Search the Community
Showing results for tags 'philippines'.
steven36 posted a topic in Security & Privacy NewsPhilippines COVID-KAYA app allowed for unauthorized access typically protected by ‘superuser’ credentials and also may have exposed patient data. A platform used by healthcare workers in the Philippines designed to share data about COVID-19 cases contained multiple flaws that exposed healthcare worker data and could potentially could have leaked patient data. Vulnerabilities found in both the COVID-KAYA platform’s web and Android apps allowed for unauthorized users to access private data about the platform’s users and potentially patient data, according to a report from researchers at the The Citizen Lab, an interdisciplinary laboratory based at the University of Toronto. The Citizen Lab’s report is the latest example of how the COVID-19 pandemic has spurred a host of security problems for the healthcare sector to deal with – including securing data and ransomware attacks. In addition to opportunistic threat actors using the pandemic and related issues for their own gain in socially engineered phishing and other campaigns, the flood of new data related to the pandemic is also testing the security of systems used to store and share this data. COVID-KAYA was deployed on June 2 to allow frontline healthcare workers in the Philippines to automate their collection and sharing of coronavirus case information with the country’s Department of Health. The app has web, iOS and Android versions and was built using Cordova, a cross-platform application development framework that allows developers to build applications using web technologies and then deploy the same code to both web and mobile platforms. “Our analysis found that both of these versions of COVID-KAYA contain vulnerabilities disclosing data otherwise protected by ‘superuser’ credentials,” according to the report, written by Citizen Lab’s Pellaeon Lin, Jeffrey Knockel, Adam Senft, Irene Poetranto, Stephanie Tran, and Ron Deibert. Researchers point to two vulnerabilities that have since been patched—one in the COVID-KAYA web app and another in the Android app—that attackers could have exploited to expose sensitive data from the system. The web app’s flaw resided in its authentication logic. The vulnerability allowed “otherwise restricted access to API endpoints, exposing the names and locations of health centers as well as the names of over 30,000 healthcare providers who have signed up to use the app,” researchers said. They also said the app could have exposed sensitive patient data, although this remains unconfirmed. Meanwhile, the COVID-KAYA Android app used hardcoded API credentials that also allowed access to the names of healthcare providers and potentially sensitive patient data as well, researchers wrote. The Citizen Lab team disclosed the web app vulnerability to the app’s developers—including officials from Dure Technologies, the Philippines Department of Health, and the World Health Organization (WHO) Philippines–on Aug. 18, and the Android app’s vulnerability on Sept.14. Both flaws have been identified and patched as of Oct. 29, and any leaked credentials have been invalidated, researchers confirmed. The authentication flaw in the web app stemmed from a login page used to authenticate valid users with a username and password. At first sight it appeared that the page functioned normally; if someone signed in with an invalid username and/or password, it let the person know, researchers reported. “However, in our testing, we found that, after attempting to sign in with an invalid username or password, the web app appeared to grant us, without notification, access to API endpoints and tools normally unavailable to users who were not logged in,” researchers wrote. “These API endpoints and tools were easily discoverable.” For example, the team discovered an API endpoint by taking the publicly accessible end point for resetting a user’s forgotten password and then deleting part of the URL. The new URL redirected them to a page that appeared to be a master directory of API endpoints, one of which seemed capable of enumerating all enumerating all 30,087 (at the time of access) users of the app, researchers said. Further modification of the URL allowed them to access the system and view all the health centers and healthcare providers were affiliated with the app, as organized by country and city, as well as access other sensitive data, researchers said. In their analysis of the COVID-KAYA Android app version 1.4.7, researchers found a flaw in how a source file of the app’s source code handled hard-coded credentials used for accessing the web interface of the system’s dashboard. The vulnerability could be used to access sensitive data from API endpoints by allowing unauthorized log-in to the log in to the dashboard, researchers said. Two weeks ago, another COVID-19-related data breach occurred when a cyber-attack hit COVID-19 vaccine manufacturer Dr. Reddy’s Laboratories, the contractor for Russia’s “Sputinik V” COVID-19 vaccine, which is about to enter Phase 2 human trials. The company shut down its plants in Brazil, India, Russia, the U.K. and the U.S. as well as isolated data-centers services to apply remediations. Source
steven36 posted a topic in General NewsMANILA (Reuters) - Philippine rescuers worked with bare hands and shovels to try to free 23 people trapped under earth and rubble on Wednesday, after Typhoon Yutu dumped heavy rains on the northern mountainous region, triggering floods and deadly landslides. Six people were rescued and two bodies pulled out from a building that collapsed in northern Mountain province, part of the Cordillera region where authorities said 11 people were killed on Tuesday, all but one of them in landslides. Typhoon Yutu swept across the main island of Luzon on Tuesday with winds of 140 km per hour (87 miles per hour) and gusts of up to 230 kph (142 mph). It came six weeks after Super Typhoon Mangkhut caused nearly 50 landslides in the Cordilleras, killing more than 70 people. Some 360 police, soldiers, firefighters and public works personnel were digging through the mud that engulfed the building where 20 laborers, an engineer, three security guards and six or seven residents had taken shelter. Twenty-three were believed to still be trapped. “It was completely buried,” Edgar Posadas, spokesman for the Office of Civil Defence, told reporters. “Time is of the essence. The problem is not the personnel, but access.” Among those killed were four children aged between five and 11, and a man who drowned in an overflowing river. Radio reported a man was electrocuted in Isabela province, where Yutu made landfall. Thousands of people in the typhoon’s path were evacuated before the storm hit, mostly in mountainous, coastal and river areas at risk of floods, storm surges and mudslides. When it struck the Philippines, Yutu’s winds were half the strength of those it packed five days earlier, when as a super typhoon it piled into the U.S. Northern Mariana islands, about 6,000 km (3,700 miles) west of Hawaii, killing one person, wounding more than 130 and damaging critical infrastructure. Yutu, the 18th typhoon to hit the Philippines this year, was moving toward southern China on Wednesday and had weakened to a tropical storm with winds of 102 kph (63 mph), according to the U.S. Joint Typhoon Warning Center in Hawaii. Source
steven36 posted a topic in General NewsMANILA (Reuters) - Philippine authorities said on Friday they arrested 342 Chinese workers in a raid on an unlicensed gambling operation, part of a crackdown on illegal migration and an illicit gaming industry that is being fueled by mainland China’s appetite for betting. Image: Chinese workers illegally working at an unlicensed online gambling firm are arrested by Philippine authorities at an office building in Quezon City, Metro Manila, Philippines, December 19, 2019. Licensed online gaming operations introduced in 2016 have been a boon in bringing money to the Philippine economy, but illegal businesses attracting massive numbers of Chinese migrants have also mushroomed, due largely to vested interests, corruption and weak law enforcement. Illegal operations far outnumber those being regulated, and do not pay no tax. Law enforcement bodies and the Chinese government suspect some are fronts for crime, including money laundering. The Chinese arrested late on Thursday were at a registered gambling firm that had yet to secure a license from the state gaming regulator. “We had reason to suspect that the company is a front for illegal cyber activities and investment scams,” said Fortunato Manahan, chief of the Bureau of Immigration’s intelligence division. Though Philippine President Rodrigo Duterte has good relations with China, where gambling is prohibited, he has refused its request to ban gaming operations that cater to mainland Chinese. Chinese gaming companies and their employees have been blamed for driving up office and residential rent, so much so that Makati City, Manila’s main business hub, has banned the issue of new licenses to gaming firms. In August, Cambodia heeded Chinese pressure to ban online gambling, which has drawn both Chinese investment and crime to the country. Source