Welcome to This Week’s [in]Security. DSS Evolution. Compliance drops. ATMs. Magecart. TR-31. New breaches: New Ransomware. Contact tracing. Backdoors. NIST. DST Forever. Risk based auth. Win7. SMS2FA. Anti-Virus. new ACAS. And Dumber. Trickbot Disruption. Media Bias. Disinformation. AI fallibility. Health, Safety & Environment. Covid-19: Spread, Curves, Spikes, Waves, & reinfections. Disinformation. And more.

PCI Compliance and Payments

News and announcements relating to Payment Security, PCI, Card Brands, Payments, Payment Malware and Fraud.

• PCI Security Standards Council Provides Insights Into Evolution of the PCI Data Security Standard at Annual Community Meeting https://www.pcisecuritystandards.org/about_us/press_releases/pr_10092020
• PCI DSS Compliance Slumps 28% Since 2016 https://www.infosecurity-magazine.com/news/pci-dss-compliance-slumps-28-since/
• PCI & ATMIA: Beware of ATM Cash-Outs https://blog.pcisecuritystandards.org/pci-ssc-and-atmia-share-guidance-and-information-on-protecting-against-atm-cash-out and https://www.pcisecuritystandards.org/about_us/press_releases/pr_10072020
• Cybercriminals Target Conference Platform With Payment Card Skimmer https://www.securityweek.com/cybercriminals-target-conference-platform-payment-card-skimmer
• Boom! Mobile falls prey to Magecart card-skimming attack https://www.zdnet.com/article/boom-mobile-falls-prey-to-magecart-card-skimming-attack
• Credit card fraud in Europe hits $1.83B https://www.mobilepaymentstoday.com/news/credit-card-fraud-in-europe-hits-155-billion-euros/
• TR-31 and AS 2805 (Non)equivalence report https://eprint.iacr.org/2020/1196

Breaches / Ransomware / Leaks

Covering breaches, leaks, data exposures, ransomware (as potential breach), and their fallout.

• New breaches:

  • Shopify announces data breach affecting fewer than 200 merchants https://ca.finance.yahoo.com/news/shopify-announces-data-breach-affecting-fewer-than-200-merchants-210547475.html
  • WiziShop - 2,856,769 breached accounts https://haveibeenpwned.com/PwnedWebsites#WiziShop
  • Chowbus - 444,224 breached accounts https://haveibeenpwned.com/PwnedWebsites#Chowbus
  • Dr Lal PathLabs, one of India’s largest blood test labs, exposed patient data https://www.databreaches.net/dr-lal-pathlabs-one-of-indias-largest-blood-test-labs-exposed-patient-data/
  • University Hospital Limerick writing to 630 patients after alleged major data breach which saw information posted on Twitter https://www.databreaches.net/university-hospital-limerick-writing-to-630-patients-after-alleged-major-data-breach-which-saw-information-posted-on-twitter/
  • Medical data of 150 Toronto hospital patients allegedly used to extort money from company https://www.databreaches.net/medical-data-of-150-toronto-hospital-patients-allegedly-used-to-extort-money-from-company/

• New Ransomware:

  • COVID-19 Clinical Trials Slowed After Ransomware Attack https://threatpost.com/covid-19-clinical-trials-ransomware/159877/
  • Lake George Land Conservancy reports they recovered from a ransomware attack by use of a backup, no ransom paid https://www.databreaches.net/lake-george-land-conservancy-reports-they-recovered-from-a-ransomware-attack-by-use-of-a-backup-no-ransom-paid/
  • German tech giant Software AG down after ransomware attack https://www.zdnet.com/article/german-tech-giant-software-ag-down-after-ransomware-attack/
  • UN Maritime Agency Hit by 'Sophisticated Cyberattack' https://www.securityweek.com/un-maritime-agency-hit-sophisticated-cyberattack and https://www.zdnet.com/article/un-maritime-agency-says-it-was-hacked
  • Ransomware Attack Hits Clinical Trial Software Vendor https://www.databreachtoday.com/ransomware-attack-hits-clinical-trial-software-vendor-a-15125

• Follow-ups and fall-out:

  • Why Regulators Got Tough With H&M https://www.databreachtoday.com/interviews/analysis-regulators-got-tough-hm-i-4779
  • More Breach Fines for Community Health Systems https://www.databreachtoday.com/more-breach-fines-for-community-health-systems-a-15142
  • B.C. appeal court green-lights data breach class action lawsuit https://www.itworldcanada.com/article/b-c-appeal-court-green-lights-data-breach-class-action-lawsuit/435911
  • Blackbaud Data Breach: Non-Profit Foundations (Part One) https://www.databreaches.net/blackbaud-data-breach-non-profit-foundations-part-one/

Privacy

Articles about privacy related news, risks, and trends.

• COVID-19 Contact tracing:

  • Four Million Downloads and Counting: Everyone Should Install the COVID Alert App https://www.michaelgeist.ca/2020/10/four-million-downloads-and-counting-everyone-should-install-the-covid-alert-app/
• To Surveil and Predict: A Human Rights Analysis of Algorithmic Policing in Canada https://citizenlab.ca/2020/09/to-surveil-and-predict-a-human-rights-analysis-of-algorithmic-policing-in-canada/
• Fitbit Spyware Steals Personal Data via Watch Face https://threatpost.com/fitbit-personal-data-watch-face/160003/
• Indoor Drones Raise Privacy Law Risks https://www.sans.org/blog/indoor-drones-raise-privacy-law-risksuntitled
• Announcing Global Privacy Control in Privacy Badger https://www.eff.org/gpc-privacy-badger

Laws & Regulations / Standards

News about laws, regulations, and standards affecting security, privacy, technology, and public interest.

• Orders from the Top: The EU’s Timetable for Dismantling End-to-End Encryption https://www.eff.org/deeplinks/2020/10/orders-top-eus-timetable-dismantling-end-end-encryption
• Swiss-Swedish Diplomatic Row Over Crypto AG https://www.schneier.com/blog/archives/2020/10/swiss-swedish-diplomatic-row-over-crypto-ag.html
• Congress Agrees: Big Tech Is Broken. https://www.nytimes.com/2020/10/07/technology/congress-big-tech.html

• New NIST:

  • Cybersecurity Framework Version 1.1 Manufacturing Profile: NISTIR 8183 Revision 1 https://csrc.nist.gov/publications/detail/nistir/8183/rev-1/final
  • NIST has released an updated Risk Management Framework for Systems and Organizations Introductory Course https://csrc.nist.gov/Projects/risk-management/rmf-training
• Five bar and cafe owners arrested in France for running no-log WiFi networks https://www.zdnet.com/article/five-bar-and-cafe-owners-arrested-in-france-for-running-no-log-wifi-networks
• Here's US Homeland Security collaring a suspected arsonist after asking Google for the IP addresses of folks who made a specific search https://www.theregister.com/2020/10/09/google_search_arrest/
• Cisco's $2.6 Billion Network Security Patent Infringement https://www.databreachtoday.com/ciscos-26-billion-network-security-patent-infringement-a-15145
• Ontario MPP puts forward bill to make Daylight Saving Time standard time https://globalnews.ca/news/7384245/ontario-mpp-bill-end-daylight-saving-time/ (Why this may be the wrong choice https://medium.com/@herf/why-standard-time-is-better-e586b500923))

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• On Risk-Based Authentication https://www.schneier.com/blog/archives/2020/10/on-risk-based-authentication.html
• Facebook Debuts Bug-Bounty ‘Loyalty Program’ https://threatpost.com/facebook-bug-bounty-loyalty-program/159993/
• Microsoft Paid Out Over $374,000 for Azure Sphere Vulnerabilities https://www.securityweek.com/microsoft-paid-out-over-374000-azure-sphere-vulnerabilities
• Welcoming the Canadian Government to Have I Been Pwned https://www.troyhunt.com/welcoming-the-canadian-government-to-have-i-been-pwned/
• Building an Information Security Program Post-Breach Part II https://www.sans.org/blog/building-an-information-security-program-post-breach-part-ii
• Google’s Chrome 86: Critical Payments Bug, Password Checker Among Security Notables https://threatpost.com/google-chrome-86-critical-payments-bug-password-check/159938/
• Google is adding cross-app account security alerts on iOS https://www.theverge.com/2020/10/7/21505036/google-security-alert-cross-app-guest-mode-assistant-safety-center

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• Poll results: Here's why people are sticking with Windows 7 https://www.zdnet.com/article/poll-results-heres-why-people-are-sticking-with-windows-7/
• Why You Should Stop Using SMS Security Codes—Even On Apple iMessage https://www.forbes.com/sites/zakdoffman/2020/10/11/apple-iphone-imessage-and-android-messages-sms-passcode-security-update/
• New Flaws in Top Antivirus Software Could Make Computers More Vulnerable https://thehackernews.com/2020/10/antivirus-software-vulnerabilities.html
• Microsoft Azure Flaws Open Admin Servers to Takeover https://threatpost.com/microsoft-azure-flaws-servers-takeover/159965/
• CVE-2020-6925, CVE-2020-6926, CVE-2020-6927: Multiple Vulnerabilities in HP Device Manager https://www.tenable.com/blog/cve-2020-6925-cve-2020-6926-cve-2020-6927-multiple-vulnerabilities-in-hp-device-manager
• 55 New Security Flaws Reported in Apple Software and Services https://thehackernews.com/2020/10/apple-security.html
• Android's October 2020 Security Update Patches 48 Vulnerabilities https://www.securityweek.com/androids-october-2020-security-update-patches-48-vulnerabilities
• Hackers claim they can now jailbreak Apple's T2 security chip https://www.zdnet.com/article/hackers-claim-they-can-now-jailbreak-apples-t2-security-chip
• Hackers exploit Windows Error Reporting service in new fileless attack https://www.zdnet.com/article/hackers-exploit-windows-error-reporting-service-in-new-fileless-attack
• Tenda Router Zero-Days Emerge in Spyware Botnet Campaign https://threatpost.com/tenda-router-zero-days-spyware-botnet/159834/
• Comcast TV Remote Hack Opens Homes to Snooping https://threatpost.com/comcast-tv-remote-homes-snooping/159899/
• Enter the Vault: Authentication Issues in HashiCorp Vault https://googleprojectzero.blogspot.com/2020/10/enter-the-vault-auth-issues-hashicorp-vault.html
• Meet the new aviation insecurity, same as the old aviation insecurity: Next-gen ACAS X just as vulnerable to spoofing as its predecessor https://www.theregister.com/2020/10/06/acasx_spoofing_vulnerability/
• "Breaking Into a Smart Home With A Laser Video - Smarter Every Day 229" https://youtu.be/ozIKwGt38LQ

Hacking / Malware / Cybercrime / Exploitation

News covering active trends, alerts, events.

• US Warns: Hackers Chaining Zerologon, Other Vulnerabilities https://www.databreachtoday.com/us-warns-hackers-chaining-zerologon-other-vulnerabilities-a-15152
• Russia-Linked Hackers Targeting Russian Industrial Organizations https://www.securityweek.com/russia-linked-hackers-targeting-russian-industrial-organizations
• BAHAMUT Spies-for-Hire Linked to Extensive Nation-State Activity https://threatpost.com/bahamut-spies-nation-state/159925/
• Amid an Embarrassment of Riches, Ransom Gangs Increasingly Outsource Their Work https://www.databreaches.net/amid-an-embarrassment-of-riches-ransom-gangs-increasingly-outsource-their-work/
• Custom-made UEFI bootkit found lurking in the wild https://arstechnica.com/information-technology/2020/10/custom-made-uefi-bootkit-found-lurking-in-the-wild/ and https://threatpost.com/bootkit-malware-north-korea-diplomats/159846/
• Hacker Uploads Own Fingerprints To Crime Scene In Dumbest Cyber Attack Ever https://www.forbes.com/sites/daveywinder/2020/10/04/hacker-uploads-own-fingerprints-to-crime-scene-in-dumbest-cyberattack-ever/
• US seizes Iranian government domains masked as legitimate news outlets https://www.zdnet.com/article/us-seizes-iranian-government-domains-masked-as-legitimate-news-outlets
• U.S. Cyber Command Behind Trickbot Disruption Tricks https://krebsonsecurity.com/2020/10/report-u-s-cyber-command-behind-trickbot-tricks/
• Hackers Breached Telegram, Email Accounts of 20 Israeli Crypto Execs https://www.databreaches.net/hackers-breached-telegram-email-accounts-of-20-israeli-crypto-execs-report/
• Industrial Espionage Campaign Uncovered https://www.databreachtoday.com/industrial-espionage-campaign-uncovered-a-15148
• John McAfee Arrested in Spain, and U.S. Seeks Extradition https://www.nytimes.com/2020/10/06/business/mcafee-arrested-tax-evasion.html

Other Security / Risk

Articles covering other types of risks.

• Bulletproof TLS Newsletter 69 https://www.feistyduck.com/bulletproof-tls-newsletter/issue_69_raccoon_attack_shows_design_flaw_in_old_tls
• Intro to The Media Bias Chart https://www.adfontesmedia.com/intro-to-the-media-bias-chart/

• Disinformation:

  • The Post-Fact Age: How to Teach News Literacy https://www.cambridge.org/elt/blog/2020/09/29/post-fact-age-how-teach-news-literacy/
  • False Rumors Often Start at the Top https://www.nytimes.com/2020/10/08/technology/misinformation-communication.html
  • Facebook to ban QAnon-themed groups, pages and accounts in crackdown https://www.theguardian.com/technology/2020/oct/06/qanon-facebook-ban-conspiracy-theory-groups
  • Etsy is banning QAnon merch https://www.theverge.com/2020/10/7/21505911/etsy-qanon-merch-ban

• AI fallibility:

  • Split-Second ‘Phantom’ Images Can Fool Tesla’s Autopilot https://www.wired.com/story/tesla-model-x-autopilot-phantom-images
  • Facebook's nudity-spotting AI mistook a photo of some onions for 'sexually suggestive' content https://www.businessinsider.com/facebook-mistakes-onions-for-sexualised-content-2020-10
  • Facebook’s Most Recent Transparency Report Demonstrates the Pitfalls of Automated Content Moderation https://www.eff.org/deeplinks/2020/10/facebooks-most-recent-transparency-report-demonstrates-pitfalls-automated-content
• Hidden cameras and secret trackers reveal where Amazon returns end up https://www.cbc.ca/news/canada/marketplace-amazon-returns-1.5753714
• Canada preparing for possibility of ‘some disruptions’ if U.S. election results unclear https://globalnews.ca/news/7386254/justin-trudeau-us-election-disruptions/
• Canada suspends exports of military drone technology to Turkey https://www.cbc.ca/news/politics/canada-turkey-drone-azerbaijan-armenia-1.5751266

• Health, Safety & Environment:

  • Poisonous furry caterpillars that look like wigs are popping up in Virginia https://www.businessinsider.com/poisionous-furry-puss-caterpillars-sighted-in-virginia-2020-10
  • Giant hogweed: One man's battle against 'toxic invader' https://www.bbc.co.uk/news/science-environment-54444038
  • How a Chilean raspberry scam made its way into Canada leading to a norovirus outbreak https://globalnews.ca/news/7380531/chilean-raspberry-scam-canada-norovirus-outbreak/
  • Setting a TRAP for pandemic-causing viruses https://scienmag.com/setting-a-trap-for-pandemic-causing-viruses/
  • As The World Focuses on Coronavirus Another Devastating Health Threat Is Brewing https://www.sciencealert.com/as-the-world-focuses-on-coronavirus-another-devastating-health-threat-is-brewing and https://www.sciencealert.com/a-bacterial-clone-is-behind-a-concerning-comeback-in-this-historical-epidemic
  • First relatives of rubella virus discovered in bats in Uganda and mice in Germany https://scienmag.com/first-relatives-of-rubella-virus-discovered-in-bats-in-uganda-and-mice-in-germany/
  • New Tinnitus Treatment Alleviates Annoying Ringing in the Ears https://www.scientificamerican.com/article/new-tinnitus-treatment-alleviates-annoying-ringing-in-the-ears1/

• Other risks relating to COVID and the new normal:

  • The post-pandemic future for major consultancies like PwC, Boston Consulting Group, and KPMG, and how they're adapting to the new normal. https://www.businessinsider.com/presenting-insiders-kpmg-pwc-bcg-future-management-consulting-2020-10
  • What CEOs Really Think About Remote Work https://www.wsj.com/articles/what-ceos-really-think-about-remote-work-11600853405
  • This FBI Wi-Fi warning could spoil your working from home escape plan https://www.zdnet.com/article/this-fbi-wi-fi-warning-could-spoil-your-working-from-home-escape-plan/
  • Infection Fears Could Give a Boost to a ‘Reverse ATM’ That Takes in Cash, Dispenses Cards https://www.digitaltransactions.net/infection-fears-could-give-a-boost-to-a-reverse-atm-that-takes-in-cash-dispenses-cards/

COVID-19 updates.

COVID related articles. We have been following coronavirus risks since https://controlgap.com/blog/this-weeks-insecurity-issue-147.

• The spread, curves, spikes, and waves - now reinfection:

  • This Data Scientist Has A Grim Pandemic Prediction https://sector.ca/this-data-scientist-has-a-grim-pandemic-prediction/
  • COVID-score: A tool to evaluate public perception of countries’ response to the pandemic https://scienmag.com/covid-score-a-tool-to-evaluate-public-perception-of-countries-response-to-the-pandemic/
  • How to tell which countries are coping best with Covid https://www.bbc.co.uk/news/world-europe-54391482
  • Canada adds 1,795 new coronavirus cases a day after setting daily record https://globalnews.ca/news/7384391/coronavirus-canada-october-7/
  • Ontario reports new record of 797 coronavirus cases, nearly 48.5K tests https://globalnews.ca/news/7385699/ontario-coronavirus-cases-october-8-covid19/
  • Ontario coronavirus: Nearly 50 COVID-19 cases linked to Hamilton spin studio https://www.cp24.com/news/47-cases-of-covid-19-linked-to-hamilton-spin-studio-1.5141686
  • 12 states reported record coronavirus case counts this weekend. This could be the beginning of the second wave. https://www.businessinsider.com/12-states-broke-coronavirus-infection-records-this-weekend-2020-10
  • Schools Aren’t Super-Spreaders https://www.theatlantic.com/ideas/archive/2020/10/schools-arent-superspreaders/616669/
  • Patients at Toronto hospital raise concerns about waiting room experience https://globalnews.ca/news/7380089/coronavirus-north-york-general-hospital-emergency-room/
  • Nearly 60% of coronavirus tests in Argentina return positive — the world’s highest rate https://globalnews.ca/news/7380368/coronavirus-argentina-infection-rate/
  • 34 people in Trump's orbit have tested positive for the coronavirus https://www.businessinsider.com/leaked-fema-report-34-people-trump-orbit-coronavirus-2020-10
  • U.S. Marine general tests positive for coronavirus after Pentagon meeting https://globalnews.ca/news/7385124/marine-general-coronavirus/

• Guidance, Response and Recovery:

  • WHO official urges world leaders to stop using lockdowns as primary virus control method https://www.washingtonexaminer.com/news/who-official-urges-world-leaders-to-stop-using-lockdowns-as-primary-virus-control-method
  • Northern towns straddling Canada-U.S. border push to become a pandemic bubble https://www.cbc.ca/news/canada/british-columbia/hyder-stewart-pandemic-restrictions-1.5752443
  • Operation Red Nose cancels drive-home service for holiday season due to COVID-19 https://globalnews.ca/news/7383136/operation-red-nose-nez-rouge-coronavirus/
  • U.S. government won't say why it allows Canadians to fly to U.S. despite border closure https://www.cbc.ca/news/business/canada-u-s-border-closure-fly-travel-covid-19-1.5754763
  • Boris Johnson's scientific advisers want 'urgent and drastic action' to stop a surge of coronavirus deaths in the UK https://www.businessinsider.com/england-faces-new-lockdown-as-coronavirus-cases-surge-2020-10

• Treatments, Testing, Triage, and Trials, and things we learned:

  • How an Excel 1M row limit may have caused loss of 16,000 test results in England https://www.theguardian.com/politics/2020/oct/05/how-excel-may-have-caused-loss-of-16000-covid-tests-in-england
  • Rapid bedside test shows promise in hospitals https://www.bbc.co.uk/news/health-54468993
  • Faster COVID-19 testing with simple algebraic equations https://scienmag.com/faster-covid-19-testing-with-simple-algebraic-equations/

• Things we learned:

  • COVID-19 Is Now the Third Leading Cause of Death in the U.S. https://www.scientificamerican.com/article/covid-19-is-now-the-third-leading-cause-of-death-in-the-u-s1/
  • CDC Finally Admitted How Far The Coronavirus Actually Travels in Enclosed Spaces https://www.sciencealert.com/the-cdc-has-just-updated-its-guidelines-coronavirus-can-travel-further-than-6-feet-in-poorly-ventilated-spaces
  • Canada still downplays risk of airborne spread of coronavirus despite WHO, CDC guidance https://www.cbc.ca/news/health/coronavirus-canada-airborne-spread-1.5758114
  • Detecting SARS-CoV-2 in the environment https://scienmag.com/detecting-sars-cov-2-in-the-environment/
  • COVID-19 virus can survive on smartphone screens for 28 days, claims researchers https://www.zdnet.com/article/covid-19-virus-can-survive-on-smartphone-screens-for-28-days-claims-researchers/
  • Do eyeglasses help keep coronavirus out? Johns Hopkins expert says more evidence needed https://scienmag.com/do-eyeglasses-help-keep-coronavirus-out-johns-hopkins-expert-says-more-evidence-needed/
  • COVID-free hospital zones could prevent cancer surgery complications, deaths https://globalnews.ca/news/7384031/covid-19-free-hospital-pathway-save-lives/
  • Every COVID-19 case seems different; these scientists want to know why https://scienmag.com/every-covid-19-case-seems-different-these-scientists-want-to-know-why/

• Disinformation:

  • Chinese virologists linked to Steve Bannon dropped another bogus paper claiming the new coronavirus is an 'unrestricted bioweapon' https://www.businessinsider.com/scientists-steve-bannon-coronavirus-engineered-chinese-bioweapon-2020-10

• Masks, anti-maskers, distancing, compliance, and repercussions:

  • Mask mandates shown to significantly reduce spread of COVID-19 https://scienmag.com/mask-mandates-shown-to-significantly-reduce-spread-of-covid-19/

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• "Up here in Canada" song https://youtu.be/37nGeXn2K9c
• Supersonic baseball canon video https://youtu.be/cqidD7kVnxY
• Samuel L. Jackson Wants to Teach You to Swear in 15 Different Languages https://www.mentalfloss.com/article/632349/samuel-l-jackson-will-teach-you-to-swear-15-different-languages
• Why Do Mirrors Flip Things Horizontally But Not Vertically? https://www.sciencealert.com/why-do-mirrors-flip-things-horizontally-but-not-vertically-here-s-the-physics
• More Humans Are Growing an Extra Artery in Our Arms, Showing We're Still Evolving https://www.sciencealert.com/more-of-us-are-growing-an-additional-artery-in-our-arm-showing-we-re-still-evolving
• A Dutch company transformed the $330,000 Rolls-Royce Wraith into a beautiful wagon — tour the Silver Spectre https://www.businessinsider.com/custom-rolls-royce-wraith-inspired-shooting-brake-wagon-info-photos-2020-10
• This Boeing 727 lets passengers experience zero gravity by flying crazy maneuvers, and it's now on tour across the US https://www.businessinsider.com/zero-gravity-airplane-g-force-one-boeing-727-2020-10
• Boom Supersonic unveils its prototype for a commercial supersonic jet https://www.theverge.com/2020/10/7/21505653/boom-supersonic-reveal-xb1-demonstrator-speed
• Martian eclipses can be detected on a lander's… seismograph? https://www.syfy.com/syfywire/martian-eclipses-can-be-detected-on-a-landers-seismograph
• An earlier universe existed before the Big Bang, and can still be observed today https://www.telegraph.co.uk/news/2020/10/06/earlier-universe-existed-big-bang-can-observed-today/