Privacy Roundup #0071 • June 2012

June 2012 paired a wave of unsalted password breaches at LinkedIn, eHarmony and Last.fm with the unmasking of the state-built Flame and Stuxnet cyberweapons and fresh fights over surveillance law.

1. New York Times reveals Obama ordered the Stuxnet attacks on Iran

David Sanger reported that President Obama had secretly accelerated a Bush-era cyber campaign, code-named Olympic Games, that used the Stuxnet worm to sabotage Iran's nuclear centrifuges. The account confirmed for the first time that the United States and Israel jointly built and deployed the malware.

www.nytimes.com

2. Microsoft ships an emergency patch after Flame spoofs Windows Update

Microsoft rushed out an emergency update once researchers found that the Flame espionage malware had forged a Microsoft code-signing certificate. The forged certificate let Flame masquerade as a genuine Windows Update and push itself onto other machines on a network.

www.csoonline.com

3. Nearly 6.5 million LinkedIn password hashes are dumped online

Around 6.5 million LinkedIn password hashes were posted to a Russian forum, where attackers crowdsourced help to crack them. The passwords had been stored as unsalted SHA-1 hashes, a weak choice that let hundreds of thousands fall quickly.

www.computerworld.com

4. eHarmony confirms a breach of about 1.5 million passwords

The dating service eHarmony confirmed that roughly 1.5 million password hashes had been stolen and leaked, days after the LinkedIn dump. As with LinkedIn, the hashes were unsalted SHA-1, leaving them open to dictionary attacks.

www.cbsnews.com

5. LinkedIn's iOS app is caught sending calendar entries in plain text

Researchers at Skycure found that the LinkedIn iPhone app harvested users' calendar entries, including meeting subjects, locations and private notes, and sent them to LinkedIn servers. The data left the device with no clear consent and in plain text, exposing dial-in passcodes and other secrets.

thenextweb.com

6. Flame's operators trigger a self-destruct command

After Flame became public, its controllers pushed a module that wiped the malware from infected machines and overwrote the disk with random data. Symantec captured the urgent suicide command on honeypots and described it as an attempt to erase the operation's tracks.

www.theregister.com

7. Last.fm warns users to change passwords after a leak

The music service Last.fm told users to change their passwords after password hashes turned up on a cracking forum. The leaked hashes used unsalted MD5, an outdated method that made cracking straightforward.

blog.last.fm
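The LinkedIn, eHarmony and Last.fm items above all turn on the same defect: a password stored as a bare, unsalted hash. The following Python example, added here and not taken from any of the breached services, shows why that matters and what the fix looks like. Two constructed users share a password; under unsalted SHA-1 their stored hashes are identical, so one cracked hash unlocks every account that used that password, whereas a per-user random salt plus PBKDF2-HMAC-SHA256 gives each account a distinct record that must be attacked separately. The `flag_unsalted_records` audit helper is an assumption of this example: it flags any stored value that is a bare 32- or 40-character hex string, the shape an unsalted MD5 or SHA-1 digest takes.

```python
import hashlib
import hmac
import os

# Constructed sample accounts; both users chose the same password.
USERS = {"alice": "hunter2", "bob": "hunter2"}


def unsalted_sha1(password: str) -> str:
    """The scheme behind the 2012 LinkedIn and eHarmony leaks: bare SHA-1, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def unsalted_store(users: dict) -> dict:
    """Build a credential table the weak way: user -> unsalted SHA-1 hex digest."""
    return {name: unsalted_sha1(pw) for name, pw in users.items()}


def store_salted(password: str, iterations: int = 600_000) -> dict:
    """Per-user random salt plus PBKDF2-HMAC-SHA256 (iteration count is a tunable
    work factor); returns the record to persist alongside the account."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def salted_store(users: dict) -> dict:
    """Build a credential table the right way: user -> salted PBKDF2 record."""
    return {name: store_salted(pw) for name, pw in users.items()}


def verify_salted(password: str, record: dict) -> bool:
    """Recompute PBKDF2 with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def duplicate_hashes(store: dict) -> list:
    """Groups of users whose stored hash is identical. With unsalted hashes every
    shared password collides; with per-user salts this list is empty."""
    seen = {}
    for name, value in store.items():
        key = value["hash"] if isinstance(value, dict) else value
        seen.setdefault(key, []).append(name)
    return [names for names in seen.values() if len(names) > 1]


def flag_unsalted_records(store: dict) -> dict:
    """Hypothetical audit check: a stored value that is nothing but a 32- or 40-char
    hex string carries no salt and no work factor, i.e. it looks like bare MD5/SHA-1."""
    bare_lengths = {32: "MD5", 40: "SHA-1"}
    findings = {}
    for name, value in store.items():
        if isinstance(value, str) and len(value) in bare_lengths:
            if all(c in "0123456789abcdef" for c in value.lower()):
                findings[name] = bare_lengths[len(value)]
    return findings


if __name__ == "__main__":
    weak = unsalted_store(USERS)
    strong = salted_store(USERS)
    print("unsalted duplicates:", duplicate_hashes(weak))
    print("unsalted audit findings:", flag_unsalted_records(weak))
    print("salted duplicates:", duplicate_hashes(strong))
    print("salted audit findings:", flag_unsalted_records(strong))
    print("alice login ok:", verify_salted("hunter2", strong["alice"]))
```

Run as a script, the unsalted table reports alice and bob as sharing one hash and both records as bare SHA-1, while the salted table reports no duplicates and no findings. The audit helper is deliberately crude: it catches the storage shape seen in these three breaches, not every weak scheme, and a real review would also confirm the work factor and the algorithm in use.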

8. Spokeo pays $800,000 to the FTC over consumer profiling

The data broker Spokeo agreed to pay $800,000 to settle Federal Trade Commission charges that it sold consumer profiles to recruiters and employers without honouring the Fair Credit Reporting Act. It was the first FTC case to treat the sale of internet and social media data as a consumer report.

www.ftc.gov

9. UK publishes the draft Communications Data Bill

Home Secretary Theresa May published the draft Communications Data Bill on 14 June, a measure that would have forced providers to log every user's web browsing, email, calls and messaging for twelve months. Critics quickly branded the proposal a snooper's charter and warned it reached even postal services.

www.techdirt.com

10. Google reports a rise in government censorship requests

Google's transparency report flagged an alarming jump in government demands to remove content, with the largest tallies coming from the United States, the United Kingdom and India. Senior policy analyst Dorothy Chou noted that some takedown requests came from Western democracies not usually associated with censorship.

www.engadget.com

11. Reports confirm the US and Israel built the Stuxnet virus

News reports citing current and former officials confirmed that the Stuxnet worm was a joint United States and Israeli creation aimed at Iran's nuclear enrichment plant at Natanz. President Obama was said to have accelerated the Olympic Games campaign even after the worm escaped onto the wider internet in 2010.

abcnews.com

12. Belfast health trust fined £225,000 over abandoned records

The Information Commissioner's Office fined the Belfast Health and Social Care Trust £225,000 after sensitive patient and staff records were left in an abandoned hospital and photographed by trespassers. The images, including medical files and pay slips, were posted online before the trust noticed.

www.theregister.com

13. European Parliament's trade committee rejects ACTA

The European Parliament's International Trade Committee voted to recommend rejecting the Anti-Counterfeiting Trade Agreement, making opposition unanimous across the advising committees. The treaty had drawn heavy criticism over its threat to online privacy and free expression.

boingboing.net

14. Supreme Court voids FCC indecency findings against broadcasters

The Supreme Court ruled unanimously that the Federal Communications Commission had not given Fox and ABC fair notice that fleeting expletives and brief nudity would be penalised. The Court held the indecency standards void for vagueness under the Fifth Amendment.

www.csmonitor.com

15. Facebook quietly switches users to @facebook.com email addresses

Facebook replaced the contact email shown on user profiles with new @facebook.com addresses without clear warning. The change drew a strong backlash from users who saw it as a move to keep them inside Facebook's walls.

techcrunch.com

16. FTC sues Wyndham hotels over repeated data breaches

The Federal Trade Commission filed suit against Wyndham Worldwide after three breaches exposed payment card data for hundreds of thousands of customers. The complaint alleged the chain failed at basic measures such as firewalls, network segmentation and strong passwords.

www.ftc.gov

17. Brighton hospital trust fined £325,000 over hard drives sold on eBay

The Information Commissioner's Office fined Brighton and Sussex University Hospitals NHS Trust £325,000, its largest penalty to that date, after a contractor sold patient hard drives on eBay rather than destroying them. The drives held sensitive records, including details of patients treated for HIV and sexual infections.

www.computerworlduk.com

18. EU data protection regulators set out rules for face recognition apps

The Article 29 Working Party issued guidance saying face recognition apps must obtain informed consent before processing people's photos or facial measurements. The opinion stressed that buried terms or simple opt-out settings would not be enough.

www.eff.org

19. New York court orders Twitter to hand over an Occupy protester's tweets

A Manhattan judge ordered Twitter to produce nearly three months of tweets from Occupy Wall Street protester Malcolm Harris, ruling he had no standing to fight the subpoena. The judge wrote that a public tweet carries no reasonable expectation of privacy.

www.cbsnews.com

20. EFF says the government still claims it cannot be sued over wiretapping

The Electronic Frontier Foundation reported that the government continued to invoke sovereign immunity and the state secrets privilege to avoid a ruling on warrantless surveillance. The post tracked Jewel v. NSA and related cases as the administration tried to block any test of the programmes' legality.

www.eff.org
