This Week’s [in]Security – Issue 102 | insecurity | Control Gap

Welcome to This Week’s [in]Security. This week: PCI DSS 4.0 begins its journey, debates on cashless and contactless payments, 2018 data breaches up by over 4x , policy and cyber risk disclosure, breach followups, another mega breach of contact information, what's Facebook up to, more undisclosed microphones, NIST updates, NSA's reverse engineering tool opens up, Equifax fumbles again, a new class of firmware attacks, more IoT, several zero-days in the wild, bots, big data, echo chambers, behavior prediction, and more.

This week's photo is for those that have never experienced the Canadian winter phenomena of parking lot shrinkage.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

News and announcements relating to Payment Security, Payments, PCI, and Card Brands.

• PCI announces plans for DSS 4.0 in 2020 https://blog.pcisecuritystandards.org/pci-dss-looking-ahead-to-version-4.0
• Philadelphia bans "cashless" stores https://www.nytimes.com/2019/03/07/business/cashless-stores-philadelphia.html
• Opinion/criticism of implications of going contactless https://www.theguardian.com/commentisfree/2019/mar/07/going-contactless-is-gloriously-convenient-for-all-the-wrong-people

Breaches / Leaks

Covering breaches, leaks, data exposures, and their fallout.

• Marketing company Verifications io leaves 809M vetted email addresses exposed in an unsecured Mongo db https://www.wired.com/story/email-marketing-company-809-million-records-exposed-online/ and https://haveibeenpwned.com/PwnedWebsites#VerificationsIO
• A $1M University of Manitoba health study is in jeopardy over mishandling of personal health information https://www.cbc.ca/news/canada/manitoba/manitoba-university-health-breach-1.5046017
• 12,449 data breaches confirmed in 2018, a 424% increase https://www.bleepingcomputer.com/news/security/12-449-data-breaches-confirmed-in-2018-a-424-percent-increase-over-the-previous-year/
• The inadequacies of cyber risk disclosures through the lens of Marriott's public filings https://hbr.org/2019/03/the-marriott-breach-shows-just-how-inadequate-cyber-risk-disclosures-are
• Marriott breach costs pass $28M https://www.securityweek.com/data-breach-cost-marriott-28-million-so-far
• Report finds Equifax negligent before and after breach https://www.theregister.co.uk/2019/03/08/securityequifaxsenate/
• In related news, the Senate questions executives from Equifax, and Marriott https://www.pymnts.com/fraud-prevention/2019/senate-hearing-equifax-marriott-data-breach/
• Equifax executive pleads guilty to insider trading on breach https://www.thestar.com/news/world/us/2019/03/07/former-equifax-executive-pleads-guilty-to-insider-trading.html

Privacy

Articles about privacy related news, risks, and trends.

• Nest is the latest product with a creepy secret microphone https://www.schneier.com/blog/archives/2019/03/thelatestin_c.html
• Limiting access through cookie walls violate GDPR https://www.pymnts.com/news/regulation/2019/dpa-website-cookies-gdpr/
• Schneier: Don't expect the US to guard your web privacy https://www.theregister.co.uk/2019/03/07/policytechnologyschneier/
• We aren't the only ones skeptical of Zuckerberg's new privacy focused Facebook https://www.eff.org/deeplinks/2019/03/privacy-focused-facebook-well-believe-it-when-we-see-it
• Facebook's still misusing your 2FA phone number https://www.eff.org/deeplinks/2019/03/facebook-doubles-down-misusing-your-phone-number
• Consumers are sloppy with their own privacy and security practices https://threatpost.com/rsac-2019-most-consumers-say-no-to-cumbersome-data-privacy-practices/142478/
• DHS is planning on transferring personal data to the Census Bureau https://epic.org/2019/03/epic-investigates-the-transfer.html
• Apparently the NSA has shutdown their phone call surveillance program https://arstechnica.com/tech-policy/2019/03/house-aide-nsa-has-shut-down-phone-call-record-surveillance/

Laws & Regulations / Standards

News about laws, regulations, and standards affecting security, privacy,  technology, and public interest.

• Huawei goes on offensive suing US government over 5G ban https://globalnews.ca/news/5029375/huawei-lawsuit-us-5g-ban/
• LawBytes: a new podcast on digital policy in Canada http://www.michaelgeist.ca/2019/03/welcome-to-lawbytes-a-new-podcast-on-digital-policy-in-canada/
• Internet filters inevitable if EU Article 13 passes https://www.eff.org/deeplinks/2019/03/german-data-privacy-commissioner-says-article-13-inevitably-leads-filters-which
• NIST draft/comments on SP 800-133 rev 1 Recommendation for Cryptographic Key Generation adds EdDSA and KMACs. Update https://csrc.nist.gov/news/2019/nist-releases-draft-sp-800-133-rev-1-for-comment and details https://csrc.nist.gov/publications/detail/sp/800-133/rev-1/draft
• NIST Small Business Cybersecurity Corner https://www.nist.gov/itl/smallbusinesscyber
• Citizen Lab is in front of the standing committee on public safety and national security https://citizenlab.ca/2019/03/christopher-parsons-testifies-before-standing-committee-on-public-safety-and-national-security/

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• NSA open sources GHIDRA reverse engineering tool https://thehackernews.com/2019/03/ghidra-reverse-engineering-tool.html
• AI mining millions of tweets for vulnerability information https://www.wired.com/story/machine-learning-tweets-critical-security-flaws/
• What is the purpose of a penetration test https://www.packetlabs.net/purpose-of-a-penetration-test/
• CISSP has been recognized as a top certification https://blog.isc2.org/isc2_blog/2019/03/cissp-recognized-as-top-cybersecurity-certification-program-by-sc-media.html

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• Equifax's credit freeze PIN can be bypassed https://krebsonsecurity.com/2019/03/myequifax-com-bypasses-credit-freeze-pin/
• All Intel chips open to new Spoiler non-Spectre attack: Don't expect a quick fix https://www.zdnet.com/article/all-intel-chips-open-to-new-spoiler-non-spectre-attack-dont-expect-a-quick-fix/
• Digital signatures in PDFs are broken https://www.schneier.com/blog/archives/2019/03/digital_signatu.html
• Researcher finds vulnerabilities in in-flight entertainment system in a real flight - this seem irresponsible! https://www.theregister.co.uk/2019/03/08/thalestopseriesvuln/
• Ultrasound machine compromised in two clicks https://threatpost.com/ultrasound-hacked/142601/
• Office sign-in kiosks have security vulnerabilities https://www.wired.com/story/visitor-management-system-vulnerabilities/
• Cars vulnerable to flawed smart alarm systems https://www.bbc.com/news/av/technology-47485733/security-holes-found-in-smart-car-alarms
• Unpatched vulnerabilities with UPnP devices in homes https://blog.trendmicro.com/trendlabs-security-intelligence/upnp-enabled-connected-devices-in-home-unpatched-known-vulnerabilities/

Hacking / Malware / Cybercrime / Exploitation

News covering active trends and events.

• Chrome zero-day in the wild https://thehackernews.com/2019/03/update-google-chrome-hack.html
• Google discloses two in the wild zero-days https://security.googleblog.com/2019/03/disclosing-vulnerabilities-to-protect.html
• North Korean hackers hit over 100 targets in US and allies while the Trump-Kim summit was happening https://www.nytimes.com/2019/03/03/technology/north-korea-hackers-trump.html
• Iranian APT group responsible for losses in the hundreds of millions https://www.securityweek.com/iranian-hackers-caused-losses-hundreds-millions-report
• Scammers selling online searches and followup with fraudulent charges https://krebsonsecurity.com/2019/03/hackers-sell-access-to-bait-and-switch-empire/
• Crypto-currency miners exploiting Docker hosts https://www.imperva.com/blog/hundreds-of-vulnerable-docker-hosts-exploited-by-cryptocurrency-miners/
• Web certificates for sale on the dark-web https://www.securityweek.com/study-finds-rampant-sale-ssltls-certificates-dark-web
• Scammers targeting non-profits like Scouts for BEC/phishing https://threatpost.com/rsac-2019-bec-scammer-gang-takes-aim-at-boy-scouts-other-nonprofts/142302/
• Ex-employee pleads guilty in insider health-care breach https://www.bankinfosecurity.com/hipaa-crimes-a-12150
• Minnesota man pleads guilty to hacking government database in retaliation for acquittal of cop https://www.securityweek.com/man-admits-hacking-minnesota-databases-over-cop-acquittal
• Bitcoin trader brutally tortured https://www.independent.co.uk/life-style/gadgets-and-tech/news/bitcoin-robbery-torture-cryptocurrency-netherlands-a8807986.html
• New York orders reexamination of all-in-one voter machine over flaws not identified by vendor https://freedom-to-tinker.com/2019/03/08/reexamination-of-an-all-in-one-voting-machine/
• Discussion about (previously reported) denial of insurance coverage over ransomware infection (Zurich, Mondelez, and NotPetya) https://www.theregister.co.uk/2019/03/08/securityequifaxsenate/

Other Security / Risk

Articles covering other types of risks.

• Use a bot to catch a bot http://aiweirdness.com/post/183315553672/it-takes-a-bot-to-know-one
• Satellites communications security isn't as secure as you might expect https://www.extremetech.com/extreme/287284-hacking-satellites-is-probably-easier-than-you-think
• Big Data has been getting sloppy as data scientists have turned away from statistics. Does anyone actually care if the results are right? https://www.nytimes.com/2019/03/07/business/cashless-stores-philadelphia.html
• Probing how algorithms led to "filter bubbles" and "echo chambers" https://www.technologyreview.com/s/613083/deepmind-is-asking-how-google-helped-turn-the-internet-into-an-echo-chamber/
• Adi Shamir, the S in RSA couldn't get a Visa to attend the US RSA conference https://www.theregister.co.uk/2019/03/05/rsacofounderusvisarow/
• System claims to detect shoplifting behavior https://www.schneier.com/blog/archives/2019/03/detecting_shopl.html
• Predicting serial killers? https://globalnews.ca/news/5029321/neuroscience-psychopaths-serial-killers-explainer/
• Old TalkTalk email account taken over by spammers 8 years after contract ended https://www.theregister.co.uk/2019/03/07/talktalk8yroldemailaccountstill_active/
• Beware of rental scams in Vancouver BC https://globalnews.ca/news/5029357/rental-scam-new-westminster/
• Un-vaccinated Oregon boy contracts tetanus, suffers 70 days of agony, and cost $800K to treat https://globalnews.ca/news/5033440/oregon-boy-tetanus-unvaccinated/
• Largest study finds no link between MMR vaccines and autism https://www.sciencealert.com/even-in-kids-at-risk-the-mmr-vaccine-doesn-t-increase-chances-of-developing-autism
• The trolling technique known as sea-lioning https://www.forbes.com/sites/marshallshepherd/2019/03/07/sealioning-is-a-common-trolling-tactic-on-social-media-what-is-it/
• Ottawa man snowed in for the winter was making do when rescued by Police https://www.thestar.com/news/canada/2019/03/08/elderly-ottawa-man-dug-out-by-police-after-spending-winter-snowed-into-home.html
• US is tracking journalists, lawyers, and immigration activists https://www.nbcsandiego.com/news/local/Source-Leaked-Documents-Show-the-US-Government-Tracking-Journalists-and-Advocates-Through-a-Secret-Database-506783231.html
• Several states and provinces are reconsidering daylight savings time https://globalnews.ca/news/5033187/daylight-saving-time-british-columbia/
• 'Nightmare' consequences for woman declared dead by former employer https://www.ctvnews.ca/canada/nightmare-consequences-for-woman-declared-dead-by-former-employer-1.4326003
• Interesting case of a lost wedding ring, the power and intrusiveness of social media https://www.thestar.com/edmonton/2019/03/04/after-27-years-retired-mountie-cracks-the-case-of-the-wedding-ring-found-at-the-bottom-of-the-ocean.html
• On paywalls and publicly funded research https://www.cbc.ca/news/health/research-public-funding-academic-journal-subscriptions-elsevier-librarians-university-of-california-1.5049597?cmp=rss
• Before there were tamper evident sealed envelopes, there was letter locking https://www.schneier.com/blog/archives/2019/03/letterlocking.html

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• Space-X's Crew Dragon capsule completes first unmanned mission with a successful splashdown https://www.nytimes.com/2019/03/08/science/spacex-dragon-splashdown.html
• The Milky Way galaxy has been weighd in at 1.54T solar masses. A feat akin to a bacteria determining the weight of the Elephant it lives in https://www.syfy.com/syfywire/what-is-the-mass-of-the-milky-way
• Debunking asteriod near miss hysteria. According to the tabloids, there's always a killer asteroid hurtling towards us at 15km/s that will miss us by 0.0027 AU. Sounds scary bad! How about if they said 500K km? https://www.sciencealert.com/a-huge-asteroid-just-zoomed-by-earth-and-another-one-is-coming-soon
• Rouge planets in the Milky Way could number in the billions https://www.sciencealert.com/there-could-be-billions-of-loose-planets-roaming-the-milky-way
• NASA says the world added an Amazon's worth of greenery in 2 decades https://www.ctvnews.ca/sci-tech/world-added-an-amazon-s-worth-of-greenery-in-2-decades-nasa-1.4321918
• NASA converted a Hubble deep field image into sound and it's almost musicak https://www.sciencealert.com/nasa-turned-this-hubble-image-into-strange-haunting-music
• Strangely octopuses and squids evolve by editing their RNA https://www.sciencealert.com/it-s-official-octopus-and-squid-evolution-is-weirder-than-we-could-have-ever-imagined