Privacy Roundup #0009 • April 2007
April 2007 was dominated by Google's swallowing of DoubleClick, a wave of botnet and phishing trouble, and fresh cracks in the technologies meant to keep personal data safe.
1. Google buys DoubleClick for $3.1bn cash
Google paid 3.1bn dollars in cash for the advertising firm DoubleClick, its largest purchase to that date. The deal handed a single company an unprecedented store of data about who clicks what across the web, and privacy campaigners raised the alarm at once.
2. Privacy activists attempt block of Google's purchase of DoubleClick
The Electronic Privacy Information Center, the Center for Digital Democracy and US PIRG lodged a complaint with the Federal Trade Commission seeking to halt the DoubleClick takeover. They argued that concentrating so much information about users in one company could lead to dangerous privacy breaches.
3. TJX finds self at bottom of 300-bank pig pile
Nearly three hundred banks in the north-eastern United States sued the retailer TJX to recover the cost of a data breach that exposed more than forty-five million payment cards. The banking groups accused the company of negligent misrepresentation over the way it handled and protected customer card data.
4. Laptop thefts expose 40,000 Chicago teachers
Two laptops stolen from Chicago Public Schools headquarters held the names and social security numbers of roughly 40,000 teachers. The machines belonged to an accountancy firm auditing pension contributions, and the data sat on them without adequate encryption.
5. Student loan companies illegally use US database
The US Department of Education barred several college loan firms from the National Student Loan Data System after they searched it in ways that broke federal privacy laws. The database held social security numbers, dates of birth and financial records for nearly sixty million people.
6. Officer jailed for leaking police records to violent criminal
A police officer was sent to prison after he improperly accessed a police database and passed personal details of three people to a man with a history of violence. The Court of Appeal raised his sentence to nine months, treating the breach of trust as a serious abuse of access to sensitive records.
7. EU court rules monitoring of employee breached human rights
The European Court of Human Rights found that a Welsh college had violated an employee's privacy by monitoring her email, telephone and internet use without telling her. The judgment held that staff retain a reasonable expectation of privacy at work when no monitoring policy has been disclosed.
8. Data collation can evade Data Protection Act
The Court of Appeal ruled that selecting and compiling information already held in separate files does not always count as processing under the Data Protection Act. The decision, in a case against the Medical Defence Union, handed organisations a way to sidestep some of their obligations to the people they hold data about.
9. Home Office rethinks call data plans
The Home Office published draft regulations requiring telephone companies to keep records of calls made, though not their content, for twelve months. The rules were drawn up to meet an EU data retention directive, while the question of retaining internet records was left for later.
10. California Senate fights RFID tracking for schoolkids
The California state Senate approved a bill barring public schools from forcing pupils to carry RFID devices that broadcast their identity and track their movements. The measure followed a Sutter school's attempt to tag children, which parents and the press had forced to a halt.
11. Texas Senate waves through cell phone wiretapping bill
The Texas Senate unanimously passed a bill extending wiretap powers to mobile phones and to crimes such as kidnapping, trafficking and money laundering. It also required retailers to record the identities of people buying prepaid handsets, drawing complaints that it went too far against civil liberties.
12. Europe wants to civilise US terror war
Members of the European Parliament travelled to Washington to press for limits on American surveillance of travellers, including the Automated Targeting System and Passenger Name Records. They sought a transatlantic deal that would protect ordinary citizens from one-sided demands for their personal and financial data.
13. Phishing attack evades bank's two-factor authentication
Fraudsters drained money from ABN Amro customers who used two-factor authentication tokens, defeating a defence the banking industry had promoted as near foolproof. A man-in-the-middle phishing site captured one-time codes and relayed them to the real bank before they expired.
14. Evil twins spread zombie plague
Two malware families, Sdbot and Gaobot, accounted for four in five botnet detections in the first quarter of 2007, according to Panda Software. Widely available source code let criminals spin up custom variants that hijacked PCs to send spam, plant spyware and harvest personal data.
15. Zombies infiltrate US military networks
Researchers at Support Intelligence found spam-spewing, malware-infected computers operating inside US military networks. Machines at an air force base and a military information directorate were seen trying to reach botnet command servers, showing that even sensitive networks had been quietly compromised.
16. MS plans emergency update to fix blinking cursor bug
Microsoft rushed out an out-of-band patch for a flaw in how Windows handled animated cursor files, after attackers exploited it over a weekend. Because Internet Explorer processed the files inside web pages and HTML email, victims could be infected with keystroke loggers simply by viewing a booby-trapped message.
17. Britney fears used as ANI exploit lure
Spammers used promises of candid Britney Spears pictures to draw people to sites that attacked the unpatched Windows animated cursor bug. The campaign showed how quickly criminals wrapped a fresh exploit in social engineering to plant data-stealing code on home machines.
18. WEP key wireless cracking made easy
Researchers at Darmstadt Technical University published a method that recovered a 104-bit WEP key after capturing only about 40,000 packets, far fewer than earlier attacks needed. Processing took as little as three seconds, leaving home and business wireless networks that still relied on WEP wide open to eavesdroppers.
19. My RFID-embedded car numberplate has a virus
McAfee's Global Threat Report warned that malware could spread to new platforms such as the RFID chips planned for identity documents and car numberplates. The report noted earlier research showing that RFID tags could be infected through SQL injection attacks against the databases they talk to.
20. Spam: it sucks like a tarpit
Researchers gathering at MIT showcased new anti-spam tactics, with a tarpit approach that throttled suspect mail winning particular praise. The work also highlighted how image-based junk mail was rising sharply as spammers tried to slip past filters and reach inboxes.