Privacy Roundup #0062 • September 2011

A rogue certificate authority collapsed, hacktivists kept dumping personal data, and firms from Facebook to OnStar were caught watching people who thought they had left.

1. WikiLeaks posts the full unredacted diplomatic cables online

The entire cache of 251,000 United States diplomatic cables appeared online with names intact after a passphrase leaked. The release exposed informants, activists and other sources who had been promised confidentiality.

www.npr.org

11. Anonymous defaces the Texas police chiefs' site and leaks officer email

Anonymous took over the Texas Police Chiefs Association website and published documents marked law enforcement sensitive. The dump included private officer email, some of it containing racist and sexist content.

www.pcworld.com

3. The scale of the DigiNotar certificate breach becomes clear

Attackers who broke into the Dutch certificate authority DigiNotar issued fraudulent certificates for Google, Yahoo, Mozilla and other domains. The forged Google certificate was used to intercept the Gmail traffic of Iranian users.

threatpost.com

4. Mozilla permanently removes DigiNotar from Firefox

Mozilla pulled DigiNotar from its trusted root program in every supported version of Firefox. The organisation stressed that this was a complete removal rather than a temporary suspension, citing the firm's failure to disclose the breach.

blog.mozilla.org

5. Comodohacker claims the DigiNotar attack and names four more authorities

A self-described Iranian student using the handle Comodohacker took credit for the DigiNotar breach on Pastebin. He claimed access to four further certificate authorities, including GlobalSign, deepening fears about the whole trust system.

www.pcworld.com

6. GlobalSign halts certificate issuance after the hacker's threat

GlobalSign suspended all certificate issuance to investigate the claim that its systems had been breached. The cautious pause underlined how fragile confidence in certificate authorities had become.

www.theregister.com

7. Google urges Iranian users to re-secure their Gmail accounts

Google warned users in Iran to change passwords and review account settings after the DigiNotar certificates were used against them. The company set out concrete steps to undo any interception of their mail.

techcrunch.com

8. Court forces disclosure of warrantless cell phone tracking cases

The DC Circuit ruled that the government must reveal case records where agents obtained cell-site location data without a warrant. The win for the EFF and the ACLU shed light on how often location tracking was used.

www.eff.org

9. Post-mortem confirms 300,000 Iranians were targeted through DigiNotar

A detailed analysis showed that the forged Google certificate let attackers read the communications of an estimated 300,000 mainly Iranian internet users. The case became a stark example of how one compromised authority can endanger an entire population.

www.eff.org

10. Hackers breach Mitsubishi Heavy Industries

Japan's largest defence contractor confirmed that 45 servers and 38 computers were infected with malware. The targeted machines sat at plants making missiles, submarines and nuclear power equipment.

www.aljazeera.com

11. Dutch government sets a kill date for DigiNotar certificates

The Dutch authorities announced they would revoke the DigiNotar government certificates on 28 September. The decision followed the firm's bankruptcy and the collapse of trust in its entire chain.

threatpost.com

12. FBI arrests a LulzSec suspect over the Sony Pictures hack

Cody Kretsinger, who used the handle recursion, was arrested for his part in the LulzSec attack that exposed personal data of Sony Pictures contest entrants. The student had publicly hoped for a job at the Department of Defense.

krebsonsecurity.com

13. Federal agents arrest Anonymous figure Commander X

Christopher Doyon, said to use the name Commander X, was arrested over a denial-of-service attack on Santa Cruz County computers. The case showed prosecutors moving against named individuals behind hacktivist operations.

www.cbsnews.com

14. OnStar reverses a policy that tracked cars after cancellation

GM's OnStar abandoned a plan to keep collecting location data from vehicles even after owners cancelled the service. The retreat came after senators and privacy advocates condemned the change.

www.consumerreports.org

15. Facebook is caught tracking users after they log out

Researcher Nik Cubrilovic showed that Facebook cookies kept identifying users after they signed out. After he raised the alarm, Facebook promised to stop the logout cookies from collecting identifiable information.

www.helpnetsecurity.com

16. Microsoft dismantles the Kelihos botnet

Microsoft used a court order to take down the Kelihos botnet, which had infected around 41,000 computers and sent billions of spam messages a day. The malware also stole sensitive personal information from the machines it controlled.

www.theregister.com

17. CabinCr3w doxxes the Goldman Sachs chief executive

A group calling itself CabinCr3w published the personal details of Goldman Sachs boss Lloyd Blankfein and dozens of staff. The leak tied the doxxing to the early days of the Occupy Wall Street protests.

threatpost.com

18. Stolen tapes expose health data on 4.9 million TRICARE members

Backup tapes holding records for 4.9 million military health beneficiaries were stolen from an SAIC employee's car in San Antonio. The unencrypted tapes held Social Security numbers, addresses and clinical notes.

www.nextgov.com

19. Facebook's frictionless sharing draws regulators' attention

At its f8 conference Facebook unveiled Timeline and frictionless sharing, which broadcast a user's activity automatically once an app was authorised. Privacy groups asked the Federal Trade Commission to investigate the change.

searchengineland.com

20. HTC logging flaw exposes phone numbers, location and messages

Researchers revealed that HTC had added logging tools to its Android phones that any app with internet permission could read. The exposed data included phone numbers, GPS location, text messages and email addresses.

www.androidpolice.com
