Infosec Reading List – October 2019

Red-White signs of the trail

On a monthly basis I will publish my reading recommendations, which mainly focus on Information Security and Outdoor Sports.

All InfoSec Reading Lists can be found here.

Best of Twitterverse
  • Uber allegedly paid $100,000 ransom and had hackers sign NDAs after massive data breach – this does not sound like a solid plan to me – link
  • Moroccan Human Rights Defenders Targeted with NSO Group’s Spyware – link
  • Just a GIF Image Could Have Hacked Your Android Phone Using WhatsApp – important to know is: “The vulnerability, tracked as CVE-2019-11932, is a double-free memory corruption bug that doesn’t actually reside in the WhatsApp code itself, but in an open-source GIF image parsing library that WhatsApp uses.” – link
  • Alexa and Google Home abused to eavesdrop and phish passwords – link
  • Supply-Chain Security and Trust – link
  • “BriansClub” Hack Rescues 26M Stolen Cards – conclusion: systems will get breached and data will change owners, independently of whether you have a legitimate reason or not for owning, storing and processing the data – link
  • Signal Technology Foundation is now open for donations – link
  • How does Apple (privately) find your offline devices? – link
  • The spy in your wallet: Credit cards have a privacy problem – well, this situation does definitely not look promising; it’s important to understand that behind a simple credit card transaction, a whole rabbit hole of companies opens up that are interested in understanding what the customer wants – link
  • Exploit Wars II – The server strikes back – conclusion: be careful what kind of exploit you use from which system and against which target – link
  • WhatsApp blames and sues mobile spyware maker NSO Group over its zero-day calling exploit – the outcome of this will be an interesting one – link
  • How safe is Apple’s Safe Browsing? – link
  • How a Bitcoin Trail Led to a Massive Dark Web Child-Porn Site Takedown – important message: even without backdoors, investigators can do excellent work and bring bad guys behind bars – link
  • Avast fights off cyber-espionage attempt, Abiss – unpopular question to ask Avast: why did their own software not prevent this kind of attack? Why did they need MS software here? – link
  • Avast, NordVPN Breaches Tied to Phantom User Accounts – the scenarios under which I would use a VPN would be really limited, since most of the providers are not capable of keeping what they promise – link
  • On the inside of a hacking catastrophe – interesting insights into the Equifax breach, also learning how NOT to do it – “In that meeting, where external counsel [lawyers] were also present, some of us were told ‘if you tell anyone else about this, you’ll be fired on the spot and walked off-site’.” – “Equifax spent millions responding to the breach, but that turned into people from the security team working overtime, on 36 hour shifts, and that’s the hidden cost of the breach that no one has gotten near to quantifying so far.” – link
  • It’s the middle of the night. Do you know who your iPhone is talking to? – “This is your data. Why should it even leave your phone? Why should it be collected by someone when you don’t know what they’re going to do with it?” – link
  • In a world of infosec rockstars, shutting down sexual harassment is hard work for victims – link
  • BSides Luxembourg 2019 Wrap-Up – link
  • NFC Beaming Bypasses Security Controls in Android [CVE-2019-2114] – “After this is done, go to the receiver phone, tap the “Beam completed” notification, and tap the file. It will skip directly to the install prompt, bypassing the “Install unknown apps” check.” – link
  • Extended Validation Certificates are (Really, Really) Dead – link
  • Asymmetry in infosec – good article that I disagree with on various points – but great read – “Either way, the choices add up over time into a path that lets an attacker start with a single toehold and turn it into a full compromise.” – “The deeper answer is that we are not good at accounting for the sum of mistakes being larger than the whole of each mistake …” – link
  • Cylance, I Kill You! – important article that demonstrates clearly the downside of all that “AI hype” on the example of one software – “Combining an analysis of the feature extraction process, its heavy reliance on strings, and its strong bias for this specific game, we are capable of crafting a simple and rather amusing bypass.” – “In this post we will show how we can reverse the model of an AI based EPP product, and find a bias enabling a universal bypass. We chose Cylance for practical reasons, namely, it is publicly available and widely regarded as a leading vendor in the field.” – link
  • Microsoft’s new vulnerability tracking service is about IT productivity – link
  • Microsoft Japan’s experiment with 3-day weekend boosts worker productivity by 40 percent – “Productivity went up by a staggering 39.9 percent. That means even though the employees were at work for less time, more work was actually getting done!” – link
  • Capital One removes CISO from role following breach – link
  • Wireshark Column Setup Deepdive – great article about Wireshark tips and tricks – tiny but helpful – link
  • Anatomy of a Hack: SQLi to Enterprise Admin – link
  • Research Project Resources – great link list for academic writing as well as baseline project management tools – link


  • Route Report: Khangai Mountains Traverse, Mongolia – added to ToDo list – link
  • Being ‘Indistractable’ Will Be the Skill of the Future – a super important article about one of the core crafts of our time: to remain indistractable – “… distraction is ‘the process of interrupting attention’ and ‘a stimulus or task that draws attention away from the task of primary interest.’” – “The truth is, we overuse video games, social media, and our cell phones not just for the pleasure they provide, but because they free us from psychological discomfort.” – link
  • Into The Empty Quarter – full movie – link
  • Seven Lonely Days – The Rescue of Alexander Gukov – link
