Marriott hacked again, 5.2 million guests affected

Bad actors accessed a range of personally identifiable information, including names, dates of birth and a lot more

For the second time within two years, hotel giant Marriott has disclosed that it has suffered a data breach. The new incident has affected 5.2 million of its guests, compromising a range of their personal information, including names, email and mailing addresses, and the names of their employers. Considering that the previous breach affected over half a billion people and exposed a wide range of personal data, some might view the new breach as less damaging.

According to the hotel operator’s investigation, the new incident originated in a franchise hotel that operates under the Marriott brand. The login credentials of two employees at the hotel were used by an unknown party to access the guests’ information. Once the breach was discovered, the credentials were disabled and an investigation was launched.

The probe revealed that the nefarious activity started in the middle of January 2020 and wasn’t discovered until late February, which left a period of around six weeks for the cybercriminals to harvest the data. It wasn’t until now that the international hotel chain disclosed the breach and notified the affected customers.

“Although our investigation is ongoing, we currently have no reason to believe that the information involved included Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs, or driver’s license numbers,” said Marriott in an official statement.

On the other hand, the exposed information consisted of contact details, including names, addresses, email addresses, phone numbers, loyalty account numbers and points balances, gender, partial birth dates and employer details, affiliated loyalty programs and stay preferences.

The company took steps to help its guests with the situation. It is offering a personal monitoring service free of charge for a year, although the service is not available in all countries. It has also disabled the current passwords for its loyalty programs, and users will have to enable two-factor authentication once they change their passwords. The authorities were notified as well.

In an effort to ease fears of phishing attacks, Marriott also shared the official email address ([email protected]) that will be used for contacting guests about the situation. Using this self-service site, you can check whether you were affected.

This is the second major data breach involving a hotel operator that has been disclosed this year. MGM Resorts announced a data breach in February that affected 10.6 million of its guests, including singer Justin Bieber and Twitter CEO Jack Dorsey.

1 Apr 2020 – 04:42PM

Coronavirus con artists continue to spread infections of their own

The scam machine shows no signs of slowing down, as fraudsters dispense bogus health advice, peddle fake testing kits and issue malware-laced purchase orders

With the COVID-19 pandemic surging outside, people are hunkering down inside their houses. Companies are shifting to remote work and urging their employees to work from home while cities, even whole countries, are going on lockdown to limit the spread of the virus. Business trips have been halted as travel bans are being issued left and right, and there is a shortage of masks, respirators and hand sanitizers.

Not ones to shy away from making a pretty penny, cybercriminals continue to use the mounting emotional and financial toll of the pandemic to their advantage. Many campaigns target people with fake offers for personal protective equipment and bogus updates on the public health crisis, while businesses are often the intended targets of faux purchase orders and payment information.

Following up on our previous article dedicated to uncovering scams exploiting coronavirus fears, ESET researchers have shared new examples of campaigns aimed at stealing your personal information or money.

Don’t shoot but verify the messenger

As the situation constantly evolves, people are looking for verified information on how to protect themselves during the COVID-19 pandemic. The best source of such information is the World Health Organization (WHO) or national healthcare organizations, which make ideal targets for fraudsters to impersonate.

An example of their tactics would be to contact you via email asserting that the attachment contains pertinent information to help protect you from the disease. In the specific campaign below, ESET researchers found that the attachment contains a Trojan designed to steal your personal data.

The WHO is very well aware that scammers are impersonating it and preying on people. In an effort to combat these widespread scams, the organization has shared information on its methods of communication as well as examples of official email addresses on its website.

Besides the WHO, cybercriminals have started impersonating the US Centers for Disease Control and Prevention (CDC). The FBI warns against fraudulent emails claiming to come from the CDC and containing malware-infected links and attachments.

Late payments and urgent orders

As governments worldwide are issuing recommendations and orders daily on how people should adapt to the pandemic, companies are forced to react almost immediately to the developing situation. To limit the spread of the biological virus, companies are shifting to working from home while factories are either ramping up production or limiting their operations depending on the products they manufacture.

Riding on this wave of uncertainty, fraudsters are impersonating company representatives sending out urgent purchase orders for various materials. As some companies may be in desperate need to have at least some kind of revenue, the recipient may just click on the attached file without giving it further thought. In the example of this tactic below, downloading and running the booby-trapped file masquerading as the detailed order leads to the installation of malicious code.

Orders and payments go hand in hand, and late payments are understandable, as financial institutions could be affected by the pandemic as well. That’s exactly what the fraudsters are banking on in the next example scam, where they send the recipient a proof of payment so that their supposed order gets taken care of. But, similarly to the previous case, instead of a bank statement the attached file contains a Trojan injector.

Mask off

Another type of scam that is making the rounds concerns products that are in high demand, but whose availability is severely limited. In this case, we’re talking about face masks. A fraudulent website is offering unwitting victims discounted “OxyBreath Pro” face masks. Since face masks are scarce, the outrageous price may still sound like a good deal to some. By purchasing the mask, the victim would be falling for a phishing attack and exposing their sensitive personal data to the fraudsters.

Fake testing kits

The short supply of respirators, masks, hand sanitizers, and other medical supplies has been a boon to criminals. Their despicable business has been booming of late, especially since they are offering fraudulent “corona cures”. Some of them have even started offering either fake or non-existent coronavirus testing kits under the guise of medical officials with the necessary certification for their products. The U.S. Food and Drug Administration (FDA) is cracking down heavily on these sellers and has issued warnings that it has not authorized any tests that could be purchased by people to test themselves.

Law enforcement agencies around the world are aware of these kits and other harmful and fraudulent medical supplies as well and have started to act. A global operation seized US$13 million worth of potentially hazardous pharmaceuticals and identified more than 2,000 links connected to bogus products related to COVID-19.

In summary

These aren’t nearly all the types of scams that are currently circulating, but they can provide a good insight into how cybercriminals operate, especially how they capitalize on the climate of fear sweeping the world.

It is important to keep your guard up, so that you are equally safe from both the raging coronavirus pandemic and the scam epidemic surging through the internet. Here are some tips to keep you protected from the latter:

Refrain from clicking on any links or downloading any files sent to you by email from a source that you cannot independently verify or from someone you don’t know.
If the email is purportedly from an official organization, do your due diligence and check it by going to their official website or contacting them through their official channels to verify the veracity of the email.
Look out for suspicious offers and never order anything from an unverified vendor. If the offer or discount looks too good to be true, it usually is. Always be vigilant and find and evaluate reviews about the vendor.
Never underestimate the value of a good endpoint security solution that can help you stay safe from phishing attempts, as well as other varieties of cyber-threats.

ESET

Have you backed up your smartphone lately?

With World Backup Day upon us, we walk you through the ways to back up your iPhone or Android phone so that your personal information remains safe

In your pocket, you carry a supercomputer that outperforms all the tech that landed Aldrin and Armstrong on the moon. Although you may have heard this claim before, it probably never really resonated with you. Now, if we rephrase that to “you carry a device in your pocket that stores almost every aspect of your life, from memories in the form of photographs to personal notes, reminders, passwords and all kinds of sensitive data”, suddenly it feels a bit more personal.

What if your phone gets locked up by a ransomware attack, stolen, bricked or even destroyed? Would you lose everything on it, or do you back it up regularly?

If you don’t back up your phone regularly, then you should start right now. And since we are celebrating World Backup Day today, we’re going to walk you through the ways to do it on both iOS and Android-powered devices.

Backing up your iOS device

When backing up your iPhone, or any other device running iOS, you have two main options to choose from. The first option is storing a backup of your device on your computer or on removable storage connected to it. If you are running macOS Mojave or an earlier version or Windows, the process is the same and uses iTunes. First of all, you’ll have to install Apple’s iTunes software onto your computer, since you will not be able to manage your device without it (Macs have it installed by default). If you’re running macOS Catalina, then instead of iTunes you’ll find the option in the Finder.

To start the process, connect your device to your computer, using the lightning cable you usually use to charge your device.

You will get a prompt to unlock your device, using your preferred method (FaceID, TouchID, code). You may also be prompted to choose to Trust This Computer so your device can sync with it without a problem.

You then click on your device in iTunes or in Finder depending on your operating system and proceed with the whole process. For an extra layer of security, you can choose to encrypt the backup that will be locally stored on your computer. Now just click on the Back Up Now button and you’re set to go. While you’re at it you can also choose to back up your most important data to your iCloud.

This leads us to the other available option, and that is backing up your iPhone to your iCloud straight from your device. Go to the settings on your device and tap on your name and then tap on the iCloud button. Now toggle the iCloud Backup button to turn it on and then press the Back Up Now option.

While backing up you should be connected to a trusted Wi-Fi network. You can set up your iPhone to automatically back up your device to iCloud when you’re connected to a Wi-Fi network. Depending on the storage space that you have on your iCloud, with the default being 5GB, you can also toggle the apps that store data on it.

For example, photos can be quite taxing since, depending on their quality, their size can range from approximately 1 MB to 10 MB, or even 100 MB if we’re talking about videos. So, you might need either to expand your storage or alternatively to move the media files to another repository.

RELATED READING: Types of backup and five backup mistakes to avoid

Backing up your Android device

Now, Androids are a different beast in that you don’t really need any software suite installed on your computer to manage your Android device or its storage. To back up your photos and media onto your computer, all you have to do is plug it into your computer using a USB cable.

The phone will then ask you if you will allow your computer to access your phone data, which you will agree to. Your phone will then appear in your File Explorer (Windows) or Finder (macOS) and you can browse through the files on your device and copy them or drag and drop them into the folder of your choice.

To put it in simple terms: your Android device basically functions as an external storage device, such as a USB stick or an external drive. It’s worth mentioning that some manufacturers do offer their own software, such as Samsung’s DeX, but you don’t necessarily have to use it.

As with iOS devices though, there is another option – you can back up your data to the cloud. Backup options here vary from brand to brand, with many offering their own take on how to store your data; to make this a bit simpler, we’re going to stick to Google’s version since it should be available across most Android devices.

The most straightforward route is going to the settings, then scrolling down until you find Google Settings. Once you’ve tapped on that button, it should redirect you to the Google Settings menu, where you’ll find the Backup option (which may have slightly different names on different versions of the OS).

You can toggle the Backup option on and then press the Back up now button, which will back up your data to Google Drive. There’s also a separate option to back up your photos and videos to the Google Photo app.

And always remember…

Regardless of which kind of device you have, the best practice is to have multiple backups of your data so that in case you lose your phone or one of your backups gets corrupted, you’ll have an extra one to fall back on. Never underestimate the value of planning ahead, since it can save you from a migraine later on.

31 Mar 2020 – 11:30AM

Work from home: Videoconferencing with security in mind

With COVID-19 concerns canceling face-to-face meetings, be aware of the security risks of videoconferencing and how to easily overcome them

At the time of writing one-third of the world’s population is enduring restricted movement to stem the spread of COVID-19. The lockdown has driven huge swaths of the working population to become remote workers, many for the first time. The sudden surge in employees, students, teachers, and many other professionals working from home is driving a huge increase in demand for videoconferencing, online collaboration tools and chat systems.

On March 11th, Kentik (a network operator based in San Francisco) reported a 200% increase in video traffic during working hours in North America and Asia, and this was before the official lockdown in California or other locations took effect.

Last week UK Prime Minister Boris Johnson shared a picture of himself chairing a cabinet meeting via the Zoom app, demonstrating social distancing even in the highest levels of Government.

This morning, I chaired the first ever video conference Cabinet meeting.

We must all do our bit to stop the spread of coronavirus, protect our NHS and save lives. #StayHomeSaveLives

— Boris Johnson #StayHomeSaveLives (@BorisJohnson) March 24, 2020

The decision was a wise one as he has since tested positive for the coronavirus. However, a meeting at this level over a public conferencing system raised questions about security and the UK’s National Cyber Security Centre confirmed there was no security reason why conversations below a certain classification could not take place this way.

If a UK Government meeting is authorized to be held online using a freely available videoconferencing tool, then companies forced to quickly adapt to employees working from home can probably do so with some confidence. However, that does not alleviate the need to understand the built-in security and the need to control how videoconferencing is conducted by using the features available.

Below we outline some key considerations.

Work environment

Check your environment to ensure that the video stream you are sharing does not contain sensitive information. A whiteboard behind you may carry the remnants of a previous meeting, so make sure all confidential or sensitive material is removed from the camera’s view. And while we’ve probably all laughed at cute viral videos of pets or toddlers wandering into a streamed interview or meeting, consider the effect such interruptions could have on your meetings and ensure suitable mitigations are in place before you start.

Control access

Most videoconferencing platforms allow for the creation of groups of users or the ability to restrict access by internet domain so only users with an email address from your company would be able to join the call. Alternatively, only allow attendees that are invited by adding their email addresses to the invite when scheduling the call.

Set a meeting password, typically an option when creating the meeting, which adds a randomly generated password that invitees will need to input. A numerical password can be used to authenticate users who connect by phone. Do not embed the password in the meeting link.

Holding participants in a “waiting room” and approving the connection of each one gives the host ultimate control over who is in the meeting. To handle this for larger meetings you may be able to promote other trusted attendees to an organizer or moderator role.

Communication and file transfers

Enforce encrypted traffic. Do not take it for granted that systems have this option enabled by default for video communications. Some services encrypt chat by default but not video unless specifically requested.

If third-party endpoint client software is permitted, then ensure it complies with the requirements for end-to-end encryption.

If file transfers are needed, then consider limiting the types of files that can be sent; for example, don’t allow executable files (such as .exe files).

Manage engagement and attendees

It’s easy to get distracted on conference calls by email and other notification pop-ups and to shift your attention to that content rather than the call at hand. Depending on the platform, the host may be able to request a notification whenever the conferencing client is not the primary (active) window. If you’re a teacher, this feature may be extremely useful for ensuring the attention of all your students.

Monitor who joined the call, either by enforcing a registration process to connect or by downloading an attendee list after the call. This is also likely to include the connect and disconnect time, showing whether the user was engaged for the whole call.

Screen sharing

Limit the ability for screen sharing to the host, or to a person the host selects. This removes the possibility of someone sharing content by mistake.

When screen sharing, only share the application needed, as opposed to the whole desktop. Even an icon or name of a file on a desktop can give away sensitive company information.

Apple’s iOS takes screen snapshots used when task switching between apps. To protect against this inadvertently including the capture of sensitive information, check to see if the conference system can blur this image.

Forewarned is forearmed

Take the time to step through all the options in the settings of the videoconferencing system you may already have or are thinking of using. As you can see from the snapshot of considerations above, there are many settings and finding the right configuration for your environment is an important task to undertake to ensure company communications remain secure.

Lastly, check the privacy policy of the service you are using. The adage that ‘if it’s free, you’re probably the product’ should be enough motivation for you to check whether the company is collecting, selling or sharing your data to fund the provision of its ‘free’ service.

If you want to learn more about the increased cybersecurity risks associated with teleworking, as well as about ways to counter them, you may want to read these articles:

COVID-19 and the shift to remote work
Work from home: How to set up a VPN
Work from home:

Week in security with Tony Anscombe

What COVID-19 may mean for privacy rights – Managing supply-chain risks – Two Windows zero-days remain unpatched

As health organizations and governments use technology to tackle the spread of COVID-19, what could the use of people’s personal data mean for privacy rights over the long term? The pandemic has also highlighted the need for robust supply chain planning, and we dive into the implications of supply-chain disruptions for businesses across the world. Microsoft alerts the public to two Windows zero-days that are being exploited for targeted attacks but will probably remain unpatched until Patch Tuesday in the middle of April. All this – and more – on

What happens when the global supply chain breaks?

If we can’t secure the supply chain, eventually everything else will break

Recent events have illustrated the need for robust continuity plans, and while these events are still unfolding, it also brings to light the need for robust supply chain planning. A review of the r/sysadmin group on Reddit reveals comments from systems administrators that their orders for laptops, servers, networking gear are being delayed for at least one to two months… so far. And that is for large enterprises, whose purchase contracts typically extend out over several quarters. Smaller businesses may find it even more difficult to obtain computers.

When your new PC shipments stall, for example, it creates a self-amplifying chain of events that increasingly impacts a whole series of business issues, such as new hires being able to start working and upgrades for employees on older hardware. Some businesses may be able to cushion this blow by repurposing and recommissioning old hardware, or by continuing to use aging equipment. But the ability to maintain these is limited by the spare and refurbished parts available to keep them running.

Certain suppliers that make components like power supplies (or hard disk drives or RAM) rely on central manufacturing in high-density plants located in relative proximity to each other in a few parts of the world. From an economic perspective, this makes a lot of sense. From a return-on-investment viewpoint, clustering factories helps offset high operating costs and reduces final output costs to something affordable in a worldwide market by placing the facilities close enough to each other that it introduces economies of scale to building, staffing and operating them.

Paralyze a manufacturing plant due to supply issues, and the ripple effect can run amok, increasing the costs of parts used in technology around the world. As a real-life example of this, a single minute-long power outage at a Samsung Electronics memory chip plant took two-to-three days to resume normal operations and cost the company about US$25 million.

One concept that is taking shape is the restriction of manufacturing densities in single locations. Aimed at critical components and subsystems, this should help foster a globally diverse manufacturing landscape. That way, if there are regional issues, a global resiliency allows business to continue.

We know this from Disaster Response (DR) planning, a practice that many companies are required to have in place, especially if they operate in critical industries. We already know how to do DR, but business continuity plans usually rely on having off-site or even off-region facilities from which business activities can resume. When the affected area is the entire globe, even the most well-practiced continuity of business operations may show some flaws.

In the meantime, what can organizations do to keep up and running with a minimum of disruption to the business? For many of them, this means implementing work from home (WFH) plans. If your employees are already equipped with laptops and use a virtual private network (VPN) to connect back to company servers, you already have most of the work done. For more information about VPNs, see our article on how to set up a VPN. However, having a VPN to connect back to an office’s servers is not enough if the VPN connection is compromised. Last year, vulnerabilities in two business VPN products exposed around half a million servers to attackers. Securing company logins with multi-factor authentication (MFA) may prevent an attacker from entering your network, including over a VPN connection. For more information see our article on improving your security with MFA.

If you are responsible for implementing your organization’s WFH policy, you may find yourself stretched thin to provide all your employees with laptops. In some cases, you may have to configure employee’s desktop computers to use a VPN and allow employees to take them home. If you have an inventory of older or spare systems, it may be necessary to put these into use. You may even need to cannibalize some of them for parts to get the remaining systems in working order.

For servers, it can be a little more challenging: While IT staff usually keep a small number of critical parts around, this is usually a stop-gap solution meant to keep a server available until a vendor can deliver replacement parts. With the availability of replacement parts an open question, non-critical servers may need to be cannibalized to keep more business-critical ones operating. In some cases, the determination may be obvious: You may need more Terminal Services servers than print servers for the next few weeks. If you had plans to decommission servers and services, those plans could be placed on hold for the immediate future or, conversely, accelerated if they are needed to provide services to remote employees.

Perhaps you allow employees to connect using a BYOD solution and Remote Desktop Protocol (RDP). If that is the case, please see It’s time to disconnect RDP from the internet here on WeLiveSecurity. Oh, and if you are concerned about the recently-discovered SMBv3 vulnerability, ESET detects it as SMB/Exploit.CVE-2020-0796 by our Network Attack Protection module, which is an extension of ESET’s firewall technology present in ESET Internet Security and ESET Smart Security Premium for consumers, and ESET’s endpoint protection programs for businesses.

Even if most of your server infrastructure is in the cloud, your cloud service provider may be struggling to provide you with access due to increased use by all of their customers. An example of this is the March 16th outage of Microsoft Teams, which left some users without the ability to collaborate. This is not to say that Microsoft is at fault; the number of users logging in to work from home probably exceeded their wildest capacity estimations, and Microsoft has provided excellent guidance, such as this Guide to Optimizing Office 365 for Remote Staff. If you use G-Suite, Google has provided tips on working from home.

If you are involved in setting up, re-tasking, or otherwise repurposing computers, multiple manufacturers have issued prescriptive advice

6 tips for safe and secure remote working

Getting cybersecurity right in the work-from-home world can feel daunting. ESET Chief Security Evangelist Tony Anscombe shares 6 best practices that will steer you in the right direction.

The COVID-19 pandemic has changed the daily habits of millions of people, and working routines are no exception. With millions of people suddenly switching to telecommuting, we’re witnessing a seismic shift in how people work.

In the United States, only one in four full-time employees worked from home for around three hours per week in 2018. The percentage of remote workers has swollen considerably in recent weeks, and many people have to learn some new tools and tricks very quickly. In many cases, companies are bracing for months without their staff in offices, as the closures are not expected to be lifted any time soon.

Beyond other manifold challenges of remote work, this new normal comes with an increase in cybersecurity risks. Even under the usual circumstances, getting cybersecurity right can be challenging for many businesses and workers. In the current work-from-home world, however, managing the myriad cyber-risks can feel downright daunting.

Watch the video to learn how businesses and their employees can maintain at least a minimum level of cybersecurity amid the global health crisis. Among other things, you’ll learn:

How to beef up your logins
How to avoid data loss should the device fall into the wrong hands
How to access the company’s internal network from home
How external storage devices come into play
Why employees should audit their own IoT devices

If you want to learn more about the increased cybersecurity risks associated with teleworking, as well as about ways to counter them, you may want to read these articles:

COVID-19 and the shift to remote work
Work from home: How to set up a VPN
Work from home: Improve your security with MFA

Stay healthy – and safe!

26 Mar 2020 – 08:30PM

HPE issues fix to stop some SSDs from self‑destructing

If left unpatched, a firmware flaw in some enterprise-class solid-state drives could make data on them unrecoverable as early as this fall

Hewlett Packard Enterprise (HPE) has warned its customers about a bug in the firmware of some of its SAS solid‑state drives (SSDs) that will render the drives dead once they reach exactly 40,000 hours of operation.

In other words, from the time these SSDs are installed and start running, their operation time is exactly 4 years, 206 days, and 16 hours. The affected hardware is used in servers and storage systems.

The good news is that HPE has released a critical firmware upgrade to rectify the issue. Based on the dates on which the company started to ship these drives, the drives should not start failing until October 2020 at the earliest. While this should give customers enough time to install the upgrade, the company advises them to do so immediately.

“After the SSD failure occurs, neither the SSD nor the data can be recovered,” said HPE and added that it was alerted to the flaw by another SSD manufacturer.

The company noted that other SSD models that were put into service at the same time could also be affected and it was possible they would fail nearly simultaneously. It also stated that the bug isn’t unique to HPE and could affect all customers that have bought these drives.

The bug affects SSDs that are running a firmware version prior to HPD7. These drives are usually deployed in HPE server and storage products, such as HPE ProLiant, Synergy, Apollo 4200, Synergy Storage Modules, D3000 Storage Enclosure, and StoreEasy 1000 Storage. The disk’s total power-on time can be checked using the Smart Storage Administrator. The full list of the impacted products is available in HPE’s advisory.

HPE released an update for a similar problem last year, when it announced that another firmware bug would cause a number of its SSDs to fail at 32,768 hours of operation.
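As an added example (not HPE’s own tooling), the check below takes an inventory of drives with their firmware revision and power-on hours, as read from Smart Storage Administrator, flags those still on a revision older than HPD7, and projects when each would cross the 40,000-hour mark. The serials and hour counts are constructed sample values, and the assumption that HPE revisions in this family order by the trailing number of the `HPDn` string is mine.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple
import re

# Facts from the advisory as summarised above.
FAIL_HOURS_HPD7_BUG = 40_000   # drives on firmware older than HPD7 die here
FAIL_HOURS_PRIOR_BUG = 32_768  # threshold of the earlier, separate bug
FIXED_FIRMWARE = "HPD7"


@dataclass
class Drive:
    serial: str          # constructed placeholder values, not real serials
    firmware: str        # revision string such as "HPD5"
    power_on_hours: int  # total power-on time from Smart Storage Administrator


def firmware_revision(fw: str) -> int:
    """Return the numeric part of an 'HPDn' revision string.

    Assumption (not stated by HPE): revisions in this family order by
    that trailing number, so HPD5 < HPD6 < HPD7."""
    m = re.fullmatch(r"HPD(\d+)", fw.strip().upper())
    if not m:
        raise ValueError(f"unrecognised firmware revision: {fw!r}")
    return int(m.group(1))


def is_vulnerable(fw: str) -> bool:
    """True when the revision is older than the fixed one (HPD7)."""
    return firmware_revision(fw) < firmware_revision(FIXED_FIRMWARE)


def split_hours(hours: int) -> Tuple[int, int, int]:
    """Express hours as (years, days, hours) using 365-day years, the
    arithmetic the article uses: 40,000 h -> 4 y 206 d 16 h."""
    years, rem = divmod(hours, 365 * 24)
    days, hrs = divmod(rem, 24)
    return years, days, hrs


def assess(drives: List[Drive], now: datetime,
           threshold: int = FAIL_HOURS_HPD7_BUG) -> List[Dict]:
    """Flag vulnerable drives and project when each crosses the threshold.

    Results are ordered most urgent first. The projection assumes the
    drive stays powered on continuously from `now`."""
    report = []
    for d in drives:
        entry = {"serial": d.serial, "firmware": d.firmware,
                 "vulnerable": is_vulnerable(d.firmware),
                 "hours_left": None, "projected_failure": None,
                 "status": "ok"}
        if entry["vulnerable"]:
            left = threshold - d.power_on_hours
            entry["hours_left"] = left
            if left <= 0:
                # a vulnerable drive past the threshold is unrecoverable
                entry["status"] = "past_threshold"
            else:
                entry["status"] = "at_risk"
                entry["projected_failure"] = now + timedelta(hours=left)
        report.append(entry)
    # vulnerable drives first, fewest remaining hours at the top
    report.sort(key=lambda e: (not e["vulnerable"],
                               e["hours_left"] if e["hours_left"] is not None
                               else float("inf")))
    return report


# Constructed sample inventory; serials and hour counts are made up.
SAMPLE_DRIVES = [
    Drive("SN-EXAMPLE-1", "HPD5", 38_800),  # 1,200 hours from failure
    Drive("SN-EXAMPLE-2", "HPD7", 39_900),  # already patched, not affected
    Drive("SN-EXAMPLE-3", "HPD6", 40_100),  # would already have died
]


def sample_report() -> List[Dict]:
    """Run the assessment on the constructed inventory as of 26 Mar 2020."""
    return assess(SAMPLE_DRIVES, datetime(2020, 3, 26))


if __name__ == "__main__":
    for e in sample_report():
        print(e["serial"], e["firmware"], e["status"], e["hours_left"],
              e["projected_failure"])
```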

Although glitches like these do not occur regularly, they bolster the case for why everybody, not just businesses, should back up their data – and do so regularly. So, if you haven’t done this in a while, or never, the time to start is now. If you’re not entirely sure how to go about it, you can also check out our article on various types of backups and the mistakes you should avoid while you’re doing it.

26 Mar 2020 – 01:43PM

Public health vs. personal privacy: Choose only one?

As the world turns to technology to track and contain the COVID-19 pandemic, could this spell the end of digital privacy rights?

Health organizations and governments all over the world are using technology to communicate, track, monitor and predict the spread of COVID-19. In recent years, data has proven to be a valuable resource – more valuable than oil in some instances – and the use of data to understand the movement of people and their interactions to help control the spread of infection during a global pandemic seems like an excellent use of technology. There are likely to be very few people who would object to the use of technology to track an infected person to ensure they maintain quarantine; I may even advocate such use.

However, unprecedented times should not result in any long-term removal of our privacy rights, especially in cases where legislation has been rushed through to allow the fulfillment of medically urgent needs for data collection or use. In some instances, data is being extracted from smartphones on an individual basis or en masse. In the current age of COVID-19 concern, data potentially relevant to tracking the disease is being gathered, or there are proposals to gather it, via several mechanisms:

- Custom apps developed to enable communication between health care professionals and patients, to keep people informed with official communications, and to provide a warning if an individual has been in close proximity to someone testing positive. Other use cases are mentioned below.
- Mobile phone companies are being asked for, or already have, subscribers’ geotracking data, allowing the modeling of infection predictions based on actual phone subscribers’ movements.
- Popular social media apps also track location, unless the member has elected not to share location data. There are stories circulating in the media that some governments have approached the leaders of social media companies to explore the opportunity of using their data to see if social distancing is effective.

Coping with COVID-19

At the time of writing, there are infections in 172 countries and regions around the world, some with devastating numbers of both infections and deaths. Each country is developing its own strategy to limit the outbreak and included in this is the differing use of technology and tracking data.

At the start of the outbreak in China, the authorities there required citizens in Wuhan to provide personal information so that device tracking could be linked to individuals. The Guardian then reported that Taiwan used phone tracking to enforce self-quarantine, citing an example of automated text messages being sent when a quarantine-mandated individual left a geofenced perimeter.

Singapore’s ministry of health made patients’ personal information publicly available, which allowed developers to create maps showing locations, raising security fears for those concerned. In the last few days the authorities there have also released an app called TraceTogether that uses Bluetooth to identify whether you have been in close proximity to a coronavirus patient.

In Germany, UK, Austria, Belgium, Italy and South Korea, mobile operators have been reported to be sharing aggregated or anonymized location data with health authorities. In South Korea, data was also shared by credit-card companies. The European countries where personal data is protected by the General Data Protection Regulation are not suspending the regulation; they are relying on an exception built into it. Article 9 of the GDPR allows for processing of health and other usually sacrosanct data when necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health.

Despite the exceptions in regulations being used to share data with health and government authorities, the regulations that cover the protection of data should be adhered to. For example, Article 32 of the GDPR still requires appropriate technical and organizational security measures, explicitly naming pseudonymization and encryption of personal data, and an exception that permits the processing does not lift that obligation.

In Israel, authorities approved new surveillance measures allowing citizens to be tracked by monitoring mobile phones. In contrast, Hong Kong tagged new arrivals to the region using wrist bands that log and transmit location data to authorities, maintaining the privacy of the individual’s phone.

An intriguing use of an app comes from the Polish authorities, who require a quarantined individual to install an app released by the Ministry of Digital Affairs and to send a geotagged selfie at regular intervals to prove compliance.

Several countries have passed emergency legislation to permit the use of personal data to combat the spread of the virus. For example, Italy lifted a restriction on the sharing of personal data when doing so was necessary for the performance of civil protection functions.

A few countries, including Russia and China, are using facial recognition technology to ensure that those identified as infected observe quarantine rules. The systems are collecting video through CCTV, drones and other camera-based systems.

Many of these initiatives demonstrate that innovative methods are being explored, and are in use, with governments, health professionals, technology and phone companies working together to combat the medical emergency facing the world. At the same time, privacy advocates are also being vocal about these issues. The BBC reports that in the UK a group identified as “responsible technologists” has urged open disclosure of the UK government’s plans to collect personal data through an app being created to tackle COVID-19.

Exceptional circumstances call for exceptional actions; the issue, though, is what happens when these circumstances have passed. Will governments return to the emergency legislation and revoke the additional rights to use personal data? Will organizations that received the data be required to delete it? Will individuals whose data was affected be notified that it was shared?

It’s our responsibility as technologists and privacy advocates to ensure that normality is restored and that we return to a world where privacy rights are respected and enforced once the current emergency is resolved.

25 Mar 2020 – 08:05PM

Microsoft warns of two Windows zero‑day flaws

Updates for the critical-rated vulnerabilities, which are being actively exploited in the wild, are still weeks away

Attackers are actively exploiting two previously undisclosed security vulnerabilities that affect all supported as well as some of the no-longer-supported versions of the Windows operating system, Microsoft announced in an out‑of‑band advisory on Monday.

The security flaws, rated as critical, are being abused in limited targeted attacks, which implies campaigns by advanced threat actors against carefully chosen targets. Citing the need to “help reduce customer risk until the security update is released”, the tech giant nevertheless disclosed the flaws publicly before a patch was ready.

“Two remote code execution vulnerabilities exist in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font – Adobe Type 1 PostScript format,” said the tech giant. The Adobe Type Manager Library (atmfd.dll) is the Windows component that parses and renders PostScript Type 1 and OpenType fonts; because fonts are parsed automatically whenever a document or preview is rendered, a malformed font file is a convenient delivery vehicle for such flaws.

There are several ways bad actors can exploit the flaws, including by tricking their targets into opening a booby-trapped document or into viewing it in the Windows Preview pane, said Microsoft; in the latter case, merely selecting the file in Explorer is enough to trigger the font parsing.

Microsoft is aware of limited targeted attacks that could leverage unpatched vulnerabilities in the Adobe Type Manager Library, and is providing guidance to help reduce customer risk until the security update is released. See the link for more details.

— Security Response (@msftsecresponse) March 23, 2020


The flaws affect all supported versions of Windows, including Windows 10, as well as systems that are past end‑of‑life, notably Windows 7. Importantly, no patch is available for either of them, and Microsoft hinted that the fix wouldn’t arrive until the forthcoming Patch Tuesday rollout of security updates on April 14th. Even then, machines running the retired operating systems won’t receive the update after it ships – unless their owners are enrolled in Microsoft’s Extended Security Updates (ESU) program.

While the flaws are rated as critical for all affected systems, the company noted that on Windows 10 the potential for exploitation is limited. “For systems running supported versions of Windows 10 a successful attack could only result in code execution within an AppContainer sandbox context with limited privileges and capabilities,” said the tech giant. The difference stems from Windows 10 parsing fonts in a sandboxed user-mode process, whereas on Windows 7 and 8.1 the library runs in kernel mode, so a successful exploit there yields kernel-level code execution. As of the time of writing, the vulnerabilities have yet to be assigned CVE identifiers.

Microsoft suggested a slew of temporary mitigations and workarounds to counter the risk while the patch is in the works. These include disabling the Preview Pane and Details Pane in Windows Explorer and renaming the library (atmfd.dll). Step-by-step guidance is available in the company’s advisory.
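The following script is an added example, not text from Microsoft's advisory or from this article: a triage script for the workarounds discussed above, written for an elevated PowerShell 5.1 or later prompt. In report mode it shows whether a host still exposes atmfd.dll, whether the Explorer Preview and Details panes are turned off by policy, and whether the WebClient (WebDAV) service is running; with `-Apply` it renames the DLL (saving its ACL for rollback), sets the policy values, and disables WebClient. Two things here are assumptions rather than quotes from the page: the per-user policy values `NoReadingPane` and `NoPreviewPane`, which I take to be the registry form of the "Turn off Preview Pane" and "Turn off Details Pane" policies, and the WebClient step, which appears in Microsoft's advisory but is not named on this page.

```powershell
<#
Added example, not Microsoft's advisory: triage the ATMFD workarounds on one host.
  .\Check-AtmfdExposure.ps1          # report only
  .\Check-AtmfdExposure.ps1 -Apply   # also apply the workarounds (reboot afterwards)
Run from an elevated prompt. Registry policy names are assumptions (see lead-in).
#>
[CmdletBinding()]
param([switch]$Apply)

$sys32    = Join-Path $env:windir 'System32'
$dll      = Join-Path $sys32 'atmfd.dll'
$findings = @()

# --- 1. Adobe Type Manager library -------------------------------------------
# Newer Windows 10 builds no longer ship atmfd.dll; on older systems the
# advisory's workaround is to rename it so Windows cannot load it.
if (Test-Path $dll) {
    $ver = (Get-Item $dll).VersionInfo.FileVersion
    $findings += "atmfd.dll present (file version $ver): exposed"
    if ($Apply) {
        & takeown.exe /f $dll | Out-Null
        & icacls.exe $dll /save "$dll.acl" | Out-Null      # keep the ACL for rollback
        & icacls.exe $dll /grant 'Administrators:(F)' | Out-Null
        Rename-Item -Path $dll -NewName 'x-atmfd.dll'
        $findings += 'renamed atmfd.dll to x-atmfd.dll; reboot required'
    }
} elseif (Test-Path (Join-Path $sys32 'x-atmfd.dll')) {
    $findings += 'atmfd.dll already renamed: mitigated'
} else {
    $findings += 'atmfd.dll not present on this build'
}

# --- 2. Explorer Preview / Details panes -------------------------------------
# Assumed policy values: NoReadingPane disables the Preview pane and
# NoPreviewPane the Details pane. A DWORD of 1 means the pane is off by policy.
$polKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
foreach ($name in 'NoReadingPane', 'NoPreviewPane') {
    $val = (Get-ItemProperty -Path $polKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($val -eq 1) {
        $findings += "$name=1: pane disabled by policy"
    } else {
        $findings += "$name not set: pane may render a crafted font on selection"
        if ($Apply) {
            New-Item -Path $polKey -Force | Out-Null
            New-ItemProperty -Path $polKey -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
            $findings += "$name set to 1 (takes effect when Explorer restarts)"
        }
    }
}

# --- 3. WebClient service (WebDAV) -------------------------------------------
# Listed in Microsoft's advisory but not on this page: WebDAV is a likely remote
# path for delivering a crafted font, so disabling WebClient closes that vector
# at the cost of WebDAV file access from this host.
$svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    $findings += 'WebClient service not installed'
} elseif ($svc.StartType -eq 'Disabled') {
    $findings += 'WebClient disabled: WebDAV vector closed'
} else {
    $findings += "WebClient $($svc.Status), start type $($svc.StartType): WebDAV vector open"
    if ($Apply) {
        Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
        Set-Service -Name WebClient -StartupType Disabled
        $findings += 'WebClient stopped and disabled'
    }
}

$findings | ForEach-Object { Write-Output "[$env:COMPUTERNAME] $_" }
```

The rename step is the one with side effects worth planning for: some applications that depend on Type 1 fonts will render incorrectly until the DLL is restored, and the saved `.acl` file is what lets you reverse it cleanly (rename back, then `icacls /restore`) once the April update is installed.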

Weeks ago, Microsoft released patches for a critical cryptographic flaw in Windows and a zero-day in Internet Explorer. ESET researchers uncovered an exploit in 2018 that leveraged a pair of zero-days in Adobe Reader and Windows, while last year they found an exploit that abused another Windows zero-day vulnerability (CVE‑2019‑1132).

24 Mar 2020 – 03:24PM