Privacy Roundup #0025 • August 2008

August 2008 was dominated by Phorm fallout, mounting state surveillance plans, and a run of government data losses and smartcard cracks.

1. US customs: yes, we can seize your laptop, iPod

The US Department of Homeland Security confirmed that border agents may search and copy travellers' digital devices without reasonable suspicion. Officials may also retain the devices and pass copies of their contents to other agencies and private firms.

www.eff.org

2. Feds charge 11 in TJX ID fraud case

Federal prosecutors indicted eleven people over the theft of more than 40 million credit and debit card accounts from TJX, BJ's Wholesale Club, OfficeMax and other retailers. The case was described as the largest identity theft prosecution ever brought in the United States.

yro.slashdot.org

3. Researcher gives Elvis and bin Laden fake e-passports

In tests run for The Times, researchers altered the chip in a British e-passport to carry images of Osama bin Laden and Elvis Presley. The forged chips passed as genuine through the reference reader software used to set international passport standards.

yro.slashdot.org

4. Feds accuse bank insider of massive data heist

A former Countrywide analyst was charged with stealing around 20,000 customer records a week over two years and selling them on. The pilfered data included names, addresses, loan amounts and Social Security numbers.

www.computerworld.com

5. German hackers poke hole in great firewall of China

The Chaos Computer Club handed out USB sticks loaded with the Tor anonymity browser to help visitors evade Chinese internet censorship during the Beijing Olympics. The group warned that China was not merely blocking sites but logging the traffic of those who read them.

www.theregister.com

6. FCC rules against Comcast for BitTorrent blocking

The US Federal Communications Commission voted three to two to censure Comcast for secretly throttling BitTorrent traffic. The commission ordered the company to stop the practice and to disclose its network management policies to subscribers.

www.eff.org

7. Hacking Mifare transport cards

Researchers at Radboud University demonstrated that the Mifare Classic chip behind London's Oyster card and hundreds of transit systems could be cracked and cloned in minutes. A Dutch court rejected the chipmaker's attempt to suppress the work, ruling that the weak design, not the disclosure, was at fault.

www.schneier.com

8. Phorm papers reveal BT's backwards approach to wiretap law

Documents showed that BT had secretly tested Phorm on 18,000 customers in autumn 2006 before it asked the Home Office whether the system was lawful. The order of events raised doubts over whether BT genuinely believed the trials complied with wiretapping law.

www.theregister.com

9. UK.gov misses deadline on EU Phorm probe

The British government failed to answer the European Commission's questions about BT's secret Phorm trials within the one month it had been given. The Commission had asked why no UK authority had investigated the interception of tens of thousands of customers' web browsing.

www.theregister.com

10. Google tells Congress it's not Phorm

Google assured American lawmakers that, unlike Phorm and NebuAd, it did not use deep packet inspection to target advertisements. Critics countered that the firm's vast store of browsing data posed its own privacy risks regardless of the method.

www.theregister.com

11. Phorm secretly tracked Americans too

Phorm was found to have deployed its behavioural advertising technology on US Wi-Fi networks from 2005 under its former name, 121Media. The system, called PageSense, tracked users' browsing on hotel and municipal networks before the firm turned to British ISPs.

www.theregister.com

12. Facebook sued for Beacon blunder

A class action filed in California accused Facebook and eight retailers of breaking privacy and wiretapping laws through the Beacon advertising service. Beacon broadcast users' purchases on partner sites to their friends without proper consent.

www.theregister.com

13. UK.gov to spend hundreds of millions on a snooping silo

The government pressed ahead with the Interception Modernisation Programme, a centralised database to hold records of calls, texts, emails and web use for up to two years. The nine-figure scheme was driven by the intelligence agencies despite opposition from privacy campaigners.

www.theregister.com

14. UK.gov loses 29 million personal records

Analysis of departmental accounts showed that the British government had leaked around 29 million personal records in a single year. The total included 25 million from the lost child benefit discs and a missing Ministry of Defence laptop holding 620,000 records.

www.theregister.com

15. Red Hat hack prompts critical OpenSSH update

Red Hat disclosed that intruders had breached its systems and tampered with a small number of OpenSSH packages for Red Hat Enterprise Linux. The firm issued an urgent update and said its main distribution network had not been compromised.

www.computerworld.com

16. Home Office contractor loses entire prison population

PA Consulting lost a memory stick holding the personal details of about 84,000 prisoners and 10,000 prolific offenders. The unencrypted data had been copied from a supposedly secure Home Office database for processing and then vanished.

www.theregister.com

17. Unencrypted traveller data laptop disappears then reappears

A laptop holding unencrypted records for 33,000 members of the Clear airport fast-track scheme was reported stolen from San Francisco airport. The machine later turned up in the office it had come from, prompting questions over whether it had been taken at all.

yro.slashdot.org

18. Best Western plays down impact of hack attack

A Scottish newspaper reported that a hacker had stolen eight million customer records from Best Western's European reservation system. The chain insisted the breach was confined to a single Berlin hotel and a handful of records.

www.heise.de

19. Hijacking huge chunks of the internet, a new how to

Researchers at Defcon showed how the Border Gateway Protocol could be abused to redirect huge volumes of internet traffic through systems they controlled. The man-in-the-middle technique let them intercept unencrypted data without touching the target network.

it.slashdot.org

20. Fog of attack clouds Best Western hack

A follow-up examined the gulf between the reported eight million records and Best Western's claim of just ten. The dispute turned on whether the infected hotel PC could reach the chain's worldwide reservation system or only local guest data.

www.heise.de

