Privacy Roundup #0108 • July 2015
July 2015 was dominated by the Hacking Team leak, which laid bare the surveillance trade, alongside the Ashley Madison and OPM breaches and a hardening fight over encryption.
1. Italian spyware vendor Hacking Team is breached and 400GB is dumped
Attackers seized control of Hacking Team's Twitter account and published more than 400 gigabytes of internal emails, invoices and source code. The leak exposed the inner workings of a firm that sold intrusion tools to governments around the world.
2. Leaked files show the FBI, DEA and US Army bought Hacking Team spyware
Internal documents revealed that American federal agencies had purchased Remote Control System, a tool that takes over a target's computer and phone. The FBI was code-named Phoebe and the DEA was code-named Katie in the company's records.
3. Hacking Team emails confirm sales to repressive governments
A close reading of the leaked correspondence confirmed that Hacking Team had sold its surveillance suite to Ethiopia, Bahrain, Egypt, Sudan, Saudi Arabia and other states with poor human rights records. Internal messages showed managers more worried about lost revenue than about how the tools were used.
4. An Adobe Flash zero-day from the Hacking Team dump is weaponised within days
A previously unknown Flash flaw, tracked as CVE-2015-5119, surfaced inside the leaked files and was patched by Adobe on the same day it became public. Attackers folded the exploit into mainstream exploit kits and spear-phishing campaigns almost immediately.
5. Harvard discloses an IT breach affecting eight schools
Harvard announced that intruders had compromised the networks of its Faculty of Arts and Sciences and central administration, touching eight schools and administrative bodies. Login credentials, including Office 365 passwords, may have been exposed, though the university found no sign that research data was taken.
6. UK tribunal admits GCHQ unlawfully spied on Amnesty International
The Investigatory Powers Tribunal reversed an earlier ruling and confirmed that GCHQ had illegally retained communications belonging to Amnesty International. The correction came after the agency itself pointed out a mistaken attribution in the original judgment.
7. FBI Director Comey presses Congress for access to encrypted data
At Senate hearings, James Comey argued that the spread of strong encryption was letting criminals go dark and asked lawmakers to give agencies a way in. Technologists countered that any such access would weaken security for everyone.
8. Fifteen cryptographers warn against mandated encryption backdoors
The "Keys Under Doormats" report argued that building exceptional access for governments would make systems less secure and harder to maintain. Bruce Schneier, one of the authors, summarised the case as the report landed in the middle of the Senate encryption debate.
9. Second OPM breach exposes 21.5 million background-check records
The Office of Personnel Management revealed a second intrusion that compromised the security clearance files of 21.5 million current, former and prospective federal workers. Director Katherine Archuleta resigned the following day.
→ iapp.org
10. Germany opens a treason inquiry into the blog Netzpolitik
Federal prosecutors confirmed an investigation into the digital rights site Netzpolitik for publishing leaked plans to expand state surveillance. It was the first treason probe against journalists in Germany in half a century and drew immediate condemnation.
11. MEPs back an EU passenger name record system
The European Parliament's civil liberties committee voted to support an EU-wide scheme to collect and process airline passenger data for counter-terrorism. The vote granted negotiators a mandate to begin talks with the Council, with members claiming data protection safeguards would apply.
12. Police in twenty countries dismantle the Darkode hacking forum
An international operation led by the FBI and Europol shut down Darkode, a vetted marketplace for malware, botnets and stolen data. The takedown produced dozens of arrests and house searches across the globe.
13. UCLA Health reveals a breach of 4.5 million patient records
UCLA Health disclosed that hackers had reached systems holding names, dates of birth, Social Security numbers and medical information for some 4.5 million people. Much of the data was unencrypted, and the intrusion had begun the previous autumn.
14. Ashley Madison is hacked and its 37 million users are threatened
A group calling itself the Impact Team breached the affair-arranging site Ashley Madison and demanded that its parent company shut it down. The hackers threatened to release records on tens of millions of users, accusing the firm of lying about a paid deletion service.
15. Researchers remotely kill a Jeep Cherokee on the motorway
Charlie Miller and Chris Valasek showed they could take over a moving Jeep over the internet, cutting its transmission and brakes from miles away. The demonstration pushed Fiat Chrysler to recall 1.4 million vehicles to close the flaw.
16. US export rules on surveillance tools draw fierce industry pushback
The comment period closed on proposed American rules implementing the Wassenaar Arrangement controls on intrusion software. Critics warned the broad language would criminalise everyday work by security researchers and cripple bug bounty programmes.
17. Anti-abortion hackers breach Planned Parenthood databases
A group calling itself 3301 attacked Planned Parenthood and published the names and contact details of hundreds of employees. The organisation alerted federal authorities and raised concerns for the safety of its staff.
18. Stagefright flaw leaves almost a billion Android phones exposed
Researchers disclosed a vulnerability in Android's media library that could be triggered by a single crafted multimedia message. The bug laid bare how slowly patches reach handsets once manufacturers and carriers are involved.
19. Hacking Team leaks expose the growth of the spyware industry
Analysis of the dump showed at least thirty-eight government users of Remote Control System, far more than researchers had previously documented. The files underlined how little oversight governs the trade in intrusion tools.
20. FISA court lets the NSA resume bulk phone metadata collection
A judge ruled that the USA Freedom Act allowed the National Security Agency to keep gathering Americans' call records for a 180-day transition period. The decision revived a programme that had briefly lapsed, prompting the ACLU to vow a fresh challenge.
Enjoyed this post?
Well, you could share the post with others, follow me with RSS Feeds and/or send me a comment via email.
Tags
Category:
Year: