Infosec Reading List - December 2018
On a monthly basis I will publish my reading recommendations which mainly focus on Information Security (InfoSec) and Outdoor Sports. All InfoSec Reading Lists can be found here. Text in italic represent quotes from the original article.
Quotes from the Twitterverse
InfoSec
- Zero-day RCE via XXE & SSRF on NetGear Stora, SeaGate Home, and Medion LifeCloud NAS - [link]
- How to Use DNS Analytics to Find the Compromised Domain in a Billion DNS Queries - “Finding a needle in a haystack is hard, but it’s nothing compared to finding a single piece of hay in the haystack that was put there with malicious intentions.” - [link]
- What the Marriott Breach Says About Security - Krebs regarding the latest Marriott Breach - “But anytime we see such a colossal intrusion go undetected for so long, the ultimate cause is usually a failure to adopt the most important principle in cybersecurity defense that applies to both corporations and consumers: Assume you are compromised.” - you can find my opinion regarding this principle here In case you follow the “assume breach principle”, the risk avoidance via deleting unnecessary data is a key step. As it seems, even US senators have heard that bell ringing: “We must pass laws that require data minimization, ensuring companies do not keep sensitive data that they no longer need.” - [link]
- Hiding Through a Maze of IoT Devices - hint: run port scans, close unnecessary ports even if you do not consider them as important (UPnP!) – scan again – repeat - [link]
- Facebook internal emails published by UK Parliament - [link]
- Locking Down Signal: A Guide for Journalists - “Even when your phone is locked with a password, anyone who picks it up can still read the message and sender name from your lock screen.” - probably one of the most common security failures - be aware that this could even include 2-factor-authentication tokens coming in via SMS - so lock your device properly or you are still at risk when your phone gets stolen even in case the adversary cannot access your phone / unlock the screen - [link]
- Which of the OWASP Top 10 Caused the World’s Biggest Data Breaches? - there are some pretty obvious results in this research which however are great to get confirmed: “Which OWASP Vulnerabilities are missing from the top 50 breaches? A3-XSS and A8-CSRF + A10-Unvalidated Redirects and Forwards” - [link]
- On Ghost Users and Messaging Backdoors - “What, exactly, is “responsible encryption”? Well, that’s a bit of a problem. Nobody on the government’s side of the debate has really been willing to get very specific about that.” - [link]
- Mondelez’s NotPetya cyber attack claim disputed by Zurich: Report - “He explains that the onus will be on Zurich to prove that the exclusion applies, but this could also be a difficult task given the information to prove where the NotPetya malware actually came from could be a guarded state secret.” – the outcome of this could be interesting and important for further cyber insurance cases - [link]
Outdoor
This post is licensed under CC BY 4.0 by the author.