
Open Security News week 47-2023

Machine learning (AI) is one of the most powerful technologies of our time. But machine learning is a complex technology that brings a lot of new cyber security and privacy risks. Cyber security is also a field where commercial vendors of security solutions proclaim breakthrough innovations every week. Don't fall for it: there is no magical new tool for old or new threats. Good cyber security is, and will remain, hard work. Now and in times to come.

1 What the !#@% is a Passkey?

Passkeys promise to solve phishing and to end password reuse. A passkey is a FIDO2/WebAuthn credential: a key pair whose signatures are bound to the website's origin, which is why a look-alike phishing site cannot reuse them. Despite the fact that I read many security articles, the term 'passkey' is still rather new to me. Passkeys also do not fit every use case and they have some disadvantages. E.g. a passkey stored only on one computer or phone isn't that useful, so the backup and restore challenge for secrets applies to passkeys as well.

(Link)
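As an added example (not from the linked article), the checks a relying party performs on a passkey assertion, in Python. Names, the origins and the credential secret are assumptions for illustration. The standard library cannot verify the authenticator's ECDSA/EdDSA signature, so an HMAC with a per-credential secret stands in for it; the signed message is still exactly what WebAuthn signs, authenticatorData followed by SHA-256(clientDataJSON), and clientDataJSON carries the origin the browser was really on, which is what defeats phishing.

```python
"""Relying-party checks on a passkey (WebAuthn) assertion; added example.

Constructed stand-in: HMAC replaces the authenticator's asymmetric signature.
All names, origins and secrets below are assumptions for illustration.
"""
import base64
import hashlib
import hmac
import json
import secrets
import struct

FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def verify_assertion(rp_id, allowed_origins, expected_challenge, stored_sign_count,
                     client_data_json, authenticator_data, signature, verify_sig):
    """Return (ok, reason); the checks follow the order of the WebAuthn spec."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(b64url_decode(cd.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch (replay?)"
    if cd.get("origin") not in allowed_origins:
        return False, "origin %r not allowed (phishing site?)" % cd.get("origin")
    if len(authenticator_data) < 37:
        return False, "authenticator data too short"
    rp_id_hash = authenticator_data[:32]
    flags = authenticator_data[32]
    sign_count = struct.unpack(">I", authenticator_data[33:37])[0]
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not flags & FLAG_UP:
        return False, "user presence not asserted"
    if sign_count != 0 and sign_count <= stored_sign_count:
        return False, "signature counter did not increase (cloned authenticator?)"
    # What the authenticator actually signed: authData || SHA-256(clientDataJSON).
    message = authenticator_data + hashlib.sha256(client_data_json).digest()
    if not verify_sig(message, signature):
        return False, "bad signature"
    return True, "ok"


def fake_authenticator(secret, rp_id, origin, challenge, sign_count):
    """Constructed authenticator: builds clientDataJSON + authenticatorData, 'signs' with HMAC."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url_encode(challenge),
                              "origin": origin}).encode()
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([FLAG_UP | FLAG_UV])
                 + struct.pack(">I", sign_count))
    sig = hmac.new(secret, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return client_data, auth_data, sig


def demo():
    """A legitimate login, a login from a look-alike site, and a stale counter."""
    secret = b"per-credential-secret-stand-in"

    def verify_sig(message, signature):
        return hmac.compare_digest(hmac.new(secret, message, hashlib.sha256).digest(), signature)

    rp_id, origins = "example.com", {"https://example.com", "https://www.example.com"}
    challenge = secrets.token_bytes(32)  # fresh per login attempt, stored server-side
    args = (rp_id, origins, challenge, 4)  # 4 = signature counter seen at last login
    results = {}
    results["legit"] = verify_assertion(
        *args, *fake_authenticator(secret, rp_id, "https://example.com", challenge, 5), verify_sig)
    # The browser fills in the origin it is really on, so a look-alike domain is caught here.
    results["phish"] = verify_assertion(
        *args, *fake_authenticator(secret, rp_id, "https://login-example.com", challenge, 5), verify_sig)
    results["stale_counter"] = verify_assertion(
        *args, *fake_authenticator(secret, rp_id, "https://example.com", challenge, 4), verify_sig)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:14} {'accepted' if ok else 'rejected'}: {reason}")
```

In a real browser the phishing case fails even earlier: the rpId must be the page's own domain or a registrable suffix of it, so an assertion made on login-example.com would also fail the rpIdHash check. The signature-counter check is a cloned-authenticator heuristic only; synced passkeys commonly report a counter of zero, which the code accepts.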

2 Stop deploying web application firewalls

Everyone who has preached for using a WAF should read this article. In essence it comes down to the fact that nobody is immune to the brainwashing propaganda of commercial vendors. A WAF is a compensating control in front of the application, not a fix for the vulnerabilities inside it. So know the disadvantages of a WAF and be clear about why you use one. And yes, I think that there are solid use cases when you should use a WAF.

(Link)

3 Tapping into a telecommunications company’s office cameras

Great read on a common security issue: unprotected API endpoints. The lessons: keep an inventory of all your API endpoints, assume every endpoint is discoverable (obscurity is not a control), and authenticate and authorise every one of them.

(Link)
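As an added example (not from the write-up), a minimal deny-by-default API front door in Python: every route that exists is listed with the scope it requires, an unlisted path is not reachable at all, and authentication and the scope check run before any handler. The camera routes, the scopes and the HMAC-signed bearer token format are assumptions for illustration.

```python
"""Deny-by-default authentication for every API route; added example.

Route names, scopes and the token format are assumptions, not the
product or article's own design.
"""
import hashlib
import hmac
import json
import time

SIGNING_KEY = b"server-side-secret"  # assumption: held only by the API server

# Every route that exists is listed here with the scope it requires.
# A route that is not listed does not exist to the outside world.
ROUTES = {
    ("GET", "/api/v1/cameras"): "cameras:read",
    ("GET", "/api/v1/cameras/42/snapshot"): "cameras:read",
    ("POST", "/api/v1/cameras/42/config"): "cameras:admin",
}


def issue_token(subject, scopes, ttl_seconds, now=None):
    """Mint an HMAC-signed bearer token carrying subject, scopes and expiry."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": subject, "scopes": sorted(scopes), "exp": int(now + ttl_seconds)},
                         separators=(",", ":")).encode()
    mac = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    return payload.hex() + "." + mac


def parse_token(token, now=None):
    """Return the claims if the token is intact and not expired, else None."""
    now = time.time() if now is None else now
    try:
        payload_hex, mac = token.split(".", 1)
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):  # constant-time, rejects tampering
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:
        return None
    return claims


def handle(method, path, headers, now=None):
    """Single choke point: route lookup, authentication, then scope check."""
    required_scope = ROUTES.get((method, path))
    if required_scope is None:
        return 404, {"error": "not found"}
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "authentication required"}
    claims = parse_token(auth[len("Bearer "):], now)
    if claims is None:
        return 401, {"error": "invalid or expired token"}
    if required_scope not in claims.get("scopes", []):
        return 403, {"error": "insufficient scope"}
    return 200, {"route": path, "sub": claims["sub"]}


def demo():
    """Status codes for the requests a scanner would typically try."""
    now = 1_700_000_000  # fixed clock so the run is reproducible
    viewer = issue_token("alice", ["cameras:read"], 3600, now)
    tampered = viewer[:-1] + ("0" if viewer[-1] != "0" else "1")  # flip last MAC nibble
    with_token = {"Authorization": "Bearer " + viewer}
    return {
        "anonymous": handle("GET", "/api/v1/cameras", {}, now)[0],
        "viewer_read": handle("GET", "/api/v1/cameras/42/snapshot", with_token, now)[0],
        "viewer_admin": handle("POST", "/api/v1/cameras/42/config", with_token, now)[0],
        "expired": handle("GET", "/api/v1/cameras", with_token, now + 7200)[0],
        "tampered": handle("GET", "/api/v1/cameras", {"Authorization": "Bearer " + tampered}, now)[0],
        "unlisted": handle("GET", "/api/v1/debug/dump", with_token, now)[0],
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:13} -> {status}")
```

The point of the route table is inventory: a new endpoint cannot be served without being registered, and registering it forces a decision about who may call it.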

4 That time I wrote malware and got caught

Nowadays hacking your high school can have nasty consequences for your school career. But playing in the wild and discovering how computers and networks work is essential for learning. Be warned, though: in many countries strict laws apply even to non-intrusive testing of the security configuration of computers that you do not own.

(Link)

5 Hackers, Scrapers & Fakers: What’s Really Inside the Latest LinkedIn Dataset

Leaked data comes in many different forms. This post is a nice reminder that storing personal data means you should practise security by design. And be very aware of the data that web-scraping companies collect, often with the aim of misusing it in bulk.

(Link)

6 Biggest DDoSes of all time generated by protocol 0-day in HTTP/2

I don’t like this site, but the story is worth reading, and the visual overview is nice.

(Link)

7 Europe’s hidden security crisis

Real-Time Bidding (RTB) is an advertising technology that is active on almost all websites and apps, but without any security measures to protect the personal data it broadcasts to bidders. The report (pdf) is worth reading.

(Link)

8 Security Assessment of PyPI

Some FOSS software simply has to be good and secure, and PyPI, trusted by so many, is a prime example. PyPI is the Python Package Index, the primary repository for the Python ecosystem. It hosts half a million unique Python packages uploaded by 750,000 unique users and serves over 26 billion downloads every single month. The good news: there is no really severe finding, and the number of findings is small relative to the amount of source reviewed. But there is always room for improvement. The open report is valuable for everyone to learn from.

(Link)

9 CacheWarp

When a vulnerability gets its own website, it is serious and worth reading. CacheWarp is a new software-based fault attack on AMD CPUs. It allows attackers to hijack control flow, break into encrypted VMs, and perform privilege escalation inside the VM. This is alarming; check the site and view the demos.

(Link)

10 Escaping the sandbox

A critical stack-corruption bug that has existed in Windows for more than 20 years (CVE-2023-36719). The bug was found in a core Windows OS library that is used by countless software products. This is a must-read for everyone involved in cyber security to test and update your knowledge. The post has great visuals that help with understanding how these kinds of bugs really work.

(Link)

Our partners:

nocomplexity

The Open Security newsletter is an overview of cyber security news with a core focus on openness. Pointing out what went wrong after a cyber security breach is easy. Designing good and simple measures is hard. So join the open Security Reference Architecture collaboration project to create better solutions together. Or become a partner to support this project. Use our RSS or ATOM feed to follow Open Security News.