Privacy Roundup #0109 • August 2015
August 2015 turned private lives into public spectacle, as the Ashley Madison dumps, fresh surveillance disclosures and a string of firmware and browser flaws showed how little control people held over their own data.
1. Ashley Madison hackers dump the data of millions of users
The Impact Team made good on its July threat and published a large trove of Ashley Madison account, profile and billing records covering more than thirty million people. The release exposed users who had paid the site to delete their details, proving that the deletion had never happened.
→ www.dataprotectionreport.com
2. Second Ashley Madison leak exposes the chief executive's emails and source code
A few days after the first dump, the attackers released a second archive nearly twice the size, containing internal company emails and the website's source code. The folder of correspondence belonging to Avid Life Media boss Noel Biderman turned a customer breach into a corporate humiliation.
3. Documents reveal AT&T's decades-long surveillance partnership with the NSA
ProPublica and The New York Times reported that the NSA relied on a uniquely close relationship with AT&T to capture vast amounts of internet traffic on American soil. Internal documents praised the company's "extreme willingness to help" under the cover names Fairview and Stormbrew.
4. Appeals court confirms the FTC can police corporate data security
The Third Circuit ruled in FTC v. Wyndham that the agency may treat sloppy data security as an unfair practice under Section 5 of the FTC Act. The decision gave the regulator a firm legal footing to pursue companies whose failures expose customer records.
5. Lenovo caught hiding unremovable software in the firmware
Researchers found that Lenovo used a Windows feature, the Windows Platform Binary Table (WPBT), which lets firmware hand Windows an executable to run during boot, to reinstall its own software even after a clean reinstall of the operating system. The hidden Lenovo Service Engine also carried a flaw that could be abused to gain administrator access.
6. Stagefright flaw leaves nearly a billion Android phones at risk
The full details of the Stagefright media flaw were laid out at Black Hat, showing that a booby-trapped message could compromise a phone without the owner touching it. Researchers estimated that around nine hundred and fifty million Android devices were vulnerable.
7. Google, Samsung and LG promise monthly Android security updates
Shaken by Stagefright, Google pledged regular monthly patches for its Nexus devices, and Samsung and LG quickly said they would follow. The move aimed to fix a patching system that had long left most phones exposed for months.
8. Firefox PDF flaw exploited to steal files from victims' computers
Mozilla disclosed that a vulnerability in the Firefox PDF viewer was being used in the wild to read and upload sensitive local files. The exploit, seen on a Russian news site, hunted for passwords, keys and configuration files before sending them to a server in Ukraine.
9. IRS says its 'Get Transcript' breach hit 330,000 taxpayers
The tax agency revised the scale of its Get Transcript breach upward, saying identity thieves had pulled records on more than three hundred and thirty thousand people. The stolen tax data fed a wave of fraudulent refund claims.
10. Carphone Warehouse breach exposes 2.4 million UK customers
The British retailer disclosed that intruders had accessed the personal details of up to 2.4 million customers, along with the encrypted card data of about ninety thousand. Names, addresses, dates of birth and bank details were among the information taken.
11. White House backs the privacy-invasive CISA surveillance bill
The Obama administration endorsed the Senate's Cybersecurity Information Sharing Act, a bill the EFF warned would hand the government broad new spying powers. Critics argued that its vague definitions and legal immunity invited needless damage to ordinary users' privacy.
12. Homeland Security warns that CISA would damage privacy
The Department of Homeland Security cautioned that the CISA bill would sweep away important privacy protections and force it to spread personal information further. The admission lent official weight to the EFF's long-running objections to the legislation.
13. NSA signals a shift towards post-quantum cryptography
The NSA updated its Suite B guidance and warned partners to prepare for a transition to quantum-resistant algorithms. Bruce Schneier noted that the move suggested deeper concerns about the future security of widely used encryption.
14. A cheap radio device defeats car and garage keyless entry
Researcher Samy Kamkar unveiled RollJam, a thirty-two dollar gadget that captures and replays the rolling codes used by many car fobs and garage remotes. The tool let an attacker open vehicles and garages without leaving a trace.
15. Mozilla adds tracking protection to private browsing in Firefox
Mozilla shipped an experimental feature that blocks tracking services when a user opens a private window, going beyond the limited protection most private modes offer. The company said people deserved real control over who follows them across the web.
16. Microsoft rushes an emergency patch for an Internet Explorer zero-day
Microsoft issued an out-of-band fix, MS15-093, for a memory flaw in Internet Explorer that attackers were already exploiting. The bug allowed remote code execution against anyone who visited a malicious page, prompting an urgent call to patch.
17. Thunderstrike 2 shows Macs can be infected through their firmware
Researchers demonstrated the first firmware worm for Apple computers, able to spread through Thunderbolt accessories and survive a full reinstall of the operating system. Because it rewrites the boot flash, ordinary clean-up steps cannot remove it.
18. Yahoo's ad network spreads malware to millions of visitors
Malwarebytes uncovered a large malvertising campaign that abused Yahoo's own advertising network to push the Angler exploit kit. The attack relied on unpatched Flash flaws and reached one of the most visited properties on the web.
19. UK regulator orders Google to delist 'right to be forgotten' stories
The Information Commissioner's Office told Google to remove nine search links to news articles that named a person and revealed details of a removal request. The order created an awkward loop, as reporting on a delisting had itself become newly searchable.
20. Russia prepares to force personal data onto local servers
With a new data localization law due to take effect on the first of September, Russian authorities published guidance on what companies would have to do. The rule required firms to store and process the personal data of Russian citizens on servers inside the country.