This Week's [in]Security - Issue 291

Welcome to This Week’s [in]Security.PCI updates P2PE program, See Tickets 2+ year card breach. Canada - Cashless & Surcharge backlash. New breaches: Amazon, Bed Bath & Beyond, Twillo. New Ransomware: NY Post, Poland & Slovakia. DDoS, Follow-ups. Privacy: age verification, smart toys. Laws & Regs - Canada: Cyber-law, Online News. US: PA breach notifications. World: Australia, India. Defense - Newsletters. Tools & Techniques: Bucket Scanner, Microsoft, PayPal. Vulnerabilities - Advisories: CISA. Patching: Chrome, AnyConnect. Significant: Roundup, VMware, Open SSL. Research & cryptography: Randomness, RC4. Cybercrime - active campaigns, crimes & enforcement, nation states and mercenaries. Other Risks - Child ID fraud, Cloud TCO. Health, Safety, Environment, Russia v. Ukraine. And more.

PCI Compliance and Payments

News and announcements relating to Payment Security, PCI, Card Brands, Payments, Payment Malware and Fraud, and Payment Related Compliance.

• PCI Updates P2PE Program after PA-DSS sunset:
• P2PE Qualification Requirements https://docs-prv.pcisecuritystandards.org/Programs%20and%20Certification/Point%20to%20Point%20Encryption%20Assessors/P2PE_Qualification_%20Requirements%20_v3.1.pdf
• Appendix A: P2PE Assessor Addendum https://docs-prv.pcisecuritystandards.org/Programs%20and%20Certification/Point%20to%20Point%20Encryption%20Assessors/P2PE_Appendix_A_Assesor_Addendum_v3.1.docx
• Appendix B: P2PE Assessor Company - Application https://docs-prv.pcisecuritystandards.org/Programs%20and%20Certification/Point%20to%20Point%20Encryption%20Assessors/P2PE_Appendix_B_Company_v3.1.docx
• Appendix C: P2PE Assessor Employee - Application https://docs-prv.pcisecuritystandards.org/Programs%20and%20Certification/Point%20to%20Point%20Encryption%20Assessors/P2PE_Appendix_C_Employee_3.1.docx
• Payment skimmers/malware/fraud:
• See Tickets discloses 2.5 years-long credit card theft breach https://www.bleepingcomputer.com/news/security/see-tickets-discloses-25-years-long-credit-card-theft-breach/
• Other payment related:
• Cashless Canada: Why Canadians are leaders in the cashless trend https://globalnews.ca/news/9233528/cashless-canada-digital-future/
• The ugliness of credit card surcharges:
• Toronto restaurant getting bombed with one-star reviews for credit card surcharges https://www.blogto.com/eat_drink/2022/10/samosa-sweet-factory-toronto-credit/

Breaches / Ransomware / Leaks

Covering breaches, leaks, data exposures, ransomware (as potential breach), and their fallout.

• New Breaches:
• Amazon accidentally exposed an internal server packed with Prime Video viewing habits https://www.databreaches.net/amazon-accidentally-exposed-an-internal-server-packed-with-prime-video-viewing-habits/
• Bed Bath & Beyond reviewing possible data breach https://www.databreaches.net/bed-bath-beyond-reviewing-possible-data-breach/
• Twilio discloses another hack from June, blames voice phishing https://www.bleepingcomputer.com/news/security/twilio-discloses-another-hack-from-june-blames-voice-phishing/
• Iran's atomic energy agency hacked as protests persist https://globalnews.ca/news/9220211/iran-atomic-energy-agency-hack/
• Hive claims ransomware attack on Tata Power, begins leaking data https://www.databreaches.net/hive-claims-ransomware-attack-on-tata-power-begins-leaking-data/
• Notice: Multi-Color Corporation Statement on Data Security Incident https://www.darkreading.com/attacks-breaches/notice-multi-color-corporation-statement-on-data-security-incident
• Australian Health Insurer Medibank Suffers Breach Exposing 3.9 Million Customers' Data https://thehackernews.com/2022/10/australian-health-insurer-medibank.html
• Australian Clinical Labs says data of 223,000 people hacked https://www.databreaches.net/australian-clinical-labs-says-data-of-223000-people-hacked/
• NY: Fulton data breach compromised personal data of thousands https://www.databreaches.net/ny-fulton-data-breach-compromised-personal-data-of-thousands/
• New Ransomware and "Incidents":
• New York Post hacked with offensive headlines targeting politicians https://www.bleepingcomputer.com/news/security/new-york-post-hacked-with-offensive-headlines-targeting-politicians/
• Slovak, Polish Parliaments Hit by Cyberattacks https://www.securityweek.com/slovak-polish-parliaments-hit-cyberattacks
• Pendragon car dealer refuses $60 million LockBit ransomware demand https://www.bleepingcomputer.com/news/security/pendragon-car-dealer-refuses-60-million-lockbit-ransomware-demand/
• Major outages/downs:
• Fodcha DDoS botnet reaches 1Tbps in power, injects ransoms in packets https://www.bleepingcomputer.com/news/security/fodcha-ddos-botnet-reaches-1tbps-in-power-injects-ransoms-in-packets/
• Meet the Windows servers that have been fueling massive DDoSes for months https://arstechnica.com/information-technology/2022/10/researchers-id-12k-microsoft-servers-that-are-a-ddosers-best-friend/
• Follow-ups and fall-out:
• Paying off hackers is common, says top Australian govt cybersecurity firm https://www.databreaches.net/paying-off-hackers-is-common-says-top-australian-govt-cybersecurity-firm/
• Doomworld - 34,478 breached accounts https://haveibeenpwned.com/PwnedWebsites#Doomworld
• E-Pal - 108,887 breached accounts https://haveibeenpwned.com/PwnedWebsites#EPal

Privacy

Articles about privacy related news, risks, and trends.

• Online age-verification system could create ‘honeypot' of personal data and pornography-viewing habits, privacy groups warn https://www.theguardian.com/technology/2022/oct/31/online-age-verification-system-could-create-honeypot-of-personal-data-and-pornography-viewing-habits-privacy-groups-warn
• Watching from the cot: are smart toys and baby products worth it for parents? https://www.theguardian.com/lifeandstyle/2022/oct/31/watching-from-the-cot-are-smart-toys-and-baby-products-worth-it-for-parents

Laws, Regulations, Platforms, Standards, and Public Policy

News about laws, regulations, platform rules, and standards affecting security, privacy, technology, and public interest.

• Canada:
• The Law Bytes Podcast, Episode 143: Canada's Information Commissioner Caroline Maynard on Why Government Needs a Culture of Providing Information Instead of Hiding It https://www.michaelgeist.ca/2022/10/law-bytes-podcast-episode-143/
• Cybersecurity bill a 'bad law' with secrecy powers that must be amended, research report warns https://nationalpost.com/news/canada/liberal-cybersecurity-bill-a-bad-law-that-must-be-amended-research-report-warns/wcm/9c218aaa-bc0c-4edf-9986-a178afa2d441/
• Canadian Heritage Minister Pablo Rodriguez's Credibility Problem, Part One: The Laith Marouf/CMAC Issue https://www.michaelgeist.ca/2022/10/canadian-heritage-minister-pablo-rodriguezs-credibility-problem-part-one/
• Canadian Heritage Minister Pablo Rodriguez's Credibility Problem, Part Two: Misleading and Missing Data on Bill C-18 https://www.michaelgeist.ca/2022/10/canadian-heritage-minister-pablo-rodriguezs-credibility-problem-part-two/
• Making Sense of the Indifference to Bill C-18's Cutting Out Small Media Outlets While Giving Hundreds of Millions to Bell, Rogers and the CBC https://www.michaelgeist.ca/2022/10/what-if-bill-c-18s-cutting-out-small-media-outlets-while-giving-hundreds-of-millions-to-bell-rogers-and-the-cbc-is-a-feature-and-not-a-bug/
• Facebook warns it could block news in Canada over proposed legislation https://www.theverge.com/2022/10/23/23418928/facebook-warns-block-news-canada-legislation-meta
• US:
• PA: Data breach notification legislation heads to Gov. Wolf https://www.databreaches.net/pa-data-breach-notification-legislation-heads-to-gov-wolf/
• Blockchain Association Seeks to Intervene in SEC Lawsuit Against Ripple https://www.pymnts.com/blockchain/2022/blockchain-association-seeks-to-intervene-in-sec-lawsuit-against-ripple/
• World:
• Australia Increases Fines for Massive Data Breaches https://www.schneier.com/blog/archives/2022/10/australia-increases-fines-for-massive-data-breaches.html
• Indian government creates body with power to order social media content takedowns https://www.theregister.com/2022/10/30/asia_in_brief/

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• National Initiative for Cybersecurity Education Fall 2022 Newsletter https://content.govdelivery.com/accounts/USNIST/bulletins/33489ac
• Methods, Techniques, Tools, and Products:
• New open-source tool scans public AWS S3 buckets for secrets https://www.bleepingcomputer.com/news/security/new-open-source-tool-scans-public-aws-s3-buckets-for-secrets/
• How to prevent lateral movement attacks using Microsoft 365 Defender https://www.microsoft.com/en-us/security/blog/2022/10/26/how-to-prevent-lateral-movement-attacks-using-microsoft-365-defender/
• Secure your endpoints with Transparity and Microsoft https://www.microsoft.com/en-us/security/blog/2022/10/24/secure-your-endpoints-with-transparity-and-microsoft/
• PayPal: So Long Passwords, Hello Passkeys https://www.digitaltransactions.net/paypal-so-long-passwords-hello-passkeys/
• Sysinternals Updates: Process Explorer v17.0, Handle v5.0, Process Monitor v3.92 and Sysmon v14.11, (Sun, Oct 30th) https://isc.sans.edu/diary/rss/29200
• Big Changes are Afoot: Expanding and Enhancing the Have I Been Pwned API https://www.troyhunt.com/expanding-and-enhancing-the-have-i-been-pwned-api/

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• Advisories:
• CISA Warns of Attacks Exploiting Cisco, Gigabyte Vulnerabilities https://www.securityweek.com/cisa-warns-attacks-exploiting-cisco-gigabyte-vulnerabilities
• Patching:
• Google Issues Urgent Chrome Update to Patch Actively Exploited Zero-Day Vulnerability https://thehackernews.com/2022/10/google-issues-urgent-chrome-update-to.html
• Cisco warns admins to patch AnyConnect flaw exploited in attacks https://www.bleepingcomputer.com/news/security/cisco-warns-admins-to-patch-anyconnect-flaw-exploited-in-attacks/
• Microsoft OneDrive crashes because of recent Windows 10 updates https://www.bleepingcomputer.com/news/microsoft/microsoft-onedrive-crashes-because-of-recent-windows-10-updates/
• Microsoft: Windows domain joins may fail after October updates https://www.bleepingcomputer.com/news/microsoft/microsoft-windows-domain-joins-may-fail-after-october-updates/
• Significant:
• Control Gap Vulnerability Roundup: October 15th to October 21st https://www.controlgap.com/blog/vulnerability-roundup-october-15th-october-21st
• VMware patches vulnerability with 9.8/10 severity rating in Cloud Foundation https://arstechnica.com/information-technology/2022/10/vmware-patches-vulnerability-with-9-8-10-severity-rating-in-cloud-foundation/
• Exploit released for critical VMware RCE vulnerability, patch now https://www.bleepingcomputer.com/news/security/exploit-released-for-critical-vmware-rce-vulnerability-patch-now/
• Critical Vulnerability in Open SSL https://www.schneier.com/blog/archives/2022/10/critical-vulnerability-in-open-ssl.html
• Other Vulnerabilities:
• Leeloo Multipath: Authorization bypass and symlink attack in multipathd (CVE-2022-41974 and CVE-2022-41973) https://blog.qualys.com/vulnerabilities-threat-research/2022/10/25/leeloo-multipath-authorization-bypass-and-symlink-attack-in-multipathd-cve-2022-41974-and-cve-2022-41973
• Stranger Strings: An exploitable flaw in SQLite https://blog.trailofbits.com/2022/10/25/sqlite-vulnerability-july-2022-library-api/
• Windows Event Log Vulnerabilities Could Be Exploited to Blind Security Products https://www.securityweek.com/windows-event-log-vulnerabilities-could-be-exploited-blind-security-products
• CVE-2022-42889: Detect Text4Shell via Qualys Container Security https://blog.qualys.com/vulnerabilities-threat-research/2022/10/25/cve-2022-44889-detect-text4shell
• How the "pizza123" password could take down an organization https://www.bleepingcomputer.com/news/security/how-the-pizza123-password-could-take-down-an-organization/
• Research on new vulnerabilities:
• Uncovering Security Blind Spots in CNC Machines https://www.trendmicro.com/en_us/research/22/j/uncovering-security-blind-spots-in-cnc-machines.html
• On the Randomness of Automatic Card Shufflers https://www.schneier.com/blog/archives/2022/10/on-the-randomness-of-automatic-card-shufflers.html
• Cryptography and Cryptographic Research:
• RC4 Is Still Considered Harmful https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html
• Supersingular Curves You Can Trust https://eprint.iacr.org/2022/1469
• A Side-Channel Attack on a Hardware Implementation of CRYSTALS-Kyber https://eprint.iacr.org/2022/1452
• One-Time Programs https://blog.cryptographyengineering.com/2022/10/27/one-time-programs/
• Policy-Based Redactable Signatures https://eprint.iacr.org/2022/1485
• Quagmire ciphers and group theory: What is a Beaufort cipher? https://eprint.iacr.org/2022/1488

Hacking / Malware / Cybercrime / Exploitation

News covering active trends, alerts, events.

• Trends, Alerts, and Events (other than major breaches):
• Thousands of GitHub repositories deliver fake PoC exploits with malware https://www.bleepingcomputer.com/news/security/thousands-of-github-repositories-deliver-fake-poc-exploits-with-malware/
• Massive cryptomining campaign abuses free-tier cloud dev resources https://www.bleepingcomputer.com/news/security/massive-cryptomining-campaign-abuses-free-tier-cloud-dev-resources/
• Typosquat campaign mimics 27 brands to push Windows, Android malware https://www.bleepingcomputer.com/news/security/typosquat-campaign-mimics-27-brands-to-push-windows-android-malware/
• Hackers use Microsoft IIS web server logs to control malware https://www.bleepingcomputer.com/news/security/hackers-use-microsoft-iis-web-server-logs-to-control-malware/
• Where is the Origin?: QAKBOT Uses Valid Code Signing https://www.trendmicro.com/en_us/research/22/j/where-is-the-origin-qakbot-uses-valid-code-signing-.html
• Android malware droppers with 130K installs found on Google Play https://www.bleepingcomputer.com/news/security/android-malware-droppers-with-130k-installs-found-on-google-play/
• Quebec man charged in phone scam targeting Toronto seniors https://globalnews.ca/news/9233122/toronto-telephone-scam-seniors-quebec-man-charged/
• Crime & Arrests, etc.:
• British Hacker Charged for Operating "The Real Deal" Dark Web Marketplace https://thehackernews.com/2022/10/british-hacker-charged-for-operating.html
• U.S. Charges Ukrainian Hacker Over Role in Raccoon Stealer Malware Service https://thehackernews.com/2022/10/us-charges-ukrainian-hacker-over-role.html
• Nation State Actors:
• Liz Truss phone hack claim prompts calls for investigation https://www.bbc.co.uk/news/uk-politics-63442813
• Hacked Documents: How Iran Can Track and Control Protesters' Phones https://www.databreaches.net/hacked-documents-how-iran-can-track-and-control-protesters-phones/
• Iran's atomic energy agency hacked as protests persist https://globalnews.ca/news/9220211/iran-atomic-energy-agency-hack/
• Raspberry Robin Operators Selling Cybercriminals Access to Thousands of Endpoints https://thehackernews.com/2022/10/raspberry-robin-operators-selling.html
• Raspberry Robin worm part of larger ecosystem facilitating pre-ransomware activity https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/
• Researchers Uncover Stealthy Techniques Used by Cranefly Espionage Hackers https://thehackernews.com/2022/10/researchers-uncover-stealthy-techniques.html
• Norway charges man accused of being Russian spy https://www.bbc.co.uk/news/world-europe-63429520

Other Security / Risk

Articles covering other types of risks.

• General:
• Child Identity Fraud: The Perils of Too Many Screens and Social Media https://www.databreaches.net/child-identity-fraud-the-perils-of-too-many-screens-and-social-media/
• 'A weapon to target Chinese overseas': So-called police stations allegedly target foreign nationals https://toronto.ctvnews.ca/a-weapon-to-target-chinese-overseas-so-called-police-stations-allegedly-target-foreign-nationals-1.6130412
• Why we're leaving the cloud https://world.hey.com/dhh/why-we-re-leaving-the-cloud-654b47e0
• The RISC Deprogrammer https://blog.erratasec.com/2022/10/the-risc-deprogrammer.html
• Phoenix system overpaid bureaucrats by $500M — now it's time to claw that back: watchdog https://globalnews.ca/news/9231644/phoenix-pay-system-auditor-general/
• RCMP investigating Chinese 'police' stations in Canada https://www.cbc.ca/news/rcmp-investigating-chinese-police-stations-canada-1.6627166
• Health:
• More than one million deaths linked to air pollution exposure in Africa https://scienmag.com/more-than-one-million-deaths-linked-to-air-pollution-exposure-in-africa/
• Nurses leaving Canada doubled in the last five years amid health-care crisis https://toronto.ctvnews.ca/nurses-leaving-canada-doubled-in-the-last-five-years-amid-health-care-crisis-1.6126807
• Short bursts of vigorous activity linked with increased longevity https://scienmag.com/short-bursts-of-vigorous-activity-linked-with-increased-longevity/
• New BQ.1 and BQ.1.1 Omicron subvariants growing twice as fast as BA.5 in Ontario https://toronto.ctvnews.ca/new-bq-1-and-bq-1-1-omicron-subvariants-growing-twice-as-fast-as-ba-5-in-ontario-1.6129573
• Time for Ontario to reinstate mask mandates: ex science table adviser https://globalnews.ca/news/9235094/ontario-masking-mandate-reinstate-ex-science-table-adviser/
• New Hybrid Virus Discovered as Flu And RSV Fuse Into Single Pathogen https://www.sciencealert.com/new-hybrid-virus-discovered-as-flu-and-rsv-fuse-into-single-pathogen
• Ancient 15,000-Year-Old Viruses Found in Melting Tibetan Glaciers https://www.sciencealert.com/ancient-15000-year-old-viruses-found-in-melting-tibetan-glaciers
• Safety:
• Snapchat's disappearing message function helped teenagers obtain fentanyl with deadly consequences, lawsuit argues https://www.businessinsider.com/snapchat-disappearing-messages-helped-teenagers-obtain-fentanyl-lawsuit-2022-10
• People of interest detained and released after potential explosive device at Toronto airport destroyed https://globalnews.ca/news/9220256/toronto-airport-suspicious-package-released/
• 'We shouldn't be building houses in floodplains': Critics sound concern over Ford government's plan to explore building homes in conservation lands https://toronto.ctvnews.ca/we-shouldn-t-be-building-houses-in-floodplains-critics-sound-concern-over-ford-government-s-plan-to-explore-building-homes-in-conservation-lands-1.6130632
• Dead Arecibo telescope offers asteroid warning from beyond the grave https://www.livescience.com/arecibo-near-earth-asteroid-report
• Environment:
• Utility Explores Converting Coal Plants into Nuclear Power https://www.scientificamerican.com/article/utility-explores-converting-coal-plants-into-nuclear-power/
• New Report Lists 5 Reasons to Think Plastic Recycling Is a "Failed Concept" https://www.sciencealert.com/new-report-lists-5-reasons-to-think-plastic-recycling-is-a-failed-concept
• NASA is Mapping Giant Clouds of Methane Released by “Super-Emitters” Across the World https://www.universetoday.com/158353/nasa-is-mapping-giant-clouds-of-methane-released-by-super-emitters-across-the-world/

Russia v. Ukraine

News and announcements relating to Russia's invasion of Ukraine.

• The war:
• Russian missiles smash Ukrainian homes as Moscow warns of ‘uncontrolled escalation' https://globalnews.ca/news/9220237/russian-missiles-mykolaiv-ukraine/
• Reaction and response:
• How Technology Companies Are Shaping the Ukraine Conflict https://www.scientificamerican.com/article/how-technology-companies-are-shaping-the-ukraine-conflict/
• Ukraine war: Russia halts grain deal after 'massive' Black Sea Fleet attack https://www.bbc.co.uk/news/world-europe-63439760
• There is chance for peace in Ukraine, France's Emmanuel Macron says https://globalnews.ca/news/9220390/ukraine-russia-war-peace-macron/
• Sanctions & economic Impact:
• Canada to impose new sanctions on 35 more Russians as attacks on Ukraine persist https://globalnews.ca/news/9233641/canada-russia-sanctions-ukraine-war-oct-28/
• Information, Disinformation, and Propaganda:
• Ukraine war: Kyiv denounces Russia's 'dirty bomb' claims https://www.bbc.co.uk/news/world-europe-63369175

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• The Wreck of the ‘Äpplet'—Sister Ship of Sweden's Infamous ‘Vasa'—Has Been Found After More Than Three Centuries https://www.mentalfloss.com/posts/applet-shipwreck-found-sister-vessel-vasa-sweden
• Nightmares Can Be Silenced With a Single Piano Chord, Scientists Discover https://www.sciencealert.com/nightmares-can-be-silenced-with-a-single-piano-chord-scientists-discover
• Recent advances in chocolate research https://scienmag.com/recent-advances-in-chocolate-research/
• Massive American aircraft carrier USS Gerald R. Ford arrives in Halifax harbour https://globalnews.ca/news/9233865/american-aircraft-carrier-uss-gerald-r-ford-halifax-harbour/
• How Dangerous are Nearby Supernovae to Life on Earth? https://www.universetoday.com/158316/how-dangerous-are-nearby-supernovae-to-life-on-earth/