This Week’s [in]Security – Issue 144 | insecurity | Control Gap

Welcome to This Week’s [in]Security. This week: New Magecart tricks, Gas Pump skimmers rush to beat liability shift upgrades, ransomware shutters company, breached medical imaging system, Starbucks leaks API keys, Facebook health, Google drops insecure Xiaomi cameras, CCPA live, NY's SHEILD Act, Credential Stuffing, Suing cybercriminals, Iran hacks back, TikTok ban, absurd 11 calls, defamation settlements, various year-end reviews. And more.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

News and announcements relating to Payment Security, PCI, Card Brands, Payments, Payment Malware and Fraud.

• New Magecart Skimmers Practice Steganography https://www.scmagazine.com/home/security-news/malware/new-magecart-skimmers-practice-steganography-data-transfer-via-websocket/ and https://www.bankinfosecurity.com/researcher-spots-new-tricks-in-web-payment-card-skimmers-a-13573
• Cybercriminals Fill Up on Gas Pump Transaction Scams Ahead of Oct. Deadline https://threatpost.com/cybercriminals-fill-up-gas-pump-transactions/151520/
• School management software provider , Active Networks , discloses severe security breach https://www.zdnet.com/article/school-management-software-provider-discloses-severe-security-breach/
• NYC Meters Won’t Take Credit Due To 2020 Bug https://www.pymnts.com/news/payment-methods/2020/nyc-meters-wont-take-credit-due-to-y2k-bug/
• Ransomware Attack Closes Company, Telemarketing Firm - The Heritage Company, Leaving Hundreds Jobless https://threatpost.com/ransomware-attack-topples-telemarketing-firm/151530/

Breaches / Leaks

Covering breaches, leaks, data exposures, ransomware (as potential breach), and their fallout.

• Starbucks Devs Leave API Key in GitHub Public Repo https://www.bleepingcomputer.com/news/security/starbucks-devs-leave-api-key-in-github-public-repo/
• Malware Infects Small Hospital's Medical Imaging Server affecting 29K people https://www.bankinfosecurity.com/roosevelt-general-hospital-breach-a-13577
• ("Virus" is generic and vague - could this be a breach or ransomware?) Travelex Knocked Offline by System-Wide Malware Attack https://threatpost.com/travelex-knocked-offline-malware-attack/151522/
• LifeLabs cyberattack one of 'several wake-up calls' for e-health security and privacy https://www.cbc.ca/news/technology/lifelabs-data-breech-security-ehealth-1.5400817
• Facebook Fined $1.65 Mn by Brazil over Cambridge Analytica https://www.securityweek.com/facebook-fined-165-mn-brazil
• Universarium - 564,962 breached accounts added to HIBPhttps://haveibeenpwned.com/PwnedWebsites#Universarium
• Welcome to the 2019 Data Breach Hall of Shame https://www.cnet.com/news/2019-data-breach-hall-of-shame-these-were-the-biggest-data-breaches-of-the-year/
• The Worst Hacks of the Decade https://www.wired.com/story/worst-hacks-of-the-decade/
• 7 security incidents that cost CISOs their jobs https://www.csoonline.com/article/3510640/7-security-incidents-that-cost-cisos-their-jobs.html

Privacy

Articles about privacy related news, risks, and trends.

• Facebook Vows Strict Privacy Safeguards as it Rolls Out Preventive-Health Tool https://www.scientificamerican.com/article/facebook-vows-strict-privacy-safeguards-as-it-rolls-out-preventive-health-tool/
• Facebook, Google, and every other major tech company are updating their privacy policy in time for 2020 and the CCPA https://www.businessinsider.com/why-tech-companies-new-privacy-policy-2020-california-2019-12

• The Xiaomi Nest Hub incident:

  • Xiaomi Cameras Connected to Google Nest Expose Video Feeds From Others https://thehackernews.com/2020/01/google-nest-xiaomi-camera.html
  • Google Suspends Xiaomi From Nest Hub After Major Camera Breach—A Stark Warning For All https://www.forbes.com/sites/kateoflahertyuk/2020/01/03/google-suspends-xiaomi-from-nest-hub-after-major-camera-breach-a-stark-warning-for-all/
  • Google Boots Security Camera Maker From Nest Hub After Private Images Go Public https://threatpost.com/google-boots-security-camera-maker-from-nest-hub-after-private-images-go-public/151512/
• Mounties defend social media profiling after assembling portrait of activist https://www.cbc.ca/news/politics/rcmp-defends-social-media-profiling-1.5413580
• The Fight Against Government Face Surveillance: 2019 Year in Review https://www.eff.org/deeplinks/2019/12/year-fight-against-government-face-surveillance
• Consumer Privacy: Year in Review 2019 https://www.eff.org/deeplinks/2019/12/consumer-privacy-year-review-2019

Laws & Regulations / Standards

News about laws, regulations, and standards affecting security, privacy,  technology, and public interest.

• New CA Privacy Law Requires Retailers To Disclose Data Collection https://www.pymnts.com/legal/2019/new-ca-privacy-law-requires-retailers-to-disclose-data-collection/
• Ready for the New York SHIELD Act? https://www.bankinfosecurity.com/new-york-shield-act-comes-into-focus-for-businesses-a-13564
• A new anti-robocall law pummels spam callers with fines and pressures phone companies to stop robocalls in their tracks — but it won't end them just yet https://www.businessinsider.com/robocall-law-traced-act-fines-spoof-spam-callers-carriers-2020-1
• CCPA is live and no one is ready for California’s new consumer privacy law https://www.theverge.com/2019/12/31/21039228/california-ccpa-facebook-microsoft-gdpr-privacy-law-consumer-data-regulation
• Startups Try To Capitalize On New CA Data Privacy Law https://www.pymnts.com/data/2020/startups-try-capitalize-new-california-data-privacy-law/
• Russian Regulators To Crack Down On US Big Tech In 2020 https://www.pymnts.com/news/international/2019/russian-regulators-to-crack-down-on-us-big-tech-in-2020/
• Challenge to recognise world's first AI inventor heads for High Court battle https://www.businessinsider.com/ai-inventor-legal-challenge-in-uk-and-europe-court-battle-2020-1

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• How Can Credential Stuffing Be Thwarted? https://www.bankinfosecurity.com/interviews/how-credential-stuffing-be-thwarted-i-4551
• Facebook has turned data against us. Here's how we fight back https://www.wired.co.uk/article/data-personalisation-algorithms
• Microsoft Seizes Web Domains Used by North Korean Hackers https://www.securityweek.com/microsoft-seizes-web-domains-used-north-korean-hackers
• Microsoft Sues North Korean Firm For Cybertheft https://www.pymnts.com/news/security-and-risk/2019/microsoft-sues-north-korean-firm-for-cybertheft/
• Ransomware Victim Southwire Sues Maze Operators https://www.darkreading.com/threat-intelligence/ransomware-victim-southwire-sues-maze-operators/d/d-id/1336719
• Analysis: Countering Nation-State Attacks in 2020 https://www.bankinfosecurity.com/interviews/analysis-countering-nation-state-attacks-in-2020-i-4561
• Promiscuous Cookies and Their Impending Death via the SameSite Policy https://www.troyhunt.com/promiscuous-cookies-and-their-impending-death-via-the-samesite-policy/
• Firefox 72 Will Let Users Delete Telemetry Data https://www.securityweek.com/firefox-72-will-let-users-delete-telemetry-data
• Lock Down Your Smartphone: The New York Times ‘Privacy Project’ Revelations (including some extreme options) https://www.forbes.com/sites/tjmccue/2020/12/31/lock-down-your-phone-the-new-york-times-privacy-project-revelations
• This guy made a USB kill switch for his laptop for $20, and you can make one too |https://www.pcgamer.com/this-guy-made-a-usb-kill-switch-for-his-laptop-for-dollar20-and-you-can-make-one-too/
• How to turn off the microphone in your Nest devices in 3 easy steps https://www.businessinsider.com/how-to-turn-off-microphone-in-nest-devices-2019-2
• How to delete your Google Maps search history on a computer or mobile device https://www.businessinsider.com/how-to-delete-google-maps-search-history
• (Interesting idea) Mean Time to Hardening: The Next-Gen Security Metric https://threatpost.com/mean-time-hardening-next-gen-security-metric/151402/
• Breach investigation tool Ekultek/WhatBreach https://github.com/Ekultek/WhatBreach
• Cybersecurity Data Sharing: A Federal Progress Report https://www.bankinfosecurity.com/cybersecurity-data-sharing-federal-progress-report-a-13575
• Solving Escape Manor’s new room could land you a job as a Canadian codebreaker https://obj.ca/techopia-ottawa-escape-manor-cse-cybersecurity-recruit
• Prince William launches Earthshot Prize for innovations in solving environmental challenges https://www.cbc.ca/news/technology/prince-william-earthshotprize-1.5411389
• Surveillance Self-Defense: Year in Review 2019 https://www.eff.org/deeplinks/2019/12/year-surveillance-self-defense

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• 3 Critical Bugs Allow Remote Attacks on Cisco NX-OS and Switches https://threatpost.com/cisco-patches-3-critical-bugs-nx-os/151529/
• Warning Issued For Millions Of Microsoft Windows 10 Users [Updated] over buggy update https://www.forbes.com/sites/gordonkelly/2020/01/05/microsoft-windows-10-warning-file-explorer-crash-search-upgrade-windows-10/

Hacking / Malware / Cybercrime / Exploitation

News covering active trends and events.

• Fallout from the US drone strike killing an Iraninan General:

  • First Suleimani Attack By ‘Iranian’ Hackers Hits U.S., Exposing ‘Noisy’ New Threat https://www.forbes.com/sites/zakdoffman/2020/01/05/first-suleimani-attack-by-iranian-hackers-hits-us-exposing-noisy-new-threat/
  • US Conflict With Iran Sparks Cybersecurity Concerns https://www.bankinfosecurity.com/iran-a-13576
  • "This is message from Islamic Republic of Iran:" U.S. agency site apparently hacked https://globalnews.ca/news/6367834/iran-hackers-us-government-website/
• Austrian foreign ministry says fighting cyberattack by nation state actor https://www.yahoo.com/news/austrian-foreign-ministry-says-fighting-223816389.html
• Ransomware in Node.js https://isc.sans.edu/diary/Ransomware+in+Node.js/25664
• DeathRansom evolves from joke to actual ransomware https://www.zdnet.com/article/deathransom-evolves-from-joke-to-actual-ransomware/

Other Security / Risk

Articles covering other types of risks.

• More allout from the US drone strike killing an Iraninan General:

  • Federal government tells Canadians to consider leaving Iraq https://globalnews.ca/news/6364360/canada-iraq-iran-travel-warning/
  • "Exercise a high degree of caution": Canada updates Middle East travel advisories https://globalnews.ca/news/6366531/canadian-travel-advisory-updates/
• TikTok app banned by US Army on work mobile phones https://www.bbc.co.uk/news/world-us-canada-50952473
• US Army Follows Navy in Banning TikTok App https://www.bankinfosecurity.com/us-army-follows-navy-in-banning-tiktok-app-report-a-13570
• Think Beyond IT When Assessing Cybersecurity Risks https://blog.dashlane.com/think-beyond-it-when-assessing-cybersecurity-risks/
• Organizations May 'Uncloud' Over Security, Budgetary Concerns https://www.darkreading.com/cloud/organizations-may-uncloud-over-security-budgetary-concerns/a/d-id/1336670
• Your Unconscious Bias Trainings Keep Failing Because You’re Not Addressing Systemic Bias https://www.forbes.com/sites/janicegassam/2020/12/29/your-unconscious-bias-trainings-keep-failing-because-youre-not-addressing-systemic-bias/
• Texas nurse likely killed on New Year’s Eve by ‘celebratory gunfire’ https://globalnews.ca/news/6355916/philippa-ashford-texas-celebratory-gunfire/
• It Is Possible to Die From a Cold, And Some of Us Are More at Risk Than Others https://www.sciencealert.com/it-is-possible-to-die-from-a-cold-and-some-of-us-are-more-at-risk-than-others
• AI can spot breast cancer better than humans, study finds https://globalnews.ca/news/6352110/ai-breast-cancer-detection/
• US atomic waste dump in Marshall Islands to be investigated https://www.bbc.co.uk/news/world-us-canada-50951981
• Encouraging Hacking School Surveillance Systems as Protest? https://www.schneier.com/blog/archives/2019/12/hackingschool.html
• Police in Waterloo region fighting 'global epidemic' of online child abuse https://www.cbc.ca/news/canada/kitchener-waterloo/police-waterloo-region-global-epidemic-online-child-abuse-1.5402922
• These Are the Biggest Climate Questions for the New Decade https://www.scientificamerican.com/article/these-are-the-biggest-climate-questions-for-the-new-decade/
• Goldman Sachs studied a century of history to nail down the 5 biggest triggers of recessions — and concluded that 2 pose risks we've never seen before https://www.businessinsider.com/next-recession-risks-economy-historical-causes-over-century-goldman-sachs-2020-1
• Alex Jones (InfoWars) ordered to pay $100,000 in Sandy Hook defamation case https://www.bbc.co.uk/news/world-us-canada-50960730
• Vancouver woman ordered to pay ex $200K after trashing his reputation online https://globalnews.ca/news/6362535/vancouver-woman-ex-200k-trashing-reputation-online/
• The Problem With Suing Boeing For Its 737 MAX: Consequences https://www.forbes.com/sites/willhorton1/2020/12/30/the-problem-with-suing-boeing-for-its-737-max-consequences/
• The Weird Commerce Of The Dark Web https://www.pymnts.com/news/retail/2020/the-weird-commerce-of-the-dark-web/
• "My parking spot is too small": B.C.’s 10 most absurd 911 calls of 2019 https://globalnews.ca/news/6348666/b-c-top-10-absurd-911-calls-2019/
• Don't let an AI (even an advanced one) make you a cocktail https://aiweirdness.com/post/189979379637/dont-let-an-ai-even-an-advanced-one-make-you-a

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• Possible dementia vaccine closer after mice studies https://scienmag.com/possible-dementia-vaccine-closer-after-mice-studies/
• "Only in Canada": Social media reacts to York police tweet about 2 men fighting with hockey sticks https://globalnews.ca/news/6362352/two-men-fighting-hockey-sticks-richmond-hill-yrp-social-media/
• Does a new decade begin in 2020? Not everyone agrees (There is a difference between theory and practice) https://globalnews.ca/news/6351651/new-year-2020-new-decade-debate/
• There's an Unfinished 'City of The Future' Tucked Away in The Arizona Desert https://www.sciencealert.com/an-unfinished-city-of-the-future-is-hidden-away-in-the-arizona-desert
• Color-Changing Fibers Unravel a Knotty Mystery https://www.scientificamerican.com/article/color-changing-fibers-unravel-a-knotty-mystery/
• Physicists Just Achieved The First-Ever Quantum Teleportation Between Computer Chips https://www.sciencealert.com/scientists-manage-quantum-teleportation-between-computer-chips-for-the-first-time
• Meteor streaking across Saskatoon caught on video https://globalnews.ca/news/6347890/meteor-saskatoon-video/
• 800K year old crater found from asteroid that covered 10% of Earth's surface in debris https://astronomy.com/news/2020/01/crater-found-from-asteroid-that-covered-10-of-earths-surface-in-debris
• Tackling the Earth's orbiting space junk https://www.bbc.com/news/av/business-50976292/tackling-the-earth-s-orbiting-space-junk
• New Particle Accelerator Fits on a Silicon Chip https://www.scientificamerican.com/article/new-particle-accelerator-fits-on-a-silicon-chip/
• Groundhog day anyone? Astrophysicist - in theory spacetime can be twisted into loops https://futurism.com/astrophysicist-build-time-machine-past