Privacy Roundup #0115 • February 2016

February 2016 was dominated by the Apple and FBI fight over unlocking a San Bernardino iPhone, while ransomware, fresh breaches and surveillance rulings kept the pressure on everyone else.

1. Court orders Apple to help the FBI unlock the San Bernardino iPhone

A federal magistrate judge in California, Sheri Pym, signed an order on 16 February requiring Apple to build a custom version of iOS for an iPhone used by one of the San Bernardino attackers. The software would disable the auto-erase that wipes the device after ten failed passcode attempts and remove the escalating delays between attempts, so that the passcode could be brute-forced. The directive, issued under the All Writs Act, opened the most consequential encryption fight of the decade.

www.csoonline.com

2. Tim Cook publishes a public letter refusing the FBI demand

Apple chief executive Tim Cook posted an open letter to customers calling the order an unprecedented step that threatened the security of every iPhone user. He warned that building the requested tool would amount to a master key capable of unlocking millions of devices.

9to5mac.com

3. Brooklyn judge strikes down a separate order to unlock an iPhone

Magistrate Judge James Orenstein ruled on 29 February that the government could not use the All Writs Act to force Apple to extract data from an iPhone in a New York drug case. He found that Congress had considered and rejected legislation that would have granted such power.

www.macworld.com

4. Bill Gates wades into the Apple and FBI encryption dispute

The Microsoft founder suggested the government was asking for access in one specific case rather than a general backdoor, drawing wide criticism. He later said the comments did not capture his full view and that courts and Congress should find the right balance.

money.cnn.com

5. Apple supporters rally outside stores across the United States

Demonstrators gathered at Apple shops and FBI offices in dozens of cities to oppose the order to weaken iPhone security. The protests, organised quickly through online networks, turned a courtroom argument into a public privacy campaign.

www.cultofmac.com

6. Spy chief admits the Internet of Things could be used for surveillance

Director of National Intelligence James Clapper told the Senate Armed Services Committee, in his annual worldwide threat assessment, that intelligence services might in future use connected home devices for identification, surveillance, monitoring and location tracking. The admission confirmed that smart televisions, locks and other gadgets could become tools for state surveillance.

techcrunch.com

7. Los Angeles hospital pays a ransom to recover its systems

Hollywood Presbyterian Medical Center paid attackers 40 bitcoin, around 17,000 dollars at the time, after ransomware locked its files and forced staff back onto paper records for more than a week. The case showed how readily criminals could hold critical health infrastructure hostage.

www.npr.org

8. IRS reveals the Get Transcript breach was far larger than first thought

A nine month investigation found that thieves may have stolen tax records from as many as 724,000 taxpayer accounts, more than double the earlier estimate. Attackers used personal data gathered elsewhere to answer the identity questions guarding the online service.

www.cbsnews.com

9. Hacker dumps personal details of thousands of DHS and FBI staff

Investigators probed the online release of names, job titles, email addresses and phone numbers for thousands of Homeland Security employees, with FBI records said to follow. The intruder reportedly hijacked a Justice Department email account and talked their way into an internal portal.

www.nbcnews.com

10. Linux Mint website hacked and ISOs swapped for backdoored builds

Attackers compromised the Linux Mint website on 20 February, getting in through its WordPress installation, and altered the download page so that it pointed to a modified ISO, hosted on a server they controlled, that carried the Tsunami IRC backdoor. The same intrusion yielded the project's forum database, exposing around 145,000 email addresses and hashed passwords.

thehackernews.com
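
The check a practitioner wants after an incident like this is to verify the image against a signed checksum list before writing it to a USB stick. The following is an added example, not code from the Linux Mint project: it hashes an image in chunks, as one would stream a multi-gigabyte ISO, and checks it against a list in the `sha256sum` text format. The image contents, the filename linuxmint-64bit.iso and the checksum list are constructed for the example.

```python
import hashlib
import re

# Constructed stand-ins for ISO images (a real image is read from disk, not built in memory).
GENUINE_ISO = b"constructed genuine image contents " * 4096
# Hypothetical backdoored build: same image with a payload spliced in near the end.
TAMPERED_ISO = GENUINE_ISO[:-64] + b"backdoor payload added by attacker" + GENUINE_ISO[-64:]


def sha256_of(data: bytes, chunk_size: int = 1 << 20) -> str:
    """Hash in fixed-size chunks so the whole image never has to sit in memory."""
    digest = hashlib.sha256()
    view = memoryview(data)
    for offset in range(0, len(view), chunk_size):
        digest.update(view[offset:offset + chunk_size])
    return digest.hexdigest()


# One entry per line in the `sha256sum` output format: "<64 hex chars>  <filename>".
# A leading '*' on the filename marks binary mode and carries no meaning here.
_SUMS_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S.*)$")


def parse_sums(sums_text: str) -> dict:
    """Map filename -> expected hex digest; reject anything that is not a checksum line."""
    sums = {}
    for raw in sums_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _SUMS_LINE.match(line)
        if match is None:
            raise ValueError(f"malformed checksum line: {line!r}")
        sums[match.group(2)] = match.group(1).lower()
    return sums


def verify_iso(data: bytes, filename: str, sums_text: str) -> str:
    """Return 'ok', 'mismatch' or 'unlisted'. Only 'ok' means the image may be used."""
    expected = parse_sums(sums_text).get(filename)
    if expected is None:
        return "unlisted"
    return "ok" if sha256_of(data) == expected else "mismatch"


# Constructed checksum file. In practice this text is the project's sha256sum.txt,
# used only after its detached GPG signature has been verified with a key obtained
# from somewhere other than the (possibly compromised) download site.
PUBLISHED_SUMS = f"{sha256_of(GENUINE_ISO)}  linuxmint-64bit.iso\n"


if __name__ == "__main__":
    for label, image in (("genuine", GENUINE_ISO), ("tampered", TAMPERED_ISO)):
        print(label, verify_iso(image, "linuxmint-64bit.iso", PUBLISHED_SUMS))
```

A checksum list served by the same website as the image can be swapped together with the image, so the list is only worth checking once its detached GPG signature has been verified with a key fetched through another channel; the script leaves that step to gpg. Only `ok` should lead to the image being used; `unlisted` usually means a renamed or unofficial download and deserves the same suspicion as a mismatch.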

11. Snapchat payroll data leaks after a phishing scam

A criminal impersonating chief executive Evan Spiegel tricked a payroll employee into emailing staff records, including salaries, bank details and social security numbers. The company reported the incident to the FBI and offered affected workers two years of identity protection.

techcrunch.com

12. ASUS settles FTC charges over insecure home routers

The Federal Trade Commission announced a settlement requiring ASUS to fix security failures that left routers and cloud storage open to attackers. The company agreed to twenty years of independent audits and to notify customers directly about security updates.

www.ftc.gov

13. Critical glibc flaw leaves countless Linux systems exposed

Google and Red Hat researchers disclosed CVE-2015-7547, a stack-based buffer overflow in the glibc getaddrinfo function: a crafted DNS reply larger than 2048 bytes could overrun a stack buffer and potentially execute code on the querying host. The bug had been present since glibc 2.9 in 2008 and was fixed in 2.23, and because almost every Linux server and workstation relies on glibc, administrators raced to patch. Updating the library is not the end of it: long-running processes keep the old code until they are restarted, and statically linked binaries until they are rebuilt.

www.isc.org

14. EU and US release the text of the Privacy Shield deal

The European Commission and the US Department of Commerce published the legal texts of the Privacy Shield, the replacement for the struck down Safe Harbour arrangement. Critics immediately questioned whether the framework would shield Europeans from bulk American surveillance.

europa.eu

15. MPs criticise the draft Investigatory Powers Bill

A parliamentary committee warned that the draft surveillance bill, known as the Snoopers' Charter, was vaguely worded and did too little to protect ordinary citizens. The report urged the government to add a dedicated section setting out privacy safeguards.

www.ibtimes.co.uk

16. Comodo Chromodo browser found to disable a core web security protection

Google researcher Tavis Ormandy revealed that the Chromodo browser bundled with Comodo Internet Security switched off the same-origin policy by default. With that safeguard gone, a malicious website could read data from any other site a victim had open, exposing logins and personal records.

threatpost.com

17. Survey finds encryption products thrive far beyond US borders

Bruce Schneier and colleagues catalogued 865 encryption products from 55 countries, two thirds of them made outside the United States. The findings undercut the argument that mandating backdoors in American software could stop determined users.

www.schneier.com

18. UK tribunal rules GCHQ hacking is lawful

The Investigatory Powers Tribunal held that GCHQ may hack computers and phones inside and outside Britain using broad thematic warrants. Privacy International, which brought the case, condemned the decision as a green light for mass equipment interference.

privacyinternational.org

19. Superfish settles the Lenovo adware privacy lawsuit

Superfish agreed to pay one million dollars to settle a class action over its VisualDiscovery software, which was bundled on Lenovo laptops. The program injected ads into HTTPS pages by installing its own root certificate on the machine and intercepting encrypted connections, and because every affected laptop carried the same private key, anyone who extracted it could impersonate any secure site to those users.

www.mediapost.com

20. Insecure Nissan Leaf app lets strangers track owners and control the car

Researcher Troy Hunt disclosed that the NissanConnect EV app talked to APIs that identified a car by nothing more than its vehicle identification number, which is visible through the windscreen of every car, so anyone who knew or guessed a VIN could pull a driver's journey logs and turn the climate control on or off. Nissan disabled the app once the flaw became public, a month after Hunt had reported it, having exposed dates, times and distances of owners' trips.

www.helpnetsecurity.com
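
The flaw is a textbook authorization failure: the VIN acts as both identifier and credential. The following is an added example, not Nissan's code or API: a minimal request handler in the vulnerable form, beside a hardened form that first authenticates the caller with a bearer token and then checks that the vehicle belongs to that account. The vehicles, tokens, endpoint names and parameter names are constructed for the example.

```python
import hashlib

# Constructed fixtures (not Nissan's data, endpoints or API).
VEHICLES = {
    "VIN00000000000001": {"owner": "alice", "climate_on": False,
                          "trips": [("2016-02-01 08:02", 12.4), ("2016-02-03 17:45", 5.1)]},
    "VIN00000000000002": {"owner": "bob", "climate_on": False,
                          "trips": [("2016-02-02 09:30", 40.0)]},
}


def _token_id(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


# Server-side session store keyed by a hash of the bearer token, so a leaked store
# does not hand out usable tokens. The tokens are constructed; real ones come from login.
SESSIONS = {_token_id("tok-alice"): "alice", _token_id("tok-bob"): "bob"}


# --- Vulnerable pattern: the VIN is the only "credential" -----------------------
def vulnerable_trips(params: dict) -> dict:
    car = VEHICLES.get(params.get("vin", ""))
    if car is None:
        return {"status": 404}
    return {"status": 200, "trips": car["trips"]}        # anyone with a VIN gets the log


def vulnerable_climate(params: dict) -> dict:
    car = VEHICLES.get(params.get("vin", ""))
    if car is None:
        return {"status": 404}
    car["climate_on"] = params.get("on") == "1"          # anyone with a VIN changes state
    return {"status": 200, "climate_on": car["climate_on"]}


# --- Hardened pattern: authenticate the caller, then check ownership ------------
class ApiError(Exception):
    def __init__(self, status: int):
        super().__init__(status)
        self.status = status


def authenticate(headers: dict) -> str:
    """Map an 'Authorization: Bearer <token>' header to an account, or fail with 401."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    user = SESSIONS.get(_token_id(token)) if scheme == "Bearer" and token else None
    if user is None:
        raise ApiError(401)
    return user


def authorize_vehicle(user: str, vin: str) -> dict:
    """Return the vehicle only if it belongs to the authenticated account."""
    car = VEHICLES.get(vin)
    # Same response for "no such VIN" and "not your VIN", so the endpoint cannot be
    # used to enumerate which VINs are enrolled.
    if car is None or car["owner"] != user:
        raise ApiError(404)
    return car


def _guarded(handler):
    def wrapper(headers: dict, params: dict) -> dict:
        try:
            return handler(headers, params)
        except ApiError as err:
            return {"status": err.status}
    return wrapper


@_guarded
def hardened_trips(headers: dict, params: dict) -> dict:
    user = authenticate(headers)
    car = authorize_vehicle(user, params.get("vin", ""))
    return {"status": 200, "trips": car["trips"]}


@_guarded
def hardened_climate(headers: dict, params: dict) -> dict:
    user = authenticate(headers)
    car = authorize_vehicle(user, params.get("vin", ""))
    car["climate_on"] = params.get("on") == "1"
    return {"status": 200, "climate_on": car["climate_on"]}


if __name__ == "__main__":
    vin = "VIN00000000000001"
    print("vulnerable, no credentials:", vulnerable_trips({"vin": vin}))
    print("hardened, no credentials:  ", hardened_trips({}, {"vin": vin}))
    print("hardened, wrong account:   ", hardened_trips({"Authorization": "Bearer tok-bob"}, {"vin": vin}))
    print("hardened, owner:           ", hardened_trips({"Authorization": "Bearer tok-alice"}, {"vin": vin}))
```

The hardened handlers return the same 404 for a VIN that does not exist and for one that belongs to another account, so the endpoint cannot be used to enumerate enrolled VINs; that matters because VINs for one model and year differ in only a few characters and are easy to guess.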


Enjoyed this post?

Well, you could share the post with others, follow me with RSS Feeds and/or send me a comment via email.

