Privacy Roundup #0093 • April 2014
April 2014 was defined by the Heartbleed catastrophe and a fresh wave of Snowden surveillance disclosures, as courts and journalists pushed back against state spying.
1. Heartbleed bug in OpenSSL is disclosed to the public
Researchers at Google and Codenomicon revealed a flaw in OpenSSL that let attackers read chunks of server memory, exposing passwords, session cookies and private keys. About 17 per cent of secure web servers were thought to be vulnerable when the fixed version shipped on 7 April.
2. NSA reported to have exploited Heartbleed for years
Bloomberg cited two sources who said the agency had quietly used the OpenSSL flaw to gather intelligence rather than warn the public. The claim raised hard questions about the government stockpiling vulnerabilities instead of disclosing them.
3. White House and NSA deny prior knowledge of Heartbleed
The administration issued a categorical denial, saying neither the NSA nor any other part of the government knew about Heartbleed before its public disclosure. Officials claimed any such flaw would have been reported to the OpenSSL maintainers under the government's vulnerability disclosure policy.
→ phys.org
4. EU Court of Justice strikes down the Data Retention Directive
On 8 April the Court of Justice declared the 2006 Data Retention Directive invalid in its entirety. It held that forcing telecoms firms to keep traffic data and granting authorities access amounted to a serious interference with privacy and data protection rights.
5. Clapper confirms NSA searches Americans' calls and emails
In a letter to Senator Ron Wyden, Director of National Intelligence James Clapper acknowledged that the NSA had run queries using US person identifiers against data it had collected. It was the first official confirmation of the so-called backdoor search loophole under Section 702.
6. Snowden tells the Council of Europe the NSA spied on rights groups
Testifying by video link to a parliamentary hearing in Strasbourg, Edward Snowden said the agency had targeted the communications of human rights organisations including Amnesty International and Human Rights Watch. He described XKeyscore as an extraordinarily invasive tool used without judicial oversight.
7. Michaels confirms breach of nearly three million payment cards
The craft retailer confirmed that malware on its systems and those of its Aaron Brothers unit had compromised about three million payment cards. Card numbers and expiry dates were taken, though the company said names, addresses and PINs were not affected.
8. AOL discloses a breach behind a wave of spoofed mail
AOL traced a surge in spoofed messages to a breach that exposed email and postal addresses, address books, and encrypted passwords and security answers. The company urged all current and former users to change their credentials.
9. Canada charges a teenager over a Heartbleed attack on the tax agency
The RCMP charged 19-year-old Stephen Arthuro Solis-Reyes after the Canada Revenue Agency lost about 900 social insurance numbers to a Heartbleed attack. He faced counts of unauthorised use of a computer and mischief in relation to data.
10. Guardian and Washington Post win a Pulitzer for NSA reporting
The Pulitzer board awarded its public service prize to The Guardian and The Washington Post for their coverage of the Snowden documents. The award lent institutional weight to journalism the government had sought to discourage.
11. Greenwald and Poitras return to the United States to collect an award
The two journalists flew into New York for the first time since the Snowden revelations to receive a George Polk award. Despite fears of being detained, they left the airport without incident.
12. Turkey lifts its Twitter ban after a constitutional court ruling
Turkey restored access to Twitter on 2 April after the Constitutional Court found that the block, imposed amid leaked wiretap recordings, violated free expression. A separate block on YouTube remained in place despite similar court pressure.
13. US judge rules a warrant can reach Microsoft emails stored in Ireland
Magistrate Judge James Francis held that a US search warrant compelled Microsoft to hand over customer emails even though the messages sat on a server in Dublin. He reasoned that such warrants work as a hybrid of warrant and subpoena: they are served on the provider rather than executed abroad. Microsoft said it would appeal.
14. Verizon report finds nine patterns explain almost every data breach
Verizon published its vastly expanded 2014 Data Breach Investigations Report, drawing on 1,367 confirmed breaches and more than 63,000 security incidents from 2013. It concluded that 92 per cent of incidents over a decade fell into just nine attack patterns, with stolen credentials remaining the leading way in.
15. EFF publishes a Heartbleed recovery guide for administrators
The EFF set out a step-by-step plan for system administrators cleaning up after Heartbleed, from patching OpenSSL to reissuing certificates. The guide stressed that private keys had to be treated as compromised.
16. Bruce Schneier calls Heartbleed catastrophic
The cryptographer described the flaw as catastrophic and rated it an eleven on a scale of one to ten. He warned that the attack left no trace and could be repeated to extract secret keys, passwords and content.
17. Supreme Court hears argument on warrantless cell phone searches
The justices heard argument on 29 April in Riley v. California and the companion case United States v. Wurie, weighing whether police may search a phone seized during an arrest without a warrant. The cases put the privacy of the data people carry at the centre of Fourth Amendment law.
18. Senate Intelligence Committee votes to declassify the CIA torture report
The committee voted 11 to 3 to send the executive summary of its report on CIA detention and interrogation for declassification review. Rights groups welcomed the move while pressing for the fuller record to be released.
19. Tor network rejects relays left vulnerable to Heartbleed
The Tor Project began blocking hundreds of relays that had not been patched against Heartbleed, including trusted guard and exit nodes. The cull threatened to remove as much as 12 per cent of the network's capacity.
20. Galaxy S5 fingerprint scanner is spoofed to reach PayPal
Researchers at Security Research Labs fooled the new Samsung Galaxy S5 scanner with a mould made from a photograph of a fingerprint left on the screen. Because the phone allowed unlimited attempts and authorised PayPal payments by fingerprint, the trick put accounts at risk.