How Not talk links
How Not… talk: the links

Herein are some books, articles, and people that we read, skimmed, or thought fondly of while preparing the “How Not to Have a Bad Time with Risky Data” talk seen at B-Sides Atlanta 2024.
- CSV/XLS foolishness
- https://infosecwriteups.com/formula-injection-exploiting-csv-functionality-cd3d8efd02ec
- https://www.veracode.com/blog/secure-development/data-extraction-command-execution-csv-injection
- This way to GIFARs, polyglots, chimera, and weird machines …
- https://github.com/corkami/docs, https://github.com/corkami/docs/blob/master/AbusingFileFormats/README.md, https://www.dfirnotes.net/filetypes-brownbag/ (2017)
- QubesOS is merely “A reasonably secure operating system”
- cf: http://www.trustedbsd.org/news.html => Common Criteria (replaced The Rainbow Books)
- Rabbit Hole: https://en.wikipedia.org/wiki/Solaris_Trusted_Extensions
- or this argument: https://isopenbsdsecu.re/about/
- or this one: https://grsecurity.net/research
- or this one: MJG, who “wrote the first prototype of Shim”: https://mjg59.dreamwidth.org/
- But mostly: https://stopdisablingselinux.com/
- VM escape examples (more than 42 listed):
- https://en.wikipedia.org/wiki/Virtual_machine_escape
- file(1) and libmagic vuln example (via FreeBSD Security)
- https://www.freebsd.org/security/advisories/FreeBSD-SA-14%3A16.file.asc
- The Smart Girl’s Guide to Privacy, Violet Blue (2015) https://nostarch.com/smartgirlsguide
- The Grugq’s many fine articles and conference talks adjacent to and about operational security (opsec) failures: http://grugq.github.io/
- Mat Honan of Wired (2012) (NPR coverage, no paywall):
- https://www.npr.org/2012/08/09/158477219/hacker-s-wreak-havoc-on-wired-writer-s-digital-life
- Reality Winner (2018)
- https://www.justice.gov/opa/pr/federal-government-contractor-sentenced-removing-and-transmitting-classified-materials-news
- Jack Teixeira (2024)
- https://www.airforcetimes.com/home/2024/03/04/pentagon-leak-suspect-jack-teixeira-pleads-guilty-in-federal-court/
- Practical Malware Analysis by Michael Sikorski and Andrew Honig (2012) https://nostarch.com/malware
- 1.2 “Malware Analysis in Virtual Machines”
- Building Virtual Machine Labs: A Hands-On Guide (Second Edition) (2021) By: Tony Robinson (@da_667) https://leanpub.com/avatar2
- “Obtaining the Guidance You Seek”
- Amanda “Malware Unicorn” Rousseau’s workshops
- https://malwareunicorn.org/workshops/re101.html#2 RE 101: Environment Setup
- Malware Analyst’s Cookbook and DVD Michael Hale Ligh, Steven Adair, Blake Hartstein, Matthew Richard (2010) Wiley http://www.malwarecookbook.com/
- Chapter 1: “Anonymizing Your Activities”
- Whonix and/or Qubes OS docs for reference / research links
- https://www.whonix.org/, https://www.qubes-os.org/faq/
- Joanna R’s talks and papers:
- https://blog.invisiblethings.org/2013/02/21/converting-untrusted-pdfs-into-trusted.html (2013)
- https://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf (2014)
- https://www.blackhat.com/eu-17/briefings.html#security-through-distrusting (2017)
- James Mickens’ writings https://mickens.seas.harvard.edu/wisdom-james-mickens
- “This World of Ours” (2014)
- Locard’s principle of Exchange, Kirk’s interpretation
- https://en.wikipedia.org/wiki/Locard%27s_exchange_principle
- http://aboutforensics.co.uk/edmond-locard/
- Eli Lilly & Twitter
- https://www.investors.com/news/technology/lly-stock-dives-taking-novo-sanofi-with-it-after-fake-twitter-account-promises-free-insulin/
- LockBit:
- https://www.yahoo.com/news/lockbit-claims-federal-breach-threatens-232219114.html
- https://www.wired.com/story/lockbit-fulton-county-georgia-trump-ransomware-leak/
- CISA, “unintentional threats”
- https://www.cisa.gov/topics/physical-security/insider-threat-mitigation/defining-insider-threats
- Cisco on URLScan.io
- https://www.cisco.com/c/en/us/products/security/technical-alliance-partners/urlscan.html
- American Bar Association “Embarrassing Redaction Failures” (2019)
- https://www.americanbar.org/groups/judicial/publications/judges_journal/2019/spring/embarrassing-redaction-failures/
- Techdirt “New York Times Suffers Redaction Failure, Exposes Name Of NSA Agent And Targeted Network In Uploaded PDF” (2014)
- https://www.techdirt.com/2014/01/28/new-york-times-suffers-redaction-failure-exposes-name-nsa-agent-targeted-network-uploaded-pdf/
- Law.com / ALM Media “Epic Fail: This Common Redaction Error Exposes Confidential Info” (2018)
- https://finance.yahoo.com/news/epic-fail-common-redaction-error-174645060.html
- CBC News “Federal government mistakenly sent ‘sensitive’ information to lawyer — and now wants it back in the box” (2021)
- https://www.cbc.ca/news/politics/cbsa-ircc-national-security-redactions-1.5942306
- FBI + CISA “Alert Number: I-091224-PSA, September 12, 2024. Just So You Know: False Claims of Hacked Voter Information Likely Intended to Sow Distrust of U.S. Elections”
- https://www.ic3.gov/Media/Y2024/PSA240912
Written on September 23, 2024