Welcome to This Week’s [in]Security. VoIP skimmers? New breaches: New Ransomware. Contact tracing. Facial Recognition. Supreme Court and Security Research. CRA class-action. Link tax. Post-Quantum-Crypto. ICS. Raccoon. BLURtooth. BitCoin. Election Security. Nvidia/Arm. AI. Deepfaking. Covid-19: Spread, Curves, Spikes, Waves, & reinfections. Lockdown, Reopening, & The New Normal. Vaccine Progress. More of the Good, Bad, and Ugly. And more.

Note: The COVID section appears later in the article.

PCI Compliance and Payments

News and announcements relating to Payment Security, PCI, Card Brands, Payments, Payment Malware and Fraud.

• NIST and PCI SSC Find Common Ground in Development of Software Frameworks https://blog.pcisecuritystandards.org/nist-and-pci-ssc-find-common-ground-in-development-of-software-frameworks
• New PIN Verification Bypass Flaw Affects Visa Contactless Payments https://thehackernews.com/2020/09/emv-payment-card-pin-hacking.html
• Visa Issues Alert for 'Baka' JavaScript Skimmer https://www.securityweek.com/visa-issues-alert-baka-javascript-skimmer
• 2020_5 Compliance Regulations and Their Impacts on Mainframe Vulnerability Scanning (using a host based tool) https://www.krisecurity.com/compliance-regulations-mainframe-vulnerability-scanning/
• CDRThief New VoIP Linux Malware – Can Credit Card Skimmers be Far Behind? https://controlgap.com/blog/CDRThief-VoIP-Linux-Malware and https://www.zdnet.com/article/new-cdrthief-malware-targets-voip-softswitches-to-steal-call-detail-records
• Kount ecommerce Fraud Prevention for Moneris Merchants https://community.moneris.com/blogs/b/announcements/posts/kount-ecommerce-fraud-prevention-for-moneris-merchants

Breaches / Ransomware / Leaks

Covering breaches, leaks, data exposures, ransomware (as potential breach), and their fallout.

• New breaches:

  • The Internet’s Biggest Webmaster Forum Had a Data Leak https://www.databreaches.net/the-internets-biggest-webmaster-forum-had-a-data-leak/
  • Inova Suffers Third-Party Data Breach https://www.darkreading.com/attacks-breaches/inova-suffers-third-party-data-breach/d/d-id/1338872
  • Zhenhua Data leak: personal details of millions around world gathered by China tech company https://www.theguardian.com/world/2020/sep/14/zhenhua-data-full-list-leak-database-personal-details-millions-china-tech-company
  • Gaming hardware manufacturer Razer suffered a data leakSecurity Affairs https://securityaffairs.co/wordpress/108207/data-breach/razer-data-leak.html
  • Singapore Says Grab’s Fourth Privacy Breach Is Concerning https://www.bloomberg.com/news/articles/2020-09-12/singapore-says-grab-s-fourth-privacy-breach-is-concerning
  • Giggle: AI-powered 'female only' app gets in Twitter kerfuffle over breach notification https://www.theregister.com/2020/09/11/giggle_female_app_data_breach_notification/
  • CU Collections Notifies Customers of Data Security Incident https://www.databreaches.net/cu-collections-notifies-customers-of-data-security-incident/
  • US staffing firm Artech discloses ransomware attack, data breach https://www.databreaches.net/us-staffing-firm-artech-discloses-ransomware-attack-data-breach/
  • A United Airlines website bug may have exposed about 100,000 customers' ticket data, a new report claims https://www.businessinsider.com/united-airlines-website-bug-refund-data-2020-9

• New Ransomware:

  • Ransomware takes down Chile's state-owned bank https://risky.biz/newsletter25
  • Data center giant Equinix discloses ransomware incident https://www.zdnet.com/article/data-center-giant-equinix-discloses-ransomware-incident
  • SegurCaixa Adeslas activates its contingency plan due to a ransomware attack https://www.databreaches.net/segurcaixa-adeslas-activates-its-contingency-plan-due-to-a-ransomware-attack/

• Follow-ups:

  • 2020 Data Breach Investigations Report https://enterprise.verizon.com/resources/reports/dbir/
  • Ransomware: Huge rise in attacks this year as cyber criminals hunt bigger pay days https://www.zdnet.com/article/ransomware-huge-rise-in-attacks-this-year-as-cyber-criminals-hunt-bigger-pay-days/
  • Blackbaud Ransomware Victim Count Climbing https://www.databreachtoday.com/blackbaud-ransomware-victim-count-climbing-a-14972
  • Interim Report on the Blackbaud Breach: 3.4 Million Patients and Counting https://www.databreaches.net/interim-report-on-the-blackbaud-breach-3-4-million-patients-and-counting/
  • NorthShore health system reports 348,000 affected by Blackbaud breach https://www.databreaches.net/northshore-health-system-reports-348000-affected-by-blackbaud-breach/

Privacy

Articles about privacy related news, risks, and trends.

• COVID-19 Contact tracing:

  • California Still Needs Privacy Protections for COVID Tracking Apps https://www.eff.org/deeplinks/2020/09/california-still-needs-privacy-protections-covid-tracking-apps
  • Govt.-Backed Contact-Tracing Apps Raise Privacy Hackles https://threatpost.com/govt-contact-tracing-apps-privacy/159109/
• Workplace Surveillance in Times of Corona https://www.eff.org/deeplinks/2020/09/workplace-surveillance-times-corona
• Portland City Council Votes to Ban Facial Recognition https://epic.org/2020/09/portland-city-council-votes-to.html
• Swiss Official Airs Concerns About Data Privacy in US https://www.securityweek.com/swiss-official-airs-concerns-about-data-privacy-us
• Facebook May Be Ordered to Change Data Practices in Europe https://www.nytimes.com/2020/09/09/technology/facebook-european-union-data-privacy.html
• Ireland unfriends Facebook: Oh Zucky Boy, the pipes, the pipes are closing…from glen to US, and through the EU-side https://www.theregister.com/2020/09/10/facebook_ireland/ and https://www.zdnet.com/article/irish-regulators-demand-facebook-stops-sending-european-user-data-to-the-us
• Customs and Border Protection paid to access a private company's network of cameras that spans the US https://www.businessinsider.com/cbp-vigilant-learn-camera-network-tracking-2020-9

Laws & Regulations / Standards

News about laws, regulations, and standards affecting security, privacy, technology, and public interest.

• Legality of Security Research to be Decided in US Supreme Court Case https://www.darkreading.com/risk/legality-of-security-research-to-be-decided-in-us-supreme-court-case/d/d-id/1338874
• CRA's handling of COVID-19 benefit cyberattacks 'reprehensible,' alleges proposed class-action lawsuit https://www.cbc.ca/news/canada/british-columbia/cra-covid-19-benefit-cyberattacks-lawsuit-1.5705796
• Canadian Heritage Minister Guilbeault Says Social Media Sites Linking to News Content Without Payment is “Immoral” https://www.michaelgeist.ca/2020/09/canadian-heritage-minister-guilbeault-says-social-media-sites-linking-to-news-content-without-payment-is-immoral/
• As Heritage Minister Steven Guilbeault Plans Link Taxes and Internet Content Regulation, Where Is Navdeep Bains? https://www.michaelgeist.ca/2020/09/as-heritage-minister-steven-guilbeault-plans-link-taxes-and-internet-content-regulation-where-is-navdeep-bains/
• Guide to Enterprise Telework Security: Pre-Draft Call for Comments Available on Special Publication 800-46 Rev. 2 until October 30 https://csrc.nist.gov/publications/detail/sp/800-46/rev-3/draft
• More on NIST’s Post-Quantum Cryptography https://www.schneier.com/blog/archives/2020/09/more_on_nists_p.html
• Human Rights and TPMs: Lessons from 22 Years of the U.S. DMCA https://www.eff.org/deeplinks/2020/09/human-rights-and-tpms-lessons-22-years-us-dmca

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• Basic security measures could have reduced losses from cyber attacks, says insurance provider https://www.itworldcanada.com/article/basic-security-measures-could-have-reduced-losses-from-cyber-attacks-says-insurer/435633
• Five Eyes Cybersecurity Agencies Release Incident Response Guidance https://www.securityweek.com/five-eyes-cybersecurity-agencies-release-incident-response-guidance
• The Third Edition of Ross Anderson’s Security Engineering https://www.schneier.com/blog/archives/2020/09/the_third_editi.html
• Goodbye Feature Policy and hello Permissions Policy! https://scotthelme.co.uk/goodbye-feature-policy-and-hello-permissions-policy/
• STRONTIUM: Detecting new patterns in credential harvesting https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/
• Microsoft Announces Public Preview of Automatic VM Guest Patching in Azure https://www.securityweek.com/microsoft-announces-public-preview-automatic-vm-guest-patching-azure
• Google Reveals Work Profile Privacy Features in Android 11 https://www.securityweek.com/google-reveals-work-profile-privacy-features-android-11
• Gain thinking time - the rule of awkward silence https://www.inc.com/justin-bariso/intelligent-minds-like-tim-cook-jeff-bezos-embrace-rule-of-awkward-silence-you-should-too.html

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• Microsoft Patch Tuesday, Sept. 2020 Edition https://krebsonsecurity.com/2020/09/microsoft-patch-tuesday-sept-2020-edition/
• Windows 10 themes can be abused to steal Windows passwords https://www.databreaches.net/windows-10-themes-can-be-abused-to-steal-windows-passwords/
• Palo Alto Networks Patches 6 Firewall Vulnerabilities https://www.databreachtoday.com/palo-alto-networks-patches-6-firewall-vulnerabilities-a-14977
• CVE-2020-2040: Critical Buffer Overflow Vulnerability in PAN-OS Devices Disclosed https://www.tenable.com/blog/cve-2020-2040-critical-buffer-overflow-vulnerability-in-pan-os-devices-disclosed
• Don't be BlindSided: Watch speculative memory probing bypass kernel defenses, give malware root control https://www.theregister.com/2020/09/10/dont_be_blindsided_speculative_memory/
• Vulnerabilities in CodeMeter Licensing Product Expose ICS to Remote Attacks https://www.securityweek.com/vulnerabilities-codemeter-licensing-product-expose-ics-remote-attacks and https://threatpost.com/severe-industrial-bugs-takeover-critical-systems/159068/
• The Life Cycle of a Compromised (Cloud) Server https://www.trendmicro.com/en_us/research/20/i/the-life-cycle-of-a-compromised-cloud-server.html
• Raccoon attack allows hackers to break TLS encryption 'under certain conditions' https://www.zdnet.com/article/raccoon-attack-allows-hackers-to-break-tls-encryption-under-certain-conditions
• BLURtooth vulnerability lets attackers overwrite Bluetooth authentication keys https://www.zdnet.com/article/blurtooth-vulnerability-lets-attackers-overwrite-bluetooth-authentication-keys and https://threatpost.com/bluetooth-bug-mitm-attacks/159124/
• Researcher kept a major Bitcoin bug secret for two years to prevent attacks https://www.databreaches.net/researcher-kept-a-major-bitcoin-bug-secret-for-two-years-to-prevent-attacks/
• WordPress Plugin Flaw Allows Attackers to Forge Emails https://threatpost.com/wordpress-plugin-flaw/159172/
• Kids' Smartwatches Are a Security Nightmare Despite Years of Warnings https://www.wired.com/story/kid-smartwatch-security-vulnerabilities

Hacking / Malware / Cybercrime / Exploitation

News covering active trends and events.

• Office 365 Phishing Attack Leverages Real-Time Active Directory Validation https://threatpost.com/office-365-phishing-attack-leverages-real-time-active-directory-validation/159188/
• Spyware Labeled ‘TikTok Pro’ Exploits Fears of U.S. Ban https://threatpost.com/spyware-labeled-tiktok-pro-exploits-fears-of-us-ban/159050/
• Russian Military Hackers Targeted Credentials at Hundreds of Organizations in US, UK https://www.securityweek.com/russian-military-hackers-targeted-credentials-hundreds-organizations-us-uk
• Russian, Chinese and Iranian hackers all targeting 2020 election, Microsoft says https://www.cnn.com/2020/09/10/politics/microsoft-election-hacking-report/index.html
• The Russian hackers who interfered in 2016 were spotted targeting the 2020 US election https://www.technologyreview.com/2020/09/10/1008297/the-russian-hackers-who-interfered-in-2016-were-spotted-targeting-the-2020-us-election/
• Microsoft confirms Chinese, Iranian, and Russian cyber-attacks on Biden and Trump campaigns https://www.zdnet.com/article/microsoft-confirms-chinese-iranian-and-russian-cyber-attacks-on-biden-and-trump-campaigns
• Biden campaign firm targeted by Russian hackers, no breach detected https://globalnews.ca/news/7325954/russia-biden-campaign-hacked/
• Russia’s Fancy Bear Hackers Are Hitting US Campaign Targets Again https://www.wired.com/story/russias-fancy-bear-hackers-are-hitting-us-campaign-targets-again
• DOJ Says Russian Went Beyond Election Disinformation https://www.databreachtoday.com/doj-says-russian-went-beyond-election-disinformation-a-14984
• Three middle-aged Dutch hackers slipped into Donald Trump's Twitter account days before 2016 US election https://www.theregister.com/2020/09/11/trump_twitter_account_recycled_password/
• Now that's a somewhat unexpected insider threat: Zoombombings mostly blamed on rogue participants https://www.theregister.com/2020/09/10/zoombombing_attacks_texas/
• Adult site users targeted with malicious ads redirecting to exploit kits, malware using Flash, IE https://www.zdnet.com/article/adult-site-users-targeted-with-malicious-ads-redirecting-to-exploit-kits-malware/

Other Security / Risk

Articles covering other types of risks.

• COVID-19 Other risks and impact:

  • (Opinion)How Covid-19 Signals the End of the American Era https://www.rollingstone.com/politics/political-commentary/covid-19-end-of-american-era-wade-davis-1038206/
• Nvidia is acquiring Arm for $40 billion https://www.theverge.com/2020/9/13/21435507/nvidia-acquiring-arm-40-billion-chips-ai-deal
• A robot wrote this entire article. Are you scared yet, human? https://www.theguardian.com/commentisfree/2020/sep/08/robot-wrote-this-article-gpt-3
• AI supervillains https://aiweirdness.com/post/628791398606471168
• (RYO AI is probably a bad thing)A sheriff launched an algorithm to 'predict' who might commit a crime. Dozens of people said they were harassed by deputies for no reason. https://www.businessinsider.com/predictive-policing-algorithm-monitors-harasses-families-report-2020-9
• I learned to make a lip-syncing deepfake in just a few hours (and you can, too) https://www.theverge.com/21428653/lip-sync-ai-deepfake-wav2lip-code-how-to
• Deloitte Becomes First Of Big Four To Break Up Business https://www.pymnts.com/news/b2b-payments/2020/deloitte-becomes-first-of-big-four-to-break-up-business/
• Hundreds of customers say Amazon's own products are melting, exploding and even bursting into flames https://edition.cnn.com/2020/09/10/business/amazonbasics-electronics-fire-safety-invs/index.html
• The Most Common Pain Relief Drug in The World Induces Risky Behaviour https://www.sciencealert.com/the-most-common-pain-relief-drug-in-the-world-induces-risky-behaviour-study-finds
• Hundreds of people planted Chinese mystery seeds delivered to them https://www.vice.com/en_us/article/akz9qk/hundreds-of-americans-planted-chinese-mystery-seeds
• A Successful Self-Service Password Reset (SSPR) Project Requires User Adoption https://thehackernews.com/2020/09/self-service-password-reset.html
• Winnipeg cop loses magazine, ammo https://globalnews.ca/news/7324595/winnipeg-cop-loses-magazine-ammo/
• Why more municipalities are putting radio-frequency tags on garbage bins https://www.cbc.ca/news/canada/edmonton/more-municipalities-putting-radio-frequency-tags-garbage-1.5716251
• Turns Out There's Another Ocean Creature That Scares The Hell Out of Great White Sharks https://www.sciencealert.com/turns-out-there-s-another-ocean-creature-that-scares-the-hell-out-of-great-white-sharks
• (They spent money on this?)Phone calls create stronger bonds than text-based communications https://scienmag.com/phone-calls-create-stronger-bonds-than-text-based-communications/
• Earth Is Barreling Toward a 'Hothouse' State Not Seen in 50 Million Years https://www.sciencealert.com/scientists-say-earth-is-barreling-toward-hothouse-state-not-seen-in-50-million-years
• Voting by mail in NJ 2020 https://freedom-to-tinker.com/2020/09/12/voting-by-mail-in-nj-2020/
• Toronto police enhancing training following discussions on Suicide Prevention Day https://globalnews.ca/news/7328387/toronto-police-suicide-prevention-day/
• Body cameras may have little effect on police and citizen behaviors https://scienmag.com/body-cameras-may-have-little-effect-on-police-and-citizen-behaviors/

COVID-19 updates.

COVID related articles. We have been following coronavirus risks since https://controlgap.com/blog/this-weeks-insecurity-issue-147.

• The spread, curves, spikes, and waves - now reinfection:

  • WHO reports record daily rise in new infections https://www.bbc.co.uk/news/world-54142502
  • India sets another global record for new cases in a single day https://edition.cnn.com/world/live-news/coronavirus-pandemic-09-10-20-intl/h_2783aafa073d1c649eb8df21bf28eeaa
  • Cases in France leap past 10,000 a day https://www.bbc.co.uk/news/world-europe-54137319
  • 4 U.S. teachers die of coronavirus after school year begins https://globalnews.ca/news/7326056/u-s-teacher-deaths-coronavirus-school-year/
  • Frequent weddings in cross-border Peace Arch Park spur COVID-19 concerns https://globalnews.ca/news/7324970/peace-arch-border-weddings/
  • COVID-19 outbreak declared at Auburn Bay school in Calgary https://globalnews.ca/news/7332808/covid-19-outbreak-declared-at-auburn-bay-school-in-calgary/
  • Canada adds 630 new coronavirus cases as worldwide tally hits 28M https://globalnews.ca/news/7328026/canada-coronavirus-cases-sept-10/
  • Quebec reports 188 new COVID-19 cases as hospitalizations rise again https://globalnews.ca/news/7326379/quebec-coronavirus-sept-10/
  • Nova Scotia investigates 1st possible COVID-19 reinfection https://globalnews.ca/news/7324366/covid-19-reinfection-canada/

• Lockdown, reopening, and The New Normal:

  • Ontario will publicly report school outbreaks https://globalnews.ca/news/7324607/ontario-will-report-school-coronavirus-outbreaks-ford-says/
  • Parks closed, tickets handed out for students partying in Kingston https://globalnews.ca/news/7325990/kingston-students-tickets-partying-parks-closed-coronavirus/
  • Social gatherings above six banned in England from 14 September https://www.bbc.co.uk/news/uk-54081131
  • Paging Dr. Hamblin: Why Didn’t America’s Shutdowns Work? https://www.theatlantic.com/health/archive/2020/09/united-states-lockdown-again/616228/

• Treatments, Testing, Triage, and Trials, and things we learned:

  • Covid vaccine: 8,000 jumbo jets needed to deliver doses globally https://www.bbc.co.uk/news/business-54067499
  • Designed antiviral proteins inhibit SARS-CoV-2 in the lab https://scienmag.com/designed-antiviral-proteins-inhibit-sars-cov-2-in-the-lab/
  • Small proteins against SARS-CoV-2 neutralize infection in cell culture https://scienmag.com/small-proteins-against-sars-cov-2-neutralize-infection-in-cell-culture/
  • World's Leading COVID-19 Vaccine Trial Was Just Put on Hold Due to Safety Concerns https://www.sciencealert.com/coronavirus-setback-after-leading-vaccine-trial-is-put-on-hold-over-safety-concerns
  • Patient who prompted vaccine trial pause developed severe neurological symptoms https://www.ctvnews.ca/health/coronavirus/patient-who-prompted-vaccine-trial-pause-developed-severe-neurological-symptoms-1.5099757
  • Why a pause on AstraZeneca’s coronavirus vaccine trial isn’t entirely bad news https://globalnews.ca/news/7323701/astrazeneca-coronavirus-vaccine-experts/
  • The Oxford University COVID-19 Vaccine Trial Is Officially Back On https://www.sciencealert.com/the-oxford-university-covid-19-vaccine-trial-has-officially-started-again
  • Scientists Concerned Over 'Data Inconsistencies' in Russian COVID-19 Vaccine Trial https://www.sciencealert.com/researchers-raise-concerns-over-russia-s-vaccine-trial-s-data-inconsistencies
  • These Are The World's Most Troubling Hotspots of Vaccine Hesitancy https://www.sciencealert.com/vaccine-confidence-is-a-problem-around-the-globe-here-are-the-concerning-hotspots
  • These Are The Key Reasons Parents Are Hesitant to Vaccinate Their Children https://www.sciencealert.com/disgust-and-mistrust-are-key-reasons-parents-are-hesitant-to-vaccinate-their-children-new-study-finds
  • Mark Zuckerberg says Facebook won't remove anti-vaccine posts despite Covid concerns https://www.theguardian.com/technology/2020/sep/09/mark-zuckerberg-facebook-not-rightwing-echo-chamber
  • Seven in 10 Americans willing to get COVID-19 vaccine, survey finds https://scienmag.com/seven-in-10-americans-willing-to-get-covid-19-vaccine-survey-finds/
  • A Toronto woman contracted coronavirus in March. She’s still exhibiting symptoms https://globalnews.ca/news/7318344/what-is-a-coronavirus-long-hauler/
  • Punctured lung affects one in a 100 hospitalized COVID-19 patients https://scienmag.com/punctured-lung-affects-one-in-a-100-hospitalized-covid-19-patients/
  • Coronavirus: How It Infects Us and How We Might Stop It https://www.scientificamerican.com/video/coronavirus-how-it-infects-us-and-how-we-might-stop-it/
  • A supercomputer found a promising theory about why COVID-19 cases go downhill fast. It even explains the bizarre range of symptoms. https://www.businessinsider.com/coronavirus-symptoms-supercomputer-theory-bradykinin-storm-2020-9
  • Antibody responses in COVID-19 patients could guide vaccine design https://scienmag.com/antibody-responses-in-covid-19-patients-could-guide-vaccine-design/

• Behaviour - the good, the bad, and the ugly:

  • A group of students knew they had covid-19. They hosted a party over Labor Day anyway. https://www.washingtonpost.com/nation/2020/09/11/miami-university-ohio-party-covid-19/

• Masks, anti-maskers, and distancing:

  • Family’s WestJet flight privileges ‘revoked’ following Tuesday mask incident https://calgaryherald.com/news/local-news/familys-westjet-flight-privileges-revoked-following-tuesday-mask-incident
  • ‘A little bit befuddling’: Saskatoon store’s anti-mask sign sparks concern https://globalnews.ca/news/7325202/saskatoon-store-anti-mask-sign/
  • New York announces $50 fine for anyone who rides the subway, bus, or train without a mask https://www.businessinsider.com/new-york-50-dollar-fine-subway-bus-train-without-mask-2020-9

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• Can plastic-eating mealworms help solve our pollution crisis? https://www.cnn.com/2020/09/10/world/mealworms-bacteria-plastic-waste-c2e-spc-intl/index.html
• Scientists turn nuclear waste into diamond batteries https://bigthink.com/philip-perry/scientists-turn-nuclear-waste-in-diamond-batteries-thatll-last-for-thousands-of-years
• Bricks Can Be Turned into Batteries https://www.scientificamerican.com/podcast/episode/bricks-can-be-turned-into-batteries/
• First U.S. Small Nuclear Reactor Design Is Approved https://www.scientificamerican.com/article/first-u-s-small-nuclear-reactor-design-is-approved/
• Experiments reveal why human-like robots elicit uncanny feelings https://scienmag.com/experiments-reveal-why-human-like-robots-elicit-uncanny-feelings/
• How Good a Diet Is Intermittent Fasting? https://www.scientificamerican.com/article/how-good-a-diet-is-intermittent-fasting/
• Amateur Astronomer Finds Kilometer-size Asteroid https://skyandtelescope.org/astronomy-news/amateur-astronomer-finds-kilometer-size-asteroid/
• (Astronomers get all the cool toys) The world's largest digital camera has taken the first 3,200 megapixel photo https://www.zdnet.com/article/the-worlds-largest-digital-camera-has-taken-the-first-3200-megapixel-photo/
• Mystery of Jupiter's persistent geometric storms may be solved https://www.space.com/jupiter-polar-vortices-stability.html