Privacy Roundup #0095 • June 2014
One year after the first Snowden leak, June 2014 mixed fresh surveillance disclosures with a wave of breaches, encryption launches and a landmark cell phone ruling.
1. NSA collects millions of facial images a day for recognition
New Snowden documents revealed that the NSA harvests millions of images a day from emails, texts and social media to feed a facial recognition programme. The agency treated roughly 55,000 of those daily as high quality enough to match against targets.
2. Operation Tovar disrupts the Gameover ZeuS botnet
Law enforcement agencies and security firms across several countries seized the infrastructure behind Gameover ZeuS, a botnet that stole banking credentials and spread the CryptoLocker ransomware. Prosecutors named a Russian man, Evgeniy Bogachev, as the alleged administrator.
3. Google releases an End-to-End encryption extension for Chrome
Google published the code for an alpha Chrome extension that uses OpenPGP to encrypt email so that private keys never reach the company. The release was a direct response to the previous year of surveillance disclosures.
4. New OpenSSL flaw exposes connections to man-in-the-middle attacks
Researchers disclosed a CCS injection bug in OpenSSL that let an attacker who could intercept traffic force the use of weak keys and read or alter encrypted data. The flaw had been present in the code for many years before its discovery.
5. Reset the Net pushes encryption on the Snowden anniversary
On the first anniversary of the first Snowden story, a broad coalition launched Reset the Net to spread HTTPS, forward secrecy and other protections across the web. Sites and app makers were urged to encrypt traffic by default.
→ eff.org
6. Court holds emergency hearing over NSA evidence destruction
The EFF won an emergency hearing after learning that the government had kept deleting intercepted internet communications despite a preservation order in the Jewel surveillance case. The government argued that keeping the records would harm its Section 702 programme.
→ eff.org
7. Vodafone reveals scale of government access to its networks
Vodafone published its first transparency report covering 29 countries, detailing interception and metadata demands. It disclosed that in a small number of countries, agencies had direct, permanent links into its network that needed no warrant.
8. Apple builds Wi-Fi MAC address randomisation into iOS 8
Apple confirmed that iOS 8 would use random MAC addresses while scanning for Wi-Fi networks, frustrating retailers and others who track shoppers by their devices. The change was part of a wider privacy push unveiled at the developer conference.
9. Feedly and Evernote knocked offline by extortion DDoS attacks
Feedly and Evernote were both hit by distributed denial-of-service attacks, with criminals demanding money to stop the flood of traffic. Feedly refused to pay and worked with its providers and law enforcement to restore service.
10. TweetDeck taken offline by a self-spreading XSS worm
A cross-site scripting flaw in TweetDeck let a single tweet run code in viewers' browsers, creating a worm that forced tens of thousands of accounts to retweet it. Twitter pulled the service down to patch the hole.
11. P.F. Chang's confirms a payment card breach
The restaurant chain confirmed that thieves had stolen credit and debit card data from its locations after cards turned up for sale on a carding site. It fell back to manual card imprinting while it investigated.
12. AT&T reports a breach by a third-party vendor
AT&T told customers that employees of an outside vendor had accessed accounts without permission and could view Social Security numbers and dates of birth. The workers were apparently after codes used to unlock phones for resale.
13. Domino's refuses ransom after Rex Mundi steals customer data
A group calling itself Rex Mundi stole the records of more than 650,000 Domino's customers in France and Belgium and demanded a payment to keep them secret. Domino's declined to pay and reported the matter to the authorities.
14. UK official says social media counts as foreign communications
A senior counter-terrorism official set out in a witness statement how the UK justifies mass interception of Facebook, Twitter, YouTube and Google use. Because those services run on overseas servers, the government treated such traffic as external communications open to bulk collection.
15. Facebook's secret mood experiment sparks an ethics backlash
A study revealed that Facebook had manipulated the news feeds of nearly 700,000 users to test whether emotions spread online, without seeking consent. The disclosure prompted widespread anger over the lack of informed consent and oversight.
→ pnas.org
16. Extortion hack wipes out code host Code Spaces
After a denial-of-service attack and a demand for money, an intruder who had reached the firm's cloud control panel deleted its data, backups and configurations. Code Spaces could not recover and shut down the business.
17. Supreme Court rules police need a warrant to search phones
In Riley v. California, the Supreme Court held unanimously that officers must get a warrant before searching the contents of a phone seized during an arrest. The court recognised that modern phones hold a vast amount of sensitive personal data.
→ eff.org
18. Researchers bypass PayPal's two-factor authentication
Security researchers showed that a flaw in PayPal's mobile setup let an attacker sidestep its two-factor authentication. PayPal disabled the feature for its mobile apps while it worked on a fix.
19. Montana notifies 1.3 million people after a health agency hack
Montana said it would notify about 1.3 million people after attackers reached a server at its public health department holding names, addresses, dates of birth and Social Security numbers. Officials said they had no evidence the data was misused.
20. Microsoft seizes No-IP domains and knocks millions offline
Microsoft used a court order to seize 23 domains from dynamic DNS provider No-IP, claiming they were abused by malware. The sweep was far too broad and cut off millions of innocent users before Microsoft returned the domains.
→ eff.org
Enjoyed this post?
Well, you could share the post with others, follow me with RSS Feeds and/or send me a comment via email.
Tags
Category:
Year: