Privacy Roundup #0137 • December 2017
December 2017 closed the year with the FCC scrapping net neutrality, fresh leaks of bank and household data, and cryptocurrency miners turning ordinary devices into stealthy money machines.
1. PayPal subsidiary TIO Networks discloses breach hitting 1.6 million people
PayPal said the personal data of about 1.6 million customers of its newly acquired bill payment firm TIO Networks may have been stolen. The exposed records could include names, addresses, bank account details and Social Security numbers.
2. Stanford University admits three separate data exposures
Misconfigured file shares at Stanford left Social Security numbers and salaries for nearly 10,000 staff, confidential financial aid files and student sexual assault reports open to view. The leaks had sat exposed for months before students and reporters found them.
3. International operation dismantles the Andromeda botnet
Europol, the FBI and Microsoft seized control of the Andromeda malware network, which had infected more than two million computers across over 200 countries. Police sinkholed about 1,500 domains and arrested a suspect in Belarus.
4. Satori botnet hijacks Huawei routers through a zero-day flaw
A Mirai successor named Satori appeared on more than 280,000 addresses within twelve hours by exploiting a previously unknown flaw in Huawei home routers. Researchers warned the rapidly growing network could mount large denial-of-service attacks at any time.
5. Mailsploit lets attackers forge the sender address in email
A researcher disclosed Mailsploit, a set of bugs that let an attacker spoof the "from" line in messages and slip past SPF, DKIM and DMARC checks. More than thirty email clients, including Apple Mail and Thunderbird, mishandled encoded headers in ways that hid the real sender.
6. FBI director revives the "going dark" complaint about encryption
FBI director Christopher Wray told Congress that agents could not unlock almost 7,800 seized phones and urged manufacturers to weaken device encryption. Critics pointed out that he offered no evidence that access to those devices would actually improve public safety.
7. Hidden keylogger found in driver shipped on hundreds of HP laptops
A researcher discovered keylogging code buried in the Synaptics touchpad driver installed on more than 460 HP notebook models. The component was switched off by default, but anyone who set a registry value could turn it into a working keystroke recorder.
8. Group-IB exposes the MoneyTaker bank-robbing crew
Russian security firm Group-IB revealed MoneyTaker, a previously unknown group that had quietly stolen funds from banks in the United States, United Kingdom and Russia. The gang stole banking documentation and used custom modular malware to drain accounts over eighteen months.
9. Database of 1.4 billion plaintext credentials surfaces on the dark web
Researchers at 4iQ found a 41-gigabyte file containing 1.4 billion usernames and passwords stored in plain text. The interactive collection aggregated 252 earlier breaches and made password reuse trivial to search and exploit.
10. Triton malware targets industrial safety systems
FireEye and Dragos disclosed Triton, malware built to tamper with Schneider Electric safety controllers at an industrial plant in the Middle East. The code disabled an emergency shutdown function, raising fears that a digital attack could cause physical harm.
11. FCC votes to repeal net neutrality protections
The Federal Communications Commission voted three to two along party lines to scrap the 2015 net neutrality rules. The decision freed internet providers to block, throttle or prioritise traffic, with knock-on consequences for how they handle customer data.
12. Mozilla angers users by force-installing a Mr. Robot add-on
Mozilla pushed a promotional extension called Looking Glass into Firefox without asking, drawing accusations that it had betrayed its own privacy principles. The cryptic add-on, tied to the television show Mr. Robot, prompted a public apology within days.
13. Loapi Android trojan can physically wreck a phone
Kaspersky researchers described Loapi, a modular Android trojan that mines cryptocurrency, runs denial-of-service attacks and floods users with adverts. Its constant workload overheated test devices so badly that one battery bulged and deformed within two days.
14. Youbit cryptocurrency exchange collapses after a second hack
South Korean exchange Youbit filed for bankruptcy hours after thieves stole seventeen per cent of its holdings, its second breach of the year. Customers were told they could withdraw only about three quarters of their assets while the wind-up proceeded.
15. White House publicly blames North Korea for WannaCry
Homeland security adviser Tom Bossert formally attributed the May WannaCry ransomware outbreak to North Korea. The malware had locked roughly 300,000 computers in 150 countries, including systems at Britain's National Health Service.
16. Nissan Canada Finance warns 1.13 million customers of a breach
Nissan Canada Finance said an intruder may have accessed personal details of about 1.13 million customers, including names, addresses, credit scores and loan information. The company waited ten days after discovering the incident before telling the people affected.
17. Misconfigured Alteryx bucket exposes 123 million households
Marketing firm Alteryx left an Amazon storage bucket open that held detailed Experian and census data on 123 million American households. The records covered home addresses, contact details and analyses of purchasing behaviour, all reachable with a free account.
18. Digmine cryptocurrency miner spreads through Facebook Messenger
Trend Micro found Digmine, malware that posed as a video file and hijacked Facebook accounts to spread to a victim's contacts. The bot quietly mined Monero on infected Chrome installations across several countries.
19. Forever 21 confirms months of payment card theft
The clothing retailer admitted that malware had harvested card data at its stores from early April to mid-November 2017. Encryption that should have protected the terminals was not always switched on, leaving card numbers and expiry dates exposed.
20. Card breach at Jason's Deli shows small chains are the new target
Brian Krebs reported that around 170,000 stolen cards traced to Jason's Deli had appeared for sale on a dark web market. The case highlighted how fraudsters have shifted from large retailers to smaller, less defended merchants four years after the Target breach.