This Week In Security - 04/27/2020
Security Flaw Puts 2 billion Google Chrome Users at Risk
Google Chrome issued a quiet warning to users last week, alerting them to a security exploit it described as a “Use after free in speech recognizer”.
According to UK security specialist Sophos, use-after-free bugs of this nature can give hackers the ability “to change the flow of control inside your program, including diverting the CPU to run untrusted code that the attacker just poked into memory from outside, thereby sidestepping any of the browser’s usual security checks or ‘are you sure’ dialog”.
Google is remaining tight-lipped about the flaw, probably because it wants to prevent the details from falling into the wrong hands and giving potential hackers the chance to attack before most users have been able to upgrade.
The CVE-2020-6457 exploit “has been marked ‘Reserved’ by the National Vulnerability Database of the United States”, suggesting it might be a zero-day vulnerability.
Users can check if they have the latest 81.0.4044.113 version of the browser by clicking on the three dots situated in the top right corner of the browser window and following the prompts.
Dutch Coronavirus App Leaks User Data
In the race to produce an effective coronavirus tracing app that could facilitate the end of lockdown, the developers of the Covid19 Alert app accidentally breached their own user data.
Determined to achieve the necessary level of transparency, the Covid19 Alert app developers decided to publish the app’s source code but, at the same time, inadvertently “managed to post files containing 200 names, emails and encrypted passwords from another app it is linked to”.
Privacy advocates condemning the use of coronavirus tracing apps will see the leak as proof of their concerns, while it also comes as a timely reminder of the cost of developing software at speed.
The Covid19 Alert App was one of seven short-listed by the Dutch government, but it seems it’s unlikely to make it through the next round of scrutiny following its embarrassing data leak.
Earlier this month, a statement from a group of 100 civil liberties organizations highlighted the potential risks of coronavirus tracing apps and listed eight conditions that governments should meet to protect the rights of their citizens when implementing such technology. It seems unlikely the Covid19 Alert App will get the chance to meet those standards despite its well-intentioned efforts towards transparency.
Hospitals Face Double Extortion Cyber Threat
Hospitals have been warned to be on the alert for a new ransomware attack that extracts “large quantities of sensitive commercial information” before encrypting the victim’s databases. This type of attack places additional pressure on the victims to pay up or see the stolen data splashed all over the public domain.
A report by Check Point Research revealed that this latest form of ransomware puts “organizations in a double-jeopardy trap” – either they cough up the ransom or they refuse to pay and risk a data breach and the fines associated with such a breach.
Check Point Research warned that hospitals are “prime targets for ransomware attacks given their inundation with the coronavirus” despite assurances from the most prolific cybercrime groups “that they will not attack healthcare and medical targets during the coronavirus crisis”.
Hospitals in Czechoslovakia are only too aware of the dangers, having experienced several “unsuccessful attacks” on their systems last week. According to the health minister, Adam Voitech, although the threats were blocked, the risk remains “very significant”.
The attacks on the Czechoslovakian healthcare system have caused concern in the US government, with senators calling on top cybersecurity experts to “take all necessary measures to protect these [healthcare] institutions during the coronavirus pandemic”.
UK Public Advised to Report Suspicious Emails
After taking down over 2,000 online scams last month, the UK’s National Cyber Security Centre (NCSC) is asking the public to assist in the fight against cybercrime.
The NCSC recently launched a Suspicious Email Reporting System to combat the increase in coronavirus-related phishing attacks and scams. The system is designed to make it easier for members of the public to report suspicious emails. “By forwarding messages to us, you will be protecting the UK from email scams and cybercrime,” said the NCSC CEO, Ciaran Martin.
The system forms part of a cross-government initiative “which aims to teach best practice cybersecurity tips”, including “how to securely use video calling apps such as Zoom”. The new scheme will consolidate the NCSC’s existing efforts by using an automated system that “will immediately test the validity of any linked site”.
The Director of the Government Communications Headquarters, Jeremy Fleming, said: “the scale of activity among opportunistic cyber-criminals seeking to profit from the virus should concern us all”.
The NCSC’s plans couldn’t have come at a better time as, earlier this month, a survey by the banking organization, TSB, found that “42% of people suspect they have been targeted by phishing attacks during the COVID-19 outbreak”.