Infosec Reading List – April 2021
On a monthly basis I publish my reading recommendations, which mainly focus on Information Security and Outdoor Sports.
All InfoSec Reading Lists can be found here.
Best of Twitterverse
- Hacking Chess.com and Accessing 50 Million Customer Records – “The “session_id” values were different for each user. Since it was returning a user object, this meant that they likely belonged to the user versus something that belonged to my session.” – “Since the PHPSESSID was the only means of authorizing users, this meant we could extract this value from any user and hijack their session.” – link
- How to Get Rich Sabotaging Nuclear Weapons Facilities – interesting view on the SolarWinds situation – it focuses on the systemic issues created by the current state of the industry rather than on the attackers themselves – perhaps the incentives are the wrong ones? When will we see the next SolarWinds, or has it already happened? – “Thoma Bravo identifies software companies with a loyal customer base but middling profits and transforms them into moneymaking engines by retooling pricing, shutting down unprofitable business lines and adding employees in cheaper labor markets.” – “In a sense, this hack, and many more like it, will continue to happen, as long as men like Bravo get rich creating security vulnerabilities for bad actors to exploit.” – “Though I hate the phrase, the real scandal isn’t what’s illegal, it’s what is legal.” – “But in some ways it’s not that complex; the problem isn’t that Russians are good at hacking and U.S. defenses are weak, it’s that financiers in America make more money by sabotaging key infrastructure than by building it.” – link
- Whistleblower: Ubiquiti Breach “Catastrophic” – “Adam says the attacker(s) had access to privileged credentials that were previously stored in the LastPass account of a Ubiquiti IT employee, and gained root administrator access to all Ubiquiti AWS accounts, including all S3 data buckets, all application logs, all databases, all user database credentials, and secrets required to forge single sign-on (SSO) cookies.” – see my Infosec Reading List in January 2021: “I still struggle to understand why we need online, cloud-based accounts for local WIFI hardware – do we really need to put everything on the Internet simply because we can?” – link
- Cybersecurity: Council adopts conclusions on the EU’s cybersecurity strategy – “the need to support the development of strong encryption as a means of protecting fundamental rights and digital security, while at the same time ensuring the ability of law enforcement and judicial authorities to exercise their powers both online and offline” – I’m looking forward to solid proposals on this topic that do not fall back into the old schema of “we need backdoors for the good to fight the bad” – link
- Exploiting vulnerabilities in Cellebrite UFED and Physical Analyzer from an app’s perspective – “We are of course willing to responsibly disclose the specific vulnerabilities we know about to Cellebrite if they do the same for all the vulnerabilities they use in their physical extraction and other services to their respective vendors, now and in the future.” – link
- ‘Smart’ Cities Are Surveilled Cities – “One of the paradoxes of a hyperconnected world is that the smarter a city gets, the more exposed it becomes to a widening array of digital threats.” – link
- Anatomy of how you get pwned – link
- Reflections on a Man in his Wilderness – link