Pardon the Intrusion #16: Phishing in the time of COVID-19

Pardon the Intrusion #16: Phishing in the time of COVID-19

Subscribe to this bi-weekly newsletter here!

Welcome to the latest edition of Pardon The Intrusion, TNW’s bi-weekly newsletter in which we explore the wild world of security.

Since COVID-19 began spreading all over the world, governments have embraced a variety of invasive contact-tracing measures via smartphones. Now Apple and Google have teamed up in a rare joint effort to do just that while possibly still preserving the privacy of individuals who use them.

A few weeks ago they proposed an opt-in automated system which will use Bluetooth-based identifiers to keep track of whether a smartphone’s owner has come into contact with someone who is later positively diagnosed with coronavirus.

Most importantly, it will be interoperable between the two dominant smartphone platforms — Android and iOS — and will turned off on a region-by-region basis when the pandemic is over.

The project — influenced by similar proposals from researchers at Carnegie Mellon (NOVID), MIT (Private Kit: Safe Paths), Stanford (COVID Watch), and TCN Coalition — is an important step because it makes zero use of location data. (This, however, doesn’t prevent apps using Google and Apple’s API from asking for your location data anyway.)

While it’s clear that the upcoming system has some privacy advantages, it’s essential that it doesn’t collect any information it shouldn’t and stores as much data as possible on the user’s device rather than in a central server.

Similar debates around Bluetooth tracking are taking place in Europe too, including approaches such as Decentralized Privacy-Preserving Proximity Tracing (DP3T) and Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT).

Digital contact tracing for tackling COVID-19 is far from perfect and ready for prime time, but the plan is to automate the process and hopefully lay the groundwork for something that could be useful against similar health emergencies in the future.

But even with this Bluetooth tech, there are still some hurdles: It would need a widespread adoption and people would have to “trust” the system enough to share their proximity data and infection status. Plus, such solutions may not adequately account for the potential abuse and the risk of false positives, or the possibility of a correlation attack.

“I suspect the tracing apps are really just do-something-itis,” security researcher Ross Anderson said.

Yet there’s a paradox here. If the app is voluntary, nobody really has an incentive to use it, and the efficacy of contact tracing becomes extremely limited. On the other hand, if it’s made compulsory in workplaces, schools, universities, and grocery stores, it could easily defeat the opt-in nature of the system — thus inadvertently feeding the mass surveillance system it was meant to stop.

After all, it’s impossible for Apple and Google to go after businesses and governments and stop them from forcing it on the society at large. This is an ethical dilemma that neither seem to be addressing as yet.

What’s trending in security?

Google is blocking more than 18 million malware and phishing emails related to COVID-19 daily, with over 240 million COVID-related spam messages filtered daily. Security firm Carbon Black said ransomware attacks against corporations it monitored jumped 148% in March from the previous month. In a piece of good news, Jitsi, the open-source video calling platform, said it’s working on end-to-end encryption.

  • The Tor Project, which is behind the Tor privacy browser, is laying off a third of its staff amidst the coronavirus outbreak. [Tor]
  • Zoom is still reeling from its security fallout. The Indian government has deemed the videoconferencing tool “unsafe” and is offering local tech companies $130K to build an encrypted alternative. [TNW]
  • More Zoom. The company fixed a vulnerability in its Waiting Rooms feature, and released a new version with “robust security enhancements.” On the flip side, more than 500,000 Zoom accounts were found being sold on the dark web. Plus, it also looks like its security woes were no secret to its business customers such as Dropbox, which brought to light a flawthat could allow an attacker to secretly take control of Mac users’ webcams. Zoom took months to repair the bug. [Citizen Lab / Bleeping Computer]
  • Financially motivated hackers continue to use pandemic fears as bait to install malware, steal information, and make some profit. Baddies are increasingly using COVID-19 lures to target public and private sector firms in Azerbaijan and Ukraine, while the US Federal Trade Commission said approximately $12 million was lost to coronavirus-related scams in the past four months. [Cisco Talos]

  • Travelex paid $2.3 million in ransom to recover access to its systems following a ransomware attack last December. [TNW]
  • Google ousted 49 Chrome browser extensions from its Web Store that posed as cryptocurrency wallets but contained malicious code to siphon off sensitive information and steal users’ digital funds. [The Hacker News]
  • Google said it’s backing Apple’s proposals for a common SMS-based one time password authentication format. [ZDNet]
  • Iranian state-sponsored hackers, dubbed “Charming Kitten,” are using chat apps such as Telegram for espionage operations. The same threat group had targeted the World Health Organization earlier this month, as government-backed attackers are ramping up coronavirus-themed themes as lure for phishing and malware attempts. [Bloomberg]
  • Pastebin, a popular paste site and a destination for hackers, quietly removed a scraping API due to abuse by third-parties, frustrating researchers and making it harder to search for lists of stolen passwords, announcements of data breaches, and malware. The company said it’s evaluating options to develop a model for independent researchers. [Motherboard]
  • Clearview, the controversial AI company, suffered a security lapse that made it possible for anyone on the internet to access the source code of its apps. [TechCrunch]
  • After months of lying low, state-backed Chinese actor — called “Evil Eye” — is once again targeting the Uyghur Muslim minority in China using a new iOS exploit that Apple patched with iOS 12.4. [The Hacker News]

  • A flaw in TikTok could allow an attacker to hijack any video content streamed to a user’s TikTok feed and swap it out with their own videos. [Tommy Mysk]
  • Brazil dropped plans to use surveillance tools to monitor people’s movements during the outbreak, citing privacy concerns. [ZDNet]
  • Zero-day flaws are being increasingly commodified to develop hacking tools and sell them to intelligence agencies around the world. [FireEye]
  • About 40 contracting facilities with access to classified information have been targeted by a China-linked “Electric Panda” hacking group since February. [Politico]
  • Highly targeted spearphishing emails are being sent to oil and gas companies in hopes of infecting them with the Agent Tesla spyware. [Bitdefender]
  • Apple is patching two security flaws impacting its native Mail app with iOS 13.4.5. They could allow an attacker to leak, modify, and delete emails, and have been leveraged by a threat actor to target high profile executives from Germany, Israel, Japan, and Saudi Arabia. [ZecOps]
  • Cyber baddies are selling Facebook data from more then 267 million profiles on criminal dark web forums for £500, or about $618. [Bleeping Computer]
  • IT services giant Cognizant suffered a Maze ransomware attack, causing disruptions to its clients. But hackers linked to Maze have denied involvement in the attack. [Cognizant]

Data point

Remediating security bugs can take a long time. At least, that’s the consensus from a new report from Kenna Security, which analyzed the time to remediation across a number of firms and “learned that 45% of vulnerabilities are closed in the first month, two-thirds are closed within three months, and just under 20% stick around longer than a year.”

Takeaway: To date, there are over 130,000 vulnerabilities published in the National Vulnerability Database (NVD). But it’s not just a matter of fixing them, as organizations need to identify every affected system and ensure they’re patched the right way. “In a world where a single high-risk vulnerability can have catastrophic consequences, effective patch prioritization and speed are the keys to security regardless of the type of device or software it sits on,” the report says.

That’s it. See you all in two weeks. Stay safe!

Ravie x TNW (ravie[at]thenextweb[dot]com)

Read next: Boston Dynamics is open-sourcing its robot tech to help hospitals fight coronavirus

Corona coverage

Read our daily coverage on how the tech industry is responding to the coronavirus and subscribe to our weekly newsletter Coronavirus in Context.

For tips and tricks on working remotely, check out our Growth Quarters articles here or follow us on Twitter.