Post

Infosec Reading List - February 2024

Posted
Preview Image
By Dominik Birk
3 min read

On a monthly basis I will publish my reading recommendations which mainly focus on Information Security (InfoSec) and Outdoor Sports. All InfoSec Reading Lists can be found here. Text in italic represent quotes from the original article.

Quotes from the Twitterverse

Desktop View

Desktop View

InfoSec

  • Buying Spying: How the commercial surveillance industry works and what can be done about it - If governments ever claimed to have a monopoly on the most advanced cyber capabilities, that era is over. The private sector is now responsible for a significant portion of the most sophisticated tools we detect. - in the detailed PDF linked in the article the above sentence is further explained: In 2023, TAG discovered 25 0-days being actively exploited in-the-wild, 20 of which were exploited by CSVs. - this is quite an interesting number. Generally, the PDF including the more detailed report is worth a read: For €8 million the customer receives the capability to use a remote 1-click exploit chain to install spyware implants on Android and iOS devices, with the ability to run 10 concurrent spyware implants at any one time. - [link]
  • Canada bans Flipper Zero over what it imagines it does - Canada’s intent to ban the Flipper Zero wireless tool over car thefts is, on the one hand, an everyday example of poorly researched government action. - it will become increasingly important that a) the tech industry supports politicians to make fact-based, educated decisions that address the root cause of issues while b) politicians are listening to tech advisors before they make the actual political decision. This is just the tip of the iceberg - let‘s imagine how judgement like this can end up in more serious areas. - [link]
  • Hacking a Smart Home Device - nice, interesting and detailed writeup about reversing an ESP32-based iot device - [link]
  • sPACE Attack: Spoofing eID’s Password Authenticated Connection Establishment - Why does the attack work? The German eID scheme lacks a secure PIN entry mechanism for basic readers, as highlighted above. Considering that the physical chip is in proximity to the device where the PIN is entered, Mallory can exploit both the hardware factor (using APDU redirection) and the knowledge factor (by intercepting the PIN entry) in a single attack. - [link]
  • The buck stops here: Why the stakes are high for CISOs - CISOs should be mindful about what they circulate internally and ensure contentious decisions or requests from the C-suite are always recorded in writing. only written evidence is good evidence - [link]
  • Bypassing Wi-Fi Authentication in Modern WPA2/3 Networks - [pdf] - [link]
  • JavaScript Bloat in 2024 - it’s interesting to see where this is moving - [link]
  • My Simple Habit for Smarter Book Reading - article about this important topic: You read an author with a bold proclamation, Y, which they claim is the right way to think about X. … Someone points out some of the flaws in Y. … Now you feel hoodwinked - I don’t believe critical thinking is a skill at all. Instead, most of what we refer to as critical thinking is simply knowing more about the topic being discussed. - [link]
  • Malicious AI models on Hugging Face backdoor users’ machines - At least 100 instances of malicious AI ML models were found on the Hugging Face platform, some of which can execute code on the victim’s machine, giving attackers a persistent backdoor. - this was expected to happen - [link]
  • Ethernet for Hackers: The very basics - [link]
  • Why Adopting GenAI Is So Difficult - At best, they are in an exploratory phase with traditional AL, and at worst they’re simply feeling lost. A recent study suggested that more than 70% of the large companies surveyed were still wondering how to reap the potential benefits that AI can offer. - [link]

Outdoor

  • A Complicated Route: How One Man Hiked 2,600km from India to Nepal - [link]
infosec readinglist
This post is licensed under CC BY 4.0 by the author.