Woman stalked by sandwich server via her COVID-19 contact tracing info

Mayo? Mustard? Creep who takes your sandwich order plus the personal details you handed over for contact tracing?

That’s not what I ordered, said a woman in Auckland, New Zealand, whose trip to a Subway fast-food shop led to a restaurant worker reaching out to pester her on Facebook, Instagram, Messenger and via text.

As the local news outlet Newshub tells it, the worker has been suspended after the woman – who, understandably enough, declined to give her name and was only identified as “Jess” – complained to the restaurant chain.

Jess told Newshub that Subway required her to put her contact details on a contact-tracing form so as to place her food order. She didn’t think anything about it: we all want to stop the spread of the pandemic, after all. The form asked for her name, home address, email address and phone number, all of which she put down.

She’s feeling pretty queasy about that Subway visit now, after the guy who took her order used Jess’s contact information to repeatedly, persistently hit her up:

I felt pretty gross. He made me feel really uncomfortable.

He’s contacting me. I didn’t ask him to do that. I don’t want that.

I’m lucky that I live with quite a few people because if that was me by myself at home—he knows my address, you know?—I’d feel really, really scared. Even now I feel a bit creeped out and vulnerable.

Who can blame her? There are good reasons why we should hand out our personally identifying information (PII) as sparingly as possible. When crooks, lechers and governments get our details, it sets us up to be preyed on by a rogues’ gallery of horny creeps, burglars, rapists, surveillance-happy governments, targeted-advertising outfits run amok, spear phishers, spammers, and other physical and/or virtual stalkers.

More to the point, there are good reasons why companies and governments should be paying excruciating attention to how to protect privacy as countries and states gradually retreat from lockdown and institute ways to do so safely. At this point, it’s all over the map.

That was evidenced by a survey done last month by PwC, which has developed a contact-tracing app to help employers identify workers who may have been exposed to the virus. The survey found that, as of April, governments around the world had issued more than 60 directives regarding protecting data privacy while responding to the pandemic.

You may well ask how you do contact tracing without collecting people’s PII. Countries have certainly asked, and, fortunately, they’ve found what will hopefully turn out to be an approach that leaves people’s privacy intact. Late last month, Germany embraced a coronavirus tracking tool from Apple and Google that implements a decentralized Bluetooth-based approach instead of the more invasive location-tracking proposed in other tracing technologies.

The approach – called Exposure Notification – relies on Bluetooth to keep data local on people’s phones instead of being stored in a centralized database that could be used for mass state surveillance or to track people. It’s supported by Apple, Google and other European countries.
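To make the privacy argument concrete, here is a simplified model of a decentralised, Bluetooth-style exposure notification scheme. It is an added illustration, not code from this article, from Apple or Google, or from any national app: the daily-key and rolling-identifier structure follows the published design in outline, but the identifier derivation uses HMAC-SHA256 in place of the specification's AES construction, the day number, timings and phone names are invented, and Bluetooth is replaced by direct calls between phone objects. The point it demonstrates is that the only thing ever uploaded is a list of random daily keys from people who tested positive, and that matching happens on each handset.

```python
# Added example: simplified decentralised exposure notification model.
# Not the GAEN specification (HMAC stands in for its AES derivation).
import hashlib
import hmac
import os

INTERVAL_SECONDS = 600                                   # identifiers rotate every 10 minutes
INTERVALS_PER_DAY = 24 * 60 * 60 // INTERVAL_SECONDS     # 144


def hkdf_expand_sha256(key: bytes, info: bytes, length: int = 16) -> bytes:
    """One block of HKDF (RFC 5869) with an empty salt, enough for a 16-byte subkey."""
    prk = hmac.new(b"\x00" * 32, key, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()[:length]


def interval_number(timestamp: int) -> int:
    return timestamp // INTERVAL_SECONDS


def rolling_identifier(daily_key: bytes, interval: int) -> bytes:
    """Identifier broadcast during one 10-minute interval.
    Without the daily key the identifiers of one phone cannot be linked to each other."""
    rpik = hkdf_expand_sha256(daily_key, b"EN-RPIK")
    msg = b"EN-RPI" + interval.to_bytes(4, "little")
    return hmac.new(rpik, msg, hashlib.sha256).digest()[:16]   # simplification: HMAC, not AES


def identifiers_for_day(daily_key: bytes, day: int) -> set:
    """All 144 identifiers a phone would have broadcast from one daily key."""
    first = day * INTERVALS_PER_DAY
    return {rolling_identifier(daily_key, i) for i in range(first, first + INTERVALS_PER_DAY)}


class Phone:
    """State below never leaves the handset unless the owner is diagnosed and uploads."""

    def __init__(self) -> None:
        self.daily_keys = {}     # day number -> 16 random bytes
        self.heard = set()       # identifiers received over Bluetooth

    def daily_key(self, day: int) -> bytes:
        return self.daily_keys.setdefault(day, os.urandom(16))

    def broadcast(self, timestamp: int) -> bytes:
        i = interval_number(timestamp)
        return rolling_identifier(self.daily_key(i // INTERVALS_PER_DAY), i)

    def hear(self, rpi: bytes) -> None:
        self.heard.add(rpi)

    def diagnosis_keys(self) -> list:
        """The only data ever sent to the server: (day, random key) pairs, no identity, no location."""
        return sorted(self.daily_keys.items())

    def exposures(self, published: list) -> int:
        """Number of 10-minute intervals this phone spent near a diagnosed phone, computed locally."""
        return sum(len(identifiers_for_day(key, day) & self.heard) for day, key in published)


def simulate() -> dict:
    """Constructed scenario: Alice and Bob spend 30 minutes together, Carol meets nobody."""
    alice, bob, carol = Phone(), Phone(), Phone()
    day = 18400                                          # arbitrary day number
    t0 = day * INTERVALS_PER_DAY * INTERVAL_SECONDS
    for k in range(3):
        t = t0 + k * INTERVAL_SECONDS
        bob.hear(alice.broadcast(t))
        alice.hear(bob.broadcast(t))
        carol.broadcast(t)                               # nobody in range to hear it
    published = alice.diagnosis_keys()                   # Alice tests positive and uploads
    return {
        "server_holds": [(d, k.hex()) for d, k in published],
        "bob_intervals": bob.exposures(published),
        "carol_intervals": carol.exposures(published),
    }


if __name__ == "__main__":
    print(simulate())
```

Note what the server ends up with: one day number and 16 random bytes per diagnosed user per day, and nothing at all about Bob or Carol. A form that records name, address, e-mail and phone number for every customer sits at the opposite end of that design space.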

Where does a process of tracing people by having them hand over their PII in a form fit into all this?

We don’t know much about the form, but it sounds like it was paper rather than digital, given that Subway told Newshub that by Wednesday it will have installed a new digital contact tracing system at all its restaurants.

Guests will electronically enter their details, and the information will be held securely, for the sole purpose of contact tracing. Newshub reports that the information “can only be accessed in response to government contact tracing requests.”

It should go without saying that there are plenty of ways to screw up when it comes to securing stored digital data. Just because Subway is switching to digital and away from what I assume was its previous, analog data storage doesn’t mean that employees won’t be able to use customers’ PII in place of a dating app.

Kind of like, say, when police use their access to personal data – think state driver’s license databases – to snoop on fellow officers, public safety personnel, and justice professionals. A court case was recently settled over abuse of such access when a jury awarded Minnesota police officer Amy Krekelberg $585,000, including $300,000 in punitive damages from two defendants who pawed through her personal data to ogle her photograph, address, age, height, and weight after she allegedly rejected their romantic advances.

Subway told Newshub that it’s spoken to Jess and that the employee has been suspended, pending the outcome of an investigation. The employee will reportedly be “disciplined” if the investigation finds that they misused personal data.

Newshub spoke with Privacy Commissioner John Edwards, who said that businesses should only be custodians of the information they’re given for public health purposes. Doing otherwise could leave the public with a strong distaste for handing over their details, he said:

It’s absolutely essential that businesses treat this information exclusively for pandemic management. If they let it be abused by staff members it’s going to undermine the whole system, and that can put people at risk.

What he said. Readers, what are your organizations doing to protect employee, citizen and/or customer privacy as we try to negotiate this pandemic? Please do feel free to share in the comments section below, and please do stay as safe as possible, both from viruses and from other, data-related dangers.

Latest Naked Security podcast

Update now! Windows gets another bumper patch update

After a flurry of zero-day vulnerabilities in recent editions, May’s Patch Tuesday finally gives Windows users a month off having to fix ‘big’ exploited or public flaws.

The catch is it’s still one of the biggest patch rounds Microsoft has ever released, featuring 111 CVE-level bug fixes (the record being March’s 115 fixes), nearly half of which are in Windows itself.

Of these, 16 are rated critical, all but one of which are Remote Code Execution (RCE), again a smaller haul of top-rated flaws than has recently been the case.

Beyond that, Office SharePoint accounts for 12 CVEs, with 10 from the Windows Graphic Component, five in the Scripting Engine, and four in the Jet Database engine.

A good place to start is with the browser-related bugs, not because there are a lot of them but because they will affect lots of Windows computers.

These include CVE-2020-1062, a critical RCE bug in the Internet Explorer code that is still buried inside Windows 10, and its companion CVE-2020-1035, a VBScript RCE affecting IE 11. Neither is public, but the browser angle prompts Microsoft to mark both as “exploitation more likely,” which should be taken as a warning.

Edge provides CVE-2020-1056, a critical Elevation of Privilege (EoP) flaw which could be exploited by luring victims to a malicious website. Two more Edge issues marked ‘important’ are CVE-2020-1059, a spoofing bug, and CVE-2020-1096, which could be exploited using a malicious PDF opened via a link.

Other criticals to watch for include CVE-2020-1117 in the Windows Microsoft Color Management DLL, and CVE-2020-1126, a memory corruption problem in Windows Media Foundation. Both can be exploited by persuading a user to visit a malicious website.

Beyond the critical flaws, three marked ‘important’ stand out, again because Microsoft thinks they are more likely to be exploited. These are CVE-2020-1054 and CVE-2020-1143, both allowing EoP in Win32, and CVE-2020-1135, a flaw in the Windows Graphics Component discovered during this year’s virtual Pwn2Own hacking contest.

Adobe

Proof that Adobe has been saving up its fixes for Acrobat and Reader arrives in the form of APSB20-24, which addresses 24 CVEs, including 12 that are critical. The company also patches 12 flaws, including four marked critical, in the DNG Software Development Kit.

None of these are public or currently being exploited, but all flaws in ubiquitous programs such as Reader should be a priority fix.

That’s on top of the large pile of flaws Adobe fixed in its Magento, Bridge and Illustrator software two weeks ago.

Beware the DHL delivery message email – it could be a package scam

Another day of lockdown…

…another “package delivery notification” scam.

Here’s another reminder to think before you click, even if it adds a few seconds to your day to review what the offending email is asking you to do.

We’d like to think that you’d easily spot that this one is bogus – we’ll explain why in the article – but we can equally well see why it might seem harmless enough to click through.

Many scams of this sort that we’ve written about before rely on squeezing you to act, luring you to click, or a bit of both.

For example, delivery scams often entice you by telling you what cool “item” is on its way, such as a mobile phone that someone is sending you as a gift.

At the same time, they pressurise you to act quickly by warning you that delivery will be delayed or even cancelled if you don’t pay a necessary fee to release the article from storage.

To avoid sounding greedy, and to imply that they’re not fraudsters, the amount to pay is often very modest, such as $1, which doesn’t sound like the sort of money a scammer would ask for if they were in it for the cash.

That’s because they aren’t in it for the money up front – indeed, they never intend to bill you at all, because it’s your personal data that they’re after instead.

This time, the crooks are following a much more relaxed formula that doesn’t say much more than, “Hey, here’s how to track your delivery,” which is the sort of message you might reasonably expect when you order something, or when someone orders something for you:

Incoming Package Notification!

This it to notify you that you have an incoming shipment registered in your email [REDACTED]. Please follow the URL below to track your shipment.

And that’s all there is to the email.

OK, so the exclamation point after the word “Notification” probably wouldn’t be there in a genuine notification – it’s a notification, after all, not a warning or an alert.

More importantly, however, hovering over the link would show you a website name you’d almost certainly never heard of (this scam used a hacked webserver belonging to a construction company in Bahrain, as it happens).

If you click through just to see what this is all about, you’ll see a similarly simple web page:

As unexceptionable and as unscammy as the page itself looks, the address bar is a fortunate giveaway that this is a scam.

The URL (which we’ve masked out here) wasn’t on a lookalike or soundalike domain name, so it looked completely different to any website you might expect for a DHL server.

Also, there’s no padlock, because the URL started with http:// (insecure) rather than https:// (session encrypted).

Ironically, the web service used by the company whose website was hacked did support HTTPS, and the site had a valid HTTPS certificate, but the crooks neglected to take advantage of the encrypted connection.

As we’ve said before, the presence of an HTTPS certificate doesn’t mean you can trust the site and its content, just that your connection can’t easily be snooped on.

But the absence of HTTPS on a legitimate site is so unusual these days that you should take it as an immediate warning sign that all is not well.

Of course, if you don’t spot the warning signs and you do put in your password, the data doesn’t go to DHL but straight to the crooks, who are likely to try out your password not only on your real DHL account but on any other account they can think of that you might have. (That’s why you never use the same password on more than one site!)

What to do?

  • Don’t be fooled just because you’re expecting a delivery. The crooks don’t have to know you are waiting for a delivery to get the timing right. Especially during the coronavirus pandemic, they can simply assume you are and they’ll be right for a lot of people a lot of the time.
  • Treat delivery messages as notifications only and ignore the links. It’s a bit more hassle, but avoid clicking on links at all in messages like these. When you order items online, make a note of the right website to use for tracking the item, and go there yourself if there is any problem reported with delivery.
  • Check the URL in the address bar. These days, most cybercriminals are using HTTPS websites, because everyone expects a padlock in the address bar. But the padlock doesn’t say you are on the correct site, merely that you are on a site with an HTTPS certificate. Consider going to your laptop if you can, and checking out the link from there. It’s worth the extra trouble because the address bar is bigger and tells you more.
  • Use a third-party security product on your phone. Sophos Intercept X for Mobile adds to the built-in protection in your phone because it helps to keep you away from risky websites to start with.
  • Change passwords at once that you put into sites you later realised were bogus. The sooner you change your current password, the less time the crooks have to try and use it. If you get as far as a “pay page” where you enter payment card data and then realise it’s a scam, call your bank’s fraud reporting number at once. (Look on the back of your actual card so you get the right phone number.)
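The address-bar checks in that list can be mechanised. The following is an added example, not code from the original article or from Sophos, that lifts the links out of a delivery message and applies the checks described above: scheme, bare IP address, the user@host trick, punycode labels, and whether the registered domain is really the courier’s or merely contains its name. The list of expected DHL domains, the two-part-suffix shortcut in place of a full public suffix list, and the sample message with its reserved .example host are assumptions made for the demonstration.

```python
# Added example: link triage for "package delivery" messages.
# Expected-domain list, suffix shortcut and sample message are constructed for illustration.
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed set of domains a genuine DHL tracking link could use; extend per region.
EXPECTED_DOMAINS = {"dhl.com", "dhl.de", "dhl.co.uk"}
BRAND = "dhl"
LINK_RE = re.compile(r"https?://[^\s<>\"'()]+")
TWO_PART_SUFFIX = {"co", "com", "org", "net", "gov", "ac"}   # e.g. dhl.co.uk


def registered_domain(host: str) -> str:
    """Rough eTLD+1: handles 'brand.co.uk' style names, not the full public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    if len(parts) >= 3 and parts[-2] in TWO_PART_SUFFIX and len(parts[-1]) == 2:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])


def assess_link(url: str, expected=EXPECTED_DOMAINS) -> list:
    """Return the warning signs for one URL; an empty list means nothing stood out."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    reasons = []
    if u.scheme != "https":
        reasons.append("not https: no padlock, unusual for a courier site")
    if u.username or u.password:
        reasons.append("user@host trick: the real host is after the @")
    try:
        ipaddress.ip_address(host)
        reasons.append("bare IP address instead of a hostname")
    except ValueError:
        pass                                              # a normal hostname
    if "xn--" in host:
        reasons.append("punycode label: possible homoglyph domain")
    domain = registered_domain(host)
    if domain not in expected:
        if BRAND in host:
            reasons.append(f"brand name used inside unrelated domain {domain}")
        else:
            reasons.append(f"unexpected domain {domain}")
    return reasons


def scan_email(body: str) -> list:
    """Pair every link in the message with its warning signs."""
    return [(url, assess_link(url)) for url in LINK_RE.findall(body)]


# Constructed sample modelled on the message quoted above; the link is made up and
# the .example host stands in for the hacked construction-company server.
SAMPLE_EMAIL = """Incoming Package Notification!

This it to notify you that you have an incoming shipment registered in your email.
Please follow the URL below to track your shipment.
http://construction.example/dhl/track.php?id=7731
"""

if __name__ == "__main__":
    for url, reasons in scan_email(SAMPLE_EMAIL):
        print(url, "->", reasons or "no warning signs")
```

The domain test matters more than the scheme test: as the list notes, most phishing sites now have a valid certificate, so a padlock alone says nothing about whether you are on the courier’s site. The brand-name check catches the common dressing-up trick where the brand appears as a subdomain or path component of a domain that belongs to someone else.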

TikTok’s handling of child privacy gets another watchdog’s attention

TikTok: sometimes it’s funny, sometimes it’s cringey, pretty much all times it’s addictive (particularly for young people, and particularly during lockdown).

Also pretty much all the time, the app – which lets users share their short videos – is being investigated for how it handles children’s data. This time around, it’s the Dutch privacy watchdog’s turn.

On Friday, the Dutch Data Protection Authority (DPA) announced that it’s launched an investigation into how TikTok handles user privacy.

As it is, millions of children and teenagers all over the world are sharing their videos on the social media app, the DPA said. It’s grown to be a particularly important tool for staying in touch and spending time with friends, particularly during the coronavirus crisis. But what kind of danger is it exposing our children to?

From the DPA’s announcement:

In the Netherlands many children now have TikTok on their phones. The rise of TikTok has led to growing concerns about privacy.

Are the kids alright?

The watchdog noted that under Dutch law and under the EU General Data Protection Regulation (GDPR), children are seen as particularly vulnerable because they’re “less aware of the consequences of their actions, especially when it comes to sharing personal data on social media.”

Yes, they are, and that’s why TikTok has been scrutinized by other countries over its adherence to child protection law or lack thereof. In February 2019, the US hit TikTok with the biggest-ever fine for violating the nation’s child privacy law.

Next up came the UK. In July 2019, information commissioner Elizabeth Denham told a parliamentary committee that the US Federal Trade Commission’s (FTC’s) fine of $5.7 million had triggered a UK probe into how TikTok handles the safety and personal data of underage users.

In the US, at least some parents have already decided that TikTok has broken the law. In December 2019, two mothers filed a class-action suit against TikTok on behalf of their teenage daughters, who were under the age of 13 when they started using the app. In spite of their children being underage, the parents said, they were never asked for their verifiable consent. Lack of parental consent is a violation of the Children’s Online Privacy Protection Act (COPPA), which is the nation’s strictest child privacy law.

COPPA applies to any site or service that collects children’s personally identifiable information (PII), which TikTok does: users handed over their email addresses, phone numbers, usernames, first and last names, short bios in which users could choose to mention their age, and profile pictures. For a while, between December 2015 and October 2016, TikTok was also hoovering up users’ geolocation data, which let the app figure out where its users were located.

Musical.ly (bought by TikTok parent company ByteDance in 2017 and merged with the TikTok app in 2018) had all of that PII set to public view, by default. That meant that a child’s profile bio, username, picture, and videos could be seen by other users – including by adults and, potentially, by child predators. Even if a user switched their profile to private, their profile pictures and bios remained public, meaning that users/adults/predators could still send them direct messages, replete with colorful, cartoonish icons – animals, smiley faces, cars, trucks, hearts, that kind of thing.

In fact, there have been reports of adults posing as minors and messaging children, sometimes asking them for nude photos.

Lately, TikTok has been trying to better protect its adoring, underage users.

In April, the social media app blocked the live chat and video streaming function for users under 16 and introduced parental controls – what it refers to as “Family Pairing” – to restrict inappropriate content and manage screentime.

In a statement sent to Reuters, TikTok spokeswoman Gudrun Herrmann said that protecting users – particularly kids – is the company’s number one priority:

TikTok’s top priority is protecting our users’ privacy and safety, especially our younger users.

The Dutch DPA said it plans to examine whether the app clearly states how it uses data and whether “parental consent is required for TikTok to collect, store and use children’s personal data.”

The watchdog expects preliminary results later this year.

Criminal forum trading stolen data suffers ironic data breach

Someone on the dark web is touting for sale an unusual database a lot of people might pay handsomely to get their hands on.

Another rich cache full of sensitive company data, or perhaps something stolen from a military power?

In fact, according to the security company that verified its authenticity, Cyble, this is data that a specialised group of internet users will find far more interesting – a database of criminal account holders of the now defunct WeLeakData.com breach data trading forum.

Such sites have sprung up in the wake of a tidal wave of public data breaches, giving criminals a one-stop shop for accessing the stuff without having to do unnecessary legwork.

But, of course, these sites themselves are vulnerable to the same hazard they trade in – namely having their own account data stolen.

It seems the WeLeakData site went offline in January, which gave rise to the idea that this might somehow be connected to the FBI’s seizure of similar-sounding site WeLeakInfo.com.

That connection remains unconfirmed – as do separate reports that the site admins were arrested by Europol – but not long after WeLeakData came down, a new site called leaksmarket.com suddenly appeared with all the same data.

In April, Cyble’s suspicion that this was evidence of a data breach was confirmed when it discovered the WeLeakData.com database had been put up for sale.

On closer inspection, the data turned out to contain nuggets such as account holders’ email addresses, usernames, hashed passwords and IP addresses – pretty much what would be part of any data breach. The haul also contained private messages between criminal members.

Assuming they don’t already have the data, this is the sort of thing that would be of big interest to law enforcement not to mention rival criminals.

How useful it is, of course, would depend on how careless normally paranoid criminals were about the IP addresses and email addresses they used when logging in, but even fragments of their activity could be enough to unmask them when combined with other information.

For now, it’s highly unlikely that WeLeakData is coming back:

Cyble researchers have verified the alias of WeLeakData owner is unresponsive and unreachable, however, the arrest claim is unverified at the time of writing this. Several cybercrime operators have mentioned that their operations have been disrupted due to the crackdown.

It seems that running cybercrime forums trading in stolen data has become a lot riskier these days.

In addition to the WeLeakInfo bust already mentioned, a separate forum called LeakedSource was taken down in late 2016. A Canadian citizen was later charged with (and subsequently pleaded guilty to) being the admin behind that operation.

A year after that, an operation called LeakBase.pw suddenly disappeared.

Few will mourn their passing, and even fewer perhaps the irony of data thieves who – for once – find themselves on the receiving end.
