Privacy Roundup #0145 • August 2018
August 2018 was dominated by Google's covert location tracking, fresh corporate breaches, and a sharpening fight over state surveillance.
1. Reddit breach shows the limits of SMS two-factor authentication
Reddit disclosed that an attacker had intercepted SMS codes to break into employee accounts and steal an early user database. The incident exposed old email addresses and password hashes and pushed the company towards token-based authentication.
2. Leaked documents reveal Google's censored China search engine
The Intercept published internal documents describing Dragonfly, a search app Google was building to comply with Chinese censorship. The project would blacklist queries about human rights, democracy, and peaceful protest, and it provoked an internal staff revolt.
3. Google keeps a history of your locations even when Location History is off
An Associated Press investigation found that Google services on Android and iPhone continued to store time-stamped location data after users turned off Location History. Princeton researchers confirmed the findings, which affected billions of devices.
4. EPIC tells the FTC that Google's tracking breaks its consent order
The Electronic Privacy Information Center wrote to the Federal Trade Commission arguing that Google's hidden location collection violated its 2011 settlement. The FTC confirmed it was reviewing whether the company had breached the order.
5. Google sued over deceptive location tracking
Within days of the AP report, a California resident filed a proposed class action accusing Google of secretly storing location data against users' wishes. The suit claimed violations of California privacy law and sought to represent both Android and iPhone owners.
6. Snapchat source code leaked and posted to GitHub
Snap confirmed that an iOS update in May had inadvertently exposed a portion of its source code, which an unauthorised party then uploaded to GitHub. The company used a copyright takedown to pull the code down and said its users were not affected.
7. Children hack replica election systems at DEF CON
At the DEF CON Voting Village in Las Vegas, an eleven-year-old changed the results on a replica state election website in under ten minutes. The exercise underlined how poorly defended American voting infrastructure remained ahead of the midterms.
8. Foreshadow flaw exposes secrets inside Intel SGX enclaves
Researchers disclosed Foreshadow, a speculative execution attack that could read data Intel chips were supposed to protect inside SGX enclaves. The flaw also threatened virtual machines and cloud tenants, undermining a hardware feature marketed as a privacy guarantee.
9. Australia releases draft decryption legislation
The Australian government published an exposure draft of the Assistance and Access Bill, which would compel technology providers to help agencies access encrypted communications. Civil society groups warned the powers could undermine encryption for everyone.
10. Apple forces Facebook to pull the Onavo VPN
Apple told Facebook that its Onavo Protect VPN broke App Store rules by harvesting data about which other apps people used. Facebook agreed to remove the app, which had been quietly feeding usage intelligence back to the company.
11. T-Mobile says hackers stole customer data
T-Mobile disclosed that an intruder had accessed records belonging to around two million customers, including names, billing zip codes, phone numbers, and account details. The carrier said it detected and shut down the access and began notifying affected users by text.
12. Animoto breach exposes personal and geolocation data
The video service Animoto confirmed a breach that exposed names, dates of birth, email addresses, and location data for tens of millions of accounts. Salted password hashes were also taken, prompting a wave of breach notifications.
13. DNC voter database scare turns out to be a phishing test
The Democratic National Committee called the FBI after spotting what looked like an attempt to phish access to its voter file. The alarm was a false one, as a state party had commissioned the simulated attack without telling national staff.
14. Senator Wyden confirms cell-site simulators disrupt 911 calls
The EFF reported that Senator Ron Wyden had confirmed Harris Corporation's Stingray devices completely cut off targeted phones from calls, texts, and data. That meant the surveillance tools could block emergency 911 calls for the people they tracked.
15. Instagram accounts hijacked through Russian email addresses
Hundreds of Instagram users were locked out as attackers changed their passwords, phone numbers, and recovery emails to Russian addresses. Many victims struggled to recover accounts because the linked email had been swapped out entirely.
16. Fiserv flaw exposed customer data at hundreds of banks
Brian Krebs reported that a weakness in technology provider Fiserv had exposed personal and financial details across the web platforms of hundreds of banks. A predictable identifier let any logged-in customer enumerate other people's contact and account information.
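The Fiserv weakness is the classic insecure direct object reference: the server trusts the record identifier in the request and never checks that the record belongs to the session that asked for it. The following is an added illustration, not code from the original post and not Fiserv's software; the account records, customer names and the `lookup_insecure`/`lookup_secure` functions are all constructed for the example. It shows the vulnerable lookup beside the hardened one and a regression probe of the kind an application's own test suite would run to confirm that one customer can no longer read another's data.

```python
"""Insecure direct object reference (IDOR) beside its fix.

Added example; the data and function names are constructed, not Fiserv's.
"""


class Forbidden(Exception):
    """Raised when a session asks for a record it does not own."""


# Constructed sample records keyed by a predictable, sequential account id.
# In the real incident the predictable identifier was the weakness that
# made enumeration trivial.
ACCOUNTS = {
    1001: {"owner": "alice", "email": "alice@example.com", "phone": "555-0101"},
    1002: {"owner": "bob", "email": "bob@example.com", "phone": "555-0102"},
    1003: {"owner": "carol", "email": "carol@example.com", "phone": "555-0103"},
}


def lookup_insecure(session_user, account_id):
    """Vulnerable pattern: returns whatever id the client supplied.

    The session user is ignored, so any logged-in customer can walk the
    id space and read every other customer's contact details.
    """
    return ACCOUNTS.get(account_id)


def lookup_secure(session_user, account_id):
    """Hardened pattern: the record must belong to the requesting session.

    A missing record and a record owned by someone else produce the same
    Forbidden result, so the response does not reveal which ids exist.
    """
    record = ACCOUNTS.get(account_id)
    if record is None or record["owner"] != session_user:
        raise Forbidden(f"{session_user} may not read account {account_id}")
    return record


def is_denied(session_user, account_id):
    """True when the hardened lookup refuses the request."""
    try:
        lookup_secure(session_user, account_id)
    except Forbidden:
        return True
    return False


def owners_visible_to(session_user, lookup, start, stop):
    """Regression probe: walk a range of ids as one customer and report
    whose records came back. A correct implementation returns only the
    caller's own name."""
    seen = set()
    for account_id in range(start, stop):
        try:
            record = lookup(session_user, account_id)
        except Forbidden:
            continue
        if record is not None:
            seen.add(record["owner"])
    return seen


if __name__ == "__main__":
    print("insecure:", owners_visible_to("alice", lookup_insecure, 1000, 1010))
    print("secure:  ", owners_visible_to("alice", lookup_secure, 1000, 1010))
```

The fix is the ownership check, not a less guessable identifier: an opaque id only makes enumeration slower, while the check makes it impossible. On the detection side, a burst of Forbidden responses from a single session across many distinct ids is a useful signal that someone is probing for exactly this flaw.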
17. FBI warns of a global ATM cashout scheme
The FBI privately warned banks that criminals were preparing a coordinated ATM cashout operation following a breach at a financial institution. The alert foreshadowed real heists that emptied cash machines across several countries.
18. EFF lays out how to strengthen California's new privacy law
The EFF published detailed proposals for improving the California Consumer Privacy Act before it took effect. The group urged opt-in consent for data collection, a stronger private right of action, and protections against punishing users who exercise their rights.
19. Superdrug rebuffs ransom demand after account breach
The British retailer Superdrug warned customers after hackers claimed to hold the details of thousands of online shoppers and demanded a ransom. The company blamed credential stuffing with passwords reused from other sites rather than a breach of its own systems.
20. Instagram adds security tools after a wave of takeovers
Following the spate of account hijackings, Instagram rolled out support for third-party authenticator apps and a way to verify official accounts. Brian Krebs welcomed the changes while noting they did not go far enough to protect ordinary users.