This Week's [in]Security - Issue 215

Welcome to This Week’s [in]Security. Magecart and more. Card Breaches. New breaches: Veterans, Durham, Chicago, New Ransomware: Colonial Pipeline, Darkside Shuttered, Insurance Irony, Ugliness & Triple Extortion, Bans, Deterrents. Follow-ups & Fall-out: Rapid-7, SolarWinds, HIBP. Privacy: Laws & Regs - Canada: C-10. US: Cyber EO, Forensic Transparency, Stupid Patent. UK, EU, HK: Facebook vs. EU, VPNs. Standards: NIST Crypto Update, IoT Confidence. Defense: Webinars, Webinars. Demystify Cyber, killing CAPTCHA, Passwordless GIT. Vulnerabilities: Acrobat, Wi-Fi's old flaws, e-Voting, Browser Scheme Flooding, Declassified Crypto. Cybercrime - Trends: Tor, Backdoored tools, Canada. Crime. Other Risks: DNA, Chips, Huawei. Health, Safety & Environment: Ventilation, Killer Asteroids, Chernobyl, Bitcoin impact, Batteries, Resignation backlog, Credit Confusion. Covid-19: Response. Immunity. Learned. Scientific Dogma. Impact. Covid Compliance. And more.

PCI Compliance and Payments

News and announcements relating to Payment Security, PCI, Card Brands, Payments, Payment Malware and Fraud, and Payment Related Compliance.

• JavaScript Fraud: More Than Just Magecart and Skimming https://www.imperva.com/blog/javascript-fraud-more-than-just-magecart-and-skimming/
• Magecart Hackers Now hide PHP-Based Backdoor In Website Favicons https://thehackernews.com/2021/05/magecart-hackers-now-hide-php-based.html
• AWS Configuration Issues Lead To Exposure Of 5 Million Records https://packetstormsecurity.com/news/view/32278/AWS-Configuration-Issues-Lead-To-Exposure-Of-5-Million-Records.html
• Herff Jones credit card breach impacts college students across the US https://www.bleepingcomputer.com/news/security/herff-jones-credit-card-breach-impacts-college-students-across-the-us/

Breaches / Ransomware / Leaks

Covering breaches, leaks, data exposures, ransomware (as potential breach), and their fallout.

• New Breaches:

  • 200K Veterans' Medical Records May Have Been Stolen by Ransomware Gang https://threatpost.com/veterans-medical-records-ransomware/166025/
  • Information on 73,000 Durham students breached in 'cybersecurity incident' https://www.680news.com/2021/05/10/durham-district-school-board-student-information-cyber-incident/
  • City of Chicago Hit by Data Breach at Law Firm Jones Day https://www.securityweek.com/city-chicago-hit-data-breach-law-firm-jones-day

• New Ransomware and "Incidents":

  • Colonial Pipeline paid a $5 million ransom-and kept a vicious cycle turning https://arstechnica.com/information-technology/2021/05/colonial-pipeline-paid-a-5-million-ransom-and-kept-a-vicious-cycle-turning/ and https://www.zdnet.com/article/colonial-pipeline-paid-close-to-5-million-in-ransomware-blackmail-payment
  • DarkSide Ransomware Gang Quits After Servers, Bitcoin Stash Seized https://krebsonsecurity.com/2021/05/darkside-ransomware-gang-quits-after-servers-bitcoin-stash-seized/, https://arstechnica.com/gadgets/2021/05/pipeline-attacker-darkside-suddenly-goes-dark-heres-what-we-know/, and https://threatpost.com/darksides-servers-shutdown/166187/
  • FBI, CISA publish alert on DarkSide ransomware https://www.zdnet.com/article/fbi-cisa-publish-alert-on-darkside-ransomware
  • Insurer AXA hit by ransomware after dropping support for ransom payments https://www.bleepingcomputer.com/news/security/insurer-axa-hit-by-ransomware-after-dropping-support-for-ransom-payments/
  • De: Hackers attack Energy Hamburg Radio https://www.databreaches.net/de-hackers-attack-energy-hamburg-radio/
  • Ireland's Health Services hit with $20 million ransomware demand https://www.bleepingcomputer.com/news/security/ireland-s-health-services-hit-with-20-million-ransomware-demand/
  • Jp: Two Salesforce incidents reportedly shut down online vaccination reservation systems, exposed other personal info https://www.databreaches.net/jp-two-salesforce-incidents-reportedly-shut-down-online-vaccination-reservation-systems-exposed-other-personal-info/
  • NC: Anson experiences cyberattack; county services including phone, email affected https://www.databreaches.net/nc-anson-experiences-cyberattack-county-services-including-phone-email-affected/
  • Ransomware Is Getting Ugly https://www.schneier.com/blog/archives/2021/05/ransomware-is-getting-ugly.html
  • Ransomware's New Swindle: Triple Extortion https://threatpost.com/ransomwares-swindle-triple-extortion/166149/
  • Popular Russian hacking forum XSS bans all ransomware topics https://www.bleepingcomputer.com/news/security/popular-russian-hacking-forum-xss-bans-all-ransomware-topics/
  • Paying a Ransom: Does It Really Encourage More Attacks? https://www.databreachtoday.com/paying-ransom-does-really-encourage-more-attacks-a-16623

• Follow-ups and fall-out:

  • Rapid7 source code, alert data accessed in Codecov supply chain attack https://www.zdnet.com/article/rapid7-source-code-alert-data-accessed-in-codecov-supply-chain-attack
  • SolarWinds Shares More Information on Cyberattack Impact, Initial Access Vector https://www.securityweek.com/solarwinds-shares-more-information-cyberattack-impact-initial-access-vector
  • DriveSure - 3,675,099 breached accounts https://haveibeenpwned.com/PwnedWebsites#DriveSure
  • WedMeGood - 1,306,723 breached accounts https://haveibeenpwned.com/PwnedWebsites#WedMeGood

Privacy

Articles about privacy related news, risks, and trends.

• Apple rejected over 215,000 apps in 2020 for privacy violations https://www.bleepingcomputer.com/news/apple/apple-rejected-over-215-000-apps-in-2020-for-privacy-violations/
• After EPIC-Led Coalition Letter, DC Area Facial Recognition System Will Shut Down https://epic.org/2021/05/after-epic-led-coalition-lette.html

Laws, Regulations, Platforms, Standards, and Public Policy

News about laws, regulations, platform rules, and standards affecting security, privacy, technology, and public interest.

• Canada:

  • Failing Analysis: Why the Department of Justice "Updated" Charter Statement Doesn't Address Bill C-10's Free Speech Risks https://www.michaelgeist.ca/2021/05/failing-analysis-why-the-department-of-justice-updated-charter-statement-doesnt-address-bill-c-10s-free-speech-risks/
  • Heritage Minister Steven Guilbeault Signals Canadian Government Abandoning Support for Net Neutrality https://www.michaelgeist.ca/2021/05/heritage-minister-steven-guilbeault-signals-canadian-government-reversal-on-support-for-net-neutrality/

• US:

  • New US Executive Order on Cybersecurity https://www.schneier.com/blog/archives/2021/05/new-us-executive-order-on-cybersecurity.html
  • EFF tells California Court that Forensic Software Source Code Must Be Disclosed to the Defendant https://www.eff.org/deeplinks/2021/05/eff-tells-california-court-forensic-software-source-code-must-be-disclosed
  • How A Camera Patent Was Used to Sue Non-Profits, Cities, and Public Schools https://www.eff.org/deeplinks/2021/05/how-camera-patent-was-used-sue-non-profits-cities-and-public-schools

• World:

  • Facebook loses bid to block a potentially major change to EU data sharing https://www.theverge.com/2021/5/14/22436486/facebook-data-privacy-order-ireland-eu-privacy-shield
  • Germany Halts Facebook Sharing WhatsApp Data https://www.securityweek.com/germany-halts-facebook-sharing-whatsapp-data
  • Are VPNs Legal? 2021 VPN Laws in The U.S., China & The World https://www.cloudwards.net/are-vpns-legal/

• Standards News:

  • NIST Requests Public Comments on Six Existing Cryptography Standards and Special Publications by June 11 (FIPS 197/AES, SP 800-xx xx=15, 25,32, 38A/PKI, Cipher modes. …) https://csrc.nist.gov/projects/crypto-publication-review-project
  • NIST publishes draft Cybersecurity White Paper "Establishing Confidence in IoT Device Security: How do we get there? " for comments until June 14 https://csrc.nist.gov/publications/detail/white-paper/2021/05/14/establishing-confidence-in-iot-device-security/draft
  • Federal Information Security Educators (FISSEA) Summer Forum June 17, 2021, 1:00pm-4:00 pm ET https://www.nist.gov/news-events/events/2021/06/fissea-summer-forum-june-17-2021

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• Upcoming Webinars and Virtual Events:

  • NIST/NICE Webinar: May 19th 2-3pm Accredited Credential Programs- Building Trust Between Employers and Credential Providers Through Rigorous Assessments https://www.nist.gov/news-events/events/2021/05/nice-webinar-accredited-credential-programs-building-trust-between-0
  • Recordings of the Inaugural Space Cybersecurity Symposium: Access for Start-ups are posted https://www.nist.gov/news-events/events/2021/05/inaugural-space-cybersecurity-symposium-access-start-up
• How to 'Demystify' Cybersecurity https://www.databreachtoday.com/how-to-demystify-cybersecurity-a-16593
• Cloudflare wants to kill the CAPTCHA https://www.zdnet.com/article/cloudflare-wants-to-kill-the-captcha
• GitHub Prepares to Move Beyond Passwords https://threatpost.com/github-security-keys-passwords/166054/
• How to Get into the Bug-Bounty Biz: The Good, Bad and Ugly https://threatpost.com/how-to-bug-bounties/165657/

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• Alert: Hackers Exploit Adobe Reader 0-Day Vulnerability in the Wild https://thehackernews.com/2021/05/alert-hackers-exploit-adobe-reader-0.html
• Decades-Old 'Frag Attack' Flaws Affect Almost Every Wi-Fi Device https://www.wired.com/story/frag-attack-wi-fi-vulnerabilities
• A security researcher found Wi-Fi vulnerabilities that have existed since the beginning https://www.theverge.com/2021/5/12/22433134/fragattacks-wi-fi-vulnerabilities-update-security
• Microsoft May 2021 Patch Tuesday fixes 55 flaws, 3 zero-days https://www.bleepingcomputer.com/news/microsoft/microsoft-may-2021-patch-tuesday-fixes-55-flaws-3-zero-days/
• Wormable Windows Bug Opens Door to DoS, RCE https://threatpost.com/wormable-windows-bug-dos-rce/166057/
• Google Patches 19 Vulnerabilities With Chrome 90 Update https://www.securityweek.com/google-patches-19-vulnerabilities-chrome-90-update
• Researchers Flag e-Voting Security Flaws https://threatpost.com/e-voting-security-flaws/166110/
• Number of industrial control systems on the internet is lower then in 2020...but still far from zero, (Wed, May 12th) https://isc.sans.edu/diary/rss/27412
• Scheme Flooding' Allows Websites to Track Users Across Browsers https://threatpost.com/scheme-flooding-website-tracking/166185/
• Security researcher successfully jailbreaks an Apple AirTag https://arstechnica.com/information-technology/2021/05/security-researcher-successfully-jailbreaks-an-apple-airtag/
• Newly Declassified NSA Document on Cryptography in the 1970s https://www.schneier.com/blog/archives/2021/05/newly-unclassified-nsa-document-on-cryptography-in-the-1970s.html

Hacking / Malware / Cybercrime / Exploitation

News covering active trends, alerts, events.

• Trends, Alerts, and Events (other than major breaches):

  • Over 25% Of Tor Exit Relays Spied On Users https://thehackernews.com/2021/05/over-25-of-tor-exit-relays-are-spying.html
  • FIN7 Backdoor Masquerades as Ethical Hacking Tool https://threatpost.com/fin7-backdoor-ethical-hacking-tool/166194/
  • Microsoft: Threat actors target aviation orgs with new malware https://www.bleepingcomputer.com/news/security/microsoft-threat-actors-target-aviation-orgs-with-new-malware/
  • Fake Android, iOS apps promise lucrative investments while stealing your money https://www.zdnet.com/article/fake-android-ios-apps-promise-lucrative-investments-while-stealing-your-money
  • Cyberattacks on Canadian businesses up since remote work increased: report https://globalnews.ca/news/7854432/cyberattacks-canada-business-remote-work/

• Crime & Arrests, etc.:

  • Elon Musk and SNL: Scammers Steal Over $10 Million in Fake Bitcoin, Ethereum and Dogecoin Crypto Giveaways https://www.tenable.com/blog/elon-musk-snl-scammers-steal-over-10-million-in-bitcoin-ethereum-dogecoin-crypto-fake-giveaways
  • Operator of WeLeakInfo database marketplace sentenced to two years in prison https://www.databreaches.net/operator-of-weleakinfo-database-marketplace-sentenced-to-two-years-in-prison/
  • Feds break up alleged streaming password theft scheme https://www.theverge.com/2021/5/13/22434670/stolen-netflix-hbo-streaming-passwords-arrest-fraud
  • Amazon seized, destroyed two million fake products sent to warehouses in 2020 https://www.zdnet.com/article/amazon-seized-destroyed-two-million-fake-products-sent-to-order-warehouses-in-2020

Other Security / Risk

Articles covering other types of risks.

• How Your DNA-or Someone Else's-Can Send You to Jail https://www.eff.org/deeplinks/2021/05/how-your-dna-or-someone-elses-can-send-you-jail
• IBM says chip shortage could last two years https://www.bbc.co.uk/news/business-57105368
• Huawei's ability to eavesdrop on Dutch mobile users is a wake-up call for the telecoms industry https://theconversation.com/huaweis-ability-to-eavesdrop-on-dutch-mobile-users-is-a-wake-up-call-for-the-telecoms-industry-160316
• The child safety problem on platforms is worse than we knew https://www.theverge.com/2021/5/12/22432863/child-safety-platforms-thorn-report-snap-facebook-youtube-tiktok
• Microsoft is shutting down its Azure Blockchain Service https://www.zdnet.com/article/microsoft-is-shutting-down-its-azure-blockchain-service/

• Health, Safety & Environment:

  • Scientists rewrite the genesis of mosquito-borne viruses https://scienmag.com/scientists-rewrite-the-genesis-of-mosquito-borne-viruses/
  • Ventilation in buildings: where water sanitation was in the 1800s https://scienmag.com/ventilation-in-buildings-where-water-sanitation-was-in-the-1800s/
  • To prevent next pandemic, scientists say we must regulate air like food and water https://scienmag.com/to-prevent-next-pandemic-scientists-say-we-must-regulate-air-like-food-and-water/
  • Getting hospitals ready for the next pandemic https://www.theverge.com/22412046/hopsital-infrastructure-health-care-system-pandemic-coordination-covid
  • Ontario invests $35 million in nursing programs, adding 2,000 positions to the sector https://toronto.ctvnews.ca/ontario-invests-35-million-in-nursing-programs-adding-2-000-positions-to-the-sector-1.5427993
  • Alzheimer's might be an autoimmune disorder, Canadian research suggests https://globalnews.ca/news/7863300/alzheimers-autoimmune-disorder-research/
  • Tesla crash driver posted videos of himself riding without hands on wheel https://www.theguardian.com/us-news/2021/may/15/tesla-fatal-california-crash-autopilot
  • Lit cigarette, hand sanitizer ignite major car fire in Maryland https://globalnews.ca/news/7862813/hand-sanitizer-flammable-cigarette-car-fire/
  • Wind shatters glass bridge in China, leaving tourist stranded over drop https://globalnews.ca/news/7848048/glass-bridge-shatters-china-tourist/
  • Here's How Many Years in Advance We'd Need to Stop a Killer Asteroid Coming For Earth https://www.sciencealert.com/here-s-how-many-years-in-advance-we-d-need-to-stop-a-killer-asteroid-coming-for-earth
  • Chernobyl's nuclear fuel is smoldering again and there's a 'possibility' of another accident, scientists say https://www.businessinsider.com/chernobyl-nuclear-fuel-smolders-again-another-accident-is-possible-2021-5
  • Musk dumps Bitcoin over climate concerns. Is it bad for the environment? https://globalnews.ca/news/7858136/bitcoin-elon-musk-bad-environment/
  • Tesla stops taking Bitcoin for vehicle purchases, citing environmental harm https://www.theverge.com/2021/5/12/22433153/tesla-suspend-bitcoin-vehicle-purchase-cryptocurrency-elon-musk
  • Harvesting light like nature does https://scienmag.com/harvesting-light-like-nature-does/
  • 'Holy grail' battery breakthrough sees scientists solve 40-year problem https://www.independent.co.uk/life-style/gadgets-and-tech/battery-lithium-metal-electric-cars-b1846327.html
  • MIT unveils a new action plan to tackle the climate crisis https://scienmag.com/mit-unveils-a-new-action-plan-to-tackle-the-climate-crisis/
  • The grid needs to smarten up to reach clean energy goals https://www.theverge.com/22419206/smart-grid-renewable-energy-power-sector
  • Backyard chickens, rabbits, soybeans can meet household protein demand https://scienmag.com/backyard-chickens-rabbits-soybeans-can-meet-household-protein-demand/
• A workplace resignation boom may be looming. Here's why https://globalnews.ca/news/7863137/workplace-resignation-boom-why/
• Credit agencies can't tell my sister and me apart https://www.theverge.com/22421193/credit-reporting-infrastructure-errors-experian-equifax-transunion

COVID-19 updates.

COVID related articles. We have been following coronavirus risks since https://controlgap.com/blog/this-weeks-insecurity-issue-147.

• Guidance, Response, and Recovery:

  • These Ontario municipalities are imposing restrictions on out-of-towners to discourage visitors https://toronto.ctvnews.ca/these-ontario-municipalities-are-imposing-restrictions-on-out-of-towners-to-discourage-visitors-1.5428881
  • The physical distancing circles are back at Trinity Bellwoods Park in Toronto https://toronto.ctvnews.ca/the-physical-distancing-circles-are-back-at-trinity-bellwoods-park-in-toronto-1.5426930

• Immunity and Vaccinations:

  • Canada marks over 18M COVID-19 vaccine doses administered as cases persist https://globalnews.ca/news/7866143/covid-19-canada-wrap-vaccine-doses/
  • Toronto vaccination clinic administers more than 10,000 doses in less than 24 hours https://toronto.ctvnews.ca/toronto-vaccination-clinic-administers-more-than-10-000-doses-in-less-than-24-hours-1.5430573
  • COVID-19 vaccines providing much needed mental health boost after troublesome year https://globalnews.ca/news/7867436/covid-19-vaccines-mental-health/
  • Vaccinated people can ditch masks and social distancing in most places, CDC says https://www.theverge.com/2021/5/13/22434645/vaccines-masks-social-distancing-cdc-covid
  • Pop-up clinic goers left waiting for second dose appointments https://toronto.ctvnews.ca/pop-up-clinic-goers-left-waiting-for-second-dose-appointments-1.5422771
  • AstraZeneca vaccine 1st dose recipients in limbo after some provinces press pause https://globalnews.ca/news/7855955/astrazeneca-covid-vaccine-first-dose-pause/
  • COVID-19 grey areas like 'one-dose summer' show challenges in communicating science: experts https://globalnews.ca/news/7863313/justin-trudeau-one-dose-summer-covid/
  • No One Actually Knows If You're Vaccinated https://www.theatlantic.com/health/archive/2021/05/america-covid-vaccine-honor-system/618891/

• Things we learned:

  • Scientific silos, a long held and erroneous medical belief about airborne disease ended up making the pandemic worse https://www.wired.com/story/the-teeny-tiny-scientific-screwup-that-helped-covid-kill/
  • COVID-19: Majority of infected children may not show typical symptoms https://scienmag.com/covid-19-majority-of-infected-children-may-not-show-typical-symptoms/

• Impact:

  • Toronto library sets world record with 8 million digital download during pandemic https://toronto.ctvnews.ca/toronto-library-sets-world-record-with-8-million-digital-download-during-pandemic-1.5428710
  • Covid economy: What economists got right (and wrong) https://www.bbc.co.uk/news/world-us-canada-56938750

• Masks, anti-maskers, distancing, compliance, and repercussions:

  • Over 1,000 charges laid by Toronto police in past 3 weeks due to large gatherings https://toronto.ctvnews.ca/over-1-000-charges-laid-by-toronto-police-in-past-3-weeks-due-to-large-gatherings-1.5428398

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• Crack team scrambles to clean up egg yolk spill on Italian highway (love a good pun) https://globalnews.ca/news/7855701/egg-yolk-spill-crash-italy-highway/
• Never-ending detonations could blast hypersonic craft into space https://www.livescience.com/detonations-propel-hypersonic-craft-into-space.html
• NASA's OSIRIS-REx spacecraft begins its 2-year trip home with asteroid debris https://www.cbc.ca/news/science/osiris-rex-return-1.6021171
• Extrasolar Object Interceptor Would be Able to Chase Down the Next Oumuamua or Borisov and Actually Return a Sample https://www.universetoday.com/150393/extrasolar-object-interceptor-would-be-able-to-chase-down-the-next-oumuamua-or-borisov-and-actually-return-a-sample/
• In 1.3 Million Years, a Star Will Come Within 24 Light-Days of the Sun https://www.universetoday.com/151040/in-1-3-million-years-a-star-will-come-within-24-light-days-of-the-sun/