Srsly Risky Biz: Tuesday, April 7, 2020

Written by

Brett Winterford

You can subscribe to the weekly Seriously Risky Business newsletter at our SubStack page. Feedback welcome at editorial@risky.biz.

Zoom gets schooled on security

Videoconferencing startup Zoom will enact a 90-day feature freeze while it works to address a long list of security issues raised in recent weeks. Zoom’s user base has skyrocketed from 10m to 200m this year as schools, businesses and even politicians have scrambled to find easier ways to meet while under lockdown.

To the company’s credit, recently reported security vulnerabilities and some misconfigurations - such as excessive data sharing with Facebook and LinkedIn - have been addressed far faster than bugs found in 2019. It has also turned password-protection on by default.

But now - as the company responds to lawsuits and investigations - it can expect scrutiny over the more fundamental security attributes of the app. Citizen Lab has queried its access controls, its use of non-standard encryption and the occasional routing of cryptographic keys through China. Expect to see some significant changes in the weeks ahead.

The Risky.Biz view - as discussed in last week’s podcast - was that using Zoom for your kid’s trombone class is probably fine but there are better platforms for sharing cabinet-level secrets.

Germany, England follow Asia into contact tracing apps

Germany and the UK are working on privacy-preserving apps that use Bluetooth to trace who may have come into contact with COVID-19.

Germany is planning the release of an opt-in app called PEPP-PT in mid-April that allows a user to switch on Bluetooth-based contact tracing for authorities, while providing them the choice to retain anonymity. The UK National Health Service (NHS) is working on a similar app via which users can opt in to release warnings to other users if and when they test positive to COVID-19, without necessarily sending the data to authorities.

The US Government has a number of privacy-preserving academic efforts to choose from: MIT’s Safepath (released, GPS-based) or Stanford-based COVID-Watch (unreleased, Bluetooth-based) among them - assuming US tech giants don’t already have something of their own in the works.

The app that inspired many of these efforts appears to be floundering. Around 1 in 8 Singaporeans (1 million) have downloaded the TraceTogether contact tracing app after being “strongly encouraged” by the government. Now the authorities concede that all citizens need to download it and have it running in the foreground for it to be effective. The app still hasn’t been released to open source, as previously promised.

Tracking Quarantine Surveillance

Here is a quick recap of how various countries are using technology for quarantine surveillance:

  • Quarantine surveillance efforts in China vary according to region, with 900 million monitored using the colour-coded ‘Health Code’ app. Surveillance efforts appear increasingly fragmented - with reports that some regions rely on party officials, nosy neighbours and door alarms to physically constrain movement.
  • South Korea and Taiwan both compel quarantined individuals to download an app that tracks their movements using GPS. An opt-in app called the ‘Corona 100’, meanwhile, uses this data to warn users if they come within 100m of locations where COVID-positive individuals traversed.
  • Russia has applied facial recognition systems to its extensive CCTV network in Moscow to crack down on people who break quarantine.
  • In Israel, intelligence service Shin Bet was granted permission to use its cell phone and credit card tracking systems to identify individuals breaking quarantine. It claims to have identified 500 violations to date. Israeli authorities are also investigating use of an NSO Group tool to augment this effort.
  • Hong Kong asks quarantined individuals to wear a wristband marked with a QR code and download the StayHomeSafe smartphone app. The app claims to calibrate for a user’s premises by asking the user to frequently scan in as they walk around its perimeter, allowing the app to ‘map’ the premises against nearby WiFi and Bluetooth signals. Reviews suggest the app is defective, and that the QR code wears off within days. Support lines for the app are choked.
  • Poland and the Indian states of Karnataka and Telangana ask quarantined COVID-carriers to upload and send a photo of themselves once an hour so that authorities can check their GPS coordinates. Polish citizens have complained that the iOS and Android apps are defective - they get constant police visits as a result.

Social networks grapple with COVID misinformation overload

Facebook, Twitter and Google continue to adapt their content moderation strategies, two weeks into their agreement to tackle misinformation. Google removed ‘thousands’ of misleading YouTube videos and Twitter removed 1000+ posts deemed to contain a call to action that poses harm to human health.

Twitter and Facebook deleted posts from Brazilian President Jair Bolsonaro and Venezuelan President Nicolas Maduro (Twitter-only) that perpetuated harmful advice. Concerned about Chinese propaganda efforts, US lawmakers asked Twitter to remove the Chinese Communist Party from the platform entirely.

Neither platform has moderated Western leaders who made similar statements earlier in the crisis. Facebook argues that US citizens “should be allowed to make their own judgements about what politicians are saying.” This week’s Risky Business Live webcast features a chat between Alex Stamos (Stanford University) and Zeynep Tufekci (University of North Carolina) on the subject.

Facebook-owned WhatsApp is testing tweaks that limit the forwarding of a single message and offer message recipients a one-click function to run the text of the message in a search engine to check on its authenticity. The Global Disinformation Index, meanwhile, called out the big name brands who (knowingly or not) have advertised on websites spreading COVID-19 misinformation.

Attackers interested in your internal web apps

This week there has been an influx of reports about attackers scanning for internal enterprise apps erroneously exposed to the internet.

One report discusses brute-force attacks against MS-SQL databases compromising ~3000 servers a day to install crypto-mining software. Another reports 15,000 unprotected Elasticsearch databases being deleted by attackers. Security researchers have also released data about misconfigured Docker containers and Atlassian Jira servers - but these only number in the hundreds.

So yes, it’s really just another day on the internet. But just to be sure, here are a few recommended security configs for Elasticsearch, SQL Server, Atlassian Service Desk and Docker.

Apple moves to lock down webcams, microphones

You could be forgiven for thinking Zoom is the only video conferencing tool under the microscope by security researchers.

Apple has fixed three security vulnerabilities found in its Safari browser that - when chained together - could be used to take control of a victim’s webcam and microphone. The bugs could collectively convince iOS or macOS that the attacker’s code was an application trusted to use the devices. Apple patched the bugs in its January and March updates.

Apple has also introduced a safety mechanism in its latest iPads and Macs that logically disconnects the microphone on the device once it is closed, a tacit acknowledgement that Apple devices aren’t immune from remote access trojans and other malware.

Three reasons to actually be cheerful this week:

  1. MITRE ATT&CK gets more useful: MITRE has introduced ‘sub-techniques’ to its much-loved ATT&CK framework, providing intel analysts and tool vendors additional granularity to map attacker behaviour.
  2. Insider threat ≠ poor security: Morrison Supermarkets has won a UK Supreme Court appeal that would otherwise have made it liable for the malicious actions of an IT auditor who used his privileged access to leak the company’s payroll data. The breach wasn’t for lack of controls and the company’s response wasn’t terrible.
  3. Microsoft eradicated an entire class of Windows bug thanks to the work of a single security researcher. Hurrah, Gil Dabah.

Shorts

Chinese VPNs under attack: Chinese security researchers claim that Chinese Government networks are under attack via a zero-day in a popular VPN SSL server, attributing the activity to South Korean group DarkHotel. The report serves to amplify CCP claims that China is a victim of cyberattacks as often as it is a perpetrator.

Android apps let devs back in: An academic study found that 8% of Android apps allow developers remote access via hidden access keys or secret commands.

Russian BGP hijack: Russia’s state-owned telco Rostelecom redirected traffic for 200+ networks through its network for more than an hour last week. They are yet to explain why.

GoDaddy phished: Traffic to Escrow.com was briefly redirected to a third party after an attacker successfully compromised a staff member of its domain registrar, GoDaddy. The registrar claims the attack only affected six of its clients.

COVID-flavoured BEC: The FBI warns that Business Email Compromise actors are using COVID-19 as a convenient cover story when spoofing suppliers. Be wary of any email asking for a change in supplier payment details, especially those that claim the change was necessary because of COVID-19.

US gearing for mail-in election: Our hot tip is that most ballots will be distributed electronically, marked by hand and returned in the post for the General Election in November. See our feature story in Risky.Biz.
