Infosec Reading List – July 2020
On a monthly basis I will publish my reading recommendations which mainly focus on Information Security and Outdoor Sports.
All InfoSec Reading Lists can be found here.
Best of Twitterverse
- Certifiably “F”ine – “It’s possible to further reduce the scope of potential compromise by generating your own unique offline trust root and pinning that signing certificate into the app. This approach completely eliminates third-party trust from the certificate signature equation, and it’s exactly what Signal does.” – an important article that explains the weaknesses of SSL testing applications and what Signal does about it – link
- The more cybersecurity tools an enterprise deploys, the less effective their defense is – well, this doesn’t sound like a surprise to me – the effect of tools and technologies is often overrated in an enterprise context. This is bad news to the sales folks out there, but the real game changer is the integration of a specific technology into the enterprise landscape via effective and efficient services that the business can or even must leverage. Technologies need to support services that are adding value to reduce the risk – technology alone is mostly useless. What does an AV help in case nobody stares at the logs and cleans up false-positives? – link
- Moroccan Journalist Targeted With Network Injection Attacks Using NSO Group’s Tools – “Until early 2018, NSO Group’s customers were found primarily using SMS and WhatsApp messages in order to trick targets into opening a malicious link, which would result in exploitation and infection of their mobile devices.” – “… network injections allow for the automatic and invisible redirection of targets’ browsers and apps to malicious sites under the attackers’ control, most likely unknown to the victim.” – “Therefore, despite the unlawful surveillance of Maati Monjib and Abdessadak El Bouchattaoui that Amnesty International uncovered and documented in October 2019, we conclude that the Moroccan government actively remained a customer of NSO Group until at least January 2020 and continues to unlawfully target HRDs, such as in the case of Omar Radi.” – link
- Maersk, me & notPetya – this is actually a great article that I strongly recommend to read since it contains a lot of important lessons that I assume none of us wants to repeat – “Yes, it is inevitable that you will be attacked. It is inevitable that one day, one will get through.” – “Within a couple of hours, it was clear this had impacted every single domain-joined Windows laptop, desktop, virtual machine and physical server around the planet. The organisation had just been sent back into the dark ages.” – “Yes, things like network segmentation would help to slow the spread. Things like a SOC would help us see the activity before the fateful day arrived. Patching would absolutely have helped (seriously, if you are waiting to install critical security patches you are doing it wrong). But ultimately, the fundamental risk we had failed to address was management of privileged access” – link
- Qubes Architecture Next Steps: The New Qrexec Policy System – link
- Uncovering a Massive Hack-For-Hire Operation – link
- 17-Year-Old Critical ‘Wormable’ RCE Vulnerability Impacts Windows DNS Servers – link
- Hackers Tell the Story of the Twitter Attack From the Inside – “The Times verified that the four people were connected to the hack by matching their social media and cryptocurrency accounts to accounts that were involved with the events on Wednesday.” –> seems like a basic OpSec failure – link
- CJEU invalidates “Privacy Shield” in US Surveillance case. SCCs cannot be used by Facebook and similar companies – “This judgment is not the cause of a limit to data transfers, but the consequence of US surveillance laws. You can’t blame the Court for saying the unavoidable – when shit hits the fan, you can’t blame the fan.” – link
- Seven ‘no log’ VPN providers accused of leaking yup, you guessed it 1.2TB of user logs onto the internet – it’s nothing new, just a constant confirmation that VPN vendors should be considered as “not trustworthy” by default and normal users should not use VPNs unless their threat model demands it, example: If I use an unencrypted web service via a public unencrypted WIFI, I would recommend to use a VPN instead – but that’s basically the only rare case that comes to my mind right now – link
- Why is Signal asking users to set a PIN, or “A few thoughts on Secure Value Recovery” – “My major issue with SVR is that it’s something I basically don’t want, and don’t trust. I’m happy with Signal offering it as an option to users, as long as users are allowed to choose not to use it.” – “Nobody is going to engineer something as complex as Signal’s SVR just to store contact lists. Once you have a hammer like SVR, you’re going to want to use it to knock down other nails. You’ll find other critical data that users are tired of losing, and you’ll apply SVR to back that data up. Since message content backups are one of the bigger pain points in Signal’s user experience, sooner or later you’ll want to apply SVR to solving that problem too.” – link