Here are the stories that caught our eye this week:
A Netwalker criminal gang attacked the University of California San Francisco (UCSF) on June 1st. Cybersecurity experts say these sorts of negotiations are happening all over the world – sometimes for even larger sums – against the advice of law-enforcement agencies, including the FBI, Europol, and the UK’s National Cyber Security Centre. An anonymous tip-off enabled BBC News to follow the ransom negotiations in a live chat on the dark web. Netwalker alone has been linked to at least two other ransomware attacks on universities in the past two months. Its dark web homepage looks like a standard customer service website with a FAQ tab, an offer of a “free” sample of its software, and a live-chat option. There is a countdown timer ticking down to a time when the hackers either double the price of their ransom or delete the data they have scrambled with malware. Victims are instructed to log in – either by email or via a ransom note left on hacked computer screens. After a day of back-and-forth negotiations, UCSF said it had pulled together all available money and could pay $1.02m – but the criminals refused to go below $1.5m. The university came back with details of how it had procured more money and a final offer of $1,140,895. It told BBC News: “The data that was encrypted is important to some of the academic work the authors pursue as a university serving the public good. We made the difficult decision to pay some portion of the ransom, approximately $1.14 million, to the individuals behind the malware attack in exchange for a tool to unlock the encrypted data and the return of the data they obtained.”
Brett Callow, a threat analyst at cyber-security company Emsisoft, said: “Organizations in this situation are without a good option, but why would a ruthless criminal enterprise delete data that it may be able to further monetize at a later date?” Most ransomware attacks begin with a booby-trapped email, and research suggests criminal gangs are increasingly using tools that can gain access to systems via a single download. In the first week of this month alone, Proofpoint’s cyber-security analysts say they saw more than one million emails using a variety of phishing lures, including fake Covid-19 test results, sent to organizations in the US, France, Germany, Greece, and Italy.
In the coming months, tens of thousands of workers at Anglo American in South Africa will be asked to use a new piece of equipment: it could be a phone, watch-based, or built into existing personal protective equipment like hard hats. The company says it’s “too early to be specific” about how its system will work, but one thing is for sure: it will track their every move, and will be able to detect when and who they have come in contact with. The FTSE 100-listed mining giant is part of a cohort of companies that aren’t holding their breath for governments, Apple, or Google to deliver a workable contact tracing app. Soter Analytics is a UK health tech start-up that mainly made trackers for employee posture to avoid injuries until offices and factories closed due to Covid-19 and work disappeared – so it pivoted into contact tracing wearables. The government’s planned NHSX solution – which it switched last week to rely on the Google-Apple collaboration software – requires everyone to download an app to their phone and enable Bluetooth, so it logs anonymous distance data with any phones that are nearby. The system is great for employers: if an employee catches coronavirus, traceable contact history can identify which other workers need to quarantine without closing the entire business, and it can pinpoint where contacts take place, so a company can put in place extra measures, like a one-way system. Amazon’s system, called Distance Assistant, uses camera footage in Amazon’s buildings to help identify high-traffic areas, and the company is testing a wearable device that lights up and makes an audio alert when workers are too close to each other, according to an internal memo seen by Reuters.
Facebook got itself into a sensitive data scandal when it did shady business with Cambridge Analytica, and Instagram confirmed a security issue exposing user accounts and phone numbers, but these apps are basically online security havens compared to TikTok, according to one senior software engineer with about 15 years of professional experience. Two months ago, Reddit user bangorlol made a comment in a discussion about TikTok. Bangorlol claimed to have successfully reverse-engineered it and shared what he learned about the Chinese video-sharing social networking service. He strongly recommended that people never use the app again, warning about its intrusive user tracking and other issues. Considering that TikTok was the 4th most popular free iPhone app download in 2019, this is quite alarming. “The last several years of my career have been based around reversing mobile applications, analyzing how they work, and building additional third-party functionality around them,” he told Bored Panda. “I’d go into the Android or iOS version, find the requests that get the correct data, and build a third-party tool to give users this functionality.” Bangorlol thinks that we as a society have normalized giving away personal information and have no expectations of privacy and security anymore, so giving TikTok the data together with the money is nothing surprising. “The general consensus among most ‘normal’ people is that they can’t/won’t be targeted, so it’s fine.” He strongly encourages security researchers who are much smarter than him and have more free time to take a look at the app and scrutinize every little detail they can. “There’s a lot of stuff going on in the native libraries for at least the Android version that I wasn’t able to figure out and didn’t have the time to investigate further,” he added.
There have been surges in malvertising – ads laced with malicious code. These ads appear when users visit popular mainstream sites on weekends and holidays. The messages that appear typically include something like “you’ve won big money from T-Mobile, click here now!” or “your device has a serious virus, you must click here now!” Users may be scared into clicking. Data from clean.io, a cybersecurity company that protects enterprises from malicious and untrusted code execution, shows examples of malvertising surges observed during recent holidays. With all of these factors, it seems like this year could be the perfect storm for a malvertising surge on the 4th of July. GeoEdge, a cybersecurity company that guards digital businesses against malicious, unwanted, offensive, and inappropriate ads, predicts that malvertising ads will increase this 4th of July weekend. Due to COVID-19, users have been at home on weekdays and weekends alike, and as a result we are witnessing different patterns of behavior from attackers. Site owners, including mainstream publishers, should keep a close eye on any surges of ads from new or unknown advertisers, even if they appear to be coming from legitimate demand sources.
The California Consumer Privacy Act enters the enforcement phase on July 1, despite pleas by some business groups to delay it because of Covid-19 coronavirus impacts. The law has been in effect since January 1, 2020, but until now enforcement was limited to civil actions brought by consumers against violators. Ameesh Divatia, co-founder and CEO of Baffle, Inc., said that the CCPA has been compared to Europe’s General Data Protection Regulation (GDPR), but noted that there are important differences. “GDPR is more focused on customer rights. CCPA has this but is focused on identifying businesses that are violating them. It’s not as focused on individual rights.” If you’re already GDPR compliant, you are most of the way to being CCPA compliant as well. As is the case with GDPR, where you’re required to comply if you collect data on Europeans, with the CCPA you’re required to comply if you have data on California consumers, even if you’re not located in California. How the California AG plans to enforce the CCPA on a non-resident company remains to be seen, but in any case it’s probably better to be compliant so you don’t have to find out the hard way. Make sure your website contains the required information on your protection practices, the kind of data you collect and retain, contact information for inquiries, a statement about any sales of consumer information, and a means to opt out of such sales.
Meme of the Week!