IEEE Computer Society Cipher --- Items from security-related news (E147)

  • The Cyber Security Hall of Fame
    From: Gene Spafford

    The Cyber Security Hall of Fame was on hiatus while stable funding was secured. That has happened, and nominations are open for the class of 2019.

    Current honorees are listed at

    Help by nominating qualified candidates! See for details of nominations.

  • The People's Root Certificate Authority
    Sennheiser discloses monumental blunder that cripples HTTPS on PCs and Macs
    Poorly secured certificate lets hackers impersonate any website on the Internet

    Ars Technica
    By Dan Goodin

    Imagine installing headphones on your computer and finding that thereafter major websites seemed to be forgeries. That risk was incurred by users of an app that installed a root certificate in on Windows and MacOS machines. That root certificate had its private key encoded within it. Although the key was itself encrypted, hackers only needed a few minutes to extract it. From there, they could install signed certificates for any website, and the affected computers would "trust" them.

  • Dirty Cookies
    OPEN SESAME! - Hot new trading site leaked oodles of user data, including login tokens
    Data leaked by DX.Exchange would be "super easy" to criminalize.

    Ars Technica
    By Dan Goodin

    A trading site, DX.Exchange, opened recently to fanfare about its facilities for trading currencies and stocks. Users are, of course, required to register for accounts before using it. Whatever attention went into its design apparently were not spent on security analysis. The site was configured to use JSON Web tokens for its authentication cookies, and it had the habit of sending the login credentials for many random users along with whatever it needed for a single session. Those credentials could be used to login to other accounts.

  • VPNs that are Unprivate, Actually
    Malware, User Privacy Failures Found in Top Free VPN Android Apps
    Bleeping Computer
    January 21, 2019
    By Sergiu Gatlan

    Virtual Private Networks are a technology for keeping Internet data encrypted and confined to a set of trusted sites. Many people use them for connecting to their employer's networks. There are many free VPN apps in the Google Play Store, and one researcher found that about 20% of them have security and/or privacy problems. That represents about a quarter of a billion downloads. For example, 25% of them had location tracking.

  • Google Fine Not So Fine
    Google fined record L44m by French data protection watchdog
    CNIL found that company failed to offer users transparent information on data use

    The Guardian
    Alex Hern
    Jan. 21, 2019

    France has begun taking data protection seriously, and it has levied a fine of 50 million euros against Google for violating regulations about informing users about its data use policies. The data was available, but it was presented in a confusing manner in multiple documents and web pages.

  • Facebook is All Fine
    Facebook Faces Potential Record U.S. Fine on Privacy Violations
    January 18, 2019
    By David McLaughlin

    The fallout from the Cambridge Analytica fiasco keeps hitting Facebook. It seems that in 2011 Facebook told the FTC that it would be very careful about keeping users' personal data protected. Because Cambridge Analytica (and perhaps other companies) had access to user data, the Facebook may be subject to a fine to be determined by the FTC.