This Week's [in]Security - Issue 255
20 Feb 2022.
Welcome to This Week’s [in]Security. PCI and payments: Skimmers, Training & events. New breaches: credit freezes, insiders, Red Cross, GiveSendGo. New Ransomware: decryptor, access brokers. Major outages: Canadian banks, Coinbase, Doh! Privacy: IRS and dating apps, Otter.ai, Google Sandbox & Enhanced Safety. Laws & Regs - Canada: Crypto, Web3. US: SEC cyber, Trolls, Copyright, Missouri, Texas vs. Meta, Clearview lawsuits. World: Police access, Australia. Standards: NIST, Random Number Feedback. Defense: Free tools, Github Scanner, Cisco passwords, Remote work. Vulnerabilities, Other Vulnerabilities: More Magento, email appliances, Snap PM, Cassandra, Ice phishing. Unredacter, Patching: Forced patching, Intel Firmware, Magento. Crypto-research, SHA3. Cybercrime: Trends: BEC, Teams. Nation States and mercenaries. Crime & Enforcement; Cyber-policing, OpenSea NFTs. Other Risks: Cloud? Facebook, AI, DRM protected paper. Disinformation, follow the money, Canada. Health, Safety & Environment. Covid-19: Spread, Curves, Waves, and Variants; Response; Treatments; Immunity; Learned; Innovation and more.
PCI Compliance and Payments
News and announcements relating to Payment Security, PCI, Card Brands, Payments, Payment Malware and Fraud, and Payment Related Compliance.
Payment skimmers/malware/fraud:
- Popular e-cigarette store was compromised to steal credit cards https://www.bleepingcomputer.com/news/security/popular-e-cigarette-store-was-compromised-to-steal-credit-cards/
- Warning: Popular e-cigarette store hacked to steal credit cards https://www.bleepingcomputer.com/news/security/warning-popular-e-cigarette-store-hacked-to-steal-credit-cards/
- Detecting Magecart-Style Attacks With Page Shield https://blog.cloudflare.com/detecting-magecart-style-attacks-for-pageshield/
Educational events, webinars, courses, etc:
- FISSEA Spring Forum, May 17, 2022 now accepting speaker submissions and innovator of the year nominations https://www.nist.gov/news-events/events/2022/05/fissea-spring-forum-may-17-2022
Breaches / Ransomware / Leaks
Covering breaches, leaks, data exposures, ransomware (as potential breach), and their fallout.
New Breaches:
- Only 3% of consumers freeze credit after data breach https://www.databreaches.net/only-3-of-consumers-freeze-credit-after-data-breach/
- Willful wrongdoing by healthcare workers continues to pose problems https://www.databreaches.net/willful-wrongdoing-by-healthcare-workers-continues-to-pose-problems/
- Credit Suisse denies wrongdoing after big banking data leak https://www.bbc.co.uk/news/business-60456196
- Hackers Had Access to Red Cross Network for 70 Days https://www.securityweek.com/hackers-had-access-red-cross-network-70-days
- Au: Sensitive business addresses among 500,000 published in COVID data breach https://www.databreaches.net/au-sensitive-business-addresses-among-500000-published-in-covid-data-breach/
- Metaverse-Like App Pauses User Registration Over Data Leak Claims https://www.databreaches.net/metaverse-like-app-pauses-user-registration-over-data-leak-claims/
- GiveSendGo - 89,966 breached accounts https://haveibeenpwned.com/PwnedWebsites#GiveSendGo
- Leak site says it has been given list of Canada truck convoy donors after reported hack https://www.databreaches.net/leak-site-says-it-has-been-given-list-of-canada-truck-convoy-donors-after-reported-hack/
- OKC Police rape kit info exposed in data breach of DNA contractor https://www.databreaches.net/okc-police-rape-kit-info-exposed-in-data-breach-of-dna-contractor/
- UK: Confidential patient data breached by ESNEFT staff https://www.databreaches.net/uk-confidential-patient-data-breached-by-esneft-staff/
New Ransomware and "Incidents":
- Master Key for Hive Ransomware Retrieved Using a Flaw in its Encryption Algorithm https://thehackernews.com/2022/02/master-key-for-hive-ransomware.html
- How the initial access broker market leads to ransomware attacks https://www.zdnet.com/article/from-start-to-finish-how-the-initial-access-broker-market-leads-to-ransomware-attacks
- Conti ransomware gang takes over TrickBot malware operation https://www.bleepingcomputer.com/news/security/conti-ransomware-gang-takes-over-trickbot-malware-operation/
- AZ: La Posada notifies current and former employees of malware incident https://www.databreaches.net/az-la-posada-notifies-current-and-former-employees-of-malware-incident/
Major outages/downs:
- Canada's major banks go offline in mysterious hours-long outage https://www.bleepingcomputer.com/news/security/canadas-major-banks-go-offline-in-mysterious-hours-long-outage/
- Crypto exchange Coinbase is forced to throttle traffic after its viral QR-code Super Bowl ad briefly crashes its website https://markets.businessinsider.com/news/currencies/coinbase-super-bowl-qr-code-commercial-website-crash-traffic-crypto-2022-2
- Thanks, dad: Jammer used to stop kids going online, wipes out a town's internet by mistake https://www.zdnet.com/article/thanks-dad-jammer-used-to-control-kids-online-time-father-wipes-out-a-towns-internet-by-mistake
Privacy
Articles about privacy related news, risks, and trends.
- IRS, Department of Homeland Security Contracted Firm That Sells Location Data Harvested From Dating Apps https://theintercept.com/2022/02/18/location-data-tracking-irs-dhs-digital-envoy/
- Possible Government Surveillance of the Otter.ai Transcription App https://www.schneier.com/blog/archives/2022/02/possible-government-surveillance-of-the-otter-ai-transcription-app.html
- Google Introduces 'Privacy Sandbox' for Ads on Android https://www.securityweek.com/google-introduces-privacy-sandbox-android
- How to Use Google Chrome's Enhanced Safety Mode https://www.wired.com/story/how-to-use-google-chrome-enhanced-safety-mode
Laws, Regulations, Platforms, Standards, and Public Policy
News about laws, regulations, platform rules, and standards affecting security, privacy, technology, and public interest.
Canada:
- In US and Canada, Crypto Enforcement Moves From Words to Actions https://www.pymnts.com/cryptocurrency/2022/united-states-canada-crypto-enforcement-travel-rule-aml-trust/
- The Law Bytes Podcast, Episode 117: Fight for the Future’s Sarah Roth-Gaudette on Web 3 Regulation and Alternatives to Big Tech https://www.michaelgeist.ca/2022/02/law-bytes-podcast-episode-117/
- Canada Reforms Its Data Privacy Laws Through Enactment Of Quebec Bill 64 https://www.datex.ca/blog/canada-reforms-its-data-privacy-laws-through-enactment-of-quebec-bill-64
US:
- SEC Proposed Rule: Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies https://www.sec.gov/rules/proposed/2022/33-11028.pdf
- The Federal Circuit Helps a Patent Troll Block Public Access to Court Records https://www.eff.org/deeplinks/2022/02/federal-circuit-helps-patent-troll-block-public-access-court-records
- Copyright is Not a Shortcut Around the Constitution's Anonymous Speech Protections, EFF Tells Court https://www.eff.org/deeplinks/2022/02/copyright-not-shortcut-around-constitutions-anonymous-speech-protections-eff-tells
- Missouri will not prosecute 'hacker' reporter for daring to view state website HTML https://www.zdnet.com/article/missouri-will-not-prosecute-hacker-reporter-for-daring-to-view-state-website-html
- NPR: Texas sues Meta, saying it misused facial recognition data https://epic.org/npr-texas-sues-meta-saying-it-misused-facial-recognition-data/
- Victory! More Lawsuits Proceed Against Clearview's Face Surveillance https://www.eff.org/deeplinks/2022/02/victory-another-lawsuit-proceeds-against-clearviews-face-surveillance
- Influencers beware: promoting the wrong crypto could mean facing a class-action lawsuit https://www.theverge.com/2022/2/18/22941470/bitconnect-ponzi-bitcoin-securities-act-sec-lawsuit-influencers-youtube-tiktok
World:
- Police Spying Powers: 50 countries ranked on powers to access mobile devices https://www.comparitech.com/blog/vpn-privacy/police-cell-phone-spying/
- Hackers to face 25 years in jail for cyber attacks on Australia's national infrastructure https://www.databreaches.net/hackers-to-face-25-years-in-jail-for-cyber-attacks-on-australias-national-infrastructure/
- Ukraine Parliament Updates Law on Virtual Assets https://www.pymnts.com/news/international/2022/ukraine-parliament-updates-law-on-virtual-assets/
Standards News:
- Draft SP 800-219 Automated Secure Configuration Guidance from the macOS Security Compliance Project open for public comment through March 23 https://csrc.nist.gov/publications/detail/sp/800-219/draft
- NIST SP 800-22 and GM/T 0005-2012 Tests: Clearly Obsolete, Possibly Harmful, by Markku-Juhani O. Saarinen https://eprint.iacr.org/2022/169
- A remark on NIST SP 800-22 serial test, by Corina-Elena Bogos and Razvan Mocanu and Emil Simion https://eprint.iacr.org/2022/172
Defense / Techniques / Solutions
Covering developments and opportunities that may help improve security.
- U.S. Cybersecurity Agency Publishes List of Free Security Tools and Services https://thehackernews.com/2022/02/us-cybersecurity-agency-publishes-list.html
- GitHub code scanning now finds more security vulnerabilities https://www.bleepingcomputer.com/news/security/github-code-scanning-now-finds-more-security-vulnerabilities/
- NSA Provides Guidance on Cisco Device Passwords https://www.securityweek.com/nsa-provides-guidance-cisco-device-passwords
- US Government sets forth Zero Trust architecture strategy and requirements https://www.microsoft.com/security/blog/2022/02/17/us-government-sets-forth-zero-trust-architecture-strategy-and-requirements/
- Enterprises Look Beyond Antivirus Software for Remote Workers https://www.darkreading.com/tech-trends/enterprises-require-more-mfa-less-antivirus-for-remote-workers
- Welcoming the New Zealand Government to Have I Been Pwned https://www.troyhunt.com/welcoming-the-new-zealand-government-to-have-i-been-pwned/
- (Interesting claims needing more explanation) Solving the Quantum Decryption 'Harvest Now, Decrypt Later' Problem https://www.securityweek.com/solving-quantum-decryption-harvest-now-decrypt-later-problem
Bugs / Design Flaws / Vulnerabilities / Research
Articles about newly discovered vulnerabilities and research.
Other Vulnerabilities:
- New RCE flaw added to Adobe Commerce, Magento security advisory https://www.zdnet.com/article/adobe-updates-critical-magento-commerce-vulnerability-advisory-with-new-threat
- Attackers Can Crash Cisco Email Security Appliances by Sending Malicious Emails https://thehackernews.com/2022/02/attackers-can-crash-cisco-email.html
- New Linux Privilege Escalation Flaw Uncovered in Snap Package Manager https://thehackernews.com/2022/02/new-linux-privilege-escalation-flaw.html
- High-Severity RCE Bug Found in Popular Apache Cassandra Database https://threatpost.com/high-severity-rce-bug-found-in-popular-apache-cassandra-database/178464/
- Microsoft warns of emerging 'ice phishing' threat on blockchain, DeFi networks https://www.zdnet.com/article/microsoft-warns-of-ice-phishing-on-blockchain-networks
- New Tool, Unredacter, Can Retrieve Pixelated Text from Redacted Documents https://thehackernews.com/2022/02/this-new-tool-can-retrieve-pixelated.html
Patching:
- Millions of WordPress sites get forced update to patch critical plugin flaw https://arstechnica.com/information-technology/2022/02/millions-of-wordpress-sites-get-forced-update-to-patch-critical-plugin-flaw/
- Critical Flaw Uncovered in WordPress Backup Plugin Used by Over 3 Million Sites https://thehackernews.com/2022/02/critical-flaw-uncovered-in-wordpress.html
- Intel Software and Firmware Updates Patch 18 High-Severity Vulnerabilities https://www.securityweek.com/intel-software-and-firmware-updates-patch-18-high-severity-vulnerabilities
- Patch now: Adobe releases emergency fix for exploited Commerce, Magento zero-day https://www.zdnet.com/article/patch-now-adobe-releases-emergency-fix-for-exploited-commerce-magento-zero-day
- Researchers create exploit for critical Magento bug, Adobe updates advisory https://www.bleepingcomputer.com/news/security/researchers-create-exploit-for-critical-magento-bug-adobe-updates-advisory/
Cryptography and Cryptographic Research:
- Finding Collisions against 4-round SHA3-384 in Practical Time, by Senyang Huang and Orna Agmon Ben-Yehuda and Orr Dunkelman and Alexander Maximov https://eprint.iacr.org/2022/194
- On the precision loss in approximate homomorphic encryption, by Anamaria Costache and Benjamin R. Curtis and Erin Hales and Sean Murphy and Tabitha Ogilvie and Rachel Player https://eprint.iacr.org/2022/162
Hacking / Malware / Cybercrime / Exploitation
News covering active trends, alerts, events.
Trends, Alerts, and Events (other than major breaches):
- FBI warns of BEC attackers impersonating CEOs in virtual meetings https://www.bleepingcomputer.com/news/security/fbi-warns-of-bec-attackers-impersonating-ceos-in-virtual-meetings/
- Microsoft Teams Targeted With Takeover Trojans https://threatpost.com/microsoft-teams-targeted-takeover-trojans/178497/
- Trickbot abuses top brands including Bank of America, Wells Fargo in attacks against customers https://www.zdnet.com/article/trickbot-abuses-top-brands-including-bank-of-america-wells-fargo-in-attacks-against-customers
Nation State Actors:
- Russia Was Behind DDoS Attacks Against Ukraine, US Officials Say https://www.wired.com/story/ukraine-ddos-russia-crypo-roblox-security-news
- Russian Actors Targeting US Defense Contractors in Cyber Espionage Campaign, CISA Warns https://www.darkreading.com/attacks-breaches/russian-actors-targeting-us-defense-contractors-in-cyber-espionage-campaign
- Iranian hackers target VMware Horizon servers with Log4j exploits https://www.bleepingcomputer.com/news/security/iranian-hackers-target-vmware-horizon-servers-with-log4j-exploits/
- PEARL 2 PEGASUS: Bahraini activists hacked with Pegasus just days after a report confirming other victims https://citizenlab.ca/2022/02/bahraini-activists-hacked-with-pegasus/
Crime & Arrests, etc.:
- Interpol: Policing model needs to change with cybercrime https://www.theregister.com/2022/02/17/interpol_cybercrime/
- US to attack cyber criminals first, ask questions later – if it protects victims https://www.theregister.com/2022/02/21/doj_cyber_offensive_policy/
- Elephant Beetle: Stealthy Hacker Group Stole Millions Undetected https://www.databreaches.net/elephant-beetle-stealthy-hacker-group-stole-millions-undetected/
- Businessman admits to working as spyware broker in US and Mexico https://www.zdnet.com/article/businessman-admits-to-working-as-spyware-broker-in-us-and-mexico
- $1.7 million in NFTs stolen in apparent phishing attack on OpenSea users https://www.theverge.com/2022/2/20/22943228/opensea-phishing-hack-smart-contract-bug-stolen-nft
Other Security / Risk
Articles covering other types of risks.
- If the Cloud Is More Secure, Then Why Is Everything Still Broken? https://www.darkreading.com/cloud/if-the-cloud-is-more-secure-then-why-is-everything-still-broken-
- Facebook is one bad Chrome extension away from another Cambridge Analytica scandal https://www.theregister.com/2022/02/17/chrome_meta_token/
- Google Drive flags macOS '.DS_Store' files for copyright violation https://www.bleepingcomputer.com/news/security/google-drive-flags-macos-ds-store-files-for-copyright-violation/
- Where AI Falls Down in Cybersecurity https://www.darkreading.com/edge-articles/where-ai-falls-down-in-cybersecurity
- Canadian banks get a pressure-test of their compliance practices with Emergencies Act https://www.businessinsider.com/canadas-emergencies-act-tests-banks-compliance-2022-2
- The Worst Timeline: A Printer Company Is Putting DRM in Paper Now https://www.eff.org/deeplinks/2022/02/worst-timeline-printer-company-putting-drm-paper-now
- An energy firm accidentally sent customers trillion-dollar checks in compensation for a power cut https://www.businessinsider.com/northern-powergrid-accidentally-checks-customers-power-cut-storm-arwen-uk-2022-2
- Who Is Behind QAnon? Linguistic Detectives Find Fingerprints https://www.nytimes.com/2022/02/19/technology/qanon-messages-authors.html
Disinformation and misinformation:
- Disinformation for profit: scammers cash in on conspiracy theories https://www.theguardian.com/media/2022/feb/20/facebook-disinformation-ottawa-social-media
- How Facebook twisted Canada's trucker convoy into an international movement https://www.theverge.com/2022/2/19/22941291/facebook-canada-trucker-convoy-gofundme-groups-viral-sharing
- Canada Sanctions 34 Crypto Wallets, Investigates 'Freedom Convoy' Donations https://www.pymnts.com/cryptocurrency/2022/canada-sanctions-34-crypto-wallets-investigates-freedom-convoy-donations/
- Ottawa police say convoy blockade 'aggressive,' one arrested after gas launched https://globalnews.ca/news/8632832/ottawa-police-freedom-convoy-blockade/
Health, Safety & Environment:
- Mysterious 'Russian Flu' 130 Years Ago May Have Been a Coronavirus, Scientists Say https://www.sciencealert.com/scientists-are-wondering-if-the-1889-russian-flu-was-actually-caused-by-coronavirus
- Scientists Convert Donor Lungs to Universal Blood Type in a Medical First https://www.sciencealert.com/lungs-converted-to-a-universal-blood-type-could-help-transplant-donor-shortages
- Sickle cell: 'The revolutionary gene-editing treatment that gave me new life' https://www.bbc.co.uk/news/health-60348497
- New imaging scan reveals a culprit in cognitive decline of Alzheimer's https://scienmag.com/new-imaging-scan-reveals-a-culprit-in-cognitive-decline-of-alzheimers/
- The US is considering a 'no-fly' list for unruly passengers as incidents continue, but creating it could be a long and complicated process https://www.businessinsider.com/us-considering-a-federal-no-fly-list-unruly-passengers-2022-2
- The Sun Has Erupted Non-Stop All Month, And There Are More Giant Flares Coming https://www.sciencealert.com/the-sun-has-erupted-non-stop-all-month-and-there-are-more-giant-flares-coming
- Onset of modern sea level rise began in 1863, international study finds https://scienmag.com/onset-of-modern-sea-level-rise-began-in-1863-international-study-finds/
- US Could Get a Century's Worth of Sea Level Rise in Just 3 Decades, Report Warns https://www.sciencealert.com/us-sea-levels-could-rise-more-than-three-times-faster-than-last-century
- NASA Says Tonga Eruption Sent Up Highest Ash Plumes Ever Captured by Satellite https://www.sciencealert.com/nasa-says-tonga-eruption-sent-highest-ash-plumes-ever-captured-by-satellite
- Incredible photos show Spanish ghost village emerge after 30 years underwater https://globalnews.ca/news/8628758/ghost-village-spain-drought-reservoir-aceredo/
- Carbon capture tech is advancing in the wrong direction https://www.theverge.com/2022/2/18/22940826/carbon-capture-tech-wrong-direction-power-plants-industrial-emissions
- The 'Doomsday Vault' Has Opened Its Doors to Receive New Seed Deposits https://www.mentalfloss.com/article/655432/svalbard-seed-bank-new-seeds
COVID-19 Updates
COVID related articles. We have been following coronavirus risks since https://controlgap.com/blog/this-weeks-insecurity-issue-147.
The spread, curves, spikes, waves, reinfection, and variant strains:
- 1,056 people hospitalized in Ontario with COVID-19, 324 in intensive care https://globalnews.ca/news/8634203/ontario-covid-feb-20-2022/
Guidance, Response, and Recovery:
- U.K. to scrap COVID-19 self-isolation rules next week https://globalnews.ca/news/8634679/uk-scrap-covid-self-isolation-rules/
- Boris Johnson: Do not throw caution to the wind on Covid https://www.bbc.co.uk/news/uk-60446908
Treatments, Testing, Triage, Trials, and things we Learned:
- Does Drinking Red Wine Really Protect Against COVID? Let's Look at The Data https://www.sciencealert.com/does-drinking-red-wine-really-protect-against-covid-19-let-s-look-at-the-evidence
Immunity and Vaccinations:
- Novavax COVID-19 vaccine approved for use in Canadian adults https://globalnews.ca/news/8627420/novavax-covid-vaccine-approved-for-use-in-canadian-adults/
Things we learned:
- The Lab-Leak Hypothesis Made It Harder for Scientists to Seek the Truth https://www.scientificamerican.com/article/the-lab-leak-hypothesis-made-it-harder-for-scientists-to-seek-the-truth/
Off-Topic / Science & Tech / Lighter Side
A variety of scientific, technical, historical, and more light-hearted news.
Innovations & Inventions:
- Holographic Camera Instantly Peeks around Obstacles https://www.scientificamerican.com/article/holographic-camera-instantly-peeks-around-obstacles/
- Generating landscapes without people https://www.aiweirdness.com/generating-landscapes-from-text/
Other:
- Finding Shackleton's ship in Antarctica is a deeper challenge than the Franklin discovery https://www.cbc.ca/radio/quirks/finding-shackletons-ship-1.6355811
- Scientists reveal how Venus fly traps snaps shut https://scienmag.com/scientists-reveal-how-venus-fly-traps-snaps-shut/
- 10 Mysterious Incidents at the Bermuda Triangle https://www.mentalfloss.com/article/655367/bermuda-triangle-mysterious-incidents
- Behold, This Is The First Asteroid Ever Discovered to Have Three Moons https://www.sciencealert.com/this-is-the-first-asteroid-ever-discovered-to-have-three-moons
- TESS Finds Almost 100 Quadruple Star Systems https://www.universetoday.com/154561/tess-finds-almost-100-quadruple-star-systems/