Open Security News week 1-2023

This is an unusual post. This time, I want to emphasize the urgent need for reducing cybersecurity risks. We are at a tipping point. Security is required for safety and privacy. We are increasingly dependent on IT: cars, trains, hospitals, medicines, energy and transportation are not possible today without IT. Without digital technology our world stops. But cyber security has become complex and is poisoned with solutions where transparency is lacking. It is time to stop reinventing the wheel. Simple solutions are often still the best. Make use of solid solutions that do work. There is no magic tool.

1 CWE Top 25 Most Dangerous Software Weaknesses (2022)

A retrospective is always good. Without learning from the past, even a good cybersecurity strategy will keep firefighting. Unfortunately this is still the reality in most organisations. Real risk control has maybe become too complex. We should do something radically better in 2023 to protect our critical digital assets. This list of CWEs should be no surprise if you work as a security professional.


2 How Many Computers Are In Your Computer?

This simple article is again so relevant for 2023. This article from 2018 tries to answer a simple question: Why are there so many places for backdoors and weird machines in your “computer”? Of course the complexity of a computer system is much bigger than shown in this article. But only real nerds dive into modern chipsets with multiple cores and show which vulnerabilities are possible. So the real lesson is: never trust a computer system. There are too many hardware parts running vulnerable software that will nullify your cybersecurity measures.


3 LastPass breach explained

A must read. Wladimir Palant did a great analysis of the statements published by LastPass regarding their data breach. LastPass has been breached and data has been stolen. Shit happens. But the PR statements published are an excellent example of providing no transparency to users when it is urgently needed. From a security point of view you could have known: trusting a company that is not transparent about its security measures and uses cloud hosting for your critical assets is a disaster waiting to happen.


4 NIST Retires SHA-1 Cryptographic Algorithm

SHA-1 (Secure Hash Algorithm 1) has been cryptographically broken for a long time, but it is still widely used. Finally NIST is now recommending replacing SHA-1 in the situations where it is still used. Unfortunately we all know that software used in embedded devices, old consumer devices and industrial automation is years behind and not easy to update, if it can be updated at all.
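Retiring SHA-1 starts with finding where it is still used; one common place is the signature on X.509 certificates. The following is an added example (not code from the article or from NIST) that walks the outer DER structure of a certificate, reads the signatureAlgorithm OID and flags the SHA-1 variants; `sample_certificate` builds a constructed, certificate-shaped placeholder for testing, not a real certificate, and the OID constants are the real RFC values.

```python
"""Audit helper: report whether a DER X.509 certificate is SHA-1 signed."""
# Signature-algorithm OIDs (RFC 3279, 4055, 5758): real values, not constructed.
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
}

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    """Decode OID content bytes to dotted notation (base-128 arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Return (oid, name, uses_sha1) from Certificate.signatureAlgorithm."""
    tag, start, _ = _read_tlv(der, 0)            # Certificate ::= SEQUENCE
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _, tbs_end = _read_tlv(der, start)        # tbsCertificate: skipped
    tag, alg_start, _ = _read_tlv(der, tbs_end)  # signatureAlgorithm
    assert tag == 0x30, "signatureAlgorithm is not a SEQUENCE"
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    assert tag == 0x06, "algorithm field is not an OID"
    oid = _decode_oid(der[oid_start:oid_end])
    name, uses_sha1 = SIG_ALG_OIDS.get(oid, ("unknown", None))
    return oid, name, uses_sha1

def sample_certificate(oid_content):
    """Constructed Certificate-shaped DER (NOT a real cert) around an OID."""
    tbs = b"\x30\x03\x02\x01\x01"                  # placeholder tbsCertificate
    alg_inner = b"\x06" + bytes([len(oid_content)]) + oid_content + b"\x05\x00"
    alg = b"\x30" + bytes([len(alg_inner)]) + alg_inner
    body = tbs + alg + b"\x03\x03\x00\xaa\xbb"     # placeholder signatureValue
    return b"\x30" + bytes([len(body)]) + body

SHA1_RSA = bytes.fromhex("2a864886f70d010105")     # 1.2.840.113549.1.1.5
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11
```

On a real DER file the same walk applies: `signature_algorithm(open("cert.der", "rb").read())`; a `True` in the last field means the certificate must be re-issued with a SHA-2 signature.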


5 eIDAS 2.0 Sets a Dangerous Precedent for Web Security

The EU is mandating that browsers accept EU member state-issued Certificate Authorities and not remove them even if they are unsafe. If you think this sounds bad, you’re right. From a security and privacy point of view, the EU’s ‘eIDAS’ (electronic IDentification, Authentication and trust Services) initiative was a failure by design. And it is still getting worse with every enhancement.


6 Commercial spyware

This makes me both laugh and cry: Variston IT, a company in Barcelona, claims to be a provider of custom security solutions. However, they provide commercial spyware that puts users at risk and makes the Internet less safe. This company creates software that exploits vulnerabilities that are known (CVEs) or not yet known. Yes: this is what they mean by custom security solutions.


7 The Difference Between Privacy and Security

It is 2023: the world has changed, and the old rules and thinking no longer apply. No security = no privacy. Privacy and security are largely achieved using the same practices, technologies, and analysis.


8 Distributed Energy Resources Cybersecurity Outlook: Vulnerabilities, Attacks, Impacts, and Mitigations

This article has great visuals and is a good read to learn more about security of the energy supply. The digitalization and decentralization of the electric power grid are key thrusts towards an economically and environmentally sustainable future.
(arXiv Link)

9 Getting Bored of Cyberwar: Exploring the Role of Civilian Participation in the Russia-Ukraine Cyber Conflict

Data on so-called cyberwar threats is hard to get. But facts do matter. If you like facts regarding cyberwar then this is a paper to read. The researchers collected 281k web defacement attacks, 1.7M reflected DDoS attacks, and 441 announcements (with 58k replies) of a volunteer hacking discussion group for two months before and four months after the invasion. Contrary to some expert predictions, the involvement of civilian and volunteer ‘hacktivists’ in the conflict appears to have been minor and short-lived.

(arXiv Link)

The Open Security newsletter is an overview of cyber security news with a core focus on openness. Pointing out what went wrong after a cyber security breach is easy. Designing good and simple measures is hard. So join the open Security Reference Architecture collaboration project to create better solutions together. Or become a partner to support this project. Use our RSS or ATOM feed to follow Open Security News.