Well, it finally happened: Defcon is canceled. Except, for real this time. The popular hacking conference and its sister event, Black Hat, have both been called off because of Covid-19, meaning a long-running meme has come true. Don't worry; organizers have promised online sessions so that the bugs and vulnerabilities researchers planned to present still see the light of day.
In other Covid-19 news, India's mandatory contact tracing application has been found to have serious privacy flaws. Because it relies on GPS data by design, a so-called triangulation attack can be used to identify specific people who have tested positive for the disease. A more privacy-friendly alternative is the Bluetooth-based approach, which leaves location out altogether. The two companies behind that framework have shared mock-ups of potential interfaces for apps built on it; the apps themselves will have to be developed by public health authorities.
Elsewhere, we looked at a data leak on the adult cam site CAM4, which exposed 10.88 billion records to the open Internet, including names, sexual orientations, payment logs, and email and chat transcripts. The good news is that only a relatively small number of people could have been identified from the data, and CAM4 says no malicious hackers found it. The bad news is, well, pretty obvious.
More bad news: A Facebook bug caused iOS apps like Spotify and TikTok to crash repeatedly for a few hours this week. It's not the end of the world, but it's a reminder of the extent of Facebook's reach and the amount of data it extracts from the apps you use, even if you don't have a Facebook account. Separately, a new ransomware-for-hire offering called LockBit looks set to cause big headaches on a massive scale.
It's not all bad news! GitHub this week took a big step toward securing open source code, rolling out an advanced security tool that automatically detects vulnerabilities and exposed credentials.
And there's more. Every Saturday, we round up the security and privacy stories that we didn't break or cover in depth, but which you should know about. Click on the headlines to read them, and stay safe out there.
As millions of isolated people have flocked to Zoom to connect with socially distant family, friends and colleagues, the company has come under fire for security and privacy gaps. And while it has taken steps over the past month to shore up its defenses, including bringing on senior advisors, its biggest move came this week, when it announced the acquisition of Keybase, a company specializing in the kind of end-to-end encryption that Zoom has not yet fully implemented. It's important to note that Zoom's security posture isn't actually bad, or even a concern for the vast majority of people. But its robust response to public pressure gives it a chance to become one of the most secure video chat platforms, assuming it delivers on its promises.
Nest and Ring's internet-connected cameras have an ignominious history of hackers breaking into user accounts and scaring the bejeebus out of their owners. For example: Just over a year ago, a disembodied voice emanated from dozens of Nest cameras, ordering people within earshot to subscribe to PewDiePie's YouTube channel. These takeovers don't stem from vulnerabilities in the products themselves, but from owners reusing passwords or choosing easily guessable ones. To stem the tide, Nest announced this week that it will require two-factor authentication by default, which means that a password alone won't be enough to get into someone's account.
GoDaddy announced this week that it had suffered a breach affecting 28,000 of its 19 million customers. Attackers were able to access login credentials, but GoDaddy says it has no evidence yet that they used that access to add or modify hosted files. The attack also affected only hosting accounts rather than primary GoDaddy accounts. The most disturbing detail in all of this might be the duration of the breach: the attackers gained access on October 19 of last year and were not discovered until April 23, which amounts to six months of lurking in the system undetected.
As expected, ransomware attacks have escalated amid the Covid-19 pandemic. This week, Europe's largest private hospital chain, Fresenius, reported that it had been hit by Snake ransomware, a relatively new strain, also known as Ekans, that has historically targeted the industrial sector. Fortunately, patient care does not appear to have been affected so far.