EMA warns over doctored COVID-19 vaccine data hacked and leaked online

The European Medical Agency (EMA) has warned that information on COVID-19-related medicines and vaccines, which was stolen in a cyber attack last December and leaked online earlier this week, includes correspondence that’s been manipulated prior to publication “in a way which could undermine trust in vaccines”.

It’s not clear exactly how the information — which includes schematics of drug structures and correspondence relating to evaluation processes for COVID-19 vaccines — has been doctored.

We’ve reached out to the agency with questions.

One security researcher, Lukasz Olejnik, who has raised concerns about the leak via Twitter, suggested the doctored data will be “perfect for sowing distrust” because the biotechnical language involved in the leaked correspondence will not be widely accessible.

Equally, it also seems possible that the high bar of expertise required to properly parse the data could limit how much damage the manipulated versions can do by limiting their viral appeal.

But it’s notable the EMA has raised concerns over the risk to trust in coronavirus vaccines.

“Two EU marketing authorisations for COVID-19 vaccines have been granted at the end of December/beginning of January following an independent scientific assessment,” the EMA writes in the latest update on the hack.

“Amid the high infection rate in the EU, there is an urgent public health need to make vaccines available to EU citizens as soon as possible. Despite this urgency, there has always been consensus across the EU not to compromise the high-quality standards and to base any recommendation on the strength of the scientific evidence on a vaccine’s safety, quality and efficacy, and nothing else.

“EMA is in constant dialogue with the EC, and other regulators across the network and internationally. Authorisations are granted when the evidence shows convincingly that the benefits of vaccination are greater than any risks of the vaccine. Full details of the scientific assessments are publicly available in the European Public Assessment Reports on EMA’s website,” it adds.

At the time of writing a criminal investigation into the cyber attack remains ongoing.

The attack has not been attributed to a specific hacking group or state actor, and there’s no confirmation of who is responsible for trying to sow coronavirus-related disinformation by seeding doctored medical documents online.

However, last November Microsoft warned that hackers backed by Russia and North Korea had targeted pharmaceutical companies involved in the COVID-19 vaccine development efforts.

Back in June, the European Commission also raised concerns about the risks of coronavirus vaccine disinformation spreading in the coming months — simultaneously name-checking China and Russia as foreign entities it said it had confirmed as being behind state-backed disinformation campaigns targeting the region.

So suspicion seems likely to fall on the usual ‘hostile suspect’ states.

We’ve seen similar ‘doctored leak’ tactics attributed to Russia before — typically related to attempts to interfere with elections by smearing candidates for high political office.

Researchers have suggested that the hackers responsible for the 2015-16 breaches of the Democratic National Committee’s network snuck doctored data into the leaked emails — an attack that was subsequently attributed to Russia.

More recently, there was the infamous ‘Hunter Biden’ laptop incident — which supporters of president Trump sought to leverage against his challenger for the White House (now president-elect) in last year’s presidential race.

In that case, any disinformation punch fizzled out amid a raft of dubious claims around the finding and timing of the claimed data cache (along with much greater general awareness about the risk of digital fake smear tactics in political campaigns in the wake of revelations about the scale of Russia’s social media influence disops in the 2016 US presidential election).

In an earlier incident, from 2017, emails linked to the French president Emmanuel Macron’s election campaign also leaked online shortly before the vote — coinciding with a document dump on an Internet forum that suggested the presidential frontrunner had a secret bank account in the Cayman Islands, a claim Macron’s political movement said was fake.

In 2019, Reddit also linked account activity involving the leak and amplification of sensitive UK-US trade talks on its platform during the UK election campaign to a suspected Russian political influence operation.

It’s not clear whether that leaked trade dossier had been doctored or not (it was heavily redacted). And it certainly did not deliver a landslide election win to Jeremy Corbyn’s Labour Party — which used the leaked data in its campaign. But a similar, earlier operation which was also attributed to Russia had involved the leak of fake documents on multiple online platforms. (That disinformation operation was identified and taken down by Facebook in May 2019.)

The emergence of leaks of doctored medical data linked to COVID-19 vaccines and treatments looks like a troubling evolution of hostile cyber disops which seek to weaponize false data to generate unhelpful outcomes for others — as there’s a direct risk to public health if trust in vaccine programs is undermined.

There have been state level hacks targeting medical data before too — albeit without the pandemic-related backdrop of an ongoing public health emergency.

Back in 2016, for example, the World Anti-Doping Agency confirmed that confidential medical data related to the Olympic drug tests of a number of athletes had been leaked by the Russia-linked cyber hacking group, ‘Fancy Bear’. In that case there were no reports of the data being doctored.

A security researcher commandeered a country’s expired top-level domain to save it from hackers

In mid-October, a little-known but critically important domain name for one country’s internet space began to expire.

The domain — scpt-network.com — was one of two nameservers for the .cd country code top-level domain, assigned to the Democratic Republic of Congo. If it fell into the wrong hands, an attacker could redirect millions of unknowing internet users to rogue websites of their choosing.

Clearly, a domain of such importance wasn’t supposed to expire; someone in the Congolese government probably forgot to pay for its renewal. Luckily, expired domains don’t disappear immediately. Instead, the clock started on a grace period for its government owners to buy back the domain before it was sold to someone else.

By chance, Fredrik Almroth, a security researcher and co-founder of cybersecurity startup Detectify, was already looking at nameservers of country code top-level domains (or ccTLDs), the two-letter suffixes at the end of regional web addresses, like .fr for France or .uk for the United Kingdom. When he found this critical domain name was about to expire, Almroth began to monitor it, assuming someone in the Congolese government would pay to reclaim the domain.
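The audit described above boils down to a simple question: which registrable domains, outside the zone itself, does a delegation depend on, since those are the ones someone must keep renewed. The following is an added example written for this page, not Almroth’s or Detectify’s tooling; the nameserver hostnames are constructed, and the two-label rule for the registrable domain is a stated simplification standing in for a Public Suffix List lookup.

```python
from typing import List, NamedTuple, Set


class NsDependency(NamedTuple):
    nameserver: str          # NS hostname as delegated
    registrable_domain: str  # the domain whose registration must stay paid up
    out_of_zone: bool        # True when that domain lives outside the zone


def registrable_domain(hostname: str) -> str:
    """Assumption: the registrable domain is the last two labels. This stands in
    for a Public Suffix List lookup and is wrong for suffixes such as co.uk."""
    labels = hostname.strip(".").lower().split(".")
    return ".".join(labels[-2:])


def ns_dependencies(zone: str, nameservers: List[str]) -> List[NsDependency]:
    """Classify each delegated nameserver by whether its registrable domain sits
    inside the zone (renewed by the zone operator) or outside it (a separate
    registration that can silently lapse, as scpt-network.com did)."""
    zone = zone.strip(".").lower()
    result = []
    for ns in nameservers:
        host = ns.strip(".").lower()
        in_zone = host == zone or host.endswith("." + zone)
        result.append(NsDependency(host, registrable_domain(host), not in_zone))
    return result


def external_renewals(zone: str, nameservers: List[str]) -> Set[str]:
    """Out-of-zone registrable domains an operator must watch for expiry."""
    return {d.registrable_domain
            for d in ns_dependencies(zone, nameservers) if d.out_of_zone}


def single_external_dependency(zone: str, nameservers: List[str]) -> bool:
    """True when every nameserver hangs off one out-of-zone domain: a single
    missed renewal then takes the whole delegation with it."""
    deps = ns_dependencies(zone, nameservers)
    return (bool(deps) and all(d.out_of_zone for d in deps)
            and len({d.registrable_domain for d in deps}) == 1)


# Constructed delegation for illustration (hostnames are made up; the article
# names only the registrable domain scpt-network.com).
CONSTRUCTED_CD_NS = ["ns1.scpt-network.com.", "ns.registry.cd."]

if __name__ == "__main__":
    for dep in ns_dependencies("cd", CONSTRUCTED_CD_NS):
        print(dep)
    print("watch for expiry:", external_renewals("cd", CONSTRUCTED_CD_NS))
```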

But nobody ever did.

By the end of December, the clock was almost up and the domain was about to fall off the internet. Within minutes of the domain becoming available, Almroth quickly snapped it up to prevent anyone else from taking it over — because, as he told TechCrunch, “the implications are kind of huge.”

It’s rare but not unheard of for a top-level domain to expire.

In 2017, security researcher Matthew Bryant took over the nameservers of the .io top-level domain, assigned to the British Indian Ocean Territory. But malicious hackers have also shown interest in targeting top-level domains to hack into companies and governments that use the same country-based domain suffix.


Taking over a nameserver is not supposed to be an easy task because they are a vital part of how the internet works.

Every time you visit a website your device relies on a nameserver to convert a web address in your browser to the machine-readable address that tells your device where on the internet to find the site you’re looking for. Some liken nameservers to the phone directory of the internet. Sometimes your browser looks no further than its own cache for the answer, and sometimes it has to ask the nearest nameserver for the answer. But the nameservers that control top-level domains are considered authoritative and know where to look without having to ask another nameserver.

With control of an authoritative nameserver, malicious hackers could run man-in-the-middle attacks to silently intercept and redirect internet users going to legitimate sites to malicious webpages.

These kinds of attacks have been used in sophisticated espionage campaigns aimed at cloning websites to trick victims into handing over their passwords, which hackers use to get access to company networks to steal information.

Worse, Almroth said, with control of the nameserver it was possible to obtain valid SSL (HTTPS) certificates, allowing an attacker to intercept encrypted web traffic or any email mailbox for any .cd domain. To the untrained eye, a successful attacker could redirect victims to a spoofed website and they would be none the wiser.

“If you can abuse the validation schemes used to issue certificates, you can undermine the SSL of any domain under .cd as well,” Almroth said. “The capabilities of being in such a privileged position is scary.”

Almroth ended up sitting on the domain for about a week as he tried to figure out a way to hand it back. By this point the domain had been inactive for two months already and nothing had catastrophically broken. At most, websites with a .cd domain might have taken slightly longer to load.

Since the remaining nameserver was running normally, Almroth kept the domain offline, so that whenever an internet user tried to access a domain that relied on the nameserver under his control, the request would time out and the resolver would fall back to the remaining nameserver.

In the end, the Congolese government didn’t bother asking for the domain back. It spun up an entirely new but similarly named domain — scpt-network.net — to replace the one now in Almroth’s possession.

We reached out to the Congolese authorities for comment but did not hear back.

ICANN, the international non-profit organization responsible for internet address allocation, said country code top-level domains are operated by their respective countries and that its own role is “very limited,” a spokesperson said.

For its part, ICANN encouraged countries to follow best practices and to use DNSSEC, a cryptographically more secure technology that makes it nearly impossible to serve up spoofed websites. One network security engineer who asked not to be named as they were not authorized to speak to the media questioned whether DNSSEC would be effective at all against a top-level domain hijack.

At least in this case, it’s nothing a calendar reminder can’t solve.

Amazon’s Ring Neighbors app exposed users’ precise locations and home addresses

A security flaw in Ring’s Neighbors app was exposing the precise locations and home addresses of users who had posted to the app.

Ring, the video doorbell and home security startup acquired by Amazon for $1 billion, launched Neighbors in 2018 as a breakaway feature in its own standalone app. Neighbors is one of several neighborhood watch apps, like Nextdoor and Citizen, that lets users anonymously alert nearby residents to crime and public-safety issues.

While users’ posts are public, the app doesn’t display names or precise locations — though most include video taken by Ring doorbells and security cameras. The bug made it possible to retrieve the location data on users who posted to the app, including those who are reporting crimes.

But the exposed data wasn’t visible to anyone using the app. Rather, the bug was retrieving hidden data, including the user’s latitude and longitude and their home address, from Ring’s servers.

Another problem was that every post was tied to a unique number generated by the server that incremented by one each time a user created a new post. Although the number was hidden from view to the app user, the sequential post number made it easy to enumerate the location data from previous posts — even from users who aren’t geographically nearby.
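The two defects the article describes, hidden precise-location fields that only the client suppresses and a sequential server-generated post id, are shown here in a minimal post-lookup handler beside a hardened version that projects public fields on the server and issues unguessable ids. This is an added example written for this page, not Ring’s code; all records are constructed.

```python
import secrets
from typing import Dict, Optional

# Constructed sample records keyed by a sequential server-assigned post id,
# mirroring the layout the article describes. Everything here is made up.
SEQUENTIAL_POSTS: Dict[int, dict] = {
    1001: {"title": "Package taken from porch", "neighborhood": "Hillcrest",
           "lat": 37.42190, "lon": -122.08410, "address": "10 Example Way"},
    1002: {"title": "Suspicious car at night", "neighborhood": "Hillcrest",
           "lat": 37.42350, "lon": -122.08020, "address": "22 Sample Street"},
}

# Fields the app actually displays; nothing else should leave the server.
PUBLIC_FIELDS = ("title", "neighborhood")


def vulnerable_get_post(post_id: int) -> Optional[dict]:
    """Returns the full record and leaves hiding lat/lon/address to the client.
    With sequential ids, walking 1001, 1002, ... yields every poster's location."""
    return SEQUENTIAL_POSTS.get(post_id)


class HardenedPostStore:
    """Stores posts under unguessable ids and returns only public fields."""

    def __init__(self) -> None:
        self._posts: Dict[str, dict] = {}

    def create(self, record: dict) -> str:
        # 128 bits of randomness: ids cannot be enumerated by incrementing.
        public_id = secrets.token_urlsafe(16)
        self._posts[public_id] = dict(record)
        return public_id

    def get(self, public_id: str) -> Optional[dict]:
        record = self._posts.get(public_id)
        if record is None:
            return None
        # Server-side projection: precise location never reaches the client.
        return {k: record[k] for k in PUBLIC_FIELDS if k in record}


def leaks_location(response: Optional[dict]) -> bool:
    """True if a response carries any precise-location field."""
    return bool(response) and any(k in response for k in ("lat", "lon", "address"))
```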

Ring Neighbors app (left), and the data it was pulling in, including location data (right). (Image: TechCrunch)

The Neighbors app appeared to have about 4 million posts by the end of 2020.

Ring said it had fixed the issue.

“At Ring, we take customer privacy and security extremely seriously. We fixed this issue soon after we became aware of it. We have not identified any evidence of this information being accessed or used maliciously,” said Ring spokesperson Yassi Shahmiri.

Ring currently faces a class-action suit by dozens of people who say they were subjected to death threats and racial slurs after their Ring smart cameras were hacked. In response to the hacks, Ring put much of the blame on users for not using “best practices” like two-factor authentication, which makes it harder for hackers to access a user’s account with only the user’s password.

After it emerged that hackers were reportedly creating tools to break into Ring accounts and over 1,500 user account passwords were found on the dark web, Ring made two-factor authentication mandatory for every user.

The smart tech maker has also faced increasing criticism from civil rights groups and lawmakers for its cozy relationship with hundreds of U.S. police departments that have partnered with Ring for access to homeowners’ doorbell camera footage.