At a glance.
- Credential breach at digital collectible shop Quidd.
- Tax fraud enabled by accounting firm breach.
- Concerns about Zoom's privacy continue.
- Apple reports on the privacy of its COVID-19 contact-tracking project.
Stolen Quidd credentials offered on a hacking forum.
Risk Based Security reports finding almost four million user credentials for the "digital collectible" trading app Quidd posted to an online hackers' forum. They weren't being sold, merely posted, and they've been taken down at least once only to reappear. You may or may not be particularly interested in digitized collectibles. ("Like paper money being replaced by electronic payments and online banking, Quidd is ushering in the digitization of collecting, owning, and exchanging fine art, memorabilia, and collectibles. We're currently working on transforming over 2.1B virtual items into investment-grade assets," says Quidd's self-description on CrunchBase.) But Risk Based Security notes that the credentials include email addresses, which makes the breach potentially significant for business email compromise purposes.
Data breach at accounting firm enables fraudulent tax filings.
Criminals are paying their customary respects to income tax season, CyberScoop notes, filing returns with stolen taxpayer data in order to illicitly obtain refunds. In one noteworthy case they were able to use data stolen from a large California accounting firm, Weber and Company, to file the fraudulent returns. The firm's disclosure said the data the hackers got may have included names, addresses, Social Security numbers, W-2 and 1099 Forms, and bank account information, including routing numbers. Both the FBI and IRS are investigating.
Remote work remains pervasive, but concerns about Zoom persist.
Zoom itself has scrambled to close security and privacy holes, and The Verge reports that the company has decided to give paying customers the option of choosing the call center through which their traffic will be routed. That is, they can opt to keep their traffic out of China. Fast Company has a balanced overview of where Zoom can and cannot be trusted. CTO Vision for its part sends Zoom what amounts to a fan letter—it’s still their favorite “business grade” collaboration tool. The article praises Zoom for the work it’s done to address security and privacy issues, and argues that it’s better to trust a responsive company than one that never gets around to fixing things. It’s true that Zoom has been responsive, but some of its issues, notably the involvement of Chinese companies in producing its code, are tougher to untangle.
Zoom’s exploding market share has drawn a plague of hackers. BleepingComputer says that over half a million Zoom accounts are on offer in dark web souks. Some are free and some go for pennies. Others are pricier but still affordable, as these things go. More expensive are the exploits on offer. Mashable reports that these can command as much as $30,000 on the black market.
Apple describes privacy protections for its COVID-19 Triage Tools.
Apple responded to an inquiry from the US Senate about the implications of the contact tracking tools Cupertino is working to develop. The company said its agreement with the US Department of Health and Human Services specifies that the “COVID-19 Triage Tools” it develops will have strong privacy safeguards. Any sharing of data or analytics with the Centers for Disease Control will be anonymized, aggregated, and delivered only with the expressly given consent of the user. Information will be further disclosed to third parties only when such disclosure is required by law.
Apple’s screening site and the associated app are not, Apple thinks, subject to HIPAA (the Health Insurance Portability and Accountability Act). This is mostly because the users enter their own data, and no “covered entity” (like a healthcare provider, health insurance company, or healthcare clearinghouse) is touching the data. That said, Apple claims that it intends to “meet some of the technical safeguard requirements of HIPAA, such as access controls and transmission security.”
Apple says it collects “only the information necessary to support the operation of the COVID-19 website and app, such as users’ usage of the tool and app; this information does not include information entered by individuals. Apple only retains this information for so long as is necessary to support the operation of the COVID-19 website and app. Information no longer needed is deleted or rendered permanently unrecoverable in accordance with industry standards.”
The company says that users can access their personal information through Apple’s global privacy portal. There won’t, however, be much personal information there, as Apple says it’s strongly committed to data minimization. And Apple says it will refrain from using any data it collects with the tools for commercial purposes, and it will not sell any of those data to third parties.
In answer to the Senators' questions about cybersecurity, Apple repeated the standard sorts of reassurances it could offer with respect to its products generally. Data transmitted between users’ devices and Apple is encrypted with Transport Layer Security to protect it in transit. The company’s formal change management process will ensure that new versions of its code are appropriately tested for security before deployment. And access to both data and source code will be restricted to authorized personnel only.