Privacy Roundup #0114 • January 2016
January 2016 reopened the crypto wars and exposed fragile firewalls, with NSA-tainted backdoors, point-of-sale breaches and a landmark European surveillance ruling all landing in one month.
1. EFF confirms T-Mobile's Binge On is just throttling
EFF testing found that T-Mobile's Binge On programme did not optimise video at all but simply throttled every video stream to around 1.5 Mbps, whether or not the provider had signed up. The group warned that throttling all video by default, without consent, undercut the carrier's net neutrality and privacy claims.
2. Dutch government rejects encryption backdoors
The Netherlands became the first country to publish an unambiguous official stance against weakening encryption, in a letter from the Ministry of Security and Justice to parliament. Ministers acknowledged that criminals use encryption but concluded that restrictive measures would harm the security of every citizen.
3. Time Warner Cable warns 320,000 of stolen passwords
Time Warner Cable told up to 320,000 customers that their email passwords might have been stolen, after the FBI alerted the company to the exposed credentials. The firm said its own systems were not breached and urged affected customers to reset their passwords at once.
4. Henry Schein settles FTC charges over false encryption claims
Dental software maker Henry Schein Practice Solutions paid 250,000 dollars to settle FTC charges that it falsely advertised the encryption protecting patient records in its Dentrix G5 software. The agency said the company told dentists the product met HIPAA standards when it used a much weaker form of data masking.
5. Juniper rips out NSA-linked Dual EC from ScreenOS
After disclosing an unauthorised backdoor in its firewalls the previous month, Juniper said it would remove the Dual EC and ANSI X9.31 random number generators from ScreenOS. Researchers had tied the weakness to the discredited Dual EC algorithm long championed by the NSA, raising fresh questions about who planted the code.
6. Hard-coded SSH login found in Fortinet firewalls
A researcher revealed that FortiOS firewalls shipped with a hard-coded SSH password that granted administrator access, and a working exploit was posted to a public mailing list. Fortinet downplayed the flaw as a management authentication issue rather than a deliberate backdoor, weeks after the Juniper revelations.
7. Strasbourg court strikes down Hungarian mass surveillance
The European Court of Human Rights ruled in Szabo and Vissy v Hungary that the country's sweeping anti-terror surveillance law breached the right to private life. The judges found the regime overbroad, lacking any test of strict necessity and missing judicial oversight of secret monitoring.
8. Hyatt card breach hit 250 hotels in 50 countries
Hyatt finished investigating a payment system compromise and said malware had infected card processing at around 250 hotels across roughly 50 countries. The infections ran between August and December 2015 and mostly affected restaurants inside the hotels.
9. Casino sues Trustwave over failed breach response
Casino operator Affinity Gaming sued security firm Trustwave, alleging that it failed to contain a card breach it had been hired to remediate. The suit claimed attackers struck again while Trustwave was investigating, and a rival firm later judged the earlier work woefully inadequate.
10. Researchers detail the Ukraine power grid hack
Investigators confirmed that the December attack on Ukrainian utilities was the first known blackout caused by hackers, who used BlackEnergy malware to open breakers and cut power to around a quarter of a million people. The analysis described a coordinated operation against three distribution companies, with code to hinder recovery.
11. Asacub Android trojan turns into a banking weapon
Researchers documented how the Asacub trojan had evolved from a contact-stealing spyware tool into mobile banking malware able to mimic banking login pages and redirect calls. An intense campaign infected thousands of Android users, and a variant aimed at a large United States bank was also found.
12. Hello Barbie security analysis raises child privacy alarm
A detailed analysis of Mattel's internet-connected Hello Barbie set out flaws in the doll's app and cloud services that could expose user data. The findings sharpened concern that a toy recording children's speech and storing it on remote servers created a fresh privacy risk for families.
13. Skype starts hiding user IP addresses by default
Microsoft updated Skype so that it would conceal a caller's internet address rather than expose it to anyone who knew the username. The change targeted so-called Skype resolver tools that abusers had bundled with denial-of-service services to find and harass victims.
14. Malware attack strikes Israeli electricity regulator
Israel said it had repelled a serious cyberattack on the computers of its Electricity Authority, forcing officials to take many machines offline while they cleaned the infection. Reports tied the incident to BlackEnergy and wiper malware, though the national power grid itself was not disrupted.
15. Lincolnshire council shuts down all IT after ransomware
Lincolnshire County Council took its entire computer estate offline after ransomware locked its files and demanded a large payment. The authority described it as the biggest attack it had faced, and services including libraries and online bookings were down for days while staff rebuilt systems.
16. Wendy's investigates reports of a card breach
Wendy's confirmed it was looking into unusual payment card activity flagged by banks at some of its restaurants. The fast-food chain hired a security firm to examine the reports, which began with Midwest banks before spreading to the East Coast.
17. Centene loses hard drives holding 950,000 health records
Health insurer Centene said it was missing six unencrypted hard drives containing the personal and medical data of about 950,000 members. The drives held names, addresses, dates of birth and Social Security numbers for people who had used laboratory services between 2009 and 2015.
18. FTC links a 47 percent jump in identity theft to tax fraud
The Federal Trade Commission reported that identity theft complaints rose by nearly half in 2015, driven mainly by criminals filing fraudulent tax refunds in victims' names. The agency urged consumers to file early and to watch for signs that their Social Security numbers had been abused.
19. EFF pries more zero-day policy from the government
After EFF pressed its FOIA lawsuit, the government released a far less redacted version of its Vulnerabilities Equities Process, the secret framework for deciding whether to disclose or hoard software flaws. The newly visible text admitted that agencies weigh offensive and defensive uses of vulnerabilities, confirming that officials sometimes keep flaws secret to exploit them.
20. Threat intelligence firm Norse Corp implodes
Reports described the sudden collapse of Norse Corp, a security company known for its flashy live map of supposed cyberattacks, amid layoffs and the removal of its chief executive. Critics had long questioned the quality of its threat data, and the unwinding raised doubts about hype-driven intelligence products.