Open Security News week 14-2024

Cyber solutions can be often simpler and far more effective. Most cyber security solutions are not future-proof and not maintainable in the long term. Most cyber security improvements programs end with more paperwork, more new fancy software tools without increased security resilience.

1 Why HTML emails are a risk to your organization

Receiving HTML emails presents still severe security and privacy risks. This since active content, external resources, and tracking mechanisms are easily inserted. With simple css-tags some text blocks in html emails are only visible when a mail is forwarded.


2 The madness governments plans to ban Flipper Zero

Flipper Zero is a nice play tool to learn how weak technology used for security and safety really is. But too many politicians and governments worldwide go for the easy non working ways of taking actions. So, instead of solving problems, they opt for simplified window-dressing measures that often do more harm than good, rather than making our world a bit more secure.


3 OpenVPN is Open to VPN Fingerprinting

VPNs don’t make you more secure necessarily, they just reroute your traffic. Raw network traffic that contains real users’ data is highly sensitive, and this is especially true for traffic related to privacy-oriented services such as VPNs. You should never ever fully trust a VPN whether FOSS or commercial. Firewalls ( like Checkpoint, Palo Alto Network, Fortinet etc.) can block OpenVPN connections, so they can fingerprint endpoints to.


4 HTTP/2 CONTINUATION Flood: Technical Details

This article is a real deep dive into HTTP/2 and gives you an excellent introduction to a class of vulnerabilities within numerous HTTP/2 protocol implementations.


5 The xz attack shell script

The blogs I have seen regarding the xz supply chain attack are almost all opinionated and far from clear. But since this ‘xz’ supply chain attack has a large impact on commercial and FOSS software worldwide you better dive in to learn about what, how and the possible impact for you!

(Link or even better Link )

6 IBIS hotel check-in terminal keypad-code leakage

Never ever trust a lock on your hotel door. Never ever trust a hotel safe. Never trust the WiFi in you hotel. The best thing to do is to bring your own security guard during your stay to safeguard your valuable belongings. Next best thing: Bring your own safe or never ever leave some valuable items behind.


7 OWASP Data Breach Notification

This is embarrassing. This notice raises more questions:Why is this data kept for so long anyway? what happened here. Was it a vulnerability in MediaWiki? Some custom extension? Another component on the wiki server unrelated to Mediawiki? Was it just a really old software version with known public CVEs, or something else?


8 Not The Same Security Debate

The old “can open source be secure?” has changed It’s not the same debate as “open source security” today. The open security issue is now fundamentally an incumbent’s dilemma, not an upstart’s challenge. It’s territory to be held, not to be taken. Lessons can be learned from the past.


Our partners:


The Open Security newsletter is an overview of cyber security news with a core focus on openness. Pointing out what went wrong after a cyber security breach is easy. Designing good and simple measurements is hard. So join the open Security Reference Architecture collaboration project to create better solutions together. Or become a partner to support this project. Use our RSS or ATOM feed to follow Open Security News.