Privacy and Cybersecurity Weekly Digest

Number of affected users in Adobe’s October breach rises again, now believed to be over 150 million accounts breached
Last week, news broke that the number of compromised records related to the Adobe data breach has once again increased. According to Paul Ducklin at Sophos’ NakedSecurity Blog, “a huge dump of the offending customer database listed 150 million breached records,” far more than the 38 million records recently reported by Adobe. A few weeks ago, we provided a recap of the Adobe data breach story, first released by Brian Krebs, and the discovery that the first noted number of affected users was “far greater in scope than originally believed.” What Adobe initially reported as a breach “relating to 2.9 million Adobe customers,” then raised to as many as 38 million customers, now seems to be well above both reported numbers. Additionally, Ducklin’s report states that “[w]ith very little effort, we have already recovered an awful lot of information about the breached passwords, including: identifying the top five passwords precisely, plus the 2.75 [percent] of users who chose them; and determining the exact password length of nearly one[-]third of the database.” Infosecurity Magazine also reported on Ducklin’s post, stating that the Adobe breach “is potentially a colossal blunder.” Jim Finkle with Reuters has more on the story here.
Facebook mines Adobe data breach records to warn its own users
Turning the unfortunate breach of Adobe customer information to its advantage, Facebook has started mining the leaked information to help its own users. According to Brian Krebs, “Facebook users who used the same email and password combinations at both Facebook and Adobe’s site are being asked to change their password and to answer some additional security questions.” A Facebook spokesman, Jay Nancarrow, informed Krebs that “Facebook is constantly on the lookout for data leaked from other breach incidents that may endanger accounts of its own users.” Facebook’s use of leaked information demonstrates the need for companies to remain wary of the poor security habits typical of most Internet users. As ZDNet’s Liam Tung explained, “To keep things simple, users not only pick easy-to-guess passwords, but they often use the same passwords for multiple online accounts. The problem with that is, if hackers nab a password for one service, they can typically use it to enter another.”
The Hill reports that White House may consider civilian NSA director
Brendan Sasso with The Hill reported on Saturday that “[t]he White House is considering whether to name a civilian to lead the National Security Agency.” According to Sasso, this would be the first time that the NSA has had a civilian leader since its creation in 1952. It would also mean, according to Sasso, that the Senate would have confirmation authority over the civilian director, “a power that it doesn’t currently have.” A civilian director, however, would only be named if the NSA and Cyber Command were split (an option currently being discussed). Additional reporting on this story by The Guardian’s Spencer Ackerman can be found here.
New FCC chairman demands mobile device unlocking standards from the CTIA
Tom Wheeler, the new chairman of the FCC, has demanded that the CTIA Wireless Association implement a standard that allows consumers to unlock their mobile devices at the conclusion of their contracts. The FCC and the CTIA have been working together to amend the CTIA’s Consumer Code for the last eight months. However, Wheeler’s public letter asks the CTIA to act voluntarily before the December holiday season, and threatens FCC regulation in the absence of voluntary action. According to Wheeler’s letter, the final sticking point in negotiations is the affirmative notification of customers when they are eligible for their devices to be unlocked. Wheeler insists that without notification, “any voluntary program would be a hollow shell.” Ina Fried of AllThingsD highlights how this issue gained importance in October 2012 when the Library of Congress ruled that unlocking mobile devices without the permission of carriers should be illegal.
GCHQ used LinkedIn, Slashdot, and Quantum Insert malware to target engineers and gain access to their workplace networks
Der Spiegel reports that the UK spy agency GCHQ targeted engineers working at Belgacom, as well as individuals working at monetary clearing houses, and then used a sophisticated and highly individualized method to implant malware on each target’s computer. GCHQ then accessed the target’s workplace servers and networks. This method, called “Quantum Insert,” requires conducting extensive digital surveillance on the intended target; constructing a fake, malware-embedded LinkedIn page tailored to the targeted individual; and then serving the fake page to the target, who unintentionally downloads the malware. Bruce Schneier first reported on the “Quantum Insert” method in an article for The Guardian published earlier this month.
Google testifies before the Congressional Judiciary Committee for the first time since Snowden leaks
Google’s legal director, Richard Salgado, testified before the Senate Judiciary Committee’s Privacy, Technology and the Law Subcommittee on Wednesday. The Subcommittee hearing discussed Senator Al Franken’s proposed Surveillance Transparency Act of 2013. In Salgado’s written testimony, he called for an update to the Electronic Communications Privacy Act, as it currently “fails to preserve the reasonable privacy expectations of Americans today.” Salgado asked for a greater ability to inform the public about governmental requests for data. According to Salgado, this lack of transparency “has a negative impact on [Google’s] economic growth and security and on the promise of an Internet as a platform for openness and free expression.”
WikiLeaks publishes draft of the intellectual property chapter of the Trans-Pacific Partnership Agreement
On Wednesday, WikiLeaks published a complete draft of the intellectual property chapter of the Trans-Pacific Partnership Agreement (TPP). The leak is significant because the TPP has been negotiated in secret with the representatives of various corporations: even the governments of the countries participating in the negotiations have not had official access to the document. As a result, the TPP has received little to no public input. Reactions to the leaked document have been resigned and unenthusiastic. Timothy Lee of the Washington Post reports that the agreement reads as a “Hollywood wish list,” in which the U.S. has “pressure[d] its negotiating partners to make their laws more favorable to the interests of U.S. filmmakers, drug companies, and other large holders of copyright and patent rights.” The Electronic Frontier Foundation (EFF) has voiced strong opposition to many portions of the agreement. The EFF opposes the DRM provisions; the “strict regulation of temporary copies,” which it claims could interfere with the essential function of the Internet; the imposition of “draconian copyright enforcement measures”; and the extension of copyright terms. Earlier this week, before WikiLeaks’ publication of the TPP, The New York Times Editorial Board appeared to offer an endorsement of either the TPP Agreement or the TPP process of developing an agreement. It is unclear whether the New York Times will maintain its endorsement now that the text is public.