Privacy Roundup #0079 • February 2013
February 2013 brought a wave of state-linked intrusions, fresh regulatory pressure on mobile apps, and hacktivists exposing corporate and government surveillance.
1. Path settles FTC charges over secretly harvesting address books
The social app maker agreed to pay $800,000 after collecting contacts from users' address books without consent and gathering data from children. The settlement required a comprehensive privacy programme and independent audits for twenty years.
2. FTC report urges just-in-time consent for mobile apps
The Commission released "Mobile Privacy Disclosures: Building Trust Through Transparency", recommending that platforms ask permission before apps reach sensitive data. The report also floated a Do Not Track mechanism for mobile advertising.
3. Twitter confirms hackers compromised 250,000 accounts
The company reset passwords and session tokens after attackers reached usernames, email addresses, and hashed passwords. Twitter said the intruders were sophisticated and that other firms had faced similar campaigns.
4. Hackers breach US Energy Department networks
Intruders reached fourteen servers and twenty workstations at the department's headquarters, exposing the personal data of several hundred employees and contractors. Officials treated the incident as a national security matter and said no classified information was taken.
5. Anonymous claims hack of Federal Reserve contact system
The group obtained details for roughly 4,000 bankers by exploiting a vendor flaw in the Fed's emergency communications system. The campaign, called Operation Last Resort, was a protest over the prosecution of Aaron Swartz.
6. Security firm Bit9 hacked and used to sign malware
Attackers stole one of Bit9's code-signing certificates and used it to sign malware, which was then pushed as trusted software onto at least three customers. The whitelisting vendor admitted it had failed to run its own product on the affected machines.
7. Adobe rushes emergency Flash patches for two zero-days
Adobe shipped out-of-band fixes for two flaws already exploited in the wild against Windows and Mac users. The attacks arrived through booby-trapped Word documents aimed at aerospace and other targets.
8. Facebook Graph Search raises fresh discoverability fears
Security researchers warned that the new search tool turned scattered profile data into instantly queryable intelligence about employees and strangers. Information that was technically public but hard to find could now be surfaced in seconds.
9. Raytheon Riot software tracks people across social networks
A leaked video showed Raytheon's "Riot" tool mining Facebook, Twitter, and Foursquare to map a person's movements and predict where they would go next. Privacy advocates warned it would let governments surveil ordinary people without suspicion.
10. Obama signs cybersecurity executive order for critical infrastructure
Executive Order 13636 directed NIST to build a voluntary security framework and pushed agencies to share threat data with private operators. It included privacy safeguards based on Fair Information Practice Principles.
→ obamawhitehouse.archives.gov
11. FAA agrees to address drone privacy after EPIC petition
Responding to a petition backed by more than a hundred groups, the FAA said it would seek public comment on the privacy impact of drones at test sites. The agency acknowledged that wider drone use raised genuine privacy concerns.
12. Apple breached by the same crew that hit Facebook
Apple disclosed that malware infected a limited number of Mac systems through a Java browser flaw used to attack a developer forum. The company said no data was stolen and that it would release a tool to clean infected machines.
13. Mandiant report ties APT1 espionage to China's military
The firm published an unprecedented dossier linking a prolific hacking group to a Shanghai-based unit of the People's Liberation Army. It documented years of theft from 141 victims and released more than three thousand indicators.
14. Burger King and Jeep Twitter accounts hijacked
Hackers seized both brand accounts, rebranding Burger King as McDonald's and Jeep as Cadillac before the feeds were locked down. The takeovers underlined how weak social media credentials could expose major companies.
15. Zendesk breach exposes Twitter, Pinterest, and Tumblr users
A hacker reached the support vendor's systems and downloaded email addresses and subject lines from people who had contacted the three services. Passwords were not part of the breach, but the incident showed the risk of shared suppliers.
16. NBC.com hacked to spread Citadel banking malware
Attackers planted hidden code on NBC sites that redirected visitors to an exploit kit serving the Citadel and Zeus trojans. The infection abused Java and PDF flaws to steal banking credentials from anyone who visited the pages.
17. Microsoft confirms it was caught in the same Java attack
Microsoft said a small number of its computers, including some in the Mac business unit, were infected by the campaign that struck Apple and Facebook. The company reported no evidence that customer data was affected.
18. HTC settles FTC charges over insecure smartphones
In its first case against a device maker, the FTC said HTC shipped phones with flaws that exposed location, messages, and other sensitive data. The company agreed to patch the holes and submit to security audits for twenty years.
19. Supreme Court dismisses challenge to FISA surveillance law
In Clapper v. Amnesty International, the court ruled that the plaintiffs could not prove they were surveilled and so lacked standing to sue. Critics warned this let the government shield secret spying from any challenge.
20. Anonymous leaks Bank of America surveillance dossier
Hacktivists released hundreds of files showing that contractors had monitored Anonymous and Occupy activists across chat rooms and social media. The cache exposed how the bank tracked online dissent through outside analysts.