Infosec Reading List – June 2020

On a monthly basis I will publish my reading recommendations, which mainly focus on Information Security and Outdoor Sports.
All InfoSec Reading Lists can be found here.
Best of Twitterverse
InfoSec
- Zero-day in Sign in with Apple – “For this vulnerability, I was paid $100,000 by Apple under their Apple Security Bounty program.” – “I found I could request JWTs for any Email ID from Apple and when the signature of these tokens was verified using Apple’s public key, they showed as valid.” – link
- Blur tools for Signal – “One immediate thing seems clear: 2020 is a pretty good year to cover your face.” – link
- Looking back at how Signal works, as the world moves forward – “The only Signal user data we have, and the only data the US government obtained as a result, was the date of account creation and the date of last use, not user messages, groups, contacts, profile information, or anything else.” – “We do not believe that security and privacy are about “responsibly” managing your data under our control, but rather about keeping your data out of anyone else’s hands, including our own.” – link
- Privilege Escalation in Google Cloud Platform’s OS Login – link
- Top #10 Vulnerabilities: Internal Infrastructure Pentest – link
- How I made $31500 by submitting a bug to Facebook – link
- Analysing the (Alleged) Minneapolis Police Department “Hack” – “Thirdly, this is getting traction because emotions are high; public outrage is driving a desire for this to be true, even if it’s not.” – link
- Discord client turned into a password stealer by updated malware – link
- Pinebook Pro review – a $200 FOSS-to-the-hilt magnesium-chassis laptop – link
- Hidden Profits: How Criminals are Using Cyber Attacks for Stock Market Gain – link
- The A1 Telekom Austria Hack – they came in through the web shells – “A1 confirmed the existence of webshells and the validity of the passwords, although they were old and most of them not used anymore.” – link
- Thai Database Leaks 8.3 Billion Internet Records – link
- Guy Who Reverse-Engineered TikTok Reveals The Scary Things He Learned, Advises People To Stay Away From It – link
- Promotions. The reward for good work is more work. – link
- Fixers Know What ‘Repairable’ Means – Now There’s a Standard for It – “The problem is, industry won’t do this by itself. Managers get ahead by showing quarterly sales growth, not increased product lifespans.” – link
- What’s The Deal With Snap Packages? – link
- Hacking Starbucks and Accessing Nearly 100 Million Customer Records – “By adding the “$count” parameter from Microsoft Graph URL, we could determine that the service had nearly 100 million records. An attacker could steal this data by adding parameters like “$skip” and “$count” to enumerate all user accounts.” – link
- Report: Facebook Helped the FBI Exploit Vulnerability in a Secure Linux Distro for Child Predator Sting – “But they did so quietly and without notifying the developers of Tails afterwards of the major security flaw, potentially violating security industry norms while handing over a surveillance backdoor to federal agents.” – “Facebook also never notified the Tails team of the flaw, breaking with a long industry tradition of disclosure in which the relevant developers are notified of vulnerabilities in advance of them becoming public so they have a chance at implementing a fix.” – link
Outdoor
- Hikers Survive 19 Days Lost in New Zealand Bush – link
- Surviving the Desert: Pt 1 The approach: My strategies & fears – great article, the author uses the Monowalker in South America, very interesting for me to see it in use – link
Thank you for your list!!