From Zero to One Hundred
Zero Trust architecture has been defined in NIST SP 800-207 since 2019 as a response to remote work, BYOD, cloud infrastructures and insider threats. Two years after, what can we say about Zero Trust? Here is an article about the implications of Zero Trust on enterprise people, processes, and technology.
Cryptographic agility and superior alternatives
Cryptographic agility – selecting cyphers within a cryptographic protocol that works best for a particular use case – is a great idea. Or is it? Often cryptographic agility leads to insecurity and fails in practice. The article by Soatok also uncovers superior alternatives to agility and cryptography migration strategies.
One I/O ring to rule them all: a full read/write exploit primitive on Windows 11
I/O ring is a new asynchronous I/O mechanism that allows an app to queue as many as 0x10000 I/O operations and submit them all at once, using a single API call.
Read a blog post by Yarden Shafir uncovering the post-exploitation technique unique to Windows 11 22H2+ – using I/O ring preregistered buffers to create a read/write primitive, using 1-2 arbitrary kernel writes (or increments).
A guide to improving security through infrastructure-as-code
Infrastructure as Code (IaC) comes with benefits such as cost reduction, increased deployment speed, scalability and consistent, reliable configurations, visible governance, security and compliance controls.
In this article, Viktor Gazdag from NCC Group makes an attempt to create a guide on how to integrate security into infrastructure as a code and show how these security checks and gates, tools and procedures secure the infrastructure by mentioning free and/or open-source tools wherever possible.
Statement on the fatal flaws found in a defunct CIA covert communications system
The CIA developed dozens of websites to communicate with their agents secretly, but it was a fatally insecure network. An investigation led by Citizen Lab senior researcher Bill Marczak confirmed it.
Here's a special report by Joel Schectman and Bozorgmehr Sharafedin about a CIA asset who communicated with agency handlers via a hidden communications app on a sports website, then was captured in Iran, and served 7 years in prison.
This vulnerability went far beyond Iran. CIA created many similar websites to communicate with agents across 20 countries.
The anomaly of cheap complexity
Have you ever wondered why are our computer systems so complex and so insecure? Computers are insecure because they have so many complex layers. But why there are so many layers? Read the story to find out why this happened.
The answer to life, security, and everything
I assume it's time for a native ad! 🤓 niyaniya
So, you know where to find the right tool to get security things done right, if not—see Acra database security suite.