Privacy Roundup #0080 • March 2013
March 2013 mixed fresh breaches and denial of service floods with a wave of corporate transparency, as regulators, courts and campaigners pushed back against everyday surveillance.
1. Evernote forces a service-wide password reset after a breach
Evernote told its more than fifty million users that attackers had reached an internal network holding usernames, email addresses and hashed passwords. The company reset every account password as a precaution, even as it found no sign that stored notes had been touched.
2. Celebrities and politicians lose their privacy in a doxing attack
A site called exposed.su published home addresses, social security numbers and credit files for figures including Michelle Obama, the head of the FBI and the attorney general. The data appeared to come from poorly guarded access to the three big credit bureaus, and the case sparked federal and local investigations.
→ www.infosecurity-magazine.com
3. Researcher cracks China's Skype surveillance keyword list
A graduate student bypassed the encryption used by TOM-Skype, the Chinese version of Skype, and uncovered the secret blacklist that scans messages for sensitive words. The terms ranged from drug references to the names of human rights groups and the locations of planned protests.
4. Citizen Lab maps government spyware across twenty-five countries
Researchers at Citizen Lab found thirty-six servers in twenty-five countries running the FinSpy surveillance tool sold by the Gamma Group. The command and control machines turned up in democracies and authoritarian states alike, including the United States, Canada, Ethiopia and Bahrain.
5. A denial of service attack knocks JPMorgan Chase offline
JPMorgan Chase confirmed that its website and online banking were disrupted by a flood of malicious traffic that blocked customers for hours. The bank was one of several American financial firms targeted by a campaign that claimed political motives.
6. Google settles the Street View Wi-Fi snooping case for seven million dollars
Thirty-eight states reached a seven million dollar settlement with Google over Street View cars that collected data from unsecured home wireless networks. Privacy advocates argued that the deal failed to address the underlying harm and even risked discouraging open networks.
7. Microsoft publishes its first law enforcement transparency report
Microsoft released its first report on government demands, covering more than seventy-five thousand requests received in 2012 across services from Hotmail to Skype. The disclosure followed an open letter from rights groups pressing the company to account for its handling of user data.
8. Charts lay bare which states ask Google for the most user data
The EFF and partners visualised Google's transparency figures to show which governments demanded the largest share of user information. The analysis flagged places such as Hong Kong and Singapore as making heavy requests relative to their online populations.
9. House hearing pushes to update a 1986 email privacy law
A House hearing examined reform of the Electronic Communications Privacy Act, the 1986 statute that lets the government read old email without a warrant. The Department of Justice conceded that people hold a reasonable expectation of privacy in email older than one hundred and eighty days.
10. Documents show a secret Stingray order was not a real warrant
Records obtained by the ACLU revealed that federal agents used a Stingray cell site simulator under a court order that never mentioned the device. Judges in the district had raised concerns that a basic pen register order was being stretched to authorise far more invasive location tracking.
11. Hacker known as weev sentenced over the AT&T iPad data grab
Andrew Auernheimer received a forty-one month prison sentence for exploiting a flaw on AT&T servers that exposed the email addresses of around one hundred and fourteen thousand iPad owners. Supporters argued that he had exposed a security hole rather than committed a crime.
12. Cyberattack wipes computers at South Korean banks and broadcasters
A coordinated attack hit three broadcasters and three banks in South Korea, erasing files on around thirty-two thousand machines. Some bank branches and cash machines were paralysed, and officials later blamed North Korea for the assault.
13. Spamhaus weathers a record denial of service attack
Anti-spam group Spamhaus was hit by what was then the largest denial of service attack on record, peaking at around three hundred gigabits per second. The flood, traced to a dispute with the Dutch host Cyberbunker, briefly disrupted wider parts of the internet.
→ www.infosecurity-magazine.com
14. Apple adds two-step verification to the Apple ID
Apple introduced an optional two-step verification system for the Apple ID, asking users to supply a short code in addition to their password. The move aimed to harden accounts against takeovers after a string of high-profile credential thefts.
15. A Seattle bar bans Google Glass before the device even ships
The owner of a Seattle cafe announced that customers wearing Google Glass would not be welcome, citing fears of being filmed and posted online without consent. The casual notice drew worldwide attention and previewed years of arguments over wearable cameras.
16. European Parliament committee delays its data protection vote
The lead committee of the European Parliament postponed its vote on the proposed General Data Protection Regulation until late May. Members were struggling under more than three thousand amendments tabled to the sweeping privacy reform.
17. A Gates-funded student database spooks parents
A one hundred million dollar database backed by the Gates Foundation began storing records on millions of schoolchildren, including grades, disabilities and sometimes social security numbers. Parents and civil liberties advocates warned that centralising such data created a tempting target for abuse.
18. Report details how shops quietly track their customers
A Consumer Reports investigation described how retailers used cameras, facial detection and smartphone signals to watch shoppers move through stores. The piece noted that buyers staring at a digital sign rarely realised a hidden camera was studying their age, sex and mood.
19. Virginia moves to become the first state with a drone moratorium
Governor Bob McDonnell amended legislation that placed a two-year moratorium on police and regulatory use of drones in Virginia. The bill banned weaponised drones and set narrow exceptions, putting the state at the front of efforts to curb aerial surveillance.
20. Schnucks discloses a breach that exposed millions of payment cards
The Schnucks supermarket chain announced that attackers had quietly harvested card data at most of its stores for months, exposing around two and a half million credit and debit cards. The company said it took weeks to trace and contain the intrusion after fraud reports surfaced.