Welcome to This Week’s [in]Security. New breaches. New Ransomware. Testing CFAA. 5G. NIST. Encryption. Windows Kerberos. Facebook Messenger. Drupal. Fortinet. Tesla. Partitioning Oracles. Trends. Notifications gone bad. Spotify Stuffed. Fake FBI. Mobile Iron. Minecraft. Nation States. Arrests. Election Security. Health, Safety & Environment. Covid-19: Spread, Curves, Spikes, Waves, & reinfections. Vaccine Progress. And more.

PCI Compliance and Payments

News and announcements relating to Payment Security, PCI, Card Brands, Payments, Payment Malware and Fraud.

• PCI Training Schedule for the first half of 2021 https://training.pcisecuritystandards.org/elearning-with-online-certification-exam
• PCI Assessors have a new resource document in the PCI Portal "Assessor Resources: PCI SSC Published Guidance To the Most Common Questions in PCI DSS Assessments" listing important FAQ's by topic (Private link - you must have an assessor ID with PCI)
• ATM Operators Praise a Proposed OCC Rule That Would Wipe Away Years-Old Regulatory Roadblocks https://www.digitaltransactions.net/atm-operators-praise-a-proposed-occ-rule-that-would-wipe-away-years-old-regulatory-roadblocks/

Breaches / Ransomware / Leaks

Covering breaches, leaks, data exposures, ransomware (as potential breach), and their fallout.

• New breaches:

  • Imagine things are bad enough that you need a payday loan. Then imagine flaws in systems of loan lead generators leave your records in the open... for years https://www.theregister.com/2020/11/24/payday_loan_lead_generators_fix/
  • Sophos Warns Customers of Possible Data Leak https://www.databreachtoday.com/sophos-warns-customers-possible-data-leak-a-15470 and https://www.databreaches.net/sophos-notifies-customers-of-data-exposure-after-database-misconfiguration/
  • Networking equipment vendor Belden discloses data breach https://www.databreaches.net/networking-equipment-vendor-belden-discloses-data-breach/
  • Canon publicly confirms August ransomware attack, data theft https://www.databreaches.net/canon-publicly-confirms-august-ransomware-attack-data-theft/
  • Personal data of 16 million Brazilian COVID-19 patients exposed online by Albert Einstein Hospital employee error https://www.databreaches.net/personal-data-of-16-million-brazilian-covid-19-patients-exposed-online-by-albert-einstein-hospital-employee-error/
  • Thousands of patients’ information potentially accessed after cyber breach at Louisiana State University Health https://www.databreaches.net/thousands-of-patients-information-potentially-accessed-after-cyber-breach-at-louisiana-state-university-health/
  • Eye Care Center Operator's Customer Data Hacked https://www.databreachtoday.com/eye-care-center-operators-customer-data-hacked-a-15425
  • Fairchild Medical Center server was exposing patient information for 4.5 years until a security firm alerted them https://www.databreaches.net/fairchild-medical-center-server-was-exposing-patient-information-for-4-5-years-until-a-security-firm-alerted-them/
  • Hackers selling data of 21,000 British motorists on the dark web https://www.databreaches.net/hackers-selling-data-of-21000-british-motorists-on-the-dark-web/
  • Client data stolen from Indian e-commerce platform https://www.databreaches.net/client-data-stolen-from-e-commerce-platform/

• New Ransomware and "Incidents":

  • Ransomware: IT Services Firm Faces $60 Million Recovery https://www.databreachtoday.com/ransomware-services-firm-faces-60-million-recovery-a-15465
  • Ransomware Attack Closes Baltimore County Public Schools https://www.nytimes.com/2020/11/29/us/baltimore-schools-cyberattack.html
  • Danish News Agency Rejects Ransom Demand After Hacker Attack https://www.securityweek.com/danish-news-agency-rejects-ransom-demand-after-hacker-attack
  • Australian Legal Service Provider Firm, Law In Order, hit by ransomware attack https://www.databreaches.net/law-in-order-hit-by-ransomware-attack/
  • Retail giant E-Land closes nearly half of stores due to ransomware attack https://www.databreaches.net/retail-giant-e-land-closes-nearly-half-of-stores-due-to-ransomware-attack/
  • PA: Part of Delaware County Computer System Down After Attacked By Hackers https://www.databreaches.net/pa-part-of-delaware-county-computer-system-down-after-attacked-by-hackers/
  • Pakistan International Airlines Data Hacked: Threat Actor Put Databases Up For Sale At Dark Web https://www.databreaches.net/pakistan-international-airlines-data-hacked-threat-actor-put-databases-up-for-sale-at-dark-web/

• Follow-ups and fall-out:

  • Ticketmaster Lawyers argue no liablity for credit card breach that started pre-GDPR https://www.theregister.com/2020/11/25/ticketmaster_gdpr_fine_chicanery/
  • Home Depot Settles 2014 Breach Lawsuit for $17.5 Million https://www.databreachtoday.com/home-depot-settles-2014-breach-lawsuit-for-175-million-a-15451

Privacy

Articles about privacy related news, risks, and trends.

• Canadian soldier claiming $60,000 in damages from armed forces after they spread his medical information https://www.databreaches.net/canadian-soldier-claiming-60000-in-damages-from-armed-forces-after-they-spread-his-medical-information-lawsuit/
• Marketers for an Open Web ask UK competition watchdog to block launch of Google's anti-tracking Privacy Sandbox https://www.theregister.com/2020/11/24/google_mow_chrome/

Laws, Regulations, Standards, and Public Policy

News about laws, regulations, and standards affecting security, privacy, technology, and public interest.

• US:

  • U.S. Supreme Court to Weigh, Computer Fraud and Abuse Act, Anti-Hacking Law’s Limits on Access https://www.databreaches.net/u-s-supreme-court-to-weigh-anti-hacking-laws-limits-on-access/
  • Let’s Stand Up for Home Hacking and Repair https://www.eff.org/deeplinks/2020/11/lets-stand-home-hacking-and-repair
  • How programmers communicate through code, legally https://freedom-to-tinker.com/2020/11/23/how-programmers-communicate-through-code-legally/
  • Government Watchdog Calls for 5G Cybersecurity Standards https://www.databreachtoday.com/government-watchdog-calls-for-5g-cybersecurity-standards-a-15469
  • Bill Looks to Close Federal Cybersecurity Loopholes https://www.databreachtoday.com/bill-looks-to-close-federal-cybersecurity-loopholes-a-15439
  • Data Breach Cases: An Analysis of Standing and Best Causes of Action https://www.databreaches.net/data-breach-cases-an-analysis-of-standing-and-best-causes-of-action/

• World:

  • Getting Ready for the New Zealand Privacy Act 2020 https://blog.isc2.org/isc2_blog/2020/11/getting-ready-for-the-new-zealand-privacy-act-2020.html
  • UK Telecommunications Security Bill Would Ban Huawei https://www.databreachtoday.com/uk-telecommunications-security-bill-would-ban-huawei-a-15445
  • Ron Deibert Delivers Massey Lectures and Publishes RESET https://citizenlab.ca/2020/11/ron-deibert-delivers-massey-lectures-and-publishes-reset/

• New NIST:

  • NICE Webinar December 16th, Competencies – The Next Frontier for Closing the Cybersecurity Skills Gap https://content.govdelivery.com/accounts/USNIST/bulletins/2ad9c6f

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• Design and implementation of HElib: a homomorphic encryption library https://eprint.iacr.org/2020/1481
• Indistinguishability Obfuscation https://www.schneier.com/blog/archives/2020/11/indistinguishability-obfuscation.html
• Smart (and simple) ways to prevent symlink attacks in Go https://blog.trailofbits.com/2020/11/24/smart-and-simple-ways-to-prevent-symlink-attacks-in-go/
• Why Replace Traditional Web Application Firewall (WAF) With New Age WAF? https://thehackernews.com/2020/11/why-replace-traditional-web-application.html
• IoT security: how Microsoft protects Azure Datacenters https://www.microsoft.com/security/blog/2020/11/23/iot-security-how-microsoft-protects-azure-datacenters/
• Go inside the new Azure Defender for IoT including CyberX https://www.microsoft.com/security/blog/2020/11/25/go-inside-the-new-azure-defender-for-iot-including-cyberx/
• Penetration testing isn’t enough, you need to activate full offensive operations https://www.theregister.com/2020/11/23/sans_institute_course_lineup/
• 2021 Healthcare Cybersecurity Priorities: Experts Weigh In https://threatpost.com/2021-healthcare-cybersecurity-priorities/161596/
• It’s Time to Stop Sharing Your Passwords With Your Partner https://www.wired.com/story/its-time-to-stop-sharing-your-passwords-with-your-partner

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• Microsoft Releases Out-of-Band Update for Kerberos Authentication Issues https://www.securityweek.com/microsoft-releases-out-band-update-kerberos-authentication-issues
• Facebook Messenger Bug Allows Spying on Android Users https://threatpost.com/facebook-messenger-bug-spying-android/161435/
• Drupal Releases Out-of-Band Security Updates Due to Availability of Exploits https://www.securityweek.com/drupal-releases-out-band-security-updates-due-availability-exploits
• Fortinet FortiOS System File Leak https://us-cert.cisa.gov/ncas/current-activity/2020/11/27/fortinet-fortios-system-file-leak
• Tesla Hacked and Stolen Again Using Key Fob https://threatpost.com/tesla-hacked-stolen-key-fob/161530/
• A new type of crypto attack, Partitioning Oracle Attacks https://eprint.iacr.org/2020/1491
• (Historical)Automated ciphertext-only attack on the Wheatstone Cryptograph and related devices https://eprint.iacr.org/2020/1492

Hacking / Malware / Cybercrime / Exploitation

News covering active trends, alerts, events.

• Trends, Alerts, and Events:

  • Be Very Sparing in Allowing Site Notifications https://krebsonsecurity.com/2020/11/be-very-sparing-in-allowing-site-notifications/
  • 300K+ Credentials Stuffed as Spotify Users Hit with Rash of Account Takeovers https://threatpost.com/spotify-account-takeovers/161495/ and https://www.databreaches.net/over-300k-spotify-accounts-hacked-in-credential-stuffing-attack/
  • FBI Warns of Spoofed FBI-Related Domains https://www.securityweek.com/fbi-warns-spoofed-fbi-related-domains
  • Botnet Operators Ditch Banking Trojans for Ransomware https://www.databreachtoday.com/botnet-operators-ditch-banking-trojans-for-ransomware-a-15455
  • Hackers Exploit MobileIron Flaw https://www.databreachtoday.com/hackers-exploit-mobileiron-flaw-a-15453
  • Linux Botnet Disguises Itself as Apache Server https://www.databreachtoday.com/linux-botnet-disguises-itself-as-apache-server-a-15461
  • Google binned two apps by China’s Baidu, which says researchers got it wrong by linking it to personal info leaks https://www.theregister.com/2020/11/25/palo_alto_detects_leaking_baidu_apps/
  • ‘Minecraft Mods’ Attack More Than 1 Million Android Devices https://threatpost.com/minecraft-mods-attack-android-devices/161567/

• Nation State Actors:

  • Chinese Hacking Group Rebounds With Fresh Malware https://www.databreachtoday.com/chinese-hacking-group-rebounds-fresh-malware-a-15448
  • Suspected North Korean hackers targeted COVID vaccine maker AstraZeneca https://www.databreaches.net/suspected-north-korean-hackers-targeted-covid-vaccine-maker-astrazeneca/
• EU Law Enforcement Prevents $47.5 Million in Payment Fraud https://www.databreachtoday.com/eu-law-enforcement-prevents-475-million-in-payment-fraud-a-15471

• Crime:

  • Three Montrealers arrested after Quebec teachers’ personal information stolen https://www.databreaches.net/three-montrealers-arrested-after-quebec-teachers-personal-information-stolen/
  • Two Romanians Arrested for Running Malware Encryption Services https://www.securityweek.com/two-romanians-arrested-running-malware-encryption-services
  • Interpol Busts Massive Nigerian BEC Gang https://www.databreachtoday.com/interpol-busts-massive-nigerian-bec-gang-a-15466

Other Security / Risk

Articles covering other types of risks.

• Massive Amazon Web Services outage hits cloud customers https://www.bnnbloomberg.ca/amazon-web-services-outage-hits-cloud-customers-1.1527791
• Summary of the Amazon Kinesis Event in the Northern Virginia (US-EAST-1) Region https://aws.amazon.com/message/11201/
• WarGames for real: How one 1983 exercise nearly triggered WWIII https://arstechnica.com/information-technology/2020/11/wargames-for-real-how-one-1983-exercise-nearly-triggered-wwiii/
• Audit finds risks with Baltimore County schools networkhttps://www.washingtonpost.com/local/audit-finds-risks-with-baltimore-county-schools-network/2020/11/27/04216e2c-30d2-11eb-9dd6-2d0179981719_story.html
• Opinion: COVID and Tech Insecurity https://deibert.citizenlab.ca/2020/11/globe-and-mail-opinion-covid-and-tech-insecurity/

• Election Security:

  • More on the Security of the 2020 US Election https://www.schneier.com/blog/archives/2020/11/more-on-the-security-of-the-2020-us-election.html
  • Three Paper Thursday: Vēnī, Vīdī, Vote-y – Election Security https://www.lightbluetouchpaper.org/2020/11/26/three-paper-thursday-veni-vidi-vote-y-election-security/
  • "Blockchain Voting is a spectacularly dumb idea" https://www.schneier.com/blog/archives/2020/11/on-blockchain-voting.html
• The famous Fear and Greed index is flashing warning signals https://www.businessinsider.com/stock-market-outlook-fear-and-greed-index-extreme-dennis-debusschere-2020-11
• Alaskan idea - The Case for 'Universal Property' https://www.scientificamerican.com/article/the-case-for-universal-property/

• Health, Safety & Environment https://www.scientificamerican.com/article/the-case-for-universal-property/

  • UK to pilot blood test that may detect 50 types of cancer https://www.cnn.com/2020/11/27/health/cancer-blood-test-pilot-gbr-intl/index.html
  • Canada bans mass exports of prescription drugs https://www.bbc.co.uk/news/world-us-canada-55119428 and https://globalnews.ca/news/7490565/canada-blocks-prescription-drug-export-donald-trump-import/

COVID-19 updates.

COVID related articles. We have been following coronavirus risks since https://controlgap.com/blog/this-weeks-insecurity-issue-147.

• The spread, curves, spikes, and waves - now reinfection:

  • The US surpassed 13 million COVID-19 cases — less than a week after hitting 12 million cases https://www.businessinsider.com/us-surpasses-13-million-covid-19-cases-days-last-million-2020-11
  • English Covid cases 'fall by 30% over lockdown' https://www.bbc.co.uk/news/health-55124286
  • Canada surpasses 360K coronavirus cases as Quebec, Alberta break daily infection records https://globalnews.ca/news/7490677/coronavirus-canada-update-nov-28/
  • Alberta reports new daily record of 1,731 COVID-19 cases, 5 deaths Saturday https://globalnews.ca/news/7490660/alberta-covid-19-cases-november-28-2020/
  • Ontario reports 1,708 new coronavirus cases, 24 deaths https://globalnews.ca/news/7491079/ontario-coronavirus-cases-nov-29-covid19/
  • 62 cases of COVID-19 linked to outbreak at window factory in Vaughan https://toronto.ctvnews.ca/62-cases-of-covid-19-linked-to-outbreak-at-window-factory-in-vaughan-1.5209585
  • 11 confirmed cases linked to Vaughan indoor sports facility https://toronto.ctvnews.ca/11-confirmed-cases-linked-to-vaughan-indoor-sports-facility-8-businesses-charged-for-breaking-covid-19-rules-1.5208822
  • How a B.C. birthday became a COVID-19 superspreader event https://globalnews.ca/news/7490792/bc-coronavirus-birthday-superspreader/
  • Boy under 10 years old the youngest COVID-19 death in Manitoba https://globalnews.ca/news/7490432/10-year-old-boy-covid-19-death-manitoba/

• Guidance, Response and Recovery:

  • The Pandemic Safety Rule That Really Matters - Don’t spend time indoors with other people https://www.theatlantic.com/health/archive/2020/11/10-simple-rules-surviving-pandemic-holidays/617122/
  • First toilet paper, now Christmas trees? Coronavirus sparks potential new shortages https://globalnews.ca/news/7490624/coronavirus-canada-christmas-tree-demand/
  • 'I'm going to buy for a month': Panic buying strikes again as Toronto, Peel Region under lockdown https://toronto.ctvnews.ca/i-m-going-to-buy-for-a-month-panic-buying-strikes-again-as-toronto-peel-region-under-lockdown-1.5199406
  • Calgary nurse’s post defending front-line workers to ‘internet trolls’ goes viral https://globalnews.ca/news/7489766/calgary-nurses-post-front-line-workers-alberta-covid-viral/

• Treatments, Testing, Triage, and Trials:_Vaccines Progress:

  • AstraZeneca manufacturing error raises questions about vaccine study results https://www.cbc.ca/news/health/astrazeneca-oxford-vaccine-error-trial-results-1.5816852
  • How do you vaccinate 7.7 billion people? https://www.bbc.co.uk/news/health-55115753
  • New Evidence Suggests COVID-19 Immunity Can Last 6 to 8 Months After Infection https://www.sciencealert.com/evidence-grows-favouring-coronavirus-immunity-lasting-6-to-8-months-after-infection
  • Support for mandatory coronavirus vaccine keeps falling even as cases spike https://globalnews.ca/news/7488523/coronavirus-covid-19-vaccine-canada-mandatory-ipsos/
  • Pay people at least $1,000 to get a COVID-19 vaccine https://www.businessinsider.com/covid-19-vaccine-payment-economists-stimulus-recovery-coronavirus-aid-2020-11

• Canada's Vaccine Timeline is Delayed

  • Justin Trudeau's comments on COVID-19 vaccine timeline 'very concerning,' Ontario health minister says https://toronto.ctvnews.ca/justin-trudeau-s-comments-on-covid-19-vaccine-timeline-very-concerning-ontario-health-minister-says-1.5206066
  • 'The clock is ticking': Ontario calls on federal government to provide clear timelines for COVID-19 vaccines https://toronto.ctvnews.ca/the-clock-is-ticking-ontario-calls-on-federal-government-to-provide-clear-timelines-for-covid-19-vaccines-1.5206983
  • Top general to lead vaccine rollout, aims to immunize majority by September https://www.ctvnews.ca/health/coronavirus/top-general-to-lead-vaccine-rollout-aims-to-immunize-majority-by-september-pm-1.5207122

• Masks, anti-maskers, distancing, compliance, and repercussions:

  • Police charge organizer of anti-mask protest held in downtown Hamilton https://toronto.ctvnews.ca/police-charge-organizer-of-anti-mask-protest-held-in-downtown-hamilton-1.5209529
  • 'These antics help no one': More than $47,000 in fines issued following house party in Mississauga https://toronto.ctvnews.ca/these-antics-help-no-one-more-than-47-000-in-fines-issued-following-house-party-in-mississauga-ont-1.5209374
  • Toronto BBQ restaurant owner who opened despite COVID-19 lockdown granted bail https://toronto.ctvnews.ca/toronto-bbq-restaurant-owner-who-opened-despite-covid-19-lockdown-granted-bail-1.5207357
  • Vaughan Mills among 8 businesses ticketed in York Region on Saturday https://toronto.citynews.ca/2020/11/28/vaughan-mills-among-8-businesses-ticketed-in-york-region-on-saturday/
  • Man facing charges over anti-mask confrontation in Victoria grocery store https://globalnews.ca/news/7490416/victoria-mask-confrontation/
  • Some masks offer far less coronavirus protection than others https://www.businessinsider.com/worst-face-masks-for-coronavirus-protection-2020-11
  • COVID-19 helmet https://www.businessinsider.com/canadian-inventor-vyzr-technologies-designed-covid-19-helmet-2020-11

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• New Wind Turbine Blades Could be Recycled Instead of Landfilled https://www.scientificamerican.com/article/new-wind-turbine-blades-could-be-recycled-instead-of-landfilled/
• BBC - Travel - The little-known US-Canada border war http://www.bbc.com/travel/story/20191215-the-little-known-us-canada-border-war
• 'Fireball' dazzles in the sky in Japan https://www.bbc.co.uk/news/world-asia-55121824
• Can You Find All of Kevin McCallister’s Booby Traps From Home Alone? https://www.mentalfloss.com/article/637493/home-alone-booby-trap-map
• ESA Is Going To Spend $102 Million To Remove a Single Piece of Space Junk https://www.universetoday.com/148963/esa-is-going-to-spend-102-million-to-remove-a-single-piece-of-space-junk/
• Our Solar System Is Going to Totally Disintegrate Sooner Than We Thought https://www.sciencealert.com/our-solar-system-is-going-to-totally-disintegrate-sooner-than-we-thought
• Earth Is a Whole Lot Closer to Our Galaxy's Supermassive Black Hole Than We Thought https://www.sciencealert.com/earth-is-significantly-closer-to-our-galaxy-s-supermassive-black-hole-than-we-thought