Privacy Roundup #0014 • September 2007

September 2007 was dominated by stolen customer databases, the Storm botnet's grip on the world's spam, and fresh fights over state surveillance on both sides of the Atlantic.

1. Attackers turn Bank of India site into malware bazaar

Criminals planted a hidden iframe on the Bank of India website that pushed more than thirty separate pieces of malware at unpatched visitors. The infrastructure traced back to the Russian Business Network, and the bank pulled its site offline once researchers raised the alarm.

www.computerworld.com

2. Germany floats Trojan for terror suspects

The German interior minister proposed deploying state-written spyware by email to monitor the computers of terrorism suspects. Critics warned that the plan was unworkable and dangerous, since a government Trojan could be detected, blocked or turned against its makers.

www.computerworld.com

3. Pentagon: Chinese military hacked us

American officials briefed reporters that they were close to certain the People's Liberation Army had breached the office of the US Defense Secretary in June. The intrusion was treated as notable because it combined network disruption with the theft of data rather than passive snooping alone.

www.computerworld.com

4. Sony to exorcise 'rootkit' from USB drives

Sony promised an update to strip rootkit-like code from its MicroVault fingerprint USB drives, which hid a directory that malware could exploit. The episode echoed the company's earlier disc digital-rights debacle that had handed virus writers a place to hide.

www.theregister.com

5. Large databases are not safe enough, says stats boffin

A Carnegie Mellon statistics professor warned that conventional anonymisation techniques could not stop individuals being re-identified from supposedly scrubbed records. The warning landed as governments pressed ahead with ever larger central databases of citizen data.

www.theregister.com

6. Tor at heart of embassy passwords leak

A Swedish security researcher captured around a thousand email passwords, including those of more than a hundred foreign embassies, by running malicious Tor exit nodes. The episode showed how diplomats had been routing unencrypted traffic through anonymity servers without grasping that exit operators could read it.

it.slashdot.org

7. 'All-in' DNA database plan hinges on human rights case

A senior judge revived calls for a universal British DNA database covering the whole population. Civil liberties campaigners pointed to a pending European human rights case over the retention of innocent people's samples that could derail any such scheme.

news.slashdot.org

8. Secretive FBI 'National Security Letters' to ISPs, telcos halted

A federal judge struck down Patriot Act provisions that let the FBI demand customer records from internet and telephone firms without judicial oversight. The court found the secret National Security Letters, often paired with gagging orders, incompatible with constitutional limits on government power.

www.eff.org

9. ISPs turn blind eye to million-machine malware monster

Researchers complained that large internet providers routinely ignored abuse reports about infected customer machines. The Storm Worm botnet was by then thought to span millions of compromised computers, making it one of the most powerful criminal networks ever assembled.

www.theregister.com

10. Yahoo feeds Trojan-laced ads to MySpace and PhotoBucket users

Yahoo's Right Media advertising network served banner adverts that silently pushed malware onto unpatched Windows machines across high-traffic sites. The campaign ran for roughly three weeks and exposed millions of visitors before it was halted.

www.theregister.com

11. Microsoft dispels rumors of stealth Windows updates

Users discovered that Windows Update had quietly modified nine files even on machines configured to block automatic updates. Microsoft explained that the changes patched the update service itself, while admitting it should have been more transparent about the behaviour.

www.engadget.com

12. Storm Worm linked to spam surge

MessageLabs tied a sharp jump in junk mail to a burst of Storm Worm activity that distributed hundreds of thousands of Trojans within a day. Analysts attributed the operation to a small Russian group using fast-flux hosting and constant code mutation to dodge detection.

www.theregister.com

13. Hackers infiltrate TD Ameritrade client database

Intruders installed a backdoor on the broker's network and harvested names, email addresses, phone numbers and postal addresses from a database covering 6.3 million accounts. The firm declined to say how long the breach had lasted or how the attackers had got in.

www.informationweek.com

14. BitTorrent-busters busted by BitTorrent

Internal emails from anti-piracy firm MediaDefender were leaked onto file-sharing networks, exposing tactics such as a fake video site built to entrap users. The breach began when an employee forwarded company mail to a personal account protected by a weak password.

it.slashdot.org

15. Web host breach may have exposed passwords for 6,000 clients

Layered Technologies disclosed that an attacker had broken into a support database holding the details of as many as six thousand customers. Names, addresses, contact information and possibly passwords were thought to have been exposed through a vulnerable support application.

www.theregister.com

16. ABN Amro customer deets tip up on BearShare

A former ABN Amro mortgage employee accidentally exposed records for more than five thousand customers by sharing files over the BearShare peer-to-peer network. The leaked data included social security numbers and mortgage details, illustrating the risk of file-sharing software on machines holding sensitive records.

www.theregister.com

17. Iraq fiasco creeps into NSA surveillance controversy

President Bush pressed Congress to make permanent the Protect America Act, which allowed warrantless wiretapping of communications with an overseas target. Intelligence chief McConnell argued that the law was partly about establishing that such surveillance fell outside the Fourth Amendment entirely.

www.theregister.com

18. Pirate Bay sues media giants for 'sabotage'

The Pirate Bay filed a criminal complaint against entertainment firms after the leaked MediaDefender emails appeared to document sabotage, denial-of-service attacks and spamming. The same trove revealed coordination between private companies and law enforcement.

www.pinsentmasons.com

19. Unisys blamed for DHS data breaches

A congressional committee accused the contractor of failing to detect breaches that sent data from around 150 Homeland Security computers to a Chinese-language website. Lawmakers further alleged that Unisys had falsified network security certifications to conceal the lapses.

www.computerworld.com

20. Canadian privacy commissioner slams TJX data policy

Canada's privacy watchdog ruled that the retailer behind the record-breaking card breach had collected too much data, kept it too long and relied on weak encryption. The commissioner judged the breach foreseeable and secured promises of security and privacy improvements.

www.computerworld.com

