Infosec Reading List – July 2021
On a monthly basis I will publish my reading recommendations, which mainly focus on Information Security and Outdoor Sports.
All InfoSec Reading Lists can be found here.
Best of Twitterverse
- What’s on the minds of CISOs? New responsibilities, future risks and hiring talent – recommended read/audio – link
- Kaseya supply chain attack delivers mass ransomware event to US companies – summary of the Kaseya situation – link
- The 10 Best Tools to Stay Mentally Sharp at Work – link
- We Need To Talk About The Insecurity Industry – great article by Snowden about the impact of Pegasus – “The people creating the software behind every device of any significance—the people who help to make Apple, Google, Microsoft, an amalgamation of miserly chipmakers who want to sell things, not fix things, and the well-intentioned Linux developers who want to fix things, not sell things—are all happy to write code in programming languages that we know are unsafe, because, well, that’s what they’ve always done, and modernization requires a significant effort, not to mention significant expenditures.” – “If hacking is not illegal when we do it, then it will not be illegal when they do it—and ‘they’ is increasingly becoming the private sector. It’s a basic principle of capitalism: it’s just business. If everyone else is doing it, why not me?” – “In technology as in public health, to protect anyone, we must protect everyone. The first step in this direction—at least the first digital step—must be to ban the commercial trade in intrusion software.” – link
- [Q&A #02] Bombs vs. Bugs – “When you fire a rocket or drop a bomb, you don’t have to worry about the target catching it and throwing it back at you. But with exploits, every time you use it, you run the risk of losing it.” – link
- How the Kaseya VSA Zero Day Exploit Worked – “However, in the case that all checks failed, it would default to an else clause that sets ‘loginOK’ to true.” – web-based attack of course – link
- Metrics: Useful or Evil? – link
- A case against security nihilism – “The problem that companies like Apple need to solve is not preventing exploits forever, but a much simpler one: they need to screw up the economics of NSO-style mass exploitation.” – link
- A P O P H E N I A – “Here’s a better way to think: in an apophenic, information-glutted world where you can basically find evidence for any theory you want, where people inhabit separate online realities, we should focus on falsifiability (which can be tested) over supportability (which cannot).” – link
- The Pegasus Project – important article about the general issue with the Pegasus/NSO situation from a person sitting directly at the source – “Companies like NSO would have you think tools like Pegasus are critical to protecting us all from terrorism and organised crime, and the occasional abuse is only anecdotal. This fiction is the product of the secrets and lies of a murky industry which grew too powerful and unregulated. The Pegasus Project reveals a much darker reality.” – “The tech sector needs to take a hard look, and reach down in its deep pockets to find the money necessary to unfuck this situation.” – link
- From Stolen Laptop to Inside the Company Network – “To recap, we took a locked down FDE laptop, sniffed the BitLocker decryption key coming out of the TPM, backdoored a virtualized image, and used its VPN auto-connect feature to attack the internal corporate network. That is one way to go from stolen laptop to internal compromise.” – link