News for the cybersecurity community during the COVID-19 emergency: Monday, May 18th, 2020. Daily updates on how the pandemic is affecting the cybersecurity sector.
In contact tracing, privacy is up, but efficacy may be down. And criminals like hitting APIs.
Privacy, interoperability, and contact tracing.
ComputerWeekly reports signs that the National Health Service's contact-tracing system, now being piloted on the Isle of Wight, may be about to undergo a major reinvention. At issue is the centralized approach to data collection and use. Privacy concerns have apparently been sufficiently widespread to induce NHS to consider moving to a decentralized approach to the problem. The London office of Swiss firm Zuhlke Engineering has received "a multimillion-pound contract" from NHSX that observers believe may be connected to development of a decentralized contact-tracing app.
Quartz has an account of how the two basic approaches to contact tracing (or exposure notification) are being followed in different countries, contrasting Germany's attempt to develop a decentralized system with the centralized approach being taken in Australia. ZDNet reports that Australia's Digital Transformation Agency has provided details of the COVIDSafe "trace tracking application," including the decision to use Amazon Web Services for key elements of the system. The decentralized exposure notification system developed by Apple and Google has, the Wall Street Journal reports, been overcoming initial skepticism among European governments as they've come to place a greater emphasis on privacy. But the Washington Post writes that health officials are complaining that the decentralized system is of little value to them in tracking and isolating infection.
Different national systems in Europe are groping toward interoperability. TechCrunch describes the ways in which it remains unclear how well national apps will cross borders.
Reassessing expectations of privacy during the pandemic.
Privacy concerns have been widespread, and not only in the UK. They've especially come to the fore with the expanded attack surface remote work presents, and given public health organizations' desire to collect data that may help identify and isolate COVID-19 infections in the hope of containing the spread of the disease. Some see the pandemic as forcing a reassessment of privacy.“The coronavirus has forced us to re-evaluate many fundamental beliefs, including our expectations of privacy,” John Dermody, counsel in the Washington, D.C., office of international law firm O’Melveny & Myers and member of the firm’s Data Security & Privacy Group. He sees a potential "evolution" in data sharing and protection practices:
“When it comes to COVID contact tracing, privacy and public health imperatives are aligned. Contact tracing applications are only going to be effective if there is widespread adoption and regular use. And that is only going to happen if people trust that their data will protected and used appropriately.
“Hackers will pursue that data not just for its value, but potentially for the more nefarious goal of seeding distrust in the public health response. Protecting the security of the information will be a no fail mission."
Dermody's colleague, Scott Pink, who works in O'Melveny's Silicon Valley offices, added, “Many privacy laws allow for the collection and sharing of data in a public health emergency and in response to governmental requests." US privacy law remains a patchwork of state regulations, but California’s Consumer Protection Act "offers the country’s most comprehensive privacy protections." Pink says:
“CCPA provides California consumers important rights to notice and rights to know, access, delete and say no to the sale of tracking information and not to be discriminated against for exercising these rights. However, some of those rights may be trumped by a company’s obligation to comply with public health agency requests, so there will be a tension between an individual’s CCPA rights and a company’s obligations."
Criminals under lockdown prefer attacking APIs.
On op-ed in Infosecurity Magazine describes the threat bots pose to APIs. Three of the common attacks are account takeover attacks, automated account creation, and web scraping. These techniques are showing up at increased rates during the COVID-19 pandemic. Cequence Security, in a post “Tales from the Front Lines: Attackers on Lockdown Focus on APIs,” sees a lot of activity (including bot activity) directed against API endpoints. If the criminals are also in lockdown, they appear to have more time to focus their efforts, and APIs seem to have become attractive targets. Jason Kent, research team member and Cequence hacker in residence, explained the issue in an email, and argued that malicious bot traffic calls for a response based on artificial intelligence:
"Legitimate traffic represents revenue, and operations teams want to make sure their revenue-generating traffic is prioritized and able to flow. From an operational perspective, then, organizations have to take on the greater load from their attackers, or their applications are going to start to perform poorly. How can you ensure that these expensive infrastructure investments are paying off? As malicious bot traffic keeps increasing, AI will be key in helping mitigate against these attacks."
Laurence Pitt, Technical Security Lead at Juniper Networks, offered an account of why such APIs represent attractive targets under current conditions:
“The API as an attack vector is common because of the rich rewards which can be reaped from a successful breach, or the damage to the business from bots overwhelming the service and causing a Denial of Service for valid customers. These attacks will continue to escalate, so developers need to look at how to limit the value for anyone gaining access. If they are unable to steal useful information (data or code), the API becomes less attractive as a target.
“There are different ways to lock-down an API, but in many cases, it is enough to ensure that it uses HTTPS for communication so that network traffic cannot easily be sniffed. Combine with additional authentication for access – perhaps using certificates for sensitive data – and the API now has protection in place.
“Secure communication is not a perfect method as it will not prevent access from a stolen credential set. Still, it does prevent bots (or meddling researchers, sometimes!) from sniffing the internet to find out what’s exposed. To further strengthen security, the company controlling the API must ensure that they are not sharing information considered as sensitive when viewed publicly.”
Unemployment fraud during the pandemic.
US state agencies administering unemployment relief funds are experiencing a surge in both legitimate and fraudulent claims as COVID-19 takes a toll on jobs, the Washington Post reports. The New York Times sees weak identity verification systems as the root of the fraud problem.
Here are some notes on issues in various states. Late last week the state of Washington halted payments when, as the Seattle Times writes, authorities determined that criminals had skimmed some $1.6 million in relief funds during April, up from a mere $40 thousand lost to fraud in March. Arkansas sustained a data breach Friday night when an applicant gained unauthorized access to a site established to provide unemployment assistance during the pandemic, KNWA reports. And the Chicago Tribune records that Illinois Governor Pritzker has disclosed that his state's unemployment system has sustained a data breach that exposed the personal information on thousands of applicants for aid.
Some of the fraud is domestic, of course, but KrebsOnSecurity reports that the US Secret Service warns that much of it originates from Nigerian gangs long famous for advance fee scams. They're taking advantage of the crisis to tap emergency unemployment funds.
Economic notes from the state of emergency.
The Sovereign Wealth Fund Institute circulates more evidence from CompTIA that IT jobs have lost much of the security they may have been thought to enjoy. Some 112,000 IT jobs were lost in the US during April.
And while there are indications that venture capital has pulled in its horns during the state of emergency, there are signs that tech sector consolidation at least may be poised to continue as before. "The coronavirus has brought a halt to many things, but it has not prevented consolidation in the channel from continuing at a steady pace," ComputerWeekly reports.