This Week’s [in]Security – Issue 100

Welcome to This Week’s [in]Security. This week: PCI PIN program gets moving, POS breach, credential stuffing TurboTax breach, breach fallout, secret cameras everywhere, Facebook and the Healthcare apps, Facebook lawsuit emails, defecting politicians taking parties PII data with them, Twitter DMs live forever, Facebook's US fines could be billions, Facebook spying on competitors, MS killing SHA-1 for updates, catfishing, very old bugs in WinRar and WordPress, Spectre is here to stay, more Magecart and supply chain attacks, Splunk unexpectedly leaves Russia, and original Enigma machine, and synthetic DNA.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

News and announcements relating to Payment Security, Payments, PCI, and Card Brands.

• PCI ramps up PIN program https://blog.pcisecuritystandards.org/applications-now-open-for-qualified-pin-assessor-program
• Apple to launch credit card https://www.engadget.com/2019/02/21/apple-credit-card-launch/

Breaches / Leaks

Covering breaches, leaks, data exposures, and their fallout.

• 137 restaurants exposed by breach of North Country Point-of-Sale for cardholder’s name, credit card number, expiration date, and CVV https://www.bleepingcomputer.com/news/security/cards-used-at-137-restaurants-exposed-by-point-of-sale-breach/
• 70K bank cards from Pakistani bank for sale https://www.bankinfosecurity.com/big-dump-pakistani-bank-card-data-appears-on-carder-site-a-12044
• 170K hours of sensitive medical calls exposed in Sweden https://www.bbc.com/news/technology-47292887
• A misconfigured database exposed 1M paitent records at UW medicine https://www.bankinfosecurity.com/misconfiguration-leads-to-major-health-data-breach-a-12042
• Unsecured MongoDB database exposes personal information on 500K Indian citizens https://thehackernews.com/2019/02/mongodb-delhi-database-leaked.html
• Intuit's TurboTax was breached through a credential stuffing attack will now be implementing 2FA https://www.bleepingcomputer.com/news/security/tax-returns-exposed-in-turbotax-credential-stuffing-attacks/
• UK Labour Party locks down member databases on suspicions breakaway MPs were siphoning off data https://www.theregister.co.uk/2019/02/21/databreachlabourlocksdownmemberdatabases/
• Flaw in Stanford student record system exposes student records https://www.darkreading.com/vulnerabilities--- threats/breach-in-stanford-system-exposes-student-records/d/d-id/1333905
• Faceboook Groups exposed medical data https://www.pymnts.com/facebook/2019/facebook-exposing-user-data-groups/
• Data from last year's MyFitnessPal breach recently came up for sale https://haveibeenpwned.com/PwnedWebsites#MyFitnessPal
• Data from 2017 MyHeritage genealogy breach came up for sale https://haveibeenpwned.com/PwnedWebsites#MyHeritage
• Data from Ontario Healthcare breach hack/extortion in 2018 one step closer to being dumped https://healthitsecurity.com/news/amp/hackers-attempt-to-extort-ontario-healthcare-provider-carepartners

Privacy

Articles about privacy related news, risks, and trends.

• Advances in camera tech and peeping toms https://globalnews.ca/news/4981127/hidden-cameras-fight-peeping-toms/
• Oops, your Nest has a microphone they forgot to mention https://www.cbc.ca/news/technology/google-nest-mic-forgot-1.5027333

• Airline in-flight entertainment systems have cameras facing you

  • Singapore Airlines’ https://www.fastcompany.com/90310098/someone-found-cameras-in-singapore-airlines-in-flight-entertainment-system
  • American Airlines' https://www.cnet.com/news/american-airlines-has-cameras-in-some-of-its-seat-back-screens/
• Healthcare apps are sharing information with Facebook https://www.wsj.com/articles/you-give-apps-sensitive-personal-information-then-they-tell-facebook-11550851636 and https://www.theverge.com/2019/2/22/18236398/facebook-mobile-apps-data-sharing-ads-health-fitness-privacy-violation
• New York state orders inquiry into Facbook Healthcare app abuse of privacy https://www.theguardian.com/technology/2019/feb/22/new-york-facebook-privacy-data-app-wall-street-journal-report
• Congress investigating Facebook health information complaint https://www.bankinfosecurity.com/congress-scrutinizes-facebook-health-data-privacy-complaint-a-12038
• Worldwide law enforcement trends threatening privacy https://www.eff.org/deeplinks/2019/02/whats-emergency-keeping-international-requests-law-enforcement-access-secure-and
• 18K Apps on Google play violate ad ID policies https://www.securityweek.com/18000-android-apps-violate-googles-ad-id-policies-analysis
• Twitter doesn't delete direct messages https://www.independent.co.uk/life-style/gadgets-and-tech/news/twitter-direct-messages-dms-privacy-cyber-security-data-a8784821.html

Laws & Regulations / Standards

News about laws, regulations, and standards affecting security, privacy,  technology, and public interest.

• Police are increasingly using "Reverse Location Warrants" to find all cellphones near a crime scene https://www.schneier.com/blog/archives/2019/02/reverse_locatio.html
• US Facebook privacy fine could be in the billions https://www.securityweek.com/us-facebook-fine-over-privacy-could-be-billions-reports
• California law to require notification of breach of passport and biometric data https://www.cnet.com/news/california-bill-would-
• Push to replace Pennsylvania's voting machines by 2020 https://www.thestar.com/news/world/us/2019/02/20/pennsylvania-must-replace-voting-machines-lawmakers-told.html
• Ontario MPP wants to bring 'Right to Repair' movement to Canada https://mobilesyrup.com/2019/02/18/ontario-mpp-right-repair/
• Cash-free stores may be forced to take cash https://www.nytimes.com/2019/02/20/business/cashless-payments.html
• What happens to your crypto-currency when you die https://sector.ca/what-happens-to-your-bitcoin-after-you-die/
• Trove of unauthenticated Facebook executive emails relating to a lawsuit posted online https://www.theguardian.com/technology/2019/feb/22/facebook-new-emails-leaked-six4three-lawsuit-user-data

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• New approach to defending against broad password guessing attacks https://www.darkreading.com/attacks-breaches/researchers-propose-new-approach-to-address-online-password-guessing-attacks/d/d-id/1333939
• Microsoft trims Flash whitelist after Google finds holes https://arstechnica.com/gadgets/2019/02/microsoft-culls-secret-flash-whitelist-after-google-points-out-its-insecurity/
• Web application security testing FAQ https://www.packetlabs.net/webapp-security-testing-faq/
• Macs and antivirus software https://www.comparitech.com/blog/information-security/if-you-have-a-mac-do-you-need-antivirus-protection/
• Cloudflare now has an RDP security offering https://blog.cloudflare.com/cloudflare-access-now-supports-rdp/
• Microsoft is abandoning SHA-1 hashing for software updates. Older systems without SHA-2 support will not be able to get updates https://threatpost.com/microsoft-updates-os-sha-1/142000/
• NATO tests troops with catfishing excercise https://www.wired.com/story/nato-stratcom-catfished-soldiers-social-media/
• Catching a "Catfisher" https://www.theguardian.com/technology/ng-interactive/2019/feb/20/how-to-catch-a-catfisher

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• Vulnerabilities in multiple password managers leak information https://www.securityevaluators.com/casestudies/password-manager-hacking/
• Spectre type attacks: no easy fixes https://www.darkreading.com/analytics/google-research-no-simple-fix-for-spectre-class-vulnerabilities/d/d-id/1333911
• Easily mounted attacks on Wi-Fi networks https://www.imperva.com/blog/no-one-is-safe-the-five-most-popular-social-engineering-attacks-against-your-companys-wi-fi-network/
• Ships vulnerable to remote attacks that could result in capsizing, collisions, and more https://threatpost.com/hacker-capsize-ship-sea/142077/
• WhatsApp bug on iOS can expose messages https://www.bankinfosecurity.com/whatsapp-flaw-could-allow-for-message-snooping-a-12039
• WinRAR path traversal bug discovered after 14 years https://arstechnica.com/information-technology/2019/02/nasty-code-execution-bug-in-winrar-threatened-millions-of-users-for-14-years/
• WordPress remote code execution flaw lay undiscovered for 6 years https://thehackernews.com/2019/02/wordpress-remote-code-execution.html
• How phishing is both easy and effective https://www.darkreading.com/application-security/the-anatomy-of-a-lazy-phish/a/d-id/1333879

Hacking / Malware / Cybercrime / Exploitation

News covering active trends and events.

• Nasty "drainer-bot" malware in popular Google Play apps comits ad fraud at the cost of your bandwidth and battery https://arstechnica.com/information-technology/2019/02/google-play-apps-with-10-million-installs-drains-batteries-jacks-up-data-charges/
• Ongoing and widespread DNS hijacking https://krebsonsecurity.com/2019/02/a-deep-dive-on-the-recent-widespread-dns-hijacking-attacks/
• Windows based ATM jack-potting software https://www.wired.com/story/atm-hacking-winpot-jackpotting-game/
• Facebook used app to spy on potential competitors https://www.bbc.com/news/technology-47281906
• Supply Chain Attacks, like Magecart doubled last year https://www.securityweek.com/supply-chain-attacks-nearly-doubled-2018-symantec
• Related, article on formjacking https://www.darkreading.com/threat-intelligence/formjacking-compromises-4800-sites-per-month-could-yours-be-one/d/d-id/1333908
• Simple, spartan and effective credential theft malware https://arstechnica.com/information-technology/2019/02/hard-to-detect-credential-theft-malware-has-infected-1200-and-is-still-going/
• Thieves try to steal Bitcoin with doctored photos to get around 2FA backup authentication https://www.bankinfosecurity.com/doctored-photos-thieves-try-to-steal-bitcoin-a-12016
• LinkedIn direct messages to job seekers laced with malware https://www.bleepingcomputer.com/news/security/linkedin-messaging-abused-to-target-us-companies-with-backdoors/
• Hackers use compromised banks as starting points for phishing attacks https://www.bleepingcomputer.com/news/security/hackers-use-compromised-banks-as-starting-points-for-phishing-attacks/
• Melbourne Heart Group attacked by ransomware https://www.theguardian.com/technology/2019/feb/21/hackers-scramble-patient-files-in-melbourne-heart-clinic-cyber-attack
• Ongoing Russian information operations against western democracies https://www.nytimes.com/2019/02/20/technology/russia-hack-microsoft.html
• Cyber-criminals are hiring https://www.theregister.co.uk/2019/02/21/blackhatssextortion275ksalaries_helpers/
• Reports of a new type of fuel pump credit card skimmer are mistaken https://krebsonsecurity.com/2019/02/new-breed-of-fuel-pump-skimmer-uses-sms-and-bluetooth/

Other Security / Risk

Articles covering other types of risks.

• Splunk pulls out of Russia https://www.zdnet.com/article/splunk-pulls-out-of-russia-with-mysterious-statement/
• Interview with head of US CyberCommand https://www.schneier.com/blog/archives/2019/02/gennakasoneon.htmlrequire-companies-to-let-you-know-if-your-passport-number-is-stolen/
• Google Earth accidentaly reveals secret military sites https://www.zdnet.com/article/google-maps-update-accidentally-reveals-secret-military-sites/
• The imperfect truth about facts in a world of fakery https://www.wired.com/story/zeynep-tufekci-facts-fake-news-verification/
• Security fears had an impact on Kaspersky in North America https://www.theregister.co.uk/2019/02/19/extentofsecurityfearsaboutsecuritybizkasperskylab_revealed/
• Chinese attacks on US up after pressure on
  Huawei  https://www.pymnts.com/news/security-and-risk/2019/chinese-hackers-telecom-cyberattacks/
• UK thinks risk of using Huawei gear is manageable https://www.bankinfosecurity.com/report-uk-believes-risk-using-huawei-manageable-a-12027
• After pedophiles post suggestive comments on video's of kids - advertisers boycott YouTube https://www.thestar.com/business/technology/2019/02/21/advertisers-boycott-youtube-after-pedophiles-swarm-comments-on-videos-of-children.html
• Zuckerberg criticized for idea to crowd source fact checking https://www.theguardian.com/technology/2019/feb/20/facebook-fact-checking-crowdsourced-mark-zuckerberg
• Estonia has a volunteer Cyber-militia https://www.schneier.com/blog/archives/2019/02/estonias_volunt.html
• The man who found an original WWII Enigma machine on eBay https://eandt.theiet.org/content/articles/2019/02/the-cyber-security-expert-who-found-an-enigma-machine-on-ebay/
• CERN's world-first browser reborn: Now you can browse like it's 1990 https://www.zdnet.com/article/cerns-world-first-browser-reborn-now-you-can-browse-like-its-1990/

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• Firefall in Yosemite is rare and beautiful event https://www.bbc.com/news/av/world-us-canada-47325381/firefall-in-yosemite-national-park-stuns-visitors
• Turns out a 10th century Viking warrior was female https://www.sciencealert.com/researchers-double-down-on-contentious-study-showing-viking-women-warriors-existed
• Microwaving grapes can cause plasma light show and damage ovens https://www.cbc.ca/news/technology/grapes-plasma-microwave-1.5024855
• Synthetic or alternate DNA? Study finds that four unnatural bases can work together GCAT and now SBPZ. More research is needed but there may be eventual medical applications (e.g. cancer treatment) https://www.scientificamerican.com/article/four-new-dna-letters-double-lifes-alphabet/
• Man shoots self spinning gun on his finger (reminiscent of an old comedy song about a gunfighter that gunned himself down) https://globalnews.ca/news/4975068/man-shoots-self-stomach-birthday-party/