Welcome to the latest edition of Pardon The Intrusion, TNW’s bi-weekly newsletter in which we explore the wild world of security.

COVID-19 accelerated the use of Zoom for video calling. But so did the security problems and revelations that it didn’t actually support end-to-end encryption (E2EE), misleading users about the security of the platform. In the aftermath, it promised to invest in E2EE on its platform, and acquired encrypted chat service Keybase in an attempt to secure its communications.

All seemed well until yesterday: Zoom confirmed that it plans to offer stronger encryption features only for its paying users. It won’t be extended to the free tier.

“Free users, for sure, we don’t want to give that [end-to-end encryption] because we also want to work it together with FBI and local law enforcement, in case some people use Zoom for bad purpose [sic],” Zoom CEO Eric Yuan said in an earnings call this week.

The idea that encryption could hamper law enforcement’s ability to fight criminal acts — widely known as the “Going Dark” problem — is not new. Last year, Facebook ran into troubled waters after governments in the US, UK, and Australia called on the company to delay its plans to implement E2EE across its messaging apps until “there is no reduction to user safety and without including a means for lawful access to the content of communications to protect our citizens.”

But by putting a premium on privacy, Zoom seems to be aiming for a tricky balancing act that improves security but also minimizes the risk of abuse. The move also puts it at odds with wider attempts to embrace encryption on the web. Alex Stamos, Facebook’s former chief security officer, who is now working as an outside consultant on Zoom’s security strategy, elaborated on this further in a Twitter thread:
— Alex Stamos (@alexstamos) June 3, 2020

In a climate where there’s no alternative that offers E2EE group calls (Signal’s and Jitsi’s are limited to one-on-one), Zoom’s proposed encryption model is a step in the right direction. But by choosing to turn a basic security feature into a premium paid offering, Zoom is setting a wrong precedent wherein privacy is limited to those who can afford to pay for it.
What’s trending in security?
Apple fixed a critical security flaw in its “Sign In With Apple” feature, Google found more evidence of credential-stealing attacks exploiting COVID-19, and new details emerged about an iPhone spyware app, called Hide UI, used by law enforcement to unlock devices when it doesn’t have the user’s passcode.
Hacktivist group Anonymous has returned from the shadows, and has promised retribution against the Minneapolis Police Department (MPD) over the death of George Floyd. The MPD’s website was then temporarily taken offline in a suspected Distributed Denial of Service (DDoS) attack, but researcher Troy Hunt said the leaked data “has almost certainly been pulled out of existing data breaches in an attempt to falsely fabricate a new one.” [Troy Hunt]

For everyone who is protesting in support of Black Lives Matter and against George Floyd’s death at the hands of the Minneapolis Police Department — and those who are planning to attend one — here are some handy precautions to take before you go. Also make sure you turn off biometrics on your phone. [TNW]

The baddies behind REvil (Sodinokibi) ransomware launched an eBay-like auction site to sell data stolen from the companies they hack. [ZDNet]

Apple fixed a flaw in “Sign In With Apple” that could have allowed attackers to hijack any user’s accounts on third-party apps that offer the login option. [The Hacker News]

A hacking group that calls itself ShinyHunters has been selling 200 million stolen records on the dark web from over a dozen companies. [WIRED]
COVID-19 themed malware attacks are still on the rise. Google said it found new activity from Indian “hack-for-hire” firms that have been impersonating the WHO in credential-stealing email campaigns to target business leaders in financial services, consulting, and healthcare corporations across the US, Slovenia, Canada, India, Bahrain, Cyprus, and the UK. [Google]

A vigilante hacker group called “CyberWare” has been targeting “scam” companies with ransomware and denial of service attacks. [Bleeping Computer]

New “Octopus Scanner” malware was found compromising open-source GitHub projects to spread to Windows, Linux, and macOS systems, and deploying a malicious backdoor. [GitHub]

A new study — (How) Do People Change Their Passwords After a Breach? — found that only around a third of users usually change their passwords following a data breach. [IEEE Security (PDF)]

Sandworm, the hackers working for Russia’s military intelligence agency, have been exploiting a vulnerability in the Exim Mail Transfer Agent software since August of last year for malicious purposes. The NSA recommends patching Exim servers immediately by installing version 4.93 or newer. [NSA / WIRED]

Kaspersky researchers uncovered a steganography-themed attack targeting industrial enterprises in Japan, Italy, Germany, and the UK to steal Windows account credentials. The hackers’ ultimate motive remains unclear. [Kaspersky]
An Android malware called Strandhogg 2.0 mimics apps’ login screens to hijack passwords and grant extensive permissions. It affects all versions of Android prior to 10. Google has already patched the flaw in a security update pushed last month. [Ars Technica]

A new version of Valak malware has been found targeting Microsoft Exchange servers in the US and Germany to steal enterprise mailing information and passwords. [Cybereason]

Amnesty International discovered a critical flaw in Qatar’s mandatory-to-use EHTERAZ contact-tracing app, which, had it not been reported and fixed, could’ve allowed attackers access to highly sensitive data, “including the name, national ID, health status and location data of more than one million users.” [Amnesty International]

US authorities arrested a Ukrainian national, Denys Iarmak, an alleged member of the FIN7 cybercrime group that’s been accused of hacking Chipotle, Whole Foods, and Trump Hotels. FIN7 (also called Carbanak Group) has been tied to a string of financially-motivated attacks since 2015 to conduct fraudulent wire transfers to offshore accounts. [Motherboard]

The fortnight in breaches and leaks: Thai cellular network AIS, LiveJournal, Mathway, Minted, Truecaller, Indonesian voter records, and India’s BHIM mobile payments platform.
Tweet of the Week
— Matthew Green (@matthew_d_green) June 3, 2020

That’s it. See you all in two weeks. Stay safe!

Ravie x TNW (ravie[at]thenextweb[dot]com)