Welcome to This Week’s [in]Security. Trending: Coronavirus: New Zealand, Canada, Brazil, Russia, Belgium, Mississippi. Vaccines, anti-bodies, treatments. Guidance, Response and Recovery. More good, the bad, and the ugly. Payments, PCI & Covid. Breaches & ransomware: Banco BCR (cards), GDPR site, Tokopedia (15M), 9M UK licence plate trip logs, TaiLieu(7M), LineageOS. How to respond to a breach tip. Contact tracing and privacy. Facebook settlement. Biometrics & De-anonymizing device IDs. Patents. NIST updates. Fuzzing Apple. Power Grid defense. Saving ".org". SQL on a firewall! OpenSSL, Teams, Wordpress, Saltstack, Magneto, Adobe, Belkin NetCams. Lock-picking. Shade ransomware keys released. Tricky phone scam. Deep-fakes and identity theft. COVID cabin fever. Trolling AI's. Ad more.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

New - Emerging Issues and Trending Stories

Coronavirus updates. We recently change the way we report COVID articles to you so it is less overwhelming. Many COVID articles will appear within our normal blog section headings each with a sub-group dedicated to COVID-19. For example:

• Facts about its spread, direct impact, and how people react will continue under Trending.
• Regulations and restrictions to counter the virus will be under Regulations.
• Privacy Implications, PCI/Payments, Cybercrime under their respective sections
• Treatments, Vaccines, Innovations, Coping methods under Defense
• Information on how/why it spreads, improvements understanding it, etc. under Vulnerabilities
• Economic impact and articles that don't fit into the other categories will be under Other Risk.
• Breaches (and Ransomware) under Breaches.

Our first regular reports on coronavirus can be found at https://controlgap.com/blog/this-weeks-insecurity-issue-147. And our first use of the trending topic section can be found https://controlgap.com/blog/this-weeks-insecurity-issue-149.

• The spread, the curve, and aftermath:

  • Coronavirus cases in Canada surpass 50,000 https://globalnews.ca/news/6872292/coronavirus-cases-in-canada-surpass-50000/
  • Are self-isolation measures working? The latest Covid-19 case numbers for the GTA show signs of hope https://torontolife.com/city/the-latest-covid-coronavirus-numbers-for-toronto-gta/
  • Brazil is letting the coronavirus run wild with little intervention, and the results are strikingly bad https://www.businessinsider.com/brazil-coronavirus-no-nationwide-lockdown-results-are-grim-2020-5
  • Russia's cases rise by over 10K to 145K in one-day record https://www.bbc.com/news/world-europe-52521426
  • How New Zealand got its coffees and fries back https://www.bbc.com/news/world-asia-52450978
  • Why so many people are dying in Belgium https://www.bbc.com/news/world-europe-52491210
  • Mississippi's governor backtracked on ending the state's lockdown after the state saw its biggest increase in coronavirus deaths and cases https://www.businessinsider.com/mississippi-governor-backs-down-on-reopening-after-biggest-covid-spike-2020-5
  • Listen: The Georgia Experiment https://www.theatlantic.com/health/archive/2020/05/the-georgia-experiment/610993/
  • Good information, maps, data, wiki "Mythbusters" section - The Center for Coronavirus Information https://ncov2019.live/wiki
  • Is R0 the crucial number for ending lockdown? https://www.bbc.com/news/health-52473523
  • What is the R number and why does it matter? https://www.bbc.com/news/av/health-52494495/coronavirus-r0-what-is-the-r-number-and-why-does-it-matter
  • A new way to accurately estimate COVID-19 death toll https://scienmag.com/a-new-way-to-accurately-estimate-covid-19-death-toll/
  • Do Your Genes Predispose You to COVID-19? https://www.scientificamerican.com/article/do-your-genes-predispose-you-to-covid-19/
  • COVID-19 Deaths Are Being Linked to Vitamin D Deficiency. Here's What That Means https://www.sciencealert.com/covid-deaths-are-being-linked-with-vitamin-d-deficiency-here-s-what-that-means
  • A US researcher who worked with a Wuhan virology lab gives 4 reasons why a coronavirus leak would be extremely unlikely https://www.businessinsider.com/why-coronavirus-did-not-leak-from-wuhan-lab-researcher-2020-4
  • Remdesivir: Drug has 'clear-cut' power to fight coronavirus https://www.bbc.com/news/health-52478783
  • Bill Gates says that US testing data is 'bogus' because it still takes 3 to 4 days to get results https://www.businessinsider.com/bill-gates-us-coronavirus-testing-data-bogus-inequality-delays-2020-5
  • Antibody test has been approved for use in Europe after success in the US https://www.businessinsider.com/abbott-coronavirus-antibody-test-99-percent-effective-europe-approved-2020-4
  • A coronavirus antibody test that is more than 99% accurate is now cleared for emergency use in the US https://www.businessinsider.com/antibody-test-that-is-more-than-99-accurate-gets-emergency-clearance-by-fda-2020-5
  • Should You Get an Antibody Test? And yes, it's complicated now but it will get better. https://www.theatlantic.com/health/archive/2020/05/coronavirus-antibody-test-immunity/611005/
  • World needs a plan ensure a COVID-19 vaccine can reach everyone https://globalnews.ca/news/6891501/covid-19-vaccine-distribution-plan/

• Guidance, Response and Recovery:

  • Ontario set to release ‘sector-specific’ workplace reopening guidelines https://globalnews.ca/news/6877981/coronavirus-ontario-labour-workplace-reopening-guidelines-covid-19/
  • Why can I get a haircut, but not see my friends? Your COVID-19 questions answered https://www.cbc.ca/news/haircut-friends-covid-questions-answered-1.5551240
  • Disaster recovery experts and IT specialists offer 8 steps companies should take before reopening the office to protect their team's health and business safety https://www.businessinsider.com/disaster-recovery-experts-steps-companies-take-before-opening-office-pandemic-2020-5
  • What Percentage Of Workers Can Realistically Work From Home? New Data From Norway Offer Clues https://www.forbes.com/sites/traversmark/2020/04/24/what-percentage-of-workers-can-realistically-work-from-home-new-data-from-norway-offer-clues/
  • Inside the ICU: What staff at a Toronto hospital have learned about COVID-19 https://globalnews.ca/news/6898135/coronavirus-icu-toronto-hospital/
  • Doctors communicating with baby monitors in sealed rooms due to coronavirus https://globalnews.ca/news/6878409/baby-monitors-doctors-canada/
  • Doctors pose nude to call for more PPE in Germany’s coronavirus fight https://globalnews.ca/news/6876781/coronavirus-doctors-nude-photos-ppe/
  • New York and six other states are pooling their purchasing power to buy ventilators, protective gear, and coronavirus tests https://www.businessinsider.com/new-york-gov-cuomo-announces-coronavirus-state-purchasing-coalition-2020-5
  • Costco Will Require All Shoppers To Wear Face Masks Starting Monday https://www.forbes.com/sites/rachelsandler/2020/04/29/costco-will-require-all-shoppers-to-wear-face-masks-starting-monday/
  • Swedish city covers park in chicken poo to stop covidiots from partying https://globalnews.ca/news/6886663/coronavirus-sweden-chicken-poo/
  • India’s new coronavirus contact tracing app will be mandatory for all workers https://globalnews.ca/news/6897295/indias-coronavirus-tracing-app-workers/
  • Will thermal cameras help to end the lockdown? https://www.bbc.co.uk/news/av/business-52479043/will-thermal-cameras-help-to-end-the-lockdown
  • Robots are taking over during COVID-19 (and there's no going back) https://www.zdnet.com/article/robotics-firms-seeing-strong-backing-during-covid-19-pandemic/
  • Pandemic forces Ontario justice system ‘stuck in the 1970s’ to modernize https://globalnews.ca/news/6885464/coronavirus-ontario-justice-system-modernize/
  • Outrage, secrecy, confusion: Medical officer of health orders summer cottagers away https://nationalpost.com/news/outrage-secrecy-confusion-medical-officer-of-health-orders-summer-cottagers-away
  • Outcry as Spanish beach sprayed with bleach https://www.bbc.com/news/world-europe-52471208
  • (Really?) In the Name of Coronavirus Relief, Belgian Officials Are Asking Citizens to Eat Extra Fries https://www.mentalfloss.com/article/623772/belgian-officials-are-asking-citizens-to-eat-extra-fries-during-coronavirus
  • Toronto sleeping in later during pandemic, electricity stats reveal https://toronto.citynews.ca/2020/04/22/toronto-sleeping-in-later-during-pandemic-electricity-stats-reveal/
  • ‘Grim reaper’ stalks Florida beaches to remind locals of the coronavirus threat https://globalnews.ca/news/6894469/coronavirus-death-grim-reaper-beach/
  • The Dr. Fauci Of The 1918 Spanish Flu (and they look a bit alike too) https://www.forbes.com/sites/alexknapp/2020/04/28/the-dr-fauci-of-the-1918-spanish-flu/
  • 11 New Words and Phrases Inspired by the Coronavirus https://www.mentalfloss.com/article/623726/new-words-inspired-coronavirus

• Behaviour - the Good, the Bad, and the Ugly:

  • Ontario dairy farmers to ramp up milk donations to food banks amid novel coronavirus pandemic https://globalnews.ca/news/6878661/coronavirus-ontario-dairy-farmers-donations-food-banks/
  • Rogers, Bell, MLSE and Tangerine team up to help healthcare workers, their families and community agencies https://mobilesyrup.com/2020/04/24/rogers-bell-mlse-tangerine-help-healthcare-workers-families-community-agencies/
  • Disinfecting Disinformation: How Clorox And Lysol Took The White House To The Cleaners (And Likely Saved Lives) https://www.forbes.com/sites/aaronkwittken/2020/04/27/disinfecting-disinformation-how-clorox-and-lysol-took-the-white-house-to-the-cleaners-and-likely-saved-lives/
  • Google 'Task Force' Fights Bad COVID-19 Ads https://www.securityweek.com/google-task-force-fights-bad-covid-19-ads
  • ‘FREE AMERICA NOW’: Elon Musk Goes Full Lockdown Skeptic On Twitter https://www.forbes.com/sites/rachelsandler/2020/04/29/free-america-now-elon-musk-goes-full-lockdown-skeptic-on-twitter/
  • China secretly hoarded global pandemic supplies https://torontosun.com/opinion/columnists/goldstein-china-secretly-hoarded-global-pandemic-supplies-according-to-report
  • Darknet Markets Push Fake Coronavirus Vaccines, Test Kits https://www.bankinfosecurity.com/darknet-markets-pump-coronavirus-test-kits-cures-a-14212
  • COVIDIOTS: Anti-quarantine activist diagnosed with COVID-19 https://torontosun.com/news/weird/covidiots-anti-quarantine-activist-diagnosed-with-covid-19

PCI Compliance and Payments

News and announcements relating to Payment Security, PCI, Card Brands, Payments, Payment Malware and Fraud.

• COVID-19 Payments/PCI:

  • Additional Remote Assessment Considerations During COVID-19 https://blog.pcisecuritystandards.org/additional-remote-assessment-considerations-during-covid-19
  • COVID-19 Impact on PCI P2PE Assessments https://training.pcisecuritystandards.org/covid-19-impact-on-p2pe-assessments
  • Maintaining POS Device Security and Cleanliness https://blog.pcisecuritystandards.org/maintaining-pos-device-security-and-cleanliness
• Maze ransomware operators claim to have stolen millions of credit cards from Banco BCR https://www.databreaches.net/maze-ransomware-operators-claim-to-have-stolen-millions-of-credit-cards-from-banco-bcr/
• Visa and Mastercard - contactless use increase in COVID-19 world https://www.mobilepaymentstoday.com/news/visa-says-contactless-use-surged-amid-covid-19/ and https://www.mobilepaymentstoday.com/news/mastercard-study-shows-covid-related-shift-to-contactless/
• Visa Will Postpone Its Fuel-Pump EMV Liability Shift for Six Months https://www.digitaltransactions.net/visa-will-postpone-its-fuel-pump-emv-liability-shift-for-six-months-c-store-group-says/

Breaches / Ransomware / Leaks

Covering breaches, leaks, data exposures, ransomware (as potential breach), and their fallout.

• GDPR Compliance Site Leaks Git Data, Passwords https://threatpost.com/data-leak-gdpr-advice-site/155199/
• Tokopedia Investigates Data Breach Compromising 15m User Accounts https://jakartaglobe.id/business/tokopedia-investigates-data-breach-compromising-15m-user-accounts and added to HIBP https://haveibeenpwned.com/PwnedWebsites#Tokopedia
• Hackers Leak Biopharmaceutical Firm ExecuPharm’s Data Stolen in Ransomware Attack https://threatpost.com/hackers-leak-biopharmaceutical-firms-data-stolen-in-ransomware-attack/155237/
• Huiying Medical Breached; Source Code for AI-assisted COVID-19 Detection, and Experimental Data of COVID-19 on Sale https://www.databreaches.net/huiying-medical-breached-source-code-for-ai-assisted-covid-19-detection-and-experimental-data-of-covid-19-on-sale/
• Home affairs data breach may have exposed personal details of 770,000 migrants https://www.databreaches.net/home-affairs-data-breach-may-have-exposed-personal-details-of-770000-migrants/
• ‘Smart’ parking meter vendor had data stolen in ransomware attack https://www.databreaches.net/smart-parking-meter-vendor-had-data-stolen-in-ransomware-attack/
• Warwick University was hacked and kept breach secret from students and staff https://www.databreaches.net/uk-warwick-university-was-hacked-and-kept-breach-secret-from-students-and-staff/
• Nine million logs of Brits' road journeys spill onto the internet from password-less number-plate camera dashboard https://www.theregister.co.uk/2020/04/28/anpr_sheffield_council/
• Troves of Zoom Credentials Shared on Hacker Forums https://threatpost.com/troves-of-zoom-credentials-shared-on-hacker-forums/155163/
• Personal data of thousands of “Figaro” readers exposed on a server https://www.databreaches.net/personal-data-of-thousands-of-figaro-readers-exposed-on-a-server/
• Alabama Dept. of Labor fixes app after personal information revealed https://www.databreaches.net/alabama-dept-of-labor-fixes-app-after-personal-information-revealed/
• Loan site buckling under COVID-19 strain shows man another applicant’s data https://arstechnica.com/information-technology/2020/04/man-applying-for-online-loan-presented-with-application-of-a-perfect-stranger/
• Poland: UODO begins investigation of data breach at SWPS University https://www.databreaches.net/poland-uodo-begins-investigation-of-data-breach-at-swps-university/
• Zaha Hadid Architects held to ransom by cyberhacker https://www.databreaches.net/zaha-hadid-architects-held-to-ransom-by-cyberhacker/
• Ransomware Crews Don't Leave After Being Paid https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/ and https://www.law360.com/articles/1268770/report-finds-ransomware-crews-don-t-leave-after-being-paid
• Colorado Hospital Latest Cyberattack Victim Amid COVID-19 https://www.bankinfosecurity.com/parkview-a-14189
• NTPC (Canada) website apparently hijacked in what looks like a ransomware attack https://www.databreaches.net/ca-ntpc-website-apparently-hijacked-in-what-looks-like-a-ransomware-attack/
• TaiLieu - 7,327,477 breached accounts from Nov 2019 on HIBP https://haveibeenpwned.com/PwnedWebsites#TaiLieu
• Dakota Carrier Network hit by Maze ransomware https://www.databreaches.net/dakota-carrier-network-hit-by-maze-ransomware/
• Hackers breach LineageOS servers via unpatched vulnerability https://www.zdnet.com/article/hackers-breach-lineageos-servers-via-unpatched-vulnerability/
• Convict in LA Times Hack Again Accused of Attacking Media https://www.securityweek.com/convict-la-times-hack-again-accused-attacking-media
• LabCorp Shareholder Sues Company Over Data Breaches https://www.bankinfosecurity.com/labcorp-suit-a-14208
• Banner Health Data Breach Settlement Calls for Enhanced Security Measures https://www.bankinfosecurity.com/data-breach-settlement-calls-for-enhanced-security-measures-a-14200
• Data Breaches: How to Respond to a Tipoff of a Problem https://www.bankinfosecurity.com/data-breaches-how-to-respond-to-tipoff-problem-a-14191

Privacy

Articles about privacy related news, risks, and trends.

• COVID-19 Contact tracing:

  • States Are Using the Pandemic to Roll Back Americans’ Rights https://www.theatlantic.com/ideas/archive/2020/04/states-are-using-pandemic-roll-back-americans-rights/610825/
  • State Will Not Adopt Digital Contact Tracing Without Privacy Protections https://epic.org/2020/05/massachusetts-governor-state-w.html
  • Contact-Tracing App Privacy: Apple, Google Refuse to Budge - won't give location data to governments https://www.bankinfosecurity.com/contact-tracing-privacy-apple-google-refuse-to-budge-a-14186
  • Academics demand answers from NHS over potential data timebomb ticking inside new UK contact-tracing app https://www.theregister.co.uk/2020/04/29/academics_open_letter_nhs_coronavirus_app/
  • Ronald Deibert Delivers Testimony to the House of Commons on Parliamentary Duties and the COVID-19 Pandemic https://citizenlab.ca/2020/04/ronald-deibert-delivers-testimony-to-the-house-of-commons-on-parliamentary-duties-and-the-covid-19-pandemic/
  • The Dangers of COVID-19 Surveillance Proposals to the Future of Protest https://www.eff.org/deeplinks/2020/04/some-covid-19-surveillance-proposals-could-harm-free-speech-after-covid-19
  • Australian contact-tracing app leaks telling info and increases chances of third-party tracking https://www.theregister.co.uk/2020/04/28/covidsafe_analysis/
• Researchers Uncover Novel Way to De-anonymize Device IDs to Users' Biometrics https://thehackernews.com/2020/04/deanonymize-device-biometrics.html
• Judge Approves FTC's $5 Billion Settlement With Facebook https://www.bankinfosecurity.com/judge-approves-ftcs-5-billion-settlement-facebook-a-14187

Laws & Regulations / Standards

News about laws, regulations, and standards affecting security, privacy,  technology, and public interest.

• Senators to Introduce COVID-19 Data Protection Bill https://epic.org/2020/05/senators-to-introduce-covid-19.html
• US patent office rules that artificial intelligence cannot be a legal inventor https://www.theverge.com/2020/4/29/21241251/artificial-intelligence-inventor-united-states-patent-trademark-office-intellectual-property
• The “Inventor Rights Act” is an Attack on True Invention https://www.eff.org/deeplinks/2020/04/inventor-rights-act-attack-true-invention
• Who’s A Patent Troll, and Who’s An Inventor? https://www.eff.org/deeplinks/2020/04/whos-patent-troll-and-whos-inventor
• Supreme Court Affirms That No One Owns the Law https://www.eff.org/deeplinks/2020/04/supreme-court-affirms-no-one-owns-law
• The Very Real Threat of Political 'Deepfakes' Laws https://www.eff.org/deeplinks/2020/04/not-hoax-very-real-threat-political-deepfakes-laws
• LawBytes#48 Podcast Copyright and Fair Dealing During a Pandemic http://www.michaelgeist.ca/2020/04/lawbytes-podcast-episode-48/
• Disney+ sparks backlash with ‘terms of use’ #Maythe4th tweet https://globalnews.ca/news/6882931/disney-backlash-maythe4th-tweet/
• Trump bans acquisition of foreign power grid equipment, citing hacking threats https://www.zdnet.com/article/trump-bans-acquisition-of-foreign-power-grid-equipment-citing-hacking-threats/
• Iran's government newspaper .com domain seized under sanctions - paper accuses US of theft https://www.securityweek.com/iran-paper-accuses-us-stealing-its-com
• NIST updates:
• NISTIR 8011 Volume 4, Automation Support for Security Control Assessments: Software Vulnerability Management, provides an operational approach for automating security control assessments to manage vulnerabilities in software https://csrc.nist.gov/publications/detail/nistir/8011/vol-4/final
• NISTIR 8294 Symposium on Federally Funded Research on Cybersecurity of Electric Vehicle Supply Equipment (EVSE) https://csrc.nist.gov/publications/detail/nistir/8294/final
• Draft Cybersecurity White Paper, Hardware-Enabled Security for Server Platforms: Enabling a Layered Approach to Platform Security for Cloud and Edge Computing Use Cases open for comments until June 2nd https://csrc.nist.gov/publications/detail/white-paper/2020/04/28/hardware-enabled-security-for-server-platforms/draft

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• COVID-19 countermeasures:

  • Scientists Have Figured Out The Best Materials to Use if You're Making a Mask at Home https://www.sciencealert.com/if-you-re-making-your-own-mask-at-home-researchers-show-the-best-materials-to-use
  • Do I sound sick to you? Researchers are building AI that would diagnose COVID-19 by listening to people talk. https://www.businessinsider.com/ai-labs-diagnose-covid-19-voice-listening-talk-2020-4
• Machine That Keeps Livers Alive for a Week Can Repair Damaged Organs https://www.scientificamerican.com/article/machine-that-keeps-livers-alive-for-a-week-can-repair-damaged-organs/
• Stopping Deforestation Can Prevent Pandemics https://www.scientificamerican.com/article/stopping-deforestation-can-prevent-pandemics/
• New Version of Infection Monkey Maps to MITRE ATT&CK Framework https://www.securityweek.com/new-version-infection-monkey-maps-mitre-attck-framework
• Fuzzing Apples' ImageIO framework highlights dependant code library vulnerabilities https://googleprojectzero.blogspot.com/2020/04/fuzzing-imageio.html
• Protecting your organization against password spray attacks https://www.microsoft.com/security/blog/2020/04/23/protecting-organization-password-spray-attacks/

• Defending the power grid against supply chain attacks (long running series):

  • Part 1: The risk defined https://www.microsoft.com/security/blog/2020/02/18/defending-the-power-grid-against-supply-chain-attacks-part-1-the-risk-defined/
  • Part 2: Securing hardware and software https://www.microsoft.com/security/blog/2020/03/23/defending-power-grid-against-supply-chain-attacks-part-2-securing-hardware-software/
  • Part 3 – Risk management strategies for the utilities industry https://www.microsoft.com/security/blog/2020/04/22/defending-power-grid-against-supply-chain-attacks-3-risk-management-strategies-utilities-industry/
• MITRE ATT&CK APT 29 evaluation proves Microsoft Threat Protection provides deeper end to end view of advanced threats https://www.microsoft.com/security/blog/2020/04/21/mitre-attack-evaluation-prove-microsoft-threat-protection-against-threats/
• Biometric Digital Identity: Proxy Acquires Smart Ring Startup Motiv For ‘Man-Machine Symbiosis’ https://www.forbes.com/sites/johnkoetsier/2020/04/27/biometric-digital-identity-proxy-acquires-smart-ring-startup-motiv-for-man-machine-symbiosis/
• Here's the NSA's guide for choosing a safe text chat and video conferencing service (based on recent news about Zoom this would seem to be an incomplete list of checks) https://www.zdnet.com/article/heres-the-nsas-guide-for-choosing-a-safe-text-chat-and-video-conferencing-service/
• US govt updates Microsoft Office 365 security best practices https://www.bleepingcomputer.com/news/security/us-govt-updates-microsoft-office-365-security-best-practices/
• How To Detect and Prevent Web Shells https://www.datex.ca/blog/how-to-detect-and-prevent-web-shells
• This Is How to Do Simple, Fast and Accurate Web App Security https://www.tenable.com/blog/this-is-how-to-do-simple-fast-and-accurate-web-app-security
• CISA Reminds Federal Agencies to Use Its DNS Service https://www.securityweek.com/cisa-reminds-federal-agencies-use-its-dns-service
• ISC Top 10 Attacked Ports Dashboard https://isc.sans.edu/top10.html
• Victory! ICANN Rejects .ORG Sale to Private Equity Firm Ethos Capital https://www.eff.org/deeplinks/2020/04/victory-icann-rejects-org-sale-private-equity-firm-ethos-capital
• This new cybersecurity school will teach kids to crack codes from home https://www.zdnet.com/article/this-new-cybersecurity-school-will-teach-kids-to-crack-codes-from-home/

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• (Netsweeper's internet filter) What's worse than an annoying internet filter? How about one with a pre-auth remote-command execution hole and there's no patch? https://www.theregister.co.uk/2020/05/01/netsweeper_filtering_flaw/
• Bulletproof TLS #64 talks about OpenSSL bug, COVID delays on TLS 1.0/1.1 deprecation, COVID disrupting CAcert.org https://www.feistyduck.com/bulletproof-tls-newsletter/issue_64_gcc_code_analyzer_finds_bug_in_openssl
• Hackers Mount Zero-Day Attacks on Sophos Firewalls - using (wait for it) SQL injection https://threatpost.com/hackers-zero-day-attacks-sophos-firewalls/155169/
• Teams was vulnerable to account hijacking due to a combination of vulnerable servers and an evil file (GIF) https://www.zdnet.com/article/this-is-how-viewing-a-gif-in-microsoft-teams-triggers-account-hijacking-bug/
• Critical vulnerabilities in WordPress plugins lead to e-learning platform hijacking https://www.zdnet.com/article/critical-vulnerabilities-in-wordpress-plugins-can-lead-to-e-learning-platform-hijacking/
• Critical SaltStack configuration framework RCE Bug (CVSS Score 10) Affects Thousands of Data Centers https://thehackernews.com/2020/05/saltstack-rce-vulnerability.html
• Critical Security Patches Released for Magento, Adobe Illustrator and Bridge https://thehackernews.com/2020/04/adobe-software-updates.html
• Belkin pulls plug on Cloud service bricking NetCam security cameras https://www.forbes.com/sites/charlesradclyffe/2020/04/29/belkin-may-never-be-trusted-again-after-this-story/
• We're going on a vuln hunt. We're going catch a big one: Researchers find Windows bugs dominate – but fixes are fast https://www.theregister.co.uk/2020/04/28/vulnerabilities_report_9_million/
• The Man Who Picked Victorian London's Unpickable Lock https://www.mentalfloss.com/article/501820/man-who-picked-victorian-londons-unpickable-lock

Hacking / Malware / Cybercrime / Exploitation

News covering active trends and events.

• (Interesting) Shade (Troldesh) ransomware shuts down and releases decryption keys https://www.zdnet.com/article/shade-troldesh-ransomware-shuts-down-and-releases-all-decryption-keys/
• LockBit Is the New Ransomware for Hire https://arstechnica.com/information-technology/2020/05/lockbit-the-new-ransomware-for-hire-a-sad-and-cautionary-tale/
• Would You Have Fallen for This Phone Scam? https://krebsonsecurity.com/2020/04/would-you-have-fallen-for-this-phone-scam/
• Targeted Phishing Attacks Successfully Hacked Top Executives At 150+ Companies https://thehackernews.com/2020/04/targeted-phishing-attacks-successfully.html
• RDP brute-force attacks are skyrocketing due to remote working https://www.bleepingcomputer.com/news/security/rdp-brute-force-attacks-are-skyrocketing-due-to-remote-working/
• Cybercriminals are using Google reCAPTCHA to hide their phishing attacks https://www.databreaches.net/cybercriminals-are-using-google-recaptcha-to-hide-their-phishing-attacks/
• Hackers Knew How to Target PLCs in Israel Water Facility Attacks https://www.securityweek.com/hackers-knew-how-target-plcs-israel-water-facility-attacks-sources
• Ransomware: Average Business Payout Surges to $111,605 https://www.bankinfosecurity.com/ransomware-average-business-payout-surges-to-111605-a-14205
• Unusual New Ransomware Does Not Demand Cryptocurrency https://bitcoinerx.com/crime-beat/unusual-new-ransomware-does-not-demand-cryptocurrency/
• Microsoft Teams Impersonation Attacks Flood Inboxes https://threatpost.com/microsoft-teams-impersonation-attacks/155404/
• Israel Says Hackers Targeted SCADA Systems at Water Facilities https://www.securityweek.com/israel-says-hackers-targeted-scada-systems-water-facilities
• 5-Year-Long Cyber Espionage Campaign Hid in Google Play https://www.darkreading.com/endpoint/5-year-long-cyber-espionage-campaign-hid-in-google-play/d/d-id/1337676
• Microsoft Warns of Malware Hidden in Pirated Film Files https://www.darkreading.com/threat-intelligence/microsoft-warns-of-malware-hidden-in-pirated-film-files/d/d-id/1337688
• New attack traffic on TCP port 9673 (IoT) https://isc.sans.edu/diary/Attack+traffic+on+TCP+port+9673/26074
• DOJ Finds Evidence Of PPP Loan Fraud https://www.pymnts.com/news/b2b-payments/2020/doj-finds-evidence-of-ppp-loan-fraud/

Other Security / Risk

Articles covering other types of risks.

• COVID-19 Other risks and impact:

  • Canada has slipped into recession due to COVID-19 https://globalnews.ca/news/6892098/coronavirus-canada-economy-recession/
  • U.S. sees steepest quarterly GDP drop since Great Recession https://globalnews.ca/news/6881975/us-gdp-q1-2020-coronavirus/
  • When people pause the Internet goes quiet https://blog.cloudflare.com/when-people-pause/
  • Savings Rate Surges To Highest Level In 39 Years https://www.pymnts.com/news/banking/2020/savings-rate-surges-to-highest-level-in-39-years/
  • Mute buttons and decorating tips: the House of Commons stumbles through an online session https://www.cbc.ca/news/politics/covid-coronavirus-pandemic-house-of-commons-zoom-1.5548447
• The virus hunters who search bat caves to predict the next pandemic https://www.cnn.com/2020/04/26/health/virus-hunters-bat-cave-coronavirus-hnk-intl/index.html
• How well can algorithms recognize your masked face? https://arstechnica.com/tech-policy/2020/05/how-well-can-algorithms-recognize-your-masked-face/
• Return of the Asian Murder-Hornet https://bc.ctvnews.ca/asian-giant-hornets-aka-the-murder-hornet-expected-back-in-b-c-1.4922871
• New assault weapon ban does little to target criminals https://globalnews.ca/news/6896583/new-assault-weapon-ban-alberta-jason-kenney/
• Election Security in the Age of Social Distancing https://www.darkreading.com/edge/theedge/-election-security-in-the-age-of-social-distancing/b/d-id/1337693
• The Rise of Deepfakes and What That Means for Identity Fraud https://www.darkreading.com/endpoint/authentication/the-rise-of-deepfakes-and-what-that-means-for-identity-fraud/a/d-id/1337633
• Automatic Instacart Bots https://www.schneier.com/blog/archives/2020/04/automatic_insta.html
• Fooling NLP Systems Through Word Swapping https://www.schneier.com/blog/archives/2020/04/fooling_nlp_sys.html
• ‘Gargantuan’ hail in Argentina may have smashed world record https://scienmag.com/gargantuan-hail-in-argentina-may-have-smashed-world-record/
• New Model Predicts Sudden Rogue Waves https://www.scientificamerican.com/article/new-model-predicts-sudden-rogue-waves/

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• For your COVID shelter-in-place cabin fever:

  • The worlds largest puzzle at 51K pieces https://www.mentalfloss.com/article/623636/worlds-largest-puzzle-kodak (On a more modest but evil note, any of the Krypt Silver Blank, Pure White Hell, and Purple Dred jigsaw puzzles will keep you busy)
  • Kids bored - check out these science experiments https://www.mentalfloss.com/article/53612/15-science-experiments-you-can-do-your-kids
• Army researchers see path to quantum computing at room temperature https://scienmag.com/army-researchers-see-path-to-quantum-computing-at-room-temperature/
• The trees that survived the bombing of Hiroshima https://www.bbc.com/news/av/stories-52459140/the-trees-that-survived-the-bombing-of-hiroshima
• What's the Science Behind Why We Hiccup? https://www.quickanddirtytips.com/education/science/what-causes-hiccups
• How a Landmark Physics Paper from the 1970s Uncannily Describes the COVID-19 Pandemic https://blogs.scientificamerican.com/observations/how-a-landmark-physics-paper-from-the-1970s-uncannily-describes-the-covid-19-pandemic/
• These pop songs were written by OpenAI’s deep-learning algorithm https://www.technologyreview.com/2020/05/01/1000942/pop-songs-katy-perry-elvis-openai-neural-network-deep-learning-algorithm/
• (Trolling AI's) The Easy Questions That Stump Computers https://www.theatlantic.com/technology/archive/2020/05/computers-common-sense/611050/ https://globalnews.ca/news/6895038/metro-vancouver-meteor-fireball/
• Dashcam captures ‘fireball’ over Metro Vancouver in broad daylight https://globalnews.ca/news/6895038/metro-vancouver-meteor-fireball/
• So, those Navy videos showing UFOs? I’m not saying it’s not aliens, but it’s not aliens. https://www.syfy.com/syfywire/navy-videos-showing-ufos-not-aliens
• 'A new era in human spaceflight': SpaceX to launch first test flight with humans in 39 years https://www.cbc.ca/news/technology/spacex-demo-2-launch-1.5552763
• Mars Helicopter gets a Name: Ingenuity https://www.universetoday.com/145912/mars-helicopter-gets-a-name-ingenuity/
• Hubble telescope's 30th anniversary was possible because it could be repaired https://www.cbc.ca/radio/quirks/hubble-telescope-s-30th-anniversary-was-possible-because-it-could-be-repaired-1.5551996
• Our Sun is less active than similar stars https://scienmag.com/sun-is-less-active-than-similar-stars/
• First-Ever Detection of a Fast Radio Burst in Our Own Galaxy? https://www.sciencealert.com/a-galactic-magnetar-just-spat-out-something-shockingly-like-a-fast-radio-burst
• Can wormholes act like time machines? https://www.universetoday.com/145880/can-wormholes-act-like-time-machines/
• In Search of Naked Singularities https://blogs.scientificamerican.com/blogs/observations/in-search-of-naked-singularities/
• New Tests Suggest a Fundamental Constant of Physics Isn't The Same Across The Universe https://www.sciencealert.com/new-tests-suggest-the-fundamental-forces-of-nature-aren-t-constant-across-the-universe