Fixing the CVE program, your personal data checking out and taking flight

Weekly Security Mashup - September 4, 2018

Taylor Armerding, Synopsys Software Integrity Group senior strategist, gives you the scoop on application security and insecurity in this week’s Security Mashup.

Fixing the CVE program, your personal data has already “checked out,” and it even “may potentially” have taken flight. Watch this week’s episode below to see why these stories are trending.

U.S. government takes steps to bolster CVE program

via Catalin Cimpanu, BleepingComputer: Almost 20 years ago, in 1999, a great idea came into being with the creation of the Common Vulnerabilities and Exposures (CVE) List. The idea behind the CVE program was this: Everybody who found an exploitable flaw or bug in software or firmware would notify a single organization (the nonprofit, federally funded MITRE Corp.). That organization would assign the vulnerability an identification number and maintain a database containing relevant info about all known vulnerabilities. It’s like crowdsourcing security. But cyber security today is not like it was in the early days of the CVE program. Watch this segment to learn why it’s trending here:

Chinese hotel chain warns of massive customer data theft

via Shaun Nichols, The Register: Hacks of personal data are now just about a daily occurrence. And one of China’s biggest hotel chains joined the list of victims last week when a number of security firms noticed that data for about 130 million guests of the Huazhu Hotel Group was up for sale for about $56,000 in Bitcoin on a Chinese dark web forum. Watch this segment here:

Air Canada mobile app breach affects 20,000 people

via Pete Evans, CBC News: Two of the most ominous words in an announcement about a data breach are “may” and “potentially.” Air Canada announced last week that the personal data of about 20,000 users of its mobile app “may potentially have been improperly accessed.” Of course, every user of the app should translate that as “definitely” and “already.” What data “may” have been compromised? At a minimum, users’ names, email addresses, and telephone numbers. Watch to learn why this story is trending in security here:


*** This is a Security Bloggers Network syndicated blog from Software Integrity authored by Taylor Armerding. Read the original post at: