Infosec Reading List - October 2025
On a monthly basis I will publish my reading recommendations, which mainly focus on Information Security (InfoSec) and Outdoor Sports. All InfoSec Reading Lists can be found here. Text in italic represents quotes from the original article.
InfoSec
- In-Depth Technical Analysis of the Bybit Hack - the attack was carried out by injecting malicious JavaScript code into Safe{Wallet} UI through a compromised developer machine - [link]
- Reporter’s Guide to Detecting AI-Generated Content - here’s what keeps me up at night: Traditional fact-checking takes hours or days. AI misinformation generation takes minutes. - [link]
- How weak passwords and other failings led to catastrophic breach of Ascension - “When I came up with Kerberoasting in 2014, I never thought it would live for more than a year or two,” - [link]
- The Problem with Human 2.0 and the Promise of Human 3.0 - provoking and worth thinking about - [link]
- One Token to rule them all - obtaining Global Admin in every Entra ID tenant via Actor tokens - one of the biggest public vulns in MSFT infrastructure in the last years - In my personal opinion, this whole Actor token design is something that never should have existed. It lacks almost every security control that you would want - [link]
- AI-Generated “Workslop” Is Destroying Productivity - Yet a recent report from the MIT Media Lab found that 95% of organizations see no measurable return on their investment in these technologies. - Over time, this interpersonal workslop tax threatens to erode critical elements of collaboration that are essential for successful workplace AI adoption efforts and change management. - [link]
- Why burnout is a growing problem in cyber-security - nothing fundamentally new in this article, but it’s important to keep it on the radar - [link]
- Well, Well, Well. It’s Another Day. (Oracle E-Business Suite Pre-Auth RCE Chain - CVE-2025-61882) - what we have observed is that CVE-2025-61882 (as it is now memorably called) is not “just” one vulnerability. It is a poetic flow of numerous small/medium weaknesses. - this is because if the connection is not kept alive, the XSL document cannot be downloaded and parsed in time - which causes the full RCE chain to fail. - beautifully constructed - [link]
- 102 Lessons from the 102 Books I Read This Year - not directly infosec but worth a review - [link]
- Apple alerts exploit developer that his iPhone was targeted with government spyware - if you play with fire … - [link]
- Owners of Luxury Smart Beds Literally Lost Sleep Due to AWS Outage - Status of the Internet in 2025 - [link]
- Token Protection: The Good, the Bad, and the Assumptions - good read on tokens and associated weaknesses - [link]
- Security Leadership Master Class 2 : Dealing with the board and other executives - great series with a lot of actionable insights - [link]
- Three Security Invariants Could Prevent 65% of Breaches: Analyzing 70 Incidents and Building CISO Challenge - TLDR: hardware 2nd factor, egress controls, positive execution control - When CEOs ask their CISOs “what will we get for this investment?”, the answer is honest but unsatisfying: “No guarantees. Even with significant investment, we can’t promise zero incidents.” So most CEOs make the rational choice: do the bare minimum, focus on growth and customer acquisition, and deal with security incidents when they happen. - [link]
- The security paradox of local LLMs - The conventional wisdom that local, on-premise models offer a security advantage is flawed. While they provide data privacy, our research shows their weaker reasoning and alignment capabilities make them easier targets for sabotage - [link]
- Could the internet go offline? Inside the fragile system holding the modern world together - But the real doomsday event, the kind that the world’s few internet experts still worry about in private Slack groups, is slightly different – a sudden, snowballing error in the creaky, decades-old protocols that underlie the whole internet. - let me guess: DNS and BGP - In the UK, there is a non-virtual contingency plan, or at least there was. If the internet shuts down, the people who know how it works will meet up in a pub outside London and decide what to do, says Murdoch - [link]
- Leaker reveals which Pixels are vulnerable to Cellebrite phone hacking - At least according to Cellebrite, GrapheneOS is more secure than what Google offers out of the box - [link]
- CyberSlop — meet the new threat actor, MIT and Safe Security - [link]
- Cyber Brief 25-11 - October 2025 - [link]
- China’s Vulnerability Research: What’s Different Now? - Two decades ago, China’s vulnerability scene was open and improvised: a mix of hobbyists, hackers, and small collectives trading exploits online. Today, it’s structured, competitive, and increasingly state-aligned. - [link]
- Brussels knifes privacy to feed the AI boom - [link]
- AI Has the Opposite Data Problem - great point with a lot of strong arguments on why we have enough data for AI to work on - whether this is the data we should use to train AI on is another question - [link]
This post is licensed under CC BY 4.0 by the author.
