IEEE Cipher --- Items from security-related news (E164)

  • Dept of Commerce Dips Toe in Data Privacy for Foreign Apps
    U.S. agency submits initial recommendations on app data security to White House

    Publisher: Reuters
    Date: October 12, 2021
    By: David Shepardson

    Aiming to address worries that popular apps like TikTok and WeChat could harvest personal information of US citizens for nefarious uses in China, the Department of Commerce issued recommendations aimed at protecting such data without a full-out ban on foreign apps. The previous administration had tried to ban TikTok and WeChat from online app stores.

  • Evil Journalist Discovers How to Decode Top Secret Base64 Algorithm

    Missouri gov. calls journalist who found security flaw a "hacker," threatens to sue
    Publisher: Ars Technica
    Date: 10/14/2021
    By: Jon Brodkin

    Somehow the governor of Missouri decided that base64 encoding is an encryption method, and that led him to threaten legal action against the press for finding that his state had exposed private information of the state's teachers. The journalist who was behind this dastardly decoding of 3 SSNs on a state website had immediately reported the problem to the state. Of course, the state then had to do the embarrassing thing of telling the teachers that their private information had been exposed. The governor decided that the best apology is a broadside, so he condemned all parties involved in helping the state recognize a serious problem. Surprisingly, Cybersecurity Guide notes that Missouri has a "wealth of cybersecurity educational opportunities" and that Missouri University of Science and Technology is "recognized by the NSA for ... excellence".

    Missouri follow-up
    Nov. 10, 2021, State of Missouri statement re "Vulnerability Incident" admits some culpability re mishandling private information.

  • FBI Email Server Hacked, But No Worries
    FBI Says No Network Data Compromised After Fake Email Incident Publisher: Bloomberg News
    Date: November 14, 2021
    By: Belinda Cao

    A fake email emanating from an FBI server caused some worry about the integrity of the agency's infrastructure on November 13, but by the next day the problem was explained away. The server was dedicated to forwarding FBI notifications to state and local law enforcement, and its configueration was quickly changed to eliminate the misuse.

  • Azure Gives Database Users the Blues
    ChaosDB: How we hacked thousands of Azure customers' databases
    Publisher: Wiz
    Date: August 26, 2021
    By: Nir Ohfeld and Sagi Tzadik

    and ChaosDB: Infosec bods could pull anyone's plaintext Azure Cosmos DB keys at will from Microsoft admin tools, and they had a wildcard cert too. Still feeling secure?
    Publisher: The Register
    Date: 12 Nov 2021
    By: Gareth Corfield

    Microsoft's Azure cloud service features a database service named Cosmos DB. Many Fortune 500 companies, and others, use this tool for large-scale data management tasks that underlie their critical operations. So a bug that reveals the passwords for Cosmos DB users would be a Big Deal. But would Microsoft leave a gaping security hole like that in a flagship product? That's really unlikely. But that did happen when Microsoft developed a tool for Cosmos users that included an open-source web app for sharing live code. That app ran C# code as root. This was an astronomically large attack surface that was discovered by security researchers. They described the details recently at Black Hat Europe.