Privacy Roundup #0064 • November 2011
November 2011 mixed smartphone snooping rows, fresh breaches and landmark surveillance fights as Carrier IQ, GPS tracking and a wave of hacks dominated the privacy agenda.
1. Carrier IQ tries to censor research with a baseless legal threat
Mobile analytics firm Carrier IQ sent researcher Trevor Eckhart a cease-and-desist letter after he showed its software logged extensive handset activity. The EFF stepped in, arguing his work was protected fair use and free expression.
2. Carrier IQ drops its legal threat and apologises to the researcher
Days after threatening Eckhart, Carrier IQ withdrew the letter and issued an apology to him and the EFF. The climbdown left the underlying questions about its hidden logging software unanswered.
3. Researcher finds secret software on phones logging nearly everything
Eckhart published a video showing Carrier IQ software recording keystrokes, dialled numbers and browsing activity in plain text. The demonstration turned a niche dispute into a national debate about smartphone surveillance.
4. Valve admits forum hack exposed Steam users' details
Valve disclosed that an intrusion beginning with a defaced Steam forum had reached a database holding usernames, hashed passwords, billing addresses and encrypted card numbers. The breach touched a service with roughly 35 million accounts.
5. Facebook settles FTC charges over broken privacy promises
Facebook agreed to settle Federal Trade Commission charges that it deceived users about how their data was shared. The order required affirmative consent for privacy changes and twenty years of independent audits.
6. Cyber intrusion blamed for hardware failure at an Illinois water utility
An intelligence report claimed hackers using stolen vendor credentials had toggled a water pump until it burned out at a district near Springfield. Federal investigators later disputed the account, but the scare exposed weak control-system security.
7. Researchers convinced Duqu was written by the Stuxnet authors
Kaspersky analysts concluded that the Duqu espionage malware shared its origins with Stuxnet, pointing to a single sophisticated group. Fewer than fifty highly targeted infections had been found worldwide.
8. Estonian arrests end a four-million-strong DNS hijacking ring
The FBI's Operation Ghost Click dismantled a click-fraud scheme that used DNSChanger malware to redirect more than four million infected machines. Six Estonians were arrested and a seventh charged over the long-running fraud.
9. Phishers net Norwegian oil, gas and defence secrets
Norway's security authority confirmed that spear-phishing attacks had swept industrial drawings, contracts and passwords from at least ten companies. Officials called it one of the country's largest data espionage cases.
10. Supreme Court hears argument that GPS tracking needs a warrant
The justices heard oral argument in United States v. Jones, where the FBI had tracked a vehicle for a month without a valid warrant. Several justices warned that cheap, constant tracking raised Orwellian concerns.
11. Anonymous backs away from threat to expose a Mexican cartel
Anonymous called off OpCartel, its threat to publish the names of people linked to Los Zetas, after the kidnapped activist was released. The cartel had warned it would kill ten people for every name revealed.
12. SOPA is a blacklist by any other name
The EFF dissected the newly introduced Stop Online Piracy Act, warning it would let the government force search engines, DNS providers and payment firms to cut off accused sites. Critics framed the DNS-filtering powers as a serious threat to the open internet.
13. Court rules against privacy in the Twitter and WikiLeaks records battle
A Virginia judge let federal investigators obtain three users' Twitter records in the WikiLeaks investigation without a warrant. The decision also blocked the users from learning whether other firms had received similar demands.
14. Another Dutch certificate authority confirms a breach
KPN's Getronics certificate arm suspended issuance after finding its web server compromised, with attack tools left running for years. The disclosure deepened the crisis of confidence in certificate authorities after DigiNotar.
15. Finnish hackers leak a far-right group's membership list
Anonymous activists in Finland published what they said was the membership database of a neo-Nazi movement, naming applicants including a parliamentary aide. The same cell soon dumped personal data on some 16,000 people drawn from education sector systems.
16. Stolen computer exposes data on millions of Sutter Health patients
Sutter Health disclosed that an unencrypted desktop holding records on more than four million patients had been stolen from a Sacramento office. The data included names, addresses, dates of birth and, for some, diagnoses and procedures.
→ www.infosecurity-magazine.com
17. The Leveson Inquiry opens its hearings into press conduct
The inquiry into the culture, practices and ethics of the British press began public hearings, streamed live for the first time. It would examine phone hacking and the balance between free expression and personal privacy.
18. Facebook vows consequences for an extreme porn spam attack
Facebook said it had identified those behind a flood of pornographic and violent images that hijacked users' news feeds. The attack tricked people into pasting malicious code into their browsers to spread the content.
19. Criminals try to plant malware in ads on a security blog
Krebs on Security revealed that members of a criminal forum had paid to slip a malicious advert disguised as antivirus software through its ad network. Manual review of the ads stopped the malvertising attempt before it ran.
20. A botnet floods Krebs on Security with a sustained denial-of-service attack
More than 20,000 infected PCs bombarded the site after it published an instalment of its Pharma Wars series. Researchers traced the assault to a commercial crimeware kit also hitting a Ukrainian news outlet.
Enjoyed this post?
Well, you could share the post with others, follow me with RSS Feeds and/or send me a comment via email.
Tags
Category:
Year: