Privacy Roundup #0073 • August 2012
August 2012 showed how weak account recovery, leaky databases and government surveillance powers all chip away at personal privacy at once.
1. A reporter's whole digital life was wiped through a phone-call hack
Wired writer Mat Honan lost his Google, Twitter and Apple accounts after attackers tricked Amazon and Apple support staff into resetting his credentials. The case showed how account-recovery questions and partial card numbers can hand over a person's entire online identity.
2. Google paid a record $22.5 million to settle the Safari tracking case
The Federal Trade Commission announced that Google would pay $22.5 million for placing tracking cookies in the Safari browsers of users who had been told they were opted out. It was the largest civil penalty the agency had ever imposed on a single company at the time.
3. Appeals court said victims cannot sue the government for warrantless wiretapping
The Ninth Circuit threw out the Al-Haramain charity's lawsuit over warrantless surveillance, ruling that the government had not waived its immunity from such claims. The decision left people who are spied on without a warrant with no clear way to seek a remedy in court.
4. Blizzard's Battle.net was breached, exposing emails and security answers
Blizzard disclosed that intruders had reached its internal network and copied email addresses, scrambled passwords and personal security answers. The company urged millions of players to change their passwords and security questions at once.
5. Germany reopened its probe into Facebook's facial recognition
Hamburg's data protection commissioner restarted an investigation into Facebook's photo tagging, saying the company was building a face database without proper consent. The regulator demanded that Facebook delete the German data and ask users to opt in rather than out.
6. Twitter appealed a ruling forcing it to hand over a protester's tweets
Twitter challenged a New York court order that demanded the tweets and account data of Occupy Wall Street protester Malcolm Harris. The company argued that users keep a privacy interest in their posts and that broad subpoenas need a warrant.
7. Researchers uncovered Gauss, spyware built to watch bank accounts
Kaspersky Lab revealed Gauss, a state-sponsored toolkit that stole banking credentials, cookies and browser passwords from infected machines, mostly in Lebanon. Its design and code linked it to the same group behind the Flame and Stuxnet operations.
8. A court pressed Homeland Security over its body-scanner rules
The DC Circuit ordered the Department of Homeland Security to answer EPIC's petition demanding a public rulemaking on airport body scanners. The agency had stalled for a year despite an earlier order to take public comment on the privacy impact.
9. Leaked emails exposed TrapWire, a camera-fed surveillance network
Documents published through WikiLeaks described TrapWire, a system that pulls data from surveillance cameras at sites across American cities. The revelation raised alarm that ordinary security cameras were feeding a central intelligence database.
10. Sixth Circuit said police need no warrant for phone location data
The appeals court ruled in United States v. Skinner that officers could track a suspect's mobile phone location without a warrant. Civil liberties groups warned that the reasoning stripped location privacy from everyone, not just criminals.
11. The Senate cybersecurity bill collapsed over monitoring fears
The Cybersecurity Act of 2012 fell short in the Senate, partly because privacy advocates feared it would push providers to monitor their customers. The 52 to 46 vote left the year's main cybersecurity effort dead for the moment.
12. A wiper virus tore through 30,000 Saudi Aramco computers
Saudi Aramco confirmed that the Shamoon virus had destroyed data on about 30,000 of its workstations, forcing the company offline for days. Investigators treated it as one of the most damaging corporate cyberattacks seen up to that point.
13. India blocked hundreds of accounts and pages after riot rumours
The Indian government ordered Internet providers to block more than 300 web addresses, including Twitter accounts and Facebook pages, citing inflammatory content tied to violence in Assam. Critics called it some of the heaviest online censorship the country had yet attempted.
14. FinFisher spy software was found in mobile versions for every major phone
Citizen Lab researchers identified mobile FinFisher samples built to monitor iPhone, Android, BlackBerry, Windows Mobile and Symbian devices. The tool could read messages, track calls and report a target's whereabouts to government clients.
15. Team GhostShell dumped a million records from banks and agencies
The hacking crew Team GhostShell leaked roughly one million account records taken from banks, government bodies and consultancies as part of its Project Hellfire campaign. Analysts found that most of the data had been pulled out through simple SQL injection flaws.
16. The FTC made its Facebook privacy settlement final
The Federal Trade Commission accepted as final its order requiring Facebook to honour its privacy promises and submit to regular audits. Facebook now has to get clear consent before sharing data beyond a user's chosen settings, including facial recognition data.
17. The FTC proposed closing a children's privacy loophole for ad networks
The agency sought comment on revised children's privacy rules that would cover ad networks and plug-ins collecting data through child-directed sites and apps. The plan aimed to stop third parties from gathering children's information without a parent's consent.
18. EFF sued the government over admittedly illegal surveillance
The Electronic Frontier Foundation filed a Freedom of Information Act lawsuit demanding records about NSA spying that had gone beyond what the FISA Amendments Act allowed. The group wanted the secret court opinions and congressional briefings that described the violations.
19. Dropbox joins the security two-step party
Dropbox detailed the breach that had flooded some users with spam and admitted that a reused employee password had exposed a file of customer email addresses. The firm rolled out optional two-step verification so that an account could no longer be opened with a stolen password alone.
20. Captured server data revealed the inner workings of the Grum spam botnet
Investigators examined a control server from the recently dismantled Grum botnet and found years of records on the infected machines that fuelled it. At its peak the network had pumped out billions of spam messages a day from roughly 193,000 hijacked computers.