The 25 Most Dangerous Software Vulnerabilities

Credit to Author: Brian Barrett| Date: Sat, 30 Nov 2019 14:00:00 +0000

DMV privacy, a password ruling, and more of the week's top security news.

Happy post-Thanksgiving weekend! Hope you’re still in a turkey coma and survived the lively political discourse with your various uncles. As you shop leftover Black Friday and upcoming Cyber Monday sales, please be safe out there; it’s a scammer’s paradise. Oh, and think twice before you give a device with a microphone or camera, especially to someone who may not realize the privacy and security implications.

This week we took a look at how privacy-focused cryptocurrencies aren’t as private as they seem—not even Harry Potter-inspired protocols. Trump won’t let go of his Ukraine server conspiracy, so neither will we. We spoke with UN Secretary-General António Guterres about conflict in cyberspace. And we explored how AI can be “hacked” by feeding it faulty data.

And if you thought your Thanksgiving debates were bad, know that the IoT encryption community is going through it, too.

And there's more. Every Saturday we round up the security and privacy stories that we didn’t break or report on in-depth but which we think you should know about nonetheless. Click on the headlines to read them, and stay safe out there.

For the first time in nearly a decade, the Department of Homeland Security has updated its Common Weakness Enumeration list of the 25 mosts dangerous software errors. In other words, the most common and critical vulnerabilities in tech today, based on a combination of prevalence and severity. You can read the list in full at the link above, but top honors to go CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer. It knocks “Improper Neutralization of Special Elements used in an SQL Command” out of the top spot. Better luck next time, SQL injection; remember that it’s an honor just to be nominated.

Insert your own joke about yet another reason to hate the DMV here. Motherboard reports that California’s Department of Motor Vehicle’s has made anywhere from $41 million to $52 million each year by selling names, addresses, and car registration info of drivers. The customers include insurance companies and car companies. California’s not the only state to do this, but the number alone is eye-popping, as is the fact that most people don’t realize that the simple act of registering their car or getting their license puts their personal info in a third-party’s hands.

The Pennsylvania Supreme Court ruled this week that a suspect in a child pornography case did not have to turn over the password to his computer, overturning a lower court’s decision. In its decision, the court wrote that disclosing a password is a verbal communication, rather than a physical act like handing over a key, and therefore the “foregone conclusion exception” that prosecutors had argued does not apply. Digital rights advocates applauded the decision.

Another week, another unsecured database. This time its online printing company Vistaprint’s turn. Security researcher Oliver Hough found a database with information related to 51,000 customer service interactions, which included some personally identifiable information and full online chats. As is often the case, it’s unclear if anyone other than Hough accessed the database before it was secured, but either way, it’s an inexcusable lapse.

https://www.wired.com/category/security/feed/