
List:       isn
Subject:    [ISN] New website aims to publicly shame apps with lax security
From:       InfoSec News <alerts () infosecnews ! org>
Date:       2014-08-19 8:07:38
Message-ID: alpine.DEB.2.02.1408190807270.18751 () infosecnews ! org

http://arstechnica.com/security/2014/08/new-website-aims-to-shame-apps-with-lax-security/

By Robert Lemos
Ars Technica
Aug 18 2014

The amount of personal data traveling to and from the Internet has 
exploded, yet many applications and services continue to put user 
information at risk by not encrypting data sent over wireless networks. 
Software engineer Tony Webster has a classic solution—shame.

Webster decided to see if a little public humiliation could convince 
companies to better secure their customers' information. On Saturday, the 
consultant created a website, HTTP Shaming, and began posting cases of 
insecure communications, calling out businesses that send their customers' 
personal information to the Internet without encrypting it first.

One high-profile example includes well-liked travel-information firm 
TripIt. TripIt allows users to bring together information on their 
tickets, flight times, and itinerary and then sync it with other devices 
and share the information with friends and co-workers. Information shared 
with calendar applications, however, is not encrypted, Webster says, 
leaving it open to eavesdropping on public networks. Among the details 
that could be plucked from the air by anyone on the same wireless network: 
a user's full name, phone number, e-mail address, the last four digits of 
a credit card number, and emergency contact information. An attacker could 
even change or cancel the victim's flight, he says.

So far, TripIt and 18 other applications and services have made the 
shaming list, many submitted by other people fed up with the security 
missteps of companies, Webster says.

[...]



--
Evident.io - Continuous Cloud Security for AWS.
Identify and mitigate risks in 5 minutes or less.
Sign up for a free trial @ https://evident.io/
