At a glance.
- Hupigon RAT is back.
- Contact tracing and its implications for privacy.
- National approaches to contact tracing and quarantine enforcement.
Hupigon remote access Trojan is back, again.
Proofpoint reports that the venerable Hupigon remote access Trojan—venerable by Internet standards, since it's been around since 2006—has been repurposed to lure American university students with adult-themed dating phishbait designed to attract the lovelorn and insufficiently skeptical. While Hupigon has been used by state-sponsored organizations, Proofpoint thinks that in this present round it's being distributed by criminal gangs with commonplace criminal goals. But should you receive an offer to get to know Ashley, a student who’s “looking for adventure,” or to make the acquaintance of Lora, an artist who “loves funny men,” please do think twice. You will receive a nice helping of Hupigon, whose features include, Proofpoint says, giving “access [to] the infected machine,” “rootkit functionality, webcam monitoring, and the ability to log keystrokes and steal passwords.”
Contact-tracing app update.
Android Police describes how Apple and Google intend to make their contact-tracing technology more private, and more acceptable. One change is in branding: they now refer to their technology as an "exposure notification apparatus," which the companies believe better captures the tech's purpose, and which in their view sounds less intrusive and not so threatening. A device with the app installed would use Bluetooth Low Energy to ping other Android or iOS devices within, roughly, ten to fifteen feet (about three to four-and-a-half meters). The entire process is voluntary: not only would users have to opt-in, but they'd also have to self-report any positive COVID-19 diagnosis. Bluetooth metadata would be encrypted, and the generation of ID keys will be completely randomized. The apparatus is expected to become available in mid-May.
National approaches to contact tracing.
With Apple refusing to budge on privacy standards, Reuters reports that Germany yesterday abandoned its plans for a centralized approach to contact tracing. Berlin had through Friday at least strongly favored the Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT) system. The reversal means Germany is likely to adopt the exposure notification apparatus Apple and Google have been working on.
The UK's National Health Service (NHS) is working to build trust in its own version of a Bluetooth Low Energy contact-tracing system, according to ComputerWeekly. NHSX, the Service's "digital innovation unit" hopes to field its app, which is based on work done by Oxford University’s Nuffield Departments of Medicine and Population Health, soon. It's being tested at a Royal Air Force facility in Yorkshire.
Indonesia has also deployed its own version of a Bluetooth Low Energy based proximity tracer, PeduliLindungi, the Jakarta Post writes. Concerns being expressed locally, at least according to the Post, are more about security than privacy: people are being warned to keep their Bluetooth devices up-to-date.
Given that most of the decentralized systems are opt-in, how many people are actually opting in? About 1.9 million in Indonesia (a country of 268 million) according to the Jakarta Post. Norway's Smittestop system has done better: Forbes says more than 1.4 million Norwegians have downloaded the app, which for a country of less than 5.4 million isn't that bad.
For an account of some recent work on contact tracing, see the CyberWire's Research Saturday for 4.25.20.