Privacy Roundup #0015 • October 2007

October 2007 saw the TJX card breach balloon past ninety million accounts, Britain switch on powers to compel decryption keys, and the Storm worm fight back against the researchers chasing it.

1. UK police can now force you to reveal decryption keys

Britain switched on Part III of the Regulation of Investigatory Powers Act, letting officials serve a notice that compels a person to hand over an encryption key or decrypt the material themselves. Refusal carried up to five years in prison for terrorism cases and two years for everything else.

www.pinsentmasons.com

2. First RIAA file-sharing trial begins

Jammie Thomas became the first of roughly 26,000 accused file-sharers to take the recording industry to a jury rather than settle. The labels sought damages over two dozen songs they said she had shared on Kazaa under the name "tereastarr".

news.slashdot.org

3. eBay: botnets are Linux-happy

eBay's security chief told a conference that most phishing sites targeting eBay ran on compromised Linux servers rather than Windows machines. He added that eBay now assumes anyone contacting it from a personal desktop is probably doing so from an infected computer.

www.infoworld.com

4. German watchdog opposes Google purchase of DoubleClick

Germany's data protection commissioner for Schleswig-Holstein warned that folding DoubleClick's advertising databases into Google would amount to a massive violation of data privacy rights. He argued the merger would breach fundamental provisions of the European Data Protection Directive.

www.pinsentmasons.com

5. The Storm Worm

Bruce Schneier dissected Storm as a worm, a Trojan and a bot rolled into one, built for profit rather than notoriety. He described its peer-to-peer command structure, its morphing code and its quiet patience as the qualities that made it so hard to dislodge.

www.schneier.com

6. Yahoo! teams! with! eBay! and! PayPal! to! end! phishing!

Yahoo, eBay and PayPal announced that Yahoo Mail would discard messages claiming to come from ebay.com or paypal.com addresses unless they carried a valid DomainKeys signature from those domains. Critics noted that the scheme only covers mail that forges those two sender domains; phishing sent from unrelated or lookalike domains is untouched.

www.theregister.com
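The policy the three companies described, reduced to its decision logic, as an added example that is not Yahoo, eBay or PayPal code. Real DomainKeys signs canonicalised headers and body with RSA and publishes the public key in DNS; here an HMAC keyed by a per-domain secret stands in for that signature so the example runs offline (an assumption for the demo, not how the real scheme works). The messages and domain names are constructed, and the verdict on the lookalike domain is the gap the critics pointed at.

```python
"""Signing-domain enforcement of the kind Yahoo Mail applied to eBay and
PayPal mail.  Added example, not Yahoo, eBay or PayPal code.  An HMAC keyed
by a per-domain secret stands in for the RSA signature DomainKeys really uses
(assumption for the demo)."""
import hashlib
import hmac

# Constructed per-domain secrets standing in for DNS-published RSA keys.
SIGNING_KEYS = {"ebay.com": b"ebay-demo-key", "paypal.com": b"paypal-demo-key"}
# Domains whose unsigned mail the receiver has agreed to discard.
ENFORCED_DOMAINS = frozenset(SIGNING_KEYS)
SIGNED_HEADERS = ("from", "to", "subject")


def parse_message(raw):
    """Split an RFC 822-style message into a lower-cased header dict and body."""
    head, _, body = raw.partition("\n\n")
    headers = {}
    for line in head.splitlines():
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def canonical(headers, body):
    """Fixed-order headers plus body: the bytes the signature covers."""
    lines = ["%s:%s" % (h, headers.get(h, "")) for h in SIGNED_HEADERS]
    return ("\n".join(lines) + "\n" + body.rstrip("\n") + "\n").encode()


def sender_domain(headers):
    addr = headers.get("from", "")
    if "<" in addr:
        addr = addr.split("<", 1)[1].rstrip(">")
    return addr.rsplit("@", 1)[-1].strip().lower()


def sign(raw, domain):
    """Prepend a DomainKey-Signature header binding the message to `domain`."""
    headers, body = parse_message(raw)
    tag = hmac.new(SIGNING_KEYS[domain], canonical(headers, body),
                   hashlib.sha256).hexdigest()
    return "DomainKey-Signature: d=%s; b=%s\n%s" % (domain, tag, raw)


def verify(raw):
    """Receiver's verdict for one message:
    'pass'   valid signature from the From: domain
    'fail'   signature present but wrong domain or tampered content
    'reject' unsigned mail from a domain that promised to sign everything
    'none'   unsigned mail from any other domain (not covered by the scheme)
    """
    headers, body = parse_message(raw)
    domain = sender_domain(headers)
    sig = headers.get("domainkey-signature")
    if sig is None:
        return "reject" if domain in ENFORCED_DOMAINS else "none"
    fields = dict(f.strip().split("=", 1) for f in sig.split(";") if "=" in f)
    d = fields.get("d", "").lower()
    if d != domain or d not in SIGNING_KEYS:
        return "fail"
    expected = hmac.new(SIGNING_KEYS[d], canonical(headers, body),
                        hashlib.sha256).hexdigest()
    return "pass" if hmac.compare_digest(expected, fields.get("b", "")) else "fail"


# Constructed messages for the demo.
GENUINE = ("From: eBay <billing@ebay.com>\nTo: user@yahoo.com\n"
           "Subject: Your invoice\n\nYour October invoice is ready.\n")
LOOKALIKE = ("From: eBay <billing@ebay-secure-login.example>\nTo: user@yahoo.com\n"
             "Subject: Verify your account\n\nClick here within 24 hours.\n")

if __name__ == "__main__":
    signed = sign(GENUINE, "ebay.com")
    print("signed, genuine domain:", verify(signed))        # pass
    print("unsigned, genuine domain:", verify(GENUINE))     # reject
    print("signed then tampered:", verify(signed.replace("is ready", "is overdue")))  # fail
    print("unsigned, lookalike domain:", verify(LOOKALIKE))  # none
```

The fourth verdict is the point: a message from `ebay-secure-login.example` is simply outside the policy, so it is delivered exactly as before. Signing only proves that mail which claims a domain really came from it; it says nothing about mail that does not make the claim.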

7. Tax man praised for owning up to lost laptop

HM Revenue and Customs voluntarily disclosed the theft of an encrypted laptop holding data on about 400 holders of high-value savings accounts. Security commentators praised the candour, though a printout taken in the same theft left at least one victim fearful of identity theft.

www.theregister.com

8. Get a grip, file-sharing freeloaders: you've never had it so good

This opinion piece on the Jammie Thomas case argued that the recording industry's lawsuits were futile while file-sharing campaigners lacked moral standing. It urged advocates to press for licensed peer-to-peer services rather than claim victimhood.

www.theregister.com

9. UK ID card service mounts birth, marriage, death landgrab

The Identity and Passport Service announced it would absorb the General Register Office, consolidating control over records of every birth, marriage and death. Critics warned this let the agency build a lifelong biographical file on everyone, even people who never sought a card or passport.

www.theregister.com

10. EU privacy verdict on Google set for new year

The Article 29 Working Party said it would deliver its judgment on Google's search-log retention in early 2008. Google had already cut its anonymisation period from two years to eighteen months in an attempt to head off the criticism.

www.theregister.com

11. Skype Trojan steals login credentials

A piece of malware posing as a Skype security plug-in showed users a fake login screen and harvested their credentials. It also grabbed saved Internet Explorer passwords and sent the lot to a server controlled by the attackers.

www.computerworld.com

12. Pump-and-dump scammers debut MP3 spam

Stock fraudsters switched tactics again, sending MP3 files disguised as tracks by Elvis and Fergie that actually held a monotone voice touting an obscure Canadian firm. Security researchers said such schemes had grown from under one per cent of spam in 2005 to about a quarter.

www.computerworld.com

13. Comcast busted for bagging BitTorrents (again)

The Associated Press confirmed through its own tests that Comcast actively interfered with peer-to-peer uploads by injecting forged TCP reset (RST) packets that made each end believe the other had closed the connection. Comcast leaned on a semantic defence, insisting it blocked no websites or applications while admitting that it "managed" traffic.

www.eff.org
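One way to tell an injected reset from a genuine one, as an added example that is not the AP's or the EFF's test code. A reset really sent by the remote host arrives with the same IP TTL as that host's other packets; one forged by a device part-way along the path arrives with a TTL that does not match. The packet records below are constructed for the demo, as seen from the uploading host's side, and the `Packet` layout is the example's own, not a capture format.

```python
"""Flag TCP resets whose TTL does not match the earlier packets of the same
sender on the same flow.  Added example, not the AP's or EFF's test code;
packets are constructed for the demo."""
from typing import List, NamedTuple, Tuple


class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # TCP flag letters, e.g. "S", "SA", "PA", "R"
    ttl: int


def find_forged_resets(packets: List[Packet], slack: int = 1) -> List[Tuple[Packet, int]]:
    """Return (rst_packet, baseline_ttl) for every RST whose TTL differs by
    more than `slack` hops from the TTL of the same endpoint's earlier non-RST
    packets on that flow.  A RST with no earlier traffic from its sender is
    left alone: there is no baseline to judge it against."""
    baseline = {}  # (src, sport, dst, dport) -> TTL of that sender's first packet
    suspects = []
    for p in packets:
        key = (p.src, p.sport, p.dst, p.dport)
        if "R" in p.flags:
            seen = baseline.get(key)
            if seen is not None and abs(seen - p.ttl) > slack:
                suspects.append((p, seen))
        else:
            baseline.setdefault(key, p.ttl)
    return suspects


# Constructed capture: a BitTorrent upload from 192.0.2.10 (us) to 198.51.100.7.
# Our packets leave with TTL 64; the peer's genuine packets arrive with TTL 52.
# The sixth packet claims to come from the peer but arrives with TTL 61.
SAMPLE = [
    Packet("192.0.2.10", 6881, "198.51.100.7", 51413, "S", 64),
    Packet("198.51.100.7", 51413, "192.0.2.10", 6881, "SA", 52),
    Packet("192.0.2.10", 6881, "198.51.100.7", 51413, "A", 64),
    Packet("192.0.2.10", 6881, "198.51.100.7", 51413, "PA", 64),   # BT handshake
    Packet("198.51.100.7", 51413, "192.0.2.10", 6881, "PA", 52),
    Packet("198.51.100.7", 51413, "192.0.2.10", 6881, "R", 61),    # TTL off by 9
    # A second flow the other side really does reset: TTLs agree, not flagged.
    Packet("203.0.113.9", 40000, "192.0.2.10", 6881, "S", 50),
    Packet("192.0.2.10", 6881, "203.0.113.9", 40000, "SA", 64),
    Packet("203.0.113.9", 40000, "192.0.2.10", 6881, "R", 50),
]

if __name__ == "__main__":
    for pkt, seen in find_forged_resets(SAMPLE):
        print("suspect RST %s:%d -> %s:%d ttl=%d, sender's other packets ttl=%d"
              % (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.ttl, seen))
```

The check is a heuristic: a middlebox that copies the peer's TTL defeats it, and a path change can shift a genuine TTL by a hop or two, which is what `slack` absorbs. In practice it is combined with sequence-number checks and with noticing that resets arrive at both ends of the connection at about the same moment.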

14. TJX breach was twice as big as admitted, banks say

Banks told a Boston court that the TJX intrusion had exposed more than 94 million accounts, over double the retailer's earlier figure of 45.7 million. Visa alone faced tens of millions of dollars in fraud losses from accounts taken during the seventeen-month compromise.

www.computerworld.com

15. Storm Worm retaliates against security researchers

Researchers probing the Storm botnet found it could strike back, flooding their connections with denial-of-service traffic for days. The malware had also learned to disable antivirus tools while appearing to leave them running.

www.informationweek.com

16. eBay employee 'torpedoes' fraud trial

An eBay fraud investigator left the country before giving evidence, collapsing the prosecution of an alleged scammer in Exeter. The judge briefly weighed turning the witness's plane around before deciding against inconveniencing the other passengers.

www.theregister.com

17. New strain of Gozi Trojan prowls the net

Russian criminals spread a fresh Gozi variant through booby-trapped PDF files that exploited Adobe Reader. The malware excelled at lifting financial data even from secured sessions and had already been linked to more than two million dollars in theft, yet only a quarter of antivirus products detected it.

www.theregister.com

18. World's most gullible supermarket chain falls victim to online scam

The Supervalu grocery chain wired more than ten million dollars to fraudsters who emailed it posing as suppliers and asking that payments go to new bank accounts. Federal authorities froze the receiving accounts before the money could be drained.

www.theregister.com

19. Macs seized by porn Trojan

A Trojan named OSX.RSPlug.A spread through adult websites that told Mac visitors they needed a special video codec. The "codec" installer instead changed the Mac's DNS server settings to attacker-controlled resolvers, so that lookups for eBay, PayPal and banking sites could be quietly answered with the attackers' own addresses.

apple.slashdot.org
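A DNS changer of this kind leaves its resolvers in the system configuration, so the practical check is to list the resolvers the Mac is actually using and flag any that are neither on the local network nor known to the owner. The script below is an added example, not part of the original story or any vendor tool. It parses the output of `scutil --dns` (the sample text is constructed in that command's layout), and the `KNOWN_RESOLVERS` allowlist is a placeholder the reader fills in.

```python
"""Audit the resolvers a Mac is using against local-network and allowlisted
addresses.  Added example; the sample scutil output and the allowlist are
constructed placeholders."""
import ipaddress
import re
import subprocess

# Assumption: resolvers the owner expects (ISP or corporate); fill in for real use.
KNOWN_RESOLVERS = {"192.0.2.53"}

# Addresses that are plausibly a home router or the machine itself.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

NAMESERVER_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)", re.M)

# Constructed sample in the layout `scutil --dns` prints: resolver #2 is what a
# DNS changer leaves behind.
SAMPLE_SCUTIL = """DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  if_index : 4 (en0)

resolver #2
  nameserver[0] : 203.0.113.66
  nameserver[1] : 203.0.113.67
  flags    : Request A records
"""


def resolvers_from_scutil(text):
    """Every nameserver address listed in scutil --dns output, in order."""
    return NAMESERVER_RE.findall(text)


def unexpected_resolvers(servers, known=KNOWN_RESOLVERS):
    """Servers that are neither local-network addresses nor on the allowlist."""
    flagged = []
    for s in servers:
        try:
            ip = ipaddress.ip_address(s)
        except ValueError:
            flagged.append(s)          # not even an address; worth a look
            continue
        if str(ip) in known or any(ip in net for net in LOCAL_NETS):
            continue
        flagged.append(s)
    return flagged


def audit_live():
    """Run scutil on this machine (macOS only) and return the suspect resolvers."""
    out = subprocess.run(["scutil", "--dns"], capture_output=True,
                         text=True, check=True).stdout
    return unexpected_resolvers(resolvers_from_scutil(out))


if __name__ == "__main__":
    print(unexpected_resolvers(resolvers_from_scutil(SAMPLE_SCUTIL)))
```

A resolver on the local network can still be wrong if the router itself has been reconfigured, so the allowlist should hold the addresses the router is expected to forward to as well, and the same check is worth running against the router's own settings.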

20. Trick or trojan - watch out for Halloween malware

Researchers warned of seasonal spam promoting a "dancing skeleton" download that actually carried the Storm Trojan. The gang behind it was thought to control infrastructure responsible for roughly a fifth of the world's spam.

www.helpnetsecurity.com
