This Week’s [in]Security – Issue 109 | insecurity | Control Gap

Welcome to This Week’s [in]Security. This week: PCI : Software Security Framework update, contactless hiccups, Breaches: Docker,, Pennsylvania PHI, Emcare, Atlanta Hawks , Bodybuilding.com, Wi-Fi hotspots db, $4.7M hard-drive, Facebook may now have to pay the piper, credit card updaters, creepy targeted ad tech, Qualcomm chips vulnerabilities, Internet Security Threat Report, cybersecurity “Exercise in a Box”, DoH is coming, Windows dropping password expiration, Microsoft Visual Studio malware, newer POODLE variants, analysis of CARBANAK malware, defeating facial recognition, another cryptocurrency scandal, Etherium’s blockchain bandit, spearphishng government money, Formjacking/Magecart, Algoma Public Health ransomware, risks of shadow IT, the hamburglar, Apple sued for $1B over racial recognition fraud, and more.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

News and announcements relating to Payment Security, Payments, PCI, and Card Brands.

• Programs update: PCI Software Security Framework https://blog.pcisecuritystandards.org/programs-update-pci-software-security-framework
• ETA announces collaboration with PCI and EMVCo for TRANSACT https://www.electran.org/events/etatransact/eta-announces-collaboration-with-pci-and-emvco-for-transact/
• The switch from old contactless (magnetic stripe) to new (EMV) is causing hiccups across the industry http://www.digitaltransactions.net/how-an-old-standard-could-trip-up-a-new-generation-of-contactless-payments/
• Moneris announces a new family of payment terminals https://www.newswire.ca/news-releases/moneris-introduces-universal-payment-application-on-next-generation-devices-867684009.html

Breaches / Leaks

Covering breaches, leaks, data exposures, and their fallout.

• 4.9M PII records of patients of a Pennsylvania addiction treatment facility were left exposed in unprotected ElasticSearch db https://threatpost.com/medical-documents-addiction-patients-leaked/143993/
• The makers of an app called Wi-Fi Finder left a db of hotspots, SSIDs, locations, and passwords unsecured https://threatpost.com/leakyappdata/144029/
• Atlanta Hawks online shop hit with Magecart payment card stealing malware https://www.cnet.com/news/hackers-hit-atlanta-hawks-with-malware-stealing-credit-card-information/
• Bodybuilding.com online retailer discloses a data breach https://www.securityweek.com/bodybuildingcom-discloses-data-breach
• Docker hub database hack exposes sensitive data of 190k users https://www.bleepingcomputer.com/news/security/docker-hub-database-hack-exposes-sensitive-data-of-190k-users/
• EmCare data breach exposes 60K employees and patients https://www.scmagazine.com/home/security-news/data-breach/emcare-data-breach-exposes-60000-employees-patients/
• Washington State University to pay more than $4.7M to settle theft of a hard disk with unencrypted PII https://www.bankinfosecurity.com/what-led-to-47-million-breach-lawsuit-settlement-a-12401
• A province-by-province breakdown of how the Facebook / Cambridge Analytica data leak affected Canadians https://www.ctvnews.ca/canada/facebook-data-leak-province-by-province-breakdown-of-affected-canadians-1.4394945
• Facebook survives despite a constant stream of privacy and security-related scandals. Is it because of its size or consumer apathy? https://www.forbes.com/sites/kalevleetaru/2019/04/21/does-facebook-survive-because-of-its-size-or-because-we-gave-up-on-privacy-and-security/
• The Best Way to Avoid Data Leaks and Privacy Scandals: Don't Own Consumer Data https://www.forbes.com/sites/joetoscano1/2019/04/24/the-best-way-to-avoid-data-leaks-and-privacy-scandals-dont-own-consumer-data/

Privacy

Articles about privacy related news, risks, and trends.

• Teen sues Apple for $1 billion after Apple stores’ facial recognition ties stolen temporary license to someone else https://nakedsecurity.sophos.com/2019/04/25/teen-sues-apple-for-1-billion-over-apple-stores-facial-recognition/
• Credit card updating service provides new card details to merchants without explicit consent https://www.cbc.ca/news/business/banking-information-shared-with-third-parties-1.5102931
• Google is facing questions from Congress about Sensorvault, its database that stores the geolocation data of millions of Android users https://www.bankinfosecurity.com/google-sensorvault-database-draws-congressional-scrutiny-a-12411
• Targeted in store advertising using creepy age and sex guessing cameras https://www.cbc.ca/news/technology/cameras-targeted-advertising-1.5107784
• Amazon team that monitors Alexa can access user locations https://globalnews.ca/news/5198562/amazon-alexa-report-locations/
• Canada’s Office of the Privacy Commissioner is taking Facebook to court after a joint probe found Facebook violated Canadian privacy laws https://techcrunch.com/2019/04/25/facebook-broke-canadian-privacy-law-joint-probe-finds/
• Facebook expects to be fined up to $5B by F.T.C. over privacy issues https://www.nytimes.com/2019/04/24/technology/facebook-ftc-fine-privacy.html

Laws & Regulations / Standards

News about laws, regulations, and standards affecting security, privacy,  technology, and public interest.

• EU votes to create huge biometric database – what could possibly go wrong https://www.zdnet.com/article/eu-votes-to-create-gigantic-biometrics-database/
• New Zealand and France to seek pact blocking extreme online content https://www.nytimes.com/2019/04/24/world/asia/ardern-social-media-content.html
• Sizing up revised model for national health data exchange https://www.bankinfosecurity.com/sizing-up-revised-model-for-national-health-data-exchange-a-12412
• California assembly’s privacy committee votes to weaken landmark privacy law https://www.eff.org/deeplinks/2019/04/california-assemblys-privacy-committee-votes-weaken-landmark-privacy-law
• In Massachusetts, police can force your finger onto a suspect's iPhone to see if it unlocks https://www.theregister.co.uk/2019/04/24/judgeforcedfingertoiphone_unlock/
• Massachusetts court blocks warrant-less access to real-time cell phone location data https://www.eff.org/deeplinks/2019/04/massachusetts-court-blocks-warrantless-access-real-time-cell-phone-location-data
• Chalking tires to issue parking tickets violates the fourth amendment, federal court rules https://www.forbes.com/sites/nicksibilla/2019/04/24/chalking-tires-to-issue-parking-tickets-violates-the-fourth-amendment-federal-court-rules/
• New York state accuses cryptocurrency exchange Bitfinex of covering up missing $850M https://www.pymnts.com/news/security-and-risk/2019/bitfinex-cryptocurrency-attorney-general/
• DoH! It’s coming and will impact governments and ISPs – DNS over HTTPS implementations are rolling out https://nakedsecurity.sophos.com/2019/04/24/dns-over-https-is-coming-whether-isps-and-governments-like-it-or-not/
• NIST released a draft for comment until June 24 of SP 1800-15, Securing Small-Business and Home Internet of Things (IoT) Devices: Mitigating Network-Based Attacks Using Manufacturer Usage Description (MUD)”. Details: https://csrc.nist.gov/publications/detail/sp/1800-15/draft and project: https://www.nccoe.nist.gov/projects/building-blocks/mitigating-iot-based-ddos
• The Tillis-Coons patent bill aims to kill Alice and will be a disaster for innovation https://www.eff.org/deeplinks/2019/04/tillis-coons-patent-bill-will-be-disaster-innovation

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• Microsoft drops password expiration policies from Windows 10 1903 security baseline measurement https://betanews.com/2019/04/25/windows-10-password-expiration-policy/
• Symantec’s Internet Security Threat Report is out and Formjacking and Magecart are high on the list https://www.symantec.com/blogs/feature-stories/istr-2019-cyber-skimming-payment-card-data-hits-big-time
• UK’s NCSC release free online cybersecurity tool “Exercise in a Box” that lets you test your hacker defenses https://www.zdnet.com/article/cyber-security-this-free-tool-lets-you-test-your-hacker-defences/
• How to stop Google from storing your location history https://www.cnbc.com/2019/04/25/how-to-stop-google-from-storing-your-location-history.html
• The SIM swap fix that the us isn't using https://www.wired.com/story/sim-swap-fix-carriers-banks/
• Attack and defense - wireless security at home https://www.packetlabs.net/home-wireless-security/
• Forbes suggests a process for easy to remember and hard to guess passwords. While it’s an improvement over the many terrible passwords people use, its use of a common root causes problems for all your passwords when there is a breach. https://www.forbes.com/sites/kevinmurnane/2019/04/21/how-to-create-unique-passwords-for-every-account-that-are-hard-to-guess-and-easy-to-remember/
• If you must use FLASH, there is an open source analysis tool to review your SWF files https://www.fireeye.com/blog/threat-research/2019/04/flashmingo-open-source-automatic-analysis-tool-for-flash.html
• A suggestion on programming languages security professionals should know https://blog.erratasec.com/2019/04/programming-languages-infosec.html

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• Security flaw lets attackers recover private keys from Qualcomm chips https://www.zdnet.com/article/security-flaw-lets-attackers-recover-private-keys-from-qualcomm-chips/
• SSL Labs will be colouring web sites using cipher-block-chaining (CBC) ciphers in orange to discourage their use. Shortly they will be failing sites vulnerable to some newer CBC vulnerabilities (i.e. Zombie POODLE, GOLDENDOODLE, 0-Length OpenSSL, and sleeping POODLE) https://blog.qualys.com/technology/2019/04/22/zombie-poodle-and-goldendoodle-vulnerabilities
• That's worse than the code to unlock my luggage, researchers wondered if any Etherium cryptocurrency wallets were protected by a private key of 1, then 2, and so on. By the time they got to the bottom of the rabbit-hole they discovered a ‘Blockchain bandit’ had scored $50Min an attack they call “Ethercombing” https://www.wired.com/story/blockchain-bandit-ethereum-weak-private-keys/
• Windows 10’s big May 2019 Update is blocked on PCs using USB storage https://www.theverge.com/2019/4/24/18514479/microsoft-windows-10-may-2019-update-usb-storage-block
• Massively insecure peer-to-peer protocol used in Chinese made IoT security cameras https://krebsonsecurity.com/2019/04/p2p-weakness-exposes-millions-of-iot-devices/
• Revenge of the gummy fingers? Samsung Galaxy S10 fingerprint scanner Tricked with 3D Print https://www.bleepingcomputer.com/news/security/samsung-galaxy-s10-fingerprint-scanner-tricked-with-3d-print/
• Hacker finds he can remotely kill car engines after breaking into GPS tracking apps https://motherboard.vice.com/en_us/article/zmpx4x/hacker-monitor-cars-kill-engine-gps-tracking-apps
• Researchers defeat facial recognition systems with an adversarial imaging attack. With further work they might be able to print it on a T-shirt https://www.theregister.co.uk/2019/04/19/defenseagainstthedarknetorhowtoaccessorizetodefeatsurveillance/
• A collision forgery attack has been published against SNEIKEN (lightweight cryptography candidate) https://eprint.iacr.org/2019/408 (SNEIK was just announced as a NIST round 1 candidate https://csrc.nist.gov/Projects/Lightweight-Cryptography/Round-1-Candidates))

Hacking / Malware / Cybercrime / Exploitation

News covering active trends and events.

• Old vulnerabilities are still good tricks for today's attacks https://www.bleepingcomputer.com/news/security/old-vulnerabilities-are-still-good-tricks-for-todays-attacks/
• Spear-phishing government financial authorities with fake top-secret Excel document and malicious TeamViewer https://threatpost.com/teamviewer-attacks-state-department/144014/
• Google bans developer with half a billion app downloads from Play Store for Ad fraud https://www.engadget.com/2019/04/26/google-bans-app-developer-do-global-play-store-ad-fraud/
• ExtraPulsar backdoor based on leaked NSA code https://nakedsecurity.sophos.com/2019/04/25/extrapulsar-backdoor-based-on-leaked-nsa-code-what-you-need-to-know/
• Who’s behind the RevCode WebMonitor RAT? https://krebsonsecurity.com/2019/04/whos-behind-the-revcode-webmonitor-rat/
• The anatomy of highly profitable credential stuffing attacks https://www.bleepingcomputer.com/news/security/the-anatomy-of-highly-profitable-credential-stuffing-attacks/
• A deep dive into source code of the CARBANAK backdoor used by the FIN7 APT https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-one-a-rare-occurrence.html, http://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-two-continuing-source-code-analysis.html, http://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-three-behind-the-backdoor.html, and https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-four-desktop-video-player.html
• Deep dive on C runtime code tampering supply chain attacks https://blog.trendmicro.com/trendlabs-security-intelligence/analyzing-c-c-runtime-library-code-tampering-in-software-supply-chain-attacks/
• Supply chain malware attack targeting Microsoft Visual Studio and video games https://www.wired.com/story/supply-chain-hackers-videogames-asus-ccleaner/
• The Chipotle hack and the troubling trend of credential stuffing – was it a breach or just bad loss prevention? https://www.pymnts.com/news/security-and-risk/2019/chipotle-hack-credential-stuffing-attack-kount/
• No personal information compromised after ransomware attack at Algoma Public Health https://www.cbc.ca/news/canada/sudbury/ransomware-attack-algoma-health-1.5107037
• The FBI's recovery asset team on blocking fraudulent wire transfers https://www.bankinfosecurity.com/blogs/fbis-rat-blocking-fraudulent-wire-transfers-p-2740
• An amalgam of cybercrime statistics from various surveys and reports https://www.thesslstore.com/blog/80-eye-opening-cyber-security-statistics-for-2019/
• FBI Internet Crime Complaint Center recorded $2.7 B in losses in 2018 https://www.darkreading.com/risk/fbi-$27-billion-in-losses-to-cyber-enabled-crimes-in-2018/d/d-id/1334498
• Ex-student records himself using USB Killer to fry college computers https://nakedsecurity.sophos.com/2019/04/24/killer-usb-key-fries-66-machines/
• Last reported https://controlgap.com/blog/this-weeks-insecurity-issue-99/, the hamburglar strikes again feasting on $2,000 in meals using customer's McDonald's app https://www.cbc.ca/news/business/mcdonald-s-app-fraudster-online-account-1.5113012

Other Security / Risk

Articles covering other types of risks.

• 25% of workers knowingly ignore security rules https://www.darkreading.com/threat-intelligence/1-in-4-workers-are-aware-of-security-guidelines--- but-ignore-them/d/d-id/1334492
• Three out of five IT workers share sensitive information by email https://www.zdnet.com/article/three-out-of-five-tech-workers-share-sensitive-information-by-email/
• Why shadow IT is the next looming cybersecurity threat https://thenextweb.com/podium/2019/04/25/why-shadow-it-is-the-next-looming-cybersecurity-threat/
• The Five-Eyes will be making a joint appearance at Cyber UK https://www.bankinfosecurity.com/five-eyes-intelligence-members-to-detail-cyber-threats-a-12408
• Facebook urged to tackle spread of fake profiles used by US police https://www.theguardian.com/technology/2019/apr/22/facebook-law-enforcement-fake-profiles-ice
• Social media companies 'actively' serve up extremist material to users to maximise profits, MPs say https://www.independent.co.uk/news/uk/home-news/youtube-facebook-twitter-extremist-content-profit-home-affairs-a8884881.html
• Sewage and cyber threats: Feds probe TransAqua's digital security https://www.cbc.ca/news/canada/new-brunswick/transaqua-cyber-security-sewage-1.5090170
• Last fall David Patterson said Moore’s Law is over and it’s time for new computer architectures and software languages https://spectrum.ieee.org/view-from-the-valley/computing/hardware/david-patterson-says-its-time-for-new-computer-architectures-and-software-languages
• 'Passengers are afraid of this airplane': How Boeing is handling its 737 Max problem https://www.cbc.ca/news/business/the-national-737-max-boeing-1.5107529
• Three challenges to achieving truly autonomous cars https://www.technologyreview.com/s/613399/the-three-challenges-keeping-cars-from-being-fully-autonomous/
• Ballot Marking Devices aren’t auditable in a meaningful way https://freedom-to-tinker.com/2019/04/22/bmds-are-not-meaningfully-auditable/
• 1200 people have died from Measles since October https://www.businessinsider.com/measles-has-killed-1200-people-since-october-2019-4
• This never-ending livestream of ai-generated death metal is giving us serious anxiety http://www.sciencealert.com/new-24-7-ai-generated-death-metal-youtube-stream-is-giving-us-anxiety

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• Was that my inside voice? Scientists unveil a 'brain decoder' that turns neural activity into speech http://www.sciencealert.com/a-new-kind-of-brain-decoder-turns-neural-activity-for-speaking-directly-into-speech
• Scientists may have figured out why Earth’s magnetic poles are moving so fast recently http://www.sciencealert.com/we-might-finally-understand-why-earth-s-magnetic-field-regularly-jerks
• Study finds solar and wind power make electricity much more expensive https://www.forbes.com/sites/michaelshellenberger/2019/04/22/unreliable-nature-of-solar-and-wind-makes-electricity-much-more-expensive-major-new-study-finds/
• Dark matter search discovers an unstable isotope of Xeon with an amazing long half-life https://www.forbes.com/sites/startswithabang/2019/04/24/dark-matter-search-discovers-a-spectacular-bonus-the-longest-lived-unstable-element-ever/
• 'Amateur' astronomers create an incredible 1000+ hour image of a galactic neighbor https://www.syfy.com/syfywire/amateur-astronomers-create-an-incredible-1000-hour-image-of-a-galactic-neighbor