Privacy Roundup #0099 • October 2014
October 2014 turned the post-Snowden privacy fight towards the phone in your pocket, as default encryption, carrier tracking headers and a run of retail breaches collided with a chorus of official complaints.
1. FBI director Comey attacks default phone encryption in 'Going Dark' speech
FBI director James Comey used a Brookings address on 16 October to argue that Apple and Google had gone too far by encrypting phones by default, and he floated the idea of forcing firms to weaken their products. The EFF replied that the so-called debate was phony because no backdoor can be limited to the good guys.
2. Whisper app tracked users who had opted out of location sharing
A Guardian investigation reported that the anonymous messaging app Whisper pinpointed users to within 500 metres, even when they had switched location services off. The company also kept supposedly deleted posts in a searchable database and shared some user data with the United States Department of Defense and the FBI.
3. Verizon and AT&T caught injecting undeletable tracking headers
Researchers showed that Verizon and AT&T were inserting a unique identifier header, a so-called perma-cookie, into the unencrypted web traffic of mobile customers. The tag let advertisers build a profile of browsing habits, and Verizon users could not fully switch it off even after clearing cookies.
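The way such injected headers were found was to send a request with a known set of headers to a test server and compare what the server actually received. The following is an added example of that check, not code from the original post or from the researchers; the header name `X-Example-Carrier-ID` and the two header sets are constructed placeholders, not the real identifier the carriers used.

```python
"""Detect headers added in transit between a client and a server.

The client records the headers it sent; the server echoes back the headers
it received. Any header present in the echo but absent from the original
request was injected somewhere on the path (a carrier proxy, for instance).
Because the injection only works on plaintext HTTP, the same comparison over
an HTTPS connection should return an empty result.
"""

from typing import Dict, List, Tuple


def normalise(headers: Dict[str, str]) -> Dict[str, str]:
    """HTTP header names are case-insensitive, so compare them lower-cased."""
    return {name.lower(): value for name, value in headers.items()}


def find_injected_headers(sent: Dict[str, str],
                          received: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (name, value) pairs that were added between client and server."""
    sent_n = normalise(sent)
    received_n = normalise(received)
    return sorted((name, value) for name, value in received_n.items()
                  if name not in sent_n)


def find_modified_headers(sent: Dict[str, str],
                          received: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (name, sent_value, received_value) for headers changed in transit."""
    sent_n = normalise(sent)
    received_n = normalise(received)
    return sorted((name, sent_n[name], received_n[name]) for name in sent_n
                  if name in received_n and sent_n[name] != received_n[name])


# Constructed sample data: what a phone's browser sent over plain HTTP ...
SENT = {
    "Host": "echo.example.test",
    "User-Agent": "Mozilla/5.0 (constructed sample)",
    "Accept": "text/html",
}

# ... and what the echo server reported receiving. The extra header is a
# placeholder standing in for a carrier-injected tracking identifier.
RECEIVED = {
    "Host": "echo.example.test",
    "User-Agent": "Mozilla/5.0 (constructed sample)",
    "Accept": "text/html",
    "X-Example-Carrier-ID": "PLACEHOLDER-OPAQUE-TOKEN",
}


if __name__ == "__main__":
    for name, value in find_injected_headers(SENT, RECEIVED):
        print(f"injected header: {name}: {value}")
```

Running the comparison over both HTTP and HTTPS to the same echo endpoint makes the mitigation visible as well as the problem: the injected header shows up only on the plaintext connection, which is why moving sites and apps to HTTPS removes the carrier's ability to tag traffic.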
4. 'The Snappening' spilled tens of thousands of Snapchat images
Up to 90,000 photos and 9,000 videos believed to come from Snapchat surfaced online after attackers raided a third-party app that quietly saved users' snaps. Snapchat said its own servers were not breached and blamed services such as Snapsaved that broke its terms of use.
5. Dropbox credentials posted to Pastebin from third-party leaks
A user dumped hundreds of working Dropbox usernames and passwords on Pastebin and claimed to hold nearly seven million more. Dropbox said its systems were not hacked and that the credentials had been stolen from unrelated services where people had reused the same passwords.
6. Kmart point of sale registers infected with card stealing malware
Sears disclosed that malware on Kmart store registers had been quietly harvesting payment card numbers since early September. The retailer said names, PINs, email addresses and social security numbers were not taken, and it offered free credit monitoring to affected shoppers.
7. Banks traced a fresh card breach to Staples stores
Brian Krebs reported that more than six East Coast banks had spotted a fraud pattern pointing back to shoppers at several Staples locations across New Jersey, New York City and Pennsylvania. Staples confirmed it was investigating a possible intrusion into its payment systems and had contacted law enforcement.
8. Sandworm hackers used a Windows zero-day to spy on NATO and the EU
The firm iSight Partners revealed that a Russia-linked group it called Sandworm had exploited a Windows zero-day, CVE-2014-4114, through booby-trapped PowerPoint files. The targets included NATO, the European Union, Ukraine, Poland and energy and telecoms companies tied to the conflict in Ukraine.
9. POODLE flaw broke the old SSL 3.0 encryption protocol
Google researchers disclosed POODLE, a padding oracle attack that let a network attacker downgrade connections to SSL 3.0 and decrypt traffic. The finding, tracked as CVE-2014-3566, pushed browsers and servers to abandon the ageing protocol for good.
10. Facebook launched a Tor address for anonymous access
Facebook unveiled a Tor-only version of the site at a special .onion address, paired with a certificate that proved the link was genuine. The move helped people who already reached Facebook over Tor, including users in countries such as Iran and China where the service is blocked.
11. Apple Pay launched with a privacy-first payment design
Apple Pay went live in the United States on 20 October, letting iPhone 6 owners pay by touch in shops and apps. Apple said it did not store actual card numbers or keep a purchase history, using a unique device account number held in a secure chip instead.
12. 'Core Secrets' files exposed NSA agents inside foreign firms
The Intercept published Snowden documents describing how the NSA used undercover operatives and physical subversion to compromise networks in countries such as China and Germany. The papers also confirmed that the agency worked with companies to weaken encryption and penetrate computer systems.
13. FTC sued AT&T over throttled 'unlimited' data plans
The Federal Trade Commission filed suit against AT&T on 28 October, charging that it had misled millions of customers by selling unlimited data while slowing their speeds by up to 90 percent. The agency said more than 3.5 million people had been throttled, some after using as little as two gigabytes.
14. FBI built a fake Seattle Times page to plant spyware
Documents surfaced showing the FBI had created a counterfeit Seattle Times news story to lure a bomb threat suspect into installing tracking software. The newspaper said it was outraged that the agency had traded on its name and reputation to deploy the malware.
15. FCC fined Marriott for jamming guests' personal Wi-Fi
The Federal Communications Commission fined Marriott 600,000 dollars after staff at a Nashville hotel blocked guests from using their own mobile hotspots. The hotel had sent de-authentication packets to knock people offline while charging exhibitors as much as 1,000 dollars per device for its own network.
16. Twitter sued the government for the right to report surveillance demands
Twitter filed a First Amendment lawsuit on 7 October seeking to publish the true number of national security letters and FISA orders it received, even if that number was zero. The company argued that the gag rules left it unable to speak honestly with its users about government data demands.
17. 'Drupalgeddon' SQL injection put millions of sites at risk
Drupal published advisory SA-CORE-2014-005 on 15 October, warning of a critical SQL injection flaw in Drupal 7 that let anonymous attackers run arbitrary database queries. Automated exploits appeared within hours, and the project later told admins to assume unpatched sites had been compromised.
18. White House 'BuySecure' order pushed chip and PIN cards
President Obama signed an executive order requiring the federal government to issue chip and PIN payment cards and upgrade its terminals to match. The BuySecure plan also promised more sharing of breach evidence with companies and easier tools for victims to report identity theft.
19. Tor Browser 4.0 added the meek censorship circumvention tool
The Tor Project released Tor Browser 4.0, bundling the meek pluggable transport that hides Tor traffic behind popular cloud domains. The build also disabled the SSL 3.0 protocol in response to POODLE and aimed to help users behind firewalls in places such as China.
20. CurrentC, the retailer-backed Apple Pay rival, was hacked
MCX, the retail consortium behind the CurrentC payments app, said attackers had stolen the email addresses of pilot programme testers days before launch. The breach embarrassed the group as it pressed members such as Walmart and Best Buy to block Apple Pay in their stores.