This Week’s [in]Security – Issue 103
Welcome to This Week’s [in]Security. This week: Citrix, Ixigo, and a Chinese breach, the “creepy assignment”, skepticism over Facebook’s privacy shift, Windows now undoes bad fixes, IoT legislation, Bitcoin double spend, a deep dive into POS malware, Internet voting, and more.
Now here’s this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.
PCI Compliance and Payments
News and announcements relating to Payment Security, Payments, PCI, and Card Brands.
- PCI Small Merchant resource: Firewall basics https://blog.pcisecuritystandards.org/resource-for-small-merchants-firewall-basics
- PCI FAQ: can expired PTS POI device be used with SAQ B-IP? https://pcissc.secure.force.com/faq/articles/Frequently_Asked_Question/Does-the-use-of-expired-PTS-POI-devices-meet-eligibility-criteria-for-SAQ-B-IP
- Our index of PCI FAQs was updated as well https://controlgap.com/index-pci-frequently-asked-questions/
- The next PCI Acquirer forum is in Vegas at the end of April https://www.cvent.com/events/pci-ssc-acquirer-forum-april-2019-las-vegas/event-summary-0d91e46dd1d04281a6f635f88bca4e77.aspx
Breaches / Leaks
Covering breaches, leaks, data exposures, and their fallout.
- Ixigo breached for 17M records https://haveibeenpwned.com/PwnedWebsites#ixigo
- Very creepy database of almost 2M Chinese “Breed Ready” women exposed https://www.forbes.com/sites/zakdoffman/2019/03/11/exposed-chinese-database-includes-breed-ready-status-of-almost-2-million-women/
- Citrix has been breached for terabytes of data https://www.packetlabs.net/citrix-breach/
- The Citrix breach has been attributed to an Iranian-linked APT group https://threatpost.com/ranian-apt-6tb-data-citrix/142688/
- Four questions to ask after a data breach https://www.forbes.com/sites/extrahop/2019/03/15/4-questions-to-ask-immediately-after-a-data-breach/
- Two-thirds of secondhand USB drives still contain data https://www.comparitech.com/blog/information-security/secondhand-usb-drive-memory-stick-study/
- Data from the 2018 Houzz breach makes its way into Have I Been Pwned https://haveibeenpwned.com/PwnedWebsites#Houzz
Privacy
Articles about privacy-related news, risks, and trends.
- The “creepy assignment” (or the 21st century version of loose lips sink ships) – demonstrating that people expose far too much personal information in places they shouldn’t https://www.nytimes.com/2019/03/08/opinion/google-privacy.html
- Facial recognition systems trained on millions of images without consent https://www.independent.co.uk/life-style/gadgets-and-tech/news/facial-recognition-ai-algorithm-artificial-intelligence-flickr-a8820811.html
- Schneier: on judging Facebook’s privacy shift (We don’t believe it either)
- Report on workplace surveillance https://www.schneier.com/blog/archives/2019/03/on_surveillance.html
Laws & Regulations / Standards
News about laws, regulations, and standards affecting security, privacy, technology, and public interest.
- Canada looking to regulate crypto in the wake of the Quadriga collapse https://www.pymnts.com/news/regulation/2019/canada-crypto-quadriga/
- PSD2 and GDPR may be in conflict https://www.pymnts.com/news/regulation/2019/psd2-deadline-gdpr-data-privacy-payment-innovation/
- NY grand jury looking at Facebook data sharing agreements https://www.nytimes.com/2019/03/13/technology/facebook-data-deals-investigation.html
- Troy Hunt weighs in on GDPR, cookie-walls and common sense https://www.troyhunt.com/these-cookie-warning-shenanigans-have-got-to-stop/
- Case of teacher using a “spy pen” to record students shows gap between law and technology https://www.cbc.ca/news/canada/newfoundland-labrador/privacy-in-digital-age-1.5043758
Defense / Techniques / Solutions
Covering developments and opportunities that may help improve security.
- Windows 10 now automatically uninstalls problem fixes https://thehackernews.com/2019/03/windows-buggy-updates.html
- Facebook launches AI to find and remove revenge porn https://www.thestar.com/news/world/us/2019/03/15/facebook-launches-ai-to-find-and-remove-revenge-porn.html
- US introduces bipartisan IoT legislation https://epic.org/2019/03/internet-of-things-legislation.html
- DARPA tackles an open source voting system https://www.schneier.com/blog/archives/2019/03/darpa_is_develo.html
- Recommended voting machines https://freedom-to-tinker.com/2019/03/14/voting-machines-i-recommend/
- Using AI to detect Malware https://blog.trendmicro.com/trendlabs-security-intelligence/a-machine-learning-model-to-detect-malware-variants/
- Federated learning is an AI method that can support privacy https://www.technologyreview.com/s/613098/a-little-known-ai-method-can-train-on-your-health-data-without-threatening-your-privacy/
- Firefox introducing an encrypted file transfer service https://thehackernews.com/2019/03/firefox-send-encrypted-file-share.html
Bugs / Design Flaws / Vulnerabilities / Research
Articles about newly discovered vulnerabilities and research.
- Office 365 and G Suite multi-factor authentication bypassed via IMAP https://www.bleepingcomputer.com/news/security/multi-factor-auth-bypassed-in-office-365-and-g-suite-imap-attacks/
- Fix for a 10-year-old bug allows CRA to pursue $66M in overpayments https://www.cbc.ca/news/politics/cpp-oas-debt-collection-cra-esdc-duclos-it-glitch-1.5047349
- How hackers are using DNS against us https://threatpost.com/three-ways-dns-is-weaponized-and-how-to-mitigate-the-risk/142759/
- Microsoft patches several critical bugs in DHCP https://www.theregister.co.uk/2019/03/12/march_patch_tuesday_dhcp/
- Bug in certificate authority software means 2M+ certificates used by Google, GoDaddy, and others have broken serial numbers and will need to be replaced https://www.theregister.co.uk/2019/03/13/tls_cert_revoke_ejbca_config/
- WordPress flaws in pre-5.1.1 https://thehackernews.com/2019/03/hack-wordpress-websites.html
Hacking / Malware / Cybercrime / Exploitation
News covering active trends and events.
- Four wanted in nationwide bitcoin ATM “double spend” scam https://www.msn.com/en-ca/news/canada/4-wanted-in-nationwide-bitcoin-atm-scam/ar-BBUGHX6
- How Mexican banks were taken for $20M https://arstechnica.com/information-technology/2019/03/how-hackers-pulled-of-a-20-million-bank-heist/
- Skimmers hijack ATM camera as part of attack https://krebsonsecurity.com/2019/03/insert-skimmer-camera-cover-pin-stealer/
- Ad network Sizmek investigating resale of compromised accounts https://krebsonsecurity.com/2019/03/ad-network-sizmek-probes-account-breach/
- WinRAR bug being exploited as there is no auto-update https://thehackernews.com/2019/03/winrar-hacking-malware.html
- Most Android AV apps are junk or worse https://www.wired.com/story/android-antivirus-apps-bad-fake/
- Deep dive into the GlitchPOS malware https://blog.talosintelligence.com/2019/03/glitchpos-new-pos-malware-for-sale.html
- Man arrested for selling 1M Netflix and Spotify accounts https://www.cnet.com/news/fbi-australian-police-arrest-man-caught-selling-1-million-netflix-spotify-passwords/
- Three men plead guilty in scheme to trick people out of sensitive data https://arstechnica.com/information-technology/2019/03/3-men-plead-guilty-to-vishing-and-smishing-scheme-estimated-to-cost-21-million/
- Hackers love to strike on Saturday https://www.bankinfosecurity.com/blogs/hackers-love-to-strike-on-saturday-p-2731
Other Security / Risk
Articles covering other types of risks.
- 96% of Canadians can’t spot fraud https://newsroom.interac.ca/ninety-six-per-cent-of-canadians-failed-to-spot-fraud-when-put-to-the-test/
- Encryption and databases are strange bedfellows. Encryption is easy until you want to do things like searching encrypted data, then things start leaking https://blog.cryptographyengineering.com/2019/02/11/attack-of-the-week-searchable-encryption-and-the-ever-expanding-leakage-function/
- Quantum computers may not break encryption for decades https://www.tomshardware.com/news/quantum-computers-encryption-decades-researchers,38819.html
- Restarting a dead power grid is difficult but Venezuela has some additional challenges https://www.wired.com/story/venezuela-power-outage-black-start/
- Facebook’s workplace apps target competitors https://www.forbes.com/sites/quickerbettertech/2019/03/10/facebooks-workplace-app-targets-slack-microsoft-teams-and-other-small-business-tech-news-this-week/
- Google took down 2.3B bad ads in 2018 https://www.securityweek.com/google-took-down-23-billion-bad-ads-2018
- Swiss Internet voting system is flawed https://www.schneier.com/blog/archives/2019/03/critical_flaw_i.html
- Russia is testing online voting https://www.schneier.com/blog/archives/2019/03/russia_is_testi.html
- Tim Berners-Lee reflects on 30 years of the web https://www.theguardian.com/technology/2019/mar/12/tim-berners-lee-on-30-years-of-the-web-if-we-dream-a-little-we-can-get-the-web-we-want
- Australian stops arrow with mobile phone https://www.bbc.com/news/world-australia-47563634
- Man improvises life preserver with jeans https://globalnews.ca/news/5051001/jeans-flotation-device-lost-at-sea/
Off-Topic / Science & Tech / Lighter Side
A variety of scientific, technical, historical, and more light-hearted news.
- Scientists have discovered a material that blocks sound but not light or air https://www.fastcompany.com/90316833/scientists-have-discovered-a-shape-that-blocks-all-sound-even-your-co-workers
- Iridium flares, the bright, predictable flashes from the satellites meant to power satellite phones, are coming to an end as the obsolete satellites de-orbit https://www.universetoday.com/141741/the-iridium-flare-era-is-about-to-end/
- Mice cleared of Alzheimer’s-like plaque in brain using light and sound https://www.sciencealert.com/astonishing-new-study-treats-alzheimer-s-in-mice-with-a-light-and-sound-show
- University of Waterloo’s plug-and-play wheels https://scienmag.com/new-wheel-units-could-bring-vehicle-costs-down/
- Time reversed at quantum scale https://scienmag.com/physicists-reverse-time-using-quantum-computer/
- Extracting DNA from fingerprints https://scienmag.com/fingerprints-revisited/
Becoming PCI Compliant can be difficult, so why not let Control Gap guide you. We are the largest dedicated PCI compliance company in Canada. Contact us today and learn more about how we can help you: Get PCI Compliant. Stay PCI Compliant.