
Infosec Reading List - July 2025

On a monthly basis I will publish my reading recommendations, which mainly focus on Information Security (InfoSec) and Outdoor Sports. All InfoSec Reading Lists can be found here. Text in italics represents quotes from the original article.

InfoSec

  • O2 VoLTE: locating any customer with a phone call - Any O2 customer can be trivially located by an attacker with even a basic understanding of mobile networking. - [link]
  • We’ve All Been Wrong: Phishing Training Doesn’t Work - “The big finding is that these standard, out-of-the-box industry trainings are not efficacious in preventing users from clicking on emails in the future,” - nothing new, just approached from a more academic point of view - [link]
  • Why Would Anyone Want to Be a CISO Anymore? - Six months after a breach, the stock is often even higher than before (up ~5.9% on average). - A survey of over 2,000 security leaders (by Oxford Economics for Splunk) revealed that nearly half (46%) of security teams spend more time maintaining and managing their tools than actually defending the organization. Moreover, 59% said tool maintenance is their single biggest source of inefficiency. - In fact, layering on AI tools can feel like just another stack to maintain, adding to the integration and false-positive headaches discussed earlier. - I’m not the biggest fan of these surveys (the article quotes a lot of them) that are popping up for each and every topic that is currently moving along the hype cycle. For me it seems like there is a survey result for each opinion that exists out there. But the article has a lot of points which I would consider “valid”. - [link]
  • Airborne: Wormable Zero-Click Remote Code Execution (RCE) in AirPlay Protocol Puts Apple & IoT Devices at Risk - I’m less concerned about the iPhone/iPad/official Mac endpoint devices since they will receive proper patching - what about the more IoT-related devices that have AirPlay receiving enabled? - [link]
  • The EU wants to decrypt your private data by 2030 - For Wilton, policymakers must never forget one simple fact: “Strong encryption isn’t the enemy of security – it’s the starting point for it.” - [link]
  • Google can now read your WhatsApp messages, here’s how to stop it - Last week, some Android users received an email from Google notifying them that starting July 7 (yesterday), Gemini will, as the company puts it, “help you use Phone, Messages, WhatsApp, and Utilities on your phone,” regardless of whether your Gemini Apps Activity is on or off. - [link]
  • CitrixBleed 2: Electric Boogaloo - CVE-2025-5777 - [link]
  • Would you like an IDOR with that? Leaking 64 million McDonald’s job applications - [link]
  • The cryptography behind passkeys - At their core, passkeys are just key pairs used to produce digital signatures. - [link]
  • Has CISO become the least desirable role in business? - “In many cases, the CISO is tasked with managing enterprise risk while remaining structurally underpowered to influence it fully.” - [link]
  • Sil3ncer Deployed – RCE, Porn Diversion, and Ransomware on an SFTP-only Server - Patch early, log often, and never underestimate an attacker’s creativity… or their browser history. - [link]
  • Why I don’t ride the AI Hype Train - now every company is racing to create a product with “AI”. What they really mean is: “you can now use our app through a chat window.” That’s it. - [link]
  • Qantas attack reveals one phone call is all it takes to crack cybersecurity’s weakest link: humans - The Qantas attack came just days after US authorities warned the airline sector had been targeted by a group known as Scattered Spider, using social engineering techniques, including impersonating employees or contractors to deceive IT help desks into granting access, and bypassing multi-factor authentication. - The risks associated with helpdesks are among the most underestimated ones, if you ask me. Who debugs the username / passwd / MFA login problems of your end users? The IT helpdesk. So they have the rights and the power to do so - and are often not skilled and educated enough to understand and respond properly to social engineering attacks. I’m sure we will see more successful attacks via helpdesks in the future. - Searle said attackers like Scattered Spider deliberately targeted third-party systems and outsourced IT support, as seen in the Qantas breach, representing a risk for large companies. - [link]
  • Reflections on OpenAI - An unusual part of OpenAI is that everything, and I mean everything, runs on Slack. - That said, you probably shouldn’t view OpenAI as a single monolith. I think of OpenAI as an organization that started like Los Alamos. - Leadership is quite visible and heavily involved. There are no absentee leaders. - [link]
  • Valve conquered PC gaming. What comes next? - On a practical level, all desks at Valve have wheels, with staff physically shifting themselves around the office to be near the people they’re working with. - worth a read to learn about the key player in the gaming market - [link]
  • Your Browser Is Now Your Enemy: Delivering PHP RCE to Your Local Servers - a PHP vuln combined with DNS rebinding - interesting in the context of locally hosted environments behind NAT - [link]
  • What Happens When People Don’t Understand How AI Works - They are not emotionally intelligent or smart in any meaningful or recognizably human sense of the word. LLMs are impressive probability gadgets that have been fed nearly the entire internet, and produce writing not by thinking but by making statistically informed guesses about which lexical item is likely to follow another. - “We encounter text that looks just like something a person might have said and reflexively interpret it, through our usual process of imagining a mind behind the text. But there is no mind there, and we need to be conscientious to let go of that imaginary mind we have constructed.” - [link]
This post is licensed under CC BY 4.0 by the author.