Infosec Reading List - May 2024
On a monthly basis I will publish my reading recommendations which mainly focus on Information Security (InfoSec) and Outdoor Sports. All InfoSec Reading Lists can be found here. Text in italic represent quotes from the original article.
Quotes from the Twitterverse
InfoSec
- Microsoft’s Dangerous Addiction To Security Revenue - Microsoft is Using Its Own Security Flaws as an Opportunity to Upsell - It has become clear over the past few years that Microsoft’s addiction to security product revenue has seriously warped their product design decisions, where they hold back completely necessary functionality for the most expensive license packs or as add-on purchases. - [link]
- Why CISA is Warning CISOs About a Breach at Sisense - [link]
- Passkeys: A Shattered Dream - And it was removed because Chrome never implemented it. As a result, if Chrome doesn’t like something in the specification they can just veto it without consequence. - Corporate interests have overruled good user experience once again. Just like ad-blockers, I predict that Passkeys will only be used by a small subset of the technical population, and consumers will generally reject them. - does not sound promising - [link]
- How G.M. Tricked Millions of Drivers Into Being Spied On (Including Me) - G.M. says this discrepancy between the app and the website was the result of “a bug” that affected a “small population” of customers. That group got the worst possible version of Smart Driver: We couldn’t get insights into our driving, but insurance companies could. - He confirmed that he had enrolled us for OnStar, noting that his pay is docked if he fails to do so. He said that was a mandate from G.M., which sends the dealership a report card each month tracking the percentage of sign-ups. - it‘s as 1984-like as it can get - [link]
- Wiz Research finds architecture risks that may compromise AI-as-a-Service providers - Furthermore, if you intend to let users utilize untrusted AI models in your environment, it is extremely important to ensure that they are running in a sandboxed environment — since you could unknowingly be giving them the ability to execute arbitrary code on your infrastructure. - [link]
- What OpenAI did - A new model opens up new possibilities - [link]
- Lethal Injection: How We Hacked Microsoft’s Healthcare Chat Bot - The first vulnerability allowed access to authentication credentials belonging to the customers. With continued research, we’ve found vulnerabilities allowing us to take control of a backend server of the service. That server is shared across multiple customers and has access to several databases that contain information belonging to multiple tenants. - [link]
- War Zone Surveillance Technology Is Hitting American Streets - [link]
- Microsoft’s new Windows 11 Recall is a privacy nightmare - MSFT has a trust issue, hence, the timing of this feature couldn‘t be worse - First and foremost, large companies have a history of exploiting users’ data for their own profit, making it hard for users to trust Microsoft when they say they won’t access the Recall data. - but I understand the business intention of MSFT and why they push this topic now to the next level. The next years and decade will tell whether society will accept an OS like this. My expectation is that the ransomware industry will jump on this feature in order to escalate extortion capabilities: Let‘s not forget - the more you store, the more can be used against you. The bottom line issue with this is: we haven‘t fixed the root issue yet, which is: securing endpoints to an extend where the standard user can trust it. Instead, we are now significantly increasing the attack surface of the endpoint. I struggle to understand how this aligns with MSFT recent public commitment to „prioritize security over other things“ - [link]
- ‘Operation Endgame’ Hits Malware Delivery Platforms - trolling the bad guys - [link]
- Cybercriminals pose as “helpful” Stack Overflow users to push malware - In this case, the pytoileur package contains a ‘setup.py’ files that pads a base64 encoded command to execute with spaces so it is hidden unless you enable word wrap in your IDE or text file editor. - [link]
- Stealing everything you’ve ever typed or viewed on your own Windows PC is now possible with two lines of code — inside the Copilot+ Recall disaster. - [link]
- Looking at Passwords in 2024 - [link]
- Advanced Cyber Threats Impact Even the Most Prepared - MITRE followed best practices, vendor instructions, and the government’s advice to upgrade, replace, and harden our Ivanti system, but we did not detect the lateral movement into our VMware infrastructure. At the time we believed we took all the necessary actions to mitigate the vulnerability, but these actions were clearly insufficient - [link]
- Should I Use jwts For Authentication Tokens? - [link]
Outdoor
- Europe’s best long-distance hiking trails - some of them really can‘t count as long distance trails - but are still nice - [link]
This post is licensed under CC BY 4.0 by the author.