This Week’s [in]Security – Issue 101 | insecurity | Control Gap

Welcome to This Week’s [in]Security. This week: detailed alert on trending e-commerce attack methods, PCI glossary for small business, PCI seeks input on SPoC MSR, large surveillance db leak, watchlists exposed, many NIST announcements, FPE update, patent on opting-in, fix-it-already project, fighting fake news with MetaFact, fighting trolls in the midterms, USB-C Thunderbolt risks, a slew of bugs, SuperMicro vulnerabilities used to pwnd IBM cloud servers, Comcast and Kanye West have nothings in common, financial group undermining TLS 1.3, Quadriga's empty cold-wallets, Marriott's GDPR liability, moderator PTSD, carbon sequestering, the solar system gets bigger, and more.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

News and announcements relating to Payment Security, Payments, PCI, and Card Brands.

• PCI publishes a glossary for use by small merchants https://blog.pcisecuritystandards.org/resource-for-small-merchants-glossary-of-payment-and-infosec-terms
• PCI is asking for comments on their proposed SPoC MSR Annex (a PIN-on-glass use case for magnetic stripe cards) https://blog.pcisecuritystandards.org/request-for-comments-pci-spoc-msr-annex
• VISA issues alert on FIN6 APT - a very complete look at the dangerous trend in e-commerce attacks from phishing, foothold, formjacking, and magecart https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf
• RiskIQ analysis of the Magecart Group 4 operation https://www.riskiq.com/blog/labs/magecart-group-4-always-advancing/

Breaches / Leaks

Covering breaches, leaks, data exposures, and their fallout.

• Part 1 of 3) Stolen government laptop from Northwest Territories Department of Health had data on most if not all https://www.cbc.ca/news/canada/north/stolen-laptop-breach-more-details-1.5023613
• Dow Jones financial watchlist exposed on unsecured Elasticsearch db https://www.darkreading.com/cloud/dow-jones-leak-exposes-watchlist-database/d/d-id/1334006
• Unsecured Chinese surveillance database found on the web https://www.eff.org/deeplinks/2019/03/massive-database-leak-gives-us-window-chinas-digital-surveillance-state
• 40M accounts from July 2018 ShareThis breach for sale https://haveibeenpwned.com/PwnedWebsites#ShareThis
• Montreal-based UN aviation agency
  ICAO tried to cover up 2016 cyberattack https://www.msn.com/en-ca/news/canada/montreal-based-un-aviation-agency-tried-to-cover-up-2016-cyberattack-documents-show/ar-BBU8JKQ
• This should be no surprise, GDPR may add up to $915Μ Marriott's data breach expenses https://www.forbes.com/sites/yiannismouratidis/2019/01/09/gdpr-may-add-up-to-8-8b-marriotts-data-breach-expenses/

Privacy

Articles about privacy related news, risks, and trends.

• Facebook pressured Canada and other countries to ease up on data rules, U.K. reports say https://www.cbc.ca/news/politics/facebook-canada-data-pressure-1.5041063 and https://www.theguardian.com/technology/2019/mar/02/facebook-global-lobbying-campaign-against-data-privacy-laws-investment
• Ireland currently has 15 GDPR probes agaisnt Facebook, Twitter, and others https://www.bankinfosecurity.com/15-gdpr-probes-in-ireland-target-facebook-twitter-others-a-12059
• Huge gaps between privacy and mobile apps https://www.bankinfosecurity.com/blogs/gap-between-mobile-apps-privacy-p-2725

Laws & Regulations / Standards

News about laws, regulations, and standards affecting security, privacy,  technology, and public interest.

• US Patent office grants stupid patent for privacy opt-in mechanism https://www.eff.org/deeplinks/2019/02/stupid-patent-month-patent-following-privacy-laws
• Facebook and Instagram launch lawsuit over sale of fake accounts https://www.businessinsider.com/facebook-and-instagram-launch-lawsuit-over-fake-accounts-and-followers-2019-3
• EFF and others supporting proposed California "Privacy for All" law https://www.eff.org/deeplinks/2019/02/its-time-california-guarantee-privacy-all
• Tech industry pushes for changes to Australia's anti-encryption law https://www.bankinfosecurity.com/tech-industry-pushes-for-australian-encryption-law-changes-a-12049
• NIST looking for feedback on SP 800-38G rev1 Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption includes on updates to address isues with FF1 and FF3. Update: https://csrc.nist.gov/news/2019/nist-requests-comments-on-draft-sp-800-38g-rev-1 and details: https://csrc.nist.gov/publications/detail/sp/800-38G/rev-1/draft. Note these updates may impact solutions using FPE in the application of payment cards.
• NIST SP 800-177 rev 1 Trustworthy Email. Updates https://csrc.nist.gov/news/2019/trustworthy-email-nist-publishes-sp-800-177-rev-1 and details
  https://csrc.nist.gov/publications/detail/sp/800-177/rev-1/final
• NIST makes minor updates to SP 800-162, Guide to Attribute Based Access Control (ABAC) Definition and Considerations https://csrc.nist.gov/publications/detail/sp/800-162/final
• NIST’s National Initiative for CyberSecurity Education (NICE) is having a conference in Phoneix on November 18-20, 2019. See https://niceconference.org/ and https://content.govdelivery.com/accounts/USNIST/bulletins/22fbc9f
• TikTok sttles $5.7M in FTC fines over privacy complaint https://epic.org/2019/02/ftc-obtains-fines-tiktok-for-v.html
• Tech companies weigh in to Supreme Court about Oracle vs. Google lawsuit over Java API's https://www.businessinsider.com/oracle-google-supreme-court-java-android-2019-2

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• Microsoft rolls out Google's Retpoline Spectre mitigation to Windows 10 users https://www.zdnet.com/article/microsoft-rolls-out-googles-retpoline-spectre-mitigation-to-windows-10-users/
• EFF has had some shaming success with their "Stupid Patent of the Month" project, not they strike again with "Fix it Already" and their initial list of nine bugs shame Facebook, Google, Apple, Twitter, Verizon, Microsoft, Slack, Venmo, and WhatsApp. Article https://www.eff.org/press/releases/eff-implores-nine-companies-fix-it-already and project page https://fixitalready.eff.org
• MetaFact - an approach to fighting fake news https://www.sciencealert.com/scientists-have-beaten-elon-musk-to-a-fake-news-solution-and-it-s-gaining-traction and project https://metafact.io/
• US Cyber command took Russian cyber-trolls offline for 2018 elections https://arstechnica.com/information-technology/2019/02/report-us-cyber-command-took-russian-trolls-offline-during-midterms/
• Android now supporting FIDO2 password-less authentication https://thehackernews.com/2019/02/android-fido2-password-security.html

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• Researchers build fake USB-C Thunderbolt network card and successfully exploit MacOS, FreeBSD, and Linux (Windows is vulnerable too) https://www.lightbluetouchpaper.org/2019/02/26/struck-by-a-thunderbolt/
• Move over Kanye West, Comcast sets phone PINs to "0000" and fuels number porting scams https://arstechnica.com/information-technology/2019/03/a-comcast-security-flub-helped-attackers-steal-mobile-phone-numbers/
• Chrome PDF zero-day https://www.securityweek.com/chrome-zero-day-exploited-harvest-user-data-pdf-files
• Cisco: patch routers for severity 9.8 vulnerability https://www.zdnet.com/article/cisco-patch-routers-now-against-massive-9-810-severity-security-hole/
• Cisco patches Webex vulnerability again-again https://threatpost.com/cisco-patches-high-severity-webex-vulnerability-for-third-time/142243/
• Severe vulnerabilities in Nokia/Alcatel-Lucent GPON (optical) routers https://www.tenable.com/blog/tenable-research-discovers-remote-code-execution-vulnerabilities-in-gpon-routers
• Supermicro hardware weaknesses let researchers backdoor an IBM cloud server https://arstechnica.com/information-technology/2019/02/supermicro-hardware-weaknesses-let-researchers-backdoor-an-ibm-cloud-server/ and https://www.wired.com/story/dark-metal-cloud-computers-invisible-malware/
• Ring doorbell vulnerable to third-party spying https://threatpost.com/ring-doorbell-flaw-opens-door-to-spying/142265/
• New browser attack lets hackers run bad code even after users leave a web page https://www.zdnet.com/article/new-browser-attack-lets-hackers-run-bad-code-even-after-users-leave-a-web-page/
• Bulletprooof TLS #50, various TLS news including a debate on a UAE base CA and if it should be distrusted https://www.feistyduck.com/bulletproof-tls-newsletter/issue50darkmatterfromtheunitedarabemiratesoperatesacertificate_authority
• SHAREit patches too critical vulnerabilities that allow theft of files https://threatpost.com/shareit-flaws-files/142200/
• IBM says more than half of malware attacks are file-less https://www.theregister.co.uk/2019/02/26/malwareibmpowershell/
• 2018 saw over 22K vulnerabilities and almost 1/3 were not fixed https://www.darkreading.com/vulnerabilities--- threats/more-than-22000-vulns-were-disclosed-in-2018-27--without-fixes/d/d-id/1333998

Hacking / Malware / Cybercrime / Exploitation

News covering active trends and events.

• Malware targets ElasticSearch 1.4.2 and older https://www.theregister.co.uk/2019/02/27/elasticsearchmalwarecisco_talos/
• Malware in phone apps facilitate hijacking calls to legitimate firms https://www.darkreading.com/threat-intelligence/whose-line-is-it-when-voice-phishing-attacks-get-sneaky/d/d-id/1333982
• 74% of data breaches start with privileged credential abuse https://www.forbes.com/sites/louiscolumbus/2019/02/26/74-of-data-breaches-start-with-privileged-credential-abuse/
• Cab company ex-employee takes over business's Google listing and redirects calls to competitor https://globalnews.ca/news/5016415/penticton-taxi-company-hacked/
• Blatant fraud riding the crypto-currency hype wave https://www.theregister.co.uk/2019/02/28/cryptocurrencyownerarrested/
• Scammers like Gift Cards over wire transfers https://www.wired.com/story/email-scammers-gift-cards-nonprofits/
• Search into QuadrigaCX's missing cryptocurrency turns up empty 'cold wallets' - could this be fraud? https://www.ctvnews.ca/business/search-into-missing-cryptocurrency-turns-up-empty-cold-wallets-report-1.4319270
• California hacker gets 3 months in jail https://www.theregister.co.uk/2019/02/27/alfabetorussianjailed/
• Former Russian cyber-intelligence official and Kaspersky executive sentenced to 22-years in prison https://krebsonsecurity.com/2019/02/former-russian-cybersecurity-chief-sentenced-to-22-years-in-prison/
• DDoS for hire operator pleads guilty https://krebsonsecurity.com/2019/02/booter-boss-interviewed-in-2014-pleads-guilty/

Other Security / Risk

Articles covering other types of risks.

• ETS or eTLS, is a flawed protocol being pushed by a financial industry group known as BITS to undermine TLS 1.3 https://www.eff.org/deeplinks/2019/02/ets-isnt-tls-and-you-shouldnt-use-it
• The attack-footprint of autonomous vehicles https://threatpost.com/modern-car-warning/142190/
• The US terrorist watch list isn't secret, it's actually shared broadly https://www.schneier.com/blog/archives/2019/02/caneverybodyr.html
• Canada's federal auditor cancels work for lack of money https://www.msn.com/en-ca/news/canada/federal-auditor-cancels-work-for-lack-of-money/ar-BBUcXqW
• US considering ripping out Huawei gear https://www.theregister.co.uk/2019/02/25/huaweiuselectric_grid/
• Coinhive will shut down because Monero is no longer profitable https://threatpost.com/coinhive-monero-shutdown/142290/
• Why AI is a threat to democracy https://www.technologyreview.com/s/613010/why-ai-is-a-threat-to-democracyand-what-we-can-do-to-stop-it/
• Facebook moderators exposed to endless toxic content may experience PTSD https://www.sciencealert.com/facebook-moderators-are-breaking-down-under-inhumane-conditions-and-what-they-see
• Crematorium workers may be at risk from radio-active cancer treatments https://globalnews.ca/news/5003932/cremation-radioactive-cancer-drug/
• Investors are seeing through the hype of buzzwords https://www.businessinsider.com/blackrock-survey-of-institutional-investors-on-technology-2019-2

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• NASA was testing a new rover in the Chilean desert when their dry run unearthed some strange and previously unknown bacteria https://www.sciencealert.com/a-planetary-rover-in-the-chilean-desert-has-found-strange-bacteria-that-could-lead-us-to-martians
• The record for the most distant solar system object has been broken after only 3 months Far-Out move over for Far-Far-Out https://www.universetoday.com/141634/the-record-for-the-most-distant-object-in-the-solar-system-has-been-shattered-introducing-farfarout-at-140-astronomical-units/
• The evidence for planet nine mounts https://www.syfy.com/syfywire/does-planet-9-exist
• New carbon sequestering tech makes coal from the CO2 in the air https://www.forbes.com/sites/trevornace/2019/02/27/scientists-just-pulled-co2-from-air-and-turned-it-into-coal/
• Life probably can’t exist on quite as many planets as we once thought https://www.technologyreview.com/s/613003/life-probably-cant-exist-on-quite-as-many-planets-as-we-once-thought/
• Flat earthers prove themselves wrong https://cheezburger.com/95794945/flat-earthers-experimentally-disproving-themselves-will-make-you-smile
• 1 Minute physics: "How ISPs Violate the Laws of Mathematics" https://youtu.be/Z3IPVWN-1ks