ROI

Open Security News week 30-2022

Zero-trust security principles could protect against insider threat by treating every component, service, and user of a system as continuously exposed to and potentially compromised by a malicious actor. But is zero-trust really a good name for this concept? Naming things is hard and a bad name is fuel for confusion.

1 Decentralized Identifiers (DIDs) v1.0 is a W3C Recommendation

The Decentralized Identifier Working Group has published Decentralized Identifiers (DIDs) v1.0 as a W3C Recommendation. This document defines Decentralized identifiers (DIDs), a new type of identifier that enables verifiable, decentralized digital identity. A DID identifies any subject (e.g., a person, organization, thing, data model, abstract entity, etc.) that the controller of the DID decides that it identifies.
(Link)

2 Log4j: The Pain Just Keeps Going and Going

The Apache Log4j’s Log4Shell security hole was an all-time awful code disaster. “The #Log4Shell vulnerability isn’t just an RCE [Remote Code Execution] 0day. It’s a vulnerability that causes hundreds and thousands of 0days in all kinds of software products. It’s a 0day cluster bomb.” Log4j is often deeply embedded in code and hidden from view due to being called in by indirect dependencies.

(Link)

3 Movement towards MFA is underway

Generally users of OSS expect that the software source code and packages came from its OSS developers, not from attackers who take over developer’s accounts. Moves towards MFA are not occurring in a vacuum.
(Link)

4 DNS-over-HTTP/3 in Android

Most network connections begin with a DNS lookup. DNS lookup has traditionally not been private by default: the base DNS protocol is raw UDP with no encryption. While the internet has migrated to TLS over time, DNS has a bootstrapping problem. DNS-over-HTTP/3 avoids several problems that can occur with DNS-over-TLS operation.
(Link)

5 SOARs vs. No-Code Security Automation: The Case for Both

Just a few years ago, security orchestration, automation and response (SOAR) was the new buzzword associated with security modernization. Today, however, SOAR platforms are increasingly assuming a legacy look and feel. Although SOARs still have their place in a modern SecOps strategy, the key to driving SecOps forward today is no-code security automation.
(Link)

6 For years, some Gigabyte and Asus motherboards carried UEFI malware

The rootkit was discovered in firmware images of several Asus and Gigabyte motherboards equipped with an Intel H81 chipset, one of the longest-living Haswell-era chipsets that was finally discontinued in 2020.

(Link)

7 ‘Zero Trust’ security is a poor choice of words

Naming things is hard. Zero Trust is a phrase with negative connotations. Proper naming and messaging will assist with its adoption, as the implementation of Zero Trust is not going to be frictionless, despite vendor claims to the contrary.

(Link)

8 Microsoft open sources its software bill of materials (SBOM) generation tool

SBOMs are lists of ingredients that make up software components, providing software transparency so organizations have insight into their supply chain dependencies.

(Link)

9 Notes on OpenSSL remote memory corruption

OpenSSL version 3.0.4, released on June 21th 2022, is susceptible to remote memory corruption which can be triggered trivially by an attacker. Somewhat peculiarly, almost nobody is talking about this. If RCE exploitation is possible this makes it worse than Heartbleed in an isolated severity assessment.

(Link)

10 Public Key Cryptography and Web Authentication (WebAuthn)

The Web Authentication API (also known as WebAuthn) is a specification written by the W3C and FIDO, with the participation of Google, Mozilla, Microsoft, Yubico, and others. The API allows servers to register and authenticate users using public key cryptography instead of a password.

(Link – W3C) (Link to Guide and API)

Our partners:

nocomplexity

The Open Security newsletter is a bi-weekly overview of cyber security news with a core focus on openness. Pointing out what went wrong after a cyber security breach is easy. Designing good and simple measurements is hard. So join the open Security Reference Architecture collaboration project to create better solutions together. Or become a partner to support this project. Use our RSS or ATOM feed to follow Open Security News.