This Week's [in]Security - Issue 186 | insecurity | Control Gap

Welcome to This Week’s [in]Security. Magecart? New breaches. New Ransomware. Facial Recognition. Facebook vs. NYU. COVID Alert App. Crypto-wars. NIST. Password Usability. Fast Fuzzing. Shodan Alternative. Adversarial ML. NSA top 25 Vulns. FPE weakness? Oracle megapatch. Chrome. Cisco DDoS. Magento. Power Grid. Phishing. Overlays. Trump's Password. Robinhood. Nation States. Legal actions. Election Security and Disinformation. AI fallibility. Health, Safety & Environment. Twinkies. Covid-19: Spread, Curves, Spikes, Waves, & reinfections. Contact Tracing. And more.

PCI Compliance and Payments

News and announcements relating to Payment Security, PCI, Card Brands, Payments, Payment Malware and Fraud.

• PCI 2020 Community Meeting Presentations Available to Attendees https://www.pcisecuritystandards.org/communitymeeting/2020online/northamerica_cm_login
• COVID-19 Impact on P2PE Assessments https://training.pcisecuritystandards.org/covid-19-impact-on-p2pe-assessments
• Two Leading Cybersecurity Organizations Issue Joint Bulletin on Threat of Account Testing Attacks https://www.pcisecuritystandards.org/about_us/press_releases/pr_10212020
• PCI Security Standards Council Bulletin: The Threat of Account Testing to Payment Security https://blog.pcisecuritystandards.org/beware-of-account-testing-attack and https://www.pcisecuritystandards.org/pdfs/PCI_SSC_NCFTA_Account_Testing_Bulletin_Final.pdf
• US retailer Made in Oregon confirms website data breach https://portswigger.net/daily-swig/us-retailer-made-in-oregon-confirms-website-data-breach
• PAX Technology and Moneris Solutions launch A920 in Canada https://www.pax.us/pax-technology-and-moneris-solutions-launch-a920-in-canada/

Breaches / Ransomware / Leaks

Covering breaches, leaks, data exposures, ransomware (as potential breach), and their fallout.

• New breaches:

  • U.S. Voter Data Traded on Hacker Forums: Researchers https://www.securityweek.com/us-voter-data-traded-hacker-forums-researchers
  • A nightmare breach involving psychotherapy records just got worse https://www.databreaches.net/a-nightmare-breach-involving-psychotherapy-records-just-got-worse/
  • Misconfigured cloud storage bucket exposed Pfizer drug safety-related reports https://www.databreaches.net/misconfigured-cloud-storage-bucket-exposed-pfizer-drug-safety-related-reports-researchers/
  • Japanese drug firm Shionogi hit by cyberattack and data breach https://www.databreaches.net/japanese-drug-firm-shionogi-hit-by-cyberattack-and-data-breach/
  • Probe ordered after phone data theft https://www.databreaches.net/probe-ordered-after-phone-data-theft/
  • Twitter-Owned SDK Leaking Location Data of Millions of Users https://www.databreaches.net/twitter-owned-sdk-leaking-location-data-of-millions-of-users/
  • Robo-advice firm suffers data breach https://www.databreaches.net/robo-advice-firm-suffers-data-breach/
  • Threat actors dump some student data from Walled Lake Consolidated Schools https://www.databreaches.net/threat-actors-dump-some-student-data-from-walled-lake-consolidated-schools/
  • Data on 2,750 partner firms of Japan Post unit leaked https://www.databreaches.net/data-on-2750-partner-firms-of-japan-post-unit-leaked/
  • Instagram Investigated for Exposure of Minors' Details https://www.databreachtoday.com/instagram-investigated-for-exposure-minors-details-a-15197

• New Ransomware:

  • Montreal’s STM public transport system hit by ransomware attack https://www.databreaches.net/montreals-stm-public-transport-system-hit-by-ransomware-attack/
  • Another REvil attack creates havoc for the Caribbean’s biggest conglomerate https://www.databreaches.net/another-revil-attack-creates-havoc-for-the-caribbeans-biggest-conglomerate/
  • Ransomware Knocks Out Voter Database in Georgia https://www.databreachtoday.com/ransomware-knocks-out-voter-database-in-georgia-a-15235
  • Ransomware Takes Down Network of French IT Giant https://threatpost.com/ransomware-french-it-giant/160484/
  • Sonoma Valley Hospital computer systems shut down by ‘security incident’ https://www.databreaches.net/sonoma-valley-hospital-computer-systems-shut-down-by-security-incident/
  • Parker County Texas Impacted by Computer Security Incident https://www.databreaches.net/tx-parker-county-impacted-by-computer-security-incident/

• Follow-ups and fall-out:

  • OSF Healthcare notifying patients of the Blackbaud incident https://www.databreaches.net/osf-healthcare-notifying-patients-of-the-blackbaud-incident/
  • Electronics retailer, Courts, fined $9,000 for second data breach in two years https://www.databreaches.net/courts-fined-9000-for-second-data-breach-in-two-years/

Privacy

Articles about privacy related news, risks, and trends.

• Activists Turn Facial Recognition Tools Against the Police https://www.nytimes.com/2020/10/21/technology/facial-recognition-police.html
• Facial recognition datasets are being widely used despite being taken down due to ethical concerns. https://freedom-to-tinker.com/2020/10/21/facial-recognition-datasets-are-being-widely-used-despite-being-taken-down-due-to-ethical-concerns-heres-how/
• Facebook wants the NYU Ad Observer to quit collecting data about its ad targeting https://www.theverge.com/2020/10/23/21531232/facebook-nyu-ads-politics-data-election
• Victory! EFF Wins Appeal for Access to Wiretap Application Records https://www.eff.org/deeplinks/2020/10/victory-eff-wins-appeal-access-wiretap-application-records
• Genetic genealogy technique used in Christine Jessop cold case comes with privacy concerns https://www.cbc.ca/radio/thecurrent/the-current-for-oct-19-2020-1.5767530/genetic-genealogy-technique-used-in-christine-jessop-cold-case-comes-with-privacy-concerns-warns-expert-1.5767904
• The LawBytes Podcast, Episode 66: Ann Cavoukian on Why Canadians Can Trust the COVID Alert App https://www.michaelgeist.ca/2020/10/lawbytes-podcast-episode-66/

Laws & Regulations / Standards

News about laws, regulations, and standards affecting security, privacy, technology, and public interest.

• Crypto-wars:

  • The encryption war is on again, and this time government has a new strategy https://www.zdnet.com/google-amp/article/the-encryption-war-is-on-again-and-this-time-government-has-a-new-strategy/
  • Berlin to Give Secret Services Access to Encrypted Conversations https://www.securityweek.com/berlin-give-secret-services-access-encrypted-conversations
  • New Report on Police Decryption Capabilities https://www.schneier.com/blog/archives/2020/10/new-report-on-police-decryption-capabilities.html
  • And if you thought the FBI were the only ones able to unlock encrypted phones? Pretty much every US cop can get the job done https://www.theregister.com/2020/10/21/us_phone_cracking/
  • Sweden Bans Huawei, ZTE From 5G, Calls China Biggest Threat https://www.securityweek.com/sweden-bans-huawei-zte-5g-calls-china-biggest-threat
  • FCC Wants More Information on Threat Posed by China Unicom https://www.databreachtoday.com/fcc-wants-more-information-on-threat-posed-by-china-unicom-a-15202

• Canada:

  • How Can Linking to an Article be Immoral When the Media Source Itself Does the Posting, Part 2: A Day in the Life of the Toronto Star on Facebook https://www.michaelgeist.ca/2020/10/a-day-in-the-life-of-the-toronto-star-on-facebook/
  • Submission to the Government of Canada on the Renewal of the Responsible Business Conduct Strategy https://citizenlab.ca/2020/10/submission-government-canada-on-renewal-of-responsible-business-conduct-strategy/
• Canadian News Media Lobby Group Calls for Creation of Government Digital Media Regulatory Agency https://www.michaelgeist.ca/2020/10/canadian-news-media-lobby-group-calls-for-creation-of-government-digital-media-regulatory-agency/

• US:

  • Judge again blocks Trump administration push to ban WeChat in the US https://www.theverge.com/2020/10/23/21531154/judge-denies-trump-administration-ban-wechat-tencent-china
  • Poll: Is Google guilty of antitrust violations? https://www.zdnet.com/article/zdnet-poll-is-google-guilty-of-antitrust-violations/
  • Tesla’s ‘Full Self-Driving’ beta test has caught the attention of federal safety regulators https://www.theverge.com/2020/10/23/21530411/teslas-full-self-driving-beta-test-nhtsa
  • After first floating $20bn penalty, DoJ suggests $60m fine for UMC's theft of Micron’s DRAM secrets https://www.theregister.com/2020/10/23/doj_decides_60m_is_enough/
  • EPIC Urges Massachusetts Supreme Court to Reject the Third Party Doctrine for Electronic Data Collected for a Service https://epic.org/2020/10/epic-urges-massachusetts-supre.html

• New NIST:

  • DRAFT Cybersecurity Profile for the Responsible Use of Positioning, Navigation and Timing (PNT) Services open for comment until November 23 https://csrc.nist.gov/publications/detail/nistir/8323/draft
  • NIST Technical Note: An Empirical Study on Flow-based Botnet Attacks Prediction https://csrc.nist.gov/publications/detail/white-paper/2020/10/22/an-empirical-study-on-flow-based-botnet-attacks-prediction/final

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• Finally: a usable and secure password policy backed by science https://techxplore.com/news/2020-10-usable-password-policy-science.html
• More control over windows updates https://www.computerworld.com/article/3586968/my-new-favorite-windows-update-setting.html
• 8 New and Hot Cybersecurity Certifications for 2020 https://www.darkreading.com/edge/theedge/8-new-and-hot-cybersecurity-certifications-for-2020/b/d-id/1339213
• Let’s build a high-performance fuzzer with GPUs! https://blog.trailofbits.com/2020/10/22/lets-build-a-high-performance-fuzzer-with-gpus/
• An Alternative to Shodan, Censys with User-Agent CensysInspect/1.1 https://isc.sans.edu/diary/rss/26718
• Microsoft, MITRE Release Adversarial Machine Learning Threat Matrix https://www.securityweek.com/microsoft-mitre-release-adversarial-machine-learning-threat-matrix
• How To Make Encrypted Data More Secure https://sector.ca/how-to-make-hashed-data-more-secure/
• CISSP Exam Retake Policy Change https://blog.isc2.org/isc2_blog/2020/10/cissp-exam-retake-policy-change.html

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• NSA publishes list of top vulnerabilities currently targeted by Chinese hackers https://www.zdnet.com/article/nsa-publishes-list-of-top-25-vulnerabilities-currently-targeted-by-chinese-hackers/
• Cryptanalysis of Feistel-Based Format-Preserving Encryption https://eprint.iacr.org/2020/1311
• How much does Oracle love you? Thiiiis much: Latest patch bundle has 402 fixes https://www.theregister.com/2020/10/21/oracle_october_patches/
• Google releases Chrome security update to patch actively exploited zero-day https://www.zdnet.com/article/google-releases-chrome-security-update-to-patch-actively-exploited-zero-day/
• Cisco Warns of Severe DoS Flaws in Network Security Software https://threatpost.com/cisco-dos-flaws-network-security-software/160414/
• Adobe Patches 9 Vulnerabilities in Magento https://www.securityweek.com/adobe-patches-9-vulnerabilities-magento
• How 30 Lines of Code Blew Up a 27-Ton Generator https://www.wired.com/story/how-30-lines-of-code-blew-up-27-ton-generator
• Nvidia Warns Gamers of Severe GeForce Experience Flaws https://threatpost.com/nvidia-gamers-geforce-experience-flaws/160487/
• Be Prepared, Microsoft Is Rolling Out The Big Windows 10 October 2020 Update https://www.forbes.com/sites/marcochiappetta/2020/10/20/be-prepared-microsoft-is-rolling-out-the-big-windows-10-october-2020-update/
• Here's why you might see Office PWAs auto-installing on Windows 10 https://www.zdnet.com/article/heres-why-you-might-see-office-pwas-auto-installing-on-windows-10/
• Discord desktop app vulnerability chain triggered remote code execution attacks https://www.zdnet.com/article/discord-desktop-app-vulnerable-to-remote-code-execution-bug/
• The Unsinkable Maddie Stone, Google's Bug-Hunting Badass https://www.wired.com/story/maddie-stone-project-zero-reverse-engineering/

Hacking / Malware / Cybercrime / Exploitation

News covering active trends, alerts, events.

• Trends, Alerts, and Events:

  • A Top Launching Pad For Phishing Attacks https://threatpost.com/facebook-launching-pad-phishing-attacks/160351/
  • Phishing groups are collecting user data, email and banking passwords via fake voter registration forms https://www.zdnet.com/article/phishing-groups-are-collecting-user-data-email-and-banking-passwords-via-fake-voter-registration-forms/
  • Microsoft Teams Phishing Attack Targets Office 365 Users https://threatpost.com/microsoft-teams-phishing-office-365/160458/
  • New remote overlay malware attacks on banking https://www.zdnet.com/article/this-new-malware-uses-remote-overlay-attacks-to-hijack-your-bank-account/
  • Donald Trump’s Twitter password is “maga2020!”, and there’s no 2FA, claims hacker https://www.databreaches.net/donald-trumps-twitter-password-is-maga2020-and-theres-no-2fa-claims-hacker/
  • White House Denies Trump's Twitter Account Was Hacked https://www.databreachtoday.com/white-house-denies-trumps-twitter-account-was-hacked-a-15228
  • Troy Hunt on Trumps password https://www.troyhunt.com/weekly-update-214/
  • LockBit Ransomware Uses Automation Tools to Pick Targets https://www.databreachtoday.com/lockbit-ransomware-uses-automation-tools-to-pick-targets-a-15236
  • Mysterious 'Robin Hood' hackers donating stolen money https://www.bbc.co.uk/news/technology-54591761

• Nation State Actors:

  • FBI, CISA: Russian hackers breached US government networks, exfiltrated data https://www.zdnet.com/article/fbi-cisa-russian-hackers-breached-us-government-networks-exfiltrated-data/

• Arrests, Charges & Sentencings:

  • 6 Russian military officers charged with a worldwide cyberattack https://www.cnn.com/2020/10/19/politics/russian-nationals-charged-justice-department/index.html
  • EU Sanctions 2 Russians for German Parliament Hack https://www.databreachtoday.com/eu-sanctions-2-russians-for-german-parliament-hack-a-15237
  • Hackers behind life-threatening attack on chemical maker are sanctioned https://arstechnica.com/information-technology/2020/10/us-sanctions-russian-hackers-who-hit-chemical-maker-with-dangerous-malware/

Other Security / Risk

Articles covering other types of risks.

• Election Security and Disinformation:

  • Cybercriminals Step Up Their Game Ahead of U.S. Elections https://threatpost.com/cybercriminals-step-up-game-us-elections/160373/
  • Election Tech That’s Super Simple https://www.nytimes.com/2020/10/19/technology/election-technology.html

• AI fallibility:

  • Split-Second Phantom Images Fool Autopilots https://www.schneier.com/blog/archives/2020/10/split-second-phantom-images-fool-autopilots.html

• Health, Safety & Environment:

  • Scientists Analysed Twinkies Kept in a Basement For 8 Years and ... https://www.sciencealert.com/fungi-make-a-meal-of-8-year-old-twinkies-proving-they-don-t-last-forever
  • Purdue Pharma to plead guilty, pay more than $8 billion and shut down for its role in opioid crisis https://www.cnn.com/2020/10/21/business/purdue-pharma-guilty-plea/index.html
  • ‘Murder hornet’ nest discovered near British Columbia border https://globalnews.ca/news/7418652/murder-hornet-nest-bc-border/
  • 2020 ties with 2005 for most named storms 'Zeta' https://www.accuweather.com/en/hurricane/tropical-storm-zeta-to-strike-yucatan-peninsula-before-taking-aim-at-us-gulf-coast/837558 and https://www.ncdc.noaa.gov/sotc/tropical-cyclones/200513
  • 2 small asteroids zipped by Earth closer than the moon https://www.space.com/2-asteroids-earth-flyby-same-day-october-2020
• NSS Labs Shuttered https://www.darkreading.com/vulnerabilities---threats/nss-labs-shuttered/d/d-id/1339220
• A Deepfake Porn Bot Is Being Used to Abuse Thousands of Women https://www.wired.com/story/a-deepfake-porn-bot-is-being-used-to-abuse-thousands-of-women
• Private Peering, DDoS, and Qanon and 8Chan go osffline https://krebsonsecurity.com/2020/10/qanon-8chan-sites-briefly-knocked-offline/
• Vermont backyard cam captures men sneaking across U.S.-Canada border https://montreal.ctvnews.ca/vermont-backyard-cam-captures-men-sneaking-across-u-s-canada-border-1.5151599

• Other risks relating to COVID and the new normal:

  • Experts say counterfeit hand sanitizer recall at Dollarama is a lesson for retailers https://toronto.citynews.ca/2020/10/21/experts-say-counterfeit-hand-sanitizer-recall-at-dollarama-is-a-lesson-for-retailers-2/

COVID-19 updates.

COVID related articles. We have been following coronavirus risks since https://controlgap.com/blog/this-weeks-insecurity-issue-147.

• The spread, curves, spikes, and waves - now reinfection:

  • U.S. shatters record with over 84,000 new coronavirus cases in single day https://globalnews.ca/news/7418793/coronavirus-us-new-record-cases/
  • Argentina becomes 5th country to surpass 1 million coronavirus cases https://globalnews.ca/news/7407215/argentina-1-million-coronavirus-cases/
  • Canada adds more than 2,500 new coronavirus cases Friday https://globalnews.ca/news/7417898/canada-coronavirus-cases-oct-23/
  • Ontario reports more than 1,000 new cases of COVID-19 on Sunday https://toronto.citynews.ca/2020/10/25/ontario-reports-more-than-1000-new-cases-of-covid-19-on-sunday/
  • Alberta reports 898 new cases of COVID-19, 4 additional deaths since Friday https://globalnews.ca/news/7406475/alberta-covid-19-update-october-19/
  • Toronto Public Health begins sharing more coronavirus testing data for neighbourhoods https://globalnews.ca/news/7406420/coronavirus-toronto-public-health-neighbourhoods-data/

• Contact Tracing:

  • When senior citizens are the early adopters https://www.theverge.com/21509117/contact-tracing-apps-digital-senior-nursing-homes

• Guidance, Response and Recovery:

  • China's Covid success compared to Europe shows lockdowns are the first step, not a solution https://www.cnn.com/2020/10/20/asia/china-europe-coronavirus-intl-hnk/index.html
  • EU removes Canadians from list of approved travellers because of COVID-19 https://www.cbc.ca/news/business/eu-travel-canada-1.5770782
  • ScareHouse: How a Famously In-Your-Face Haunted House Is Using the Pandemic to Its Advantage https://www.mentalfloss.com/article/633967/scarehouse-haunted-house-adapting-to-covid-19

• Treatments, Testing, Triage, and Trials:

  • A closer look at Canada's homegrown COVID-19 vaccine candidates https://www.cbc.ca/news/technology/canadian-vaccine-candidates-covid-coronavirus-1.5764874
  • Dr Fauci: Covid vaccine result could come by end of 2020 https://www.bbc.co.uk/news/uk-politics-54680499

• Things we learned:

  • Researchers Discover a Second 'Key' That Makes The New Coronavirus So Infectious https://www.sciencealert.com/a-second-key-used-by-sars-cov-2-to-enter-cells-could-explain-why-it-s-so-infectious
  • Research team discovers molecular processes in kidney cells that attract and feed COVID-19 https://scienmag.com/research-team-discovers-molecular-processes-in-kidney-cells-that-attract-and-feed-covid-19/

• Masks, anti-maskers, distancing, compliance, and repercussions:

  • Universal mask wearing could save 130,000 US lives before March, mitigating the worst of this third coronavirus surge https://www.businessinsider.com/universal-masks-save-lives-mitigate-third-surge-model-2020-10
  • Rapper Scams $1.2M in COVID-19 Relief, Gloats with ‘EDD’ Video https://threatpost.com/rapper-scams-covid-19-relief-video/160315/

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• Cars can’t crush the diabolical ironclad beetle, 2020’s latest horror https://globalnews.ca/news/7415690/diabolical-ironclad-beetle-uncrushable-car-video/
• Moog’s limited-edition theremin marks 100 years of weird sounds https://www.theverge.com/2020/10/22/21528892/moog-claravox-centennial-theremin-clara-rockmore
• 3 stunning 1950s-era concept cars have hit the market https://www.businessinsider.com/futuristic-1950s-alfa-romeo-concept-cars-auction-20-million-2020-10
• New world's fastest production car speed records at 316 mph https://www.cnn.com/2020/10/20/cars/ssc-tuatara-intl-hnk/index.html
• Solar Is Cheapest Energy: Renewable Energy vs. Fossil Fuels Cost https://www.popularmechanics.com/science/a34372005/solar-cheapest-energy-ever/
• Driver of the largest mass extinction in the history of the Earth identified https://phys.org/news/2020-10-driver-largest-mass-extinction-history.html and https://www.universetoday.com/148445/scientists-think-they-know-what-caused-the-deadliest-mass-extinction-in-the-history-of-the-earth/
• Geologists Have Found the Earth’s Missing Tectonic Plate https://www.universetoday.com/148487/geologists-have-found-the-earths-missing-tectonic-plate/
• Can a Moon Base Be Safe for Astronauts? https://www.scientificamerican.com/article/can-a-moon-base-be-safe-for-astronauts/
• NASA and Nokia to build internet on the moon https://www.independent.co.uk/life-style/gadgets-and-tech/nasa-nokia-internet-4g-moon-apollo-mission-b1157478.html
• Voyager Spacecraft Detect an Increase in The Density of Space Outside The Solar System https://www.sciencealert.com/for-some-reason-the-density-of-space-is-higher-just-outside-the-solar-system
• New nuclear engine concept could help realize 3-month trips to Mars https://newatlas.com/space/nuclear-thermal-propulsion-ntp-nasa-unsc-tech-deep-space-travel/
• What Would a Realistic Space Battle Look Like? https://www.universetoday.com/148433/what-would-a-realistic-space-battle-look-like/
• When we look out at alien worlds, are those alien worlds looking back? https://www.syfy.com/syfywire/when-we-look-out-at-alien-worlds-are-those-alien-worlds-looking-back
• Rogue Rocky Planet Found Adrift in the Milky Way https://www.scientificamerican.com/article/rogue-rocky-planet-found-adrift-in-the-milky-way/
• Stranger Than Fiction: The Monster in the Middle of the Milky Way Is…Spinning Slowly? https://scitechdaily.com/stranger-than-fiction-the-monster-in-the-middle-of-the-milky-way-isspinning-slowly/