This Week’s [in]Security – Issue 103 | insecurity | Control Gap

Welcome to This Week’s [in]Security. This week: Citrix, Ixigo, and a Chinese breach, the "creepy assignment", skepticism over Facebook's privacy shift, Windows now undoes bad fixes, IoT legislation, Bitcoin double spend, a deep dive into POS malware, Internet voting, and more.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

News and announcements relating to Payment Security, Payments, PCI, and Card Brands.

• PCI Small Merchant resource: Firewall basics https://blog.pcisecuritystandards.org/resource-for-small-merchants-firewall-basics
• PCI FAQ: can expired PTS POI device be used with SAQ B-IP? https://pcissc.secure.force.com/faq/articles/FrequentlyAskedQuestion/Does-the-use-of-expired-PTS-POI-devices-meet-eligibility-criteria-for-SAQ-B-IP
• Our index of PCI FAQs was updated as well https://controlgap.com/index-pci-frequently-asked-questions/we updated our index )
• The next PCI Acquirer forum is in Vegas at the end of April https://www.cvent.com/events/pci-ssc-acquirer-forum-april-2019-las-vegas/event-summary-0d91e46dd1d04281a6f635f88bca4e77.aspx

Breaches / Leaks

Covering breaches, leaks, data exposures, and their fallout.

• Ixigo brached for 17M records https://haveibeenpwned.com/PwnedWebsites#ixigo
• Very creepy database of almost 2M Chinese "Breed Ready" women exposed https://www.forbes.com/sites/zakdoffman/2019/03/11/exposed-chinese-database-includes-breed-ready-status-of-almost-2-million-women/
• Citrix has been breached for terabytes of data https://www.packetlabs.net/citrix-breach/
• The Citrix breach has been attributed to an Iranian linked APT group https://threatpost.com/ranian-apt-6tb-data-citrix/142688/
• Four questions to ask after a data breach https://www.forbes.com/sites/extrahop/2019/03/15/4-questions-to-ask-immediately-after-a-data-breach/
• Two-thirds of secondhand USB drives still contain data https://www.comparitech.com/blog/information-security/secondhand-usb-drive-memory-stick-study/
• Data from the 2018 Houzz breach makes it's way into have I been pwned https://haveibeenpwned.com/PwnedWebsites#Houzz

Privacy

Articles about privacy related news, risks, and trends.

• The "creepy assignment" (or the 21st century version of loose lips sink ships) - demonstrating people expose far too much personal information in places they shouldn't https://www.nytimes.com/2019/03/08/opinion/google-privacy.html
• Facial recognition systems trained on millions of images without consent https://www.independent.co.uk/life-style/gadgets-and-tech/news/facial-recognition-ai-algorithm-artificial-intelligence-flickr-a8820811.html
• Schneier: on judging Facebook's privacy shift (We don't believe it either)
• https://www.schneier.com/blog/archives/2019/03/judging_faceboo.html
• Report on workplace surveillance https://www.schneier.com/blog/archives/2019/03/on_surveillance.html

Laws & Regulations / Standards

News about laws, regulations, and standards affecting security, privacy,  technology, and public interest.

• Canada looking to regulate crypto in the wake of the Quadriga collapse https://www.pymnts.com/news/regulation/2019/canada-crypto-quadriga/
• PSD2 and GDPR may be in conflict https://www.pymnts.com/news/regulation/2019/psd2-deadline-gdpr-data-privacy-payment-innovation/
• NY grand jury looking at Facebook data sharing agreements https://www.nytimes.com/2019/03/13/technology/facebook-data-deals-investigation.html
• Troy Hunt weighs in on GDPR, cookie-walls and common sense https://www.troyhunt.com/these-cookie-warning-shenanigans-have-got-to-stop/
• Case of teacher using a "spy pen" to record students shows gap between law and technology https://www.cbc.ca/news/canada/newfoundland-labrador/privacy-in-digital-age-1.5043758

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• Windows 10 now automatically uninstalls problem fixes https://thehackernews.com/2019/03/windows-buggy-updates.html
• Facebook launches AI to find and remove revenge porn https://www.thestar.com/news/world/us/2019/03/15/facebook-launches-ai-to-find-and-remove-revenge-porn.html
• US introduces bipartisan IoT legislation https://epic.org/2019/03/internet-of-things-legislation.html
• DARPA tackles an open source voting system https://www.schneier.com/blog/archives/2019/03/darpaisdevelo.html
• Recommended voting machines https://freedom-to-tinker.com/2019/03/14/voting-machines-i-recommend/
• Using AI to detect Malware https://blog.trendmicro.com/trendlabs-security-intelligence/a-machine-learning-model-to-detect-malware-variants/
• Federated learning is an AI method that can support privacy https://www.technologyreview.com/s/613098/a-little-known-ai-method-can-train-on-your-health-data-without-threatening-your-privacy/
• Firefox introducing and encrypted file transfer service https://thehackernews.com/2019/03/firefox-send-encrypted-file-share.html

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• Office 365 and G-suite multi-factor authentication bypass by IMAP https://www.bleepingcomputer.com/news/security/multi-factor-auth-bypassed-in-office-365-and-g-suite-imap-attacks/
• 10 year old bug fixed allows CRA to pursue $66M in overpayments https://www.cbc.ca/news/politics/cpp-oas-debt-collection-cra-esdc-duclos-it-glitch-1.5047349
• How hackers are using DNS against us https://threatpost.com/three-ways-dns-is-weaponized-and-how-to-mitigate-the-risk/142759/
• Microsoft patches several critical bugs in DHCP https://www.theregister.co.uk/2019/03/12/marchpatchtuesday_dhcp/
• Bug in certificate authority software means 2M+ certificates used by Google, GoDaddy, and others have broken serial numbers and will need to be replaced https://www.theregister.co.uk/2019/03/13/tlscertrevokeejbcaconfig/
• WordPress flaws in pre-5.1.1 https://thehackernews.com/2019/03/hack-wordpress-websites.html

Hacking / Malware / Cybercrime / Exploitation

News covering active trends and events.

• Four wanted in nationwide bitcoin ATM "double spend" scam https://www.msn.com/en-ca/news/canada/4-wanted-in-nationwide-bitcoin-atm-scam/ar-BBUGHX6
• How Mexican banks were taken for $20M https://arstechnica.com/information-technology/2019/03/how-hackers-pulled-of-a-20-million-bank-heist/
• Skimmer's hijack ATM camera as part of attack https://krebsonsecurity.com/2019/03/insert-skimmer-camera-cover-pin-stealer/
• Ad network Sizmek investigating resale of compromised accounts https://krebsonsecurity.com/2019/03/ad-network-sizmek-probes-account-breach/
• WinRAR bug being exploited as there in no auto-update https://thehackernews.com/2019/03/winrar-hacking-malware.html
• Most Android AV apps are junk or worse https://www.wired.com/story/android-antivirus-apps-bad-fake/
• Deep dive into the GlitchPOS malware https://blog.talosintelligence.com/2019/03/glitchpos-new-pos-malware-for-sale.html
• Man arrested for selling 1M Netflix and Spotify accounsts https://www.cnet.com/news/fbi-australian-police-arrest-man-caught-selling-1-million-netflix-spotify-passwords/
• Three men plead guilty in scheme to trick people out of sensitive data https://arstechnica.com/information-technology/2019/03/3-men-plead-guilty-to-vishing-and-smishing-scheme-estimated-to-cost-21-million/
• Hacker love to strike on Saturday https://www.bankinfosecurity.com/blogs/hackers-love-to-strike-on-saturday-p-2731

Other Security / Risk

Articles covering other types of risks.

• 96% of Canadians can't spot fraud https://newsroom.interac.ca/ninety-six-per-cent-of-canadians-failed-to-spot-fraud-when-put-to-the-test/
• Encryption and databases are strange bedfellows. Encryption is easy until you want to do things like searching encrypted data, then things start leaking https://blog.cryptographyengineering.com/2019/02/11/attack-of-the-week-searchable-encryption-and-the-ever-expanding-leakage-function/
• Quantum computers may not break encryption for decades https://www.tomshardware.com/news/quantum-computers-encryption-decades-researchers,38819.html
• Restarting a dead power grid is difficult but Venezuela has some additional challenges https://www.wired.com/story/venezuela-power-outage-black-start/
• Facebook's workplace apps target competitors https://www.forbes.com/sites/quickerbettertech/2019/03/10/facebooks-workplace-app-targets-slack-microsoft-teams-and-other-small-business-tech-news-this-week/
• Google took down 2.3B bad ads in 2018 https://www.securityweek.com/google-took-down-23-billion-bad-ads-2018
• Swiss Internet voting system is flawed https://www.schneier.com/blog/archives/2019/03/criticalflawi.html
• Russia is testing Online voiting https://www.schneier.com/blog/archives/2019/03/russiaistesti.html
• Tim Berners-Lee reflects on 30 years of the web https://www.theguardian.com/technology/2019/mar/12/tim-berners-lee-on-30-years-of-the-web-if-we-dream-a-little-we-can-get-the-web-we-want
• Australian stops arrow with mobile phone https://www.bbc.com/news/world-australia-47563634
• Man improvises life preserver with jeans https://globalnews.ca/news/5051001/jeans-flotation-device-lost-at-sea/

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• Scientists have discovered a material that blocks sound but not light or air https://www.fastcompany.com/90316833/scientists-have-discovered-a-shape-that-blocks-all-sound-even-your-co-workers
• Iridium flares, the bright predictable flashes from the satellites meant to power satellite phones are coming to an end as the obsolete satellites de-orbit https://www.universetoday.com/141741/the-iridium-flare-era-is-about-to-end/
• Mice cleared of Alzheimer's like-plaque in brain using light and sound https://www.sciencealert.com/astonishing-new-study-treats-alzheimer-s-in-mice-with-a-light-and-sound-show
• University of Waterloo's plug-and-play wheels https://scienmag.com/new-wheel-units-could-bring-vehicle-costs-down/
• Time reversed at quantum scale https://scienmag.com/physicists-reverse-time-using-quantum-computer/
• Extracting DNA from fingerprints https://scienmag.com/fingerprints-revisited/