
Open Security News week 21-2022

Reducing complexity in information security means following a few proven principles. Two examples: preventing a security risk up front is easier than maintaining a mitigation for it later, and good, simple, up-to-date documentation always helps. Bring it down to the crucial things.

1 Security by Design Playbook

Security by design is a proven method for developing products that are less vulnerable to cyber security threats. This open access Security by Design playbook covers the core elements needed for successful application of the Security by Design approach.

(Link)

2 Zero-trust architecture may hold the answer to cybersecurity insider threats

Zero-trust security principles could protect against insider threat by treating every component, service, and user of a system as continuously exposed to and potentially compromised by a malicious actor. But a key takeaway from the study is that there isn’t a one-size-fits-all approach to zero trust.
(Link)

3 Calico has the OpenSSF Best Practices Badge

Recently the Calico project completed the OpenSSF self-assessment and received the badge. The Open Source Security Foundation (OpenSSF) Best Practices badge is a way for Free/Libre and Open Source Software (FLOSS) projects to show that they follow best practices. Note that it is a self-assessment against a published checklist, not a third-party audit. Calico is a widely adopted, battle-tested open source networking and network security solution for Kubernetes, virtual machines, and bare-metal workloads.

(link)

4 Microsoft detects surge in Linux XorDDoS malware activity

A stealthy and modular malware family used to compromise Linux devices and build a DDoS botnet has seen a 254% increase in activity over the last six months, according to Microsoft.

The malware, active since at least 2014, is known as XorDDoS because it uses XOR-based encryption for its communication with command-and-control servers, and it is employed to launch distributed denial-of-service (DDoS) attacks. XOR with a static key is obfuscation rather than real encryption: once the key is recovered, from the binary or from a known plaintext fragment, the traffic can be read.

(Link)
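As an added illustration for item 4 (not code from Microsoft's analysis or from the malware itself), the Go program below shows why a static XOR key protects nothing once an analyst has a known plaintext fragment: the same routine obfuscates and deobfuscates, and one plaintext fragment at least as long as the key period gives the whole key. The key, the message and the fixed greeting prefix are constructed for this example; the real XorDDoS key and protocol are not reproduced here.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// Constructed values for this example: neither the key nor the message is taken
// from real XorDDoS samples; they only stand in for a bot-to-C2 message.
var (
	sampleKey = []byte("k3y-demo")
	sampleMsg = []byte("HELLO:bot-7f3a|CMD:flood 192.0.2.10:80 udp 60s\n")
)

// xorRepeatingKey XORs data with a repeating key. XOR is its own inverse, so the
// same call obfuscates on the bot side and deobfuscates on the analyst's side.
func xorRepeatingKey(data, key []byte) []byte {
	out := make([]byte, len(data))
	for i, b := range data {
		out[i] = b ^ key[i%len(key)]
	}
	return out
}

// recoverKey is a known-plaintext attack on a repeating key: if knownPlain is
// known to sit at offset off in cipher and spans at least one key period,
// every key byte is simply cipher XOR plaintext at the matching position.
func recoverKey(cipher, knownPlain []byte, off, keyLen int) ([]byte, error) {
	if keyLen <= 0 || len(knownPlain) < keyLen {
		return nil, errors.New("known plaintext must cover at least one key period")
	}
	if off < 0 || off+len(knownPlain) > len(cipher) {
		return nil, errors.New("known plaintext does not fit inside the ciphertext")
	}
	key := make([]byte, keyLen)
	for i := 0; i < keyLen; i++ {
		pos := off + i
		key[pos%keyLen] = cipher[pos] ^ knownPlain[i]
	}
	return key, nil
}

// looksLikeText is the sanity check applied to a candidate decryption: bot
// commands are normally printable ASCII with line endings, random bytes are not.
func looksLikeText(b []byte) bool {
	if len(b) == 0 {
		return false
	}
	for _, c := range b {
		if c != '\n' && c != '\r' && c != '\t' && (c < 0x20 || c > 0x7e) {
			return false
		}
	}
	return true
}

func main() {
	wire := xorRepeatingKey(sampleMsg, sampleKey) // what a network sensor captures
	fmt.Printf("on the wire: %x\n", wire)

	// Assumption for the example: the analyst knows the bot's fixed greeting
	// prefix, which is longer than the 8-byte key period.
	key, err := recoverKey(wire, []byte("HELLO:bot-"), 0, len(sampleKey))
	if err != nil {
		panic(err)
	}
	plain := xorRepeatingKey(wire, key)
	if !bytes.Equal(plain, sampleMsg) {
		panic("round trip failed")
	}
	fmt.Printf("recovered key %q, plausible text: %v\n%s", key, looksLikeText(plain), plain)
}
```

Where the key length is unknown, run recoverKey for each candidate length and keep the result whose decryption passes looksLikeText; a known fragment at a non-zero offset works just as well, because the key positions are taken modulo the key length.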

5 Themes from Real World Crypto 2022

Recently 500 cryptographers from around the world gathered in Amsterdam for Real World Crypto 2022. This article gives an excellent summary. Read it to learn what was discussed, for example: security tooling is still too difficult to use, side channels are everywhere, and application-layer protocol confusion.

(link)

6 Can we fix bearer tokens?

If you’re issuing a bearer token to a system then you’re already asserting that the system is trusted: whoever presents the token gets access, whether they obtained it legitimately or stole it. Most issuers of bearer tokens have no support for embedding holder identity into the token. Sender-constrained alternatives exist, for instance certificate-bound access tokens over mutual TLS (RFC 8705) or a per-request proof of possession as in OAuth DPoP, but few issuers offer them.
(Link)
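To make the point of item 6 concrete, here is an added Go example, not code from the linked article: the token's claims carry a thumbprint of the holder's key (the cnf claim of RFC 7800), and the resource server accepts the token only together with a per-request signature made with that key, in the spirit of OAuth DPoP (a draft at the time, later RFC 9449) but in a simplified format. Assumptions for the example: the thumbprint is a hex SHA-256 over the DER-encoded public key rather than an RFC 7638 JWK thumbprint, the token is a signed struct rather than a JWS, the lifetime is 10 minutes, the proof window 60 seconds, and all names and URLs are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Claims is the token body; cnf.jkt is the holder's key thumbprint (RFC 7800).
type Claims struct {
	Exp int64 `json:"exp"`
	Cnf struct {
		Jkt string `json:"jkt"`
	} `json:"cnf"`
}

// Token is the issuer-signed claims. Proof travels with every request: the holder's
// public key (DER) and a signature over request line, timestamp and token hash.
type Token struct{ Body, Sig []byte }
type Proof struct {
	Key, Sig []byte
	Req      string // "METHOD URL"
	At       int64
}

func digest(b []byte) []byte       { h := sha256.Sum256(b); return h[:] }
func thumbprint(der []byte) string { return fmt.Sprintf("%x", sha256.Sum256(der)) }

func proofInput(p *Proof, t Token) []byte {
	return []byte(fmt.Sprintf("%s\n%d\n%x", p.Req, p.At, sha256.Sum256(t.Body)))
}

// IssueToken is the authorization server: it signs claims that name the holder's key.
func IssueToken(issuer *ecdsa.PrivateKey, holderPub *ecdsa.PublicKey, now time.Time) Token {
	der, _ := x509.MarshalPKIXPublicKey(holderPub)
	var c Claims
	c.Exp, c.Cnf.Jkt = now.Add(10*time.Minute).Unix(), thumbprint(der)
	body, _ := json.Marshal(c)
	sig, _ := ecdsa.SignASN1(rand.Reader, issuer, digest(body))
	return Token{Body: body, Sig: sig}
}

// MakeProof is run by the holder, with its own private key, for every request.
func MakeProof(holder *ecdsa.PrivateKey, t Token, req string, now time.Time) *Proof {
	der, _ := x509.MarshalPKIXPublicKey(&holder.PublicKey)
	p := &Proof{Key: der, Req: req, At: now.Unix()}
	p.Sig, _ = ecdsa.SignASN1(rand.Reader, holder, digest(proofInput(p, t)))
	return p
}

// VerifyRequest is the resource server: after the usual issuer-signature and expiry
// checks it requires that the proof key matches cnf.jkt and signs this very request.
// A captured token fails here unless the attacker also holds that private key.
func VerifyRequest(issuerPub *ecdsa.PublicKey, t Token, req string, p *Proof, now time.Time) (*Claims, error) {
	var c Claims
	if !ecdsa.VerifyASN1(issuerPub, digest(t.Body), t.Sig) || json.Unmarshal(t.Body, &c) != nil {
		return nil, errors.New("token not signed by issuer or malformed")
	}
	if now.Unix() >= c.Exp {
		return nil, errors.New("token expired")
	}
	pubAny, err := x509.ParsePKIXPublicKey(p.Key)
	pub, ok := pubAny.(*ecdsa.PublicKey)
	if err != nil || !ok {
		return nil, errors.New("proof key is not a valid ECDSA public key")
	}
	if thumbprint(p.Key) != c.Cnf.Jkt {
		return nil, errors.New("proof key does not match cnf.jkt: presenter is not the holder")
	}
	if age := now.Unix() - p.At; p.Req != req || age < -60 || age > 60 {
		return nil, errors.New("proof is for another request or outside the freshness window")
	}
	if !ecdsa.VerifyASN1(pub, digest(proofInput(p, t)), p.Sig) {
		return nil, errors.New("proof signature invalid")
	}
	return &c, nil
}

// Scenario: the holder is accepted; a thief who captured only the token, and so must
// sign the proof with a different key, is rejected. All names are constructed.
func Scenario() (holderOK bool, thiefErr error) {
	issuer, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	holder, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	thief, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now, req := time.Now(), "GET https://api.example/invoices"
	t := IssueToken(issuer, &holder.PublicKey, now)
	_, err := VerifyRequest(&issuer.PublicKey, t, req, MakeProof(holder, t, req, now), now)
	_, thiefErr = VerifyRequest(&issuer.PublicKey, t, req, MakeProof(thief, t, req, now), now)
	return err == nil, thiefErr
}
func main() { fmt.Println(Scenario()) }
```

The difference from a bearer token is entirely in VerifyRequest: the token alone proves nothing, the presenter must also sign this request with the key named in cnf.jkt. A real deployment would add a server-issued nonce or a replay cache, since within the freshness window the same proof could be replayed against the same request.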

7 Revocation Reason Codes for TLS Server Certificates

Some CAs were not using revocation reason codes at all for TLS server certificates, so a relying party could not tell a key compromise from a routine replacement. Mozilla's updated Root Store Policy requires CAs to include a reason code in CRL entries for revoked TLS server certificates and specifies which codes may be used and when. These new requirements are important steps towards improving the security of the web PKI.

(Link)

8 Open Source Software Security: Turning Sand into Concrete

No company is immune: everyone relies on multiple open source software packages to run their organization’s software. The Linux Foundation and OpenSSF gathered around 100 participants from enterprise, the U.S. government, and the open source community to agree on an action plan to help increase the security of open source software. Check the new OpenSSF plan: The Open Source Software Security Mobilization Plan.

(Link)

9 Qubes OS

Qubes OS is a FOSS security-oriented operating system for single-user desktop computing. Qubes OS leverages Xen-based virtualization to allow for the creation and management of isolated compartments called qubes. Because each qube is a separate virtual machine, the isolation boundary is the hypervisor rather than the shared kernel that LXD containers (Linux) or jails (BSD) rely on. If you want stronger isolation than those offer on a desktop, this project should be on your radar.

(link)

10 Can You Still See Me?: Reconstructing Robot Operations Over End-to-End Encrypted Channels

Connected robots play a key role in Industry 4.0, providing automation and higher efficiency for many industrial workflows. Unfortunately, these robots can leak sensitive information about these operational workflows to remote adversaries: the paper shows that a passive observer can reconstruct robot operations from the traffic patterns of an end-to-end encrypted channel, without breaking the encryption. Ultimately, simply adopting best cybersecurity practices is clearly not enough to stop even weak (passive) adversaries.
(arXiv Link)

Our Partners:

nocomplexity

The Open Security newsletter is an overview of cyber security news with a core focus on openness. Pointing out what went wrong after a cyber security breach is easy. Designing good and simple measures is hard. So join the open Security Reference Architecture collaboration project to create better solutions together. Or become a partner to support this project. Use our RSS or ATOM feed to follow Open Security News.