This Week’s [in]Security – Issue 117
Welcome to This Week’s [in]Security. This week: PCI PIN v3 key blocks, PFI program updates, payment terminal inspections, Desjardins insider theft, DHS breach, prosecutors expose underage victims, pre-owned Nest Cams pwned, AMCA breach leads to bankruptcy, a web hosting company has been charged along with the operators of a massive child-porn operation, Knowledge-Based Authentication (KBA) is now officially dead, $1.5T lost in a decade of US breaches, a batch of NIST drafts for comment over the last few weeks, Big Data, surveillance, and drone privacy, US and APTs hacking the grids, Facebook-coin, quantum-safe crypto, Mongo encrypts, Google goes with commutative encryption, TV AV, the impending worm, QuadrigaCX crypto-fraud, do we really need digital license plates, C programmers being bitten by undefined behavior, a real-life Iron Man suit, and more.
Now here’s this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.
PCI Compliance and Payments
News and announcements relating to Payment Security, Payments, PCI, and Card Brands.
- PCI releases supplement for PIN (v3) requirement 18-3. Article https://blog.pcisecuritystandards.org/guidance-pin-security-requirements-18-3-key-blocks and details https://www.pcisecuritystandards.org/documents/PIN_Security_Rqmt_18-3_Key_Blocks_2019.pdf
- PCI updates PFI forensic program
- Updates on the 2019 North American PCI Community Meeting https://events.pcisecuritystandards.org/vancouver-2019/
- Why POI (Point of Interaction – payment terminal) Tamper Inspections are so Important https://controlgap.com/blog/why-poi-tamper-inspections-are-so-important/
- As ATM Thefts Rise In Europe, Europol Urges Safeguards https://www.pymnts.com/news/security-and-risk/2019/atm-attacks-europol/
Breaches / Leaks
Covering breaches, leaks, data exposures, and their fallout.
- Desjardins insider theft/breach affecting 2.9M individual and 173K business members https://globalnews.ca/news/5412780/desjardins-user-data-shared/
- Oregon DHS notifying 645,000 people of data breach, personal information compromised https://www.kptv.com/news/oregon-dhs-notifying-people-of-data-breach-personal-information-compromised/article_90b9d3c2-9210-11e9-8aae-f74903185b1a.html
- The US government has leaked the names of child abuse victims by failing to hide Facebook account IDs in court documents (FB) https://www.businessinsider.com/facebook-ids-revealed-child-abuse-victims-us-court-documents-report-2019-6
- Google says that it’s investigating an issue where the previous owner of a used Nest Cam can spy on new users https://www.businessinsider.com/nest-cam-security-issue-lets-previous-owners-spy-2019-6
- Recently breached AMCA files for bankruptcy https://krebsonsecurity.com/2019/06/collections-firm-behind-labcorp-quest-breaches-files-for-bankruptcy/
- GAO reports on Equifax:
  - KBA (Knowledge Based Authentication) No Longer Effective https://www.databreachtoday.com/gao-after-equifax-breach-kba-no-longer-effective-a-12641
  - Agencies Must Tighten Online ID Proofing https://www.pymnts.com/safety-and-security/2019/gao-equifax-online-id-proof/
- A new website explains data breach risk. Article https://www.csoonline.com/article/3402985/a-new-website-explains-data-breach-risk.html and site https://www.breachclarity.com/
- The U.S. Loses Over $1.5 Trillion in a Decade of Data Breaches https://www.bleepingcomputer.com/news/security/the-us-loses-over-15-trillion-in-a-decade-of-data-breaches/
Privacy
Articles about privacy-related news, risks, and trends.
- EFF’s Recommendations for Consumer Data Privacy Laws https://www.eff.org/deeplinks/2019/06/effs-recommendations-consumer-data-privacy-laws
- Millions of Venmo transactions scraped (again) http://nakedsecurity.sophos.com/2019/06/19/millions-of-venmo-transactions-scraped-again/
- Is ‘Big Data’ About What We Do With Our Data Not How Much Of It We Have? https://www.forbes.com/sites/kalevleetaru/2019/06/16/is-big-data-about-what-we-do-with-our-data-not-how-much-of-it-we-have/
- Data, Surveillance, and the AI Arms Race https://www.schneier.com/blog/archives/2019/06/data_surveillan.html
- The Next Big Privacy Concern Is Up in the Air (drones) https://www.wsj.com/articles/the-next-big-privacy-concern-is-up-in-the-air-11561042733
- Privacy fears at an all-time high, former Ontario privacy commissioner says https://www.cbc.ca/news/canada/kitchener-waterloo/people-care-now-more-than-ever-privacy-ontario-former-privacy-commissioner-1.5173543
Laws & Regulations / Standards
News about laws, regulations, and standards affecting security, privacy, technology, and public interest.
- In a massive takedown of a ‘horrific’ child porn site, the hosting provider allegedly knew about it and, in a first, has been charged https://beta.ctvnews.ca/national/canada/2019/6/20/1_4474486.html
- Adtech Industry Ignores Data Protection Laws, U.K. Regulator Rules. No Talk of GDPR fines Yet. https://www.forbes.com/sites/emmawoollacott/2019/06/20/adtech-industry-ignores-data-protection-laws-uk-regulator-rules/
- NIST Special Publication (SP) 800-205, Attribute Considerations for Access Control Systems https://csrc.nist.gov/publications/detail/sp/800-205/final
- Draft NIST documents open for comment:
  - Special Publication (SP) 800-171 Revision 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/draft
  - NIST SP 800-171B, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets https://csrc.nist.gov/publications/detail/sp/800-171b/draft
  - Cybersecurity Whitepaper on Adopting a Secure Software Development Framework (SSDF) https://csrc.nist.gov/publications/detail/white-paper/2019/06/11/mitigating-risk-of-software-vulnerabilities-with-ssdf/draft
  - Detecting and Protecting Against Data Integrity Attacks in Industrial Control System (ICS) Environments https://csrc.nist.gov/publications/detail/white-paper/2019/06/12/detecting-and-protecting-against-data-integrity-attacks-in-ics/draft
  - Continuous Monitoring for IT Infrastructure https://csrc.nist.gov/publications/detail/white-paper/2019/06/17/continuous-monitoring-for-it-infrastructure-for-smb/draft
- Senator Asks NIST to Propose Secure Data Sharing Methods https://www.securityweek.com/senator-asks-nist-propose-secure-data-sharing-methods
Defense / Techniques / Solutions
Covering developments and opportunities that may help improve security.
- PQDH: A Quantum-Safe Replacement for Diffie-Hellman based on SIDH https://eprint.iacr.org/2019/730
- Towards Post-Quantum Cryptography in TLS https://blog.cloudflare.com/towards-post-quantum-cryptography-in-tls/
- Qutrits are a more powerful alternative to qubits; now researchers demonstrate a new path to reliable quantum computation https://phys.org/news/2019-06-path-reliable-quantum.html
- MongoDB Introduces Client-Side Field Level Encryption to Aid Compliance https://www.securityweek.com/mongodb-introduces-client-side-field-level-encryption-aid-compliance
- Google’s Private Join and Compute uses commutative encryption to enable “multiparty computation” without exposing information to anyone who didn’t already have it https://www.wired.com/story/google-private-join-compute-database-encryption/
Bugs / Design Flaws / Vulnerabilities / Research
Articles about newly discovered vulnerabilities and research.
- Who knew? It’s time to AV scan your QLED TV weekly. Yes, this is a thing, and the scanner is built into the set https://www.bbc.com/news/technology-48664251
- Warning Issued For Apple’s 1.4 Billion iPad And iPhone Users https://www.forbes.com/sites/gordonkelly/2019/06/16/apple-iphone-ipad-security-warning-ios-12-iphone-xs-max-xr/
- U.S. Government Announces ‘Critical’ Warning For Microsoft Windows Users https://www.forbes.com/sites/daveywinder/2019/06/18/u-s-government-announces-critical-warning-for-microsoft-windows-users/
- Millions of Windows Dell PCs need patching: Give-me-admin security gremlin found lurking in bundled support tool https://www.theregister.co.uk/2019/06/20/dell_supportassist_security_hole/
- Samba Vulnerability Can Crash Active Directory Components https://www.bleepingcomputer.com/news/security/samba-vulnerability-can-crash-active-directory-components/
Hacking / Malware / Cybercrime / Exploitation
News covering active trends and events.
- Nation-sponsored hackers likely carried out hostile takeover of rival group’s servers https://arstechnica.com/information-technology/2019/06/researchers-think-nation-sponsored-hackers-attacked-rival-espionage-group/
- Iranian Hackers Launch a New US-Targeted Campaign as Tensions Mount https://www.wired.com/story/iran-hackers-us-phishing-tensions/
- Hackers behind dangerous oil and gas intrusions are probing US power grids https://arstechnica.com/information-technology/2019/06/hackers-behind-dangerous-oil-and-gas-intrusions-are-probing-us-power-grids/
- U.S. Planted Powerful Malware in Russia’s Power Grid: Report https://www.securityweek.com/us-planted-powerful-malware-russias-power-grid-report
- Ransomware gang hacks Managed Service Providers to deploy ransomware on customer systems https://www.zdnet.com/article/ransomware-gang-hacks-msps-to-deploy-ransomware-on-customer-systems/
- The City of Riviera Beach, Florida pays $600K in ransomware attack https://threatpost.com/ransomware-florida-city-pays-600k-ransom/145869/
- Over a Month On, Baltimore Still Grappling with Hack Fallout https://www.govtech.com/security/Over-a-Month-On-Baltimore-Still-Grappling-with-Hack-Fallout.html
- QuadrigaCX founder transferred customers’ money to his own accounts: report https://globalnews.ca/news/5412070/quadrigacx-founder-transferred-customers-money/
- NASA’s JPL was hacked in 2018 https://www.forbes.com/sites/daveywinder/2019/06/20/confirmed-nasa-has-been-hacked/
Other Security / Risk
Articles covering other types of risks.
- Risks of Password Managers https://www.schneier.com/blog/archives/2019/06/risks_of_passwo.html
- Target cash registers across the US are crashing, creating massive lines of frustrated customers in ‘The Great Target Outage of 2019’ https://www.businessinsider.com/target-cash-register-great-target-outage-2019-6
- Article on digital license plates. We’d really like to see more analysis of the security and privacy implications, and a total cost of ownership analysis explaining why anyone would spend $500 plus $7/month https://www.baltimoresun.com/business/bs-md-digital-license-plates-20190618-story.html
- The results of this study shouldn’t surprise anyone: drivers may overestimate Tesla Autopilot because of its name https://www.engadget.com/2019/06/21/iihs-driver-assistance-study/
- Deepfake Algorithms Just Got Even Smarter, And a Whole Lot Creepier http://www.sciencealert.com/deepfake-ai-algorithms-can-now-take-text-and-turn-it-into-words-spoken-in-a-video
- The Danger of Fake News During Pandemics https://www.schneier.com/blog/archives/2019/06/fake_news_and_p.html
- Facebook launches cryptocurrency with Visa, MasterCard, Uber, and others https://arstechnica.com/tech-policy/2019/06/facebook-launches-crypto-currency-with-visa-mastercard-uber-and-others/
- Facebook crypto-currency proposal immediately comes under fire https://www.cnbc.com/2019/06/20/facebook-libra-cryptocurrency-faced-with-central-bank-warnings.html
- Bank of Canada to review Facebook’s crypto-currency white paper ‘very carefully’ https://www.thestar.com/business/2019/06/18/bank-of-canada-to-review-facebooks-cryptocurrency-white-paper-very-carefully.html
- Article on the C programming language’s undefined behavior around pointer provenance: assumptions about the hardware memory layout, and aggressive compiler optimization breaking things https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2019/june/pointer-provenance/
- Apple warns some MacBook laptops can heat up so much they are dangerous https://www.independent.co.uk/life-style/gadgets-and-tech/news/apple-macbook-pro-recall-15-inch-serial-number-am-i-eligible-heat-unsafe-a8967856.html
- Hezbollah operative collected information on Toronto’s Pearson airport https://globalnews.ca/news/5408240/hezbollah-pearson-airport/
- Horns (bone spurs) are growing on young people’s skulls. Phone use is to blame, research suggests. https://beta.washingtonpost.com/nation/2019/06/20/horns-are-growing-young-peoples-skulls-phone-use-is-blame-research-suggests/
- Man ate ‘expired’ food for a year to show that expiration dates can be meaningless https://www.thestar.com/life/2019/06/20/this-man-ate-expired-food-for-a-year-to-show-that-expiration-dates-can-be-meaningless.html
- Are tourists in the Dominican Republic being poisoned? https://www.businessinsider.com/british-couple-allege-they-were-poisoned-at-dominican-republic-hotel-2019-6
- Greenland Lost 4 Trillion Pounds Of Ice In Just 1 Day https://www.forbes.com/sites/trevornace/2019/06/18/greenland-lost-4-trillion-pounds-of-ice-in-just-1-day/
Off-Topic / Science & Tech / Lighter Side
A variety of scientific, technical, historical, and more light-hearted news.
- A former ‘Mythbuster’ built his own bulletproof Iron Man suit. It can fly, too. https://www.cnn.com/2019/06/17/entertainment/iron-man-suit-adam-savage-trnd/index.html
- 60 years on, the U-2 is still flying reconnaissance missions https://www.businessinsider.com/u2-dragon-lady-flying-over-60-years-but-plane-changed-2019-6
- Satellites Equipped With a Tether Would be Able to De-Orbit Themselves at the end of Their Life https://www.universetoday.com/142537/satellites-equipped-with-a-tether-would-be-able-to-de-orbit-themselves-at-the-end-of-their-life/
- Photo: The Milky Way over Pyramid of the Feathered Serpent https://apod.nasa.gov/apod/ap190617.html
- Mathematicians Have Proposed a New Structure to The Periodic Table http://www.sciencealert.com/the-periodic-table-could-be-organised-more-like-a-network-than-a-matrix
Becoming PCI Compliant can be difficult, so why not let Control Gap guide you. We are the largest dedicated PCI compliance company in Canada. Contact us today and learn more about how we can help you: Get PCI Compliant. Stay PCI Compliant.