Privacy Roundup #0122 • September 2016

September 2016 was dominated by record breaches and record attacks, as Yahoo admitted to history's largest hack while a botnet of insecure cameras drove the biggest assaults the internet had then seen.

1. Yahoo admits a 2014 breach exposed at least 500 million accounts

Yahoo confirmed that hackers had stolen names, email addresses, phone numbers, birth dates and security questions from more than 500 million accounts in late 2014. It was the largest breach disclosed up to that point, and the company blamed a state-sponsored actor.

money.cnn.com

2. A record DDoS attack knocks KrebsOnSecurity offline

Security journalist Brian Krebs saw his site pounded by traffic that peaked above 620 gigabits per second, one of the largest assaults the internet had then witnessed. The flood came from a botnet of hacked routers, cameras and video recorders later identified as Mirai.

www.vice.com

3. French host OVH is hit by an attack exceeding 1 terabit per second

Days after the Krebs attack, the hosting provider OVH reported assaults that broke the terabit barrier and may have reached 1.5 terabits per second. The traffic came from roughly 150,000 compromised cameras and video recorders, underlining the danger of insecure connected devices.

thehackernews.com

4. Alleged operators of the vDOS attack service are arrested in Israel

After KrebsOnSecurity exposed the hacking of vDOS, a service that had powered more than two million denial-of-service attacks, two 18-year-old Israelis were detained within hours. The pair were placed under house arrest and barred from the internet while police investigated.

krebsonsecurity.com

5. Hamburg orders Facebook to stop harvesting WhatsApp data

Germany's Hamburg data protection authority ordered Facebook to halt the collection of data on the country's 35 million WhatsApp users and to delete what it already held. The regulator found that the August policy change lacked valid consent and swept up the contact details of people who had never joined either service.

techcrunch.com

6. Rights groups launch a campaign to pardon Edward Snowden

The ACLU, Amnesty International and Human Rights Watch launched a public petition urging President Obama to pardon the whistleblower. The campaign drew support from figures including Steve Wozniak and Daniel Ellsberg, and it coincided with the release of Oliver Stone's film about Snowden.

www.aclu.org

7. House Intelligence Committee brands Snowden no whistleblower

The committee released a three-page unclassified summary of a two-year investigation, accusing Snowden of stealing 1.5 million documents and causing grave harm to national security. Every member of the panel signed a letter urging the president not to grant a pardon.

intelligence.house.gov

8. EFF tells a court the government must reveal when it reads your email

In a brief supporting Microsoft, the Electronic Frontier Foundation argued that the government violates the Constitution when it serves cloud providers with warrants but never tells the affected users. The filing said Fourth Amendment protections apply to data no matter its format or where it is stored.

www.eff.org

9. Congressional report slams OPM over its catastrophic breach

A 241-page House Oversight report chronicled how the Office of Personnel Management let attackers loot sensitive records and fingerprints on more than 21 million people. Investigators blamed a cascade of failures, from missing two-factor authentication to outdated technology and leadership missteps.

krebsonsecurity.com

10. Colin Powell's private emails are stolen and published by DCLeaks

Two years of the former secretary of state's personal correspondence appeared on DCLeaks, a site later tied to Russian intelligence. The messages, which Powell confirmed as genuine, contained candid remarks about both presidential candidates and exposed his private address book.

dailycaller.com

11. Researchers find iOS 10 local backups far easier to crack

Elcomsoft discovered that Apple had added a weaker password check to local iTunes backups in iOS 10, letting attackers try passwords roughly 2,500 times faster than before. Apple acknowledged the flaw and promised a fix, while noting that iCloud backups were not affected.

blog.elcomsoft.com

12. St. Jude Medical sues researchers over pacemaker hacking claims

The device maker filed a defamation suit against MedSec and short seller Muddy Waters, who had alleged its cardiac implants were dangerously insecure. The case put a spotlight on how security flaws in medical devices should be disclosed, and regulators later confirmed that vulnerabilities did exist.

www.theregister.com

13. Two men are charged over the Crackas With Attitude hacks of officials

Federal prosecutors arrested two North Carolina men accused of belonging to a group that broke into the personal accounts of senior security officials, including CIA director John Brennan. The conspiracy relied on social engineering rather than sophisticated tools, and other members in Britain remained under investigation.

fedscoop.com

14. Snowden warns the public not to use Google's new Allo app

Google launched Allo without end-to-end encryption switched on by default and confirmed it would store chat logs until users deleted them, reversing an earlier promise. Edward Snowden urged people to avoid the app, warning that its records could be handed to police on request.

fortune.com

15. Digital Rights Ireland files the first challenge to the Privacy Shield

On 16 September the advocacy group lodged an action with the EU General Court to annul the new transatlantic data transfer framework, arguing it failed to protect Europeans just as the defunct Safe Harbour had. The challenge came only weeks after the European Commission adopted the deal.

insideprivacy.com

16. A 2012 Last.fm breach surfaces, exposing 43 million accounts

Stolen records from the music site finally appeared online, revealing usernames, email addresses and passwords protected only by weak MD5 hashing. Researchers cracked more than 96 percent of the passwords within hours, putting anyone who had reused them at risk.

www.csoonline.com

17. Russia's Rambler portal is revealed to have lost nearly 100 million accounts

Details of a 2012 attack on Rambler emerged showing that close to 100 million usernames, email addresses and passwords had been taken. Compounding the harm, the company had stored those passwords in plain text rather than hashing them.

www.securityweek.com

18. Guccifer 2.0 dumps more stolen Democratic National Committee files

A representative of the persona appeared remotely at a London security conference and released hundreds of megabytes of internal DNC material. The trove exposed donor analysis and personal details, and it formed part of an operation later attributed to Russian intelligence.

www.nbcnews.com

19. A forum breach exposes nearly 800,000 Brazzers users

Login details for almost 800,000 accounts on the adult site's forum surfaced after a 2012 attack that exploited a vBulletin flaw. The leaked records held email addresses, usernames and passwords stored in plain text, exposing both identities and private posts.
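The Last.fm, Rambler and Brazzers items above all come down to how passwords were stored: fast unsalted MD5 in one case, plain text in the other two. The following Python is added here as an illustration and is not code from any of those sites or from the linked reports. It contrasts unsalted MD5 with a salted, iterated PBKDF2-HMAC-SHA256 hash and shows, on a constructed set of users, why a single guess against an unsalted table unlocks every account that reused the password. The usernames, passwords and the iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample records (not real data): the same weak password reused
# by several users, as is typical in leaked credential sets.
SAMPLE_USERS = {
    "alice": "123456",
    "bob": "password",
    "carol": "123456",
    "dave": "letmein",
    "erin": "123456",
}

# Assumed work factor for PBKDF2-HMAC-SHA256; tune to your own latency budget.
PBKDF2_ITERATIONS = 600_000


def weak_md5(password: str) -> str:
    """Unsalted MD5: fast and deterministic, so equal passwords give equal hashes
    and precomputed tables or a short wordlist recover most of a dump quickly."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def strong_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256 stored as
    'pbkdf2$<iterations>$<salt hex>$<digest hex>' so the parameters travel
    with the record and can be raised later without breaking old entries."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${digest.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    """Recompute the PBKDF2 digest from the stored parameters and compare it
    in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def shared_hash_groups(hashes: Dict[str, str]) -> Dict[str, List[str]]:
    """Group usernames whose stored hash is identical. With unsalted MD5 every
    reused password collapses into one group, which is why one cracked hash
    compromises many accounts at once; with per-user salts the groups vanish."""
    groups: Dict[str, List[str]] = {}
    for user, h in hashes.items():
        groups.setdefault(h, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


def build_md5_table(users: Dict[str, str]) -> Dict[str, str]:
    """Store each user's password the way the Last.fm dump did."""
    return {user: weak_md5(pw) for user, pw in users.items()}


def build_pbkdf2_table(users: Dict[str, str], iterations: int = PBKDF2_ITERATIONS) -> Dict[str, str]:
    """Store each user's password with a unique salt and a slow hash."""
    return {user: strong_hash(pw, iterations=iterations) for user, pw in users.items()}


if __name__ == "__main__":
    md5_table = build_md5_table(SAMPLE_USERS)
    print("unsalted MD5 groups sharing a hash:", shared_hash_groups(md5_table))
    pbkdf2_table = build_pbkdf2_table(SAMPLE_USERS)
    print("PBKDF2 groups sharing a hash:", shared_hash_groups(pbkdf2_table))
    print("alice verifies:", verify_strong("123456", pbkdf2_table["alice"]))
```

The audit function `shared_hash_groups` is the one worth keeping: run it over any password table you inherit, and a large number of identical hashes is a strong sign the scheme is unsalted and needs migrating, which can be done lazily by re-hashing each password with `strong_hash` at the user's next successful login.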

www.helpnetsecurity.com

20. Google's Project Shield rescues KrebsOnSecurity after Akamai pulls support

When the record attack forced Akamai to drop its free protection, Brian Krebs' site went dark for several days. Google then took the site under Project Shield, a service designed to keep journalists and small news outlets online through such assaults.

www.theregister.com

