Open Security News week 40-2023

Reducing cyber security risks is complex. The simplest solutions are the best. Finding simple IT solutions is hard. We need to stop reinventing the wheel. Creating software that meets trivial security and privacy design rules has proven to be very difficult. So improve existing solutions instead of creating new solutions that will fail again. Use proven open solutions (FOSS). We need to use solutions that are transparent and that we can trust. Cyber security is vital for privacy protection.

1 BLASTPASS: iPhone Zero-Click – Zero-Day Exploit Captured in the Wild

The Citizen Lab is doing amazing work regarding fighting digital threats. This story is unbelievable. In short: BLASTPASS is an exploit capable of compromising iPhones without any interaction from the victim. Not surprisingly, the well-known firm NSO Group used this to deliver spyware on demand.

(Link)

2 Privacy Nightmare on Wheels

This is a must-read if you have a modern car and care a bit about security and privacy. This article is no joke and no science fiction, but the naked truth. The car industry uses terrible privacy practices. All modern cars can hear you, see you, and will track you.

(Link)

3 Apple vs Meta: The Illusion of Privacy

I try to minimize the use of social apps. Installing apps on a mobile means installing spyware, since the software is not open. This software also lowers your security, with a large impact on your privacy. This short story is fun to read and is created in a way that sticks.

(Link)

4 Bcrypt at 25: A retrospective on password security

Good knowledge of tried solutions on password security is crucial to improve password security. This article gives a great overview of the password security methods used and of famous password breaches. Generating secure password hashes should be a solved problem. But history teaches that it is not.

(Link)
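The design rules that bcrypt got right in 1999 (a random salt per password, a tunable work factor stored alongside the hash, and a verification step that does not leak through timing) are easy to show in code. The following is an added example, not code from the article or from the bcrypt project: because bcrypt itself needs a third-party library, it uses PBKDF2-HMAC-SHA256 from the Python standard library to illustrate the same design, contrasted with the unsalted fast digest that many breached sites stored. The storage format, iteration count and helper names are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed defaults for this example. Like bcrypt's cost parameter, the
# iteration count is a knob to raise over time as hardware gets faster.
DEFAULT_ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32
SCHEME = "pbkdf2-sha256"


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing string: $pbkdf2-sha256$<iterations>$<salt>$<key>.

    A fresh random salt per password means two users with the same password
    get different stored values, so a leaked table cannot be attacked with one
    precomputed lookup. Storing the cost in the string lets old hashes be
    verified after the policy is raised.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              iterations, dklen=KEY_BYTES)
    return f"${SCHEME}${iterations}${_b64(salt)}${_b64(key)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    try:
        _, scheme, iters, salt_b64, key_b64 = stored.split("$")
        if scheme != SCHEME:
            return False
        iterations = int(iters)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(key_b64)
    except (ValueError, TypeError):
        # Malformed or foreign record: refuse rather than guess.
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=KEY_BYTES)
    # compare_digest avoids an early-exit comparison whose timing depends on
    # how many leading bytes match.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, minimum_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when a stored record was made with a lower cost than current policy."""
    parts = stored.split("$")
    if len(parts) != 5 or parts[1] != SCHEME:
        return True
    try:
        return int(parts[2]) < minimum_iterations
    except ValueError:
        return True


def legacy_unsalted_hash(password: str) -> str:
    """What many breached sites stored: a fast, unsalted digest. For contrast only."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample credentials: two users who chose the same password.
    users = {"alice": "correct horse battery staple",
             "bob": "correct horse battery staple"}
    # Unsalted: identical passwords give identical digests, so one crack reveals both.
    print({u: legacy_unsalted_hash(p) for u, p in users.items()})
    # Salted and slow: identical passwords give different records.
    table = {u: hash_password(p) for u, p in users.items()}
    print(table)
    print(verify_password("correct horse battery staple", table["alice"]))
    print(verify_password("wrong password", table["alice"]))
    print(needs_rehash(hash_password("x", iterations=1000)))
```

On a successful login, call `needs_rehash` on the stored record and, when it returns True, store `hash_password` of the password just verified so the table migrates to the current cost without a forced reset.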

5 I disconnected our smart oven, and maybe you should as well

Smart devices are still often security nightmares. This article is a good reminder that connecting a device to the internet has too often a price.

(Link)

6 In toto framework

In-toto is a security framework to secure the integrity of software supply chains. in-toto is designed to ensure the integrity of a software product from initiation to end-user installation.

(Link)

7 The Marvin Attack

When attacks have their own name you should be more aware than usual. The Marvin Attack is a return of a 25-year-old vulnerability that allows an attacker to perform RSA decryption and signing operations while only being able to observe the time of the decryption operation performed with the private key.

(Link)

8 Debunking NIST’s calculation of the Kyber-512 security level

This is a very good story to read. But be warned: your trust in the US NIST will never be the same!

(Link)

9 You Can’t Control Your Data in the Cloud

This article is still a good reminder that security in the Cloud is a factor to be considered very carefully. The mainstream belief that Cloud security is always better is not correct. Cloud hosting is not by default more secure! You lose control, not only of your data but also of managing risks. The article lists some incidents, and they are just a tiny fraction…

(Link)

Our partners:

nocomplexity

The Open Security newsletter is an overview of cyber security news with a core focus on openness. Pointing out what went wrong after a cyber security breach is easy. Designing good and simple measures is hard. So join the open Security Reference Architecture collaboration project to create better solutions together. Or become a partner to support this project. Use our RSS or ATOM feed to follow Open Security News.