Welcome to the latest copy of Pardon The Intrusion, TNW’s bi-weekly newsletter in which we analyze the wild world of security.

COVID-19 accelerated the use of Zoom for video calling. But so did the security problems and revelations that it didn’t absolutely abutment end-to-end encryption (E2EE), ambiguous users about the aegis of the platform.

In the aftermath, it promised to invest in E2EE on its platform, and acquired encrypted chat annual Keybase in an attack to secure its communications. All seemed well until yesterday: Zoom confirmed that it plans to offer stronger encryption features only for its paying users. It won’t be continued to the free tier.

“Free users, for sure, we don’t want to give that [end-to-end encryption] because we also want to work it calm with FBI and local law enforcement, in case some people use Zoom for bad purpose [sic],” Zoom CEO Eric Yuan said in an balance call this week.

webrok
The idea that encryption could hamper law enforcement’s adeptness to fight bent acts — widely known as the “Going Dark” botheration — is not new.

Last year, Facebook ran into afflicted waters after governments in the US, UK, and Australia called on the aggregation to delay its plans to apparatus E2EE across its messaging apps until “there is no abridgement to user safety and after including a means for lawful access to the agreeable of communications to assure our citizens.”

But by putting a premium on privacy, Zoom seems to be aiming for a tricky acclimation act that improves aegis but also minimizes the risk of abuse. The move also puts it at odds with wider attempts to embrace encryption on the web.

Alex Stamos, former Facebook’s chief aegis administrator who’s now alive as an alfresco adviser on Zoom’s aegis strategy, abundant on this added in a Cheep thread:

In a altitude where there’s no another that offers E2EE group calls (Signal and Jitsi‘s are bound to one-on-one), Zoom‘s proposed encryption model is in the right direction.

But by allotment to turn a basic aegis affection into a exceptional paid offering, Zoom is ambience a wrong antecedent wherein aloofness is bound to those who can afford to pay for it.

What’s trending in security?

Apple fixed a analytical aegis flaw in its “Sign In With Apple” feature, Google found more affirmation of credential-stealing attacks base COVID-19, and new capacity emerged about an iPhone spyware app, called Hide UI, used by law administration to unlock accessories when it doesn’t have the user’s passcode.

  • Hacktivist group Anonymous has alternate from the shadows, and has promised avengement adjoin the Minneapolis Police Department (MPD) over the death of George Floyd. The MPD’s website was then briefly taken offline in a doubtable Distributed Denial of Annual (DDoS) attack, but researcher Troy Hunt said the leaked data “has almost absolutely been pulled out of absolute data breaches in an attack to falsely assemble a new one.” [Troy Hunt]
  • For anybody who is agitation in abutment of Black Lives Matter and adjoin George Floyd’s death at the hands of the Minneapolis Police Department — and those who are planning to attend one — here are some handy precautions to take before you go. Also make sure you turn off biometrics on your phone. [TNW]
  • The baddies behind REvil (Sodinokibi) ransomware launched an eBay-like bargain site to sell data stolen from the companies they hack. [ZDNet]
  • Apple fixed a flaw in “Sign In With Apple” that could have accustomed attackers to hijack any user’s accounts on third-party apps that offer the login option. [The Hacker News]
  • A hacking group that calls itself ShinyHunters has been affairs 200 actor stolen annal on the dark web from over a dozen companies. [WIRED]

webrok

  • COVID-19 themed malware attacks are still on the rise. Google said it found new action from Indian “hack-for-hire” firms that have been impersonating the WHO in credential-stealing email campaigns to target business leaders in banking services, consulting, and healthcare corporations across the US, Slovenia, Canada, India, Bahrain, Cyprus, and UK. [Google]
  • A vigilante hacker group called “CyberWare” has been targeting “scam” companies with ransomware and denial of annual attacks. [Bleeping Computer]
  • New “Octopus Scanner” malware was found compromising open-source GitHub projects to spread to Windows, Linux, and macOS systems, and deploying awful backdoor. [GitHub
  • A new study — (How) Do People Change Their Passwords After a Breach? — found that only around a third of users usually change their passwords afterward a data breach. [IEEE Aegis (PDF)]
  • Sandworm, the hackers alive for Russia’s aggressive intelligence agency, have been base a vulnerability in Exim Mail Transfer Agent software since August of last year for awful motives. The NSA recommends patching Exim servers anon by installing adaptation 4.93 or newer. [NSA / WIRED]
  • Kaspersky advisers baldheaded a steganography-themed attack targeting automated enterprises in Japan, Italy, Germany, and the UK to steal Windows annual credentials. The hackers’ ultimate motive charcoal unclear. [Kaspersky]

webrok

  • An Android malware called Strandhogg 2.0 mimics apps’ login screens to hijack passwords and grant all-encompassing permissions. It affects all versions of Android prior to 10. Google has already patched the flaw in a aegis update pushed last month. [Ars Technica]
  • A new adaptation of Valak malware has been found targeting Microsoft Exchange servers in the US and Germany to steal action commitment advice and passwords. [Cybereason]
  • Amnesty International apparent a analytical flaw in Qatar’s mandatory-to-use EHTERAZ contact-tracing app, which had it not been appear and fixed, could’ve accustomed attackers access to highly acute data, “including the name, civic ID, health status and area data of more than one actor users.” [Amnesty International]
  • US authorities arrested a Ukranian national, Denys Iarmak, an declared member of the FIN7 cybercrime group that’s been accused of hacking Chipotle, Whole Foods, and Trump Hotels. FIN7 (also called Carbanak Group) has been tied to a string of financially-motivated attacks since 2015 to conduct counterfeit wire transfers to adopted accounts. [Motherboard]
  • The fortnight in breaches and leaks: Thailand cellular arrangement AIS, Livejournal, Mathway, Minted, Truecaller, Indonesian voter records, and India’s BHIM mobile payments platform.

Tweet of the Week

That’s it. See you all in two weeks. Stay safe!

webrok

Read next: Facebook begins agreement labels on posts by 'state-controlled media'

Corona coverage

Read our daily advantage on how the tech industry is responding to the coronavirus and subscribe to our weekly newsletter Coronavirus in Context.