Privacy Roundup #0048 • July 2010

July 2010 was dominated by leaked profiles, government data demands and the Stuxnet shortcut flaw, as regulators circled Google and Apple over how much they knew about us.

1. Hacker compiles public data on 100 million Facebook users

A security researcher scraped Facebook's searchable directory and bundled the names and profile links of roughly 100 million users into a single torrent. Facebook argued that nothing private had been exposed, yet the file showed how little effort it took to harvest data at scale.

techcrunch.com

2. Apple details its location data collection to Congress

Apple sent a thirteen-page letter to two members of Congress explaining how iPhones and iPads gather information about nearby cell towers and Wi-Fi access points. The company insisted that the data stayed within its own systems and that users could switch location services off.

www.engadget.com

3. Wall Street Journal launches its "What They Know" tracking series

The newspaper began a landmark investigation into how the most popular websites install dozens of tracking tools on visitors without warning. The series documented cookies, flash cookies and beacons that let advertisers guess a person's age, income and more.

www.eff.org

4. WikiLeaks publishes the Afghan War Diary

WikiLeaks released more than ninety thousand classified military logs covering the war in Afghanistan, sharing them in advance with three newspapers. Privacy campaigners and the Pentagon both raised concerns that named Afghan informants could be identified and endangered.

www.pcworld.com

5. Spokeo accused of breaking federal privacy law

The Center for Democracy and Technology filed a complaint with the Federal Trade Commission alleging that the data broker Spokeo failed to safeguard consumers under the Fair Credit Reporting Act. The site sold detailed profiles covering ethnicity, shopping habits and family members.

foleyhoag.com

6. German upper house backs a Street View blurring law

The Bundesrat adopted a draft law requiring services such as Google Street View to blur faces and number plates before publishing panoramic street imagery. The measure also limited how long the raw, unblurred data could be retained.

iapp.org

7. UK watchdog clears Google over Street View Wi-Fi capture

The Information Commissioner's Office decided to take no action against Google after reviewing samples of the payload data its Street View cars had recorded. The regulator conceded the collection was wrong but judged that little meaningful personal data had been gathered.

www.theregister.com

8. Researchers warn of a critical Windows shortcut flaw

Experts disclosed a vulnerability in the way Windows handled shortcut files, which malware later identified as Stuxnet was already exploiting. The flaw allowed a fully patched machine to be infected simply by viewing the contents of an infected USB drive.

krebsonsecurity.com

9. Microsoft offers a stopgap fix for the shortcut bug

With proof-of-concept code circulating, Microsoft published a point-and-click tool that disabled the vulnerable shortcut feature. The workaround stripped icons from the taskbar and start menu but blunted attacks while a full patch was prepared.

krebsonsecurity.com

10. Microsoft rushes an emergency patch for the shortcut flaw

Microsoft announced an out-of-band security update to close the shortcut hole as exploitation attempts climbed. The company confirmed it had seen a rising number of attacks targeting the bug across every supported version of Windows.

krebsonsecurity.com

11. Card skimmers found siphoning data at petrol pumps

Thieves attached card skimmers to pumps at more than thirty filling stations around Denver, capturing the card details of motorists. Some devices used Bluetooth so criminals could collect stolen data without returning to the scene.

krebsonsecurity.com

12. Alleged author of the Mariposa botnet arrested

Police in Slovenia detained a suspect believed to have written the Mariposa botnet, which had infected roughly twelve million computers worldwide. The malware had spread through more than half of the Fortune 1,000 and at least forty major banks.

krebsonsecurity.com

13. Verizon report finds most breaches were easily preventable

A joint study by Verizon and the US Secret Service concluded that the great majority of 2009 breaches could have been stopped by reading server log files. The report found that insiders and basic configuration errors, not exotic attacks, drove most incidents.

krebsonsecurity.com

14. Librarian of Congress legalises smartphone jailbreaking

The Library of Congress granted an exemption to the anti-circumvention rules of copyright law, allowing owners to jailbreak their phones to run third-party software. The Electronic Frontier Foundation had argued for the change so users could control devices they had bought.

www.engadget.com

15. Scareware victims rarely dispute the charges

Leaked accounts from a rogue antivirus operation revealed that fewer than one in five victims challenged the fraudulent charge with their bank. Embarrassment and confusion left most people paying for worthless software that had hijacked their machines.

krebsonsecurity.com

16. Services let criminals check their own malware reputation

Researchers uncovered subscription services that let malware authors test whether their malicious links had been blacklisted by safe-browsing tools. The offerings checked against eighteen reputation databases, helping attackers stay one step ahead of defences.

krebsonsecurity.com

17. Adobe promises a sandbox to contain Reader attacks

Adobe said its next version of Reader would run inside a sandbox, a restricted environment meant to stop attackers from installing malware even after a successful exploit. The move responded to a wave of attacks that used booby-trapped PDF files.

krebsonsecurity.com

18. Justice Department seeks warrantless access to internet records

The Department of Justice pressed Congress to widen the reach of National Security Letters so the FBI could demand internet records without a warrant. Critics warned that the change could expose browsing history, search terms and location data under secret gag orders.

www.eff.org

19. UK scraps the ContactPoint children's database

Ministers confirmed that ContactPoint, a national database holding records on every child in England, would be switched off in early August. Campaigners had long warned that exposing such records to hundreds of thousands of users was disproportionate and unsafe.

www.theregister.com

20. Cyber insurance helps a utility recover stolen funds

A small Texas water utility recouped tens of thousands of dollars lost to online banking fraud after attackers drained its account through money mules. The case showed how insurance was becoming a backstop for organisations whose financial data had been compromised.

krebsonsecurity.com
