Infosec Reading List - January 2020

On a monthly basis I will publish my reading recommendations which mainly focus on Information Security (InfoSec) and Outdoor Sports. All InfoSec Reading Lists can be found here. Text in italic represent quotes from the original article.

Quotes from the Twitterverse

---

---

---

---

---

InfoSec

• Wifi deauthentication attacks and home security - kicking surveillance cameras out of the network using deauthentication frames - [link]
• Yet Another Librem 5 and PinePhone comparison - while not all of the steps these products are taking make sense to me, I strongly believe that they will play an important role in the future to get mobiles to the market that people can use in a sustainable but secure way - this is not the case today with the core global players that we are all using - [link]
• We’re telling Google: privacy shouldn’t be a luxury - But, at the moment, many Android Partners are manufacturing or selling devices that contain pre-installed apps that cannot be deleted (often known as “bloatware”), which can leave users vulnerable to their data being collected, shared and exposed without their knowledge or consent.” - see link above, that’s the reason why it is important to support free alternatives that do not have a financial model as first priority - [link]
• Sometimes once is better than a lifetime - “Today’s beta releases of Signal for Android and iOS include a new way to send individual photos and videos that are automatically removed from a conversation thread after they have been viewed.” - be aware that a similar feature has already been available in Signal since years: automatically removing messages after hours/days etc. - why is this so important? Because it’s a different mindset than most of the messengers offer today: don’t store everything but instead focus on the stuff that is really valuable in the moment - [link]
• Tricky Phish Angles for Persistence, Not Passwords - interesting approach: not phishing for passwords, but phishing for approval - [link]
• Getting Serious About Open Source Security - “No, really. Every time you pip install, go get, or mvn fetch something, you’re doing the equivalent of plugging a thumb drive you found on the sidewalk into your production server.” - [link]
• Hackers hit Norsk Hydro with ransomware. The company responded with transparency - [link]
• Sodinokibi Ransomware Publishes Stolen Data for the First Time - “Expect to see more ransomware operators begin to use stolen data as leverage for payments soon as it becomes the norm in attacks.” - [link]
• Hacking ‘Docker’, the Shodan way! - “In all, the learning is to never expose your docker host API over the public. By default, it doesn’t have any authentication.” - [link]
• Top Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition) - [link]
• Cyber Attack Trends: 2019 Mid-Year Report - it’s interesting to look back and compare today vs the past - [pdf] - [link]
• Before You Use a Password Manager - an extensive view on using password managers - [link]
• Technical Report of the Bezos Phone Hack - [link]
• How Messaging Has Changed Human Interaction - a great article about the evolution of chat programs and their small little impact on privacy - “Read receipts aren’t about informing us whether our message was successfully delivered. They’re about offering us a glimpse into another person’s life. And while we’ve come to accept them as a constituent of modern messaging apps, time will tell whether they’ll remain so.” - “It’s knowing you can go online without having to fear what our online status may reveal about you. It’s about liking someone’s photo without the anxiety of being called out for it. And above anything, it’s about reading a message, without feeling guilty of not sending an immediate response.” - [link]
• Big Game Ransomware being delivered to organisations via Pulse Secure VPN - [link]
• Brief Analysis of the FDLP.gov Deface - [link]

Outdoor

N/A