Privacy Roundup #0088 • November 2013
November 2013 saw the Snowden revelations widen from American programmes to the surveillance of allies, while a run of password breaches and a wave of corporate encryption pledges reshaped the privacy landscape.
1. NSA gathered porn habits to discredit suspected radicalisers
Leaked documents showed the NSA collected records of online sexual activity belonging to six men it labelled radicalisers, intending to use the material to damage their reputations. None of the six was accused of plotting an attack, and the plan revived old fears of intelligence agencies weaponising private behaviour.
2. GCHQ's Royal Concierge tracked diplomats' hotel bookings
Der Spiegel revealed that GCHQ ran a programme called Royal Concierge that monitored reservation systems at around 350 upmarket hotels worldwide. When a booking arrived from a government email address, analysts received an alert and could prepare to wiretap the room or deploy human agents.
3. Australia tried to tap the Indonesian president's phone
The Guardian and the ABC published Snowden slides showing that Australia's Defence Signals Directorate targeted the mobile phone of Indonesian President Susilo Bambang Yudhoyono, his wife and senior ministers in 2009. The disclosure triggered a serious diplomatic rupture and a review of cooperation between the two countries.
4. NSA logged 33 million phone records in Norway
The Norwegian newspaper Dagbladet reported a document showing the NSA had logged more than 33 million phone records in Norway over a single month. Norwegian ministers expressed shock, and the country's intelligence service later said it had collected some of the data itself for military purposes.
5. NSA infected 50,000 networks with malware
NRC Handelsblad published a management slide revealing that the NSA had planted malware implants on more than 50,000 computer networks across the globe. The implants could be switched on remotely, acting as digital sleeper cells ready to siphon data at will.
6. Dutch intelligence agency hacked web forums
A further Snowden document published by NRC Handelsblad showed that the Dutch service AIVD had hacked internet forums and harvested data on all of their users. Legal experts warned the technique amounted to mass surveillance, and Dutch members of parliament demanded an inquiry.
7. MacRumors forums breached, exposing 860,000 accounts
The Apple news site MacRumors disclosed that attackers had broken into its forums and accessed usernames, email addresses and hashed passwords for more than 860,000 members. The intruders had compromised a moderator account and then escalated their access to reach the password database.
8. vBulletin.com hacked, prompting a password reset
The forum software maker vBulletin admitted that attackers had reached customer IDs and encrypted passwords on its own systems. The company urged users to reset their passwords, while a group claimed it had used a zero-day flaw that also hit MacRumors.
9. Cupid Media leaked 42 million plaintext passwords
Brian Krebs found a database from the Australian dating company Cupid Media that held more than 42 million customer records, including names, email addresses, birthdays and passwords stored in plain text. The company tied the data to an intrusion it had detected in January but never publicly disclosed.
10. Google paid $17 million over Safari cookie tracking
Google agreed to a $17 million settlement with 37 states and the District of Columbia over its bypassing of cookie-blocking settings in Apple's Safari browser. The deal required Google to stop circumventing browser controls and to explain its use of cookies to users.
11. Experts told Congress Healthcare.gov was not safe to use
At a House hearing titled "Is My Data on HealthCare.gov Secure?", security researcher David Kennedy warned of live vulnerabilities on the federal health insurance site. The site linked tax, financial and identity records from several agencies, and a bipartisan panel of experts advised against using it.
12. NSA strategy document set out a push for more power
The New York Times published an NSA strategy paper that described a desire to collect signals intelligence from anyone, anytime and anywhere. The document complained that the law had not kept pace with the agency's mission and called for legal authorities to be adapted in its favour.
13. Yahoo pledged to encrypt traffic between its data centres
Marissa Mayer announced that Yahoo would encrypt all traffic flowing between its data centres by the first quarter of 2014. The move followed reports that intelligence agencies had tapped the private links connecting Google and Yahoo servers.
14. Microsoft moved to encrypt its services against snooping
Microsoft said it would encrypt customer data moving across its services and between its data centres, citing concern about government interception. General counsel Brad Smith called the prospect of the NSA tapping its links a possible constitutional breach.
15. NSA and GCHQ spied on OPEC
Der Spiegel reported that the NSA and GCHQ had infiltrated the computer systems of the oil cartel OPEC. GCHQ used the Quantum Insert method to compromise nine employees and gained administrator rights over the network, while the NSA claimed to have penetrated the organisation in its entirety.
16. Loyaltybuild breach exposed 1.5 million Europeans
The Irish marketing firm Loyaltybuild disclosed a breach that compromised the personal details of about 1.5 million people across Europe. Full card details, including security codes, were exposed for more than 376,000 customers, and a Garda investigation followed.
17. US-CERT warned of the CryptoLocker ransomware
US-CERT issued a formal alert about CryptoLocker, the ransomware that encrypted victims' files and demanded payment to unlock them. The malware spread mainly through phishing emails posing as customer complaints and parcel tracking notices, and authorities cautioned that paying did not guarantee recovery.
18. EFF backed the USA Freedom Act as a starting point
The Electronic Frontier Foundation set out why it supported the USA Freedom Act while calling it a floor rather than a ceiling for reform. The group welcomed limits on bulk phone records collection and a new advocate at the surveillance court, but noted the bill left overseas spying and encryption sabotage untouched.
19. Vodafone Iceland breached, exposing tens of thousands of accounts
A Turkish hacking group defaced Vodafone Iceland's website and released a database holding around 77,000 user records. The dump included names, national identity numbers, encrypted passwords and even stored text messages, marking a severe exposure for the telecom's customers.
20. Stanford researchers set out to prove how revealing metadata is
Stanford researchers launched the MetaPhone project to demonstrate how much sensitive information could be inferred from call and text records alone. Their aim was to show the public, Congress and the courts that phone metadata is inherently revealing, directly challenging the official line that bulk metadata collection was harmless.
Enjoyed this post?
Well, you could share the post with others, follow me with RSS Feeds and/or send me a comment via email.
Tags
Category:
Year: