Privacy Roundup #0010 • May 2007
May 2007 showed how loosely guarded data leaks everywhere, from the record TJX card theft to British DNA records, MySpace, ID cards and a spear-phishing raid on company bosses.
1. Mobile Spy ups mobile snooping powers
Retina-X Studios released Mobile Spy, software for Windows Mobile handsets that quietly logged calls and text messages for parents and employers to read. Security vendors such as F-Secure and Symantec classified the covert tool as malware because it hid itself on the target phone.
2. Lax security led to TJX breach
Investigators traced the world's largest known theft of card numbers to a weakly protected wireless network at a Marshalls store. TJX admitted losing 45.7 million card numbers, and analysts reckoned the clean-up could cost it around a billion dollars.
3. US spy chief wants 'some control' over satellite imagery
The director of the National Geospatial-Intelligence Agency argued that the government should be able to restrict commercial satellite pictures during a crisis. Critics warned that such a power amounted to censorship of openly available imagery and a threat to public oversight.
4. UK ID card costs climb £600m in six months
The Identity and Passport Service put the price of the National Identity Register and card scheme at £5.5bn, up from £4.9bn half a year earlier. Campaigners said the bill to British citizens had risen by more than a billion pounds in six months.
5. Credit card fraud fears cloud Operation Ore
A BBC investigation suggested that many of the people swept up in Britain's largest child abuse inquiry may have been victims of card fraud rather than offenders. Security experts argued that police had failed to investigate whether stolen card details, not the named holders, had paid for access.
6. Half a million kids' DNA on UK police database
The government admitted that about 521,901 children had their DNA stored on the national police database, with a third of all entries belonging to people never convicted of anything. Opposition politicians called the trend sinister and a threat to the presumption of innocence.
7. US states press MySpace to give up sex offender data
Eight state attorneys general demanded that MySpace hand over the names and details of registered sex offenders using the service. The company refused to disclose the records without a subpoena, citing federal privacy law and its own privacy policy.
8. Pirate Bay plundered by hackers
Attackers lifted a copy of the file-sharing site's user database, exposing roughly 1.6 million usernames and passwords. The passwords were stored in encrypted form, but users were urged to change any credentials they had reused elsewhere.
9. Littlewoods bombards man by phone. Big mistake
A Manchester man who was repeatedly called for a stranger held on Littlewoods' database won £150 after the firm ignored his requests to delete his number. He claimed damages under section 13 of the Data Protection Act, and the dispute settled before reaching court.
10. MP questions police computer policy
A Conservative MP challenged forces over the inconsistent removal of records from the Police National Computer, even where individuals had been cleared. He warned that innocent people were being left with permanent entries on a national database despite official guidance to delete them.
11. Adware firm sues over adware classification
Zango, formerly 180solutions, took PC Tools to court for tagging its software as a threat and removing it from users' machines. The company sought $35m in damages despite a recent settlement with regulators over deceptive installs by its affiliates.
12. Gozi hybrid Trojan menaces the net
A fresh variant of the Gozi malware paired keylogging with the ability to snoop on encrypted SSL streams. It used customised server and database code to harvest banking credentials and other sensitive data from infected machines.
13. Symbian signing is no protection from spyware
F-Secure found spyware for Symbian 9 phones that had obtained official Symbian Signed status, letting it bypass the usual security warnings. The case showed that a digital signature confirmed only authorship, not that an application was safe to trust with personal data.
14. Your space, MySpace, everybody's space
This piece examined the clash between MySpace privacy policies and public demands that the site reveal sex offenders without legal process. The author argued that companies should not be turned into law enforcement agents through pressure campaigns rather than proper warrants.
15. Bulldog fingers sacked employee for credit card scam
Cable and Wireless blamed a dismissed worker for the leak of a database holding around 100,000 customer records. The details were said to have reached Pakistani call centres that used them to trick people into surrendering their card numbers.
16. Google faces multiple privacy probes
The US Federal Trade Commission opened an inquiry into Google's $3.1bn purchase of DoubleClick, while European regulators pressed the firm over how long it kept search records. Google agreed to cooperate with the EU review as scrutiny of its data hoard mounted on both sides of the Atlantic.
17. Google Maps hits the streets
Google launched Street View, offering ground-level photographic panoramas of several American cities. The feature soon drew complaints once people realised it captured faces, number plates and views through their own windows.
18. Phony BBB email dupes more than 1,400 execs
A precisely targeted phishing campaign posed as the Better Business Bureau to lure individual company bosses into installing a data-stealing trojan. Researchers found a store of harvested data on some 1,400 victims, including Social Security and account numbers grabbed before they reached SSL protection.
19. iTunes Plus - plus user details that is
Apple's new DRM-free download service was found to embed each buyer's name and email address in every track. The hidden detail let Apple trace shared music back to the original purchaser, though it could be spoofed easily enough to undermine any case.
20. Spam King arrested in Seattle
Robert Alan Soloway was arrested and indicted on charges that included identity theft, mail fraud and money laundering over his bulk email operation. Prosecutors said he had relayed messages with forged headers through botnets and sought to recover about $772,000 in proceeds.