
Infosec Reading List - May 2020

On a monthly basis I publish my reading recommendations, which mainly focus on Information Security (InfoSec) and outdoor sports. All InfoSec Reading Lists can be found here. Text in italics represents quotes from the original article.

Quotes from the Twitterverse

(embedded tweet images not available in this copy)


InfoSec

  • Simple Remote Code Execution Vulnerability Examples for Beginners - [link]
  • GDPR.EU has er… a data leakage issue - “It’s an old one: the /.git/ folder is world readable.” - an exposed .git directory is not a minor information disclosure: the object store and refs let anyone reconstruct the site’s source and its full commit history, including anything that was ever committed and later removed. - [link]
  • Signal Is Finally Bringing Its Secure Messaging to the Masses - “I’d like for Signal to reach billions of users. I know what it takes to do that.” – this is the dilemma: with increasing popularity and market share, the pressure to build in backdoors will increase. So being the underdog not only has disadvantages – it also allows Signal to fly under the radar of the groups that have been calling for backdoors for years. Once Signal crosses that line, it will have to navigate new challenges. - [link]
  • Me on COVID-19 Contact Tracing Apps - “The end result is an app that doesn’t work. People will post their bad experiences on social media, and people will read those posts and realize that the app is not to be trusted. That loss of trust is even worse than having no app at all.” - [link]
  • Contact Tracing in the Real World - another interesting article to consider from Ross Anderson this time – “What we need is a radical redistribution of resources from the surveillance-industrial complex to public health.” – “We must call out bullshit when we see it, and must not give policymakers the false hope that techno-magic might let them avoid the hard decisions.” - [link]
  • Exclusive: Warning Over Chinese Mobile Giant Xiaomi Recording Millions Of People’s ‘Private’ Web And Phone Use - “… it recorded all the websites he visited, including search engine queries whether with Google or the privacy-focused DuckDuckGo, and every item viewed on a news feed feature of the Xiaomi software.” – “The device was also recording what folders he opened and to which screens he swiped, including the status bar and the settings page.” - Update 2024: interestingly, Xiaomi deleted the original press statement from their website from 2020 addressing these privacy concerns - [link]
  • DNS-over-HTTPS causes more problems than it solves, experts say - “The general idea is that DNS-over-HTTPS isn’t what many have thought. It doesn’t actually protect users from having their web traffic snooped, and it’s not really that useful for dissidents in dangerous countries.” - [link]
  • First seen in the wild – Malware uses Corporate MDM as attack vector - “This is the first time we have a reported incident of lateral movement inside a corporate network that utilizes the MDM server as a means of spreading.” - [link]
  • The Six Dumbest Ideas in Computer Security - this is a great article from 2005 which is still very relevant today - for instance: penetrate and patch is still practiced today because we have not yet reached the “security by design” stage for most of what mankind is building. Additionally, several of the author’s expectations have not been fulfilled; instead, things went in the opposite direction (#hacking is cool, #educating users). - [link]
  • Tracking REvil - “This blog describes our efforts in tracking the REvil ransomware and its affiliates for the past six months. REvil has been around since 2019 and is one of the top variants of ransomware causing havoc at many organizations around the globe ever since.” - [link]
  • CISSP Qualification Given Cert Status Equivalent to Master’s Degree Level - “The Certified Information Systems Security Professional (CISSP) certification has been officially recognized as equivalent to a master’s degree across Europe.” - as you can imagine, this announcement was strongly rejected across the community - here is a different perspective on the situation – “it’s an entry level certification that doesn’t require a college degree, and teaches students only familiarity with buzzwords used in the industry rather than the deeper level of understanding of how things work.” - [link]
  • It’s Time to Get Back Into RSS - “It was a direct connection between creators and consumers. By adding someone’s feed to your RSS reader you were saying, “Yes, I’d like to subscribe to your interpretation of reality.” – “First, they broke the direct connection between the reader and the creator …” – “With RSS you get the content itself, which your reader can choose to display in different ways. Advertisers hate that.” – great article which I can support 100% – I never moved away from RSS and I would be more than happy to see a new rise of this great piece of technology in the future - [link]
  • The Secret Life Of JPEGs - [link]
  • Who Is Dmitry Badin, The GRU Hacker Indicted By Germany Over The Bundestag Hacks? - [link]
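The GDPR.EU item above is the classic world-readable `/.git/` misconfiguration. As an added example (not code from the original post or from any of the linked articles), the script below shows how to check your own hosts for it: it tells a genuine `.git/HEAD` and `.git/config` apart from an HTML soft-404 that also answers 200, and pulls the remote URLs out of the config so the finding can be triaged. The sample response bodies and the host name `git.example.invalid` are constructed for the example; `probe()` is the only function that touches the network and is not exercised here.

```python
import re
import urllib.error
import urllib.request

# A real HEAD is either a symbolic ref or a bare 40-hex commit id.
HEAD_RE = re.compile(r"^(ref: refs/[\w./-]+|[0-9a-f]{40})$")
SECTION_RE = re.compile(r'^\[([^\s\]]+)(?:\s+"([^"]*)")?\]$')


def looks_like_git_head(body: str) -> bool:
    """True if body is a genuine .git/HEAD, not an HTML page served with 200."""
    return HEAD_RE.match(body.strip()) is not None


def parse_git_config(body: str) -> dict:
    """Minimal parser for git's INI-like config: {'remote.origin': {'url': ...}}."""
    sections, current = {}, None
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = SECTION_RE.match(line)
        if m:
            name, sub = m.group(1).lower(), m.group(2)
            current = name if sub is None else f"{name}.{sub}"
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def looks_like_git_config(body: str) -> bool:
    """A genuine config has a [core] section with repositoryformatversion."""
    return "repositoryformatversion" in parse_git_config(body).get("core", {})


def remote_urls(config: dict) -> list:
    """Remote URLs are worth reporting: they often name the private upstream repo."""
    return [sec["url"] for name, sec in config.items()
            if name.startswith("remote.") and "url" in sec]


def classify_exposure(head_body: str, config_body: str) -> str:
    """'exposed' when both files are real; 'head-only' is still a strong signal."""
    head_ok, config_ok = looks_like_git_head(head_body), looks_like_git_config(config_body)
    if head_ok and config_ok:
        return "exposed"
    if head_ok:
        return "head-only"
    return "not exposed"


def probe(base_url: str, timeout: float = 5.0) -> dict:
    """Network check against a site you are authorised to test (not run offline)."""
    def get(path):
        try:
            with urllib.request.urlopen(base_url.rstrip("/") + path, timeout=timeout) as r:
                return r.read().decode("utf-8", "replace")
        except (urllib.error.URLError, ValueError):
            return ""
    head, config = get("/.git/HEAD"), get("/.git/config")
    return {"status": classify_exposure(head, config),
            "remotes": remote_urls(parse_git_config(config))}


# Constructed sample bodies standing in for HTTP responses.
SAMPLE_HEAD = "ref: refs/heads/master\n"
SAMPLE_CONFIG = (
    "[core]\n\trepositoryformatversion = 0\n\tfilemode = true\n\tbare = false\n"
    '[remote "origin"]\n\turl = https://git.example.invalid/www/site.git\n'
    "\tfetch = +refs/heads/*:refs/remotes/origin/*\n"
)
SAMPLE_SOFT_404 = "<html><body><h1>Page not found</h1></body></html>"

if __name__ == "__main__":
    print(classify_exposure(SAMPLE_HEAD, SAMPLE_CONFIG),
          remote_urls(parse_git_config(SAMPLE_CONFIG)))
    print(classify_exposure(SAMPLE_SOFT_404, SAMPLE_SOFT_404))
```

The HTML check matters because many sites answer every path with a 200 and a "not found" page, so status codes alone produce false positives. A positive result means the repository can usually be reconstructed by walking `.git/refs`, `.git/objects` and `.git/packed-refs`; the fix is to deny access to `.git` (and `.svn`, `.hg`) in the web server configuration, or better, to deploy build artifacts rather than a checkout.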

Outdoor

  • The Annamites: Vietnam’s Unknown Mountains - [link]
This post is licensed under CC BY 4.0 by the author.