Open Security News week 35-2022

Our lives heavily depend on software. So software should be open, secure and safe. But the reality is, unfortunately, that most software is malware and steals your private data. That is why I advocate FOSS and love to share cyber security knowledge and lessons learned so we can make our world a bit nicer.

1 5G hacking just got a lot more interesting

At MCH2022 many interesting security and privacy talks were given. I do not like camping, so as usual I skipped this great hacking event held in the Netherlands. The main reason to visit security conferences and hacking events is to gather information that cannot be shared on slides, video or paper. 5G technology has a large attack surface: some parts are simple to hack, some extremely difficult. This talk shows that complexity is, as always, an enemy of security. Check the video or find the slides in the link below.

(Link)

2 The Illustrated TLS 1.3 Connection

TLS can be black magic. So learning the details of the protocol helps. This great tutorial guides you with great visuals through your TLS journey. In this demonstration a client connects to a server, negotiates a TLS 1.3 session, sends “ping”, receives “pong”, and then terminates the session.

(Link)

3 The Animated Elliptic Curve

Visuals always help when learning a new concept. This page guides you with great visuals through the essentials of Elliptic Curve Cryptography.

(Link)

4 Open to a fault: On the passive compromise of TLS keys via transient errors

TLS is one of the most used and most important technologies for internet security today, so keeping up to date with the TLS threat landscape is crucial for security consultants. It is well known that the most common digital signature schemes used in practice can fail catastrophically in the presence of faults during computation. Great paper if you are interested in the hard details of TLS!

(Link)
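To make the "fail catastrophically" point concrete, here is an added example (my own illustration, not code from the paper): an RSA-CRT signer with a simulated transient fault in one half of the computation, the self-check that a signer must run before releasing any signature, and why that check matters (one faulty signature lets a passive observer factor N). The parameters are tiny constructed primes for illustration only.

```python
import math

# Constructed toy RSA key (real keys are 2048+ bits; these primes are for illustration only).
P, Q = 1000003, 1000033
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)          # private exponent, needs Python 3.8+


def sign_crt(m, fault_in_p=False):
    """RSA signature via CRT: two half-size exponentiations recombined with Garner's formula.

    fault_in_p=True simulates a transient error (a single bit flip) in the mod-P half,
    the kind of hardware glitch the paper observes passively on real TLS servers.
    """
    sp = pow(m, D % (P - 1), P)
    sq = pow(m, D % (Q - 1), Q)
    if fault_in_p:
        sp ^= 1                # constructed fault: one bit of the mod-P result flipped
    q_inv = pow(Q, -1, P)
    h = (q_inv * (sp - sq)) % P
    return sq + Q * h          # s mod P == sp, s mod Q == sq


def verify(m, s):
    """Public-key check: s^e mod N must reproduce the message."""
    return pow(s, E, N) == m % N


def safe_sign(m):
    """Countermeasure: never release a signature that does not verify against the public key."""
    s = sign_crt(m)
    if not verify(m, s):
        raise RuntimeError("RSA-CRT self-check failed; signature suppressed")
    return s


def factor_from_faulty(m, s_bad):
    """Why the check matters: a faulty CRT signature is correct mod Q but wrong mod P,
    so gcd(s_bad^e - m, N) reveals Q and with it the whole private key."""
    return math.gcd(pow(s_bad, E, N) - m, N)


if __name__ == "__main__":
    msg = 123456789
    print("good signature verifies:", verify(msg, sign_crt(msg)))
    bad = sign_crt(msg, fault_in_p=True)
    print("faulty signature verifies:", verify(msg, bad))
    print("factor recovered from faulty signature:", factor_from_faulty(msg, bad) == Q)
```

The self-check costs one public-key operation per signature and is the standard defence against exactly this failure mode.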

5 A “secure” smartphone that’s too good to be true

Erik Prince’s pitch to investors was simple, but certainly ambitious: pay just €5 million and cure the biggest cybersecurity and privacy plagues of our day. But almost every attempt to build this kind of phone has failed. This attempt is likely to be no different.

(Link)

6 Amazon Location Service now supports refined access control for geofences and tracked devices

Amazon Location Service now supports service specific condition keys allowing developers to set access control rules for each individual tracked device and geofence within a collection. This adds an additional layer of security and prevents unauthorized and unintended access while managing devices and geofences.

(Link)

7 Bringing lessons from cybersecurity to the fight against disinformation

“It’s only the goal that’s different.”

Getting ahead of influence operations: research in counteracting online influence operations is still young. Studying and reinforcing those weaknesses can work in fighting influence operations, just as they do in cyber defense. Like cyberattacks, influence operations often follow a multistep path, called a kill chain, to exploit predictable weaknesses. These technologies are feeding into the work that Zurko is leading to develop a counter-influence operations test bed. These often-hidden dynamics are important to replicate in a test bed, both to study the spread of fake news and understand the impact of interventions.

(Link)

8 ‘Post-Quantum’ Cryptography Scheme Is Cracked on a Laptop

If today’s cryptography protocols were to fail, it would be impossible to secure online connections — to send confidential messages, make secure financial transactions, or authenticate data. Anyone could access anything; anyone could pretend to be anyone. The digital economy would collapse. When (or if) a fully functional quantum computer becomes available, that’s precisely what could happen.

(Link)

9 Introducing FISSURE: A Toolbox for the RF Hacker

No matter what the job at hand is, if you’re going to tackle it, you’re going to need the right kit of tools. And if your job includes making sense out of any of the signals in the virtual soup of RF energy we all live in, then you’re going to need something like the FISSURE RF framework. It looks like FISSURE could be a lot of fun, and very handy for your RF analysis and reverse engineering work. Exactly what FISSURE is pretty clear from its acronym, which stands for Frequency Independent SDR-Based Signal Understanding and Reverse Engineering. We’ve been looking through all the material we can find on FISSURE, and it appears to be an RF hacker’s dream come true.

(Link)

10 Cheap Complexity and Cybersecurity

In a world where complexity continues to grow, it is hard to provide security guarantees. The problem of escalating complexity becomes an escalated security problem.

(Link)

Our partners:

nocomplexity

The Open Security newsletter is an overview of cyber security news with a core focus on openness. Pointing out what went wrong after a cyber security breach is easy. Designing good and simple security measures is hard. So join the Open Security Reference Architecture collaboration project to create better solutions together. Or become a partner to support this project. Use our RSS or ATOM feed to follow Open Security News.