At a glance.
- COVID-19 tracing systems continue to face privacy challenges.
- Activision denies rumors of gamer data breach.
- Tips on telework from Fort Meade.
Next-gen COVID-19-tracing apps don’t sniff at privacy (but it's still proving tough to achieve).
Seven US states have launched new contact-tracing apps that rely on Bluetooth functionality and thus eliminate the need for location tracking, the Wall Street Journal reports. Earlier COVID apps flopped due to poor performance and poor privacy protections. Google and Apple technology enhances the next-generation apps’ efficacy, and conspicuous privacy notices along with narrowly defined features are meant to assuage data security concerns. Virginia’s Covidwise, Alabama’s GuideSafe, and Nevada’s COVID Trace spell out what information they collect before the user does anything. Arizona’s Covid Watch and Wyoming and North Dakota’s Care 19 Alert use personalized recommendations to lure additional downloads.
One area for growth lies in inter-app communication. Currently tracing apps only work among those on the same platform. Apple and Google are developing a Bluetooth upgrade—Exposure Notifications Express—that could connect all users who opt in, in all states that opt in.
By now most jurisdictions—national, sub-national, and local—are sensitive to the privacy pitfalls surrounding COVID-19 contact-tracing systems. That doesn't mean that such issues are necessarily easily overcome. The Indian state of Uttar Pradesh, for example, has deployed contact-tracing technology in an effort to support containment of the pandemic, but researchers at vpnMentor found that multiple problems with that system combined to expose large quantities of personal data: "An unsecured git repository revealing technical information, including passwords to admin accounts on the platform and a SQL data dump. This made the platform’s admin dashboard accessible to anyone with the passwords taken from the git repository." Also, "a separate index of CSV files containing daily COVID-19 patient reports – accessible without a password or any other login credentials" was found.
vpnMentor offers a timeline of the incident, as they observed it. The researchers' scans detected open systems on August 1st, they reviewed and analyzed the data breach by August 9th, and on August 10th they contacted the Israeli embassy in New Delhi. CERT-IN was warned on August 27th, and again on September 7th. They contacted the Uttar Pradesh cybercrime unit on September 3rd. On September 10th Uttar Pradesh secured the data.
Dereliction of Duty.
Dexerto says 500 thousand Call of Duty accounts have been exposed in an Activision hack by unnamed actors. Account log-in information is rumored to have been leaked, and then altered so owners are locked out. But this rumor seems to be exaggerated, at least: Activision says there's been no compromise. Nonetheless, gamers are advised to change their passwords and update any duplicated passwords, unlink associated accounts, and delete saved payment information. Again, Activision itself denies that any customer accounts were compromised, Zee Business reports, but the company advises users to be on the qui vive, and to take sensible precautions against cyberattack.
An ounce of prevention.
NSA has put out two sets of cybersecurity tips designed for government employees but useful to anyone: one set is designed to help teleworkers identify and defeat threats, and the other is intended to help system administrators mitigate the impact of such threats, Security Week reports. Remote workers who spot problems can try resetting their router, updating their firmware, installing security software, or restoring their device to a previous state. System administrators should use strong VPNs and encryption protocols, and segregate operational from management traffic to quarantine infections, though these precautions are no substitute for regular network audits.