Open Security News week 49-2022

We are all humans. For severe cyber security problems we fall in love with so called ‘Holy Grail’ products. The product capabilities of these product are outlined with vague and difficult marketing buzz. So perfect for managers who lack a solid technical background. But deploying these products can be compared with deliberately installing a large backdoor in your trusted environment. Security by obscurity is a bad security principle. Demand openness and full transparency.

1 Automating Data Protection at Scale: Airbnb

I love reading stories on cybersecurity from real life experiences. You learn and get insight in the real world complexity when dealing with cybersecurity. This story is all about data protection within Airbnb. When reading this story the only sensible conclusion is: Security and privacy breaches within Airbnb will be no surprise since automation is never perfect.


2 Results of the CloudEvents Security Assessment

This Security Assessment took place in September 2022, in which a team of two experts conducted a security review, with four person-weeks of effort. Direct link to the report here. Learning point from this assessment: dependencies that need critical security updates should be done!

3 Enhanced Protection with Google Chrome

This is the fastest and strongest level of protection against dangerous sites and downloads that Safe Browsing offers in Chrome. As a result, Enhanced Protection users are phished 20-35% less than users on Standard Protection.

4 CoRA: Collaborative Risk-Aware Authentication

CoRA is a Collaborative Risk-aware Authentication) method that takes advantage of any and many devices that the user owns. CoRA does not assume any secure element or physical security for the devices. If you are into banking security or using a VISA card, pay attention to this research paper of VISA.

5 FBI Calls Apple’s Enhanced Encryption ‘Deeply Concerning’

The news of Apple’s new End-to-End encryption scared governments world wide. But going back to a governmental approved encryption with back doors built-in should not be a discussion any more.


6 Tech companies fueled the rise of Homeland Security and domestic surveillance

Unfortunately this is no surprise to me. But more spot lights on these kind of nasty issues always help. With the EU and many EU countries a unhealthy marriage between cyber security firms and governments is also very common.


7 A Framework for Building Industrial Control Systems Security Simulation Testbeds

With the advent of smart industry, Industrial Control Systems (ICS) are increasingly using Cloud, IoT, and other services to meet Industry 4.0 targets. Operational ICSs are not safe to research cyber measurements due to the possibility of catastrophic risks. Therefore, realistic ICS testbeds are needed. Personally I would not focus directly on using machine learning IDS for these kind of environments. Start with a security-by-design culture change. But nice paper if you are involved with setting up a cyber security test lab.
(arXiv Link)

8 CAN-BERT do it? CAN Intrusion Detection System based on BERT Language Model

Car Hacking safety serious business. Cyber risks are increasing due to the open nature of a CAN connectivity. But reading a paper on BERT (an open NLP model) and cyber security is real brain food. More and more machine learning and cyber security will be connected.

(arXiv Link)

Our partners:


The Open Security newsletter is an overview of cyber security news with a core focus on openness. Pointing out what went wrong after a cyber security breach is easy. Designing good and simple measurements is hard. So join the open Security Reference Architecture collaboration project to create better solutions together. Or become a partner to support this project. Use our RSS or ATOM feed to follow Open Security News.