First, a lullaby for sleep by Wiz.io Security; patch your internal vulnerabilities:
TL;DR:
This week’s digest covers a range of topics including privacy concerns with tech giants, the rising need for automated vulnerability remediation, data breaches due to server misconfigurations, and the implications of backdoors in open-source software.
Interesting reads of the week:
- Wired highlights the increasing need for privacy-focused browsers, as tech giants like Google continue to track user data even in ‘Incognito’ mode. It recommends switching to browsers like DuckDuckGo, which offer enhanced security and data protection.
- In the world of cybersecurity, Resilient Cyber discusses a report by Rezilion, which found that over 15 million public-facing instances were susceptible to vulnerabilities from CISA’s Known Exploited Vulnerabilities (KEV) catalog. The author emphasizes the need for automated vulnerability remediation and mitigation to address the speed asymmetry between defenders patching vulnerabilities and malicious actors exploiting them.
- On the topic of data breaches, OWASP details a breach that occurred due to a misconfiguration of their old Wiki web server, exposing member resumes from 2006 to 2014. In response, OWASP has taken steps to rectify the breach and review data retention policies to prevent future incidents.
- In the open-source community, a Boehs article details the discovery and analysis of a backdoor in the XZ compression software. The author traces the suspicious activities of GitHub user JiaT75 from 2021 to 2024, highlighting their attempts to introduce vulnerabilities, and criticizes GitHub’s response to the situation.
Additional thoughts on browser privacy: Arc Browser
I’ve been testing Arc Browser for 2 months now, and it’s amazing. But there are a few key points to consider regarding Arc Browser’s privacy compared to Google Chrome and other alternatives like Brave:
- Arc Browser claims to prioritize user privacy and states that they do not sell user data, unlike Google’s data-centric model with Chrome. However, the closed-source nature of Arc raises some skepticism about their privacy claims.[4]
- Arc requires users to create an account to access the browser, which can be seen as a potential privacy concern. Providing personal information, even if fake, for a browser may be off-putting to privacy-conscious users.[3][4]
- Arc is built on the Chromium engine, the same engine that powers Google Chrome. While this provides compatibility benefits, it also means that Arc may be vulnerable to the same exploits and security threats that target Chromium-based browsers.[4]
- Arc includes privacy-enhancing features like uBlock Origin pre-installed for ad and tracker blocking, which addresses some privacy concerns effectively.[5] However, the extent of Arc’s privacy protections is unclear due to its closed-source nature and limited availability for testing.[2]
- Brave, by contrast, is an open-source browser that has undergone more extensive privacy and security analysis. It offers strong privacy protections out of the box and has a transparent model.[2][3]
In summary, until Arc becomes more widely available for thorough testing and analysis, its true privacy merits remain unknown to us.
If privacy is your top priority, using an open-source browser like Brave or Firefox with proven privacy features and transparency may be a safer choice. These browsers have undergone extensive scrutiny and offer strong protections without the need for a mandatory account.
Ultimately, the best browser for you depends on your specific needs and threat model. If you prioritize privacy above all else, sticking with well-established, open-source options like Brave or Firefox is the better choice. However, if you value Arc’s unique features and user experience, using it for non-sensitive browsing while relying on a more privacy-focused browser for critical tasks could be a reasonable compromise. Compartmentalize.
Conclusion:
This week’s digest underscores the importance of privacy, the urgency of addressing cybersecurity vulnerabilities, and the need for vigilance in the open-source community. It serves as a reminder that while technology offers numerous benefits, it also brings with it risks that must be managed effectively.
Citations about browsers:
[2] https://www.reddit.com/r/privacy/comments/17x3rxk/arc_browser_privacy/
[3] https://discuss.privacyguides.net/t/arc-browser-security-privacy-settings/14545
[4] https://www.toolify.ai/ai-news/the-untold-truth-of-the-arc-browser-175640
[5] https://eightify.app/media/arc-browser-review-design-privacy-and-customization-concerns