Privacy Roundup #0097 • August 2014
August 2014 brought a wave of Snowden disclosures, mega retail card breaches and a hard look at how governments and companies hoard our data.
1. Russia's blogger law takes effect and ends anonymous posting
A new Russian law that came into force on 1 August forced any blogger with more than 3,000 daily readers to register with the state and hand over personal details. It made anonymous blogging effectively impossible and held writers liable for readers' comments.
2. Google scans Gmail for abuse images and a man is arrested
Google detected known child abuse imagery in a Houston man's Gmail account and reported it to the National Center for Missing and Exploited Children, leading to his arrest. The case confirmed that Google fingerprints and scans email content, not just search results.
3. Russian crime ring amasses 1.2 billion stolen passwords
Hold Security reported that a Russian gang it called CyberVor had collected 1.2 billion username and password pairs and more than 500 million email addresses. The credentials were harvested from some 420,000 websites using automated SQL injection attacks.
4. Russia grants Edward Snowden a three-year residence permit
Six days after his temporary asylum expired, Snowden received a three-year Russian residence permit that took effect on 1 August. The permit let him move freely within Russia and travel abroad for up to three months.
5. Wikimedia publishes its first transparency report and rejects forgetting
The Wikimedia Foundation released its first transparency report and revealed that Google had begun delisting Wikipedia pages under Europe's right to be forgotten. Jimmy Wales condemned the removals, arguing that history is a human right.
6. Snowden describes the NSA's automated MonsterMind retaliation system
In a Wired interview, Snowden revealed MonsterMind, an NSA program designed to detect foreign cyberattacks and strike back automatically without human review. He warned that spoofed attacks could trigger retaliation against innocent third parties.
7. Supervalu and Albertsons grocery chains breached for card data
Supervalu disclosed that malware on its payment systems had exposed card data at more than 200 of its own stores and over 800 Albertsons-operated locations. The stolen data included cardholder names, account numbers and expiry dates.
8. GCHQ's HACIENDA program port-scans whole countries
Documents revealed that Britain's GCHQ ran HACIENDA, a tool that port-scanned every public-facing server in at least 27 countries to find systems it could exploit. The capability was shared across the Five Eyes partners.
9. German intelligence is caught recording Kerry and Clinton calls
Der Spiegel reported that Germany's BND had intercepted phone calls made by John Kerry and Hillary Clinton. The agency said the recordings were accidental and quickly destroyed, but the revelation embarrassed Berlin after its outrage over NSA spying.
→ npr.org
10. Community Health Systems loses data on 4.5 million patients
The hospital operator Community Health Systems disclosed that hackers had stolen personal data belonging to about 4.5 million patients. The exposed records included names, addresses, birth dates, telephone numbers and Social Security numbers.
11. Heartbleed is blamed for the Community Health Systems hack
Security firm TrustedSec reported that attackers exploited the Heartbleed flaw in a Juniper device to steal credentials and reach the hospital network. It was the first known major breach attributed to the OpenSSL bug.
12. Twitter lets families remove images of the deceased
Twitter changed its policy to allow relatives to request the removal of images and video of deceased people. The move followed harassment of Robin Williams's daughter and the spread of graphic footage online.
13. UPS Store discloses point-of-sale malware at 51 locations
The UPS Store said malware had infected the tills at 51 franchised locations across 24 states between January and August. Names, addresses and payment card details of about 105,000 transactions may have been exposed.
14. Secret Service says Backoff malware has hit 1,000 businesses
A government advisory warned that the Backoff point-of-sale malware had compromised more than 1,000 American businesses. The malware scraped clear-text card data from the memory of checkout computers after attackers guessed weak remote-access passwords.
15. The Intercept reveals ICREACH, the NSA's secret search engine
The Intercept reported on ICREACH, a Google-style tool that let analysts at 23 agencies query more than 850 billion records of calls, emails and locations. The database included records on Americans who were never accused of wrongdoing.
16. Dairy Queen investigates a likely card breach across its stores
Brian Krebs reported that banks were tracing card fraud back to Dairy Queen outlets in several states, pointing to a payment system compromise. The company at first denied any reports, then confirmed the Secret Service had flagged suspicious activity.
17. FBI probes a Russia-linked hack of JPMorgan Chase
The FBI began investigating a sophisticated intrusion that stole gigabytes of data from JPMorgan Chase and at least one other bank. Investigators examined whether the attack was retaliation for sanctions on Russia.
18. Phony cell towers are found intercepting calls across America
Popular Science reported that the CryptoPhone 500 had detected 17 fake cell towers, or interceptors, scattered across the United States. The devices could eavesdrop on calls and push spyware onto phones, and many sat near military bases.
19. Hackers post stolen nude photos of celebrities from iCloud
Private images of Jennifer Lawrence and dozens of other celebrities were stolen from iCloud accounts and posted online. Apple said its systems were not breached and blamed targeted attacks on usernames, passwords and security questions.
20. HealthCare.gov server is breached and seeded with malware
A test server supporting HealthCare.gov was hacked and infected with malware in an intrusion detected during a late-August security scan. Officials said no personal data was taken and that the server was being used to launch denial-of-service attacks elsewhere.