IEEE Cipher --- Items from security-related news (E133.Jul-2016)

Don't Even Ask About Your Biometrics
  • FBI wants to exempt its huge fingerprint and photo database from privacy protections
    The Washington Post
    By Ellen Nakashima
    June 1, 2016

    The FBI has a database of 100 million fingerprints and 45 facial photos. The fingerprints are exempt from the Privacy Act, and under rules recently proposed by the agency, the facial photos and all biometric data would also be exempt. A coalition that includes the ACLU opposes the exemption. Unlike most public records, the photos would not be available for examination by the subjects, so they would not be able to ask that errors be corrected. The FBI argues that letting someone know that information about them is in the database would compromise investigations. The public comment period ended on July 6.


    All Your MySpace Are Belong to Us
  • Why you should delete the online accounts you don't use anymore - right now
    The Washington Post
    Brian Fung
    May 31, 2016

    Sometime before June 2013, hackers stole over 350 million MySpace account credentials. They were recently put up for sale. Even if you forgot you had a MySpace account, this could be a problem for you, especially if you still have the same email address and used the same password for both services. This kind of data breach is not uncommon, and it illustrates the fragility of passwords. Although the title of the article emphasizes deleting old accounts, more to the point is the importance of not re-using passwords.

    Cyber Security Hall of Fame

    Gene Spafford notes that the nomination cycle for the 2016 induction into the Cyber Security Hall of Fame is now open.

    Details on the nomination procedure are available at

    Nominations are due by July 20.

    Cybercurrency Hacked, and There Is No Good Solution (2 items)
  • Hacker May Have Taken $50 Million From Cybercurrency Project
    The New York Times
    Nathaniel Popper
    June 17, 2016

    A new blockchain-based currency, intended for an investment fund, lost at least a third of its value as hackers exploited a software flaw. The developers have been left with a dilemma: fork the code and lose the integrity of the blockchain (and the confidence of the community) or withdraw all funds and close down.

  • Ethereum Developers Launch White Hat Counter-Attack on The DAO
    Stan Higgins
    June 21, 2016

    More funds have been siphoned from the DAO, and the lead designer announced that the developers were removing their funds.

    Russian Government Hackers Go After the DNC
  • Cyber researchers confirm Russian government hack of Democratic National Committee
    The Washington Post
    Ellen Nakashima
    June 20, 2016

    The DNC website is managed by a company called MIS Department, and by registering a similar domain name, hackers may have used a phishing attack to gain access to confidential documents compiled by the Democratic National Committee. At least two security firms attribute forensic evidence to known hacker groups within the Russian government.

    Cybersecurity Pioneer Mourned
    Obituary for Stephen T. Walker
    The Baltimore Sun
    July 9, 2016


    Pokemon Go Insanity Overrides Rational Security
  • Pokemon Go maker: Coding error gave company access to your emails
    CNN Money
    Jose Pagliery
    Jul. 11, 2016

    The Pokemon Go phenomenon has a cybersecurity sidelight that is truly disturbing. Downloaded apps are supposed to run with the minimal privileges needed for their operation, but not all developers have the same notion of "minimal". In the "all or nothing" model of app privileges, the user either grants what the app demands or doesn't load the software. In the case of this game, iPhone users are asked to grant the app full access to their Google accounts. That gives the Pokemon distributor the ability to access the users' email. Granting that privilege to this "insanely" popular game is ... insane.

    Facebook to Aggregator: Get Outta Here!
  • 9th Circuit: It's a federal crime to visit a website after being told not to visit it
    The Washington Post
    Orin Kerr
    Jul 12, 2016

    The Computer Fraud and Abuse Act was written long before Facebook was dreamed of, but it has been applied to a use of Facebook messaging that most people would probably consider perfectly legal. In this case, a new messaging service allowed users to aggregate the use of their own social media accounts through a third-party interface. That interface used the users' credentials to log in to their accounts and send messages to other users. Facebook sent a cease-and-desist order to the third party, but the service continued to operate. The Ninth Circuit Court held this to be a violation of the CFAA and other laws. This article criticizes the decision, which is likely to be appealed.