Newsletters

Apple and Google have answered a call from policy makers to build a consent-based contact tracing tool for Android or iOS devices.

The two organisations will release OS updates in mid-May that allow health authorities to use 'contact detection' APIs developed by Apple and Google to launch multi-platform contact tracing apps.

Under the published design, if two users of these apps have been in close proximity for a designated period of time, their devices exchange a set of identifiers (ephemeral 'tracing keys') via Bluetooth Low Energy (BLE). Storage of these anonymised identifiers is decentralised - stored only on user devices.

Videoconferencing startup Zoom will enact a 90-day feature freeze while it works to address a long list of security issues raised in recent weeks. Zoom’s user base has skyrocketed from 10m to 200m this year as schools, businesses and even politicians have scrambled to find easier ways to meet while under lockdown.

To the company’s credit, some misconfigurations - such as excessive data sharing with Facebook and LinkedIn and recently reported security vulnerabilities - have been addressed far faster than bugs found in 2019. It has also turned password-protection on by default.

But now - as the company responds to lawsuits and investigations - it can expect scrutiny over the more fundamental security attributes of the app. Citizen Lab has queried its access controls, its use of non-standard encryption and the occasional routing of cryptographic keys through China. Expect to see  significant changes in the weeks ahead.

Cybercrime gang FIN7 has added some old school tools to its arsenal - sending US targets malware-infected USB keys in the post. Expect the FBI’s warning on the subject to feature in future Powerpoint pitches for USB lockdowns. Is it now time to start including USB drops in the pen test scope again?

Ransomware source code unleashed: Researchers have noted that the source code for Dharma ransomware - which extorted at least US$24 million from victims last year alone - is for sale online for US$2k. Variants of Dharma already abound, but there’s naturally concern for how many bad actors might have it now.

Hot Plastic - Attackers installed a web skimmer to steal customer credit card details from the Tupperware website last week. Tupperware didn’t respond to warnings from security researchers for five days, but removed the code once ZDNet journalist Catalin Cimpanu published a story.

Lawmakers have asked US tech companies to contribute data to help health authorities monitor quarantine compliance and trace recent contacts of people infected with coronavirus.

As authorities the world over rush to flatten the curve of coronavirus infections, even the most diehard privacy advocates are exhibiting a willingness to temporarily let civil liberties slide in the name of saving lives.

You might be surprised by which of our regular Risky.Biz contributors said as much when we hosted a livestream discussion on cell phone tracking earlier today - which featured Dmitri Alperovitch, Adam Boileau, Patrick Gray and Alex Stamos.

Welcome to the first edition of Seriously Risky Business, your weekly batch of the big stories shaping cyber policy, curated by Brett Winterford.

Feedback welcome at editorial@risky.biz

If we hoped ransomware gangs would give hospitals a reprieve during a global health epidemic, prepare to be disappointed. Local Czech media reports that the University Hospital in Brno - the country’s second-largest - had to shut down and isolate systems and re-route some patients to counter a ransomware infection.

Welcome to the pilot edition of Seriously Risky Business, your weekly batch of the big stories shaping cyber policy, curated by Brett Winterford.

Feedback welcome at editorial@risky.biz

US Attorneys failed to convince a jury that former CIA exploit developer Josh Schulte dumped an archive about the agency’s offensive cyber weapons program to Wikileaks (the ‘Vault 7’ leaks).