Infosec Reading List - February 2020

On a monthly basis I will publish my reading recommendations which mainly focus on Information Security (InfoSec) and Outdoor Sports. All InfoSec Reading Lists can be found here. Text in italic represent quotes from the original article.

Quotes from the Twitterverse

---

---

---

---

---

InfoSec

• How we hacked our colleague’s smart home - target is the Fibaro Smart Home system in this case, IoT madness – “After testing the cloud methods for processing requests from the device, we discovered a vulnerability linked to an authorization error allowing an intruder to list the backup copies of any user, upload backup copies to the cloud, and download them without having any rights in the system.” - [link]
• The cyber attack the UN tried to keep under wraps - “Researcher Linnet Taylor, associate professor at Tilburg Law School, said a desire to sweep bad news under the carpet is “normal in every sector which is why we make laws to prevent it”.” - [link]
• How I found the hacker behind a 850,000 computers botnet - “For each one I tried to see if I can find doxxable information, and indeed, I quickly identified that the hacker forgot to block his whois record for the domain Newblackage(.)com:” - [link]
• 5G Security - “5G security is just one of the many areas in which near-term corporate profits prevailed against broader social good. In a capitalist free market economy, the only solution is to regulate companies, and the United States has not shown any serious appetite for that.” - [link]
• 5G: The outsourced elephant in the room - “Just to let that sink in, Huawei (and their close partners) already run and directly operate the mobile telecommunication infrastructure for over 100 million European subscribers.” – “Similarly, any worries about “the Chinese” being able to disrupt our communications through backdoors ignore the fact that all they’d need to do to disrupt our communications.. is to stop maintaining our networks for us!” - [link]
• Explained: the strengths and weaknesses of the Zero Trust model - “Implementing a Zero Trust security model in an organization is not simply a change in mindset. It will require a clear view of functions within the company’s departments, currently-deployed software, access levels, and devices, and what each of those requirements will look like in the future.” - [link]
• Average tenure of a CISO is just 26 months due to high stress and burnout - we had this already covered last year in the monthly Infosec Reading List February 2019 - “Nominet said that 29% of CISOs who answered the survey said they’d be fired in the event of a breach, while 20% said they’d be fired anyway, even if they were responsible or not.” - [link]
• Apple vs Law Enforcement: Cloudy Times - “C’mon, Apple, please do not call it “end-to-end”, that term is reserved for the case when some data can be only decrypted at the end point, because it is the only place that holds the decryption key. Yes, trusted iPhones do have the key, but we can get one even from the outside and without access to the device. This isn’t exactly end-to-end, is it?” – “All that data is stored in iCloud and synchronized across “trusted devices”. In case if you did not know, the key to decrypt that data is also stored in iCloud (even if Apple wants you and the law enforcement to believe otherwise).” – “Next, it is not clear what really happens when you delete the data. In the past, we found some of the data to remain on Apple’s server past the advertised retention time, including media files (photos and videos), Web history and notes. Moreover, we have found a way to extract it.” – we should be aware of the limitations that Apple offer - [link]
• How Attackers Could Hijack Your Android Camera to Spy on You - “To properly demonstrate how dangerous this could be for Android users, our research team designed and implemented a proof-of-concept app that doesn’t require any special permission beyond the basic storage permission.” – not good, demonstrates that the Android permission model had some fundamental issues - [link]
• How to decrypt WhatsApp end-to-end media files - [link]
• Salary Negotiation: Make More Money, Be More Valued - [link]
• Building a more private web: A path towards making third party cookies obsolete - [link]
• Protecting users from insecure downloads in Google Chrome - [link]
• Burn, drown, or smash your phone: Forensics can extract data anyway - [link]
• U.S. Charges 4 Chinese Military Officers in 2017 Equifax Hack - [link]
• Report: 1,000s of Plastic Surgery Patients Exposed in Massive Data Leak - [link]
• The Journey to Hijacking a Country’s TLD – The Hidden Risks of Domain Extensions - [link]

Outdoor

• Man Survives for 3 Weeks in Alaska With No Shelter - [pdf] - [link]