At a glance.
- Zoom's approach to end-to-end encryption draws criticism (and a nuanced defense).
- Britain's COVID-19 contact-tracing app can't shake privacy concerns.
- "Ransomware 2.0" concentrates on the cloud.
- Maze and NetWalker ransomware attacks accompanied by data theft and exposure.
- Chartered Professional Accountants of Canada (CPA) discloses data breach.
Zoom's approach to end-to-end encryption draws criticism (and a nuanced defense).
Teleconferencing service Zoom, whose explosive growth during the pandemic emergency has been both a blessing (in terms of market share) and a curse (in terms of security and privacy issues), has fixed two vulnerabilities Cisco researchers discovered. SecurityWeek describes the two vulnerabilities, CVE-2020-6109 and CVE-2020-6110, both of which could expose systems to remote code execution.
Zoom's decision to offer strong, end-to-end encryption only to paid users, leaving the users of the free product to bucket along with transport encryption, has been criticized by privacy advocates, Law360 reports. Since Zoom has mentioned that it would, under limited circumstances mostly related to child abuse, be willing to make some information available to law enforcement agencies, the issue has become a skirmish in the crypto wars. Stanford's Alex Stamos, who's among those Zoom has engaged to help it with privacy, offers a more nuanced account of what's going on. It's not that Zoom is committed to being a stool pigeon, but rather that there are real trade-offs to consider, and that while end-to-end encryption is the best privacy protection, optional end-to-end encryption on top of transport encryption isn't a bad compromise at all.
Britain's COVID-19 contact-tracing app can't shake privacy concerns.
Most of the countries that have attempted to develop technological adjuncts to traditional contact tracing have opted for a decentralized approach. The UK's NHSX, however, is still working on its centralized system, and the security of the government's data, as well as the privacy implications of even a voluntary system, have made its approach a hard sell. Infosecurity Magazine has an op-ed explaining the persistent concerns. Gizmodo sees the two central privacy issues as data retention and data security.
"Ransomware 2.0" concentrates on the cloud.
Forbes has an essay on "ransomware 2.0," the more sophisticated style of attack that's become a multi-billion-dollar criminal sector: "Cybercriminals release more sophisticated algorithms each year. They are completely different from what we saw last year and spread more easily across networks. New ransomware blocks on-premises antiviruses and backup agents. It can delete backed-up data and download sensitive data. It can steal the victim's saved credentials from web browsers and email clients and threaten to upload it to public view if the victim doesn't pay the ransom." Thus, again, a successful ransomware attack must be considered a data breach.
Maze and NetWalker ransomware attacks accompanied by data theft and exposure.
IT services giant Conduent sustained a Maze ransomware attack on May 28th. Operations were disrupted for a few hours, but service was soon restored. Unfortunately, the attackers also stole data during the incident. Computer Business Review reports that the Maze gang quickly posted samples of the information they obtained during the attack. SC Magazine reports that the University of California San Francisco was also the victim of an information-stealing ransomware attack, this one by the NetWalker operation.
Chartered Professional Accountants of Canada (CPA) discloses data breach.
BleepingComputer has an account of a data breach at CPA Canada, a national organization whose more than 217,000 members make it one of the largest professional accounting associations in the world. CPA Canada's disclosure said that the breach may have affected more than just members: counting "stakeholders" as well, the announced total is more than 329,000 affected individuals. Much of the data lost is associated with the distribution of CPA Magazine: names, addresses, email addresses, and employer names.
The security industry was quick to weigh in with comment on the incident. We hear from Lucy Security, Comparitech, and Pixel Privacy.
Colin Bastable, Lucy Security's CEO, wrote, "One has to ask why they did not take appropriate steps to secure their systems before the attack? Attacks cascade and reverberate long after the headlines have faded and the 12 months' credit monitoring has ended. 329,000 professionals are now at risk of sustained attacks, and therefore their clients are at risk. Accounting firms' numbers of clients can range from the tens to the hundreds – these clients are where the money is. Expect to see multiple CEO fraud, business email compromise (BEC) fraud, ransomware attacks and ongoing phishing attacks against the accountants and, subsequently, their clients."
Comparitech privacy advocate Paul Bischoff commented, "Accountants in Canada who belong to the CPA should be on the lookout for targeted phishing and scam emails from cybercriminals posing as clients, employers, and other accountants. Don't click on links or attachments in unsolicited emails and always double-check email addresses and URLs for correct spelling. If you're not sure whether an email is legitimate or not, reach out to the other party through contact information found elsewhere, such as a web search."
And Chris Hauk, consumer privacy champion at Pixel Privacy, said, "The CPA Canada data breach underscores the need for all users to stay alert for phishing scams, even when they haven't been notified of a breach that their information was involved in. Never respond to emails that request you to disclose sensitive personal or business information, and never download attachments or click links in emails unless you are absolutely sure of the source of the email, and that you have requested the link or attachment."