Weekend Reads 180216: Skimmers and MITM and x509 Covert Channels, oh my…

When you realize how easy it is for thieves to compromise an ATM or credit card terminal with skimming devices, it’s difficult not to inspect or even pull on these machines when you’re forced to use them personally — half expecting something will come detached. For those unfamiliar with the stealth of these skimming devices and the thieves who install them, read on. @Krebs on Security

Here is a short blog post that explains how you can make your own Man-in-the-Middle (MitM) setup for sniffing the traffic between a SIM card and the backend server. This is NOT new research, but I hope this will help anyone who doesn’t have a telco background get started playing with mobile data sniffing and fake base stations. This is applicable to many scenarios today, as we have so many IoT devices with SIM cards in them that connect to the backend. —Priya Chalakkal @The Insinuator

He got the idea while analyzing the Vawtrak malware after discovering that it read multiple fields in the X.509 certificate provided by the server before proceeding. Jason initially thought these fields were used as a C2 channel, but then realized that Vawtrak performed a variant of certificate pinning in order to discover SSL man-in-the-middle attempts. —Erik Hjelmvik @Netresec

Account takeover attacks are a nearly invisible tactic for conducting cyber espionage. Because these breaches can take months or years to detect, we are slowly discovering that this attack vector is much more common than we thought. The more we learn about new methodologies, the more we realize just how misunderstood account takeover attacks can be. Many of the common myths about account takeover attacks are making it easier for the attackers to continue undetected, which is why we feel obligated to debunk them. —Dylan Press @The Cloud Security Alliance

In advance of Data Privacy & Protection Day, the Online Trust Alliance, an Internet Society initiative, just released the Cyber Incident & Breach Trends Report (press release here), a look back at the cyber incident trends in 2017 and what can be done to address them. This report marks the tenth year OTA has provided guidance in this area, and while the specifics have certainly changed over time, the core principles have not. —Jeff Wilbur @The Internet Society

Got an old Raspberry Pi lying around? Hate seeing ads while browsing the web? Pi-hole is an open source software project that blocks ads for all devices on your home network by routing all advertising servers into nowhere. What’s best is it takes just a few minutes to set up. —Ben Nuttall @opensource.com

Fumbling is a general term for repeated systematic failed attempts by a host to access resources. For example, legitimate users of a service should have a valid email ID or user identification. So if there are numerous attempts by a user from a different location to target the users of this service with different email identifications, then there is a chance that this is an attack from that location. From the data analysis point of view, we say a fumbling condition has happened. —Dipankar-Ray @opensourceforu

Coming from the simple days of peripheral firewalls, the cloud made security more nuanced for IT teams. However, with the advent of containers, this equation reached a new level of complexity. When they started out, the mantra around containers was that “containers do not contain.” Linux security professionals were vocal about the weak process isolation between containers, and that a vulnerability couldn’t be easily contained from spreading to neighboring containers, as multiple containers share the same guest OS. —Twain Taylor @The New Stack

Companies around the globe are scrambling to comply with new European privacy regulations that take effect a little more than three months from now. But many security experts are worried that the changes being ushered in by the rush to adhere to the law may make it more difficult to track down cybercriminals and less likely that organizations will be willing to share data about new online threats. @Krebs on Security

Republican Sens. Tom Cotton (Ark.) and Marco Rubio (Fla.) introduced a bill Wednesday to prohibit government use of telecommunications products from two Chinese companies. The Defending U.S. Government Communications Act would prohibit the U.S. government from purchasing or leasing equipment or services from Huawei or ZTE, according to a statement from Cotton’s office. Cotton said the government should not trust devices from companies so closely linked to the Chinese communist government. —Paul Crookston @The Free Beacon

Humans are not sleeping the way nature intended. The number of sleep bouts, the duration of sleep, and when sleep occurs have all been comprehensively distorted by modernity. —Matthew Walker @Delancey Place

Many Americans find their lives devoid of meaning; up to 40 percent of Americans have “not discovered a satisfying life purpose.” Without purpose can anyone truly live a full, happy life? As Bill Murray discovered in his classic comedy Groundhog Day, a life focused on hedonic pleasures won’t lead to happiness. —Barry Brownstein @Intellectual Takeout

Until her suicide last week, most people had never heard of Jill Messick, which by all accounts, was how she wanted things. She wasn’t a star, but she babysat for them, as all film producers must, and she knew first-hand how ugly fame can be. —Abigail Shrier @The Federalist