I have a serious thirst for InfoSec knowledge. However, like anybody else in this field, I tend to stay within the domains that interest me most - or that I find myself working in most often. After a recent conversation with a friend I found myself deep-diving into a whitepaper on Apple's iOS security implementation and was both floored and fascinated. This was so far out of my wheelhouse I'd never have thought to seek it out on my own, let alone devote hours to reading and debating its points. It made me wonder -- what else am I missing out on by being myopic in my research? So, I turned to Twitter. I interact with a great many security experts every day, and wondered what they're reading that I am not. I made the following plea:
Let's try something. Reply w/your favorite Infosec article, paper, or howto. Just one. Spread some knowledge and some cool reading materials— Jayme (@highmeh) August 13, 2016
And boy did I ever get a response. From technical articles, to book recommendations, to videos and whitepapers, Twitter responded in force. I'd like to share some of the great recommendations I've received - though admittedly, I'm still working my way through them all.
Credit is given to both author and submitters, where available.
“Pentest Bookmarks,” by kurobats. Submitted by @xpirabit
An enormous list of Penetration Testing resources; from blogs and people to follow, to privilege escalation articles, to tools and how-tos. This is a great resource for anyone on the red-side of security.
“How to Milk a Computer Science Education for Offensive Security Skills,” from the Cobalt Strike blog. Submitted by @xpirabit
Traditional schools teach computer science - but how does that translate into the offensive security roles that interest you? The author gives his advice on making the most of your college education.
“The Power of Believing That You Can Improve,” by Carol Dweck. Submitted by @haydnjohnson
A great TED Talk on growing your capacity to solve and understand problems that at face value seem too difficult to overcome.
“nmap: Documentation and Manuals,” by Fyodor. Submitted by @TryCatchHCF
In information security, nmap is our bread and butter. But there is much more to what it can do for you than the basics - from the Nmap Scripting Engine (NSE) to very granular scan and timing options - and the documentation beyond “nmap --help” is well worth a glance.
“AVLeak: Fingerprinting Antivirus Emulators through Black-Box Testing,” by Blackthorne/Bulazel/Fasano/Biernat/Yener of Rensselaer Polytechnic Institute. Submitted by @hexacorn
Presents techniques for fingerprinting antivirus emulators through black-box testing alone, without reverse-engineering the AV engine. Also covers classification of the fingerprints found, the defensive implications, and future research opportunities.
“Beyond good ol’ Run key (series),” by Hexacorn. Submitted by @jepayneMSFT
Malware needs persistence to survive a reboot and keep itself active. Often it sticks itself in the registry Run key - but what are its other options? Where should you, as a defender, look? This is a deep dive into persistence mechanisms (at this writing up to Part 45).
“Security Engineering, Second Edition,” by Ross Anderson. Submitted by @mikerod_sd
Available online in addition to textbook form, Security Engineering runs the gamut of security theory and best practice. Discussing everything from crypto and the psychology of usability to electronic warfare and nuclear command and control, the knowledge contained here is worth a read.
“Sandbox Stories, Flight of the Great Cuckoo Bird,” by DigiWarfare. Submitted by @da_667
A very thorough how-to and discussion of deploying Cuckoo Sandbox - a tool used to analyze malware. Cuckoo accepts the files you send it, runs them in an isolated virtual machine, records their behavior, and reports the results back to you. Any budding malware analyst should give this a read.
“Countdown to Zero Day,” by Kim Zetter. Submitted by @DumbM4st4
Kim Zetter goes into great detail on both the political and technical sides of the Stuxnet incident, a highly advanced piece of malware discovered in 2010 that targeted Iranian uranium enrichment plants. While not available to read online, this is a worthwhile purchase for anyone in the security industry or anyone interested in cyber warfare.
“How to Build your Own Penetration Testing Drop Box,” by Beau Bullock. Submitted by @jayhaskins
Beau Bullock of Black Hills Information Security compares three single board computers to determine which serves as the best penetration testing ‘drop box’ on a very small budget. Includes comparisons and a full walkthrough.
“The Defensive Security Podcast,” by Jerry Bell and Andrew Kalat. Submitted by @xpirabit
While not quite reading material, the Defensive Security Podcast is a weekly release by Jerry Bell (@maliciouslink) and Andrew Kalat (@lerg) that discusses recent information security news and stories, and invites guests to talk about what they're doing. Quickly approaching 200 episodes, the Defensive Security Podcast has kept me company during many long commutes.
“The Conscience of a Hacker,” by +++The Mentor+++. Submitted by @zBeer.
A quick glimpse into the mind of a teenage hacker. The source of the quote “Yes, I am a criminal. My crime is that of curiosity.” Worth reading for a (probably very relatable) perspective.
“Hacking in The Far East,” by Paul Sebastian Ziegler. Submitted by @purkkaviritys
Pop culture has shown us the typical hackers in the United States and, to a degree, in Eastern Europe. But what about the rest of the world? This presentation discusses how InfoSec works in Japan, South Korea, and Hong Kong. A very unique perspective.
“Incident Response & Computer Forensics,” by Luttgens/Pepe/Mandia. Submitted by @regimentality
The definitive guide to incident response. Incident Response & Computer Forensics (Third Edition) covers the full scope of IR - from evidence preservation and data collection to malware triage and reporting. It is a great intro for newcomers and a reference guide for experienced IR practitioners.
“Security Attacks and Solutions in Clouds,” by Zunnurhain/Vrbsky, University of Alabama. Submitted by @therealmikepres
These days we see the cloud as an extension of our own networks; in fact, for many companies, it has become the norm. But with the move to the cloud, we face a new set of problems. What risks are unique to cloud computing, and how are they mitigated?
“Out of the Ordinary - Finding Hidden Threats by Analyzing Unusual Behavior,” by Hollywood/McKay. Submitted by @maartenvhb
We’ve all heard the phrase, ‘You can’t know abnormal until you know normal’ in regard to system security. But beyond comparing to a baseline, what does atypical behavior mean? This document describes hunting for abnormal behavior, discusses conceptual architecture for analyzing behavior, and the techniques for connecting the dots to find out what truly qualifies as “unusual.”
“Smashing the Stack for Fun and Profit,” by Aleph One. Submitted by @_noid_
Described by many as a game changer in their early careers, Smashing the Stack for Fun and Profit discusses ‘corrupting execution stacks by writing past the end of an array declared auto in a routine.’ Because the saved return address sits on the stack just past such a buffer, an overflow can overwrite it and redirect execution to an attacker-chosen address - for example, into injected code that spawns a command shell.
“A Tour of the Win32 Portable Executable File Format,” by Matt Pietrek. Submitted by @sehque
In this document, Pietrek deep-dives into the Windows Portable Executable file format, used by all Win32-based systems. A deep dive, but accessible enough for most practitioners, the article gives not only a technical analysis but also discusses why Microsoft moved to the format.
“How to become a Pentester,” by corelanc0d3r. Submitted by @xpirabit
Everyone wants to pop shells, but how does one make a move into the red side of security? In this article, Corelan describes the process of how to get a start in penetration testing. As someone making a move into this side of the industry myself, I found it a very good read with very realistic recommendations.
“Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice,” by Adrian/Bhargavan/Durumeric/Gaudry/Green/Halderman/Heninger/Springall/Thomé/Valenta/VanderSloot/Wustrow/Zanella-Béguelin/Zimmermann. Submitted by @SecureSamurai
This is an intense read that crypto folks will love. The authors investigate how Diffie-Hellman key exchange is deployed in practice and find multiple flaws: the Logjam attack, which downgrades a TLS connection to 512-bit export-grade groups that can be broken after a precomputation, and evidence that the same precomputation against the handful of widely shared 1024-bit groups is within reach of nation-state adversaries - a plausible explanation for reported government decryption of some types of VPN traffic.
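The first practical check that paper leaves you with is simply: how big is the group the server actually offered? The snippet below is an added example (not code from the paper or from this post): it parses the ServerDHParams structure that a TLS 1.2 DHE ServerKeyExchange carries (three length-prefixed big-endian integers p, g and Ys) and grades the prime's size against the paper's findings. The sample message is constructed inline from a pseudo-random 512-bit odd number, which stands in for a real export-grade prime only for the purpose of the size check; the function and category names are my own.

```python
import random


def encode_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Serialise ServerDHParams: opaque dh_p<1..2^16-1>, dh_g, dh_Ys (RFC 5246 7.4.3)."""
    out = bytearray()
    for value in (p, g, ys):
        raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
        out += len(raw).to_bytes(2, "big") + raw
    return bytes(out)


def parse_server_dh_params(data: bytes):
    """Return (p, g, Ys, trailing) where trailing is whatever follows the params
    (the signature block in a signed ServerKeyExchange)."""
    off = 0
    fields = []
    for name in ("dh_p", "dh_g", "dh_Ys"):
        if off + 2 > len(data):
            raise ValueError(f"truncated before length of {name}")
        length = int.from_bytes(data[off:off + 2], "big")
        off += 2
        if length == 0 or off + length > len(data):
            raise ValueError(f"bad length {length} for {name}")
        fields.append(data[off:off + length])
        off += length
    p, g, ys = (int.from_bytes(f, "big") for f in fields)
    return p, g, ys, data[off:]


def assess_dh_group(p: int) -> str:
    """Grade the DH modulus size using the paper's thresholds (labels are mine)."""
    bits = p.bit_length()
    if bits <= 512:
        return "export-grade"      # Logjam territory: breakable after precomputation
    if bits < 2048:
        return "weak"              # 768/1024-bit: within reach of a nation-state
    return "acceptable"


def build_constructed_export_sample() -> bytes:
    """A deterministic, constructed 512-bit 'prime' (odd, top bit set; not actually
    prime) plus toy g and Ys, solely to exercise the size check offline."""
    rng = random.Random(2016)
    p = rng.getrandbits(512) | (1 << 511) | 1
    g = 2
    ys = rng.getrandbits(511)
    return encode_server_dh_params(p, g, ys)


def grade_server_key_exchange(data: bytes) -> tuple[int, str]:
    """Parse a ServerDHParams blob and return (modulus bits, assessment)."""
    p, _g, _ys, _trailing = parse_server_dh_params(data)
    return p.bit_length(), assess_dh_group(p)


if __name__ == "__main__":
    bits, verdict = grade_server_key_exchange(build_constructed_export_sample())
    print(f"server offered a {bits}-bit DH group: {verdict}")
```

In a live engagement the bytes would come from a captured handshake; the point of the parser is that the modulus is visible in the clear, so a downgrade to an export group is detectable from the wire without any keys.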
“When Back Doors Go Bad: Mind your Ps and Qs,” by Jeffrey Goldberg. Submitted by @TheSmallMargin
This article makes a simple point: the easiest system to backdoor is one that was already less secure than its alternatives. The author walks through the math behind the Dual_EC_DRBG random number generator - the NSA-influenced standard at the center of the recent backdoor controversy - and why its choice of the constants P and Q matters. This is a great read.
“‘I’ve Got Nothing To Hide,’ and other Misunderstandings of Privacy,” by Daniel J Solove. Submitted by @LibbyBrittain
It's a phrase we hear all the time - “Who cares if the government watches what I'm doing, I've got nothing to hide.” But this barely skirts the edge of the mass surveillance issue, as Solove explains. The amount of data that can be correlated to an individual, and the tales it can tell, can be alarming. Solove discusses the common misconceptions about surveillance and privacy and some of the real-world repercussions we face as a result.
“Environmental Key Generation towards Clueless Agents,” by Riordan/Schneier. Submitted by @VessOnSecurity
In this paper, the authors introduce cryptographic key constructions built from environmental data: a mobile agent carries its payload encrypted under a key derived from some observation of its environment, so that the agent itself is “clueless” and an analyst who captures it cannot recover the key or the payload without reproducing that environment. The paper also surveys applications of such keys.
“This World of Ours,” by James Mickens. Submitted by @t_husoy
Security researchers love screaming about the end of the world. But what is at the heart of it all? What really matters, when you cut through the wordy essays and the panic? Mickens gives a lighthearted and entertaining look at this world of ours, and at how to figure out what's really important.
“Temporal Return Addresses: Exploitation Chronomancy,” by skape. Submitted by @moyix
Most exploit techniques depend on some knowledge of the target process's address space, or on its static addressing. In this paper, the author describes the concept of temporal addresses - memory locations whose contents are predictable as a function of time - and their use in making exploitation more reliable.
“Order-Preserving Symmetric Encryption,” by Boldyreva/Chenette/Lee/O'Neill of Georgia Institute of Technology. Submitted by @pag_crypto
If you love crypto, you'll love this paper. In it, the authors begin the formal study of order-preserving symmetric encryption (OPE), whose ciphertexts preserve the numerical ordering of their plaintexts so that a database can answer range queries on encrypted data without decrypting it. This is a very deep dive into the concept, and walks through the design of an efficient OPE scheme.
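To make the property concrete, the block below is an added example (not the authors' scheme) of the ideal object the paper's construction is built to approximate: a uniformly random order-preserving function from a plaintext domain to a larger ciphertext range, sampled whole from a key-seeded PRNG. The paper's own contribution is sampling that function lazily, one point at a time, so it scales to large domains; sampling the whole thing at once, as here, only works for tiny domains. The domain and range sizes, the record set and the function names are my own constructions.

```python
import bisect
import hashlib
import random

PLAINTEXT_DOMAIN = 256        # plaintexts are integers in [0, 256)
CIPHERTEXT_RANGE = 1 << 16    # ciphertexts are integers in [0, 65536)


class ToyOPE:
    """A random order-preserving function m -> c, with c strictly increasing in m.
    The whole function is sampled from a key-seeded PRNG, so this is only viable
    for small domains (the paper's lazy-sampling construction avoids that)."""

    def __init__(self, key: bytes):
        seed = int.from_bytes(hashlib.sha256(key).digest(), "big")
        rng = random.Random(seed)
        # N distinct points of the range, sorted: a random monotone map from the domain.
        self._table = sorted(rng.sample(range(CIPHERTEXT_RANGE), PLAINTEXT_DOMAIN))

    def encrypt(self, m: int) -> int:
        if not 0 <= m < PLAINTEXT_DOMAIN:
            raise ValueError("plaintext out of domain")
        return self._table[m]

    def decrypt(self, c: int) -> int:
        i = bisect.bisect_left(self._table, c)
        if i == PLAINTEXT_DOMAIN or self._table[i] != c:
            raise ValueError("not a valid ciphertext")
        return i


def encrypted_range_query(ciphertexts: list[int], c_lo: int, c_hi: int) -> list[int]:
    """What the server does: select stored ciphertexts between the encrypted bounds
    using ordinary integer comparison, with no key and no decryption."""
    return [c for c in ciphertexts if c_lo <= c <= c_hi]


def demo_range_query(key: bytes, records: list[int], lo: int, hi: int) -> list[int]:
    """Client encrypts records and bounds; server filters; client decrypts the hits."""
    ope = ToyOPE(key)
    stored = [ope.encrypt(r) for r in records]          # what the server holds
    hits = encrypted_range_query(stored, ope.encrypt(lo), ope.encrypt(hi))
    return sorted(ope.decrypt(c) for c in hits)


if __name__ == "__main__":
    # Constructed sample: ages stored encrypted; query "between 30 and 40 inclusive".
    print(demo_range_query(b"example-key", [17, 31, 40, 52, 33, 29], 30, 40))
```

The leakage is by design and worth stating plainly: because comparison works on ciphertexts, anyone holding the table learns the full ordering of the data (and, as here, the fact that 31 and 33 are adjacent), which is exactly the trade-off the paper formalises.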
“PSA: Backups,” by jwz. Submitted by @unixbigot
You should be doing backups. No, really. Back up. Seriously - when did you last back up? Go back up again. In this extremely short but worthwhile post, the author gives some very simple ways to do personal backups on the cheap. Why? Because at some point, your hardware will die. Go back up now.
“Cryptonomicon,” by Neal Stephenson. Submitted by @weirdnik
An entertaining bestselling novel centered on cryptography, in both the past and the near future - one that anticipates the rise of anonymous internet money. As this is a book and not an online resource, the link goes to Amazon.com. A very good read and a favorite of many in information security.
This should be enough to keep anyone busy for quite a while. Some of the topics may be completely foreign to you, or over your head (believe me - some of the crypto whitepapers had my head spinning) -- and others you might think of as simple review. Neither is a bad thing. Knowing what your peers are reading and learning has great value in a collaborative industry such as ours. Feel free to share anything you'd recommend to the community - what you think of as standard reading may lead someone else down a wildly different career path.