This Week’s [in]Security – Issue 118

Welcome to This Week’s [in]Security. This week: Major update on PCI SSF and SLC standards, Magecart, POS malware, ATM shimmers, 300M EA Games breach, Attunity AWS breach, Desjardins insider breach, cloud breaches at PCM, Fujitsu, Tata, NTT Data, Dimension Data, CSC and DXC, 10 years breached Equifax CIO jailed, everyone's spying: NSA, MySpace, and Spanish Scoer League, ballot security, NIST IoT, NTS (Secure Time), DoH, Huawei full of holes, NASA Pi hack, 10 years vulnerable, multiple nation-state hacks, more ransomware, multiple crypto-currency frauds and hacks, USB-sniffing dogs, Perception gaps, Boeing's terrible week, logic puzzles, the world's largest human Maple Leaf, and more.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

News and announcements relating to Payment Security, Payments, PCI, and Card Brands.

• PCI released a large update on the new Software Security Framework and Life Cycle Standards:

  • Press release https://www.pcisecuritystandards.org/aboutus/pressreleases/pr_06262019
  • New Software Security Framework Programs: Timeline & Key Milestones https://blog.pcisecuritystandards.org/new-software-security-framework-programs-timeline-and-key-milestones
  • SSF Program Guide https://www.pcisecuritystandards.org/documents/Secure-Software-Program-Guide-v1.pdf
  • SSF Qualification Requirements for Assessors https://www.pcisecuritystandards.org/documents/SSF-Qualification-Requirements-for-Assessors-V1.pdf
  • SSLC Program Guide https://www.pcisecuritystandards.org/documents/Secure-Software-Life-Cycle-(SLC)-Program-Guide-v1.pdf
  • FAQs https://www.pcisecuritystandards.org/documents/FAQs-for-PCI-Software-Security-Framework-v2.pdf
• New PCI DSS Azure blue print makes compliance simpler https://azure.microsoft.com/en-us/blog/new-pci-dss-azure-blueprint-makes-compliance-simpler/
• Eight Percent of North American Payments Fraud Is Related to Terrorism, Report Finds http://www.digitaltransactions.net/eight-percent-of-north-american-payments-fraud-is-related-to-terrorism-report-finds/
• Visa alert on POS malware activity https://usa.visa.com/dam/VCOM/global/support-legal/documents/visa-security-alert-alina-pos-malware.pdf at https://usa.visa.com/support/merchant/library.html
• MageCart Launches Customizable Campaign https://www.darkreading.com/attacks-breaches/magecart-launches-customizable-campaign/d/d-id/1335087
• Hackers Favoring Shimmers Over Skimmers for ATM Attacks https://www.securityweek.com/hackers-favoring-shimmers-over-skimmers-atm-attacks

Breaches / Leaks

Covering breaches, leaks, data exposures, and their fallout.

• EA Games Login Flaw Exposed Accounts of 300 Million Gamers https://www.securityweek.com/ea-games-login-flaw-exposed-accounts-300-million-gamers
• Dominion National Discovers Breach 9 Years After it Happened https://www.bleepingcomputer.com/news/security/dominion-national-discovers-breach-9-years-after-it-happened/
• Breach at Cloud Solution Provider PCM Inc. https://krebsonsecurity.com/2019/06/breach-at-cloud-solution-provider-pcm-inc/
• Desjardins data breach affecting 2.9 million members leads to class-action lawsuit https://globalnews.ca/news/5416842/desjardins-data-breach-class-action-lawsuit/
• Another AWS S3 exposure by an Israeli based company (Attunity) left 1TB of insecure data including passwords, keys, personal employee information , and customers information including Ford and TD Bank https://business.financialpost.com/news/fp-street/td-bank-internal-files-found-online-in-keys-to-the-kingdom-cloud-data-exposure
• Ex-Equifax CIO Gets 4-Month Prison Term for Insider Trading after Breach https://www.bankinfosecurity.com/ex-equifax-cio-gets-4-month-prison-term-for-insider-trading-a-12704

Privacy

Articles about privacy related news, risks, and trends.

• Italy Fines Facebook $1.1M For Mishandling Data https://www.pymnts.com/news/security-and-risk/2019/italy-fines-facebook-mishandling-data-cambridge-analytica/
• A US Senator asked the FTC to 'take all necessary steps' to ensure YouTube is held accountable for violating children privacy laws https://www.businessinsider.com/sen-markey-suggests-new-childrens-privacy-regulations-for-youtube-2019-6
• New Warning Reveals Gmail's Major Privacy Problem https://www.forbes.com/sites/kateoflahertyuk/2019/06/27/new-warning-reveals-gmails-major-privacy-problem/
• UK's MoD is helping itself to cops' fingerprint database 'unlawfully', rules biometrics chief https://www.theregister.co.uk/2019/06/27/modhelpingselftofingerprintdnadatabase_unlawfully/
• Spanish Soccer League App Spies on Fans to Catch Media Pirates https://www.schneier.com/blog/archives/2019/06/spanishsoccer\.html
• Motel 6 agrees to $10 million settlement over sharing guest lists with ICE https://globalnews.ca/news/5447368/motel-6-ice-settlement/
• Decoding America's spies: What does the NSA's cryptic memo really mean? Citizens illegally spied on again https://www.theregister.co.uk/2019/06/26/nsaspyprogram_aclu/
• Myspace Employees Used to Spy on Users https://www.wired.com/story/myspace-overlord-iot-robert-mueller-security-roundup/

Laws & Regulations / Standards

News about laws, regulations, and standards affecting security, privacy,  technology, and public interest.

• House Passes Election Security and Paper Ballot Bill http://epic.org/2019/06/house-passes-election-security.html
• U.S. May Outlaw Messaging Encryption Used By WhatsApp, iMessage And Others, Report https://www.forbes.com/sites/zakdoffman/2019/06/29/u-s-may-outlaw-uncrackable-end-to-end-encrypted-messaging-report-claims/
• Senate bill would make companies put a price on personal data https://www.engadget.com/2019/06/24/senate-dashboard-bill-data/
• Opinion | Hackers are taking cities hostage. Here’s a way around it - make paying ransomware illegal https://beta-washingtonpost-com.cdn.ampproject.org/c/s/beta.washingtonpost.com/opinions/hackers-are-taking-cities-hostage-heres-a-way-around-it/2019/06/23/f08b79ea-9459-11e9-aadb-74e6b2b
• NIST publishes NISTIR 8228, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks. Details: https://csrc.nist.gov/publications/detail/nistir/8228/final and update https://csrc.nist.gov/news/2019/nist-publishes-nistir-8228
• EPIC Amicus: Georgia's Electronic Voting Machines Unreliable, Fail to Safeguard Secret Ballot http://epic.org/2019/06/epic-amicus-georgias-electroni.html

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• Bulletproof TLS Issue#54 is out. It covers vulnerabilities, research, and developments affecting cryptography and TLS. This month there is a feature on Network Time Security (NTS) https://www.feistyduck.com/bulletproof-tls-newsletter/issue54networktimesecurityntscouldfinallybringsupportforauthenticatednetwork_time
• Google Public DNS over HTTPS (DoH) supports RFC 8484 standard http://security.googleblog.com/2019/06/google-public-dns-over-https-doh.html
• Microsoft to require multi-factor authentication for cloud https://krebsonsecurity.com/2019/06/microsoft-to-require-multi-factor-authentication-for-cloud-solution-providers/
• This should make hardening easier, Microsoft is moving Cortana into a separate app in the Windows store https://www.theverge.com/2019/6/28/19092244/microsoft-cortana-beta-windows-10-microsoft-store
• What Online Application Flaws Should You Be Worried About? https://sector.ca/what-online-application-flaws-should-you-be-worried-about/
• The Other Side of CIS Critical Control 2 - Inventorying Unwanted Software https://isc.sans.edu/diary.html?storyid=25072
• Security in Android Q: Everything Google added to make your phone safer https://www.xda-developers.com/android-q-security-privacy-features/
• Google is Cracking Down on Apps that Request Overly Broad Permissions - Warns of Microsoft SwiftKey Losing Access to Gmail on July 15 https://www.bleepingcomputer.com/news/security/google-warns-of-microsoft-swiftkey-losing-access-to-gmail-on-july-15/
• OpenSSH implements deterrents to the Rambleed attack http://nakedsecurity.sophos.com/2019/06/25/serious-security-rambleed-attacks-blunted-the-openssh-way/
• AWS Announces General Availability of Security Hub https://www.securityweek.com/aws-announces-general-availability-security-hub
• Schools to teach pupils about perils of fake news and catfishing https://www.theguardian.com/technology/2019/jun/26/schoolchildren-to-get-online-safety-advice-on-catfishing-and-fake-news

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• Senate finds US agencies left security holes untouched for a decade https://www.engadget.com/2019/06/25/senate-investigation-into-security-fixes/
• Certain Insulin Pumps Recalled Due to Cybersecurity Issues https://www.bankinfosecurity.com/medtronic-recall-a-12701
• Vulnerability in AMD’s Secure Encrypted Virtualization for EPYC: Update Now to Build 22 https://www.anandtech.com/show/14587/vulnerability-in-amds-secure-encrypted-virtualization-for-epyc-update-now-to-build-22
• Huawei products riddled with backdoors, zero days and critical vulnerabilities https://www.scmagazine.com/home/security-news/vulnerabilities/huawei-products-riddled-with-backdoors-zero-days-and-critical-vulnerabilities/
• Cellebrite Claims It Can Unlock Any iPhone https://www.schneier.com/blog/archives/2019/06/cellebrite_clai.html
• Excel is a bit of a Frankenstein monster of user productivity tools. No surprise that it gets maliciously abused. How Hackers Turn Microsoft Excel's Own Features Against It https://www.wired.com/story/microsoft-excel-hacking-power-query-macros/
• Microsoft Teams Can Be Used to Download and Run Malicious Packages https://www.bleepingcomputer.com/news/security/microsoft-teams-can-be-used-to-download-and-run-malicious-packages/
• Another Vulnerability in Dell's Security Bloatware, Must Update ASAP https://www.digitaltrends.com/web/dell-supportassist-second-vulnerability/
• Presidential alerts can be easily spoofed, thanks to LTE security vulnerabilities https://www.androidpolice.com/2019/06/23/presidential-alerts-can-be-easily-spoofed-thanks-to-lte-security-vulnerabilities/
• Claims of Tesla hack wide of the mark—digging into GNSS hacking https://arstechnica.com/cars/2019/06/claims-of-tesla-hack-wide-of-the-mark-we-dig-into-gnss-hacking/
• Social engineers are skilled tool users that can compromise your lives and businesses https://www.cbsnews.com/news/hacker-ibm-security-social-engineer-invades-cbs-reporters-without-writing-a-single-line-of-code/

Hacking / Malware / Cybercrime / Exploitation

News covering active trends and events.

• The Cybersecurity 202: U.S. businesses are preparing for Iranian hacks after American cyber attack https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2019/06/24/the-cybersecurity-202-u-s-businesses-are-preparing-for-iranian-hacks-a
• China hacked 8 major technology firms in elaborate ‘Cloud Hopper’ attack: report https://globalnews.ca/news/5432525/china-cyberattack-computer-services-cloud-hopper/
• Cloud Hopper breach victims named: Fujitsu, Tata, NTT Data, Dimension Data, CSC and DXC https://www.bankinfosecurity.com/cloud-hopper-major-cloud-services-victims-named-a-12695
• A Likely Chinese Hacker Crew Targeted 10 Phone Carriers to Steal Metadata https://www.wired.com/story/chinese-hackers-carrier-metadata/ and https://www.forbes.com/sites/zakdoffman/2019/06/25/chinese-government-suspected-of-major-hack-on-10-global-phone-companies-reports/
• US cyber attack on Iran exploited flaw in heavily-guarded network, experts say https://www.timesofisrael.com/us-cyber-attack-on-iran-exploited-flaw-in-heavily-guarded-network-experts-say/
• Russian internet giant Yandex reportedly hacked by Western intelligence agency https://www.cnet.com/news/russian-internet-giant-yandex-reportedly-hacked-by-western-intelligence-agency/
• Google – Android vendor hit with supply chain attack https://krebsonsecurity.com/2019/06/tracing-the-supply-chain-attack-on-android-2/
• Tracing the Supply Chain Attack on Android https://krebsonsecurity.com/2019/06/tracing-the-supply-chain-attack-on-android-2/
• SIM swapping - a trivial cell phone hack is ruining lives https://www.engadget.com/2019/06/28/cell-phone-hack-is-ruining-lives-identity-theft/
• MacOS Gatekeeper vulnerability has now been exploited https://9to5mac.com/2019/06/25/macos-gatekeeper-vulnerability-2/
• NASA hacked because of unauthorized Raspberry Pi connected to its network https://www.zdnet.com/article/nasa-hacked-because-of-unauthorized-raspberry-pi-connected-to-its-network/Senate bill would make companies put a price on personal data https://www.engadget.com/2019/06/24/senate-dashboard-bill-data/
• Second US town pays up to ransomware hackers https://www.bbc.com/news/technology-48770128
• Florida LAN: Someone clicks link, again, giving Key Biscayne ransomware https://arstechnica.com/information-technology/2019/06/is-there-something-in-the-water-third-florida-city-hit-by-ransomware/
• Thousands of IoT Devices Bricked By Silex Malware https://threatpost.com/thousands-of-iot-devices-bricked-by-silex-malware/146065/
• New ransomware infections are the worst drive-by attacks in recent memory https://arstechnica.com/information-technology/2019/06/new-ransomware-infections-are-the-worst-drive-by-attacks-in-recent-memory/
• Ex-Senate Aide Sentenced to 4 Years in Prison for Data Leak https://www.securityweek.com/ex-senate-aide-sentenced-4-years-prison-data-leak
• Anonymous and stupid? Hacker threw Molotov cocktail, dropped USB drive of his DDoS deeds http://nakedsecurity.sophos.com/2019/06/26/hacker-threw-molotov-cocktail-dropped-usb-drive-of-his-ddos-deeds/
• Hackers Used Two Firefox Zero Days to Hit a Crypto Exchange https://www.wired.com/story/firefox-vulnerability-coinbase-ransomware-border-hack/
• Hackers Steal Millions from Cryptocurrency Exchange Bitrue https://www.securityweek.com/hackers-steal-millions-cryptocurrency-exchange-bitrue
• Police deploy USB sniffing dogs and arrest 6 in $28M Cryptocurrency Typosquatting Fraud Probe https://www.bankinfosecurity.com/police-arrest-6-in-28-million-cryptocurrency-fraud-probe-a-12691
• Crypto Exchange And XRP Refuge Bitsane Vanishes, Scamming As Many As 246,000 Users https://www.forbes.com/sites/hanktucker/2019/06/27/crypto-exchange-and-xrp-refuge-bitsane-vanishes-scamming-as-many-as-246000-users/
• QuadrigaCX founder used aliases, moved assets into personal accounts: report https://www.cbc.ca/1.5182984
• Nearly 20 Pct Of Bitcoin Traders Have Been Hacked https://www.pymnts.com/blockchain/bitcoin/2019/bitcoin-traders-hacked/

Other Security / Risk

Articles covering other types of risks.

• The "Perception Gap", a study of political divisions in US society, has far broader implications for communication, cooperation, and success https://www.theatlantic.com/ideas/archive/2019/06/republicans-and-democrats-dont-understand-each-other/592324/
• FAA says new potential risk identified on Boeing 737 MAX jets https://globalnews.ca/news/5435154/faa-boeing-737-max-risk/
• DOJ probe expands beyond Boeing 737 MAX, includes 787 Dreamliner https://www.seattletimes.com/business/boeing-aerospace/federal-prosecutors-issue-subpoena-for-boeing-787-dreamliner-records/
• Just when you thought their PR couldn't get any worse - Boeing’s 737 Max Software Outsourced to $9-an-Hour Engineers https://www.bloomberg.com/news/articles/2019-06-28/boeing-s-737-max-software-outsourced-to-9-an-hour-engineers
• Bulgarian IT expert arrested after demoing vulnerability in kindergarten software and downloading masses of data https://www.zdnet.com/article/bulgarian-it-expert-arrested-after-demoing-vulnerability-in-kindergarten-software/
• Google Maps Hit By 11 Million Fake Businesses In 'Costly And Dangerous Deception' https://www.forbes.com/sites/zakdoffman/2019/06/20/google-maps-responds-to-dangerous-deception-of-11-million-fake-businesses/
• A Trump campaign consultant is reportedly making fake websites for Democratic candidates https://www.businessinsider.com/patrick-mauldin-trump-consultant-fake-biden-website-2019-6
• A new study from Princeton reveals how shopping websites use 'dark patterns' to trick you into buying things you didn't actually want https://www.businessinsider.com/dark-patterns-online-shopping-princeton-2019-6
• German WW2 bomb leaves giant crater in field https://www.bbc.co.uk/news/world-europe-48746557
• Krakatau volcano is angry again https://watchers.news/2019/06/26/violent-phreatomagmatic-eruption-at-anak-krakatau-volcano-indonesia/
• Climate change could make some homes uninsurable https://www.cbc.ca/news/thenational/climate-change-could-make-some-homes-uninsurable-1.5179375
• For Almost 100 Years, Scientists Puzzled Over The Tunguska Event https://www.forbes.com/sites/davidbressan/2019/06/29/for-more-than-111-years-scientist-puzzled-over-the-tunguska-event/
• Satellite Captures Airburst Explosion as a Small Asteroid Meteoroid Entered Earth's Atmosphere South of Puerto Rico https://weather.com/news/news/2019-06-26-asteroid-explodes-caribbean-puerto-rico-june-22

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• Coverage Set for NASA Test of Orion Abort System https://www.nasa.gov/press-release/coverage-set-for-nasa-test-of-orion-abort-system-for-moon-to-mars-missions-0
• Earth To Mars In 100 Days? The Power Of Nuclear Rockets https://www.universetoday.com/142689/earth-to-mars-in-100-days-the-power-of-nuclear-rockets/
• 'We could have lost the Apollo 11 crew:' A once-classified anomaly nearly killed NASA's first moon astronauts, a new book reveals https://www.businessinsider.com/classified-apollo-11-anomaly-threatened-to-crash-first-moon-astronauts-2019-6
• NASA’s TESS Mission Finds Its Smallest Planet Yet https://www.nasa.gov/feature/goddard/2019/nasa-s-tess-mission-finds-its-smallest-planet-yet
• How to solve the Hardest Logic Puzzle Ever (the 3 gods of True, False, and Random) logic puzzle - yes it will bake your brain https://getpocket.com/explore/item/how-to-solve-the-hardest-logic-puzzle-ever
• Thousands gather to form world's largest human maple leaf https://www.ctvnews.ca/canada/thousands-gather-to-form-world-s-largest-human-maple-leaf-1.4488550