Open Security News week 44-2022

Today all software is under continuous attack, so focus on practical, simple steps to improve cybersecurity. Increase the effectiveness of your current cybersecurity measures and tools. Do not fall into the trap of buying yet another security defense application that promises to reduce cyber risk at lower cost and with less effort. A magic solution that removes your cyber security threats does not exist.

1 State of AWS Security

The best security stories to learn from are real-world stories and experiences. You are not alone: managing security on AWS is not simple and is full of pitfalls. This story presents some numbers that will make you depressed.

2 Zeek is Now a Component of Microsoft Windows

As a FOSS security evangelist I am still in doubt. One thing is clear: the FOSS Zeek application is a very successful and good security monitoring product. For those not familiar: Zeek is a powerful open source network analysis framework. Since Zeek is BSD licensed, let's hope that Microsoft will not only take and use the code, but will also donate improvements back to the Zeek community. With a BSD licensed product there is absolutely no obligation to do so, so Microsoft, please surprise me.

3 How Do You Prove a Secret?

This short blog should be mandatory reading for every #CISSP holder, or whatever security certification you have. Zero-knowledge proofs are not simple, but they are crucial to really understand PKI and encryption solutions.

4 The Holy Grail of cryptography

Fully Homomorphic Encryption (FHE) will be the future, but that future is not here yet. We will need FHE when quantum computing becomes possible at large scale. This article gives a nice summary of the state of this exciting development in the cyber security research labs.

5 If OpenSSL were a GUI

As a security architect I love visuals. Explaining complexity can be done with a simple visual. To show the complexity of openssl you can of course visualize some of its options in an imaginary GUI. A nice blog for nerds to discuss the correctness of the GUI, but showing this visual to a manager helps in explaining SSL complexity when needed.

6 Reverse Engineering the Apple MultiPeer Connectivity Framework

Nice write-up on how a hacker approaches a possible exploit.

7 Data Security Takes Front Seat In Industrial IoT Design

As recently as 10 years ago, protecting Internet of Things (IoT) data was largely an afterthought. Not anymore. But hacking IoT devices is still a walk in the park. Understanding that security starts with design, and not with foreseen use cases, would be a better start.

8 Software Supply Chain Maturity

Nice report. Ultra-short summary: minimizing the total number of dependencies and keeping update times low are two critical factors for reducing the risk of transitive vulnerabilities. And the challenges go beyond malicious attacks: the research revealed that 96% of open source Java downloads were of components with known vulnerabilities even when a safer version was available. Now read the report yourself!

9 Our computer security problems are our own fault

The title is clickbait, but I wonder: is it true? As a FOSS evangelist I do not use so-called malware applications: applications that I am supposed to trust but whose code is insecure by design. Should we develop better open standards to be more resilient against cyber attacks?

The Open Security newsletter is an overview of cyber security news with a core focus on openness. Pointing out what went wrong after a cyber security breach is easy; designing good and simple measures is hard. So join the open Security Reference Architecture collaboration project to create better solutions together, or become a partner to support this project. Use our RSS or ATOM feed to follow Open Security News.