Real world
The anomaly of cheap complexity
Have you ever wondered why our computer systems are so complex and so insecure? Computers are insecure because they have so many complex layers. But why are there so many layers? Read the story to find out why this happened.
Secure Architecture
From Zero to One Hundred
Zero Trust architecture has been defined in NIST SP 800-207 since 2019 as a response to remote work, BYOD, cloud infrastructures and insider threats. Two years later, what can we say about Zero Trust? Here is an article about the implications of Zero Trust for enterprise people, processes, and technology.
Cryptography
Cryptographic agility and superior alternatives
Cryptographic agility – selecting the ciphers within a cryptographic protocol that work best for a particular use case – is a great idea. Or is it? Often cryptographic agility leads to insecurity and fails in practice. The article by Soatok also covers superior alternatives to agility and strategies for cryptography migration.
Vulnerabilities
One I/O ring to rule them all: a full read/write exploit primitive on Windows 11
I/O ring is a new asynchronous I/O mechanism that allows an app to queue as many as 0x10000 I/O operations and submit them all at once, using a single API call.
Read a blog post by Yarden Shafir uncovering a post-exploitation technique unique to Windows 11 22H2+: using I/O ring preregistered buffers to create a read/write primitive from 1-2 arbitrary kernel writes (or increments).
DevOps
A guide to improving security through infrastructure-as-code
Infrastructure as Code (IaC) comes with benefits such as cost reduction, increased deployment speed, scalability, consistent and reliable configurations, visible governance, and security and compliance controls.
In this article, Viktor Gazdag from NCC Group attempts to create a guide on how to integrate security into infrastructure as code, and shows how security checks and gates, tools and procedures secure the infrastructure, mentioning free and/or open-source tools wherever possible.
Incidents
Statement on the fatal flaws found in a defunct CIA covert communications system
The CIA developed dozens of websites to communicate with its agents secretly, but it was a fatally insecure network. An investigation led by Citizen Lab senior researcher Bill Marczak confirmed it.
Here's a special report by Joel Schectman and Bozorgmehr Sharafedin about a CIA asset who communicated with agency handlers via a hidden communications app on a sports website, then was captured in Iran and served 7 years in prison.
This vulnerability went far beyond Iran. The CIA created many similar websites to communicate with agents across 20 countries.
P.S.
The answer to life, security, and everything
I assume it's time for a native ad! 🤓
So, you know where to find the right tool to get security things done right. If not, see the Acra database security suite.