Privacy Roundup #0107 • June 2015
June 2015 closed the door on the NSA telephone dragnet while a wave of breaches, court orders and new surveillance laws showed how far the fight over personal data still had to run.
1. Section 215 of the Patriot Act lapsed at midnight
The Senate let three Patriot Act powers expire on 1 June, including the Section 215 authority that underpinned the NSA bulk telephone records programme. For the first time since 2001 the agency could not gather new American call records in bulk.
2. Obama signed the USA Freedom Act into law
One day after the lapse, the Senate passed the USA Freedom Act and President Obama signed it on 2 June. The law ended the government's bulk collection of phone metadata and left the records with the carriers, to be queried only under a court order.
3. Facebook added OpenPGP encryption for notification emails
Facebook let users post a public PGP key on their profile and receive encrypted notification emails. The experimental feature, announced on 1 June, was a rare push to take end-to-end encryption mainstream.
4. German Bundestag hack left investigators in the dark
German officials confirmed that the federal parliament's network had been breached and that data had almost certainly been stolen. By 1 June the source and scale of the intrusion remained a mystery, and the malware may have sat on the systems for months.
5. Hola VPN was caught selling its users as a botnet
The free VPN Hola was found to be routing other people's traffic through its users' devices and reselling that idle bandwidth through a sister service called Luminati. The network had already been used to attack the message board 8chan, which meant millions of unwitting users had been turned into a botnet for hire.
6. Google launched My Account to centralise privacy controls
Google rolled out a single dashboard called My Account on 1 June, gathering scattered privacy and security settings into one place. The company also opened a question and answer site to explain what data it collects and why.
7. Snowden files showed the NSA hunting hackers without warrants
Documents reported on 4 June revealed that the Justice Department had quietly let the NSA search internet cables on American soil for traffic tied to foreign hackers. The hunt swept up large volumes of Americans' communications without a warrant.
8. OPM disclosed the theft of millions of personnel records
The Office of Personnel Management revealed on 4 June that hackers had stolen the personal records of around four million current and former federal workers. A second, larger breach of background investigation files soon pushed the total far higher.
9. Kaspersky exposed the Duqu 2.0 espionage platform
Kaspersky Lab disclosed that a sophisticated state-grade attacker had penetrated its own network using a new version of the Duqu malware. The same campaign targeted venues for the Iran nuclear talks and other high-profile sites.
10. Medical Informatics Engineering reported a major health data breach
The electronic health records firm Medical Informatics Engineering disclosed an intrusion that exposed sensitive patient information, including names, addresses, Social Security numbers and medical records. The breach reached millions of patients through dozens of clinics and providers.
→ www.dataprivacyandsecurityinsider.com
11. The Anderson review urged a clean slate for UK surveillance law
David Anderson QC published "A Question of Trust" on 11 June, his independent review of British investigatory powers. He called the existing framework tangled and undemocratic and proposed judicial sign-off for interception warrants.
12. EFF warned that Wassenaar export rules could chill security research
The Commerce Department issued a FAQ on its proposed export controls for intrusion software, but the EFF found the answers raised fresh worries. The group cautioned that the broad rules could criminalise everyday vulnerability research and disclosure.
13. Wikipedia switched to HTTPS by default
Wikimedia announced that all of its sites would encrypt traffic with HTTPS by default and adopt strict transport security. The change protected the reading habits of around half a billion people from interception and censorship.
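A reviewer auditing a migration like Wikimedia's wants to see the policy that actually reaches the browser, not just the redirect. The block below is an added example, not Wikimedia's code: it parses a Strict-Transport-Security header value as RFC 6797 defines it (max-age required and unique, optional includeSubDomains and preload, unknown directives ignored) and reports the weaknesses a hardening review would flag, including the caveat that a browser discards the header when it arrives over plain HTTP. The one-year floor and the sample headers are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// OneYear is the max-age floor (in seconds) that browser preload lists and
// most hardening guides expect. Assumption for this example.
const OneYear = 31536000

// HSTSPolicy is the parsed form of a Strict-Transport-Security header value.
type HSTSPolicy struct {
	MaxAge            int64
	IncludeSubDomains bool
	Preload           bool
}

// ParseHSTS parses a header value following RFC 6797 section 6.1: directives
// are separated by ';', names are case-insensitive, max-age is required and
// may appear once, values may be quoted, unknown directives are ignored.
// A header that breaks the syntax is invalid and a browser would ignore it.
func ParseHSTS(value string) (HSTSPolicy, error) {
	var p HSTSPolicy
	seen := map[string]bool{}
	for _, raw := range strings.Split(value, ";") {
		d := strings.TrimSpace(raw)
		if d == "" {
			continue
		}
		name, val, hasVal := strings.Cut(d, "=")
		name = strings.ToLower(strings.TrimSpace(name))
		val = strings.Trim(strings.TrimSpace(val), `"`)
		if seen[name] {
			return HSTSPolicy{}, fmt.Errorf("directive %q repeated", name)
		}
		seen[name] = true
		switch name {
		case "max-age":
			if !hasVal {
				return HSTSPolicy{}, errors.New("max-age has no value")
			}
			n, err := strconv.ParseInt(val, 10, 64)
			if err != nil || n < 0 {
				return HSTSPolicy{}, fmt.Errorf("bad max-age %q", val)
			}
			p.MaxAge = n
		case "includesubdomains":
			p.IncludeSubDomains = true
		case "preload":
			p.Preload = true
		}
	}
	if !seen["max-age"] {
		return HSTSPolicy{}, errors.New("max-age missing: header is invalid")
	}
	return p, nil
}

// AuditHSTS takes the scheme the response came over and the raw header value
// (empty if absent) and returns the findings a reviewer would raise. Per
// RFC 6797 section 8.1 a browser ignores the header on plain HTTP, so a policy
// that is only ever sent on http:// never takes effect.
func AuditHSTS(scheme, header string) []string {
	if scheme != "https" {
		return []string{"response not over TLS: browsers ignore HSTS here"}
	}
	if header == "" {
		return []string{"no Strict-Transport-Security header: first visit can be downgraded"}
	}
	p, err := ParseHSTS(header)
	if err != nil {
		return []string{"invalid header, browsers will ignore it: " + err.Error()}
	}
	var f []string
	if p.MaxAge == 0 {
		f = append(f, "max-age=0 tells browsers to forget the policy")
	} else if p.MaxAge < OneYear {
		f = append(f, fmt.Sprintf("max-age %d is under one year", p.MaxAge))
	}
	if !p.IncludeSubDomains {
		f = append(f, "includeSubDomains absent: subdomains can still be reached over http")
	}
	return f
}

func main() {
	// Constructed sample headers, not captured from any real site.
	samples := map[string]string{
		"weak":   "max-age=300",
		"strong": "max-age=31536000; includeSubDomains; preload",
	}
	for name, h := range samples {
		fmt.Printf("%s: %v\n", name, AuditHSTS("https", h))
	}
}
```

Run it and the weak policy yields two findings (short max-age, no includeSubDomains) while the strong one yields none; pass "http" as the scheme and the header is reported as ineffective regardless of its content.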
14. EU ministers agreed a Council position on data protection reform
On 15 June the Council of Ministers approved its general approach to the General Data Protection Regulation. The decision cleared the way for trilogue talks with the Parliament and Commission, aiming for a final text by the end of the year.
→ www.dataprotectionreport.com
15. France ordered Google to apply the right to be forgotten worldwide
The French regulator CNIL told Google that delisting requests had to be honoured across every version of its search engine, not just European domains. Google was given 15 days to comply before the regulator would open sanction proceedings.
16. LastPass disclosed a breach of its password vault servers
The password manager LastPass said it had detected and blocked suspicious activity on its network. The attackers took account email addresses, password reminders, per-user salts and authentication hashes; the company found no evidence that encrypted vault data had been taken or that any account had been accessed, but urged users to change their master passwords all the same.
17. The FBI investigated the St Louis Cardinals for hacking a rival
Federal agents examined evidence that St Louis Cardinals staff had broken into the Houston Astros' private scouting database. The intrusion reportedly used an old password from a former colleague, turning a baseball rivalry into a federal computer crime case.
18. A keyboard flaw left 600 million Samsung phones exposed
Researchers found that the SwiftKey keyboard bundled into Samsung handsets fetched language-pack updates over plain HTTP and installed them without checking their integrity. An attacker able to intercept that traffic, on the same Wi-Fi network or anywhere upstream, could substitute a malicious update that the keyboard would then run with system-level privileges.
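The failure mode here is an update channel with neither transport security nor payload authentication. The block below is an added example and not code from Samsung, SwiftKey or the researchers: it puts the unauthenticated install path beside a hardened client that refuses non-TLS URLs and only installs a pack whose detached Ed25519 signature verifies under a vendor key pinned in the app. The pack format, the URLs, the `Tamper` step standing in for the on-path attacker and the key handling are all assumptions made for the example; the point is that the signature check makes the attacker's substitution fail even where TLS alone could be stripped.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"net/url"
)

// InstallUnverified models the flaw reported for the bundled keyboard: the
// bytes that arrive over plain HTTP are installed as-is. Whoever can answer
// the request, a neighbour on the same Wi-Fi or an upstream middlebox, picks
// the payload, and it runs with whatever privileges the installer holds.
func InstallUnverified(fetched []byte) []byte {
	return fetched
}

// UpdateClient is the hardened form. It refuses non-TLS update URLs and only
// installs a pack whose detached Ed25519 signature verifies under the vendor
// key pinned in the app. Key handling and pack format are assumptions for
// this example, not the real product's scheme.
type UpdateClient struct {
	VendorKey ed25519.PublicKey
}

func (c UpdateClient) checkURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "https" {
		return fmt.Errorf("refusing non-TLS update URL %q", raw)
	}
	return nil
}

// Install returns the pack bytes only when both the URL and signature checks pass.
func (c UpdateClient) Install(rawURL string, pack, sig []byte) ([]byte, error) {
	if err := c.checkURL(rawURL); err != nil {
		return nil, err
	}
	if len(sig) != ed25519.SignatureSize {
		return nil, errors.New("malformed signature")
	}
	if !ed25519.Verify(c.VendorKey, pack, sig) {
		return nil, errors.New("signature does not verify: pack rejected")
	}
	return pack, nil
}

// Tamper is the man-in-the-middle step: an on-path attacker prepends their own
// payload to a genuine pack before it reaches the device.
func Tamper(genuine []byte) []byte {
	return append([]byte("#!/system/bin/sh\n"), genuine...)
}

func main() {
	// Vendor keypair generated for the demo; in a real app only the public
	// half ships with the APK and the private half stays with release signing.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := []byte("lang=en_US\nwords=hello,world\n") // constructed sample pack
	sig := ed25519.Sign(priv, genuine)
	evil := Tamper(genuine)

	fmt.Printf("unverified path installs tampered pack: %v\n",
		string(InstallUnverified(evil)) == string(evil))

	c := UpdateClient{VendorKey: pub}
	_, err = c.Install("https://updates.example/en_US.pack", genuine, sig)
	fmt.Println("hardened, genuine over https:", err)
	_, err = c.Install("https://updates.example/en_US.pack", evil, sig)
	fmt.Println("hardened, tampered over https:", err)
	_, err = c.Install("http://updates.example/en_US.pack", genuine, sig)
	fmt.Println("hardened, genuine over http:", err)
}
```

The signature is checked over the pack bytes themselves, so it also covers the case where the download is served from a compromised or misconfigured HTTPS origin; the URL scheme check is the cheaper first line that removes the passive on-path attacker the item describes.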
19. Canada's Bill C-51 became law despite privacy objections
Canada's Anti-terrorism Act received royal assent on 18 June, broadening the powers of the security service and allowing information sharing across government departments. The federal privacy commissioner warned that it opened the door to mass collection of citizens' personal data.
20. NSA and GCHQ were shown targeting antivirus makers
Snowden documents reported on 22 June revealed that the NSA and GCHQ had reverse engineered security software to defeat it and track users. Kaspersky Lab was a prime target, and the agencies even monitored vulnerability reports sent to antivirus firms.