This Week's [in]Security - Issue 195 | insecurity | Control Gap

Welcome to This Week’s [in]Security. SolarWinds. Carders Shut. New breaches. New Ransomware. Contact tracing. Facial Recognition. NIST. APIs. Signal. Zero Days. DNS Poison. Quantum. Trends. Arrests, etc. Baloney Detection. Cheating. Deepfakes. Neurotech. Health, Safety & Environment. Covid-19: Spread, Curves, Spikes, Waves, & reinfections. Vaccine Updates. And more.

Trending news

The SolarWinds Nation State Supply Chain Hack variously called Solar-Gate, Solorigate, (and yes even Breaking-Wind) dominates the headlines and has organizations scrambling to see just how bad it was. This is a major event and fast moving story with far reaching implications.

• What Happened during week 2:

• Who's Affected:

  • Big tech companies including Intel, Nvidia, and Cisco were all infected during the SolarWinds hack https://www.theverge.com/2020/12/21/22194183/intel-nvidia-cisco-government-infected-solarwinds-hack
  • SolarWinds Hack Infected Critical Infrastructure, Including Power Industry https://theintercept.com/2020/12/24/solarwinds-hack-power-infrastructure/
  • Millions of Devices Affected by Vulnerabilities Used in Stolen FireEye Tools https://www.securityweek.com/millions-devices-affected-vulnerabilities-used-stolen-fireeye-tools

• How and What Happened:

  • A New SolarWinds Flaw Likely Had Let Hackers Install SUPERNOVA Malware https://thehackernews.com/2020/12/a-new-solarwinds-flaw-likely-had-let.html

• Mitigations and Reaction:

  • Breached SolarWinds issues urgent security fix https://www.bbc.co.uk/news/technology-55442732
  • CSE warns companies to check IT systems following SolarWinds hack https://www.cbc.ca/news/politics/cse-solarwinds-warning-1.5854614
  • CISA Warns SolarWinds Incident Response May Be Substantial https://www.databreachtoday.com/cisa-warns-solarwinds-incident-response-may-be-substantial-a-15661
  • Ex-NSA Director: SolarWinds Breach Is 'A Call for Action' https://www.databreachtoday.com/ex-nsa-director-solarwinds-breach-a-call-for-action-a-15655
  • Analysis: Supply Chain Management After SolarWinds Hack https://www.databreachtoday.com/interviews/analysis-supply-chain-management-after-solarwinds-hack-i-4814
  • The SolarWinds Breach Reinforces Why Boards And Audit Committees Need More Tech Expertise https://www.forbes.com/sites/noahbarsky/2020/12/26/solarwinds-cybersecurity-breach-reinforces-board-technology-needs/

PCI Compliance and Payments

News and announcements relating to Payment Security, PCI, Card Brands, Payments, Payment Malware and Fraud.

• Law Enforcement Seizes Joker's Stash — Stolen Credit Card Marketplace https://thehackernews.com/2020/12/law-enforcement-seizes-jokers-stash.html
• Will Retailers Need a POS Terminal After Covid? https://www.entrepreneur.com/article/361191

Breaches / Ransomware / Leaks

Covering breaches, leaks, data exposures, ransomware (as potential breach), and their fallout.

• New Breaches:

  • Russian hackers compromised Microsoft's cloud customers through a third party, putting email and other data at risk https://www.washingtonpost.com/national-security/russia-hack-microsoft-cloud/2020/12/24/dbfaa9c6-4590-11eb-975c-d17b8815a66d_story.html, and https://www.theglobeandmail.com/world/article-suspected-russian-hackers-used-microsoft-vendors-to-breach-customers/
  • Data breach hits 30,000 signed up to workplace pensions provider https://www.theguardian.com/technology/2020/dec/23/data-breach-hits-30000-signed-up-to-workplace-pensions-provider
  • RU: Freedom Finance admits data leak of 16,000 clients https://www.databreaches.net/ru-freedom-finance-admits-data-leak-of-16000-clients/
  • Hackers threaten to leak plastic surgery pictures https://www.bbc.co.uk/news/technology-55439190
  • Misconfigured AWS Bucket Exposes Hundreds of Social Influencers https://www.databreaches.net/misconfigured-aws-bucket-exposes-hundreds-of-social-influencers/
  • Hacked Ledger Database Dumped On Raidforums https://www.databreaches.net/hacked-ledger-database-dumped-on-raidforums/

• New Ransomware and "Incidents":

  • NL: Cyber ​​attack hits IP telephony supplier Innovaphone https://www.databreaches.net/nl-cyber-%e2%80%8b%e2%80%8battack-hits-ip-telephony-supplier-innovaphone/
  • Vermont Hospital Says Cyberattack Was Ransomware https://www.securityweek.com/vermont-hospital-says-cyberattack-was-ransomware
  • NetGalley breach: Publishing industry website forces password reset following ‘security incident’ https://www.databreaches.net/netgalley-breach-publishing-industry-website-forces-password-reset-following-security-incident/
  • FL: Agency for Community Treatment Services, Inc. Notification of Ransomware Attack https://www.databreaches.net/fl-agency-for-community-treatment-services-inc-notification-of-ransomware-attack/

• Follow-ups and fall-out:

  • What was just a hope a few years ago, is now a reality: more coordinated state AG actions investigating breaches https://www.databreaches.net/what-was-just-a-hope-a-few-years-ago-is-now-a-reality-more-coordinated-state-ag-actions-investigating-breaches/

Privacy

Articles about privacy related news, risks, and trends.

• COVID-19 Contact tracing:

  • FAQ: An Analysis of Indonesia and the Philippines’ Government-launched COVID-19 Apps https://citizenlab.ca/2020/12/faq-an-analysis-of-indonesia-and-the-philippines-government-launched-covid-19-apps/

• Facial Recognition:

  • EPIC Urges CBP to Halt Use of Facial Recognition for Biometric Entry/Exit https://epic.org/2020/12/epic-urges-cbp-to-halt-use-of-.html

Laws, Regulations, Standards, and Public Policy

News about laws, regulations, and standards affecting security, privacy, technology, and public interest.

• US:

  • New York Enacts Law Suspending Use of Facial Recognition in Schools https://epic.org/2020/12/new-york-enacts-law-suspending.html
  • The CASE Act Is Just the Beginning of the Next Copyright Battle https://www.eff.org/deeplinks/2020/12/case-act-hidden-coronavirus-relief-bill-just-beginning-next-copyright-battle

• New NIST:

  • Securing Picture Archiving and Communication System (PACS)—Cybersecurity for the Healthcare Sector: NIST SP 1800-24 https://csrc.nist.gov/publications/detail/sp/1800-24/final

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• Cryptographic competitions https://eprint.iacr.org/2020/1608
• A New Improved AES S-box With Enhanced Properties https://eprint.iacr.org/2020/1597
• Third-Party APIs: How to Prevent Enumeration Attacks https://threatpost.com/third-party-apis-enumeration-attacks/162589/
• No, Signal – the world’s most encrypted app – was not hacked by Israeli firm Cellebrite https://www.haaretz.com/israel-news/tech-news/.premium-no-signal-the-world-s-most-encrypted-app-was-not-hacked-by-israeli-firm-cellebr-1.9398118
• Signal: Cellebrite claimed to have cracked chat app's encryption https://www.bbc.com/news/technology-55412230

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• Zero-Days:

  • Windows Zero-Day Still Circulating After Faulty Fix https://threatpost.com/windows-zero-day-circulating-faulty-fix/162610/
  • Google Discloses Poorly-Patched, Now Unpatched, Windows 0-Day Bug https://thehackernews.com/2020/12/google-discloses-poorly-patched-now.html
• Cross-layer attacks: New hacking technique raises DNS cache poisoning, user tracking risk https://portswigger.net/daily-swig/cross-layer-attacks-new-hacking-technique-raises-dns-cache-poisoning-user-tracking-risk
• Attack Beyond-Birthday-Bound MACs in Quantum Setting https://eprint.iacr.org/2020/1595

Hacking / Malware / Cybercrime / Exploitation

News covering active trends, alerts, events.

• Trends, Alerts, and Events (other than SolarWinds):

  • Microsoft Warns CrowdStrike of Hackers Targeting Azure Cloud Customers https://thehackernews.com/2020/12/microsoft-warns-crowdstrike-of-hackers.html
  • As SolarWinds takes the headlines, DOE secretary issues new order against China to protect U.S. power supply in digital age https://energycentral.com/c/iu/solarwinds-takes-headlines-doe-secretary-issues-new-order-against-china-protect
  • Up to 3 million devices infected by malware-laced Chrome and Edge add-ons https://arstechnica.com/information-technology/2020/12/up-to-3-million-devices-infected-by-malware-laced-chrome-and-edge-add-ons/
  • Russian crypto-exchange Livecoin hacked after it lost control of its servers https://www.zdnet.com/article/russian-crypto-exchange-livecoin-hacked-after-it-lost-control-of-its-servers
  • Malicious Word Document Delivering an Octopus Backdoor https://isc.sans.edu/diary/rss/26918

• Crime:

  • Police Arrest 21 WeLeakInfo Customers Who Bought Breached Personal Data https://thehackernews.com/2020/12/police-arrest-21-weleakinfo-customers.html
  • DOJ Seizes Fake Domains Impersonating Moderna, Regeneron https://www.databreachtoday.com/doj-seizes-fake-domains-impersonating-moderna-regeneron-a-15638
  • Police Dismantle Cybercrime 'Bulletproof Hosting Service' https://www.databreachtoday.com/police-dismantle-cybercrime-bulletproof-hosting-service-a-15650

Other Security / Risk

Articles covering other types of risks.

• Carl Sagan's "Baloney Detection Kit": A Toolkit That Can Help You Scientifically Separate Sense from Nonsense https://www.openculture.com/2018/03/carl-sagans-baloney-detection-kit.html
• 2 Delta passengers open the door of a moving plane and slide out (with a dog) at LaGuardia Airport https://www.cnn.com/2020/12/21/us/la-guardia-delta-flight-passengers-exit/index.html
• Large explosion occurs at steel plant in Hamilton, Ont. https://toronto.ctvnews.ca/large-explosion-occurs-at-steel-plant-in-hamilton-ont-1.5245099
• Cheating a 'free-for-all' at virtual high schools, teachers say https://www.ctvnews.ca/canada/cheating-a-free-for-all-at-virtual-high-schools-teachers-say-1.5245949
• ExamSoft Flags One-Third of California Bar Exam Test Takers for Cheating https://www.eff.org/deeplinks/2020/12/examsoft-flags-one-third-california-bar-exam-test-takers-cheating
• Bitcoin rival Ripple XRP crashes spectacularly amid legal battle https://www.independent.co.uk/life-style/gadgets-and-tech/ripple-xrp-price-sec-bitcoin-b1778581.html
• Queen Elizabeth’s deepfake Christmas message a ‘stark warning’ https://globalnews.ca/news/7540882/queen-elizabeth-deepfake-christmas-message/
• The family with no fingerprints https://www.bbc.co.uk/news/world-asia-55301200
• The Ethical Challenges of Connecting Our Brains to Computers https://www.scientificamerican.com/article/the-ethical-challenges-of-connecting-our-brains-to-computers/

• Health, Safety & Environment:

  • The Most Common Pain Relief Drug in The World Has Been Linked to Risk-Taking Behaviour https://www.sciencealert.com/the-most-common-pain-relief-drug-in-the-world-has-been-linked-to-risk-taking-behaviour
  • The Caspian Sea is dying https://www.sciencealert.com/climate-change-is-making-most-seas-rise-but-it-s-shrinking-this-one

COVID-19 updates.

COVID related articles. We have been following coronavirus risks since https://controlgap.com/blog/this-weeks-insecurity-issue-147.

• The spread, curves, spikes, waves, and reinfection:

  • Another, More Infectious Coronavirus Variant Has Arrived in The UK From South Africa https://www.sciencealert.com/another-coronavirus-variant-found-in-the-uk-could-be-more-infectious-than-the-first
  • Another new coronavirus variant appears to emerge in Nigeria https://globalnews.ca/news/7540767/coronavirus-new-variant-nigeria/
  • Canada adds over 6,800 COVID-19 cases on Christmas Eve as provinces post record infections https://globalnews.ca/news/7542022/coronavirus-canada-update-dec-24/
  • Ontario confirms Canada’s 1st known cases of U.K. coronavirus variant https://globalnews.ca/news/7542830/ontario-canada-first-cases-uk-coronavirus-variant/
  • 39 dead amid COVID-19 outbreak at Scarborough long-term care home https://globalnews.ca/news/7543341/tendercare-living-centre-coronavirus-outbreak/
  • Quebec reports 6,783 new cases of COVID-19 over 3-day holiday weekend https://globalnews.ca/news/7543402/quebec-coronavirus-update-holiday-weekend-2020/
  • Ontario records more than 2,000 new COVID-19 cases, 18 additional deaths https://toronto.ctvnews.ca/ontario-records-more-than-2-000-new-covid-19-cases-18-additional-deaths-1.5245802
  • Alberta reports 2,100 total COVID-19 cases on Christmas Eve and Christmas Day https://globalnews.ca/news/7542679/alberta-covid-19-update-saturday-december-26-2020/
  • Canada could see ‘grotesque’ spike in coronavirus cases after holidays https://globalnews.ca/news/7540186/canada-coronavirus-christmas-spike/
  • Workers at a lab that processes 50,000 coronavirus tests a day have been hit by their own COVID-19 outbreak https://www.businessinsider.com/uks-biggest-coronavirus-testing-lab-hit-by-covid-19-outbreak-2020-12

• Guidance, Response and Recovery:

  • What the data say about border closures and COVID spread https://www.nature.com/articles/d41586-020-03605-6
  • US requires negative coronavirus test from UK travelers https://www.theverge.com/2020/12/25/22199682/covid-test-uk-travelers-us-cdc-virus-mutation
  • COVID-19 pandemic doesn’t stop Calgary shoppers on Boxing Day https://globalnews.ca/news/7542815/calgary-boxing-day-shopping-covid-19/
  • Crowds pack Lower Mainland ski hills amid COVID-19 restrictions https://globalnews.ca/news/7541352/lower-mainland-ski-hill-covid/
  • Hiding Covid-19: How the Trump Administration Suppresses Photography of the Pandemic https://theintercept.com/2020/12/27/covid-photography-hospitals/
  • ‘People are being shown no mercy’: Online evictions raise alarm in Ontario https://globalnews.ca/news/7542579/online-coronavirus-evictions-ontario/
  • How COVID Changed Content Moderation: Year in Review 2020 https://www.eff.org/deeplinks/2020/12/how-covid-changed-content-moderation-year-review-2019

• Treatments, Testing, Triage, Trials, and things we Learned:

  • The U.K. Coronavirus Mutation Is Worrying but Not Terrifying https://www.scientificamerican.com/article/the-u-k-coronavirus-mutation-is-worrying-but-not-terrifying/
  • Fresh air 'forgotten weapon' in fight https://www.bbc.co.uk/news/health-55435914
  • What's Your Risk of Catching COVID? These Tools Help You Find Out https://www.scientificamerican.com/article/whats-your-risk-of-catching-covid-these-tools-help-you-find-out/
  • Post-exposure antibody protection trialled https://www.bbc.co.uk/news/health-55438758
  • Are two phases of quarantine better than one? https://scienmag.com/are-two-phases-of-quarantine-better-than-one/

• Vaccine Updates:

  • My Emergency Room Is Full of Patients No Vaccine Can Help https://www.theatlantic.com/ideas/archive/2020/12/coronavirus-vaccines-wont-save-usyet/617492/
  • First Moderna vaccine doses arrive in Canada https://www.ctvnews.ca/health/coronavirus/first-moderna-vaccine-doses-arrive-in-canada-1.5244535
  • Should provinces reserve COVID-19 vaccine 2nd doses or administer them all right away? https://globalnews.ca/news/7541668/provinces-coronavirus-vaccine-doses/
  • Canada has approved 2 coronavirus vaccines. How are other candidates progressing? https://globalnews.ca/news/7540636/canada-coronavirus-vaccines-list-update/
  • AstraZeneca's vaccine is expected to work on new COVID-19 strains https://www.businessinsider.com/astrazeneca-vaccine-seen-working-for-new-covid-19-strains-2020-12
  • Over 1 million Americans receive coronavirus vaccine as millions more doses sit on ice https://globalnews.ca/news/7540743/us-coronavirus-vaccine-doses-million/
  • EU countries begin mass vaccination https://www.bbc.co.uk/news/world-55456189
  • Irish government authorises Pfizer-BioNTech vaccine https://www.bbc.co.uk/news/world-europe-55440223
  • ‘Everyone is scared’: Nations face COVID-19 vaccine challenges amid wars, instability https://globalnews.ca/news/7543404/coronavirus-vaccine-poor-nations-war-instability/
  • NY health network faces criminal investigation over unauthorized COVID-19 vaccine distribution https://www.capebretonpost.com/news/world/ny-health-network-faces-criminal-investigation-over-unauthorized-covid-19-vaccine-535035/

• Masks, anti-maskers, distancing, compliance, and repercussions:

  • Dozens of airline passengers in Canada hit with fines, warning letters for refusing to wear a mask https://www.cbc.ca/news/politics/airline-passengers-masks-fines-covid-1.5850825

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• Researchers Find a Way to Pull Carbon Out of The Air And Turn It Into Jet Fuel https://www.sciencealert.com/researchers-find-way-to-pull-carbon-out-of-the-air-and-make-it-jet-fuel
• Rotating Sails Help to Revive Wind-Powered Shipping https://www.scientificamerican.com/article/rotating-sails-help-to-revive-wind-powered-shipping/
• The Strange, Enduring History of Fruitcake https://www.mentalfloss.com/article/639236/fruitcake-holiday-food-history
• Uses for a flamethrower in a winter climate https://www.ctvnews.ca/lifestyle/watch-this-kentucky-man-uses-a-flamethrower-to-clear-snow-off-his-driveway-1.5245899
• Derided in the West, spam is so beloved in Asia that one company has invented a meat-free version of it https://www.cnn.com/2020/12/26/asia/spam-asia-cuisine-omnifoods-dst-intl-hnk/index.html
• 'Super recogniser' policeman spots 2,000 suspects https://www.bbc.co.uk/news/uk-england-birmingham-55458847
• Octopus punches fish in the head (just because it can) https://www.livescience.com/octopuses-punch-fish.html
• Could Floating Cities Be a Haven as Coastlines Submerge? https://www.scientificamerican.com/article/could-floating-cities-be-a-haven-as-coastlines-submerge/
• NASA’s Mars 2020 Perseverance Rover Landing 7 Minutes of Hell Animation https://www.youtube.com/watch?v=rzmd7RouGrM
• If a Planet Has a Lot of Methane in its Atmosphere, Life is the Most Likely Cause https://www.universetoday.com/149351/if-a-planet-has-a-lot-of-methane-in-its-atmosphere-life-is-the-most-likely-cause/
• CERN Discovers Another Clue to The Mystery of The Universe's Missing Antimatter https://www.sciencealert.com/cern-discovers-another-clue-to-the-mystery-of-the-universe-s-missing-antimatter