Pardon the Intrusion #15: Zooming out

Subscribe to this bi-weekly newsletter here!

Welcome to the latest edition of Pardon The Intrusion, TNW’s bi-weekly newsletter in which we explore the wild world of security.

Zoom is having a security reckoning.

Let’s face it. Zoom is everywhere. The video conferencing software has skyrocketed in use in the wake of the coronavirus pandemic, growing to more than 200 million daily active users in just a span of three months.

The latest is that one of Zoom’s shareholders is filing a class-action suit against the company for “overstating its privacy standards and failing to disclose that its service was not end-to-end encrypted.”

But let’s take a look at the last few rocky weeks for Zoom that have led up to this point. It’s almost drowned in a sea of privacy and security gaffes, including potential theft of user data, leaked email addresses, and, last but not least, the serious problem of Zoombombing, where trolls take advantage of open or unprotected meetings and poor default configurations to take over screen-sharing and broadcast porn or other explicit material.

As if these weren’t enough, its entire security architecture was called into question after concerns were raised about how it encrypts audio and video content of the meetings, with the keys generated for cryptographic operations delivered to the participants routed through servers in China. Taiwan, in response, has banned government bodies from using the app. So has the US Senate, which is urging members not to use Zoom.

Zoom CEO Eric S. Yuan responded to Citizen Lab’s findings, stating given the period of heavy traffic, they were forced to add server capacity quickly, and “in our haste, we mistakenly added our two Chinese datacenters to a lengthy whitelist of backup bridges, potentially enabling non-Chinese clients to — under extremely limited circumstances — connect to them.”

It has also announced a 90-day freeze on releasing new features to “better identify, address, and fix issues proactively,” and to conduct a comprehensive review with third-party experts.

On one hand, the company is dealing with an unprecedented surge in regular users who are now using what was originally meant to be an enterprise chat product to host everything from cabinet meetings to yoga classes. On the other hand, many of Zoom’s problems are the result of its sloppy architecture.

Zoom’s moment in the spotlight has been marred by privacy blunders and security woes. But if this public scrutiny can make it a more secure product, it can only be a good thing in the long run.

***

By the way, we have a new newsletter: Coronavirus in Context, our weekly update tracking the pandemic’s spread, and keeping tabs on the tech trying to stop it. Update your subscription preferences to receive it every Tuesday.

Do you have a burning cybersecurity question, or a privacy problem you need help with? Drop them in an email to me, and I’ll discuss it in the next newsletter! Now, onto more security news.

What’s trending in security?

The ongoing coronavirus outbreak is making companies resort to a variety of ways to track remote employees. And did I mention Marriott suffered a second data breach and the personal details of nearly 4.9 million Georgians were published on a hacker forum?

• Just because you’re working from home doesn’t mean you can slack off. The outbreak is leading companies to get creative in the ways they’re tracking their remote employees. [Bloomberg]
• The European Union adopted a pan-European approach on the use of mobile applications to track the spread of the coronavirus after a privacy watchdog called for strong data protections, instead of every country making its own. [EDPS]
• An international group of ~400 cybersecurity experts from over 40 countries have come together to fight hacking related to the coronavirus pandemic. [Reuters]
• City authorities in Moscow are tracking the movements of its residents through a mandatory app that needs to be installed on their smartphones. Don’t have a smartphone? The city is happy to lend you one. But an early version of the app was pulled from Google Play Store after it was dubbed “illegal” over its ability to access far more than a person’s location data. It also accessed the camera and address book, and sent the collected information back to the government’s servers, unencrypted. [TNW / NPR]

• It’s not just Russia. Close to 28 countries, including the US, the UK, Turkey, and India, are on board too. But Australia declared this kind of monitoring doesn’t align with national values. Privacy International suggested any such use of data must be subject to “extraordinary protections,” and pointed out it’s possible under some circumstances to deanonymize data. [Privacy International]
• Google’s Threat Analysis Group revealed an unnamed group of hackers used no fewer than five flaws in Internet Explorer, Chrome, and Windows to target North Korea‘s internet users in 2019. The group used phishing emails carrying malicious attachments or links that planted malware on victims’ machines. Russian security firm Kaspersky claims it’s the handiwork of “DarkHotel,” a hacking group that works for the South Korean government. [Google / WIRED]
• Google said it sent users 40,000 warnings about phishing or malware attempts from nation-states in 2019, a 25% drop year-over-year, with residents in the US, India, Pakistan, Japan, and South Korea collectively receiving more than 1,000 warnings. It also found North Korean and Iranian hackers impersonating journalists in phishing efforts. [Google]
• Coronavirus-themed cyberattacks show no signs of dying anytime soon. A new kind of malware wipes data stored in infected computers, while a malicious Android app targeting Spanish citizens poses as a virus tracker app to install banking trojans. [Interpol]
• Talk about irony! Facebook sought Israeli surveillance vendor NSO Group‘s help to buy software to better spy on its users. Speaking of NSO Group, the company is marketing software that uses mobile phone data to monitor and predict the spread of COVID-19. [Motherboard]
• Booz Allen Hamilton published an extensive report detailing 15 years (2004 to 2019) of cyber operations carried out by Russia‘s state-sponsored hackers to advance its foreign policy in the global arena. [Booz Allen Hamilton / ZDNet]

• We’re all familiar and (probably) used to apps tracking our every move and sharing them with other parties. Now, in a twist, more than 4,000 Android apps have been found to silently access the list of apps installed on your phone, too. [Ars Technica]
• A security researcher scored a $75,000 bounty for finding seven bugs in Apple’s Safari browser which could’ve made it possible for an attacker to access the device’s cameras without your permission. The bugs were fixed in a series of updates to Safari in versions 13.0.5 and 13.1. [Ryan Pickren]
• A group of Nigerian email scammers, dubbed “SilverTerrier,” carried out at least 92,000 business email compromise attacks monthly on average in 2019. [Palo Alto Networks]
• A Chinese hacking crew, named APT41, is exploiting flaws in Cisco and Citrix’s networking products and Zoho ManageEngine Desktop Central as part of a widespread espionage campaign. [FireEye]
• HackerOne, a company that pairs ethical hackers with organizations to fix software flaws, expelled mobile voting vendor Voatz from its security program over hostile interactions with researchers. This is the first time it’s cut ties with an organization. [CyberScoop]
• Twitter fixed a bug that cached private files sent or received via DMs on Firefox browsers. [ZDNet]
• The past two weeks in breaches, leaks, and ransomware: Chubb, Email.it, Kimchuk, Marriott, Tupperware, and the entire country of Georgia had their personal details leaked.

Data point

If there’s one thing for certain during a pandemic, it’s that hackers will exploit the crisis for their own gain. From cyberattacks to phishing scams to extortion emails and malicious websites, a long list of digital threats have piggybacked on the coronavirus outbreak in recent weeks.

Now, according to research from Sophos, spam emails related to coronavirus are taking up close to 2.5% of total spam volume, indicating a steady increase in March alone.

“With global spam volumes estimated to be in the hundreds of billions, for 2-3% of those to be COVID-19 themed is significant,” says Chet Wisniewski, Principal Research Scientist at Sophos. “Similar to A/B testing of advertisements and web pages, criminals often dip a toe in the water when there is a new or sensational topic in the news. If the new topic proves a more effective lure than the previous scam bait they begin switching to new lures.”

Takeaway: As governments and companies scramble to contain the situation, security researchers are trying to better understand and detect the current spike in malware. And as long as the threat from the coronavirus remains, so will the risk from hackers. All this has led the FBI to issue a PSA, urging users to watch out for fake CDC emails and phishing emails asking recipients to verify their personal information:

“Scammers are leveraging the COVID-19 pandemic to steal your money, your personal information, or both. Don’t let them. Protect yourself and do your research before clicking on links purporting to provide information on the virus; donating to a charity online or through social media; contributing to a crowdfunding campaign; purchasing products online; or giving up your personal information in order to receive money or other benefits.”

That’s it. See you all in two weeks. Stay safe!

Ravie x TNW (ravie[at]thenextweb[dot]com)