Privacy Roundup #0074 • September 2012

September 2012 mixed state censorship of Google, YouTube and Twitter with hard breach disclosures, fresh browser and card flaws and a wave of surveillance and tracking fights.

1. AntiSec leaks a million Apple device IDs said to come from an FBI laptop

The hacker group AntiSec posted around one million Apple unique device identifiers and claimed they were trimmed from a file of twelve million taken from an FBI agent's laptop. The FBI and Apple both denied that the bureau had ever sought or held the data.

techcrunch.com

2. Pew finds most smartphone owners take steps to guard their data

A Pew Research survey reported that most application users had backed away from installing an app once they saw how much personal information it wanted. Many people had also cleared their browsing history or switched off location tracking out of concern about who could reach the data.

www.pewresearch.org

3. GoDaddy outage knocks millions of sites offline as Anonymous claims credit

GoDaddy suffered an outage of several hours that took down customer websites and the domain name service used by many others. A person using the handle AnonymousOwn3r claimed responsibility, though the wider Anonymous network distanced itself and the company later blamed internal network faults.

thenextweb.com

4. Microsoft disrupts the Nitol botnet hidden in counterfeit Windows machines

Microsoft won a court order to seize the Chinese domain 3322.org and block the Nitol botnet along with tens of thousands of malicious subdomains. The company said it found the malware preloaded on new computers sold with counterfeit copies of Windows.

blogs.microsoft.com

5. Cambridge researchers show chip and PIN cards can be cloned

Cambridge researchers published a paper describing how weak random number generation in some payment terminals allowed a pre-play attack on chip and PIN cards. A crook with brief access to a card could harvest codes and later make fraudulent withdrawals at cash machines.

krebsonsecurity.com

6. House renews the FISA Amendments Act without new privacy limits

The House of Representatives voted to renew the FISA Amendments Act for another five years, leaving the warrantless surveillance powers in place. The vote came despite the government conceding that the secret court had once found such surveillance to breach the Fourth Amendment.

www.eff.org

7. Philippines signs a cybercrime law that criminalises online libel

President Aquino signed the Cybercrime Prevention Act, which sharply raised the penalty for online libel and let the justice department order websites taken down without a warrant. Rights groups warned that the law would chill free speech and enable warrantless real-time data collection.

www.hrw.org

8. Leaked White House draft hands cyber powers across vague critical sectors

A leaked draft of a White House cybersecurity executive order surfaced as a stand-in for the legislation that had stalled in Congress. Critics said it set up information sharing with little attention to privacy and used a dangerously broad definition of critical infrastructure.

www.techdirt.com

9. Twitter hands an Occupy protester's tweets to a New York court

Twitter gave up months of tweets belonging to Occupy Wall Street protester Malcolm Harris after a judge threatened the company with contempt and a fine. The handover ended a long fight against a subpoena from the Manhattan district attorney.

www.theregister.com

10. Working exploit appears for an Internet Explorer zero-day

A previously unknown flaw in Internet Explorer came under active attack, and working exploit code was published and added to the Metasploit framework. The vulnerability affected versions seven, eight and nine and let attackers run code on a victim's machine through a booby-trapped web page.

krebsonsecurity.com

11. Pakistan blocks YouTube nationwide over an anti-Islam video

The Pakistani prime minister ordered YouTube blocked across the country after Google refused to remove a video clip considered blasphemous. The block followed deadly street protests and remained in place for years.

www.aljazeera.com

12. Facebook switches off facial recognition for European users

Facebook turned off its tag suggestion facial recognition feature for new European users and agreed to delete stored face templates by mid-October. The move followed a review by the Irish Data Protection Commissioner that pushed the company beyond its first set of recommendations.

techcrunch.com

13. Iran blocks Google and Gmail over the same anti-Islam film

Iran announced that it was filtering Google and Gmail across the country during a wave of anger over an anti-Islam video on YouTube. Officials tied the block to that controversy as the state pushed its own national email service and domestic network.

slate.com

14. IEEE leaks a hundred thousand members' passwords in plain text

A researcher found that login details for about a hundred thousand IEEE members sat in plain text in log files on a public FTP server. The exposed accounts belonged to staff at companies such as Apple, Google and IBM and to researchers at NASA and Stanford.

it.slashdot.org

A researcher demonstrated that a single hidden USSD code embedded in a web page could reset some Samsung phones to factory settings. The code worked through the stock browser on TouchWiz devices and could also arrive by text message, NFC tag or QR code.

www.engadget.com

16. Researchers expose the VOHO watering hole espionage campaign

RSA detailed the VOHO campaign, in which attackers compromised trusted websites to plant code that infected selected visitors with a remote access trojan. The compromised sites included a Maryland local government and a Massachusetts bank, and the operation redirected tens of thousands of visitors.

threatpost.com

17. California bars employers from demanding workers' social media passwords

Governor Jerry Brown signed two bills that stopped employers and colleges in California from forcing applicants, staff or students to hand over social media account details. The state became one of the first to write such protection into law.

www.dorsey.com

18. Chinese hackers blamed for breach at energy giant Telvent

Telvent told customers that attackers had broken into its internal network and stolen project files tied to its OASyS industrial control software. Investigators linked the intrusion to a Chinese group known for cyber-espionage against Western targets, raising fears about the energy grid.

krebsonsecurity.com

19. Adobe revokes a code-signing certificate after a server breach

Adobe admitted that attackers had compromised a build server and used its code-signing certificate to make malware look like genuine Adobe software. The company said it would revoke the certificate and warned that signed tools for stealing Windows password hashes had already appeared.

www.helpnetsecurity.com

20. New Zealand admits its spy agency illegally watched Kim Dotcom

Prime Minister John Key apologised after an official report found that the GCSB had unlawfully intercepted the communications of Megaupload founder Kim Dotcom, a New Zealand resident. The agency was barred from spying on residents and had relied on wrong information about his status before the raid on his home.

www.aljazeera.com

