This Week's [in]Security - Issue 174 | insecurity | Control Gap

Welcome to This Week’s [in]Security. Twitter Hack Week 3 arrests. Covid-19: Spread, Curves, Spikes & Waves. Lockdown, Reopening, & The New Normal. Vaccine Progress. More of the Good, Bad, and Ugly. DSSv4. CPoC and SPoC updates. SSF Update. POS Malware Alert. Mag-stripes. New breaches: Zello, LG, Xerox, Source Code Gigaleak. Ransomware: Garmin, Pivot Tech. HIBP gets 50M+ accounts. Breach costs. Contact tracing. Facial Recognition. GDPR. Stingray Drones. War on Crypto Updates. CitizenLab. Fair use. Forensic Software. Multiple NIST Updates. Blackberry. Big-tech Scrutiny. Quantum. Black Hat. Supply Chain Attack Survey. 0-day Root Causes & detection. BootHole. Wordpress RCE. Magneto RCE. Zoom. More ICS risk. Cisco bugs. Halt and catch fire for real. Tor. Multiple FBI warnings. IoT. Deepfake scam. Malware auction. Events-based Controls. Toronto. Fake News & Disinformation. Espionage. And more.

Trending news and COVID-19 updates.

The COVID related articles here fit together. Other COVID articles will appear under our normal section headings like regulations, privacy, breaches, and other risks. We have been following coronavirus risks since https://controlgap.com/blog/this-weeks-insecurity-issue-147.

• Twitter Hack Week 3:

  • Three Charged in July 15 Twitter Compromise https://krebsonsecurity.com/2020/07/three-charged-in-july-15-twitter-compromise/
  • Twitter hackers used “phone spear phishing” in mass account takeover https://arstechnica.com/information-technology/2020/07/twitter-hackers-used-phone-spear-phishing-in-mass-account-takeover/
  • How the Alleged Twitter Hackers Got Caught https://www.wired.com/story/how-alleged-twitter-hackers-got-caught-bitcoin
  • Twitter Hacker Arrested https://www.schneier.com/blog/archives/2020/07/twitter_hacker_.html
  • Years before big hack, Twitter contractors reportedly spied on celebs, including Beyoncé https://www.theverge.com/2020/7/27/21340581/twitter-big-hack-contractors-spied-celebs-beyonce-bitcoin

• Facebook Ad boycott:

  • More Than 1,000 Companies Boycotted Facebook. Did It Work? https://www.nytimes.com/2020/08/01/business/media/facebook-boycott.html

• The spread, curves, spikes, and waves:

  • Iran cover-up of 3x deaths revealed by data leak https://www.databreaches.net/coronavirus-iran-cover-up-of-deaths-revealed-by-data-leak/
  • Mexico's death toll becomes world's third highest https://www.bbc.co.uk/news/world-latin-america-53618808
  • England highest level of excess deaths https://www.bbc.co.uk/news/health-53592881
  • How Canada’s first long-term coronavirus pandemic projections hold up today https://globalnews.ca/news/7229908/coronavirus-pandemic-projections-canada/
  • Ontario reports 89 new coronavirus cases, 2nd day in a row with cases under 100 https://globalnews.ca/news/7234123/ontario-coronavirus-cases-july-30-covid19/
  • Hamilton bar says patron with COVID-19 was on the premises Saturday night https://globalnews.ca/news/7221363/coronavirus-hamilton-bar-patron/
  • 3 Ottawa daycares now facing coronavirus outbreaks https://globalnews.ca/news/7220933/ottawa-daycares-coronavirus-outbreaks/
  • ‘The whole church has got it’: 40 people infected with coronavirus at Alabama event https://globalnews.ca/news/7220954/coronavirus-alabama-church-outbreak/
  • Malta says 65 rescued migrants test positive https://www.bbc.co.uk/news/world-europe-53576765

• Lockdown, reopening, and The New Normal:

  • Closing schools in March may have saved the lives of 40,000 Americans, a new analysis found https://www.businessinsider.com/coronavirus-school-closures-may-have-saved-40000-us-lives-2020-7
  • Alabama is restricting alcohol sales after 11 p.m. in bars, restaurants, and country clubs https://www.businessinsider.com/alabama-restricts-alcohol-sales-after-11-bars-restaurants-covid-19-2020-7
  • One of the first cruise ships to resume operations reports COVID-19 cases https://www.ctvnews.ca/health/coronavirus/one-of-the-first-cruise-ships-to-resume-operations-reports-covid-19-cases-1.5048206
  • Will Kids Follow the New Pandemic Rules at School? https://www.theatlantic.com/family/archive/2020/07/us-schools-reopen-kids-social-distance/614713/
  • Cancelling flu vaccination clinics will strain health resources amid COVID-19 https://globalnews.ca/news/7221783/vernon-interior-health-flu-clinics/
  • 2nd wave of coronavirus in countries around Asia prompts fresh lockdowns https://globalnews.ca/news/7220628/asia-second-wave-coronavirus-lockdowns/

• Treatments, Testing, Triage, and Trials, and things we learned:

  • A Statistician Explains How 1 Figure Shows The US Isn't Doing Enough Testing Yet https://www.sciencealert.com/the-us-isn-t-doing-enough-testing-yet-says-statistics-expert
  • How close are we to a coronavirus vaccine? https://globalnews.ca/news/7206435/coronavirus-vaccine-research/
  • A 20-year study on dozens of vaccines finds they are safer than 'almost any other modern medical intervention' https://www.businessinsider.com/vaccines-are-remarkably-safe-finds-20-year-study-2020-7
  • When a Vaccine Arrives, People Will Ignore the Anti-Vaxxers https://www.theatlantic.com/ideas/archive/2020/07/people-are-suffering-too-much-refuse-vaccine/614818/
  • Temper Your Expectations Around a Coronavirus Vaccine https://www.theatlantic.com/newsletters/archive/2020/07/coronavirus-vaccine-reality-check/614668/
  • Coronavirus: Russia plans mass vaccination campaign in October https://www.bbc.co.uk/news/world-europe-53621708
  • Sask. vaccine developer locks in Canadian manufacturers for human clinical trials https://www.cbc.ca/news/canada/saskatoon/vido-intervac-dalton-biodextris-early-phase-trials-1.5667898
  • 21 Existing Drugs Identified Appear to Block SARS-CoV-2 Replication in The Lab https://www.sciencealert.com/scientists-identify-21-existing-drugs-that-could-help-treat-covid-19
  • The six strains of SARS-CoV-2 https://scienmag.com/the-six-strains-of-sars-cov-2/

• Behaviour - the good, the bad, and the ugly:

  • Russia behind spread of coronavirus disinformation https://globalnews.ca/news/7228466/russia-coronavirus-disinformation/

• Masks, anti-maskers, and distancing:

  • Masks more important than disinfectant for COVID-19 prevention https://globalnews.ca/news/7231500/cleaning-disinfectant-coronavirus-surfaces/
  • Masks made mandatory in Australia’s coronavirus hot spot state Victoria https://globalnews.ca/news/7234058/australia-coronavirus-masks-mandatory/
  • Toronto makes masks mandatory in common areas of residential buildings https://globalnews.ca/news/7231225/toronto-mandatory-masks-apartments-condos/
  • This Gross Experiment Shows How Even Homemade Masks Can Stop Germs Spreading https://www.sciencealert.com/this-home-experiment-shows-why-even-homemade-masks-can-help-stop-covid-19-spread
  • Two Trader Joe’s customers were asked to put on masks. They attacked employees instead https://www.washingtonpost.com/nation/2020/07/29/covid-trader-joe-face-masks/

PCI Compliance and Payments

News and announcements relating to Payment Security, PCI, Card Brands, Payments, Payment Malware and Fraud.

• PCI Updated their COVID page recently https://www.pcisecuritystandards.org/covid19
• A View into Feedback from the PCI DSS v4.0 RFC https://blog.pcisecuritystandards.org/a-view-into-feedback-from-the-pci-dss-v4-0-rfc
• What's Next for PCI SSC Mobile Payments Security Standards? https://blog.pcisecuritystandards.org/whats-next-for-pci-ssc-mobile-payments-security-standards
• CPoC Technical FAQs https://www.pcisecuritystandards.org/documents/Contactless_Payments_on_COTS_-_Technical_FAQs_v1.1.pdf
• SPoC Technical FAQs Updated https://www.pcisecuritystandards.org/documents/SPoC_Technical_FAQs_v1.6.pdf
• PFI Preliminary Incident Response Report Template https://www.pcisecuritystandards.org/documents/PFI_Preliminary_Incident_Response_Report_v3.1_July_2020.pdf
• PFI Final Incident Report Template https://www.pcisecuritystandards.org/documents/Final_PFI_Report_v3.1_July_2020.pdf
• Secure Software Program Guide https://www.pcisecuritystandards.org/documents/Secure-Software-Program-Guide-v1.0.1.pdf
• Visa Alert - New Malware Samples Identified In Point-Of-Sale Compromise http://click.broadcasts.visa.com/xfm/?40254/0/e72e19883ebb78a475570ab6dd5275ad/lonew
• Wirecard Was Fined Millions By Visa, Mastercard For Questionable Transactions https://www.pymnts.com/news/security-and-risk/2020/wirecard-was-fined-millions-by-visa-mastercard-for-questionable-transactions/
• Here’s Why Credit Card Fraud is Still a Thing https://krebsonsecurity.com/2020/07/heres-why-credit-card-fraud-is-still-a-thing/
• Is Your Chip Card Secure? Much Depends on Where You Bank https://krebsonsecurity.com/2020/07/is-your-chip-card-secure-much-depends-on-where-you-bank/

Breaches / Ransomware / Leaks

Covering breaches, leaks, data exposures, ransomware (as potential breach), and their fallout.

• New breaches:

  • Why a Data Breach at a Genealogy Site Has Privacy Experts Worried https://www.nytimes.com/2020/08/01/technology/gedmatch-breach-privacy.html
  • Zello resets all user passwords after data breach https://www.bleepingcomputer.com/news/security/zello-resets-all-user-passwords-after-data-breach/
  • Ransomware gang publishes tens of GBs of internal data from LG and Xerox https://www.zdnet.com/article/ransomware-gang-publishes-tens-of-gbs-of-internal-data-from-lg-and-xerox
  • Some Cub Pharmacies in Minnesota report breaches due to looters https://www.databreaches.net/some-cub-pharmacies-in-minnesota-report-breaches-due-to-looters/
  • Leaky S3 buckets have gotten so common that they're being found by the thousands now, with lots of buried secrets https://www.theregister.com/2020/08/03/leaky_s3_buckets/
  • Data Breach at Crypto Wallet Firm Ledger Exposes User’s Personal Info https://www.databreaches.net/data-breach-at-crypto-wallet-firm-ledger-exposes-users-personal-info/
  • Kiwibank breach ‘significant’ – Privacy Commissioner https://www.databreaches.net/nz-kiwibank-breach-significant-privacy-commissioner/
  • Hackers Stole GitHub And GitLab OAuth Tokens From Git Analytics Firm Waydev https://www.zdnet.com/article/hackers-stole-github-and-gitlab-oauth-tokens-from-git-analytics-firm-waydev
  • Internal source code from 50 high-profile companies including Microsoft, Disney, and Nintendo has been leaked and posted online for people to access https://www.businessinsider.com/software-source-code-leaked-microsoft-nintendo-2020-7
  • Vermont Taxpayers Warned of Data Leak Over the Past Three Years https://threatpost.com/vermont-taxpayers-warned-of-data-leak-over-the-past-three-years/157856/
  • Argentina health officials expose personal data on 115,000 COVID-19 quarantine exemption applicants https://www.comparitech.com/blog/information-security/argentina-covid-permit-data-leak/

• New Ransomware:

  • Garmin Confirms Hackers Encrypted Several Systems https://www.databreachtoday.com/garmin-confirms-hackers-encrypted-several-systems-a-14713
  • Garmin staggers back to its feet: Aviation systems seem to be lagging https://www.theregister.com/2020/07/27/garmin_ransomware_recovery/
  • Hacker gang behind Garmin attack doesn't have a history of stealing user data https://www.zdnet.com/article/hacker-gang-behind-garmin-attack-doesnt-have-a-history-of-stealing-user-data
  • Ransomware attack on MSP failed, but attackers exfiltrated some data — Pivot Technology Solutions https://www.databreaches.net/ca-ransomware-attack-on-msp-failed-but-attackers-exfiltrated-some-data-pivot-technology-solutions/
  • First rule of Ransomware Club is do not pay the ransom, but it looks like Carlson Wagonlit Travel didn't get the memo https://www.theregister.com/2020/07/31/carlson_wagonlit_travel_ragnarlocker_ransom_paid/
  • DXC says ransomware attack disrupted customer operations at insurance services arm but barely left a scratch https://www.theregister.com/2020/07/30/dxc_ransomware_attack/
  • Athens ISD paid $50k ransom to attackers https://www.databreaches.net/athens-isd-paid-50k-ransom-to-attackers/

• Follow-ups:

  • List of Blackbaud breach victims tops 120 https://www.computerweekly.com/news/252486910/List-of-Blackbaud-breach-victims-tops-120
  • Blackbaud's Bizarre Ransomware Attack Notification https://www.databreachtoday.com/blogs/blackbauds-bizarre-ransomware-attack-notification-p-2929
  • Heart and Stroke Foundation Warns of Privacy Breach at Third Party Company https://vocm.com/2020/08/01/privacy-breach-heart-and-stroke-foundation/
  • Questions Persist About Ransomware Attack on Blackbaud https://www.bankinfosecurity.com/ransomware-attack-questions-persist-over-blackbaud-hit-a-14734
  • Some potential victims of PaperlessPay breach are first finding out about the breach now https://www.databreaches.net/some-potential-victims-of-paperlesspay-breach-are-first-finding-out-about-the-breach-now/
  • OkCupid: Hackers want your data, not a relationship https://www.zdnet.com/article/okcupid-hackers-want-your-data-not-a-relationship
  • NZ police terminate contract with Gravitas after breach https://www.databreaches.net/nz-police-terminate-contract-with-gravitas-after-breach/
  • Health records found at Fort Simpson dump may have been stolen https://www.databreaches.net/ca-health-records-found-at-fort-simpson-dump-may-have-been-stolen-report/
  • Appen - 5,888,405 breached accounts (June 2020) https://haveibeenpwned.com/PwnedWebsites#Appen
  • Scentbird - 5,814,988 breached accounts (June 2020) https://haveibeenpwned.com/PwnedWebsites#Scentbird
  • Vakinha - 4,775,203 breached accounts (June 2020) https://haveibeenpwned.com/PwnedWebsites#Vakinha
  • Swvl - 4,195,918 breached accounts (June 2020) https://haveibeenpwned.com/PwnedWebsites#Swvl
  • Drizly - 2,479,044 breached accounts (June 2020) https://haveibeenpwned.com/PwnedWebsites#Drizly
  • Havenly - 1,369,180 breached accounts (June 2020) https://haveibeenpwned.com/PwnedWebsites#Havenly
  • Kreditplus - 768,890 breached accounts (June 2020) https://haveibeenpwned.com/PwnedWebsites#Kreditplus
  • Chatbooks - 2,520,441 breached accounts (March 2020) https://haveibeenpwned.com/PwnedWebsites#Chatbooks
  • 집꾸미기 - 1,298,651 breached accounts (March 2020) https://haveibeenpwned.com/PwnedWebsites#DecoratingTheHouse
  • TrueFire - 599,667 breached accounts (Feb 2020) https://haveibeenpwned.com/PwnedWebsites#TrueFire
  • Dunzo - 3,465,259 breached accounts (June 2019) https://haveibeenpwned.com/PwnedWebsites#Dunzo
  • Hurb - 20,727,771 breached accounts (March 2019) https://haveibeenpwned.com/PwnedWebsites#Hurb
  • LifeLabs goes to court to block results of investigation into 2019 privacy breach https://www.cbc.ca/news/business/lifelabs-data-breach-1.5667618
  • Morgan Stanley Hit with Class Lawsuit Over Alleged Data Breaches https://www.databreaches.net/morgan-stanley-hit-with-class-lawsuit-over-alleged-data-breaches/
  • LifeSpan Health System Hit With $1 Million HIPAA Fine https://www.databreachtoday.com/lifespan-health-system-hit-1-million-hipaa-fine-a-14714
  • Lifespan Pays $1,040,000 to OCR to Settle Unencrypted Stolen Laptop Breach https://www.databreaches.net/lifespan-pays-1040000-to-ocr-to-settle-unencrypted-stolen-laptop-breach/
• IBM Security 2020 Cost of Data Breach Report Shows 10% Annual Increase in Healthcare Data Breach Costs https://www.databreaches.net/ibm-security-2020-cost-of-data-breach-report-shows-10-annual-increase-in-healthcare-data-breach-costs/
• Today’s ‘mega’ data breaches now cost companies $392 million to recover from https://www.zdnet.com/article/todays-mega-data-breaches-now-cost-companies-392-million-in-damages-lawsuits

Privacy

Articles about privacy related news, risks, and trends.

• COVID-19 Contact tracing:

  • Why I Installed the COVID Alert App (Canada) https://www.michaelgeist.ca/2020/08/why-i-installed-the-covid-alert-app/
  • Canada launches COVID-19 tracking app — but only in Ontario https://globalnews.ca/news/7239119/coronavirus-exposure-notification-app-covid-19-ontario/
  • Coronavirus: Ontario restaurants, bars now required to keep 30-day log of patrons https://globalnews.ca/news/7239474/ontario-restaurants-bars-patron-log/

• More Facial Recognition:

  • NIST Investigation of Face Masks’ Effect on Face Recognition Software https://www.nist.gov/news-events/news/2020/07/nist-launches-investigation-face-masks-effect-face-recognition-software
  • This Tool Could Protect Your Photos From Facial Recognition https://www.nytimes.com/2020/08/03/technology/fawkes-tool-protects-photos-from-facial-recognition.html
  • Rite Aid deployed facial recognition systems in hundreds of U.S. stores https://www.reuters.com/investigates/special-report/usa-riteaid-software/
• GDPR Two Years On: Compliance Lessons Learned https://www.databreachtoday.com/gdpr-two-years-on-compliance-lessons-learned-a-14726
• San Francisco Police Accessed Business District Camera Network to Spy on Protestors https://www.eff.org/deeplinks/2020/07/san-francisco-police-accessed-business-district-camera-network-spy-protestors
• How Cops Can Secretly Track Your Phone https://theintercept.com/2020/07/31/protests-surveillance-stingrays-dirtboxes-phone-tracking/
• Incognito Mode May Not Work the Way You Think It Does https://www.wired.com/story/incognito-mode-explainer
• Reply-All storm flares as email announcing privacy policy puts 500 addresses in the 'To' field, not 'BCC' https://www.theregister.com/2020/07/29/substack_privacy_fail/

Laws & Regulations / Standards

News about laws, regulations, and standards affecting security, privacy, technology, and public interest.

• Atlassian says encryption-busting law has damaged Australia's tech reputation https://www.zdnet.com/article/atlassian-says-encryption-busting-law-has-damaged-australias-tech-reputation/
• Encryption Under ‘Full-Frontal Nuclear Assault’ By U.S. Bills https://threatpost.com/encryption-under-full-frontal-nuclear-assault-by-u-s-bills/157748/
• Court Denies EFF, ACLU Effort to Unseal Ruling Rejecting DOJ Effort to Break Encryption https://www.eff.org/deeplinks/2020/07/court-denies-eff-aclu-effort-unseal-ruling-rejecting-doj-effort-break-encryption
• CitizenLab on Internet Governance https://citizenlab.ca/2020/07/internet-governance/
• EPIC to Congress: Reform Section 230 https://epic.org/2020/07/epic-to-congress-reform-sectio.html
• The PACT Act Is Not The Solution To The Problem Of Harmful Online Content https://www.eff.org/deeplinks/2020/07/pact-act-not-solution-problem-harmful-online-content
• Lawmakers Request FTC Privacy Investigation Into Adtech Industry https://epic.org/2020/07/lawmakers-request-ftc-privacy-.html
• What Really Does and Doesn’t Work for Fair Use in the DMCA https://www.eff.org/deeplinks/2020/07/what-really-does-and-doesnt-work-fair-use-dmca
• EFF and ACLU Tell Federal Court that Forensic Software Source Code Must Be Disclosed https://www.eff.org/deeplinks/2020/08/eff-and-aclu-tell-federal-court-forensic-software-source-code-must-be-disclosed

• The LawBytes Podcast, Episode 61: Senator James Cowan on the Extraordinary Battle for a Genetic Anti-Discrimination Law in Canada https://www.michaelgeist.ca/2020/07/lawbytes-podcast-episode-61/

  • NIST Open Field Message Bus (OpenFMB) Proof of Concept Implementation: NIST TN 2066 https://csrc.nist.gov/publications/detail/white-paper/2020/07/29/openfmb-proof-of-concept-implementation-research/final
• NIST National Initiative for Cybersecurity Education Newsletter - Summer 2020 https://content.govdelivery.com/accounts/USNIST/bulletins/2972ec3
• NIST (SP) 800-53B, Control Baselines for Information Systems and Organizations draft open for feedback until Sept 11 https://csrc.nist.gov/publications/detail/sp/800-53b/draft
• NIST(SP) 800-210, General Access Control Guidance for Cloud Systems https://csrc.nist.gov/publications/detail/sp/800-210/final
• BlackBerry Phone Cracked after 5 years https://www.schneier.com/blog/archives/2020/08/blackberry_phon.html
• Chinese and Russian hackers were just sanctioned by Europe for the first time https://www.technologyreview.com/2020/07/30/1005822/chinese-and-russian-hackers-were-just-sanctioned-by-europe-for-the-first-time/
• Google, Facebook May Have To Pay Australian News Publishers https://www.pymnts.com/news/regulation/2020/google-facebook-may-have-to-pay-australian-news-publishers/
• Grilled by Lawmakers, Big Tech Turns Up the Gaslight https://www.nytimes.com/2020/07/30/technology/big-tech-ceos.html
• The Tech Giants Are Dangerous, and Congress Knows It hhttps://www.theatlantic.com/ideas/archive/2020/07/tech-giants-are-dangerous-and-congress-knows-it/614740/
• Mark Zuckerberg told Congress that Facebook is not a monopoly. But in 2012, it boasted that it held '95% of all social media https://www.businessinsider.com/facebook-2012-95-percent-of-all-social-media-us-2020-7
• New Zealand to suspend extradition treaty with Hong Kong over national security law https://globalnews.ca/news/7224326/new-zealand-hong-kong-extradition/

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• The quest for quantum-proof encryption just made a leap forward https://www.technologyreview.com/2020/08/03/1005891/search-for-quantum-proof-encryption-computing-nist/
• Google Adds Security Updates to Chrome Autofill https://www.darkreading.com/application-security/google-adds-security-updates-to-chrome-autofill/d/d-id/1338499
• No More Ransom: How 4 Million Victims of Ransomware Have Fought Back Against Hackers https://www.databreaches.net/no-more-ransom-how-4-million-victims-of-ransomware-have-fought-back-against-hackers/
• Flu vaccine may reduce risk of Alzheimer’s disease https://scienmag.com/flu-vaccine-may-reduce-risk-of-alzheimers-disease-new-study-shows/
• Artificial intelligence identifies prostate cancer with near-perfect accuracy https://scienmag.com/artificial-intelligence-identifies-prostate-cancer-with-near-perfect-accuracy/
• YOU... SHA-1 NOT PASS! Microsoft removes hash https://www.theregister.com/2020/07/29/microsoft_windows_sha_1/
• 11 Security Tools to Expect at the Black Hat USA 2020 Arsenal Virtual Event https://www.darkreading.com/11-security-tools-to-expect-at-the-black-hat-usa-2020-arsenal-virtual-event/d/d-id/1338473

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• Survey of Supply Chain Attacks https://www.schneier.com/blog/archives/2020/07/survey_of_suppl.html
• Root Cause Analyses for 0-day In-the-Wild Exploits https://googleprojectzero.blogspot.com/2020/07/root-cause-analyses-for-0-day-in-wild.html
• Detection Deficit: A Year in Review of 0-days Used In-The-Wild in 2019 https://googleprojectzero.blogspot.com/2020/07/detection-deficit-year-in-review-of-0.html
• 'BootHole' attack impacts Windows and Linux systems using GRUB2 and Secure Boot https://www.zdnet.com/article/boothole-attack-impacts-windows-and-linux-systems-using-grub2-and-secure-boot
• Critical Security Flaw in WordPress Plugin Allows RCE https://threatpost.com/critical-rce-flaw-wordpress-plugin-on-70k-sites/157824/
• Critical Magento Flaws Allow Code Execution https://threatpost.com/critical-magento-flaws-code-execution/157840/
• Zoom Bug Allowed Snoopers Crack Private Meeting Passwords in Minutes https://thehackernews.com/2020/07/zoom-meeting-password-hacking.html
• Critical Bugs in Utilities VPNs Could Cause Physical Damage https://threatpost.com/critical-bugs-utilities-vpns-physical-damage/157835/
• Intermediate certificates with OCSP capability cause trouble (Bulletproof TLS Newsletter Issue #67) https://www.feistyduck.com/bulletproof-tls-newsletter/issue_67_intermediate_certificates_with_ocsp_capability_cause_trouble
• Oh cool, more Cisco patches to apply. Happy Monday https://www.theregister.com/2020/08/03/roundup_security_july_31/
• Burn baby burn, plastic inferno! Infosec researchers turn 3D printers into self-immolating suicide machines https://www.theregister.com/2020/07/31/3d_printer_fire_firmware_hacks/
• Multiple Tor security issues disclosed, more to come https://www.zdnet.com/article/multiple-tor-security-issues-disclosed-more-to-come
• New Attack Leverages HTTP/2 for Effective Remote Timing Side-Channel Leaks https://thehackernews.com/2020/07/http2-timing-side-channel-attacks.html
• No wonder Brit universities report hacks so often: Half of staff have had zero infosec training https://www.theregister.com/2020/07/29/half_uk_uni_staff_no_infosec_training/
• U.S. Election Administrators Failed to Implement Phishing Protections https://www.securityweek.com/us-election-administrators-failed-implement-phishing-protections-study
• Netgear Won’t Patch 45 Router Models Vulnerable to Serious Flaw https://threatpost.com/netgear-wont-patch-45-router-models-vulnerable-to-serious-flaw/157977/

Hacking / Malware / Cybercrime / Exploitation

News covering active trends and events.

• FBI sees Rise in Online Shopping Scams https://www.ic3.gov/media/2020/200803.aspx
• FBI warns US companies on the use of Chinese Tax Software https://securityaffairs.co/wordpress/106444/intelligence/china-tax-software.html
• FBI Releases Flash Alert on Netwalker Ransomware https://www.tripwire.com/state-of-security/security-data-protection/fbi-releases-flash-alert-on-netwalker-ransomware/
• FBI warns of new DDoS attack vectors: CoAP, WS-DD, ARMS, and Jenkins https://www.zdnet.com/article/fbi-warns-of-new-ddos-attack-vectors-coap-ws-dd-arms-and-jenkins
• CISA Says Hackers Exploited BIG-IP Vulnerability in Attacks on U.S. Government https://www.securityweek.com/cisa-says-hackers-exploited-big-ip-vulnerability-attacks-us-government
• CISA says 62,000 QNAP NAS devices have been infected with the QSnatch malware https://www.zdnet.com/article/cisa-says-62000-qnap-nas-devices-have-been-infected-with-the-qsnatch-malware/
• An Attacker's IoT Paradise: Billions of Insecure Devices https://www.databreachtoday.com/blogs/attackers-iot-paradise-billions-insecure-devices-p-2922
• Undetectable Linux Malware Targeting Docker Servers With Exposed APIs https://thehackernews.com/2020/07/docker-linux-malware.html
• This is what a deepfake voice clone used in a failed fraud attempt sounds like https://www.theverge.com/2020/7/27/21339898/deepfake-audio-voice-clone-scam-attempt-nisos
• Cerberus banking Trojan team breaks up, source code goes to auction https://www.zdnet.com/article/cerberus-banking-trojan-team-breaks-up-source-code-goes-to-auction
• GandCrab ransomware operator arrested in Belarus https://www.databreaches.net/gandcrab-ransomware-operator-arrested-in-belarus/
• Author of FastPOS malware revealed, pleads guilty https://www.zdnet.com/article/author-of-fastpos-malware-revealed-pleads-guilty/

Other Security / Risk

Articles covering other types of risks.

• COVID-19 Other risks and impact:

  • Banks reveal the 10 coronavirus scams to be wary of https://www.bbc.co.uk/news/business-53573408
  • Business ID Theft Soars Amid COVID Closures https://krebsonsecurity.com/2020/07/business-id-theft-soars-amid-covid-closures/
  • U.S. likely to report record-breaking economic plunge amid coronavirus pandemic https://globalnews.ca/news/7234057/coronavirus-u-s-economy-historic-plunge/
  • Effects of coronavirus pandemic will be felt for decades https://globalnews.ca/news/7239728/coronavirus-world-health-organization/
• Events-based Controls https://citizenlab.ca/2020/07/events-based-controls/
• Toronto is emerging as a tech superpower as immigrants choose Canada over the US https://www.businessinsider.com/toronto-canada-tech-hub-immigrants-h1b-visa-2020-7
• Hackers broke into real news sites to plant fake stories https://arstechnica.com/information-technology/2020/07/hackers-broke-into-real-news-sites-to-plant-fake-stories/ and https://www.schneier.com/blog/archives/2020/07/fake_stories_in.html
• Russia-aligned hackers running anti-Nato fake news campaign https://www.theguardian.com/technology/2020/jul/30/russia-aligned-hackers-running-anti-nato-fake-news-campaign-report-poland-lithuania
• 'Ghostwriter' – Widespread Disinformation Campaign Associated with Russia https://www.securityweek.com/ghostwriter-widespread-disinformation-campaign-associated-russia
• India has banned 47 more Chinese apps including a TikTok clone and is eyeing hundreds more https://www.businessinsider.com/india-bans-47-more-chinese-apps-2020-7
• US provides new expanded set of espionage charges against former Twitter employees https://www.databreaches.net/us-provides-new-expanded-set-of-espionage-charges-against-former-twitter-employees/
• Chinese agent exploited LinkedIn's 'relentless' algorithm to find contacts, gather intelligence https://www.businessinsider.com/chinese-agent-exploited-linkedins-relentless-algorithm-2020-7
• Chinese ambassador to UK threatens to withdraw Huawei, £3bn investment https://www.theregister.com/2020/07/29/chinese_ambassador_uk_threats_over_huawei/
• Service that uses AI to identify gender based on names looks incredibly biased https://www.theverge.com/2020/7/29/21346310/ai-service-gender-verification-identification-genderify
• GPT-3: an AI game-changer or an environmental disaster? https://www.theguardian.com/commentisfree/2020/aug/01/gpt-3-an-ai-game-changer-or-an-environmental-disaster
• GDP Is the Wrong Tool for Measuring What Matters https://www.scientificamerican.com/article/gdp-is-the-wrong-tool-for-measuring-what-matters/
• Mysterious Chinese Seed Packets Are Showing Up All Over The US https://www.sciencealert.com/mysterious-chinese-seed-packets-are-showing-up-all-over-the-us
• First Meta-Analysis Confirms Link Between Lithium in Drinking Water And Suicide Rates https://www.sciencealert.com/first-meta-review-of-its-kind-confirms-link-between-lithium-in-drinking-water-and-suicide-rates
• How To Get A Cybersecurity Job During The Pandemic https://medium.com/@paxterrarum/how-to-get-a-cybersecurity-job-during-the-pandemic-e2a5a399a4c4

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• Nano-sponges of solid acid transform carbon dioxide to fuel and plastic waste to chemicals https://scienmag.com/nano-sponges-of-solid-acid-transform-carbon-dioxide-to-fuel-and-plastic-waste-to-chemicals/
• 1,000-Year-Old Onion And Garlic Remedy Kills Antibiotic-Resistant Biofilms https://www.sciencealert.com/a-1-000-year-old-recipe-for-eye-infections-could-make-a-comeback-as-a-modern-antiseptic
• ‘Fool’s gold’ may be valuable after all https://scienmag.com/research-brief-fools-gold-may-be-valuable-after-all/
• Reducing the carbon footprint of concrete production https://scienmag.com/reducing-the-carbon-footprint-of-concrete-production/
• First SpaceX crewed mission lands safely https://www.bbc.co.uk/news/science-environment-53631866
• Virgin Galactic releases renders of proposed supersonic jet that can reach Mach 3 https://www.theverge.com/2020/8/3/21352390/virgin-galactic-supersonic-aircraft-mach-3-rolls-royce
• Which AI-generated personality quiz are you? https://aiweirdness.com/post/625169439532482560/which-ai-generated-personality-quiz-are-you
• Scientists Detect Giant 'Megaripple' Structures Moving Across Mars https://www.sciencealert.com/giant-megaripple-structures-on-mars-are-actually-moving-scientists-discover
• Perseverance Rover Rumbles Off the Launchpad to Mars https://www.universetoday.com/147261/perseverance-rover-rumbles-off-the-launchpad-to-mars/
• The nearby supernova no one saw https://www.syfy.com/syfywire/the-nearby-supernova-no-one-saw
• Earth's asteroid impact rate took a sudden jump 290 million years ago https://www.syfy.com/syfywire/earths-asteroid-impact-rate-took-a-sudden-jump-290-million-years-ago