Privacy Roundup #0029 • December 2008
December 2008 closed the year with a landmark Strasbourg ruling against the UK DNA database, fresh deep packet inspection rows, and a clutch of payment and government data failures.
1. New terror guidelines on photography
The National Police Improvement Agency issued fresh guidance reminding officers that the Terrorism Act 2000 does not prohibit people from taking photographs in public, even where a section 44 stop and search authority is in force. The clarification followed a run of incidents in which police had wrongly stopped students and amateurs for pointing cameras at stations and public buildings.
2. Malware spread explains Pentagon USB ban
A worm known as Agent.btz spread through US military networks in Iraq and Afghanistan after arriving on an infected USB drive, reaching one classified system. The scale of the infection prompted the Pentagon to suspend the use of removable storage and even warranted a presidential briefing.
3. Online payment site hijacked by notorious crime gang
Attackers seized control of CheckFree domains by stealing the firm's credentials at its registrar and pointed visitors to a server in Ukraine. The rogue site presented a bogus certificate and pushed malware onto customers before the company regained control hours later.
4. Human rights court rules UK DNA grab illegal
The Grand Chamber of the European Court of Human Rights ruled unanimously that the indefinite retention of innocent people's DNA and fingerprints breached Article 8 of the Convention. The judgment put more than 570,000 profiles held on the National DNA Database in question.
5. EU asks Google for privacy advice
The European Commission invited Google's global privacy counsel onto a new advisory group helping to shape future data protection legislation, drawing criticism given the firm's long retention of search records. Google used the platform to argue that a company should answer to only one national regulator rather than every member state in which it operates.
6. Brit ISPs censor Wikipedia over 'child porn' album cover
Six British internet providers filtered a Wikipedia article on a 1976 Scorpions album after the Internet Watch Foundation added the page to its blacklist. The transparent proxies used to enforce the block funnelled British editors through shared addresses and crippled editing of the site.
→ eff.org
7. Facebook worm hijacks web search
A fresh variant of the Koobface worm spread across Facebook by posting messages to friends that lured them to fake sites offering a bogus Flash update. Once installed on Windows machines, the malware hijacked victims' search queries and redirected them to scam pages for profit.
8. Leeds Council loses kids' details
Leeds City Council mislaid an unencrypted memory stick holding the personal records of around 5,000 nursery-age children. The data covered names, addresses, dates of birth, phone numbers, ethnicity, child protection notes and whether parents claimed benefits.
9. IWF pulls Wikipedia from child porn blacklist
After days of disruption and public anger, the Internet Watch Foundation reversed its decision and removed the Wikipedia page from its list. The body conceded that its action had produced the opposite effect and regretted the consequences for the encyclopedia and its readers.
10. Sony sued for collecting kids' data
The US Federal Trade Commission sued Sony BMG Music Entertainment for gathering personal details from about 30,000 children under thirteen without parental consent. The information had been harvested through roughly 1,100 artist and band websites since 2004, in breach of the Children's Online Privacy Protection Act.
11. American Express web bug exposes card holders
A cross-site scripting flaw on the American Express website let attackers steal customers' authentication cookies and hijack their accounts. The researcher who found it warned the firm for a fortnight without reply, an awkward lapse for a founding member of the body that writes the payment card security rules.
12. German card leak delivered by microfilm
A Frankfurt newspaper received an anonymous package of microfilmed credit card records from Landesbank Berlin, Germany's largest card issuer. The data covered cardholders' names, addresses, numbers and payment histories for several co-branded cards.
→ heise.de
13. Virgin Media to dump neutrality and target BitTorrent users
Virgin Media confirmed plans to use deep packet inspection to single out and throttle BitTorrent traffic rather than treat heavy users equally. The move reversed earlier assurances that the company would not discriminate between applications.
14. Jacqui promises Ripa changes
Home Secretary Jacqui Smith announced a review of the code of practice governing council use of surveillance powers under the Regulation of Investigatory Powers Act, distinguishing serious enforcement from snooping on litter and dog fouling. She also promised a White Paper on DNA retention and the removal of the youngest children from the database.
15. Yahoo! mocks Google Privacy Theatre
Yahoo! announced it would anonymise search records within ninety days and contrasted its method with Google's nine-month policy. The piece argued that Yahoo! deleted far more identifying detail, while Google merely altered a few bits of stored addresses and left cookie data intact.
→ eff.org
16. Ohio prof develops CCTV people-tracker 'ware
Researchers at Ohio State University unveiled software that automatically follows a chosen person across a network of CCTV cameras. The system stitches feeds into geo-referenced panoramas and hands cameras off to one another without any human operator steering them.
17. Giant US air travel data suck fails own privacy tests
A Department of Homeland Security review of its handling of airline Passenger Name Record data admitted a string of failures despite claiming compliance. Privacy campaigners said the report's own findings undercut its conclusion that the vast collection of traveller information met the agency's stated safeguards.
18. RBS WorldPay breach exposes 1.5 million
RBS WorldPay disclosed that hackers had compromised the records of about 1.5 million payroll and gift card holders, along with up to 1.1 million social security numbers. The firm reset card PINs but faced criticism for waiting weeks and announcing the breach just before Christmas.
19. Boffins bust web authentication with game consoles
Researchers used a cluster of more than two hundred PlayStation 3 consoles to exploit weaknesses in the MD5 algorithm and forge a rogue certificate authority. Presented at the Chaos Communication Congress in Berlin, the attack meant they could mint trusted SSL certificates for any website and impersonate secure sites at will.
20. Google scrubs urinating woman from Street View
Google removed a Street View image of a woman relieving herself in Madrid within twelve hours of bloggers spotting it. The episode renewed questions about Street View's intrusion, with the firm's face and body blurring failing to mask the subject.