This Week’s [in]Security – Issue 117 | insecurity | Control Gap

Welcome to This Week’s [in]Security. This week: PCI PINv3 key blocks, PFI program updates, payment terminal inspections, Desjardin insider theft, DHS breach, prosecutors expose underage victims, pre-owned Nest Cam's pwned, AMCA breach leads to bankruptcy, a web hosting company has been charged along with the operators of a massive child-porn operation, Knowledge-Based-Authentication (KBA) is now officially dead, $1.5T lost in a decade of US breaches, a batch of NIST drafts for comment over the last few weeks, Big Data, surveillance, and drone privacy, US and APTs hacking the grids, Facebook-coin, quantum safe crypto, Mongo encrypts, Google goes with commutative encryption, TV-AV, the impending worm, QuadrigaCX crypto-fraud, do we really need digital license plates, C programmers being bitten by undefined behavior, a real life Iron-Man suit, and more.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized bytopic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

News and announcements relating to Payment Security, Payments, PCI, and Card Brands.

• PCI releases supplement for PIN (v3)
  requirement 18-3. Article https://blog.pcisecuritystandards.org/guidance-pin-security-requirements-18-3-key-blocks and details https://www.pcisecuritystandards.org/documents/PINSecurityRqmt18-3KeyBlocks2019.pdf

• PCI updates PFI forensic program

  • https://www.pcisecuritystandards.org/documents/PFIProgramGuide_v3.1.pdf
  • https://www.pcisecuritystandards.org/documents/PFIQualificationRequirements_v3.2.pdf
  • https://www.pcisecuritystandards.org/documents/PFIPreliminaryIncidentResponseReport_v3.0.pdf
  • https://www.pcisecuritystandards.org/documents/FinalPFIReport_v3.0.pdf
• Updates on the 2019 North American PCI Community Meeting https://events.pcisecuritystandards.org/vancouver-2019/
• Why POI (Point of Interaction - payment terminal) Tamper Inspections are so Important https://controlgap.com/blog/why-poi-tamper-inspections-are-so-important/
• As ATM Thefts Rise In Europe, Europol Urges Safeguards https://www.pymnts.com/news/security-and-risk/2019/atm-attacks-europol/

Breaches / Leaks

Covering breaches, leaks, data exposures, and their fallout.

• Desjardin insider theft/breach on 2.9M individual and 173K business members https://globalnews.ca/news/5412780/desjardins-user-data-shared/
• Oregon DHS notifying 645,000 people of data breach, personal information compromised https://www.kptv.com/news/oregon-dhs-notifying-people-of-data-breach-personal-information-compromised/article_90b9d3c2-9210-11e9-8aae-f74903185b1a.html
• The US government has leaked the names of child abuse victims by failing to hide Facebook account IDs in court documents (FB) https://www.businessinsider.com/facebook-ids-revealed-child-abuse-victims-us-court-documents-report-2019-6
• Google says that it's investigating an issue where the previous owner of a used Nest Cam can spy on new users https://www.businessinsider.com/nest-cam-security-issue-lets-previous-owners-spy-2019-6
• Recently breached AMCA files for bankruptcy https://krebsonsecurity.com/2019/06/collections-firm-behind-labcorp-quest-breaches-files-for-bankruptcy/

• GAO reports on Equifax:

  • KBA (Knowledge Based Authentication) No Longer Effective https://www.databreachtoday.com/gao-after-equifax-breach-kba-no-longer-effective-a-12641
  • Agencies Must Tighten Online ID Proofing https://www.pymnts.com/safety-and-security/2019/gao-equifax-online-id-proof/
• A new website explains data breach risk. Article https://www.csoonline.com/article/3402985/a-new-website-explains-data-breach-risk.html and site https://www.breachclarity.com/
• The U.S. Loses Over $1.5 Trillion in a Decade of Data Breaches https://www.bleepingcomputer.com/news/security/the-us-loses-over-15-trillion-in-a-decade-of-data-breaches/

Privacy

Articles about privacy related news, risks, and trends.

• EFF's Recommendations for Consumer Data Privacy Laws https://www.eff.org/deeplinks/2019/06/effs-recommendations-consumer-data-privacy-laws
• Millions of Venmo transactions scraped (again) http://nakedsecurity.sophos.com/2019/06/19/millions-of-venmo-transactions-scraped-again/
• Is 'Big Data' About What We Do With Our Data Not How Much Of It We Have? https://www.forbes.com/sites/kalevleetaru/2019/06/16/is-big-data-about-what-we-do-with-our-data-not-how-much-of-it-we-have/
• Data, Surveillance, and the AI Arms Race https://www.schneier.com/blog/archives/2019/06/data_surveillan.html
• The Next Big Privacy Concern Is Up in the Air (drones) https://www.wsj.com/articles/the-next-big-privacy-concern-is-up-in-the-air-11561042733
• Privacy fears at an all-time high, former Ontario privacy commissioner says https://www.cbc.ca/news/canada/kitchener-waterloo/people-care-now-more-than-ever-privacy-ontario-former-privacy-commissioner-1.5173543

Laws & Regulations / Standards

News about laws, regulations, and standards affecting security, privacy,  technology, and public interest.

• In a massive takedown of a 'horrific' child porn site, the hosting provider allegedly knew about and in a first has been charged https://beta.ctvnews.ca/national/canada/2019/6/20/1_4474486.html
• Adtech Industry Ignores Data Protection Laws, U.K. Regulator Rules. No Talk of GDPR fines Yet. https://www.forbes.com/sites/emmawoollacott/2019/06/20/adtech-industry-ignores-data-protection-laws-uk-regulator-rules/
• NIST Special Publication (SP) 800-205, Attribute Considerations for Access Control Systems https://csrc.nist.gov/publications/detail/sp/800-205/final

• Draft NIST documents open for comment

  • Special Publication (SP) 800-171 Revision 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/draft
  • NIST SP 800-171B, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets https://csrc.nist.gov/publications/detail/sp/800-171b/draft
  • Cybersecurity Whitepaper on Adopting a Secure Software Development Framework (SSDF) https://csrc.nist.gov/publications/detail/white-paper/2019/06/11/mitigating-risk-of-software-vulnerabilities-with-ssdf/draft
  • Detecting and Protecting Against Data Integrity Attacks in Industrial Control System (ICS) Environments https://csrc.nist.gov/publications/detail/white-paper/2019/06/12/detecting-and-protecting-against-data-integrity-attacks-in-ics/draft
  • Continuous Monitoring for IT Infrastructure https://csrc.nist.gov/publications/detail/white-paper/2019/06/17/continuous-monitoring-for-it-infrastructure-for-smb/draft
• Senator Asks NIST to Propose Secure Data Sharing Methods https://www.securityweek.com/senator-asks-nist-propose-secure-data-sharing-methods

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• PQDH: A Quantum-Safe Replacement for Diffie-Hellman based on SIDH https://eprint.iacr.org/2019/730
• Towards Post-Quantum Cryptography in TLS https://blog.cloudflare.com/towards-post-quantum-cryptography-in-tls/
• Qutrit's are a more powerful alternative to qubits, now researchers demonstrate new path to reliable quantum computation https://phys.org/news/2019-06-path-reliable-quantum.html
• MongoDB Introduces Client-Side Field Level Encryption to Aid Compliance https://www.securityweek.com/mongodb-introduces-client-side-field-level-encryption-aid-compliance
• Google's Private Join and Compute uses commutative encryption to enable "multiparty computation" without exposing information to anyone who didn't already have it https://www.wired.com/story/google-private-join-compute-database-encryption/

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• Who knew? It's time to AV scan your QLED TV weekly. Yes - this is a thing and it is built-into the set https://www.bbc.com/news/technology-48664251
• Warning Issued For Apple's 1.4 Billion iPad And iPhone Users https://www.forbes.com/sites/gordonkelly/2019/06/16/apple-iphone-ipad-security-warning-ios-12-iphone-xs-max-xr/
• U.S. Government Announces 'Critical' Warning For Microsoft Windows Users https://www.forbes.com/sites/daveywinder/2019/06/18/u-s-government-announces-critical-warning-for-microsoft-windows-users/
• Millions of Windows Dell PCs need patching: Give-me-admin security gremlin found lurking in bundled support tool https://www.theregister.co.uk/2019/06/20/dellsupportassistsecurity_hole/
• Samba Vulnerability Can Crash Active Directory Components https://www.bleepingcomputer.com/news/security/samba-vulnerability-can-crash-active-directory-components/

Hacking / Malware / Cybercrime / Exploitation

News covering active trends and events.

• Nation-sponsored hackers likely carried out hostile takeover of rival groups’s servers https://arstechnica.com/information-technology/2019/06/researchers-think-nation-sponsored-hackers-attacked-rival-espionage-group/
• Iranian Hackers Launch a New US-Targeted Campaign as Tensions Mount https://www.wired.com/story/iran-hackers-us-phishing-tensions/
• Hackers behind dangerous oil and gas intrusions are probing US power grids https://arstechnica.com/information-technology/2019/06/hackers-behind-dangerous-oil-and-gas-intrusions-are-probing-us-power-grids/
• U.S. Planted Powerful Malware in Russia's Power Grid: Report https://www.securityweek.com/us-planted-powerful-malware-russias-power-grid-report
• Ransomware gang hacks Managed Service Providers to deploy ransomware on customer systems https://www.zdnet.com/article/ransomware-gang-hacks-msps-to-deploy-ransomware-on-customer-systems/
• The City of Riviera Beach Florida Pays $600K in Ransomware Attack, https://threatpost.com/ransomware-florida-city-pays-600k-ransom/145869/
• Over a Month On, Baltimore Still Grappling with Hack Fallout https://www.govtech.com/security/Over-a-Month-On-Baltimore-Still-Grappling-with-Hack-Fallout.html
• QuadrigaCX founder transferred customers’ money to his own accounts: report https://globalnews.ca/news/5412070/quadrigacx-founder-transferred-customers-money/
• NASA’s JPL was hacked in 2018 https://www.forbes.com/sites/daveywinder/2019/06/20/confirmed-nasa-has-been-hacked/

Other Security / Risk

Articles covering other types of risks.

• Risks of Password Managers https://www.schneier.com/blog/archives/2019/06/risksofpasswo.html
• Target cash registers across the US are crashing, creating massive lines of frustrated customers in 'The Great Target Outage of 2019' https://www.businessinsider.com/target-cash-register-great-target-outage-2019-6
• Article on digital license plates - we'd really like to see more analysis of security and privacy implications, and we'd really like to see a total cost of ownership analysis as to why anyone would spend $500 plus $7/month https://www.baltimoresun.com/business/bs-md-digital-license-plates-20190618-story.html
• The results of this study shouldn't surprise anyone, drivers may overestimate Tesla Autopilot because of its name https://www.engadget.com/2019/06/21/iihs-driver-assistance-study/
• Deepfake Algorithms Just Got Even Smarter, And a Whole Lot Creepier http://www.sciencealert.com/deepfake-ai-algorithms-can-now-take-text-and-turn-it-into-words-spoken-in-a-video
• The Danger of Fake News During Pandemics https://www.schneier.com/blog/archives/2019/06/fakenewsand_p.html
• Facebook launches cryptocurrency with Visa, MasterCard, Uber, and others https://arstechnica.com/tech-policy/2019/06/facebook-launches-crypto-currency-with-visa-mastercard-uber-and-others/
• Facebook crypto-currency proposal immediately comes under fire https://www.cnbc.com/2019/06/20/facebook-libra-cryptocurrency-faced-with-central-bank-warnings.html
• Bank of Canada to review Facebook’s crypto-currency white paper ‘very carefully’ https://www.thestar.com/business/2019/06/18/bank-of-canada-to-review-facebooks-cryptocurrency-white-paper-very-carefully.html
• Article on the C programming language's undefined storage behavior, assumptions about the hardware memory layout, and aggressive optimization breaking things https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2019/june/pointer-provenance/
• Apple warns some MacBook laptops can heat up so much they are dangerous https://www.independent.co.uk/life-style/gadgets-and-tech/news/apple-macbook-pro-recall-15-inch-serial-number-am-i-eligible-heat-unsafe-a8967856.html
• Hezbollah operative collected information on Toronto’s Pearson airport https://globalnews.ca/news/5408240/hezbollah-pearson-airport/
• Horns (bone spurs) are growing on young people’s skulls. Phone use is to blame, research suggests. https://beta.washingtonpost.com/nation/2019/06/20/horns-are-growing-young-peoples-skulls-phone-use-is-blame-research-suggests/
• Man ate ‘expired’ food for a year to show that expiration dates can be meaningless https://www.thestar.com/life/2019/06/20/this-man-ate-expired-food-for-a-year-to-show-that-expiration-dates-can-be-meaningless.html
• Are tourists in the Dominican Republic being poisoned? https://www.businessinsider.com/british-couple-allege-they-were-poisoned-at-dominican-republic-hotel-2019-6
• Greenland Lost 4 Trillion Pounds Of Ice In Just 1 Day https://www.forbes.com/sites/trevornace/2019/06/18/greenland-lost-4-trillion-pounds-of-ice-in-just-1-day/

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• A former 'Mythbuster' built his own bulletproof Iron Man suit. It can fly, too. https://www.cnn.com/2019/06/17/entertainment/iron-man-suit-adam-savage-trnd/index.html
• 60 years on the U2 is still flying reconnaissance missions https://www.businessinsider.com/u2-dragon-lady-flying-over-60-years-but-plane-changed-2019-6
• Satellites Equipped With a Tether Would be Able to De-Orbit Themselves at the end of Their Life https://www.universetoday.com/142537/satellites-equipped-with-a-tether-would-be-able-to-de-orbit-themselves-at-the-end-of-their-life/
• Photo: The Milky Way over Pyramid of the Feathered Serpent https://apod.nasa.gov/apod/ap190617.html
• Mathematicians Have Proposed a New Structure to The Periodic Table http://www.sciencealert.com/the-periodic-table-could-be-organised-more-like-a-network-than-a-matrix