COVID app includes privacy problem, watch for suspicious spreadsheet and Mathway hacked

Welcome to Cyber Security Today. It’s Monday May 25th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com. To our American listeners, thanks for tuning in on this holiday.


Software developers are touting the use of smartphone apps to help public health officials fight the COVID-19 virus. But apps are notoriously leaky with snippets of private information. Take for example the app called Care19, commissioned and released by the state of North Dakota. A security company called Jumbo Privacy did an analysis of the app and found the versions it tested didn’t live up to its promises. The privacy policy says location data is private. Not so — each user’s location data was shared with a mobile advertising company called Foursquare. The app data is supposed to be protected by an anonymous code. Sure — but the code goes to Foursquare and another firm, along with an advertising identifier. The Washington Post had a chat with the company that developed the app, which said the location data isn’t used for commercial purposes. And the app says Foursquare is being used to show nearby businesses. That, of course, isn’t the point. Location data from this particular app shouldn’t be transmitted at all. Foursquare says it promptly discards any data the app sends it. True, the purpose of this particular app is to use location data to help users remember where they have been. So location data has to be collected. But there’s no need to transmit the location data to a third party. The developer said it will clarify the app’s privacy policy and how it shares data.

This app works differently from the contact-tracing apps in other states and countries. Those apps have more explicit rules on what data is collected. Some don’t collect location data at all. Usually COVID app data stays on the phones or only goes to a health authority. But this incident shows that governments have to do a better job of monitoring and testing the apps they approve before they are released if they want the public to trust them.

By the way, if your state, province or country approves an app, watch out for phony COVID contact messages appearing in your email or texts. That’s what’s happened in England, where an app is being publicly tested. People there are getting messages that they have come into contact with someone who tested positive for the coronavirus, so they should click on a link. It goes to a fake medical website that asks people to put in personal details like their birthdate. That can be used for impersonation.

Phishing emails often include attached malicious text documents like letters. They may pretend to be from couriers, government officials or lawyers. They really open links to malware. But spreadsheets can also be used as weapons. Microsoft says it recently discovered a massive COVID-related phishing campaign that tries to trick victims into opening infected Excel spreadsheets. These emails claim to come from Johns Hopkins University. The attachments are supposed to be graphs or situation reports, with the file names ending in .xls. They are just as dangerous as text or PDF attachments. Always be careful before opening attachments.

Subscribers to the mathematics problem-solving website called Mathway should carefully watch their email for spam. That’s because a criminal web site is selling a database of 25 million stolen user records including email addresses and passwords. The passwords are hashed, a way of scrambling them. If done right there’s little chance these passwords can be accessed. However, the email addresses weren’t protected. A criminal could use them for sending email messages with malware.

With more people staying or working from home because of COVID, videoconferencing apps have soared in popularity. But be careful of where you get an app from. As a recent blog from security company Trend Micro notes, criminals are distributing infected popular apps. One of them is for the Zoom service. The safest source for an app is the company web site, the Google Play store and the Apple Store — and not from a link in a social media post, an email or a text message.

Finally, note that Google released a new version of the Chrome web browser, while Microsoft did the same with its Edge browser. Both fix bugs.

That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cybersecurity professionals. Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.
