Post

Infosec Reading List - October 2019

On a monthly basis I will publish my reading recommendations which mainly focus on Information Security (InfoSec) and Outdoor Sports. All InfoSec Reading Lists can be found here. Text in italic represent quotes from the original article.

Quotes from the Twitterverse

Desktop View


Desktop View


Desktop View


Desktop View


Desktop View


InfoSec

  • Uber allegedly paid $100,000 ransom and had hackers sign NDAs after massive data breach - this does not sound like a solid plan to me - [link]
  • Just a GIF Image Could Have Hacked Your Android Phone Using WhatsApp - important to know is: “The vulnerability, tracked as CVE-2019-11932, is a double-free memory corruption bug that doesn’t actually reside in the WhatsApp code itself, but in an open-source GIF image parsing library that WhatsApp uses.” - [link]
  • Alexa and Google Home abused to eavesdrop and phish passwords - [link]
  • Supply-Chain Security and Trust - [link]
  • “BriansClub” Hack Rescues 26M Stolen Cards - conclusion: systems will get breached and data will change owners, independently whether you have a legitimate reason or not for owning, storing and processing the data - [link]
  • Signal Technology Foundation is now open for donations - [link]
  • How does Apple (privately) find your offline devices? - [link]
  • The spy in your wallet: Credit cards have a privacy problem - well, this situation does definitely not look promising, it’s important to understand that behind a simple creditcard transaction, a whole rabbit whole of companies opens up that are interested to understand what the customers wants - [link]
  • Exploit Wars II - The server strikes back - conclusion: be careful what kind of exploit you use from which system and against which target - [link]
  • WhatsApp blames — and sues — mobile spyware maker NSO Group over its zero-day calling exploit - the outcome of this will be an interesting one - [link]
  • How safe is Apple’s Safe Browsing? - [link]
  • How a Bitcoin Trail Led to a Massive Dark Web Child-Porn Site Takedown - important message: also without backdoors investigators can do excellent work and bring bad guys behind bars - [link]
  • Avast fights off cyber-espionage attempt, Abiss - unpopular question to ask Avast: why did their own software not prevent this kind of attack? Why did they need MS software here? - [link]
  • Avast, NordVPN Breaches Tied to Phantom User Accounts - the scenarios under which I would use a VPN would be really limited since most of the providers are not capable to keep what they promise - [link]
  • On the inside of a hacking catastrophe - interesting insights into the Equifax breach, also learning how NOT to do it - “In that meeting, where external counsel [lawyers] were also present, some of us were told ‘if you tell anyone else about this, you’ll be fired on the spot and walked off-site’.” – “Equifax spent millions responding to the breach, but that turned into people from the security team working overtime, on 36 hour shifts, and that’s the hidden cost of the breach that no one has gotten near to quantifying so far,” - [link]
  • In a world of infosec rockstars, shutting down sexual harassment is hard work for victims - [link]
  • BSides Luxembourg 2019 Wrap-Up - [link]
  • NFC Beaming Bypasses Security Controls in Android [CVE-2019-2114] - “After this is done, go to the receiver phone, tap the “Beam completed” notification, and tap the file. It will skip directly to the install prompt, bypassing the “Install unknown apps” check.” - [link]
  • Extended Validation Certificates are (Really, Really) Dead - [link]
  • Asymmetry in infosec - good article that I disagree with on various points, but great read - “Either way, the choices add up over time into a path that lets an attacker start with a single toehold and turn it into a full compromise.” – “The deeper answer is that we are not good at accounting for the sum of mistakes being larger than the whole of each mistake …” - [link]
  • Cylance, I Kill You! - important article that demonstrates clearly the downside of all that “AI hype” on the example of one software - “Combining an analysis of the feature extraction process, its heavy reliance on strings, and its strong bias for this specific game, we are capable of crafting a simple and rather amusing bypass.” – “In this post we will show how we can reverse the model of an AI based EPP product, and find a bias enabling a universal bypass. We chose Cylance for practical reasons, namely, it is publicly available and widely regarded as a leading vendor in the field.” - [link]
  • Microsoft Japan’s experiment with 3-day weekend boosts worker productivity by 40 percent - “Productivity went up by a staggering 39.9 percent. That means even though the employees were at work for less time, more work was actually getting done!” - [link]
  • Capital One removes CISO from role following breach - [link]
  • Wireshark Column Setup Deepdive - great article about Wireshark tips and tricks - tiny but helpful - [link]

Outdoor

  • Route Report: Khangai Mountains Traverse, Mongolia - added to [todo] list - [link]
  • Being ‘Indistractable’ Will Be the Skill of the Future - a super important article about one of the core crafts of our time: to remain indistractable - “… distraction is “the process of interrupting attention” and “a stimulus or task that draws attention away from the task of primary interest.”” - “The truth is, we overuse video games, social media, and our cell phones not just for the pleasure they provide, but because they free us from psychological discomfort.” - [link]
  • Into The Empty Quarter - full movie - [link]
  • Seven Lonely Days - The Rescue of Alexander Gukov - [link]
This post is licensed under CC BY 4.0 by the author.