This Week's [in]Security - Issue 175 | insecurity | Control Gap

Welcome to This Week’s [in]Security. Covid-19: Spread, Curves, Spikes & Waves. Lockdown, Reopening, & The New Normal. P2PEv3. Magecart. Fallback fraud. New breaches: Intel Documents, Leaky VPNs, 7 others. New Ransomware. NSA advice on location tracking saftey. NIST Webinars. US Splinernet? AWS Tools. Open Sourcing. DNS Intel. Voting machines. Defcon & Blackhat 12+ presentations! FBI alert. Cisco alerts. Multi-Processor Side Channel Attacks. Android/Qualcomm. STUXNET Redux. IoT Smart (un)Locks. Light bulb pwnage. Lockpicking. Pivoting through medical devices! Identity theft and COVID. Weaponizing DoH. MFA low hanging fruit. Recalls. Beirut explosion. Flawed AI. And more.

Trending news and COVID-19 updates.

The COVID related articles here fit together. Other COVID articles will appear under our normal section headings like regulations, privacy, breaches, and other risks. We have been following coronavirus risks since https://controlgap.com/blog/this-weeks-insecurity-issue-147.

• The spread, curves, spikes, and waves:

  • 'Don't they care?': Europeans astonished as U.S. hits 5 million cases https://www.ctvnews.ca/health/coronavirus/don-t-they-care-europeans-astonished-as-u-s-hits-5-million-cases-1.5057041
  • Brazil passes 100,000 Covid-19 deaths, as cases top 3 million https://www.cnn.com/2020/08/08/world/brazil-covid-19-deaths-intl/index.html
  • Canada sees 343 new coronavirus cases as global infections top 18.4 million https://globalnews.ca/news/7250319/coronavirus-canada-aug-4/
  • N.B. health officials warn of potential COVID-19 exposure on 2 Air Canada flights https://globalnews.ca/news/7257781/new-brunswick-coronavirus-covid-19-exposure-air-canada-flights/
  • Private parties in Vancouver area linked to at least 45 COVID-19 cases https://globalnews.ca/news/7256362/private-parties-vancouver-coronavirus/
  • At least 3 cruise ships are battling coronavirus outbreaks https://www.businessinsider.com/coronavirus-outbreaks-cruise-ships-bad-sign-industry-return-2020-8

• Lockdown, reopening, and The New Normal:

  • Florence’s Plague-Era Wine Windows Are Back in Business https://www.mentalfloss.com/article/627264/florence-plague-era-wine-windows
  • Canada’s coronavirus restrictions could last years even with vaccine https://globalnews.ca/news/7249803/coronavirus-vaccine-restrictions-theresa-tam/

• Treatments, Testing, Triage, and Trials, and things we learned:

  • T-cells: Common Colds May Have 'Primed' Some People's Immune Systems For COVID-19 https://www.sciencealert.com/common-colds-may-have-primed-some-people-s-immune-systems-for-covid-19
  • Harvard Scientist Says We Need More Cheap, 'Crappy' Tests For COVID-19 https://www.sciencealert.com/harvard-researchers-want-more-crappy-tests-for-covid-19
  • Temperature checks and ‘deep cleaning’ aren’t good at stopping coronavirus. So why do we bother? https://globalnews.ca/news/7257464/coronavirus-prevention-ineffective/
  • Some COVID-19 patients report hair loss months later https://globalnews.ca/news/7255624/coronavirus-hair-loss/
  • More than a million people in the UK have quit smoking since the start of the coronavirus pandemic https://www.businessinsider.com/coronavirus-smokers-quit-record-numbers-study-2020-8

• Masks, anti-maskers, and distancing:

  • Walmart Canada making masks mandatory in all stores starting Aug. 12 https://globalnews.ca/news/7255942/walmart-canada-mandatory-masks-august-12/
  • Canada to release mask guidelines for children, recommend them for kids aged 10+ https://globalnews.ca/news/7250340/canada-mask-guidelines-children-coronavirus/

PCI Compliance and Payments

News and announcements relating to Payment Security, PCI, Card Brands, Payments, Payment Malware and Fraud.

• PCI P2PEv3 Technical (Mandatory) FAQs https://www.pcisecuritystandards.org/documents/PCI-SSC_P2PEv3_Technical_FAQs.pdf
• Magecart group uses homoglyph (Unicode look-alike) attacks to fool you into visiting malicious websites https://www.zdnet.com/article/magecart-group-uses-homoglyph-attacks-to-fool-you-into-visiting-malicious-websites
• Fallback fraud - Issuer Security - EMV Bypass Cloning now exploited in the wild https://www.zdnet.com/article/theoretical-technique-to-abuse-emv-cards-detected-used-in-the-real-world/

Breaches / Ransomware / Leaks

Covering breaches, leaks, data exposures, ransomware (as potential breach), and their fallout.

• New breaches:

  • Intel investigating breach after 20GB of internal documents leak online https://www.zdnet.com/article/intel-investigating-breach-after-20gb-of-internal-documents-leak-online/ and https://arstechnica.com/information-technology/2020/08/intel-is-investigating-the-leak-of-20gb-of-its-source-code-and-private-data/
  • Hacker leaks passwords for 900+ enterprise VPN servers https://www.zdnet.com/article/hacker-leaks-passwords-for-900-enterprise-vpn-servers
  • Argentina exposes COVID-19 health data in error https://www.databreaches.net/argentina-exposes-covid-19-health-data-in-error/
  • Robocall Legal Advocate Leaks Customer Data https://krebsonsecurity.com/2020/08/robocall-legal-advocate-leaks-customer-data/
  • They say the tooth will set you free... so Brit dentist trade union tells members: 'Bad news – we've been hacked' https://www.theregister.com/2020/08/04/british_dental_association_hacked/
  • Scholarship America notifies individuals of breach https://www.databreaches.net/scholarship-america-notifies-individuals-of-breach/
  • Second Data Breach at Kentucky Unemployment System https://www.databreaches.net/second-data-breach-at-kentucky-unemployment-system/
  • Montreal-area teachers concerned about personal info being compromised after government data breach https://www.iheartradio.ca/cjad/news/montreal-area-teachers-concerned-about-personal-info-being-compromised-after-government-data-breach-1.13172353
  • Metrolinx investigating privacy breach after 2K email addresses of fined riders revealed https://www.databreaches.net/ca-metrolinx-investigating-privacy-breach-after-2k-email-addresses-of-fined-riders-revealed/

• New Ransomware:

  • Ransomware Threatens Production of 300 Ventilators Per Day https://www.databreaches.net/ransomware-threatens-production-of-300-ventilators-per-day/
  • Canon suffers ransomware attack, Maze claims responsibility https://www.zdnet.com/article/canon-suffers-ransomware-attack-maze-claims-responsibility
  • Data of Trent University alumni, faculty may have been copied during cybersecurity attack https://globalnews.ca/news/7254553/data-trent-university-cyberattack/

• Follow-ups:

  • ProctorU - 444,453 breached accounts (June 2020) now on HIBP https://haveibeenpwned.com/PwnedWebsites#ProctorU
  • Capital One Fined $80 Million for 2019 Data Breach Affecting 106 Million Users https://thehackernews.com/2020/08/capital-one-data-breach.html
  • Health records found at Fort Simpson dump in 2018 may have been stolen https://www.databreaches.net/ca-health-records-found-at-fort-simpson-dump-may-have-been-stolen-report/

Privacy

Articles about privacy related news, risks, and trends.

• No to Blockchain Credentials of COVID-19 Test Results for Entry to Public Spaces (combines several terrible ideas) https://www.eff.org/deeplinks/2020/08/no-blockchain-credentials-covid-19-test-results-entry-public-spaces
• Seismic Shift in Privacy Risks and Obligations https://www.datex.ca/blog/seismic-shift-in-privacy-risks-and-obligations
• Massachusetts Supreme Court Rejects (Warrantless) Long-Term Video Surveillance of Residents' Homes https://epic.org/2020/08/massachusetts-supreme-court-rejects.html
• The NSA on the Risks of Exposing Location Data https://www.schneier.com/blog/archives/2020/08/the_nsa_on_the_.html and https://www.wired.com/story/nsa-tips-smartphone-data-canon-ransomware-twitter-bug-security-news/

Laws & Regulations / Standards

News about laws, regulations, and standards affecting security, privacy, technology, and public interest.

• NIST Webinars:

  • Virtual Workshop on Considerations in Migrating to Post-Quantum Cryptographic Algorithms (August 24, 2020) https://www.nccoe.nist.gov/events/virtual-workshop-considerations-migrating-post-quantum-cryptographic-algorithms
  • An Invitational Virtual Workshop on the Automation of the NIST Cryptographic Module Validation Program (CMVP) (September 1, 2020) https://www.nccoe.nist.gov/events/invitational-virtual-workshop-automation-nist-cryptographic-module-validation-program-cmvp
• UK data watchdog having a hard time making GDPR fines stick https://www.theregister.com/2020/08/05/marriott_starwood_gdpr_fine_british_airways/
• A protester tried to ID a police officer on Twitter. Now he faces a felony — along with four who retweeted him https://www.washingtonpost.com/nation/2020/08/07/black-lives-matter-tweet-police-felony/
• Trump administration labels WeChat, TikTok ‘threats’ to national security, bans transactions with both https://www.theregister.com/2020/08/07/us_wechat_tiktok_national_security_threats/
• Is The US About To Split The Internet? https://www.bbc.com/news/technology-53686390
• China is now blocking all encrypted HTTPS traffic that uses TLS 1.3 and ESNI https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/
• Ever wonder how a pentest turns into felony charges? Coalfire duo explain Iowa courthouse arrest debacle https://www.theregister.com/2020/08/05/coalfire_pentest_iowa_black_hat/

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• NIST/NICCS Cyber Career Pathways Tool https://niccs.us-cert.gov/workforce-development/cyber-career-pathways
• Augmenting AWS Security Controls https://threatpost.com/divvycloud-augmenting-aws-security-controls/158132/
• Facebook open-sources one of Instagram's security tools, Pysa, for Python Code analysis https://www.zdnet.com/article/facebook-open-sources-one-of-instagrams-security-tools
• Open Sourcing the Have I Been Pwned https://www.troyhunt.com/im-open-sourcing-the-have-i-been-pwned-code-base/
• Firefox 79 includes protections against redirect tracking https://blog.mozilla.org/security/2020/08/04/firefox-79-includes-protections-against-redirect-tracking/
• DNSDB 2.0 - new capabilities for finding malicious domains https://www.darkreading.com/threat-intelligence/new-spin-on-a-longtime-dns-intel-tool/d/d-id/1338576
• Voting Machine Makers Are Finally Playing Nice With Hackers https://www.wired.com/story/voting-machine-makers-hackers-ess
• Defcon Safe Mode. Many interesting talks, and everything's online this year. https://defcon.org/html/defcon-safemode/dc-safemode-villages.html

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• FBI issues warning over Windows 7 end-of-life https://www.zdnet.com/article/fbi-issues-warning-over-windows-7-end-of-life/
• Cisco alert: Four high-severity flaws in routers, switches and AnyConnect VPN for Windows https://www.zdnet.com/article/cisco-alert-four-high-severity-flaws-in-routers-switches-and-anyconnect-vpn-for-windows/
• Intel, ARM, IBM, AMD Processors Vulnerable to New Side-Channel Attacks https://thehackernews.com/2020/08/foreshadow-processor-vulnerability.html
• Microsoft Teams Patch Bypass Allows RCE https://threatpost.com/microsoft-teams-patch-bypass-rce/158043/
• Qualcomm Bugs Open 40 Percent of Android Handsets to Attack https://threatpost.com/qualcomm-bugs-opens-40-percent-of-android-devices-to-attack/158194/
• A Flaw Used by Stuxnet Wasn't Fully Fixed https://www.databreachtoday.com/flaw-used-by-stuxnet-wasnt-fully-fixed-a-14767
• Smart locks opened with nothing more than a MAC address https://www.zdnet.com/article/smart-locks-opened-with-nothing-more-than-a-mac-address/
• Don’t be silly - it’s only a lightbulb https://research.checkpoint.com/2020/dont-be-silly-its-only-a-lightbulb/
• Inside the hidden world of competitive lockpicking https://www.cnet.com/news/inside-the-hidden-world-of-competitive-lockpicking/
• Hacking medical devices to hijack secure facilities https://www.databreaches.net/hacking-medical-devices-to-hijack-secure-facilities/
• New tool brings back 'domain fronting' as 'domain hiding' https://www.zdnet.com/article/def-con-new-tool-brings-back-domain-fronting-as-domain-hiding
• Influence Campaigns Are a Cybersecurity Problem https://threatpost.com/black-hat-hacking-public-opinion/158167/
• When it comes to hacking societies, Russia remains the master at sowing discord and disinformation online https://www.theregister.com/2020/08/06/china_russia_disinformation_black_hat/
• Using Botnets to Manipulate Energy Markets for Big Profits https://threatpost.com/black-hat-2020-using-botnets-to-manipulate-energy-markets-for-big-profits/158102/
• ‘Zero-Click’ MacOS Exploit Chain Uses Microsoft Office Macros https://threatpost.com/black-hat-zero-click-macos-exploit-chain-microsoft-office-macros/158112/
• Satellite Comms Globally Open to $300 Eavesdropping Hack https://threatpost.com/black-hat-satellite-comms-eavesdropping-hack/158146/
• Researcher Discovers New HTTP Request Smuggling Attack Variants https://www.securityweek.com/researcher-discovers-new-http-request-smuggling-attack-variants
• Dutch Hackers Found a Simple Way to Mess With Traffic Lights https://www.wired.com/story/hacking-traffic-lights-netherlands
• Mercedes-Benz E-Series Rife with 19 Bugs https://threatpost.com/black-hat-19-flaws-connected-mercedes-benz-vehicles/158144/
• Decades-Old Email Flaws Could Let Attackers Mask Their Identities https://www.wired.com/story/decades-old-email-flaws-could-let-attackers-mask-identities

Hacking / Malware / Cybercrime / Exploitation

News covering active trends and events.

• Hacked Data Broker Accounts Fueled Phony COVID Loans, Unemployment Claims https://krebsonsecurity.com/2020/08/hacked-data-broker-accounts-fueled-phony-covid-loans-unemployment-claims/
• Cybercrime in the Age of COVID-19 https://www.schneier.com/blog/archives/2020/08/cybercrime_in_t.html
• Iranian hacker group becomes first known APT to weaponize DNS-over-HTTPS (DoH) https://www.zdnet.com/article/iranian-hacker-group-becomes-first-known-apt-to-weaponize-dns-over-https-doh/
• Attackers Horn in on MFA Bypass Options for Account Takeovers https://threatpost.com/attackers-mfa-bypass-account-takeovers/158189/
• Chinese Malware Targeting IT Service Providers https://www.databreachtoday.com/alert-chinese-malware-targeting-service-providers-a-14763
• Chrome Web Store slammed again after 295 ad-injecting, spammy extensions downloaded 80 million times https://www.theregister.com/2020/08/07/chrome_web_store_slammed/
• Hackers are defacing Reddit with pro-Trump messages https://www.zdnet.com/article/hackers-are-defacing-reddit-with-pro-trump-messages/
• US DOJ Charges 14 With $28M In PPP Fraud https://www.pymnts.com/news/security-and-risk/2020/us-doj-charges-14-with-28m-in-ppp-fraud/
• Bulgarian police arrest hacker Instakilla https://www.zdnet.com/article/bulgarian-police-arrest-hacker-instakilla/
• Porn Clip Disrupts Virtual Court Hearing for Alleged Twitter Hacker https://krebsonsecurity.com/2020/08/porn-clip-disrupts-virtual-court-hearing-for-alleged-twitter-hacker/

Other Security / Risk

Articles covering other types of risks.

• Health Canada recalls more than 50 hand sanitizers in evolving list https://www.cbc.ca/news/health/sanitizer-recall-expands-canada-1.5675182
• US Offers $10 Million Reward Against Election Interference https://www.securityweek.com/us-offers-10-million-reward-against-election-interference
• Software developers: How plans to automate coding could mean big changes ahead https://www.zdnet.com/article/software-developers-how-plans-to-automate-coding-could-mean-big-changes-ahead/
• (Video) More than 100 killed, thousands injured in blast in Lebanon’s capital https://globalnews.ca/news/7249393/massive-explosion-beirut-lebanon/
• The Beirut explosion - impact contrasted with Canadian cities https://www.ctvnews.ca/sci-tech/mapping-the-beirut-explosion-what-the-impact-would-look-like-in-canadian-cities-1.5053932
• Explosion magnitudes 1916&1917 WWI Sommes/Messines, 1917 Halifax Explosion (3Kt), Beirut (1.8KT) https://en.wikipedia.org/wiki/Largest_artificial_non-nuclear_explosions and [https://en.wikipedia.org/wiki/TNT\equivalent](https://en.wikipedia.org/wiki/TNT_equivalent)
• A British AI Tool to Predict Violent Crime Is Too Flawed to Use https://www.wired.com/story/a-british-ai-tool-to-predict-violent-crime-is-too-flawed-to-use
• More than 750 Canadians have received ‘unsolicited seeds’ by mail: CFIA https://globalnews.ca/news/7256844/canada-seeds-mail-investigation/

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• Video (image stack) of Comet NeoWise from Canada's NEOSSat space telescope https://www.youtube.com/watch?v=1NxnUnLlnM8
• Arecibo Observatory weathers Tropical Storm Isaias to track potentially dangerous asteroid https://www.space.com/arecibo-observatory-tracks-asteroid-2020-nk1-tropical-storm-isaias.html
• Here's How Your Soft Hair Continues to Ruin Even The Sharpest Steel Razors https://www.sciencealert.com/here-s-why-the-sharpest-steel-razors-get-dulled-when-shaving-soft-hair
• What?! Physicists Demonstrate a Weird Effect Where Heating Particles Causes Them to Freeze https://www.sciencealert.com/physicists-demonstrated-a-weird-effect-where-heating-particles-causes-them-to-freeze
• Astronomers use Hubble during an eclipse to detect life on Earth so we can detect life elsewhere https://www.syfy.com/syfywire/astronomers-use-hubble-during-an-eclipse-to-detect-life-on-earth
• Model Suggests Toxic Transformation on Venus https://www.scientificamerican.com/article/model-suggests-toxic-transformation-on-venus/
• Some Stars Could Support as Many as 7 Habitable Planets https://www.universetoday.com/147294/some-stars-could-support-as-many-as-7-habitable-planets/
• You Can Play Real Music on This 3622-Piece LEGO Grand Piano https://www.mentalfloss.com/article/627158/3622-piece-lego-grand-piano-set