Newsletters

Russia has some competition in the disinformation game.

The US administration's claim that the COVID-19 outbreak was caused by a laboratory accident was based on a report that has now been thoroughly debunked.

The Daily Beast asked Bellingcat and the Middlebury Institute to analyse a leaked 30-page report produced by DoD contractor Sierra Nevada Corporation, which circulated - and appears to have been taken seriously - by the White House and multiple Congressional committees. The Sierra Nevada report mined commercially-available cell phone location data to conclude that a disruptive event occurred at the Wuhan Institute of Virology in October 2019.  It casually attributed it to a coronavirus outbreak.

The United Kingdom has released the NHS COVID-19 app for users on the Isle of Wight. The app features a crafty workaround for keeping alive connections between iOS devices running in the background. The Financial Times also reports that an alternative version based on the Gapple framework is under parallel development, should it be required. The client-side source code for the NHS app was released on day one alongside high-level security designs, as was a lengthy justification by NCSC Director Dr Ian Levy of why the UK opted for a centralised approach. (Spoiler: UK authorities want to know more than which user was in proximity to a person that later tests positive to COVID-19. They don't want to miss out on the opportunity to build a social graph from incidental data pulled from an infected user's device - see 'other interaction data' on this infographic).

In Australia, government agencies are responding with newfound maturity to bugs in the COVIDSafe app after being grilled in a Senate Estimates hearing on Wednesday. Risky.Biz is aware of a new set of security and privacy bugs in COVIDSafe. One is a Denial-of-Service condition that impacts all derivatives of Singapore's TraceTogether (including COVIDSafe and ABTraceTogether in Alberta, Canada). Encouragingly, Australia's Digital Transformation Agency responded to security researchers within a day, validated the bug within a further three hours and promised a fix in a future release. The DTA also released client-side source code for the COVIDSafe contact tracing app. It doesn't reveal much more than what could be gleaned from decompiled code - so it's only a half-step to transparency at this point.

Europe continues to be split down the middle between centralised and decentralised approaches: Switzerland pilots its decentralised contact tracing app (based on DP-3T protocol) on May 13, and will pass similar laws to Australia that ban employers or other parties from forcing people to use the app. Austria's second attempt at a contact tracing app - also based on the decentralised DP-3T protocol - launches later today.  France's centralised app won't be available until June 2, while Germany has only just commissioned SAP and Deutsche Telekom to come up with an alternative.

How's this for a cogent data point: Catalin Cimpanu at ZDNet had the curiosity and foresight to search for the word 'ransomware' in recent SEC filings. Cimpanu found that over 1000 public US companies now list ransomware attacks as a forward-looking risk.

It wasn't long ago that a company getting popped in a ransomware attack would rate a mention on the Risky Business podcast. Today, it takes a novel attack to raise an eyebrow.

The risk community commonly views human-operated ransomware as a high impact event - the cost of attacks on Norsk Hydro (US$75m) and Travelex (US$30m) ensured it - but until recently it didn't score quite so high on the likelihood axis.

It's seriously risky business to shut the world's second-largest economy out of your telecommunications sector altogether.

This week the US Federal Communications Commission ordered three Chinese State-owned telcos to 'show cause' for why it shouldn't expunge their license to operate in the United States.

FCC previously banned Chinese networking equipment, blocked China Mobile from entering the US market and blocked Google from connecting undersea cables between the US and Hong Kong.

As discussed on our livestream, there are no technical impediments to capturing enrolment data in apps that make use of the Gapple API. Developers could feasibly link contact details captured at enrolment to notifications generated through the Gapple API to support existing manual contact tracing processes. The only change use of the Gapple framework imposes on an app is the order in which an at-risk individual is notified - first by the Gapple OS feature, followed by a call from health authorities.

This analysis assumes Apple and Google won't block apps that include these additional features. It's incumbent on the mobile OS companies to provide assurance to health authorities by clearly elucidating to the public what would constitute abuse of the service.

More broadly, the EU announced a minimum set of requirements for all contact tracing apps across Europe, insisting on user consent, no location tracking, anonymised data and a post-pandemic plan for switching off tracing features. EU academics are meanwhile split over whether to take a decentralised approach to contact tracing (using the DP-3T contact tracing protocol) or to allow health authorities greater control and access to data (the ROBERT protocol).

Apple and Google have answered a call from policy makers to build a consent-based contact tracing tool for Android or iOS devices.

The two organisations will release OS updates in mid-May that allow health authorities to use 'contact detection' APIs developed by Apple and Google to launch multi-platform contact tracing apps.

Under the published design, if two users of these apps have been in close proximity for a designated period of time, their devices exchange a set of identifiers (ephemeral 'tracing keys') via Bluetooth Low Energy (BLE). Storage of these anonymised identifiers is decentralised - stored only on user devices.

Videoconferencing startup Zoom will enact a 90-day feature freeze while it works to address a long list of security issues raised in recent weeks. Zoom’s user base has skyrocketed from 10m to 200m this year as schools, businesses and even politicians have scrambled to find easier ways to meet while under lockdown.

To the company’s credit, some misconfigurations - such as excessive data sharing with Facebook and LinkedIn and recently reported security vulnerabilities - have been addressed far faster than bugs found in 2019. It has also turned password-protection on by default.

But now - as the company responds to lawsuits and investigations - it can expect scrutiny over the more fundamental security attributes of the app. Citizen Lab has queried its access controls, its use of non-standard encryption and the occasional routing of cryptographic keys through China. Expect to see  significant changes in the weeks ahead.

Cybercrime gang FIN7 has added some old school tools to its arsenal - sending US targets malware-infected USB keys in the post. Expect the FBI’s warning on the subject to feature in future Powerpoint pitches for USB lockdowns. Is it now time to start including USB drops in the pen test scope again?

Ransomware source code unleashed: Researchers have noted that the source code for Dharma ransomware - which extorted at least US$24 million from victims last year alone - is for sale online for US$2k. Variants of Dharma already abound, but there’s naturally concern for how many bad actors might have it now.

Hot Plastic - Attackers installed a web skimmer to steal customer credit card details from the Tupperware website last week. Tupperware didn’t respond to warnings from security researchers for five days, but removed the code once ZDNet journalist Catalin Cimpanu published a story.

Lawmakers have asked US tech companies to contribute data to help health authorities monitor quarantine compliance and trace recent contacts of people infected with coronavirus.

As authorities the world over rush to flatten the curve of coronavirus infections, even the most diehard privacy advocates are exhibiting a willingness to temporarily let civil liberties slide in the name of saving lives.

You might be surprised by which of our regular Risky.Biz contributors said as much when we hosted a livestream discussion on cell phone tracking earlier today - which featured Dmitri Alperovitch, Adam Boileau, Patrick Gray and Alex Stamos.

Welcome to the first edition of Seriously Risky Business, your weekly batch of the big stories shaping cyber policy, curated by Brett Winterford.

Feedback welcome at editorial@risky.biz

If we hoped ransomware gangs would give hospitals a reprieve during a global health epidemic, prepare to be disappointed. Local Czech media reports that the University Hospital in Brno - the country’s second-largest - had to shut down and isolate systems and re-route some patients to counter a ransomware infection.