This Week’s [in]Security – Issue 106 | insecurity | Control Gap

Welcome to This Week’s [in]Security. This week: PCI quiet, the future of card numbers, multiple breaches including AeroGrow card data, 500M resumes, university &, government pension PII, more Facebook data, Airbnb hidden cameras, Facebook demanding passwords to emails, political campaigns and PII, money laundering, France tripped up on own fake-news law, law that could jail tech executives, Zuckerberg's troubling ideas for regulating the Internet, recovering photos from wet iPhones, bad apps, fake cancer, GPS rollover, report on mass GPS spoofing, Mexico's ATM skimmers, cyber-crime Facebook groups, arrest at Mar-a-lago, boarder harassment, when the magic AI box breaks, lock-picking, and more.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

News and announcements relating to Payment Security, Payments, PCI, and Card Brands.

• Will credit card numbers be a thing of the past https://www.bnnbloomberg.ca/mastercard-sees-other-banks-ditching-credit-card-numbers-like-apple-did-1.1234893

Breaches / Leaks

Covering breaches, leaks, data exposures, and their fallout.

• Chinese HR recruitment firms leave half a billion resumes exposed online https://www.tripwire.com/state-of-security/featured/unsecured-databases-leaking-resumes/
• The maker of the at-home garden kit AeroGarden,
  AeroGrow, was breached by e-commerce skimming malware https://www.pymnts.com/news/security-and-risk/2019/aerogrow-malware-customer-data/
• Georgia Tech data breach exposes up to 1.3 million faculty and students https://www.ajc.com/news/breaking-news/breaking-data-breach-exposes-georgia-tech-faculty-students/
• Sensitive data from 8,000 people exposed in privacy breach at BC Pension https://www.cheknews.ca/sensitive-data-from-8000-people-exposed-in-privacy-breach-at-bc-pension-corporation-549422/ and investigation https://beta.ctvnews.ca/local/vancouver-island/2019/4/4/1_4366543.html
• Two unprotected databases containing 146GB and 540M records of Facebook data were left unprotected in AWS S3 databases by app partner Cultura Colectiva https://www.upguard.com/breaches/facebook-user-data-leak
• The Facebook/Cultura Colectiva exposure is sparking a larger debate and finger pointing https://threatpost.com/facebook-and-amazon-are-locked-in-a-blame-game-over-leaked-data-whos-really-to-blame/143467/ and https://www.wired.com/story/facebook-apps-540-million-records/
• Trends and common causes in healthcare breaches https://www.bankinfosecurity.com/tracking-common-causes-recent-health-data-breaches-a-12307
• Summary of 2019 breaches - 2.1B records in March (4.53B year to date) https://www.datex.ca/blog/list-of-data-breaches-and-cyber-attack-in-march-2019-2.1-billion-records-leaked
• More Panama Papers fallout includes billion-dollar global tax recovery with $15M found in Canada https://www.cbc.ca/news/politics/panama-papers-cra-tax-recovered-charges-1.5082058

Privacy

Articles about privacy related news, risks, and trends.

• Airbnb guest found hidden surveillance camera by scanning Wi-Fi network https://arstechnica.com/information-technology/2019/04/airbnb-guest-found-hidden-surveillance-camera-by-scanning-wi-fi-network/ (There is a related article under defense below)
• Facebook forces some users to give up their email password to register https://securityboulevard.com/2019/04/facebook-forces-users-to-give-email-password-wait-what/
• Article and discussion on how political campaigns use personal data https://www.schneier.com/blog/archives/2019/04/howpoliticalc.html and original report https://tacticaltech.org/media/Personal-Data-Political-Persuasion-How-it-works_print-friendly.pdf

Laws & Regulations / Standards

News about laws, regulations, and standards affecting security, privacy,  technology, and public interest.

• U.S. deems Canada ‘major money laundering country’ as gangs exploit weak law enforcement https://globalnews.ca/news/5102137/us-canada-major-money-laundering-country/
• An awkward moment for Twitter in a classic case of being hoisted by their own petard, France's online voting awareness campaign runs afoul of their own fake news law https://www.independent.co.uk/life-style/gadgets-and-tech/news/france-twitter-fake-news-law-social-media-a8854781.html
• Former Mozilla CTO, Trump administration critic, and US citizen files civil rights compliant against US Customs and Border Patrol after being detained and threatened at the US border. Article https://www.zdnet.com/article/former-mozilla-cto-detained-at-us-border-and-denied-a-lawyer/ and discussion https://www.schneier.com/blog/archives/2019/04/formermozilla\.html
• A new and rushed Australian law could result in social media executives going to jail for their platforms streaming hate videos https://www.cbc.ca/news/technology/australia-social-media-violence-streaming-1.5085940 and https://www.nytimes.com/2019/04/03/world/australia/social-media-law.html
• US Senate is considering a bipartisan bill to apply immediate sanctions to any country trying to hack or influence elections https://www.theregister.co.uk/2019/04/05/senateelectionbill/
• Mark Zuckerberg takes to the Washington Post with his ideas on regulating the Internet https://www.washingtonpost.com/opinions/mark-zuckerberg-the-internet-needs-new-rules-lets-start-in-these-four-areas/2019/03/29/9e6f0504-521a-11e9-a3f7-78b7525a8d5f_story.html
• EFF analysis of Zuckerberg's position: https://www.eff.org/deeplinks/2019/04/mark-zuckerberg-does-not-speak-internet
• Department of Housing and Urban Development is suing Facebook. Facebook's ad-serving algorithm discriminates by gender and race. Here's a summary https://www.technologyreview.com/s/613274/facebook-algorithm-discriminates-ai-bias/
  and analysis https://arxiv.org/abs/1904.02095
• Myspace recently lost most of their users data. A large trove of 500K songs from Myspace has surfaced - yet there seems to be no discussion of potential copyright issues https://www.independent.co.uk/life-style/gadgets-and-tech/news/myspace-lost-songs-tracks-internet-history-listen-old-a8855521.html
• Apparently banishment is still a thing - judge bars man from PEI https://beta.ctvnews.ca/national/canada/2019/4/3/1_4363557.html

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• Government security guidance for small and medium sized businesses https://www.itworldcanada.com/article/government-issues-cyber-security-guide-for-smbs/416464
• If your kids flush your iPhone and you've been told your photos are unrecoverable, read this https://www.cbc.ca/news/apple-can-t-help-how-a-molecular-biologist-trained-stay-at-home-moms-to-recover-lost-iphone-photos-1.5079639
• How to find a secret webcam in your holiday rental https://www.cnn.com/travel/article/hidden-spy-cam-airbnb-scli-intl/index.html
• Schneier comments on an "unhackable cryptography" project and compares an article and source code comments and concludes the project is interesting even if the article sounds like snake-oil https://www.schneier.com/blog/archives/2019/04/unhackable_cryp.html
• Firefox will support backward compatibility with FIDO U2F authentication https://blog.mozilla.org/security/2019/04/04/shipping-fido-u2f-api-support-in-firefox/
• Microsoft changes Windows 10 USB storage device disconnect to be safer https://www.zdnet.com/article/microsoft-changes-how-windows-10-disconnects-usb-storage-devices/
• Interesting system used to authenticate the work of an anonymous artist - Banksy https://boingboing.net/2019/03/31/di-faced-note.html

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• Checkpoint discovers critical vulnerabilities in a mobile security ap, Guard Provider, that came pre-installed on Xiaomi smart phones https://blog.checkpoint.com/2019/04/04/xiaomi-vulnerability-when-security-is-not-what-it-seems/
• Many banking mobile apps are full of holes https://www.computerworld.com/article/3387149/massive-bank-app-security-holes-you-might-want-to-go-back-to-that-money-under-the-mattress-tactic.html
• Researchers exploit medical tech and demonstrate software that alter CT scans (add or remove tumors) and trick radiologists https://www.washingtonpost.com/technology/2019/04/03/hospital-viruses-fake-cancerous-nodes-ct-scans-created-by-malware-trick-radiologists/
• Apache shared hosting - got root https://arstechnica.com/information-technology/2019/04/serious-apache-server-bug-gives-root-to-baddies-in-shared-host-environments/
• Researchers gain root access to Tesla Autopilot and also fool the lane recognition system with stickers to steer into oncoming lane. Article https://www.forbes.com/sites/thomasbrewster/2019/04/01/hackers-use-little-stickers-to-trick-tesla-autopilot-into-the-wrong-lane/ and discussion https://www.schneier.com/blog/archives/2019/04/adversarial_mac.html
• Penetration testers using Burp Suite should be aware that the upstream proxy allows others to access decrypted HTTPS https://medium.com/@armaanpathan/scary-bug-in-burp-suite-upstream-proxy-allows-hackers-to-hack-hackers-e6fc9a8d60a
• In a large scale test of UK University cyber-security, attackers succeeded in one to two hours https://www.zdnet.com/article/hackers-broke-into-university-networks-in-just-two-hours/
• Researcher gets no response from smart-watch vendor, injects fake GPS coordinates to spell out PWNED! https://nakedsecurity.sophos.com/2019/04/04/why-pwned-is-appearing-on-some-gps-smartwatches/
• In a different kind of zero-day problem reminiscent of Y2K, the GPS clock rolled back over to zero (it does this every 1024 weeks) on Saturday which may cause problems in older devices https://nakedsecurity.sophos.com/2019/04/05/serious-security-gps-week-rollover-and-the-other-sort-of-zero-day/

Hacking / Malware / Cybercrime / Exploitation

News covering active trends and events.

• Government spyware hidden in Google Play store app https://nakedsecurity.sophos.com/2019/04/02/government-spyware-hidden-in-google-play-store-apps/
• Malware hits Albany NY police department https://www.msspalert.com/cybersecurity-breaches-and-attacks/ransomware/albany-ny-malware/
• Ex-Senate employee (US) guilty of theft of personal data https://www.thestar.com/news/world/us/2019/04/06/ex-senate-employee-pleads-guilty-to-theft-of-personal-data.html
• Investigator told Saudis hacked into Amazon CEO Jeff Bezos' phone https://securityaffairs.co/wordpress/83175/security/jeff-bezos-phone-hack.html
• Two men, including the alleged head of an ATM skimming gang and the head of an ATM company, were arrested in Mexico relating to attacks on competing ATM companies https://krebsonsecurity.com/2019/04/alleged-chief-of-romanian-atm-skimming-gang-arrested-in-mexico/
• Crooks use hidden directories of compromised HTTPS sites to deliver malware https://securityaffairs.co/wordpress/83249/cyber-crime/https-sites-deliver-malware.html
• Chinese hackers poke the Bayer, but German giant says it withstood attack https://www.theregister.co.uk/2019/04/04/chinesehackersbayerbutgermangiantsaysitwithstood_attack/
• Researchers unearth 74 Facebook cybercrime groups with 385,000 members https://arstechnica.com/information-technology/2019/04/facebook-is-a-popular-venue-for-selling-all-manner-of-cybercrime-services/ and https://www.wired.com/story/facebook-cybercrime-groups-again/
• Citizen Lab on 60 Minutes feature on commercial spyware https://deibert.citizenlab.ca/2019/04/citizen-lab-on-60-minutes/

Other Security / Risk

Articles covering other types of risks.

• Former top US generals and admirals issue 'grave' warning to ban Chinese tech https://www.cnn.com/2019/04/04/asia/huawei-us-china-new-zealand-intl/index.html, https://www.lawfareblog.com/document-former-military-and-intelligence-officials-letter-5g-risks, and copy of letter https://assets.documentcloud.org/documents/5793095/Huawei-5G-Letter.pdf
• Chinese woman arrested at Mar-a-lago with 4 phones, malware laced USB and no valid reason to be there https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2019/04/03/the-cybersecurity-202-arrest-at-mar-a-lago-spotlights-simple-but-pervasive-threat-of-thumb-drives/5ca400e81b326b0f7f38f2f7/
• Incidents of GPS spoofing aren't new but now Russia is accused of a massive campaign https://nakedsecurity.sophos.com/2019/04/01/russia-accused-of-massive-gps-spoofing-campaign/
• Health care’s huge cybersecurity problem https://www.theverge.com/2019/4/4/18293817/cybersecurity-hospitals-health-care-scan-simulation
• Canada is expecting foreign interference in our upcoming Federal Election https://www.securityweek.com/foreign-interference-canadian-election-very-likely-says-minister
• Another case of DNA solving a crime - the death of an abandoned new-born baby almost 20 years ago https://www.thestar.com/news/world/us/2019/04/04/chief-family-dna-leads-police-to-mother-who-abandoned-baby.html
• Almost half the population (45%) of people aren't securely storing their tax documents https://www.datex.ca/blog/45-of-taxpayers-do-not-securely-store-tax-documents
• EU accuses German carmakers of colluding to delay clean air technology https://www.cnn.com/2019/04/05/business/volkswagen-bmw-daimler-antitrust-emissions/index.html
• Unidentified tiny satellites reveal the need for better space tracking https://www.theverge.com/2019/4/2/18277344/space-situational-awareness-air-force-tracking-sso-a-spaceflight-cubesats
• Concept drift - why machine learning models crash and burn in real life https://www.forbes.com/sites/forbestechcouncil/2019/04/03/why-machine-learning-models-crash-and-burn-in-production/

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• MIT and NASA engineers demonstrate a new kind of airplane wing https://phys.org/news/2019-04-mit-nasa-kind-airplane-wing.html
• NASA's new planet hunter, TESS, has detected an 'Exocomet' (comet orbiting another star) https://www.sciencealert.com/nasa-s-new-planet-hunter-has-detected-its-first-exocomet-orbiting-an-alien-star
• Article on why "hackers" like lock picking with video tutorial https://sector.ca/why-hackers-love-lock-picking-so-much/
• How mathematicians figured out how many Sudoko puzzles are possible - and yes it's really really big https://www.businessinsider.com/number-of-possible-sudoku-puzzle-grids-2019-4