Privacy Roundup #0031 • February 2009
February 2009 was dominated by the Conficker worm crippling courts and air forces, a Facebook revolt over who owns your data, and fresh scrutiny of location tracking and behavioural advertising.
1. Heartland data breach hit 160 banks (and rising)
The fallout from the Heartland Payment Systems intrusion widened as at least 160 banks across the United States, Canada, Bermuda and Guam told customers their card details may have been exposed. A survey of community bankers found that 83 per cent of respondents had some debit or credit details caught up in the breach, with one institution alone reporting 75,000 affected cards.
2. Google launches Latitude location sharing
Google added an opt-in service called Latitude to Google Maps for mobile, letting users broadcast their position to chosen friends. The launch put continuous location sharing in front of a mass audience for the first time and immediately raised questions about consent and retention.
3. Researcher clones RFID passport cards from a moving car
Security researcher Chris Paget drove through San Francisco and read the identifiers of nearby passport cards and enhanced driving licences using a kit he built for around 250 dollars. His demonstration showed how remotely readable government identity documents could be captured and cloned without the holder noticing.
4. Privacy International calls Latitude a danger to security
Privacy International warned that Google Latitude lacked safeguards to stop someone secretly enabling tracking on another person's handset. The group argued the service could become a tool for stalkers, jealous partners and prying employers.
5. FTC settles data security charges with Geeks.com operator
The Federal Trade Commission reached a settlement with Genica, the parent of Geeks.com, over claims it had falsely promised to protect customer data. Hackers had used SQL injection to lift card numbers that the firm had stored and transmitted without encryption.
6. House of Lords warns surveillance erodes constitutional foundations
The House of Lords Constitution Committee published "Surveillance: Citizens and the State", calling the spread of CCTV, DNA records and data collection one of the most significant changes in national life since the war. The peers urged judicial oversight of state surveillance and limits on council snooping.
7. WikiLeaks publishes thousands of Congressional Research Service reports
WikiLeaks released 6,780 Congressional Research Service reports that Congress had kept from the public despite their being in the public domain. The disclosure opened more than 127,000 pages of taxpayer-funded analysis to ordinary readers.
8. Conficker shuts down the Houston justice system
The Conficker worm infected hundreds of machines on Houston's municipal network, forcing courts to close and police to stop arrests for minor offences. Staff fell back on pen and paper while the city paid outside consultants to clean up.
9. Microsoft urges common search anonymisation before EU regulators
Ahead of a hearing of the EU's Article 29 Working Party on search engines, Microsoft said it would cut its retention period to six months if rivals matched the move. The company argued that uniform anonymisation across Google, Yahoo and Microsoft would do more for privacy than any single firm acting alone.
10. European Court upholds the legal basis of the Data Retention Directive
The European Court of Justice rejected Ireland's challenge and ruled that the Data Retention Directive had been correctly adopted as an internal market measure. The court pointedly declined to address whether bulk retention of communications data infringed fundamental rights.
→ edri.org
11. Brussels threatens formal action against the UK over Phorm
The European Commission warned it might take formal action against Britain for failing to act over BT's secret interception trials with the advertising firm Phorm. The Commission questioned whether UK law adequately protected the confidentiality of communications.
12. Microsoft offers 250,000 dollars for the Conficker author
Microsoft posted a 250,000 dollar reward for information leading to the arrest and conviction of whoever wrote the Conficker worm. The bounty accompanied a coordinated industry effort to disable the domains the worm used to receive instructions.
13. Conficker grounds French Navy fighter jets
The Conficker worm spread through the French Navy's Intramar network, leaving Rafale aircraft unable to download their flight plans. The infection forced the service to quarantine systems and fall back on telephone, fax and post.
14. Facebook reverts its terms after a user revolt
Facebook backed down on revised terms that appeared to claim a perpetual licence over anything users posted, even after they deleted their accounts. After widespread outrage and a planned complaint to regulators, the company restored its previous terms and promised a more open governance process.
15. FTC revises its principles for behavioural advertising
FTC staff issued revised self-regulatory principles for online behavioural advertising, covering transparency, security, limited retention and consent for sensitive data. The agency framed the report as a final chance for industry to police itself before regulators stepped in.
16. Adobe warns of a Reader and Acrobat zero-day exploited in the wild
A buffer overflow in the way Adobe Reader and Acrobat handled JBIG2 image streams allowed attackers to run code through booby-trapped PDF files. Exploit code was already circulating, and a patch would not arrive for several weeks.
17. "Sexy View" worm spreads through signed Symbian phones
A mobile worm packaged as "Sexy View" harvested phone numbers and device details from infected Symbian handsets and sent them to remote servers. Unusually, it carried a valid digital certificate, which helped it install with elevated privileges and spread by text message.
18. Microsoft confirms an Excel zero-day under targeted attack
Microsoft published an advisory about a flaw in how Excel parsed legacy Office documents that attackers were already exploiting in limited, targeted attacks. A malformed spreadsheet could give an intruder complete control of a victim's computer.
19. Thousands of Kaiser Permanente employees exposed in a data breach
Kaiser Permanente disclosed that the names, addresses, birth dates and Social Security numbers of about 29,500 employees may have been exposed. The breach came to light after police seized a file of staff records from someone outside the company.
20. Schneier argues privacy is being lost to data persistence
Bruce Schneier published "Privacy in the Age of Persistence", describing data as the pollution of the information age. He warned that ubiquitous recording of once fleeting interactions threatened the freedom on which open societies depend.