Privacy Roundup #0100 • November 2014

November 2014 paired fresh Snowden cable-tap revelations and nation-state spy malware with a wave of corporate tracking and a stalled push for surveillance reform.

1. Verizon injects perma-cookies to track mobile customers

Verizon was found to silently add an X-UIDH header to every unencrypted request its mobile customers made, letting advertisers build permanent profiles. The tracker ignored browser privacy modes and Do Not Track settings because it was inserted at the network layer.

www.eff.org

2. EFF rates which messaging tools are truly safe and secure

The EFF published its first Secure Messaging Scorecard, grading dozens of chat, email and calling tools against seven security criteria. Most mainstream apps fell short, while a handful including Signal, TextSecure and CryptoCat earned full marks.

www.eff.org

3. WireLurker malware crosses from Macs to iPhones

Palo Alto Networks revealed WireLurker, a malware family that infected Mac applications and then trojanised iOS apps over USB. It was the first in-the-wild malware able to install software on non-jailbroken iPhones through enterprise provisioning.

www.paloaltonetworks.com

4. Operation Onymous seizes Silk Road 2.0 and hundreds of dark sites

A joint Europol and FBI operation shut down Silk Road 2.0 and hundreds of other hidden services and made seventeen arrests. The takedown raised hard questions about how police had located Tor hidden services in the first place.

www.npr.org

5. Home Depot says hackers also stole 53 million email addresses

Home Depot confirmed that the breach which exposed 56 million payment cards had also leaked 53 million customer email addresses. The company warned shoppers to expect phishing attempts using the stolen addresses.

krebsonsecurity.com

6. DarkHotel spies on executives through luxury hotel WiFi

Kaspersky documented DarkHotel, an espionage crew that compromised hotel networks to push fake software updates onto travelling executives. The attackers targeted senior business figures across Asia and deleted their tools after each infection to avoid detection.

securelist.com

7. Postal Service breach exposes data on 800,000 employees

The United States Postal Service disclosed a breach that compromised the personal records of more than 800,000 employees, including Social Security numbers. Data on nearly three million customers who had contacted its call centre was also taken, with suspicion falling on Chinese state hackers.

www.npr.org

8. Justice Department flies fake cell towers to sweep up phone data

The Wall Street Journal reported that the Justice Department mounted cell-site simulators called dirtboxes on aircraft to locate suspects. A single flight could capture identifying data from tens of thousands of phones, including those of innocent bystanders.

9to5mac.com

9. State Department shuts down email after suspected intrusion

The State Department took its entire unclassified email system offline to repair damage from a suspected hacking attack. The intrusion was detected around the same time as a separate breach of a White House network, with officials pointing to a nation-state actor.

www.cbsnews.com

10. WhatsApp turns on end-to-end encryption for Android

WhatsApp began rolling out end-to-end encryption built on Open Whisper Systems' TextSecure protocol, covering one-to-one Android messages. With hundreds of millions of users, it was the largest deployment of strong message encryption to date.

www.schneier.com

11. EFF and partners announce Let's Encrypt to encrypt the web

The EFF, Mozilla and others announced Let's Encrypt, a free certificate authority designed to make HTTPS easy and automatic for any website. The project promised to cut certificate setup from hours to seconds when it launched in 2015.

www.eff.org

12. Senate blocks the USA Freedom Act surveillance reform

A bid to advance the USA Freedom Act, which would have ended the bulk collection of phone records under Section 215, fell short of the votes needed to break a filibuster. The EFF called the failure a missed chance for bipartisan reform after months of campaigning.

www.eff.org

13. Uber probes use of its God View tool to track a journalist

Uber said it was investigating a New York manager who allegedly used an internal tool called God View to track a reporter without her consent. The episode arrived alongside reports that an executive had floated digging into the private lives of critical journalists.

www.engadget.com

14. Snowden files reveal Cable and Wireless aided GCHQ cable taps

New documents showed that Cable and Wireless, later bought by Vodafone, gave GCHQ access to undersea cables carrying internet traffic. A GCHQ employee was embedded at the firm, which was paid millions to help tap nearly seventy per cent of the data on the cables it controlled.

theintercept.com

15. Detekt tool lets activists scan for state spyware

Amnesty International, the EFF and Privacy International released Detekt, a free tool that scanned Windows computers for known government surveillance malware. It was aimed at journalists and human rights defenders who feared they were being monitored.

www.eff.org

16. Guardians of Peace cripple Sony Pictures and leak its secrets

A group calling itself the Guardians of Peace locked Sony Pictures computers studio-wide and began leaking unreleased films, salaries and sensitive employee data. The attack exposed the personal information of thousands of staff and set off a months-long fallout.

www.engadget.com

17. Regin spy malware tied to NSA and GCHQ attack on Belgacom

The Intercept linked the sophisticated Regin malware to a US and British intelligence operation against Belgacom and European Union systems. Researchers described it as among the most advanced espionage tools ever found, capable of long-term covert surveillance.

theintercept.com

18. Twitter starts logging the other apps on your phone

Twitter began collecting the list of apps installed on a user's device through a feature it called the app graph, switched on by default. The company said it would use the data to tailor ads and follow suggestions, with opt-out left to the user.

www.infodocket.com

19. EU regulators say right to be forgotten must reach .com domains

The Article 29 Working Party adopted guidelines saying that de-listing under the right to be forgotten should not be limited to European domains. To be effective, search engines would need to apply removals on global domains such as .com as well.

inforrm.org

20. European Parliament backs breaking up Google over its data power

Members of the European Parliament voted for a resolution urging regulators to consider unbundling search engines from other commercial services. Backers cited the vast amount of personal data Google controlled as a pressing concern for competition and privacy alike.

techcrunch.com

