April 28, 2020
Coronavirus tracking tool from Apple and Google embraced by Germany
By Lisa Vaas
Germany on Sunday pulled an about-face regarding the best way to use smartphones to trace people’s contacts with those infected by COVID-19, embracing a decentralized Bluetooth-based approach instead of the more invasive location tracking proposed in other approaches.
The Bluetooth approach – which keeps data local on people’s phones instead of being stored on a centralized database that could be used for mass state surveillance or to track people – is supported by Apple, Google and other European countries, Reuters reported.
Apple and Google first announced their contact tracing collaboration two weeks ago, on 10 April. Instead of “contact tracing,” though, they’re calling it an Exposure Notification system.
As the companies have explained in an FAQ about their approach, it will come in two phases, both of which will use Bluetooth technology on mobile devices to aid in contact tracing efforts.
The first phase will be an API that works across iOS and Android devices for public health agencies to integrate into their own apps. That’s due in May. The second phase, due in coming months, will be introduced at devices’ operating system levels to ensure broad adoption – a key element in the success of contact tracing.
It will be done on a strictly opt-in basis. After the operating system updates and a user has opted in, the Exposure Notification system will start pinging the Bluetooth beacons of nearby devices. Initially, users won’t have to install an app to get those notifications. But if a match is detected that shows a user has come into contact with somebody who’s infected, the user will be notified.
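The security point behind Germany’s switch is where the matching happens. The following simulation is an added example, not the Apple/Google code or the actual Exposure Notification protocol: it assumes that each opted-in phone broadcasts random rotating identifiers, keeps the identifiers it overhears only on the phone, and that the server stores nothing but the identifiers voluntarily published by users who report a positive test. The names (Device, PublicationServer, check_exposure) are constructed for this illustration.

```python
"""Simplified, constructed model of a decentralized Bluetooth exposure
notification scheme (added example; not the real protocol)."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Device:
    name: str
    opted_in: bool = False
    broadcast_ids: list = field(default_factory=list)  # IDs this phone has sent
    seen_ids: set = field(default_factory=set)         # IDs overheard; never uploaded

    def new_beacon(self) -> bytes:
        """Fresh random identifier: no name, number or location is broadcast."""
        rid = secrets.token_bytes(16)
        self.broadcast_ids.append(rid)
        return rid


def encounter(a: Device, b: Device) -> bool:
    """Two phones in Bluetooth range swap beacons. Only opted-in phones take part,
    and the exchanged data stays on the two phones."""
    if not (a.opted_in and b.opted_in):
        return False
    b.seen_ids.add(a.new_beacon())
    a.seen_ids.add(b.new_beacon())
    return True


class PublicationServer:
    """The only central component. It holds identifiers published by users who
    report a positive test; it never receives anyone's seen_ids, so it cannot
    reconstruct who met whom."""

    def __init__(self) -> None:
        self.published: set = set()

    def publish_positive(self, d: Device) -> None:
        self.published.update(d.broadcast_ids)

    def download(self) -> set:
        return set(self.published)


def check_exposure(d: Device, server: PublicationServer) -> bool:
    """Matching runs on the phone against the downloaded list."""
    return bool(d.seen_ids & server.download())


def run_scenario() -> dict:
    """Constructed scenario: Alice meets Bob (both opted in) and Dave (not opted in),
    then reports a positive test. Returns who gets notified and what the server holds."""
    alice, bob, carol, dave = (Device("alice", True), Device("bob", True),
                               Device("carol", True), Device("dave", False))
    server = PublicationServer()
    encounter(alice, bob)
    encounter(alice, dave)  # no exchange: Dave has not opted in
    server.publish_positive(alice)
    return {
        "bob_notified": check_exposure(bob, server),
        "carol_notified": check_exposure(carol, server),
        "dave_notified": check_exposure(dave, server),
        "server_knows_contacts": any(
            x in server.published for x in (bob.seen_ids | carol.seen_ids | dave.seen_ids)
        ) and False,  # the server never receives seen_ids at all
        "server_record_count": len(server.published),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The contrast with a centralized design is that a central server would need every phone’s seen_ids to do the matching, which is precisely the contact graph the article’s “mass state surveillance” concern is about.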
Read more at https://nakedsecurity.sophos.com/2020/04/28/coronavirus-tracking-tool-from-apple-and-google-embraced-by-germany/
‘Evil GIF’ account takeover flaw patched in Teams
By John E Dunn
Microsoft has quickly fixed a flaw in its Teams videoconferencing and collaboration program that could have allowed attackers to launch a wormlike attack on multiple accounts by sending one victim a malicious GIF image.
Discovered by Israeli security company CyberArk, the underlying weakness is a combination of two issues.
The first concerns the way Teams manages authentication tokens.
Teams can generate a lot of these, depending on what it is accessing (SharePoint or Outlook, for example); each token gives the user the right to view content or resources from a Microsoft subdomain accessed during a session.
To simplify, the ability to view an image is defined by two tokens, skypetoken_asm and authtoken, that also control lots of requests a user can make through the Teams API and Skype, such as sending and reading messages, creating groups, adding users and changing permissions.
Importantly, if an attacker could somehow get hold of an authtoken they could generate their own skypetoken. That should be impossible because such tokens are only sent to Microsoft subdomains… which is where the second weakness becomes important.
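The guarantee the article describes, that a bearer token is only ever attached to requests for trusted subdomains, depends on the client getting its host check exactly right. The block below is an added example, not Microsoft’s or CyberArk’s code: it shows a naive substring check beside a correct suffix match. The allowlist and the function names (should_send_token, naive_in_scope) are constructed for the illustration and do not reflect the real Teams token scope.

```python
"""Added example: scoping a bearer token to an allowlist of trusted domains.
Constructed allowlist; not the actual list of hosts Teams sends tokens to."""
from urllib.parse import urlsplit

TRUSTED_SUFFIXES = ("teams.microsoft.com", "skype.com")  # constructed allowlist


def naive_in_scope(host: str) -> bool:
    """The tempting but wrong check: a substring test. It accepts hosts such as
    'teams.microsoft.com.attacker.example' or 'notskype.com'."""
    return any(s in host for s in TRUSTED_SUFFIXES)


def host_in_scope(host: str, suffixes=TRUSTED_SUFFIXES) -> bool:
    """Correct check: the host must equal a trusted name or end with '.' + name,
    so a trusted label appearing earlier in the host does not count."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def should_send_token(url: str) -> bool:
    """Decide whether a request may carry the session token: HTTPS only, and the
    destination host must be inside the trusted scope."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False          # never put a bearer token on a cleartext request
    return host_in_scope(parts.hostname or "")


if __name__ == "__main__":
    for u in ("https://teams.microsoft.com/api/x",
              "https://teams.microsoft.com.attacker.example/",
              "http://teams.microsoft.com/api/x"):
        print(u, should_send_token(u))
```

Defensively, the same rule belongs on the server side as well: tokens should be bound to the audience they were issued for and rejected elsewhere, so that a mis-scoped client check is not the only thing standing between a token and an account.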
Read more at https://nakedsecurity.sophos.com/2020/04/28/evil-gif-account-takeover-flaw-patched-in-teams/
5 common mistakes that lead to ransomware
By Paul Ducklin
If you’re a system administrator, the network you look after is almost certainly way more spread out since coronavirus stay-at-home regulations kicked in.
But even if your colleagues are using their own computers now, and connecting in via their own internet connections, it’s still “your” network, and it still represents a valuable target – as a network, not just as numerous individual computers – to cybercriminals.
And one of the most dramatic all-at-once attacks that your network can suffer is, of course, ransomware.
Read more at https://nakedsecurity.sophos.com/2020/04/27/5-common-mistakes-that-lead-to-ransomware/