IEEE Computer Society Cipher --- Items from security-related news (E147)
The Cyber Security Hall of Fame was on hiatus while stable funding was secured. That has happened, and nominations are open for the class of 2019.
Current honorees are listed at http://www.cybersecurityhalloffame.com/
Help by nominating qualified candidates! See http://bit.ly/CSHOFNom for details of nominations.
Imagine plugging a headset into your computer and finding that thereafter major websites could be forged without your browser objecting. That risk was incurred by users of an app, bundled with a headset, that installed its own root certificate into the trust stores of Windows and macOS machines. The same app shipped the root's private key alongside the certificate. The key was encrypted, but attackers needed only a few minutes to extract it. Whoever holds the private key of a trusted root can issue a certificate for any website, and the affected computers will accept it as genuine, so a network attacker could impersonate any site and read or alter traffic the user believed was protected.
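What the leaked key makes possible, as an added example that is not from the original item or the vendor's software: Python driving the openssl command-line tool (1.1.1 or newer, assumed to be on PATH). A freshly generated CA stands in for the root the app installed, `openssl verify -CAfile` stands in for a browser that trusts it, and every name and hostname is made up. A certificate for any hostname signed with the root's private key is accepted; the same certificate signed with any other key is not. The key, not the installer, is the security boundary.

```python
"""Added example: what a leaked root-CA private key buys an attacker.
Constructed for this page; not the app's or vendor's code. Needs the
`openssl` command-line tool (1.1.1 or newer) on PATH. A fresh CA stands
in for the root the app installed, `openssl verify -CAfile` stands in
for a browser that trusts it, and all names are made up."""
import os
import shutil
import subprocess
import tempfile

# Minimal req config so the result does not depend on the system openssl.cnf.
REQ_CONF = """[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
"""


def openssl(args, cwd):
    """Run one openssl subcommand inside cwd; raise if it fails."""
    subprocess.run(["openssl", *args], cwd=cwd, check=True, capture_output=True)


def make_root(name, cwd):
    """Self-signed CA key and certificate, like the root the app shipped."""
    openssl(["req", "-x509", "-config", "req.cnf", "-newkey", "rsa:2048", "-nodes",
             "-sha256", "-days", "30", "-subj", f"/CN={name}",
             "-keyout", f"{name}.key", "-out", f"{name}.pem"], cwd)


def mint_leaf(hostname, ca_name, cwd):
    """Issue leaf.pem for hostname, signed with ca_name's private key."""
    openssl(["req", "-new", "-config", "req.cnf", "-newkey", "rsa:2048", "-nodes",
             "-subj", f"/CN={hostname}", "-keyout", "leaf.key", "-out", "leaf.csr"], cwd)
    with open(os.path.join(cwd, "leaf.ext"), "w") as f:
        f.write(f"subjectAltName=DNS:{hostname}\n")
    openssl(["x509", "-req", "-sha256", "-days", "30", "-in", "leaf.csr",
             "-CA", f"{ca_name}.pem", "-CAkey", f"{ca_name}.key", "-CAcreateserial",
             "-extfile", "leaf.ext", "-out", "leaf.pem"], cwd)


def accepted_by_client(hostname, trusted_root, cwd):
    """Would a client that trusts trusted_root accept leaf.pem for hostname?"""
    r = subprocess.run(["openssl", "verify", "-CAfile", f"{trusted_root}.pem",
                        "-verify_hostname", hostname, "leaf.pem"],
                       cwd=cwd, capture_output=True)
    return r.returncode == 0


def demo(hostname="bank.example"):
    """Return {'leaked_key': bool, 'other_key': bool} for the two attacker cases."""
    work = tempfile.mkdtemp()
    try:
        with open(os.path.join(work, "req.cnf"), "w") as f:
            f.write(REQ_CONF)
        make_root("vendor-root", work)    # installed in the victim's trust store
        make_root("attacker-root", work)  # a CA nobody trusts
        # Attacker holds the leaked vendor key: the forged cert chains to the trusted root.
        mint_leaf(hostname, "vendor-root", work)
        leaked = accepted_by_client(hostname, "vendor-root", work)
        # Same attacker, same hostname, any other key: the chain breaks.
        mint_leaf(hostname, "attacker-root", work)
        other = accepted_by_client(hostname, "vendor-root", work)
        return {"leaked_key": leaked, "other_key": other}
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The practical check for an affected user is the reverse of `accepted_by_client`: list the roots in the machine's trust store and remove any that a vendor's installer added, because uninstalling the app is not guaranteed to remove the root it installed.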
A trading site, DX.Exchange, opened recently to fanfare about its facilities for trading currencies and stocks. Users must, of course, register for accounts before using it. Whatever attention went into its design was apparently not spent on security analysis. The site used JSON Web Tokens (JWTs) as the authentication tokens in its cookies, and its server responses to a single user's session carried the tokens of many other, unrelated users as well. A JWT is a bearer credential: the server accepts whoever presents a validly signed token as the user it names, so the leaked tokens could be used to log in to those other accounts.
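How a token that leaks into someone else's session becomes a working login, as an added example that is not DX.Exchange's code or part of the original item: a minimal HS256 issuer and verifier in standard-library Python stand in for the server, a constructed response body carries other users' tokens the way the site's responses did, and a scanner picks out every JWT whose `sub` claim is not the logged-in user. The secret, user names and response layout are all made up for the example. A real client would not hold the signing secret, which is why the scan only decodes the payload and leaves signature verification to the server-side function.

```python
"""Added example: a leaked JWT is a login for the account it names.
Constructed for this page (secret, users, response body); the HS256
issuer/verifier is a minimal stdlib stand-in for the server."""
import base64
import hashlib
import hmac
import json
import re

SIGNING_SECRET = b"constructed-server-side-secret"  # only the server should hold this


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(sub: str, secret: bytes = SIGNING_SECRET) -> str:
    """Server side: mint an HS256 token for user `sub`."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps({"sub": sub, "role": "trader"}, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, secret: bytes = SIGNING_SECRET):
    """Server side: return the claims if the signature checks out, else None.
    Nothing here asks who is presenting the token: it is a bearer credential."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
            return None  # refuse algorithm confusion ('none', RS256-with-public-key, ...)
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        return json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None


# A compact JWT: base64url header (a JSON object, so it starts "eyJ"), payload, signature.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")


def foreign_tokens(response_body: str, session_user: str):
    """Client-side check: every JWT in the body whose 'sub' is not the logged-in user.
    Only decodes the payload; no secret is needed to see whose token it is."""
    found = []
    for tok in JWT_RE.findall(response_body):
        try:
            claims = json.loads(_b64url_decode(tok.split(".")[1]))
        except (ValueError, UnicodeDecodeError):
            continue
        if claims.get("sub") != session_user:
            found.append((claims.get("sub"), tok))
    return found


def build_leaky_response(session_user: str = "alice") -> str:
    """Constructed stand-in for a response that carries other users' tokens."""
    body = {
        "session": {"user": session_user, "token": issue_jwt(session_user)},
        "markets": ["BTC-USD", "AAPL"],
        # The bug: unrelated users' live tokens riding along in the same payload.
        "recent_logins": [
            {"user": "bob", "token": issue_jwt("bob")},
            {"user": "carol", "token": issue_jwt("carol")},
        ],
    }
    return json.dumps(body)


def impersonatable(response_body: str, session_user: str = "alice"):
    """Accounts the session user could log in to by replaying what the server sent."""
    hits = []
    for sub, tok in foreign_tokens(response_body, session_user):
        claims = verify_jwt(tok)  # the server would accept this token as-is
        if claims is not None and claims["sub"] == sub:
            hits.append(sub)
    return sorted(hits)


if __name__ == "__main__":
    print(impersonatable(build_leaky_response()))
```

Used as a regression test on the server side, `foreign_tokens` run over every response with the session's own user is the check that would have caught this: any JWT naming another subject is a finding regardless of what field it appears in.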
Virtual Private Networks (VPNs) carry a device's Internet traffic through an encrypted tunnel to a trusted endpoint, keeping it away from the networks in between; many people use them to reach their employer's network. The Google Play Store offers many free VPN apps, and one researcher found that about 20% of those examined have security and/or privacy problems, accounting for about a quarter of a billion downloads. For example, 25% of them included location tracking, which a VPN client has no need for.
France has begun taking data protection seriously: its data-protection authority has levied a fine of 50 million euros against Google for violating the rules on informing users about how their data is used. The information was available, but it was spread across multiple documents and web pages in a manner the authority found confusing.
The fallout from the Cambridge Analytica fiasco keeps hitting Facebook. In 2011 Facebook told the FTC that it would be very careful about keeping users' personal data protected. Because Cambridge Analytica (and perhaps other companies) nonetheless obtained access to user data, Facebook may be subject to a fine, in an amount to be determined by the FTC.