Infosec Reading List - December 2019

On a monthly basis I will publish my reading recommendations which mainly focus on Information Security (InfoSec) and Outdoor Sports. All InfoSec Reading Lists can be found here. Text in italic represent quotes from the original article.

Quotes from the Twitterverse

---

---

---

---

---

InfoSec

• Intro to SDR and RF Signal Analysis - [link]
• Attacking Private Networks from the Internet with DNS Rebinding - “Local APIs consistently offload trust and security to the private network itself. Why would your local REST API need authorization if your router has it? Entire protocols like UPnP are built around the idea that devices on the same network can trust each other. This is the root of the problem.” - [link]
• Technology Preview: Signal Private Group System - [link]
• The VPN is dying, long live zero trust - well, I doubt that VPN will die that easily in huge multinational landscapes since the transition to a zero trust landscape will take years if not decades – this won’t be an easy game – but for me the “zero trust” approach makes totally sense since it goes hand in hand with the “assume breach” mentality - [link]
• The Growing Problem of Malicious Relays on the Tor Network - [link]
• Can end-to-end encrypted systems detect child sexual abuse imagery? - “Unfortunately, while the concept may be easy to explain, actually realizing it for CSAI-detection immediately runs into a very big technical challenge. This is the result of a particular requirement that seems to be present across all existing CSAI scanners. Namely: the algorithms are all secret.” - [link]
• A technical look at Phone Extraction - great article on forensics of mobile devices - [link]
• How to Spy on Your Neighbors With a USB TV Tuner - “Every device that you own is screaming its name into the infinite void” - [link]
• Why Cybersecurity Isn’t Only a Tech Problem - well, this isn’t actually news, but interesting read anyway - [link]
• BSI Audit Documents of TrueCrypt - [DE] only, 10 years old security audit docs for TrueCrypt have just been released, way too late of course - [link]
• Ransomware Gangs Now Outing Victim Businesses That Don’t Pay Up - this is overdue, I wondered why the bad folks didn’t do this already years ago - [link]
• Inside ‘Evil Corp,’ a $100M Cybercrime Menace - [link]
• Google Dorks - [link]
• Getting Malicious Office Documents to Fire with Protected View Enabled - [link]
• Twelve Million Phones, One Dataset, Zero Privacy - “I can’t say I’m surprised,” Mr. Broili told us in early December. “But knowing that you all can get ahold of it and comb through and place me to see where I work and live that’s weird.” – “Until then, one thing is certain: We are living in the world’s most advanced surveillance system. This system wasn’t created deliberately. It was built through the interplay of technological advance and the profit motive. It was built to make money. The greatest trick technology companies ever played was persuading society to surveil itself.” - [link]
• Introducing Unfurl - “Unfurl takes a URL and expands (“unfurls”) it into a directed graph, extracting every bit of information from the URL and exposing the obscured.” - [link]
• Anti-interdiction Services - “This is a custom add-on service we have provided in the past to high-risk customers who are especially concerned about detecting any tampering with their hardware during shipment.” - [link]
• How these Toronto sleuths are exposing the world’s digital spies while risking their own lives - “The fear is that border officials will confiscate computers or cellphones and scan sensitive data that might put civil rights activists or others involved with Citizen Lab at risk. Team members follow strict protocols to keep information out of reach, but it’s a tense time, nonetheless.” – “It was like we were both playing Columbo to each other,” says Scott-Railton, a senior researcher at the lab.” - [link]

Outdoor

N/A