Infosec Reading List - June 2017

On a monthly basis I publish my reading recommendations, which mainly focus on Information Security (InfoSec) and outdoor sports. All InfoSec Reading Lists can be found here. Text in italics represents quotes from the original article.

Quotes from the Twitterverse



  • Enterprise Mobile Apps Expose Sensitive Data via Backend Systems - “While the connection between the mobile app, its API and the Elasticsearch data store is typically secure, the Elasticsearch server is often exposed to the Internet.” - [link]
  • Why Is Cybersecurity So Hard? - “As long as we treat cybersecurity as a technical problem that should have easy technical solutions, we will continue to fail. If we instead develop solutions that address the reasons why cybersecurity is a hard problem, then we will make progress.” - [link]
  • Penetration Testing Skype for Business: Exploiting the Missing Lync - [link]
  • Law Firm Takes Cyber Insurance Provider to Court for Not Covering US$700,000 in Ransomware Losses - [link]
  • How The Intercept Outed Reality Winner - converting the scanned document to plain text would have mitigated this, but would also have destroyed some of the indicators that the leaked documents are authentic - [link]
  • Top-Secret NSA Report Details Russian Hacking Effort Days Before 2016 Election - “Democratic elections serve two purposes. The first is to elect the winner. But the second is to convince the loser.” - [link] - [link]
  • How and why to hire a CISO - Do they want to side-line their hard-earned technical skills in favor of developing softer skills “they have never been taught?” - [link]
  • How we hacked more than 10,000 user accounts at the University of Amsterdam - [link]
  • Impact of Swiss surveillance laws on secure email - “The Swiss surveillance law is similar to the one which was recently approved in Germany. However, there are some differences. The Swiss version requires sign off by a judge and needs to go through two levels of judiciary for approval. The Swiss also don’t have a history of cooperating with the US, unlike German intelligence.” - [link]
  • *bleed continues: 18 byte file, $14k bounty, for leaking private Yahoo! Mail images - “I’m donating this reward to charity. Upon being asked about charitable matching, Yahoo! accepted a suggestion to match (i.e. double) the reward to $28,000.” and “As you can now see, the attacker could simply create an RLE image that has header flags that do not request canvas initialization, followed by an empty list of RLE protocol commands. This will result in an uninitialized canvas being used as the result of the image decode.” - [link]
  • How I could’ve taken over the production server of a Yahoo acquisition through command injection - [link]
  • De-anonymizing Facebook Ads - [link]
  • Amazon Echo, Google Home devices raise privacy rights questions - “Because technology is invading our homes and our lives in pervasive ways that we can’t dream of escaping, I think we need a societal conversation about what aspects of that technology are going to be available to law enforcement period,” - [link]
  • Rash of in-the-wild attacks permanently destroys poorly secured IoT devices - a botnet on IoT destruction course - [link]
  • Analysis of a Ford Sync Gen 1 Module - [link]
  • Advanced CIA firmware has been infecting Wi-Fi routers for years - a compromised router is bad news: it puts the adversary between you and the Internet so they can attack your sensitive, encrypted sessions, lets them target other devices inside your LAN directly, and so on, which is exactly what this implant is built to do according to the WikiLeaks documents - [link] - [link]
  • Something is wrong when the ‘telephone app’ on your phone becomes 3rd party - “Is some of my phone’s core functionality now provided by a 3rd party app? Indeed. Does it respect my privacy? No. Can I uninstall it again? No. Was I ever asked to comply with their terms and conditions? Of course not.” - With open platforms, customers run the risk that a dubious vendor ships hardware with a modified version of Android whose default apps and services have capabilities the customer never agreed to - [link]
  • Malicious Android Ads leading to drive by downloads - [link]
  • Dvmap: the first Android malware with code injection - [link]
  • Hundreds of Malicious Android Apps Masked as Anti-virus Software - exploiting people’s fear - [link]
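The uninitialized-canvas class of bug behind the *bleed entry above, as an added example: this is neither the original researcher's code nor ImageMagick's real RLE coder, but a toy decoder for a constructed RLE-like format that makes the same mistake, letting a header flag decide whether the output canvas is cleared before the (possibly empty) command list is applied. The canvas buffer is supplied by the caller, standing in for a reused allocation that still holds a previous user's pixels, so the leak is deterministic and checkable. The format, flag names and the hardened variant are all assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed toy format (NOT the real Utah RLE format or ImageMagick's coder):
 *   byte 0: flags, bit 0 = "clear canvas to background before decoding"
 *   byte 1: width   byte 2: height   byte 3: background value
 *   then commands: 0x01 <count> <value> writes a run, 0x00 ends the stream. */
#define FLAG_CLEAR_CANVAS 0x01
#define CMD_END 0x00
#define CMD_RUN 0x01

typedef int (*decoder_fn)(const uint8_t *, size_t, uint8_t *, size_t);

/* Shared command loop. Returns 0 on success, -1 on malformed input. */
static int apply_commands(const uint8_t *img, size_t len, size_t pos,
                          uint8_t *canvas, size_t npix)
{
    size_t out = 0;
    while (pos < len) {
        uint8_t cmd = img[pos++];
        if (cmd == CMD_END)
            return 0;
        if (cmd != CMD_RUN || pos + 2 > len)
            return -1;
        size_t count = img[pos], value = img[pos + 1];
        pos += 2;
        if (count > npix - out)          /* run must fit on the canvas */
            return -1;
        memset(canvas + out, (int)value, count);
        out += count;
    }
    return -1;                           /* stream ended without CMD_END */
}

/* Vulnerable: trusts the header flag to say whether the canvas needs clearing.
 * Flag clear + empty command list = whatever the buffer held is the "image". */
int decode_vulnerable(const uint8_t *img, size_t len, uint8_t *canvas, size_t cap)
{
    if (len < 4) return -1;
    size_t npix = (size_t)img[1] * img[2];
    if (npix > cap) return -1;
    if (img[0] & FLAG_CLEAR_CANVAS)
        memset(canvas, img[3], npix);
    return apply_commands(img, len, 4, canvas, npix);
}

/* Hardened: the canvas is always initialised, regardless of what the header says. */
int decode_hardened(const uint8_t *img, size_t len, uint8_t *canvas, size_t cap)
{
    if (len < 4) return -1;
    size_t npix = (size_t)img[1] * img[2];
    if (npix > cap) return -1;
    memset(canvas, img[3], npix);        /* unconditional initialisation */
    return apply_commands(img, len, 4, canvas, npix);
}

/* Constructed sample files. IMG_LEAK is the attack shape from the article:
 * no clear flag, no commands. IMG_PARTIAL fills only 3 of 8 pixels. */
const uint8_t IMG_LEAK[]    = {0x00, 4, 2, 0x00, CMD_END};
const size_t  IMG_LEAK_LEN  = sizeof IMG_LEAK;
const uint8_t IMG_PARTIAL[] = {0x00, 4, 2, 0x00, CMD_RUN, 3, 0x99, CMD_END};
const size_t  IMG_PARTIAL_LEN = sizeof IMG_PARTIAL;
const uint8_t IMG_RUN[]     = {0x00, 4, 2, 0x00, CMD_RUN, 8, 0x99, CMD_END};
const size_t  IMG_RUN_LEN   = sizeof IMG_RUN;
const uint8_t IMG_OVERRUN[] = {0x01, 4, 2, 0x00, CMD_RUN, 200, 0xFF, CMD_END};
const size_t  IMG_OVERRUN_LEN = sizeof IMG_OVERRUN;

/* Decode 'img' into a canvas pre-filled with the byte 'stale' (a previous
 * user's pixels) and report how many stale bytes survive in the output.
 * Returns (size_t)-1 if the decoder rejected the image. */
size_t stale_bytes_after(decoder_fn decode, const uint8_t *img, size_t len, uint8_t stale)
{
    uint8_t canvas[64];
    memset(canvas, stale, sizeof canvas);
    if (decode(img, len, canvas, sizeof canvas) != 0)
        return (size_t)-1;
    size_t npix = (size_t)img[1] * img[2], leaked = 0;
    for (size_t i = 0; i < npix; i++)
        leaked += (canvas[i] == stale);
    return leaked;
}

int main(void)
{
    printf("vulnerable, empty command list: %zu of 8 bytes leaked\n",
           stale_bytes_after(decode_vulnerable, IMG_LEAK, IMG_LEAK_LEN, 0x41));
    printf("hardened,   empty command list: %zu of 8 bytes leaked\n",
           stale_bytes_after(decode_hardened, IMG_LEAK, IMG_LEAK_LEN, 0x41));
    return 0;
}
```

The fix is the boring one: initialise every output buffer unconditionally, and treat "the file says it does not need clearing" as an attacker-controlled claim. The same reasoning applies to any decoder that reuses buffers between requests; a partial command list (IMG_PARTIAL) leaks the uncovered remainder just as an empty one leaks everything.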


  • All New Gaia GPS: Our favorite GPS app gets a major update. - [link]
  • GaiaGPS App Setup and Battery Management Tips - [link]
  • Commit. Leap. Begin. - [link]
  • Instruments of Adventure - pretty amazing video about multisport adventures - [link]
  • Into Darkness - [link]
This post is licensed under CC BY 4.0 by the author.