Privacy Roundup #0039 • October 2009

October 2009 saw harvested webmail passwords spill onto the open web, the Sidekick cloud erase a million phones, and lawmakers water down PATRIOT Act reform.

1. Automated attacks push malware on Facebook

Researchers found thousands of computer-generated fake Facebook profiles pushing rogue anti-virus software through bogus video links. The scale suggested the network's CAPTCHA defences had been beaten by an automated tool.

www.theregister.com

2. Botnet buries commands in image files

A botnet was caught hiding its command-and-control instructions inside ordinary JPEG images using steganography. The trick let the malware receive orders while its traffic looked like innocent picture transfers.

www.theregister.com

3. EFF liveblogs the Senate Judiciary PATRIOT Act mark-up

The Electronic Frontier Foundation reported live as the Senate Judiciary Committee debated amendments to the PATRIOT Act renewal. Reforms to National Security Letters and bulk records collection were proposed, but most were stripped out.

www.eff.org

4. 10,000 Hotmail passwords mysteriously leaked to the web

More than 10,000 Windows Live username and password pairs were posted to Pastebin, most likely harvested by phishing or keylogging malware. The alphabetical list ran only from A to B, hinting at a far larger haul.

www.theregister.com

5. Hardware hacker, e-voting investigator and public domain advocate win Pioneer Awards

The Electronic Frontier Foundation named Limor Fried, Harri Hursti and Carl Malamud as its 2009 Pioneer Award winners. The honours recognised work on open hardware, voting machine security research and public access to government records.

www.eff.org

6. IE, Chrome and Safari duped by bogus PayPal SSL certificate

A researcher published a counterfeit SSL certificate for PayPal that exploited a flaw in Microsoft's CryptoAPI. The forged certificate could fool Internet Explorer, Chrome and Safari into displaying a spoofed page with no warning.

www.theregister.com

7. Gmail, AOL and Yahoo! all hit by webmail phishing scam

The Hotmail leak proved to be one part of a wider phishing campaign that also harvested Gmail, Yahoo and AOL credentials. Lists of more than 30,000 accounts surfaced online, and Google forced password resets on affected users.

www.theregister.com

8. FTC's new disclosure rules for bloggers

The Federal Trade Commission published final guides requiring bloggers and prominent social media users to disclose any payment or free product behind an endorsement. The rules took effect on 1 December and exposed both advertisers and endorsers to liability.

www.pcworld.com

9. Scareware scams spill onto Skype

Fraudsters began sending fake security warnings through Skype, posing as an "Online Notification" service. The messages tried to frighten recipients into buying worthless clean-up tools.

www.theregister.com

10. Pirate Bay sinks again after Dutch ISP complies with cut-off order

The Pirate Bay was knocked offline after its Dutch host complied with a court demand from anti-piracy group Brein. The case showed how studios were forcing intermediaries to disconnect the tracker rather than pursue users directly.

www.theregister.com

11. Hotmail phish exposes most common passwords

Analysis of the stolen Hotmail credentials revealed that the single most common password was "123456". The finding underlined how weak, reused passwords give attackers a head start on more sensitive accounts.

www.theregister.com

12. Man banished from PayPal for showing how to hack PayPal

PayPal suspended the account of the researcher who had demonstrated the SSL certificate weakness, freezing his funds. He had distributed the same security tools for years without complaint until the forged certificate appeared.

www.theregister.com

13. PATRIOT Act renewal bill passes Senate Judiciary Committee minus reforms

The committee approved a PATRIOT Act renewal by eleven votes to eight after accepting Republican amendments that stripped away privacy safeguards. The Electronic Frontier Foundation noted that the Obama administration had recommended several of those amendments.

www.eff.org

14. Microsoft sees no silver lining in Sidekick server snafu

A server failure at Microsoft's Danger subsidiary wiped contacts, calendars and photos for around a million T-Mobile Sidekick users. The cloud service had no working backup, leaving recovery prospects initially described as very slim.

www.theregister.com

15. ID fraud prevention week fights the UK's fastest growing crime

National Identity Fraud Prevention Week highlighted that impersonation was among Britain's fastest growing financial crimes. The fraud prevention service Cifas reported more than 59,000 victims in the first nine months of the year, a sharp annual rise.

www.theregister.com

16. Google fixes SMS crashing bug in mobile OS

Google patched two denial-of-service flaws in Android that let a crafted WAP Push message or malicious app force handsets to restart. Users were urged to upgrade to the corrected builds of the operating system.

www.theregister.com

17. Microsoft's Patch Tuesday fixes record number of flaws

Microsoft shipped its largest ever batch of security updates, including one flaw already under attack in the wild. The release finally closed a CryptoAPI hole that had been exploited to forge SSL certificates for sites such as PayPal.

www.theregister.com

18. Gaping security hole turned 64,000 Time Warner cable modems into hacker prey

A blogger found that disabling JavaScript in the browser exposed hidden administrative controls on Time Warner's SMC8014 cable modems, revealing a shared login and password in clear text. The flaw left around 64,000 home routers open to remote takeover and traffic interception.

www.networkworld.com

19. Oracle and Sun fingered for Sidekick fiasco

Further reporting traced the Sidekick disaster to infrastructure built on Oracle database technology and Sun servers. A failure in this stack left user data unreachable until the system was painstakingly rebuilt.

www.theregister.com

20. Scareware Mr Bigs enjoy 'low risk' crime bonanza

A study of the fake anti-virus trade found its operators raking in large sums while facing little chance of prosecution. The researchers likened the rogue software business to a licence to steal.

www.theregister.com
