Privacy Roundup #0129 • April 2017

April 2017 was dominated by the repeal of America's broadband privacy rules, fresh leaks of government hacking tools and a steady drip of breaches and surveillance disclosures.

1. Trump signs repeal of the FCC broadband privacy rules

President Trump signed the joint congressional resolution scrapping the Federal Communications Commission rules that would have required internet providers to seek consent before selling browsing data. The signature cleared the way for firms such as Comcast, AT&T and Verizon to monetise sensitive customer information without opt-in permission.

www.washingtonpost.com

2. Documents reveal deep ties between the FBI and Best Buy Geek Squad informants

Court records showed that technicians at a Best Buy repair facility in Kentucky were paid by the FBI to search customer computers for illegal images and report findings. The arrangement raised concerns that warrantless searches were being outsourced to private staff acting as government agents.

www.washingtonpost.com

3. Government drops demand to unmask anti-Trump Twitter account

Customs and Border Protection withdrew a summons that had ordered Twitter to identify the people behind the @ALT_USCIS account, which criticised immigration policy, after Twitter sued to block it. The agency backed down within a day, and Twitter promptly dropped its lawsuit.

www.eff.org

4. IRS data retrieval tool breach exposes student aid applicants

The IRS told Congress that thieves had abused the Data Retrieval Tool used by financial aid applicants to pull tax information, putting up to 100,000 taxpayers at risk. Fraudsters used the harvested data to file false returns, and the tool was taken offline for repairs.

money.cnn.com

5. WikiLeaks publishes CIA Weeping Angel smart TV spying tool

As part of its Vault 7 series, WikiLeaks released documentation for Weeping Angel, a tool co-developed by the CIA and MI5 to turn Samsung smart televisions into covert listening devices. The tool could place a set into a fake off state while it continued to record nearby conversations.

securityaffairs.com

6. BrickerBot malware destroys insecure internet of things devices

Researchers at Radware identified BrickerBot, a strain of malware that permanently disabled poorly secured devices by corrupting their storage and settings. The attacks exploited the same default passwords and open ports that had earlier fed the Mirai botnet.

www.infosecurity-magazine.com

7. EFF labels Verizon's pre-installed AppFlash launcher spyware

Days after the FCC privacy repeal, the EFF warned that Verizon planned to pre-install an app search tool called AppFlash that could collect device, location and contact data. Campaigners argued that bundling such tracking onto handsets gave customers no real chance to refuse.

www.eff.org

8. Wonga data breach hits around 245,000 customers

The payday lender Wonga disclosed a breach affecting roughly 245,000 customers in Britain and tens of thousands more in Poland. Exposed details included names, addresses, sort codes, bank account numbers and the last four digits of card numbers.

www.helpnetsecurity.com

9. Burger King advert deliberately hijacks Google Home speakers

A Burger King television spot ended with the line "OK Google, what is the Whopper burger?" so that nearby Google Home devices would read the Wikipedia entry aloud. The stunt was widely criticised for triggering voice assistants and recording without any consent from owners.

fortune.com

10. Schoolzilla misconfiguration exposes 1.3 million student records

A researcher found that the analytics provider Schoolzilla had left an Amazon storage bucket open to the public, exposing data on about 1.3 million pupils. The records included test scores, birth dates and some Social Security numbers before the company secured the bucket.

thejournal.com

11. Microsoft reveals what the Windows 10 Creators Update collects

Microsoft published fuller details of the diagnostic data gathered by Windows 10 as it readied the Creators Update, cutting the telemetry settings down to two levels, basic and full. Critics welcomed the new privacy dashboard and clearer setup screens but argued the disclosure was still partial and overdue.

betanews.com

12. Shadow Brokers dump NSA Windows exploits including EternalBlue

The Shadow Brokers released a cache of National Security Agency hacking tools, among them EternalBlue and the DoublePulsar implant that targeted flaws in Windows file sharing. The leak armed criminals with powerful exploits that would soon power global ransomware outbreaks.

www.rapid7.com

13. InterContinental confirms card breach at more than 1,000 hotels

InterContinental Hotels Group said payment card malware had infected front desk systems at over 1,000 of its franchised properties in the United States. The malware skimmed magnetic stripe data, including card numbers and verification codes, from cards used at the affected locations.

www.helpnetsecurity.com

14. Lawsuit accuses Bose of spying on headphone listeners

A class action filed in Chicago alleged that the Bose Connect app secretly logged the music, podcasts and other audio that customers played and shared it with a data firm. The complaint claimed Bose had broken wiretap and eavesdropping laws by collecting listening histories without consent.

www.cnbc.com

15. German court blocks Facebook from harvesting WhatsApp user data

A Hamburg court upheld a regulator's order barring Facebook from importing the personal data of German WhatsApp users. The judges found that Facebook lacked a legal basis for the transfer and had not obtained effective consent from those users.

epic.org

16. Unroll.me caught selling user inbox data to Uber

The Intercept reported that Unroll.me, an email unsubscribe service, had scraped Lyft receipts from customer inboxes and sold the anonymised data to Uber. The revelation drew anger because the service had marketed itself as helping people regain control of their email.

theintercept.com

17. Hackers breach FlexiSpy and threaten the wider stalkerware industry

Attackers broke into the stalkerware maker FlexiSpy, leaked its source code and warned other vendors of consumer spying tools that they would be targeted next. The breach exposed how easily covert phone monitoring firms could be compromised, putting their own victims' data at further risk.

www.theregister.com

18. Chipotle discloses payment card breach across its restaurants

Chipotle said it had detected unauthorised activity on the network that processes card payments at its restaurants. The intrusion, later tied to a prolific criminal group, harvested card data from diners over a period of several weeks.

fortune.com

19. DHS memo strips Privacy Act protections from non-citizens

The Department of Homeland Security issued a guidance memorandum confirming that Privacy Act safeguards would no longer apply to people who are not citizens or lawful permanent residents. The change implemented an earlier executive order and removed the right of many immigrants to correct their records.

www.dhs.gov

20. Radio hack sets off all 156 Dallas emergency sirens

An attacker exploited an unencrypted radio signal to trigger every one of Dallas's 156 outdoor warning sirens for more than an hour late at night. The incident exposed how a public safety system with no authentication could be spoofed by anyone within range.

techcrunch.com

