This Week’s [in]Security – Issue 116 | insecurity | Control Gap

Welcome to This Week’s [in]Security. This week: Thinking ahead to PCI DSS 4.0, HSM vulnerabilities, breaches at 4 universities,TechData, Symantec and Evernote breaches, what Equifax broke, Canada investigates US boarder services breach, AMCA lawsuits, Ring Doorbell surveillance network, permission for facial recognition, false compliance claims punished, incomprehensible privacy policies, NIST updates, hacking back law revisited, Return of Data, radiation hardening, finessing windows updates, RAMBleed steals 2048 bit private key, multiple IoT problems, Gmail calendar exploitation, more flawed 2FA keys, Intel NUC firmware vulnerability, a tale of two newly exploited cities, Citizenlab's stalker-ware report, the future of HaveIBeenPwned, Cyber-security and Real Estate, Zuckerberg deep fake, risks to the planet, and more.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

News and announcements relating to Payment Security, Payments, PCI, and Card Brands.

• PCI DSS 4.0 is coming (late 2020) and the predictions are starting https://www.blackfootuk.com/pci-dss-looking-ahead-to-v4-0/
• Researchers have found a number of serious vulnerabilities in an as yet unnamed make of Host Security Module (HSM), a specialized cyrptography computer used in banking and payments. https://www.zdnet.com/article/major-hsm-vulnerabilities-impact-banks-cloud-providers-governments/
• Discovery … 30 computers, 74 million unprotected card numbers…Do you have this PCI problem? https://www.linkedin.com/pulse/30-computers-74-million-unprotected-card-numbersdo-you-bill-lewis
• Online shops fear 2FA at checkout will increase abandoned carts http://nakedsecurity.sophos.com/2019/06/10/online-shops-fear-2fa-at-checkout-will-increase-abandoned-carts/
• Amazon launches a credit card for the ‘underbanked’ with bad credit (BTW: it appears to be out of scope for PCI DSS) https://www.cnbc.com/2019/06/10/amazon-launches-a-credit-card-for-the-underbanked-with-bad-credit.html

Breaches / Leaks

Covering breaches, leaks, data exposures, and their fallout.

• Tech Data leaks 246GB of customer data https://www.techradar.com/news/tech-data-leaks-246gb-of-customer-data and https://www.zdnet.com/article/veteran-fortune-500-company-leaked-264gb-in-client-payment-data/
• 8.4TB in email metadata exposed in Shanghai Jiao Tong University data leak https://www.zdnet.com/article/8-4tb-in-email-metadata-exposed-in-university-data-leak/
• Three U.S. Universities Disclose Data Breaches Over Two-Day Span https://www.bleepingcomputer.com/news/security/three-us-universities-disclose-data-breaches-over-two-day-span/
• Evernote Chrome extension vulnerability allowed attackers to steal 4.6M users' data https://www.techrepublic.com/article/evernote-chrome-extension-vulnerability-allowed-attackers-to-steal-4-7m-users-data/
• Hacker hits Symantec and accesses passwords https://betanews.com/2019/06/14/symantec-hack/
• Multiple class action lawsuits filed in recent AMCA breach https://www.bankinfosecurity.com/multiple-class-action-lawsuits-filed-in-amca-breach-a-12599
• CBSA launches investigation after licence plate reader linked to U.S. hack https://www.cbc.ca/news/politics/cbsa-perceptics-licence-plate-breach-1.5172152
• More details emerge on breach Perceptics a supplier to US Customs and Border Services. Data was offloaded from government servers and included photos of travelers and license plates. https://www.buzzfeednews.com/article/daveyalba/the-us-governments-database-of-traveler-photos-has-been (Previously reported https://controlgap.com/blog/this-weeks-insecurity-issue-113/))
• Thanks to Equifax breach, 4 US agencies don't properly verify your data, GAO finds https://www.cnet.com/news/after-equifax-breach-some-us-agencies-arent-properly-protecting-americans-data/
• Senators question FBI on Russian hack of voting firm https://www.thestar.com/news/world/us/2019/06/12/senators-question-fbi-on-russian-hack-of-voting-firm.html

Privacy

Articles about privacy related news, risks, and trends.

• Amazon's helping police build a surveillance network with Ring doorbells https://www.cnet.com/features/amazons-helping-police-build-a-surveillance-network-with-ring-doorbells/
• You're responsible for getting permission from subjects if you want to use Windows Photos' facial recognition feature https://www.theregister.co.uk/2019/06/10/microsoftwindowsphotosfacialrecognition_consent/
• Canada’s Military Spies can Collect & Share Info on Canadians https://www.datex.ca/blog/canadas-military-spies-can-collect-share-info-on-canadians
• FTC Takes Action against Companies Falsely Claiming Compliance with the EU-U.S. Privacy Shield, Other International Privacy Agreements https://www.ftc.gov/news-events/press-releases/2019/06/ftc-takes-action-against-companies-falsely-claiming-compliance-eu
• As State AGs Gather at FTC Event, Still No Action on Facebook http://epic.org/2019/06/as-state-ags-gather-at-ftc-eve.html
• Opinion | We Read 150 Privacy Policies. They Were an Incomprehensible Disaster https://www.nytimes.com/interactive/2019/06/12/opinion/facebook-google-privacy-policies.html
• Facebook will compensate Android users for running an app that constantly reports which other apps you're using https://www.businessinsider.com/facebook-study-research-apple-android-app-store-2019-6

Laws & Regulations / Standards

News about laws, regulations, and standards affecting security, privacy,  technology, and public interest.

• NIST updates

  • (NISTIR) 8221, “A Methodology for Enabling Forensic Analysis Using Hypervisor Vulnerabilities Data. Details https://csrc.nist.gov/publications/detail/nistir/8221/final. Update https://csrc.nist.gov/news/2019/nist-publishes-nistir-8221
  • SP 800-64 R2 Security Considerations in the System Development Life Cycle (SDLC) - withrawn (see SP 800-160 V 1 instead. Archive https://csrc.nist.gov/publications/detail/sp/800-64/rev-2/archive/2008-10-16. And SP 800-160 Volume 1 publication details https://csrc.nist.gov/publications/detail/sp/800-160/vol-1/final
• Congress to take another stab at hack back legislation https://www.cyberscoop.com/hack-back-bill-tom-graves-offensive-cybersecurity/
• Interesting idea Return on Data (RoD) from a law journal last month https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3362880

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• Boosting Secure Coding Practices https://www.bankinfosecurity.com/boosting-secure-coding-practices-a-12609
• Lessons learned trying to secure congressional campaigns https://www.schneier.com/blog/archives/2019/06/lessonslearned1.html
• Article describing how to disable the bleeding edge of Windows updates https://www.computerworld.com/article/3400953/save-yourself-a-headache-make-sure-windows-automatic-update-is-off.html
• Enabling Windows 10 tamper protection https://www.howtogeek.com/423970/how-to-enable-tamper-protection-for-windows-security-on-windows-10/
• Windows 10 Goes To Shell - improvements to the command line are coming https://hackaday.com/2019/06/10/windows-10-goes-to-shell/
• Android's Built-in Security Key Now Works With iOS Devices For Secure Login https://thehackernews.com/2019/06/android-security-key-ios.html
• Improving Security and Privacy for Chrome Extensions Users http://security.googleblog.com/2019/06/improving-security-and-privacy-for.html
• Hera asteroid mission's brain to be radiation-hard and failure-proof https://phys.org/news/2019-06-hera-asteroid-mission-brain-radiation-hard.html

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• FTSE 250 firms exposed to possible cyber-attacks, report finds https://www.theguardian.com/technology/2019/jun/11/ftse-250-firms-exposed-to-possible-cyber-attacks-report-finds
• RAMBleed Side-Channel Attack Exposes Privileged Memory https://threatpost.com/rambleed-side-channel-privileged-memory/145629/
• RAMBleed Researchers use Rowhammer bit flips to steal 2048-bit crypto key https://arstechnica.com/?p=1520383
• Breaking the ACORN stream cipher with a Single Fault - impacts CESAR and IoT https://eprint.iacr.org/2019/697
• Another IoT problem - Medical infusion pumps vulnerable to remote attacks https://portswigger.net/daily-swig/medical-infusion-pumps-vulnerable-to-remote-attacks
• Another bug from Micorsoft's past has been found. This time it's the equation editor which can be exploited to run unsafe code http://nakedsecurity.sophos.com/2019/06/10/microsoft-warns-of-time-travelling-equation-exploit-are-you-safe/
• Linux - Vim and NeoVim editor high-severity arbitrary OS command execution vulnerability inmodelines feature https://thehackernews.com/2019/06/linux-vim-vulnerability.html
• U.S. Government security keys made by Yubico are vulnerable to hackers, for the dumbest imaginable reason - non-random content https://boingboing.net/2019/06/14/u-s-government-security-keys.html
• Microsoft NTLM Flaws Expose All Windows Machines to RCE Attacks https://www.bleepingcomputer.com/news/security/microsoft-ntlm-flaws-expose-all-windows-machines-to-rce-attacks/
• Microsoft Blocks Some Bluetooth Devices Due to Security Risks https://www.bleepingcomputer.com/news/security/microsoft-blocks-some-bluetooth-devices-due-to-security-risks/
• June’s Patch Tuesday Fixes 88 Security Flaws, Including SandboxEscaper’s Zero Days, HoloLens https://blog.trendmicro.com/trendlabs-security-intelligence/junes-patch-tuesday-fixes-88-security-flaws-including-sandboxescapers-zero-days-hololens/ and https://threatpost.com/microsoft-patches-four-publicly-known-vulnerabilities/145594/
• Intel fixes severe NUC firmware, web console vulnerabilities https://www.zdnet.com/article/intel-fixes-severe-firmware-web-console-vulnerabilities/
• Hunting COM Objects (Part Two) https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects-part-two.html
• Another World Password Day Has Passed and Little Has Changed https://www.securityweek.com/another-world-password-day-has-passed-and-little-has-changed

Hacking / Malware / Cybercrime / Exploitation

News covering active trends and events.

• Exim email servers are now under attack https://www.zdnet.com/article/exim-email-servers-are-now-under-attack/
• FBI Warns of HTTPS Abuse in Phishing Campaigns https://www.securityweek.com/fbi-warns-https-abuse-phishing-campaigns
• New Security Warning Issued For Google's 1.5 Billion Gmail And Calendar Users https://www.forbes.com/sites/daveywinder/2019/06/11/new-security-warning-issued-for-googles-1-5-billion-gmail-and-calendar-users/
• SQL Injection Attacks Represent Two-Third of All Web App Attacks https://www.darkreading.com/attacks-breaches/sql-injection-attacks-represent-two-third-of-all-web-app-attacks/d/d-id/1334960
• Getting Up to Speed on Magecart https://www.darkreading.com/cloud/getting-up-to-speed-on-magecart-/a/d-id/1334884
• The most targeted Internet of Things (IoT) devices https://www.zdnet.com/article/cybersecurity-these-are-the-internet-of-things-devices-that-are-most-targeted-by-hackers/
• City of Burlington Ontario falls for $503,000 phishing scam https://www.ctvnews.ca/canada/city-of-burlington-ont-falls-for-503-000-phishing-scam-1.4465779
• Mayor of Stratford Ontario calls for national strategy after town hit for online 'ransom' https://www.cbc.ca/news/politics/stratford-cyberattack-ransomware-hack-1.5170951
• Interesting look at a false flag employment scam https://arstechnica.com/gadgets/2019/06/scamming-the-scammers-how-i-sniffed-out-and-fought-a-cash-hungry-employment-scam/
• CitizenLab: The Predator in Your Pocket: A Multidisciplinary Assessment of the Stalkerware Application Industry https://citizenlab.ca/2019/06/the-predator-in-your-pocket-a-multidisciplinary-assessment-of-the-stalkerware-application-industry/
• Installing Fear: A Canadian Legal and Policy Analysis of Using, Developing, and Selling Smartphone Spyware and Stalkerware Applications https://citizenlab.ca/2019/06/installing-fear-a-canadian-legal-and-policy-analysis-of-using-developing-and-selling-smartphone-spyware-and-stalkerware-applications/
• New Brunswick RCMP issue warning about ‘gifting cloud’ scheme https://globalnews.ca/news/5385757/new-brunswick-rcmp-scheme/

Other Security / Risk

Articles covering other types of risks.

• Project Svalbard: The Future of Have I Been Pwned https://www.troyhunt.com/project-svalbard-the-future-of-have-i-been-pwned/
• The 2019 International Cyber Security and Intelligence Conference (ICSIC) will be held July 16-18, just outside of Toronto, at the Pearson Convention Center 2638 Steeles Avenue East, Brampton, ON Canada https://www.icsicanada.org/
• Workshop on the Economics of Information Security https://www.schneier.com/blog/archives/2019/06/workshoponthe_1.html
• Decoherence is a major problem that must be solved before quantum computers can be effective https://blogs.scientificamerican.com/observations/the-problem-with-quantum-computers/
• Unsurprisingly, cognitive bias can help shape (and mis-shape) security decisions https://www.darkreading.com/threat-intelligence/cognitive-bias-can-help-shape-security-decisions/d/d-id/1334925
• This shouldn't be a surprise - Why there's more to cybersecurity recruitment than just job titles https://www.forbes.com/sites/jameshadley/2019/06/10/why-theres-more-to-cybersecurity-recruitment-than-just-job-titles/
• Voting machine vendor shifts gears and pushes for backup paper ballots - uncertain if this is the ballot and scan technology researchers have been calling for https://www.darkreading.com/application-security/voting-machine-vendor-shifts-gears-and-pushes-for-backup-paper-ballots/d/d-id/1334924
• Hundreds of U.S. flights canceled as GPS-based aircraft navigation system fails https://www.forbes.com/sites/zakdoffman/2019/06/09/hundreds-of-u-s-flights-canceled-as-gps-based-aircraft-navigation-system-fails/
• Wordpress down: Websites across world stop working after strange glitch https://www.independent.co.uk/life-style/gadgets-and-tech/news/wordpress-down-not-working-website-sun-problem-help-a8954431.html
• The Multibillion-Dollar Problem Of Weak Cybersecurity in Real Estate https://www.forbes.com/sites/angelicakrystledonati/2019/06/12/the-multibillion-dollar-problem-of-weak-cybersecurity-in-real-estate/
• Team of American Hackers and Emirati Spies Discussed Attacking The Intercept https://theintercept.com/2019/06/12/darkmatter-uae-hack-intercept/
• Radiohead Dropped 18 Hours of Unreleased Music to Screw Pirates https://www.wired.com/story/radiohead-unreleased-tracks-ok-computer-hackers-pirates-ransom/
• There’s a fake video showing Mark Zuckerberg saying he’s in control of ‘billions of people’s stolen data,’ as Facebook grapples with doctored videos that spread misinformation https://www.businessinsider.com/deepfake-video-mark-zuckerberg-instagram-2019-6
• Facebook lets deepfake Zuckerberg video stay on Instagram https://www.bbc.co.uk/news/technology-48607673
• How a gender-swapped dating profile picture led to a cop’s arrest https://globalnews.ca/news/5382184/snapchat-gender-swap-filter-cop-arrested/
• AI's dirty secret https://www.forbes.com/sites/charlesradclyffe/2019/06/10/ais-dirty-secret/
• Never seen this before. Woman accidentally opens plane's emergency exit door on tarmac while looking for bathroom - chaos and delays ensue https://globalnews.ca/news/5373207/woman-plane-emergency-exit-door-bathroom/
• Earth Is Now Approaching The Same 'Meteor Swarm' That Wiped-Out A Siberian Forest https://www.forbes.com/sites/jamiecartereurope/2019/06/11/earth-is-now-approaching-the-same-meteor-swarm-that-wiped-out-a-siberian-forest/
• Creeping Toward Permanent Drought https://blogs.scientificamerican.com/hot-planet/creeping-toward-permanent-drought/
• More Stalled Hurricanes And Less Wind Shear - Bad News For U.S. Coasts https://www.forbes.com/sites/marshallshepherd/2019/06/07/more-stalled-hurricanes-and-less-wind-shear-bad-news-for-u-s-coasts/

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• Amazing map visualizing the largest 18K bodies in our solar system http://tabletopwhale.com/2019/06/10/the-solar-system.html (h/t https://www.universetoday.com/142531/an-orbit-map-of-the-solar-system/))
• A Long-Lost Apollo Capsule Adrift in Space May Have Been Found After 50 Years http://www.sciencealert.com/astronomers-are-98-sure-they-ve-found-snoopy-the-missing-apollo-capsule-drifting-in-space
• Carnivorous plant that consumes baby salamanders found in Ontario’s Algonquin park https://www.ctvnews.ca/sci-tech/carnivorous-plant-that-consumes-baby-salamanders-found-in-ontario-park-1.4462089
• No, The Universe Cannot Be A Billion Years Younger Than We Think https://www.forbes.com/sites/startswithabang/2019/06/12/no-the-universe-cannot-be-a-billion-years-younger-than-we-think/
• A list of single words and their explanations that have no equivalent in English (from 2015) http://mentalfloss.com/article/50698/38-wonderful-foreign-words-we-could-use-english