Tag Archives: Contact Tracing

Security News for the Week Ending June 12, 2020

Singapore Updates Contact Tracing App

Singapore is not exactly a democracy, so this isn’t a complete surprise. They are updating their contact tracing app to include foreigners’ passport numbers and scanning of barcodes to facilitate tracking when someone enters a store, mall or restaurant. They would like the program to run in the background, but Apple does not allow Bluetooth to be active in the background, so the software doesn’t work right on iPhones. So, for iPhone users, people who don’t have smartphones and people who won’t install the app, they are working on building a wearable device to perform the same function and are considering issuing a device to everyone in the country. Credit: ZDNet

Indian IT Company Ran Hack for Hire Operation

BellTroX, a small Indian IT company based in Delhi, allegedly ran a hack-for-hire operation that targeted thousands of high-profile politicians, investors and journalists on six continents over the last 7 years. Initially thought to be state sponsored, investigators now think they were just in it for the money. Researchers, who have begun to unravel the group’s work and notify hacked individuals, refer to it as Dark Basin. Credit: The Hacker News

Thanos Ransomware as a Service Weaponizes RIPlace Vulnerability

The Thanos Ransomware as a Service tool weaponizes the Windows RIPlace attack tactic. RIPlace is a technique that uses a legacy API to bypass endpoint protection (AKA anti-virus) tools. Now that Thanos is available as a service to any wannabe hacker, expect to see even more ransomware attacks. The Thanos developer continues to add features, including a light version (as in fewer features) and a company (full-featured) version. Credit: Threatpost

Copy Protection Comes in Many Flavors

GE has, apparently, “copy protected” the water filters for their refrigerators so that you cannot use a $13 filter that is physically the same and have to pay GE $55 for their filter.

One customer was sufficiently annoyed that he bought a domain, www.GEFilterGate.com, and explained how to “hack” GE’s refrigerator. All you have to do is take GE’s RFID tag off a legit filter and put it in the right place on the non-GE filter. I am not sure if it is legal, but that was one ticked off user. Credit: Vice

Federal Agencies Spending Millions on Crossbow

Crossbow, AKA Stingray version 2, has been purchased by multiple federal agencies including ICE. Stingray is a device made by Harris to intercept cell phone traffic and is used by the military. The devices are also being used by federal, state and local governments, including during protests. Think of it as a cell tower in a small suitcase. Whether version 1 or version 2, they can be used to track down fugitives or surveil anyone, anywhere. There have been reports of many Stingrays found around Washington, DC, likely placed there by unfriendly countries. Harris was so keen to keep information about the Stingray quiet that police regularly dropped charges rather than reveal information about it in court. Assume that Crossbow will be the same. Credit: Vice

Security News for the Week Ending May 29, 2020

Hackers Have Access to iOS 14 Months Before You Will

Apple gives developers early prototypes of its new software so that Apple doesn’t have a disaster on its hands when the new software is released and users’ applications no longer work. Unfortunately, some developers sell those phones – or at least access to them – so that the buyers can get unlocked copies of the OS to hack and reverse engineer. This is why hacks appear so quickly after new versions are finally released. Credit: Vice

Reports: eBay is Scanning Users’ Computers for Open Ports

Bleeping Computer tested reports that users who visit eBay’s web site have their Windows computers scanned for open ports. It is possible that they are looking for computers that are compromised and used to commit fraud. However, accessing a user’s computer like this likely violates the Justice Department’s interpretation of the Computer Fraud and Abuse Act, which is a felony, specifically because they did not ask for permission. That “interpretation” is now being reviewed by the Supreme Court. Expect lawsuits. Credit: Bleeping Computer

UK Says They Will Keep Contact Tracing Info for 20 Years

No big surprise here – I expected this. This is the downside of the “centralized” model for contact tracing apps.

According to the privacy notice attached to the UK’s new contact tracing app, data collected by the app will be stored for up to 20 years.

And, you have no right to have it deleted. Credit: Computing UK

Abandoned Apps May Pose a Security Risk to Mobile Devices

If you are like most people, you have a number of apps on your phone or tablet.

The question for you – whether or not you use every single one of those apps frequently – is how many of those apps are still supported by the developer. That includes the so-called “packages” (third-party libraries) that the app developer used to write that app.

An unsupported app – with bugs that have not been discovered or patched – can provide an avenue for exploit by hackers for as long as it remains on your phone.

So while you are not using that app, hackers are trying to figure out how to exploit it. The risk is higher than you might think. Credit: Dark Reading

The Conundrum of Privacy Tracing Apps

States in the US and countries around the world are racing to contain the Covid-19 virus. Everyone knows this is a war. We have won, or maybe are winning, some of the battles in that war, but the war is far from over.

One “weapon” in that war is contact tracing. If we find an infected person, we would like to know who that person came in contact with since they became infected. That way we can test those people and see if they are infected. And so on and so forth.

Some countries, like China, don’t care about people’s privacy.

China is installing video surveillance cameras outside the apartment doors of people who are under quarantine. Leave your apartment and the authorities will arrest you or, perhaps, you just disappear.

Google and Apple have jointly designed and implemented software that traces contacts with other phones that also have the software installed, but keeps the data local on the phone. If you become infected, you can choose to give the government that data. The problem with this, from the government’s point of view, is that it doesn’t get to own a massive database of your location and contact data. Governments like lots of data.
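To make the “data stays local” point concrete, here is an added, deliberately simplified model of a decentralized exposure-notification scheme (constructed for this post; it is not the actual Google/Apple specification, and the key size, interval count and HMAC derivation are assumptions). Phones broadcast short-lived identifiers derived from a per-day key, an infected user uploads only their daily keys, and every match is computed on the phone, so the server never learns who met whom.

```python
import hmac
import hashlib
import secrets

# Assumed parameter: one rolling identifier per 10-minute interval over a day.
INTERVALS_PER_DAY = 144


def new_daily_key() -> bytes:
    """Each phone generates a fresh random key per day; it leaves the phone
    only if the user tests positive and chooses to report."""
    return secrets.token_bytes(16)


def rolling_id(daily_key: bytes, interval: int) -> bytes:
    """Short-lived identifier broadcast over Bluetooth during one interval.
    Without the daily key, observed identifiers cannot be linked to a person."""
    return hmac.new(daily_key, interval.to_bytes(4, "big"), hashlib.sha256).digest()[:16]


class Phone:
    def __init__(self) -> None:
        self.daily_keys = [new_daily_key()]
        self.observed: set[bytes] = set()  # identifiers heard from nearby phones

    def broadcast(self, interval: int) -> bytes:
        return rolling_id(self.daily_keys[-1], interval)

    def hear(self, rid: bytes) -> None:
        self.observed.add(rid)

    def report_positive(self) -> list[bytes]:
        # Only daily keys are uploaded; the observed set never leaves the phone.
        return list(self.daily_keys)

    def check_exposure(self, published_keys: list[bytes]) -> bool:
        # Matching happens locally: re-derive every id an infected phone could have sent.
        return any(rolling_id(key, i) in self.observed
                   for key in published_keys for i in range(INTERVALS_PER_DAY))


def simulate() -> tuple[bool, bool]:
    """Constructed scenario: Alice and Bob meet in interval 42, Carol meets nobody."""
    alice, bob, carol = Phone(), Phone(), Phone()
    alice.hear(bob.broadcast(42))
    bob.hear(alice.broadcast(42))
    server: list[bytes] = []          # stand-in for the key-publication server
    server.extend(bob.report_positive())
    return alice.check_exposure(server), carol.check_exposure(server)
```

Note what the server holds after the run: Bob’s daily keys and nothing else, which is exactly the database a centralized design would have collected from every participant.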

Utah rejected the Google/Apple strategy in favor of software written by a startup – a social media company with 50 employees that wrote the app in three weeks with no oversight and no review. What could possibly go wrong? Do you remember the Iowa Caucus software?

The interesting story about the Utah experiment is that only 2% of Utah residents have opted to install the software. Experts say that you need about 60% for the data to have much use.

Other countries, like Singapore, South Korea and Israel are using existing data from credit card transactions, GPS data and surveillance cameras.

The UK’s National Health Service also rejected the Google/Apple solution, but leaked NHS documents show that they have privacy concerns of their own. Part of their concern is that the data is self-reported (other than the location itself) and may not even be correct.

Reuters has an article talking about the issues and the competing solutions.

When I started writing this I thought it would be controversial, but now that it is done, I am thinking it is less so.

Everyone has to decide for him or herself whether they trust the government to track them and collect terabytes of data that they will likely keep forever.

While some of these technologies claim that the data is anonymized, think about this. If the data is anonymous, how do they use it to find the infected people? And data scientists have shown, through many examples, that it is virtually impossible to truly anonymize data. If I have data points for your house, your work, your church and your gym, for example, I will de-anonymize that data.

I don’t have the answer. In fact, I don’t think there is a right answer. Everyone has to decide what is right for them.

What I think I can say is that it is highly unlikely that apps written in a couple of weeks under intense pressure, and the enormous quantities of data collected by governments with very little advance planning, will be secure. Even when companies and governments have lots of time and resources, apps and data are not very secure. To confirm this, all you need to do is check the news on a daily basis.

No easy answers. Sorry.