InfoSec Round-Up: June 19th 2020

Dating App Leak, Norwegian Tracing App and Security Camera Flaw

This is the Hut Six InfoSec Round-Up, where we look at some of the most pressing matters, latest trends, and industry news from across the world of information security.

This week we are looking at the dating app data leak, Norwegian contract tracing app ruled intrusive and how secure is your home security camera? Welcome to the Hut Six Infosec Round-Up.

Niche Dating App Info Left Unsecured

Around 845GB of dating app data has been left publicly exposed as a results of a misconfigured AWS S3 bucket.

Believed to contain the data of hundreds of thousands of users, the exposed information was discovered by researchers at vpnMentor.

Made up of data from nine niche dating applications, explicit images, chats, and audio recordings were found in the breach. Data which could easily be used by cybercriminals to blackmail affected users.

Who exactly is responsible is unclear, though the researchers who discovered the data speculate a common developer, based on among other things, suspiciously similar website design.

Originally discovered on the 24^th of May, researchers stated, “We [provided] the URL of their misconfigured bucket and mentioned that other buckets owned by their apparent sister companies were open too (without saying which ones).

While we didn’t receive any further communication, the same day, all the buckets belonging to every other app were also secured, confirming our assumption about the common developer.”

Global Contact Tracing Issues Persist

Contact tracing programs face yet another setback with Norway’s health authority forced to delete all data gathered via is Covid-19 tracking app.

The Norwegian Data Protection Authority has ruled that the Smittestopp app intruded into users’ privacy and that health chiefs have not demonstrated a ‘strict necessity’ for the extent of data collected.

As well as the ongoing privacy concerns being faced by the UK’s contract tracking systems, across the world authorities continue to run into privacy and security problems.

An Amnesty Security Lab investigation has reviewed a plethora of similar apps from across the world, noting the invasiveness of apps developed for Norway, Bahrain and Kuwait in particular.

Claudio Guarnieri, Head of Amnesty International’s Security Lab stated the following:

“Bahrain, Kuwait and Norway have run roughshod over people’s privacy, with highly invasive surveillance tools which go far beyond what is justified in efforts to tackle COVID-19. Privacy must not be another casualty as governments rush to roll out apps.” 

Adding, “there are better options available that balance the need to trace the spread of the disease without hoovering up [the] sensitive personal information of millions of people,”

100,000 UK Security Cameras at Risk of Hacking

Research conducted by consumer publication Which? suggests that up to 100,000 UK security cameras contain critical flaws that may leave them vulnerable to hacking.

Having tested a variety of cameras available from marketplaces such as eBay and Amazon, the publication reports that 47 brands contain serious security issues in design and software, potentially allowing hackers to access video streams.

With the extremely serious privacy implications needing no explanation, it is thought that 12,000 of these devices have been activated in UK homes over the past three months alone.

Though many of the cameras have been taken off the market, more than 3.5 million cameras worldwide are still at risk.

For anyone wanting help with checking the security of their camera, the NCSC provides a detailed guide of how to securely set up smart cameras, including measures that can be taken to minimise the chances of misuse. A link to which is provided in the description.

Thank you for reading this edition of Infosec Round-Up. Please be sure to subscribe to the Hut Six YouTube Channel to keep up to date with the latest news and see all our latest information security videos.