Infosec Reading List - November 2019

On a monthly basis I will publish my reading recommendations which mainly focus on Information Security (InfoSec) and Outdoor Sports. All InfoSec Reading Lists can be found here. Text in italic represent quotes from the original article.

Quotes from the Twitterverse

---

---

---

---

---

InfoSec

• Reverse Engineering of a Not-so-Secure IoT Device - nice overview of reversing an IoT device and intercepting LoRa traffic - [link]
• Researchers Think They Know How Many Phones Are Vulnerable to ‘SIMjacker’ Attacks - [link]
• Your Pa$$word doesn’t matter - article around different ways to get access to a password including password spraying, cracking databases etc. - “Your password doesn’t matter, but MFA does! Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA.” - [link]
• Using Flight Tracking For Geolocation – Quiztime 30th October 2019 - awesome OSINT work based on weather data, google earth and flight data - [link]
• Lessons from Our Zero Trust Journey - summary of Google Zero Trust articles - [link]
• Phineas Fisher Offers $100,000 Bounty to Hack Banks and Oil Companies - “I robbed a bank and gave the money away,” Phineas Fisher wrote in the manifesto. “Computer hacking is a powerful tool to fight economic inequality.” – The hacker also explained that they got into The Cayman Bank and Trust Company using the same exploit they used against Hacking Team: targeting a vulnerable virtual private network and firewall appliance. - [link]
• Facebook and Google’s pervasive surveillance poses an unprecedented danger to human rights - “Google and Facebook dominate our modern lives amassing unparalleled power over the digital world by harvesting and monetizing the personal data of billions of people. Their insidious control of our digital lives undermines the very essence of privacy and is one of the defining human rights challenges of our era,” - [link]
• Phineas Phisher - Hack Back - Bank - some quotes from the pastebin article in order to understand the technical aspects of the hacks - be aware: this is the translated version into English, the authenticity needs to be challenged anytime: “None of the financial hacks I made, or those I’ve known, have ever been reported. This is going to be the first, and not because the bank wanted to, but because I decided to publish it.” - “They only used password authentication to access the application with which they connected to the SWIFT network.” - “I used Get-Keystrokes, modifying it so that instead of storing the pressed keys, a GET request is made to my server every time it is detected that they have entered a username. This request adds the username to the url and, as they type the token, several GETs are made with the token digits concatenated to the url.” - “Then I started scanning the entire internet with zmap and zgrab to identify other vulnerable devices. I had the scanner save the vulnerable IPs, along with the common and alt names of the device’s SSL certificate, the device’s Windows domain names, and the reverse DNS lookup of the IP. I grepped the results for the word “bank”, and there were plenty to choose from, but the truth is that I was attracted to the word “Cayman”, and that’s how I came to choose this one.” - “A fun suggestion for you to follow the investigations of your hacks is to have a backup access, one that you won’t touch unless you lose normal access. I have a simple script that expects commands once a day, or less, just to maintain long-term access in case they block my regular access.” - “In this operation, as in, I used a lot of powershell. Then, powershell was super cool, you could do almost anything you wanted, without antivirus detection and with very little forensic footprint.” - “The two most important skills for practical hacking are phishing and social engineering to get initial access, and then being able to climb and move through the Windows domains.” - “A basic knowledge of web application security is useful, but specializing more in web security is not really the best use of your time, unless you want to make a career in pentesting or chasing bug rewards.” - “I will pay up to 100 thousand USD for each filtration of this type, according to the public interest and impact of the material, and the labor required in the hacking. Needless to say, a complete leak of the documents and internal communications of any of these companies will be a benefit for society that exceeds those one hundred thousand, but I am not trying to enrich anyone.” - [link]
• Laser-Based Audio Injection on Voice-Controllable Systems - Light Commands is a vulnerability of MEMS microphones that allows attackers to remotely inject inaudible and invisible commands into voice assistants, such as Google assistant, Amazon Alexa, Facebook Portal, and Apple Siri using light. - [link]
• The Story Behind the Iran Cables - [link]
• Addicted to Screens? That’s Really a You Problem - “A movement to be ‘post-digital’ will emerge in 2020,” Mr. Fogg wrote last month. “We will start to realize that being chained to your mobile phone is a low-status behavior, similar to smoking.” - Unlike the other newly wary, though, Mr. Eyal does not think tech is the problem. We are. - [link]

Outdoor

• Gear List: What I carried in the desert - interesting article from a lady that used the Monowalker carrier to cross some deserts in South America - [link]