Infosec Reading List - November 2020
On a monthly basis I publish my reading recommendations, which mainly focus on Information Security (InfoSec) and Outdoor Sports. All InfoSec Reading Lists can be found here. Text in italic represents quotes from the original article.
Quotes from the Twitterverse
InfoSec
- Windows 10 quietly got a built-in network sniffer, how to use - includes pcapng format output to enable compatibility with Wireshark - [link]
- Researchers: LinkedIn, Instagram Vulnerable to Preview-Link RCE Security Woes - “The good news is that some apps don’t render previews at all, such as Signal (if the link preview option is turned off in settings), Threema, TikTok and WeChat.” - [link]
- Waze: How I Tracked Your Mother - “As a part of the interface Waze shows you random icons of other drivers who are nearby, which always interested me as a security engineer. Maybe there is a way to find out who those people are?” - [link]
- Ryuk in 5 Hours - “Four hours and 10 minutes in, the threat actors used the pivot from the primary domain controller to RDP into the Backup server. Backup servers were again targeted first for deployment of the ransomware executable, followed by servers and then workstations. The threat actors finished their objective by executing the ransomware on the primary domain controller, and at the 5 hour mark, the attack completed.” - [link]
- Ryuk Speed Run, 2 Hours to Ransom - [link]
- Security Experts Alarmed by ‘Broken’ Cyber Market - “In cybersecurity, information about a product’s capabilities, efficacy and quality are mostly understood by vendors alone, with customers often relying on them for insights instead of doing their own in-depth appraisal, the report argued.” - [link]
- We Hacked Apple for 3 Months: Here’s What We Found - “This means that there is no server side processing of the emails in terms of content sanitation, and that all of the actual functionality to render and process the mail body is within the JavaScript where it’s done client side. This isn’t necessarily a bad thing, but simplifies the process of identifying XSS by understanding what specifically we’ll need to break within the source code.” – this is really a great read which I enjoyed a lot - [link]
- Cybersecurity as we know it will be ‘a thing of the past in the next decade,’ says Cloudflare’s COO, as security moves towards a ‘water treatment’ model - this statement of course provokes and is, in my opinion and without deeper context, wrong in many ways. To understand it better, we need to keep in mind who pushes this message: the COO of an infosec company (Cloudflare), who has a strong interest in representing the company’s interests and increasing sales. Only in very few cases (never) has reality ended up the way individual people or companies predicted the future of infosec. – “I have a point of view that cybersecurity is going to be a thing of the past the next decade because I think technology is going to solve those problems,” – “If you’re connected to the Internet, you’re going to connect through a cybersecurity network like Cloudflare or some others,” Zatlyn said. “And we’re going to cleanse it and make sure whatever’s passing through us is clean.” – as COO of Cloudflare it makes sense to make these statements. With the brutal reality out there this has little (nothing) in common. I had conversations like this with infosec colleagues in the early 2000s, and where are we today, in 2020? We struggle with the huge amount of change, try to clean up the past (the human factor, legacy environments built on outdated OSs, shadow IT … just to name a few) and prepare ourselves for the future. We are far away from a secure digital infrastructure that our society can rely on. I’m looking forward to reviewing this note in 2030, but I’m pretty sure that by then Cloudflare will not have fixed the infosec problem for society - [link]
- About Cybersecurity Management and Expectations - “Unfortunately, in cybersecurity, many individual contributors who were not trained or qualified to act as managers of humans have been pushed into management roles for various reasons. The skill set required to manage people and teams is totally different than blue teaming or red teaming. It is absolutely fine to be good at one of those things and not great at the others.” – this is a great article that I can fully support – the listed recommendations also go in the right direction: management is, in the end, about people, and has in the first instance little to nothing in common with core technological aspects - [link]
- Lined up in the sights of Vietnamese hackers - [link]
- Why Paying to Delete Stolen Data is Bonkers - “Leaving aside the notion that victims might have any real expectation the attackers will actually destroy the stolen data, new research suggests a fair number of victims who do pay up may see some or all of the stolen data published anyway.” - [link]
- I am the Chief Security Officer at Akamai and I make the internet suck less. Ask me anything! - [link]
- Play Store identified as main distribution vector for most Android malware - “The results showed that around 67% of the malicious app installs researchers identified came from the Google Play Store.” – we need to be careful with the exact definition of “malicious” here, but it is no news that the Play Store has had issues for years - [link]
- Principles for Cybersecurity Metrics - [link]
- Firefox: How a website could steal all your cookies - “This is a write up for CVE-2020-15647, explaining how webpages are capable of stealing files from your Android device, including but not limited to cookies from any visited website.” - [link]
- New lawsuit: Why do Android phones mysteriously exchange 260MB a month with Google via cellular data when they’re not even in use? - [link]
- A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak - specifically check out the tips in the end - [link]
- Malicious Python Code and LittleSnitch Detection - [link]
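To make the Windows 10 sniffer item above concrete, here is a minimal capture session with the built-in tool (pktmon.exe, which ships with Windows 10 since version 1809, with pcapng export added in version 2004). This is an added example and not taken from the linked article; the exact subcommand names and flags are those of the 2004 build and are an assumption for other builds, since Microsoft renamed some of them later (for example `etl2pcap` in place of `pcapng`), so check `pktmon help` on the machine first. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the linked article): capture DNS and HTTPS traffic
# with the built-in Windows 10 packet monitor and convert it for Wireshark.
# Assumption: subcommand syntax of the Windows 10 2004 build of pktmon.exe.

pktmon filter remove                        # start from an empty filter list
pktmon filter add DNS -p 53                 # keep only port 53 ...
pktmon filter add HTTPS -p 443              # ... and port 443
pktmon filter list                          # confirm what will be captured

# --etw writes an ETL trace; -p 0 logs whole packets instead of the
# default 128-byte truncation (needed if you want to inspect payloads).
pktmon start --etw -p 0

# Reproduce the behaviour you want to see on the wire, then stop the trace.
Start-Sleep -Seconds 30
pktmon stop

# Convert the ETL file to pcapng so Wireshark/tshark can read it.
pktmon pcapng .\PktMon.etl -o .\PktMon.pcapng

# Quick sanity check without opening the GUI (tshark ships with Wireshark).
& 'C:\Program Files\Wireshark\tshark.exe' -r .\PktMon.pcapng -Y 'dns' -c 20
```

Two practitioner caveats: pktmon captures on all network components of the host, so filters are the only thing keeping the ETL file small, and because the tool is signed, built in and needs no installation, it is equally convenient for an attacker who already has administrative access; logging process creation for `pktmon.exe` outside of known maintenance windows is a cheap detection.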
Outdoor
This post is licensed under CC BY 4.0 by the author.