Zoom has announced a freeze on new features as it grapples with emerging security and privacy issues, including three new security bugs revealed this week.
The video conferencing app has been catapulted into the mainstream after widespread COVID-19 government lockdowns across the globe force home working and schooling on a massive scale. The number of daily meeting participants has grown from 10 million in December to roughly 200 million in March, according to the firm.
However, this has led to increased scrutiny of the platform: researchers this week published details of a new vulnerability in the Zoom Windows client which could be exploited to steal user passwords, and two flaws in the macOS app which could be abused to remotely install malware or eavesdrop on users.
These follow discoveries of serious vulnerabilities in the product last year.
Although Zoom CEO Eric Yuan revealed in a post on Thursday that the firm had promptly patched all three bugs disclosed this week, concerns persist about the platform’s approach to security and privacy.
Organizations as diverse as the UK’s Ministry of Defence, SpaceX and NASA have banned employees from using the tool, and there has been widespread criticism after the firm appeared to mislead users into thinking their video meetings were end-to-end encrypted, when in fact they aren’t.
Yuan apologized for that, and clarified several steps that the firm is taking to improve privacy, including removing the Facebook SDK in its iOS client, after reports emerged that it was sending user data to the social network, even for non-Facebook users.
It has also permanently removed an “attention tracker” feature which critics claimed could allow employers to spy on their staff.
Zoom has also been trying to educate users into following best practices like not sharing meeting IDs online, and using protective features on the platform which could prevent “Zoombombing” — incidents where uninvited guests join and disrupt meetings.
Going forward, the firm will enact a “feature freeze” in order to devote all engineering resources to security and privacy issues. It will also carry out a comprehensive review with third-party experts to improve security in consumer use cases, and engage with security leaders via a new CISO council.
“We did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying and socializing from home. We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived,” Yuan argued.
“These new, mostly consumer use cases have helped us uncover unforeseen issues with our platform. Dedicated journalists and security researchers have also helped to identify pre-existing ones. We appreciate the scrutiny and questions we have been getting – about how the service works, about our infrastructure and capacity, and about our privacy and security policies.”
A group of civil society organizations has called for restraint after warning that governments around the world are rolling out invasive surveillance programs on a massive scale to track and manage the spread of COVID-19.
A statement signed by 100 civil liberties groups argued that “efforts to contain the virus must not be used as a cover to usher in a new era of greatly expanded systems of invasive digital surveillance.”
It claimed that human rights should still be respected even in extraordinary times.
“An increase in state digital surveillance powers, such as obtaining access to mobile phone location data, threatens privacy, freedom of expression and freedom of association, in ways that could violate rights and degrade trust in public authorities – undermining the effectiveness of any public health response,” the letter continued. “Such measures also pose a risk of discrimination and may disproportionately harm already marginalized communities.”
Privacy International claimed that telecoms-based tracking is already underway in 23 countries, while 14 have deployed tracking apps.
Back in mid-March, the UK government was revealed to be receiving tracking data from mobile carriers to check whether citizens were respecting its social distancing guidelines. A similar strategy is thought to be in play in the US.
However, that’s some way from the extreme surveillance seen in China, where some local authorities are offering people rewards for informing on ill neighbors, and even getting into one’s apartment or workplace requires scanning a QR code, and logging name, ID number, temperature and travel history.
“The wave of surveillance we’re seeing is truly unprecedented, even surpassing how governments across the world responded to 9/11,” argued Privacy International advocacy director, Edin Omanovic.
“The laws, powers and technologies being deployed around the world pose a grave and long-term threat to human freedom. Some measures are based on public health measures with significant protections, while others amount to little more than opportunistic power grabs.”
The rights groups have issued a list of eight conditions governments should meet, including the use only of “lawful, necessary and proportionate” surveillance which continues only as long as the pandemic.
The Internal Revenue Service (IRS) is warning taxpayers of a new wave of phishing calls and messages designed to trick victims into handing over financial details by capitalizing on the COVID-19 pandemic.
A large number of these scams attempt to use as a lure the government’s recent announcement of an economic impact payment of $1200 to every US citizen.
According to the IRS, they might use terms such as “Stimulus Check” or “Stimulus Payment” and ask victims to confirm personal and banking information to in order to ‘speed up’ payment.
In similar scams, the phisher could ask victims to sign over an economic impact check to them directly, or else mail them a fake one with an odd amount and then require the taxpayer to call a number or verify information online in order to cash it.
The range of these scams, across phone, email, social media, text and even face-to-face, show the lengths fraudsters are prepared to go to tap the huge federal emergency giveaway.
“History has shown that criminals take every opportunity to perpetrate a fraud on unsuspecting victims, especially when a group of people is vulnerable or in a state of need,” said IRS criminal investigation chief, Don Fort.
“While you are waiting to hear about your economic impact payment, criminals are working hard to trick you into getting their hands on it. The IRS Criminal Investigation Division is working hard to find these scammers and shut them down, but in the meantime, we ask people to remain vigilant.”
The IRS reminded taxpayers that in most cases their economic impact payment would be deposited directly into the account previously provided on tax returns. Those who have not previously provided this info will be able to enter their banking details online in a secure IRS portal in April. Otherwise a check will be mailed to the address the IRS has on file.
At least 19 websites have fallen victim to a new data skimmer that appears to have been developed by threat group Magecart Group 7.
Dubbed 'MakeFrame' by researchers at RiskIQ, the new data skimmer has been spotted out in the wild in several different versions.
Researchers first came across the skimmer on January 24. Since then, MakeFrame has been spotted hosting skimming code, loading the skimmer on other compromised websites, and exfiltrating stolen data.
"There are several elements of the MakeFrame skimmer that are familiar to us, but it’s this technique in particular that reminds us of Magecart Group 7," wrote researchers.
RiskIQ has identified three distinct versions of the skimmer with varying levels of obfuscation, from clear JS code to encrypted obfuscation. Some of these appear to be dev versions running debug processes, one of which even includes a version number.
"Magecart Group 7 also used victim sites for skimmer development, as we observed when they compromised OXO in 2017 and twice in 2018," said researchers.
The team at RiskIQ said the multiple versions of MakeFrame were evidence of threat actors' constant hunt for new ways to cheat and steal from yet more victims.
"This latest skimmer from Group 7 is an illustration of their continued evolution, honing tried and true techniques and developing new ones all the time. They are not alone in their endeavors to improve, persist, and expand their reach," wrote researchers.
When studying the new threat, researchers noted that MakeFrame was targeting the same victim pool as Group 7.
"Each of the [compromised] sites belongs to a small or medium-sized business, and none are particularly well known, with OXO being a bit of an outlier in their history."
The nefarious data-stealing methods used by MakeFrame also echo those deployed by Magecart Group 7, sending stolen data as .php files to other compromised sites for exfiltration.
Researchers noted that data-skimming attacks were on the rise at a time when people the world over are working and shopping from home as a result of the COVID-19 outbreak.
"RiskIQ data shows Magecart attacks have grown 20% amid the COVID-19 pandemic. With many homebound people forced to purchase what they need online, the digital skimming threat to e-commerce is as pronounced as ever," wrote researchers.
A digital wallet app with millions of users has become the latest organization to be caught storing customer data in unsecured Amazon Web Services (AWS) S3 buckets.
The Key Ring app allows users to upload and store scans and photos of membership and loyalty cards to a digital folder in their mobile device. It is also commonly employed by users as a convenient way to scan and store copies of their ID, driver's license, gift cards, and credit cards.
The misconfigured buckets, which were set to "public" rather than "private," were found to contain 44 million images uploaded by Key Ring users.
Data exposed in the Key Ring data leak included government IDs, NRA membership cards, medical marijuana ID cards, credit cards with all the details, including the CVV numbers, and medical insurance cards.
Other information exposed in the data leak included CSV files detailing membership lists for prominent North American retailers who use Key Ring as a marketing platform. These lists contained the personally identifiable information (PII) data of millions of people.
Companies whose customers' details were exposed in the leak include Walmart, Kleenex, La Madeleine Bakery, Foot Locker, and Mattel.
VpnMentor researchers said that every Key Ring file they viewed could also be downloaded and stored offline, making them completely untraceable.
"These unsecured S3 buckets were a goldmine for cybercriminals, making millions of people across North America vulnerable to various forms of attack and fraud," said researchers.
"We can’t say for certain that nobody else found these S3 buckets and downloaded the content before we notified Key Ring."
VpnMentor researchers discovered the buckets in January 2020 using web-scanning tools.
"Once the details of the leak were confirmed, we immediately contacted Key Ring and AWS to disclose the discovery and assist in fixing the leak. The buckets were secured shortly after," said researchers.
Scammers are targeting Londoners with fake fine notification texts that accuse victims of flouting the country's lockdown rules.
The malicious text has been designed to look like a genuine COVID-19 alert sent by the UK government. Victims who receive the message are told that they have been fined £35 after being spotted leaving their home on multiple occasions over the course of a single day.
Under current restrictions in place in the UK, people have been asked to only leave home for essential work, to purchase basic necessities, and to carry out "one form of exercise a day."
Under Welsh law, exercise must be taken outside “no more than once a day.” However, the law in England, Scotland, and Northern Ireland does not specify exactly how many times a day people can leave their home, so police cannot enforce a limit or issue fines to people for simply leaving their houses.
The malicious text appears to have been sent by the UK government, with the sender's details displayed as "UK.Gov." In a bid to look authentic, the text references a genuine media campaign currently in use by the government—to protect the National Health Service by staying at home and minimizing the spread of the novel coronavirus.
The message reads: "GOV.UK CORONAVIRUS ALERT. We would like to inform you that you have been recorded as leaving your home on 3 occasions yesterday. A fine of £35 has been added to your gov.uk account. For further information please visit gov.uk/coronavirus-penalty-payment-tracking. Protect the NHS. Save Lives."
Victims who click on the link contained with the message are asked to provide their payment details.
The timing and medium of the scam has been well-chosen to make the message appear genuine. After lockdown measures were announced, the British government sent a text message out across all the cell phone networks in the UK to inform the public of the new restrictions in force.
The local government in the London borough of Richmond upon Thames issued a warning on March 30 about this fake text and other malicious communications that are currently doing the rounds.
Cllr Gareth Roberts, leader of Richmond Council, said: "Anyone who receives this text should ignore it. It is simply another ruse to steal the payment details of users."
Infosecurity Europe 2020, due to take place June 2-4, has been postponed due to the COVID-19 pandemic, event organizers Reed Exhibitions have announced.
Held annually at London Olympia, Infosecurity Europe is Europe’s largest and most comprehensive information security event, attracting thousands of visitors from the information security industry every year.
A statement from Reed Exhibitions said:
“After monitoring the constantly evolving COVID-19 pandemic, we have made the decision to postpone Infosecurity Europe, which was scheduled to take place from June 2-4 in Olympia, London. The health and safety of our exhibitors, visitors, partners and staff remains our number one priority and we will remain guided by the expert advice of the public health authorities. We believe this is the best course of action for the information security industry and the communities we serve and it also reflects our desire to give everyone involved as much notice as possible.”
The statement explained that Reed Exhibitions is now working closely with its partners and venues to obtain new dates for the event later in the year and will announce the new dates on the Infosecurity Europe website as soon as possible.
“In the meantime, we want to ensure we keep the conversation going within our community and will be providing a program of virtual content 2-4 June 2-4,” the company added. “More information will be available on the Infosecurity Europe website soon.”
Over 2000 new phishing domains have been set up over the past month to capitalize on the surging demand for Zoom from home workers, according to new data from BrandShield.
The brand protection company analyzed data from its threat hunting system since the start of the year, and found 3300 new domains had been registered with the word “Zoom” in them.
The vast majority of these (67%) were created in March, as the COVID-19 pandemic forced lockdowns in multiple European countries and across parts of the US.
With surging levels of interest in Zoom and other video conferencing apps, comes renewed scrutiny from cyber-criminals.
Nearly a third (30%) of the new “Zoom” websites spotted by BrandSheild have activated an email server, which the firm claimed proves these domains are being used to facilitate phishing attacks.
These could include attempts to: covertly download malware to the victim’s machine, steal money from Zoom users who think they’re buying a subscription and harvest user details to compromise accounts and/or infiltrate sensitive calls.
“With global businesses big and small becoming increasingly reliant on video conferencing facilities like Zoom, sadly, cyber-criminals are trying to capitalize,” argued BrandShield CEO, Yoav Keren.
“Businesses need to educate their employees quickly about the risks they may face, and what to look out for. The cost of successful phishing attacks is bad for a company’s balance sheet at the best of times, but at the moment it could be fatal.”
The news comes as experts continue to warn Zoom users of the potential security risks involved in logging-on to the video conferencing app.
The app was banned for employee use by the UK’s Ministry of Defence (MoD), although the Prime Minister, Boris Johnson, still used it for a Cabinet meeting.
Experts have urged users not to share meeting IDs on social media, and to ensure they generate a password for each meeting, or else risk being “Zoombombed” — that, is having uninvited guests enter the meeting.
Trend Micro principal security strategist, Bharat Mistry, argued that cyber-criminals are always on the lookout for opportunities to make a fast buck from globally trending news.
“It’s no surprise that hackers are looking to take advantage and exploit the current situation with Covid-19 especially with the mass explosion of remote working and even remote social interactions taking place,” he told Infosecurity.
Privacy experts have also expressed concerns over employer monitoring of their staff, as admin settings can provide detailed usage statistics for each employee.
Toni Vitale, head of data protection at JMW Solicitors, argued that transparency is key.
“Employees need to be told that their activities are being monitored,” he said. “In the rush to get everyone online I doubt many companies checked their HR policies.”
Microsoft has been forced to alert several dozen hospitals in a “first of its kind notification” that their gateway and VPN appliances are vulnerable to ransomware groups actively scanning for exposed endpoints.
The tech giant claimed that attackers behind the REvil (Sodinokibi) variant, for one, are probing the internet for vulnerable systems, with VPNs in high demand at the moment as COVID-19 forces home working.
The group appears to be repurposing malware infrastructure it used last year in the new attacks, which aim to take advantage of vulnerable healthcare organizations already under extreme pressure dealing with infected patients.
These “human-operated” attacks differ from commodity ransomware efforts in that the hackers use their extensive knowledge of system administration and common network security misconfigurations, said Microsoft.
“Once attackers have infiltrated a network, they perform thorough reconnaissance and adapt privilege escalation and lateral movement activities based on security weaknesses and vulnerable services they discover in the network,” it continued.
“In these attacks, adversaries typically persist on networks undetected, sometimes for months on end, and deploy the ransomware payload at a later time. This type of ransomware is more difficult to remediate because it can be challenging for defenders to go and extensively hunt to find where attackers have established persistence and identify email inboxes, credentials, endpoints or applications that have been compromised.”
Reports emerged earlier this year that ransomware attackers including REvil were targeting flaws in Citrix ADC and Gateway products. It’s also suspected that the group exploited vulnerabilities in the Pulse Security VPN platform to compromise Travelex last year.
The National Cyber Security Centre (NCSC) and the NSA pushed out alerts last October that these products were being targeted by APT groups.
Microsoft’s advice is to patch promptly, monitor remote access carefully, turn on attack surface reduction rules in Windows, and switch on AMSI for Office VBA in Office 365 environments.
A report it issued last month details further steps to mitigate targeted ransomware.
Businesses have been urged to tighten their data protection technologies, policies and procedures after a UK Supreme Court ruling yesterday left the door open for employers to be sued by their staff for insider breaches.
The case involved supermarket chain Morrisons, which suffered such a breach in 2014 when former internal auditor Andrew Skelton published online the details of nearly 100,000 employees — included NI numbers, birth dates and bank account data.
Some 5000 of these employees then brought civil proceedings against the firm, arguing it was liable for the misuse of their data. Both the High Court and the Court of Appeal ruled that, although the supermarket chain was not primarily to blame, as its security safeguards were sound, it was “vicariously liable” for Skelton’s actions.
“In simple terms Morrisons had to underwrite Skelton’s actions as an employee,” explained legal firm Cordery Compliance. “This was in part because they had selected Skelton for the trusted position of being the middle-man in transferring the [HR data] to KPMG.”
However, the Supreme Court has now ruled in Morrisons’ favor: in effect saying that in this case the employer cannot be held vicariously liable as the employee (Skelton) was pursuing a vendetta.
This is a victory for the supermarket, and several legal experts have argued that employers will also be breathing a sigh of relief that they won’t be held liable in similar circumstances.
Yet firms aren’t completely off the hook, according to Claire Greaney, senior associate at Charles Russell Speechlys.
“It wasn’t all good news for businesses today. The court did not say there could never be vicarious liability for the conduct of employees in the world of data protection. If the door to vicarious liability was left ajar by the Court of Appeal, the Supreme Court has confirmed that it is staying open,” she argued.
“In the GDPR era of mandatory notification businesses will need to look carefully at the measures they take to mitigate these risks, including taking out data insurance to protect themselves.”
Cordery Compliance speculated that the case may also have gone differently had the subject of primary liability been considered.
“Under GDPR there is a very strong emphasis on organizations having ‘technical and organizational measures’ (TOMs) in place to ensure GDPR compliance, including with regard to keeping data secure,” it argued.
“Whilst the law was similar pre-GDPR it could be argued that employers should be more conscious of TOMs like access rights and data loss prevention now that GDPR is in force. With this in mind, had the Morrisons case been decided under GDPR might there have been a different outcome as regards primary liability and the personal data that left Morrisons’ systems?”
It’s also true that companies can still be held liable for the actions of their staff in a data breach context, if those employees are not acting outside the course of their employment: i.e. accidental leaks and negligence.
A cybersecurity company has launched a lockdown-friendly hacking competition that doesn't require any travel or socializing.
Participants of Cyber 2.0's new Home Hackers Challenge can compete for a cash prize without having to leave their houses.
The competition is open to every hacker in the world, and the premise is simple—the first competitor to break into a computer-simulated organization scoops the glory and 10,000 NIS, equivalent to 2,850 USD.
Protecting the fake organization is the company's own patented cybersecurity solution, the Cyber 2.0 program.
Cyber 2.0's Sneer Rozenfeld has no qualms about laying the reputation of the company and its cybersecurity products on the line. He said previous attempts to break through their protective layer by private hackers, companies, and specialized military units had all failed.
"We did two hacking challenges already—this is our third one. We ran the first one in 2018 in Israel; no-one succeeded. Then in 2019, we ran a second competition in Atlanta, Georgia, with a $100,000 prize, and no-one succeeded. So, we do believe our system will not be hacked."
The competition will take place on April 6 between 11 a.m. and 3 p.m. (GMT+3). Hackers can enter through the company's website, cyber20.com.
Rozenfeld said: "The prize will go to the first hacker who breaks in with no prize for second place."
In previous years, when no hacker was able to defeat the company's cybersecurity program, Cyber 2.0 kept the prize money. However, this year, if no hacker manages to successfully break into the faux organization, the prize money will be donated to an Israeli charity that supports families in need.
Rozenfeld said: "Everyone is affected by the coronavirus, so we want to be humble and this time not keep the money but give it away."
The ongoing health crisis has meant that Cyber 2.0 can only give hackers a short window in which to complete the challenge.
Rozenfeld said: "Holding this sort of challenge takes a lot of resources of the company so we decided to do it for 4 hours. Due to coronavirus regulations in Israel, we can't have more than 2 people on the premises, and we need more than 2 for supporting the challenge."
An American healthcare provider whose patients' records were allegedly published online in a ransomware attack has told patients their data is secure.
Affordacare runs an urgent care walk-in clinic network out of five locations in Texas. The organization was hit by a ransomware attack in February.
In a breach notification published on the organization's website, Affordacare wrote: "Hackers attacked Affordacare’s servers and were able to compromise some limited, confidential information on or around Feb. 1, 2020. The hackers also installed ransomware on the servers."
The healthcare provider said that data exposed in the incident included names, addresses, telephone numbers, dates of birth, ages, dates and locations of visits, reasons for visits, insurance plan providers, insurance plan policy numbers, insurance group numbers, treatment codes and descriptions, and comments from health care providers.
Despite refusing to pay the ransom, Affordacare told patients that "this incident did not affect your electronic health records, labs, Social Security number or any personal payment information."
The healthcare provider said that the majority of health care records were stored in a cloud-based electronic health records system that was not affected by the incident.
Ransomware group MAZE has claimed responsibility for the February attack on Affordacare. The threat group claims to have exfiltrated more than 40 GB of data from the healthcare provider, including sensitive patient health data.
MAZE published what it claims is Affordacare data in a data dump on February 1 at http(colon)//mazenews(dot)top/site after the healthcare provider allegedly refused to pay the ransom.
After viewing the alleged Affordacare data, Emsisoft threat analyst Brett Callow told Infosecurity Magazine: "The dump includes information relating to numerous patients, including reports that were presumably requested by Affordacare from other medical practices, as well as details relating to Affordacare’s own payroll and the resumes of people who had applied for employment."
What appear to be Affordacare patient records published online by MAZE and viewed by Infosecurity Magazine included names, Social Security numbers, and details of a testicular sonogram.
After notifying patients about the breach by letter on March 30, Affordacare stated on its website: "At this time, we do not know if your information was actually taken or misused."
More ransomware victims than ever before are complying with the demands of their cyber-attackers by handing over cash to retrieve encrypted files.
New research published March 31 by CyberEdge shows that both the number of ransomware attacks and the percentage of attacks that result in payment have increased every year since 2017.
The CyberEdge 2020 Cyberthreat Defense Report states 62% of organizations were victimized by ransomware in 2019, up from 56% in 2018 and 55% in 2017.
"Ransomware is trending in the wrong direction . . . again," states the report's authors.
"This rise is arguably fueled by the dramatic increase in ransomware payments."
In 2017, just 39% of organizations hit by ransomware paid to retrieve their encrypted data. That figure rose to 45% in 2018, then shot up to 58% in 2019.
To create the annual report, CyberEdge surveyed 1,200 qualified IT security decision makers and practitioners from organizations with over 500 employees in 19 different industries. The organizations were located in 17 countries across North America, Europe, the Middle East, Africa, Asia Pacific, and Latin America.
Another key finding of the report was that last year, for the first time ever, more than a third (35.7%) of organizations experienced six or more successful attacks.
When questioned over the future cybersecurity of their organization, respondents revealed that they were picking up bad vibes.
"The number of respondents saying that a successful attack on their organization is very likely in the coming 12 months reached a record level," states the report.
Of those IT security professionals surveyed, 69% believe a successful attack to be in the cards in 2020. This doom-laden percentage was up from 65% in 2019 and 62% in 2018.
As for which cyber-threats caused the greatest amount of concern, survey respondents said malware was the biggest problem, closely followed by phishing and ransomware, which tied in second place.
This year was the first time that the CyberEdge survey respondents were asked if they were concerned about attacks on brand and reputation in social media and on the web. This new threat tied in tenth place with watering-hole attacks, but the report's authors predict it will place higher next year.
They wrote: "We think this category (which includes hijacking social media accounts, using typo squatting website for fraud, and selling counterfeit goods online) will become more of a concern in the cybersecurity community."
UK businesses could be putting customer data at risk by having a low understanding of important data protection legislation. Research from IONOS has shown that 44% of IT decision makers in the UK do not have a comprehensive understanding of the US CLOUD Act. In contrast, 92% had a comprehensive understanding of the EU’s General Data Protection Regulation (GDPR).
The survey included 500 UK-based IT decision makers, analyzing their knowledge of key data legislation, attitudes towards data storage and cloud services usage. In particular, it highlighted a significant lack of understanding of the US CLOUD Act, passed into law in 2018. Among the provisions of the Act, it gives US law enforcement agencies the power to request data stored by most major cloud providers. Around six months ago, the UK and US signed the CLOUD Act agreement, making it applicable to UK businesses.
The study revealed that 47% of the IT decision makers were unaware that, under the legislation, US cloud hosting providers may be required to disclose customers’ data to US officials. This applies regardless of whether the information was stored inside or outside of the US, and is irrespective of GDPR regulations.
“GDPR compliance has been a key focus for many European and global businesses since it was introduced, but IT professionals are under pressure to keep up with the constantly evolving data security landscape,” explained Achim Weiss, CEO at IONOS. “The US CLOUD Act adds another layer of potential misunderstanding for those hosting with US cloud providers.”
Surprisingly, a high proportion of those polled were willing to store sensitive information in the cloud, including personal customer and employee details (54%) and accounting data (50%).
Weiss added that much more education around the US CLOUD Act as well as storage best-practice is required for UK businesses to ensure their data is safe and secure.
Chinese conspiracy theories that COVID-19 was some kind of US military bioweapon date back to January, months before a foreign ministry official in Beijing began to spread the same fake news, according to a new study.
An analysis from the Stanford University Cyber Policy Center has revealed how fringe conspiracy theories can eventually become weaponized by governments to further their geopolitical ends.
Zhao Lijian, a deputy director-general of the Chinese Foreign Ministry’s Information Department, took to Twitter on March 12 to suggest “the US army brought the epidemic to Wuhan.” He included a clip from the chief of the US Center for Disease Control who merely said that some patients who died from COVID-19 might not have been tested.
This was followed a few hours later by another tweet of Zhao's which shared an article from a conspiracy theory site that “the virus originated in the US.”
After Washington complained at the unfounded allegations, Chinese ambassador to the US, Cui Tiankai, distanced Beijing from the rumors.
Stanford’s analysis revealed that these could be found online as far back as January 2, when a Chinese language YouTube video dismissed the idea of COVID-19 as a US bioweapon. Chinese Twitter users at the end of the month took the opposite line, claiming the coronavirus was a US creation. These posts remain online, despite the social media site’s crackdown on COVID-19 misinformation.
By February 1, speculation began to spread that the virus was linked to US attendance at the Military World Games, which took place in Wuhan in October 2019.
The Stanford report authors urged online users to exercise skepticism at what they read online, even when posted by government officials.
“In times of uncertainty, speculation and political blame games, continued vigilance is key when it comes to assessing and sharing information — even, or sometimes especially, when it comes from state channels,” they said.
“Social media companies need to maintain their efforts to proactively remove unfounded speculation and disinformation on their own platforms, regardless of who posts it. Citizens and journalists should question the intentions an actor promoting online content may have before possibly amplifying misleading voices.”.
Online threats have risen by as much as six-times their usual levels over the past four weeks as the COVID-19 pandemic provides new ballast for cyber-attacks, according to Cloudflare.
The web security and content delivery vendor analyzed UK traffic figures for the past four weeks compared to the previous month and noted a sharp uptick in malicious activity.
It revealed that hacking and phishing attempts were up 37% month-on-month, while on some days, the firm was blocking between four- and six-times the number of attacks it would usually see.
The firm said the uptick was the result of “recreational” hackers with more time on their hands. However, professional cyber-criminals are also using the global incident to further their own agendas.
Phishing attempts have soared by over 600% since the end of February, including traditional impersonation scams but also business email compromise (BEC) and extortion attacks, according to Barracuda Networks.
In Hong Kong, likely state-sponsored attackers are even using the virus as a lure to trick users into clicking on news links booby-trapped with iOS spyware.
Domain registrars are ramping up efforts to halt automatic registration of any website names that are linked to COVID-19, for fear they may be phishing sites or those selling counterfeit goods like surgical masks and pharmaceuticals.
Interpol announced last week that it had already managed to seize $14m worth of such fake goods.
Even the National Cyber Security Centre (NCSC) has been stepping in to remove malicious and phishing sites.
Aside from the rise in threat levels, Cloudflare also noted an overall uptick in internet use of 17%, as the majority of the country is urged to stay indoors and work from home.
Online searches for tutoring grew most during the past four weeks, up 400%, while politics (320%), TV (210%) and gardening (200%) also spiked.
The NCSC has carried out research, determining the path to certification for Cyber Essentials could be made clearer, that the standard was being implemented consistently across the UK and that assessor and advisor standards were consistent. Its research showed that customers were confused by the use of five different organizations to deliver the scheme, as each organization operated the scheme in a slightly different way.
After a tender process, the NCSC has appointed a single Cyber Essentials Partner – The IASME Consortium, with effect from today.
Introduced in 2014, Cyber Essentials enables organizations to demonstrate that they meet defined standards of online security and seeks to identify that organizations have key controls in place. The scheme provides successful applicants with a certificate that lasts for 12 months.
It was intended to enable companies to understand the basic controls all organizations should implement to mitigate the risk from common internet-based threats, and concentrated on five key controls:
- Boundary firewalls and internet gateways
- Secure configuration – ensuring that systems are configured in the most secure way for the needs of the organization
- Access control – ensuring only those who should have access to systems have access and at the appropriate level
- Malware protection
- Patch management – ensuring the latest supported version of an application is used and all necessary patches have been applied
IASME said that today’s new partnership will help make fundamental cyber-protection more understandable, accessible and practical. Dr Emma Philpott, MBE, chief executive of IASME, said: “IASME contributed to the original writing of the scheme and has been involved in its delivery ever since. We welcome the prospect of continuing to work in partnership with NCSC to further develop and grow the Cyber Essentials scheme.
“We are particularly looking forward to working with the wider network which includes all Cyber Essentials Certification Bodies which will allow us to offer expert support and certification to organizations across the whole of the UK and Crown Dependencies.”
IASME welcomed new certification bodies whom had come on board during the transition period, and thanked other certification bodies that had been a part of the journey to date. “Together we will provide a comprehensive, UK-wide network of licensed Certification Bodies to ensure regional support is available to all those who need it.”
Anne W from the NCSC, added: “The move to a single Cyber Essentials Partner allows us to work closely with IASME to develop the scheme and build further on the success to date. Cyber Essentials is an important scheme within the NCSC’s extensive portfolio of tools and guidance, all of which make a significant contribution to making the UK one of the safest places in the world to live and do business online.”
A company claiming to provide “the world’s most secure online backup” leaked metadata and customer information in over 135 million records after misconfiguring an online database, Infosecurity has learned.
The team at vpnMentor discovered the privacy snafu as part of its ongoing web mapping project that has already uncovered major cloud data leaks at brands including Decathlon, PhotoSquared and Yves Rocher.
It was traced to Californian-headquartered SOS Online Backup, which claims to be a multi-award winning provider with 12 data centers around the globe. The firm was contacted on December 10 and again seven days later. Although it never replied to the researchers, the incident was mitigated on December 19.
“The exposed database contained over 135 million records, totalling almost 70GB of metadata related to user accounts on SOS Online Backup. This included structural, reference, descriptive, and administrative metadata covering many aspects of SOS Online Backup’s cloud services,” vpnMentor explained.
The trove also included PII such as names, emails, phone numbers, business details (for corporate customers) and account usernames.
“By exposing so much metadata and user PII, SOS Online Backup has made itself and its customers vulnerable to a wide range of attacks and fraud,” warned vpnMentor.
“This database could have been a goldmine for cyber-criminals and malicious hackers, with access to cloud storage highly sought after in the online criminal underworld.”
Aside from the impact of potential reputational damage on the firm, the incident could be investigated by Californian regulators of the new CCPA data protection law, as well as GDPR regulators, if EU citizens’ data is included.
“Finally, the exposed database showed the structure of their cloud-based backup technology, accounts’ systems, and how they work. Hackers could use this information to plan effective attacks and embed malicious software in their system,” vpnMentor suggested.
“This would allow them to steal customer data and files, or attack SOS Online Backup directly.”
The Office of the Inspector General (OIG) has said it lacks confidence that the Federal Bureau of Investigation is executing its Woods Procedures in line with FBI policy when applying for court permission to surveil people in the United States.
The FBI implemented its Woods Procedures in 2001 following errors in numerous Foreign Intelligence Surveillance Act (FISA) applications submitted to the Foreign Intelligence Surveillance Court (FISC) in FBI counterterrorism investigations. The procedures, named for FBI agent Michael Woods, who helped devise them, require that every fact submitted in support of a wiretap application must be verified.
FBI policy requires case agents who will be requesting the FISA application to create and maintain a "Woods File" that contains supporting documentation for every factual assertion contained in the application together with the results of required database searches and other verifications.
A report published by the OIG on March 30 states that a recent audit of the FBI found that in some FISA applications, Woods Files had gone missing or may not have ever existed.
Over the past two months, auditors visited 8 FBI field offices and reviewed a judgmentally selected sample of 29 applications relating to US persons and involving both counterintelligence and counterterrorism investigations.
The OIG report states that "we could not review original Woods Files for 4 of the 29 selected FISA applications because the FBI has not been able to locate them and, in 3 of these instances, did not know if they ever existed."
In all 25 of the FISA applications the OIG were able to review, auditors identified errors or inadequately supported facts.
The OIG said: "For all 25 FISA applications with Woods Files that we have reviewed to date, we identified facts stated in the FISA application that were: (a) not supported by any documentation in the Woods File, (b) not clearly corroborated by the supporting documentation in the Woods File, or (c) inconsistent with the supporting documentation in the Woods File."
The auditors' findings led the OIG to conclude that the FBI's FISA applications were not as accurate as they should be.
"We believe that a deficiency in the FBI’s efforts to support the factual statements in FISA applications through its Woods Procedures undermines the FBI’s ability to achieve its 'scrupulously accurate' standard for FISA applications," stated the OIG.
Hotel chain Marriott International announced today that it has suffered a second data breach.
According to an incident notification published on their website, the company spotted unusual activity occurring in an app that guests use to access services during their stay.
An investigation into the activity revealed that the login credentials of two Marriott employees had been used to access "an unexpected amount" of guest information.
Marriott said guest data that may have been compromised in the breach included contact details, loyalty account information, personal details such as birth dates, and information concerning linked partnerships and affiliations like airline loyalty programs.
Precisely what information was accessed varied from guest to guest, but in some cases email addresses, phone numbers, and employer details were exposed.
Marriott said: "At the end of February 2020, we identified that an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property. We believe this activity started in mid-January 2020."
While the investigation into the data breach is ongoing, Marriott said that "we currently have no reason to believe that the information involved included Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs, or driver’s license numbers."
On March 31, 2020, Marriott sent emails about the incident to guests involved. The hotel chain has offered guests affected by the incident a year's worth of personal information monitoring from IdentityWorks free of charge.
Marriott said: "We have also set up a self-service online portal for guests to be able to determine whether their information was involved in the incident and, if so, what categories of information were involved."
This latest data breach has affected approximately 5.2 million Marriott guests. The hotel chain has advised Marriott Bonvoy account holders to change account passwords and to monitor their accounts for suspicious activity.
In November 2018, Marriott reported a data breach that saw the records of approximately 339 million guests exposed. In a catastrophic and ongoing cybersecurity incident, threat actors were found to have had unauthorized access to the hotel's Starwood network since 2014.