Personally, I distrust all VPN services, paid or free. If you care about your privacy and security, do thorough research before using any VPN service. Jeremiah Fowler wrote an excellent article last year that outlines the risks of a VPN data breach.
(Link)
Cloudflare acts as a middleman between websites and their visitors, optimizing content delivery and providing security features. It is widely used as a CDN and as a DDoS mitigation solution. Learning from security incidents helps everyone improve, so it is great to see that Cloudflare shared details of a major security incident. The claim is, of course, that customers, customer data and customer systems were not impacted by this event. However, the blog states that the incident was caused by a ‘sophisticated actor, likely a nation-state’, and some of the crucial details needed to validate the claim that your data was not impacted are missing…
(Link)
I love this blog title! And the article states a true fact: “Sending an SMS to a customer is like sending a postcard through the mail. It’s plaintext (not encrypted), and anyone can open your mailbox and intercept/read it (which is what happens in a SIM-swap attack). The protocol was never designed to be secure.”
(Link)
Anything you connect to the internet will be hit by bad actors. Fighting DDoS attacks is very hard. This post-mortem is a great write-up. Thank you, Drew DeVault, for your openness in sharing your lessons.
(Link)
No foolproof method exists yet for protecting AI from misdirection, and AI developers and users should be wary of anyone who claims otherwise. But please, do not take my word for it: check this article by NIST (the US National Institute of Standards and Technology).
(Link)
Fail2ban is an intrusion prevention software framework. It is FOSS, has many users and an active community. But Jes Olson has some strong arguments against using Fail2ban. Read the arguments and check whether you share the conclusion: at best, fail2ban does nothing.
(Link)
Be very cautious with a microservice architecture that relies on many JWT tokens. This research gives strong arguments why you should avoid JWTs for session handling. A good way to keep learning is to figure out whether you agree with the arguments and conclusions of the author. I love the visual created in this blog. Do not get confused: there are valid reasons for using JWTs, and I personally think not all arguments of this author are valid.
(Link)
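The core of the argument against JWTs as session tokens is that the server keeps no state, so it cannot forget a token before it expires. The following is an added example (not code from the linked research or from this blog) that puts a minimal HS256 JWT next to an opaque server-side session and shows what happens after "logout". The shared secret, the user name and the logout flow are constructed for the example.

```python
"""Added example: a stateless JWT cannot be revoked, an opaque session can.

The HS256 secret, the user names and the logout flow below are constructed
for illustration; none of it comes from the linked article.
"""
import base64
import hashlib
import hmac
import json
import secrets

SECRET = b"constructed-demo-secret-do-not-reuse"  # assumption: the HS256 signing key


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(sub: str, ttl: int, now: int) -> str:
    """Minimal HS256 JWT: base64url(header).base64url(payload).base64url(sig)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"sub": sub, "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_jwt(token: str, now: int):
    """Return the claims if signature and expiry check out, else None.
    Note what is NOT here: any lookup of server-side state."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:  # malformed base64 or JSON (binascii.Error is a ValueError)
        return None
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        return None
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


class SessionStore:
    """Opaque server-side session: the token is a random id, the server owns the state."""

    def __init__(self):
        self._sessions = {}

    def create(self, sub: str, ttl: int, now: int) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"sub": sub, "exp": now + ttl}
        return sid

    def verify(self, sid: str, now: int):
        s = self._sessions.get(sid)
        return None if s is None or s["exp"] <= now else s

    def revoke(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def logout_demo(now: int = 1_700_000_000) -> dict:
    """Log in with both mechanisms, log out, report which token still works."""
    jwt = issue_jwt("alice", ttl=3600, now=now)
    store = SessionStore()
    sid = store.create("alice", ttl=3600, now=now)

    # "logout": the server can forget the session id; it has nothing to forget for the JWT
    store.revoke(sid)

    return {
        "jwt_valid_after_logout": verify_jwt(jwt, now + 60) is not None,
        "session_valid_after_logout": store.verify(sid, now + 60) is not None,
        "jwt_valid_after_expiry": verify_jwt(jwt, now + 3601) is not None,
    }


if __name__ == "__main__":
    print(logout_demo())
```

The usual answers (short expiry plus refresh tokens, or a server-side denylist) each reintroduce the state that the JWT was supposed to avoid, which is the point the author is making.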
We all know: PDFs are NOT secure! PDF files have been, and will remain, a root cause of security breaches. This blog is a great write-up of PDF features that can be abused to cause a security breach.
(Link)
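As an added example (not from the linked blog), here is a first-pass triage scanner for the PDF features that are commonly abused: automatic actions, JavaScript, launching programs, embedded files and outbound URIs. It also undoes the `#xx` hex escapes that PDF allows inside names, because `/J#61vaScript` is a classic way to slip past a naive grep. The two sample documents are constructed for the example and are not real malicious files.

```python
"""Added example: triage a PDF for risky features (not the linked blog's code).

Scope: raw object syntax only. Object streams (/ObjStm) and compressed
streams are not decoded, so a clean result is not proof of a clean file.
"""
import re

# PDF name tokens worth flagging, and why (constructed list; extend as needed)
RISKY_NAMES = {
    "/OpenAction": "action runs when the document is opened",
    "/AA": "additional actions (page open/close, form events)",
    "/JavaScript": "JavaScript action",
    "/JS": "inline JavaScript code",
    "/Launch": "launches an external program or file",
    "/EmbeddedFile": "embedded file (dropper carrier)",
    "/URI": "opens an external URL",
    "/SubmitForm": "submits form data to a remote server",
    "/RichMedia": "Flash / rich media content",
    "/XFA": "XFA forms",
}

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """Undo PDF name hex escapes so /J#61vaScript is seen as /JavaScript."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Return {name: count} for each risky name present after de-obfuscation."""
    text = normalize_names(data)
    findings = {}
    for name in RISKY_NAMES:
        # a name token ends at whitespace or a delimiter, so /JS does not match /JSX
        pattern = re.escape(name.encode()) + rb"(?=[\s/<>\[\]()]|$)"
        count = len(re.findall(pattern, text))
        if count:
            findings[name] = count
    return findings


def risk_level(findings: dict) -> str:
    """Coarse rating: code execution > automatic actions / payload carriers > the rest."""
    if any(n in findings for n in ("/Launch", "/JavaScript", "/JS")):
        return "high"
    if any(n in findings for n in ("/OpenAction", "/AA", "/EmbeddedFile", "/SubmitForm")):
        return "medium"
    return "low" if findings else "none"


# Constructed sample: an OpenAction that runs obfuscated JavaScript on open
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /J#61vaScript /JS (app.launchURL("http://example.invalid/")) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: the same skeleton without any action
CLEAN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_PDF), ("clean", CLEAN_PDF)):
        found = scan_pdf(doc)
        print(label, risk_level(found), {k: RISKY_NAMES[k] for k in found})
```

Use it as a gate in a mail or upload pipeline: anything rated medium or high goes to a sandbox or a human, never straight to a viewer.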
A great write-up on the current disadvantages of CVEs! “the CVE system is broken and that the database of existing CVEs hosted by MITRE (and imported into lots of other databases) is full of questionable content and plenty of downright lies.” Daniel Stenberg gave a great talk at FOSDEM 2024 on how he has been maintaining the FOSS projects cURL and libcurl for more than 25 years. The time he has to waste on these non-issues is a shame. But it is great that he wrote down his frustrations regarding the CVE system, so more people are aware and can push for improvements.
(Link)
Our partners:
The Open Security newsletter is an overview of cyber security news with a core focus on openness. Pointing out what went wrong after a cyber security breach is easy. Designing good and simple measures is hard. So join the open Security Reference Architecture collaboration project to create better solutions together. Or become a partner to support this project. Use our RSS or ATOM feed to follow Open Security News.
Passkeys promise to solve phishing and prevent password reuse. Even though I read many security articles, the term ‘passkey’ is still rather new to me. Passkeys also do not fit every use case and have some disadvantages. For example, a passkey stored only on your computer or phone is not that useful, so the backup and restore challenge for secrets applies to passkeys too.
(Link)
Everyone who has preached the use of a WAF should read this article. In essence it comes down to the fact that nobody is immune to the marketing propaganda of commercial vendors. So know the disadvantages of a WAF and be clear about why you use one. And yes, I think there are solid use cases where you should use a WAF.
(Link)
A great read on a common security issue: unprotected API endpoints. The lessons: keep track of all your API endpoints and always assume they are discoverable, so always protect them!
(Link)
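"Keep track of all endpoints" only works if the inventory is something a machine can check. As an added example (not from the linked article), the framework-free router below makes every endpoint declare an access policy, ships an `audit()` that lists endpoints with no or an unknown policy (run it in CI and fail the build), and denies by default at dispatch time so a forgotten policy is never silently public. The routes, policies and user records are constructed for the example.

```python
"""Added example: an explicit API endpoint inventory with deny-by-default dispatch.
Not the linked article's code; routes and users below are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

PUBLIC = "public"            # explicitly unauthenticated: a deliberate, reviewable choice
AUTHENTICATED = "authenticated"
ADMIN = "admin"
POLICIES = {PUBLIC, AUTHENTICATED, ADMIN}


@dataclass
class Route:
    method: str
    path: str
    handler: Callable[[dict], dict]
    policy: Optional[str] = None  # None means nobody decided; the audit must catch this


@dataclass
class Api:
    routes: Dict[Tuple[str, str], Route] = field(default_factory=dict)

    def route(self, method: str, path: str, policy: Optional[str] = None):
        """Decorator that registers an endpoint in the inventory."""
        def register(fn):
            self.routes[(method, path)] = Route(method, path, fn, policy)
            return fn
        return register

    def audit(self) -> List[Tuple[str, str]]:
        """Inventory check: every endpoint must carry a known policy.
        Returns the (method, path) pairs that are undeclared or misdeclared."""
        return sorted((m, p) for (m, p), r in self.routes.items() if r.policy not in POLICIES)

    def dispatch(self, method: str, path: str, user: Optional[dict]) -> Tuple[int, dict]:
        route = self.routes.get((method, path))
        if route is None:
            return 404, {"error": "not found"}
        allowed = (
            route.policy == PUBLIC
            or (route.policy == AUTHENTICATED and user is not None)
            or (route.policy == ADMIN and user is not None and user.get("role") == "admin")
        )
        # deny by default: an undeclared policy matches none of the branches above
        if not allowed:
            status = 401 if user is None else 403
            return status, {"error": "denied"}
        return 200, route.handler({"user": user})


api = Api()


@api.route("GET", "/health", policy=PUBLIC)
def health(ctx: dict) -> dict:
    return {"status": "ok"}


@api.route("GET", "/me", policy=AUTHENTICATED)
def me(ctx: dict) -> dict:
    return {"user": ctx["user"]["name"]}


@api.route("GET", "/internal/export")  # policy forgotten: the classic unprotected endpoint
def export(ctx: dict) -> dict:
    return {"rows": ["constructed", "data"]}


if __name__ == "__main__":
    print("unprotected endpoints:", api.audit())
    print(api.dispatch("GET", "/internal/export", {"name": "alice", "role": "admin"}))
```

The audit is the part that scales: generating it from the same registry the server dispatches from means the inventory cannot drift from what is actually exposed.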
Nowadays, hacking your high school can have nasty consequences for your school career. Yet playing in the wild and discovering how computers and networks work is essential for learning. But be warned: in many countries, strict laws apply to even non-intrusive testing of the security configuration of computers you do not own.
(Link)
Leaked data comes in many forms. This post is a nice read that makes you aware again that storing private data means you should practice security by design. And be very aware of the data that web scraping companies collect, often with the aim of misusing it in bulk.
(Link)
I don’t like this site, but the story is worth reading, and the visual overview is nice.
(Link)
Real-Time Bidding (RTB) is an advertising technology that is active on almost all websites and apps, but without any security measures to protect the data. The report (PDF) is worth reading.
Some FOSS software simply has to be good and secure. PyPI should be trustworthy since it is used at large. PyPI is the Python Package Index, the primary repository for the Python ecosystem. It hosts half a million unique Python packages uploaded by 750,000 unique users and serves over 26 billion downloads every single month. The good news: there is no really severe finding, and the number of findings is minor relative to the amount of source reviewed. But there is always room for improvement. The open report is valuable for everyone to learn from.
(Link)
When a vulnerability gets its own website, it is serious and worth reading about. CacheWarp is a new software-based fault attack on AMD CPUs. It allows attackers to hijack control flow, break into encrypted VMs, and perform privilege escalation inside the VM. This is alarming; check the site and view the demos.
(Link)
A critical stack corruption bug that has existed in Windows for more than 20 years (CVE-2023-36719). The bug was found in a core Windows OS library used by countless software products. This is a must-read for everyone involved in cyber security to test and update your knowledge. The post has great visuals that help with understanding how these kinds of bugs really work.
(Link)
The Citizen Lab does amazing work fighting digital threats. This story is unbelievable. In short: BLASTPASS is an exploit capable of compromising iPhones without any interaction from the victim. Not surprisingly, the well-known NSO Group used it to deliver spyware on demand.
(Link)
This is a must-read if you have a modern car and care even a bit about security and privacy. This article is no joke and no science fiction, but the naked truth: the car industry uses terrible privacy practices. All modern cars can hear you, see you, and will track you.
(Link)
I try to minimize my use of social apps. Installing apps on a mobile device means installing spyware, since the software is not open, and it lowers your security with a lot of impact on your privacy. This short story is fun to read and is written in a way that sticks.
(Link)
Good knowledge of tried solutions for password security is crucial to improving it. This article gives a great overview of the password security methods used and of famous password breaches. Generating secure password hashes should be a solved problem, but history shows that it is not.
(Link)
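To make the "should be solved, but is not" point concrete, here is an added example (not from the linked article) that puts the historically broken approach (a fast, unsalted hash, which is what the 2012 LinkedIn leak exposed) next to the current baseline: a random per-user salt, a deliberately slow key derivation function, a self-describing stored record and a constant-time comparison. PBKDF2-HMAC-SHA256 from the standard library is used so it runs anywhere; a memory-hard function such as Argon2id or scrypt is the better choice when available. The passwords and records are constructed for the example.

```python
"""Added example: legacy unsalted hashing next to salted, slow, verifiable hashing.
Not the linked article's code; passwords and records below are constructed."""
import hashlib
import hmac
import os

# OWASP's 2023 recommendation for PBKDF2-HMAC-SHA256; tune so one check takes ~100 ms on your hardware
ITERATIONS = 600_000


def legacy_hash(password: str) -> str:
    """How many leaked databases stored passwords: fast and unsalted.
    Equal passwords give equal hashes, and GPUs/rainbow tables crack these in bulk."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm $ cost $ salt $ digest."""
    salt = os.urandom(16)  # unique per password, so equal passwords give different records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2-sha256${iterations}${salt.hex()}${digest.hex()}"


def parse_record(record: str):
    """Return (iterations, salt, digest) or None for a malformed/unknown record."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2-sha256":
            return None
        return int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return None


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    parsed = parse_record(record)
    if parsed is None:
        return False
    iterations, salt, expected = parsed
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """Cost parameters age; upgrade the record at the next successful login."""
    parsed = parse_record(record)
    return parsed is None or parsed[0] < iterations


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec), verify_password("wrong", rec))
    print("legacy collisions:", legacy_hash("123456") == legacy_hash("123456"))
```

Storing the parameters inside the record is what lets you raise the cost later without a big-bang migration: verify with the old parameters, and if `needs_rehash()` says so, rehash with the new ones while you still have the plaintext in hand.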
Smart devices are still often security nightmares. This article is a good reminder that connecting a device to the internet too often comes at a price.
(Link)
in-toto is a security framework for protecting the integrity of software supply chains. It is designed to ensure the integrity of a software product from initiation to end-user installation.
(Link)
When an attack has its own name, you should be more aware than usual. The Marvin Attack is the return of a 25-year-old vulnerability that allows an attacker to perform RSA decryption and signing operations while only being able to observe the time of the decryption operation performed with the private key.
(Link)
This is a very good story to read. But be warned: your trust in the US NIST will never be the same!
(Link)
This article is still a good reminder that security in the cloud must be considered very carefully. The mainstream belief that cloud security is always better is not correct. Cloud hosting is not more secure by default! You lose control, not only of your data but also of managing your risks. The article lists some incidents, and it is just a tiny fraction…
(Link)
Almost everyone in tech agrees that Large Language Models (like ChatGPT) are a generational change in what we can do with software. It also feels like the blockchain and bitcoin hype all over again.
But can this new machine learning technology be used to simplify IT landscapes? Complexity is a severe problem that many companies and governments face, and it slows down their development and innovation speed.
New technology to solve complex IT problems can help to:
Technology to solve complex IT problems can be divided into:
Great FOSS software has existed for many years to ease the process of problem solving. In this slide deck you find an opinionated selection of proven tools and methods to simplify IT landscapes. When the power of LLMs is combined with the open tools, methods, and knowledge already used to analyse and solve complex IT problems, this technology will open new dimensions for open innovation.
But beware: Don’t solve problems you don’t have. Be suspicious of IT hypes!
So be aware of so-called AI detection tools. It is time to introduce a new ethical label for blogs written by humans. The logo is simple:
The rules for using this logo are not enforceable. If you use this logo with your writings, you subscribe to the following rules:
These simple ethical rules are established to give you confidence that the text was created by a human. On this site, that human is me.
Security by design is not a product, nor a simple straight-through process. Security by design can be viewed as a core philosophy: doing the right things from a cyber security perspective in every action performed when developing and producing a new product. Too many organisations depend on vulnerable vendor solutions for security protection that over-promise and under-deliver. Cyber security is a wicked problem, so learn from the mistakes already made by others.
This is a real security challenge: Downfall attacks target a critical weakness found in billions of modern processors used in personal and cloud computers. The simple advice is to practice defense in depth and security by design. So assume hardware is broken by design.
(Link)
Nice interview with the FBI discussing DDoS-for-hire sites. As suspected, the criminals who offer these services tend to be more sophisticated than the criminals who consume them. Hard verification of the facts is missing, but preventing a DDoS is still, in some cases, impossible.
(Link)
Leaving your information on a site is always a risk. Sites that really take security seriously minimize data collection. The Discord.io breach is again a breach that was just a matter of time. The sensitive information leaked gives some indication of the security management, culture and system design of discord.io. It does not look good, to put it mildly.
(Link)
Do you have all actors, roles, and privileges documented? The Rekt Test focuses on the simplest, most universally applicable security controls to help teams assess their security posture and measure progress. Personally, I consider implemented measures a bit more important than security-by-documentation.
(Link)
I love simple ‘how-to’ articles. If you have limited time and need a checklist, this article helps you secure your database. Truth is: it is not simple.
(Link)
A playbook on why security matters. Simple advice: avoid crypto when you do not understand all the risks.
A great framework for releasing secure products. Check it out.
(Link)
When security is sold as an extra feature, your privacy is at risk. A very disturbing read from this very serious privacy foundation!
(Link)
To avoid misunderstandings: QR codes are generally safe to use. But like any technology, they can be exploited. So some caution is needed to avoid cyber security risks, like landing on websites that steal information or infect your device.
A QR code is a two-dimensional barcode that can be scanned by a smartphone app or another mobile device. Most QR codes contain the following types of information:
Phishing is the most common cyber threat that users fall for when using QR codes.
A QR code is a very easy way to force a user onto a mobile device, and mobile devices have no or very limited anti-phishing protections.
The simplest way to prevent cyber security risks from QR codes is to not use QR codes at all. Every company or governmental organization that takes cyber security seriously should consider offering an alternative. However, more and more banks use QR codes as part of an authentication process, and usage is mandatory if your bank offers no other authentication method.
The safety of QR codes depends on several factors:
Most smartphone users hold the fundamental misbelief that their devices are safer than typical PCs, but this misconception is a recipe for disaster.
1: Increase awareness: increase awareness of the risks involved so users think before scanning their next QR code.
2: Prevent cyber disasters. Avoid using QR codes as much as possible. If you see a QR code on a wall, a building, a computer screen or even a business card, do not scan it. Control your curiosity. A threat actor can easily paste a malicious QR code on top of a real one or create their own copies, and based on appearance you have no idea whether the contents are safe or malicious. Never scan a QR code to receive money!
Completely avoiding QR codes is unrealistic and becoming harder and harder, because companies and governmental organisations force you to use QR codes without thinking about the cyber security risks they expose you to.
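Since you cannot always refuse to scan, the next best thing is to look at what the scanner decoded before you act on it; most phones show the string first. As an added example (not part of the original post), the function below takes that decoded text and returns a list of reasons to stop: a non-https scheme, a bare IP host, a punycode or non-ASCII host (homograph), a URL shortener hiding the real destination, `user@host` spoofing, a deeply nested subdomain with a brand name as decoy, and payment or Wi-Fi payloads, which are a different kind of risk than a web link. The payloads and the shortener list are constructed assumptions, not a complete catalogue.

```python
"""Added example: checks on the text decoded from a QR code before acting on it.
Not from the original post. The shortener list and the sample payloads are
constructed assumptions; decoding the image itself is left to any QR reader."""
import ipaddress
from urllib.parse import urlsplit

SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}  # assumption: extend to taste


def assess_qr_payload(payload: str) -> dict:
    """Return {'kind': ..., 'warnings': [...]} for a decoded QR string.
    Each warning is a reason to verify the target out of band before proceeding."""
    text = payload.strip()
    lower = text.lower()

    # Non-URL payloads that are still security relevant
    if lower.startswith("wifi:"):
        return {"kind": "wifi", "warnings": ["joins a Wi-Fi network: confirm the SSID with the venue"]}
    if lower.startswith(("bitcoin:", "ethereum:", "upi:", "paypal:")):
        return {"kind": "payment", "warnings": ["payment request: never scan a code to 'receive' money"]}
    if "://" not in text and not lower.startswith(("mailto:", "tel:", "sms:")):
        return {"kind": "text", "warnings": []}

    parts = urlsplit(text)
    scheme = parts.scheme.lower()
    if scheme in ("mailto", "tel", "sms"):
        return {"kind": scheme, "warnings": [f"{scheme}: link triggers an app action, check the target"]}

    warnings = []
    if scheme != "https":
        warnings.append(f"scheme is {scheme!r}, not https")
    host = parts.hostname or ""
    if not host:
        warnings.append("no host in URL")
    else:
        try:
            ipaddress.ip_address(host)
            warnings.append("host is a bare IP address")
        except ValueError:
            pass  # a normal host name
        if host.startswith("xn--") or ".xn--" in host:
            warnings.append("punycode (IDN) host: possible homograph")
        if any(ord(c) > 127 for c in host):
            warnings.append("non-ASCII host: possible homograph")
        if host in SHORTENERS:
            warnings.append("URL shortener: real destination hidden")
        if parts.username is not None:
            warnings.append("credentials before host (user@host): classic spoof")
        if host.count(".") >= 4:
            warnings.append("deeply nested subdomain: brand name may be a decoy")
    if len(text) > 300:
        warnings.append("unusually long URL")
    return {"kind": "url", "warnings": warnings}


if __name__ == "__main__":
    # Constructed payloads, not real QR codes
    for sample in (
        "https://bank.example.com/login",
        "http://user@192.168.1.10/pay",
        "https://xn--pypal-4ve.com/verify",
        "https://paypal.com.login.example.net/x",
        "bitcoin:bc1qexample?amount=0.01",
        "WIFI:T:WPA;S:Cafe;P:secret;;",
        "Table 12",
    ):
        print(sample, "->", assess_qr_payload(sample))
```

The check is deliberately conservative: an empty warning list means "nothing obviously wrong", not "safe", which is exactly the limit of what you can tell from the string alone.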
Cyber security is a vital concern for individuals, organizations, and societies at large. Most cyber security improvement programs end with more paperwork and more fancy new software tools, without increased security resilience. We need to break out of this cycle.
(Link)
Never fully trust antivirus software; the companies behind it do not act completely in your interest. Avast is known for its antivirus and security software and services. While checking for malware, Avast software collected all kinds of data, and that valuable data was resold commercially by Avast. In the Netherlands, a lawsuit against Avast is starting. So join the fight.
(Link)
Strong rumors suggest that the vulnerability CVE-2023-2868 was already known and exploited since October 2022. Unfortunately, examples of commercial security companies with debatable moral and ethical principles are not uncommon.
(Link)
A good example of a threat report to help companies. Since legal firms elsewhere face the same threats, just use and reuse this report! More awareness never hurts. This sector is known for dealing with truly sensitive information that should be kept secure at all times.
(Link)
Most non-tech people in my country do not see the danger of smart doorbells. More awareness is needed. Smart doorbells are insecure, and most companies behind these devices sell your data. With advanced AI software for visual recognition becoming mainstream, a disaster is looming.
(Link)
Memory safety is a property of some programming languages that prevents programmers from introducing certain types of bugs related to how memory is used. Because memory safety bugs are often security issues, memory-safe languages are more secure than languages that are not memory safe.
(Link)
LTE sniffers are important for security and performance analysis because they can passively capture the wireless traffic of users in an LTE network. Since LTE traffic is transferred over the air interface, anyone with the appropriate hardware can sniff LTE signals.
(Link)
A disturbing read. Imho again a warning that ‘Cloud’ != ‘Secure by default’…
(Link)
Reading about client-side encryption in Gmail on Google’s security blog is fun. Unfortunately, the real details are missing, but the concepts are nicely visualized.
(Link)
Cyber security is a vital concern for individuals, organizations, and societies at large. To address this pressing issue and ensure a safer digital environment, we present this manifesto, which aims to simplify cyber security to accelerate its effectiveness.
Good cyber security is still a cost factor for companies. Software and hardware companies face too few solid legal requirements to deliver products that meet basic security needs. Also, the software and hardware used for automation are complex products that are hard to understand and require a lot of specific knowledge from various fields.
We have made things worse by our thoughtless behaviour. We refuse to create simple systems for simple problems that can be easily adjusted and are resilient against common cyber security threats. We speak a strange language and talk about risks, processes and complex technical measures. Transparency is lacking, and we advocate for complex security products that we do not understand and that are impossible to maintain. We embrace every new IT hype as the holy grail for solving our cyber security problems. In the end you always pay more for cyber security solutions, but the risks still remain. We call it residual risk, and we have not been able to deal with common security threats for too long now.
We, security experts, are trained and brainwashed by commercial vendors to advocate for complex, expensive cyber security solutions that are costly to implement and lack transparency. Most cyber security solutions are not future-proof and not maintainable in the long term. Most cyber security improvement programs end with more paperwork and more fancy new software tools, without increased security resilience.
We need to break out of this cycle. We need deeper and better knowledge of how computers and software work to design effective cyber security defence methods. We need to stop doing what we have done for too many years. We need simpler solutions; we need to use solutions that are transparent and that we can trust. We need to stop reinventing the wheel. We should make use of proven open solutions. We should improve existing solutions instead of creating new solutions that will fail again in the future.
We promote and advocate for the reuse of proven cyber security solutions. We simplify the use and reuse of common security practices. We advocate for security by design as an approach to involve all stakeholders. We believe that continuous education and awareness are fundamental to simplifying cybersecurity.
We think openness is key. This means that we only promote open solutions (products, methods and documentation) that can be used and improved so that we all benefit.
You don’t have to be a genius to make cyber security simpler and better. All it takes is continuous learning and the willingness to go against common conventions.
We know that cyber security protection can be much better and simpler. Established large companies within the cyber security field will not change overnight, so we keep showing and promoting simple cyber security solutions. Join and help us. Learn to build simpler cyber security solutions that are future-proof and work better.
Help us by sharing this manifesto to create awareness that we need to do better as cyber security professionals.
I love conferences that are open. This means open access to slides or videos for everyone who is interested in a subject but was unable to attend. My experience is that conferences with paywalled access to slides, videos or proceedings are seldom worth the effort. It is often not only the talks but the conversations with peers that make going to an in-person security conference or meetup really valuable.
Please tip me if you have a non-commercial cybersecurity conference that you would like to see in this collection.
| Conference | EuroDIG |
|---|---|
| About | The Pan-European dialogue on Internet governance (EuroDIG) is an open platform for informal and inclusive discussions on public policy issues related to Internet Governance (IG). First organised in 2008 by several organisations, government representatives and experts, it fosters dialogue and collaboration with the Internet community on public policy for the Internet, culminating in an annual conference that takes place in a different European city. EuroDIG ‘Messages’ are prepared and presented to the Internet Governance Forum (IGF). |
| Date | 19-21 June 2023 |
| Location | Tampere, Finland |
| Link | More information on EuroDIG |

| Conference | NDSS Symposium |
|---|---|
| About | The Network and Distributed System Security (NDSS) Symposium fosters information exchange among researchers and practitioners of network and distributed system security. |
| Date | tbd |
| Location | San Diego, California, USA |
| Link | More information on NDSS Symposium |

| Conference | CPDP |
|---|---|
| About | CPDP (Computers, Privacy & Data Protection) is a non-profit platform originally founded in 2007 by research groups from the Vrije Universiteit Brussel, the Université de Namur and Tilburg University. |
| Date | tbd |
| Location | Brussels, Belgium |
| Link | More information on CPDP |

| Conference | Hardwear.io |
|---|---|
| About | Hardwear.io Security Conference is a platform for the hardware and security community where researchers showcase and discuss their innovative research on attacking and defending hardware. |
| Date | 30 October - 3 November 2023 |
| Location | The Hague, Netherlands |
| Link | More information on Hardwear.io |

| Conference | THOTCON 0xC |
|---|---|
| About | THOTCON (pronounced \ˈthȯt\ and taken from THree - One - Two) is a hacking conference based in Chicago, IL, USA. This is a non-profit, non-commercial event looking to provide the best conference possible on a very limited budget. |
| Date | 19-20 May 2023 |
| Location | Chicago, IL, USA |
| Link | More information on THOTCON 0xC |

| Conference | ShmooCon |
|---|---|
| About | ShmooCon is an annual east coast hacker convention hell-bent on offering three days of an interesting atmosphere for demonstrating technology exploitation, inventive software and hardware solutions, and open discussions of critical infosec issues. |
| Date | 20-22 January 2023 |
| Location | Washington, DC, USA |
| Link | More information on ShmooCon |

| Conference | BSides Munich |
|---|---|
| About | BSides Munich is the premier, independently organized computer security event in the Munich, Germany area, bringing together both local and internationally renowned experts. As an offshoot of our Meetup group, MUC:SEC, this conference extends our goals of bringing local computer security professionals together, exchanging ideas and experience and, most importantly, establishing trust relationships within our community. |
| Date | 15 October 2023 |
| Location | The Westin Grand Munich, Arabellastraße 6, 81925 München, Germany |
| Link | More information on BSides Munich |

| Conference | WICCON |
|---|---|
| About | WICCON is organized by WICCA, the women in cybersecurity community of 1000+ members who meet monthly to discuss all things information security. We collaborate with people, companies, and universities to offer learning opportunities for women interested in a cybersecurity career, as well as experts who want to further develop their skills. |
| Date | 31 October 2023 |
| Location | Lichtfabriek, Haarlem, Netherlands |
| Link | More information on WICCON |

| Conference | USENIX Security '23 |
|---|---|
| About | The USENIX Security Symposium brings together researchers, practitioners, system administrators, system programmers, and others interested in the latest advances in the security and privacy of computer systems and networks. |
| Date | 9-11 August 2023 |
| Location | Anaheim, CA, USA |
| Link | More information on USENIX Security '23 |

| Conference | USENIX Security 2024 |
|---|---|
| About | The USENIX Security Symposium brings together researchers, practitioners, system administrators, system programmers, and others interested in the latest advances in the security and privacy of computer systems and networks. |
| Date | 14-16 August 2024 |
| Location | Philadelphia, PA, USA |
| Link | More information on USENIX Security 2024 |

| Conference | OWASP 2023 Global AppSec Singapore |
|---|---|
| About | The one-day OWASP conference equips developers, defenders, and advocates to build a more secure web. |
| Date | 4-5 October 2023 |
| Location | Singapore |
| Link | More information on OWASP 2023 Global AppSec Singapore |

| Conference | ENISA eHealth Security Conference |
|---|---|
| About | The EU Agency for Cybersecurity (ENISA) is organising the 8th eHealth Security Conference, in collaboration with the Luxembourg Regulatory Institute. The conference will be a full-day physical event, hosted by CHL Hospital in Luxembourg City, on 20 September 2023. |
| Date | 20 September 2023 |
| Location | Luxembourg City, Luxembourg |
| Link | More information on ENISA eHealth Security Conference |

| Conference | ERA-ENISA Conference on Cybersecurity in Railways |
|---|---|
| About | This event is the continuation of the close collaboration between the European Union Agency for Railways (ERA) and the European Union Agency for Cybersecurity (ENISA) on cybersecurity in the railway domain. |
| Date | 8-9 November 2023 |
| Location | Europe/Athens |
| Link | More information on ERA-ENISA Conference on Cybersecurity in Railways |

| Conference | SANS OSINT Summit 2023 |
|---|---|
| About | The Open-Source Intelligence (OSINT) Summit will bring together OSINT practitioners, investigators, and enthusiasts alike to share their OSINT techniques and tools. As an attendee, you will learn current, real-world methods from others in the OSINT community who collect information across the Internet, analyze the results, and utilize key data to reach their objectives. |
| Date | 22 September 2023 |
| Location | Virtual |
| Link | More information on SANS OSINT Summit 2023 |