Privacy Roundup #0090 • January 2014
January 2014 was dominated by fresh Snowden documents on NSA and GCHQ surveillance, a wave of retail and corporate data breaches in the wake of Target, and the first official pushback on bulk telephone records.
1. Syrian Electronic Army hijacks Skype's social media accounts
The Syrian Electronic Army took over Skype's Twitter feed, Facebook page and blog on New Year's Day and told users to stop using Microsoft email because it was being handed to governments. Microsoft said no user data was exposed and regained control of the accounts within hours.
2. Snapchat breach exposes 4.6 million usernames and phone numbers
A database of 4.6 million Snapchat usernames and partial phone numbers was posted online days after researchers had warned the company that such an attack was possible. The leak made it trivial to match supposedly private phone numbers to individual accounts.
3. Yahoo advertising network spreads malware to European users
For several days around the turn of the year, advertisements served through Yahoo's network redirected visitors to an exploit kit that installed banking malware. Fox-IT estimated roughly 27,000 infections an hour, with users in Romania, Britain and France hit hardest.
4. Surveillance court renews NSA bulk telephone records collection
The Foreign Intelligence Surveillance Court reauthorised the NSA's bulk telephone metadata programme for another ninety days, the thirty-sixth such renewal. The Director of National Intelligence took the unusual step of declassifying the application because of intense public interest.
5. Target says up to 70 million customers had personal data stolen
Target widened its breach disclosure, revealing that names, addresses, telephone numbers and email addresses of as many as 70 million people had been taken alongside the earlier 40 million payment cards. The information had been lifted from compromised point-of-sale systems during the holiday shopping period.
6. Neiman Marcus confirms hackers stole payment card data
The luxury retailer acknowledged that intruders had stolen customer card data and that it was working with the Secret Service on the investigation. Brian Krebs had traced a pattern of fraudulent charges back to cards used at Neiman Marcus stores.
7. Bruce Schneier argues NSA surveillance harms national security
Schneier set out the case that mass surveillance is ineffective and wasteful, citing the gulf between the agency's claims of disrupted plots and the handful that withstood scrutiny. He warned that the programmes damaged trust in American technology and weakened the security of the internet for everyone.
8. NSA shown reaching computers that are not on the internet
New York Times reporting revealed that the NSA had implanted hardware in tens of thousands of machines worldwide, using covert radio signals from tiny circuit boards and USB devices to reach computers cut off from any network. The technique had been in use since at least 2008 for both surveillance and cyberattack.
→ phys.org
9. Presidential review panel defends its NSA reform proposals
Members of the president's review group told the Senate Judiciary Committee that none of their forty-six recommendations would harm genuine intelligence gathering. The panel pressed its central proposal to move bulk telephone records out of government hands.
10. Starbucks mobile app found storing passwords in plain text
A researcher discovered that the Starbucks iOS payment app kept usernames, email addresses and passwords in a readable log file on the device. Because the app could draw on linked bank accounts, anyone with the handset could recover the credentials without even knowing the PIN.
11. NSA Dishfire programme sweeps up nearly 200 million texts a day
Guardian reporting described Dishfire, an NSA system that collected close to 200 million text messages each day on an untargeted basis. The agency mined the haul for travel plans, contact books and financial transactions, much of it concerning people under no suspicion.
12. Obama announces limited changes to NSA surveillance
In a speech at the Justice Department the president called for court approval before searches of telephone records and said the government should no longer hold the bulk metadata itself. Rights groups welcomed the gestures but said the reforms left mass collection and the treatment of foreigners largely untouched.
13. Oversight board declares phone records programme illegal
The Privacy and Civil Liberties Oversight Board concluded that the Section 215 bulk telephone records programme lacked a legal foundation and raised serious constitutional concerns. A majority recommended that the government end the collection, finding little evidence that it had produced unique counterterrorism results.
14. Coca-Cola breach exposes data of 74,000 staff on stolen laptops
Coca-Cola began notifying about 74,000 employees and contractors after dozens of unencrypted laptops were taken by a former worker assigned to dispose of old equipment. The machines held names, social security numbers, addresses and compensation details, in breach of the company's own encryption policy.
→ www.infosecurity-magazine.com
15. NSA and GCHQ harvest data from 'leaky' smartphone apps
Documents showed the two agencies collecting personal information that popular apps such as Angry Birds transmitted across mobile networks. The data ranged from device identifiers and location to age, gender and in some cases sexual orientation.
16. Government lets technology firms publish FISA request figures
After lawsuits from Google, Microsoft and others, the Justice Department agreed to let companies disclose, in broad bands, how many national security orders they received and how many accounts were affected. It was the first time firms could publish any numbers about Foreign Intelligence Surveillance Act demands.
17. Michaels warns of a possible payment card breach
The craft retailer said it was investigating suspected fraudulent activity on cards used at its stores and was working with law enforcement and security experts. The warning followed a pattern of fraud that Brian Krebs had traced to recent purchases at Michaels.
→ www.infosecurity-magazine.com
18. GCHQ 'Squeaky Dolphin' monitors YouTube and Facebook activity
Leaked slides revealed a GCHQ programme that watched YouTube views, Facebook likes and Blogger visits in real time by tapping the cables carrying global web traffic. Google and Facebook said they had not authorised any such access to their platforms.
19. Security experts boycott RSA conference over NSA backdoor claims
Following reports that RSA had taken ten million dollars to make a weakened random number generator the default in its toolkit, nine speakers withdrew from the company's conference. They set up a rival event, TrustyCon, to protest at the apparent collaboration with the NSA.
20. White Lodging breach hits restaurants at fourteen hotels
The firm that runs franchises for Marriott, Sheraton, Westin and other brands confirmed it was investigating a breach of card data at food, drink and gift outlets across fourteen properties. The stolen details covered cards used over much of the previous year.