COVID app includes privacy problem, watch for suspicious spreadsheet and Mathway hacked
Welcome to Cyber Security Today. It’s Monday May 25th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com. To our American listeners, thanks for tuning in on this holiday.
This app works differently from the contact-tracing apps in other states and countries. Those apps have more explicit rules on what data is collected. Some don’t collect location data at all. Usually COVID app data stays on the phones or only goes to a health authority. But this incident shows that governments have to do a better job at monitoring and testing apps they approve before being released if they want the public to trust them.
By the way, if your state, province or country approves an app, watch out for phony COVID contact messages appearing in your email or texts. That’s what’s happened in England, where an app is being publicly tested. People there are getting messages that they have come into contact with someone who tested positive for the coronavirus, so they should click on a link. It goes to a fake medical website that asks people to put in personal details like their birthdate. That can be used for impersonation.
Phishing emails often include attached malicious text documents like letters. They may pretend to be from couriers, government officials or lawyers. They really open links to malware. But spreadsheets can also be used as weapons. Microsoft says it recently discovered a massive COVID-related phishing campaign that tries to trick victims into opening infected Excel spreadsheets. These emails claim to come from Johns Hopkins University. The attachments are supposed to be graphs or situation reports, with the file names ending in .xls. They are just as dangerous as text or PDF attachments. Always be careful before opening attachments.
Subscribers to the mathematics problem-solving website called Mathway should carefully watch their email for spam. That’s because a criminal web site is selling a database of 25 million stolen user records including email addresses and passwords. The passwords are hashed, a way of scrambling them. If done right there’s little chance these passwords can be accessed. However, the email addresses weren’t protected. A criminal could use them for sending email messages with malware.
With more people staying or working from home because of COVID, videoconferencing apps have soared in popularity. But be careful of where you get an app from. As a recent blog from security company Trend Micro notes, criminals are distributing infected popular apps. One of them is for the Zoom service. The safest sources for an app are the company web site, the Google Play store and the Apple Store, and not a link in a social media post, an email or a text message.
Finally, note that Google released a new version of the Chrome web browser, while Microsoft did the same with its Edge browser. Both fix bugs.
That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cybersecurity professionals. Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.