This Week’s [in]Security – Issue 110

Welcome to This Week’s [in]Security. This week: PCI expires older HSMs, unknown 80M record PII db exposed, 200 more Magecart victims, lawsuits over breaches, privacy violations, and financial services. Warrant-less border searches, legal battles over compelled unlocking, NIST and FIPS 140, faster patching, block-chain identity, no longer made in China, Firefox certificate glitch disables add-ons globally, low tech scam nets high tech victims, dark web take down, the IRS gets their hacker, security mindsets, killer asteroids, and more.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

News and announcements relating to Payment Security, Payments, PCI, and Card Brands.

• PCI Security Standards Council bulletin on the expiration of the approval of PCI PTS HSM version 1 devices https://www.pcisecuritystandards.org/pdfs/PCISSCBulletinontheexpirationoftheapprovalofPTSHSMv1devices.pdf
• KeyCorp, other US banks roll out 'tap-and-go’ contactless credit, debit cards https://www.cleveland.com/business/2019/05/keybank-others-roll-out-tap-and-go-contactless-credit-debit-cards.html
• Another free PCI DSS web security checkup (not to be confused with Approved Scanning Services which are still required under PCI DSS) https://betanews.com/2019/04/29/free-website-security-test/

Breaches / Leaks

Covering breaches, leaks, data exposures, and their fallout.

• Unknown data breach exposes 80 million US households https://www.vpnmentor.com/blog/report-millions-homes-exposed/
• Over 200 campus online stores skimmed by Magecart attack https://blog.trendmicro.com/trendlabs-security-intelligence/mirrorthief-group-uses-magecart-skimming-attack-to-hit-hundreds-of-campus-online-stores-in-us-and-canada/
• Data shows e-retail hacks more lucrative than ever https://krebsonsecurity.com/2019/04/data-e-retail-hacks-more-lucrative-than-ever/
• Citrix has confirmed that hackers had access to its networks for six months https://www.pymnts.com/news/security-and-risk/2019/hackers-citrix-networks-data-breach/
• $100-million class action lawsuit filed in Calgary over Marriott Hotels data breach https://edmontonjournal.com/news/local-news/100-million-class-action-lawsuit-filed-in-calgary-over-marriott-hotels-data-breach/wcm/c2ccc88a-db0d-4c4b-878a-c519918bf525

Privacy

Articles about privacy related news, risks, and trends.

• Google to offer option to auto-delete your web history https://www.bbc.com/news/technology-48132041
• Verizon, T-Mobile, Sprint, and AT&T Hit With Class Action Lawsuit Over Selling Customers’ Location Data https://motherboard.vice.com/amp/en_us/article/3k3dv3/verizon-tmobile-sprint-att-class-action-lawsuit-selling-phone-location-data
• America’s favorite door-locking app, “Latch”, has a data privacy problem https://onezero.medium.com/americas-favorite-door-locking-app-has-a-data-privacy-problem-f19169a8ab2e
• Somewhat disturbing piece on privacy written from the perspective of some nameless social media companies https://www.nytimes.com/2019/04/27/opinion/sunday/your-privacy-is-our-business.html
• The privacy paradox: why do people keep using tech firms that abuse their data? https://www.theguardian.com/commentisfree/2019/may/05/privacy-paradox-why-do-people-keep-using-tech-firms-data-facebook-scandal

Laws & Regulations / Standards

News about laws, regulations, and standards affecting security, privacy,  technology, and public interest.

• Massachusetts’ compelled decryption ruling deepens legal divide https://www.justsecurity.org/63827/split-over-compelled-decryption-deepens-with-massachusetts-case/
• Phone and laptop searches at US border 'quadruple' https://www.bbc.com/news/technology-48118558
• Canada Border Services seizes lawyer's phone, laptop for not sharing passwords https://www.cbc.ca/news/business/cbsa-boarder-security-search-phone-travellers-openmedia-1.5119017
• In the US the ACLU and EFF are challenging warrantless searches of laptops and phones https://www.eff.org/press/releases/new-documents-reveal-dhs-asserting-broad-unconstitutional-authority-search-travelers
• DHS issued a new binding operational directive requiring critical patching of Internet facing system within 15 days https://www.securityweek.com/dhs-orders-agencies-patch-critical-flaws-within-15-days
• NIST now linking with FIPS 140 on encryption https://www.nist.gov/news-events/news/2019/04/nist-links-federal-encryption-testing-international-standard-first-time
• Why isn't GDPR being enforced? https://www.schneier.com/blog/archives/2019/05/whyisntgdpr_b.html
• Putin Signs 'Russian Internet Law' to disconnect Russia https://www.forbes.com/sites/zakdoffman/2019/05/01/putin-signs-russian-internet-law-to-disconnect-the-country-from-the-world-wide-web/
• UK publishes proposed regulation for IoT device security https://www.securityweek.com/uk-publishes-proposed-regulation-iot-device-security

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• The virtues of security keys https://www.schneier.com/blog/archives/2019/05/onsecuritytok.html
• Check if your browser uses Secure DNS, DNSSEC, TLS 1.3, and Encrypted SNI https://www.ghacks.net/2019/04/29/check-if-your-browser-uses-secure-dns-dnssec-tls-1-3-and-encrypted-sni/
• NIST tool boosts chances of finding dangerous software flaws https://nakedsecurity.sophos.com/2019/04/29/nist-tool-boosts-chances-of-finding-dangerous-software-flaws/
• Mozilla will ban Firefox extensions that contain obfuscated code https://www.bleepingcomputer.com/news/security/mozilla-to-disable-firefox-add-ons-with-obfuscated-code/
• Five major Canadian banks have adopted SecureKey’s Verified.Me blockchain based identity system https://www.pymnts.com/news/digital-banking/2019/canadian-banks-blockchain-digital-id-verification/

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• Cisco pushes updates for 40 vulnerabilities including critical SSH fix for Nexus datacenter switches, Firepower firewalls, and more https://www.networkworld.com/article/3392858/cisco-issues-critical
• Expired certificate disables Firefox Add-ons world wide for two days https://www.bleepingcomputer.com/news/software/firefox-addons-being-disabled-due-to-an-expired-certificate/
• Google Chrome’s auto-scrolling of the URL can be exploited to for phishing and other purposes https://www.forbes.com/sites/daveywinder/2019/04/29/this-google-chrome-security-exploit-must-be-seen-to-be-believed-what-you-need-to-know/
• Security flaws in 100+ Jenkins plugins put enterprise networks at risk https://www.zdnet.com/google-amp/article/security-flaws-in-100-jenkins-plugins-put-enterprise-networks-at-risk/
• Huawei’s reported enterprise router 'backdoor' was Telnet https://www.theregister.co.uk/2019/04/30/huaweienterpriserouterbackdooris_telnet/
• 60 percent of enterprise codebases contain open-source vulnerabilities https://www.zdnet.com/article/60-percent-of-codebases-contain-open-source-vulnerabilities/

Hacking / Malware / Cybercrime / Exploitation

News covering active trends and events.

• Malware infests popular pirate streaming hardware https://threatpost.com/kodiboxmalware/144191/
• Not all roads lead to Magento: all payment platforms are targets for Magecart https://www.riskiq.com/blog/labs/magecart-beyond-magento/
• Qakbot self-assembly malware https://www.bleepingcomputer.com/news/security/qakbot-assembles-its
• Oracle WebLogic RCE flaw being actively exploited to spread ransomware https://thehackernews.com/2019/05/ransomware-oracle-weblogic.html
• DoS attack blamed for U.S. electrical grid disruptions https://www.securityweek.com/dos-attack-blamed-us-grid-disruptions-report
• Catholic Church sends $1.7M to criminals in business email compromise https://www.secureworldexpo.com/industry-news/business-email-compromise-example-2019
• Bitcoin scammers use low tech fake police alert posters to divert coin in Singapore https://www.pymnts.com/news/security-and-risk/2019/singapore-police-bitcoin-scam/
• Dark web market takedown https://krebsonsecurity.com/2019/05/feds-bust-up-dark-web-hub-wall-street-market/
• Man charged with hacking tax preparation firms as part of $1.5M IRS fraud scheme https://www.bankinfosecurity.com/russian-charged-15-million-cyber-tax-fraud-scheme-a-12431

Other Security / Risk

Articles covering other types of risks.

• Credit Union sues Fiserv over security irregularities https://krebsonsecurity.com/2019/05/credit-union-sues-fintech-giant-fiserv-over-security-claims/
• Audit finds the Department of Health and Human Services' information security program "not effective" https://www.bankinfosecurity.com/watchdog-agency-hhs-info-security-program-not-effective-a-12433
• The challenges of security heavy industries https://blog.isc2.org/isc2_blog/2019/04/heavy-industrial-companies-grapple-with-cybersecurity-problems.html
• Super Micro dropping China-made components after backdoor reports https://www.tomshardware.com/news/super-micro-servers-china-backdoors,39227.html
• Beluga whale with Russian made harness raises alarm in Norway https://www.ctvnews.ca/world/beluga-whale-with-russian-harness-raises-alarm-in-norway-1.4399317
• Why Canada's decisions on who builds 5G technology are so important https://www.cbc.ca/news/canada/british-columbia/5g-canada-huawei-technology-future-1.5113309
• Defending democracies against information attacks https://www.schneier.com/blog/archives/2019/04/defending_democ.html
• EFF points out the myriad of problems with social media content moderation https://www.eff.org/deeplinks/2019/04/content-moderation-broken-let-us-count-ways
• On the mindset and attitude needed in information security https://www.peerlyst.com/posts/breaking-into-infosec-attitude-and-mindset-jack-baylor
• New McAfee research reveals 61 percent of i.t. professionals have experienced a serious data breach https://www.businesswire.com/news/home/20190429005720/en/New-McAfee-Research-Reveals-61-Percent-I.T.
• A cryptographic puzzle designed by Ron Rivest was built into MIT’s CSAI lab 20 years ago has been broken - It was expected to take 35 years to solve https://hackaday.com/2019/04/30/mit-cryptographers-are-no-match-for-a-determined-belgian/
• The future may belong to the digital dead, by the year 2100, Facebook may have 4.9B dead users https://www.theguardian.com/technology/2019/apr/29/facebook-dead-users-2100-oxford
• There is no end to the tabloid stories and conspiracy theories about the case of missing flight MH370, however, new models of Indian Ocean currents suggest searches were too far south https://phys.org/news/2019-04-mathematical-approach-flight-mh370.html
• Asteroids 3 - Earth 1: Killer asteroid flattens New York in 4th Earth defense simulation https://phys.org/news/2019-05-killer-asteroid-flattens-york-simulation.html

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• Observers of January’s lunar eclipse may have been lucky enough to spot a meteorite impact that was clocked at 61km/s https://www.cbc.ca/news/technology/moon-meteorite-impact-1.5118446
• Tabloids are full articles hyping of killer asteroid near misses that are anything but – now here’s a visualization of an upcoming and very real near miss that we’ve known about for years https://gizmodo.com/its-hard-to-believe-how-close-this-asteroid-is-going-to-1834418099
• Hubble confirms finding the exotic Buckminsterfullerene (C60) “Buckyballs” in interstellar medium https://www.skyandtelescope.com/astronomy-news/hubble-confirms-interstellar-buckyballs/
• Weird black hole is shooting out wobbly jets because it's dragging spacetime https://www.sciencealert.com/extraordinary-black-hole-shoots-out-wobbling-jets-as-it-devours-a-star