In the final monthly review of 2020, we talk about recent news, our activities in 2020, and the state of our website.
News of the month
Let us recap the following news:
The SolarWinds Orion supply chain compromise(s)
In early December, most people interested in information security read about the “FireEye breach.” FireEye, a US cybersecurity company, reported a data breach that affected some of their well-protected assets. The subsequent investigation exposed one of the most significant supply-chain compromises in recent years: An unknown advanced persistent threat manipulated the SolarWinds Orion platform. Companies use SolarWinds Orion to manage their IT networks and systems. Therefore, a backdoor in the platform allows access to the digital core of modern corporations. Aside from FireEye, hundreds of organizations and government agencies may be affected by the compromise. See also the CISA Alert below.
The investigation is still ongoing, and Microsoft has discovered a second, distinct backdoor in the Orion platform. Already, the compromise shows the limits of information security: we always reach a point where we trust others to contribute their part to the overall security of our networks and systems.
Another lesson is (again) the importance of detecting ongoing attacks. Only focusing on “preventing all attacks” is insufficient. A modern security concept considers that attackers may breach your preventive measures. Good concepts define actions to detect compromises, respond to incidents, and recover from attacks. And yes, we recommend these measures even if you only run some services on a rented server for your family.
Data Security on Mobile Devices
The Johns Hopkins University published a detailed overview of the state of security on iOS and Android. The report discusses some key findings, such as exposed cryptographic keys after the device’s first unlock, limitations when using cloud services, and security issues due to the general system design. See the link to “Data Security on Mobile Devices” below to read the full technical report.
Data breaches and leaks
We recently posted ‘What breach?’, discussing the lack of awareness when it comes to data breaches. Most affected users don’t react if they (ever) learn about a data breach.
What should you do? Only “preventing” breaches may be insufficient, as mentioned above. Yes, you can create unique and strong passwords for every account. Yes, you can deploy two-factor authentication wherever possible. However, the service provider can still store your password in cleartext in an exposed database on the internet.
Therefore, we recommend storing additional information in your password database, including which personal information you provided to each service. For instance, if you entered your real name, physical address, and phone number, write this down in your password database. In addition, regularly read about data breaches. Even if the breach “only” contains personal data, you need to check what kind of information may be leaked on the internet. Remember that attackers can misuse your information for social engineering attacks.
From September until today, Have I Been Pwned added information about the following breaches:
- Experian, South Africa (breached in August 2020)
- WiziShop (breached in July 2020)
- Chowbus (breached in October 2020)
- Reincubate (breached in October 2020)
- StarTribune (breached in October 2019)
- Promofarma (breached in August 2019)
- Minted (breached in May 2020)
- Wongnai (included in a set of previously undisclosed data breaches, October 2020)
- James (included in a set of previously undisclosed data breaches, June 2020)
- Lazada RedMart (breached in October 2020)
- Mashable (breached in mid-2020)
- Animal Jam (breached in October 2020)
- Home Chef (breached in early 2020)
- 123RF (breached in March 2020)
- Cit0day (unverified collection of 23,000 allegedly breached websites, November 2020)
- Pluto TV (breached in October 2018)
- Peatix (breached in January 2019)
- Ledger (breached in June 2020)
Check if you were affected, and change your credentials.
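As an added illustration of the bookkeeping recommended above (this is example code, not part of the original post), the following Python script cross-references constructed password-database entries, each annotated with the personal data given to that service, against a few of the breached services from the list. The entry names, the field names and the `exposure_report`/`leaked_fields` helpers are assumptions made for this example.

```python
from dataclasses import dataclass


@dataclass
class Entry:
    """One password-database entry plus the personal data handed to the service."""
    service: str
    username: str
    provided: set  # e.g. {"email", "real name", "phone number"}


# Constructed sample entries, as you might export them from your password database.
ENTRIES = [
    Entry("Mashable", "alice@example.org", {"email", "real name"}),
    Entry("Ledger", "alice@example.org",
          {"email", "real name", "physical address", "phone number"}),
    Entry("Example Forum", "alice", {"email"}),
]

# Constructed subset of the breached services from the list above (name -> breach date).
BREACHED = {"mashable": "mid-2020", "ledger": "June 2020", "home chef": "early 2020"}


def exposure_report(entries, breached):
    """Map each affected service to (breach date, sorted personal data possibly leaked).

    Matching is case-insensitive on the service name; unaffected entries are skipped.
    """
    report = {}
    for entry in entries:
        key = entry.service.lower()
        if key in breached:
            report[entry.service] = (breached[key], sorted(entry.provided))
    return report


def leaked_fields(entries, breached):
    """Union of personal-data categories that are now likely public across all breaches."""
    fields = set()
    for entry in entries:
        if entry.service.lower() in breached:
            fields |= entry.provided
    return sorted(fields)


if __name__ == "__main__":
    for service, (date, data) in exposure_report(ENTRIES, BREACHED).items():
        print(f"{service} (breached {date}): change credentials; exposed: {', '.join(data)}")
    print("Personal data to treat as public:", ", ".join(leaked_fields(ENTRIES, BREACHED)))
```

The combined list from `leaked_fields` is the part that matters for social engineering: once your phone number or address appears in one breach, it is public regardless of which other services still keep it safe.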
Our activities in 2020
In 2020, we published four new articles:
- Social engineering: The story of Jessika: The summary of our lecture on social engineering at the University of Regensburg in 2020. This article describes how attackers gather more and more information about their victims to prepare social engineering attacks.
- KeePassXC for beginners – setup and basic usage: This guidance for beginners shows the first steps with KeePassXC, an open-source password manager.
- NTS – Securing NTP with RFC 8915: This article for advanced users describes the steps to set up Network Time Security. NTS secures the Network Time Protocol that your devices use to synchronize their time.
- KeePassXC and YubiKeys – Setting up the challenge-response mode: The second article on KeePassXC is about setting up the challenge-response mode of a YubiKey to secure your KeePassXC database further.
This short list excludes any News posts, AMA articles, and posts about tools. Despite the smaller number of new articles, we voluntarily spent 274 hours (equivalent to 34 workdays) writing and revising our content, improving our website’s technical setup, and replying to your questions.
Apart from the new articles, we changed several things on our website:
- We merged our RSS feeds. Subscribe to our combined RSS feed that now contains all content updates (articles and news).
- We added a News section for content that doesn’t fit into separate articles.
- We improved our theme by introducing dedicated HTML tags (kbd, samp, code, dfn) for better readability and accessibility.
- We removed most of our external accounts (Threema, Keybase, PrivacyTools, Fediverse/Mastodon, GitLab, Session) to refocus on our own website and skip some toxic “us vs. them” communities.
Last December, we announced our revised Web server security series and new content for our Home network security series for early 2020. However, we had to cancel most of our plans for 2020 due to the ongoing pandemic.
Currently, we think that 2021 will be similar to 2020 in terms of a small number of new articles on our website. Although we can’t promise anything, we plan to finally release the revised articles and some new articles of good quality.
If you are interested in contributing, please visit our repository "blog-content" on codeberg.org.
We wish you a secure and healthy 2021!
- CISA Alert AA20-352A (SolarWinds Orion): Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations
- Data Security on Mobile Devices