This Week’s [in]Security – Issue 104 | insecurity | Control Gap

Welcome to This Week’s [in]Security. This week: NIST FPE update may render some deployed solutions weak, NIST formalizes TDES sunset, Magecart breaches at MyPillow and Amerisleep, stalkerware exposes spied data, Facebook storing plain-text passwords, 100K GitHub repositories exposed API and cryptographic keys, DHS client breach, FEMA overshared PII with contractor, more credential collections, Gearbest breach, motel spycam arrests, TLS middle-boxes, Google fined, did Facebook learn anything from the CA scandal, MySpace fumbles, the immutable Blockchain vs unstoppable laws, Boeing 737 Max investigations, FUD and sales, the risks meteors, CMEs & SPEs, and more.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

News and announcements relating to Payment Security, Payments, PCI, and Card Brands.

• NIST is updating the Format Preserving Encryption standard in a way that may impact the PCI compliance of some deployed FPE solutions rendering them "weak" https://controlgap.com/blog/nist-update-to-format-preserving-encryption-standard-affects-pci-use-cases/
• Visa card that lets you spend crypto-currencies https://www.coindesk.com/banking-startup-launching-visa-card-that-lets-you-spend-7-cryptos
• Tokens have more applications than payment card numbers both in the payments space and beyond http://www.digitaltransactions.net/the-future-of-tokens-will-extend-beyond-payments/
• New Jersey is 2nd state to ban cashless stores https://arstechnica.com/tech-policy/2019/03/new-jersey-becomes-second-state-to-ban-cashless-shops-and-restaurants/

Breaches / Leaks

Covering breaches, leaks, data exposures, and their fallout.

• Perspective of one who's been "breached" / "leaked" / or "exposed" https://www.wired.com/story/exactis-data-leak-fallout/
• MyPillow and Amerisleep's e-commerce sites were breached for card data by a Magecart attack https://www.riskiq.com/blog/labs/magecart-mypillow-amerisleep/
• Oregon DHS spear-phishing attack potentially exposed over 2M emails of over 350K DHS clients https://www.bleepingcomputer.com/news/security/2-million-emails-of-350k-clients-possibly-exposed-in-oregon-dhs-data-breach/
• Chinese retailer Gearbest exposes an unprotected ElasticSearch db with 1.5M customer records https://www.bankinfosecurity.com/gearbest-database-leaks-15-million-customer-records-a-12198
• A company that sells consumer spy/stalker-ware left a db unprotected and exposed containing tens of thousands of images, audio, and emails. And they don't seem to be aware of the breach despite attempts to contact them https://motherboard.vice.com/en_us/article/j573k3/spyware-data-leak-pictures-audio-recordings
• Over 100K GitHub repositories have leaked API or cryptographic keys https://www.zdnet.com/article/over-100000-github-repos-have-leaked-api-or-cryptographic-keys/
• Facebook was logging user passwords in plain text internally that were accessible to thousands of employees https://krebsonsecurity.com/2019/03/facebook-stored-hundreds-of-millions-of-user-passwords-in-plain-text-for-years/
• FEMA overshared the PII of 2.3M disaster survivors with a contractor https://www.bleepingcomputer.com/news/security/fema-data-leak-exposes-personal-info-of-23m-disaster-survivors/
• Another large collection of 26M records is up for sale on the dark web https://threatpost.com/fourth-credential-spill-dreammarket/142901/
• Unsecured fax server at a software vendor leaked patient data https://www.databreachtoday.com/unsecure-fax-server-leaked-patient-data-a-12193
• Summary of February breaches 700M records https://www.datex.ca/blog/list-of-data-breaches-and-cyber-attacks-in-february-2019-692853046-records-leaked

• The Have I Been Pwned database has been updated with data from three 2018 breaches

  • HauteLook (28M) https://haveibeenpwned.com/PwnedWebsites#HauteLook
  • 8fit (15M) https://haveibeenpwned.com/PwnedWebsites#8fit
  • Bookmate (3M) https://haveibeenpwned.com/PwnedWebsites#Bookmate

Privacy

Articles about privacy related news, risks, and trends.

• In Europe, Android users will be prompted for for their choice of default browser https://thehackernews.com/2019/03/google-android-europe-chrome.html
• Google's photo searched index could be repeatedly queried to track people, location, and time https://www.imperva.com/blog/now-patched-google-photos-vulnerability-let-hackers-track-your-friends-and-location-history/
• EPIC calling for audits into access and use of automated license plate reader databases https://www.eff.org/deeplinks/2019/03/heres-why-you-cant-trust-what-cops-and-companies-claim-about-automated-license
• The Cambridge Analytica scandal apparently didn't change Facebook https://www.theguardian.com/technology/2019/mar/17/the-cambridge-analytica-scandal-changed-the-world-but-it-didnt-change-facebook

Laws & Regulations / Standards

News about laws, regulations, and standards affecting security, privacy,  technology, and public interest.

• EU fines Google $1.7B for unfair advertising practices https://www.nytimes.com/2019/03/20/business/google-fine-advertising.html
• Supreme Court takes up case over State's ability to prosecute for SSN fraud and identity theft https://www.pymnts.com/legal/2019/supreme-court-social-security-fraud-illegal-immigrants/
• 130 companies tell EU parliament to reject the new copyright directive https://www.eff.org/deeplinks/2019/03/more-130-european-businesses-tell-european-parliament-reject-copyrightdirective
• In June, NIST is sponsoring the FISSEA conference promoting employee cybersecurity awareness and training programs. The call for papers is open until April 9th https://content.govdelivery.com/accounts/USNIST/bulletins/2384fdf
• NIST published (SP) 800-131A Revision 2, Transitioning the Use of Cryptographic Algorithms and Key Lengths. It includes a strategy for sun-setting Triple Data Encryption Algorithm (TDEA) by 2024. Details: https://csrc.nist.gov/publications/detail/sp/800-131a/rev-2/final
• NIST updated (SP) 800-56B Revision 2, Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography. The update includes deprecation of TDEA. Details: https://csrc.nist.gov/publications/detail/sp/800-56b/rev-2/final and updates https://csrc.nist.gov/news/2019/nist-publishes-sp-800-56B-revision-2
• TLS 1.3 is better for privacy but creates challenges for some enterprise solutions https://www.darkreading.com/endpoint/tls-13-a-good-news-bad-news-scenario/a/d-id/1334180
• Peloton is being sued for $150M over improper licensing of music https://www.pymnts.com/legal/2019/lawsuit-peloton-bike-music-streaming-licensing/

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• Startup promoting 'homomorphic' encryption a mathematically complex method that allows some operations to be performed on encrypted data without actually decrypting it. A possible solution for improved privacy. https://www.fastcompany.com/90314942/duality-homomorphic-encryption
• The Cybersecurity 202: Government can’t fight cyber threats alone https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2019/03/19/the-cybersecurity-202-government-can-t-fight-cyber-threats-alone-dhs-secretary-says/5c9040651b326b0f7f38f1cc/
• CloudFlare now offers tools to detect HTTPS interception https://blog.cloudflare.com/monsters-in-the-middleboxes/
• Firefox will support FIDO2 and Windows 10 Hello (password-less) authentication https://blog.mozilla.org/security/2019/03/19/passwordless-web-authentication-support-via-windows-hello/
• Google open sources their sandbox API https://www.securityweek.com/google-open-sources-sandboxed-api
• CarbonCopy is a test tool which will make a completely spoofed (but self-signed) copy of a certificate - great for security and awareness
  testing https://kalilinuxtutorials.com/carboncopy-spoofed-certificate/
• The Australian Intelligence Agency joins the NSA and GCHQ by publishing their vulnerability disclosure process https://www.securityweek.com/australias-intelligence-agency-publishes-its-vulnerability-disclosure-process

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• IoT medical devices can be hacked over the air https://www.theregister.co.uk/2019/03/22/medtronicimplanteddefibrillator_hackable/
• Business don't scrub their tech kit. Researcher finds 94% (80 of 85) pre-owned devices wiped or encrypted https://threatpost.com/secondhandinsecure_data/142948/
• Krebs on the problems of using phone numbers for identity https://krebsonsecurity.com/2019/03/why-phone-numbers-stink-as-identity-proof/
• The least secure programming languages are .... https://www.techrepublic.com/article/the-3-least-secure-programming-languages/
• Google and Microsoft cooperate to close off a new class of Windows vulnerability https://nakedsecurity.sophos.com/2019/03/20/google-researcher-discovers-new-type-of-windows-security-weakness/
• Putty and Libssh are releasing a patch for several security vulnerabilities https://thehackernews.com/2019/03/putty-software-hacking.html and https://thehackernews.com/2019/03/libssh2-vulnerabilities.html
• Android patches 5 year old Chromium bug including older OS's https://www.wired.com/story/android-vulnerability-five-years-fragmentation/
• The NSA just open sourced GHIDRA, a software reverse engineering tool. Researchers have already found vulnerabilities https://threatpost.com/nsa-ghidra-bug-rce/142937/
• Microsoft won't fix complex hack tricks user into unauthorized registry updates https://nakedsecurity.sophos.com/2019/03/19/microsoft-wont-patch-windows-registry-warning-problem/
• Glitch in new Presto app can shut down systems https://www.cbc.ca/news/canada/toronto/toronto-man-finds-apparent-glitch-on-presto-1.5061232

Hacking / Malware / Cybercrime / Exploitation

News covering active trends and events.

• Orange County, North Carolina has now been hit three times by ransomware https://www.bankinfosecurity.com/north-caroline-county-suffers-repeat-ransomware-infections-a-12217
• Norsk Hydro's aluminum smelting plants hit by sever ransomware attack https://www.bbc.com/news/technology-47624207
• Discussion and link to article on Triton SCADA malware https://www.schneier.com/blog/archives/2019/03/triton.html
• The Mirai malware botnet is getting upgrades https://www.bankinfosecurity.com/mirai-botnet-code-gets-exploit-refresh-a-12197
• DDoS attacks down after FBI crackdown https://threatpost.com/threatlist-ddos-attack-sizes-drop-85-percent-post-fbi-crackdown/142907/
• Seoul police have made arrests in a voyeuristic live streaming for profit that secretly filmed people in motels undressing and having sex https://threatpost.com/spycams-motels-live-streamed/143106/
• Scanning all IPv6 addresses isn't feasible, but IPv4 UPnP can give up info on IPv6 https://blog.talosintelligence.com/2019/03/ipv6-unmasking-via-upnp.html
• A new study finds the vast majority of Bitcoin trading is a hoax https://www.cnbc.com/2019/03/22/majority-of-bitcoin-trading-is-a-hoax-new-study-finds.html

Other Security / Risk

Articles covering other types of risks.

• More cyber-security training and vulnerability management is needed https://blog.isc2.org/isc2_blog/2019/03/new-cybersecurity-reports-point-to-increased-need-for-retraining-and-vulnerability-management.html
• Unfortunately some cybersecurity vendors are resorting to lies and blackmail to get pitches in front of executives https://www.cnbc.com/2019/03/18/heres-how-cybersecurity-vendors-drive-the-hacking-news-cycle.html
• Article and discussion over the argument that cybersecurity is not very important https://www.schneier.com/blog/archives/2019/03/anargumenttha.html
• The latest Facebook security gaffe shows how Facebook doesn't care and there are no real, lasting, or felt consequences https://www.forbes.com/sites/kalevleetaru/2019/03/23/facebook-succeeded-in-killing-cybersecurity-like-it-did-privacy/#20ba328f4549
• AI and machine learning are different https://www.forbes.com/sites/nicolemartin1/2019/03/19/machine-learning-and-ai-are-not-the-same-heres-the-difference/
• Rabbitholes are the dark side of YouTube's recommendation algorithm https://www.scientificamerican.com/article/youtubes-recommendation-algorithm-has-a-dark-side/

• The tech vs real world version of the immovable object and unstoppable force may be blockchain's imutability

  • GDPR vs Blockchain - how can immutable memory forget?https://101blockchains.com/blockchain-gdpr/
  • New reporting of child abuse imagery in the BSV blockchain https://www.bbc.com/news/technology-47130268
  • 2018 reporting of child abuse images in the Bitcoin blockchain https://www.theguardian.com/technology/2018/mar/20/child-abuse-imagery-bitcoin-blockchain-illegal-content
• Once hailed as unhackable, blockchains are now getting hacked https://www.technologyreview.com/s/612974/once-hailed-as-unhackable-blockchains-are-now-getting-hacked/
• Myspace lost all pre-2016 user content https://www.theguardian.com/technology/2019/mar/18/myspace-loses-all-content-uploaded-before-2016
• Snoden archives being mothballed https://www.schneier.com/blog/archives/2019/03/firstlookmedi.html
• Europe and Canada aren't relying on the US investigation of the Boeing 737 Max 8 self-certification investigation https://www.businessinsider.com/eu-canada-investigating-boeing-737-max-in-apparent-snub-to-us-2019-3 and https://arstechnica.com/information-technology/2019/03/boeing-downplayed-737-max-software-risks-self-certified-much-of-planes-safety/
• In December a meteor detonated 25km over the Bearing Sea with a force of 173 kT and nobody noticed at the time https://www.sciencealert.com/a-meteor-blast-over-the-bering-sea-was-the-size-of-10-hiroshimas-and-we-all-missed-it
• Scientists are looking into historical Solar Proton Events, the bigger-badder cousins of Coronal Mass Ejections, which could have catastrophic impact on power grids and tech https://www.cbc.ca/news/technology/solar-storm-1.5058330
• Apparently no one who watched the live streamed New Zealand mosque terror attack reported it! https://www.washingtonpost.com/nation/2019/03/19/new-zealand-mosque-shooters-facebook-live-stream-was-viewed-thousands-times-before-being-removed/
• Almost 300 people have died on Mt. Everest and most of the bodies are still there. Now melting glaciers are exposing them https://www.bbc.com/news/science-environment-47638436
• GCHQ releases simulators for WWII cryptographic kit including the Engima, Typex, and Bombe https://www.theregister.co.uk/2019/03/18/gchqenigmaemulator/

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• New and more effective process found for extracting Hydrogen from seawater https://www.sciencealert.com/scientists-have-found-an-easy-way-to-turn-seawater-into-hydrogen-fuel
• If you know about the two century old treasure hunt on Oak Island, you may know of one of the most dedicated treasure hunters Dan Blankenship who just passed away at 95 https://globalnews.ca/news/5071131/dan-blankenship-oak-island-obit/