Privacy Roundup #0056 • March 2011
March 2011 was dominated by the RSA SecurID and Comodo certificate breaches, a wave of stolen email databases, and fresh fights over who may read your location and account records.
1. RSA admits attackers stole SecurID two-factor data
RSA disclosed that an advanced persistent threat had breached its systems and taken information that could weaken the SecurID tokens used by some forty million workers. The company stayed vague about exactly what was lost, drawing sharp criticism over its lack of candour.
2. Comodo partner tricked into issuing forged HTTPS certificates
A registration partner of the Comodo certificate authority was breached and used to mint nine fraudulent certificates for Google, Yahoo, Skype and Mozilla domains. The forgeries would have let an attacker impersonate those sites, and the evidence pointed towards Iran.
3. Firefox ships an update to block the forged Comodo certificates
Mozilla pushed out releases of Firefox that hard-coded the nine fraudulent certificates into a distrust list. The move arrived alongside parallel fixes from Google and Microsoft to shut the impersonation window across browsers.
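The mechanism behind the Firefox fix is a distrust list that is consulted before the normal chain check, so a certificate that carries a perfectly valid signature path to a trusted root is still refused. The example below is added here to illustrate that ordering; it is not Mozilla's code and it deliberately replaces real X.509 signature verification with a toy issuer-name linkage. The certificate records, their "DER" byte strings, the CA names and the hypothetical `login.example.com` leaf are all constructed for the demonstration.

```python
import hashlib

# Constructed toy trust store: in a real browser these are CA certificates.
TRUSTED_ROOTS = {"Example Root CA"}


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a certificate's DER bytes, colon-separated hex,
    the form distrust lists usually publish."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed placeholder for the DER bytes of a fraudulently issued leaf.
FORGED_LEAF = b"constructed DER: CN=login.example.com, issuer=Example Reseller CA, serial=0x10"

# Hard-coded distrust list, keyed by fingerprint, as a browser update would ship it.
DISTRUSTED = {fingerprint(FORGED_LEAF)}


def verify_chain(chain, trusted_roots=TRUSTED_ROOTS, distrusted=DISTRUSTED):
    """Return (ok, reason) for a leaf-first chain of dicts with keys
    'subject', 'issuer' and 'der'.

    The distrust check runs first: a blocklisted certificate is rejected
    even though the rest of the chain would validate. NOTE: real validation
    also checks signatures, validity periods and name constraints; this toy
    only checks issuer/subject linkage.
    """
    if not chain:
        return False, "empty chain"

    # 1. Blocklist wins over everything else, for every cert in the chain.
    for cert in chain:
        if fingerprint(cert["der"]) in distrusted:
            return False, f"distrusted certificate: {cert['subject']}"

    # 2. Each certificate must name the next one up as its issuer.
    for child, parent in zip(chain, chain[1:]):
        if child["issuer"] != parent["subject"]:
            return False, f"broken issuer link at {child['subject']}"

    # 3. The chain must end at a self-issued certificate we actually trust.
    top = chain[-1]
    if top["issuer"] != top["subject"] or top["subject"] not in trusted_roots:
        return False, f"chain does not end at a trusted root: {top['subject']}"

    return True, "ok"


# Constructed sample chains: the same reseller CA issued both leaves, so both
# chains link cleanly to the root; only the fingerprint tells them apart.
RESELLER = {"subject": "Example Reseller CA", "issuer": "Example Root CA",
            "der": b"constructed DER: Example Reseller CA"}
ROOT = {"subject": "Example Root CA", "issuer": "Example Root CA",
        "der": b"constructed DER: Example Root CA"}
FORGED_CHAIN = [{"subject": "login.example.com", "issuer": "Example Reseller CA",
                 "der": FORGED_LEAF}, RESELLER, ROOT]
GENUINE_CHAIN = [{"subject": "login.example.com", "issuer": "Example Reseller CA",
                  "der": b"constructed DER: genuine leaf serial=0x11"}, RESELLER, ROOT]

if __name__ == "__main__":
    print(verify_chain(FORGED_CHAIN))   # rejected by the distrust list
    print(verify_chain(GENUINE_CHAIN))  # accepted
```

The point of checking the blocklist before the chain walk is that the forged certificates were not malformed: they were properly signed by a real intermediate, so only an explicit per-certificate distrust entry (or revoking the intermediate outright) could stop them.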
4. Google settles FTC charges over the Google Buzz rollout
Google agreed to settle Federal Trade Commission charges that it had deceived Gmail users when it launched Buzz and folded their contacts into a public social network. The order required a comprehensive privacy programme and independent audits every two years for the next twenty years.
5. Play.com customer email addresses leak through Silverpop
Play.com warned shoppers after some began receiving spam at addresses used only for the retailer, with the marketing firm Silverpop blamed for the breach. The company said only email addresses were exposed and that payment details remained safe.
6. TripAdvisor warns members that its email list was stolen
TripAdvisor told members that an unauthorised party had taken part of its member email database over the weekend. The firm said passwords and financial data were untouched, but warned that affected users should expect unsolicited spam.
7. Charlie Miller hijacks an iPhone 4 through a booby-trapped web page
At the Pwn2Own contest, researcher Charlie Miller exploited an iPhone 4 so that merely visiting a crafted web page handed him control of the device. A separate team chained three flaws to subvert a BlackBerry the same day, underlining how a single page could expose the personal data held on a phone.
8. Court rules the government may seize WikiLeaks Twitter records
A federal magistrate ruled that prosecutors could obtain the Twitter account records of three users tied to the WikiLeaks investigation, including Icelandic parliamentarian Birgitta Jonsdottir. The judge also kept some of the government's justifications under seal, prompting an appeal.
9. Anonymous publishes leaked Bank of America emails
A member of Anonymous posted internal emails from a former Balboa Insurance employee that purported to show questionable foreclosure and document practices. Bank of America dismissed the allegations as untrue while confirming the messages had been taken by a former worker.
10. Rustock botnet goes dark and global spam plummets
A coordinated takedown severed the Rustock botnet from its command servers, and worldwide junk email volumes fell sharply overnight. The operation reached a network that had at times pumped out tens of billions of spam messages a day.
11. Texas comptroller exposes 3.5 million people's records
Texas officials discovered that personal data on about 3.5 million people had sat on a public server for more than a year. The unencrypted records held names, addresses, Social Security numbers and in some cases dates of birth and driving licence numbers.
12. France's CNIL hands Google a record privacy fine
The French data protection authority imposed a then-record fine of 100,000 euros on Google over its Street View and Latitude services. Regulators found that Google had quietly captured payload data from home Wi-Fi networks and had failed to file proper notices.
13. MySQL.com falls to a SQL injection attack
Attackers used a blind SQL injection to lift usernames and password hashes from MySQL.com and several of its localised sites, along with two Sun subdomains. The irony of a database company being undone by a database attack was not lost on observers.
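A blind injection works because the application's response differs depending on whether attacker-supplied SQL evaluated true or false, and the root cause is always the same: user input spliced into the query text. The example below is added here to show the defect beside its fix; it is not code from MySQL.com or from any real site. It uses Python's `sqlite3` against an in-memory database with a single constructed user, and the plain SHA-256 password hash is a stand-in for a proper slow password hash.

```python
import hashlib
import sqlite3


def make_db():
    """Constructed in-memory users table with one account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pwhash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("alice", hashlib.sha256(b"correct horse").hexdigest()))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Defective: the username is pasted into the SQL text, so a quote in
    the input changes the query's structure instead of being data."""
    pwhash = hashlib.sha256(password.encode()).hexdigest()
    query = (f"SELECT username FROM users "
             f"WHERE username = '{username}' AND pwhash = '{pwhash}'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username, password):
    """Hardened: placeholders keep the query structure fixed; the driver
    sends the input as bound values that can never become SQL."""
    pwhash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND pwhash = ?",
        (username, pwhash),
    ).fetchone()
    return row is not None


# A username that closes the string literal and comments out the password
# check; the trailing "--" starts a SQL line comment.
TAUTOLOGY_USER = "alice' --"

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, TAUTOLOGY_USER, "wrong"))  # True: check bypassed
    print(login_safe(db, TAUTOLOGY_USER, "wrong"))        # False: treated as a literal username
    print(login_safe(db, "alice", "correct horse"))       # True: normal login still works
```

The difference in the two boolean results is exactly the signal a blind attack reads; with bound parameters the same input is just a username that does not exist, and the response no longer depends on SQL the attacker wrote.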
14. Judge lets Sony unmask visitors to a PS3 hacking site
A magistrate granted Sony a subpoena for the IP addresses of everyone who had visited George Hotz's blog over a span of more than two years. The EFF condemned the order as overbroad and a threat to the anonymity of ordinary readers.
15. Firefox 4 launches with a Do Not Track header
Mozilla released Firefox 4 with built-in support for a Do Not Track signal that lets users tell sites and ad networks to stop following them. The browser became one of the first to ship the privacy header on multiple platforms.
16. Domains used in the RSA attack mocked the United States
Researchers traced the command channels behind the RSA breach to domains with names such as "obama.servehttp.com" that appeared to taunt the target. The trail offered fresh clues about the infrastructure and likely origin of the intrusion.
17. FTC finalises its security settlement with Twitter
The Federal Trade Commission accepted a final order resolving charges that Twitter had failed to protect user accounts, allowing hackers to seize administrative control. The settlement barred misleading security claims and required independent audits for the next decade.
18. A politician publishes six months of his own phone metadata
Malte Spitz released the 35,000 records his carrier had kept on him and worked with Zeit Online to map them into an interactive timeline. The result showed how data retention can reconstruct nearly every movement of an ordinary life.
19. Health Net notifies 1.9 million people after drives go missing
Health Net began telling almost two million members that nine server drives had vanished from an IBM-run data centre. The lost hardware held names, addresses, health details and in some cases Social Security and financial information.
20. HBGary Federal chief resigns over the Anonymous breach
Aaron Barr stepped down as chief executive of HBGary Federal after Anonymous gutted the firm's systems and dumped its emails. He said he needed to focus on his family and rebuild a reputation badly damaged by the leaks.