This Week's [in]Security - Issue 182

Welcome to This Week’s [in]Security. Draft DSS v4 RFC. Breach Reporting. New breaches: XP Source. Bing. Shopify. Spots. games. Airbnb. New Ransomware. Autonomous Indoor Drone? Facial Recognition. Taxing Tech. NIST Updates, Drafts & Workshops. YAYA and Chronicle Detect Threat Hunters. IoT. CBC Encryption. Russians hacking Russians. Arrests, Charges & Sentencings. Election Security. Phishing awareness fail. Homework fraud. Pastebin. Hurricane names. Medical AI. brain-computer interfaces. Near misses. Covid-19: Spread, Curves, Spikes, Waves, & reinfections. And more.

PCI Compliance and Payments

News and announcements relating to Payment Security, PCI, Card Brands, Payments, Payment Malware and Fraud.

• Request for Comments: PCI DSS Version 4.0 Draft Standard https://blog.pcisecuritystandards.org/request-for-comments-pci-dss-version-4.0-draft-standard

• PCI P2PE Expired listings pages:

  • https://www.pcisecuritystandards.org/assessors_and_solutions/point_to_point_encryption_solutions_expired
  • https://www.pcisecuritystandards.org/assessors_and_solutions/point_to_point_encryption_applications_expired
  • https://www.pcisecuritystandards.org/assessors_and_solutions/point_to_point_encryption_components_expired
• PCI PIN Security in Practice Case Study: Gertec https://blog.pcisecuritystandards.org/pci-pin-security-in-practice-case-study-gertec
• Exposing Your Face Isn't a More Hygienic Way to Pay https://www.eff.org/deeplinks/2020/09/exposing-your-face-isnt-more-hygienic-way-pay

Breaches / Ransomware / Leaks

Covering breaches, leaks, data exposures, ransomware (as potential breach), and their fallout.

• Breach Reporting:

  • The High Cost of Reporting a Non-Reportable Data Breach https://www.databreaches.net/the-high-cost-of-reporting-a-non-reportable-data-breach/
  • Wondering how to tell the world you've been hacked? Here's a handy guide from infosec academics https://www.theregister.com/2020/09/24/how_to_admit_youve_been_hacked/

• New breaches:

  • Windows XP Source Code Reportedly Leaked, Posted to 4chan https://www.tomshardware.com/news/windows-xp-source-code-reportedly-posted-to-4chan
  • Microsoft leaks 6.5TB in Bing search data via unsecured Elastic server https://www.theregister.com/2020/09/23/microsoft_leaks_over_65tb_bing/
  • Shopify says two support staff stole customer data from sellers https://techcrunch.com/2020/09/23/shopify-data-merchant-breach/
  • Gym chain Town Sports exposes 600,000 records of members and staff https://www.comparitech.com/blog/information-security/gym-chain-town-sports-exposes-personal-details-of-600000-members-staff-online-report/
  • Details of 540,000 sports referees taken in failed ransomware attack https://www.databreaches.net/details-of-540000-sports-referees-taken-in-failed-ransomware-attack/
  • Data breach at New York Sports Clubs owner exposed customer data https://www.databreaches.net/data-breach-at-new-york-sports-clubs-owner-exposed-customer-data/
  • Activision Accounts Hacked? 500,000 Call Of Duty Players Could Be Affected https://www.databreaches.net/activision-accounts-hacked-500000-call-of-duty-players-could-be-affected-report/
  • Razer accidentally leaked the personal information for over 100,000 gamers https://www.theverge.com/2020/9/14/21436160/razer-data-leak-elasticsearch-sever-misconfiguration
  • Singapore: ShopBack, RedDoorz report breaches https://www.databreaches.net/singapore-shopback-reddoorz-report-breaches/
  • Customers’ bank details stolen as hackers target Staffordshire firm https://www.databreaches.net/customers-bank-details-stolen-as-hackers-target-staffordshire-firm/
  • AU: University of Tasmania IT bungle leads to mass student data breach https://www.databreaches.net/au-university-of-tasmania-it-bungle-leads-to-mass-student-data-breach/
  • Airbnb Accounts Exposed to Hijacking Due to Phone Number Recycling https://www.securityweek.com/airbnb-accounts-exposed-hijacking-due-phone-number-recycling
  • OH: Stark Summit Ambulance notified patients and employees of data breach https://www.databreaches.net/oh-stark-summit-ambulance-notified-patients-and-employees-of-data-breach/

• New Ransomware:

  • SFU ransomware attack exposed data from 250,000 accounts, documents show https://www.cbc.ca/news/canada/british-columbia/sfu-ransomware-attack-1.5732027
  • Hungarian banks, telecoms services briefly hit by cyber attack: Magyar Telekom https://www.databreaches.net/hungarian-banks-telecoms-services-briefly-hit-by-cyber-attack-magyar-telekom/
  • Leading U.S. laser developer IPG Photonics hit with ransomware https://www.databreaches.net/leading-u-s-laser-developer-ipg-photonics-hit-with-ransomware/
  • Govt. Services Firm Tyler Technologies Hit in Apparent Ransomware Attack https://krebsonsecurity.com/2020/09/govt-services-firm-tyler-technologies-hit-in-apparent-ransomware-attack/
  • AL: St. Clair County is latest victim of cyberattack https://www.databreaches.net/al-st-clair-county-is-latest-victim-of-cyberattack/

• Follow-ups:

  • 'BlueLeaks' data breach involved 38 Canadian police forces https://www.cbc.ca/news/canada/ottawa/blueleaks-published-thousands-of-documents-from-canadian-police-agencies-1.5734311
  • Legal misinterpretation to blame for delay in reporting Kentucky unemployment breach https://www.databreaches.net/legal-misinterpretation-to-blame-for-delay-in-reporting-kentucky-unemployment-breach/
  • Premera Blue Cross Slapped With $6.8 Million HIPAA Fine https://www.databreachtoday.com/premera-blue-cross-slapped-68-million-hipaa-fine-a-15067
  • HIPAA Business Associate Pays $2.3 Million to Settle Breach Affecting Protected Health Information of Over 6 million Individuals https://www.databreaches.net/hipaa-business-associate-pays-2-3-million-to-settle-breach-affecting-protected-health-information-of-over-6-million-individuals/
  • Hefty $1.5M HIPAA Fine After Breach Involving 'The Dark Overlord' https://www.databreachtoday.com/hefty-hipaa-fine-after-breach-involving-the-dark-overlord-a-15039
  • Cambridge Analytica's Ex-CEO Banned From Running Companies https://packetstormsecurity.com/news/view/31610/Cambridge-Analyticas-Ex-CEO-Banned-From-Running-Companies.html

Privacy

Articles about privacy related news, risks, and trends.

• (Seriously?) Of course I want an Amazon drone flying inside my house. Don't you? https://www.zdnet.com/article/of-course-i-want-an-amazon-drone-flying-inside-my-house-dont-you/, https://www.theverge.com/2020/9/25/21455197/amazon-ring-drone-home-security-surveillance-sidewalk-halo-privacy, and https://www.theverge.com/2020/9/24/21453709/ring-always-home-cam-indoor-drone-security-camera-price-specs-features-amazon
• Students Are Pushing Back Against Proctoring Surveillance Apps https://www.eff.org/deeplinks/2020/09/students-are-pushing-back-against-proctoring-surveillance-apps
• This company's Zoom policy may be the worst I've ever heard https://www.zdnet.com/article/this-companys-zoom-policy-may-be-the-worst-ive-ever-heard/
• WannaCry Has ~IoT~ special purpose machines in its crosshairs https://www.darkreading.com/risk/wannacry-has-iot-in-its-crosshairs/a/d-id/1338894 Failed to Protect Sensitive Biometric Information in Test of Facial Recognition Program https://epic.org/2020/09/cbp-failed-to-protect-sensitiv.html

Laws & Regulations / Standards

News about laws, regulations, and standards affecting security, privacy, technology, and public interest.

• Canada's “Get Money from Web Giants” Grows:

  • Canadian Heritage Minister Guilbeault Says Government Working on a New Data Tax https://www.michaelgeist.ca/2020/09/get-money-from-web-giants-grows-canadian-heritage-minister-guilbeault-says-government-working-on-a-new-data-tax/
  • Why Canadian Heritage Minister Steven Guilbeault’s Top Legislative Priority is Risky Business https://www.michaelgeist.ca/2020/09/get-money-from-web-giants-why-canadian-heritage-minister-steven-guilbeaults-top-legislative-priority-is-risky-business/
  • An Anti-Digital Agenda: Forget the Digital Policy Reboot, the Government Just Hit Delete Instead https://www.michaelgeist.ca/2020/09/antidigitalagenda/

• NIST updates and drafts:

  • NIST Cybersecurity Practice Guide—Special Publication (SP) 1800-11, Data Integrity: Recovering from Ransomware and Other Destructive Events https://csrc.nist.gov/publications/detail/sp/1800-11/final
  • Security and Privacy Controls for Information Systems and Organizations: NIST Publishes SP 800-53, Revision 5 https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
  • Performance Measurement Guide for Information Security: Pre-Draft Call for Comments until November 18 https://csrc.nist.gov/publications/detail/sp/800-55/rev-2/draft
• Trump Administration Takes Aim At Internet Legal Protections https://www.pymnts.com/legal/2020/trump-administration-takes-aim-at-internet-legal-protections/
• Judge rejects TikTok creators’ request to delay ban, says they won’t suffer ‘irreparable harm’ https://www.theverge.com/2020/9/27/21458242/judge-rejects-tiktok-creators-request-ban-says-they-wont-suffer-irreparable-harm
• Labor Dept Floats ‘Tests’ To Define Independent Contractors https://www.pymnts.com/gig-economy/2020/labor-dept-floats-tests-to-define-independent-contractors/

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• Introducing “YAYA”, a New Threat Hunting Tool From EFF Threat Lab https://www.eff.org/deeplinks/2020/09/introducing-yaya-new-threat-hunting-tool-eff-threat-lab
• Google Announces Chronicle Detect threat detection https://cloud.google.com/blog/products/identity-security/introducing-chronicle-detect-from-google-cloud
• Congress Questions NASA on Cybersecurity Efforts https://www.databreachtoday.com/congress-questions-nasa-on-cybersecurity-efforts-a-15030
• A Tip From a Kid Helped Uncover a Slew of Scam Apps https://www.wired.com/story/a-tip-from-a-kid-helped-uncover-a-slew-of-scam-apps
• FERC, NERC Conduct Study on Cyber Incident Response at Electric Utilities https://www.securityweek.com/ferc-nerc-conduct-study-cyber-incident-response-electric-utilities
• Ring plans to offer end-to-end encryption by the end of the year https://www.theverge.com/2020/9/24/21453581/ring-end-to-end-encryption-video-neighbors-app-amazon

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• When coffee makers are demanding a ransom, you know IoT is screwed https://arstechnica.com/information-technology/2020/09/how-a-hacker-turned-a-250-coffee-maker-into-ransom-machine/
• Chrome Vulnerabilities Expose Users to Attacks Via Malicious Extensions https://www.securityweek.com/chrome-vulnerabilities-expose-users-attacks-malicious-extensions
• ACE in Chains : How Risky is CBC Encryption of Binary Executable Files ? https://eprint.iacr.org/2020/1159

Hacking / Malware / Cybercrime / Exploitation

News covering active trends, alerts, events.

• Trends, Alerts, Events, and legal:

  • Microsoft: Attackers Exploiting ‘ZeroLogon’ Windows Flaw https://krebsonsecurity.com/2020/09/microsoft-attackers-exploiting-zerologon-windows-flaw/ and https://www.zdnet.com/article/microsoft-says-it-detected-active-attacks-leveraging-zerologon-vulnerability/
  • Microsoft Kills 18 Azure Accounts Tied to Nation-State Attacks https://threatpost.com/microsoft-azure-chinese-hackers/159551/
  • Federal Agency Hacked Using Stolen Office 365 Credentials https://www.databreachtoday.com/federal-agency-hacked-using-stolen-office-365-credentials-a-15068
  • (Biting the hand that feeds them?) Russian Hackers Target Russian Companies With Ransomware https://www.securityweek.com/russian-hackers-target-russian-companies-ransomware
  • Fileless Malware Tops Critical Endpoint Threats for 1H 2020 https://threatpost.com/fileless-malware-critical-ioc-threats-2020/159422/
  • Iranian Government Hacking Android https://www.schneier.com/blog/archives/2020/09/iranian-government-hacking-android.html
  • CISA warns of notable increase in LokiBot malware https://www.zdnet.com/article/cisa-warns-of-notable-increase-in-lokibot-malware/
  • KuCoin cryptocurrency exchange hacked for $150 million https://www.zdnet.com/article/kucoin-cryptocurrency-exchange-hacked-for-150-million

• Arrests, Charges & Sentencings:

  • 179 Arrested in Massive Global Dark Web Takedown https://www.wired.com/story/operation-disruptor-179-arrested-global-dark-web-takedown
  • Police Crack SMS Phishing Operation https://www.databreachtoday.com/police-crack-sms-phishing-operation-a-15049
  • Amazon staffers took bribes, manipulated marketplace, leaked data including search algorithms https://www.theregister.com/2020/09/21/amazon_fraud_bribery_charges/
  • Former 'Silk Road' Associate Pleads Guilty to Lying to Feds https://www.databreachtoday.com/former-silk-road-associate-pleads-guilty-to-lying-to-feds-a-15046
  • British Hacker Sentenced to 5 Years for Blackmailing U.S. Companies https://thehackernews.com/2020/09/british-hacker-jailed.html
  • Nigerian Man Sentenced to Three Years in Prison for Computer Hacking Scheme that Targeted Government Employees https://www.databreaches.net/nigerian-man-sentenced-to-three-years-in-prison-for-computer-hacking-scheme-that-targeted-government-employees/
  • Polish police shut down hacker super-group involved in bomb threats, ransomware, SIM swapping https://www.zdnet.com/article/polish-police-shut-down-hacker-super-group-involved-in-bomb-threats-ransomware-sim-swapping

Other Security / Risk

Articles covering other types of risks.

• Election Security:

  • Election Security and Transparency in 2020 https://freedom-to-tinker.com/2020/09/24/election-security-and-transparency-in-2020/
  • Pennsylvania's Supreme Court Prohibits Election Officials from Counting 'Naked Ballots;' PA Voters Must Use Secrecy Envelopes https://epic.org/2020/09/pennsylvanias-supreme-court-pr.html
  • In North Carolina, Black Voters’ Mail-In Ballots Much More Likely to Be Rejected Than Those From Any Other Race http://feeds.propublica.org/link/9499/13900020/in-north-carolina-black-voters-mail-in-ballots-much-more-likely-to-be-rejected-than-those-from-any-other-race
  • Twitter prepares for US election with new security training, penetration tests https://www.zdnet.com/article/twitter-prepares-for-us-election-with-new-security-training-penetration-tests
  • FBI, CISA Warn of Election Results Disinformation Campaigns https://www.databreachtoday.com/fbi-cisa-warn-election-results-disinformation-campaigns-a-15043
  • The Election That Could Break America https://www.theatlantic.com/magazine/archive/2020/11/what-if-trump-refuses-concede/616424/
• Let's Encrypt postpone the ISRG Root transition https://scotthelme.co.uk/lets-encrypt-postpone-isrg-root-transition/
• Phishing Awareness Gone Wrong https://www.databreachtoday.com/blogs/how-phishing-awareness-test-went-very-wrong-p-2948
• The Internet did my homework https://blog.talosintelligence.com/2020/09/the-internet-did-my-homework.html
• Pastebin adds 'Burn After Read' and 'Password Protected Pastes' to the dismay of the infosec community https://www.zdnet.com/article/pastebin-adds-burn-after-read-and-password-protected-pastes-to-the-dismay-of-the-infosec-community
• Texan City Told to Avoid Tap Water After Brain-Eating Microbe (amoebas) Found in Water Supply https://www.sciencealert.com/brain-eating-microbes-found-in-texas-city-water-residents-warned-to-boil-tap-water
• Old television took out an entire village’s broadband for 18 months https://www.zdnet.com/article/this-how-an-old-television-took-out-an-entire-villages-broadband-for-18-months/
• Proposed US fix for Boeing 737 Max software woes does not address Ethiopian crash scenario https://www.theregister.com/2020/09/23/boeing_737_max_faa_balpa/
• (Who knew?) A Man Died From Eating Too Much Black Licorice—Here's How That Can Happen https://www.mentalfloss.com/article/631316/man-dies-from-black-licorice
• (So that's what comes after Hurricane Z*) Tropical Storm Beta forms in the Gulf of Mexico, shattering records https://www.accuweather.com/en/hurricane/tropical-storm-beta-forms-in-the-gulf-of-mexico-shattering-records/815250
• Algorithms used in medicine are trained on data from only a few states https://www.theverge.com/21455946/medical-algorithm-ai-geography-research-accuracy
• If we put computers in our brains, strange things might happen to our minds https://www.zdnet.com/article/if-we-put-computers-in-our-brains-strange-things-might-happen-to-our-minds/
• (This is a near miss) Earth will exact a toll this week on this small, close-passing asteroid https://earthsky.org/space/asteroid-2020-sw-very-close-pass-sept-24-2020
• The ISS just avoided a ‘piece of unknown space debris’ https://www.theverge.com/2020/9/23/21451587/iss-space-junk-debris-avoidance-maneuver
• How much gold is there left to mine in the world? https://www.bbc.co.uk/news/business-54230737
• The Cheating Scandal That Ripped the Poker World Apart https://www.wired.com/story/stones-poker-cheating-scandal

• COVID-19 Other risks and impact:

  • Canadians dealing with ‘COVID fatigue’ as pandemic drags on https://globalnews.ca/news/7358555/covid-fatigue-pyschologist/
  • Canada’s federal deficit hits $148.6B amid coronavirus pandemic https://globalnews.ca/news/7359503/canada-coronavirus-deficit/ and https://globalnews.ca/news/7355369/canada-deficit-spending-coronavirus/
  • Canadians can now see conflicts of interest declared by COVID-19 vaccine task force https://globalnews.ca/news/7351016/covid-19-vaccine-task-force-conflicts-of-interest-disclosures/
  • British Columbians heading to the polls on October 24 in fall election https://globalnews.ca/news/7344215/british-columbians-heading-to-the-polls-on-october-24-in-fall-election/
  • Elections Saskatchewan recruiting up to 17K workers for pandemic vote https://globalnews.ca/news/7354909/elections-saskatchewan-pandemic-vote-coronavirus/
  • Aruba Is Inviting People Who Work From Home to Work From The Beach Instead https://www.mentalfloss.com/article/630451/aruba-invites-remote-workers-to-stay-months
  • As Movie Theaters Struggle, Farmers Are Running Out of Room for Unsold Popcorn https://www.mentalfloss.com/article/630808/movie-theater-closures-create-popcorn-surplus
  • The new 2020 iPad isn’t enough for Zoom school https://www.theverge.com/21451699/apple-ipad-2020-review-eighth-generation-bionic-processor-zoom
  • Dr. Bonnie Henry says she’s received death threats during B.C’s COVID-19 response https://globalnews.ca/news/7352062/dr-bonnie-henry-says-shes-recieved-death-threats-during-b-cs-covid-19-response/

COVID-19 updates.

COVID related articles. We have been following coronavirus risks since https://controlgap.com/blog/this-weeks-insecurity-issue-147.

• The spread, curves, spikes, and waves - now reinfection:

  • U.S. surpasses 7 million coronavirus cases as Midwest states become latest hotspots https://globalnews.ca/news/7357987/us-coronavirus-7-million-cases/
  • Coronavirus numbers are surging in Canada. But who’s getting sick and why? https://globalnews.ca/news/7350503/coronavirus-cases-surging-canada-why/
  • Canada adds 1,454 COVID-19 cases as diagnoses soar in Ontario (491), Quebec (896) https://globalnews.ca/news/7362771/coronavirus-canada-update-september-27/
  • Huge crowds show up in Wasaga Beach, Ont., for car rally despite coronavirus restrictions https://globalnews.ca/news/7362338/huge-crowds-wasaga-beach-car-rally/
  • U.S. researchers project Canada could see over 16,000 coronavirus deaths by January https://globalnews.ca/news/7355042/canada-coronavirus-deaths-projections-january/
  • Canada schools debate removing common cold symptoms from coronavirus checklist https://globalnews.ca/news/7358167/coronavirus-school-common-cold-symptoms/
  • 2,500 Swiss students quarantined for coronavirus after off-campus partying https://globalnews.ca/news/7355249/2500-students-quarantined-coronavirus-swiss-school/
  • 40 people had a BBQ at an Ottawa park. Days later 105 people are quarantined for coronavirus https://globalnews.ca/news/7352681/coronavirus-ottawa-park-bbq-quarantine-spread/

• Guidance, Response and Recovery:

  • The Atlantic Daily: Why the U.S. Stopped Caring About COVID-19 Deaths https://www.theatlantic.com/newsletters/archive/2020/09/200-000-covid-19-deaths-us/616440/
  • Google introduces COVID-19 layer to Maps, revealing hotspot infection areas https://www.zdnet.com/article/google-introduces-covid-19-layer-to-maps-reveals-hotspot-areas/

• Treatments, Testing, Triage, and Trials, and things we learned:

  • Woman waits 7 hours for COVID-19 test, calls it ‘unacceptable in a modern city like Toronto’ https://globalnews.ca/news/7354842/woman-waits-7-hours-covid-test-toronto/
  • Dogs Deployed at Helsinki Airport Can Detect COVID-19 With Almost 100% Accuracy https://www.sciencealert.com/dogs-deployed-at-helsinki-airport-can-detect-covid-19-with-near-perfect-accuracy
  • Coronavirus Mutations: What We've Learned So Far https://www.sciencealert.com/coronavirus-mutations-what-we-ve-learned-so-far
  • SARS-CoV-2 Seems to Block Some Pain Signals - inreases likelihood of spread https://www.sciencealert.com/sars-cov-2-appears-to-stop-us-feeling-pain-which-could-be-why-it-s-spreads-so-easily
  • Fauci: General Public Might Get COVID-19 Vaccine Doses By March, April 2021 https://www.pymnts.com/coronavirus/2020/fauci-general-public-might-get-covid-19-vaccine-doses-by-march-april-2021/
  • Coronavirus Vaccines Still Aren't Being Tested in Kids, And Experts Are Concerned https://www.sciencealert.com/potential-covid-19-vaccines-still-aren-t-being-tested-in-children

• Masks, anti-maskers, and distancing:

  • 2 people given $100 tickets for not wearing face masks on Edmonton transit https://globalnews.ca/news/7359861/2-people-100-ticket-not-wearing-face-mask-edmonton/
  • 4 businesses being ordered closed by Toronto Public Health https://globalnews.ca/news/7360017/coronavirus-toronto-public-health-businesses-ordered-closed/
  • Megachurch pastor who held no-mask services misses hearing after refusing to wear mask in court https://www.washingtonpost.com/nation/2020/09/23/louisiana-pastor-mask-court/

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• First Compelling Evidence of Organisms That Eat Viruses as a Food Source https://www.sciencealert.com/first-compelling-evidence-of-organisms-that-actually-eat-viruses-as-a-food-source
• Experimental Cancer Treatment Destroys Cancer Cells Without Using Any Drugs https://www.sciencealert.com/a-new-cancer-treatment-uses-a-trojan-horse-approach-and-no-drugs
• More Than 650 New Words Have Been Added to Dictionary.com—Here Are 50 of Them https://www.mentalfloss.com/article/630470/dictionarycom-adds-650-new-words-and-phrases
• Earth Is Set to Get a New Mini-Moon Next Month https://www.mentalfloss.com/article/631295/earth-gets-new-mini-moon
• NASA Makes Nuclear Fusion Breakthrough: State of Nuclear Fusion https://www.popularmechanics.com/science/energy/a34096117/nasa-nuclear-lattice-confiment-fusion/
• Young physicist 'squares the numbers' on time travel without paradox https://phys.org/news/2020-09-young-physicist-squares.html
• So, um, maybe the Sun will eventually swallow the Earth. Bummer. https://www.syfy.com/syfywire/so-um-maybe-the-sun-will-eventually-swallow-the-earth-bummer
• Ron Cobb, a Pioneer in Science Fiction Design, Dies at 83 https://www.nytimes.com/2020/09/23/arts/ron-cobb-dies.html