Privacy Roundup #0106 • May 2015
May 2015 was the month the courts and Congress turned on bulk surveillance even as fresh Snowden files and a wave of breaches showed how deeply data collection had spread.
1. Appeals court rules NSA bulk phone records collection is unlawful
On 7 May the Second Circuit held in ACLU v. Clapper that the NSA programme sweeping up Americans' telephone metadata went far beyond what Congress authorised under Section 215 of the Patriot Act. The court did not reach the constitutional question, but its statutory ruling reshaped the surveillance reform debate already under way in Congress.
2. House passes the USA Freedom Act to end bulk collection
On 13 May the House of Representatives passed the USA Freedom Act by 338 votes to 88, a measure meant to stop the NSA from indiscriminately collecting phone records. The bill required the government to use specific selection terms when asking the surveillance court for records held by third parties.
3. Rand Paul filibusters surveillance renewal as Section 215 nears expiry
On 20 May Senator Rand Paul took the Senate floor for an extended speech opposing the renewal of Patriot Act surveillance powers. His stand left the future of Section 215 uncertain ahead of its looming June expiry and forced the Senate to confront the bulk collection question directly.
4. Snowden files show the NSA converts speech into searchable text
On 5 May The Intercept reported that the NSA had built systems to automatically transcribe spoken words and turn intercepted conversations into searchable text. The documents described tools that analysts privately compared to a Google for voice, raising fresh questions about the scale of automated eavesdropping.
5. Speech recognition described as the NSA's best-kept open secret
On 11 May The Intercept followed up with a closer look at how widely the agency relied on automated speech-to-text capabilities. The reporting argued that the technology had received little public scrutiny despite being acknowledged in government documents for years.
6. NSA and allies planned to hijack app stores to plant spyware
On 21 May The Intercept revealed a Five Eyes pilot project, codenamed IRRITANT HORN, to hijack connections to Google and Samsung app marketplaces. The plan would have let agencies push malicious implants to targeted phones and send misinformation to users' handsets.
7. Spyware maker mSpy hacked and customer data dumped online
On 14 May Brian Krebs reported that the mobile surveillance company mSpy had been breached, with hundreds of gigabytes of data posted to a Tor hidden service. The cache exposed Apple credentials, payment details, tracking data and private messages belonging to people monitored by the software.
8. mSpy denies the breach even as its own customers confirm it
On 20 May Krebs reported that mSpy was publicly denying any compromise while affected customers were confirming that their data appeared in the leaked dump. He verified the breach by contacting victims directly and checking their details against the stolen records.
9. CareFirst BlueCross breach exposes 1.1 million members
On 20 May the health insurer CareFirst disclosed that an intrusion dating to mid-2014 had exposed records on about 1.1 million current and former members. Attackers obtained names, birth dates, email addresses and insurance identification numbers in an attack linked to the earlier Anthem and Premera breaches.
10. IRS Get Transcript breach hits more than 100,000 taxpayers
On 26 May the Internal Revenue Service announced that criminals had abused its Get Transcript service to pull past tax returns for more than 100,000 taxpayers. The thieves used personal information gathered elsewhere to answer identity questions, and the agency suspended the online service while it investigated.
11. Sally Beauty confirms a second payment card breach
On 28 May Sally Beauty confirmed that point-of-sale malware had again infected its tills, less than two years after an earlier intrusion. Forensic investigators found the malware ran between early March and mid-April, putting customer card data from many United States stores at risk.
12. Adult FriendFinder breach exposes millions of intimate profiles
In late May the adult dating site Adult FriendFinder confirmed that a breach had exposed sensitive details on millions of members. The leaked records included email addresses, usernames, dates of birth and information about users' sexual preferences, an unusually intrusive disclosure.
→ www.dataprivacyandsecurityinsider.com
13. Logjam flaw leaves tens of thousands of HTTPS sites open to eavesdropping
On 20 May researchers disclosed Logjam, a weakness in the Diffie-Hellman key exchange that let attackers downgrade secure connections to weak export-grade cryptography. They warned that a well-resourced adversary could passively decrypt a large share of supposedly encrypted web traffic.
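As an added illustration not taken from the roundup or from the Logjam researchers: a defender reviewing captured TLS handshakes can read the server's Diffie-Hellman parameters out of the ServerKeyExchange message and flag the group sizes Logjam abuses. The wire layout follows RFC 5246 (three length-prefixed integers p, g, Ys); the sample moduli are constructed odd numbers of the right size, not real DH groups.

```python
# Added example (not from the roundup): parse TLS ServerDHParams and flag
# export-grade or undersized Diffie-Hellman groups of the kind Logjam targets.
import struct

EXPORT_MAX_BITS = 512       # export-grade ceiling a Logjam downgrade forces the connection to
ACCEPTABLE_MIN_BITS = 2048  # 1024-bit groups are considered within reach of well-resourced precomputation


def parse_server_dh_params(body: bytes):
    """Parse ServerDHParams (RFC 5246 7.4.3): length-prefixed big-endian p, g, Ys."""
    fields = []
    offset = 0
    for _ in range(3):
        if offset + 2 > len(body):
            raise ValueError("truncated ServerDHParams")
        (length,) = struct.unpack_from("!H", body, offset)
        offset += 2
        if offset + length > len(body):
            raise ValueError("truncated ServerDHParams")
        fields.append(int.from_bytes(body[offset:offset + length], "big"))
        offset += length
    p, g, ys = fields
    return p, g, ys


def classify_dh_group(p: int) -> str:
    """Grade the modulus by bit length alone; group reuse is a separate audit."""
    bits = p.bit_length()
    if bits <= EXPORT_MAX_BITS:
        return "export-grade"
    if bits < ACCEPTABLE_MIN_BITS:
        return "weak"
    return "acceptable"


def encode_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Inverse of the parser; used here only to build constructed sample handshakes."""
    out = b""
    for value in (p, g, ys):
        raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out


def audit_handshake(body: bytes) -> dict:
    p, _g, _ys = parse_server_dh_params(body)
    return {"p_bits": p.bit_length(), "verdict": classify_dh_group(p)}


# Constructed sample moduli (NOT real DH groups): odd numbers of the target sizes.
SAMPLE_EXPORT = encode_server_dh_params((1 << 511) | 0x2B, 2, 0x1234)
SAMPLE_STRONG = encode_server_dh_params((1 << 2047) | 0x2B, 2, 0x1234)
```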
14. VENOM bug lets attackers escape virtual machines
On 13 May CrowdStrike disclosed VENOM, a flaw in the virtual floppy disk code used by QEMU, Xen and KVM that had existed since 2004. The bug could let an attacker break out of a guest virtual machine and run code on the host, threatening other tenants sharing the same hardware.
15. Penn State unplugs engineering network after Chinese intrusion
On 15 May Penn State disclosed that its College of Engineering network had been compromised in attacks traced in part to China. The university disconnected the network from the internet for several days and notified thousands of people whose credentials may have been exposed.
16. German Bundestag battles a deep network intrusion
In mid-May the German parliament discovered that its computer network had been deeply compromised by attackers who gained broad administrative access. Officials struggled to expel the trojans, and reports suggested that thousands of machines might need to be replaced to fully clean the systems.
17. Beacon Health warns 220,000 patients after email phishing breach
On 28 May the Indiana provider Beacon Health began notifying about 220,000 patients that phishing attacks had exposed their protected health information. Attackers had gained access to employee email accounts over a long period, illustrating how a single tricked login can spill sensitive medical records.
18. Hola free VPN found turning users into a botnet
On 29 May reports revealed that the popular Hola VPN was quietly selling its users' spare bandwidth through a sister service called Luminati. People who installed Hola to protect their privacy had instead become exit nodes whose connections could be bought and used to attack websites.
19. Hard Rock casino warns customers of a payment card breach
On 4 May the Hard Rock Hotel and Casino in Las Vegas warned that malware may have stolen card data from its retail and restaurant tills. The exposed transactions spanned several months and could have included names, card numbers and security codes.
20. Virginia signs a warrant requirement for police drones
On 6 May the governor of Virginia signed a law requiring police to obtain a warrant before using drones for surveillance. He declined to set similar limits on automatic licence plate readers, leaving that bulk location tracking largely unchecked.
Enjoyed this post?
Well, you could share the post with others, follow me with RSS Feeds and/or send me a comment via email.