Privacy Roundup #0103 • February 2015
February 2015 was dominated by spy agencies caught stealing encryption keys, fresh Snowden disclosures and a wave of breaches that exposed the data of tens of millions of people.
1. Spies stole the encryption keys to the world's mobile phones
The Intercept reported that the NSA and GCHQ broke into Gemalto, the largest maker of SIM cards, and stole encryption keys that protect billions of handsets. The theft let the agencies monitor mobile voice and data without a warrant or a wiretap order.
2. Researchers uncovered NSA spyware hidden in hard drive firmware
Kaspersky Lab exposed the Equation Group, a state-backed operation that buried malware in the firmware of drives from Seagate, Western Digital, Toshiba and others. Because the code lived below the operating system, it survived disk wipes and reinstalls, making infected machines almost impossible to clean.
3. Lenovo shipped laptops that broke HTTPS security
Lenovo was found pre-installing Superfish adware that intercepted encrypted web traffic by inserting its own root certificate. Every affected laptop shared the same private key, so any attacker could impersonate banks and other secure sites without triggering a browser warning.
4. Samsung warned that its smart TVs were listening to private conversations
A clause in Samsung's privacy policy warned owners not to discuss sensitive matters near their televisions, because spoken words were captured and sent to a third party. The voice recognition feature relied on Nuance to transcribe commands, turning living room chatter into transmitted data.
5. Anthem breach exposed records of nearly 80 million people
The health insurer Anthem disclosed that hackers had stolen names, birth dates, Social Security numbers and addresses for as many as 78.8 million customers. It was the largest healthcare data breach disclosed at the time, and investigators later tied it to a China-based espionage group.
6. The FCC voted to regulate broadband under Title II
The Federal Communications Commission reclassified broadband as a telecommunications service in a historic three to two vote, securing strong net neutrality rules. The change also brought broadband providers under Section 222, raising the prospect of new federal limits on how they use customer browsing data.
7. Carbanak gang stole up to a billion dollars from banks
Kaspersky Lab revealed Carbanak, a campaign in which criminals used spear phishing to plant malware inside more than 100 financial institutions. Over two years the attackers quietly watched staff, drained accounts and rigged cash machines, with losses estimated at up to one billion dollars.
8. Obama signed an executive order on cyber threat sharing
At a summit at Stanford, President Obama signed an executive order encouraging companies to share cybersecurity threat data with each other and the government. Civil liberties groups warned that broader sharing risked sweeping personal information into government hands unless minimisation rules were strictly enforced.
→ obamawhitehouse.archives.gov
9. UK tribunal ruled GCHQ intelligence sharing unlawful
The Investigatory Powers Tribunal found that GCHQ's access to NSA mass surveillance data had been unlawful because the rules governing it were kept secret. It was the first time the secretive court had ruled against the British intelligence agencies in its history.
10. Verizon agreed to let customers escape its supercookie
Under pressure from the Senate Commerce Committee, Verizon said it would let customers opt out of the hidden header it injected into every web request. The supercookie had been abused by an advertising partner to rebuild tracking profiles after users deleted their cookies.
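The injected header described above works as a tracking identifier precisely because it survives cookie deletion. The following is an added example, not code from the original post: a small triage script a site operator could run over their own request logs to spot a header that stays constant for a client even after that client's cookies change, while differing between clients. The sample traffic and the header name `X-Tracking-Example` are constructed for the demonstration and are not a real carrier's header.

```python
"""Flag request headers that behave like a 'supercookie': constant per
client across a cookie change, and unique per client across clients."""
from collections import defaultdict

# Standard headers that are legitimately constant for a client and would
# otherwise produce false positives (a rare User-Agent, for instance).
IGNORED_HEADERS = {
    "cookie", "user-agent", "accept", "accept-language",
    "accept-encoding", "host", "connection",
}

# Constructed sample traffic (not real logs). Clients 10.0.0.1 and
# 10.0.0.2 clear their cookies between requests but keep receiving the
# same injected value; 10.0.0.3 is an unaffected client.
SAMPLE_REQUESTS = [
    {"client": "10.0.0.1", "headers": {"Cookie": "sid=aaa111", "User-Agent": "Mobile/1.0",
                                       "Accept-Language": "en-US",
                                       "X-Tracking-Example": "OTgxMjM0NTY3ODkw"}},
    {"client": "10.0.0.1", "headers": {"Cookie": "sid=bbb222", "User-Agent": "Mobile/1.0",
                                       "Accept-Language": "en-US",
                                       "X-Tracking-Example": "OTgxMjM0NTY3ODkw"}},
    {"client": "10.0.0.2", "headers": {"Cookie": "sid=ccc333", "User-Agent": "Mobile/2.3",
                                       "Accept-Language": "en-US",
                                       "X-Tracking-Example": "MTIzNDU2Nzg5MDEy"}},
    {"client": "10.0.0.2", "headers": {"Cookie": "sid=ddd444", "User-Agent": "Mobile/2.3",
                                       "Accept-Language": "en-US",
                                       "X-Tracking-Example": "MTIzNDU2Nzg5MDEy"}},
    {"client": "10.0.0.3", "headers": {"Cookie": "sid=eee555", "User-Agent": "Desktop/9.0",
                                       "Accept-Language": "de-DE"}},
]


def find_supercookie_headers(requests, min_clients=2):
    """Return {header_name: {client: value}} for headers that look like
    persistent identifiers. A header qualifies when, for at least
    `min_clients` clients whose Cookie header changed, it kept a single
    value per client and that value differs from every other client's."""
    per_client = defaultdict(lambda: defaultdict(set))  # client -> header -> values
    cookies_seen = defaultdict(set)                     # client -> cookie values

    for req in requests:
        client = req["client"]
        cookies_seen[client].add(req["headers"].get("Cookie"))
        for name, value in req["headers"].items():
            lname = name.lower()
            if lname in IGNORED_HEADERS:
                continue
            per_client[client][lname].add(value)

    # Headers that stayed constant for a client despite a cookie change.
    candidates = defaultdict(dict)  # header -> {client: value}
    for client, headers in per_client.items():
        if len(cookies_seen[client]) < 2:
            continue  # no cookie change observed, persistence cannot be judged
        for name, values in headers.items():
            if len(values) == 1:
                candidates[name][client] = next(iter(values))

    # Keep only headers whose value is unique per client, i.e. an identifier
    # rather than a shared constant.
    flagged = {}
    for name, by_client in candidates.items():
        if len(by_client) < min_clients:
            continue
        if len(set(by_client.values())) == len(by_client):
            flagged[name] = dict(by_client)
    return flagged


if __name__ == "__main__":
    for header, clients in find_supercookie_headers(SAMPLE_REQUESTS).items():
        print(f"possible supercookie header {header!r} seen on {len(clients)} clients")
```

The check is a triage signal rather than proof: a header that is constant per client and distinct across clients is exactly the shape a tracking identifier has, but confirming that it was injected in transit, and who injected it, requires comparing what the client sent with what the server received.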
11. Uber disclosed a breach affecting 50,000 drivers
Uber revealed that an unauthorised person had accessed a database in 2014, exposing the names and driving licence numbers of around 50,000 drivers. The company had discovered the intrusion months earlier but only disclosed it publicly in late February.
12. Citizenfour won the Academy Award for best documentary
Laura Poitras won an Oscar for Citizenfour, her film documenting Edward Snowden's NSA disclosures from a Hong Kong hotel room. Accepting the award, Poitras argued that mass surveillance threatened not only privacy but democracy itself.
13. Europol dismantled the Ramnit botnet
Europol coordinated an international operation that seized command servers behind Ramnit, malware used to spy on PCs and steal banking and social media passwords. The takedown freed about 3.2 million infected computers and involved police forces across Britain, the Netherlands, Italy and Germany.
14. Jeb Bush published emails full of citizens' Social Security numbers
In a transparency drive, Jeb Bush posted years of gubernatorial emails online, but the cache contained nearly 13,000 Social Security numbers along with names and birth dates. Some numbers stayed publicly accessible for days before his team finished redacting the records.
15. EPIC asked regulators to investigate Samsung's listening televisions
The Electronic Privacy Information Center filed a complaint urging the Federal Trade Commission to investigate Samsung over its always-listening smart TVs. The group argued that recording and transmitting private conversations to third parties amounted to deceptive and unfair trade practices.
16. Mattel unveiled an internet-connected Barbie that records children
Mattel introduced Hello Barbie at the New York Toy Fair, a doll that sent recorded conversations to ToyTalk's servers to generate spoken replies. Privacy advocates immediately warned that a microphone listening to children and storing their words in the cloud was a surveillance device in disguise.
17. Google advisory council said the right to be forgotten should stop at Europe
The expert council Google convened after the Costeja ruling published its report, recommending that delisting requests apply only to European versions of the search engine. European data protection regulators disagreed, having argued that links should be removed worldwide, including from Google.com.
18. UK watchdog found FinFisher maker breached human rights guidelines
The UK's OECD contact point concluded that surveillance vendor Gamma International had failed to meet its human rights obligations over the FinFisher spyware. The finding followed a complaint by Privacy International and partners that the tool had been used against activists in Bahrain.
19. Oakland weighed a privacy policy for its surveillance hub
Oakland officials considered a privacy framework to govern the Domain Awareness Center, a hub that pools feeds from cameras and other sensors across the city. The EFF welcomed proposed audit and oversight roles but warned the draft still left residents exposed to broad monitoring.
20. TalkTalk admitted a breach exposed customer account details
TalkTalk emailed customers to confirm that account numbers, addresses and phone numbers had been stolen in a breach. The company linked the incident to an earlier compromise of a third-party system, and scammers soon used the data to pose as the firm's support staff.