News for the cybersecurity community during the COVID-19 emergency: Thursday, April 30th, 2020. Daily updates on how the pandemic is affecting the cybersecurity sector.
Decentralized contact tracing (or exposure notification).
Apple and Google have released the first, “developer-focused” version of their jointly developed exposure notification API, TechCrunch reports. “Exposure notification” has replaced “contact tracing,” and that’s probably a more accurate description given the system’s decentralized design. The beta version allows developers to tailor alerts to specific exposure criteria, including proximity and duration, and it allows users to toggle their alerts on or off. Users may also opt in to sharing a COVID-19 diagnosis anonymously.
The Electronic Frontier Foundation (EFF) has expressed concerns, Threatpost says, that the exposure notification system suffers from a security vulnerability. There’s no reliable way, the EFF warns, of ensuring that the devices sending proximity warnings are in fact the devices they’re supposed to be, and that trolling can’t effectively be ruled out. “A well-resourced adversary could collect RPIDs [rolling proximity identifiers] from many different places at once by setting up static Bluetooth beacons in public places, or by convincing thousands of users to install an app. The tracker will receive a firehose of RPIDs at different times and places. With just the RPIDs, the tracker has no way of linking its observations together.”
And there are other problems with false positives that don’t require bad actors’ involvement. To take some of the examples the EFF considers—two cars with windows rolled up passing side-by-side in traffic, a patient near a nurse in full protective gear, and two people kissing—all these look about the same to Bluetooth.
The New York Times has a rundown of the concerns even decentralized exposure notification have raised.
Centralized contact tracing.
As the UK’s National Health Service proceeds with plans for a centralized contact tracing system, the Government Communications Headquarters (GCHQ) will receive such access to the NHS system as it requires to ensure the system’s integrity and security. “During the emergency, the network and information systems held by or on behalf of the NHS in England or those bodies which provision public health services in England must be protected to ensure those systems continue to function to support the provision of services intended to address coronavirus and Covid-19.” Computing and others quote GCHQ as saying that it has no interest in acquiring personal health data, and that the agency’s interest is solely the security of NHS systems.
Efficacy and mission creep.
ZDNet reports that more than one-hundred-seventy privacy and information security researchers in the UK have signed an open letter about NHSX’s development of a centralized COVID-19 contact tracing system. The signatories “urge that the health benefits of a digital solution be analysed in depth by specialists from all relevant academic disciplines, and sufficiently proven to be of value to justify the dangers involved.”
They have roughly speaking three questions. First, they wish for some reasonable assurance that any contact tracing system would actually work as intended, and help to control the pandemic. Second, while politely expressing their appreciation for NHS’s commitment to transparency, they ask for assurances that anonymized data won’t be de-anonymized to associate individuals with the information being collected. And, third, they’re concerned that the system might be adapted to other purposes and retained even after it had served its purpose and the UK has emerged from the pandemic: “Finally, we are asking NHSX how it plans to phase out the application after the pandemic has passed to prevent mission creep.”
Doxing WHO, and others.
Following up on the release of credentials belonging to the World Health Organization, the Gates Foundation, and other groups involved in one way or another with attempts to control the COVID-19 pandemic, the Washington Post cites a study by the SITE Intelligence Group that connects the doxing to an American conspiracy theorist. The identity of the conspiracy theorist is so far unknown.
The Post characterizes the evidence as follows: “Based on comments and links on various social media sites that appear to be from the same person, however, SITE determined that the initial poster probably was an American who espoused conspiracy theories popular on the political right, including that government officials and news organizations are exaggerating covid-19 death counts to manipulate the public.”
SITE speculates, again on the basis of comments and links, that the goal of the doxing was to facilitate further compromise of organizations the conspiracy theorist believed complicit in various forms of misbehavior with respect to the pandemic. It’s of course entirely possible that there’s little or no hidden misbehavior of the sort the conspiracies envision. The leaked credentials aren’t new: they’re believed to derive from material posted online as early as 2016.
“Flattening the curve of cybercrime”: apparently we’re still waiting.
Bitdefender has taken a look at cyber criminals’ activity during the pandemic and concluded that all of the warnings about cybercrime, as good and widely received as they’ve been, really haven’t produced much of a reduction. They saw a fivefold increase in COVID-19-themed cyberattacks during March, and they think it likely that when April’s returns are in they’ll see a comparable rise.
A lot of the crime is conventional fraud and phishing with clickbait that appeals to the victims’ fears about the coronavirus. But the New York Police Department is seeing a more repellent form of criminal extortion: some hoods, the Daily Beast reports, are threatening to infect victims’ families with COVID-19 should the victims fail to pay protection. The racket is about as empty a threat as such an extortion scheme can be, and the NYPD wants people who receive the threat to recognize it as a bluff.
With that in mind one might turn to a Digital Shadows report on the apparently softer, more human side of the criminal underworld: “Charitable Endeavors on Cybercriminal Forums.” There’s some chatter, probably posted with a mixture of cunning, idleness, and a very small dollop of sincerity, that urges participants in criminal fora to engage in charity, diverting some of their take to the care of widows and orphans, and to other good causes.
The apparent nod toward the true worship commended in the Letter of St. James aside, the chatter is interesting because it shows another way in which criminal markets mimic legitimate ones, not only with customer service, competitive pricing, and other features of commerce, but even with gestures toward social responsibility and even philanthropy.
Some of the criminals are having none of it, pointing out that the sort of crime they’re engaged in is by its very nature immoral, and that therefore inter scelus silent leges; morality just isn’t in the picture. Others seem to worry about “karma,” a vague and unorthodox (in the Hindu sense) that the cosmos itself will exact some retribution for their crimes. They have some notion of making a kind of expiation for their crimes, and in a few cases there may actually be some serious purpose of amendment.
Some of the images Digital Shadows posts suggest that the donations they’ve attracted and perhaps even sought to deliver to the needy have tended to be pretty mingy. A note below one array of small toys and personal sanitation products suggests, with an obscenity in demotic American English, that the hoods themselves find their community’s altruism disappointing.
So, an interesting light on a corner of the criminal market. But don’t build too many hopes on the Robin Hood urge. Remember how those promises to leave hospitals alone worked out.