Privacy Roundup #0125 • December 2016
December 2016 closed the year with record breaches, a landmark European ruling against mass data retention and fresh state-sponsored hacking that pushed surveillance and security to the centre of the privacy debate.
1. Yahoo discloses breach of one billion more accounts
Yahoo revealed on 14 December that a separate 2013 intrusion had exposed data from more than one billion accounts, the largest breach disclosed up to that point. Names, email addresses, telephone numbers, dates of birth, MD5-hashed passwords and, in some cases, security questions and answers were taken, deepening the company's troubles as it negotiated its sale to Verizon.
2. European court rules mass data retention unlawful
On 21 December the Court of Justice of the European Union held in the Tele2 and Watson cases that general and indiscriminate retention of communications data breaches EU law. The judgment cast doubt over Britain's newly passed Investigatory Powers Act and other national surveillance regimes.
3. Expanded Rule 41 hacking powers take effect
Amendments to Rule 41 of the Federal Rules of Criminal Procedure came into force on 1 December, letting a magistrate judge authorise remote searches of computers whose location has been concealed through technological means, or that are part of a botnet investigation spanning five or more judicial districts. The Electronic Frontier Foundation warned that the change handed the government sweeping hacking authority without proper congressional debate.
4. Police dismantle the Avalanche crime network
On 1 December an international operation took down Avalanche, a platform that had distributed malware and laundered money since 2009. Investigators seized or blocked more than 800,000 domains in what Europol called the largest ever use of sinkholing against botnet infrastructure.
5. Methbot fraud siphons millions from advertisers
Researchers at White Ops described Methbot, a Russian operation that faked up to 300 million video advertisement views each day from a network of dedicated servers. The scheme generated between three and five million dollars daily by tricking advertisers into paying for views no human ever saw.
6. Operation Tarpit targets buyers of attack-for-hire services
Between 5 and 9 December police in thirteen countries arrested 34 people and interviewed and cautioned 101 others, all customers of stresser and booter services; Europol announced the results on 12 December. The action sought to deter the everyday users who rent denial-of-service tools to knock websites offline.
7. Evernote retreats on plan to let staff read notes
Evernote announced a policy change that would have allowed some employees to read user notes to test its machine learning, prompting an immediate backlash. Within days the company reversed course and made the access opt-in, with its chief executive admitting it had messed up.
8. United States sanctions Russia over election hacking
On 29 December President Obama expelled thirty-five Russian officials and imposed sanctions on intelligence agencies blamed for hacking Democratic Party systems during the campaign. The move named the GRU and FSB and shut two Russian compounds used for intelligence work.
9. US-CERT warns users to stop using vulnerable Netgear routers
A command injection flaw in several Netgear router models, reported to the vendor roughly three months earlier without a fix, was publicly disclosed on 9 December. CERT/CC's vulnerability note rated it 9.3 out of 10 and US-CERT advised owners to stop using affected devices until a fix arrived: the router's web interface executed shell commands embedded in a request URL, so a single malicious web page visited from inside the LAN could make the browser issue that request and gain root on the device without the user noticing.
10. Holiday Inn parent IHG investigates card breach
On 28 December banks reported fraud patterns pointing to a payment card breach across InterContinental Hotels Group properties. The malware harvested card data at front desks of Holiday Inn and Holiday Inn Express franchises, an incident that later proved far wider than first thought.
11. Hackers knock out part of Ukraine's power grid
On 17 December attackers cut power at a transmission substation north of Kiev, the second winter strike on Ukraine's electricity network. Researchers later linked the attack to tailor-made malware built to manipulate industrial control systems, raising fears for critical infrastructure elsewhere.
12. PayAsUGym breach exposes hundreds of thousands of accounts
On 17 December the fitness booking service PayAsUGym confirmed that an attacker had accessed one of its servers and taken customer email addresses and passwords. The company said no payment card details were stored on the breached server but urged users to change their passwords.
13. ThyssenKrupp reveals theft of industrial secrets
On 9 December the German steel and engineering group disclosed that professional attackers had stolen technical know-how and research from several of its divisions. The company said the intruders did not disrupt production but did make off with intellectual property in a case of industrial espionage.
→ www.infosecurity-magazine.com
14. Stegano exploit kit hides malware in advertising pixels
ESET disclosed on 6 December a stealthy campaign that buried malicious code in the alpha channel of PNG banner advertisements served on popular news sites, altering pixel transparency so slightly that the tainted image was visually indistinguishable from the clean one. More than a million readers were exposed to the Stegano kit, which targeted Internet Explorer users, checked for security tools and vulnerable Flash versions before exploiting them, and dropped banking trojans such as Ursnif and Ramnit.
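As an added illustration of the technique class ESET described (not ESET's analysis code and not the Stegano kit's own encoding), the block below hides a payload in the least-significant bit of each pixel's alpha value and recovers it, working on the flat RGBA byte array a browser canvas exposes as ImageData.data. The carrier image, the payload and the framing (a 16-bit length prefix, one bit per pixel) are assumptions constructed for the example. The practitioner's point is the last check: the colour bytes are untouched and no alpha byte moves by more than one, which is why such an ad looks identical to the clean creative.

```javascript
// Added example (not ESET's code and not the Stegano kit's actual encoding):
// hide and recover a payload in the least-significant bit of each pixel's
// alpha value, using the flat RGBA byte layout a browser canvas exposes as
// ImageData.data. The carrier buffer and payload are constructed below.

function bytesToBits(bytes) {
  const bits = [];
  for (const b of bytes) {
    for (let i = 7; i >= 0; i--) bits.push((b >> i) & 1);
  }
  return bits;
}

function bitsToBytes(bits) {
  const out = [];
  for (let i = 0; i + 8 <= bits.length; i += 8) {
    let v = 0;
    for (let j = 0; j < 8; j++) v = (v << 1) | bits[i + j];
    out.push(v);
  }
  return out;
}

// Return a copy of rgba with the payload written into alpha LSBs.
// Framing (an assumption for this example): 16-bit big-endian length,
// then the payload bytes; one bit per pixel.
function embedInAlpha(rgba, payload) {
  if (payload.length > 0xffff) throw new Error("payload exceeds 16-bit length prefix");
  const framed = [payload.length >> 8, payload.length & 0xff, ...payload];
  const bits = bytesToBits(framed);
  const pixels = rgba.length / 4;
  if (bits.length > pixels) throw new Error(`need ${bits.length} pixels, have ${pixels}`);
  const out = Uint8ClampedArray.from(rgba);
  bits.forEach((bit, i) => {
    const a = 4 * i + 3;             // alpha byte of pixel i
    out[a] = (out[a] & 0xfe) | bit;  // RGB bytes are never touched
  });
  return out;
}

// Read the framed payload back out of the alpha LSBs.
function extractFromAlpha(rgba) {
  const pixels = rgba.length / 4;
  const lsb = (i) => rgba[4 * i + 3] & 1;
  if (pixels < 16) throw new Error("image too small to hold a length prefix");
  const header = [];
  for (let i = 0; i < 16; i++) header.push(lsb(i));
  const [hi, lo] = bitsToBytes(header);
  const len = (hi << 8) | lo;
  const needed = 16 + len * 8;
  if (needed > pixels) throw new Error("declared length exceeds image capacity");
  const bits = [];
  for (let i = 16; i < needed; i++) bits.push(lsb(i));
  return Uint8Array.from(bitsToBytes(bits));
}

// Largest per-byte difference between carrier and stego image: shows how
// little changes (at most 1 in alpha, 0 in the colour channels).
function maxByteDelta(a, b) {
  let max = 0;
  for (let i = 0; i < a.length; i++) max = Math.max(max, Math.abs(a[i] - b[i]));
  return max;
}

// Constructed carrier: width x height pixels, mid-grey and fully opaque.
function makeCarrier(width = 32, height = 32) {
  const rgba = new Uint8ClampedArray(width * height * 4);
  for (let i = 0; i < rgba.length; i += 4) {
    rgba[i] = 128; rgba[i + 1] = 128; rgba[i + 2] = 128; rgba[i + 3] = 255;
  }
  return rgba;
}

function demo() {
  const carrier = makeCarrier();
  const payload = new TextEncoder().encode("constructed sample payload");
  const stego = embedInAlpha(carrier, payload);
  const recovered = new TextDecoder().decode(extractFromAlpha(stego));
  return { recovered, delta: maxByteDelta(carrier, stego) };
}

console.log(demo());
```

In a real page the extraction side would run in the ad's own JavaScript after drawing the image to a canvas and reading ImageData.data; the defensive lesson is that neither a visual review nor a comparison of the colour channels alone distinguishes the two creatives, so ad-verification tooling has to inspect the alpha plane or the script that reads it.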
15. Privacy groups file complaint over spying toys
On 6 December consumer and privacy groups, including EPIC, asked the Federal Trade Commission to investigate the My Friend Cayla doll and the I-Que robot. They alleged that the connected toys recorded children's conversations and shared the data without proper consent, in breach of children's privacy law.
16. Popcorn Time ransomware asks victims to infect friends
Researchers found a ransomware strain in December that offered victims a free decryption key if they infected two other people who then paid. The scheme turned the hacked into accomplices and showed how extortion tactics were growing more manipulative.
17. Uber begins tracking riders after their trips end
From 1 December Uber's updated app collected location data from the moment a ride was requested until five minutes after it ended, even with the app running in the background. The update removed the option to share location only while using the app, leaving passengers to choose between "Always" and "Never", and drew criticism over needless surveillance of riders.
18. Twitter cuts off Dataminr access for surveillance hubs
On 15 December Twitter told Dataminr to stop supplying its alerts to the seventy-seven state fusion centres after pressure from civil liberties groups. The decision followed evidence that police had used the tool for keyword and location-based monitoring of protests and journalists.
19. ESEA gaming network breached after extortion attempt
The E-Sports Entertainment Association confirmed in late December that around 1.5 million player records had been leaked after it refused to pay a ransom. The exposed data included names, email addresses, telephone numbers, dates of birth and gaming platform identifiers.
20. Tordow Android trojan roots phones to steal data
On 15 December researchers detailed version two of the Tordow trojan, which gained root access on Android devices to plunder contacts, photos and browser credentials. Spread through repackaged popular apps on third-party stores, it was so deeply embedded that removal often meant reinstalling the operating system.