More stories

  • Surprise! iOS 14.8 for iPhone is out

    We’ve known it was on the way for a few weeks, and now it’s finally here. Ahead of tomorrow’s Apple event — where we’re likely to see the new iPhone and a release date for iOS 15 — iOS 14.8 is out. According to Apple, this release contains two security updates and is recommended for all users. Both of the security vulnerabilities patched “may have been actively exploited,” which makes this update all the more important to install. As to whether this update contains any other surprises, we’ll have to wait and see. I’ll post a rundown of any other changes I see shortly. There’s also an iPadOS 14.8 for iPad users. To install the update, go to Settings > General > Software Update and download it from there.

  • Over 60 million wearable, fitness tracking records exposed via unsecured database

    An unsecured database containing over 61 million records related to wearable technology and fitness services was left exposed online.

    On Monday, WebsitePlanet, together with cybersecurity researcher Jeremiah Fowler, said the database belonged to GetHealth.  Based in New York, GetHealth describes itself as a “unified solution to access health and wellness data from hundreds of wearables, medical devices, and apps.” The firm’s platform is able to pull health-related data from sources including Fitbit, Misfit Wearables, Microsoft Band, Strava, and Google Fit.  On June 30, 2021, the team discovered a database online that was not password protected.  The researchers said that over 61 million records were contained in the data repository, including vast swathes of user information — some of which could be considered sensitive — such as their names, dates of birth, weight, height, gender, and GPS logs, among other datasets.  While sampling a set of approximately 20,000 records to verify the data, the team found that the majority of data sources were from Fitbit and Apple’s HealthKit.
    “This information was in plain text while there was an ID that appeared to be encrypted,” the researchers said. “The geo location was structured as in “America/New_York,” “Europe/Dublin” and revealed that users were located all over the world.”

    “The files also show where data is stored and a blueprint of how the network operates from the backend and was configured,” the team added. References to GetHealth in the 16.71 GB database indicated the company was the potential owner, and once the data had been validated on the day of discovery, Fowler privately notified the company of his findings. GetHealth responded rapidly and the system was secured within a matter of hours. On the same day, the firm’s CTO reached out, informed him that the security issue was now resolved, and thanked the researcher.  “It is unclear how long these records were exposed or who else may have had access to the dataset,” WebsitePlanet said. “[…] We are not implying any wrongdoing by GetHealth, their customers, or partners. Nor, are we implying that any customer or user data was at risk. We were unable to determine the exact number of affected individuals before the database was restricted from public access.” ZDNet has reached out to GetHealth with additional queries and we will update when we hear back.

  • Zoom unveils new security features including end-to-end encryption for Zoom Phone, verified identities and more

    Zoom announced a slate of new security features users can take advantage of as the school year begins and millions continue to work and learn remotely. At Zoomtopia, the company announced that end-to-end encryption, which it rolled out last October in Zoom Meetings, will now be available for Zoom Phone users. Zoom Phone users can upgrade to end-to-end encryption “during one-on-one phone calls that occur via the Zoom client.” “During a call, users can click ‘More’ to find the option to enable end-to-end encryption. The upgrade takes under a second and helps users get security protection against server compromise,” the company explained in a statement. “Users can optionally exchange security codes over the voice channel to rule out the presence of a ‘meddler in the middle.’ E2EE for Zoom Phone will be available in the coming year.” Zoom also announced two other features designed to enhance the security of its platform: Bring Your Own Key (BYOK) and Verified Identity.

    BYOK was designed to help customers who have to deal with stringent compliance requirements or data residency needs. The tool allows users to manage their own encryption keys, creating a system where people will own and manage a key management system in AWS. The system will contain a customer master key that Zoom cannot access or see.

    “Zoom will interact with the customer’s KMS to obtain data keys for encryption and decryption and will use these data keys to encrypt and decrypt customer assets before those assets are written to long-term storage. Zoom will not store plaintext data keys in long-term data storage,” Zoom explained in a statement. “BYOK is a separate offering from E2EE and is not designed for real-time use cases like streaming video. It’s best used for the secure storage of larger assets, such as recording files. BYOK will roll out as a customer beta in the coming months for recordings for Zoom Meetings, recordings for Zoom Video Webinars, Zoom Phone voicemails and recordings, and calendar for Zoom Rooms.”

    Verified Identity was built to help address the growing sophistication of social engineering and phishing attacks. The Verified Identity feature allows users to determine if a meeting guest is actually who they say they are. Zoom said the tool would help users who deal with classified information, specialized services and more. Multi-factor authentication is used to vet users entering a meeting. The tool asks you to identify your role in an organization, your credentials and the network you use. It also provides information about your device, authentication apps, codes, biometrics and email addresses. It also uses passwords, security questions and profile information to verify users. “To make attestation and authentication integral to the Zoom experience, we’re working with Okta to help verify users as they join Zoom Meetings. Once they’re in a meeting, a user will have a checkmark next to their name and can share their verified profile information — including name, email address, and company domain — with meeting participants,” Zoom explained. “Meeting hosts can use in-meeting security controls to remove a participant if for some reason they are not verified, or the displayed information seems incorrect. Displaying verified profile information via Okta will be available sometime next year and is the start of Zoom’s long-term identity attestation and verification initiative strategy.”
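    The BYOK description above is the envelope-encryption split: the customer’s KMS holds the master key and only wraps and unwraps data keys, while the service encrypts assets with those data keys and persists only the wrapped copy next to the ciphertext. The following is an added example that models that split, not Zoom’s code. The `CustomerKMS`, `ServiceStorage` and `encrypt`/`decrypt` names are this example’s own, and AES is replaced by a constructed HMAC-SHA256 keystream cipher with an encrypt-then-MAC tag so it runs on the Python standard library alone; that cipher is an illustration stand-in, not a production choice.

```python
"""Envelope encryption with a customer-held master key (BYOK pattern).

Added example, not Zoom's code. The customer's KMS keeps the master key and
only wraps/unwraps per-asset data keys; the service encrypts assets with those
data keys and stores only the wrapped data key beside the ciphertext, never
the plaintext data key. AES is replaced by a constructed HMAC-SHA256 keystream
cipher (assumption for illustration, not a production cipher).
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Constructed stand-in for AES-CTR: keystream block i = HMAC(key, nonce || i).
    out = bytearray()
    for i in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i * 32:(i + 1) * 32], block))
    return bytes(out)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Fresh nonce per message; tag covers nonce and ciphertext (encrypt-then-MAC).
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("ciphertext or wrapped key failed authentication")
    return _keystream_xor(key, nonce, ct)


class CustomerKMS:
    """Customer-operated key management: the master key never leaves this object,
    every use is logged for the customer, and the customer can disable it."""

    def __init__(self) -> None:
        self._master_key = secrets.token_bytes(32)
        self._enabled = True
        self.audit: list[str] = []

    def generate_data_key(self) -> tuple[bytes, bytes]:
        # Returns (plaintext data key, data key wrapped under the master key).
        self._check()
        self.audit.append("GenerateDataKey")
        dk = secrets.token_bytes(32)
        return dk, encrypt(self._master_key, dk)

    def unwrap(self, wrapped: bytes) -> bytes:
        self._check()
        self.audit.append("Decrypt")
        return decrypt(self._master_key, wrapped)

    def disable(self) -> None:
        # Customer revokes the service's access; stored assets stay unreadable.
        self.audit.append("DisableKey")
        self._enabled = False

    def _check(self) -> None:
        if not self._enabled:
            raise PermissionError("customer master key is disabled")


class ServiceStorage:
    """Service side: long-term storage holds only ciphertext plus the wrapped
    data key; the plaintext data key is used in memory and then dropped."""

    def __init__(self, kms: CustomerKMS) -> None:
        self.kms = kms
        self.records: dict[str, tuple[bytes, bytes]] = {}

    def store(self, asset_id: str, asset: bytes) -> None:
        dk, wrapped = self.kms.generate_data_key()
        self.records[asset_id] = (wrapped, encrypt(dk, asset))
        del dk  # the plaintext data key is never persisted

    def retrieve(self, asset_id: str) -> bytes:
        wrapped, ct = self.records[asset_id]
        return decrypt(self.kms.unwrap(wrapped), ct)


if __name__ == "__main__":
    kms = CustomerKMS()
    storage = ServiceStorage(kms)
    storage.store("recording-1", b"constructed meeting recording bytes")
    print(storage.retrieve("recording-1"))
    kms.disable()
    print(kms.audit)
```

    The property worth checking in a real deployment is the one the statement makes: nothing in long-term storage (the `records` dict here) can be turned back into a recording without a call to the customer’s KMS, so disabling the master key, or reading the KMS audit log, is entirely in the customer’s hands.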

  • This is how a cybersecurity researcher accidentally broke Apple Shortcuts

    A Detectify researcher has explained how an investigation into Apple CloudKit led to the accidental downtime of Shortcuts functionality for users. 

    In March, Apple users began to report error messages when they attempted to open shared shortcuts. As noted by 9to5Mac, this bizarre issue was of particular concern to content creators who shared shortcuts with their followers via iCloud, who suddenly found their links were broken. Reports began to surface on March 24. A day later, the iPad and iPhone maker told MacStories editor-in-chief Federico Viticci that the company was “working to restore previously shared shortcuts as quickly as possible.” According to Detectify Knowledge Advisor and bug bounty hunter Frans Rosén, the root cause of the issue was a misconfiguration flaw he accidentally stumbled upon — and triggered — in Apple CloudKit. On Monday, Rosén published details on the situation, in which he was examining the security of Apple services. Rosén’s exploration began in February, and in particular, he wanted to investigate the CloudKit framework, a platform for creating containers suitable for data storage in the Apple ecosystem. Rosén says that he noticed that many of Apple’s own applications stored information in databases based on CloudKit. He was “curious” to know if any specific apps’ data could be modified by obtaining access to their public CloudKit containers. The researcher found that various APIs were being used to connect to CloudKit. According to Rosén, there are three scopes in the containers: Private (information is only accessed by you), Shared (shareable between users), and Public (accessible to anyone). Zones are also set with varying permission levels.

    Rosén began testing these permissions and found several vulnerabilities in CloudKit relating to iCrowd+, Apple News, and Shortcuts which permitted him to tamper with content, including stock entries. The most prominent and public issue, found in Shortcuts during March, “caused all Shortcut sharing links to break, and it was quickly noticed amongst Apple users, media reporters, and especially Shortcuts fans,” Detectify said. According to Rosén, he had previously tested different ways to delete public zones and permission was always denied — however, in the Shortcuts CloudKit database, the researcher was surprisingly able to create zones and was also given an “OK” message in an attempt to delete a default zone. A misconfiguration on Apple’s part caused this. “All of them were gone,” the researcher said. “I now realized that the deletion did somehow work, but that the _defaultZone never disappeared. When I tried sharing a new shortcut, it also did not work, at least not to begin with, most likely due to the record types also being deleted.” At this point, Rosén reached out to Apple’s security team, who asked him to stop testing immediately. Apple Security then set to work resolving the issue, restoring Shortcuts functionality and patching the problem in the process by refining its security controls and removing the options to both create new and delete existing public zones. It should be noted that the break did not allow the researcher access to any user or sensitive data.

    While accidental and causing not only panic for the researcher but also unintentional downtime for users, Rosén was awarded a $28,000 bug bounty for his discovery via the Apple Security Bounty program. “Approaching CloudKit for bugs turned out to be a lot of fun, a bit scary, and a really good example of what a real deep-dive into one technology can result in when hunting bugs,” Rosén commented. “The Apple Security team was incredibly helpful and professional throughout the process of reporting these issues.” The vulnerabilities in iCrowd+ and Apple News also earned him bounties of $12,000 and $24,000. “We would like to thank this researcher for working side by side with us to keep our users and their data safe,” an Apple spokesperson told ZDNet. “He immediately reported his actions so that we were able to quickly fix the issues documented and restore functionality after the researcher unintentionally disrupted the ability to use iCloud sharing links for Shortcuts.”

  • Singapore moots 'foreign interference' law with powers to issue online platforms take-down order

    Singapore has mooted new laws that will arm the government with the ability to issue directives to various platforms, including social media and websites, to remove or block access to content deemed part of hostile information campaigns. The proposed Foreign Interference (Countermeasures) Bill aims to detect and prevent foreign interference in local politics, conducted through such campaigns and the use of local proxies. The country’s Ministry of Home Affairs (MHA) on Monday unveiled details of the proposed bill in parliament, describing foreign interference as a serious threat to its political sovereignty and national security. “During a hostile information campaign, hostile foreign actors can seek to mislead Singaporeans on political issues, stir up dissent and disharmony by playing up controversial issues such as race and religion, or seek to undermine confidence and trust in public institutions,” the ministry said in a statement. 

    It noted that online comments critical of Singapore saw “abnormal” spikes on social media when the country faced bilateral issues with another country in late 2018 and 2019. MHA further pointed to instances in recent years where social media and communications technologies were used as vehicles to carry “covert, coordinated, and sophisticated” online information campaigns. These sought to push the interests of one country against other nations by manipulating public opinion on domestic political issues in the targeted nation, the ministry said. It cited foreign actors that set up troll farms ahead of the 2020 US presidential elections to highlight controversial domestic issues and promote or discredit certain candidates. There also were efforts to discredit the US government’s handling of the COVID-19 pandemic and sow scepticism of Western-developed vaccines. Hostile foreign actors used a range of tactics and tools to interfere in domestic political discussions, including bots on social media or creating inauthentic accounts to mislead users about their identity.

    MHA said: “As an open, highly digitally-connected, and diverse society, Singapore is especially vulnerable to foreign interference. To counter this evolving threat, we are strengthening our detection and response capabilities, as well as Singaporeans’ ability to discern legitimate and artificial online discourse.”

    “To complement these efforts, our laws need to evolve, just as other countries have introduced new laws to tackle foreign interference. This bill will strengthen our ability to counter foreign interference, and ensure that Singaporeans continue to make our own choices on how we should govern our country and live our lives.”

    The Foreign Interference Bill would give MHA the powers to issue directives to various entities, such as social media, providers of relevant electronic services–including messaging apps and search engines–and internet access services, and owners of websites, blogs, and social media pages, to help authorities investigate and counter hostile communications that originate overseas. Because hostile information campaigns used sophisticated and covert methods, the bill would empower MHA to issue “technical assistance directions” to these entities on which “suspicious content” was carried, which then would have to disclose information authorities needed to ascertain if the communications were carried out on behalf of a foreign principal. For instance, these foreign actors might use fake accounts and bot networks that were highly sophisticated. Relevant authorities then would require information that resided within the social media companies to ascertain if foreign principals were behind these hostile information campaigns. Technical assistance directions would be issued if MHA had suspicions of plans to conduct an online communication activity in Singapore or on behalf of a foreign actor, and the ministry deemed it in the public interest to issue the directive.

    In addition, “account restriction directions” would be issued to social media and relevant electronic services operators to block content, from accounts used in hostile information campaigns, from being viewed in Singapore. MHA also would be able to issue take-down content orders, which would be needed for content that could cause “immediate and significant harm” in Singapore, the ministry said. These included inciting violence or causing hostility between groups. Should internet intermediaries or communicators fail to comply with such directives, MHA might order internet services providers to block access to the content through an “access blocking direction”. Service restriction directions would require the relevant platforms to take “practicable and technically feasible actions” to restrict the dissemination of content used in hostile information campaigns. These could include disabling or limiting functions that allowed content to become viral, according to MHA. An “app removal direction” also could be issued to require an app distribution service to stop apps, known to be used by foreign principals to conduct such campaigns, from being downloaded in Singapore. The bill would not apply to Singaporeans expressing their personal views on political issues, unless they were agents of a foreign entity, MHA said. Foreigners and foreign publications reporting or commenting on Singapore politics in an “open, transparent, and attributable way” also would not be subject to the new rules. Singapore in May 2019 passed its Protection from Online Falsehoods and Manipulation Act (POFMA), following a brief public debate, which took effect in October 2019. The bill was passed amidst strong criticism that it gave the government far-reaching powers over online communication and would be used to stifle free speech as well as quell political opponents.

  • WhatsApp details plans to offer encrypted backups

    WhatsApp announced on Friday it will be offering its users end-to-end encrypted backups later this year. Users will have a choice for how the encryption key used is stored. The simplest is for users to keep a record of the random 64-digit key themselves, akin to how Signal handles backups, which they would need to re-enter to restore a backup. The alternative would be for the random key to be stored in WhatsApp’s infrastructure, dubbed a hardware security module-based (HSM) Backup Key Vault that would be accessible via a user-created password. “The password is unknown to WhatsApp, the user’s mobile device cloud partners, or any third party. The key is stored in the HSM Backup Key Vault to allow the user to recover the key in the event the device is lost or stolen,” the company said in a white paper [PDF]. “The HSM Backup Key Vault is responsible for enforcing password verification attempts and rendering the key permanently inaccessible after a certain number of unsuccessful attempts to access it. These security measures provide protection against brute force attempts to retrieve the key.” For redundancy purposes, WhatsApp said the key would be distributed through multiple data centres that operate on a consensus model.
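    The vault behaviour described above (a client-generated 64-digit key, password-gated recovery, a failed-attempt counter, and destruction of the key once the limit is hit) is small enough to model end to end. The following is an added example written for this page, not WhatsApp’s code or a description of its white paper’s internals: the `HSMBackupKeyVault` class, the attempt limit of 5, the PBKDF2 password verifier and the per-account slot layout are all assumptions, since the article states only that a limit exists and that the provider learns nothing about the password.

```python
"""Model of a password-gated backup key vault with a hard attempt limit.

Added example, not WhatsApp's code. The client generates a 64-digit backup
key; the vault keeps it behind a user-chosen password it can verify but not
learn, counts failed attempts, and destroys the key when the limit is reached.
Attempt limit, PBKDF2 verifier and slot layout are assumptions of this example.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import string

MAX_ATTEMPTS = 5        # assumed limit; the article gives no number
PBKDF2_ROUNDS = 50_000  # assumed work factor for the password verifier


def generate_backup_key() -> str:
    """Client-side: a random 64-digit key, the form the article describes."""
    return "".join(secrets.choice(string.digits) for _ in range(64))


def _verifier(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class HSMBackupKeyVault:
    """Vault boundary: only a salted password verifier, the key and a failure
    counter live inside; callers outside can learn whether a key exists but can
    only obtain it by presenting the password."""

    def __init__(self, max_attempts: int = MAX_ATTEMPTS) -> None:
        self.max_attempts = max_attempts
        self._slots: dict[str, dict] = {}

    def enroll(self, account: str, password: str, backup_key: str) -> None:
        salt = secrets.token_bytes(16)
        self._slots[account] = {
            "salt": salt,
            "verifier": _verifier(password, salt),  # password itself is not kept
            "key": backup_key,
            "failures": 0,
        }

    def key_exists(self, account: str) -> bool:
        # All the provider learns: whether a recoverable key is present.
        slot = self._slots.get(account)
        return slot is not None and slot["key"] is not None

    def recover(self, account: str, password: str) -> str:
        slot = self._slots.get(account)
        if slot is None or slot["key"] is None:
            raise LookupError("no recoverable key for this account")
        if hmac.compare_digest(_verifier(password, slot["salt"]), slot["verifier"]):
            slot["failures"] = 0
            return slot["key"]
        slot["failures"] += 1
        if slot["failures"] >= self.max_attempts:
            # Permanently inaccessible: the key and verifier are wiped, so an
            # online guessing attempt gets at most max_attempts tries in total.
            slot["key"] = None
            slot["verifier"] = None
            raise PermissionError("attempt limit reached; key destroyed")
        remaining = self.max_attempts - slot["failures"]
        raise ValueError(f"wrong password, {remaining} attempt(s) remaining")


if __name__ == "__main__":
    vault = HSMBackupKeyVault()
    key = generate_backup_key()
    vault.enroll("user@example", "constructed-password", key)
    print(vault.recover("user@example", "constructed-password") == key)
```

    The design point the article makes is carried by `recover`: because the counter and the wipe live inside the vault boundary, the password does not have to be strong enough to resist offline brute force, only strong enough that a handful of online guesses will not hit it.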

    WhatsApp said it would only know that a key exists in its vault, and would not know the key itself. The backups would store message text, as well as photos and videos received, WhatsApp said. “The backups themselves are generated on the client as data files which are encrypted using symmetric encryption with the locally generated key,” the Facebook-owned company said. “After a backup is encrypted, it is stored in the third party storage (for example iCloud or Google Drive). Because the backups are encrypted with a key not known to Google or Apple, the cloud provider is incapable of reading them.” Earlier this year, WhatsApp delayed enforcing a take-it-or-leave-it update to its privacy terms until May. WhatsApp originally presented users with a prompt to accept its new privacy terms by February 8, or risk not being able to use the app. In the wording used, WhatsApp said the policy would change how it partnered with Facebook to “offer integrations”, and that businesses could have used Facebook services to manage WhatsApp chats. By June, WhatsApp eventually dumped its update plans.

  • Ransomware groups continue assault on healthcare orgs as COVID-19 infections increase

    Ransomware groups have shown no signs of slowing down their assault on hospitals, seemingly ramping up attacks on healthcare institutions as dozens of countries deal with a new wave of COVID-19 infections thanks to the potent Delta variant. Vice Society, one of the newer ransomware groups, debuted in June and made a name for themselves by attacking multiple hospitals and leaking patient info. Cybersecurity researchers at Cisco Talos said Vice Society is known to be “quick to exploit new security vulnerabilities to help ransomware attacks” and frequently exploits Windows PrintNightmare vulnerabilities during attacks. 

    “As with other threat actors operating in the big-game hunting space, Vice Society operates a data leak site, which they use to publish data exfiltrated from victims who do not choose to pay their extortion demands,” Cisco Talos explained last month. Cybersecurity firm Dark Owl added that Vice Society is “assessed to be a possible spin-off of the Hello Kitty ransomware variant based on similarities in the techniques used for Linux system encryption.” They were implicated in a ransomware attack on the Swiss city of Rolle in August, according to Black Fog.

    Image: The Vice Society leak site (Cisco Talos)
    Multiple hospitals — Eskenazi Health, Waikato DHB and Centre Hospitalier D’Arles — have been featured on the criminal group’s leak site and the group made waves this week by posting the data of Barlow Respiratory Hospital in California. The hospital was attacked on August 27 but managed to avoid the worst, noting in a statement that “no patients were at risk of harm” and “hospital operations continued without interruption.” Barlow Respiratory Hospital told ZDNet that law enforcement was immediately notified once the hospital noticed the ransomware impacting some of its IT systems.

    “Though we have taken extensive efforts to protect the privacy of our information, we learned that some data was removed from certain backup systems without authorization and has been published to a website where criminals post stolen data, also known as the ‘dark web.’ Our investigation into the incident and the data that was involved, is ongoing,” the hospital said in a statement. “We will continue to work with law enforcement to assist in their investigation and we are working diligently, with the assistance of a cybersecurity firm, to assess what information may have been involved in the incident. If necessary, we will notify the individuals whose information may have been involved, in accordance with applicable laws and regulations, in due course.” The attack on Barlow caused considerable outrage online considering the hospital’s importance during the COVID-19 pandemic. But dozens of hospitals continue to come forward to say they have been hit with ransomware attacks. Vice Society is far from the only ransomware group targeting hospitals and healthcare institutions. The FBI released an alert about the Hive ransomware two weeks ago after the group took down a hospital system in Ohio and West Virginia last month, noting that they typically corrupt backups as well. Hive has so far attacked at least 28 organizations, including Memorial Health System, which was hit with a ransomware attack on August 15. Ransomware groups are also increasingly targeting hospitals because of the sensitive information they carry, including social security numbers and other personal data. Multiple hospitals in recent months have had to send letters out to patients admitting that sensitive data was accessed during attacks. Simon Jelley, general manager at Veritas Technologies, called targeting healthcare organizations “particularly despicable.” “These criminals are literally putting people’s lives in danger to turn a profit. The elderly, children and any others who require medical attention likely will not be able to get it as quickly and efficiently as they may need while the hackers hold hospital systems and data prisoner,” Jelley said. “Not to mention that healthcare facilities are already struggling to keep up as COVID-19 cases surge once again in many places across the country. Preventing ransomware attacks is a noble effort, but as illustrated by the Memorial Health System attack and so many others like it in recent months, preparation for dealing with the aftermath of a successful attack is more important than ever.”

  • Assume breach position does not mean firms get to skip due diligence in cybersecurity

    Another week, another data breach, and this time involving another communications services provider in Singapore. With cybersecurity incidents now seemingly commonplace, more organisations must be realising it’s only a matter of time before they get hit, but they’ll be wrong to assume it’s their advance-to-go card and they get to skip doing their due diligence in safeguarding customer data. MyRepublic on Friday said personal data of 79,388 of its mobile subscribers was compromised, following a security breach on a third-party data storage platform. The affected system had contained identity verification documents needed for mobile services registration, including scanned copies of local customers’ national identity cards and residential addresses of foreign residents. I asked MyRepublic if the data storage service was cloud-based and whether it was the only client affected by the breach, but it declined to provide specifics citing confidentiality and security reasons.

    It did reveal, however, that it was informed of the breach by “an unknown external party” on August 29, which was the date it said the “unauthorised data access” was uncovered. It since had been plugged and the incident “contained”, MyRepublic said. The internet services provider is the third here to be hit by a cybersecurity breach in just six months. Just in August, local telco StarHub said a file containing personal data of its customers had been found on a dump site. The file contained mobile numbers, email addresses, and identity card numbers of 57,191 individuals who had subscribed to StarHub’s services before 2007. Apart from broadband and mobile, the telco also offers pay TV services in Singapore. All affected customers were from its consumer business. Earlier in February, Singtel said personal details of 129,000 customers including name, date of birth, mobile number, and physical address, were compromised in a security breach that involved the third-party file-sharing system, FTA. Launched by US cloud service provider Accellion 20 years ago, the FTA product was nearing retirement and had vulnerabilities that were not properly patched, impacting several organisations and their customers including Shell and Morgan Stanley. In Singtel’s case, financial details of employees of a corporate client also were compromised in the breach.

    In their respective security incidents, both MyRepublic and StarHub highlighted that financial details such as credit card and bank account information were not affected. They also noted that none of their own systems were compromised. However, that should bring little comfort since third-party and supply chain attacks are on the rise, paving multiple ways for cybercriminals to breach their eventual targets–any organisation with access to large volumes of consumer data. Furthermore, there’s little indication that organisations are taking the necessary steps to ensure their entire supply chain is resilient and secured. Are they constantly assessing the security posture of their third-party suppliers? Would MyRepublic have known there was a data breach if the “unknown external party” had not raised the alarm? When I asked MyRepublic when it last assessed security measures implemented by the affected data storage vendor, it would not specify a date. It said only that it “regularly” reviewed such measures internally and externally, including those of the third-party vendor implicated in the breach. Wouldn’t it be able to easily provide a specific date of its last assessment if that was the case? And should this be made a mandatory provision when companies report a security incident, alongside other details such as how the breach occurred and the parties involved in the breach? The data storage vendor wasn’t named in the MyRepublic breach, which should lead to further questions about whether other businesses, and their customer data, also were impacted.

    All customer data should be properly secured

    Furthermore, that security breaches did not compromise financial data does not make these leaks any less critical. Singapore is small, with few key players in the telecoms market. Chances are subscribers here would have been customers of all three telcos at some point, which further increases the likelihood they were affected by all three breaches that occurred. This, in effect, means various aspects of their personal information, spanning their date of birth, national identity number, physical address, and mobile number, can be put together to establish a more complete profile. It also means cybercriminals will be able to use these different datasets of personally identifiable information (PII), pulled together from separate security breaches, to clear security questions or verify and assume the identity of their victims. They can convince banks to issue replacement credit cards in the victim’s name, even if no financial data was compromised in any of the security breaches.

    A data breach involving any PII should be a concern, especially as cyber threats and risks from third-party attacks continue to increase. At a panel discussion in Estonia this week, Singapore’s Minister for Communications and Information Josephine Teo described cybersecurity as a “wicked” challenge that could not be completely resolved. This, in fact, prompted the country to change its cybersecurity posture from one focused on prevention, to one of an “assume breach” position, Teo said. With this mindset, it assumes systems have been breached or compromised, according to the minister, who pointed to the need for constant vigilance and monitoring to identify breaches. She said it was critical for governments to already have in place response mechanisms to swiftly recover in the event of a breach, including having clear communications to maintain public trust. But while it is true that it’s no longer a question of “if” but “when” organisations experience a security breach, this shouldn’t mean they can afford to take their feet off the accelerator in doing their due diligence and what is necessary to keep their customer data safe. An “assume breach” approach has motivated enterprises to focus on recovery and response, which in itself isn’t wrong, because it pushes these companies to minimise disruptions to service delivery. It also ensures they are able to quickly contain the breach and recover lost data. However, it can divert attention and investment away from threat monitoring and prevention, which are equally as important. In addition, risk management efforts typically will see companies putting more focus on securing more critical data–commonly perceived to be financial and payment details, or the company’s intellectual property assets.

    This sometimes means other non-financial customer data will be tagged less critical and parked away in a third-party or public cloud-based data storage platform, where security measures may not be as closely or regularly assessed by the organisation. It is likely the reason why, when security incidents occur, affected systems would contain personal customer data such as their mobile number or national identification number, but not their bank or credit card details. Organisations have a responsibility to safeguard all of their customers’ data, regardless of whether loss of that data has financial implications on their business and bottom line. As I mentioned above, theft of any PII can carry potential cyber risks for an individual, even if its loss is deemed to have little financial impact to a business. That means companies, including startups and mobile app platforms, that collect and store large volumes of customer information should take the necessary measures to ensure the data is secured. Telcos, in particular, made for bigger targets due to their access to large consumer databases and communications infrastructure, Joanne Wong, LogRhythm’s vice president for international markets, said in a note on MyRepublic’s breach. “As a digital-first nation, we need to get better at fending against these threats,” Wong said. “We know from experience that there can be far-reaching implications of a single weak link and cannot sit still, and watch the same incidents happen time and time again. Organisations, especially in these essential sectors — need to be proactive and have oversight across their entire digital supply chain, including any third-party vendors. Only when there is constant monitoring and surveillance, can they effectively identify and remediate threats with speed.” On how much organisations should invest in cybersecurity, Teo urged them to understand their risk profile and allocate the appropriate amount of resources to protect their digital assets. She added that Singapore advised local businesses to carry out risk assessments and invest accordingly, rather than going for the minimum so they were in compliance with regulations. Above all, an “assume breach” position does not mean consumers are expected to accept security breaches as part and parcel of dealing with businesses. It should mean organisations must be better able to demonstrate they have done their part in protecting all customer data, including non-financial information, within their own environment as well as across their supply chain.