At a glance.
- NSA and CISA issue a factsheet on secure use of VPNs.
- Edtech software may expose student data.
- Campus Wi-Fi's evil twin.
- FinSpy grows more evasive.
- Private vaccine passport app exposes user data.
Security agencies warn of VPN challenges.
The US National Security Agency and the Cybersecurity and Infrastructure Security Agency have jointly published an information sheet on securing virtual private networks (VPNs) against attack. VPN appliances are frequently targeted by nation-state actors, who exploit vulnerabilities in them to steal data or gain a foothold in corporate networks. To reduce that exposure, the sheet recommends choosing VPN products from the National Information Assurance Partnership (NIAP) Product Compliant List, whose entries have completed independent evaluation. It also recommends enforcing multi-factor authentication, applying security patches promptly so that known vulnerabilities are closed, and disabling every feature not needed for the VPN function, since each one widens the attack surface.
Educational software exposes student data.
During the height of the pandemic many schools came to depend on virtual education software for distance learning, and the 74 Million reports that one such product potentially exposed the data of millions of students. Examining Netop's Vision Pro classroom-monitoring software, used by some 9,000 school systems to let teachers keep tabs on students' school-issued devices, researchers at McAfee found four critical vulnerabilities: teacher-student communications were sent unencrypted, and the flaws could let an attacker hijack student devices. McAfee explains, “The hacker could enable webcams and microphones on the target system, allowing them to physically observe your child and their surrounding environment.” Netop was notified and fixed most of the issues earlier this year, but the incident adds to the security problems seen recently at education surveillance vendors such as ProctorU and Gaggle.
Evil twin Wi-Fi pilfers university credentials.
Also in the world of education, researchers at WizCase found a configuration weakness affecting eduroam, the roaming Wi-Fi service that gives students and staff free network access at universities and other higher-education institutions. A simple configuration error, a device set up to join eduroam without verifying the identity of the authentication server it hands its credentials to, lets an attacker stand up a malicious duplicate eduroam network, an “evil twin,” which users' devices join automatically and to which they present their username and password. It is worth noting that the problem is not strictly eduroam's fault; it stems from incomplete setup instructions distributed by individual institutions' administrators. When notified, eduroam responded, “We are indeed occasionally made aware of eduroam Identity Providers who do not follow the requirements of the eduroam policy, and leave their own users unprotected. We are absolutely in line with your thinking that this is an unacceptable behaviour on their end.”
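What that configuration error looks like in practice, as an added example (not code from WizCase, eduroam or any institution): the Python script below lints wpa_supplicant network blocks for the server-validation settings an eduroam identity provider's setup guide should require. The two profiles embedded in it are constructed samples; the CA file path, the `example.edu` realm and the RADIUS host name are placeholders.

```python
"""Lint wpa_supplicant network blocks for WPA2-Enterprise (eduroam-style)
profiles that would hand credentials to an evil-twin access point."""
import re

# Constructed sample: what a "type your username and password" guide produces.
# No ca_cert, so the supplicant accepts whatever RADIUS certificate the AP
# it is talking to presents, including one served by an evil twin.
WEAK_CONF = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.edu"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
"""

# Constructed sample: same credentials, but the server must present a chain
# to the pinned institutional CA and a name ending in the IdP's domain.
HARDENED_CONF = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@example.edu"
    identity="alice@example.edu"
    password="hunter2"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/example-edu-radius-ca.pem"   # placeholder path
    domain_suffix_match="radius.example.edu"             # placeholder host
}
"""

NETWORK_BLOCK = re.compile(r"network=\{(.*?)\}", re.S)


def parse_network_blocks(conf):
    """Return one {key: value} dict per network={...} block (quotes stripped)."""
    blocks = []
    for body in NETWORK_BLOCK.findall(conf):
        params = {}
        for raw in body.splitlines():
            line = raw.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            # drop a trailing comment, then surrounding quotes
            value = value.split("#", 1)[0].strip().strip('"')
            params[key.strip()] = value
        blocks.append(params)
    return blocks


def audit_block(params):
    """Findings for one block; an empty list means server validation is in place."""
    if params.get("key_mgmt", "").upper() not in ("WPA-EAP", "WPA-EAP-SHA256"):
        return []  # PSK / open networks: no RADIUS server to validate
    findings = []
    if not (params.get("ca_cert") or params.get("ca_path")):
        findings.append("no ca_cert/ca_path: any RADIUS server certificate is accepted")
    if not any(params.get(k) for k in ("domain_suffix_match", "domain_match", "altsubject_match")):
        findings.append("no server name match: any certificate from a trusted CA is accepted")
    if params.get("eap", "").upper() in ("PEAP", "TTLS") and not params.get("anonymous_identity"):
        findings.append("no anonymous_identity: real username travels in the clear in the outer EAP-Identity")
    return findings


def audit(conf):
    """(ssid, findings) for every network block in a wpa_supplicant config string."""
    return [(b.get("ssid", "?"), audit_block(b)) for b in parse_network_blocks(conf)]


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        for ssid, findings in audit(conf):
            print(f"[{label}] {ssid}: {'OK' if not findings else ''}")
            for f in findings:
                print("   -", f)
```

Run it as a script or import `audit` against a real `/etc/wpa_supplicant/wpa_supplicant.conf`. Without `ca_cert` the supplicant completes the PEAP/MSCHAPv2 inner exchange against the evil twin, giving the attacker a challenge-response that can be cracked offline; `domain_suffix_match` closes the remaining gap where any certificate from the pinned CA would still be accepted. Windows, Android and macOS supplicants expose the same two controls under different names, and the eduroam CAT installers exist precisely to set them for the user.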
Stealthy FinSpy attack dodges detection.
Kaspersky’s researchers have found that the FinSpy spyware (also sold as FinFisher) can take over a Windows machine’s UEFI boot process in order to infect the target. The lawfulness of this “lawful interception” product has been questioned before, and now Security Week reports that FinSpy’s installer replaces the Windows boot manager with a malicious loader, a UEFI bootkit, that gains control before the operating system and its security tools start, getting past the firmware-level checks that would otherwise catch it. Updates made since 2018 also wrap the spyware in four layers of obfuscation to frustrate analysis. “The amount of work put into making FinFisher not accessible to security researchers is particularly worrying and somewhat impressive...It seems like the developers put at least as much work into obfuscation and anti-analysis measures as in the Trojan itself,” said Kaspersky’s Igor Kuznetsov.
Vaccine passport suffers a data exposure incident.
CBC News reports that Portpass, a private vaccine-passport app widely used in Canada, has experienced a data exposure incident. The CBC says that the data at risk of compromise include "email addresses, names, blood types, phone numbers, birthdays, as well as photos of identification like driver's licences and passports." Trevor Morgan, product manager with comforte AG, sees this sort of carelessness with data as making its own unfortunate contribution to vaccine skepticism:
"According to the report, the sensitive data including driver’s license information was not encrypted and could be easily viewed in plain text. Political views aside, this type of exposure is a main reason that many in the general public look askance at mandatory digital and mobile-based vaccine information—unless the app vendor goes to great lengths to apply data-centric security such as format-preserving encryption or tokenization to protect sensitive data by obfuscating sensitive data elements, situations like this one will happen again and again, and people will hesitate to adopt such tools. Any time an organization collects and processes people’s health information, it has the ultimate responsibility to protect that data and ensure it is never presented in readable format to unauthorized users. Situations like this definitely do not get a pass!"
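Tokenization, which Morgan mentions alongside format-preserving encryption, is easier to see in code. The Python sketch below is an added example, not Portpass's or comforte's code: the application stores only a format-preserving surrogate for a driver's licence number, while the real value lives in a separate vault that releases it only to an authorised role. The licence-number format, the role names and the in-memory vault are assumptions for illustration.

```python
"""Illustrative tokenization vault with format-preserving surrogates."""
import hmac
import secrets
import string


class TokenVault:
    """Segregated vault: the only component that ever holds real values.

    The application database keeps the token. A dump of that database, the
    kind of exposure described above, yields surrogates that reveal nothing
    without a detokenize call the vault authorises separately.
    """

    def __init__(self, authorised_roles=("identity-verifier",)):   # assumed role name
        self._authorised_roles = frozenset(authorised_roles)
        self._token_to_value = {}
        self._index_to_token = {}                  # keyed by HMAC(value), not by value
        self._index_key = secrets.token_bytes(32)  # secret; manage like any other key

    def _index(self, value):
        """Lookup key so the same document number always maps to one token."""
        return hmac.new(self._index_key, value.encode(), "sha256").hexdigest()

    @staticmethod
    def _surrogate(value):
        """Random surrogate with the same shape: digits stay digits, letters stay
        letters (case kept), separators are kept. Downstream validation and
        display code keeps working on the token unchanged."""
        out = []
        for ch in value:
            if ch.isdigit():
                out.append(secrets.choice(string.digits))
            elif ch.isalpha():
                pool = string.ascii_uppercase if ch.isupper() else string.ascii_lowercase
                out.append(secrets.choice(pool))
            else:
                out.append(ch)
        return "".join(out)

    def tokenize(self, value):
        idx = self._index(value)
        if idx in self._index_to_token:
            return self._index_to_token[idx]
        while True:
            token = self._surrogate(value)
            # Surrogates are random: reject the rare identity mapping and any
            # collision with a token already issued.
            if token != value and token not in self._token_to_value:
                break
        self._token_to_value[token] = value
        self._index_to_token[idx] = token
        return token

    def detokenize(self, token, role):
        if role not in self._authorised_roles:
            raise PermissionError(f"role {role!r} is not allowed to detokenize")
        return self._token_to_value[token]


def same_shape(a, b):
    """True if a and b match in length and in character class at every position."""
    if len(a) != len(b):
        return False
    return all((x.isdigit(), x.isalpha(), x.isupper()) == (y.isdigit(), y.isalpha(), y.isupper())
               for x, y in zip(a, b))


def store_passport_record(vault, name, licence_number):
    """What the app persists: name plus token. The licence number never lands here."""
    return {"name": name, "licence_token": vault.tokenize(licence_number)}


if __name__ == "__main__":
    vault = TokenVault()
    row = store_passport_record(vault, "A. Example", "AB-123456")   # constructed sample
    print("app row:", row)                                          # surrogate only
    print("verifier sees:", vault.detokenize(row["licence_token"], "identity-verifier"))
```

The vault is in-memory here to keep the example self-contained; a real one runs as a separate service with its own access controls and audit log and encrypts what it holds at rest, and the HMAC index key is a secret in its own right. Format-preserving encryption produces the same shape-preserving output without a lookup table, trading the vault for management of the FPE key.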