Open Security News week 24-2024

We all deserve protection from abusive data practices like mass surveillance, browser tracking, demographic profiling, and data discrimination. Protecting privacy means preserving your and our digital autonomy, our freedom, and core democratic values. Technology will continue to enrich our lives and enable new possibilities for the future.

There should be no tension between digital innovations and maintaining your digital privacy. Good security is vital for good privacy. Using open, transparent and simple solutions is key to prevent unneeded data collections that impact our privacy and fundamental human rights.

1 Inside The Zero Day Market

Solid information on how bad actors work and how they acquire their tools and knowledge is too often not backed by solid research and open sources. Personally, I do not trust non-verifiable statements from cybersecurity firms or information published by secret services. The link points to a slide deck by Mark Dowd. Mark is a member of the Black Hat Review Board, but he is also the founder of Azimuth, a company with a questionable reputation: it is said, without public proof, to help customers including the FBI with zero-days for remotely hacking Android devices and iPhones. Check the slide deck and use the knowledge to your advantage.


2 TunnelVision

Never trust a VPN. I keep repeating this statement. A VPN does little to nothing to protect your privacy, and your security is still at risk, maybe even more so, because you might think a VPN is a solid security measure. So read the story on CVE-2024-3661: Attackers Can Decloak Routing-Based VPNs For a Total VPN Leak. Great visuals really make this story stick!
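The decloaking in CVE-2024-3661 works through routes pushed by the local DHCP server (classless static routes, DHCP option 121), which the host's routing table prefers over the VPN's own broad tunnel route. As an added example (not code from this newsletter, from the CVE write-up or from any VPN vendor), here is a defender-side check that parses the options area of a DHCP offer and flags pushed routes that would take precedence over a full-tunnel VPN route. The sample offer bytes are constructed, and the raw options field is assumed to be available as bytes (for instance from a packet capture):

```python
"""Check a DHCP offer for classless static routes (option 121) that would
take precedence over a VPN's tunnel route.

Added example; it is not code from the newsletter, the CVE-2024-3661 write-up
or any VPN vendor. It assumes the raw DHCP options area as bytes, and the
sample offer below is constructed.
"""
from __future__ import annotations

import ipaddress

DHCP_OPT_PAD = 0
DHCP_OPT_CLASSLESS_STATIC_ROUTE = 121  # RFC 3442
DHCP_OPT_END = 255


def parse_dhcp_options(options: bytes) -> dict[int, bytes]:
    """Split the DHCP options area into {code: value}; repeated codes are concatenated."""
    result: dict[int, bytes] = {}
    i = 0
    while i < len(options):
        code = options[i]
        if code == DHCP_OPT_PAD:
            i += 1
            continue
        if code == DHCP_OPT_END:
            break
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        result[code] = result.get(code, b"") + value
        i += 2 + length
    return result


def parse_classless_routes(value: bytes) -> list[tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]]:
    """Decode option 121 entries: prefix length, significant destination octets, router."""
    routes = []
    i = 0
    while i < len(value):
        prefix_len = value[i]
        if prefix_len > 32:
            raise ValueError(f"invalid prefix length {prefix_len}")
        n_octets = (prefix_len + 7) // 8          # only the significant octets are sent
        dest_bytes = value[i + 1 : i + 1 + n_octets]
        router_bytes = value[i + 1 + n_octets : i + 5 + n_octets]
        if len(dest_bytes) != n_octets or len(router_bytes) != 4:
            raise ValueError("truncated route entry")
        dest = ipaddress.IPv4Network((dest_bytes.ljust(4, b"\x00"), prefix_len), strict=False)
        routes.append((dest, ipaddress.IPv4Address(router_bytes)))
        i += 5 + n_octets
    return routes


def routes_overriding_vpn(options: bytes, vpn_route_prefixlen: int = 1):
    """Return (all option-121 routes, those more specific than the VPN's own route).

    A full-tunnel VPN client usually installs 0.0.0.0/1 and 128.0.0.0/1 (or /0).
    Longest prefix wins, so any pushed route with a longer prefix sends traffic
    for that destination outside the tunnel. Those are returned for review.
    """
    raw = parse_dhcp_options(options).get(DHCP_OPT_CLASSLESS_STATIC_ROUTE)
    if raw is None:
        return [], []
    routes = parse_classless_routes(raw)
    flagged = [(d, r) for d, r in routes if d.prefixlen > vpn_route_prefixlen]
    return routes, flagged


# Constructed DHCPOFFER options: message type, subnet mask, router, option 121, end.
SAMPLE_OFFER_OPTIONS = bytes(
    [53, 1, 2]
    + [1, 4, 255, 255, 255, 0]
    + [3, 4, 192, 168, 1, 1]
    + [121, 13,
       0, 192, 168, 1, 1,                 # 0.0.0.0/0 via 192.168.1.1
       24, 203, 0, 113, 192, 168, 1, 1]   # 203.0.113.0/24 via 192.168.1.1
    + [255]
)

if __name__ == "__main__":
    all_routes, suspicious = routes_overriding_vpn(SAMPLE_OFFER_OPTIONS)
    for dest, via in all_routes:
        note = "  <-- more specific than the VPN route" if (dest, via) in suspicious else ""
        print(f"route {dest} via {via}{note}")
```

Run against a real capture, the check is only an alert, not a fix: the mitigations discussed in the write-up are on the client side (ignoring pushed routes, or isolating the VPN in its own network namespace), and which of them your VPN client supports is something to verify with its documentation.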


3 Mobifree

FOSS is a mandatory step towards better cybersecurity. However, alternatives to Big Tech are sometimes hard to find. The good news: with Mobifree there is now a new open-source mobile ecosystem.


4 Mandatory secret backdoors in software

This title is no joke. Too many governmental organizations demand backdoors in software, and they seldom follow the proper democratic route of transparent laws that software makers can read. Some democratic countries still have some sort of transparency, like Ottawa and the EU. In Ottawa, Bill C-26 empowers government officials to secretly order telecommunications companies to install backdoors inside encrypted elements in Canada’s networks. There is never a good reason for creating backdoors for government surveillance. Besides the major privacy issues, history shows that backdoors are not only used by good actors. A design with a backdoor is broken by design from a security perspective.


5 Subjectivity of “sensitive”

Some people argue that it is okay to encrypt only “sensitive” web traffic. However, even a simple plaintext message should be served over HTTPS. The linked blog post is a good reminder of the power of defaults, such as HTTPS everywhere: attackers abuse plaintext web pages to deliver malware and browser exploits.
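What "HTTPS by default" looks like in code, as an added example that is not from the linked blog post: a small WSGI middleware that redirects every plain-HTTP request to HTTPS and sets HSTS on every HTTPS response, with no allow-list of "sensitive" paths. The application, the host allow-list (example.test) and the request environments are constructed for illustration:

```python
"""Make HTTPS the default for every response, not only "sensitive" ones.

Added example; not code from the linked blog post. It is a small WSGI
middleware, and the application, host allow-list and request environments
below are constructed for illustration.
"""
from __future__ import annotations

from urllib.parse import quote

HSTS_VALUE = "max-age=31536000; includeSubDomains"


def https_by_default(app, allowed_hosts: set[str]):
    """Redirect plain-HTTP requests to HTTPS and add HSTS to every HTTPS response."""

    def wrapped(environ, start_response):
        host = environ.get("HTTP_HOST", "")
        # Redirecting to whatever Host header arrives would turn this into an
        # open redirect, so only hosts we actually serve are accepted.
        if host not in allowed_hosts:
            start_response("400 Bad Request", [("Content-Type", "text/plain"), ("Content-Length", "0")])
            return [b""]

        if environ.get("wsgi.url_scheme", "http") != "https":
            path = quote(environ.get("PATH_INFO") or "/")
            query = environ.get("QUERY_STRING", "")
            location = f"https://{host}{path}" + (f"?{query}" if query else "")
            start_response("301 Moved Permanently", [("Location", location), ("Content-Length", "0")])
            return [b""]

        def start_response_with_hsts(status, headers, exc_info=None):
            # Drop any HSTS header the app set itself so the policy is uniform.
            headers = [(k, v) for k, v in headers if k.lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", HSTS_VALUE))
            return start_response(status, headers, exc_info)

        return app(environ, start_response_with_hsts)

    return wrapped


def plaintext_app(environ, start_response):
    """A page whose content is public and harmless; it still gets HTTPS and HSTS."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"just a public notice, nothing sensitive here\n"]


def call(app, environ) -> tuple[str, dict[str, str], bytes]:
    """Invoke a WSGI app with a constructed environ; return (status, headers, body)."""
    captured: dict = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers
        return lambda data: None

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


APP = https_by_default(plaintext_app, allowed_hosts={"example.test"})

# Constructed requests; example.test and unknown.test are placeholder hostnames.
HTTP_REQUEST = {"wsgi.url_scheme": "http", "HTTP_HOST": "example.test",
                "PATH_INFO": "/notice", "QUERY_STRING": "lang=en"}
HTTPS_REQUEST = {"wsgi.url_scheme": "https", "HTTP_HOST": "example.test",
                 "PATH_INFO": "/notice", "QUERY_STRING": ""}
SPOOFED_HOST_REQUEST = {"wsgi.url_scheme": "http", "HTTP_HOST": "unknown.test",
                        "PATH_INFO": "/notice", "QUERY_STRING": ""}

if __name__ == "__main__":
    for name, env in [("http", HTTP_REQUEST), ("https", HTTPS_REQUEST), ("spoofed host", SPOOFED_HOST_REQUEST)]:
        status, headers, _ = call(APP, env)
        print(name, "->", status, headers.get("Location", ""), headers.get("Strict-Transport-Security", ""))
```

The middleware belongs in front of the whole site rather than on selected routes, which is the point of the post: the value of the default is that nobody has to decide per page whether its content is "sensitive".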


6 Are vulnerabilities out of control?

There’s a prevailing attitude in the industry to get the number of CVEs in our environments to zero. This creates a perverse incentive where the goal is a number, not better security. We should try to find ways to discover which vulnerabilities matter and deal with those, not do whatever it takes to make a number on a spreadsheet equal zero.
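To make the difference between "get the number to zero" and "fix what matters" concrete, here is an added example (not code from the linked article) that ranks findings by evidence of exploitation, exposure and asset value instead of by count. The weights and the four sample findings are constructed, and the CVE ids are placeholders:

```python
"""Rank vulnerability findings by what matters rather than by raw CVE count.

Added example for this newsletter; not code from the linked article. The
scoring weights and the sample findings are constructed, and the CVE ids
(CVE-0000-000x) are placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str                # placeholder id in the samples below
    cvss: float             # base severity, 0-10
    epss: float             # estimated probability of exploitation, 0-1
    known_exploited: bool   # listed in an exploited-in-the-wild catalogue
    internet_exposed: bool  # reachable from untrusted networks
    asset_criticality: int  # 1 (lab box) .. 5 (crown jewels)


def risk_score(f: Finding) -> float:
    """Composite 0-100 score; exploitation evidence and exposure dominate severity.

    Severity alone (CVSS) is what drives the 'count to zero' habit; here it only
    scales the impact term, so a critical-rated bug nobody exploits on an
    internal lab host ends up near the bottom.
    """
    likelihood = max(f.epss, 0.9 if f.known_exploited else 0.0)
    exposure = 1.0 if f.internet_exposed else 0.4
    impact = (f.cvss / 10.0) * (f.asset_criticality / 5.0)
    return round(100.0 * likelihood * exposure * impact, 1)


def prioritise(findings: list[Finding]) -> list[tuple[Finding, float]]:
    """Findings with their scores, highest risk first."""
    return sorted(((f, risk_score(f)) for f in findings), key=lambda p: p[1], reverse=True)


def triage(findings: list[Finding], fix_now_threshold: float = 40.0) -> tuple[list[str], list[str]]:
    """Split into ids to fix now and ids to schedule; the split is by risk, not by count."""
    ranked = prioritise(findings)
    fix_now = [f.cve for f, s in ranked if s >= fix_now_threshold]
    schedule = [f.cve for f, s in ranked if s < fix_now_threshold]
    return fix_now, schedule


# Constructed sample: note that the highest CVSS score is not the highest risk.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", cvss=9.8, epss=0.01, known_exploited=False, internet_exposed=False, asset_criticality=2),
    Finding("CVE-0000-0002", cvss=7.5, epss=0.60, known_exploited=True, internet_exposed=True, asset_criticality=5),
    Finding("CVE-0000-0003", cvss=5.3, epss=0.02, known_exploited=False, internet_exposed=True, asset_criticality=4),
    Finding("CVE-0000-0004", cvss=8.8, epss=0.30, known_exploited=False, internet_exposed=False, asset_criticality=5),
]

if __name__ == "__main__":
    for finding, score in prioritise(SAMPLE_FINDINGS):
        print(f"{finding.cve}  cvss={finding.cvss:<4} risk={score}")
    now, later = triage(SAMPLE_FINDINGS)
    print("fix now:", now, "| schedule:", later)
```

A spreadsheet counting CVEs would show four open items either way; the ranking shows that one of them deserves the emergency change window and the 9.8-rated one does not.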


7 Big Tech’s role in enabling link fraud

Almost any ad on the internet can be a security threat. Besides get-rich-quick ads, too many ads carry links that pose a real security threat when clicked. Corporate greed has gotten so out of control that companies such as Google and Microsoft now deeply integrate advertising technologies at the browser level, with effects ranging from battery drain to personal interest tracking, and even taking a cut of the value of your attention. A simple solution: never click on an ad, to minimize the risks involved. The risk of malvertising and fraud through adtech platforms has become so concerning and prevalent that the FBI now recommends all citizens install ad blockers.


8 Online Privacy Is Like Fishing

Microsoft is spying on its AI users. The good news: you should already know this, because you agreed to the Terms of Service (ToS) and the privacy statement. Everything you type at the prompt is stored and analyzed. So beware, and read this story!


9 No security, no privacy

Good security is vital for good privacy. Strong security measures are essential to privacy from start to finish: they ensure that all data is securely retained and then securely destroyed at the end of the process, in a timely fashion. A nice overview of open privacy solutions can be found in the Privacy Solution Overview.


The Open Security newsletter is an overview of cyber security news with a core focus on openness. Pointing out what went wrong after a cyber security breach is easy. Designing good and simple measures is hard. So join the open Security Reference Architecture collaboration project to create better solutions together, or become a partner to support this project. Use our RSS or ATOM feed to follow Open Security News.