Privacy Roundup #0092 • March 2014

March 2014 was dominated by fresh Snowden revelations about mass hacking and whole-country call recording, alongside a European backlash, corporate encryption moves and a wave of payment card breaches.

1. NSA built an automated system to infect millions of computers with malware

The Intercept reported that the NSA system codenamed TURBINE was designed to scale malware implants to millions of machines with little human oversight. The documents also described QUANTUMHAND, a technique that impersonates a Facebook server to deliver the agency's malicious code.

theintercept.com

2. NSA can record and replay every phone call in an entire country

The Washington Post revealed the MYSTIC programme and its RETRO tool, which let the agency record the full audio of all calls in a target nation and replay them for up to a month. The disclosure showed surveillance reaching into the past rather than merely intercepting communications as they happen.

www.washingtonpost.com

3. NSA secretly hunts and hacks system administrators

An internal NSA post titled "I hunt sys admins" revealed that the agency tracks the private email and Facebook accounts of network administrators in order to break into the systems they run. The administrators were not suspected of any crime and were targeted only because they held the keys to networks the agency wanted to reach.

theintercept.com

4. NSA burrowed into Huawei's networks under operation Shotgiant

Leaked documents reported by the New York Times and Der Spiegel showed the NSA had hacked the Chinese telecommunications giant Huawei, copying source code and reading staff email. The agency also sought to use Huawei equipment to monitor communications in countries such as Iran and Pakistan.

money.cnn.com

5. NSA put Angela Merkel on a list of 122 targeted leaders

Der Spiegel and The Intercept reported that the NSA maintained a "Target Knowledge Base" naming 122 foreign heads of state and government. The German chancellor appeared alongside leaders such as Syria's Bashar al-Assad, with more than three hundred separate reports filed on her.

theintercept.com

6. Snowden gives written testimony to the European Parliament

The European Parliament's civil liberties committee published Edward Snowden's written testimony for its inquiry into mass surveillance of EU citizens. He stated that he had reported problematic programmes to ten officials who did nothing, and that he was seeking asylum in Europe.

www.europarl.europa.eu

7. Snowden tells SXSW that encryption works

Speaking by video link from Russia to the South by Southwest festival, Snowden urged technologists to build strong encryption into their products. He described encryption as the defence against the dark arts in the digital realm and argued it remained effective when keys were not compromised.

www.pbs.org

8. European Parliament approves sweeping data protection reform

Members of the European Parliament voted overwhelmingly in favour of the proposed General Data Protection Regulation, with 621 votes for and 10 against. The justice commissioner described the strong support as making further progress on the reform irreversible.

www.europarl.europa.eu

9. MEPs demand an end to mass surveillance and suspension of Safe Harbour

In a separate resolution the Parliament concluded its inquiry into NSA spying and called on the Commission to suspend the Safe Harbour data transfer framework. It also urged the suspension of the Terrorist Finance Tracking Programme until US access to EU bank data could be clarified.

www.europarl.europa.eu

10. Obama proposes ending the NSA's bulk telephone metadata programme

President Obama announced a plan to stop the government collecting and holding bulk telephone records under Section 215 of the Patriot Act. Under the proposal the data would stay with the telephone companies and the agency would need court approval to query specific records.

obamawhitehouse.archives.gov

11. Turkey blocks Twitter amid a corruption scandal

The Turkish government blocked access to Twitter after recordings appearing to implicate officials in corruption spread on the platform. Prime Minister Erdogan vowed to rip out the roots of the network, although users quickly found ways around the ban.

time.com

12. Fandango and Credit Karma settle FTC charges over insecure apps

The Federal Trade Commission announced settlements with Fandango and Credit Karma over mobile apps that disabled SSL certificate validation. The flaw left millions of users open to man-in-the-middle attacks that could intercept credit card and other sensitive data.

www.ftc.gov

13. EPIC asks the FTC to block the Facebook acquisition of WhatsApp

The Electronic Privacy Information Center filed a complaint urging the FTC to investigate Facebook's nineteen billion dollar purchase of WhatsApp. It argued that WhatsApp had built its reputation on privacy promises that Facebook's advertising business model would be unable to keep.

epic.org

14. Microsoft admits reading a blogger's Hotmail to find a leaker

Court documents revealed that Microsoft had searched the Hotmail account of a French blogger while hunting an employee accused of leaking Windows 8 code. The company argued its terms of service permitted the search, drawing criticism from digital rights groups.

www.cbsnews.com

15. Tim Berners-Lee calls for a digital bill of rights on the web's 25th birthday

Marking 25 years since he proposed the world wide web, Tim Berners-Lee called for a global charter to protect online freedom and privacy. He warned that growing surveillance and censorship threatened the future of democracy.

www.techdirt.com

16. Mt. Gox customer data leaked after the exchange collapses

After the bitcoin exchange filed for bankruptcy, attackers hijacked the chief executive's blog and posted what they said were database dumps and user records. The leak followed claims that hundreds of thousands of customer bitcoins had gone missing.

www.engadget.com

17. Sally Beauty hit by a payment card breach

Brian Krebs reported that stolen cards traced back to Sally Beauty stores had appeared for sale on the same underground shop used to sell Target and Home Depot data. The retailer later confirmed that hackers had broken into its network and taken payment card details.

krebsonsecurity.com

18. Google switches Gmail to always use encrypted connections

Google announced that Gmail would always use an HTTPS connection and would also encrypt messages as they moved between its data centres. The company said the change was a direct response to revelations that intelligence agencies were tapping cables between company data centres.

techcrunch.com

19. United States moves to give up its oversight of internet addresses

The Commerce Department announced it would transition stewardship of the IANA functions, which manage domain names and IP address allocation, to the global multistakeholder community. The move was widely read as a response to international anger over NSA surveillance.

www.washingtonpost.com

20. Bruce Schneier argues that metadata is surveillance

In an essay for IEEE Security and Privacy, Bruce Schneier rejected official claims that bulk collection was harmless because it involved only metadata. He argued that gathering metadata on people is itself surveillance, comparable to following them with a private detective.

www.schneier.com

