This Week’s [in]Security – Issue 159

Welcome to This Week’s [in]Security. Trending: COVID-19 update: stats live, Wuhan stats updated, infection hotspots, sewage early warning, reopening, conspiracies and threats, hacking researchers, virus sniffer dogs, vaccines including measles vs COVID. Surveillance law expired? Vulnerability Priority Rating vs CVSS. ISP BGP security. Zoom's DIY crypto. Rewards for cyber-spies. More zoom-bombing. Russia vs SFO. Domestic Terrorism. Opioid alternative. Hot Qubits. And more.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

New - Emerging Issues and Trending Stories

Coronavirus updates. We recently change the way we report COVID articles to you so it is less overwhelming. Many COVID articles will appear within our normal blog section headings each with a sub-group dedicated to COVID-19. For example:

• Facts about its spread, direct impact, and how people react will continue under Trending.
• Regulations and restrictions to counter the virus will be under Regulations.
• Privacy Implications, PCI/Payments, Cybercrime under their respective sections
• Treatments, Vaccines, Innovations, Coping methods under Defense
• Information on how/why it spreads, improvements understanding it, etc. under Vulnerabilities
• Economic impact and articles that don't fit into the other categories will be under Other Risk.
• Breaches (and Ransomware) under Breaches.

Our first regular reports on coronavirus can be found at https://controlgap.com/blog/this-weeks-insecurity-issue-147. And our first use of the trending topic section can be found https://controlgap.com/blog/this-weeks-insecurity-issue-149.

• The spread, the curve, and aftermath:

  • COVID-19 statistics https://ncov2019.live/
  • China outbreak city Wuhan raises death toll by 50% https://www.bbc.co.uk/news/world-asia-china-52321529
  • What led to Alberta's biggest outbreak? Cargill meat plant's hundreds of COVID-19 cases https://www.cbc.ca/news/canada/calgary/cargill-alberta-covid-19-deena-hinshaw-1.5537377
  • What a deadly 1911 epidemic in China can teach us about the coronavirus pandemic https://www.cnn.com/2020/04/18/china/great-manchurian-plague-china-hnk-intl/index.html

• Guidance, Response and Recovery:

  • If Canada’s coronavirus lockdown eases, could sewage act as an early warning system? https://globalnews.ca/news/6815600/coronavirus-lockdown-sewage-early-warning-system/
  • COVID-19 — Impact of containment measures in Italy: 200,000 hospitalizations avoided in March https://scienmag.com/covid-19-impact-of-containment-measures-in-italy-200000-hospitalizations-avoided-in-march/
  • With weekend lockdowns and age-specific restrictions, Turkey takes a different coronavirus approach https://www.cnn.com/2020/04/17/europe/turkey-coronavirus-lockdown-response-intl/index.html
  • Without More Tests, America Can’t Reopen https://www.theatlantic.com/ideas/archive/2020/04/were-testing-the-wrong-people/610234/
  • One Decision on Social Distancing Could Have Prevented 90% of US Coronavirus Deaths https://www.sciencealert.com/starting-isolation-two-weeks-sooner-could-have-saved-9-out-of-10-us-coronavirus-deaths

• Behaviour - the good, the bad, and the ugly (okay, just the bad and ugly this week):

  • Aussie Shopper Tries To Return 4,800 Rolls Of Toilet Paper And 150 Litres Of Hand Sanitiser https://www.ladbible.com/news/news-aussie-shopper-tried-to-return-4800-rolls-of-toilet-paper-20200414
  • An anti-lockdown protest in Austin, Texas, drew anti-vaxxers and Trump supporters chanting 'Fire Fauci' https://www.businessinsider.com/photos-texas-lockdown-protesters-anti-vaxxers-chant-fire-fauci-2020-4

PCI Compliance and Payments

News and announcements relating to Payment Security, PCI, Card Brands, Payments, Payment Malware and Fraud.

• PCI SSC Call for Speakers open until May 1st https://www.cvent.com/c/abstracts/55751531-5c39-4b8c-b93f-2cbf26393d46
• PCI updated FAQ#1247 https://pcissc.secure.force.com/faq/articles/Frequently_Asked_Question/Who-can-use-SAQ-P2PE
• Updated index of PCI FAQ's https://controlgap.com/index-pci-frequently-asked-questions/
• Visa Warns E-Commerce Merchants Using Older Versions of Magento To Upgrade Quickly https://www.digitaltransactions.net/visa-warns-e-commerce-merchants-using-older-versions-of-magento-to-upgrade-quickly/
• More on COVID-19 Tap liimit update in Canada https://www.moneris.com/en/covidupdate/contactless-limit-update

Breaches / Ransomware / Leaks

Covering breaches, leaks, data exposures, ransomware (as potential breach), and their fallout.

COVID-19 related breaches:

• FBI says state hackers have broken into US coronavirus research https://www.databreaches.net/fbi-says-state-hackers-have-broken-into-us-coronavirus-research-report/
• Canadian passengers from virus-stricken Zaandam cruise ship hit by federal gov't privacy breach https://www.cbc.ca/news/business/zaandam-cruise-privacy-breach-canadians-1.5531124

• Breaches:

  • Aptoide - 20,012,235 breached accounts added to HIBP https://haveibeenpwned.com/PwnedWebsites#Aptoide
  • Account details for 4 million Quidd users shared on hacking forum https://www.databreaches.net/account-details-for-4-million-quidd-users-shared-on-hacking-forum/
  • New York State Investigates Network Hack https://www.databreachtoday.com/new-york-state-investigates-network-hack-a-14124
  • Wappalyzer discloses 16K record security breach after hacker starts emailing users https://www.zdnet.com/article/wappalyzer-discloses-security-breach-after-hacker-starts-emailing-users/
• Medical Device Maker Faces California Privacy Suit After Breach https://www.databreaches.net/medical-device-maker-faces-california-privacy-suit-after-breach/

• Randsomware:

  • Double Extortion: Ransomware's New Normal Combining Encryption with Data Theft https://www.securityweek.com/double-extortion-ransomwares-new-normal-combining-encryption-data-theft and https://threatpost.com/double-extortion-ransomware-attacks-spike/154818/
  • Ransomware attacks lock 2 Manitoba law firms out of computer systems https://www.cbc.ca/news/canada/manitoba/winnipeg-law-firms-computer-virus-ransomware-1.5530825
  • Cognizant attacked by Maze ransomware https://www.databreaches.net/cognizant-attacked-by-maze-ransomware/
  • Accounting firm MNP hit with cyberattack https://www.databreaches.net/ca-leading-accounting-firm-mnp-hit-with-cyberattack/
  • Shipping Giant MSC Confirms Outage Caused by Malware Attack https://www.securityweek.com/shipping-giant-msc-confirms-outage-caused-malware-attack

Privacy

Articles about privacy related news, risks, and trends.

• COVID-19 Contact tracing:

  • Apple and Google Respond to Covid-19 Contact Tracing Concerns https://www.wired.com/story/apple-google-contact-tracing-strengths-weaknesses/
  • Contact Tracing COVID-19 Infections via Smartphone Apps https://www.schneier.com/blog/archives/2020/04/contact_tracing.html
  • The Internet’s Titans Make a Power Grab https://www.theatlantic.com/ideas/archive/2020/04/pandemic-facebook-and-twitter-grab-more-power/610213/
  • Europe publishes draft rules for coronavirus contact-tracing app development, on a relaxed schedule https://www.theregister.co.uk/2020/04/17/european_contact_tracing_app_spec/
  • UK NHS in standoff with Apple and Google over coronavirus tracing https://www.theguardian.com/technology/2020/apr/16/nhs-in-standoff-with-apple-and-google-over-coronavirus-tracing
• Bad news: So much of your personal data has been hacked that lesson manuals on how to use it are the latest hot property https://www.theregister.co.uk/2020/04/16/cybercrimeby_fraud_lessons/
• (Confusing?) Privacy breach company remains part of B.C. health data sharing https://www.databreaches.net/ca-privacy-breach-company-remains-part-of-b-c-health-data-sharing/

Laws & Regulations / Standards

News about laws, regulations, and standards affecting security, privacy,  technology, and public interest.

• Section 215 Expired. Now What? https://www.eff.org/deeplinks/2020/04/yes-section-215-expired-now-what
• NIST extends public comment period for Draft NISTIR 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM) until May 20 https://csrc.nist.gov/publications/detail/nistir/8286/draft

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• What Is Vulnerability Priority Rating (VPR) and How Is It Different from CVSS? https://www.tenable.com/blog/what-is-vpr-and-how-is-it-different-from-cvss
• You Can Now Check If Your ISP Uses Basic Security Measures https://www.wired.com/story/cloudflare-bgp-routing-safe-yet/
• Welcoming the Icelandic Government to Have I Been Pwned https://www.troyhunt.com/welcoming-the-icelandic-government-to-have-i-been-pwned/

• COVID-19 countermeasures:

  • Here's What We Know about the Most Touted Drugs Tested for COVID-19 https://www.scientificamerican.com/article/heres-what-we-know-about-the-most-touted-drugs-tested-for-covid-191/
  • Covid-19 patients reportedly recovering quickly after getting experimental drug https://www.cnn.com/2020/04/16/health/coronavirus-remdesivir-trial/index.html
  • A US Lab Just Launched an Antibody Test For Detecting if You've Had The Coronavirus https://www.sciencealert.com/us-lab-is-rolling-out-antibody-test-to-detect-whether-you-ve-had-the-coronavirus
  • Medical detection dogs able to sniff 750 people an hour could help identify coronavirus cases https://www.businessinsider.com/sniffer-dogs-answer-to-the-covid-19-testing-crisis-mirror-2020-4
  • Scientists Are Using The Measles Vaccine to Develop a 'Trojan Horse' Against COVID-19 https://www.sciencealert.com/scientists-use-the-measles-vaccine-to-develop-trojan-horse-against-covid-19
  • At Least 70 Coronavirus Vaccines Are Already in Development https://www.sciencealert.com/who-report-gives-update-on-how-we-re-going-with-a-covid-19-vaccine

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• (DIY Crypto is a bad idea and Zoom made at least one kindergarden crypto mistake) Move Fast and Roll Your Own Crypto: A Quick Look at the Confidentiality of Zoom Meetings https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings/
• Cisco IP Phone Harbors Critical RCE Flaw https://threatpost.com/critical-cisco-ip-phone-rce-flaw/154864/
• No creds needed for critical VMware vuln allowingd anyone on your network to create new admin users https://www.theregister.co.uk/2020/04/17/vmware_vcenter_critical_vuln_anyone_create_admin_users/
• GitHub Shares Details on Six Chrome Vulnerabilities https://www.securityweek.com/github-shares-details-six-chrome-vulnerabilities
• Linksys asks users to reset passwords after hackers hijacked home routers last month https://www.zdnet.com/article/linksys-asks-users-to-reset-passwords-after-hackers-hijacked-home-routers-last-month/
• IoT: Hackers Made the Snoo Smart Bassinet Shake and Play Loud Sounds https://www.wired.com/story/snoo-smart-bassinet-vulnerabilities-shaking-loud-noise/

Hacking / Malware / Cybercrime / Exploitation

News covering active trends and events.

• COVID-19 Crime and Cybercrime:

  • PPE, COVID-19 Medical Supplies Targeted by BEC Scams https://threatpost.com/ppe-covid-19-medical-supplies-bec-scams/154806/
  • Google blocking 18m coronavirus scam emails every day https://www.bbc.co.uk/news/technology-52319093
  • Kansas AG warns of text scam saying you've come into contact with someone who has COVID-19 http://www.kake.com/story/42016641/kansas-ag-warns-of-text-scam-saying-youve-come-into-contact-with-someone-who-has-covid-19
  • Gamaredon APT Group Use Covid-19 Lure in Campaigns https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/
  • Teenage hacker arrested in Madrid for hacking medical data and leaking information on a politician positive for COVID-19 https://www.databreaches.net/teenage-hacker-arrested-in-madrid-for-hacking-medical-data-and-leaking-information-on-a-politician-positive-for-covid-19/
• US Offers $5 Million Reward for N. Korea Hacker Information https://www.bankinfosecurity.com/us-offers-5-million-reward-for-n-korea-hacker-information-a-14134
• Zoom Bombing Attack Hits U.S. Government Meeting https://threatpost.com/zoom-bombing-attack-hits-u-s-government-meeting/154903/
• Hackers Update Age-Old Excel 4.0 Macro Attack https://threatpost.com/hackers-update-age-old-excel-4-0-macro-attack/154898/
• Bitcoin stealer infected 700+ libraries of major programming language https://decrypt.co/26025/rubygems-bitcoin-stealing-software-reversinglabs
• The secret behind “unkillable” Android backdoor called xHelper has been revealed https://arstechnica.com/information-technology/2020/04/solved-how-android-backdoor-called-xhelper-survives-factory-resets/
• Russian Hackers Went After San Francisco International Airport https://www.wired.com/story/russian-hackers-san-francisco-airport-windows-zero-days-security-roundup/
• Another day, another Google cull: Chocolate Factory axes 49 malicious Chrome extensions from web store https://www.theregister.co.uk/2020/04/15/google_malicious_chrome/
• Dutch Police Shutter 15 DDoS 'Booter' Sites https://www.bankinfosecurity.com/dutch-police-shutter-15-ddos-booter-sites-a-14108

Other Security / Risk

Articles covering other types of risks.

• COVID-19 Other risks and impact:

  • Climate Science Deniers Turn to Attacking Coronavirus Models https://www.scientificamerican.com/article/climate-science-deniers-turn-to-attacking-coronavirus-models/
  • Third-Party Risk Considerations During COVID-19 Crisis https://www.databreachtoday.com/interviews/third-party-risk-considerations-during-covid-19-crisis-i-4656
  • Bill Gates is now the leading target for coronavirus conspiracies and a right-wing target https://www.theverge.com/2020/4/17/21224728/bill-gates-coronavirus-lies-5g-covid-19, https://www.nytimes.com/2020/04/17/technology/bill-gates-virus-conspiracy-theories.html
  • Bats Are a Key Source of Human Viruses--but They May Not Be Special https://www.scientificamerican.com/article/bats-are-a-key-source-of-human-viruses-but-they-may-not-be-special/
• 25 Years After Oklahoma City, Domestic Terrorism Is on the Rise https://www.wired.com/story/oklahoma-city-bombing-christopher-wray/
• Earth's Atmosphere Is 4x Dustier Than We Thought, Which Could Change Climate Models https://www.sciencealert.com/earth-is-way-way-dustier-than-we-thought-and-that-has-big-implications-for-climate-change

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• A Safe Alternative to Opioid Painkillers Could Come From Tarantula Venom https://www.sciencealert.com/the-alternative-to-opioid-painkillers-could-come-from-tarantula-venom
• Solar Cell Technology Has Smashed Three Big Records https://www.sciencealert.com/solar-cell-technology-has-toppled-three-new-records-just-this-month
• 'Hot' Qubits Overcame a Huge Quantum Computing Problem https://www.sciencealert.com/new-technology-could-overcome-quantum-computing-hurdles-using-hot-qubits
• The Secret of Scooby-Doo’s Enduring Appeal https://www.theatlantic.com/magazine/archive/2020/05/the-secret-of-scooby-doos-enduring-appeal/609091/
• More things that saved Apollo 13 from disaster https://www.universetoday.com/145636/even-more-things-that-saved-apollo-13-part-1-the-barbecue-roll/, https://www.universetoday.com/145670/even-more-things-that-saved-apollo-13-charging-the-batteries/, https://www.universetoday.com/145704/even-more-things-that-saved-apollo-13-the-nail-biting-re-entry-sequence/, the original article https://www.universetoday.com/62339/13-things-that-saved-apollo-13/
• Astronomers Might Have Imaged a Second Planet Around Nearby Proxima Centauri – and it Might Have a Huge Set of Rings https://www.universetoday.com/145697/astronomers-might-have-imaged-a-second-planet-around-nearby-proxima-centauri-and-it-might-have-a-huge-set-of-rings/
• This Is Why Space Needs To Be Continuous, Not Discrete https://www.forbes.com/sites/startswithabang/2020/04/17/this-is-why-space-needs-to-be-continuous-not-discrete/