This Week In Security - 02/24/2020
Coronavirus Compromises Great Firewall of China
The consequences of the outbreak of coronavirus in China are far-reaching, but who’d have thought it would reach cyberspace?
China has long been famous for the stranglehold it maintains over its citizens, their access to information, and their freedom of speech, but it seems its grip is not quite as vice-like as we supposed.
As Chinese citizens have taken to the internet to express their frustration and anger at how authorities are handling the outbreak, they are proving that it is “easier to dam a river than it is to silence the voice of the people”.
While some believe the online tide is changing in favor of the Chinese people, giving them more freedom, others, like Samuel Wade, deputy editor of China Digital Times, say the current situation “is less a demonstration of public empowerment than of the limitations of official control”.
Prof. Zhou of Renmin University doubts the coronavirus outbreak alone will have a long-lasting effect but does believe it has “allowed more people to see the institutional factors behind the outbreak and the importance of freedom of speech”.
If the government continues to disappoint, however, its citizens will continue to turn to social media to vent their frustration.
10.6 Million Users Exposed in MGM Hack
MGM Resorts hotels confirmed it was the victim of a massive data breach last summer, which saw over 10 million users’ details exposed and subsequently dumped on a hacking forum.
MGM said “the vast majority of those affected had ‘phone book information’ breached such as name, phone number, and address”, although some 1,300 users lost more sensitive data, including personally identifiable information from documents such as passports, military ID cards, and driver’s licenses.
The leaked files include names, dates of birth, email and home addresses, and phone numbers, and those affected are believed to include “celebrities, tech CEOs, reporters, government officials, and employees at some of the world’s largest tech companies”.
The data breach occurred when a cloud server was hacked into, giving cybercriminals access to sensitive information, although MGM is “confident that no financial, payment card or password data was involved in this matter”.
The hotel and casino company “promptly notified” those affected in August, but the incident didn’t come to light until Under the Breach picked up a “data dump” last week.
Those responsible for the breach have yet to be identified, although MGM is working closely with both law enforcement agencies and cybersecurity forensic firms to investigate the incident.
When Britain Left the EU, Did Privacy Leave With It?
Now that the UK has severed its ties with the European Union, Google has decided to move all UK users’ data to the US, thereby placing them beyond the reach of the stringent data privacy legislation, the General Data Protection Regulation (GDPR).
Although the UK government has said it “plans to keep the GDPR regulations as is after it has left the Union”, Google isn’t convinced. According to the UK newspaper, The Guardian, “Google decided to move its British users out of Irish jurisdiction because it is unclear whether Britain will follow GDPR or adopt other rules that could affect the handling of user data”.
Data relating to UK Google users was previously kept in Ireland but, in an apparent desire to “not be caught in between two different governments”, Google is shifting it to the US, which “has among the weakest privacy protections of any major economy”.
Google has promised that “the protections of the UK GDPR will still apply to these users”, but it’s difficult to see how. Jill Killock is the executive director of the digital rights organization, Open Rights Group, and believes that “Moving people’s personal information to the USA makes it easier for mass surveillance programmes to access it”.
US Dream of Smartphone Voting Thwarted Again
The highly anticipated Voatz internet voting app that made its debut recently in four different states has “elementary security flaws” that leave it open to attack.
Researchers at the Massachusetts Technology Institute released a report last week that revealed a “pervasive set of vulnerabilities”. Not only could attackers intercept communications between the voter’s smartphone and the server, but they could also “alter the user’s vote and trick the user into believing their vote was transmitted accurately”.
Developers of the voting app have been boasting of their use of blockchain technology to boost the security of the system, but it seems this hasn’t been utilized correctly and, in its current state, the transfer is protected by little more than an HTTPS connection.
University of Michigan Professor of Science, Alex Halderman, said, “there’s nothing more advanced going on in protecting the vote transmission from the app than there would be just with a simple web browser”.
Voatz responded, saying the researchers tested an old version of the app while using an “imagined version of the Voatz servers”. Smartphone voting promises improved “accessibility, security, and resilience”, but software developers may not be able to keep those promises just yet.