This Week In Security - 03/23/2020
Could COVID19 Prove Fatal for US Cybersecurity?
As millions of people resort to working from home to curb the COVID19 pandemic, America’s cybersecurity is struggling under the increased burden.
There’s already a significant upsurge in phishing threats and social engineering scams with cybercriminals “using fear of the coronavirus to get a recipient to click on a malicious attachment or link”.
Few of those now working from home have the same technological protections as they do at work, leaving them more vulnerable to malware infections and phishing attacks.
Some fear that the worst is yet to come and, while US authorities are distracted by the burgeoning effect of the pandemic, “US adversaries may see this as a chance to ramp up other cyber campaigns”, including meddling with the upcoming election or disrupting global supply chains.
Despite the multiple vulnerabilities in US cybersecurity, the US is not giving up and is “encouraging government agencies and the private sector to do what they can to improve their cybersecurity posture”.
Individuals, especially those working from home, are being cautioned to look out for potentially malicious emails appearing to come from “legitimate agencies such as the U.S. Centers for Disease Control and Prevention (CDC) or the World Health Organization (WHO)”.
US Proposes Contentious EARN IT Act to Protect Children Online
In a bipartisan effort to combat online child sexual exploitation, the EARN IT bill is designed to hold online platforms responsible for what appears on their sites. Under Section 230, such platforms enjoyed automatic legal immunity but, under the new act, this would disappear, although sites could “win back immunity by certifying compliance with a set of best practices”.
Meanwhile, digital rights activists and privacy advocates fear the act will do little to protect children online but a lot to damage both free speech rights and online privacy. According to Free Press representative Gaurav Laroia, “The EARN IT Act is constitutionally suspect. It threatens key First and Fourth Amendment rights”.
One of the concerns is that the EARN IT Act, while it doesn’t mention encryption directly, could lead to the Department of Justice introducing back doors to encrypted products, which would weaken privacy standards.
The Electronic Freedom Frontier has been unsurprisingly outspoken about the Act, saying, “It doesn’t help organizations that support victims. It doesn’t equip law enforcement agencies with resources to investigate claims of child exploitation … Rather, the bill’s authors have shrewdly used defending children as the pretense for an attack on our free speech and security online”.
Privacy Hangs in the Balance as US Considers Tracking COVID19 Patients
Both the US and Israeli governments are considering using location-based data gathered from mobile apps to help combat the spread of COVID19 and track anyone infected with the disease.
US authorities have approached tech giants like Google and Facebook, as well as medical experts, to see if there is any way to use location data “to track whether people are practicing social distancing or to track the movements of those infected with COVID-19, in order to stem the outbreak”.
The US is following in the steps of the Israeli government, which is already using technology created to “track Palestinian militants in the region” to “keep a watchful eye on the movements of COVID-19 patients”.
While some feel “in a technological society, it makes sense to use such technology to save lives”, others perceive the use of tracking technologies, even in challenging times such as these, as a “severe violation of privacy and basic civil liberties.”
The director of privacy at Stanford University’s Center for Internet and Society, Albert Gidari, admitted that “The balance between privacy and pandemic policy is a delicate one… Technology can save lives, but if the implementation unreasonably threatened privacy, more lives may be at risk”.
Careless Whisper: “The Safest Place on the Internet” Exposed
Branded as a secret-sharing app, Whisper promised secure, encrypted messaging but ended up spilling unprotected secrets left, right, and center.
Launched in 2012, Whisper promised users a safe haven in which to share their most intimate secrets anonymously but was “inadvertently exposing sensitive information about its users for years through a public online database”.
Although users’ identities are hidden behind a random nickname assigned when they join up, other personal information, like “age, location, ethnicity, residence, in-app nickname, and membership in any of the app’s groups” was left publicly exposed.
The records were stored in a non-password-protected database that anyone could access and contained 1.3 million records relating to users who had listed themselves as being 15 years of age, even though, according to Whisper’s terms and conditions, only people over the age of 17 can use the app.
Security researcher Dan Ehrlich said, “sexual fetish groups, suicide groups, and hate group membership of users can all be seen” on the database and accused Whisper of violating “the societal and ethical norms we have around the protection of children online”.
MediaLab, the creator of the anonymous sharing app, defended itself, saying the database exposed by The Post was “not designed to be queried directly”.