News for the cybersecurity community during the COVID-19 emergency: Tuesday, April 14th, 2020. Daily updates on how the pandemic is affecting the cybersecurity sector.
High traffic and online mischief strain systems.
Pressure to provide online services strains governments.
Both attacks and legitimate demands on information services are stressing enterprises during the COVID-19 pandemic. As public services in the US have been driven online, the Wall Street Journal reports that state agencies involved in providing services to citizens—especially those that administer unemployment claims—are struggling to maintain (or achieve) enough capacity to handle demand. The Journal singles out New York, Colorado, and Oregon as particularly hard-hit, but adds that other states are feeling similar pressure.
US Department of Defense reports a surge in cyber espionage.
That surge is directed mostly at individuals, especially those who hold clearances, according to USA Today. It’s most manifest in a significant increase in spearphishing, and the Pentagon points to the usual suspects as the source of the attempts: Russia, China, North Korea, and Iran.
Disinformation: a long game.
The New York Times claims that Russia has been running a long campaign aimed at undermining the authority of US scientific consensus on a range of topics, but especially on health-related and biomedical research. The “decade long” disinformation campaign is said to have promoted quack treatments and questionable research, “undermining major institutions” and rendering outbreaks of disease more serious. The report sees some of the effects of that campaign manifesting themselves in the response to the COVID-19 pandemic. It’s a long game, and the goal is the usual one of darkening counsel and sowing mistrust.
Contact-tracking development proceeds, and privacy hawks are skittish.
A number of companies (most famously Apple and Google, rivals now cooperating on a common challenge) and governments are interested in developing and using contact-tracking tools to help follow and contain the transmission of the coronavirus. The Telegraph points out the difficulties of applying either Bluetooth or GPS to that challenge. There are technical obstacles to be overcome quite apart from the privacy issues the technologies raise.
Apple responded to an inquiry from the US Senate about the implications of the contact tracking tools Cupertino is working to develop. The company said its agreement with the US Department of Health and Human Services specifies that the “COVID-19 Triage Tools” it develops will have strong privacy safeguards. Any sharing of data or analytics with the Centers for Disease Control will be anonymized, aggregated, and delivered only with the expressly given consent of the user. Information will be further disclosed to third parties only when such disclosure is required by law.
Apple’s screening site and the associated app are not, Apple thinks, subject to HIPAA (the Health Insurance Portability and Accountability Act). This is mostly because the users enter their own data, and no “covered entity” (like a healthcare provider, health insurance company, or healthcare clearinghouse) is touching the data. That said, Apple claims that it intends to “meet some of the technical safeguard requirements of HIPAA, such as access controls and transmission security.”
Apple says it collects “only the information necessary to support the operation of the COVID-19 website and app, such as users’ usage of the tool and app; this information does not include information entered by individuals. Apple only retains this information for so long as is necessary to support the operation of the COVID-19 website and app. Information no longer needed is deleted or rendered permanently unrecoverable in accordance with industry standards.”
The company says that users can access their personal information through Apple’s global privacy portal. There won’t, however, be much personal information there, as Apple says it’s strongly committed to data minimization. And Apple says it will refrain from using any data it collects with the tools for commercial purposes, and it will not sell any of those data to third parties.
In answer to the Senators' questions about cybersecurity, Apple repeated standard sorts of reassurances that could be offered with respect to its products generally. Data transmitted between users’ devices and Apple is encrypted with Transport Layer Security to protect it during transport. The company’s formal change management process will ensure that new versions of its code will be appropriately tested for security before fielding. And access to both data and source code will be restricted to authorized personnel only.
The Washington Post summarizes the fears that public health measures, driven by fear of the pandemic, will lead to a general erosion of privacy and increase in government surveillance.
The contrary view can be found in Foreign Affairs, which has a long and exasperated op-ed on the tension between privacy and public health. The author argues that seeing such tension as an insurmountable obstacle to tracking the pandemic presents a false dilemma and a lazily drawn dichotomy, that there’s no devil’s pact necessarily involved, and that clear-eyed application of sound practices should enable governments, companies, and individuals to slip between the horns of that false dilemma.
Telework comes to the courthouse.
Telework has even entered the courthouse. Law360 says the US Supreme Court will begin hearing oral arguments via teleconferencing, and the New York Law Journal reports that New York State courts will expand their “virtual courts” even as they place a hold on new filings.
Remote work remains pervasive, but concerns about Zoom persist.
It’s not clear what tools the courts will use, but Zoom has clearly been the most widely employed teleconferencing service used by businesses and many government agencies. Military.com reports that Zoom’s now well-known struggles with privacy and security have induced the US Department of Defense to place most versions of the service off-limits to most of its organizations, and GCN says that the US Department of Homeland Security’s Immigration and Customs Enforcement has cautioned its personnel and contractors not to rely on Zoom.
Zoom itself has scrambled to close security and privacy holes, and The Verge reports that the company has decided to give paying customers the option of choosing the data center region through which their traffic will be routed. That is, they can opt to keep their traffic out of China. Fast Company has a balanced overview of where Zoom can and cannot be trusted. CTO Vision for its part sends Zoom a mash note: it’s still their favorite “business grade” collaboration tool. The article praises Zoom for the work it’s done to address security and privacy issues, and argues that it’s better to trust a responsive company than one that never gets around to fixing things. It’s true that Zoom has been responsive, but some of its issues, notably the involvement of Chinese companies in producing its code, are tougher to untangle.
Zoom’s exploding market share has drawn a plague of hackers. BleepingComputer says that over half-a-million Zoom accounts are on offer in dark web souks. Some are free and some go for pennies. Others are pricier but still affordable, as these things go. More expensive are the exploits on offer. Mashable reports that these can command as much as $30,000 on the black market. Zoom’s troubled success has also drawn the attention of competitors: Microsoft, according to the Wall Street Journal, is pushing its Teams as a superior alternative.
Lots of phishing going on.
COVID-19 phishing expeditions continue, directed against both organizations and individuals. The attempts against organizations haven’t spared either hospitals or medical research organizations. VentureBeat has the dismal story, as told to them by Palo Alto Networks’ Unit 42.