Privacy Roundup #0128 • March 2017
March 2017 was dominated by the WikiLeaks Vault 7 disclosures and a Congressional vote to scrap broadband privacy rules, alongside a run of leaky databases and connected devices that spilled personal data.
1. WikiLeaks publishes Vault 7 "Year Zero" CIA hacking files
WikiLeaks released thousands of documents describing CIA tools for breaking into phones, computers and smart televisions. The trove, the largest publication of confidential CIA material to date, detailed malware, zero-day exploits and remote control systems.
2. Vault 7 "Dark Matter" details CIA attacks on Apple firmware
The second Vault 7 release set out CIA techniques for gaining persistence on Mac computers and iPhones through firmware implants. It described tools that could infect factory-fresh iPhones and survive an operating system reinstall.
3. Vault 7 "Marble" exposes CIA anti-forensic obfuscation
WikiLeaks published 676 source code files for the CIA's Marble Framework, used to scramble malware and frustrate attribution. The code could insert foreign-language strings into samples to push investigators towards the wrong country.
4. Senate votes to repeal the FCC broadband privacy rules
The United States Senate voted 50 to 48 to overturn the FCC rules that would have required internet providers to obtain consent before selling browsing histories. The measure used the Congressional Review Act, which also bars the agency from making substantially similar rules in future.
5. EFF publishes its guide to digital privacy at the US border
The Electronic Frontier Foundation released a whitepaper on protecting data on devices when crossing the United States border. It noted that electronic media searches at the border had risen fivefold in a single year, from 4,764 in 2015 to 23,877 in 2016.
6. River City Media spam operation leaks 1.4 billion records
A misconfigured backup at spam outfit River City Media exposed close to 1.4 billion records, including email and IP addresses, names and physical addresses. Researcher Chris Vickery found the unsecured store, which was tied to one of the world's largest spam networks.
7. CloudPets breach prompts a US Senate inquiry
After the connected CloudPets toys exposed 800,000 credentials and two million children's voice recordings, Senator Bill Nelson wrote to maker Spiral Toys demanding answers. The letter questioned the company's security practices and its compliance with children's privacy law.
8. Check Point discloses WhatsApp and Telegram account takeover flaw
Researchers revealed a vulnerability in the web clients of WhatsApp and Telegram that let an attacker seize an account using a booby-trapped image. End-to-end encryption left the services blind to the malicious payload until both firms shipped fixes.
9. Hijacked Twitter Counter app floods accounts with Nazi messages
Attackers abused the third-party analytics service Twitter Counter to post swastikas and "Nazi Germany" messages from hundreds of prominent accounts. Forbes, Amnesty International, the UK Department of Health and Justin Bieber's Japanese account were among those affected.
10. McDonald's India app leaks data on 2.2 million users
An unprotected API in the McDelivery app exposed names, email addresses, phone numbers and home coordinates for about 2.2 million customers. Researchers at Fallible found that sequential customer IDs let anyone enumerate the records.
11. Saks Fifth Avenue exposes customer details in plain text
Tens of thousands of Saks Fifth Avenue waitlist records sat on publicly accessible pages with no encryption. The exposed data included email addresses, phone numbers and product codes, and the pages were pulled offline once the retailer was contacted.
12. Hackers threaten to wipe millions of iCloud accounts
A group calling itself the Turkish Crime Family demanded a ransom from Apple, threatening to factory reset hundreds of millions of iCloud accounts. Apple refused to pay and said any valid credentials had not come from a breach of its systems.
13. Google moves to distrust Symantec TLS certificates
Google announced that Chrome would gradually stop trusting certificates issued by Symantec after finding more than 30,000 questionable issuances. The phased plan required affected sites to obtain new certificates, and Symantec disputed the charge.
14. GAO report criticises the FBI face recognition system
At a House Oversight hearing, the Government Accountability Office reported that the FBI had not published a required privacy assessment or tested its face recognition system for accuracy. The bureau's database held photos covering roughly half of all American adults.
15. Slack patches token theft bug that exposed accounts
Detectify researcher Frans Rosen found a flaw that let a malicious web page steal a user's Slack token and take over the account. Slack responded within the hour and shipped a fix five hours after the report, saying no accounts had been compromised.
16. Verizon plans to preinstall AppFlash tracking software
Days after the privacy rules vote, Verizon began loading AppFlash onto an Android handset, software that could track which apps a customer had installed. The Electronic Frontier Foundation warned that the tool would feed targeted advertising based on sensitive app usage.
17. Amber Rudd calls encrypted messaging unacceptable
After the Westminster attack, Home Secretary Amber Rudd said it was completely unacceptable that security services could not read WhatsApp messages. She argued that technology firms should not offer encryption that the authorities cannot break in an emergency.
18. Dun & Bradstreet database leaks records on 33.6 million people
A 52GB marketing database tied to Dun & Bradstreet's NetProspex unit surfaced online, exposing contact details for roughly 33.7 million corporate and government employees. Researcher Troy Hunt confirmed the records held names, job titles, email addresses, phone numbers and employer details, with the Department of Defense the most heavily represented organisation.
19. Apple says many Vault 7 exploits were already patched
Responding to the CIA disclosures, Apple said an initial assessment showed the leaked iPhone and Mac vulnerabilities were years old and long since fixed. The company pointed out that one purported exploit affected only the iPhone 3G, a device patched back in 2009.
20. Trump signs the repeal of the broadband privacy rules
President Trump signed the joint resolution scrapping the FCC privacy protections into law. The Electronic Frontier Foundation warned that providers such as Comcast, AT&T and Verizon could now sell browsing histories and other sensitive data to marketers.