Well, it finally happened: Defcon is canceled. Except, for real this time. The popular hacking conference and its sister event, Black Hat, have both been called off over Covid-19 concerns, meaning a longstanding meme has become reality. Don’t worry; organizers have promised online sessions to make sure those bugs and vulnerabilities still see the light of day.
In other Covid-19 news, India’s mandatory contact tracing app turns out to have serious privacy concerns. Because it uses GPS data by design, it’s possible to use a so-called triangulation attack to identify specific people who have reported as positive for the disease. A more privacy-friendly alternative is the Bluetooth-based solution that leaves location out of it altogether. The two companies shared mock-ups of potential interfaces for apps that take advantage of that framework; the apps themselves will have to be developed by public health officials.
Elsewhere we took a look at a data leak at adult cam site CAM4, which exposed 10.88 billion records to the open internet, including names, sexual orientations, payment logs, and email and chat transcripts. The good news is that only a relatively small number of people could actually have been identified from the data, and CAM4 says no malicious hackers found it. The bad news is, well, pretty self-evident.
Other bad news: A Facebook bug caused popular iOS apps like Spotify and TikTok to crash repeatedly for a couple of hours this week. That’s not the end of the world, but it’s a reminder of just how far Facebook’s reach extends, and how much data it pulls from apps you use even if you don’t have a Facebook account. Separately, a new ransomware for hire called LockBit seems poised to cause big headaches on a large scale.
It’s not all doom and gloom! GitHub this week took a big step toward securing open source code, rolling out an Advanced Security tool that will automatically spot flaws and exposed credentials.
And there’s more. Every Saturday we round up the security and privacy stories that we didn’t break or report on in depth but think you should know about. Click on the headlines to read them, and stay safe out there.
As millions of isolated people have flocked to Zoom to connect with socially distanced family, friends, and coworkers, the company has faced criticism for security and privacy shortcomings. And while it’s taken steps in the last month or so to shore up its defenses—including signing on some high-profile advisers—its most significant step came this week, when it announced the acquisition of Keybase, a company that specializes in the kind of end-to-end encryption that Zoom has yet to fully implement. It’s important to note that Zoom’s security posture is not uniquely bad, or even all that concerning for the vast majority of people. But its robust response to public pressures gives it a chance to be one of the most secure video chat platforms out there, assuming it lives up to its promises.
Internet-connected cameras from Nest and Ring have a bit of an ignominious history of hackers breaking into user accounts and scaring the bejeebus out of their owners. For instance: A little over a year ago, a disembodied voice emanated from dozens of Nest cams, commanding those within earshot to subscribe to PewDiePie’s YouTube channel. These takeovers don’t stem from vulnerabilities in the products themselves, but from owners reusing passwords or making them easily guessable. To quash the hostilities, Nest announced this week that it will require two-factor authentication by default, meaning a password alone won’t be enough to force your way into someone’s account.
GoDaddy announced this week that it had suffered a breach affecting 28,000 of its 19 million customers. The attackers gained access to log-in information, but GoDaddy says it has no evidence yet that they used that access to add or modify hosted files. The attack also impacted only hosting accounts rather than primary GoDaddy accounts. The more troubling detail in all this might be how long the breach persisted: attackers gained access on October 19 of last year and weren’t discovered until April 23, which amounts to six months of lurking in the system.
As expected, the ransomware attacks have picked up amid the Covid-19 pandemic. This week, Europe’s largest private hospital chain, Fresenius, reported that it had been hit by Snake ransomware, a relatively new strain also known as Ekans that has historically targeted the industrial sector. Fortunately, patient care appears unaffected at this time.