Cybersecurity Roundup: March 24, 2020

This week we’ve got Zoom’s privacy nightmare, Hong Kong’s new mandatory location-tracking wristbands, the limits of DIY coronavirus safety gear, Instagram is a user-security tire fire, hackers helping with the pandemic, hackers making the pandemic worse, a really great guide for sex during these trying times, and more…

Get inbox delivery of this weekly brief for as little as $1.

Zoom in on the fine print

If, like an overwhelming number of people right now, you’re having to use Zoom while working remotely, you should know that the app is a privacy nightmare — which makes the company pretty evil to be doing invasions and overreach (nonconsensual data grabs) during a horrible pandemic. For example, last year EPIC made an official complaint to the FTC about Zoom’s egregious privacy invasions. The problems with this company are not new.

Anyway, I urge you to know the risks and make the best decisions you can for your situation (harm reduction; reducing harm as best you can while knowing the risks you’re taking). My educated guess is that this thing is a security nightmare, too. I mean, just read what Proton Mail wrote about Zoom’s privacy and security dumpster fire.

Zoom’s privacy page states: “Whether you have Zoom account or not, we may collect Personal Data from or about you when you use or otherwise interact with our Products. This includes, but is not limited to, your physical address, phone number, your job title, credit and debit card information, your Facebook account, your IP address, your OS and device details, and more.”

Further, the app allows your boss to spy on you far beyond what’s okay in an office setting. From EFF:

Zoom allows administrators to see detailed views on how, when, and where users are using Zoom, with detailed dashboards in real-time of user activity … If a user records any calls via Zoom, administrators can access the contents of that recorded call, including video, audio, transcript, and chat files, as well as access to sharing, analytics, and cloud management privileges.
... [admins can] see the operating system, IP address, location data, and device information of each participant. This ... includes the type of machine (PC/Mac/Linux/mobile/etc), specs on the make/model of your peripheral audiovisual devices like cameras or speakers, and names for those devices [like if you name your AirPods]. Admins have the ability to join any call at any time on their organization’s instance of Zoom, without in-the-moment consent or warning for the attendees of the call.

Pwn All The Things wrote on Twitter, “PSA to everyone moving to Zoom for meetings & classes: you can use it direct from the browser, massively curtailing what info it can collect from you and limiting your exposure to their native app.”

Here’s how: PSA: Yes you can join a Zoom meeting in the browser (TechCrunch)

Stories and links worth a click:

“If the wristband is broken or the smartphone is disconnected or taken away from the confinee’s geofence, an alert will be sent to the Department of Health and Police.” – Location-tracking wristbands required on all incoming travelers to Hong Kong (Naked Security)

This is really, really great news: "Adafruit was deemed an essential service to distribute/make some PPE (Personal Protection Equipment) such as face shields, and manufacturer electronics for essential life-saving/preserving equipment and development which is needed in New York and beyond." - Adafruit Industries, Essential service and business: NYC – Executive Order 202.6 Capabilities and more (Adafruit)

But, if you're thinking of DIY-ing it -- “We don’t recommend 3D-printing masks and respirators … However, surgical masks can be sewn … When manufacturing PPE, follow these instructions recommended by Prusa Research” – Fast Face Shields (patterns and instructions, NYC Makes PPE)

“Instagram has faced a wave of hackers breaking into accounts to then extort their owners. Hackers have targeted everything from food to fashion to travel focused accounts. Victims have been confused and left stranded by Instagram’s account recovery methods, meaning they’ve had to turn to white hat hackers for help. One of these white hats gets so many requests, he now employs a team to help field requests from hacking victims, is charging thousands of dollars for his own service, and considers this his full-time job.” – Inside an Instagram Celebrity Hacking Campaign (Vice)

This post is fantastic; it’s about the ways hackers of all kinds can help fight all the circumstances we’re facing with COVID-19 (and the work various hackers are doing now). – Living In Corona Times (Hackaday)

“Malwarebytes found a new phishing campaign using the well-respected WHO name as a lure to trick people into downloading a fake Coronavirus e-book that carries an infostealer. The e-book “My-Health” promises information to protect children and business from the virus.” – Cybercriminals weaponize the World Health Organization name to lure phishing victims (SC Magazine)
See also: Exclusive: Elite hackers target WHO as coronavirus cyberattacks spike (Reuters)

“The infamous Maze Team has struck again, this time infecting an urgent walk-in care center in Texas with its system-crippling ransomware.” – Maze Ransomware Continues to Hit Healthcare Units amid Coronavirus Outbreak (Hot for Security)

Remember last week, when I wrote a feature about sex and COVID-19, with sex-positive advice from professionals and healthcare workers? I know, it feels like that was ten years ago. Well, after that, the city of New York issued some extremely fantastic, sex-positive, kink-positive and straightforward guidelines for sex and life under the coronavirus. – Sex and Coronavirus Disease 2019 (COVID-19) (NYC Health, .pdf)

“A naturalized US citizen who was working as a tour guide in San Francisco has been sentenced to four years in prison for being a Chinese spy … Between June 2015 and July 2018, Pen pulled off six dead drops at hotels in California and Georgia. He was on his way to pull off a seventh dead drop when he was busted at his home on 27 September 2019.” – Tour guide/Chinese spy gets four years for SD card dead drops (Naked Security)

Thank you for reading, commenting, sharing

I have a tiny bit of good news: I’ve been working nonstop since last week! It was a surprise, but an outlet I like contacted me and said they had a feature that they thought I’d be perfect to write for them … and then after I started conducting interviews, I came across another really cool story. I told the editor, and they said … do it all. So I’ve been working until three and up early every day. I’m hoping it leads to more work with this outlet. Fingers crossed.

It’s freakish though, to start seeing mass layoffs and have a bunch of work fall in my lap. I’m not complaining, I just see that writing and reporting is so critical right now, and especially that those of us who do it, do it right. Lives hang in the balance.

I feel like anyone writing posts and emails right now needs to acknowledge what we’re all going through — it’s weird if you don’t. I want everyone to be okay, but I want us all to be realistic too: this thing is very freaky, there are a ton of unknowns, and every insulated and privileged douchebag in a position of power is putting lives at risk. Plus, too many people aren’t taking this seriously, which puts the burden on those of us who do. 

Fortunately, we are not like the muggles who can’t social distance or are praying instead of washing their damn hands. We can carry extra water to make sure there’s a tomorrow, and we can shape the new normal into something better than before.

Speaking of doing the right thing, that contract still hasn’t paid me! I told them in November that getting paid was urgent, and in my last email to them (last week), the dude in charge didn’t respond to me — again. Which is kind of awful, especially considering everyone else I write for is rushing to make sure people get paid for some pretty obvious, apocalyptic reasons. So, if you’re settled in your bunker and have a little extra, here are some ways you can help me out. 

Main post image via Kate Layne on Twitter.
