Category Archives: Security

BBC Omits Central Database in Contact Tracing App Story



With the UK’s NHS Contract Tracing app being tested in the Isle of Wight this week, the BBC ran a story on how the app works in the evening news today. While the lovely graphics illustrated how the app worked, the story conveniently forgot to mention that all the contact data collected goes back to a central database.

Unlike much of the free world, instead of adopting the Google-Apple decentralised approach, the NHS has gone ahead with its plans to base its tracking on a central database – there’s more at The Register and The Guardian newspaper. Simplistically, while both versions use Bluetooth proximity to detect others nearby, in the Google-Apple model only the phones know with whom you have been in contact. In the NHS version, the contact data is passed back to a central server for contact matching. This is manna from heaven for a UK government which has a reputation for increasing levels of privacy abuse.

So it’s all very handy then that the BBC omitted to mention that all the app users’ contact tracing information, which will likely include location data, will be neatly shuffled back to a central server for review and matching by the NHS. Yes, it’s anonymised but it doesn’t take much to figure out who someone is if night-after-night they go back to the same address.

The programme is here but I’m not sure how long it will stay online for or if it’s available worldwide. Look at around the 7 minutes 45 seconds. There’s no mention of the central database in either the narrative or the infographics.

Sorry, NHS, I’ll not be downloading your app. BBC, stop lying by omission.

Update 4/5/20: The BBC has produced a more balanced article here.


Zoom Apologizes for Security Failures



Zoom, the company that makes the software that so many people are using now that they have to work from home, posted A Message to Our Users. In it, Zoom Founder and CEO, Eric S. Yuan, apologizes for security failures and provides details about the things they are doing to fix the problems.

Zoom starts by pointing out that usage of Zoom “ballooned overnight”. This includes over 90,000 schools across 20 countries that have taken Zoom up on their offer to help children continue their education remotely. According to Zoom, at the end of December 2019, the maximum number of daily meeting participants, both free and paid, conducted on Zoom was approximately 10 million. In March of 2020, they reached more than 200 million daily meeting participants, both free and paid.

For the past several weeks, supporting this influx of users has been a tremendous undertaking and our sole focus. We have strived to provide you with uninterrupted service and the same user-friendly experience that has made Zoom the video-conferencing platform of choice for enterprises around the world, while also ensuring platform safety, privacy, and security. However, we recognize that we have fallen short of the community’s – and our own – privacy and security expectations. For that, I am deeply sorry, and I want to share what we are doing about it.

Here is a quick look at what Zoom has done to fix things:

  •  Offering training sessions and tutorials, as well as interactive daily webinars to users. The goal is to help familiarize users with Zoom.
  •  On March 20, Zoom posted a blog post to help users address incidents of harassment (or so-called “Zoombombing”) on the platform by clarifying the protective features that can help prevent this.
  •  On March 27, Zoom took action to remove the Facebook SDK in their iOS client and have reconfigured it to prevent it from collecting unnecessary device information from Zoom users.
  •  On March 29, Zoom updated their Privacy Policy to be more clear and transparent about what data they collect and how it is used.
  •  On April 1, Zoom permanently removed the attendee attention tracker feature. They also permanently removed the LinkedIn Sales Navigator app after identifying unnecessary data disclosure by the feature.

These changes are a very good thing for Zoom to be doing. After unexpectedly gaining so many new users, the last thing the company would want to have happen is for people to leave Zoom because of their concerns about its problematic handling of privacy. It seems to me that the apology offered by Zoom Founder and CEO, Eric S. Yuan is genuine, because the company did take actions to improve Zoom for users.


The Sale of Corp.com Could Be Dangerous



Mike O’Connor bought the domain name corp.com in 1994. He is now interested in selling it, but has concerns that someone working with organized cybercriminals, or state-funded hacking groups, will buy it. If that happens, it could be devastating to corporations failed to update the name of their active directory path.

Krebs on Security has a detailed blog about exactly what the problem is. In short, the issue is a problem known as “namespace collision”. It is a situation where domain names intended to be used exclusively on an internal company network end up overlapping with domains that can resolve normally on the open Internet.

If I’m understanding this correctly, it appears that the instructions that Microsoft gave years ago were not entirely understood by people who set up a corporation’s IT system.

Krebs states that for early versions of Windows that supported Active Directory, the instructions gave the default example of a Active Directory path as “corp”. Unfortunately, many corporations quite literally named their Active Directory “corp” – and never bothered to change it to a domain name that they controlled. Then, these corporations built upon it – without renaming “corp” to something more secure.

I recommend that you read the article on Krebs on Security for full details. Tests were done to see what kind of traffic corp.com would receive. More than 375,000 Windows PCs tried to send corp.com information that it “had no business receiving”. Another test allowed corp.com to receive email, and the result of the experiment showed it was soon “raining credentials”.

The big concern right now is that “the bad guys” could buy corp.com and start harvesting the data that countless corporations unwittingly send to it.


U.S. Navy Bans TikTok from Government-Issued Mobile Devices



Reuters reported that the United States Navy banned TikTok from government-issued mobile devices because the app represented a “cybersecurity threat”.

A bulletin issued by the Navy on Tuesday showed up on a Facebook page serving military members, saying users of government=issued mobile devices who had TikTok and did not remove the app would be blocked from the Navy Marine Corps Intranet.

Reuters reported that the Navy would not provide details on what dangers TikTok presents. Pentagon spokesman Lieutenant Colonel Uriah Orland said in a statement that the order was part of an effort to “address existing and emerging threats.”

This comes after two senior members of Congress, Senate Majority Leader Charles E. Schumer (D-N.Y.) and Senator Tom Cotton (R-Ark.) asked U.S. intelligence officials to determine whether TikTok posed “national security risks”. The two Senators sent a letter to Acting Director of National Intelligence, Joseph Maquire, questioning TikTok’s data collection practices and whether the app could be used by the Chinese-owned social-networking app to limit what U.S. users could see.

Reuters reported that last month U.S. Army cadets were instructed not to use TikTok, after Senators Schumer and Cotton raised security concerns about the Army using TikTok in their recruiting.

I find this interesting because, at a glance, TikTok appears to be an app designed to encourage creativity. People make short videos that are intended to be humorous. Many people find the videos to be amusing, and they pass them around on social media.

Now, it seems that TikTok could actually be a security threat, and a strong enough one where various branches of the U.S. military are banning it from government-issued mobile devices. There appears to be concern about TikTok’s data collection practices. It is troubling that an app that appears to be lighthearted could potentially be dangerous.


Facebook and Twitter Removed Accounts Engaging in Inauthentic Behavior



Both Facebook and Twitter have announced that they have removed networks of accounts that were engaging in inauthentic behavior. The New York Times reported that the accounts used fake profile photos that were generated with artificial intelligence. The use of AI generated fake photos appears to be a new tactic.

Facebook announced that they removed two unconnected networks of accounts, Pages and groups for engaging in foreign and government interference. The first operation originated in the country of Georgia and targeted domestic audiences. Facebook removed 39 Facebook accounts, 344 Pages, 13 Groups and 22 Instagram accounts that were part of this group.

The second operation originated in Vietnam and the US and focused mainly on the US and some on Vietnam and Spanish and Chinese-speaking audiences globally. Facebook removed 610 accounts, 89 Facebook Pages, 156 Groups and 72 Instagram accounts that originated in Vietnam and the US and focused primarily on the US and some on Vietnam, Spanish and Chinese-speaking audiences globally.

Some of these accounts used profile photos generated by artificial intelligence and masqueraded as Americans to join Groups and post the BL content. To evade our enforcement, they used a combination of fake and inauthentic accounts of local individuals in the US to manage Pages and Groups. The page admins and account owners typically posted memes and other content about US political news and issues including impeachment, conservative ideology, political candidates, elections, trade, family values, and freedom of religion.

Facebook said its investigation linked this coordinated group to Epoch Media Group. The New York Times reported that Epoch Media Group is the parent company of the Falun Gong-related publication and conservative news outlet The Epoch Times. The Epoch Media Group has denied that it is linked to the network.

Twitter announced it removed 5,929 accounts for violating Twitter’s platform manipulation policies. Their investigation attributed these accounts to “a significant state-backed information operation” originating in Saudi Arabia.

The accounts represent the core portion of a larger network of more than 88,000 accounts engaged in spammy behavior across a wide range of topics. Twitter’s investigations traced the source of the coordinated activity to Smaat, a social media marketing and management company based in Saudi Arabia.

It is very important to realize that you cannot believe everything you see on social media. An account that appears to have a realistic photo could actually be one that was generated by AI. Do some fact checking before sharing things posted by accounts that are run by people you don’t know.


Wawa had a Data Breach that Affected All 700 Stores



Wawa revealed to its customers that a data security breach has impacted all of their store locations. The post was written by CEO Chris Gheysens, who apologized to customers and reassured them that the customers will not be responsible for any fraudulent charges on their payment cards.

Based on our investigation to date, we understand that at different points in time after March 4, 2019, malware began running on in-store payment processing systems at potentially all Wawa locations. Although the dates may vary and some Wawa locations may not have been affected at all, this malware was present in most store systems by approximately April 22, 2019. Our information security team identified this malware on December 10, 2019, and by December 12, 2019, they had blocked and contained this malware.

The data breach included credit cards and debit card numbers, expiration dates, and cardholder names on payment cards used at potentially all Wawa in-store payment terminals and fuel dispensers at different points in time after March 4, 2019, and ending on December 12, 2019.

CEO Chris Gheysens says that no other personal information was affected by this malware. Debit card PIN numbers, credit card CW2 numbers, other PIN numbers, and driver’s license information used to verify age-restricted purchases were not affected by this malware.

As is typical after a company realizes a data breach has occurred, Wawa has information in its website for those who have been affected by the breach. It includes the usual advice one would expect. Wawa is offering free credit monitoring and identify theft protection to customers affected by the breach.

The Verge notes that CEO Chris Gheysens “doesn’t begin to suggest how the malware got there or who might have been trying to get customers’ payment information.”

It is too bad that Wawa failed to notice the malware until very recently. The unfortunate result is that Wawa customers now have to worry about whether their credit card information is secure while trying to finish buying gifts for loved ones during the holiday season.


New Orleans City Hall Hit by Ransomware



It is always worrying when a city government is hit by a ransomware attack. That appears to be what happened to the New Orleans City Hall on December 13, 2019. According to the New Orleans Times-Picayune, workers were told a cyberattack had struck the city government.

The workers were told to turn off and unplug their computers. City websites were down. In addition, the New Orleans Police Department was also told to shut down their computer equipment and remove everything from the network. This is not the first time Louisiana has had this problem.

State government was hit by a ransomware attack last month, though it was able to restore its system without giving in to demands. Gov. John Bel Edwards declared a state of emergency, and the state Office of Motor Vehicles was hit especially hard, with many of its offices forced to close for several days.

In a press conference, Chief Information Officer Kim LaGrue said there was evidence of both phishing attempts and ransomware. No city employees reported providing login information in response to the emails, thanks to cybersecurity training that started in the fall of this year. It was unclear if ransomware had been installed or had begun to encrypt any city systems.

The odd thing about this situation is that, according to Mayor LaToya Cantrell, no requests for money had been made as a result of the ransomware attack.

Typically, thieves who use ransomware demand a specific amount of money, in a certain currency, to be delivered to them before a deadline. If the attacker wasn’t after money – what were they looking for?