Pete Recommends Weekly highlights on cyber security issues April 12, 2020

Subject: Zoom CEO: ‘I Really Messed Up’
Source: Newser

(Newser) – As many companies shift gears or close doors in the coronavirus economy, Zoom has had the enviable problem of managing what the Wall Street Journal calls “breakneck growth.” Except that, per the Journal, “it hasn’t been going well” as the videoconferencing company has been beset with security and privacy issues as hordes of businesses and the bored homebound alike have turned to its services. “‘If we mess up again, it’s done,’ I thought a lot last night,” CEO Eric Yuan, who founded the company nine years ago, says. Around 10 million people were using Zoom to meet each day at the end of 2019; that number is now 200 million. But Zoom proved popular with trolls, too, who hacked into meetings with hate speech and porn and coined the term “Zoombombing.”…


Subject: New York City schools banning Zoom after security concerns
Source: Business Insider

  • New York City teachers are banned from using Zoom for virtual teaching after the Department of Education cited safety and privacy concerns.
  • Schools are instead being directed to use Microsoft Teams, which the department has reportedly already started training teachers and staff to use.
  • However, some critics told Chalkbeat that the platform was not as attractive as Zoom, and could diminish some teachers’ ability to deliver live lessons.
  • Zoom has been plagued by privacy and security concerns in recent weeks as schools and other groups have moved online and witnessed “Zoombombing” incidents, prompting warnings from the FBI and demands for increased user privacy from the New York Attorney General.

Department of Education Chancellor Richard Carranza announced on April 4 that security and privacy issues were behind the department’s decision to ban the platform “as soon as possible,” according to a memo reported by Chalkbeat.

The platform is compliant with student privacy laws, including FERPA, the Family Educational Rights and Privacy Act.


Subject: Russian telco hijacks internet traffic for Google, AWS, Cloudflare, and others
Source: ZDNet

Rostelecom involved in BGP hijacking incident this week impacting more than 200 CDNs and cloud providers. Earlier this week, traffic meant for more than 200 of the world’s largest content delivery networks (CDNs) and cloud hosting providers was suspiciously redirected through Rostelecom, Russia’s state-owned telecommunications provider.

The incident affected more than 8,800 internet traffic routes from 200+ networks. Impacted companies are a who’s who in the cloud and CDN market, including big names such as Google, Amazon, Facebook, Akamai, Cloudflare, GoDaddy, Digital Ocean, Joyent, LeaseWeb, Hetzner, and Linode.

Yet, progress on adopting these new protocols has been slow, and BGP hijacks continue to happen on a regular basis.

For example, in November 2018, a small Nigerian ISP hijacked traffic meant for Google’s network, while in June 2019, a large chunk of European mobile traffic was rerouted through China Telecom, China’s state-owned and largest telecom operator.

Subject: Government secrecy is growing during the coronavirus pandemic
Source: The Conversation via beSpacific

The Conversation: “Students at the University of Florida who want to know how they are being protected from the COVID-19 pandemic can’t find out. The university is hiding its emergency response plan under a legal loophole intended to keep terrorists and enemy combatants – not viruses – from exploiting government weaknesses. Since the spread of coronavirus accelerated in recent weeks, local, state and federal officials throughout the United States have locked down information from the public. Examples include:…

Subject: Zoom Videoconferencing App Hid Security Flaws, Says Shareholder in Class-Action Lawsuit
Source: Newser

Class-action lawsuit also claims unauthorized disclosure of personal info. (Newser) – Shares in videoconferencing app Zoom hit record highs at the end of last month as COVID-19 forced people to work and socialize from home. Then came the drop, coinciding with concerns about “zoombombing” and other security and privacy issues. Another drop in stock price came Tuesday, with shares closing at a third of their market value in late March, as one of Zoom’s shareholders filed a class-action lawsuit in federal court. Michael Drieu accuses Zoom of concealing failures in software encryption, including that its service isn’t end-to-end encrypted, per Reuters. CEO Eric Yuan, who admitted he “really messed up,” has said end-to-end encryption is in the works but it’s still months off, per Bloomberg.

Subject: Discarded Gloves, Masks an Odd New Danger in Fight Against Coronavirus
Source: various news reports via Newser

(Newser) – From California and Texas to New Hampshire and New York, there’s a “new, disgusting trend” cropping up around the coronavirus, and it’s a potentially dangerous one. The Washington Post and other outlets report on the “small pops of color” suddenly showing up in parking lots, by the side of the road, in shopping carts, in people’s yards, and along nature trails: discarded face masks, sanitizing wipes, and latex gloves used to keep the virus at bay, dropped by people where they’re standing. Research suggests the virus that causes COVID-19 can linger for hours or even days on certain surfaces—including up to three days on plastic—meaning supermarket and sanitation workers may assume some risk by picking up such litter. “[People] throw these … and expect a homeowner or business owner to pick them up. What are they thinking?” a resident of a Chicago suburb tells the Daily Herald….

Subject: Instacart Workers Getting Scammed Out of Tips by Customers
Source: CNN Business via Newser

(Newser) – Instacart is an invaluable service for those who don’t want to venture out during the coronavirus pandemic to go grocery shopping. As details, the free app works like this: A customer places an online order with stores like Whole Foods, Publix, or Costco, after which the app sends out an alert to “gig workers,” who decide whether to snatch up the order based on such factors as how many stores they’ll have to go to, how many items they’ll need to shop for, and how much the offered tip is. And that last consideration is an important one, as tips can make up half of a worker’s income. That’s why some Instacart shoppers are fuming at what they tell CNN Business is a virtual bait-and-switch, in which they pick up a job based on an ample tip, only to have the customer lower the tip—or even change it to zero—after the delivery has been made.

Subject: FDA Has a Coronavirus Warning for Alex Jones
Source: Newser

Should Jones fail to comply, he could face legal action, have his products seized, and might be ordered to reimburse anyone who purchased them. There are currently no products proven to prevent or treat the virus. As Politico reports, the Android app for Jones’ show, Infowars, was recently banned by Google for spreading coronavirus misinformation. Apple had already banned the app back in 2018, Wired reports. (Jones has also been pushing a conspiracy theory about the virus.)

Subject: Firefox zero day in the wild: patch now!
Source: Naked Security

Mozilla just pushed out an update for its Firefox browser to patch a security hole that was already being exploited in the wild. If you’re on the regular version of Firefox, you’re looking to upgrade from 74.0 to 74.0.1, and if you’re using the Extended Support Release (ESR), you should upgrade from ESR 68.6.0 to ESR 68.6.1.

Given that the bug needed patching in both the latest and the ESR versions, we can assume either that the vulnerability has been in the Firefox codebase at least since version 68 first appeared, which was back in July 2019, or that it was introduced as a side effect of a security fix that came out after version 68.0 showed up.

Subject: Interim Guidance for Implementing Safety Practices for Critical Infrastructure Workers Who May Have Had Exposure to a Person with Suspected or Confirmed COVID-19
Source: CDC

To ensure continuity of operations of essential functions, CDC advises that critical infrastructure workers may be permitted to continue work following potential exposure to COVID-19, provided they remain asymptomatic and additional precautions are implemented to protect them and the community.

A potential exposure means being a household contact or having close contact within 6 feet of an individual with confirmed or suspected COVID-19. The time frame for having contact with an individual includes the period of time of 48 hours before the individual became symptomatic.

Critical Infrastructure workers who have had an exposure but remain asymptomatic should adhere to the following practices prior to and during their work shift…

Posted in: Big Data, Civil Liberties, Communications, Cybercrime, Cyberlaw, Cybersecurity, E-Commerce, Government Resources, Healthcare, Legal Research