Privacy Roundup #0070 • May 2012
May 2012 paired the Flame cyber-espionage discovery and a run of payment and password breaches with fresh regulator pressure on Google, Myspace and Facebook over how they handle personal data.
1. Flame, the most complex spy malware yet found, surfaces in Iran
Researchers at Kaspersky Lab, Iran's national CERT and Hungary's CrySyS Lab announced a sprawling espionage toolkit that records audio, keystrokes, screenshots and Skype calls. Most of the infected machines sat inside Iran, and analysts called Flame the most sophisticated malware they had ever studied.
2. Myspace settles FTC charges over sharing user data with advertisers
The Federal Trade Commission said Myspace handed advertisers the unique Friend ID numbers that let them look up users' full names and browsing habits, despite promising not to. The settlement bars further misrepresentations and requires twenty years of independent privacy assessments.
3. Maryland becomes the first state to ban employer demands for social media passwords
Governor Martin O'Malley signed a law forbidding employers from requiring workers or job applicants to hand over passwords to Facebook and other personal accounts. The measure grew out of an ACLU case involving a corrections officer pressured into giving up his login.
4. Classified report finds vulnerabilities in the airport body scanner programme
EPIC reported that a Department of Homeland Security inspector general investigation uncovered several flaws in the body scanner programme, which had already cost more than 87 million dollars. EPIC challenged the decision to withhold the full report as Sensitive Security Information.
5. Most Facebook users do not trust the company with their data, poll finds
An AP-CNBC poll released days before the flotation found that 59 per cent of Facebook users had little or no faith in the company to protect their privacy. The result underlined how central data collection was to the business investors were about to buy into.
6. Senator Durbin presses the FCC over Google's Street View Wi-Fi capture
Senator Dick Durbin called the agency's 25,000 dollar penalty against Google a clear failure to treat the interception of private Wi-Fi traffic as a privacy violation. FCC Chairman Julius Genachowski agreed that the law should protect people even when their wireless networks are unencrypted.
7. FBI warns travellers that hotel network software updates can be malware
The FBI cautioned that criminals were using pop-up prompts on hotel internet connections to push fake software updates carrying malware. Brian Krebs reported the alert, which advised travellers to update before leaving and to fetch updates only from the vendor's own site.
8. Global Payments card breach is traced back to early 2011
Brian Krebs reported that the breach at card processor Global Payments reached back to January 2011, far earlier than first admitted. A hacker claimed his group had access for over a year and that millions of card accounts, not the company's stated 1.5 million, were exposed.
9. Human rights and foreign policy websites turned into malware traps
Researchers found exploits lurking on the sites of Amnesty International Hong Kong, a Washington think tank and a Cambodian government ministry, waiting to infect visitors. The campaign was an early example of the watering hole tactic aimed at activists and policy staff.
10. Twitter commits to honouring Do Not Track
Twitter confirmed it would respect the Do Not Track browser signal, so users who switched it on would not be tracked across the web for tailored suggestions. The White House welcomed the move as a step towards its proposed Consumer Privacy Bill of Rights.
→ obamawhitehouse.archives.gov
11. Google starts warning half a million users infected with DNSChanger
Google began showing a warning to people whose computers were still infected with the DNSChanger trojan, which silently redirected their web traffic. The notices aimed to clean up machines before a court order shutting down substitute servers cut the victims off from the internet.
12. WHMCS breach exposes half a million customer records
Brian Krebs reported that attackers used social engineering to seize administrative control of billing software maker WHMCS, then stole roughly 1.7 gigabytes of customer data and posted it online. The records included usernames, passwords and in some cases payment card details.
13. Skype flaw lets anyone uncover a user's IP address and location
A web tool circulated that exploited a long-known Skype weakness to reveal a target's last known IP address, and from it their rough location, without their knowledge. The flaw had been reported to Skype more than a year earlier and still was not fixed.
14. EFF asks a court to return a user's files seized in the Megaupload takedown
The Electronic Frontier Foundation filed a brief on behalf of Kyle Goodwin, who lost lawful business files when the government seized Megaupload's servers. The case tested whether ordinary users could recover their own data after a cloud service was shut down.
15. France's CNIL sends Google a second round of pointed privacy questions
The French data protection authority told Google its earlier answers about the consolidated privacy policy were often incomplete or approximate and pressed it again on combining data across services. EPIC noted that the inquiry was being run on behalf of European governments.
16. EFF dissects the privacy risks in the Lieberman-Collins cybersecurity bill
The Electronic Frontier Foundation published a detailed explainer warning that the Senate's Cybersecurity Act would let companies hand user communications to the government with weak safeguards. The group urged readers to oppose the proposals before an expected vote.
17. EFF's second 'Who Has Your Back' report grades companies on user privacy
The Electronic Frontier Foundation rated eighteen major internet firms on whether they stood up for users when the government demanded data. The chart highlighted who required warrants, told users about requests and fought overbroad orders, and who did not.
18. House hearing examines the NSA's warrantless wiretapping powers
The Electronic Frontier Foundation reviewed a House Judiciary Committee hearing on the FISA Amendments Act, the law underpinning warrantless interception of international communications. With the authority due to expire, advocates pressed for civil liberties safeguards that the administration wanted to renew untouched.
19. Yahoo leaks its own signing key while launching the Axis browser
When Yahoo released its Axis extension for Chrome, it accidentally shipped the private cryptographic key used to sign the add-on. Anyone holding the key could forge extensions that Chrome would trust as genuine Yahoo software, putting users at risk until a fix went out.
20. House panel to probe online banking thefts hitting businesses
Brian Krebs reported that the House Financial Services Committee would examine cyber thefts draining the accounts of small and mid-sized firms. The hearing followed a Tennessee company's 328,000 dollar loss after thieves planted malware and intercepted its one-time login passcode.