At a glance.
- Avaddon hits political parties on opposite sides of the globe.
- Peloton deals with an API vulnerability.
- Privacy risks of fertility apps.
- Fraudulent biotech sites pose a privacy threat.
Maltese political party hit by Avaddon ransomware.
Malta’s Nationalist party was hit by a ransomware attack, Lovin Malta reports, and while the attackers have graciously extended the ransom deadline, party leaders say they have no intention of paying up. The attackers are allegedly demanding a ransom of €5,000 in exchange for data stolen in a mid-April Avaddon malware attack. While some of the data have already been leaked on the web, the hackers moved the deadline from the end of April to this Friday, allowing the party a few more days to prevent the release of the rest of the documents. However, officials have made it clear they will not negotiate. Maltese magistrate Victor Axiaq is leading a magisterial inquiry.
Avaddon also attacks NSW Labor Party.
Meanwhile in Australia, the New South Wales Labor Party was also the target of a ransomware attack by the Avaddon threat group, Brisbane Times reports. The attackers acquired sensitive documents from the party’s system including passport images, driver’s licenses, and employment contracts. They’ve given the party ten days to comply, otherwise they will not only release the data but also potentially launch a distributed denial-of-service attack. As this is the latest in a string of attacks down under, Defence Minister Peter Dutton suggested earlier this week that the country’s cyber spy agency would need to improve its strategies in order to better protect the nation against these incidents.
Peloton API breached.
Researchers at Pen Test Partners disclosed that they had discovered a vulnerability in Peloton’s API that allowed an unauthorized individual to access users’ private data, including location, gender, age, and live class statistics, even when the class was in private mode. When first notified of the security flaw back in January, the company acknowledged receipt but ignored subsequent inquiries asking what action was being taken. Peloton quietly and partially resolved the issue a few days later, blocking access to unauthenticated intruders but leaving the data exposed to any attacker willing to sign up for a membership.
After ninety days of the cold shoulder, Pen Test reached out to a journalist at TechCrunch who also happens to be a Peloton user, grabbing his attention immediately by sending him a screenshot of his private data. “My Peloton profile is set to private and my friend’s list is deliberately zero, so nobody can view my profile, age, city, or workout history,” journalist Zack Whittaker recounted. “But a bug allowed anyone to pull users’ private account data directly from Peloton’s servers, even with their profile set to private.” The journalist’s firsthand experience was apparently enough to make Peloton shift gears, as they quickly repaired the issue and released an official statement. “We took action, and addressed the issues based on his initial submissions, but we were slow to update the researcher about our remediation efforts,” Peloton spokesperson Amelise Lane explained. “Going forward, we will do better to work collaboratively with the security research community and respond more promptly when vulnerabilities are reported.” But the question remains why the bug existed at all, and why Peloton was so slow to address it. As Jason Kent of Cequence Security told Threatpost, “Companies that make bicycles aren’t the greatest source of trusted data exchanges or data storage, and thus these tools should be locked down as tightly as possible.”
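The two stages of the flaw described above (no check at all, then a login check that still let any member read anyone's profile) are worth seeing side by side. The following Python sketch is a constructed illustration added here, not Peloton's code; the user ids, tokens, field names and the friends-based visibility rule are invented for the example.

```python
"""Constructed example of the authorization gap in the Peloton API story.
v1: no authentication at all.  v2: authentication only (the partial fix).
v3: object-level authorization against the target profile's own privacy setting."""

# Constructed sample records standing in for the fields the researchers could read.
PROFILES = {
    "u1": {"age": 41, "gender": "m", "city": "NYC", "private": True, "friends": {"u2"}},
    "u2": {"age": 29, "gender": "f", "city": "LDN", "private": False, "friends": {"u1"}},
}
# Session tokens -> user ids. "tok-u3" is a freshly signed-up member with no profile.
SESSIONS = {"tok-u1": "u1", "tok-u2": "u2", "tok-u3": "u3"}
PUBLIC_FIELDS = ("age", "gender", "city")


class Forbidden(Exception):
    """Raised when the requester may not read the target profile."""


def profile_v1(target, token=None):
    """Original flaw: any caller, authenticated or not, gets the full record."""
    return {k: PROFILES[target][k] for k in PUBLIC_FIELDS}


def profile_v2(target, token):
    """Partial fix: a valid session is required, but the target's privacy
    setting is never consulted, so any member can read any other member."""
    if token not in SESSIONS:
        raise Forbidden("login required")
    return {k: PROFILES[target][k] for k in PUBLIC_FIELDS}


def can_view(requester, target):
    """Object-level rule (assumed for the example): owner, public profile,
    or an approved friend may read; everyone else is refused."""
    p = PROFILES[target]
    return requester == target or not p["private"] or requester in p["friends"]


def profile_v3(target, token):
    """Hardened: authenticate, then authorize against the specific object."""
    requester = SESSIONS.get(token)
    if requester is None:
        raise Forbidden("login required")
    if not can_view(requester, target):
        raise Forbidden("profile is private")
    return {k: PROFILES[target][k] for k in PUBLIC_FIELDS}


def try_profile(fn, target, token):
    """Helper for comparing the three versions: data on success, None on refusal."""
    try:
        return fn(target, token)
    except Forbidden:
        return None
```

Running the three versions against the same private profile shows that v1 and v2 both hand a stranger the data while v3 refuses it but still serves the owner, friends, and public profiles.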
Jason Kent, Hacker in Residence at Cequence Security, sees the problems as the sort that can arise during periods of rapid corporate growth:
"One of the biggest trends sparked by COVID, Peloton, is now realizing the impact fast growth can have if you don’t take appropriate security measures into account. With 4.4 million members on the platform, the company’s foundation is in building a workout community no matter where users are - allowing friends, family members and even strangers to exercise “together” while being apart in these uncertain times. But in doing so, have they put the community at risk?
"The world of API security is set in 2009’s web security paradigm and many of the same flaws we already know how to fix are present in APIs. Experian, John Deere, and now a major consumer brand have been breached within the last month via their APIs because of immaturity in the way security on APIs is being handled. The leaky Peloton API is just the latest example of how hard it can be for API developers to get authentication just right. In needing to build an API that allows some users to share information and build community, while respecting those who want privacy by ensuring the data is secure, they have risked all user data. The information might not show in the application itself, but developers and security teams need to also confirm that the APIs themselves conform to the security measures in place. If 2013 was the year of the web attack, 2021 is shaping up to be the year of the API attack. Organizations need to react quickly to first, find all of their API endpoints and secondly, understand their security posture."
Uriel Malmon, senior director of emerging technologies at PerimeterX, noted the complexity of contemporary apps, and of the unpredictable ramifications of the vulnerabilities that arise in them:
“Modern web apps are no longer the monolithic, UI-centric, custom-built applications of the early Internet. Today’s web is geared towards devices, communication with other apps and with human users. Modern web apps utilize standardized components rather than being all built in-house. While this has vastly accelerated the speed and agility of bringing digital technology to market, it is also a fertile ground for security issues. For example, the fact that API communication is “invisible” to humans makes it harder to test in traditional QA settings. And the mixing of various components, most of which are not developed in-house, causes a lack of clarity about where verification or validation should happen. Modern apps built with components are also open to abuse anywhere in the “supply chain” of components that make up a site.
"It’s important to remember that when sensitive information leaks, it doesn’t affect just the website that leaked it. The users can be affected for years to come in completely unexpected ways. For example private information can be used to create synthetic identities that are then used to generate fraudulent credit card or loan applications which inevitably affects the original users but also the financial institution. It also affects the original website whose brand and image will inevitably suffer and whose reporting obligations and liability may be very costly.
"Web app security is everyone’s problem, and we must all work together to make the web a safer place.”
Peloton, makers of the popular smart exercise bikes and treadmills that helped lockdown shut-ins sweat away their pandemic stress, is having a rough ride in other respects, so the news about its API comes at a difficult time for the company. Quartz reports that the US Consumer Product Safety Commission (CPSC) announced a recall of Peloton’s Tread+ and Tread treadmills after reports that children and small pets were injured by the machines, even resulting in one death. Less than a month ago, when the reports first came to light, Peloton minimized the issue and called the CPSC’s warnings misleading. However, apparently experts at backpedaling, they’ve changed tone with the recall announcement. Peloton CEO John Foley stated, “I want to be clear, Peloton made a mistake in our initial response to the Consumer Product Safety Commission’s request that we recall the Tread+. We should have engaged more productively with them from the outset. For that, I apologize.”
Privacy risks of highly rated fertility apps.
A study conducted by the UK’s Newcastle University and Sweden’s Umeå University shows that many leading fertility tracking apps are sharing data without users’ permission, EurekaAlert reports. The study examined the privacy practices of thirty of the fertility apps with the highest ratings in the Google Play Store and found that most of these platforms are breaking General Data Protection Regulation (GDPR) legislation, on average activating 3.8 trackers immediately upon installation, before the user has even seen the privacy notice. The data entered by users are by their nature extremely intimate, including stats about sexual activity and medical information, classified by the GDPR as “special category” data worthy of stronger regulation. However, most of the apps are categorized in app stores as “Health & Fitness” instead of “Medical.” Dr. Teresa Almeida of Umeå University’s Department of Informatics stated, "While digital health technologies help people better manage their reproductive lives, risks increase when data given voluntarily are not justly protected and data subjects see their reproductive rights challenged to the point of e.g. personal safety."
Ilia Kolochenko, CEO, Founder and Chief Architect at ImmuniWeb, thinks a resolution won't be technically trivial for whatever app store handles products that deal in such private, sensitive matters:
“From a technical viewpoint, it’s an arduous task for Google to control applications’ privacy. Google is already undertaking a considerable amount of effort to scan Google Play apps for malware and simple OWASP Mobile Top 10 vulnerabilities.
"An application’s privacy, however, almost always requires human effort and solid legal expertise. Moreover, some of the data protection and privacy practices, taking place on the application developer’s side, are impossible to be properly verified unless you perform a comprehensive on-site audit.
"The reported violations of privacy undoubtedly violate GDPR and most other modern privacy laws such as CCPA in California, LGPD in Brazil or PDPA in Singapore. Moreover, in some jurisdictions including some EU countries, intentional misuse and mishandling of sensitive PII may trigger a criminal prosecution in addition to harsh monetary penalties imposed by GDPR.
"In view of the aggressive privacy enforcement and regulatory regime in the EU, we may expect that Google will sooner or later be held liable for wrongful privacy practices of Google Play mobile applications. On one side, it will provide greater certainty and safety to the users, on the other, Google will likely shift the cost of privacy audits to the developers. This will make the app marketplace much less competitive by pushing SMEs away by exorbitant costs.”
Possible privacy implications of fraudulent biotech websites.
COVID-19 scams, whether counterfeited vaccination records or bogus nostrums, continue to be hawked online, but they’re also attracting more attention from law enforcement. The Wall Street Journal reports that demand for such things is particularly high in Europe, which has seen more delays and stoppages in vaccination than have the UK, Israel, and the US, but of course the problem isn’t exclusively an Old World one. The US Food and Drug Administration this week announced that the US Attorney for the District of Maryland had taken down a fraudulent website misrepresenting itself as a biotechnology company working on COVID vaccines. It’s the ninth such bogus site the Feds have taken down during the pandemic.
Eric Howes, Principal Lab Researcher at KnowBe4, commented on the potential privacy implications of sites like the one seized by the US Justice Department:
"A couple of things strike me about today's report that federal authorities have seized and shut down a domain purporting to be the website of a vaccine manufacturer.
"First, the domain itself and the operation associated with it illustrate just how useful the COVID-19 pandemic has been for malicious actors looking to cash in on other people's misery. A bogus vaccine website offers bad actors a wide range of potential social engineering schemes, from offers for free access to vaccine supplies to bogus investment schemes. COVID-19 has been the gift that keeps on giving for fraud artists over the past year.
"Second, while authorities are to be lauded for shutting down this domain, one wonders how many more of them pushing similar fraudulent schemes are out there on the internet. Dozens? Hundreds? Thousands? Moreover, how long will it be before the parties behind this operation simply set up another domain and continue their operations?
"Third, authorities claim that this fraudulent website 'was allegedly used to collect the personal information of individuals visiting the site, in order to use the information for nefarious purposes.' Setting aside the COVID-19 angle of this particular website, that allegation accurately describes the main purpose or function of thousands, if not millions of websites.
"'Personal information' is the lifeblood of innumerable operations on the web, ranging from legitimate social media platforms to online advertising networks and onto outright criminal schemes, such as the one shut down by federal authorities today. And users have historically proven all too willing to provide their private information in exchange for something of dubious value or benefit, despite those users claiming in poll after poll to be very concerned about their own personal privacy online."