Privacy Roundup #0013 • August 2007

August 2007 was dominated by the rampaging Storm Worm, the swelling cost of the TJX card breach, and a run of leaks and laws that showed how casually personal data was still being handled.

1. Pirate Bay to resurrect Suprnova.org

The file-sharing group announced plans to revive Suprnova.org, once the most popular BitTorrent index before it closed in 2004. The move signalled a fresh round in the long fight between trackers and the entertainment industry.

slashdot.org

2. VeriSign worker exits after laptop security breach

A VeriSign employee lost an unencrypted laptop holding staff names, salaries, and Social Security numbers when it was stolen from a parked car in California. The security firm offered a year of credit monitoring and conceded that its own encryption policy had been ignored.

www.informationweek.com

3. Fake e-cards signal massive DDoS attack

Researchers reported a sharp surge in Storm Worm infections, with SecureWorks counting 1.7 million compromised hosts in June and July. Experts feared the operators were assembling firepower for a large distributed denial of service attack rather than mere spam.

www.informationweek.com

4. FaceTime exposes prospect contact info

The messaging security firm accidentally left unencrypted spreadsheets of white paper requesters reachable through its own website. Comments left in the page source pointed visitors straight at the exposed contact files.

www.theregister.com

5. Free download empowers black hat hackers

Immunity released a free debugger built to speed the writing of exploit code, reigniting the argument over dual-use security tools. Critics warned that the same software that helps defenders also lowers the bar for attackers.

www.theregister.com

6. The great Passenger Name Record sell out

A new agreement let the United States collect and profile European travel records using undisclosed algorithms, with European privacy protections largely circumvented through aviation treaties. The deal exposed how sensitive bookings can reveal who someone travels with, where they sleep, and even their religion through meal requests.

www.heise.de

7. Germany enacts 'anti-hacker' law

New legislation criminalised the creation and possession of dual-use security tools such as port scanners and password crackers. Several researchers and tool developers promptly announced plans to move their work abroad.

www.schneier.com

8. TJX takes $118m hit over massive security breach

The retailer set aside $118m to cover the costs and liabilities of the largest payment card breach disclosed to that point. The intrusion had run for some seventeen months and exposed tens of millions of card records.

www.informationweek.com

9. Second security breach hits Pfizer

Two password-protected laptops holding the names and Social Security numbers of around 950 contract workers were stolen from a consultant's vehicle, the second Pfizer data loss disclosed within two months. The drug maker again delayed telling affected workers, mailing notices only weeks after the May theft came to light.

www.informationweek.com

10. Universities warned of Storm Worm attacks

Colleges came under automated counterattack when they tried to scan systems infected by the Storm botnet. A research network body issued warnings after repeated incidents knocked campus services offline.

www.informationweek.com

11. Patch Tuesday update triggered Skype outage

Skype blamed a two-day global outage on the wave of reboots that followed Microsoft's monthly patches. The flood of logins exposed a bug that stopped the network's self-healing mechanism from working.

slashdot.org

12. Storm Worm of a thousand faces

The botnet's operators switched to fake membership emails to push a backdoor that mutated its code roughly every thirty minutes. The rapid morphing left signature-based antivirus tools struggling to keep up.

www.theregister.com

13. Pentagon bins home-front threat database

The Pentagon shut down its Talon database, which had gathered Threat and Local Observation Notices on supposed domestic security risks. Officials admitted the system held little analytical value and had swept up records on peaceful anti-war protesters, drawing condemnation from civil liberties groups.

www.theregister.com

14. Monster.com torpedoes rogue server as malware scam rolls on

Monster shut down a server that had used stolen recruiter logins to harvest personal details from hundreds of thousands of job seekers. The thieves then sent targeted phishing emails posing as the site to trick victims into giving up bank details.

www.computerworld.com

15. Google changes Street View privacy policy

Following sustained criticism, Google agreed to let people request the blurring of their faces and vehicle number plates in its street-level imagery. The change was an early concession in the long argument over photographing people without warning.

www.theregister.com

16. Sony bundles rootkit-like software on USB drive

A Sony fingerprint reader was found to hide files in a concealed directory using techniques reminiscent of a rootkit. The discovery revived memories of the firm's 2005 copy protection scandal and raised fears the hidden folder could shelter malware.

www.pinsentmasons.com

17. VXers rain on YouTube's parade

The Storm gang launched a campaign using fake YouTube links to lure recipients into installing malware. Infected machines were folded into the botnet to pump out yet more spam.

www.theregister.com

18. MSN Messenger flaw creates web cam peril

A buffer overflow in older versions of MSN Messenger let attackers run code on the machines of people who accepted booby-trapped web cam invitations. Upgrading to the newer Windows Live Messenger removed the risk.

www.theregister.com

19. Mystery SNAFU exposes email logins for 100 foreign embassies

A Swedish consultant published working credentials for roughly a hundred embassy and government email accounts gathered by listening on misconfigured network traffic. The episode laid bare just how weak password practice was across diplomatic institutions.

it.slashdot.org

20. Information Commissioner updates personal data guidance

The UK watchdog issued fresh guidance clarifying what counts as personal data under the Data Protection Act. It stressed that information can identify a person even without a name and that the test must account for anyone determined to single someone out.

www.theregister.com
