Privacy Roundup #0121 • August 2016
August 2016 was dominated by the Shadow Brokers dumping NSA hacking tools, a wave of point-of-sale and forum breaches, and fresh worries about state surveillance, from Pegasus spyware to hacked voter rolls.
1. Shadow Brokers auction off claimed NSA spy tools
A group calling itself the Shadow Brokers published a cache of exploits and implants it said it had stolen from the Equation Group, widely linked to the National Security Agency. The group released about 40 per cent of the haul as proof and demanded a million bitcoin for the rest.
2. Cisco and Fortinet confirm leaked firewall flaws are real
Cisco and Fortinet examined the Shadow Brokers dump and confirmed that vulnerabilities in their firewall products were genuine and exploitable. The disclosure forced both vendors to warn customers and issue fixes for bugs that had lurked for years.
3. WhatsApp begins sharing user data with Facebook
WhatsApp changed its privacy policy to pass phone numbers and usage data to its parent company Facebook for advertising and friend suggestions. The Electronic Frontier Foundation warned that the opt-out was buried and that new accounts could not refuse the sharing at all.
4. Pegasus iPhone spyware caught targeting a UAE activist
Citizen Lab revealed that human rights defender Ahmed Mansoor had been targeted with three iPhone zero-day exploits that installed NSO Group's Pegasus spyware. Apple rushed out a patch after the researchers disclosed the chain of vulnerabilities.
5. Project Sauron espionage platform exposed after five years
Kaspersky Lab and Symantec disclosed a stealthy state-grade malware platform, dubbed Project Sauron or Strider, that had spied on government and military networks since 2011. The malware used unique modules for each target and could even reach computers cut off from the internet.
6. Dropbox breach of 68 million accounts comes to light
A 2012 intrusion at Dropbox resurfaced when a database of about 68 million email addresses and hashed passwords began circulating online. Dropbox forced password resets for users who had not changed their credentials since the original hack.
7. Sage breach exposed UK firms through an internal login
The accounting software firm Sage warned customers that an unauthorised internal login may have exposed the personal and bank details of staff at nearly 300 UK businesses. Police later arrested an employee, underscoring the danger of insider threats.
8. Oracle's MICROS point-of-sale division breached
Brian Krebs reported that hackers tied to the Russian Carbanak gang had compromised Oracle's MICROS support portal, used by hundreds of thousands of cash registers worldwide. Stolen support credentials could have let attackers push card-stealing malware onto customer terminals.
9. Australian census site collapses on census night
The Australian Bureau of Statistics took its online census offline after several denial-of-service attacks and a hardware failure on the evening of 9 August. The outage followed months of public anxiety over the agency's decision to retain names and addresses for four years.
10. Epic Games forums hacked for 800,000 accounts
Attackers exploited an outdated version of vBulletin to steal usernames, email addresses and birth dates from more than 800,000 Epic Games and Unreal Engine forum accounts. The flaw allowed SQL injection against forums that had not been kept up to date.
11. Opera resets passwords after sync server breach
Opera forced a password reset for roughly 1.7 million users after detecting that its browser sync servers had been breached. The company warned that account passwords and stored third-party credentials might have been exposed.
12. Malware infected every Eddie Bauer store in North America
The retailer Eddie Bauer admitted that point-of-sale malware had captured payment card data at all of its 350-plus stores in the United States and Canada for the first half of 2016. The breach was part of a wider campaign hitting restaurants, hotels and shops.
13. HEI Hotels discloses card breach at 20 properties
HEI Hotels and Resorts told customers that point-of-sale malware had skimmed payment cards at 20 hotels it runs under brands such as Marriott, Hilton and Starwood. The intrusions stretched back to 2015 and captured names, card numbers and expiry dates.
14. QuadRooter flaws put 900 million Android devices at risk
Check Point disclosed four vulnerabilities in Qualcomm chipset drivers that could let a malicious app gain root access on around 900 million Android phones and tablets. An attacker exploiting the bugs could log keystrokes, track location and record audio and video.
15. St Jude cardiac devices called dangerously insecure
The firm MedSec and short seller Muddy Waters published claims that St Jude Medical's connected pacemakers and defibrillators lacked basic security. They warned that attackers could drain batteries or disrupt the devices, although some researchers questioned the findings.
16. Bitfinex loses about 120,000 bitcoin to hackers
The cryptocurrency exchange Bitfinex was drained of roughly 120,000 bitcoin, worth around 72 million dollars at the time, in a matter of hours. The theft hit accounts that the exchange managed jointly with BitGo and sent the bitcoin price tumbling.
17. Iranian hackers compromise Telegram and expose 15 million users
A group called Rocket Kitten broke into more than a dozen Telegram accounts and identified the phone numbers of over 15 million Iranian users. The attackers intercepted the SMS codes Telegram used to activate new devices, exposing activists and journalists.
18. EFF accuses Windows 10 of trampling user choice
The Electronic Frontier Foundation published a deep dive arguing that Microsoft had ignored user consent in pushing Windows 10 and collected large amounts of telemetry. It called on Microsoft to offer real opt-outs and to stop bundling upgrades with security patches.
19. Baltimore police caught secretly spying from the air
A Bloomberg investigation revealed that Baltimore police had been quietly flying surveillance aircraft over the city for hours a day, recording residents below. The programme was financed by a private donor and run without informing the public or city officials.
20. FBI confirms hackers breached state voter databases
The FBI warned that intruders had targeted voter registration systems in Illinois and Arizona, downloading data on as many as 200,000 voters in one case. The breaches raised alarm about the security of election infrastructure ahead of the November vote.