Weekly Privacy Roundup #9
“Sometimes the scandal is not what law was broken, but what the law allows.” – Edward Snowden
Inside the NSA’s Secret Tool for Mapping Your Social Network
IN THE SUMMER of 2013, I spent my days sifting through the most extensive archive of top-secret files that had ever reached the hands of an American journalist. In a spectacular act of transgression against the National Security Agency, where he worked as a contractor, Edward Snowden had transmitted tens of thousands of classified documents to me, the columnist Glenn Greenwald, and the documentary filmmaker Laura Poitras.
One of those documents, the first to be made public in June 2013, revealed that the NSA was tracking billions of telephone calls made by Americans inside the US. The program became notorious, but its full story has not been told.
The first accounts revealed only bare bones. If you placed a call, whether local or international, the NSA stored the number you dialed, as well as the date, time and duration of the call. It was domestic surveillance, plain and simple. When the story broke, the NSA discounted the intrusion on privacy. The agency collected “only metadata,” it said, not the content of telephone calls. Only on rare occasions, it said, did it search the records for links among terrorists. (Wired)
NTT Communications Data Breach Affects Customers, Threatens Supply Chain
Attackers managed to compromise NTT Communication’s Active Directory server and a construction information management server.
Japan-based systems integrator NTT Communications has disclosed a recent data breach that it said impacted hundreds of customers.
The total affected comes to as many as 621 customers, the company said, but security experts worry about the impacts of the data breach due to the company’s positioning as a systems integrator, which could create widespread ramifications for its supply-chain partners. NTT Communications is a subsidiary of Fortune 500 company Nippon Telegraph and Telephone Corp., the largest telecommunications company in Japan (and one of the largest worldwide).
“At this point, we have completed initial actions such as stopping the server that served as a stepping stone [for the breach], but we will contact customers who may have been affected in order. At the same time, we are implementing measures to prevent recurrence,” according to the company’s translated data-breach disclosure. (Threatpost)
Hacker leaks database of dark web hosting provider
A hacker has leaked online today the database of Daniel’s Hosting (DH), the largest free web hosting provider for dark web services.
The leaked data was obtained after the hacker breached DH earlier this year, on March 10, 2020. At the time, DH owner Daniel Winzen told ZDNet the hacker breached his portal, stole its database, and then wiped all servers.
On March 26, two weeks after the breach, DH shut down its service for good, urging users to move their sites to new dark web hosting providers. Around 7,600 websites — a third of all dark web portals — went down following DH’s shutdown. (ZDNet)
Joomla team discloses data breach
JRD full site backups (unencrypted) were stored in a third-party company’s Amazon Web Services S3 bucket. The third-party company is owned by a former Team Leader who was still a member of the JRD team at the time of the breach, and this was known to the current Team Leader at the time of the breach. (https://volunteers.joomla.org/teams/resource-directory-team)
Each backup copy included a full copy of the website, including all the data.
Most of the data was public, since users submitted their data with the intent of being included into a public directory. Private data (unpublished, unapproved listings, tickets) was included in the breach.
The audit also highlighted the presence of Super User accounts owned by individuals outside Open Source Matters. (Joomla.org)
Data Breach in an Indian E-Governance Website Leaks Data of 7.26 Million Users
On Sunday, May 31, 2020, a few security researchers reported a major data breach related to a government website in India.
Security researchers Noam Rotem and Ran Locar from vpnMentor published a report detailing a breach of approximately 7.26 million records related to India’s e-Governance website.
The researchers stated that the data was exposed through a misconfigured Amazon Web Services (AWS) S3 storage bucket containing 409 GB of data, including sensitive profile information and financial data related to the BHIM app users. (Cyware)
Joomla Team Discloses Data Breach – 2,700 Individuals Were Affected
Joomla is a popular free and open-source content management system used for publishing web content. The team behind the CMS disclosed the data breach last week.
The incident happened after a team member left an unencrypted full backup of the JRD site on an unsecured Amazon Web Services S3 bucket.
The company said that more than 2,700 users who have access to the resources.joomla.org website are affected. (GBHackers)
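Both S3 incidents in this roundup (the Joomla JRD backups and the Indian e-Governance bucket) come down to a bucket that anyone on the internet could read. The checker below is an added example written for this page, not code from Joomla, vpnMentor or any other source cited here. It parses a bucket policy document and a bucket ACL in the JSON shapes the S3 API returns (GetBucketPolicy and GetBucketAcl) and flags any grant to "everyone". The bucket name, account id and role name are constructed placeholders, and the two policies are constructed to show a public-read misconfiguration beside a restricted one.

```python
import json

# Constructed sample policy: the classic public-read misconfiguration.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadGetObject",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-site-backups/*",
    }],
})

# Constructed sample policy: only a named role can read/write, and a Deny
# with Principal "*" is fine because it grants nothing.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BackupRoleOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-writer"},
            "Action": ["s3:PutObject", "s3:GetObject"],
            "Resource": "arn:aws:s3:::example-site-backups/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-site-backups",
                         "arn:aws:s3:::example-site-backups/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})

# Constructed sample ACL in the shape GetBucketAcl returns: one grant to the
# AllUsers group, which makes the bucket listing world-readable.
PUBLIC_ACL = {
    "Owner": {"ID": "constructed-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

# Predefined S3 group URIs that mean "anyone" or "any AWS account".
WORLD_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "everyone",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}


def _principals(principal):
    """Flatten a policy Principal element ("*" or a {service: value} map) to strings."""
    if isinstance(principal, str):
        return [principal]
    out = []
    for value in principal.values():
        out.extend(value if isinstance(value, list) else [value])
    return out


def public_statements(policy_json):
    """Map each Allow statement reachable by anyone to a severity label.

    "public" means an unconditional grant to Principal "*" (or {"AWS": "*"});
    "public-with-condition" means the same principal but a Condition block is
    present, so a human must decide whether the condition actually limits it.
    """
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given as an object
        statements = [statements]
    findings = {}
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot expose data
        if "*" not in _principals(stmt.get("Principal", {})):
            continue
        label = "public-with-condition" if stmt.get("Condition") else "public"
        findings[stmt.get("Sid", "<no Sid>")] = label
    return findings


def public_acl_grants(acl):
    """Return (permission, who) pairs for ACL grants to the world groups."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        who = WORLD_GROUPS.get(grantee.get("URI"))
        if grantee.get("Type") == "Group" and who:
            hits.append((grant["Permission"], who))
    return hits


if __name__ == "__main__":
    print("public-read policy:", public_statements(PUBLIC_READ_POLICY))
    print("restricted policy: ", public_statements(RESTRICTED_POLICY))
    print("public ACL grants: ", public_acl_grants(PUBLIC_ACL))
```

In practice the same two functions can be fed the live output of `aws s3api get-bucket-policy` and `aws s3api get-bucket-acl` across every bucket in an account; the durable fix for the backup-bucket case is to keep the account-level S3 Block Public Access settings enabled so that neither a policy nor an ACL like the ones above can take effect, and to encrypt backups before they leave the origin host.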
Contact-tracer spoofing is already happening – and it’s dangerously simple to do
British people will soon begin receiving random phone calls from so-called “contact tracers” warning them about having been in close proximity with potential coronavirus carriers. One of many problems with this scheme is it’s dangerously easy to pose as a government contact tracer.
As detailed by the NHS, contact tracers will phone up and text people who report coronavirus symptoms to the government and demand lots of personally identifiable information – including information on other people. (The Register)
Contact Tracing: De-mystifying How an App Designed to Track People Can Ensure User Privacy and Security
Many governments in many countries around the world recognise that contact tracing plays a very important part in reducing the spread of the deadly disease, COVID-19. In this article, we take a look at the conventional method of contact tracing and compare it against how technology helps contact tracing, with its pros and cons.
Traditional contact tracing is a technique that is used by public health authorities to help slow the spread of a disease. It relies on manually obtaining information from individuals who have been infected and who they have been in contact with. Once individuals have been identified, they are then contacted, and relevant advice can be given. However, this is an onerous process, consuming a lot of manpower and resources, and quite often the results are mixed as individuals don’t necessarily remember who they have been in contact with in the past days or where they have been. (Tripwire)
Amtrak discloses data breach, potential leak of customer account data
The National Railroad Passenger Corporation (Amtrak) has disclosed a data breach that may have resulted in the compromise of customer personally identifiable information (PII).
The data breach was discovered on April 16, 2020. In a letter to the Attorney General’s Office of Vermont, made public on April 29, the rail service said that an unknown third party managed to fraudulently access Amtrak Guest Rewards accounts.
The Amtrak Guest Rewards service allows passengers to rack up points when they travel to exchange for discounts, hotels, and gift cards, among other offerings. (ZDNet)
How to Protest Without Sacrificing Your Digital Privacy
Thousands of protesters are filling the streets of American cities to protest the police killing of George Floyd, an unarmed black man, and police brutality writ large. Police officers have shown they’re more than willing to escalate violence with pepper spray, tear gas, rubber bullets, vehicles, and other dangerous crowd suppression measures. In addition, law enforcement are likely heavily surveilling protests with all sorts of tech and spying gear. Already, we’ve seen a Customs and Border Patrol drone flying over Minneapolis protests. (Vice)