Privacy Roundup #0078 • January 2013

January 2013 paired sweeping cyber espionage and breach disclosures with a wave of enforcement, transparency reports and the death of Aaron Swartz, which turned computer crime law into a privacy fault line.

1. FTC closes its Google antitrust investigation without a search-bias case

The Federal Trade Commission ended its nineteen-month inquiry into Google and concluded that it lacked the evidence to bring a search-bias case. Google agreed to loosen some restrictions on advertisers and to stop scraping rival sites, but it faced no fine.

searchengineland.com

2. Ruby on Rails flaw puts hundreds of thousands of sites at risk

A critical hole in the Ruby on Rails web framework, tracked as CVE-2013-0156, let attackers run code on any server with the default XML parser switched on. Roughly 240,000 sites were exposed, and a working exploit appeared within hours.

www.theregister.com

3. Java zero-day exploit spreads through crimeware kits

A previously unknown flaw in fully patched Java 7, later named CVE-2013-0422, was folded into the Blackhole and Nuclear Pack exploit kits and used to plant malware on victims. The US government advised people to disable the Java browser plug-in until a fix arrived.

krebsonsecurity.com

4. Aaron Swartz dies while facing computer crime charges

Aaron Swartz, the programmer and activist who helped build RSS and Reddit, was found dead in his apartment on 11 January while facing felony charges under the Computer Fraud and Abuse Act. His death prompted sharp criticism of prosecutorial overreach and the breadth of computer crime law.

www.eff.org

5. Kaspersky uncovers the Red October cyber espionage campaign

Kaspersky Lab disclosed Operation Red October, a five-year campaign that quietly stole diplomatic and government secrets from networks across Eastern Europe and beyond. The modular malware could even resurrect itself on cleaned machines through hidden plug-ins.

www.cbsnews.com

6. EFF proposes fixing the CFAA in the wake of Swartz

The Electronic Frontier Foundation set out reforms to the Computer Fraud and Abuse Act so that breaking a terms-of-service contract or changing an IP address could no longer be charged as a felony. The proposals fed into what would later become Aaron's Law.

www.eff.org

7. Polish registry seizes domains controlling the Virut botnet

Polish registry NASK took over twenty-three .pl domains used to command the Virut botnet and redirected the traffic to a CERT Polska sinkhole. Some of the seized domains had steered the malware for nearly five years.

krebsonsecurity.com

8. TSA agrees to pull naked-image body scanners from airports

The Transportation Security Administration ended its contract for backscatter scanners that produced detailed naked images of travellers and began removing them from US airports. The move followed years of EPIC litigation that forced a public rulemaking on the devices.

archive.epic.org

9. Facebook Graph Search raises fresh privacy worries

Facebook launched Graph Search, a tool that let people run structured queries across friends, friends of friends and strangers. Privacy advocates warned that content buried years ago could suddenly be surfaced, and they urged users to review their settings.

www.eff.org

10. Kim Dotcom launches the encrypted Mega file-sharing site

A year to the day after the raid that shut down Megaupload, Kim Dotcom launched Mega, a storage site where only users held the keys to decrypt their files. Half a million people registered in the first fourteen hours.

www.salon.com

11. Three men charged over the Gozi banking Trojan

US prosecutors charged a Russian, a Latvian and a Romanian over the Gozi Trojan, a strain of malware tailored to drain specific banks. Gozi infected more than a million computers and stole personal and financial data, causing millions of dollars in losses.

krebsonsecurity.com

12. Backdoor accounts found in Barracuda Networks appliances

A researcher revealed undocumented accounts in Barracuda firewall, spam filter and VPN appliances that allowed remote access over SSH. The accounts were meant to be reachable only from Barracuda's own addresses, yet hundreds of unrelated networks shared those ranges.

krebsonsecurity.com

13. UK regulator fines Sony £250,000 over the PlayStation breach

The Information Commissioner's Office fined Sony Computer Entertainment Europe £250,000 over the 2011 PlayStation Network breach that exposed millions of customers' details. Regulators said the attack could have been prevented with up-to-date patches and proper password protection.

www.theregister.com

14. Appeals court keeps WikiLeaks Twitter records secret

The Fourth Circuit refused to unseal or even list the orders the government had sent to companies for the records of three Twitter users tied to its WikiLeaks investigation. The ruling let the Justice Department keep its warrantless data demands hidden from public view.

www.aclu.org

15. Anonymous hijacks a US government site over Swartz

The hacktivist group Anonymous defaced the US Sentencing Commission website, planting a game of Asteroids and a message protesting the prosecution of Aaron Swartz. The group claimed to hold encrypted government files and threatened to release the keys unless computer crime law was reformed.

www.theregister.com

16. Dutch and Canadian regulators find WhatsApp breaks privacy law

A joint investigation by the Dutch and Canadian data protection authorities found that WhatsApp forced users to hand over their entire address book and kept the numbers of non-users. Regulators also noted that messages had been sent unencrypted and open to interception.

www.dutchnews.nl

17. Google transparency report shows rising government demands

Google set out how it handles government requests and reported that demands for user data kept climbing, with the United States leading the field. More than two-thirds of US requests arrived as subpoenas that carried no judicial oversight.

publicpolicy.googleblog.com

18. Rapid7 finds tens of millions of devices exposed through UPnP

Rapid7 reported that flaws in the Universal Plug and Play protocol left between forty and fifty million internet-facing devices open to attack. Affected products ranged from home routers and printers to network storage and IP cameras.

www.theregister.com

19. Chinese hackers infiltrate The New York Times for months

The New York Times disclosed that hackers based in China had been inside its network for roughly four months, stealing reporters' passwords. The intrusion followed the paper's investigation into the wealth of relatives of Chinese premier Wen Jiabao.

www.helpnetsecurity.com

20. Advocates press Microsoft for a Skype transparency report

Privacy and human rights groups published an open letter urging Microsoft to document Skype's security practices and to disclose how it answers government requests for user data. The campaign argued that transparency reports should become standard for the platforms on which activists and journalists rely.

www.eff.org
