Security News

NSA warns against Wi-Fi, Bluetooth, and apps that expose location

Avast Security News Team, 7 August 2020

Plus, Zoom changes its business model with China and the FTC goes after Twitter for privacy infringement

The United States National Security Agency (NSA) issued an advisory this week on the dangers of location data exposure, along with ways users can mitigate the risk. While the guidance is written for Department of Defense (DoD) employees, the NSA acknowledged that the information will be useful to a much wider audience. “Location data can be extremely valuable and must be protected,” the advisory warns, listing GPS, Wi-Fi, and Bluetooth among the services that can leak location data. Mobile devices can expose location data whether they’re on or off, cautions the NSA, and location information can also be gleaned from many apps, IoT devices, and social media platforms.

The NSA lists mitigations that will reduce, but not eliminate, location tracking risks. General measures include disabling the device’s location services setting, disabling Bluetooth and Wi-Fi when they are not needed, reviewing app privacy settings so that apps are not using or sharing location data, minimizing web browsing on the device, and using a VPN to help obscure location (a VPN hides the device’s network address from the services it talks to, but does nothing about the radio signals that GPS, Wi-Fi, and Bluetooth emit). For military or other special missions where it is critical that location data is never revealed, the NSA recommends that all devices with wireless capabilities be secured in a non-sensitive location before any activities begin.

“These recommendations are for DoD employees, which are likely targets for state-sponsored attacks,” commented Avast Security Evangelist Luis Corrons. “This guidance can be useful to the rest of us, but switching off Bluetooth might not be such a great idea in the middle of this pandemic, when most COVID-19 tracing apps need Bluetooth to function.”

Zoom changes business model with China

Zoom sent an email to its customers in China on Monday announcing that as of August 23, the video conferencing platform will no longer sell directly to users in mainland China. The company is moving to a partner-only model in the region, licensing its service to local third-party Chinese companies. Users in China will still be able to use the platform, but only through one of these partners. According to Reuters, Zoom told users the move would give them “better local support.” The shift is the latest step the company has taken to distance itself from its Chinese operations. Zoom was criticized earlier this year for routing some call traffic through China, and it moved quickly to show it had changed that practice. The announcement also comes as the U.S. government seriously considers a ban on the China-based social media platform TikTok, a fate Zoom is clearly keen to avoid.

Google and Amazon spoofed for phishing attacks

While the overall number of “brand phishing” attacks stayed roughly constant between the first and second quarters of 2020, the brands being impersonated shifted from Apple to Google and Amazon. Threatpost reported this week that in the first few months of the year, the majority of brand phishing scams, in which attackers pose as well-known brands and build lookalike web pages to harvest credentials, pretended to come from Apple. Once pandemic lockdown orders took effect and much of the world’s population began working from home, the most popular lures switched to impersonating Google and Amazon. Attackers track their victims’ habits closely, and during this period users were searching Google for information about the virus and ordering far more than usual from Amazon.

This week’s stat

35 million

That’s the size of Meetup’s user base. Meetup has fixed several critical flaws on its website that could have allowed attackers to hijack Meetup “Groups” and access members’ personal details.

Google bans ads with hacked political content

This September, a couple of months ahead of the next U.S. presidential election, Google will begin enforcing its Google Ads hacked political materials policy, which bans any ad that presents the viewer with hacked material related to political figures and entities, including deepfakes. Discussion of hacked material is still allowed in ads, provided the ad does not link to the material itself. Google intends the policy to eventually apply to all political ads globally, but it is starting “with ads that feature entities in scope of our United States election ads policy.” With the new guidelines, the company hopes to avoid a repeat of the 2016 election, when fake news spread widely and may have swayed voters’ choices.

FTC investigates Twitter for misuse of data

Twitter disclosed on Monday that it is under investigation by the U.S. Federal Trade Commission. The FTC alleges that the social platform violated a 2011 consent decree in which it promised to do more to safeguard users’ personal information. According to the allegations, between 2013 and 2019 Twitter collected users’ phone numbers and email addresses, telling users the data was for security purposes (such as account recovery and two-factor authentication) when it was also being used for targeted advertising. Twitter says the probe could end up costing the company as much as $250M. Read more on CNET.

This week’s ‘must-read’ on The Avast Blog

We wrote about the recent BootHole vulnerability, walking through the root cause of the threat and what's next for users who have been affected.