STE WILLIAMS

No, the head of the World Health Organization has not emailed you – it’s a message laced with malware

Roundup: It is time for another Reg security summary.

Scammers impersonate WHO boss

As happens every time there is a major news event, scumbags exploit the public’s interest to spread malware. This time, criminals have picked on the World Health Organization’s handling of the global COVID-19 coronavirus pandemic. Researchers at IBM X-Force report the HawkEye malware is being spread under the guise of an email alert from WHO director general Tedros Adhanom Ghebreyesus.

Victims are asked to open an attachment, launching the password-and-Bitcoin-harvesting Windows malware.

“One thing worth mentioning is that the attackers put some effort in hiding the real intention of it,” X-Force said. “The environmental awareness of our sample was quite good and average users would most likely not notice an info-stealer being installed.”

While most Reg readers know better than to fall for these scams, it is worth pointing out to keep less tech-savvy friends and family safe in these times of panic.

Pwn2Own results

With everything going on, it’s easy to overlook this year’s Pwn2Own hacking competition, in which elite exploit developers are challenged to find vulnerabilities and compromise big-name products for big prizes. Among the winners this year were the team from Georgia Tech Systems Software and Security Lab, the hacking team Fluoroacetate, and the STAR LABS hacking team.

Software exploited by contestants included Ubuntu Linux, Oracle VirtualBox, Microsoft Windows, and Apple macOS: more details of the bugs that were found, exploited during the contest, and privately reported to vendors, will be shared when patches are available to install.

Drupal emits fixes

Admins running the Drupal CMS will want to make sure they are running the latest updates, following the release of a security update to address a cross-site-scripting hole.

“Vulnerabilities are possible if Drupal is configured to use the WYSIWYG CKEditor for your site’s users,” Drupal says of the fix. “An attacker that can create or edit content may be able to exploit this Cross Site Scripting (XSS) vulnerability to target users with access to the WYSIWYG CKEditor, and this may include site admins with privileged access.”

Mozilla walks back TLS 1.0, 1.1 cuts

Mozilla is dialing back plans to drop support for the outdated and weak TLS 1.0 and 1.1 web encryption protocols in the Firefox browser. The move was meant to be a security measure, but has been called off for the time being to maintain support during the coronavirus pandemic.

“We reverted the change for an undetermined amount of time to better enable access to critical government sites sharing COVID19 information,” Mozilla says.

Russian contractors hacked

A biz said to be working with Russia’s FSB was reportedly hacked and outed as constructing an IoT botnet for the intel agency. The intruders said ODT (Oday) LLC was working to develop a Mirai-based botnet for the Russian government.

Personal info for 538 million Weibo users, including 172 million phone numbers, was discovered up for sale on the dark web.

FCC sounds alarm over Coronavirus scams

America’s comms watchdog, the FCC, has weighed in [PDF] on the trend of phishing and robocall scams around the coronavirus outbreak. The scams range from fake cures and test kits to HVAC cleaning services.

“We’re tracking scams and sharing information to arm consumers about how imposters use spoofing and other tactics to steal their money and their identity,” said FCC consumer and governmental affairs bureau chief Patrick Webre. “The FCC fights these types of scams through enforcement of its rules, but our primary goal is to be proactive so Americans don’t fall victim to these bad actors.”

New Mirai variant detected

Palo Alto Networks’ Unit 42 has a rundown of Mukashi, an IoT botnet based on Mirai. The malware has been targeting Zyxel NAS boxes.

“Mukashi brute forces the logins using different combinations of default credentials, while informing its command and control (C2) server of the successful login attempts,” Unit42 said.

“Multiple, if not all, Zyxel NAS products running firmware versions up to 5.21 are vulnerable to this pre-authentication command injection vulnerability.”
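The brute-force behaviour Unit 42 describes leaves a recognisable trace in authentication logs: a burst of failed logins from one source, cycling through default usernames, followed by a success from the same source. The script below is an added example, not Unit 42’s or Zyxel’s code; the log line format, the sample lines and the threshold values are constructed for illustration, so the parser regex is the part to adapt to a real appliance’s syslog.

```python
"""
Detect a default-credential brute force against an appliance login.

Added example (not from Unit 42 or Zyxel). The log format, the sample
lines and the thresholds are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample lines: five failed guesses from one address in a few
# seconds, then a success from that address. The second address is ordinary
# noise (one typo, then a correct password) and must not raise an alert.
SAMPLE_LOG = """\
2020-03-20T10:00:01Z auth: src=203.0.113.5 user=admin result=FAIL
2020-03-20T10:00:02Z auth: src=203.0.113.5 user=root result=FAIL
2020-03-20T10:00:02Z auth: src=203.0.113.5 user=admin result=FAIL
2020-03-20T10:00:03Z auth: src=203.0.113.5 user=supervisor result=FAIL
2020-03-20T10:00:04Z auth: src=203.0.113.5 user=admin result=FAIL
2020-03-20T10:00:05Z auth: src=203.0.113.5 user=admin result=OK
2020-03-20T10:05:00Z auth: src=198.51.100.9 user=alice result=FAIL
2020-03-20T10:05:30Z auth: src=198.51.100.9 user=alice result=OK
"""

# Hypothetical line layout; adapt this pattern to the real device's syslog.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "user": m["user"], "ok": m["result"] == "OK"}


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Raise one alert per source that reaches `threshold` failed logins
    inside a sliding window of `window_seconds`. If that source later logs
    in successfully, the alert is upgraded: that is the credential-found
    signal a responder cares about most."""
    window = timedelta(seconds=window_seconds)
    recent_failures = defaultdict(deque)  # src -> timestamps of failures in window
    usernames_tried = defaultdict(set)    # src -> every username seen failing
    alerts = {}                           # src -> alert dict (insertion ordered)

    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable line: skip rather than crash the detector
        src = ev["src"]

        if ev["ok"]:
            # A success only matters if this source already tripped the alarm.
            if src in alerts:
                alerts[src]["success_after_bruteforce"] = True
                alerts[src]["compromised_user"] = ev["user"]
            continue

        usernames_tried[src].add(ev["user"])
        q = recent_failures[src]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:  # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = {
                "src": src,
                "failures_in_window": len(q),
                "first_seen": q[0].isoformat(),
                "success_after_bruteforce": False,
                "compromised_user": None,
            }

    # Attach the full list of usernames tried, sorted for stable output.
    for src, alert in alerts.items():
        alert["usernames_tried"] = sorted(usernames_tried[src])
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The window and threshold are the tuning knobs: a NAS on a home connection sees very few legitimate failures per minute, so a low threshold is acceptable there, while an internet-facing appliance in a busy office will want a higher one to avoid paging on mistyped passwords.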

Rogers warns of data leak

Canadian telecoms giant Rogers admitted some customer information was left sitting out in an exposed database.

The Canuck ISP said the database was used by one of its marketing partners and didn’t contain any passwords nor payment card numbers.

“Customer information that was used by the service provider to fulfill promotional offers on behalf of Rogers was included in the vendor database,” Rogers said of the exposed info. “This was limited to customer name, address, account number, email address and telephone number.” ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/03/23/security_roundup_march20/

It’s time to track people’s smartphones to ensure they self-isolate during this global pandemic, says WHO boffin

Tracking the movements of suspected COVID-19 coronavirus carriers has proved an essential tool in controlling the pandemic, says Professor Marylouise McLaws.

She should know: she’s a technical adviser to the World Health Organization’s Infection Prevention and Control Global Unit.

McLaws – a professor at the University of New South Wales’ School of Public Health and Community Medicine in Australia, and a member of European, US and UK epidemiology and infection control bodies – told The Register tracking played a key role in nations that were able to flatten the exponential curve of COVID-19 cases – particularly Singapore, Taiwan, and South Korea.

Singapore, an air travel hub in the Asia-Pacific region, has 455 confirmed COVID-19 cases, and two deaths, as of the weekend. Taiwan has just 195, and also two deaths.

Professor McLaws said that, in Singapore, those who may have been exposed to the novel coronavirus – particularly if returning from overseas – were subject to “stay-home notices” that required them to self-isolate for 14 days. Confirmed patients were hospitalized, and those at high risk of falling to the bio-nasty were quarantined, we note.


To enforce the stay-at-home notices, officials told people to enable location services on their smartphones and periodically click on a link sent by SMS. That link reported their location, confirming they were in fact staying at home. Messages must be responded to in a short period of time to prevent people cheating by leaving their phones behind while they ventured outside.

Visits were also made to confirm the location of those under lockdown orders.

McLaws is happy with this approach because the data she’s seen suggests the majority of COVID-19 cases can be traced to international travelers, or those who have come into contact with international travelers. Ensuring those people stay away from the general population for two weeks thwarted the spread of the virus.

“I like technology, and I am surprised that we are not using it on the group who are at highest risk – international travelers – and who are not being checked that they are actually self-isolating,” she told us today.

“It is all very well and good to say self-isolate, now is the time to say it must be done. And now that mild confirmed cases are being told to stay at home, we need to make sure they are not out shopping.”

She also feels that using technology to track the COVID-19 pandemic may be less damaging to the social fabric than other means.

“Let’s not turn into police,” she advised. “Reporting people you see puts you at odds with the people we live with. Electronic monitoring is much kinder.” ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/03/23/track_phones_coronavirus_who/

Bored during lockdown? Why not try out these data-spilling KrØØk Wi-Fi bug exploits against your nearby devices

Proof-of-concept exploit code has emerged for last month’s data-leaking KrØØk vulnerability present in a billion-plus Wi-Fi-connected devices and computers.

The team at infosec outfit Hexway told The Register on Friday it has crafted a working exploit for the flaw which is present in equipment that uses Broadcom’s communications chipsets. This design blunder can be abused by nearby miscreants to snatch snapshots of private data, such as web requests, messages, and passwords, over the air from devices as they are transmitted, if said data is not securely encrypted using an encapsulating protocol, such as HTTPS, DNS-over-HTTPS, a VPN, and SSH.

Crucially, to pull this off, a hacker does not need to be on the same Wi-Fi network as the victim: just within radio range of a vulnerable phone, gateway, laptop, or whatever is being probed.

“Among the devices vulnerable to this attack are the ones from Samsung, Apple, Xiaomi and other popular brands,” Hexway told The Register. “To perform the KrØØk attack, a hacker just needs his or her victim to be connected to the Wi-Fi.”

Designated CVE-2019-15126, the KrØØk bug revolves around the transmission data buffers in Broadcom chips. Researchers at ESET found that, in specific circumstances, an attacker can force a nearby device to disconnect from its Wi-Fi point, causing it to emit any data still in its transmit buffer with an encryption key value of zero. Thus a nearby snooper can decrypt this transmitted information flushed from the buffer. If the data isn’t wrapped up in additional encryption, such as HTTPS, it can be read as plain text.

Hexway has managed to weaponize the design error in Broadcom’s hardware by using a Raspberry Pi 3 with a Python script. This setup was able to yield keys and private data from a Sony Xperia Z3 Compact and Huawei Honor 4X, because they use the vulnerable chipset.


It is also believed that certain models of Amazon Echo and Kindle, Google Nexus smartphones, and both the iPad and iPhone are vulnerable to the flaw.

“After testing this PoC on different devices, we found out that the data of the clients that generated plenty of UDP traffic was the easiest to intercept,” Hexway said in an advisory accompanying its code.

“Among those clients, for example, there are various streaming apps because this kind of traffic (unlike small TCP packets) will always be kept in the buffer of a Wi-Fi chip.”

Those so inclined can get the script from Hexway via GitHub. Meanwhile, security outfit Thice has cooked up its own exploit proof-of-concept as well.

The Thice report includes further details on the flaw, which may not be as bad as feared.

“So, yeah, KrØØk is real and not that hard to exploit when a vulnerable router is involved,” says the Thice recap. “However, the amount of data that you can steal this way is limited since it is only a couple of packets per disconnect.”

If you haven’t already done so, and if you’re able to, and if it’s necessary, check for and install software patches from your devices’ manufacturers to address the KrØØk vulnerability. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/03/20/kr00k_wifi_bug_poc/

200M Records of US Citizens Leaked in Unprotected Database

Researchers have not determined who owns the database, which was one of several large exposed instances disclosed this week.

Researchers discovered an unprotected database holding 800GB of personal user information, including 200 million detailed user records. The entirety of the database was wiped on March 3.

User records inside the database held what appeared to be profiles of US users, according to researchers with Lithuanian research group CyberNews. Data contained exposed individuals’ full names and titles, email addresses, phone numbers, birthdates, credit ratings, home and mortgage real estate addresses, demographics, mortgage and tax records, and information about personal interests, and investments, as well as political, charitable, and religious donations.

“We were shocked by the sheer scale of the data exposed: The combination of personal, demographic and real estate asset data was an absolute goldmine for cybercriminals,” the CyberNews team says.

It seems much of the data in this “main folder” may have originated in the United States Census Bureau, researchers report. When they found the database on Shodan.io in late January, they reached out to the US Census Bureau as a potential owner and have not heard a response. They watched the database for a couple of months, they say, but assume it was exposed for longer.

Finding the database was “not that difficult,” the researchers say, but attackers would need some basic technical knowledge to understand what they were looking for. While someone could have accessed the database by mistake, the chances of this happening would be low.

In addition to the main folder of unsecured data, the database contained two more folders seemingly unrelated to the trove of personal records held in the main folder. These folders held the emergency call logs of a US-based fire department, as well as a list of some 74 bike stations that formerly belonged to a bike-share program. The bike-share stations are owned by Lyft.

While the two smaller folders did not hold personal data, the fire department call logs did have dates, times, locations, and other metadata dating back to 2010. “The presence of the folders that contained bike-sharing and fire department service call data was what confused us the most,” they say. It’s possible the data in these two folders may have been stolen or was used by several parties at the same time, the researchers hypothesize. They were unable to confirm this.

“The structure of the data led us to believe that the database belonged to a data marketing firm, or a credit or real estate company,” the team says. For example, categories and sections were marked as codes in a fashion similar to the dictionaries used by data marketers. The codes themselves, they explain, were specific to the US Census Bureau or used in its classifications.

Information in this database, if accessed, could be “incredibly useful” to phishers, scammers, and other cybercriminals who could use the personal details within it to launch sophisticated phishing campaigns, spam attacks, and social engineering attempts.

This wasn’t the only large misconfigured database found exposing sensitive information this week. Just yesterday, a misconfigured Elasticsearch database exposed more than 5 billion records related to data breaches between 2012 and 2019. A UK research firm collected detailed information on the breaches, including domain, source, contact email address, and password.

Earlier this week, vpnMentor researchers discovered an unprotected AWS S3 bucket holding 425GB of data, representing some 500,000 files related to MCA Wizard, a mobile app that acts as a tool for a Merchant Cash Advance. Data in the documents included credit reports, bank statements, contracts, legal documents, purchase orders, tax returns, and Social Security data.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/cloud/200m-records-of-us-citizens-leaked-in-unprotected-database/d/d-id/1337377?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Trolls ZoomBomb work-from-home videocall with filth

With so much of the world self-isolating, physically distancing themselves from others and remotely working from home, people are flocking to remote-work apps such as Microsoft, Slack and Zoom – anything that can make them feel connected by teleconference or videoconference.

Well, hang on to your hats, hosts: before you set up meetings, you need to know how to block the trolls. Specifically, if you’re using the Zoom videoconferencing app to connect people, you need to configure meetings so your participants don’t wind up connecting to the closest receptacle as their guts suddenly start to churn.

I’m talking about ZoomBombing: a new form of trolling in which asshats use Zoom’s screensharing feature to scorch other viewers’ eyeballs with the most revolting videos they can find, be they violent, pornographic, or a mixture of multiple revolting ingredients into a bile-rising cocktail.

As TechCrunch reports, on Tuesday, WFH Happy Hour – a popular daily public Zoom call hosted by The Verge reporter Casey Newton and investor Hunter Walk – got ZoomBombed. Dozens of attendees were suddenly exposed to disturbing imagery when a troll entered the call and screenshared a brain-scorching fetish video along with other “horrifying” sexual videos, Josh Constine reports.

Attendees of the WFH Happy Hour videoconference found it futile to block the barrage. The perpetrator simply re-entered the call under a new name and kept up the screensharing of nastiness. Since they couldn’t stop the assaults, the hosts simply ended the call.

It doesn’t have to be this way

Unfortunately, it’s Zoom policy that enables the infliction of this abhorrent content. To wit:

The host does not need to grant screen share access for another participant to share their screen.

By default, any participant in a meeting can share their video, screen, and audio.

“By default?” To avoid this kind of horror show, the setting should really be “screensharing only with moderator permission.” Be that as it may, hosts can disable the option in settings, pre-meeting, by changing screensharing to “Host Only.” Otherwise, during the meeting, hosts can turn on that setting as soon as they see that the screensharing feature is being abused.

Here’s where you can check out Zoom’s instructions on managing participants in a meeting.

As well, Tech Crunch passed along these tips from entrepreneur Alex Miller on other ways to protect your Zoom calls:

  • Disable “Join Before Host” so people can’t cause trouble before you arrive.
  • Enable “Co-Host” so you can assign others to help moderate.
  • Disable “File Transfer” so there’s no digital virus sharing.
  • Disable “Allow Removed Participants to Rejoin” so booted attendees can’t slip back in.

Don’t be like The Verge’s Newton, who found himself apologizing to his parents, who were on the #WFHappyHour call on Tuesday for the first time. He told Tech Crunch that he didn’t capture screenshots of the attack since he was too busy screaming. Constine quoted him sometime after his heart rate returned to normal:

Today we all learned an important lesson about disabling screen sharing and saw once again the importance of good content moderation.

Haven’t we learned this lesson before?

Yes, we kind of have: ZoomBombing is the latest iteration of an ancient fad known as bluejacking that first popped up in 2003. It allowed pranksters to exploit mobile phones’ Bluetooth technology, which lets devices communicate with each other up to a range of about 30 feet. When Bluetooth is activated, it automatically seeks out other Bluetooth devices in the vicinity, and that lets people send anonymous messages to each other.

Or, say, pictures of their junk. In 2017, one woman was subjected to 120 down-the-pants selfies via iPhone AirDrop while riding public transport.

Now’s as good a time as any to remind everybody that inflicting depictions of wobbly flesh on others is a crime. In England, sending indecent images is classified under section 66 of the Sexual Offences Act (2003), given that it’s the same as exposing genitals and intending that the recipient “see them and be caused alarm or distress”. At least back in 2017, the penalty for breaking the law was a prison term of up to two years.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/9yhhnqHMkxQ/

S2 Ep31: Remote working, malwareless ransomware and EARN IT – Naked Security Podcast

This week, Duck advises on how to keep your company safe while working remotely, Peter discusses malwareless ransomware attacks, and Mark shares the latest in the EARN IT saga.

Host Anna Brading is joined by Sophos experts Paul Ducklin, Peter Mackenzie and Mark Stockley.

Listen now!


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/CbkmPqc92Wo/

Online face mask sales scams, 400% uptick of coronavirus phishing reports: Brit cops’ workload shifts online along with the nation’s

British police are saying coronavirus-related fraud reports have spiked by 400 per cent over the past six weeks as the COVID-19 illness continues its inexorable march through humanity.

Although absolute numbers of reports are low, perhaps kept that way because the public now knows Action Fraud is largely useless, the National Fraud Intelligence Bureau (NFIB) said there were a total of 200 reports of coronavirus scams made to them since 1 February.

“The majority of reports are related to online shopping scams where people have ordered protective face masks, hand sanitiser, and other products, which have never arrived,” said the NFIB in a statement.

The police unit’s chief, Superintendent Sanjay Andersen, added: “The majority of scams we are seeing relate to the online sale of protective items, and items that are in short supply across the country, due to the COVID-19 outbreak. We’re advising people not to panic and to think about the purchase they are making. When you’re online shopping it’s important to do your research and look at reviews of the site you are buying from.”

This links into both private sector and public sector figures showing that coronavirus-related phishing messages are spreading like – well, like a global pandemic.

Infosec biz Check Point said earlier this week it had seen an uptick in cybercrime forum activity, including criminals offering discounts to fellow crims for using coronavirus-themed bait in online scams and phishing attacks. Yaniv Balmas, the firm’s head of cyber research, gloomily observed: “Furthermore, we are seeing hackers use the attention on COVID-19 to spread their harmful ‘goods’ in as many places as possible through COVID-19 specials and discounts on the dark net.”

Earlier this week the GCHQ-owned National Cyber Security Centre warned of “bogus emails with links claiming to have important updates, which once clicked on lead to devices being infected.” Those scam emails included ones appearing to come from the US Centre for Disease Control and the World Health Organisation, offering paid-for access to a live map of nearby COVID-19 infection cases.

Clicking the link in the email takes you to a credential-stealing webpage so cybercrooks can empty unwitting marks’ bank accounts.

Another common one doing the rounds, according to the police NFIB, is a variation on the old HM Revenue and Customs tax refund scam. These versions display the HMRC logo and feature bait text that looks reasonably convincing.

With political wonks filling Twitter with shrill demands for the government to hand out money directly to citizens instead of providing loans and grants to businesses, this particular scam may sucker in even switched-on netizens.

Paul Chichester, NCSC’s director of operations, said in a canned statement: “We know that cyber criminals are opportunistic and will look to exploit people’s fears, and this has undoubtedly been the case with the Coronavirus outbreak.”

Emails seen by NCSC were being used to spread the Emotet banking trojan, a particular hazard in an era where virtually everyone below a certain age has become dependent on online banking as a result of lockdowns and growing rumours of mandatory home curfews in the UK.

Stay safe – and that means online as well as offline. ®

Breaking news

Prime Minister Boris Johnson has ordered bars, restaurants, clubs, gyms, and similar businesses to close immediately, and for people to socially distance themselves and work from home if possible, to prevent the spread of coronavirus in Blighty. The UK government has also offered to cover 80 per cent of wages for employees unable to work, up to £2,500 a month.


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/03/20/coronavirus_scam_reports_police_up_400pc/

Proof of Concept Released for kr00k Wi-Fi Vulnerability

The code demonstrates a relatively simple method to exploit a vulnerability in more than a billion devices.

Researchers at HexWay have demonstrated a proof-of-concept (PoC) exploit of kr00k, a significant Wi-Fi vulnerability first described by Eset researchers in February. The vulnerability forces a device to use an encryption key of all zeroes under certain circumstances. The PoC shows that the circumstances are not difficult to achieve.

In the PoC, a python script called r00kie-kr00kie is used to force a device to disassociate from the network; any data packets left in the device’s Wi-Fi chip are encrypted with all zeros and can then be flushed and read. The action can be conducted repeatedly, potentially gathering large amounts of unencrypted data from the victim.

kr00k was estimated to have had an impact on well over 1 billion devices, including some from Apple, Amazon, Google, Raspberry Pi, Samsung, and Xiaomi. Device owners are urged to be sure that their devices have been updated to the latest operating system and firmware releases.


Article source: https://www.darkreading.com/attacks-breaches/proof-of-concept-released-for-kr00k-wi-fi-vulnerability/d/d-id/1337371?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Dark Reading Cybersecurity Crossword Puzzle

Here’s a little something to snuggle up with if you’re on lockdown.

(image by juliasudnitskaya, via Adobe Stock)

Snuggle up with your hot beverage of choice, take a break from the perils of facing reality, and hack away at The Edge’s first Dark Reading cybersecurity crossword puzzle. It might be just what you need to ease burnout while thinking about work at the same time.

Have a hard time coming up with the answers to these puzzle questions? We know a great place to look for more clues …

Head to http://crossword.info/DarkReading/DRCrossword032020 to fill out your crossword online or print out a PDF version

Across

    1  something you have too many of 

    5  IoT security researcher Santamarta 

    8  technology that extends a private network across a public network 

    9  PoisonIvy, Dark Comet, or Blackshades 

  10  thing you need to encrypt or sing well 

  11  Mini, Cozy, Onion and Cosmic 

  12  e-commerce attack that hit Macy’s 

  17  place to outsource security tasks 

  18  mobile phone social engineering attack 

  21  exploited in Equifax breach 

  23  network security tool that tries to stop infiltrators 

  25  US government office that exposed millions of federal employees’ PII in 2015 

  27  tool for stealing credit card numbers 

  28  popular place to put misconfigured, leaky cloud buckets 

  29  convert passwords to unreadable strings or a good way to prepare potatoes 

  33  ransomware that took down the City of Atlanta 

  36  international interbank messaging system exploited in bank heists 

  37  retail company hit with record-setting breach

  38  certification for pen testers


Down

    1  healthcare insurer that exposed 78.8 million  records in 2015 

    2  ransomware known for long dwell time, human operators, that took down Tribune Publishing 

    3  entertainment company hit with massive IP theft and wiper in 2014 

    4  retailer that was compromised via a third-party HVAC contractor and exposed 40 million credit card numbers 

    6  Microsoft RDP vulnerability that prompted out-of-band patches 

    7  office that set landmark cybersecurity policy for New York finance industry 

    8  exploitable software bug, for short 

  13  European privacy law 

  14  common infosec certification 

  15  kind of bounty 

  16  something you have too many of 

  17  fastest-spreading virus of its time, in 1999 

  19  Austrian privacy activist 

  20  ransomworm that stormed the world in 2018 

  22  the worst kind of privileges to be exposed

  24  SMS attack 

  26  a type of attack that intercepts communications 

  30  sophisticated attack group, for short 

  31  white, black, or gray item 

  32  unlawful data exposure 

  34  tool for finding malware, for short 

  35  home base for security first responders 

Good luck!


Article source: https://www.darkreading.com/theedge/dark-reading-cybersecurity-crossword-puzzle/b/d-id/1337370?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Location-tracking wristbands required on all incoming travelers to Hong Kong

Welcome to Hong Kong, traveler, and to the mandatory, Disney MagicBand-esque tracking wristband we’re about to slap onto your potentially infectious arm.

The city-state had already been requiring arrivals from mainland China to self-isolate at home for 14 days. But as the area undergoes a COVID-19 resurgence, mostly brought in by travelers coming from European, US and Asian countries, it’s now enforcing the quarantine on all incoming travelers, with the wristbands helping to ensure that they adhere to movement restrictions.

The government announced on Monday that starting at midnight on Thursday (19 March), it was planning to put all arriving passengers under a two-week quarantine and medical surveillance.

On Wednesday evening, Government Chief Information Officer Victor Lam told reporters at the airport that the Privacy Commissioner for Personal Data had been consulted about the technology and had assured everybody that it won’t threaten people’s privacy.

CIO Lam:

The app will not capture, directly, the location. It will only capture the changes in location, especially the telecommunication signals around the confinee, to ensure that he’s staying at home.

Hong Kong confirmed 16 new cases of coronavirus on Thursday, bringing the city’s total to 208, according to the South China Morning Post. The new cases – 11 men and five women, aged 19 to 51 – had traveled to Europe, Britain and/or Canada. Hong Kong’s chief executive, Carrie Lam, said that of the 57 new cases Hong Kong recorded in the past two weeks, 50 were travelers from overseas.

Declan Chan, a Hong Kong resident who returned from Zurich on Tuesday and who was required to put on one of the wristbands at the airport, told CNBC that it felt “a bit weird” because of “privacy reasons,” but that he understood why it had to be done.

I was just expecting we’d have to fill out a form. I didn’t realize there would be a wristband.

The form Chan filled out suggested that passengers had the option of sharing their location data with the government either via messaging platforms, like WeChat and WhatsApp, or by agreeing to wear the electronic wristband. The government must have rethought that either/or option, given that Chan soon learned that the messaging apps weren’t actually an option and that all passengers must wear the wristbands.

Chan told CNBC that he was instructed to walk around the corners of his house once he got home, so that the technology could precisely track his geofence: i.e., the coordinates of the living space where he’d remain under quarantine.

The wristbands pair with a smartphone, and they aren’t easy to remove. The government says that it won’t directly capture location – only the changes in location, “especially the telecommunication and communication signals around the confinee to ensure that he (or she) is staying at home.”

If the wristband is broken or the smartphone is disconnected or taken away from the confinee’s geofence, an alert will be sent to the Department of Health and Police.

And just to make sure that people haven’t somehow subverted the technology location tracking, the government has a backup plan: surprise calls. From the government’s press release:

The staff at the communication centres set up by the Office of the Government Chief Information Officer will check the location of people under quarantine from time to time and make surprise video calls to ensure that they are staying at their dwelling places.

CNBC got hold of a handout now being given to passengers. It threatens fines or imprisonment for those who mess with the quarantines:

A person who contravenes or knowingly gives false information to Department of Health is liable on conviction to a $5000 HKD (USD $644) fine and to imprisonment for 6 months.

Chan doesn’t feel like he’s being needlessly surveilled. In fact, he finds it comforting to be in a place where the government is taking the pandemic seriously, unlike, say, places where government allows people to flock to Florida beaches, hug each other in evangelical church meetings (“This Bible school is open because we’re raising up revivalists, not pansies.”), or stand shoulder to shoulder as they watch Disneyworld fireworks or cram into a bar to celebrate St. Patrick’s Day.

Chan:

It’s quite safe to be in Hong Kong where the situation of the virus is now in control.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/AIYh-JuCGbY/