This Week’s [in]Security – Issue 152

Welcome to This Week’s [in]Security. Trending: Coronavirus impact update: spread, defense, and impact. More crypto-wars fallout: Crypto AG criminal investigation. Throwing out Huawei and ZTE. Deepfakes and Payment Fraud. Samsung, Straffic 48M records, Hong Kong and Rotherwood Healthcare breaches. Clearview and DISA breach followups. Ransomware frees accused. Lifelabs blocking regulator. Desjardins' $108M breach cost. Shunning breached companies. SimpleTax buyer renegs on privacy. Alexa's listening. Sidewalk Labs privacy. Formalizing right to be forgotten. $200M FTC fine over cellphone location data.FB vs analytics firm. NY cybersecurity enforcement. NSA metadata collection. NIST Cyber security roadmap. Encrypted DNS update. Cloud risk mitigation. Preventing leaks. IOT class actions. TLS cert and signature changes. Memory encryption. Cybersecurity Humble Bundle . Ransomware gets to the backups. Zyxel zero-day hits more products. AWS firewall bypass. Ancient Tomcat bug found. IoT vacuum sucks camera data too. 2FA and unpatched phones. 2FA malware. Attacking healthcare for profit. PayPal abuse. RSA conference. DDoS as a smokescreen. Russian provocations. And more.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

New - Emerging Issues and Trending Stories

This special section is dedicated to emerging issues and trending stories that cross multiple of our regular news categories.

• Coronavirus not Pandemic yet?

  • Iran's deputy health minister and vice-president test positive for coronavirus https://www.aljazeera.com/news/2020/02/iran-deputy-health-minister-tests-positive-coronavirus-200225131520852.html and https://globalnews.ca/news/6603204/iran-saudi-arabia-coronavirus/
  • Coronavirus spread prompts cities to cancel major events https://qz.com/1808672/coronavirus-spread-prompts-cities-to-cancel-major-events/
  • The US' newest coronavirus patient had no known exposure to anyone sick and hadn't gone to China, which suggests containment might be impossible https://www.businessinsider.com/coronavirus-community-spread-us-health-systems-tested-2020-2
  • How to prepare for coronavirus in the U.S. (Spoiler: Not sick? No need to wear a mask.) https://www.washingtonpost.com/health/2020/02/26/how-to-prepare-for-coronavirus/
  • Canada prepares pandemic response plan as coronavirus cases continue to climb https://www.cbc.ca/news/politics/pandemic-response-cornavirus-canada-1.5473738
  • The CDC Releases Predictions For How COVID-19 Will Spread in The US https://www.sciencealert.com/the-cdc-has-a-prediction-for-how-the-coronavirus-will-affect-the-us
  • No, The CDC Is Not Telling People to Shave to Avoid The Coronavirus https://www.sciencealert.com/no-the-cdc-is-not-telling-people-to-shave-to-avoid-covid-19
  • Feeling Anxious Over The Coronavirus? Here's What You Can Do https://www.sciencealert.com/here-s-some-expert-advice-on-ways-to-ease-anxiety-over-the-coronavirus-threat
  • China bans human consumption and trade of wild animals https://www.ctvnews.ca/sci-tech/china-bans-human-consumption-and-trade-of-wild-animals-1.4824540
  • Study reveals how drug meant for Ebola may also work against coronaviruses https://scienmag.com/study-reveals-how-drug-meant-for-ebola-may-also-work-against-coronaviruses/
  • Five countries, five responses https://www.bbc.co.uk/news/av/world-51649358/coronavirus-five-countries-five-responses
  • WHO page on disease emergencies, epidemic and Pandemics https://www.who.int/emergencies/diseases/en/
  • Wikipedia list of epidemics https://en.wikipedia.org/wiki/List_of_epidemics
  • WHO Says Coronavirus is Not Yet a Pandemic, But Urges Countries to Prepare https://www.statnews.com/2020/02/24/who-tells-countries-prepare-coronavirus-pandemic-too-soon-to-make-call/
  • The Week in Tech: Coronavirus Disrupts the Industry https://www.nytimes.com/2020/02/28/technology/coronavirus-disrupts-industry.html
  • Stock markets sell off as coronavirus spread threatens global economy https://www.cbc.ca/news/business/markets-monday-coronavirus-1.5473520
  • Coronavirus Decimates US Stock Market $1.7T In 48 Hours https://www.pymnts.com/news/investment-tracker/2020/coronavirus-decimates-us-stock-market-1-7t-in-48-hours/
  • Economic hurt felt globally as nearly 60 countries report coronavirus cases https://globalnews.ca/news/6607996/coronavirus-outbreak-global-economy/

• More crypto-wars fallout:

  • Switzerland Files Criminal Complaint Over Crypto AG Spying “Operation Rubicon” https://www.reuters.com/article/us-swiss-spying-crypto-idUSKBN20O1VD
  • Senate passes ‘rip and replace’ bill to remove old Huawei and ZTE equipment from networks https://techcrunch.com/2020/02/27/senate-passes-rip-and-replace-bill-to-remove-old-huawei-and-zte-equipment-from-networks/

PCI Compliance and Payments

News and announcements relating to Payment Security, PCI, Card Brands, Payments, Payment Malware and Fraud.

• Fraud Schemes Get ‘Scary’ as Chip Cards Push Crime Away From the Point of Sale https://www.digitaltransactions.net/fraud-schemes-get-scary-as-chip-cards-push-crime-away-from-the-point-of-sale/

Breaches / Ransomware / Leaks

Covering breaches, leaks, data exposures, ransomware (as potential breach), and their fallout.

• Samsung admits data breach following Find My Mobile fail https://www.tomsguide.com/news/samsung-admits-data-breach-following-find-my-mobile-fail
• Israeli Marketing Company Exposes Contacts Elasticsearch Database https://www.databreachtoday.com/israeli-marketing-company-exposes-contacts-database-a-13785 and credentials addred to Have I Been Pwned 48,580,249 accounts https://haveibeenpwned.com/PwnedWebsites#Straffic
• Data breach concerns after ‘theft’ of Hong Kong gov’t phones containing details of quarantined coronavirus residents https://www.databreaches.net/hk-data-breach-concerns-after-theft-of-hong-kong-govt-phones-containing-details-of-quarantined-coronavirus-residents/
• Rotherwood Healthcare AWS bucket security fail left elderly patients’ DNR choices freely readable online https://www.databreaches.net/uk-rotherwood-healthcare-aws-bucket-security-fail-left-elderly-patients-dnr-choices-freely-readable-online/
• Clearview AI’s breached client list includes 2,200 organizations spanning law enforcement to universities https://www.theverge.com/2020/2/27/21156678/clearview-ai-client-macy-fbi-doj-twitter-facebook-youtube and https://www.forbes.com/sites/kateoflahertyuk/2020/02/26/clearview-ai-the-company-whose-database-has-amassed-3-billion-photos-hacked/
• Last week breach list included DISA - the agency in charge of securing White House communications https://threatpost.com/data-breach-occurs-at-agency-in-charge-of-secure-white-house-communications/153160/
• Massachusetts Electric Utility Hit by Ransomware https://www.securityweek.com/massachusetts-electric-utility-hit-ransomware
• US Railroad Contractor Reports Data Breach After Ransomware Attack https://www.databreaches.net/us-railroad-contractor-reports-data-breach-after-ransomware-attack/
• Six suspected drug dealers went free after police lost evidence in ransomware attack https://www.zdnet.com/article/six-suspected-drug-dealers-went-free-after-police-lost-evidence-in-ransomware-attack/
• LifeLabs fights bid to keep data breach report out of the hands of the Information and Privacy Commissioner https://www.vancourier.com/news/lifelabs-fights-bid-for-report-on-cyberattack-in-wake-of-data-breach-1.24087603
• Desjardins Group says 2019 theft of 4.2 million members’ data cost $108 million https://globalnews.ca/news/6599224/desjardins-data-theft-cost-108-million/
• One in four Americans won’t do business with data-breached companies https://www.zdnet.com/article/one-in-four-americans-wont-do-business-with-data-breached-companies/

Privacy

Articles about privacy related news, risks, and trends.

• The Canadian tech company that changed its mind about using your tax return to sell stuff https://www.cbc.ca/radio/costofliving/the-canadian-tech-company-that-changed-its-mind-about-using-your-tax-return-to-sell-stuff-1.5471400
• Don't worry, Alexa and friends only record you up to 19 times a day https://www.zdnet.com/article/dont-worry-alexa-and-friends-only-record-you-up-to-19-times-a-day/
• Google asked to justify Toronto 'digital-city' plan https://www.bbc.com/news/technology-51658116
• Privacy by Design' Implementation Tips https://www.bankinfosecurity.com/interviews/privacy-by-design-implementation-tips-i-4603
• Formalizing Data Deletion in the Context of the Right to be Forgotten https://eprint.iacr.org/2020/254
• If you're serious about browser privacy, you should probably pass on Edge or Yandex https://www.theregister.co.uk/2020/02/27/edge_and_yandex_browser_privacy_shame/
• FTC Publishes Privacy and Data Security Update for 2019 https://epic.org/2020/02/ftc-publishes-privacy-and-data.html
• Guess what? GDPR Enforcement Is On Fire! https://www.datex.ca/blog/guess-what-gdpr-enforcement-is-on-fire
• F.C.C. to Fine Cellphone Carriers AT&T, Sprint, Verizon, and T-Mobile $200M for Selling Customers’ Locations https://www.nytimes.com/2020/02/27/technology/fcc-location-data.html https://www.theverge.com/2020/2/27/21156555/verizon-sprint-att-tmobile-fcc-fine-carriers-consumer-data-disclosure
• Facebook Sues Analytics Firm for Data Misuse https://www.securityweek.com/facebook-sues-analytics-firm-data-misuse

Laws & Regulations / Standards

News about laws, regulations, and standards affecting security, privacy,  technology, and public interest.

• New York State Expected to Increase Enforcement of Cybersecurity Practices https://www.databreaches.net/new-york-state-expected-to-increase-enforcement-of-cybersecurity-practices/
• Newly Declassified Study Demonstrates Uselessness of NSA's Phone Metadata Program / The Costs of Spying https://www.schneier.com/blog/archives/2020/02/newly_declassif.html and https://www.theatlantic.com/ideas/archive/2020/02/costs-spying/607177/
• NIST Internal Report (NISTIR) 8287: A Roadmap for Successful Regional Alliances and Multistakeholder Partnerships to Build the Cybersecurity Workforce https://csrc.nist.gov/publications/detail/nistir/8287/final

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• Firefox Enables DNS over HTTPS https://www.schneier.com/blog/archives/2020/02/firefox_enables.html and https://www.theverge.com/2020/2/25/21152335/mozilla-firefox-dns-over-https-web-privacy-security-encryption
• White Paper on Cloud Security Risks - And How To Mitigate Them https://blog.isc2.org/isc2_blog/2020/02/white-paper-on-cloud-security-risks-and-how-to-mitigate-them.html
• How to Prevent an AWS Cloud Bucket Data Leak https://www.darkreading.com/application-security/database-security/how-to-prevent-an-aws-cloud-bucket-data-leak--/d/d-id/1337093
• Securing the Internet of Things through Class-Action Lawsuits https://www.schneier.com/blog/archives/2020/02/securing_the_in.html
• Bulletproof TLS Newsletter #62 One-year certificate lifetimes are coming, 3DES and SHA-1 signature deprecation begins https://www.feistyduck.com/bulletproof-tls-newsletter/issue_62_one_year_certificate_lifetimes_are_coming
• Unmasking Data Masking https://www.datex.ca/blog/unmasking-data-masking-0
• Data Encryption on Android with Jetpack Security https://security.googleblog.com/2020/02/data-encryption-on-android-with-jetpack.html
• Improving Malicious Document Detection in Gmail with Deep Learning https://security.googleblog.com/2020/02/improving-malicious-document-detection.html
• Cybersecurity alliance launches first open source messaging framework for security tools https://www.zdnet.com/article/cybersecurity-alliance-launches-first-open-source-messaging-framework-for-security-tools/
• Intel promises Full Memory Encryption in upcoming CPUs https://arstechnica.com/gadgets/2020/02/intel-promises-full-memory-encryption-in-upcoming-cpus/
• Humble Bundle's 2020 Cybersecurity Books https://www.schneier.com/blog/archives/2020/02/humble_bundles_.html

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• Ransomware victims thought their backups were safe. They were wrong https://www.zdnet.com/article/ransomware-victims-thought-their-backups-were-safe-they-were-wrong/
• Intel KVM Virtualization Hit By Vulnerability Over Unfinished Code https://phoronix.com/scan.php?page=news_item&px=Intel-KVM-CVE-2020-2732
• Zyxel Fixes 0day in Network Storage Devices https://krebsonsecurity.com/2020/02/zyxel-fixes-0day-in-network-storage-devices/
• Zyxel 0day Affects its Firewall Products, Too https://krebsonsecurity.com/2020/02/zyxel-0day-affects-its-firewall-products-too/
• Cloud Snooper' Attack Circumvents AWS Firewall Controls https://www.darkreading.com/cloud/cloud-snooper-attack-circumvents-aws-firewall-controls/d/d-id/1337171
• Ghostcat bug impacts all Apache Tomcat versions released in the last 13 years https://www.zdnet.com/article/ghostcat-bug-impacts-all-apache-tomcat-versions-released-in-the-last-13-years/
• Chrome 80 update cripples AZORult malware and top cybercrime marketplace https://www.zdnet.com/article/chrome-80-update-cripples-top-cybercrime-marketplace/
• Google Patches Chrome Browser Zero-Day Bug, Under Attack https://threatpost.com/google-patches-chrome-browser-zero-day-bug-under-attack/153216/
• Unpatched Security Flaws Open Connected Vacuum to Takeover https://threatpost.com/unpatched-security-flaws-open-connected-vacuum-to-takeover/153142/
• Don't run your 2FA authenticator app on these smartphones https://www.tomsguide.com/uk/news/mobile-auth-app-hack-rsa20
• New Kr00k vulnerability lets attackers decrypt WiFi packets https://www.zdnet.com/article/new-kr00k-vulnerability-lets-attackers-decrypt-wifi-packets/
• New Evasion Encyclopedia Shows How Malware Detects Virtual Machines https://www.bleepingcomputer.com/news/security/new-evasion-encyclopedia-shows-how-malware-detects-virtual-machines/
• The Long Path out of the Vulnerability Disclosure Dark Ages https://www.wired.com/story/vulnerability-disclosure-bug-bounties/
• How a Hacker's Mom Broke Into a Prison—and the Warden's Computer https://www.wired.com/story/hackers-mom-broke-into-prison-wardens-computer/

Hacking / Malware / Cybercrime / Exploitation

News covering active trends and events.

• Android malware can steal Google Authenticator 2FA codes https://www.zdnet.com/article/android-malware-can-steal-google-authenticator-2fa-codes/
• Hackers Cashing In On Healthcare Industry Security Weaknesses https://threatpost.com/hackers-cashing-in-on-healthcare-industry-security-weaknesses/153238/
• PayPal accounts abused en-masse for unauthorized payments https://www.zdnet.com/article/paypal-accounts-are-getting-abused-en-masse-for-unauthorized-payments/
• Stalkerware infections grew by 40% in 2019, https://www.zdnet.com/article/stalkerware-infections-grew-by-40-in-2019-says-kaspersky/
• Raccoon: The Story of a Typical Infostealer https://www.cyberark.com/threat-research-blog/raccoon-the-story-of-a-typical-infostealer/
• FBI Warned Of Fraudster’s Paradise: Up To 130,000 Hacked Asus Routers On Sale For A Few Dollars https://www.databreaches.net/fbi-warned-of-fraudsters-paradise-up-to-130000-hacked-asus-routers-on-sale-for-a-few-dollars/
• Winnipeg police warn of bank investigator scams cost Manitobans over $1M in 2019 https://globalnews.ca/news/6615775/winnipeg-police-scam-manitobans/
• FBI arrests neo-Nazi group Atomwaffen’s leader on swatting charges https://www.theverge.com/2020/2/26/21154536/fbi-atomwaffen-division-neo-nazi-graveyard-irc-arrest-swatting
• Former Microsoft Engineer Convicted of $10M Insider Fraud https://www.bankinfosecurity.com/former-microsoft-engineer-convicted-insider-fraud-a-13793
• FBI Makes Arrest in DDoS Attack on Candidate's Website https://www.bankinfosecurity.com/fbi-makes-arrest-in-ddos-attack-on-candidates-website-a-13754

Other Security / Risk

Articles covering other types of risks.

• RSAC 2020: Blockchain is 'Garbage In', Voting Needs Paper Ballots https://threatpost.com/rsac-2020-blockchain-is-garbage-in-voting-needs-paper-ballots/153221/
• RSAC 2020: Lack of Machine Learning Laws Open Doors To Attacks https://threatpost.com/rsac-2020-lack-of-machine-learning-laws-open-doors-to-attacks/153259/
• Bruce Schneier Proposes 'Hacking Society' for a Better Tomorrow https://threatpost.com/bruce-schneier-proposes-hacking-society-for-a-better-tomorrow/153342/
• DDoS as a smokescreen(Distract Then Steal) https://www.imperva.com/blog/ddos-as-a-smokescreen/
• Russia Is Trying to Tap Transatlantic Cables https://www.schneier.com/blog/archives/2020/02/russia_is_tryin.html
• FBI Official: Russia Wants to See US 'Tear Ourselves Apart' https://www.securityweek.com/fbi-official-russia-wants-see-us-tear-ourselves-apart
• National Security Experts Call for Eliminating Greenhouse Gas Emissions https://www.scientificamerican.com/article/national-security-experts-call-for-eliminating-greenhouse-gas-emissions/
• Canada’s terrorism offenders are coming out of prison still radicalized https://globalnews.ca/news/6574722/terrorism-in-canada-deradicalization-programs-parole/
• Looming lawsuits, threats of job losses and other takeaways from the CRTC hearings on cell service https://www.cbc.ca/news/politics/crtc-cellphone-affordability-1.5480807
• Teck Frontier cancellation over "uncertainty" should be ‘wake-up call’ for Canada https://globalnews.ca/news/6610976/teck-frontier-withdrawal-chrystia-freeland/
• US output contracts for the first time since October 2013 https://www.forexfactory.com/news/982185-us-output-contracts-for-the-first-time-since
• A battle is brewing between Google and Microsoft over Edge and their app stores https://www.zdnet.com/article/google-says-microsoft-edge-isnt-secure-i-asked-why/

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• Small quartz disc can store 360TB of data forever https://www.zmescience.com/research/technology/quartz-disk-5d-storage-52543/
• ‘Leaning Tower of Dallas’ survives wrecking ball, becomes off-kilter sensation https://globalnews.ca/news/6602952/leaning-tower-of-dallas-collapse/
• 11 historic events that happened on February 29, also known as 'Leap Day' https://www.businessinsider.com/leap-year-history-february-29-2012-2
• Lake Erie snowstorm encases Hamburg NY homes in up to three feet of ice https://www.dailymail.co.uk/news/article-8062153/Snowstorm-freezes-homes-Lake-Erie.html
• Scientific Rebel Freeman Dyson Dies https://blogs.scientificamerican.com/cross-check/scientific-rebel-freeman-dyson-dies/
• Famous NASA Mathematician Katherine Johnson Has Died Aged 101 https://www.sciencealert.com/katherine-johnson-black-nasa-mathematician-portrayed-in-hidden-figures-dies-at-101
• More (entertaining) weirdness in the world of competitive Chess https://slate.com/culture/2020/02/magnus-carlsen-speed-chess-drdrunkenstein-pseudonyms-twitch-youtube.html
• Here’s How The Size Of Asteroids Compares To New York City https://www.boredpanda.com/size-of-asteroids-alvaro-gracia-montoya/
• Earth has a new 'minimoon', scientists announce https://www.independent.co.uk/news/science/earth-moon-minimoon-space-asteroid-meteor-a9361486.html
• Smithsonian releases 2.8 million free images for broader public use https://scienmag.com/smithsonian-releases-2-8-million-free-images-for-broader-public-use/
• Two commercial satellites just docked in space for the first time https://www.theverge.com/2020/2/26/21154426/commercial-satellites-docking-space-northrop-grumman-intelsat
• Astronomers Just Witnessed The Biggest Explosion in The Universe Ever Recorded https://www.sciencealert.com/astronomers-have-just-recorded-the-biggest-explosion-since-the-big-bang