Security Summary – August 2020, 02-09-2020, Author: DSwiss
Our short monthly review for August summarizes important news and blog posts on IT security, cloud computing and privacy protection.
1. Interpol: more cybercriminal attacks on hospitals
The Corona pandemic has driven an alarming increase in cyberattacks; the victims are mostly government institutions and hospitals, which in turn suffered an increase in data theft, as reported in a survey of several member states of the international police organisation Interpol. In the period from February to March, according to Interpol, there was a marked increase in the number of dangerous web addresses containing the keywords "Coronavirus" and "Covid". Interpol warns that cyber crime will continue to grow in the near future. In addition to the "home office situation", the authority also cites the spread of fake news about the Sars-Cov-2 virus combined with malicious software as a growing problem.
2. New at Threema: video calls
Threema users have recently been able to contact each other via video without having to forgo the high level of data protection that the messenger app is known for. The video calls are end-to-end encrypted: not only the content is encrypted, but also all metadata. The new function has been activated for both iOS and Android devices and was part of the August 10 update.
Threema's main pledge is to guarantee a high level of data protection while leaving the smallest possible data trail. In 2019, security researchers confirmed the security of the messenger service: they found no critical security holes in the version that was current at the time.
3. Security community uses corona crisis to uncover more security gaps
The Microsoft Security Response Center (MSRC) operates a so-called bug bounty program*. The company performed an evaluation and came to the following conclusion: the Corona crisis has led to more security gaps being found by third parties and reported to the company, which subsequently allowed many of them to be closed.
* Bug bounty programs reward people for discovering and reporting software bugs to the corresponding companies. An overview of all bug bounty programs 2020 can be found here: https://de.vpnmentor.com/blog/die-komplette-liste-...
4. Visa contactless security bug
A team of scientists from Switzerland has uncovered a security gap in Visa's contactless payments: criminals who come into possession of a Visa card can use it to purchase expensive products contactlessly without having to enter a PIN. This is possible due to a design error in the EMV standard and also in Visa's contactless protocol, which allows an attacker to modify transaction data and thereby, among other things, override the set limit for contactless payments without a PIN. So as not to attract attention, the "payer" pretends to pay with their cell phone, while in reality the transaction is made with the stolen Visa card carried on their body.
5. 235 million social media profiles leaked
The data broker Social Data scraped public social media profiles for information, apparently without the knowledge or consent of the platforms. The operation came to light through a data leak: an unsecured database containing copies of approximately 235 million social media profiles was exposed without any password protection, apparently due to a configuration error. The exposure was discovered by security researchers from the comparison portal Comparitech.
6. Key copied by sound
Researchers have succeeded in using a 3D printer to recreate keys for pin tumbler locks from the sounds produced when a key is inserted. When a key is pushed into a pin tumbler lock, the pins ride over the notches of the key, creating clicks that reveal how deep those notches are. Simple microphones, for example those of cell phones, were found to be sufficient to pick up the differences between the clicks. In this particular experiment, software was used to calculate the heights and depths of the notches, from which the researchers were able to determine the three most likely key bittings, one of which is most likely to fit.
7. Twitter plan: labeling of state-controlled media accounts
Twitter is increasing its transparency and has announced that the user accounts of state-controlled media will be labeled as such. The short message service says: "Unlike independent media, state-affiliated media use their reporting as a means of promoting a political agenda." Among others, the Kremlin-aligned foreign broadcaster RT (formerly: Russia Today) is affected. Media that receive state funding but are independent in their reporting, such as the British broadcaster BBC, will not be labeled.