Open Security News week 9-2023

Complexity has become a significant issue for cyber security. Senior engineers and experts in the cyber domain with years of experience have developed a distorted view of what is simple and what is complex. My personal core belief is that hard security problems should be fixed through simple solutions. But remember: simple is not easy. Finding a simple solution is nevertheless one of my core principles when solving problems. Elegantly simple designs don’t happen by accident. They’re the result of difficult decisions and discussion. A good, simple cyber solution does not reinvent the wheel.

1 South Korea’s online security dead end

“A fundamental distrust in security technologies coming out of the United States.” and “Nowadays, a typical Korean banking website will require five security applications to be installed before you are allowed to log in.” are just two lines from this great article. My advice: maybe not everything from the US is bad!


2 Cyberattack on food giant Dole temporarily shuts down North America production

Ransomware. Ransomware and Ransomware misery! But beware: Ransomware is not the only digital scam that has hit the food sector. Cybercriminals have stolen hundreds of thousands of dollars’ worth of shipments from US food suppliers by placing fraudulent orders for milk products, the FBI and other federal agencies warned in December.


3 Signal would ‘walk’ from UK if Online Safety Bill undermined encryption

The UK government and prominent child protection charities have long argued that encryption hinders efforts to combat online child abuse, which they say is a growing problem. So they just use a sledgehammer to crack a nut. End-to-end encryption is the first line of defence against government-approved mass surveillance. If it falls, the rest will follow. A huge educational campaign is needed to make clear that being pro-encryption does not make you a criminal or a pedophile.


4 Low-Level Software Security for Compiler Developers

With software security becoming even more important in recent years, it is no surprise to see an ever-increasing variety of security hardening features and mitigations against vulnerabilities implemented in compilers. This book aims to help developers of code generation tools such as JITs, compilers, linkers and assemblers to keep up with this growing set of features.


5 Security audit of account and payment services

VPNs don’t necessarily make you more secure, they just reroute your traffic. It’s a matter of trust. And yes, this audit report helps, but many questions remain. The good news: there are not many VPN companies that are this transparent. The bad news: you should still ask whether your trust in this VPN service is based on verifiable facts. A commercial VPN is never good protection if you’re being directly targeted by your state, especially when your state has connections with the NSA. But a VPN is often useful against your ISP selling your browsing habits to advertisers. Which of course no single ISP in this world will ever do!


6 Why settle for one layer of security when you can have 2FA?

Two-factor authentication is one of the most accessible and effective online security tools around. With 2FA, logging onto an online account will require not just a password but a second form of verification. Turning it on works as an extra layer of protection between hackers and your personal, work, banking or any other information stored in your online accounts.

7 Digital identity architectures: comparing goals and vulnerabilities

Digital identity systems have the promise of efficiently facilitating access to services for a nation’s citizens while increasing security and convenience. There are many possible system architectures, each with strengths and weaknesses that should be carefully considered. This report first establishes a set of goals and vulnerabilities faced by any identity system, then evaluates the trade-offs of common digital identity architectures, principally comparing centralised and decentralised systems.

(arXiv Link)


The Open Security newsletter is an overview of cyber security news with a core focus on openness. Pointing out what went wrong after a cyber security breach is easy. Designing good and simple measures is hard. So join the open Security Reference Architecture collaboration project to create better solutions together. Or become a partner to support this project. Use our RSS or ATOM feed to follow Open Security News.