Privacy Roundup #0138 • January 2018

January 2018 opened with the Meltdown and Spectre chip flaws and closed with the Strava heatmap exposing military bases, a month when hardware, fitness apps and national databases all leaked at once.

1. Meltdown and Spectre flaws expose memory in almost every modern processor

Researchers disclosed two side-channel attacks that let one program read memory it should never see, affecting nearly every Intel, AMD and ARM chip made in the past two decades. The flaws could only be addressed through operating system patches that often slowed machines down.

www.welivesecurity.com

2. Western Digital My Cloud drives shipped with a hard-coded backdoor

A researcher published details of a secret administrator account, with the username and password baked into the firmware, across a dozen Western Digital My Cloud storage models. Anyone on the network could use it to read personal photos and videos or take over the device entirely.

www.theregister.com

3. Tribune reporter buys access to a billion Aadhaar records for 500 rupees

An investigation by The Tribune found agents selling login credentials that returned the name, address, photo, phone number and email of any holder in India's Aadhaar database. A further payment bought software to print fake Aadhaar cards.

www.tribuneindia.com

4. WhatsApp group chats found vulnerable to silent infiltration

Researchers at Ruhr University Bochum showed that anyone controlling WhatsApp's servers could add a new member to a private group without the administrator's consent. Every participant's phone would then share its keys with the intruder, granting full access to future messages.

techcrunch.com

5. ICO fines Carphone Warehouse £400,000 over 2015 breach

The Information Commissioner's Office penalised Carphone Warehouse for security failures that let intruders reach the data of more than three million customers and a thousand staff. Investigators found outdated software, missing security testing and historic records that should have been purged.

www.theregister.com

6. India's UIDAI introduces a Virtual ID to limit Aadhaar exposure

Facing mounting privacy criticism, the authority running Aadhaar announced a sixteen-digit Virtual ID that holders could share in place of their real number. It also promised a limited form of verification that would hand agencies only the details they needed.

www.businesstoday.in

7. macOS High Sierra unlocked App Store settings with any password

A bug in macOS 10.13.2 let anyone open the locked App Store preferences pane by typing an administrator name and any password at all. The flaw gave anyone with physical access to the Mac a way to disable automatic security and software updates.

www.macrumors.com

8. Norwegian health authority breach may have hit nearly three million patients

Health South-East RHF confirmed that attackers described as advanced and professional had compromised systems holding records for about half of Norway's population. Police, military intelligence and the national security authority opened an investigation into whether data had been stolen.

www.helpnetsecurity.com

9. Kaspersky uncovers Skygofree, a powerful Android surveillance tool

Researchers detailed an implant active since 2014 that could read WhatsApp messages, record audio when a phone entered a chosen location and quietly connect devices to attacker-controlled Wi-Fi. The victims so far were all in Italy, and the toolkit appeared to be the work of an Italian surveillance vendor.

www.kaspersky.com

10. EFF and Lookout expose the Dark Caracal espionage campaign

The two organisations traced a global operation that used fake messaging apps to steal hundreds of gigabytes from thousands of victims across more than twenty countries. The infrastructure appeared to run from a Lebanese security directorate building in Beirut.

www.eff.org

11. President signs a six-year renewal of Section 702 surveillance powers

The FISA Amendments Reauthorization Act extended the warrantless foreign intelligence programme that also sweeps up Americans' communications until the end of 2023. The President said he would have preferred to make the powers permanent.

trumpwhitehouse.archives.gov

12. OnePlus credit card breach hits up to 40,000 shoppers

A malicious script planted on the OnePlus store skimmed card numbers, expiry dates and security codes as customers typed them into the payment page. The company disabled card payments and offered affected buyers free credit monitoring.

thehackernews.com

13. Tinder's lack of encryption let snoops watch your swipes

Researchers at Checkmarx found that Tinder sent profile photos over unencrypted connections, so anyone on the same network could see them and inject their own images. Subtle differences in response sizes also revealed whether a user swiped left, right or super-liked.

money.cnn.com

14. Blizzard games carried a flaw exposing millions of PCs

Google's Tavis Ormandy found that the update agent shared across World of Warcraft, Overwatch, Hearthstone and StarCraft was open to a DNS rebinding attack. A booby-trapped web page could have sent privileged commands to a player's machine.

www.bleepingcomputer.com
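The standard defence against the DNS rebinding attack described above is for a local service to refuse any request whose Host header is not its own loopback name, because a rebound request still carries the attacker's domain in Host. The following is an added illustration, not Blizzard's agent code; the port and the allowed hostnames are assumptions.

```python
"""Minimal localhost agent with a Host-header check against DNS rebinding.
Added example, not the Blizzard update agent; port and names are assumed."""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Names a legitimate local client may use to reach the agent (assumed values).
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "::1"}
AGENT_PORT = 1120  # assumed port for this example


def host_allowed(host_header, port=AGENT_PORT):
    """Return True only if the Host header names this agent directly.

    A rebinding page makes the victim's browser send the request, so Host
    holds the attacker's domain even though it now resolves to 127.0.0.1.
    Anything other than a loopback name (with the right port) is refused.
    """
    if not host_header:
        return False
    try:
        parts = urlsplit("//" + host_header.strip())  # parse as an authority
        hostname, hport = parts.hostname, parts.port   # .port may raise
    except ValueError:
        return False
    if hostname is None:
        return False
    if hport is not None and hport != port:
        return False
    return hostname in ALLOWED_HOSTS  # .hostname is already lower-cased


class AgentHandler(BaseHTTPRequestHandler):
    """Rejects rebound requests before any privileged command is handled."""

    def do_GET(self):
        if not host_allowed(self.headers.get("Host")):
            self.send_error(403, "Host header not recognised")
            return
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"agent ok\n")


def serve():
    # Bind to loopback only; the Host check still matters because the
    # browser on the same machine is what a rebinding page abuses.
    HTTPServer(("127.0.0.1", AGENT_PORT), AgentHandler).serve_forever()


if __name__ == "__main__":
    serve()
```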

15. Lenovo Fingerprint Manager Pro found to hold a hard-coded password

The fingerprint utility for older ThinkPad, ThinkCentre and ThinkStation machines stored Windows credentials and fingerprint data with weak encryption and a hidden password. A local non-administrator could use it to bypass the scanner and reach sensitive data.

thehackernews.com

16. Coincheck loses around 500 million dollars in the largest crypto theft yet

Hackers drained the Japanese exchange of roughly 523 million NEM coins held in an internet-connected hot wallet without multi-signature protection. The company later pledged to repay its 260,000 affected customers from its own funds.

www.bleepingcomputer.com

17. Strava heatmap reveals secret military bases and patrol routes

Strava's global activity map, glowing with two years of fitness data, traced the perimeters and supply routes of military sites in Syria, Iraq and Afghanistan. The discovery prompted a United States defence review of how personal fitness trackers could endanger operations.

www.theregister.com

18. Jason's Deli warns two million payment cards may have been stolen

The restaurant chain disclosed that RAM-scraping malware had sat on point-of-sale terminals at 164 locations since the previous June. Card issuers spotted stolen details for sale on the dark web and alerted the company.

www.bankinfosecurity.com

19. Archive Poster extension caught mining Monero without consent

The Archive Poster extension, installed by more than a hundred thousand people, was found to be running Coinhive to mine Monero without consent. The mining quietly slowed computers as it diverted their processing power.

fortune.com

20. Cisco patches a maximum-severity flaw in its security appliances

Cisco disclosed a remote code execution bug in the VPN feature of its Adaptive Security Appliance software, rated a perfect ten out of ten and exploitable without any login. An attacker could send crafted packets to seize full control of the firewall protecting a network.

www.bleepingcomputer.com

