This Week’s [in]Security – Issue 120 | insecurity | Control Gap

Welcome to This Week’s [in]Security. This week: PCI on key blocks and new password management, massive Magecart AWS infection, FTC to fine Facebook $5B. Breaches at Fieldwork Software (cards), GE aviation, and Maryland Department of Labor, and a mega mongo 3rd party breach. Creepy Google Home. Election security. What does password-less mean? CPEs, More IoT nonsense. Hijacking USB dongles, security problems in Android libraries, multiple ransomware attacks and responses, Spotify appears to have a fraud problem with debit cards, espionage, trade secrets, copyright and stock photos, cyber incident impacts, CEO's and board level security, widespread outages, space risks, economic risks, and more.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

News and announcements relating to Payment Security, Payments, PCI, and Card Brands.

• Article on PCI Introduction to Key Blocks and information supplement documents https://blog.pcisecuritystandards.org/key-blocks-101
• Article on the recent PCI FAQ: Can organizations use alternative password management methods to meet PCI DSS Requirement 8? Article https://blog.pcisecuritystandards.org/faq-can-organizations-use-alternative-password-management-methods-to-meet-pci-dss-requirement
• Magecart Hacker Group Infects 17,000+ Domains in AWS S3 Bucket Sweep https://www.wired.com/story/magecart-amazon-cloud-hacks/

Breaches / Leaks

Covering breaches, leaks, data exposures, and their fallout.

• Facebook will reportedly be fined a record $5 billion over privacy mishaps https://www.cnet.com/news/facebook-will-reportedly-be-fined-a-record-5-billion-over-privacy-mishaps/ and https://www.cnbc.com/2019/07/12/ftc-fines-facebook-5-billion-for-privacy-lapses.html
• UK watchdog fined firms £3m for data breaches last year – before GDPR kicked in https://www.theregister.co.uk/2019/07/10/icofinedbusinesses3mlast_year/
• Europe's huge privacy fines (both 1.5% of revenue) against Marriott and British Airways are a warning for Google and Facebook https://www.cnbc.com/2019/07/10/gdpr-fines-vs-marriott-british-air-are-a-warning-for-google-facebook.html
• Fieldwork Software Database Leak Exposed Credit Card Details https://www.zdnet.com/article/fieldwork-software-database-exposed-full-credit-card-details-of-business-customers/
• MongoDB Database Exposed 188 Million Records Scraped or Purchased from Pipl and LexisNexus https://www.bankinfosecurity.com/mongodb-database-exposed-188-million-records-researchers-a-12769
• GE Aviation exposes private keys to the public on a misconfigured Jenkins instance https://www.theregister.co.uk/2019/07/09/geaviationjenkinsdnssnafu/
• Maryland Department of Labor Announces Data Breach https://www.securityweek.com/maryland-department-labor-announces-data-breach
• After leak, Google admits workers and contractors can listen to what people say to its AI home devices https://www.theguardian.com/technology/2019/jul/11/google-home-assistant-listen-recordings-users-privacy
• Data from Desjardins breach likely sold to foreign criminals https://finance.yahoo.com/news/data-from-desjardins-breach-likely-sold-to-foreign-criminals-report-154442644.html
• Pushing for an emergency Commons committee meeting after Desjardins breach https://www.cbc.ca/news/politics/scheer-meeting-desjardins-1.5204161
• Legal Implications of the AMCA Data Breach https://www.bankinfosecurity.com/interviews/legal-implications-amca-data-breach-i-4378
• Premera Blue Cross pays states $10 million over data breach https://www.seattletimes.com/business/premera-blue-cross-pays-states-10-million-over-data-breach/

Privacy

Articles about privacy related news, risks, and trends.

• Google Home Silently Captures Recordings - No Wake Up Word Used - of Domestic Violence and More https://threatpost.com/google-home-recordings-domestic-violence/146424/
• Windows 7 users upset by unwanted Patch Tuesday telemetry added to security only update http://nakedsecurity.sophos.com/2019/07/12/windows-7-users-upset-by-unwanted-patch-tuesday-telemetry/
• Tracking Bluetooth's by busting MAC randomization https://www.theregister.co.uk/2019/07/12/untraceablebluetoothexposed/
• ICE Used Facial Recognition to Mine State Driver’s License Databases https://www.nytimes.com/2019/07/07/us/politics/ice-drivers-licenses-facial-recognition.html
• Canadians can expect to have their personal information collected at Canada-U.S. border https://www.ctvnews.ca/politics/canadians-can-expect-to-have-their-personal-information-collected-at-canada-u-s-border-1.4505673

Laws & Regulations / Standards

News about laws, regulations, and standards affecting security, privacy,  technology, and public interest.

• FEC: US Political Campaigns Can Use Discounted Cybersecurity Services https://krebsonsecurity.com/2019/07/fec-campaigns-can-use-discounted-cybersecurity-services/
• NIST Draft Cybersecurity White Paper, A Taxonomic Approach to Understanding Emerging Blockchain Identity Management Systems (IDMS) is open for public comment until August 9, 2019. Publication details: https://csrc.nist.gov/publications/detail/white-paper/2019/07/09/a-taxonomic-approach-to-understanding-emerging-blockchain-idms/draft and CSRC update: https://csrc.nist.gov/news/2019/draft-white-paper-emerging-blockchain-idms
• Solving the WHOIS / Privacy (GDPR) Problem - a draft: https://isc.sans.edu/diary.html?storyid=25108
• 'Terrible idea': Online security experts warn against online voting in N.W.T. elections https://www.cbc.ca/news/canada/north/online-voting-northwest-territories-election-1.5207356
• Bipartisan bill to force DHS to alert the public of hacking attempts on election computer systems https://www.theregister.co.uk/2019/07/11/electionsecuritybill/
• Court Rules Computer Experts May Examine Georgia Voting Systems http://epic.org/2019/07/court-computer-experts-may-exa.html
• Interoperability: Fix the Internet, Not the Tech Companies https://www.eff.org/deeplinks/2019/07/interoperability-fix-internet-not-tech-companies
• US launches inquiry into French plan to tax tech giants https://www.bbc.co.uk/news/world-europe-48945828

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• DoH - “Mozilla aren’t villains after all” – ISPs back down after public outcry http://nakedsecurity.sophos.com/2019/07/11/mozilla-arent-villains-after-all/
• Microsoft adds new 'passwordless' sign-in option with latest Windows 10 20H1 test build https://www.zdnet.com/article/microsoft-adds-new-passwordless-sign-in-option-with-latest-windows-10-20h1-test-build/
• Why a PIN is better than a password (Windows 10) – we always though PIN was a terrible name for this control https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password
• Pwned Passwords gets new batches of busted passwords in version 5 https://www.troyhunt.com/pwned-passwords-version-5/
• Phishing for Awareness vs Phishing for Security? https://www.packetlabs.net/phishing-for-security/
• Firefox will not trust certificates from DarkMatter over firm’s involvement in UAE spying https://www.forbes.com/sites/kateoflahertyuk/2019/07/10/firefox-blocks-u-a-e-spy-firm-after-state-sponsored-hacking-claims/
• Instagram's anti-bullying AI asks users: 'Are you sure you want to post this?' https://www.theguardian.com/technology/2019/jul/09/instagram-bullying-new-feature-do-you-want-to-post-this
• Grizzly Browser Fuzzing Framework https://blog.mozilla.org/security/2019/07/10/grizzly/
• A gentle introduction to Linux Kernel fuzzing https://blog.cloudflare.com/a-gentle-introduction-to-linux-kernel-fuzzing/
• Hackers' Operating System Kali Linux Released for Raspberry Pi 4 https://thehackernews.com/2019/07/kali-linux-raspberry-pi-4.html
• Cardiac Biometric https://www.schneier.com/blog/archives/2019/07/cardiac_biometr.html
• Continuing Professional Education (CPE) - Coursera, a provider of high quality free online courses, introduces their Global Skills Index of high demand skills. No surprise that cybersecurity is on the list. https://blog.coursera.org/introducing-the-coursera-global-skills-index/

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• U.S. Coast Guard Issues Cybersecurity Warnings for Commercial Vessels https://www.securityweek.com/us-coast-guard-issues-cybersecurity-warnings-commercial-vessels
• 2019 Cloud Security Report sponsored by (ISC)² surveyed
  LinkedIn's cybersecurity community https://www.isc2.org/resource-center/reports/cloud-security-report
• Windows 10 security: Bad bug in our CPU diagnostics app, so patch now, says Intel https://www.zdnet.com/article/windows-10-security-bad-bug-in-our-cpu-diagnostics-app-so-patch-now-says-intel/
• Rogue Android apps ignore your permissions through side and covert channel attacks and naughty libraries caching sensitive data http://nakedsecurity.sophos.com/2019/07/10/android-apps-sidestepping-permissions-to-access-sensitive-data/
• Privacy and security risks as Sign In with Apple's modifications to the Open ID protocol https://nakedsecurity.sophos.com/2019/07/08/privacy-and-security-risks-as-sign-in-with-apple-tweaks-open-id-protocol/
• Serious Security Flaw With Teleconferencing App Could Allow Websites to Hijack Mac Webcams https://gizmodo.com/serious-security-flaw-with-teleconferencing-app-allowed-183620243
• Apple disabled the Walkie-Talkie app over spying flaw https://www.securityweek.com/flaw-walkie-talkie-app-apple-watch-allows-spying
• Logitech wireless USB dongles vulnerable to new hijacking flaws https://www.zdnet.com/article/logitech-wireless-usb-dongles-vulnerable-to-new-hijacking-flaws/
• Remote code backdoor targeting production systems discovered in Ruby strongpassword library by attentive developer [http://nakedsecurity.sophos.com/2019/07/09/backdoor-discovered-in-ruby-strongpassword-library/](http://nakedsecurity.sophos.com/2019/07/09/backdoor-discovered-in-ruby-strong_password-library/)
• Researchers Disclose Vulnerability in Siemens' ICS Software https://www.bankinfosecurity.com/researchers-disclose-vulnerability-in-siemens-ics-software-a-12765
• IoT Hacked Hair Straighteners Can Threaten Homes and Start Fires https://threatpost.com/firestarter-hacked-hair-straighteners/146434/
• Huawei has gagged infosec researchers https://www.theregister.co.uk/2019/07/09/huaweitoaddresssecurityholes/
• New Samba release finally disables SMBv1 by default https://isc.sans.edu/diary.html?storyid=25116
• July Patch Tuesday Lowdown https://krebsonsecurity.com/2019/07/patch-tuesday-lowdown-july-2019-edition/

Hacking / Malware / Cybercrime / Exploitation

News covering active trends and events.

• Agent Smith Malware Infects 25M Android Phones With Rogue Ads Pushing Malware That ‘Hides In WhatsApp’ https://threatpost.com/malware-agent-smith-android-ads/146359/ and https://www.forbes.com/sites/thomasbrewster/2019/07/10/25-million-android-phones-infected-with-malware-that-hides-in-whatsapp/
• Microsoft Confirms Windows 'Great Duke Of Hell' File-less Malware Attack https://www.forbes.com/sites/daveywinder/2019/07/09/microsoft-confirms-windows-great-duke-of-hell-malware-attack/
• Whitehats use DoS attack to temporarily shut down ransomware campaign https://arstechnica.com/information-technology/2019/07/whitehats-use-dos-attack-to-shut-down-ransomware-campaign-but-only-temporarily/
• Cybersecurity: Malware lingers in SMBs for an average of 800 days before discovery https://www.techrepublic.com/article/cybersecurity-malware-lingers-in-smbs-for-an-average-of-800-days-before-discovery/
• Ransomware Targets QNAP Storage Devices https://www.bankinfosecurity.com/report-ransomware-targets-qnap-storage-devices-a-12774
• US mayors resolve not to pay hackers over ransomware attacks https://www.cnet.com/news/us-mayors-adopt-resolution-to-not-pay-hackers-over-ransomware-attacks/
• Who’s Behind the GandCrab Ransomware? https://krebsonsecurity.com/2019/07/whos-behind-the-gandcrab-ransomware/
• Eastern Ontario community hit with ransomware attack https://www.cbc.ca/news/canada/ottawa/the-nation-eastern-ontario-ransomware-1.5204732
• Monroe College Hit With Ransomware, $2 Million Demanded https://www.bleepingcomputer.com/news/security/monroe-college-hit-with-ransomware-2-million-demanded/
• Indiana County Disabled by Malware Attack https://www.securityweek.com/indiana-county-disabled-malware-attack
• Ransomware Recovery Firms Who Secretly Pay Hackers https://www.schneier.com/blog/archives/2019/07/ransomware_reco.html
• Canadians seeing unauthorized debit card transactions from Spotify https://www.cbc.ca/news/canada/nova-scotia/spotify-charges-debit-account-unauthorized-withdrawals-1.5206053
• $32m stolen from Tokyo cryptocurrency exchange in latest hack https://www.theguardian.com/technology/2019/jul/12/tokyo-cryptocurrency-exchange-hack-bitpoint-bitcoin
• Google Suspends Fraudulent Samsung Update App https://www.pymnts.com/news/security-and-risk/2019/google-suspends-fraudulent-samsung-update-app/
• 7-Eleven Japan suspends mobile app after data breach https://www.mobilepaymentstoday.com/news/7-eleven-japan-suspends-mobile-app-after-data-breach/
• Latest FinSpy Modules Lift Data from Secure Messaging Apps https://threatpost.com/finspy-modules-secure-messaging-apps/146372/
• Confirmed: Microsoft Windows Zero-Day Exploit Used In Government Espionage Operation https://www.forbes.com/sites/daveywinder/2019/07/12/confirmed-microsoft-windows-zero-day-exploit-used-in-government-espionage-operation/
• Sea Turtle's DNS Hijacking Continues Despite Exposure https://www.securityweek.com/sea-turtles-dns-hijacking-continues-despite-exposure
• Details of the Cloud Hopper Attacks https://www.schneier.com/blog/archives/2019/07/detailsofthe_2.html
• Ex-Tesla Engineer: OK, Yes, I Uploaded Autopilot Trade Secrets To My iCloud, What's The Big Deal? https://www.gizmodo.com.au/2019/07/ex-tesla-engineer-okay-yes-i-uploaded-autopilot-trade-secrets-to-my-icloudwhats-the-big-deal/
• Theft of trade secrets https://www.zdnet.com/article/engineer-flees-to-china-after-stealing-source-code-of-us-train-firm/

Other Security / Risk

Articles covering other types of risks.

• Cybersecurity incidents cost businesses $45B last year https://www.techrepublic.com/article/cybersecurity-incidents-cost-businesses-45b-last-year/
• Financial Impacts of Cybersecurity Events https://www.packetlabs.net/financial-impact-of-cybersecurity/
• The Hidden Peril – Are boards and CEOs asking the right incident preparedness questions? A look at our assumptions of resilience https://www.itworldcanada.com/blog/the-hidden-peril-are-boards-and-ceos-asking-the-right-incident-preparedness-questions/419712
• Good Governance: Do Boards Need Cyber Security Experts? https://www.forbes.com/sites/robinferracone/2019/07/09/good-governance-do-boards-need-cyber-security-experts/
• Major wireless outage disrupts Canadian cellular services https://www.cbc.ca/news/business/network-outages-affecting-voice-service-1.5203461
• Reddit and Twitter went down for thousands of users last Thursday https://www.businessinsider.com/reddit-down-error-message-downdetector-2019-7 and https://www.businessinsider.com/twitter-is-down-website-app-experience-outage-thursday-2019-7
• LinkedIn went down as well https://www.businessinsider.com/linkedin-is-down-social-network-suffers-outage-wednesday-2019-7
• The deep-dive into how Verizon and a BGP Optimizer Knocked Large Parts of the Internet Offline https://blog.cloudflare.com/the-deep-dive-into-how-verizon-and-a-bgp-optimizer-knocked-large-parts-of-the-internet-offline-monday/
• Windows 10 System File Checker (SFC) /scannow Can't Fix Corrupted Files After Update https://www.bleepingcomputer.com/news/microsoft/windows-10-sfc-scannow-cant-fix-corrupted-files-after-update/
• A Reminder That 'Fake News' Is An Information Literacy Problem - Not A Technology Problem https://www.forbes.com/sites/kalevleetaru/2019/07/07/a-reminder-that-fake-news-is-an-information-literacy-problem-not-a-technology-problem/
• Russia's RT banned from UK media freedom conference https://www.bbc.co.uk/news/world-europe-48919085
• The Problem of Copyright Fraud and Stock Photo Sites - UK Magazine Blames Stock Photo Site for Stolen Photo Used on Cover https://fstoppers.com/news/uk-magazine-blames-stock-photo-site-stolen-photo-used-cover-388141
• France may seize drivers licenses from distracted drivers if caught on phone https://nationalpost.com/news/world/french-may-be-driven-off-road-if-caught-on-phone
• How common is mail forwarding fraud? Canada Post won't say https://www.cbc.ca/news/canada/nova-scotia/crown-corporation-canada-post-mail-forwarding-fraud-foi-1.5203831
• You have to be kidding this is what IoT brings us - Resetting Your GE Smart Light Bulb – https://www.schneier.com/blog/archives/2019/07/resettingyour\.html
• Freak Fatal Accident With Metal Straw Highlights a Risk https://www.nytimes.com/2019/07/11/world/europe/metal-straws-death.html
• Will planting 1 billion hectares of trees slow down climate change? https://globalnews.ca/news/5471379/planting-trees-climate-change-theory/
• Cleaning up space junk before it threatens our satellites and spacecraft https://scienmag.com/cleaning-up-the-cosmic-neighborhood/
• Astronomers hunting dangerous rocks spot a large (1km) and hard to spot Atira (sunwards) asteroid with a 151 day ‘year’ – this one is no a threat to Earth https://www.syfy.com/syfywire/2019-lf6-the-asteroid-with-the-shortest-year-known
• Bombardier job cuts raise questions on impact of Buy America Act https://www.cbc.ca/news/business/bombardier-buy-america-job-cuts-canada-1.5206922
• A critical recession indicator is dangerously close to a threshold that's signaled every meltdown since 1960 https://www.businessinsider.com/next-recession-nearing-as-100-percent-reliable-signal-flashes-red-2019-7
• Cyber Spies Take A Step Out Of The Shadows With History Of Codebreaking https://www.zdnet.com/article/cyber-spies-take-a-step-out-of-the-shadows-with-history-of-codebreaking/

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• Critical Thinking: That Giant Asteroid of Gold Recently Reported in Many Tabloids Won’t Make Us Richer https://www.bloomberg.com/opinion/articles/2019-07-08/asteroid-16-psyche-and-all-that-gold-won-t-make-earth-richer
• Striking NASA Maps Reveal How The California Earthquakes Altered The Planet's Surface http://www.sciencealert.com/nasa-maps-reveal-how-the-california-earthquakes-altered-the-surface-of-the-planet
• If you’re older than 27 you were born into a universe where the only known planets were in our solar system, now there are over 4000. This article and video illustrates these discoveries https://www.syfy.com/syfywire/4000-exoplanets-in-sight-and-sound
• 5 Terrifying Moments During the Apollo 11 Moon Landing Mission https://history.com/news/apollo-11-moon-landing-terrifying-moments
• New photo of the super massive, and thankfully distant, star Eta Carinae that could go supernova soon https://www.universetoday.com/142734/hubble-has-a-brand-new-picture-of-the-massive-star-eta-carinae-it-could-detonate-as-a-supernova-any-day-now/