Privacy Roundup #0053 • December 2010
WikiLeaks turned December into a fight over who controls your data, while breaches, tracking apps and new browser defences kept the pressure on everyone else.
1. WikiLeaks loses its domain after host pulls the plug
EveryDNS dropped the wikileaks.org name on 2 December, blaming a wave of denial-of-service attacks that put its other half a million customers at risk. The site vanished from the web until volunteers set up hundreds of mirrors to keep the cables online.
2. Amazon and Tableau cut off WikiLeaks under political pressure
After a call from Senator Joe Lieberman's office, Amazon stopped hosting WikiLeaks and Tableau pulled its data charts. The moves showed how fast private firms will drop a customer when a politician asks them to.
3. Leaked cable shows diplomats told to collect biometric data on UN staff
A diplomatic cable revealed orders for US diplomats to gather DNA, fingerprints, iris scans, passwords and encryption keys belonging to senior United Nations officials. Legal experts said the directive broke the 1947 headquarters agreement between the US and the UN.
4. Swiss bank freezes Julian Assange's account
PostFinance closed Assange's account on 6 December, saying he had given false information about living in Switzerland. WikiLeaks said the freeze cost it tens of thousands of euros in defence funds and personal assets.
5. Anonymous attacks PayPal over blocked WikiLeaks donations
A group calling itself Anonymous launched denial-of-service attacks on PayPal after it stopped handling WikiLeaks donations. The campaign, named Operation Avenge Assange, went on to target Visa, MasterCard and other firms that cut ties with the site.
6. FTC backs a "do not track" setting for web browsers
The Federal Trade Commission proposed a browser setting that would let people opt out of having their web activity watched for targeted ads. All five commissioners supported the idea, which set the stage for browser makers to build it in.
7. Internet Explorer 9 to ship with tracking protection
Microsoft said the next Internet Explorer would let users block third-party sites from following them around the web. The feature used opt-in lists, so people had to switch it on before it did anything.
8. Gawker hack exposes 1.3 million user accounts
Hackers broke into Gawker Media and dumped 1.3 million user names, email addresses and passwords, along with the company's source code. Many of the stolen passwords were weak, and "password" itself turned up nearly two thousand times.
9. Ohio State breach hits 760,000 people
Ohio State University told 760,000 current and former staff, students and applicants that a hacker had reached a server holding their names, Social Security numbers, dates of birth and addresses. The university put the cost of the cleanup at four million dollars and offered a year of credit monitoring.
10. US government demands Twitter records of WikiLeaks figures
A court order told Twitter to hand over account details for Julian Assange, Chelsea Manning, Birgitta Jonsdottir and others, including addresses, payment information and connection records. Twitter fought the gag clause so it could warn the people named, and several said they would resist the order.
11. One breach at Silverpop spills data from McDonald's, Walgreens and 100 more
The FBI traced leaks at McDonald's, Walgreens, deviantArt and dozens of other firms to a single break-in at the email marketing company Silverpop. Stolen names and addresses were soon used to send phishing messages to the affected customers.
12. WikiLeaks suspect held in solitary confinement
Reports said the soldier accused of leaking the cables was kept alone for 23 hours a day at Quantico, without a pillow or blankets. Critics around the world called the treatment punitive and questioned whether it amounted to a form of abuse before any trial.
13. Former contractor claims FBI planted a backdoor in OpenBSD
Gregory Perry told OpenBSD founder Theo de Raadt that contractors had been paid to weaken the system's encryption code a decade earlier. De Raadt published the email and asked developers to audit the code, though no backdoor was ever confirmed.
14. Court backs warrants for phone location records
The Third Circuit refused to revisit its ruling that judges may require a search warrant before the government gets a person's past phone location data. It was the first federal appeals decision in more than thirty years to find people can expect privacy in records a company keeps about them.
15. Facebook adds face recognition to photo tagging
Facebook started suggesting names for people in uploaded photos by matching faces against pictures users had already tagged. The feature was switched on without clear notice, which critics said built a searchable database of faces by default.
16. Wall Street Journal finds apps leaking phone data to advertisers
The newspaper tested 101 iPhone and Android apps and found 56 sent the phone's unique ID to outside firms without asking. Some, including Pandora, also passed on age, gender and location to advertisers.
17. Bank of America stops handling WikiLeaks payments
Bank of America joined Visa, MasterCard and PayPal in refusing to process money for WikiLeaks, citing its own payment policies. WikiLeaks urged supporters to close their accounts and hinted it held documents about the bank.
18. Homeland Security affidavit for domain seizures full of errors
A review of the affidavit behind a round of website seizures found the agent confused domain names with the servers behind them and skipped any free speech analysis. Critics said the seized sites mostly linked to material rather than hosting it, which is not itself a crime.
19. Apple and Pandora sued over app tracking
A class action accused Apple, Pandora and others of letting apps send unique device IDs and location data to ad networks without consent. The suit followed the Wall Street Journal study and named the worst offenders it had identified.
20. Geinimi trojan steals data from Android phones
Researchers found a trojan called Geinimi hidden inside repackaged games sold through Chinese app stores. Once installed, it quietly sent location data, device identifiers and a list of installed apps to remote servers. It was the first Android malware to behave like a botnet.
→ www.infosecurity-magazine.com