Privacy Roundup #0086 • September 2013

The Snowden disclosures reached their peak as the NSA was shown to undermine encryption itself, while leaders abroad and watchdogs at home pushed back.

1. NSA campaign to crack and undermine internet encryption revealed

Documents from Edward Snowden showed that the NSA had spent billions to defeat the encryption that protects banking, email and web traffic, a programme codenamed Bullrun. The agency had inserted weaknesses into commercial products and influenced international standards rather than rely on mathematics alone.

www.propublica.org

2. NSA spied on the presidents of Brazil and Mexico

Brazil's Globo network reported that the NSA had read the emails and messages of Mexican President Enrique Pena Nieto before his election and had intercepted the communications of Brazilian President Dilma Rousseff. The disclosure, presented by Glenn Greenwald, drew sharp diplomatic protests from both governments.

www.aljazeera.com

3. NSA shown able to read data from major smartphones

Der Spiegel reported that the NSA could extract contacts, text messages, notes and location data from iPhone, BlackBerry and Android devices. The agency had set up a dedicated working group for each major operating system to gain covert access.

www.teltarif.de

4. FTC settles with TRENDnet over exposed home security cameras

The Federal Trade Commission announced a settlement with TRENDnet after lax security let strangers view and listen to live feeds from roughly 700 home and baby monitoring cameras. The company agreed to a comprehensive security programme and independent audits every two years for twenty years.

www.theregister.com

5. Government releases NSA documents and secret FISA court opinions

In response to a long-running Electronic Frontier Foundation lawsuit, the government declassified hundreds of pages on the bulk collection of Americans' phone records. The papers showed the NSA had repeatedly misled the surveillance court about how the programme worked.

www.eff.org

6. NSA shares raw, unminimised intelligence with Israel

A memorandum of understanding showed that the NSA routinely passed raw collection, including the communications of American citizens, to an Israeli intelligence unit. The agreement placed no legally binding limits on how the Israelis could use the data.

www.securityweek.com

7. Vodafone Germany breach exposes two million customers

Vodafone confirmed that an intruder had accessed the names, addresses, dates of birth and bank account details of about two million German customers. The company described the attack as the work of an insider and said a suspect had been identified.

www.engadget.com

8. NSA accused of hacking Brazil's oil company Petrobras

Documents shown on Brazilian television indicated that the NSA had penetrated the computer networks of the state oil firm Petrobras. President Rousseff warned that, if confirmed, the spying amounted to industrial espionage driven by economic interests rather than security.

en.mercopress.com

9. NSA Follow the Money branch tracked global financial flows

Der Spiegel reported that an NSA unit called Follow the Money had monitored international credit card payments and the SWIFT banking network. Its Tracfin database held around 180 million records, the great majority of them credit card transactions.

techcrunch.com

10. Scrutiny falls on the Dual_EC_DRBG random number standard

Cryptographers detailed the deep flaws in the Dual_EC_DRBG generator after reports that the NSA had engineered it as a backdoor. The analysis explained how anyone who knew the secret relationship between two parameters could predict the generator's output.

blog.cryptographyengineering.com

11. Senator Franken presses Apple over Touch ID fingerprints

Senator Al Franken wrote to Tim Cook with twelve questions about the new iPhone 5s fingerprint sensor and how Apple stored and protected the data. He warned that a fingerprint, unlike a password, cannot be changed once it is compromised.

www.macrumors.com

12. GCHQ named as the agency that hacked Belgacom

Der Spiegel published Snowden documents identifying Britain's GCHQ as the force behind a years-long breach of the Belgian telecoms operator Belgacom, codenamed Operation Socialist. Spies had lured engineers to fake pages that planted malware on their machines.

slate.com

13. Chaos Computer Club defeats Apple's Touch ID

The Chaos Computer Club demonstrated that it could fool the iPhone 5s fingerprint reader using a fake finger made from a print lifted off glass. The trick used a high-resolution photograph, a laser printer and household materials to spoof the sensor.

www.ccc.de

14. California signs the online eraser button law for minors

Governor Jerry Brown signed SB 568, requiring websites and apps to let minors delete content they had posted. The law also restricted advertising of products such as alcohol, tobacco and firearms to young users.

laist.com

15. India found to be a top target of NSA surveillance

Documents reported by The Hindu showed that India ranked fifth among countries watched most closely by the NSA. The agency had used Boundless Informant and PRISM to gather billions of pieces of internet and telephone data each month.

www.commondreams.org

16. Rousseff condemns NSA spying at the United Nations

Speaking just before President Obama at the UN General Assembly, Brazil's Dilma Rousseff called American surveillance a breach of international law and an affront to her country's sovereignty. She urged the United Nations to draw up rules to govern the internet and protect privacy.

www.techdirt.com

17. Identity theft service found to have hacked major data brokers

An investigation by Brian Krebs revealed that the SSNDOB identity service had planted malware inside LexisNexis, Dun and Bradstreet and Kroll Background America. The intruders had quietly siphoned Social Security numbers, birth records and background reports on millions of Americans.

krebsonsecurity.com

18. NSA maps the social connections of Americans

Newly disclosed documents showed that since 2010 the NSA had built detailed graphs of some Americans' social ties, locations and travelling companions. The agency enriched its metadata with bank codes, insurance records, Facebook profiles and voter rolls.

www.csoonline.com

19. California enacts its Do Not Track disclosure law

Governor Brown signed AB 370, amending the state's online privacy law to require websites to disclose how they respond to Do Not Track signals. Sites also had to say whether third parties could track users across the web.

www.alstonprivacy.com

20. Yahoo publishes its first transparency report

Yahoo released its first global transparency report, revealing about 29,000 government requests for user data in the first half of 2013. Just under half of those requests, some 12,444, came from the United States.

www.securityweek.com

