This Week’s [in]Security – Issue 108 | insecurity | Control Gap

Welcome to This Week’s [in]Security. This week: PCI Card Production program updates, Wipro outsourcer supply chain breach,new Equifax regulatory reporting, more Facebook misbehavior, Sidewalk labs sued, Google location data warrants, muting home assistants, old school photo booths and the Internet, EU's SCA for e-commerce, NIST mobile app security and lightweight cryptography, banned payment processor, the mother of all bad password lists, Oracle patches, Kaspersky, Huawei, & Iranians (oh my), and much more.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

News and announcements relating to Payment Security, Payments, PCI, and Card Brands.

• The PCI Card Production program has released new documents:

  • Program Guide https://www.pcisecuritystandards.org/documents/CardProductionSecurityAssessor\(CPSA)_ProgramGuide\_v1.0Apr2019.pdf
  • Assessor Qualifications https://www.pcisecuritystandards.org/documents/CardProductionSecurity__Assessor_(CPSA)_QualificationRequirements\_v1.0Apr\_2019.pdf
  • Physical and Logical Attestations https://www.pcisecuritystandards.org/documents/PCICardProductionPhysicalAOC_V1.docx and https://www.pcisecuritystandards.org/documents/PCICardProduction__Logical__AOC_V1.docx

Breaches / Leaks

Covering breaches, leaks, data exposures, and their fallout.

• India's Just Dial exposes unprotected 100M user profile database https://thehackernews.com/2019/04/justdial-hacked-data-breach.html
• Wipro, India's 3rd largest IT outsourcer, was breached and provide a textbook case of how not to handle media relations https://krebsonsecurity.com/2019/04/how-not-to-acknowledge-a-data-breach/
• The first article on Wipro. Hacked Wipro accounts were being used to attack their US customers https://krebsonsecurity.com/2019/04/experts-breach-at-it-outsourcing-giant-wipro/
• Blue Cross Idaho suffers small breach of PHI https://www.securityweek.com/blue-cross-idaho-hacked-some-member-information-accessed
• Three chapters of the FBI National Academy Associates were breached https://www.bankinfosecurity.com/fbi-a-12380
• In related news the American Advertising Federation was breached (but it wasn't FBI data as claimed) https://www.bleepingcomputer.com/news/security/hackers-publish-aaf-member-data-claim-its-fbi-watchlist/
• Shopify app flaw exposes merchants revenues and traffic https://threatpost.com/shopify-flaw-exposed-merchant-revenue-traffic/143902/
• Equifax must report to Canada's OPC for six years for 2017 breach https://www.datex.ca/blog/equifax-forced-to-report-to-the-privacy-commissioner-of-canada-for-six-years-as-a-result-of-2017-data-breach

Privacy

Articles about privacy related news, risks, and trends.

• Recently Facebook was criticized for asking new users for their email and password then they used them to upload 1.5M users contact info https://www.businessinsider.com/facebook-uploaded-1-5-million-users-email-contacts-without-permission-2019-4
• Facebook fights to “shield Zuckerberg” from punishment in US privacy probe https://arstechnica.com/tech-policy/2019/04/ftc-may-hold-zuckerberg-personally-responsible-for-facebook-privacy-failures/
• Canada group sues government over Google's Sidewalk Labs https://www.bbc.com/news/world-us-canada-47956760
• IoT photo booths - the private photo booth pictures you took inside the Drake Hotel were totally public https://www.blogto.com/tech/2019/04/private-photos-you-took-drake-hotel-were-totally-public/
• Getting home assistants Alexa and Google Home to stop listening all the time https://www.forbes.com/sites/tjmccue/2019/04/19/alexa-is-listening-all-the-time-heres-how-to-stop-it/
• Google maps and other apps keeps your location data history in its Sensorvault - and it's increasingly being targeted by police warrants https://www.eff.org/deeplinks/2019/04/googles-sensorvault-can-tell-police-where-youve-been

Laws & Regulations / Standards

News about laws, regulations, and standards affecting security, privacy,  technology, and public interest.

• Europe is banking on the Strong Customer Authentication regulation to mitigate e-commerce fraud https://www.forbes.com/sites/jordanmckee/2019/04/14/strong-customer-authentication/
• NIST Lightweight Cryptography (LWC) Standardization Project announces round 1 candidates https://csrc.nist.gov/projects/lightweight-cryptography/round-1-candidates
• NIST SP 800-163 revision 1, Vetting the Security of Mobile Applications has been published. Update https://csrc.nist.gov/news/2019/nist-publishes-sp-800-163-rev-1 and details https://csrc.nist.gov/publications/detail/sp/800-163/rev-1/final
• Canada looking to overhaul "problematic "No-Fly" list https://www.thestar.com/news/canada/2019/04/21/canada-looks-to-united-states-for-help-on-solving-no-fly-list-headaches.html
• Ottawa should impose cyber obligations on banks, says national security expert https://www.itworldcanada.com/article/ottawa-should-impose-cyber-obligations-on-banks-says-national-security-expert/416944
• Film and TV studios suing Canadian BitTorrent users - notice will come by registered mail and shouldn't be ignored https://www.cbc.ca/news/canada/nova-scotia/movie-studios-bittorrent-users-lawsuits-norwich-order-1.5100700
• In Virginia, police use of automated license plate readers violates state's data act https://www.eff.org/deeplinks/2019/04/victory-fairfax-virginia-judge-finds-local-police-use-alpr-violates-states-data
• Another example of the broken patent system spotlit by the EFF's stupid patent of the month https://www.eff.org/deeplinks/2019/04/how-landmark-technologys-terrible-patent-has-survived
• FTC bans payment processor and owner from payments industry and levies nearly $2M contempt judgement http://www.digitaltransactions.net/payment-processor-banned-following-violation-of-ftc-settlement/
• Starz abuses DCMA to take down tweets about TV show breach https://www.independent.co.uk/life-style/gadgets-and-tech/news/twitter-tv-leak-piracy-deleted-american-gods-the-100-dmca-a8870956.html
• Even EFF's meta-tweet was taken down https://www.eff.org/deeplinks/2019/04/effs-tweet-about-overzealous-dmca-takedown-now-subject-overzealous-takedown
• Can Alexa be HIPAA compliant? https://www.careersinfosecurity.com/interviews/alexa-are-you-hipaa-compliant-i-4293

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• Top controls to improve Office 365 security https://www.packetlabs.net/increase-office-365-security/
• Intel 8th generation CPUs add a hardware shield to help protect against firmware vulnerabilities https://www.securityweek.com/intel-adds-hardware-shield-new-8th-gen-intel-core-vpro-mobile-cpus
• GCHQ issues list of worst 100K passwords and some of the most come are classically bad https://www.theguardian.com/technology/2019/apr/21/cybercrime-hacking-internet-account-passwords
• Does the US need a department of cybersecurity https://www.schneier.com/blog/archives/2019/04/adepartmentof.html
• Open source tool for analysis of Flash https://www.fireeye.com/blog/threat-research/2019/04/flashmingo-open-source-automatic-analysis-tool-for-flash.html
• Let's Encrypt making the transition away from cross-signed certs to become a trusted root certificate https://scotthelme.co.uk/lets-encrypt-to-transition-to-isrg-root/
• A paper on a practical solution to design a secure logging system that provides confidentiality, integrity, completeness, and non-repudiation https://eprint.iacr.org/2019/376
• How to delete the Windows 10 paging file on every shut down https://www.techrepublic.com/article/how-to-delete-the-windows-10-paging-file-on-every-shut-down/

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• Oracle patches nearly 300 vulnerabilities https://www.tenable.com/blog/oracle-critical-patch-update-for-april-contains-297-fixes
• Microsoft has another buggy update for Windows 10. User controllable update delays coming soon https://www.forbes.com/sites/gordonkelly/2019/04/17/microsoft-windows-10-problem-update-warning-upgrade-cost/
• Microsoft Edge vulnerable to XXE attack that can exfiltrate files https://arstechnica.com/information-technology/2019/04/unexpected-security-feature-in-microsoft-edge-could-allow-for-file-theft/
• Forgotten Windows live tiles Azure sub-domain allowed arbitrary content to be pushed into tiles https://thehackernews.com/2019/04/subdomain-microsoft-azure.html
• A bug in France's high security government instant messenger, Tchap, allowed not government users to sign up and get access to public groups https://thehackernews.com/2019/04/france-Tchap-secure-messenger.html
• Child-tracking smart watch hackable https://www.bankinfosecurity.com/australian-child-tracking-smartwatch-vulnerable-to-hackers-a-12376
• Many medical devices are insecure https://www.databreachtoday.com/interviews/dangers-unsecured-medical-devices-i-4298

Hacking / Malware / Cybercrime / Exploitation

News covering active trends and events.

• Chrome iOS sandbox vulnerability being exploited by advertising malware https://www.forbes.com/sites/daveywinder/2019/04/17/iphone-users-under-attack-as-ios-chrome-security-sandbox-fails/
• Fake Instagram apps harvest credentials https://threatpost.com/fake-instagram-apps-google-play/143786/
• A group dubbed "Sea Turtle" has targeted a large number of organizations for DNS hijacking. Article https://www.tenable.com/blog/sea-turtle-dns-hijacking-campaign-utilizes-at-least-seven-patched-vulnerabilities and discussion https://www.schneier.com/blog/archives/2019/04/newdnshijacki.html
• Article and analysis on the Triton critical infrastructure malware https://www.sciencealert.com/a-breakthrough-revives-an-old-idea-for-nuclear-fusion-that-could-power-your-home
• Airbnb scams facilitated by a service called "Land Lordz" https://krebsonsecurity.com/2019/04/land-lordz-service-powers-airbnb-scams/
• Car2Go suspended their Chicago operations after their app was exploited to steal high end rental cars https://www.schneier.com/blog/archives/2019/04/newdnshijacki.html
• Weather Channel taken offline by attack https://threatpost.com/weather-channel-off-air-hack/143936/
• Utah County and City of Stratford hit by ransomware https://www.securityweek.com/utah-county-struck-ransomware and https://globalnews.ca/news/5168004/city-of-stratford-ransomware/
• Ecuador claims 40M cyber attacks since Assange arrest https://www.securityweek.com/ecuador-says-hit-40-million-cyber-attacks-assange-arrest
• Police exploit sketchy ATM withdrawals to arrest dark web drug seller https://www.wired.com/story/sinmed-dark-web-manattan-district-attorney-atm-withdrawals/
• Malware researcher who stopped Wannacry[pt] pleads guilty to writing malware tools https://krebsonsecurity.com/2019/04/marcus-malwaretech-hutchins-pleads-guilty-to-writing-selling-banking-malware/
• UK man sentenced to 5 years for role in running Silk Road 2.0 dark web site https://www.bankinfosecurity.com/silk-road-20-operator-sentenced-to-prison-a-12378

Other Security / Risk

Articles covering other types of risks.

• Someone is outing Iranian hackers and their code https://arstechnica.com/information-technology/2019/04/a-mystery-agent-is-doxing-irans-hackers-and-dumping-their-code/
• U.S. intelligence says Huawei funded by Chinese state security https://www.reuters.com/article/us-usa-trade-china-huawei-idUSKCN1RW03D
• Huawei is going to sea raising concerns about spying on undersea cables https://www.schneier.com/blog/archives/2019/04/chinaspyingon.html
• Someone was targeting critics of Kaspersky trying to get evidence of ulterior motives for their criticism https://www.securityweek.com/mysterious-operative-haunted-kaspersky-critics
• EU changes position on Kaspersky from malicious to no evidence https://www.securityweek.com/european-commission-no-evidence-issues-kaspersky-products
• Fortinet fined for selling the US government off re-badged Chinese kit as their own https://www.theregister.co.uk/2019/04/17/dojfortinetcase/
• Researchers and Spamhaus at odds over port scanning and blacklisting https://www.theregister.co.uk/2019/04/16/spamhausportscans/
• Organizational complacency around mainframe security puts data at risk https://www.linkedin.com/pulse/kri-research-organizational-complacency-around-mainframe-ray-overby
• Gatwick drone attack may have been inside job https://www.bbc.com/news/uk-47919680
• Did the fire at Notre Dame cathedral inspire an arsonist in New York? https://globalnews.ca/news/5180061/st-patricks-cathedral-arrest/
• How temporary fixes and restoration work may have made the Notre Dame fire worse https://www.businessinsider.com/heres-what-led-to-the-collapse-of-the-notre-dame-cathedral-2019-4
• "Seasteading" and micronations are curious examples of people trying to avoid the laws of countries and come with some unique risks https://www.bbc.com/news/world-asia-47974234
• Measles cases surging up 300 to 700% https://www.bbc.com/news/health-47940710
• Interesting article about the 737 Max from a pilot and software-engineer https://spectrum.ieee.org/aerospace/aviation/how-the-boeing-737-max-disaster-looks-to-a-software-developer
• Remember the Jurassic Park raptors? Cassowaries are probably the closest living thing . Fortunately they tend to stick to themselves and don't hunt in packs https://www.sciencealert.com/a-florida-man-has-been-killed-by-a-cassowary-apparently-the-world-s-most-dangerous-bird

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• Autonomous cars may eventually make driving a rare skill but long before that driving a stick shift will disappear https://www.forbes.com/sites/jimgorzelany/2019/04/15/here-are-all-the-2019-vehicles-you-can-still-get-with-a-stick-shift/
• Progress made on small fusion device - dare we hope for Mr Fusion https://www.sciencealert.com/a-breakthrough-revives-an-old-idea-for-nuclear-fusion-that-could-power-your-home
• New type of super-conductor found https://www.sciencealert.com/physicists-have-found-an-entirely-new-type-of-superconductivity
• Naming a Black Hole https://www.sciencealert.com/the-black-hole-we-can-t-stop-talking-about-has-been-christened-with-an-unofficial-name
• Researchers 3D print a tiny human heart from donor heart tissue https://www.bbc.com/news/av/world-middle-east-47940619/israeli-scientists-print-3d-heart-using-human-tissue
• TESS may have found an Earth sized exoplanet in a nearby solar system https://www.syfy.com/syfywire/tess-may-have-bagged-its-first-earth-sized-exoplanet