Infosec Reading List – December 2019

View from Piton des Neiges

On a monthly basis I will publish my reading recommendations which mainly focus on Information Security and Outdoor Sports.

All InfoSec Reading Lists can be found here.

Best of Twitterverse







  • Intro to SDR and RF Signal Analysislink
  • Attacking Private Networks from the Internet with DNS Rebinding – “Local APIs consistently offload trust and security to the private network itself. Why would your local REST API need authorization if your router has it? Entire protocols like UPnP are built around the idea that devices on the same network can trust each other. This is the root of the problem.” – link
  • Technology Preview: Signal Private Group Systemlink
  • The VPN is dying, long live zero trust – well, I doubt that VPN will die that easily in huge multinational landscapes since the transition to a zero trust landscape will take years if not decades – this won’t be an easy game – but for me the “zero trust” approach makes totally sense since it goes hand in hand with the “assume breach” mentality – link
  • The Growing Problem of Malicious Relays on the Tor Networklink
  • Can end-to-end encrypted systems detect child sexual abuse imagery?“Unfortunately, while the concept may be easy to explain, actually realizing it for CSAI-detection immediately runs into a very big technical challenge. This is the result of a particular requirement that seems to be present across all existing CSAI scanners. Namely: the algorithms are all secret.”link
  • At war with the truthlink
  • A technical look at Phone Extraction – great article on forensics of mobile devices – link
  • How to Spy on Your Neighbors With a USB TV Tuner – “Every device that you own is screaming its name into the infinite void” – link
  • Why Cybersecurity Isn’t Only a Tech Problem – well, this isn’t actually news, but interesting read anyway – link
  • BSI Audit Documents of TrueCrypt – [DE] only – 10 years old security audit docs for TrueCrypt have just been released – way too late of course – link
  • Ransomware Gangs Now Outing Victim Businesses That Don’t Pay Up – this is overdue – I wondered why the bad folks didn’t do this already years ago – link
  • Blue Team Fundamentals“The basics are called the basics for a reason, it’s amazing how many companies don’t apply them.”link
  • Inside ‘Evil Corp,’ a $100M Cybercrime Menacelink
  • The Year of the Phish“While I will hopefully share more details about some of those in the future, I decided to release now a 25GB archive of data on the latest 100’000 phishing sites one of my systems processed.”link
  • Google Dorkslink
  • Getting Malicious Office Documents to Fire with Protected View Enabledlink
  • Twelve Million Phones, One Dataset, Zero Privacy “I can’t say I’m surprised,” Mr. Broili told us in early December. “But knowing that you all can get ahold of it and comb through and place me to see where I work and live that’s weird.”“Until then, one thing is certain: We are living in the world’s most advanced surveillance system. This system wasn’t created deliberately. It was built through the interplay of technological advance and the profit motive. It was built to make money. The greatest trick technology companies ever played was persuading society to surveil itself.”link
  • Introducing Unfurl “Unfurl takes a URL and expands (“unfurls”) it into a directed graph, extracting every bit of information from the URL and exposing the obscured.”link
  • Anti-interdiction Services“This is a custom add-on service we have provided in the past to high-risk customers who are especially concerned about detecting any tampering with their hardware during shipment.”link
  • How these Toronto sleuths are exposing the world’s digital spies while risking their own lives“The fear is that border officials will confiscate computers or cellphones and scan sensitive data that might put civil rights activists or others involved with Citizen Lab at risk. Team members follow strict protocols to keep information out of reach, but it’s a tense time, nonetheless.”“It was like we were both playing Columbo to each other,” says Scott-Railton, a senior researcher at the lab.”link
  • From Zero to Lateral Movement in 36 Minutes“As always, do not put RDP directly on the internet.”link

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s