Infosec Reading List - March 2017
On a monthly basis I will publish my reading recommendations which mainly focus on Information Security (InfoSec) and Outdoor Sports. All InfoSec Reading Lists can be found here. Text in italic represent quotes from the original article.
Quotes from the Twitterverse
InfoSec
- Why Boards Aren’t Dealing with Cyberthreats - the bottom line is: inadequate processes to address cyber threats + lack of expertise leads to the fact that boards neglect cybersecurity issues at their peril. The problem is: the problem will not go away by simply neglecting it. It will get worse - so boards should better start addressing this challenge now - see the recent Yahoo! case for an example what can happen to your bonus - [link]
- My Tech Wishlist - interesting to see that some of the ideas I also had in my mind in the past like the mic/audio hardware power switch - [link]
- Russians Engineer a Brilliant Slot Machine Cheat—And Casinos Have No Fix - [link]
- Wikileaks CIA/#vault7 leak - bottom line: encryption works, as we know from the snowden documents, and makes mass surveillance much more complicated/expensive forcing 3-letter agencies to attack the endpoints in order to catch data before it gets encrypted. No indication that WhatsApp and Signal are broken - so all in all these are good news. For me the most interesting question is: who leaked the data and why? The worst part of the story is that 3-letter agencies keep vulnerabilities/exploits instead of publishing and fixing them with vendors - doesn’t this stand in contrast with the goal to protect their people? But is this really shocking/new? And let’s stay focused: 99% of the world’s population will most probably never get onto a CIA target list. - [link] - [link] - [link]
- Hacking The Aether: How Data Crosses The Air-Gap - different aspects of potential covert channels such as physical, acoustic, seismic, magnetic, light etc. - [link]
- This book reads you - exploiting services and readers that support the ePub book format - This book reads you - exploiting services and readers that support the ePub book format - very nice approach - old issue: Never ever trust client data - [link]
- Cryptography is Hard - the discussion of the Needham-Schroeder protocol in the article remembers me of the old times when we reviewed broken crypto protocols at the university - [link]
- Recently Bought a Windows Computer? Microsoft Probably Has Your Encryption Key - [link]
- Android Devices Security Patch Status - nice capability to get information around the latest patch level for non-google Androids - but sadly statistics show: you need to own a google-supported phone in order to get the latest Android version in production - 7.1.1 at the time of writing - [link]
- Android Security Bulletins - what is included in the monthly patches? - [link]
- How to Build a Cybersecurity Career [ 2019 Update ] - I agree with most of the points in the article but disagree heavily with the point where it is stated that security certifications add more value than a university degree - pick the right university and you will get a lot out of it - [link]
- Introduction to Cryptography by Christof Paar - YouTube session by a former professor of mine - [link]
- OMEN: Ordered Markov ENumerator - [link]
- Attacking Nexus 9 with Malicious Headphones - “Ossmann & Osborn also briefly documented multiplexed audio connectors, noting that Nexus 4 has a TTL UART interface hidden in its headphone jack, a functionality which is enabled if the voltage on the MIC pin exceeds some threshold.” - and this is how it all began. I see similarities here to the networking attack surface: the more interfaces (open ports), the worse it is - [link]
- Subgraph OS - [link]
- Secure computing for journalists - some interesting views on OS security “mobile device vs Laptop/Desktop” - [link]
- Alexsey’s TTPs - my highlight: “Found that cookies generated in staging were valid in production, and modified a staging cookie to access the production instance of the administrative portal (bypassing 2FA)” - [link]
- How I found a $5,000 Google Maps XSS (by fiddling with Protobuf) - interesting technical deep dive on a gmaps XSS - [link]
- Hacking the Western Digital MyCloud NAS - including command injection via PHP - one of the reasons not to expose a NAS admin panel to the Internet - [link]
- Apple iCloud Hoards ‘Deleted’ Browser History Going Back More Than A Year - Apple iCloud Hoards ‘Deleted’ Browser History Going Back More Than A Year - you are potentially impacted in case you are logged in with your icloud account - most probably a design issue, but a pretty privacy-impacting one - [link]
- Your Browsing History Alone Can Give Away Your Identity - Related to the icloud case above: Your Browsing History Alone Can Give Away Your Identity - based on Twitter data - [link]
- You will be surprised by what your Tweets may reveal about you and your habits - In regards to Twitter & Privacy: You will be surprised by what your Tweets may reveal about you and your habits - metadata analysis of Twitter data with support of the Twitter API. The snowden example is an interesting one - [link]
- Facebook Vulnerability - Delete Any Video on Facebook - [link]
- Samsung Leaking Customer Information - Samsung shipment company leaks private data – and Samsung doesn’t care - although first order has been done via Samsung - [link]
- Privacy analysis of Ambient Light Sensors - I’m still struggling to understand the need to connect browsers to the light sensor in my device - [link]
- The Account Takeover Runbook - This is an excellent idea - with the growing capabilities of web-based email interfaces, simply resetting the password after compromise is not sufficient anymore - [link]
- (Securely) Updating Smart Devices / Some Considerations - [link]
- Security and the Internet of Things - extensive article from Schneier on the IoT mess - I can specifically recommend the “Truisms” number 1-5 - [link]
- iPhone Robbers Try to iPhish Victims - [link]
- Hackers who took control of PC microphones siphon >600 GB from 70 targets - “The operation uses malware to capture audio recordings of conversations, screen shots, documents, and passwords, according to a blog post published last week by security firm CyberX.” - operation BugDrop - pretty well-organized malware campaign - [link]
- Two new Mac backdoors discovered - interesting aspect: malware searches on mac for iOS backups. Iphones are more difficult to attack and often contain personal/sensitive material - [link]
- Disable Your Antivirus Software (Except Microsoft’s) - Former Mozilla Engineer says: Disable Your Antivirus Software (Except Microsoft’s) - it’s an interesting perspective and you can spend hours on discussing what is right and what is wrong - I recommend to follow the links in the article to get the different opinions - [link]
- Threat Hunting Basics - [link]
- Nile Phish Large-Scale Phishing Campaign Targeting Egyptian Civil Society - [link]
- Preinstalled Malware targeting mobile users - In all instances, the malware was not downloaded to the device as a result of the users’ use, it arrived with it - [link]
Outdoor
- 10 Best Backpacking Tents - ZPacks Duplex is in it as well - that’s the one I can recommend personally - [link]
- best hikes Africa & the Middle East - [link]
- Duct Tape: A Love Letter - “Ya can’t safely whip doughnuts on the edge of the Sea of Serenity without a trusty roll of Duct Tape.” - a love letter to the duct tape - totally overdue - [link]
- Ultraviolet Water Purification 101 - - [link]
- Why walking is the ideal speed to see the world - [link]
- On Instagram’s Impact on Wilderness, and True Adventure Photographers - [link]
- Record-Breaking Russian Adventurer Says The World Needs More Explorers - “At the time, I was convinced that by the 21st century we would already have scientific stations on Mars and settlements on the Moon. But the 21st century came and all we do is wage war, make money, and stuff ourselves.” - [link]
- inReach: Hiking through Bolivia with Dominik Birk - Garmin on my recent trip to the deserts of Bolivia - [link]
- I Used to Be a Human Being - “Just look around you - at the people crouched over their phones as they walk the streets, or drive their cars, or walk their dogs, or play with their children. Observe yourself in line for coffee, or in a quick work break, or driving, or even just going to the bathroom. Visit an airport and see the sea of craned necks and dead eyes. We have gone from looking up and around to constantly looking down.” - a mindblowing article on how modern technology is stealing our time to actually live and what could be done about it - related to this, another interesting article: “I find it interesting that the late Steve Jobs said in a 2010 interview that his own children didn’t use iPads. In fact, there are a surprising number of Silicon Valley titans who refuse to let their kids near certain devices. There’s a private school in the Bay Area and it doesn’t allow any tech - no iPhones or iPads. The really interesting thing about this school is that 75 percent of the parents are tech executives.” - let this sink for a second and re-read the last sentence - [link] - [link]
This post is licensed under
CC BY 4.0
by the author.