Norte – added to the bucket list – perhaps it could even be combined with the Chile trails mentioned above? – some of these areas have already been covered by my previous trips – link norte – link sur
  • Iceland Divide (North-South) – yet another entry on the bucket list, although I already spent 1 month in Iceland a few years ago – it’s definitely a place to go back to – link
