View on La Reunion

Infosec Reading List – November 2019

On a monthly basis I will publish my reading recommendations which mainly focus on Information Security and Outdoor Sports.

All InfoSec Reading Lists can be found here.

Best of Twitterverse

tweet6


tweet2


tweet3


tweet4


tweet5

InfoSec

  • Protecting our users from a video calling cyber attack – remember, not only WhatsApp had an issue like this, but also Signal – the link to the Signal issue can be found in the September reading listlink
  • Reverse Engineering of a Not-so-Secure IoT Device – nice overview of reversing an IoT device and intercepting LoRa traffic – link
  • 2019 Mobile Threat Landscape Report – [pdf] – “Mobile malware running on the Android operating system is the mostprevalent at this time, driven by the ease of installing new applications from third-party sources.”link
  • Researchers Think They Know How Many Phones Are Vulnerable to ‘SIMjacker’ Attackslink
  • Your Pa$$word doesn’t matter – article around different ways to get access to a password including password spraying, cracking databases etc. – “Your password doesn’t matter, but MFA does! Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA.”link
  • Using Flight Tracking For Geolocation Quiztime 30th October 2019 – awesome OSINT work based on weather data, google earth and flight data – link
  • Lessons from Our Zero Trust Journey – summary of Google Zero Trust articles – link
  • Phineas Fisher Offers $100,000 Bounty to Hack Banks and Oil Companies“I robbed a bank and gave the money away,” Phineas Fisher wrote in the manifesto. “Computer hacking is a powerful tool to fight economic inequality.” – The hacker also explained that they got into The Cayman Bank and Trust Company using the same exploit they used against Hacking Team: targeting a vulnerable virtual private network and firewall appliance.link
  • Facebook and Google’s pervasive surveillance poses an unprecedented danger to human rights“Google and Facebook dominate our modern lives amassing unparalleled power over the digital world by harvesting and monetizing the personal data of billions of people. Their insidious control of our digital lives undermines the very essence of privacy and is one of the defining human rights challenges of our era,”link
  • iVerify App Launched To Provide Security Oversight and Recommendations to iPhone Users – interesting security recommendations for iOS users – also interesting is the aspect that newer hardware provides a better protection for the enduser – this means, that Apple requires you to constantly buy new devices in order to stay secure – link
  • The Economic Inequality of Mobile Security“Wherever the needle points at the moment, whether to Apple or Google, today the answer generally boils down to digging into the wallet for serious money to spend on a new phone. And this is the essence of the problem I want to address here.” “You could instead attribute that to capitalism, shining through the lenses of brand new Triple Cameras or a Super Retina XDR display with a gazillion colors.” – this is a very important aspect that demonstrates that your social status also heavily impacts your defense capabilities in the “cyber” world – this is not fair – “Mobile security has become a luxury for the rich, because smartphones were turned into luxury items, while at the same time having become necessary survival accessories for daily life “link
  • Phineas Phisher – Hack Back – Bank – some quotes from the pastebin article in order to understand the technical aspects of the hacks – be aware: this is the translated version into English – the authenticity needs to be challenged anytime:“None of the financial hacks I made, or those I’ve known, have ever been reported. This is going to be the first, and not because the bank wanted to, but because I decided to publish it.” – “They only used password authentication to access the application with which they connected to the SWIFT network.” – “I used Get-Keystrokes, modifying it so that instead of storing the pressed keys, a GET request is made to my server every time it is detected that they have entered a username. This request adds the username to the url and, as they type the token, several GETs are made with the token digits concatenated to the url.” – “Then I started scanning the entire internet with zmap and zgrab to identify other vulnerable devices. I had the scanner save the vulnerable IPs, along with the common and alt names of the device’s SSL certificate, the device’s Windows domain names, and the reverse DNS lookup of the IP. I grepped the results for the word “bank”, and there were plenty to choose from, but the truth is that I was attracted to the word “Cayman”, and that’s how I came to choose this one.” – “A fun suggestion for you to follow the investigations of your hacks is to have a backup access, one that you won’t touch unless you lose normal access. I have a simple script that expects commands once a day, or less, just to maintain long-term access in case they block my regular access.” – “In this operation, as in, I used a lot of powershell. Then, powershell was super cool, you could do almost anything you wanted, without antivirus detection and with very little forensic footprint.” – “The two most important skills for practical hacking are phishing and social engineering to get initial access, and then being able to climb and move through the Windows domains.” – “A basic knowledge of web application security is useful, but specializing more in web security is not really the best use of your time, unless you want to make a career in pentesting or chasing bug rewards.” – “I will pay up to 100 thousand USD for each filtration of this type, according to the public interest and impact of the material, and the labor required in the hacking. Needless to say, a complete leak of the documents and internal communications of any of these companies will be a benefit for society that exceeds those one hundred thousand, but I am not trying to enrich anyone.”
  • Laser-Based Audio Injection on Voice-Controllable Systems“Light Commands is a vulnerability of MEMS microphones that allows attackers to remotely inject inaudible and invisible commands into voice assistants, such as Google assistant, Amazon Alexa, Facebook Portal, and Apple Siri using light. “link
  • The Story Behind the Iran Cableslink
  • Addicted to Screens? That’s Really a You Problem“A movement to be ‘post-digital’ will emerge in 2020,” Mr. Fogg wrote last month. “We will start to realize that being chained to your mobile phone is a low-status behavior, similar to smoking.” – Unlike the other newly wary, though, Mr. Eyal does not think tech is the problem. We are.link
  • Saudi Aramco: What happens when the Blue Team wins at Cyber Security?link

Outdoors

  • The Man Who Paddled a Kayak From Germany to Australia“Speck had paddled more than 30,000 miles, crossed the Mediterranean Sea and some of the Indian Ocean’s most treacherous straits. He’d survived numerous capsizings, potshots, machete attacks and malaria. But the events of Europe still reached him, clear on the other side of the world.” link
  • Gear List: What I carried in the desert – interesting article from a lady that used the Monowalker carrier to cross some deserts in South America – link

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s