Welcome to This Week’s [in]Security. Magecart exfiltration. More FPE Weakness. Big-Hacks: Exchange Hack. F5 Attacks. SolarWinds. New breaches: WeLeakInfo. New Ransomware. Acer. Ransomware cost. Big Brother UK. Find My Device. Privacy Theatre. Background Checking Your Date. Internet Blocking. Apple & Russia. Interrupts. Ransomware protection. DevSECops. SMS Hijacking. Power Grid. Pickle Files. File Nesting. Spectre POC. Fiserv. ZeroDays. Trends. Worms. Nation States. Hacking Spree. Telcos. Crime. FBI Crime Report. Camera Arrest. DarkWeb. Smart Doorbell Risk. H2O. Voting Machines. Insider Risk. Infrastructure and Platform Risk. Illegal Blockchain. Big Microsoft Outage. Health, Safety & Environment. Covid-19: Spread, Curves, Spikes, Waves, & reinfections. Impact. Immunity, Vaccines, and Vaccination. And more.

PCI Compliance and Payments

News and announcements relating to Payment Security, PCI, Card Brands, Payments, Payment Malware and Fraud.

• PCI At-a-Glance https://www.pcisecuritystandards.org/documents/At_a_Glance_Role_of_the_PCI_SSC.pdf
• Magecart Attackers Save Stolen Credit-Card Data in .JPG File https://threatpost.com/magecart-attackers-stolen-data-jpg/164815/
• Three Third Generation Attacks on the Format Preserving Encryption Scheme FF3, by Ohad Amon and Orr Dunkelman and Nathan Keller and Eyal Ronen and Adi Shamir https://eprint.iacr.org/2021/335
• DOJ investigating Visa debit charges https://www.reuters.com/article/us-visa-investigation-idUSKBN2BB1OV

Breaches / Ransomware / Leaks

Covering breaches, leaks, data exposures, ransomware (as potential breach), and their fallout.

• Major incidents:

  • Exchange flaws could be much worse than thought: Six hacking groups suspected of using the zero days pre-patch https://www.theregister.com/2021/03/15/in_brief_security/
  • Exchange Cyberattacks Escalate as Microsoft Rolls One-Click Fix https://threatpost.com/microsoft-exchange-cyberattacks-one-click-fix/164817/
  • How Did the Exchange Server Exploit Leak? https://www.databreachtoday.com/blogs/how-did-exchange-server-exploit-leak-p-3005
  • Microsoft Exchange: Server Attack Attempts Skyrocket https://www.databreachtoday.com/microsoft-exchange-server-attack-attempts-skyrocket-a-16194
  • Canadian systems compromised by malware in the Microsoft Exchange breach https://globalnews.ca/news/7701080/microsoft-exchange-breach-canada/
  • Critical F5 BIG-IP Flaw Now Under Active Attack https://threatpost.com/critical-f5-big-ip-flaw-now-under-active-attack/164940/
  • Mimecast: SolarWinds Attackers Stole Source Code https://threatpost.com/mimecast-solarwinds-attackers-stole-source-code/164847/
  • Health Insurer Sues Accellion in Wake of Hacking Incident https://www.databreachtoday.com/health-insurer-sues-accellion-in-wake-hacking-incident-a-16215

• New Breaches:

  • WeLeakInfo Leaked Customer Payment Info https://krebsonsecurity.com/2021/03/weleakinfo-leaked-customer-payment-info/
  • UK: Journalists’ personal and bank details made public after publisher data breach https://www.databreaches.net/uk-journalists-personal-and-bank-details-made-public-after-publisher-data-breach/

• New Ransomware and "Incidents":

  • Acer Falls Victim To $50 Million Ransomware Attack https://www.pcmag.com/news/acer-falls-victim-to-50-million-ransomware-attack
  • Ca: Nunavut schools confirm school information system vendor suffered ransomware attack https://www.databreaches.net/ca-nunavut-schools-confirm-school-information-system-vendor-suffered-ransomware-attack/
  • Ransomware attacks on US government organizations cost $18.9bn in 2020 https://www.comparitech.com/blog/information-security/government-ransomware-attacks/

Privacy

Articles about privacy related news, risks, and trends.

• The UK Is Secretly Testing a Controversial Web Snooping Tool https://www.wired.com/story/uk-secretly-testing-controversial-web-snooping-tool
• Security Analysis of Apple’s “Find My…” Protocol https://www.schneier.com/blog/archives/2021/03/security-analysis-of-apples-find-my-protocol.html
• Apple's Find My Device (Offline Finding) is the World's Largest Crowd-Sourced Location Tracking Network https://arxiv.org/abs/2103.02282
• Google and the Age of Privacy Theater https://www.wired.com/story/google-floc-age-privacy-theater/
• Tinder and OkCupid Could Soon Let You Background Check Your Date — for a Price http://feeds.propublica.org/link/9499/14361403/tinder-and-okcupid-could-soon-let-you-background-check-your-date-for-a-price
• Google Reveals What Personal Data Chrome and Its Apps Collect On You https://thehackernews.com/2021/03/google-to-reveals-what-personal-data.html

Laws, Regulations, Platforms, Standards, and Public Policy

News about laws, regulations, platform rules, and standards affecting security, privacy, technology, and public interest.

• Canada:

  • The Law Bytes Podcast, Episode 80: A Roundtable on the Canadian Challenges of Delivering Universal, Affordable Internet Access https://www.michaelgeist.ca/2021/03/law-bytes-podcast-episode-80/
  • Blocking is Back: Why Internet Blocking is the Next Big Canadian Policy Battle https://www.michaelgeist.ca/2021/03/blocking-is-back/

• US:

  • Additional Regulations Approved for the California Consumer Privacy Act https://www.eff.org/deeplinks/2021/03/additional-regulations-approved-california-consumer-privacy-act
  • California Bans 'Dark Patterns' That Subvert CCPA's Opt-out Rights https://epic.org/2021/03/california-bans-dark-patterns-.html
  • FCC Moving Toward Banning 3 Chinese Telecom Firms From U.S. https://www.databreachtoday.com/fcc-moving-toward-banning-3-chinese-telecom-firms-from-us-a-16214
  • Records Show FTC Botched Google Antitrust Investigation https://epic.org/2021/03/records-show-ftc-botched-googl.html
  • Thank You for Speaking Against a Terrible Copyright Proposal https://www.eff.org/deeplinks/2021/03/thank-you-speaking-against-terrible-copyright-proposal
  • EFF Joins Effort to Restrict Automated License Plate Readers in California https://www.eff.org/deeplinks/2021/01/eff-joins-effort-restrict-automated-license-plate-readers-california

• World:

  • Apple Bent the Rules for Russia. Other Nations Will Take Note https://www.wired.com/story/apple-russia-iphone-apps-law
  • French Data Watchdog CNIL Opens Probe Into Clubhouse App https://www.databreaches.net/french-data-watchdog-cnil-opens-probe-into-clubhouse-app/

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• Linus Torvalds on how AMD and Intel are changing how processor interrupts are handled https://www.zdnet.com/article/linus-torvalds-on-how-amd-and-intel-are-changing-how-processor-interrupts-are-handled/
• Windows 10 Ransomware Protection In 2021: Some Surprises, Says Report https://www.forbes.com/sites/brookecrothers/2021/03/14/state-of-windows-10-ransomware-protection-2021-some-surprises-says-report/
• Rethinking the Sec in DevSecOps: Security as Code https://www.sans.org/blog/rethinking-sec-in-devsecops-survey
• Google, HTTPS, and device compatibility https://security.googleblog.com/2021/03/google-https-and-device-compatibility.html
• DtSR Episode 439 - TPA Open Source Endpoint Defense http://podcast.wh1t3rabbit.net/dtsr-episode-439-tpa-open-source-endpoint-defense
• Un-bee-lievable Performance: Fast Coverage-guided Fuzzing with Honeybee and Intel Processor Trace https://blog.trailofbits.com/2021/03/19/un-bee-lievable-performance-fast-coverage-guided-fuzzing-with-honeybee-and-intel-processor-trace/

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• Easy SMS Hijacking https://www.schneier.com/blog/archives/2021/03/easy-sms-hijacking.html
• Can We Stop Pretending SMS Is Secure Now? https://krebsonsecurity.com/2021/03/can-we-stop-pretending-sms-is-secure-now/
• A Hacker Got All My Texts for $16 https://www.vice.com/en/article/y3g8wb/hacker-got-my-texts-16-dollars-sakari-netnumber
• GAO: Electrical Grid's Distribution Systems More Vulnerable https://www.databreachtoday.com/gao-electrical-grids-distribution-systems-more-vulnerable-a-16234
• Never a dill moment: Exploiting machine learning pickle files https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/
• Security Researcher Hides ZIP, MP3 Files Inside PNG Files on Twitter https://threatpost.com/researcher-hides-files-in-png-twitter/164881/
• Google Releases PoC Exploit for Browser-Based Spectre Attack https://www.securityweek.com/google-releases-poc-exploit-browser-based-spectre-attack
• Fintech Giant Fiserv Used Unclaimed Domain https://krebsonsecurity.com/2021/03/fintech-giant-fiserv-used-unclaimed-domain/ and https://threatpost.com/fiserv-forgets-to-buy-domain-it-used-as-system-default/164903/
• Live CISO, FBI Deputy & Sr. Cyber Analyst Panel: Open Databases Invite Data Breaches https://www.databreachtoday.com/webinars/live-ciso-fbi-deputy-sr-cyber-analyst-panel-open-databases-invite-data-w-3060
• On Closed-Cycle Loops and Applicability of Nonlinear Product Attacks to DES, by Nicolas T. Courtois and Matteo Abbondati and Hamy Ratoanina and Marek Grajek https://eprint.iacr.org/2021/336

Hacking / Malware / Cybercrime / Exploitation

News covering active trends, alerts, events.

• Google Chrome Zero-Day Under Attack, Again https://www.securityweek.com/google-chrome-zero-day-under-attack-again
• In-the-Wild Series: October 2020 0-day discovery https://googleprojectzero.blogspot.com/2021/03/in-wild-series-october-2020-0-day.html

• Trends, Alerts, and Events (other than major Exchange, SolarWinds, F5, and Accellion):

  • What could possibly go wrong? Sublet your home broadband to strangers who totally won't commit crimes https://www.theregister.com/2021/03/19/reselling_home_broadband/
  • Attackers are trying awfully hard to backdoor iOS developers’ Macs https://arstechnica.com/gadgets/2021/03/attackers-are-trying-awfully-hard-to-backdoor-ios-developers-macs/
  • 50 years of malware? Not really. 50 years of computer worms? That's a different story..., (Tue, Mar 16th) https://isc.sans.edu/diary/rss/27208
  • Researchers Uncover Widely Used Malware Crypter https://www.databreachtoday.com/researchers-uncover-widely-used-malware-crypter-a-16212
  • CISA-FBI Joint Advisory on TrickBot Malware https://www.databreaches.net/cisa-fbi-joint-advisory-on-trickbot-malware/

• Nation State Actors:

  • “Expert” hackers used 11 zerodays to infect Windows, iOS, and Android users https://arstechnica.com/information-technology/2021/03/expert-hackers-used-11-zerodays-to-infect-windows-ios-and-android-users/
  • Google: Sophisticated APT Group Burned 11 Zero-Days in Mass Spying Operation https://www.securityweek.com/google-sophisticated-apt-group-burned-11-zero-days-mass-spying-operation
  • US Office of National Intelligence says Russia, Iran tried to mess with 2020 elections, China sat it out https://www.theregister.com/2021/03/17/2020_us_election_security_report/
  • Finland pins Parliament hack on Chinese hacking group APT31 https://www.databreaches.net/finland-pins-parliament-hack-on-chinese-hacking-group-apt31/
  • Hacking Group Conducted Espionage Campaign Targeting Telcos https://www.databreachtoday.com/hacking-group-conducted-espionage-campaign-targeting-telcos-a-16203

• Crime & Arrests, etc.:

  • FBI releases annual IC3 crime report https://www.databreaches.net/fbi-releases-annual-ic3-crime-report/
  • Swiss security provocateur who leaked Intel secrets indicted by US authorities https://www.theregister.com/2021/03/19/till_kottmann_indicted/
  • Federal Police arrest hacker suspected of the largest data leak in Brazil https://www.databreaches.net/federal-police-arrest-hacker-suspected-of-the-largest-data-leak-in-brazil/
  • Feds Charge Verkada Camera Hacker With 'Theft and Fraud' https://www.databreachtoday.com/feds-charge-verkada-camera-hacker-theft-fraud-a-16217
  • Swiss Police Raid Over Hack on U.S. Security-Camera Company https://www.securityweek.com/swiss-police-raid-over-hack-us-security-camera-company
  • Ripoff Report Hacker Gets 12 Months in Prison https://www.securityweek.com/ripoff-report-hacker-gets-12-months-prison
  • Florida Teen Pleads Guilty in 2020 Twitter Hack https://www.databreachtoday.com/florida-teen-pleads-guilty-in-2020-twitter-hack-a-16199
  • Cops are the only ones being lawful on the dark web, AFP declares https://www.zdnet.com/article/cops-are-the-only-ones-being-lawful-on-the-dark-web-afp-declares/

Other Security / Risk

Articles covering other types of risks.

• Smart doorbells on business premises make your property more attractive to burglars, warns researcher https://www.theregister.com/2021/03/15/smart_locks_attract_burglars_business_premises/
• Tech Vendors' Lack of Security Transparency Worries Firms https://www.darkreading.com/operations/tech-vendors-lack-of-security-transparency-worries-firms/d/d-id/1340455
• Downed Iran plane: Families of Edmonton victims demand real truth in wake of final report https://globalnews.ca/news/7705768/edmonton-victims-iran-plane-crash-final-tsb-report/
• America’s Drinking Water Is Surprisingly Easy to Poison http://feeds.propublica.org/link/9499/14358279/hacking-water-systems
• On the Insecurity of ES&S Voting Machines’ Hash Code https://www.schneier.com/blog/archives/2021/03/on-the-insecurity-of-ess-voting-machines-hash-code.html
• A New Paradigm in Data Security: Insider Risk Management https://threatpost.com/a-new-paradigm-in-data-security-insider-risk-management/164768/
• Infrastructure – the Good, the Bad and the Ugly https://www.lightbluetouchpaper.org/2021/03/18/infrastructure-the-good-the-bad-and-the-ugly/
• Illegal Content and the Blockchain https://www.schneier.com/blog/archives/2021/03/illegal-content-and-the-blockchain.html
• Microsoft's latest cloud authentication outage: What went wrong https://www.zdnet.com/article/microsofts-latest-cloud-authentication-outage-what-went-wrong/
• Azure Active Directory issue takes down Teams, Office, Dynamics and more for some users https://www.zdnet.com/article/azure-active-directory-issue-takes-down-teams-office-dynamics-and-more-for-some-users/

• Health, Safety & Environment:

  • Rare disease transmitted by bat and bird droppings discovered in rural Alberta https://globalnews.ca/news/7704434/alberta-rare-bat-bird-droppings-disease-histoplasmosis/
  • Ontario Provincial Police say traffic collisions down, but fatalities up in 2020 https://toronto.ctvnews.ca/ontario-provincial-police-say-traffic-collisions-down-but-fatalities-up-in-2020-1.5349113
  • Child killed in 'tragic' Peloton treadmill accident https://www.bbc.co.uk/news/business-56451430

COVID-19 updates.

COVID related articles. We have been following coronavirus risks since https://controlgap.com/blog/this-weeks-insecurity-issue-147.

• The spread, curves, spikes, waves, and reinfection:

  • Man in his 30s dies after large COVID-19 outbreak at student residence in Peterborough, Ont. https://toronto.ctvnews.ca/man-in-his-30s-dies-after-large-covid-19-outbreak-at-student-residence-in-peterborough-ont-1.5349567
  • No vaccines, no leadership, no end in sight. How Brazil became a global threat https://www.cnn.com/2021/03/20/americas/brazil-coronavirus-crisis-vaccine-distribution-shortfalls-latam-intl/index.html

• Guidance, Response, and Recovery:

  • Toronto's top doctor says city not ready for red zone, but outdoor dining and fitness classes should be permitted https://toronto.ctvnews.ca/toronto-s-top-doctor-says-city-not-ready-for-red-zone-but-outdoor-dining-and-fitness-classes-should-be-permitted-1.5350649
  • 'Let's be very careful': Ontario's top doctor confirms province is in third wave of COVID-19 pandemic https://toronto.ctvnews.ca/let-s-be-very-careful-ontario-s-top-doctor-confirms-province-is-in-third-wave-of-covid-19-pandemic-1.5352869
  • U.S.-Canada land border restrictions extended for at least another month https://www.ctvnews.ca/health/coronavirus/u-s-canada-land-border-restrictions-extended-for-at-least-another-month-1.5352275
  • Provinces aren't using COVID Alert app properly or widely enough, says report https://www.cbc.ca/news/politics/covid-alert-app-report-1.5954089
  • China is opening borders to visitors who have taken Chinese vaccines. That raises tough questions for global travel https://www.cnn.com/travel/article/covid-vaccine-travel-visa-rules-intl-hnk/index.html

• Impact:

  • Ontario nursing homes losing staff to Amazon and film industry, association says https://toronto.ctvnews.ca/ontario-nursing-homes-losing-staff-to-amazon-and-film-industry-association-says-1.5349151

• Immunity, Vaccines, and Vaccination:

  • U.S. plans to send 1.5M doses of AstraZeneca vaccine to Canada https://www.ctvnews.ca/health/coronavirus/u-s-plans-to-send-1-5m-doses-of-astrazeneca-vaccine-to-canada-1.5352524
  • EU countries to resume rollouts of AstraZeneca jab https://www.bbc.co.uk/news/world-europe-56440139

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• NASA’s future Moon rocket completes critical hot-fire test https://www.theverge.com/2021/3/18/22338638/nasa-space-launch-system-hot-fire-test
• Massive Piece Of Space Junk Tossed From ISS Sets Record https://www.accuweather.com/en/space-news/massive-piece-of-space-junk-tossed-from-iss-sets-record/916013