News for the cybersecurity community during the COVID-19 emergency
Privacy concerns run neck-and-neck with public health during the COVID-19 pandemic.
UK and US cybersecurity agencies issue joint advice.
Britain’s National Cyber Security Centre (NCSC) and the US Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint public warning about ways in which the pandemic and the emergency measures put in place to contain it have given rise to a wave of cyberattacks. “Both APT groups and cybercriminals are likely to continue to exploit the COVID-19 pandemic over the coming weeks and months. Threats observed include:
- “Phishing, using the subject of coronavirus or COVID-19 as a lure,
- “Malware distribution, using coronavirus- or COVID-19- themed lures,
- “Registration of new domain names containing wording related to coronavirus or COVID-19, and
- “Attacks against newly—and often rapidly—deployed remote access and teleworking infrastructure.”
The advisory summarizes the threats the agencies are seeing, and it offers brief but useful guidance on how individuals and enterprises might deal with them. Much of the malicious activity is being carried by email. CISA’s Assistant Director for Cybersecurity, Bryan Ware, said, “As the COVID-19 outbreak continues to evolve, bad actors are using these difficult times to exploit and take advantage of the public and business. Our partnerships with the NCSC and industry have played a critical role in our ability to track these threats and respond. We urge everyone to remain vigilant to these threats, be on the lookout for suspicious emails and look to trusted sources for information and updates regarding COVID-19. We are all in this together and collectively we can help defend against these threats.”
The NCSC’s cover note adds some sensible overarching cautionary advice: “This is a fast-moving situation and this advisory does not seek to catalogue all COVID-19 related malicious cyber activity. You should remain alert to increased activity relating to COVID-19 and take proactive steps to protect yourself and your organisation.”
India cautions against (and prosecutes) disinformation.
Reuters reports that the Indian government has asked both Facebook and TikTok to remove users they determine to be spreading misinformation about COVID-19. The authorities are particularly concerned about mis- or disinformation directed at Muslim audiences. According to the Mumbai Mirror, the authorities are serious about prosecuting those who promulgate “fake news” and “hateful posts” in social media. One-hundred-thirty-two cases are open, and thirty-five arrests have been made so far.
Zoom scrambles for better privacy and security as it receives close scrutiny.
ZDNet writes that Zoom, the teleconferencing service whose use exploded during the current pandemic emergency, has brought in Alex Stamos, formerly Facebook’s security chief and subsequently a fellow at Stanford, as an independent security consultant. Stamos emphasized in a blog post that he’s neither an employee nor an executive at Zoom, but that he’s attracted to the challenge of how a low-friction collaboration platform might scale without presenting attackers with an equally low-friction opportunity.
Taiwan has banned Zoom entirely, largely because of the company’s ties with Chinese enterprises, and because, the Register notes, Zoom sends much of its traffic through China.
Government contact tracking apps rack up a mixed privacy record.
Zoom is far from the only service struggling with privacy. Many governments are scrambling to find ways of tracking contacts at scale during the pandemic. As Computing reports, there’s a general search for tools that can do this in ways that don’t compromise individual privacy, but so far the apps being deployed aren’t inspiring confidence in this respect. Researchers at ZeroFox report that the governments of Italy, Colombia, and Iran have stumbled badly with respect to the privacy protections of the mobile apps they’ve pushed out. It seems reasonable to assume that this is a more general problem.