
Swiss government says give M365, and all SaaS, a miss as it lacks end-to-end encryption

(2025/12/01)


Infosec In Brief Switzerland’s Conference of Data Protection Officers, Privatim, last week issued a [1]resolution calling on Swiss public bodies to avoid using hyperscale clouds and SaaS services due to security concerns.

“Most SaaS solutions do not yet offer true end-to-end encryption that would prevent the provider from accessing plaintext data,” the resolution states. Privatim therefore thinks SaaS or hyperscale clouds – especially those subject to the US CLOUD Act – are not appropriate places for Swiss government agencies to place “particularly sensitive personal data or data subject to a legal obligation of confidentiality.”

The resolution also points out that cloud and SaaS service providers can unilaterally amend their terms and conditions, potentially eroding security and privacy provisions.


“The use of SaaS applications therefore entails a significant loss of control,” the resolution states. “The public body cannot influence the likelihood of a violation of fundamental rights. It can only mitigate the severity of potential violations by not releasing particularly sensitive data from its sphere of control.”


The document concludes that Switzerland should not allow use of SaaS from “large international providers … in most cases” and singles out Microsoft 365 by name as an inappropriate service.

Clean up your repos, people

Security engineer Luke Marshall has revealed he scanned every public repository he could find on GitLab – all 5.6 million of them – and found 17,000 verified live secrets.

As detailed on a [5]post at secret-sniffing service Truffle Security, a GitLab API makes it possible to generate a list of all public repos.

Marshall generated that list, and then wrote “A local Python script that sent all 5,600,000 repository names to an AWS SQS queue, which acted as a durable task list.”


He also created an AWS Lambda function to scan the repositories with Truffle Security’s TruffleHog tool, and logged the result.

“This set me back about $770 USD, but it let me scan 5,600,000 repositories in about 24 hours,” he wrote.

Among the secrets he found were over 5,000 credentials for Google Cloud, over 2,000 for MongoDB, plenty for OpenAI and AWS, and 910 tokens for Telegram bots.


Marshall has run a similar analysis of Atlassian’s Bitbucket code locker, and says his scan found “~35% higher density of leaked secrets per repository on GitLab compared to Bitbucket.”
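The defensive counterpart to a scan like Marshall's is checking your own files before they are pushed. The following is an added example, not Marshall's pipeline or TruffleHog's code: a small Python checker that looks for the credential families the scan reported (AWS access key IDs, Google API keys, Telegram bot tokens, MongoDB URIs with embedded passwords) and drops low-entropy placeholder matches. The regexes are approximations assumed for illustration, and the config text is constructed.

```python
import math
import re
from collections import Counter

# Approximate token shapes for the credential families named in the article.
# These patterns are an assumption of this example, not TruffleHog's detectors.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "telegram_bot_token": re.compile(r"\b\d{8,10}:[A-Za-z0-9_-]{35}\b"),
    "mongodb_uri_with_password": re.compile(r"mongodb(?:\+srv)?://[^:/\s]+:[^@\s]+@\S+"),
}

# Constructed sample config: the AKIA value is AWS's documented example key,
# the second AKIA line is a placeholder that should be filtered by entropy.
SAMPLE_CONFIG = """\
# constructed sample, not a real leak
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_PLACEHOLDER=AKIAXXXXXXXXXXXXXXXX
GOOGLE_API_KEY=AIzaSyConstructedExampleKey0123456789ab
TELEGRAM_TOKEN="123456789:AAF-constructedBotTokenExample01234"
MONGO_URL=mongodb+srv://appuser:s3cretPassw0rd@cluster0.example.net/db
LOG_LEVEL=info
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; repeated placeholder chars score low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str, min_entropy: float = 3.0):
    """Return (line_number, pattern_name, token) for each plausible secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                token = match.group(0)
                # Real keys are close to random; AKIAXXXX... style stubs are not.
                if shannon_entropy(token) < min_entropy:
                    continue
                findings.append((lineno, name, token))
    return findings


if __name__ == "__main__":
    for lineno, name, token in scan_text(SAMPLE_CONFIG):
        # Redact the tail so the report itself does not re-leak the value.
        print(f"line {lineno}: {name}: {token[:8]}...")
```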

Strava says spooks should stop oversharing

Exercise-tracking app Strava has released a [8]draft update to its terms of service that requires users to accept all risks associated with using its geolocation features.

The app allows users to create maps of their outdoor activities like runs, walks, hikes, and bike rides. That data has revealed the whereabouts of users at [9]military bases and the location of [10]French president Emmanuel Macron’s bodyguards.

Strava’s new legalese, which takes effect on January 1, 2026, absolves it of any risks associated with using geolocation and points out: “These risks may be greater depending on your circumstances, e.g., if you work in a sensitive job or position of trust.”


Leak exposes Iran’s Charming Kitten gang

Iranian opposition activist and independent cyber espionage investigator Nariman Gharib last week [15]published an analysis of what he says are leaked documents that describe the activities of Iran’s “Charming Kitten” crew.

Gharib says the leaked docs link [16]Charming Kitten to assassination operations.

“Every breached airline database, every compromised hotel booking system, every hacked medical clinic feeds into a system designed to locate and kill people the Iranian regime considers enemies,” he wrote.

The investigator says Charming Kitten is a sophisticated operation that runs teams dedicated to developing offensive tools, infiltrating targets, and running phishing campaigns. Another team spends a lot of its time translating documents stolen in raids.

Gharib says Iran has operated Charming Kitten since at least 2017, and the organization is growing in size and sophistication.

Israeli military may have banned Androids

The Israel Defense Forces have reportedly banned use of Android smartphones by top brass.

According to [17]The Jerusalem Post, Israeli Army Radio last week foreshadowed an order that would define a standard operating environment that specifies the use of iOS devices by senior officers.

The order is apparently a measure to reduce exposure to surveillance using social media apps. ®




[1] https://www.privatim.ch/de/publikation-resolution-zur-auslagerung-von-datenbearbeitungen-in-die-cloud/



[5] https://trufflesecurity.com/blog/scanning-5-6-million-public-gitlab-repositories-for-secrets


[8] https://www.strava.com/legal/terms-2026

[9] https://www.theregister.com/2018/01/29/strava_heatmap_military_base_locations/

[10] https://www.theregister.com/2024/10/29/macron_location_strava/


[15] https://blog.narimangharib.com/posts/2025%2F11%2F1763938840948?lang=en

[16] https://www.theregister.com/2025/06/26/that_whatsapp_from_an_israeli/

[17] https://www.jpost.com/israel-news/defense-news/article-876327




End to end encryption is not enough

billdehaan

“Most SaaS solutions do not yet offer true end-to-end encryption that would prevent the provider from accessing plaintext data”

I sincerely hope that doesn't mean that if/when Microsoft does enable full end to end encryption in M365, that the Swiss government would then start using it for confidential government data.

The fact that the Swiss government is talking about end-to-end encryption rather than zero trust is a bad sign.

All end to end encryption does is prevent the data from being decrypted in transit. The SAAS recipient, in this case Microsoft, still has access to the unencrypted data.

People aren't concerned about Windows Recall because they're worried about man in the middle attacks, they're worried that Microsoft will have access to their data. Even with end to end encryption, Microsoft could still access M365 data. There can be all sorts of legalities stopping them, and internal processes, but physically, Microsoft employees could access the M365 data.

Unless they're committing to zero trust systems, I wouldn't trust any SAAS vendor. And I'd only trust them with zero trust because, by definition, zero trust assumes they can't be trusted.

Re: End to end encryption is not enough

Anonymous Coward

Yeah, hopefully they learned something from the 1.3 million files stolen by the Play ransomware gang through [1]Xplain AG, and the most notorious 3 million-strong [2]toothbrush botnet that nonstop DDoS-ed the whole place last year ...

[1] https://www.theregister.com/2024/03/08/swiss_government_files_ransomware/

[2] https://www.theregister.com/2024/02/09/a_look_at_fortinet_week/
