Everybody's worried about Zoom this week. As the video conferencing software rocketed to 200 million users amid widespread shelter-in-place orders, security and privacy pros have catalogued a litany of issues. It's probably perfectly fine for most people! But especially if you need true end-to-end encrypted meetings, maybe give Zoom a minute to get its act together.
Zoom's not the only one benefiting from novel coronavirus quarantines. Online credit card skimmers have stepped up their activity now that everyone's shopping from home, according to data from security company RiskIQ. The most notable of these groups is Magecart, which recently laid siege to blender vendor Nutribullet. Making matters worse: The workers who would normally be on top of responding to the attacks are also working from home, making it even harder to get a handle on things.
Speaking of not having a handle, Marriott has been hacked again. The hotel giant notably suffered one of the biggest breaches in history when up to 500 million of its customers had their personal information—including passport numbers—stolen in 2018. The latest breach, which started in January of this year, affects up to 5.2 million members of the company's Bonvoy loyalty program. You can see if you're one of them here.
But wait, there's more! Every Saturday we round up the security and privacy stories that we didn’t break or report on in depth but think you should know about. Click on the headlines to read them, and stay safe out there.
Countries like China and South Korea have already used smartphone apps to help track the spread of Covid-19. Experts are torn on how effective that measure is, especially given the inherent privacy tradeoffs. Into that muddle steps the NSO Group, a notorious seller of spyware allegedly used by authoritarian regimes to target journalists and dissidents. NSO Group has tried to sell its services to governments to aid with so-called contact tracing, used to determine who may have been exposed. Motherboard this week published some of the details of that pitch, which look perhaps unsurprisingly like a mass surveillance program.
The captain of the USS Theodore Roosevelt this week sounded the alarm that his aircraft carrier has a serious Covid-19 problem, suggesting that 90 percent of his crew needed to evacuate and self-quarantine. After some dithering from Naval secretary Mark Esper, 3,700 soldiers have left the ship. About 1,000 will remain onboard to look after essential functions, but with 90 crewmen already having tested positive for the virus, time is of the essence. Navy brass has somehow walked away from this incident with the view that the captain of the ship should be fired for sounding the alarm.
A group of hackers linked to Iran apparently tried to break into the email accounts of four WHO staffers, according to Reuters. The phishing attempts aren't especially surprising, given that Iran has suffered terribly due to the spread of Covid-19. It's unclear what the specific objective was, but anything from infection rates to global response plans would have value. Iran's also not the only country that has targeted the WHO recently; Reuters had previously reported that the South Korea-linked DarkHotel hacking group had made a run at the international organization as well.
For the first time, bug bounty platform HackerOne has evicted a company for its hostility toward ethical hackers. That honor goes to Voatz, the controversial voting app that has already been used in a limited capacity in West Virginia and Oregon. Voatz recently clashed with researchers from the Massachusetts Institute of Technology, who in February detailed several troubling flaws in Voatz's system. Voatz railed against the researchers, the latest in a series of combative encounters with third-party security professionals. Voatz told CyberScoop that it will soon launch its own public bug bounty program, but its relationship with the broader white hat hacking community is already frayed.