Privacy Roundup #0091 • February 2014
February 2014 was dominated by fresh Snowden revelations, the launch of The Intercept and a day of global protest, set against a run of data breaches and surveillance climbdowns.
1. The Intercept launches with the NSA's secret role in drone killings
Glenn Greenwald, Jeremy Scahill and Laura Poitras launched The Intercept on 10 February with a report showing the NSA used metadata and phone tracking, rather than human intelligence, to pick targets for lethal drone strikes. The story described geolocation systems code named GILGAMESH and SHENANIGANS that helped guide strikes which sometimes killed the wrong people.
2. GCHQ stored millions of private Yahoo webcam images under Optic Nerve
Documents revealed that GCHQ, helped by the NSA, ran a programme called Optic Nerve that intercepted and stored still images from millions of Yahoo webcam chats. The collection was indiscriminate, captured a large amount of sexually explicit material and was used for experiments in facial recognition.
3. GCHQ documents detail covert online manipulation and reputation attacks
The Intercept published a 50 page GCHQ presentation showing how its JTRIG unit set out to manipulate online discourse, plant false material and destroy the reputations of targets. The tactics included honey traps, false flag operations and the seeding of misleading content across the internet.
4. GCHQ launched denial of service attacks against Anonymous chatrooms
Snowden documents revealed that a GCHQ unit ran an operation called Rolling Thunder, using denial of service attacks to disrupt the chatrooms used by Anonymous and LulzSec. Critics noted that the British government had used the very technique for which it prosecutes and jails ordinary hacktivists.
5. NSA ally spied on an American law firm representing Indonesia
Documents showed that Australia's signals agency monitored trade talks involving a United States law firm acting for the Indonesian government and offered to share the take with the NSA. The intercepted material was said to include communications that may have been covered by attorney client privilege.
6. NSA and GCHQ targeted WikiLeaks and its readers
The Intercept reported that the NSA had placed WikiLeaks founder Julian Assange on a manhunting target list and wanted the site labelled a malicious foreign actor. GCHQ went further and collected the IP addresses of people who merely visited the WikiLeaks website, along with the search terms that brought them there.
7. Thousands of websites joined The Day We Fight Back against surveillance
On 11 February more than six thousand websites, including Reddit, Mozilla and Tumblr, displayed banners urging users to contact lawmakers about mass surveillance. The protest generated hundreds of thousands of calls, emails and signatures in a single day.
8. Kickstarter disclosed a breach of user account data
Kickstarter told users that attackers had accessed a database containing usernames, email addresses, postal addresses, phone numbers and encrypted passwords. No card data was taken, but the company urged everyone to change their passwords as a precaution.
9. Mt. Gox collapsed and lost hundreds of thousands of customer bitcoins
The Tokyo based exchange Mt. Gox suspended trading, shut its website and filed for bankruptcy protection on 28 February, admitting it had lost around 850,000 bitcoins. The collapse left thousands of customers exposed and shook confidence across the wider cryptocurrency market.
10. Apple patched the goto fail flaw that broke SSL verification
A duplicated line of code left Apple software failing to verify the authenticity of SSL connections, so an attacker on the same network could intercept supposedly encrypted traffic. Apple shipped fixes for iOS and then OS X after several days of mounting criticism from the security community.
11. University of Maryland breach exposed more than 300,000 records
The University of Maryland disclosed that attackers had reached a database holding names, dates of birth, Social Security numbers and university identification numbers going back to 1998. The breach affected more than 309,000 students, staff and faculty across two campuses.
12. Tinder flaw exposed the exact locations of users
Researchers revealed that a vulnerability in Tinder's geolocation feature had let anyone with basic programming skills calculate the precise position of other users. The flaw exposed locations for several months before it was quietly fixed.
13. Facebook agreed to buy WhatsApp for 19 billion dollars
Facebook announced that it would acquire the messaging service WhatsApp, which had built its reputation in part on a strong stance towards user privacy. The deal prompted immediate concern from users and regulators about how WhatsApp data would be combined with Facebook's tracking and profiling.
14. Belgian cryptographer Quisquater found his computer hacked
Reports emerged that the respected cryptographer Jean-Jacques Quisquater had been compromised by malware after clicking a fake LinkedIn invitation. The intrusion surfaced during the investigation into the Belgacom hack and pointed towards state level attackers, although attribution remained disputed.
15. Target apologised to Congress over its huge payment card breach
Target's chief financial officer told the Senate Judiciary Committee that the company was deeply sorry for a breach that exposed card data for around 40 million shoppers and personal data for up to 70 million. He explained that intruders had stolen a vendor's credentials to plant malware on point of sale registers.
16. Homeland Security cancelled its national licence plate database plan
After privacy advocates raised the alarm, the Department of Homeland Security cancelled a plan to build a national database of licence plate reader records. The proposal had threatened to log the movements of ordinary drivers who were under no suspicion of any crime.
17. Tech firms published their first surveillance request figures, to limited effect
Under a new government agreement, Google, Microsoft, Facebook and Yahoo released the first broad figures on the national security orders they had received. Critics pointed out that the numbers were lumped into vague ranges and revealed little about the bulk collection happening on the cables themselves.
18. Officials said the NSA gathered less than a third of American call records
The Washington Post reported that the NSA was collecting data on fewer than 30 percent of United States phone calls, far below the popular assumption of near total coverage. Officials attributed the gap to the agency struggling to keep pace with the shift from landlines to mobile phones.
19. Researchers found serious flaws in Belkin's WeMo home devices
Security firm IOActive warned that vulnerabilities in Belkin's WeMo home automation kit could let attackers push malicious firmware and seize control of connected devices. The flaws affected hundreds of thousands of devices and could be used to pivot onto other machines on a home network.
20. Syrian Electronic Army dumped a million Forbes user credentials
The Syrian Electronic Army breached Forbes, defaced the site and posted a database containing the email addresses and hashed passwords of more than one million accounts. The attackers gained access by compromising a staff publishing account and a vulnerable widget on the site.
Enjoyed this post?
Well, you could share the post with others, follow me with RSS Feeds and/or send me a comment via email.
Tags
Category:
Year: