The big topic clearly is what Edward Snowden unveiled: the PRISM program and some other nation-state activities on the Internet. In fact, this did not really come as a surprise. There have been discussions and rumors about such activities (and others) for many, many years. Maybe it will help drive forward risk- and information-centric security concepts and end-to-end security instead of investing in point solutions. I will cover that topic in another blog post soon.
Facebook again struggles with privacy
However, besides PRISM etc. there have been various other security-related incidents and news. Facebook inadvertently shared the email addresses and phone numbers of 6 million users with other members. That also comes as no surprise, given that Facebook has always been brilliant at weak security and privacy architectures and implementations.
Google under regulatory pressure – again
Google sees itself confronted with new pressure from regulators. The U.K. ICO (Information Commissioner's Office) has placed a legal requirement on Google to delete any data the company still holds from its Street View snooping.
In addition, the French regulator CNIL (Commission nationale de l'informatique et des libertés) ordered Google to change its privacy policies. Unfortunately, the fines are ridiculously low, starting at 150,000 €. Obviously, the EU's plans to massively increase the potential fines and tie them to an organization's annual revenue would put far more pressure on companies such as Google.
Old bugs appear again
Sometimes, security weaknesses appear to have a long lifetime. A bug that Adobe had fixed back in 2011 reappeared in the Adobe Flash plug-in for the Google Chrome browser. Adobe informed the public that Google is working on a patch for that bug.
And again plug-ins
Plug-ins in general appear to be a potential weakness when it comes to security. The German BSI, the federal office for IT security, analyzed systems such as WordPress, Joomla!, TYPO3, etc. from a security perspective. Most of the identified security weaknesses are related to plug-ins and add-ons, in some cases up to 95% of them. Thus, you should be (even more) careful when you start enhancing such systems.
Besides these news items, there have been many others. One of the positive reports is that Microsoft and the FBI recently shut down a massive Citadel botnet. A negative one is another issue in the DNS system, where a human error led to the mis-routing of thousands of domains. Maybe it is time to start developing a successor to the stone-age DNS system?
In general, the situation in security appears to remain rather unchanged: a lot of security bugs, incidents caused by human error, nation-state attacks and other activities, and the ongoing struggle around privacy, including some massive data leaks.