As more governments consider the use of contact tracing apps to prevent the spread of coronavirus, researchers say privacy will have to be at the forefront of efforts in order for civilians to use it.

Image: Ministry of Health Singapore

Governments around the world have begun exploring the use of contact tracing apps as a key means for tracking and reducing the spread of coronavirus. Contact tracing is a method for warning people when they have been exposed to someone who has contracted a serious illness like COVID-19. This method has previously been used to better understand and limit the spread of HIV, meningitis, and other diseases.

It also allows for governments or health authorities to identify individuals who may have been in close contact with an infected COVID-19 confirmed case.

SEE:Coronavirus: Critical IT policies and tools every business needs(TechRepublic Premium)

Traditionally, contact tracing required a very labour intensive process, Gnana Bharathy, a systems and modelling lecturer at the University of Technology Sydney (UTS) told TechRepublic. But with technology such as smartphones, this has made contact tracing more efficient and easier to perform.

"Now, it is possible to do [contact tracing] through mobile phone data -- that is assuming people seldom part with their phone. Therefore, you could take the signals and then see which signals are coming into contact with devices owned by people who have contracted COVID-19," Bharathy explained.

"It's essentially the identification of the signals that actually come into contact with any non-risk signal. This particular view is quite helpful from a health perspective because this is one of those illnesses that can even finish asymptomatically."

SEE:Coronavirus having major effect on tech industry beyond supply chain delays (free PDF)(TechRepublic)

Rachael Falk, CEO of the Cyber Security Cooperative Research Centre (CSCRC), said with a serious public health crisis like the COVID-19 pandemic, digital contact tracing is helpful as positive cases need to be identified quickly, and particularly if the patients involved are unable to communicate with those who they come into contact with.

Singapore's TraceTogether application

Image: Ministry of Health Singapore

"Having an asset record a timestamp and a period of time is going to be better than our memory I think that's a good thing and particularly for highly infectious public health issues," Falk said.

In Singapore, the government has already released a contact tracing app, called TraceTogether, which traces the location and movements of individuals via mobile phones. Australia is currently working on a similar app that is based on the Singaporean app's source code.

Australian Prime Minister Scott Morrison said last week that using location information may be necessary to save lives and livelihoods.

"If that tool is going to help them do that, then this may be one of the sacrifices we have to make," Morrison said last week.

On the industry side, Google and Apple have also been working on contact tracing -- with their aim being to provide governments and researchers with as much information as possible to understand the spread patterns of coronavirus.

Apple and Google's iteration of contact tracing entails creating application program interfaces (APIs) that would help public health authorities design apps with contact tracing capabilities. These apps would then be available in both Apple's App Store and the Google Play store.

Belal Alsinglawi, an AI modeller for COVID-19 and data science lecturer at Western Sydney University, said Google and Apple's contact tracing efforts would save time and resources in developing applications to track the virus' spread, as well as give a bigger data picture regarding the pandemic's impact.

SEE:COVID-19: How artificial intelligence can help companies plan for the future(TechRepublic)

He explained that algorithmic forecasts of the COVID-19 pandemic -- especially AI-powered ones -- could be much more accurate, but there has been a lack of data available. Due to this, most models used by governments for tracking and forecasting have not relied on AI.

"[AI predicative methods] involve finding trends in past data, and using these insights to forecast future events and there's currently too few Australian cases to generate such a forecast for the country, with this being the same for many other countries too," Alsinglawi said.

"Once we have enough data inputs about COVID-19, it will facilitate the mission for AI researchers to develop a predictive framework for the future epidemic events, and as a result, more lives being saved."

The sensitive nature of medical information, collected from contact tracing, means that ensuring its privacy is particularly important. Due to this, plans to roll out contact tracing apps have not been without their fair share of critics, who have expressed concern that these apps do not have enough substance on the privacy and data protection fronts.Addressing these concerns, Australia's Minister for Government Services Stuart Robert said on Monday that so long as contact tracing apps do not have geolocation, it would not be known what is happening when a block of 15 minutes or more has been logged between two people.

"All we care about is who the person was next to because there's no geolocation, no one knows where the young person was or what they were doing, there's no surveillance at all. It's simply who they were near from a health point of view," Stuart said.

A day later, Australian Prime Minister Scott Morrison said Australia's upcoming contact tracing app would put data into an encrypted national store that is only accessible by the states and territories' "health detectives".

"The Commonwealth can't access the data. No government agency at the Commonwealth level, not the tax office, not government services, not Centrelink, not Home Affairs, not Department of Education, not childcare -- the Commonwealth will have no access to that data," Morrison said.

SEE:COVID-19: How cell phones are helping to track future cases(TechRepublic)

Falk, who is currently reviewing Australia's COVID-19 tracing app alongside the Digital Transformation Agency (DTA), backed the government's comments that Australia's iteration of contact tracing would be reasonably secure and private.

"The moment when you upload the app and you enter that data, that data is actually sitting in your handset, so nothing is going anywhere at that stage at all," she said.

"That data is sitting on your hands, along with the data of other people you might come into contact with for the period of time to satisfy a digital note being named in that app without a contact. But at that stage, that data is not going anywhere," she added.

When asked about the privacy concerns surrounding when data is temporarily stored inside the encrypted national store however, Falk declined to comment as testing around the app was still in progress.

Falk did acknowledge though, that any participation in using contact tracing apps should be voluntary, with Australians being allowed to take a conservative approach to protecting their online security and privacy if they wished to do so.

"From my perspective, I'll be [using TraceTogether], but it's opt-in and I recognise it is up to the individual's approach. I think it's right that Australians take a conservative approach to protecting their online security and privacy," Falk said.

The Director of the University of Western Australia Centre for Software and Security Practice, David Glance, took a different perspective, telling TechRepublic that while it was reassuring to see the CSCRC and DTA perform security tests on Australia's contact tracing app, there will always be privacy concerns due to the role health authorities have in collecting and using the information gathered.

"You've got to trust the implementation of infrastructure performed by the health authorities, which I don't. They're notoriously bad at running infrastructure, especially for something like this. And so, I think that's the fundamental problem," Glance said.

Previous data projects created by Australia's health authorities, like My Health Record, have been lambasted for having a lack of security measures.

Glance added that Singapore's version of TraceTogether, which Australia's contact tracing will be based upon, uses keys that are generated by its health authority and "potentially gives access to the data on your phones".

"They have the IDs of people who they are tracing so that's great because that enables your authorities to quickly work out who's been exposed and how to get in contact with the people who have been affected.

"But that means, essentially, you're relying on the government producing a version of the application that doesn't do other things we have legislation in Australia that allows people to do that so what's to say that the government doesn't use this app, once it's on your phone, to target you for keyboard login or to infiltrate your messaging or anything else?"

With governments, such as Australia, already set on implementing contact tracing, Dr Mahmoud Elkhodr at Central Queensland University noted that while there will never be a "perfect solution" for privacy, there are various mechanisms that could be applied to improve the balance between privacy concerns and the public benefit.

"The right to be forgotten also known as the 'right to erasure' is an EU rule which gives EU citizens the right to request deletion of their personal data from Internet companies such as Google. In Australia, this law is non-existent. So perhaps the first measure the government should take to preserve the privacy of Australians when using the TraceTogether app is to draft legislations and implement features that allow them to simply delete their location information from the app," Elkhodr said.

Elkhodr also proposed that governments should make their contact tracing applications open source if they are serious about addressing the privacy concerns.

"This enables transparency and provides the public with much needed assurances. The government should also ensure that the application will not be used outside its intended scope such as penalising non-essential travel," he said.

SEE:COVID-19 demonstrates the need for disaster recovery and business continuity plans(TechRepublic Premium)

Currently, Singapore's TraceTogether app is not open source software and is not subject to audit or oversight, however, the island nation committed to doing so last month.

Regardless of what security measures are put in place however, Elkhodr said the effectiveness of contact tracing apps would simply come down to whether people trust putting their data in the hands of government.

Glance, meanwhile, said that contact tracing is not a "silver bullet" even if it is successful.

"Testing is obviously the key to controlling disease and it has to be widespread testing.

"The fundamental issue is really, again, going back to what do you do next? Apps are not going to help us with that -- they're not going to help us if we decide to open the border. There is going to be a certain amount of infection. The key to that is testing," he said.

At the time of writing, the World Health Organization reported that there have been over 2.4 million confirmed cases, with over 163,000 fatalities as a result of the virus.

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays

Verizon Media builds search engine to help researchers find COVID-19 documentsThe search engine was developed using Verizon's Vespa big data processing technology and comes in response to a nationwide open research data set challenge.

Robots assisting factory workers and retailers in fight against coronavirusRobots are playing an integral role in efforts to keep essential workers safe and transform factories for the effort against coronavirus.

Mayo Clinic uses self-driving shuttles to transport coronavirus tests on Florida campusAutonomous vehicles are delivering food to quarantined communities, and robots are disinfecting hospital rooms in China due to COVID-19.

New daily charts map out which states have flattened the COVID-19 death curveNone of the states with the highest COVID-related death rates such as Washington, New Jersey, New York, California, Michigan or Louisiana have flattened the curve. This data shows who has been successful.

Google Cloud launches new AI chatbot for COVID-19 informationThe Rapid Response Virtual Agent program includes open source templates for companies to add coronavirus content to their own chatbots.

Coronavirus data story tracks hot spots around the world and in the USAnalyst used Microsoft's Power BI and public data to visualize the rise and fall of the coronavirus country by country and state by state.

See the rest here:
COVID-19 contact tracing: The tricky balance between privacy and relief efforts - TechRepublic

Malware in software packages means even trusted repositories are not always safe

A researcher has uncovered malicious packages in the RubyGems repository, one of which was downloaded more than 2,000 times.

RubyGems, the standard package manager for Ruby, was studied by threat analyst Tomislav Maljic at ReversingLabs, who highlighted research based on analysing packages submitted to the repository that have similar names to existing popular gems possible cases of "typosquatting," where perpetrators name a package using a common misspelling or substitute a character to mislead developers into installing it by mistake.

The research found over 400 suspect gems including "atlas-client", which was downloaded 2,100 times by developers likely looking for the legitimate gem named atlas_client. The rogue gems contained Windows executables renamed with a .png extension, along with a Ruby script that renamed and ran the file. The malware then created a new VBScript file along with an autorun registry key to run it on startup old-school malware and nothing too technical.

"It starts an infinite loop where it captures the user's clipboard data... the script then checks if the clipboard data matches the format of a cryptocurrency wallet address," Maljic reported. "If it does, it replaces the address with an attacker-controlled one."

In truth, the malware is not very advanced. It is looking for a Ruby developer on Windows whose system is also used for Bitcoin transactions. "A rare breed indeed," remarked Maljic. "At the time of writing this blog, seemingly no transactions were made for this wallet."

He added that "the RubyGems security team has been contacted, and all packages from reported users have been removed from the repository".

The bigger concern is how easy it is to get malware into one of the most widely used package managers. Modern software development is reliant on packages downloaded from repositories, not only RubyGems but also via NPM (JavaScript libraries), NuGet (.NET packages), Maven (Java), Cargo (Rust), PEAR for PHP, PyPI (Python) and many others. Last year the same researcher reported on an NPM package that steals passwords. In 2018, malicious code was found in the NPM package event-stream and was downloaded nearly 8 million times, according to open-source security specialist Snyk.

In February, the Linux Foundation published a white paper [PDF] on the security of the open-source software supply chain, concluding: "Software repositories, package managers, and vulnerability databases are all necessary components of the software supply chain, as are the developers and end users who leverage them. Unless and until the weaknesses inherent within their current designs and procedures are addressed, however, they will continue to expose the companies and developers who rely upon them to significant risk."

This includes not only malware, but also programming errors that introduce vulnerabilities.

The foundation undertook to convene "a meeting of global technology leaders in working across application and product security groups in order to design collective solutions to address these problems."

Tools exist to counter threats, including commercial software projects like OWASP Dependency Track, and the efforts of repositories to improve security. "We'll integrate GitHub and npm to improve the security of the open source software supply chain," GitHub CEO Nat Friedman said last week about the acquisition of NPM.

It is a tricky problem, and it is not only when writing code that developers should be careful what they type.

Sponsored: Webcast: Build the next generation of your business in the public cloud

More:
Typosquatting RubyGems laced with Bitcoin-nabbing malware have been downloaded thousands of times - The Register

When some DBS Bank employees tested positive for Covid-19 early this year, the bank was able to use data from office access cards and Microsoft Office 365 calendars to conduct contact tracing within days. And within weeks, it rolled out an application that enables business customers to submit forms without visiting a branch.

The speed and agility at which DBS, Southeast Asias biggest lender, would not have been possible without the investments it made a decade ago to modernise its IT infrastructure, applications and business processes to spearhead digital transformation.

In an interview with Computer Weekly, DBSs group CIO Jimmy Ng talks up the banks technology initiatives amid the coronavirus outbreak and the next steps in its digital transformation journey, while VMwares vice-president and managing director for Southeast Asia and Korea, Sanjay Deshmukh, explains how the software company is supporting DBS in that journey.

Can you give us sense of how DBS is approaching technology to sharpen its competitive edge, especially with the entry of new digital banking players in markets across the region?

Jimmy Ng: I think we need to take a step back during times of crisis like the current coronavirus outbreak, because that will have great bearing on whats going to happen after we emerge from the crisis. I sense that over the next two years, digital banking is going to be the main channel through which people are going to transact. Covid-19 has been the main catalyst for people to adopt digital banking and thats going to accelerate digital adoption.

Right now, the crisis may seem like the worst of times because IT folks are working hard to keep the lights on, but its also the best of times because it has brought forth the value of technology and the investments weve made over the past decade to modernise our technology stack. But the transformation weve undertaken is not just in the way weve architected our infrastructure.

One of the biggest things we realised was the change in the mindset of our people. In the past five years, weve adopted agile and continuous integration and continuous delivery (CI/CD), enabling us to roll out releases more than 10 times faster than before and it played out nicely during this crisis.

For example, when you have a crisis, customers do not want to come to the office to hand you trade documents because of social distancing rules. So, within a couple of weeks, weve implemented an application to enable customers to submit their documents digitally. Weve been able to move very quickly and nimbly because of our processes and the infrastructure weve put in place.

Another area that weve put in a lot of effort is the use of data to make decisions. During the outbreak, when some of our staff were infected, we were able to use data from office access cards and Office 365 calendars to do contact tracing within days.

We also used video analytics and internet of things (IoT) to understand how we can space out our people so they can maintain a social distance. Our agility and modern infrastructure enabled us to ingest the data very quickly and has paid off in a rapidly changing environment. Amid all of that, we were still able to deliver on existing initiatives.

As for the new digital banking players, they will be formidable competitors, but we think we are in a very good position. In fact, were a digital bank already. Were going to double up on our efforts and continue to provide digital offerings. I believe that this is going to be the battlefield, especially after Covid-19.

As we all know, digital transformation is an ongoing effort. Whats at the top of your mind at this point in time? How are you thinking two or three steps forward from a CIOs perspective?

Ng: As we are battling Covid-19, weve been looking into technologies that we should focus on moving forward. For me, 5G is going to be a main infrastructure that will make it easier for us to work from home and extend our services for example, mobile ATMs in more locations amid a pandemic or emergency.

Theres no such thing as winners or losers because at some point a particular technology will become dominant, and the rest will catch up eventually Jimmy Ng, DBS

Another area is IoT and video analytics which will allow us to monitor crowds at ATMs and branches. And there will be more use cases that combine 5G, IoT and blockchain to enable our customers to manage their business.

Finally, lets not forget artificial intelligence (AI) and machine intelligence (ML), because if we have 5G and IoT coupled with AI, ML and data, well get a formidable suite of tools to enable our customer businesses and support our internal operations.

At the heart of the initiatives you talked about is the application and infrastructure stack. What changes or tweaks do you need to make in your technology stack to support those initiatives?

Ng: Our modern applications and stack form the basis of our technology foundation. Over the past five years, we have moved very aggressively into a virtual private cloud (VPC) environment. Very few banks have gone down that route, which has brought us a lot of benefits and enabled our staff to very conversant in the technology.

The next step for us is containerisation and moving into a hybrid cloud environment to achieve productivity gains and scale. That includes the greater use of public cloud services. There will be cases where public cloud providers have better capabilities and scale from an infrastructure perspective, so the ability for us to adopt those capabilities, including native cloud services, will be key.

I understand that DBS is still running some legacy applications. How are you managing their transition to modern apps?

Ng: We have a dual-prong strategy to tackle that. First, we are containerising legacy applications that will give us the ability to adopt public cloud at scale. Second, we are chipping away our core banking system, so that it becomes a very small part of the entire infrastructure.

And this includes your mainframe applications? Are they going to be eliminated at some point?

Ng: I think mainframe technology has changed a lot and its getting modernised. Our strategy is still to chip it away, with only a small part of it remaining through containerisation. That said, I dont think mainframe technology is going to come to a standstill.

The fact that IBM has bought Red Hat shows that theres going to be some progress in how theyre going to provide a migration path or enabling the use of mainframe hardware in more productive ways. So, it remains to be seen and were keeping our options open depending on how things pan out.

You rightly mentioned that this space is still evolving. How do you then hedge against the risks that you might be taking on with the use of multiple technologies and platforms, such as VMware and Red Hat OpenShift in the Kubernetes space?

Ng: We have adopted a multi-pronged approach even as we use both Cloud Foundry and OpenShift as our application platforms. We think the universe is big enough for a couple of players to co-exist. A multi-supplier strategy has always been part of our approach because technology moves so fast.

Theres no such thing as winners or losers because at some point a particular technology will become dominant, and the rest will catch up eventually. So, using a diverse set of technologies will give us the best innovation from leading suppliers, and as others improve, we can still reap the benefits of their improvements. Even for cloud, were not going to go with just one cloud provider.

How are you dealing with the potential complexities that could arise?

Ng: Itll be a more complex environment and probably not as efficient because we have to maintain two or more technologies. However, the strive for efficiency needs to be balanced with technology obsolescence. Its not an efficiency play; rather its a resilience play so that we can move forward as technology evolves.

We are constantly looking at new technologies and players we can place bets on. For example, we adopted MariaDB in the initial days and have scaled up its use, but we are also looking at new databases that are coming to market. As we can scan the horizon, we will make some good choices and some bad choices, but hopefully more good ones than bad.

Sanjay Deshmukh: As customers like DBS go multi-cloud, they can choose AWS, Azure or Google. To solve the complexity of investing in multiple platforms, were giving them a common infrastructure fabric across multiple clouds, alleviating the need to train their employees on multiple technologies.

On the management side, Jimmy talked about chipping away old applications and putting them into containers. Lets say for discussion sake, they run some of these applications in different cloud environments and infrastructure. Our management capability offers a consistent operations framework, which means if I'm an administrator, I will have one screen that gives me the ability to manage applications that are running in my datacentre on VMware infrastructure or a public cloud. This will help to shield organisations from the complexity of taking a multi-cloud approach.

We have been in this journey for the past 10 years and we are getting very comfortable with how we work, whether it is operating in squads or pulling together people from different departments to work in small teams and respond quickly to changing environments Jimmy Ng, DBS

Id also share a couple of things in terms of our relationship with DBS. Jimmy talked about their initiative that enables their customers to submit trade forms without visiting the branch if you break that down at the technology level, there are two things that are needed to respond to that situation.

First is the agility in building the application to respond to the business need. Thats one area where weve been partnering with DBS very closely with our Pivotal technology that provides the agility to build software in days, not months.

The second aspect is when developers are trying to respond to these market needs, they need infrastructure. In a traditional bank, it takes months or more to make the infrastructure available. With our partnership with DBS, their developers are able to self-provision the infrastructure that they need within the same day and serve their customers quickly.

Can you elaborate on any cultural challenges that you are grappling with when it comes to getting everyone up to speed on what the bank needs to do to take things forward from a technology perspective?

Ng: We have been in this journey for the past 10 years and we are getting very comfortable with how we work, whether it is operating in squads or pulling together people from different departments to work in small teams and respond quickly to changing environments.

Second, our culture of using data to drive insights has been fully entrenched. I think what we need to do more is to get people to understand the application of AI and the use of data to help the business in even more productive ways.

The third area that weve been looking at over the past two years is what we call a platform construct that brings business and technology teams together as co-owners of a particular platform. They own the budget and make decisions on what they want to build or operate. Everyone has the same set of key performance indicators (KPIs), and the biggest win is the true alignment of business and technology.

How does the open source culture play a part in the culture youve just described?

Ng: We are looking at becoming an engineering company and we run very much like a technology company. If you look at the characteristics the big technology giants, embracing open source is always one of them. We have built a library of digital assets internally, and weve been debating whether some of those assets should be made open source because its part and parcel of being an engineering company.

So, dont be surprised if one day, some of the toolkits that we have built are put out as open source software. Weve benefited a lot from open source, so its also our responsibility to contribute to the open source community.

See the rest here:
How DBS is reaping the dividends of digital transformation - ComputerWeekly.com