Infosec Reading List – April 2019


On a monthly basis I will publish my reading recommendations which mainly focus on Information Security and Outdoor Sports.

All InfoSec Reading Lists can be found here.

Best of Twitterverse







  • Firefox, Edge, Safari, Tesla & VMware pwned at Pwn2Own – JIT bugs all over the place – link
  • Facebook Stored Hundreds of Millions of User Passwords in Plain Text for Years – while this is seems to be a disaster at first sight, I think that this problem is widely spread since a huge amount of companies do not follow up in regards to what their apps are storing where and what – storing log data in the age of SIEMs is relatively easy. A proper solution to this would be to never send the plaintext password to the server – I covered an article related to that topic in my Reading List October 2018 here. “Before we send the username and password over the wire we perform a single SHA3-512 round on the plain-text password plus a unique name for our service” – so the theory is out there – link
  • Trapdoor commitments in the SwissPost e-voting shuffle proof“Verifiability is a critical part of the trustworthiness of e-voting systems. Universal verifiability means that a proof of proper election conduct should be verifiable by any member of the public.” – I think we should seriously question whether society is ready for this e-voting move – we cannot even secure our critical infrastructure, IoT and all the legacy IT stuff that flies around – do we really want to digitize the core bones of our democracy? I’m sure we will get there – but I doubt that right now is the right time – link
  • Malicious Counter-Strike 1.6 servers used zero-days to infect users with malwarelink
  • Some notes on the Raspberry Pilink
  • Buffer overflow flaw in British Airways in-flight entertainment systems will affect other airlines, but why try it in the air?link
  • DJI Drone Vulnerability – XSS in the forum – link
  • Perfect is the Enemy – true words – link
  • Emotet droppers – “All in all, it shows how much effort is put in to deliver an executable on the target, which then servers as yet another downloader for another stage within the infection process.”link
  • Hundreds of motel guests were secretly filmed and live-streamed online – where is a market, there is a service offer – link
  • Family finds hidden camera livestreaming from their Airbnb in Ireland – not only hotels are affected, but also Airbnb – link
  • How Instagram’s drug deals go undetected – “Smartphone data is packed with specific information that touches cell towers and can be triangulated. Indeed, plenty of less-careful sellers have geotagged themselves into handcuffs. Virtual private networks (VPNs) for iOS and Android devices offer relative anonymity, but Google Location Services, for example, transmits the SSIDs of in-range wireless networks. If you’re using cell-based Internet, even with a VPN, the device can transmit cell tower identifiers. Using a phone is risky, so the pros don’t.” – selling drugs in 2019 – avoid smartphones – link
  • Why The Citrix Breach Matters — And What To Do Nextlink
  • How Lockergoga took down Hydro  ransomware used in targeted attacks aimed at big business – while this looks like a fail on Hydro’s side, this is a clear demonstration that most of the promises that the AV industry gives its customers, is snakeoil bulls***t and that we, as the industry, still have to work on getting better in protecting the endpoints – “As you can see above the detection rate was 0 out of 67 anti-virus engines. Now, before vendors get annoyed, I am well aware that VirusTotal results don’t tell the full story  however having zero detection from any engine is an extremely bad sign.”link
  • Remote command injection through an endpoint security product – to underline my statement about the AV industry above – check out this article – link
  • Locating The Netherlands’ Most Wanted Criminal By Scrutinising Instagram – TLDR: bad OPSEC, you shouldn’t use social media in case you are a fugitive – besides that, very nice OSINT work – link
  • Connected Camera Cock Up – TLDR: “Next step is to enter a device UID and static password of ‘ok12345678’.” link
  • Purism Becomes PIA’s First OEM Partner“Purism plans to include PIA-based VPN by default in the Librem 5 phone, as well as within PureOS for its Librem 13 and Librem 15 laptops. Purism will also collaborate with PIA on a future services bundle.” – this is bad. I really hope that this PIA integration can be easily disabled – routing all traffic via one provider by default is not the right approach, even if it promises to respect users privacy – various others did as well and it turned out later that they lied – Librem, you don’t want to take this risk – link
  • Wipro Intruders Targeted Other Major IT Firms – Supply Chain Attacks, getting more and more common – link
  • Threat actors leverage credential dumps, phishing, and legacy email protocols to bypass MFA and breach cloud accounts worldwide – IMAP does not understand 2-factor-authentication by default – this is what bad guys abuse and exploit with the support of credential dumps – what helps here, besides using stronger protocols that support 2FA and raising awareness, is logging failed logins and block brute-forcing IPs accordingly – link
  • How Do I Prepare to Join a Red Team?link


  • Now, This is Kiting! – check out the video in the link – a nice way of doing multi-sport adventureslink
  • A Guide to Using Sauna to Increase Your Health and Longevitylink
  • Lonely Traverse of the Jungle – Packrafting the Congo River – link
  • Inflated Ambitions – Pack Rafting the Oxus River in Afghanistan – amazing trip – love the pictures – link
  • Quitting isn’t always failing“We don’t lose credibility for making mistakes, we only lose credibility when we fail to admit that we made that mistake.” link
  • Camino Del Puma: Peru and Bolivia – I need to go back there – this place is too amazing to just go there once – link
  • Solo travel is one of life’s greatest joys but what if you get so sick you can’t think?link
  • Do Not Disturb: How I Ditched My Phone and Unbroke My Brainlink
  • The origins of SOS and Mayday“Mayday, an international radio distress signal used especially by ships and aircraft, has a more linguistic origin than the pragmatic approach of S.O.S. Although a connection to the month of May might seem likely, it is actually an anglicization of the French m’aidez or m’aider, meaning ‘help me’.”link
  • Interview: Chaz Powell on Trekking the Gambialink
  • Freedom – bikerafting the Pamirs – link

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s