Open Security News week 9-2024

Good cyber security is and will be hard work. Almost every security professional uses the CVE system. But be cautious: the CVE system is broken and the database of existing CVEs is full of questionable content and plenty of downright lies. Cyber solutions can often be simpler, and the best solution is rethinking whether the solutions you use are really solutions. Frequently, security solutions end up exacerbating security risks rather than mitigating them, sometimes making avoiding the solution altogether the more prudent choice. Why is good cyber security still so hard to accomplish?

1 The Danger of a Free VPN

Personally I distrust all paid or free VPN services. If you care about your privacy and security, you should really do thorough research before using any VPN service. An excellent article that outlines the risks of a VPN data breach was written by Jeremiah Fowler last year.

2 The Cloudflare Thanksgiving 2023 security incident

Cloudflare acts as a middleman between websites and their visitors, optimizing content delivery and providing security features. Cloudflare is widely used as a CDN and as a solution for DDoS mitigation. Learning from security incidents helps everyone improve, so it is great to see that Cloudflare shared some details of a major security incident. The claim is of course that customers and customer data or systems were not impacted by this security event. However, the blog states that the incident was caused by a ‘sophisticated actor, likely a nation-state’, and some crucial details needed to validate the claim that your data was not impacted are missing…

3 Companies embracing SMS for account logins should be blamed for SIM-swap attacks

I love this blog title! But there are true facts in this article: “Sending an SMS to a customer is like sending a postcard through the mail. It’s plaintext (not encrypted), and anyone can open your mailbox and intercept/read it (which is what happens in a SIM-swap attack). The protocol was never designed to be secure.”

4 A layer 3 distributed denial-of-service (DDoS) on SourceHut

When you connect something to the internet, you will be hit by bad actors. Fighting DDoS attacks is very hard. This post-mortem is a great write-up. Thank you, Drew DeVault, for your openness in sharing your lessons.

5 Cyberattacks That Manipulate Behavior of AI Systems

No foolproof method exists as yet for protecting AI from misdirection, and AI developers and users should be wary of anyone who claims otherwise. But please: do not believe me! Just check this article from NIST (the US National Institute of Standards and Technology).

6 Fail2ban sucks

Fail2ban is an intrusion prevention software framework. It is FOSS and has many users and an active community. But I think Jes Olson has some strong arguments against using Fail2ban. So read his arguments and check if you share his conclusion: At best, fail2ban: does nothing.

7 Stop using JWT for sessions

Always be very cautious when using a microservice architecture that relies on too many JWT tokens. This research resulted in strong arguments for why you should avoid JWT tokens for session handling. A good way to keep learning is to figure out whether you agree with the arguments and conclusions made by this author. I love the visual created in this blog. Do not get confused: there are valid reasons for using JWTs, and I personally think not all arguments of this author are valid.

8 Insecure Features in PDFs

We all know: PDFs are NOT secure! PDF files have been and will be the root cause of security breaches. This blog is a great write-up of some PDF features that can be used to create a security breach.

9 DISPUTED, not REJECTED

A great write-up on the current disadvantages of CVEs! “the CVE system is broken and that the database of existing CVEs hosted by MITRE (and imported into lots of other databases) is full of questionable content and plenty of downright lies.” Daniel gave a great talk at FOSDEM 2024 on how he has been managing the FOSS projects cURL and libcurl for more than 25 years by now. So the time he has to waste on these non-issues is a shame. But it is great that he managed to write down his frustrations regarding the CVE system so more people are aware and can take action for improvements.


The Open Security newsletter is an overview of cyber security news with a core focus on openness. Pointing out what went wrong after a cyber security breach is easy. Designing good and simple measures is hard. So join the Open Security Reference Architecture collaboration project to create better solutions together. Or become a partner to support this project. Use our RSS or ATOM feed to follow Open Security News.