More stories

  • 14 COVIDSafe enquiries to OAIC, but still no complaints or breaches

    The Office of the Australian Information Commissioner (OAIC) has released its second six-monthly report on the privacy and security of Australia’s controversial COVIDSafe app.

    While there were no reports of breaches, no complaints made, and no investigations underway, the OAIC said the app, paraded by Prime Minister Scott Morrison as “digital sunscreen”, was the subject of 14 “enquiries”. This comprised 12 enquiries from individuals and two from businesses during the period 16 November 2020 to 15 May 2021.

    “We provided general information in response to 11 enquiries and provided assistance on how to make a complaint in response to three enquiries,” the report [PDF] said.

    During Senate Estimates last month, Information and Privacy Commissioner Angelene Falk said the OAIC, by the end of April, had received around 25 enquiries from members of the public seeking information about COVIDSafe and their privacy rights.

    Breaking down the types of enquiries, the report said the OAIC received 10 enquiries raising general issues or concerns about COVIDSafe, including an enquiry about the changes to the Privacy Act relating to COVIDSafe and an enquiry from an individual seeking to delete data uploaded to the National COVIDSafe Data Store. The OAIC also received four enquiries about a request to download or use COVIDSafe, which the report explained as an enquiry about a venue refusing an individual entry unless they used COVIDSafe or signed in using a QR code and an enquiry about whether an employer could require an employee to download COVIDSafe.

    The legislation wrapped around COVIDSafe prevents a directive from an employer or venue to require the app’s download.

    Falk told Senators last month the OAIC has implemented a series of assessments or audits of the COVIDSafe app, which she said assess the privacy safeguards in relation to the Privacy Act and follow the “information lifecycle” of the COVIDSafe app.

    “We’re assessing the security and access protections to the national COVIDSafe’s data storage facility,” she said. “We’re also assessing the manner in which information is accessed by the states and territories. And the legislation passed by Parliament at this time last year, gave my office jurisdiction in relation to the states and territories handling of that COVIDSafe app data.”

    The OAIC has four assessments underway. The report said the OAIC has progressed draft reports for all of them. The agency also provided guidance for state and territory health authorities regarding COVIDSafe and COVID app data during the reported period.

    Also included in the OAIC document is a report from the Inspector-General of Intelligence and Security (IGIS). IGIS reviewed the compliance of the agencies it oversees between 16 November 2020 and 15 May 2021 and said it remained satisfied that these agencies have appropriate policies and/or procedures in place and are taking reasonable steps to avoid the intentional collection of COVID app data.

    “IGIS staff have conducted inspections of these agencies to determine whether COVID app data that has been collected incidentally as part of agency functions has not been accessed or used, and that any COVID app data has been deleted as soon as practicable after the agency becomes aware it has been collected,” IGIS wrote in its brief report.

    “While relevant agencies have incidentally collected COVID app data, which the Privacy Act recognises may occur, IGIS has found that there is no evidence to suggest that these agencies have deliberately targeted or have decrypted, accessed, or used such data.”

    IGIS has not received any complaints or public interest disclosures about COVIDSafe app data, but said there were ongoing discussions between relevant parties regarding the application of the prohibition against “disclosure” as set out in the Privacy Act.

    COVIDSafe, according to the Digital Transformation Agency, had picked up 567 close contacts not found through manual contact tracing, a large increase on the previous number of 17 contacts. The agency said there have been 779 uploads to the National Data Store since inception last year.

    Earlier this week, the government of Western Australia introduced legislation that would keep the information obtained by contact tracers via the SafeWA check-in app away from the state’s law enforcement authorities. The state currently lacks protections for such information, with WA Police having used it to investigate “two serious crimes”.

    “The system was introduced in the middle of the global pandemic and while access to this information was lawful, the WA government’s intention was for contact registers to only be used for contact tracing purposes,” the government said. “Information collected through the SafeWA app has never been able to be used for commercial purposes. This will remain the case under the new legislation.”

    The ABC on Wednesday reported the state government was forced to introduce legislation after failing to reach an agreement with police. The report indicates Premier Mark McGowan found out in April that police were accessing the data to find witnesses to a number of serious crimes, including a murder, but was previously unaware.

    “We attempted to negotiate an agreement with the police. They advised that it was lawful, and they couldn’t not do things that are lawful,” he told ABC Radio Perth.

    WA Police Commissioner Chris Dawson said the circumstances that required access to the SafeWA data were exceptional.

    “I accept that people don’t always read fine print on insurance policies or whatever, and this is a very important principle, but the police have only got information twice out of 240 million transactions and they were exceptional circumstances, and it is lawful,” he said, speaking on 6PR radio. “Police have a duty to investigate crime, and we’re talking about a man who was shot in a public arena with an allegedly high-powered weapon, and other people were injured.”

    The state opposition has called it “a breach of trust”.

  • Tim Cook claims sideloading apps would destroy security and privacy of iOS

    Tim Cook has claimed in an interview with Brut that if Apple were forced to allow sideloading of apps, as Android does, it would destroy the security and privacy of iOS. Speaking about the Digital Markets Act proposed by the European Commission, Cook said sideloading was not in the “best interests of the user”.

    “That would destroy the security of the iPhone and a lot of the privacy initiatives that we’ve built into the App Store where we have privacy nutrition labels and app tracking transparency, where it forces people to get permission to track across apps,” Cook said. “These things would not exist anymore except in people that stuck in our ecosystem and so I worry deeply about privacy and security.”

    The Apple CEO said Android has 47 times more malware than iOS, and this was directly due to Apple’s ecosystem being tied down to one app store and all apps being reviewed. “That keeps a lot of this malware stuff out of our ecosystem, and customers have told us very continuously how much they value that, and so we’re going to be standing up for the user in the discussions and we’ll see where it goes,” he said.

    Cook did say there were parts of the Digital Services Act (DSA) that could be used to fight online disinformation.

    “We do suffer today from vast disinformation … it’s clear that there needs to be something done here,” he said. “This is not an acceptable state of the world and as I look at the DSA, there’s some parts of it that I think will help this, but I’m not sure that anybody yet has a handle on how to fix it entirely and I think it deserves more discussion and more debate.”

    In recent testimony as part of the Epic vs Apple trial, Cook said that without curation, Apple’s App Store would be a toxic mess.

  • Macquarie Uni researchers find an oversharing of personal data in health apps

    Researchers from Macquarie University have found what they labelled as serious problems with privacy and inconsistent privacy practices in health apps.

    The researchers estimated that just over 99,000 apps out of the 2.8 million on Google Play and 1.96 million on the Apple App Store relate to health and fitness. They include the management of health conditions and symptom checking, as well as step and calorie counters and menstruation trackers.

    They probed 15,000 free health apps in the Google Play store and compared their privacy practices with a random sample of more than 8,000 non-health apps. They found that while these apps collected less user data than other types of mobile apps, 88% could access and potentially share personal data.

    “For example, about two thirds could collect advert identifiers or cookies, one third could collect a user’s email address, and about a quarter could identify the mobile phone tower to which a user’s device is connected, potentially providing information on the user’s geolocation,” the researchers wrote in a study published by The BMJ.

    Only 4% of the health-related apps actually transmitted data, which was mostly the user’s name and location information. “This percentage is substantial and should be taken as a lower bound for the real data transmissions performed by the apps,” they added.

    The analysis of app files and code identified 65,068 data collection operations, on average four for each app. Analysis of app traffic identified 3,148 transmissions of user data across 616 different apps. The main types of data collected by these apps include contact information, user location, and several device identifiers such as IMEI, MAC address, and IMSI (international mobile subscriber identity).

    Privacy analysis of mobile health apps (Image: Macquarie University)
    87.5% of data collection operations and 56% of user data transmissions were on behalf of third-party services, such as external advertisers, analytics, and tracking providers, the research found. 23% of user data transmissions occurred on insecure communication channels, they added.

    665 unique third-party entities were identified, but those responsible for most of the data collection operations, the researchers said, were the likes of Google, Facebook, and Yahoo!. “The apps collected user data on behalf of hundreds of third parties, with a small number of service providers accounting for most of the collected data,” the research says.

    The researchers also found that 28% (5,903) of the apps they analysed did not offer any privacy policy text, and at least 25% (15,480) of user data transmissions violated what was stated in the privacy policies.

    “Mobile apps are fast becoming sources of information and decision support tools for both clinicians and patients,” the researchers concluded. “Such privacy risks should be articulated to patients and could be made part of app usage consent. We believe the trade-off between the benefits and risks of ‘mHealth’ apps should be considered for any technical and policy discussion surrounding the services provided by such apps.”

  • Ukrainian police partner with US, South Korea for raid on Clop ransomware members

    The Ukrainian National Police announced a series of raids on Wednesday that ended with the arrest of six people allegedly part of the group behind the Clop ransomware. The group is responsible for some of the most headline-grabbing ransomware attacks seen over the last two years, with hundreds of victims ranging from Shell and Kroger to Stanford University, the University of Maryland, and the University of Colorado. Ukrainian police said the total damage done by their attacks amounts to an estimated $500 million.

    The Cyberpolice Department of the Ukrainian National Police released a lengthy report Wednesday morning on the raids that included photos and video. Working with South Korean police officers, members of Interpol and unnamed US agencies, officers in Ukraine raided 21 different residences in Kyiv and nearby towns.

    During the raid, dozens of computers and expensive cars were seized in addition to about $185,000. The report said server infrastructure was taken down and the homes were seized. The six people arrested are facing up to eight years in prison for a variety of crimes related to the group’s ransomware attacks and the laundering of money brought in from ransoms.

    The Ukrainian National Police noted that South Korean officials were particularly interested in the raid because of ransomware attacks launched by Clop against four South Korean companies in 2019. More than 800 internal servers and computers from the companies were infected in the attacks. The group also attacked South Korean e-commerce giant E-Land in November, crippling the company for days.

    Clop members became well-known for attacking companies, like Bombardier, that used old versions of the Accellion FTA file-sharing server. The Reserve Bank of New Zealand, Washington State Auditor, and cybersecurity firm Qualys are just a few of the victims attacked by Clop members through the Accellion vulnerability.

    Kim Bromley, senior cyber threat intelligence analyst at Digital Shadows, said the Clop ransomware has been active since February 2019 and generally targets large organizations. “Despite partaking in the ever-popular double-extortion tactic, Clop’s reported activity level is relatively low when compared with the likes of ‘REvil’ (aka Sodinokibi) or ‘Conti’,” Bromley explained.

    In spite of the press around the raid, many online noted that the leak site used by Clop members is still up. A source from cybersecurity company Intel 471 threw cold water on the excitement around the raid in an interview with Bleeping Computer. They told the news outlet that they do not think any of the major players behind Clop were arrested in the raid because they live in Russia. They added that the people arrested were mostly involved in the money laundering part of the ransomware operation.

    Clop rose to prominence in 2020 after they demanded a ransom of more than $20 million from Software AG, one of the largest software companies in the world. Multiple cybersecurity companies have reported that Clop has ties to a malware distribution group named TA505 and a cybercrime group known as FIN11.

    Ransomware groups are facing increased scrutiny from law enforcement globally as hundreds of organizations continue to deal with the crippling aftereffects of attacks. Bromley noted that last week the Avaddon ransomware shut down its operations, and the Ziggy ransomware did the same earlier this year, signaling that the increasing law enforcement pressure was having an effect. “Arrests and operations targeting ransomware infrastructure must continue in the short term, in order to maintain pressure on ransomware operators,” Bromley added.

    Vectra CTO Oliver Tavakoli said raids like this are one of the key levers that can be used to shrink the lucrative ransomware ecosystem. “When the likelihood of repercussions rise, less people will be drawn into the business of ransomware,” Tavakoli said. “When periodic disruptions occur in the supply chain of ransomware and sometimes ransoms are reclaimed (as the FBI recently did with some of the Colonial Pipeline ransom payments), the business of ransomware itself becomes less lucrative and less people are drawn into it.”

    Other experts noted the timing of the raid, which came on the same day as the summit between US President Joe Biden and Russian President Vladimir Putin. Ransomware was a significant topic of discussion, Biden said after the meeting.

    “This is a bold move, especially given Ukraine’s tensions with Russia. It would be better to see comprehensive global law enforcement efforts take hold,” said Hitesh Sheth, CEO at Vectra. “Cybersecurity has displaced nuclear arms as the premier superpower security issue of our era. We can hope the Biden-Putin summit leads to cooperation and structural progress in this area.”

  • Travel and retail industries facing wave of credential stuffing attacks

    A new report from Auth0 has discovered that government institutions as well as travel and retail companies continue to face an inordinate amount of credential stuffing attacks. 


    Auth0, which was recently acquired by Okta for $6.5 billion, released startling statistics on what it is seeing in its State of Secure Identity report.

    In the first three months of 2021, Auth0 found that credential stuffing accounted for 16.5% of attempted login traffic on its platform, with a peak of over 40% near the end of March. About 15% of all attempts to register a new account can be attributed to bots, according to Auth0, which found that for certain industries the numbers are even higher.

    The report also said that Auth0 maintains a constantly growing database of username-password pairs that are known to have been compromised in data breaches. For the first 90 days of 2021, the Auth0 platform detected an average of more than 26,600 breached passwords being used each day. On Feb. 9, the numbers reached a high for 2021 at more than 182,000.

    Attackers will spend between $50 and $1,000 for validated credentials from credit card records, crypto accounts, social media accounts and even Netflix accounts, according to the report. The most commonly detected threats on Auth0’s platform include credential stuffing, fraudulent registrations, MFA bypass, and breached password usage.

    Auth0’s platform found that 39% of IP addresses associated with credential stuffing attacks are based in the US. The technology and travel industries account for more than 50% of all SQL injection attacks seen on the platform. Travel and retail enterprises are targeted the most by brute force attacks, followed by government institutions, industrial services companies and technology organizations. The technology industry faces the most MFA brute force attempts at 42% on Auth0’s platform, followed by consumer goods at 15% and financial services at 13%.

    Auth0 noted that attackers often target rewards programs offered by restaurants or stores because “they are rarely secured well and the benefits are easily monetized.”

    Companies in the financial services industry lead the way in MFA adoption, followed by technology and industrial services, according to the report. While most people choose email or SMS as their MFA factor, many use time-based one-time passcodes as well. Many organizations in the technology, financial services and industrial services industries are also using bot detection programs as a way to slow down or limit credential stuffing attacks.

    Duncan Godfrey, vice president of security engineering at Auth0, said it is becoming harder and harder for security companies to secure their customers’ identities because of the widespread failure to protect data and the prevalence of breached passwords. The availability of automated attack tools has made the humble password “a protective measure from the past,” Godfrey explained. Multiple breaches and cyberattacks in the last month originated from reused passwords or account details that had been leaked in previous attacks.
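    The bot detection the report credits with slowing credential stuffing comes down to telling stuffing apart from ordinary failed logins and from single-account brute force: a stuffing source tries many different accounts about once each and mostly fails, while a brute-force source hammers one account. The following Python is an added example, not Auth0’s or ZDNet’s code. It parses a constructed authentication log in a hypothetical `ip=… user=… result=…` format, labels each source address by its attempt pattern, and lists the accounts a stuffing source actually got into, since those username-password pairs are now known to be valid and are the ones to reset first. The thresholds are illustrative assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample authentication log (hypothetical format, not Auth0's); the
# addresses are documentation ranges. Three sources: one trying many different
# accounts once each (stuffing pattern), one hammering a single account
# (brute-force pattern), and one ordinary user who mistyped a password twice.
SAMPLE_LOG = "\n".join(
    [f"2021-03-29T10:00:{i:02d}Z ip=203.0.113.5 user=user{i:02d} result="
     + ("success" if i == 7 else "failure") for i in range(1, 13)]
    + [f"2021-03-29T10:01:{i:02d}Z ip=198.51.100.7 user=carol result=failure"
       for i in range(10)]
    + ["2021-03-29T10:02:00Z ip=192.0.2.9 user=alice result=failure",
       "2021-03-29T10:02:05Z ip=192.0.2.9 user=alice result=failure",
       "2021-03-29T10:02:11Z ip=192.0.2.9 user=alice result=success"]
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>success|failure)$"
)


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)  # distinct accounts tried
    hits: set = field(default_factory=set)   # accounts logged into successfully


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def summarise(events):
    """Aggregate attempts per source IP."""
    stats = defaultdict(SourceStats)
    for ev in events:
        s = stats[ev["ip"]]
        s.attempts += 1
        s.users.add(ev["user"])
        if ev["result"] == "failure":
            s.failures += 1
        else:
            s.hits.add(ev["user"])
    return stats


def classify(stats, min_attempts=10, user_spread=0.8, fail_ratio=0.8):
    """Label each source. Credential stuffing: many distinct accounts, about one
    try each, almost all failing. Brute force: the same one or two accounts tried
    over and over. Thresholds are illustrative, not tuned to any real platform."""
    verdicts = {}
    for ip, s in stats.items():
        if s.attempts < min_attempts:
            verdicts[ip] = "normal"
            continue
        failing = s.failures / s.attempts >= fail_ratio
        spread = len(s.users) / s.attempts
        if failing and spread >= user_spread:
            verdicts[ip] = "credential_stuffing"
        elif failing and len(s.users) <= 2:
            verdicts[ip] = "brute_force"
        else:
            verdicts[ip] = "normal"
    return verdicts


def compromised_accounts(stats, verdicts):
    """Accounts a stuffing source logged into: the credential pair is valid, so
    these get a forced reset and a session revocation before anything else."""
    return sorted(u for ip, s in stats.items()
                  if verdicts.get(ip) == "credential_stuffing" for u in s.hits)


def analyse(text):
    stats = summarise(parse_log(text))
    verdicts = classify(stats)
    return verdicts, compromised_accounts(stats, verdicts)


if __name__ == "__main__":
    labels, to_reset = analyse(SAMPLE_LOG)
    for ip, label in sorted(labels.items()):
        print(f"{ip:15} {label}")
    print("accounts to reset:", to_reset)
```

    Run stand-alone it labels 203.0.113.5 as credential stuffing, 198.51.100.7 as brute force and 192.0.2.9 as normal, and names user07 as the account to reset. The distinction matters for the response: rate-limiting a single account stops brute force but does nothing against stuffing, which spends only one attempt per account, so the per-source user spread is the signal to act on.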

  • McAfee discovers vulnerability in Peloton Bike+

    McAfee has uncovered a vulnerability in Peloton’s Bike+ line and Tread exercise equipment that would give an attacker full, unnoticed access to the device, including its camera and microphone. 

    McAfee worked with Peloton in March to fix the issue and Peloton has since released an update that solves the vulnerability. In a blog post, McAfee Advanced Threat Research team researchers Sam Quinn and Mark Bereza explained that the flaw was in the bike’s Android Verified Boot process, which they said was initially out of scope and left the Peloton vulnerable.

    Quinn and Bereza shared a video of their work demonstrating how they were able to bypass the Android Verified Boot process and compromise the Android OS. The blog describes a variety of ways the vulnerability could have been used by attackers with physical access to Bike+ or Tread exercise equipment. The researchers included a map that lists all of the publicly available Peloton equipment in spaces like gyms, hotels, apartment complexes, and even cruise ships.
    “A worst-case scenario for such an attack vector might involve a malicious agent booting the Peloton with a modified image to gain elevated privileges and then leveraging those privileges to establish a reverse shell, granting the attacker unfettered root access on the bike remotely. Since the attacker never has to unlock the device to boot a modified image, there would be no trace of any access they achieved on the device,” Quinn and Bereza wrote. “This sort of attack could be effectively delivered via the supply chain process. A malicious actor could tamper with the product at any point from construction to warehouse to delivery, installing a backdoor into the Android tablet without any way the end user could know. Another scenario could be that an attacker could simply walk up to one of these devices that is installed in a gym or a fitness room and perform the same attack, gaining root access on these devices for later use.”

    There were even ways for attackers to make their presence permanent by modifying the OS, putting themselves in a man-in-the-middle position. In this case, an attacker would have full access to network traffic and SSL encrypted traffic using a technique called SSL unpinning, the blog explained.

    “Intercepting and decrypting network traffic in this fashion could lead to users’ personal data being compromised. Lastly, the Peloton Bike+ also has a camera and a microphone installed. Having remote access with root permissions on the Android tablet would allow an attacker to monitor these devices and is demoed in the impact video [above],” the researchers said.

    The simplicity of the vulnerability prompted Quinn and Bereza to reach out to Peloton, which later discovered that the problem extended beyond just the Bike+ to the Tread exercise equipment. The company released a fix that no longer allows the “boot” command to work on a user build, mitigating this vulnerability entirely, according to the researchers.

    Adrian Stone, Peloton’s head of global information security, said that if an attacker is able to gain physical access to any connected device in the home, additional physical controls and safeguards become increasingly important. “To keep our members safe, we acted quickly and in coordination with McAfee. We pushed a mandatory update in early June and every device with the update installed is protected from this issue,” Stone added.

  • Over a billion records belonging to CVS Health exposed online

    In another example of misconfigured cloud services impacting security, over a billion records belonging to CVS Health have been exposed online.  

    On Thursday, WebsitePlanet, together with researcher Jeremiah Fowler, revealed the discovery of an online database belonging to CVS Health. The database was not password-protected and had no form of authentication in place to prevent unauthorized entry.

    Upon examination of the database, the team found over one billion records that were connected to the US healthcare and pharmaceutical giant, which owns brands including CVS Pharmacy and Aetna. The database, 204GB in size, contained event and configuration data including production records of visitor IDs, session IDs, device access information (such as whether visitors to the firm’s domains used an iPhone or Android handset), as well as what the team calls a “blueprint” of how the logging system operated from the backend.

    Search records exposed also included queries for medications, COVID-19 vaccines, and a variety of CVS products, referencing both CVS Health and CVS.com. “Hypothetically, it could have been possible to match the Session ID with what they searched for or added to the shopping cart during that session and then try to identify the customer using the exposed emails,” the report states.

    The researchers say the unsecured database could be used in targeted phishing by cross-referencing some of the emails also logged in the system, likely through accidental search bar submission, or for cross-referencing other actions. Competitors, too, may have been interested in the search query data generated and stored in the system.

    WebsitePlanet sent a private disclosure notice to CVS Health and quickly received a response confirming the dataset belonged to the company. CVS Health said the database was managed by an unnamed vendor on behalf of the firm and public access was restricted following disclosure.

    “In March of this year, a security researcher notified us of a publicly-accessible database that contained non-identifiable CVS Health metadata,” CVS Health told ZDNet. “We immediately investigated and determined that the database, which was hosted by a third party vendor, did not contain any personal information of our customers, members, or patients. We worked with the vendor to quickly take the database down. We’ve addressed the issue with the vendor to prevent a recurrence and we thank the researcher who notified us about this matter.”

    Update 15.49 BST: Clarified over a billion records rather than billions. ZDNet regrets this error.

  • Microsoft adds to its Android and iOS security tools

    Microsoft has announced some improvements to Microsoft Defender for Endpoint (formerly Defender ATP) that should help remote workers with Android phones and iPhones more securely access information from the corporate network.

    Microsoft has refreshed the look and feel of the Microsoft Defender for Endpoint apps for Android and iOS. It has also enabled mobile application management for devices that aren’t enrolled in Microsoft’s Intune mobile device management (MDM) platform, and enabled jailbreak detection for iOS. Previously, Microsoft Defender for Endpoint worked only on devices that were enrolled using Intune MDM.

    Microsoft Defender for Endpoint is a cloud-based service and distinct from Microsoft Defender antivirus. In April, Microsoft released a preview of Microsoft Defender for Endpoint that supported unmanaged devices running Windows, Linux, macOS, iOS and Android as well as network devices. Part of its functionality is aimed at helping security teams investigate and secure unmanaged PCs, mobile devices, servers, and network devices on a network.

    This update is about broadening mobile application support for organizations that are using Intune but might have devices that aren’t enrolled in an MDM, including popular third-party MDM solutions. “With this update Microsoft Defender for Endpoint can protect an organization’s data within a managed application for those who aren’t using an MDM but are using Intune to manage mobile applications,” Microsoft said in a blogpost.

    “It also extends support to customers who use other enterprise mobility management solutions such as AirWatch, MobileIron, MaaS360, and others, while still using Intune for mobile application management.”

    The other interesting feature is that the product can now detect jailbreaks on iOS devices. “Jailbreaking an iOS device elevates root access that is granted to the user of the device,” Microsoft says. “Once this happens, users can easily sideload potentially malicious applications and the iPhone won’t get critical, automatic iOS updates that may fix security vulnerabilities.”

    The jailbreak detection feature for Microsoft Defender for Endpoint has now reached general availability. It detects both unmanaged and managed devices that have been jailbroken and sends an alert to Microsoft 365 Defender when it happens. “These kinds of devices introduce additional risk and a higher probability of a breach to your organization,” Microsoft says.

    It should be easier now to enroll iOS devices since users no longer need to provide VPN permissions to get anti-phishing protection. Admins can now just push the VPN profile to enrolled devices. Lastly, Microsoft Tunnel VPN within the Microsoft Defender for Endpoint app for Android has reached general availability.