Subscribe to this bi-weekly newsletter here!
Welcome to the latest edition of Pardon The Intrusion, TNW’s bi-weekly newsletter in which we explore the wild world of security.
If you own a smartphone, you’re probably being tracked as part of a pandemic surveillance system.
As the coronavirus outbreak accelerates, governments worldwide have turned to technology such as phone tracking and facial recognition to battle the virus and contain the outbreak.
These are unprecedented times we live in. But is it worth sacrificing personal privacy for the collective public good? Let’s go through how each country is handling it — strap in, this will be a long run down.
The US is said to be discussing plans to and deploy thermal cameras and amasslocation data from Google, Facebook, and telcos. Meanwhile, China and Russia have rolled out facial recognition thermometers and cameras to detect coronavirus symptoms and enforce quarantine orders; Hong Kong is slapping tracking bracelets on the wrists of all entrants to ensure no one breaks containment.
South Korea has resorted to CCTV footage and tracking of bank card and mobile phone usage to identify people who have been in contact with COVID-19 patients. But it’s also made public the places they visited before testing positive for the virus, potentially exposing their private lives.
Likewise, those entering Thailand and Vietnam from “at risk” countries are being provided with SIM cards so that they can download a government-mandated app that automatically tracks their location.
Taiwan has debuted a mobile phone-based “electronic fence” that uses location tracking to make sure quarantined people stay in their homes, and alert police if they cross the perimeter or turn off their phones.
Iran, one of the worst affected countries, launched an Android app called “AC19” to diagnose coronavirus symptoms, but it also gathers precise movements of its citizens in real-time.
Elsewhere in Europe, mobile carriers are sharing data (e.g. patterns of user movements) with the health authorities in Italy, Germany, and Austria to help monitor whether people are complying with curbs on movement, while also respecting GDPR laws — meaning the data collected is anonymous and aggregated.
Likewise, Israel has passed an emergency law that grants law enforcement access to the entire country’s cellphone location data. The Israeli Ministry of Health also released a new mobile app called “The Shield” that alerts users if they have been at a location at the same time as a known Coronavirus patient. To allay privacy concerns, the data is stored only locally and the complete source code has been made publicly available on GitHub.
In Singapore, the government is using text messages to contact people, who must click on a link to prove they are at home. That’s not all. The country launched a TraceTogether contact-tracing app (now open-sourced) that works by exchanging Bluetooth signals between phones to detect other participating users within a two-meter range.
Just like The Shield app, not only will the records of encounters be stored locally on the phone, it’s encrypted and doesn’t require access to a user’s location. “TraceTogether’s functionality will be suspended after the epidemic subsides,” reads the App Store description of the app.
Slovakia, inspired by similar legislation in Singapore, South Korea, and Taiwan, has passed a new law allowing state use of telecom data to track movements of people infected with the coronavirus to ensure they abide by quarantine rules. The government clarified that only limited data would be collected and that it would be used only in connection with the outbreak.
Latest to join the location tracking bandwagon is India, which is currently in the midst of a 21-day long nationwide lockdown to avert the spread of the virus. The app, called CoWin-20 and presently in beta on both Android and iOS, aims to track individuals by smartphone location and Bluetooth signals to prevent community spread.
If there’s a silver lining in adopting these technologies, it’s that they have been extremely successful in stopping the outbreak in China, Singapore, South Korea, and Taiwan.
But it also raises questions about consent, such as whether users can opt-out before such data is collected and stored — not to mention the potential danger of turning a blind eye to its privacy risks. Specifically, how long will the data collection go on and when will it be deleted? It’s also crucial to ensure that the gathered anonymized data cannot be reverse-engineered to track people.
Cybersecurity expert Bruce Schneier said that any data collection and digital monitoring initiative “must be scientifically justified and deemed necessary by public health experts for the purpose of containment. And that data processing must be proportionate to the need.”
In a blog post outlining the need to protect civil liberties during the crisis, the Electronic Frontier Foundation said bypassing certain privacy protections is warranted, but warned that “any extraordinary measures used to manage a specific crisis must not become permanent fixtures in the landscape of government intrusions into daily life.”
The rush to develop digital methods to fight COVID-19 shouldn’t result in systems which would allow unprecedented surveillance of society at large.
Put differently, these programs shouldn’t pave the way for government overreach or draconian monitoring systems that will continue to live on even after the current outbreak has died down. Including strong privacy guarantees is the right means to make certain that “emergency measures don’t become the new normal.”
No doubt, it’s a slippery slope. In the race to stem its spread and control the situation, mobilizing a surveillance apparatus to help contain the outbreak of the coronavirus requires an adequate balance between transparency, meeting public health needs, and civil rights.
Do you have a burning cybersecurity question, or a privacy problem you need help with? Drop them in an email to me, and I’ll discuss it in the next newsletter! Now, onto more security news.
What’s trending in security?
Unsurprisingly, hackers are continuing to exploit the Coronavirus pandemic to scam users. In the past two weeks, the World Health Organization came under a cyberattack, personal details of more than 538 million Weibo users were available for sale, and Finastra became the victim of a ransomware attack.
- COVID-19 continues to be a goldmine of opportunity for attackers to stage a variety of malware attacks, phishing campaigns, and create scam sites and malicious tracker apps. Even the World Health Organization became a target of a cyberattack. [Reuters]
- The personal details of more than 538 million users of Chinese social network Weibo are currently available for sale online, including real names, site usernames, gender, location, and — for 172 million users — phone numbers. [Abacus / ZDNet]
- Russian hacker group Digital Revolution is said to have breached a contractor for the FSB, Russia’s national intelligence service, and discovered details about a project intended for hacking IoT devices. [BBC Russia / ZDNet]
- The European Network of Transmission System Operators for Electricity, aka the ENTSO-E, an organization that ensures the coordination of energy markets across the EU, said its IT network was hacked. [Dragos]
- An academic study from School of Computer Science and Statistics at Trinity College found Microsoft’s Edge browser to be the least private, due to it sending privacy-invasive telemetry to Microsoft’s back-end servers — including “persistent” device identifiers and URLs typed into browsing pages. [Web Browser Privacy]
- India is putting together plans to build a database to track citizens’ every move by 2021. [TNW via HuffPost]
- Cybercriminals are now impersonating hospitals to send out fake HIV test result emails in an attempt to trick recipients into opening malicious content embedded into the message. [Proofpoint]
- Researchers found a new hacking campaign that uses the “njRat” trojan to hijack a victim’s machine, giving the threat actors complete access that can be used for anything from conducting DDoS attacks to stealing sensitive data. Worse, the baddies behind the operation are spreading the malware by turning hacking tools and other installers into trojans and selling them in multiple forums. [Cybereason]
- A new kind of Android stalkerware, dubbed “MonitorMinor” and likely of Indian origin, abuses root permissions and accessibility features to access data present in chat apps such as Instagram, Facebook, Kik, Hangouts, Viber, Skype, Hike, and Snapchat. [Kaspersky]
- As the coronavirus pandemic rages on, here’s how you can protect yourself from scams and stay secure while working remotely. [McAfee / EFF]
- A new ransomware gang has been targeting the networks of French local government authorities with Pysa ransomware. In a separate development, fintech company Finastra was hit by ransomware. But there is some honor among thieves — for ransomware gangs have also pledged that they won’t attack healthcare organizations during the coronavirus pandemic. [CERT-FR]
- Microsoft has warned of new zero-day exploits impacting Windowsthat it can’t fix right away. [TNW via Microsoft]
- Kaspersky researchers have discovered a new “WildPressure” campaign that targets industrial entities in the Middle East to take remote control of the systems via a trojan called “Milum.” [Kaspersky]
- After MIT researchers disclosed glaring security holes in the Voatz mobile voting election app — including the possibility that hackers could change votes cast through the app — an independent “white-box” security audit of the platform has resulted in 79 findings, a third of which are high severity. Voatz has addressed eight issues and partially addressed six issues, while 34 technical issues still remain unfixed. [Trail of Bits]
- The past two weeks in data breaches and leaks: UK shopper records, and US citizens’ personal, demographic and real estate asset data are out in the open.
Tweet of the Week
Everyone working remotely:
ZOOM monitors the activity on your computer and collects data on the programs running and captures which window you have focus on.
If you manage the calls, you can monitor what programs users on the call are running as well. It’s fucked up.
— Wolfgang ʬ (@Ouren) March 21, 2020
That’s it. See you all in 2 weeks. Stay safe!
Ravie x TNW (ravie[at]thenextweb[dot]com)