Welcome to This Week’s [in]Security. Trending: Coronavirus update. The spread, the curve, and aftermath. Guidance, Response and Recovery. The good, the bad, and the ugly. Immunity and knowledge. 12 PCI FAQ's. Mega breach. Fines deferred. COVID Contact tracing tech. Online voting is still a bad idea. Ventilators. Corp.com. Spam-spam-spam. MS Exchange, VMware, Zoom, Vehicles bugs. Breakable smart-lock. Fingerprint cloning. Zero-days. BGP hijacking. COVID hacking wave and other impacts. Faking AI. Krakatau again. And More.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

New - Emerging Issues and Trending Stories

Coronavirus updates. We recently change the way we report COVID articles to you so it is less overwhelming. Many COVID articles will appear within our normal blog section headings each with a sub-group dedicated to COVID-19. For example:

• Facts about its spread, direct impact, and how people react will continue under Trending.
• Regulations and restrictions to counter the virus will be under Regulations.
• Privacy Implications, PCI/Payments, Cybercrime under their respective sections
• Treatments, Vaccines, Innovations, Coping methods under Defense
• Information on how/why it spreads, improvements understanding it, etc. under Vulnerabilities
• Economic impact and articles that don't fit into the other categories will be under Other Risk.
• Breaches (and Ransomware) under Breaches.

Our first regular reports on coronavirus can be found at https://controlgap.com/blog/this-weeks-insecurity-issue-147. And our first use of the trending topic section can be found https://controlgap.com/blog/this-weeks-insecurity-issue-149.

• The spread, the curve, and aftermath:

  • Excellent presentation on what flattening the curve means and getting life back to normal - keep your eyes on Austria https://youtu.be/h_EfQdoB5Ro
  • Thousands of US nursing home patients have died of coronavirus — far higher than the federal government has reported https://www.businessinsider.com/covid-19-death-toll-nursing-homes-federal-government-estimate-2020-4
  • The City That Has Flattened the Coronavirus Curve https://www.theatlantic.com/politics/archive/2020/04/coronavirus-san-francisco-london-breed/609808/
  • Ontario reports 401 new coronavirus cases, including 21 deaths as total cases top 7,000 https://globalnews.ca/news/6809479/ontario-coronavirus-covid-19-cases-april-12/
  • Norway Relaxes Coronavirus Restrictions, But Event Ban Continues https://www.forbes.com/sites/davidnikel/2020/04/07/norway-pm-relaxes-coronavirus-restrictions-but-event-ban-continues/
  • After Rejecting A Coronavirus Lockdown, Sweden Sees Rise In Deaths https://www.forbes.com/sites/carlieporterfield/2020/04/09/after-rejecting-a-coronavirus-lockdown-sweden-sees-rise-in-deaths/

• Guidance, Response and Recovery:

  • Canada Risk-informed decision-making guidelines for workplaces and businesses during the COVID-19 pandemic https://www.canada.ca/en/public-health/services/diseases/2019-novel-coronavirus-infection/guidance-documents/risk-informed-decision-making-workplaces-busin
  • FEMA Report Warned of Pandemic Vulnerability Months before COVID-19 https://www.scientificamerican.com/article/fema-report-warned-of-pandemic-vulnerability-months-before-covid-19/
  • Spain Plans Universal Basic Income To Fix Coronavirus Economic Crisis https://www.forbes.com/sites/pascaledavies/2020/04/06/spain-aims-to-roll-out-universal-basic-income-to-fix-coronavirus-economic-crisis/
  • What's at the end of the coronavirus tunnel? Local scholars share some ideas www.sandiegouniontribune.com/news/health/story/2020-03-29/end-of-coronavirus-pandemic-what-will-new-normal-look-like
  • The plans to reopen the economy are scary. https://www.vox.com/2020/4/10/21215494/coronavirus-plans-social-distancing-economy-recession-depression-unemployment
  • Prepare for the Ultimate Gaslighting (when the economy reopens) https://forge.medium.com/prepare-for-the-ultimate-gaslighting-6a8ce3f0a0e0

• Behaviour - the good, the bad, and the ugly:

  • Canadian Scout solves a PPE problem https://www.upworthy.com/boy-scout-makes-ear-masks-coronavirus-nurses
  • Coronavirus: US car insurers refund drivers stuck at home https://www.bbc.co.uk/news/business-52194521
  • 3M is suing a company accused of trying to re-sell fake N95 masks at a 600% markup https://www.businessinsider.com/3m-sues-company-for-trying-to-sell-fake-n95-masks-price-gouging-2020-4
  • Coronavirus: U.S. man charged in scheme to sell over $750M in ‘nonexistent’ PPE https://globalnews.ca/news/6809726/coronavirus-fraud-united-states-mask-scheme/
  • Just wrong. Three nurses in the UK forced to wear trash bags instead of real protective gear have tested positive for the coronavirus https://www.businessinsider.com/coronavirus-uk-nurses-forced-to-wear-bin-bags-test-positive-2020-4

• Immunity and knowledge:

  • What Immunity to COVID-19 Really Means https://www.scientificamerican.com/article/what-immunity-to-covid-19-really-means/
  • Fauci says the government is considering giving out COVID-19 'immunity cards' as part of push to reopen the economy https://www.businessinsider.com/the-government-is-considering-covid-19-immunity-cards-2020-4
  • WHO investigates reports of recovered coronavirus patients testing positive again https://www.businessinsider.com/who-investigates-reports-recovered-coronavirus-patients-testing-positive-again-2020-4
  • Our Knowledge of Viruses Is Badly Inadequate https://blogs.scientificamerican.com/blogs/observations/our-knowledge-of-viruses-is-badly-inadequate/
  • There are only 7 human coronaviruses, they're all linked to bats, discovered over the last 55 years https://www.forbes.com/sites/alexknapp/2020/04/11/the-secret-history-of-the-first-coronavirus-229e/

PCI Compliance and Payments

News and announcements relating to Payment Security, PCI, Card Brands, Payments, Payment Malware and Fraud.

• COVID-19 Payments/PCI:

  • Mastercard, Visa Raise Tap Limits, And Stores Want Interac To Follow https://ca.news.yahoo.com/touchless-transactions-tap-145730032.html and https://www.digitaltransactions.net/card-networks-up-canadian-contactless-transaction-limits-to-limit-physical-contact/
  • New IRS Site Could Make it Easy for Thieves to Intercept Some Stimulus Payments https://krebsonsecurity.com/2020/04/new-irs-site-could-make-it-easy-for-thieves-to-intercept-some-stimulus-payments/

• PCI FAQs: 1 New, 11 Updated:

  • New 1743 https://pcissc.secure.force.com/faq/articles/Frequently_Asked_Question/What-is-the-role-of-acquirers-and-assessors-in-determining-the-applicability-of-PCI-DSS-requirements-for-a-merchant-s-PCI-DSS-assessment
  • 1251 https://pcissc.secure.force.com/faq/articles/Frequently_Asked_Question/What-is-the-process-to-use-previously-deployed-POI-devices-in-a-PCI-P2PE-solution
  • 1457 https://pcissc.secure.force.com/faq/articles/Frequently_Asked_Question/Is-a-Software-based-PIN-Entry-on-COTS-Solution-eligible-for-a-P2PE-Solution-approval
  • 1434 https://pcissc.secure.force.com/faq/articles/Frequently_Asked_Question/How-do-PCI-PTS-approved-POI-device-expiry-dates-affect-a-PCI-listed-P2PE-solution
  • 1339 https://pcissc.secure.force.com/faq/articles/Frequently_Asked_Question/Are-POI-devices-with-only-the-PTS-approved-firmware-i-e-no-additional-software-eligible-for-use-in-a-PCI-P2PE-solution
  • 1332 https://pcissc.secure.force.com/faq/articles/Frequently_Asked_Question/What-are-the-expiry-dates-for-PTS-POI-device-approvals
  • 1261 https://pcissc.secure.force.com/faq/articles/Frequently_Asked_Question/Does-a-P2PE-validated-application-also-need-to-be-validated-against-PA-DSS
  • 1078 https://pcissc.secure.force.com/faq/articles/Frequently_Asked_Question/In-what-circumstances-is-multi-factor-authentication-required
  • 1138 https://pcissc.secure.force.com/faq/articles/Frequently_Asked_Question/Does-PCI-SSC-provide-a-list-of-PCI-DSS-compliant-service-providers
  • 1210 https://pcissc.secure.force.com/faq/articles/Frequently_Asked_Question/Are-audio-voice-recordings-permitted-to-contain-sensitive-authentication-data
  • 1281 https://pcissc.secure.force.com/faq/articles/Frequently_Asked_Question/Are-point-of-sale-devices-required-to-be-physically-secured-e-g-with-a-cable-or-tether-to-prevent-removal-or-substitution-in-order-to-meet-PCI-DSS-Requirement-9-9
  • 1302 https://pcissc.secure.force.com/faq/articles/Frequently_Asked_Question/How-does-use-of-an-expired-PTS-device-affect-my-PCI-DSS-compliance
• Updated index of PCI FAQ's https://controlgap.com/index-pci-frequently-asked-questions/
• 2020 PCI SSC North America and Europe Community Meeting Call for Speakers https://www.cvent.com/c/abstracts/55751531-5c39-4b8c-b93f-2cbf26393d46
• Women in Payments: Q&A https://blog.pcisecuritystandards.org/women-in-payments-q-and-a-with-tracey-long

Breaches / Ransomware / Leaks

Covering breaches, leaks, data exposures, ransomware (as potential breach), and their fallout.

• 115 million Pakistani mobile users data found up for sale on dark web https://www.databreaches.net/115-million-pakistani-mobile-users-data-found-up-for-sale-on-dark-web/
• Italian Email provider 'Email.it' got hacked, data of 600,000 users now sold on the dark web https://www.zdnet.com/article/email-provider-got-hacked-data-of-600000-users-now-sold-on-the-dark-web/
• Hacker Hit Italy-Owned Bank’s Emails, Data Breach Unknown https://www.pymnts.com/news/security-and-risk/2020/hacker-hit-italy-owned-banks-emails-data-breach-unknown/
• San Francisco Intl Airport discloses data breach after hack https://www.databreaches.net/san-francisco-intl-airport-discloses-data-breach-after-hack/
• Vianet’s customer data compromised with latest leaks https://www.databreaches.net/vianets-customer-data-compromised-with-latest-leaks/
• Less than two weeks after an Indiana hospital reported a phishing-related HIPAA breach, they had a second one https://www.databreaches.net/less-than-two-weeks-after-an-indiana-hospital-reported-a-phishing-related-hipaa-breach-they-had-a-second-one/
• Newfoundland privacy commissioner ‘deeply concerned’ about Facebook’s response to health info breach https://www.databreaches.net/ca-n-l-privacy-commissioner-deeply-concerned-about-facebooks-response-to-health-info-breach/
• Maropost takes your privacy and security … but aren't listening https://www.databreaches.net/maropost-takes-your-privacy-and-security/
• HTC Mania - 1,488,089 breached accounts on HIBP https://haveibeenpwned.com/PwnedWebsites#HTCMania
• British Airways and Marriott UK data protection fines deferred again as coronavirus shutdown hits business https://www.theregister.co.uk/2020/04/06/ico_data_protection_fines_ba_marriott_hack_postponed/

Privacy

Articles about privacy related news, risks, and trends.

• COVID-19 Contact tracing:

  • Apple and Google Propose Contact Tracing App https://epic.org/2020/04/apple-and-google-propose-conta.html
  • EPIC Seeks Records About Oracle's Proposed System to Track COVID Patients https://epic.org/2020/04/epic-seeks-records-about-oracl.html
  • The Challenge of Proximity Apps For COVID-19 Contact Tracing https://www.eff.org/deeplinks/2020/04/challenge-proximity-apps-covid-19-contact-tracing
  • How to Protect Privacy When Aggregating Location Data to Fight COVID-19 https://www.eff.org/deeplinks/2020/04/how-protect-privacy-when-aggregating-location-data-fight-covid-19
  • Contact Tracing in the Real World https://www.lightbluetouchpaper.org/2020/04/12/contact-tracing-in-the-real-world/
  • Bluetooth signals from your smartphone could automate COVID-19 contact tracing https://scienmag.com/bluetooth-signals-from-your-smartphone-could-automate-covid-19-contact-tracing/
• EPIC Pursues Information About Predictive Policing Programs https://epic.org/2020/04/epic-pursues-information-about-1.html
• Thermal Imaging Cameras are Still Dangerous Dragnet Surveillance Cameras https://www.eff.org/deeplinks/2020/04/thermal-imaging-cameras-are-still-dangerous-dragnet-surveillance-cameras
• Online course: Privacy Management in the Digital Enterprise https://learn.utoronto.ca/programs-courses/certificates/privacy-management-digital-enterprise

Laws & Regulations / Standards

News about laws, regulations, and standards affecting security, privacy,  technology, and public interest.

• The LawBytes Podcast, Episode 46: Matthew Herder on the Canadian Effort to Break Down Patent Barriers to Accessing Coronavirus Medicines http://www.michaelgeist.ca/2020/04/lawbytes-podcast-episode-46/

• Online voting is still a bad idea:

  • Despite COVID-19, experts warn against online voting https://sector.ca/despite-covid-19-experts-warn-against-online-voting/
  • Can Legislatures Safely Vote by Internet? https://freedom-to-tinker.com/2020/04/10/can-legislatures-safely-vote-by-internet/
• Signal sends smoke, er, signal: If Congress cripples anonymous speech with EARN IT Act, we'll shut US ops https://www.theregister.co.uk/2020/04/09/signal_earn_it/
• Taiwan joins Canada in banning Zoom for government video conferencing https://www.cbc.ca/news/technology/taiwan-zoom-video-conference-1.5524384
• Ruling: A Hacker’s Scheme is “Forthright;” Thus, No Computer Fraud Coverage for Ransomware Attacks https://www.databreaches.net/a-hackers-scheme-is-forthright-thus-no-computer-fraud-coverage-for-ransomware-attacks/
• NIST Extends Comment Period for Draft SP 800-53 Revision 5 Security and Privacy Controls for Information Systems and Organizations until May 29 https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/draft

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• COVID-19 countermeasures:

  • Formula 1: Mercedes make breathing aid freely available https://www.bbc.co.uk/sport/formula1/52189430
  • Xerox Will Mass Produce Disposable Ventilators In Partnership With Vortran To Fight Coronavirus https://www.forbes.com/sites/amyfeldman/2020/04/06/xerox-will-mass-produce-disposable-ventilators-in-partnership-with-vortran-to-fight-coronavirus/
  • Saskatoon lab now has the ability to disinfect N95 masks for re-use https://globalnews.ca/news/6802956/coronavirus-saskatoon-lab-disinfect-n95-masks/
• Microsoft Buys Corp.com So Bad Guys Can’t https://www.schneier.com/blog/archives/2020/04/microsoft_buys_.html and https://krebsonsecurity.com/2020/04/microsoft-buys-corp-com-so-bad-guys-cant/
• Introducing our new book “Building Secure and Reliable Systems” https://security.googleblog.com/2020/04/introducing-our-new-book-building.html
• Attack matrix for Kubernetes, using the MITRE ATT&CK framework https://www.schneier.com/blog/archives/2020/04/kubernetes_secu.html
• Zoom Promises Geo-Fencing, Encryption Overhaul for Meetings https://www.bankinfosecurity.com/zoom-promises-geo-fencing-encryption-overhaul-for-meetings-a-14061
• 9 Security Podcasts Worth Tuning In To https://www.darkreading.com/careers-and-people/9-security-podcasts-worth-tuning-in-to/d/d-id/1337474
• Six Key Advantages of (ISC)2 Online Instructor-Led Training https://blog.isc2.org/isc2_blog/2020/04/six-key-advantages-of-isc2-online-instructor-led-training.html
• Troy Hunt - No, I Won't Link to Your Spammy Article https://www.troyhunt.com/no-i-wont-link-to-your-spammy-article/

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• Official Government COVID-19 Apps Hide a Raft of Threats https://threatpost.com/official-government-covid-19-apps-threats/154512/
• Schneier on pandemic cybersecurity https://www.schneier.com/blog/archives/2020/04/cybersecurity_d.html
• Serious Exchange Flaw Still Plagues 350K Servers https://threatpost.com/serious-exchange-flaw-still-plagues-350k-servers/154548/
• Critical VMware Bug Opens Up Corporate Treasure to Hackers https://threatpost.com/critical-vmware-bug-corporate-treasure-hackers/154682/
• Zoom’s Waiting Room Vulnerability https://citizenlab.ca/2020/04/zooms-waiting-room-vulnerability/
• FAQ on Zoom Security Issues https://citizenlab.ca/2020/04/faq-on-zoom-security-issues/
• Consumer reviewer Which? finds CAN bus ports on Ford and VW, starts yelling 'Security! We have a problem...' https://www.theregister.co.uk/2020/04/09/which_car_hacking_report/
• 'Unbreakable' Smart Lock Draws FTC Ire for Deceptive Security Claims https://threatpost.com/unbreakable-smart-lock-ftc-deceptive-security-claims/154600/
• A Cheap 3D Printer Can Trick Smartphone Fingerprint Locks https://www.wired.com/story/cheap-3d-printer-trick-smartphone-fingerprint-locks/ and https://threatpost.com/fake-fingerprints-bypass-scanners-3d-printing/154535/
• Fingerprint cloning: Myth or reality? https://blog.talosintelligence.com/2020/04/fingerprint-research.html
• Bugcrowd vulnerability bounty platform snags $30 million in fresh funding round |https://www.zdnet.com/article/bugcrowd-vulnerability-bounty-platform-snags-30-million-in-fresh-funding-round/
• Schneier on the recent factoring of RSA-250 https://www.schneier.com/blog/archives/2020/04/rsa-250_factore.html

Hacking / Malware / Cybercrime / Exploitation

News covering active trends and events.

• COVID-19 Crime and Cybercrime:

  • No Respite: Ransomware Keeps Pummeling Healthcare https://www.bankinfosecurity.com/no-covid-19-respite-ransomware-keeps-pummeling-healthcare-a-14072
  • NASA sees an “exponential” jump in malware attacks as personnel work from home https://arstechnica.com/information-technology/2020/04/nasa-sees-an-exponential-jump-in-malware-attacks-as-personnel-work-from-home/
• This Map Shows the Global Spread of Zero-Day Hacking Techniques https://www.wired.com/story/zero-day-hacking-map-countries/
• A Brisk Private Trade in Zero-Days Widens Their Use https://threatpost.com/brisk-private-trade-zero-days/154502/
• Russian Telco Hijacked Internet Traffic of Major Networks - Accident or Malicious Action? https://www.securityweek.com/russian-telco-hijacked-internet-traffic-major-networks-accident-or-malicious-action
• Hackers Have Been Quietly Targeting Linux Servers https://www.zdnet.com/article/these-hackers-have-been-quietly-targeting-linux-servers-for-years/
• This is why the vicious xHelper malware resists factory wipes and reboots https://www.zdnet.com/article/this-is-why-the-vicious-xhelper-malware-resists-factory-wipes-and-reboots/
• Apple App Store Riddled With Money-Sucking Fleeceware Apps https://threatpost.com/apple-app-store-riddled-with-money-sucking-fleeceware-apps/154671/
• Government VPN Servers Targeted in Zero-Day Attack https://threatpost.com/government-vpn-servers-zero-day-attack/154472/
• FBI Threatens ‘Zoom Bombing’ Trolls With Jail Time https://threatpost.com/fbi-threatens-zoom-bombing-trolls-with-jail-time/154495/
• SEC Settles With 2 Traders Over EDGAR Hacking Case https://www.bankinfosecurity.com/sec-settles-2-traders-over-edgar-hacking-case-a-14100

Other Security / Risk

Articles covering other types of risks.

• COVID-19 Other risks and impact:

  • The Case For Critical Thinking: The COVID-19 Pandemic And An Urgent Call To Close The Critical Thinking Gap In Education https://www.forbes.com/sites/colinseale/2020/04/10/the-case-for-critical-thinking-the-covid-19-pandemic-and-an-urgent-call-to-close-the-critical-thinking-gap-in-education/
  • Why Measles Deaths Are Surging--and Coronavirus Could Make it Worse https://www.nature.com/articles/d41586-020-01011-6
  • New Data Shows U.S. Companies Are Definitely Leaving China https://www.forbes.com/sites/kenrapoza/2020/04/07/new-data-shows-us-companies-are-definitely-leaving-china/
  • Psychology research: Vaccine skeptics actually think differently than other people https://scienmag.com/psychology-research-vaccine-skeptics-actually-think-differently-than-other-people/
  • Schneier on Hacking Society https://www.darkreading.com/application-security/schneier-on-hacking-society/d/d-id/1337526
  • Coronavirus: Canadian-born Second World War Dam Buster dies from COVID-19 https://globalnews.ca/news/6797951/coronavirus-canadian-born-second-world-war-dam-buster-dies-from-covid-19/
• Artificial Or Human Intelligence? Companies Faking AI https://www.forbes.com/sites/cognitiveworld/2020/04/04/artificial-or-human-intelligence-companies-faking-ai/
• The U.S. Needs China For Rare Earth Minerals? Not For Long, Thanks To This Mountain https://www.forbes.com/sites/jimvinoski/2020/04/07/the-us-needs-china-for-rare-earth-minerals-not-for-long-thanks-to-this-mountain/
• Seriously? Boeing 787s must be turned off and on every 51 days to prevent 'misleading data' being shown to pilots https://www.theregister.co.uk/2020/04/02/boeing_787_power_cycle_51_days_stale_data/
• Anak Krakatau's strongest eruption since 2018 occurs, shoots ash 15 km skywards https://www.theweathernetwork.com/ca/news/article/anak-krakatau-strongest-eruption-since-2018-occurs-shoots-ash-15-km-skywards-indonesia-java-sumatra%3Fref%3Dmsncda_news_hdln%26lin

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• Scientists Built a Device That Generates Electricity 'Out of Thin Air' https://www.sciencealert.com/in-good-news-scientists-built-a-device-that-generates-electricity-out-of-thin-air
• New Enzyme Breaks Down Plastic In Hours And Enables High-Quality Recycling https://www.forbes.com/sites/scottsnowden/2020/04/11/new-enzyme-breaks-down-plastic-in-hours/
• Pixar’s computer graphics pioneers have won the $1 million Turing Award https://www.technologyreview.com/2020/03/18/905239/pixars-computer-graphics-pioneers-have-won-the-1-million-turing-award/
• Remembering Apollo 13: Saved from disaster by a towel and duct tape https://www.bbc.co.uk/news/av/science-environment-52187916/apollo-13-deadly-diy-in-space
• NASa’s all-female team of 'aquanauts' https://www.bbc.co.uk/news/av/stories-52198996/nasa-s-all-female-team-of-aquanauts
• NASA’s Plans For a Lunar Base Camp https://www.universetoday.com/145595/nasas-plans-for-a-lunar-base-camp/
• Margaret Burbidge, Astronomer Who Studied the Inner Workings of Stars, Dies at 100 https://www.space.com/astronomer-margaret-burbidge-dies-at-100.html
• What Einstein May Have Gotten Wrong - numbers represnting reality may have limited precision https://www.theatlantic.com/science/archive/2020/04/passage-of-time-relativity-physics/609841/
• Are some parts of the Universe expanding faster than others? Maaaaaaybe. https://www.syfy.com/syfywire/are-some-parts-of-the-universe-expanding-faster-than-others-maaaaaaybe