Weekly Privacy Roundup #5
"What does censorship reveal? It reveals fear" - Julian Assange
Nintendo says 160,000 users impacted in recent account hacks
Japanese gaming company Nintendo confirmed today that hackers gained unauthorized access to around 160,000 user accounts since the start of the month.
Through a statement published on its Japanese site [translated], the company responded to a wave of user complaints that started surfacing over last weekend.
As ZDNet reported on Monday, Nintendo users took to social media to complain that hackers were accessing their Nintendo accounts and then abusing attached payment card info to buy Fortnite currency and other Nintendo games.
At the time, a credential stuffing attack was ruled out. Many users reported using strong passwords that were unique to their Nintendo profiles and that would have been almost impossible to guess or to have leaked anywhere online.
How to track COVID-19 without invading privacy
The past few months have taught us an important lesson: We’re bad at handling highly contagious diseases. The Earth’s growing population and the ease with which we can travel long distances have contributed to the fast spread of the novel coronavirus to more than 200 countries.
For the moment, the main question is, how do we stop the spread of the virus? For states, the choice is between health and the economy. They must either shut down their economies and impose nationwide quarantines to prevent the spread of COVID-19, or continue business as usual and risk infecting millions of people with the virus. Most governments have chosen the former.
But even though our lives will never return to their former state, humanity will eventually overcome the coronavirus. The aftermath, however, the tragic deaths, the economic recession, and the shock of everything else we’re experiencing today, will confront our governments with a new question: How do we stop the next pandemic? The choice will then shift from health versus the economy to health versus privacy.
Contact tracing apps unsafe if Bluetooth vulnerabilities not fixed
As more governments turn to contact tracing apps to aid in their efforts to contain the coronavirus, cybersecurity experts are warning this may spark renewed interest in Bluetooth attacks. They urge developers to ensure such apps are regularly tested for vulnerabilities and to release patches swiftly to plug potential holes, while governments should provide assurance that their databases are secure and that the data collected will not be used for purposes other than originally intended.
Users also should take the necessary steps to safeguard their personal data and prevent their devices from becoming the target of cybercriminals.
According to Acronis' co-founder and technology president Stas Protassov, Bluetooth has had several vulnerabilities in the past, as recently as February, when BlueFrag, a critical vulnerability affecting Android devices, was patched, along with multiple vulnerabilities in Apple iOS devices.
Left unpatched, these devices could be breached by hackers within the vicinity and the user's personal data stolen, Protassov warned. He stressed the need for users to update their devices' firmware so that vulnerabilities are promptly fixed, and, as with any app, to check the permissions that contact tracing apps request.
Facebook vs NSO Group lawsuit: 1,400+ users were targeted with Pegasus spyware
Facebook's advocates have challenged a plea from spyware maker NSO Group, which argues it has immunity from prosecution, to dismiss the legal dispute over the hacking accusations.
Now both companies are providing the technical details requested by the cyber-security experts. According to court documents shared by ZDNet, Facebook linked at least 720 attacks against WhatsApp users to a single IP address.
NSO Group's surveillance implant was delivered with an exploit for a vulnerability, tracked as CVE-2019-3568, in the WhatsApp VoIP feature.
The attacks took place in the spring of 2019. Facebook states that more than 1,400 users were targeted with the NSO Pegasus spyware, including journalists, human rights activists, political dissidents, diplomats, attorneys, and government officials.
“I have reviewed the malicious code sent during the attack described in the Complaint. That malicious code was designed to cause a WhatsApp user’s mobile device to connect to a remote server not associated with WhatsApp. The IP address of the remote server was included in the malicious code,” explained Claudiu Gheorghe, a software engineer for WhatsApp.
The coronavirus pandemic shouldn’t legitimize permanent surveillance after the crisis
In Shoshana Zuboff’s 2019 book The Age of Surveillance Capitalism, she recalls the response to the launch of Google Glass in 2012. Zuboff describes public horror, as well as loud protestations from privacy advocates who were deeply concerned that the product’s undetectable recording of people and places threatened to eliminate “a person’s reasonable expectation of privacy and/or anonymity.”
Apple and Google update their coronavirus contact-tracing API to reduce false positives
Earlier, Apple and Google announced that they are working together to develop an API for iOS and Android which can be used by approved apps to detect whom you come in contact with during the day and to notify you if those people later test positive for coronavirus, indicating that you may need testing. The OS-level API would allow interoperability between iOS and Android and would let public health authorities, universities, and NGOs around the world develop opt-in contact tracing technology.
Australia rolls out COVID-19 tracking app with privacy concerns
COVID-19 contact tracing apps are arriving in earnest, and it’s clear that privacy is as much of an issue as the effectiveness of the apps. Australia has launched its tracing app, COVIDSafe, despite criticisms of its approach to privacy. The voluntary software is based on Singapore’s TraceTogether and uses a mix of Bluetooth and contact data stored both in the app and on servers to let people know if they’ve been in close contact with people who’ve tested positive for COVID-19. The Australian government has promised that its app doesn’t collect locations and only shares data with health officials after an infected person gives consent, but there are concerns it might still share more than users are comfortable with.
COVID-19 Contact Tracing Apps Fight Privacy Fears
Governments around the world are introducing apps to help health officials trace contacts of people newly infected with the novel coronavirus. They work by recording whom you come close to—then alerting those people if you contract COVID-19.
But questions remain about how these apps will preserve privacy. And not just the apps themselves, but also the cloud services behind them.
The new breed of apps is decentralized, and they don’t even consider the phone’s location. In today’s SB Blogwatch, we work out how.
Microsoft is bombarding Chrome-using Outlook.com visitors with ads for Edge
Microsoft is no stranger to hitting its customers with ads for its products and services, and it seems that the company is so keen that people make the switch to the new Chromium-based version of Edge that it is now bombarding Outlook.com users with banner ads.
The ads target people who visit the web-based version of Outlook using Google Chrome, who see Microsoft extolling the speed and performance of its most recent web browser.
Australian contact-tracing app leaks telling info and increases chances of third-party tracking, say security folks
The design of Australia’s COVIDSafe contact-tracing app creates some unintended surveillance opportunities, according to a group of four security pros who unpacked its .APK file.
Penned by independent security researcher Chris Culnane, University of Melbourne tutor, cryptography researcher and masters student Eleanor McMurtry, developer Robert Merkel and Australian National University associate professor and Thinking Security CEO Vanessa Teague and posted to GitHub, the analysis notes three concerning design choices.
The first concern addressed is the decision to change UniqueIDs – the identifier the app shares with other users – once every two hours, and for devices to accept a new UniqueID only if the app is running. The four researchers say this makes it possible for the government to tell whether users are running the app.
“This means that a person who chooses to download the app, but prefers to turn it off at certain times of the day, is informing the Data Store of this choice,” they write.
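To make that leak concrete, here is an added example (not the researchers' analysis code and nothing from COVIDSafe itself) that models what the Data Store could infer from its own UniqueID issuance log for one device: any gap longer than the two-hour rotation period is a window in which the app was not asking for a fresh ID. The log timestamps and the 15-minute jitter allowance are constructed assumptions.

```python
from datetime import datetime, timedelta

# Rotation period described in the analysis: a new UniqueID every two hours.
ROTATION = timedelta(hours=2)

# Constructed sample log (hypothetical, not real COVIDSafe data): the times at
# which the Data Store handed a fresh UniqueID to a single device.
SAMPLE_ISSUANCES = [
    "2020-04-27T08:00:00",
    "2020-04-27T10:00:00",
    "2020-04-27T12:00:00",
    # nothing between 12:00 and 20:00: the app was switched off
    "2020-04-27T20:00:00",
    "2020-04-27T22:00:00",
]


def infer_offline_windows(issuances, rotation=ROTATION, slack=timedelta(minutes=15)):
    """Return the (start, end) ISO-8601 windows in which the server can conclude
    the app was not running.

    The ID issued at time t expires at t + rotation; a running app would then
    request a new one. If the next request arrives later than that (plus a
    little slack for timer and network jitter), the device was not asking for
    IDs from expiry until the next request, i.e. the app was off."""
    times = sorted(datetime.fromisoformat(s) for s in issuances)
    windows = []
    for prev, cur in zip(times, times[1:]):
        if cur - prev > rotation + slack:
            windows.append(((prev + rotation).isoformat(), cur.isoformat()))
    return windows


def hours_visibly_off(issuances):
    """Total hours of app downtime the server can read from the issuance log."""
    total = timedelta()
    for start, end in infer_offline_windows(issuances):
        total += datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return total.total_seconds() / 3600


if __name__ == "__main__":
    for start, end in infer_offline_windows(SAMPLE_ISSUANCES):
        print(f"app not running from {start} to {end}")
    print(f"{hours_visibly_off(SAMPLE_ISSUANCES):.1f} hours of downtime visible to the Data Store")
```

With the constructed log the server sees one downtime window, 14:00 to 20:00, which is exactly the kind of behavioural detail the researchers say a user is "informing the Data Store of".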