This Week’s [in]Security – Issue 152
02 Mar 2020.
Welcome to This Week’s [in]Security. Trending: Coronavirus impact update: spread, defense, and impact. More crypto-wars fallout: Crypto AG criminal investigation. Throwing out Huawei and ZTE. Deepfakes and Payment Fraud. Samsung, Straffic 48M records, Hong Kong and Rotherwood Healthcare breaches. Clearview and DISA breach followups. Ransomware frees accused. Lifelabs blocking regulator. Desjardins' $108M breach cost. Shunning breached companies. SimpleTax buyer reneges on privacy. Alexa's listening. Sidewalk Labs privacy. Formalizing right to be forgotten. $200M FTC fine over cellphone location data. FB vs analytics firm. NY cybersecurity enforcement. NSA metadata collection. NIST Cyber security roadmap. Encrypted DNS update. Cloud risk mitigation. Preventing leaks. IOT class actions. TLS cert and signature changes. Memory encryption. Cybersecurity Humble Bundle. Ransomware gets to the backups. Zyxel zero-day hits more products. AWS firewall bypass. Ancient Tomcat bug found. IoT vacuum sucks camera data too. 2FA and unpatched phones. 2FA malware. Attacking healthcare for profit. PayPal abuse. RSA conference. DDoS as a smokescreen. Russian provocations. And more.
Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.
New - Emerging Issues and Trending Stories
This special section is dedicated to emerging issues and trending stories that cross multiple of our regular news categories.
Coronavirus not pandemic yet?
- Iran's deputy health minister and vice-president test positive for coronavirus https://www.aljazeera.com/news/2020/02/iran-deputy-health-minister-tests-positive-coronavirus-200225131520852.html and https://globalnews.ca/news/6603204/iran-saudi-arabia-coronavirus/
- Coronavirus spread prompts cities to cancel major events https://qz.com/1808672/coronavirus-spread-prompts-cities-to-cancel-major-events/
- The US' newest coronavirus patient had no known exposure to anyone sick and hadn't gone to China, which suggests containment might be impossible https://www.businessinsider.com/coronavirus-community-spread-us-health-systems-tested-2020-2
- How to prepare for coronavirus in the U.S. (Spoiler: Not sick? No need to wear a mask.) https://www.washingtonpost.com/health/2020/02/26/how-to-prepare-for-coronavirus/
- Canada prepares pandemic response plan as coronavirus cases continue to climb https://www.cbc.ca/news/politics/pandemic-response-cornavirus-canada-1.5473738
- The CDC Releases Predictions For How COVID-19 Will Spread in The US https://www.sciencealert.com/the-cdc-has-a-prediction-for-how-the-coronavirus-will-affect-the-us
- No, The CDC Is Not Telling People to Shave to Avoid The Coronavirus https://www.sciencealert.com/no-the-cdc-is-not-telling-people-to-shave-to-avoid-covid-19
- Feeling Anxious Over The Coronavirus? Here's What You Can Do https://www.sciencealert.com/here-s-some-expert-advice-on-ways-to-ease-anxiety-over-the-coronavirus-threat
- China bans human consumption and trade of wild animals https://www.ctvnews.ca/sci-tech/china-bans-human-consumption-and-trade-of-wild-animals-1.4824540
- Study reveals how drug meant for Ebola may also work against coronaviruses https://scienmag.com/study-reveals-how-drug-meant-for-ebola-may-also-work-against-coronaviruses/
- Five countries, five responses https://www.bbc.co.uk/news/av/world-51649358/coronavirus-five-countries-five-responses
- WHO page on disease emergencies, epidemics and pandemics https://www.who.int/emergencies/diseases/en/
- Wikipedia list of epidemics https://en.wikipedia.org/wiki/List_of_epidemics
- WHO Says Coronavirus is Not Yet a Pandemic, But Urges Countries to Prepare https://www.statnews.com/2020/02/24/who-tells-countries-prepare-coronavirus-pandemic-too-soon-to-make-call/
- The Week in Tech: Coronavirus Disrupts the Industry https://www.nytimes.com/2020/02/28/technology/coronavirus-disrupts-industry.html
- Stock markets sell off as coronavirus spread threatens global economy https://www.cbc.ca/news/business/markets-monday-coronavirus-1.5473520
- Coronavirus Decimates US Stock Market $1.7T In 48 Hours https://www.pymnts.com/news/investment-tracker/2020/coronavirus-decimates-us-stock-market-1-7t-in-48-hours/
- Economic hurt felt globally as nearly 60 countries report coronavirus cases https://globalnews.ca/news/6607996/coronavirus-outbreak-global-economy/
More crypto-wars fallout:
- Switzerland Files Criminal Complaint Over Crypto AG Spying “Operation Rubicon” https://www.reuters.com/article/us-swiss-spying-crypto-idUSKBN20O1VD
- Senate passes ‘rip and replace’ bill to remove old Huawei and ZTE equipment from networks https://techcrunch.com/2020/02/27/senate-passes-rip-and-replace-bill-to-remove-old-huawei-and-zte-equipment-from-networks/
PCI Compliance and Payments
News and announcements relating to Payment Security, PCI, Card Brands, Payments, Payment Malware and Fraud.
- Fraud Schemes Get ‘Scary’ as Chip Cards Push Crime Away From the Point of Sale https://www.digitaltransactions.net/fraud-schemes-get-scary-as-chip-cards-push-crime-away-from-the-point-of-sale/
Breaches / Ransomware / Leaks
Covering breaches, leaks, data exposures, ransomware (as potential breach), and their fallout.
- Samsung admits data breach following Find My Mobile fail https://www.tomsguide.com/news/samsung-admits-data-breach-following-find-my-mobile-fail
- Israeli Marketing Company Exposes Contacts Elasticsearch Database https://www.databreachtoday.com/israeli-marketing-company-exposes-contacts-database-a-13785 and credentials added to Have I Been Pwned (48,580,249 accounts) https://haveibeenpwned.com/PwnedWebsites#Straffic
- Data breach concerns after ‘theft’ of Hong Kong gov’t phones containing details of quarantined coronavirus residents https://www.databreaches.net/hk-data-breach-concerns-after-theft-of-hong-kong-govt-phones-containing-details-of-quarantined-coronavirus-residents/
- Rotherwood Healthcare AWS bucket security fail left elderly patients’ DNR choices freely readable online https://www.databreaches.net/uk-rotherwood-healthcare-aws-bucket-security-fail-left-elderly-patients-dnr-choices-freely-readable-online/
- Clearview AI’s breached client list includes 2,200 organizations spanning law enforcement to universities https://www.theverge.com/2020/2/27/21156678/clearview-ai-client-macy-fbi-doj-twitter-facebook-youtube and https://www.forbes.com/sites/kateoflahertyuk/2020/02/26/clearview-ai-the-company-whose-database-has-amassed-3-billion-photos-hacked/
- Last week's breach list included DISA, the agency in charge of securing White House communications https://threatpost.com/data-breach-occurs-at-agency-in-charge-of-secure-white-house-communications/153160/
- Massachusetts Electric Utility Hit by Ransomware https://www.securityweek.com/massachusetts-electric-utility-hit-ransomware
- US Railroad Contractor Reports Data Breach After Ransomware Attack https://www.databreaches.net/us-railroad-contractor-reports-data-breach-after-ransomware-attack/
- Six suspected drug dealers went free after police lost evidence in ransomware attack https://www.zdnet.com/article/six-suspected-drug-dealers-went-free-after-police-lost-evidence-in-ransomware-attack/
- LifeLabs fights bid to keep data breach report out of the hands of the Information and Privacy Commissioner https://www.vancourier.com/news/lifelabs-fights-bid-for-report-on-cyberattack-in-wake-of-data-breach-1.24087603
- Desjardins Group says 2019 theft of 4.2 million members’ data cost $108 million https://globalnews.ca/news/6599224/desjardins-data-theft-cost-108-million/
- One in four Americans won’t do business with data-breached companies https://www.zdnet.com/article/one-in-four-americans-wont-do-business-with-data-breached-companies/
Privacy
Articles about privacy related news, risks, and trends.
- The Canadian tech company that changed its mind about using your tax return to sell stuff https://www.cbc.ca/radio/costofliving/the-canadian-tech-company-that-changed-its-mind-about-using-your-tax-return-to-sell-stuff-1.5471400
- Don't worry, Alexa and friends only record you up to 19 times a day https://www.zdnet.com/article/dont-worry-alexa-and-friends-only-record-you-up-to-19-times-a-day/
- Google asked to justify Toronto 'digital-city' plan https://www.bbc.com/news/technology-51658116
- 'Privacy by Design' Implementation Tips https://www.bankinfosecurity.com/interviews/privacy-by-design-implementation-tips-i-4603
- Formalizing Data Deletion in the Context of the Right to be Forgotten https://eprint.iacr.org/2020/254
- If you're serious about browser privacy, you should probably pass on Edge or Yandex https://www.theregister.co.uk/2020/02/27/edge_and_yandex_browser_privacy_shame/
- FTC Publishes Privacy and Data Security Update for 2019 https://epic.org/2020/02/ftc-publishes-privacy-and-data.html
- Guess what? GDPR Enforcement Is On Fire! https://www.datex.ca/blog/guess-what-gdpr-enforcement-is-on-fire
- F.C.C. to Fine Cellphone Carriers AT&T, Sprint, Verizon, and T-Mobile $200M for Selling Customers’ Locations https://www.nytimes.com/2020/02/27/technology/fcc-location-data.html and https://www.theverge.com/2020/2/27/21156555/verizon-sprint-att-tmobile-fcc-fine-carriers-consumer-data-disclosure
- Facebook Sues Analytics Firm for Data Misuse https://www.securityweek.com/facebook-sues-analytics-firm-data-misuse
Laws & Regulations / Standards
News about laws, regulations, and standards affecting security, privacy, technology, and public interest.
- New York State Expected to Increase Enforcement of Cybersecurity Practices https://www.databreaches.net/new-york-state-expected-to-increase-enforcement-of-cybersecurity-practices/
- Newly Declassified Study Demonstrates Uselessness of NSA's Phone Metadata Program / The Costs of Spying https://www.schneier.com/blog/archives/2020/02/newly_declassif.html and https://www.theatlantic.com/ideas/archive/2020/02/costs-spying/607177/
- NIST Internal Report (NISTIR) 8287: A Roadmap for Successful Regional Alliances and Multistakeholder Partnerships to Build the Cybersecurity Workforce https://csrc.nist.gov/publications/detail/nistir/8287/final
Defense / Techniques / Solutions
Covering developments and opportunities that may help improve security.
- Firefox Enables DNS over HTTPS https://www.schneier.com/blog/archives/2020/02/firefox_enables.html and https://www.theverge.com/2020/2/25/21152335/mozilla-firefox-dns-over-https-web-privacy-security-encryption
- White Paper on Cloud Security Risks - And How To Mitigate Them https://blog.isc2.org/isc2_blog/2020/02/white-paper-on-cloud-security-risks-and-how-to-mitigate-them.html
- How to Prevent an AWS Cloud Bucket Data Leak https://www.darkreading.com/application-security/database-security/how-to-prevent-an-aws-cloud-bucket-data-leak--/d/d-id/1337093
- Securing the Internet of Things through Class-Action Lawsuits https://www.schneier.com/blog/archives/2020/02/securing_the_in.html
- Bulletproof TLS Newsletter #62 One-year certificate lifetimes are coming, 3DES and SHA-1 signature deprecation begins https://www.feistyduck.com/bulletproof-tls-newsletter/issue_62_one_year_certificate_lifetimes_are_coming
- Unmasking Data Masking https://www.datex.ca/blog/unmasking-data-masking-0
- Data Encryption on Android with Jetpack Security https://security.googleblog.com/2020/02/data-encryption-on-android-with-jetpack.html
- Improving Malicious Document Detection in Gmail with Deep Learning https://security.googleblog.com/2020/02/improving-malicious-document-detection.html
- Cybersecurity alliance launches first open source messaging framework for security tools https://www.zdnet.com/article/cybersecurity-alliance-launches-first-open-source-messaging-framework-for-security-tools/
- Intel promises Full Memory Encryption in upcoming CPUs https://arstechnica.com/gadgets/2020/02/intel-promises-full-memory-encryption-in-upcoming-cpus/
- Humble Bundle's 2020 Cybersecurity Books https://www.schneier.com/blog/archives/2020/02/humble_bundles_.html
Bugs / Design Flaws / Vulnerabilities / Research
Articles about newly discovered vulnerabilities and research.
- Ransomware victims thought their backups were safe. They were wrong https://www.zdnet.com/article/ransomware-victims-thought-their-backups-were-safe-they-were-wrong/
- Intel KVM Virtualization Hit By Vulnerability Over Unfinished Code https://phoronix.com/scan.php?page=news_item&px=Intel-KVM-CVE-2020-2732
- Zyxel Fixes 0day in Network Storage Devices https://krebsonsecurity.com/2020/02/zyxel-fixes-0day-in-network-storage-devices/
- Zyxel 0day Affects its Firewall Products, Too https://krebsonsecurity.com/2020/02/zyxel-0day-affects-its-firewall-products-too/
- 'Cloud Snooper' Attack Circumvents AWS Firewall Controls https://www.darkreading.com/cloud/cloud-snooper-attack-circumvents-aws-firewall-controls/d/d-id/1337171
- Ghostcat bug impacts all Apache Tomcat versions released in the last 13 years https://www.zdnet.com/article/ghostcat-bug-impacts-all-apache-tomcat-versions-released-in-the-last-13-years/
- Chrome 80 update cripples AZORult malware and top cybercrime marketplace https://www.zdnet.com/article/chrome-80-update-cripples-top-cybercrime-marketplace/
- Google Patches Chrome Browser Zero-Day Bug, Under Attack https://threatpost.com/google-patches-chrome-browser-zero-day-bug-under-attack/153216/
- Unpatched Security Flaws Open Connected Vacuum to Takeover https://threatpost.com/unpatched-security-flaws-open-connected-vacuum-to-takeover/153142/
- Don't run your 2FA authenticator app on these smartphones https://www.tomsguide.com/uk/news/mobile-auth-app-hack-rsa20
- New Kr00k vulnerability lets attackers decrypt WiFi packets https://www.zdnet.com/article/new-kr00k-vulnerability-lets-attackers-decrypt-wifi-packets/
- New Evasion Encyclopedia Shows How Malware Detects Virtual Machines https://www.bleepingcomputer.com/news/security/new-evasion-encyclopedia-shows-how-malware-detects-virtual-machines/
- The Long Path out of the Vulnerability Disclosure Dark Ages https://www.wired.com/story/vulnerability-disclosure-bug-bounties/
- How a Hacker's Mom Broke Into a Prison—and the Warden's Computer https://www.wired.com/story/hackers-mom-broke-into-prison-wardens-computer/
Hacking / Malware / Cybercrime / Exploitation
News covering active trends and events.
- Android malware can steal Google Authenticator 2FA codes https://www.zdnet.com/article/android-malware-can-steal-google-authenticator-2fa-codes/
- Hackers Cashing In On Healthcare Industry Security Weaknesses https://threatpost.com/hackers-cashing-in-on-healthcare-industry-security-weaknesses/153238/
- PayPal accounts abused en-masse for unauthorized payments https://www.zdnet.com/article/paypal-accounts-are-getting-abused-en-masse-for-unauthorized-payments/
- Stalkerware infections grew by 40% in 2019 https://www.zdnet.com/article/stalkerware-infections-grew-by-40-in-2019-says-kaspersky/
- Raccoon: The Story of a Typical Infostealer https://www.cyberark.com/threat-research-blog/raccoon-the-story-of-a-typical-infostealer/
- FBI Warned Of Fraudster’s Paradise: Up To 130,000 Hacked Asus Routers On Sale For A Few Dollars https://www.databreaches.net/fbi-warned-of-fraudsters-paradise-up-to-130000-hacked-asus-routers-on-sale-for-a-few-dollars/
- Winnipeg police warn of bank investigator scams that cost Manitobans over $1M in 2019 https://globalnews.ca/news/6615775/winnipeg-police-scam-manitobans/
- FBI arrests neo-Nazi group Atomwaffen’s leader on swatting charges https://www.theverge.com/2020/2/26/21154536/fbi-atomwaffen-division-neo-nazi-graveyard-irc-arrest-swatting
- Former Microsoft Engineer Convicted of $10M Insider Fraud https://www.bankinfosecurity.com/former-microsoft-engineer-convicted-insider-fraud-a-13793
- FBI Makes Arrest in DDoS Attack on Candidate's Website https://www.bankinfosecurity.com/fbi-makes-arrest-in-ddos-attack-on-candidates-website-a-13754
Other Security / Risk
Articles covering other types of risks.
- RSAC 2020: Blockchain is 'Garbage In', Voting Needs Paper Ballots https://threatpost.com/rsac-2020-blockchain-is-garbage-in-voting-needs-paper-ballots/153221/
- RSAC 2020: Lack of Machine Learning Laws Open Doors To Attacks https://threatpost.com/rsac-2020-lack-of-machine-learning-laws-open-doors-to-attacks/153259/
- Bruce Schneier Proposes 'Hacking Society' for a Better Tomorrow https://threatpost.com/bruce-schneier-proposes-hacking-society-for-a-better-tomorrow/153342/
- DDoS as a smokescreen (Distract Then Steal) https://www.imperva.com/blog/ddos-as-a-smokescreen/
- Russia Is Trying to Tap Transatlantic Cables https://www.schneier.com/blog/archives/2020/02/russia_is_tryin.html
- FBI Official: Russia Wants to See US 'Tear Ourselves Apart' https://www.securityweek.com/fbi-official-russia-wants-see-us-tear-ourselves-apart
- National Security Experts Call for Eliminating Greenhouse Gas Emissions https://www.scientificamerican.com/article/national-security-experts-call-for-eliminating-greenhouse-gas-emissions/
- Canada’s terrorism offenders are coming out of prison still radicalized https://globalnews.ca/news/6574722/terrorism-in-canada-deradicalization-programs-parole/
- Looming lawsuits, threats of job losses and other takeaways from the CRTC hearings on cell service https://www.cbc.ca/news/politics/crtc-cellphone-affordability-1.5480807
- Teck Frontier cancellation over "uncertainty" should be ‘wake-up call’ for Canada https://globalnews.ca/news/6610976/teck-frontier-withdrawal-chrystia-freeland/
- US output contracts for the first time since October 2013 https://www.forexfactory.com/news/982185-us-output-contracts-for-the-first-time-since
- A battle is brewing between Google and Microsoft over Edge and their app stores https://www.zdnet.com/article/google-says-microsoft-edge-isnt-secure-i-asked-why/
Off-Topic / Science & Tech / Lighter Side
A variety of scientific, technical, historical, and more light-hearted news.
- Small quartz disc can store 360TB of data forever https://www.zmescience.com/research/technology/quartz-disk-5d-storage-52543/
- ‘Leaning Tower of Dallas’ survives wrecking ball, becomes off-kilter sensation https://globalnews.ca/news/6602952/leaning-tower-of-dallas-collapse/
- 11 historic events that happened on February 29, also known as 'Leap Day' https://www.businessinsider.com/leap-year-history-february-29-2012-2
- Lake Erie snowstorm encases Hamburg NY homes in up to three feet of ice https://www.dailymail.co.uk/news/article-8062153/Snowstorm-freezes-homes-Lake-Erie.html
- Scientific Rebel Freeman Dyson Dies https://blogs.scientificamerican.com/cross-check/scientific-rebel-freeman-dyson-dies/
- Famous NASA Mathematician Katherine Johnson Has Died Aged 101 https://www.sciencealert.com/katherine-johnson-black-nasa-mathematician-portrayed-in-hidden-figures-dies-at-101
- More (entertaining) weirdness in the world of competitive Chess https://slate.com/culture/2020/02/magnus-carlsen-speed-chess-drdrunkenstein-pseudonyms-twitch-youtube.html
- Here’s How The Size Of Asteroids Compares To New York City https://www.boredpanda.com/size-of-asteroids-alvaro-gracia-montoya/
- Earth has a new 'minimoon', scientists announce https://www.independent.co.uk/news/science/earth-moon-minimoon-space-asteroid-meteor-a9361486.html
- Smithsonian releases 2.8 million free images for broader public use https://scienmag.com/smithsonian-releases-2-8-million-free-images-for-broader-public-use/
- Two commercial satellites just docked in space for the first time https://www.theverge.com/2020/2/26/21154426/commercial-satellites-docking-space-northrop-grumman-intelsat
- Astronomers Just Witnessed The Biggest Explosion in The Universe Ever Recorded https://www.sciencealert.com/astronomers-have-just-recorded-the-biggest-explosion-since-the-big-bang