Welcome to the latest edition of Pardon The Intrusion, TNW’s bi-weekly newsletter in which we explore the wild world of security.
During the first wave of COVID-19, contact tracing apps were touted as THE BIG SOLUTION to tackling the pandemic. Most countries rolled out their own versions, and later Apple and Google together built a unified exposure notification API that works across Android and iOS. This is all well and good, but there’s been no actual evidence yet they’re helping to stop COVID-19.
Then there are the privacy and security worries. Contact tracing apps often rely on Bluetooth and location tracking as a means to alert people who’ve been near someone who has tested positive.
One such app is Aarogya Setu, which is the Indian government’s official nationwide coronavirus tracker. After concerns were repeatedly raised about the app’s use of GPS data, the Android version of the app was eventually open-sourced in May (the iOS version has not been made available to date).
But apparently, there’s more to worry about. India’s Central Information Commission has now warned the country’s Ministry of Electronics and Information Technology (MeitY) for “obstruction of information and providing an evasive reply” to questions raised by activist Saurav Das about the app’s conception, including details of private sector involvement.
MeitY did put out a statement to address the issue, insisting the “app has been developed in the most transparent manner and all details and documents including Privacy Policy and Aarogya Setu Data Access & Knowledge Sharing Protocols.”
While there is no denying contact tracing apps can be useful to track real-time spikes in exposures, transparency and accountability will go a long way towards instilling trust in the technology.
What’s trending in security?
The gang behind Maze ransomware shut down, offline messaging app Bridgefy added end-to-end encryption, and NSA whistleblower Edward Snowden was granted permanent residency in Russia.
WIRED’s Lily Hay Newman profiled Maddie Stone, who works for Google’s Project Zero elite bug-hunting team, tracking down some of the most severe vulnerabilities. “For me the driving factor of my work is how cool it would be if every person on Earth, regardless of how cheap or expensive their device, had safe and secure access to the internet. That could propagate to so many different parts of humanity,” says Stone. [WIRED]
Another long read. This time from Signal CEO Moxie Marlinspike, who is “trying to bring normality to the Internet.” [The New Yorker]
NSA whistleblower and privacy activist Edward Snowden was granted permanent residency in Russia. [Reuters]
Offline messaging app Bridgefy added support for end-to-end encryption, two months after researchers discovered a number of security flaws that could be used to deanonymize users, decrypt and read direct messages, and even shut down the network. [TechCrunch]
The group behind Maze ransomware shut down operations for good. [TechCrunch]
Singapore amended its Personal Data Protection Act (PDPA) to allow local businesses to use consumer data without prior consent for selective purposes, such as business improvement and research. The revised regulation also allows for harsher financial penalties to be meted out for data breaches, above the previous cap of SG$1 million. [ZDNet]
A data breach broker is selling account databases containing 34 million user records on behalf of a threat actor who broke into 17 companies this year. [Bleeping Computer]
The DHS, CISA, and FBI shared more info on how an Iranian state-sponsored hacking group was able to harvest voter registration data from U.S. state websites, including election sites. [CISA]
Grayshift, the maker of the GrayKey device used by law enforcement to break into encrypted iPhones, raised $47 million. [Grayshift]
Researchers managed to extract the secret key that encrypts microcode updates Intel provides to fix security vulnerabilities and other types of bugs in its CPUs. [Ars Technica]
The last fortnight in data breaches, leaks and ransomware: Dr. Reddy’s, Folksam, Gunnebo Group, Lazada RedMart, Lupin, Mattel, Nitro PDF, Sopra Steria, The Press Trust of India, True, and Vastaamo.
Data Point
Even as the US government is warning of ransomware attacks against healthcare systems, cybersecurity firm ESET’s Threat Report for Q3 2020 shows an almost 20% decline in ransomware activity in the quarter. Based on telemetry data, Win/Filecoder.WannaCryptor led the category with more than 52% of detections. The Win/Filecoder.Crysis family ranked second with 6.6%, followed by Win/Filecoder.Phobos with 4.7% of detections.
Tweet of the Week
Talk about an opsec fail! The US government charged 6 Russian intelligence officers last month for carrying out some of the most destructive cyberattacks. It turns out 3 of those indicted, and 46 others, all registered their vehicles to a non-existent apartment in Moscow: “Svobody 21В.”
That’s it. See you all in two weeks. Stay safe! Ravie x TNW (ravie[at]thenextweb[dot]com)