Infosec Reading List - November 2024
On a monthly basis I will publish my reading recommendations, which mainly focus on Information Security (InfoSec) and Outdoor Sports. All InfoSec Reading Lists can be found here. Text in italic represents quotes from the original article.
Quotes from the Twitterverse
N/A
InfoSec
- How Computers Generate Random Numbers - Here’s something that might surprise you: computers can’t actually generate truly random numbers. These incredible machines that power our digital world are, at their core, following precise instructions step by step. What we call “random numbers” in programming are actually “carefully crafted sequences that look random” - we call them pseudorandom numbers in tech-speak. - [link]
- The Key Lessons from 10 Important Books on Productivity - [link]
- Yahoo cybersecurity team sees layoffs, outsourcing of ‘red team,’ under new CTO - [link]
- The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access - The Enterprise Wi-Fi network, however, did not require MFA and only required a user’s valid domain username and password to authenticate. Meanwhile, the threat actor was halfway around the world and could not actually connect to Organization A’s Enterprise Wi-Fi network. To overcome this hurdle, the threat actor worked to compromise other organizations who were in buildings within close proximity to Organization A’s office. - [link]
- How to Lose a Fortune with Just One Bad Click - When Junseth asked how potential victims could protect themselves, Daniel explained that if the target doesn’t have their Google Authenticator synced to their Google cloud account, the scammers can’t easily pivot into the victim’s accounts at cryptocurrency exchanges, as they did with Griffin. - By default, Google Authenticator syncs all one-time codes with a Gmail user’s account, meaning if someone gains access to your Google account, they can then access all of the one-time codes handed out by your Google Authenticator app. TLDR: don't sync your Google Authenticator app; do offline backups instead - [link]
- Quantum computing: What leaders need to know now - McKinsey has estimated that 5,000 quantum computers will be operational by 2030 but that the hardware and software necessary for handling the most complex problems won’t be available until 2035 or later - [link]
- The Insecure IoT Cloud Strikes Again: RCE on Ruijie Cloud-Connected Devices - [link]
- 15 Times to use AI, and 5 Not to - Knowing when to use AI turns out to be a form of wisdom, not just technical knowledge. Like most wisdom, it’s somewhat paradoxical: AI is often most useful where we’re already expert enough to spot its mistakes, yet least helpful in the deep work that made us experts in the first place. - [link]
- How safe is encrypted file storage? - [link]
- Employees as Risks - A case study on intrusive surveillance and behavioral profiling for cybersecurity, insider risk detection and “compliance” - [link]
- How to protect yourself from the Salt Typhoon hack, no matter what the FBI says - “It’s just the same, illogical talking points they have had for 30+ years, where they say, ‘Encryption is OK, but we need to be able to access communications.’ That is a circle that cannot be squared.” - At least eight telecommunications companies were compromised in the hack, which was first made public in September and has been described as ongoing by U.S. officials. - “If you build a system so that it is easy to break into, people will do so — both the good guys and the bad. That’s the inevitable consequence of CALEA, one we warned would come to pass — and it did,” - [link]
Outdoor
N/A
This post is licensed under CC BY 4.0 by the author.