Privacy Roundup #0098 • September 2014
September 2014 turned the post-Snowden privacy debate towards the device itself, as Apple and Google promised encryption by default while breaches at Home Depot, Goodwill and Jimmy John's showed how exposed everyday data remained.
1. Private celebrity photos stolen from iCloud accounts spread online
Hundreds of intimate photographs of female celebrities were leaked after attackers compromised individual iCloud accounts through phishing and weak security questions. Apple said its own systems were not breached and pointed to a targeted attack on user names, passwords and recovery answers.
2. Home Depot confirms 56 million payment cards exposed
Home Depot disclosed that custom malware on its self-checkout systems had stolen around 56 million debit and credit card numbers between April and September. The disclosure made it the largest retail card breach on record at the time, surpassing the earlier Target intrusion.
3. Apple says it cannot unlock iOS 8 devices for police
With the release of iOS 8, Apple began encrypting personal data by default and tied the key to the user passcode. The company stated that it was no longer technically able to extract data in response to a warrant, a shift that drew immediate concern from law enforcement.
→ npr.org
4. Google promises encryption by default in next Android release
Google announced that its forthcoming version of Android would encrypt user data out of the box, without requiring people to switch the feature on. The move mirrored Apple and signalled that strong on-device encryption was becoming a mainstream consumer expectation.
5. Unsealed documents reveal Yahoo faced $250,000 daily fines over PRISM
Court records released through Yahoo litigation showed the government had threatened the company with fines of $250,000 a day, doubling each week, if it refused to hand over user data. The papers exposed how the secret surveillance court applied a broad exception to the Fourth Amendment to authorise sweeping collection.
→ npr.org
6. Microsoft held in contempt over emails stored in Ireland
A federal judge held Microsoft in contempt after it refused to comply with a domestic warrant seeking customer emails held on a server in Dublin. Microsoft accepted the finding so that it could appeal, arguing that a United States warrant should not reach data stored on foreign soil.
7. Jimmy John's confirms card breach at 216 stores
The sandwich chain confirmed that intruders had used stolen vendor credentials to plant malware on point-of-sale systems at 216 of its locations. Card numbers, names, verification codes and expiry dates may have been captured from cards swiped between June and September.
8. Goodwill names C&K Systems as the vendor behind its breach
Goodwill Industries identified the payment processor C&K Systems as the compromised third party in a breach affecting about 330 of its stores. The malware exposed roughly 868,000 payment card records over a period stretching back more than a year.
9. Apple unveils Apple Pay with tokenisation and a privacy pitch
Apple announced Apple Pay alongside the iPhone 6, replacing card numbers with single-use tokens so that merchants never received the real details. The company marketed the service as an easy, secure and private way to pay, an unusual emphasis in the payments industry at the time.
10. Nearly five million Gmail credentials dumped on a Russian forum
A file containing close to five million Google account user names and passwords was posted to a Russian Bitcoin forum. Google said its systems were not breached and that the credentials appeared to have been gathered over years through phishing, with very few combinations still working.
→ cnbc.com
11. Facebook softens real-name policy after drag queen protests
Facebook deactivated hundreds of accounts belonging to drag performers whose stage names were reported as fake, prompting a protest movement and a meeting with the company. Facebook later apologised and agreed to loosen the policy for performers and others who do not use their legal names.
→ npr.org
12. Apple quietly drops its warrant canary from the transparency report
Observers noticed that Apple had removed language stating it had never received a bulk surveillance order under Section 215 of the Patriot Act. The disappearance of the so-called warrant canary fuelled speculation that the company had since received such a demand.
13. Shellshock flaw in Bash exposes countless internet-facing systems
Researchers disclosed Shellshock, a serious flaw in the widely used Bash shell that let attackers run arbitrary commands on vulnerable servers. Within hours of disclosure, compromised machines were being herded into botnets for denial-of-service attacks and scanning.
→ cisa.gov
14. Snowden files reveal NSA and GCHQ mapping of German telecom networks
Der Spiegel and The Intercept reported on Treasure Map, a programme to build a near real-time map of the global internet by penetrating networks at firms including Deutsche Telekom and Stellar. The documents showed surveillance access points planted inside the networks of German companies.
15. TripAdvisor's Viator hit by breach affecting 1.4 million customers
The tour booking site Viator disclosed a compromise after its payment processor flagged fraudulent charges on customer cards. Around 880,000 people had payment card details exposed and a further 560,000 had account credentials taken.
16. SuperValu reports a second card breach weeks after the first
The supermarket group announced a second, separate intrusion into its payment systems at four franchised Cub Foods stores in Minnesota. The malware may have captured card numbers and names because security upgrades from the earlier breach had not yet been completed.
17. Twitpic to shut down after trademark fight with Twitter
The early photo-sharing service Twitpic announced it would close after Twitter pressed it to abandon a trademark application or lose access to the platform. The shutdown raised questions about the fate of users' archived images and the privacy terms governing them.
18. eBay listings abused to steal logins through cross-site scripting
Attackers planted malicious scripts inside eBay auction pages, using cheap iPhone listings as bait to redirect shoppers to phishing pages. The flaw let criminals harvest eBay user names and passwords, and reports suggested it had lingered on the site for months.
19. New Zealand accused of mass surveillance it publicly denied
The Intercept reported that New Zealand's GCSB had worked on a mass metadata collection project codenamed Speargun, tapping the country's main undersea cable. Edward Snowden said the agency fed data into the NSA's XKEYSCORE system, contradicting the prime minister's denials of domestic mass surveillance.
20. HealthCare.gov server found infected with malware
Officials disclosed that a hacker had broken into a test server supporting the federal health insurance website and uploaded malicious software. Investigators said the server held no consumer data and found no evidence that personal information had been taken, but the intrusion raised fresh doubts about the site's security.