FOXTROT/ALFA: Xiaomi Indirectly Admits They Did Wrong, Virgin Media and O2 Eyeing Merger in the UK, COVID App from the NHS May Sell Your Data

May the fourth be with you and welcome to issue 113 of FOXTROT/ALFA for Monday, 4 May 2020. I hope you are well! Here is the tech news from today and whatever piled up over the weekend.

Attacks on Oracle WebLogic Server Happening in the Wild

You should really apply that latest Oracle update, says Oracle. CVE-2020-2883 is an unauthenticated deserialisation flaw reachable over the T3 and IIOP protocols, so if the patch has to wait, at least stop exposing those protocols to anything that does not need them.

Oracle has recently received reports of attempts to maliciously exploit a number of recently-patched vulnerabilities, including vulnerability CVE-2020-2883, which affects multiple versions of Oracle WebLogic Server.

Oracle strongly recommends that customers apply the April 2020 Critical Patch Update.

Oracle Java Cloud Services customers should refer to MOS Support Note: “Security Notification for WLS CVE-2020-2883 in Java Cloud Service” (Doc ID 2664856.1) for detailed technical instructions.

Ghost.org and LineageOS Hacked via Salt Vulnerability

Those Salt vulnerabilities? The infrastructure for the website and hosting service of the Ghost blog engine and the website of the open source Android distro LineageOS were hacked over the weekend using them.

Patched last week, the vulnerabilities in the Salt configuration tool can allow an attacker to gain complete control over an exposed installation. Originally discovered by F-Secure, the issues were patched in Salt 3000.2 and also in the previous stable release, 2019.2.4. Older releases required something a little more manual. Systems that were not set to automatically update from SaltStack’s repo could well be vulnerable, and a scan by F-Secure found over 6,000 instances exposed to the public internet.
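The practical question after reading that paragraph is which of your masters are actually on a fixed release, and Salt's switch from year-based versions (2019.2.x) to the 3000-series numbering makes naive string comparison unreliable. The following is an added example, not code from the page, from F-Secure or from the SaltStack project: it reads the `Salt:` line out of `salt --versions-report` output and triages each host against the fixed releases the page names (3000.2 and 2019.2.4), flagging older release lines as needing the manual backport. The host names and the report text are constructed for the example.

```python
"""Triage `salt --versions-report` output against the fixed SaltStack releases.

Fixed releases (as stated on the page): 3000.2 and 2019.2.4. Anything on an
older release line cannot be fixed by a point upgrade within that line.
Host names and sample report text below are constructed, not real hosts.
"""
import re
from enum import Enum


class Status(Enum):
    PATCHED = "patched"
    VULNERABLE = "vulnerable: upgrade to the fixed release"
    MANUAL = "vulnerable: unsupported line, needs manual backport"
    UNKNOWN = "unknown: version not parsed"


# Salt moved from YYYY.M.N numbering (2019.2.4) to 3000-style (3000.2).
FIXED_3000 = (3000, 2)
FIXED_2019_2 = (2019, 2, 4)

# `salt --versions-report` prints an indented "Salt: <version>" line.
_VERSION_LINE = re.compile(r"^\s*Salt:\s*(\S+)\s*$", re.MULTILINE)
# Numeric prefix plus any trailing pre-release tag such as "rc2" or "dev".
_VERSION = re.compile(r"^(\d+(?:\.\d+)*)(.*)$")

# Constructed sample: four masters, one per interesting case (hypothetical hosts).
SAMPLE_REPORTS = {
    "salt-master-a": "Salt Version:\n           Salt: 3000.2\n\nDependency Versions:\n           cffi: Not Installed\n",
    "salt-master-b": "Salt Version:\n           Salt: 2019.2.3\n",
    "salt-master-c": "Salt Version:\n           Salt: 2018.3.4\n",
    "salt-master-d": "Salt Version:\n           Salt: 3000rc2\n",
}


def parse_version(version):
    """Split '2019.2.3' or '3000rc2' into (numeric tuple, is_prerelease).

    Returns None when the string does not start with a dotted number."""
    m = _VERSION.match(version)
    if not m:
        return None
    numbers = tuple(int(part) for part in m.group(1).split("."))
    return numbers, bool(m.group(2))


def _cmp(a, b):
    """Compare numeric tuples after right-padding with zeros (3000 == 3000.0)."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def triage_version(version):
    """Classify a single Salt version string against the fixed releases."""
    parsed = parse_version(version)
    if parsed is None:
        return Status.UNKNOWN
    numbers, prerelease = parsed
    if numbers[0] >= 3000:
        fixed = FIXED_3000
    elif numbers[:2] == (2019, 2):
        fixed = FIXED_2019_2
    else:
        # 2018.3 and older: the page says these need something more manual.
        return Status.MANUAL
    order = _cmp(numbers, fixed)
    # A pre-release of the fixed version (e.g. 3000.2rc1) still predates the fix.
    if order < 0 or (order == 0 and prerelease):
        return Status.VULNERABLE
    return Status.PATCHED


def version_from_report(report):
    """Extract the Salt version from `salt --versions-report` text, or None."""
    m = _VERSION_LINE.search(report)
    return m.group(1) if m else None


def triage_reports(reports):
    """Map host name -> Status for a dict of host name -> versions-report text."""
    result = {}
    for host, report in reports.items():
        version = version_from_report(report)
        result[host] = Status.UNKNOWN if version is None else triage_version(version)
    return result


if __name__ == "__main__":
    for host, status in sorted(triage_reports(SAMPLE_REPORTS).items()):
        print(f"{host}: {status.value}")
```

Version triage only tells you whether the code carries the fix; it says nothing about whether the master's 4505/4506 ports are reachable from the internet, which is the condition that made the 6,000 instances in F-Secure's scan exploitable in the first place. Run both checks.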

Ghost.org, which powers a variety of websites and lays claim to over 2 million installs, first reported problems in the small hours of 3 May, at 03:24 BST, but it later admitted that the intrusion occurred around 02:30 BST, when “an attacker used a CVE in our saltstack master to gain access to our infrastructure.”

Both Ghost(Pro) sites and the billing services for Ghost.org were affected and the gang had to “clean and rebuild our entire network” having flung up new firewalls and security precautions as the horse disappeared over the horizon, leaving the stable door flapping in the breeze.

Ghost.org insisted that no credit card information had been affected, and said it would be cycling sessions, passwords and keys as well as reprovisioning all servers. It appears that the miscreants popped some crypto-mining software onto the company’s network. The software rapidly overloaded the servers, tipping off administrators with CPU alerts. As of 09:29 BST today, Ghost.org reckoned that all traces of the nasty were gone and things were getting back to normal.

Also affected was the infrastructure used by LineageOS, which suffered an outage during the morning of 3 May. The attack knocked all services offline and the team were forced to re-provision servers. LineageOS is a free and open-source OS for mobile devices, and hails from the CyanogenMod project. As of the beginning of May, the OS accounted for over 1.7 million active installs.

To be clear, the attack occurred at LineageOS’s end and the project was quick to point out that signing keys were unaffected (and stored entirely separately from its main infrastructure) and builds had already been paused due to an “unrelated issue since April 30th.” The group later emitted a tweet adding that the source code for the OS was also unaffected.

Xiaomi Releases a Privacy Patch for Those Phones That Didn’t Do Anything Wrong

You know when Xiaomi said they weren’t spying on their users? You know, last week… Weeeeell… that was last week. Now is now.

Xiaomi, in response, claimed it anonymizes the harvested data for performance monitoring, though it did admit that this “aggregated data collection” included URLs even in incognito mode.

I told you they were full of crap. You could tell by their PR response. I’ll say it again: Unbelievable how brazen they are.

Virgin Media and O2 to Merge in the UK

Virgin Media and O2 are negotiating a merger in the UK. As far as I understand it, this affects only O2’s business in the UK.

Should the deal – details of which are not yet known – complete, it would see the creation of the UK’s largest entertainment and telco provider, spanning mobile, fixed-line telecommunications, broadband, and pay TV. O2 parent, Spanish comms bigwig Telefónica, confirmed the existence of talks today via a filing to the Spanish National Securities Market Commission.

O2 is the largest mobile provider in the UK, with 34.5 million customers as of February this year. The firm’s infrastructure also underpins several MVNOs, including Giffgaff (also owned by Telefónica), Tesco Mobile, and LycaMobile. Meanwhile, according to Virgin Media’s preliminary results for Q4 2019, the firm has six million customers across the UK and Ireland, who collectively have 14.6 million broadband, video, and fixed-line subscriptions. Virgin Mobile, which runs as an MVNO on the EE network, has a further 3.3 million customers.

Any such merger would ramp up the pressure on rivals BT (which owns EE, as well as its own fixed-line and pay TV services) and Sky (which sells subscription TV as well as its own MVNO running on O2’s network). A tie-up would also potentially cause grief for Three and Vodafone, which both lack their own fixed-line networks, and therefore would be unable to provide “all-in” packages to customers, containing TV, broadband, and mobile.

Not sure this is going to happen, though. Maybe they are trying to use the global situation to get around antitrust concerns.

O2 had previously tried to merge with Three, with Hutchison Whampoa owner Li Ka-shing promising Telefónica £10.25bn, but the buy was blocked by the European Commission over competition concerns.

Analyst Paolo Pescatore, of PP Foresight, argues the O2 and Virgin Media proposal is more likely to win regulatory backing than “two mobile operators coming together.” Pescatore also argues that both Telefónica and Virgin Media owner Liberty Global have been keen to offload these assets for some time. In the case of O2, Telefónica has fielded offers from the likes of Three and BT over the past decade; Virgin Media, meanwhile, has been a “problem child” for its owners, amid disputes with rivals Sky and UKTV, as well as a recent data breach that ensnared around 900,000 users.

Once You Send Your Data in the UK’s Contact Tracing App, You Can Never Get It Back – And the NHS Can Sell It

People are always aghast that I caution against what we might do during the COVID-19 scare, because I think all of this will come back and bite us in the ass. “But Fab, it’s only until the crisis is over!” Yeah, see, I don’t buy that. And the stories like this crop up to remind me why I’m always so sceptical.

Britons will not be able to ask NHS admins to delete their COVID-19 tracking data from government servers, digital arm NHSX’s chief exec Matthew Gould admitted to MPs this afternoon. Gould also told Parliament’s Human Rights Committee that data harvested from Britons through NHSX’s COVID-19 contact tracing app would be “pseudonymised” – and appeared to leave the door open for that data to be sold on for “research”.

Sold. For research. If it’s for research and your data is collected by the publicly funded national health care system, why would you need to sell it? Am I the only one who finds this highly suspect?

In response to questions from Scottish Nationalist MP Joanna Cherry this afternoon, Gould told MPs: “The data can be deleted for as long as it’s on your own device. Once uploaded all the data will be deleted or fully anonymised with the law, so it can be used for research purposes.” De-anonymising such data was successfully demonstrated in 2015.

But it’s OK, you’re saving the country!

The government’s contact-tracing app will be rolled out in Britain this week. The Register understands the app has been completed and function tested, with the previously announced Isle of Wight trial to begin in the latter part of this week.

I can tell you one thing: If I was still living in London, I’d be doing many things next week. Installing that app wouldn’t be one of them.

This is an archived issue of my daily newsletter FOXTROT/ALFA. You can find more information about it, including how to subscribe via email, on this page.