Privacy Roundup #0136 • November 2017
November 2017 was defined by Uber's concealed mega-breach, a wave of leaky cloud buckets spilling military and corporate secrets, and fresh fights over location tracking, encryption and surveillance law.
1. Uber concealed a 2016 breach of 57 million riders and drivers
Uber disclosed that hackers had stolen the names, email addresses and phone numbers of 50 million riders and 7 million drivers in October 2016, along with around 600,000 driver licence numbers. The company had paid the attackers 100,000 dollars to delete the data and stayed quiet for more than a year, and it removed its security chief once the cover-up came to light.
2. Paradise Papers were not an inside job, says leaky offshore law firm
A consortium of journalists published the Paradise Papers, a leak of more than 13 million documents from offshore service provider Appleby and the registers of nineteen tax havens. Appleby said the records came from a criminal hack rather than an insider, even as the files detailed the hidden finances of politicians, multinationals and royalty.
3. Supreme Court hears arguments in historic cellphone tracking case
The Supreme Court heard oral argument in Carpenter v. United States, a case asking whether police need a warrant to obtain months of historical cell-site location records. The government had collected nearly 13,000 location points charting one suspect's movements over 127 days without probable cause.
4. Pentagon left 1.8 billion scraped social media posts exposed
Researchers found three Amazon S3 buckets tied to the Department of Defense that anyone with an account could read, holding 1.8 billion internet posts collected over eight years. A defunct contractor named VendorX had built the surveillance archive, which swept up ordinary people's online speech.
5. Classified Army and NSA intelligence data found on an open bucket
An exposed Amazon S3 bucket linked to Army intelligence command INSCOM held more than 100GB of files from a failed cloud project codenamed Red Disk. Some material was marked Top Secret and NOFORN, meaning it should never have been shared even with allied governments.
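Both bucket stories above come down to the same misconfiguration: an ACL grant to the AuthenticatedUsers group, which means any AWS account holder, not only the owner's organisation. The audit below is an added example, not code from the roundup or from the researchers who found the buckets; it evaluates ACLs in the same structure AWS returns for a bucket (the shape boto3's get_bucket_acl() produces) and flags grants to the two public groups. The bucket ACLs it runs on are constructed sample data, and the "owner-id-placeholder" canonical ID is a placeholder.

```python
"""Flag S3 bucket ACL grants that expose data to everyone or to any AWS account.

The two group URIs below are the real AWS group identifiers. AllUsers is the
anonymous internet; AuthenticatedUsers is anyone who can log into any AWS
account, which is why "only authenticated users" is not a protection.
"""

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Permissions that allow listing the bucket or reading its objects.
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}


def public_grants(acl):
    """Return (who, permission) pairs for every grant made to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # canonical-user grants are scoped to one AWS account
        uri = grantee.get("URI", "")
        if uri == ALL_USERS:
            findings.append(("anyone-on-the-internet", grant["Permission"]))
        elif uri == AUTHENTICATED_USERS:
            findings.append(("any-aws-account", grant["Permission"]))
    return findings


def is_readable_by_strangers(acl):
    """True when a public group can list or read the bucket's contents."""
    return any(perm in READ_PERMISSIONS for _, perm in public_grants(acl))


def audit(buckets):
    """Map bucket name -> public grants, keeping only buckets that have any."""
    report = {}
    for name, acl in buckets.items():
        grants = public_grants(acl)
        if grants:
            report[name] = grants
    return report


# Constructed sample ACLs (not real buckets).
OWNER = {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}
SAMPLE_BUCKETS = {
    # Correct: only the owning account holds any grant.
    "private-archive": {
        "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}],
    },
    # The Pentagon/INSCOM pattern: readable by any AWS account holder.
    "scraped-posts": {
        "Grants": [
            {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
            {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
             "Permission": "READ"},
        ],
    },
    # Anonymous read, which is only acceptable for intentionally public assets.
    "website-assets": {
        "Grants": [
            {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
            {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        ],
    },
}

if __name__ == "__main__":
    for bucket, grants in audit(SAMPLE_BUCKETS).items():
        for who, perm in grants:
            print(f"{bucket}: {perm} granted to {who}")
```

In a real audit the input would be the result of get_bucket_acl() for each bucket returned by list_buckets(); the check itself is unchanged. Bucket policies can widen access independently of the ACL, so a complete review covers both.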
6. WikiLeaks released the source code of the CIA's Hive malware platform
WikiLeaks began its Vault 8 series by publishing the full source code for Hive, the CIA's covert command-and-control system for managing malware implants. The code showed how the agency disguised its servers and forged digital certificates impersonating firms such as Kaspersky to hide its tracks.
7. Android phones sent location data to Google with services switched off
An investigation revealed that Android devices had been gathering nearby cell-tower addresses and sending them to Google even when location services were disabled and no SIM card was present. The practice ran through Firebase Cloud Messaging, a service users could not turn off, and Google said it would stop the collection.
→ qz.com
8. Imgur disclosed a breach of 1.7 million accounts
The image-sharing site Imgur confirmed that a 2014 breach had exposed the email addresses and passwords of 1.7 million users, after a researcher passed it the stolen data. The passwords had been stored as SHA-256 hashes, a fast general-purpose algorithm that is too weak for password storage, and many had already been cracked into plain text.
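Why a fast hash fails as password storage, and what the fix looks like, as an added example (not code from Imgur or from the roundup). Unsalted SHA-256 maps each password to one fixed value, so a table precomputed over common passwords recovers it instantly; a salted, iterated function such as PBKDF2 defeats that table and makes every guess expensive. The common-password list and the upgrade-on-login routine are constructed for the example; the iteration count is an assumption, not a recommendation tied to any particular system.

```python
import hashlib
import hmac
import os

# Constructed miniature of a common-password list.
COMMON_PASSWORDS = ["123456", "password", "qwerty"]


def sha256_hash(password):
    """The weak legacy scheme: one unsalted, fast hash per password."""
    return hashlib.sha256(password.encode()).hexdigest()


def precomputed_table(hash_fn):
    """Build hash -> password for the common list, computed once, reused forever."""
    return {hash_fn(p): p for p in COMMON_PASSWORDS}


def recover_from_table(stored_hash, table):
    """Instant lookup: succeeds against unsalted hashes, useless against salted ones."""
    return table.get(stored_hash)


def pbkdf2_hash(password, salt=None, iterations=200_000):
    """Salted, iterated hash. Format: scheme$iterations$salt_hex$digest_hex."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_pbkdf2(password, stored):
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(digest.hex(), digest_hex)


def login_and_upgrade(password, stored):
    """Verify against either scheme; on success with the legacy scheme, rehash.

    Returns (ok, new_stored). Callers persist new_stored when it changed, so
    the legacy hashes disappear as users log in rather than in one risky
    migration of data the server cannot decrypt.
    """
    if stored.startswith("pbkdf2_sha256$"):
        return verify_pbkdf2(password, stored), stored
    if hmac.compare_digest(sha256_hash(password), stored):
        return True, pbkdf2_hash(password)
    return False, stored


if __name__ == "__main__":
    legacy = sha256_hash("qwerty")
    print("legacy hash found in table:", recover_from_table(legacy, precomputed_table(sha256_hash)))
    ok, upgraded = login_and_upgrade("qwerty", legacy)
    print("login ok:", ok, "| upgraded:", upgraded.startswith("pbkdf2_sha256$"))
```

The salt is what kills the precomputed table: two users with the same password get different stored values, so the attacker has to redo the (deliberately slow) work per account. Purpose-built password hashes such as bcrypt, scrypt or Argon2 are preferable to PBKDF2 where a library is available; the shape of the upgrade path is the same.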
9. FCC chairman unveiled a plan to repeal net neutrality
FCC chairman Ajit Pai announced the Restoring Internet Freedom Order, a proposal to scrap the net neutrality rules that barred internet providers from blocking or throttling traffic. Privacy advocates warned the rollback would let carriers monitor and shape what customers do online with far less oversight.
10. Estonia froze the certificates on 760,000 national ID cards
Estonia blocked the digital certificates on 760,000 ID cards after researchers found a flaw in the Infineon chips that could let an attacker compute a card's private key from its public key. The weakness threatened the e-identity that Estonians use to vote, bank and sign documents.
11. The FBI did not warn US officials targeted by Russian hackers
An Associated Press investigation found that the FBI had failed to alert scores of Americans that the Russian group Fancy Bear was trying to break into their personal email. Out of nearly eighty people interviewed, only two had received any warning, and several learned of the threat only from reporters.
12. OnePlus phones shipped with a hidden root backdoor
A researcher discovered that several OnePlus phones shipped with a factory app called EngineerMode that granted permanent root access, unlocked with the password "angela". Anyone with brief physical access to a device could exploit it to take control of the phone and its data.
13. Eavesdropper flaw exposed millions of private calls and messages
Security firm Appthority revealed the Eavesdropper vulnerability, caused by developers hard-coding Twilio credentials into nearly 700 mobile apps. The mistake exposed call records, text messages and voice recordings, including those from an app used by a federal law enforcement agency.
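The Eavesdropper mistake is detectable before release: a credential baked into an app's source or resources is a string with a recognisable shape. The scanner below is an added example, not Appthority's tool or code from the roundup. It matches Twilio's documented Account SID format (the letters AC followed by 32 hex characters) and, as a heuristic that is my assumption rather than a Twilio specification, a 32-hex-character value assigned to a variable whose name contains "auth_token". The input files are constructed snippets of an Android strings.xml and a Java class; the values in them are made up.

```python
import re

# Twilio Account SIDs are "AC" + 32 hex characters (documented format).
ACCOUNT_SID_RE = re.compile(r"\bAC[0-9a-fA-F]{32}\b")

# Heuristic (assumption): a 32-hex value assigned to an *auth_token*-style name.
AUTH_TOKEN_RE = re.compile(
    r"(?i)auth[_-]?token\s*[:=]\s*[\"']?([0-9a-f]{32})\b"
)


def redact(value):
    """Keep enough of a secret to locate it, never enough to reuse it."""
    return value[:4] + "..." + value[-4:]


def line_of(text, offset):
    return text.count("\n", 0, offset) + 1


def find_credentials(text, source="<input>"):
    """Return one finding dict per credential-shaped string in text."""
    findings = []
    for m in ACCOUNT_SID_RE.finditer(text):
        findings.append({"source": source, "line": line_of(text, m.start()),
                         "kind": "twilio_account_sid", "value": redact(m.group(0))})
    for m in AUTH_TOKEN_RE.finditer(text):
        findings.append({"source": source, "line": line_of(text, m.start(1)),
                         "kind": "twilio_auth_token", "value": redact(m.group(1))})
    return findings


def scan(files):
    """files: mapping path -> contents (e.g. an unpacked APK's res/ and src/)."""
    results = []
    for path, contents in files.items():
        results.extend(find_credentials(contents, path))
    return sorted(results, key=lambda f: (f["source"], f["line"]))


# Constructed sample inputs; the SID and token are made-up values.
SAMPLE_FILES = {
    "res/values/strings.xml": (
        '<resources>\n'
        '    <string name="app_name">Messenger</string>\n'
        '    <string name="twilio_sid">AC0123456789abcdef0123456789abcdef</string>\n'
        '</resources>\n'
    ),
    "src/CallService.java": (
        'public class CallService {\n'
        '    // Credential in the client: every user of the app can extract it.\n'
        '    private static final String TWILIO_AUTH_TOKEN = '
        '"fedcba9876543210fedcba9876543210";\n'
        '}\n'
    ),
    "src/Config.java": (
        'public class Config {\n'
        '    // Correct: the app talks to its own backend, which holds the token.\n'
        '    static final String CALL_ENDPOINT = "https://api.example.com/calls";\n'
        '}\n'
    ),
}

if __name__ == "__main__":
    for f in scan(SAMPLE_FILES):
        print(f"{f['source']}:{f['line']}: {f['kind']} {f['value']}")
```

The finding is the signal that the architecture is wrong, not merely that one string needs rotating: an account-level credential in a client binary can be pulled out by any user of the app, so the fix is to keep the token on a server the app authenticates to and to rotate the exposed credential once it has been moved.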
14. ICE memo claimed DJI drones were sending data to China
A leaked Immigration and Customs Enforcement bulletin alleged with moderate confidence that DJI drones were uploading footage and infrastructure data to servers in China that the government could access. DJI rejected the claims as false and misleading, saying US customer data stays on American servers by default.
15. Researchers showed Amazon Key could be quietly disabled by couriers
Researchers found that Amazon's new Key in-home delivery service, which lets couriers unlock your door under a watching camera, could be undermined with a Wi-Fi deauthentication attack. The trick froze the camera on its last frame, letting someone re-enter and move around the home without being recorded.
16. UK announced changes to the Investigatory Powers Act after EU ruling
Home Secretary Amber Rudd opened a consultation on changes to the Investigatory Powers Act to comply with a European court judgment that limited bulk retention of communications data. Critics argued the proposals still fell short of the safeguards the court had demanded for access to people's records.
→ questions-statements.parliament.uk
17. Tor launched a more anonymous generation of onion services
The Tor Project shipped the first releases supporting next-generation onion services, replacing ageing cryptography with SHA3, ed25519 and curve25519. The redesign produced longer, harder-to-impersonate addresses and leaked far less information to the directory servers that help users find hidden sites.
18. Intel confirmed critical flaws in its hidden Management Engine
Intel confirmed eight vulnerabilities in the Management Engine, a secret processor embedded in vast numbers of its chips, that let attackers run code beneath the operating system. Because the engine sits out of sight of users and administrators, the flaws could be used to plant invisible backdoors.
19. Facebook asked users to upload their nude photos to fight revenge porn
Facebook defended a pilot that invited people to send the company their own intimate images so it could fingerprint them and block any future sharing. The plan drew alarm because human moderators would first review the uncensored photos, asking victims to trust the firm with their most private images.
20. A bug froze around 280 million dollars of Ethereum in Parity wallets
A flaw in Parity's multi-signature wallet code let one user take ownership of a shared library and then delete it, permanently locking the funds held in every wallet built on it. Researchers estimated roughly 280 million dollars in Ether was frozen, leaving owners unable to reach their own money.
Enjoyed this post?
Well, you could share the post with others, follow me with RSS Feeds and/or send me a comment via email.