Swiss government says give M365, and all SaaS, a miss as it lacks end-to-end encryption
PLUS: Exercise app tells spies to stop mapping; GitLab scan reveals 17,000 secrets; Leak exposes Iran’s Charming Kitten; And more!
INFOSEC IN BRIEF Switzerland’s Conference of Data Protection Officers, Privatim, last week issued a resolution calling on Swiss public bodies to avoid using hyperscale clouds and SaaS services due to security concerns.
“Most SaaS solutions do not yet offer true end-to-end encryption that would prevent the provider from accessing plaintext data,” the resolution states. Privatim therefore thinks SaaS or hyperscale clouds – especially those subject to the US CLOUD Act – are not appropriate places for Swiss government agencies to place “particularly sensitive personal data or data subject to a legal obligation of confidentiality.”
The resolution also points out that cloud and SaaS service providers can unilaterally amend their terms and conditions, potentially eroding security and privacy provisions.
REG AD
“The use of SaaS applications therefore entails a significant loss of control,” the resolution states. “The public body cannot influence the likelihood of a violation of fundamental rights. It can only mitigate the severity of potential violations by not releasing particularly sensitive data from its sphere of control.”
REG AD
The document concludes that Switzerland should not allow use of SaaS from “large international providers … in most cases” and singled out Microsoft 365 for mention as an inappropriate service.
Clean up your repos, people
Security engineer Luke Marshall has revealed he scanned every public repository he could find on GitLab – all 5.6 million of them – and found 17,000 verified live secrets.
As detailed on a post at secret-sniffing service Truffle Security, a GitLab API makes it possible to generate a list of all public repos.
Marshall generated that list, and then wrote “A local Python script that sent all 5,600,000 repository names to an AWS SQS queue, which acted as a durable task list.”
He also created an AWS Lambda function to scan the repositories with Truffle Security’s TruffleHog tool, and logged the result.
“This set me back about $770 USD, but it let me scan 5,600,000 repositories in about 24 hours,” he wrote.
Among the secrets he found were over 5,000 credentials for Google Cloud, over 2,000 for MongoDB, plenty for OpenAI and AWS, and 910 tokens for Telegram bots.
REG AD
Marshall has run a similar analysis of Atlassian’s Bitbucket code locker, and says his scan found “~35% higher density of leaked secrets per repository on GitLab compared to Bitbucket.”
Strava says spooks should stop oversharing
Exercise-tracking app Strava has released a draft update to its terms of service that requires users to accept all risks associated with using its geolocation features.
The app allows users to create maps of their outdoor activities like runs, walks, hikes, and bike rides. That data has revealed the whereabouts of users at military bases and the location of French president Emmanuel Macron’s bodyguards.
Strava’s new legalese, which takes effect on January 1, 2026, absolves it of any risks associated with using geolocation and points out: “These risks may be greater depending on your circumstances, e.g., if you work in a sensitive job or position of trust.”
Leak exposes Iran’s Charming Kitten gang
Iranian opposition activist and independent cyber espionage investigator Nariman Gharib last week published an analysis of what he says are leaked documents that describe the activities of Iran’s “Charming Kitten” crew.
Gharib says the leaked docs link Charming Kitten to assassination operations.
REG AD
“Every breached airline database, every compromised hotel booking system, every hacked medical clinic feeds into a system designed to locate and kill people the Iranian regime considers enemies,” he wrote.
The investigator says Charming Kitten is a sophisticated operation that runs teams dedicated to developing offensive tools, infiltrating targets, and running phishing campaigns. Another team spends a lot of its time translating documents stolen in raids.
Gharib says Iran has operated Charming Kitten since at least 2017, and the organization is growing in size and sophistication.
Israeli military may have banned Androids
The Israel Defense Forces have reportedly banned use of Android smartphones by top brass.
According to The Jerusalem Post, Israeli Army Radio last week foreshadowed an order that would define a standard operating environment that specifies the use of iOS devices by senior officers.
The order is apparently a measure to reduce exposure to surveillance using social media apps. ®