March 20, 2020

Location-tracking wristbands required on all incoming travelers to Hong Kong

By Lisa Vaas

Welcome to Hong Kong, traveler, and to the mandatory, Disney MagicBand-esque tracking wristband we’re about to slap onto your potentially infectious arm.

The city-state had already been requiring arrivals from mainland China to self-isolate at home for 14 days. But as the area undergoes a COVID-19 resurgence, mostly brought in by travelers coming from European, US and Asian countries, it’s now enforcing the quarantine on all incoming travelers, with the wristbands helping to ensure that they adhere to movement restrictions.

The government announced on Monday that starting at midnight on Thursday (19 March), it was planning to put all arriving passengers under a two-week quarantine and medical surveillance.

On Wednesday evening, Government Chief Information Officer Victor Lam told reporters at the airport that the Privacy Commissioner for Personal Data had been consulted about the technology and had assured everybody that it won’t threaten people’s privacy.

CIO Lam:

The app will not capture, directly, the location. It will only capture the changes in location, especially the telecommunication signals around the confinee, to ensure that he’s staying at home.

Hong Kong confirmed 16 new cases of coronavirus on Thursday, bringing the city’s total to 208, according to the South China Morning Post. The new cases – 11 men and five women, aged 19 to 51 – had traveled to Europe, Britain and/or Canada. Hong Kong’s chief executive, Carrie Lam, said that of the 57 new cases Hong Kong recorded in the past two weeks, 50 were travelers from overseas.

Read more at https://nakedsecurity.sophos.com/2020/03/20/location-tracking-wristbands-required-on-all-incoming-travelers-to-hong-kong/

COVID-19 disruption delays release of Chrome version 81

By John E Dunn

It’s the COVID-19 shortage nobody expected – not toilet rolls, tinned goods or headache pills this time but Google software engineers.

It’s a problem that many believe explains the abrupt decision by Google to delay the release of Chrome 81, the stable version of which was scheduled to start appearing on users’ computers on 17 March.

This was a bit of a shock – pulling the release of a browser version so late in the day is highly unusual, especially when the Chrome developers’ Twitter account had reportedly already announced its arrival in a now-deleted tweet.

The same delay applies to future Chrome versions, which should have appeared roughly every five weeks after that. The brief note from the Chrome Release Team said:

Due to adjusted work schedules at this time, we are pausing upcoming Chrome and Chrome OS releases. Our primary objectives are to ensure Chrome continues to be stable, secure, and work reliably for anyone who depends on them.

The phrase “adjusted work schedules” is not surprising given that the company last week ordered many employees to work from home to enable social distancing to cope with COVID-19.

Read more at https://nakedsecurity.sophos.com/2020/03/20/covid-19-disruption-delays-release-of-chrome-version-81/

Exchange rate service’s customer details hacked via AWS

By Danny Bradbury

Online exchange rate data provider Open Exchange Rates has exposed an undisclosed amount of user data via an Amazon database, according to a notification letter published on Twitter this week.

Open Exchange Rates provides foreign exchange data for over 200 currencies worldwide, including digital ones. Software developers can access it through an application programming interface (API) that lets their applications query the Open Exchange Rates service and receive the results as JSON, a format that is both machine- and human-readable.

The company runs its service in the Amazon Web Services (AWS) cloud. Unfortunately, this was the focus of a breach that started on 9 February 2020, the company said in a notification that it sent to customers on 12 March. Linux and open source engineer Sylvia van Os tweeted the notification:

@troyhunt https://t.co/HfAwV7gtVq

Sylvia van Os (@SylvieLorxu) March 12, 2020

This incident is different from many of the AWS-based exposures we report here because it wasn’t due to a public database or S3 bucket exposure. In those incidents, organizations publish information on the web for all to see, usually through database or cloud misconfiguration. Instead, this appears to have been a targeted attack.

Open Exchange Rates explained that it started receiving complaints about its API performance on 2 March, which it traced to a misconfiguration in its network. While fixing the issue, it found that an unauthorized account had been tampering with its AWS environment. According to the letter, the intruder used a compromised secure access key.

Read more at https://nakedsecurity.sophos.com/2020/03/20/exchange-rate-services-customer-details-hacked-via-aws/

Delayed Adobe patches fix long list of critical flaws

By John E Dunn

Notice anything missing from last week’s Microsoft Patch Tuesday?

Obscured by a long list of Microsoft patches and some fuss about a missing SMB fix, the answer is Adobe, which normally times its update cycle to coincide with the OS giant’s monthly schedule.

It’s mostly a practical convenience – admins and end-users get all the important client patches at once, which includes Adobe’s ubiquitous Acrobat and Reader software.

And yet March’s roster was Adobe-less. This week the company made amends, issuing fixes for an unusually high 41 CVE-level vulnerabilities, 21 of which are rated critical.

It’s not clear what caused the delay, although it might simply be their number and the need to finalize patches before making them public.

The two patching hotspots are the 22 CVEs in Photoshop and 13 in Acrobat and Reader.

Of these, 16 uncovered in Photoshop/CC for Windows and macOS are rated critical compared to a more modest 9 in Acrobat and Reader.

That said, Reader is ubiquitous on Windows and Macs, which is why admins will probably zero in on those as the top priority.

Read more at https://nakedsecurity.sophos.com/2020/03/19/delayed-adobe-patches-fix-long-list-of-critical-flaws/

Facebook accidentally blocks genuine COVID-19 news

By Lisa Vaas

Fake news, bogus miracle cures: Facebook has been dealing with a lot, and COVID-19 isn’t making it any easier.

Like many other companies, Facebook is trying to keep its employees safe by allowing them to opt for working remotely, so as to avoid infection.

But when humans are taken out of the content moderation loop, it might suggest that automated systems are running the show. Facebook is denying that a recent content moderation glitch has anything to do with workforce issues, but it’s also saying that automated systems are to blame for being overzealous in stamping out misinformation.

On Tuesday, Guy Rosen, Facebook’s VP of Integrity, confirmed user complaints about valid posts about the pandemic (among other things) having been blocked by mistake by automated systems:

We’ve restored all the posts that were incorrectly removed, which included posts on all topics - not just those rel… twitter.com/i/web/status/1…

Guy Rosen (@guyro) March 18, 2020

On Wednesday, a Facebook spokesperson confirmed that all affected posts have now been restored. While users may still see notifications about content having been removed when they log in, they should also see that posts that adhere to community standards are back on the platform, the spokesperson said.

Facebook says it routinely uses automated systems to help enforce its policies against spam. The spokesperson didn’t say what, exactly, caused the automated systems to go haywire, nor how Facebook fixed the problem.

Read more at https://nakedsecurity.sophos.com/2020/03/19/facebook-accidentally-blocks-genuine-covid-19-news/

Cryptojacking is almost conquered – crushed along with coinhive.com

By Danny Bradbury

Cryptojacking may not be entirely dead following the shutdown of a notorious cryptomining service, but it isn’t very healthy, according to a paper released this week.

Cryptomining websites embed JavaScript code that forces the user’s browser to begin mining for cryptocurrency. The digital asset of choice is normally Monero, which is often used in cybercrime because of its enhanced anonymity features.

Some cryptomining sites sought the visitor’s permission to co-opt their browser, often in exchange for blocking ads. Others did it surreptitiously (which is what we call cryptojacking). Either way, one name kept cropping up in these cases: Coinhive.

Coinhive provided Monero cryptomining scripts for use on websites, retaining 30% of the funds for itself. It showed up on large numbers of cryptomining and cryptojacking sites. Researchers tracked them with a tool called CMTracker.

Monero underwent a hard fork and its price plummeted. This contributed to Coinhive shuttering its service in March 2019, claiming that falling prices made it economically unviable.

Given Coinhive’s popularity, how prevalent is cryptojacking now? That’s what researchers at the University of Cincinnati and Lakehead University in Ontario, Canada explored in their paper, called Is Cryptojacking Dead after Coinhive Shutdown?

The researchers checked 2,770 websites that CMTracker had previously identified as cryptomining sites to see if they were still running the scripts. They found that 99% of sites had ceased activities, but that around 1% (24 sites) were still operating with working scripts that mined cryptocurrency. Manual checks on a subset of the sites found that a significant proportion (11.6%) were still running Coinhive scripts that were trying to connect to the operation’s dead servers.
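The recheck the researchers describe, revisiting known cryptomining sites to see which still carry working or dead miner scripts, is easy to reproduce in miniature. The script below is an added example, not code from the article or from the CMTracker paper: it scans saved HTML for miner indicators inside script tags only, so a page that merely mentions coinhive.com in its prose (as a news article would) is not flagged. The coinhive.com domain comes from the article; the other indicator patterns, the `SiteMiner` constructor name, the pool address and the sample pages are all constructed for illustration.

```python
"""Flag saved web pages that still embed browser cryptomining code.

Added example, not code from the article or from the CMTracker paper it
describes. Indicator patterns and the sample pages are constructed for
illustration; only the coinhive.com domain comes from the article.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed indicator set. Matching is restricted to <script> content so a
# news page that merely *mentions* coinhive.com in its prose is not flagged.
MINER_INDICATORS = {
    "coinhive_domain": re.compile(r"coinhive\.com", re.I),
    "miner_constructor": re.compile(r"\bnew\s+\w*Miner\w*\s*\(", re.I),
    "stratum_endpoint": re.compile(r"stratum\+tcp://", re.I),
    "cryptonight_wasm": re.compile(r"cryptonight", re.I),
}

# Inline script bodies and external script src URLs (assumes simple, well-formed HTML).
SCRIPT_BODY_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
SCRIPT_SRC_RE = re.compile(r"<script\b[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.I)


@dataclass
class ScanResult:
    site: str
    external_scripts: List[str]
    hits: Dict[str, int] = field(default_factory=dict)

    @property
    def flagged(self) -> bool:
        return bool(self.hits)


def scan_html(site: str, html: str) -> ScanResult:
    """Return which miner indicators appear in a page's script tags, with counts."""
    srcs = SCRIPT_SRC_RE.findall(html)
    bodies = SCRIPT_BODY_RE.findall(html)
    corpus = "\n".join(srcs + bodies)
    hits: Dict[str, int] = {}
    for name, pattern in MINER_INDICATORS.items():
        n = len(pattern.findall(corpus))
        if n:
            hits[name] = n
    return ScanResult(site=site, external_scripts=srcs, hits=hits)


def summarize(results: List[ScanResult]) -> Dict[str, float]:
    """Aggregate like the paper's recheck: how many sites still carry miner code."""
    flagged = [r for r in results if r.flagged]
    coinhive = [r for r in flagged if "coinhive_domain" in r.hits]
    return {
        "scanned": len(results),
        "flagged": len(flagged),
        "still_referencing_coinhive": len(coinhive),
        "flagged_pct": round(100.0 * len(flagged) / len(results), 1) if results else 0.0,
    }


# Constructed sample pages standing in for HTML saved from a crawl.
SAMPLE_PAGES = {
    "clean.example": (
        "<html><head><script src='https://cdn.example/analytics.js'></script>"
        "</head><body><p>Nothing to see.</p></body></html>"
    ),
    # Still loads the dead Coinhive library and instantiates a (constructed) miner object.
    "stale-coinhive.example": (
        "<html><head><script src='https://coinhive.com/lib/miner.js'></script>"
        "<script>var m = new SiteMiner('CONSTRUCTED-KEY'); m.start();</script>"
        "</head><body></body></html>"
    ),
    # Self-hosted miner talking to a (constructed) mining pool address.
    "self-hosted-miner.example": (
        "<html><body><script>const pool = 'stratum+tcp://pool.example:3333';"
        "startMining(pool);</script></body></html>"
    ),
    # Mentions coinhive.com only in prose: must not be flagged.
    "news-about-coinhive.example": (
        "<html><body><p>Coinhive shut down in 2019; coinhive.com no longer "
        "serves scripts.</p><script>console.log('page loaded');</script>"
        "</body></html>"
    ),
}


def scan_samples() -> List[ScanResult]:
    return [scan_html(site, html) for site, html in SAMPLE_PAGES.items()]


if __name__ == "__main__":
    results = scan_samples()
    for r in results:
        print(f"{'MINER' if r.flagged else 'clean':5} {r.site:30} {r.hits}")
    print(summarize(results))
```

Restricting matches to script content is the design choice that matters here: the researchers' question was whether sites were still *running* the scripts, and a domain string in page text says nothing about that. A real crawl would also need to follow the external `src` URLs and inspect what they serve, since a stale Coinhive include points at servers that no longer respond.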

Read more at https://nakedsecurity.sophos.com/2020/03/19/cryptojacking-is-almost-conquered-crushed-along-with-coinhive-com/

NIST shared dataset of tattoos that’s been used to identify prisoners

By Lisa Vaas

In 2017, the Electronic Frontier Foundation (EFF) filed a Freedom of Information Act (FOIA) lawsuit looking to force the FBI and the National Institute of Standards and Technology (NIST) to cough up info about Tatt-C (also known as the Tattoo Recognition Challenge): a tattoo recognition program that involves creating an “open tattoo database” to use in training software to automatically recognize tattoos.

For years, the EFF has been saying that developing algorithms that the FBI and law enforcement can use to identify similar tattoos from images – similar to how automated facial recognition systems work – raises significant First Amendment questions. The thinking goes like this: you can strip out names and other personally identifiable information (PII) from the tattoo images, but the images themselves often contain PII, such as when they depict loved ones’ faces, names, birthdates or anniversary dates, for example.

As part of the Tatt-C challenge, participating institutions received a CD-ROM full of images to test the third parties’ tattoo recognition software. That dataset has 15,000 images, and most were collected from prisoners, who have no say in whether their biometrics are collected and who were unaware of what those images would be used for.

Since 2017, when the EFF used a FOIA lawsuit to get at the names of the participating institutions, it’s been trying to find out whether the entities realize that there’s been no ethical review of the image collection procedure, which is generally required when conducting research with human subjects.

On Tuesday, the EFF presented a scorecard with those institutions’ responses.

The results: nearly all of the entities that responded confirmed that they’d deleted the data. However, 15 institutions didn’t bother to respond, or said “You can count us as a non-response to this inquiry”, to a letter sent by the EFF in January.

Read more at https://nakedsecurity.sophos.com/2020/03/19/nist-shared-dataset-of-tattoos-thats-been-used-to-identify-prisoners/
