This Week's [in]Security - Issue 202 | insecurity | Control Gap

Welcome to This Week’s [in]Security. PCI HSM Update RFC. Vampire Skimmer. New breaches: New Ransomware. Encryption and Breaches. SolarWinds. NIST. Zero Days. Defender. Drivers. TCP Stacks. SAP. SonicWall. WordPress. SuperMicro. Trends. Water Plant Hack. Nation States. Supply-Chain Attack. Arrests, etc. SIM Swappers. AI Manipulators. Ambivalence. Health, Safety & Environment. Covid-19: Spread, Curves, Spikes, Waves, & reinfections. New Variants. Immunity, Vaccines, and Vaccination. The Good, Bad, and Ugly (Behaviour). And more.

PCI Compliance and Payments

News and announcements relating to Payment Security, PCI, Card Brands, Payments, Payment Malware and Fraud.

• Request for Comments: PTS HSM Security Requirements v4.0 https://blog.pcisecuritystandards.org/request-for-comments-pts-hsm-security-requirements-v4.0
• Web Credit Card Skimmer Steals Data from Another Credit Card Skimmer https://www.schneier.com/blog/archives/2021/02/web-credit-card-skimmer-steals-data-from-another-credit-card-skimmer.html

Breaches / Ransomware / Leaks

Covering breaches, leaks, data exposures, ransomware (as potential breach), and their fallout.

• New Breaches:

  • Brazilian authorities start probe as 102 million consumers are exposed in new leak https://www.databreaches.net/brazilian-authorities-start-probe-as-102-million-consumers-are-exposed-in-new-leak/
  • Hacker Blackmails Pirate IPTV Services, Threatens To Send User Data To Police https://www.databreaches.net/hacker-blackmails-pirate-iptv-services-threatens-to-send-user-data-to-police/
  • Made in India Koo app denies claims of data leak, talks about Chinese connection https://www.databreaches.net/made-in-india-koo-app-denies-claims-of-data-leak-talks-about-chinese-connection/
  • mHealth Apps Expose Millions to Cyberattacks https://www.databreaches.net/mhealth-apps-expose-millions-to-cyberattacks/
  • NC: SSA first sends confidential records to the wrong people, then refuses credit monitoring https://www.databreaches.net/nc-ssa-first-sends-confidential-records-to-the-wrong-people-then-refuses-credit-monitoring/
  • NC: Stolen Chatham county data posted online after cyber incident, includes personnel files, other sensitive documents https://www.databreaches.net/nc-stolen-chatham-county-data-posted-online-after-cyber-incident-includes-personnel-files-other-sensitive-documents/
  • Notification of Breach Affecting 219,000 Delayed https://www.databreachtoday.com/notification-breach-affecting-219000-delayed-a-15986
  • NY: Syracuse University email hack compromises personal info of 9,800 https://www.databreaches.net/ny-syracuse-university-email-hack-compromises-personal-info-of-9800/
  • TX: Threat actors dump patient files from Nocona General Hospital https://www.databreaches.net/tx-threat-actors-dump-patient-files-from-nocona-general-hospital/
  • University of Colorado responds to Accellion breach https://www.databreaches.net/university-of-colorado-responds-to-accellion-breach/

• New Ransomware and "Incidents":

  • Yandex suffers data breach after sysadmin sold access to user emails https://www.databreaches.net/yandex-suffers-data-breach-after-sysadmin-sold-access-to-user-emails/
  • Singtel Suffers Zero-Day Cyberattack, Damage Unknown https://threatpost.com/singtel-zero-day-cyberattack/163938/
  • Bannock County, Idaho – Notice of Data Security Event https://www.databreaches.net/bannock-county-idaho-notice-of-data-security-event/
  • CD Projekt Red hacked, refuses to pay ransom, opts for transparency https://www.databreaches.net/cd-projekt-red-hacked-refuses-to-pay-ransom-opts-for-transparency/
  • ECU Worldwide chief confirms IT systems are down after ‘cyber incident’ https://www.databreaches.net/ecu-worldwide-chief-confirms-it-systems-are-down-after-cyber-incident/
  • FR: Mutuelle Nationale des Hospitaliers et des professionnels de la santé et du social (MNH) discloses cyberattack https://www.databreaches.net/fr-mutuelle-nationale-des-hospitaliers-et-des-professionnels-de-la-sante-et-du-social-mnh-discloses-cyberattack/
  • FR: The Dax hospital center targeted by a large-scale cyber attack https://www.databreaches.net/fr-the-dax-hospital-center-targeted-by-a-large-scale-cyber-attack/

• Follow-ups and fall-out:

  • WeChat Data Leak Leads To Arrest Of Tencent Executive Zhang Feng https://www.databreaches.net/wechat-data-leak-leads-to-arrest-of-tencent-executive-zhang-feng/
  • When to Report a Breach: Consideration of Encryption States https://www.databreaches.net/when-to-report-a-breach-consideration-of-encryption-states/

Privacy

Articles about privacy related news, risks, and trends.

• Dev creeped out after he fired up Ubuntu VM on Azure, was immediately approached by Canonical sales rep https://www.theregister.com/2021/02/11/microsoft_azure_ubuntu_data_sharing/
• Unmasking COVID apps, identifying insurrectionists, and staying hopeful about democracy https://mailchi.mp/citizenlab.ca/unmasking-covid-apps-identifying-insurrectionists-and-staying-hopeful-about-democracy

Laws, Regulations, Platforms, Standards, and Public Policy

News about laws, regulations, platform rules, and standards affecting security, privacy, technology, and public interest.

• US:

  • Senators Demand More Coordination in SolarWinds Investigation https://www.databreachtoday.com/senators-demand-more-coordination-in-solarwinds-investigation-a-15965
  • White House Taps Neuberger to Lead SolarWinds Probe https://www.databreachtoday.com/white-house-taps-neuberger-to-lead-solarwinds-probe-a-15976
  • Minneapolis prohibits use of facial recognition software by its police department https://www.theverge.com/2021/2/13/22281523/minneapolis-prohibits-facial-recognition-software-police-privacy
  • 11th Circuit’s strict new rule for data breach standing will figure in Equifax appeal https://www.databreaches.net/11th-circuits-strict-new-rule-for-data-breach-standing-will-figure-in-equifax-appeal/
  • Big Tech’s Unlikely Next Battleground: North Dakota https://www.nytimes.com/2021/02/14/technology/north-dakota-tech-apps.html
  • No joy for Julian Assange as Uncle Sam confirms it will keep pushing for WikiLeaker's extradition to America https://www.theregister.com/2021/02/10/julian_assange_dept_justice/
  • Victory! EFF Scores Another Win for the Public’s Right of Access against Patent Owner Fighting for Secrecy https://www.eff.org/deeplinks/2021/02/victory-eff-scores-another-win-publics-right-access-against-patent-owner-fighting

• World:

  • The Netherlands: 440,000 EUR fine for hospital for inadequate authentication and logging https://www.databreaches.net/the-netherlands-440000-eur-fine-for-hospital-for-inadequate-authentication-and-logging/

• Platforms

  • Clapper permanently bans QAnon-related content https://www.theverge.com/2021/2/11/22278480/clapper-tiktok-clone-bans-qanon-content-parler-deplatforming-capitol-riot

• New and Updated Standards:

  • NIST is pleased to announce the release of the final NISTIR 8323, Foundational PNT Profile: Applying the Cybersecurity Framework for the Responsible Use of Positioning, Navigation, and Timing (PNT) Services. https://csrc.nist.gov/publications/detail/nistir/8323/final

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• The Importance of a Good Software Security Policy https://blog.isc2.org/isc2_blog/2021/02/the-importance-of-a-good-software-security-policy.html
• The time for Insider Risk Management is now: Code42 2021 Data Exposure Report Reveals a Perfect Storm https://threatpost.com/the-time-for-insider-risk-management-is-now-code42-2021-data-exposure-report-reveals-a-perfect-storm/163754/
• How AI Is Learning to Identify Toxic Online Content https://www.scientificamerican.com/article/can-ai-identify-toxic-online-content/

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• The Untold History of America’s Zero-Day Market https://www.wired.com/story/untold-history-americas-zero-day-market
• A Windows Defender Flaw Lurked Undetected for 12 Years https://www.wired.com/story/windows-defender-vulnerability-twelve-years and https://arstechnica.com/information-technology/2021/02/a-windows-defender-vulnerability-lurked-undetected-for-12-years/
• Intel Squashes High-Severity Graphics Driver Flaws https://threatpost.com/intel-graphics-driver-flaws/163810/
• Microsoft Patch Tuesday, February 2021 Edition https://krebsonsecurity.com/2021/02/microsoft-patch-tuesday-february-2021-edition/
• NUMBER:JACK: Nine Vulnerabilities Across 11 Open Source TCP/IP Stacks https://www.tenable.com/blog/numberjack-nine-vulnerabilities-across-multiple-open-source-tcpip-stacks
• Vulnerabilities in TCP/IP Stacks Allow for TCP Connection Hijacking, Spoofing https://www.securityweek.com/vulnerabilities-tcpip-stacks-allow-tcp-connection-hijacking-spoofing
• SAP Commerce Critical Security Bug Allows RCE https://threatpost.com/sap-commerce-critical-security-bug/163822/
• SonicWall Zero-Day https://www.schneier.com/blog/archives/2021/02/sonicwall-zero-day.html
• Vulnerabilities in NextGEN Gallery Plugin Exposed Many WordPress Sites to Takeover https://www.securityweek.com/vulnerabilities-nextgen-gallery-plugin-exposed-many-wordpress-sites-takeover
• Supermicro spy chips, the sequel: It really, really happened, and with bad BIOS and more, insists Bloomberg https://www.theregister.com/2021/02/12/supermicro_bloomberg_spying/

Hacking / Malware / Cybercrime / Exploitation

News covering active trends, alerts, events.

• Trends, Alerts, and Events:

  • Ransomware Profitability https://www.schneier.com/blog/archives/2021/02/ransomware-profitability.html
  • Android Devices Hunted by LodaRAT Windows Malware https://threatpost.com/android-devices-lodarat-windows/163769/
  • Hacks and zoom-bombings continue to plague educational facilities https://www.databreaches.net/hacks-and-zoom-bombings-continue-to-plague-educational-facilities/
  • Hybrid, Older Users Most-Targeted by Gmail Attackers https://threatpost.com/hybrid-older-users-gmail-attackers/163826/
  • LodaRAT Windows Malware Now Also Targets Android Devices https://thehackernews.com/2021/02/lodarat-windows-malware-now-also.html
  • Military, Nuclear Entities Under Target By Novel Android Malware https://threatpost.com/military-nuclear-entities-under-target-by-novel-android-malware/163830/
  • Free decrypter released for Avaddon ransomware victims… aaand, it’s gone! https://www.databreaches.net/free-decrypter-released-for-avaddon-ransomware-victims-aaand-its-gone/

• Water Plant Hack:

  • What’s most interesting about the Florida water system hack? That we heard about it at all. https://krebsonsecurity.com/2021/02/whats-most-interesting-about-the-florida-water-system-hack-that-we-heard-about-it-at-all/
  • 5 Critical Questions Raised by Water Treatment Facility Hack https://www.databreachtoday.com/5-critical-questions-raised-by-water-treatment-facility-hack-a-15955
  • Florida Water Plant Hack: Leaked Credentials Found in Breach Database https://threatpost.com/florida-water-plant-hack-credentials-breach/163919/
  • Poor Password Security Led to Recent Water Treatment Facility Hack https://thehackernews.com/2021/02/poor-password-security-lead-to-recent.html

• Nation State Actors:

  • Chinese APT Group Deploys ‘Most Sophisticated’ Shellcode https://www.databreachtoday.com/chinese-apt-group-deploys-most-sophisticated-shellcode-a-15962
  • Chinese Supply-Chain Attack on Computer Systems https://www.schneier.com/blog/archives/2021/02/chinese-supply-chain-attack-on-computer-systems.html
  • Dependency Confusion Supply-Chain Attack Hit Over 35 High-Profile Companies https://thehackernews.com/2021/02/dependency-confusion-supply-chain.html
  • North Korean attacks on crypto exchanges reportedly netted $316m in two years https://www.theregister.com/2021/02/10/north_korea_cryptocurrency/
  • NoxPlayer Android Emulator Supply-Chain Attack https://www.schneier.com/blog/archives/2021/02/noxplayer-android-emulator-supply-chain-attack.html
  • Supply-Chain Hack Breaches 35 Companies, Including PayPal, Microsoft, Apple https://threatpost.com/supply-chain-hack-paypal-microsoft-apple/163814/

• Crime:

  • 10 SIM Swappers Arrested for Stealing $100M in Crypto from Celebrities https://thehackernews.com/2021/02/10-sim-swappers-arrested-for-stealing.html and https://www.databreachtoday.com/sim-swapping-hackers-steal-celebrities-cryptocurrency-a-15964
  • Prosecutor charges former phone company employee in SIM-swap scheme https://arstechnica.com/information-technology/2021/02/former-phone-carrier-employee-accused-of-accepting-bribes-in-sim-swap-scam/
  • Arrest, Raids Tied to ‘U-Admin’ Phishing Kit https://krebsonsecurity.com/2021/02/arrest-raids-tied-to-u-admin-phishing-kit/
  • Egregor ransomware operators arrested in Ukraine https://www.databreaches.net/egregor-ransomware-operators-arrested-in-ukraine/
  • Yandex said it caught an employee selling access to users' inboxes https://www.zdnet.com/article/yandex-said-it-caught-an-employee-selling-access-to-users-inboxes
  • NY: Man Pleads Guilty to Stealing Nude Photos of Dozens of Victims https://www.databreaches.net/ny-man-pleads-guilty-to-stealing-nude-photos-of-dozens-of-victims/

Other Security / Risk

Articles covering other types of risks.

• City of Winnipeg responds to 352 frozen pipe calls https://globalnews.ca/news/7637214/city-of-winnipeg-frozen-pipe-calls/
• AI Can Now Learn to Manipulate Human Behavior https://www.sciencealert.com/ai-can-now-learn-to-manipulate-human-behavior
• New psychology research indicates that ambivalent people make less biased judgments https://www.psypost.org/2021/02/new-psychology-research-indicates-that-ambivalent-people-make-less-biased-judgments-59611
• How to Stop Doomscrolling News and Social Media https://www.scientificamerican.com/article/how-to-stop-doomscrolling-news-and-social-media/
• Universities need to wise up – or risk being consigned to history | John Naughton https://www.theguardian.com/commentisfree/2021/feb/13/universities-need-to-wise-up-or-risk-being-consigned-to-history

• Health, Safety & Environment:

  • Caution: 1918 influenza provides warning for potential future pandemic reemergence https://scienmag.com/caution-1918-influenza-provides-warning-for-potential-future-pandemic-reemergence/
  • 'Game-Changer' Drug Promotes Weight Loss Like No Medicine Ever Seen, Scientists Say https://www.sciencealert.com/game-changer-drug-promotes-weight-loss-like-no-medicine-ever-seen-scientists-say

COVID-19 updates.

COVID related articles. We have been following coronavirus risks since https://controlgap.com/blog/this-weeks-insecurity-issue-147.

• The spread, curves, spikes, waves, and reinfection:

  • 7-day average of new COVID-19 cases in U.S. drops below 100K for 1st time since November https://globalnews.ca/news/7640407/us-coronavirus-cases-below-100k-daily/
  • Ontario logs nearly 1,100 new COVID-19 cases and 18 deaths; Toronto data issue continues https://toronto.ctvnews.ca/ontario-logs-nearly-1-100-new-covid-19-cases-and-18-deaths-toronto-data-issue-continues-1.5306441

• New Variants:

  • ‘It’s a forest fire’: experts predict rise of COVID-19 variant cases, warn of 3rd wave https://globalnews.ca/news/7639265/coronavirus-canada-third-wave/
  • U.K. variant detected in three more cases at North York meat plant as Toronto releases workplace outbreak data https://toronto.ctvnews.ca/u-k-variant-detected-in-three-more-cases-at-north-york-meat-plant-as-toronto-releases-workplace-outbreak-data-1.5305974

• Guidance, Response, and Recovery:

  • Fully vaccinated people can skip quarantines, CDC says https://edition.cnn.com/world/live-news/coronavirus-pandemic-vaccine-updates-02-10-21/h_fb531acd5e7a48cb9b57b588a2a7379b
  • FULL LIST: Where is your region placed in Ontario’s 2021 COVID-19 reopening framework https://toronto.ctvnews.ca/where-is-your-region-placed-in-ontario-s-2021-covid-19-reopening-framework-1.5306959
  • Ontario reveals who will be prioritized next for the COVID-19 vaccine https://toronto.ctvnews.ca/ontario-reveals-who-will-be-prioritized-next-for-the-covid-19-vaccine-1.5308644
  • Study finds U.S. first responders have mixed feelings about COVID-19 vaccine https://scienmag.com/study-finds-u-s-first-responders-have-mixed-feelings-about-covid-19-vaccine/
  • New Zealand Auckland lockdown ordered https://www.bbc.co.uk/news/world-asia-56059960
  • Japan has the most beds per capita in the developed world. So why is its health system crashing? https://www.cnn.com/2021/02/10/asia/japan-healthcare-coronavirus-dst-intl-hnk/index.html
  • Some Cultures Have Fared Better With COVID-19. Here's What They Have in Common https://www.sciencealert.com/tighter-cultures-have-handled-covid-19-much-better-study-suggests

• Treatments, Testing, Triage, Trials, and things we Learned:

  • Why all the world's coronavirus would fit in a can of cola - http://www.bbc.com/future/article/20210210-why-the-entire-coronavirus-would-fit-in-a-can-of-coca-cola
  • Halifax microbiology lab looks at building capacity to test for COVID-19 variants https://globalnews.ca/news/7635209/halifax-lab-covid-19-variant-testing/
  • Why It's So Hard to Make Antiviral Drugs for COVID and Other Diseases https://www.scientificamerican.com/article/why-its-so-hard-to-make-antiviral-drugs-for-covid-and-other-diseases/
  • China refused to give WHO investigators raw data on early coronavirus cases: team member https://globalnews.ca/news/7639426/china-who-investigators-data/
  • Wuhan's COVID-19 outbreak probably 500% bigger than first thought, WHO team tells CNN https://www.businessinsider.com/who-signs-wider-wuhan-covid-19-outbreak-december-2019-cnn-2021-2
  • Coronavirus may linger for years, but could change into mild annoyance: experts https://globalnews.ca/news/7640399/coronavirus-linger-years/
  • Covid infecting humans through animal host 'probable' https://www.bbc.co.uk/news/world-56060616
  • Listen: A Forever Pandemic https://www.theatlantic.com/health/archive/2021/02/a-forever-pandemic/618023/
  • Scientists Think They've Figured Out What's Triggering Brain Fog in COVID-19 Patients https://www.sciencealert.com/scientists-may-have-identified-what-causes-brain-fog-in-people-with-covid-19
  • The Atlantic Daily: The Pandemic Can Still End Without Herd Immunity https://www.theatlantic.com/newsletters/archive/2021/02/what-if-we-never-reach-herd-immunity/618025/
  • Nun who survived flu pandemic, both world wars and coronavirus celebrates 117th birthday with red wine https://www.washingtonpost.com/nation/2021/02/10/nun-117-survive-covid-france/

• Immunity, Vaccines, and Vaccination:

  • Is It Safe to Delay a Second COVID Vaccine Dose? https://www.scientificamerican.com/article/is-it-safe-to-delay-a-second-covid-vaccine-dose/
  • Covid: Oxford-AstraZeneca vaccine to be tested on children https://www.bbc.co.uk/news/uk-56052673
  • Japan approves its 1st coronavirus vaccine, set to begin inoculations within days https://globalnews.ca/news/7640555/japan-coronavirus-vaccine/
  • Why Canada is falling behind in Covid vaccinations https://www.bbc.co.uk/news/world-us-canada-56035306

• More of the good, the bad, and the ugly:

  • COVID-19 positive man used forged document to appear negative at Pearson Airport https://toronto.citynews.ca/2021/02/10/covid-19-positive-man-used-fake-document-to-appear-negative-at-pearson-airport-police/
  • Covid-19 Vaccine Scams Spread Under Facebook's Watch https://www.wired.com/story/covid-19-vaccine-scams-spread-facebook-telegram

• Masks, anti-maskers, distancing, compliance, and repercussions:

  • 2 masks are better than 1 to protect against coronavirus, CDC confirms https://globalnews.ca/news/7633081/2-masks-better-than-1-cdc/
  • Researchers propose that humidity from masks may lessen severity of COVID-19 https://scienmag.com/researchers-propose-that-humidity-from-masks-may-lessen-severity-of-covid-19/
  • The CDC just outlined 5 new tricks to make your face mask more protective https://www.businessinsider.com/cdc-tips-improve-face-mask-protection-2021-2
  • Regina woman fined $2,800 for violating COVID-19 public health orders https://globalnews.ca/news/7636955/regina-woman-covid-19-public-health-orders/

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• 11 Objects Mistaken for UFOs https://www.mentalfloss.com/article/641697/objects-mistaken-ufos
• Can You Solve Albert Einstein’s Famous House Riddle? https://www.mentalfloss.com/article/638892/can-you-solve-einstein-house-riddle
• A 45 Ft 'Ice Volcano' Has Emerged in Kazakhstan. Here's How It Works https://www.sciencealert.com/a-45-ft-ice-volcano-has-just-recently-emerged-in-kazakhstan
• Why It Matters That Some Pigs Are Actually Pretty Good at Playing Video Games https://www.sciencealert.com/pigs-can-play-video-games-on-a-computer-using-their-snout-to-move-a-joystick
• Nasa's pioneering black women https://www.bbc.co.uk/news/stories-56029760
• Emirates Mars Mission Arrives at the Red Planet Today! https://www.universetoday.com/150047/emirates-mars-mission-arrives-at-the-red-planet-today/
• Striking NASA animation reveals the harrowing descent to Mars that the Perseverance rover is about to attempt https://www.businessinsider.com/nasa-animation-shows-perseverance-mars-rover-descent-landing-2021-2
• Plasma Thruster Could Dramatically Cut Down Flight Times to the Outer Solar System https://www.universetoday.com/150066/plasma-thruster-could-dramatically-cut-down-flight-times-to-the-outer-solar-system/
• Voyager 2 Has Entered the Space Between Solar Systems https://www.nytimes.com/2018/12/10/science/voyager-2-solar-system.html
• Have astronomers finally found a planet around Alpha Centauri? Maaaaaaaaaybe. https://www.syfy.com/syfywire/have-astronomers-finally-found-a-planet-around-alpha-centauri-maaaaaaaaaybe
• Is It a Planet? Astronomers Spy Promising Potential World around Alpha Centauri https://www.scientificamerican.com/article/is-it-a-planet-astronomers-spy-promising-potential-world-around-alpha-centauri/
• NASA’s TESS discovers new worlds in a river of young stars https://scienmag.com/nasas-tess-discovers-new-worlds-in-a-river-of-young-stars/
• Possible Super-Earth in the Habitable Zone at Alpha Centauri https://www.universetoday.com/150088/possible-super-earth-in-the-habitable-zone-at-alpha-centauri/
• Study of supergiant star Betelgeuse unveils the cause of its pulsations https://phys.org/news/2021-02-supergiant-star-betelgeuse-unveils-pulsations.html
• Could a Human Enter a Black Hole to Study It – And Survive the Event Horizon? https://scitechdaily.com/could-a-human-enter-a-black-hole-to-study-it-and-survive-the-event-horizon/
• See How Many Balloons It Would Take to Lift the House from Pixar's Up https://www.mentalfloss.com/article/642260/how-many-balloons-to-lift-pixar-up-house