This Week’s [in]Security – Issue 121 | insecurity | Control Gap

Welcome to This Week’s [in]Security. This week: what's the minimum for PCI, PCI-NIST mapping, more Magecart, payment card fraud on ApplePay and Interac, lifetime breach protection, changing SINs, breached: Amadeus airline services, AavGo hotel services, Bulgaria, Sprint/Samsung, Lenovo storage, 62 US colleges, Desjardins followup, 220M+ more compromised credentials, Equifax nears $700M settlement, mass Slack reset, Kazakhstan intercepting HTTPS, more motherborad vulnerabilities, NIST on TLS certificates, Master keys for GrandCrab ransomware, Russia's FSB exposed through 3rd party, Face morphing app controversy, literally a killer app, $45B lost to cyber attacks, LinkedIn phishing, mass shooting common factors, safer programming languages, cyberlaws in conflict, AirDropped terrorism, swarming Area 51, the Moon landing, and more.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

News and announcements relating to Payment Security, Payments, PCI, and Card Brands.

• What’s the minimum I need to do for PCI? https://controlgap.com/blog/whats-the-minimum-i-need-to-do-for-pci/

• PCI just released articles and documentation mapping PCI and the NISTCybersecurity Framework:

  • Article https://blog.pcisecuritystandards.org/nist-mapping
  • At a glance https://www.pcisecuritystandards.org/pdfs/Mapping-PCI-DSS-to-NIST-Framework-At-a-Glance.pdf
  • Executive Brief https://www.pcisecuritystandards.org/pdfs/Mapping-PCI-DSS-to-NIST-Framework-Executive-Brief.pdf
  • Maping Resource https://www.pcisecuritystandards.org/pdfs/Mapping-PCI-DSS-to-NIST-Framework.pdf

• Payment Fraud:

  • Criminals Enroll Stolen Cards on Apple Pay https://www.bankinfosecurity.com/payment-fraud-criminals-enroll-stolen-cards-on-apple-pay-a-12779
  • TD customers question how Visa Debit chequing accounts were compromised in last weeks news about bogus Spotify charges https://www.cbc.ca/news/canada/nova-scotia/spotify-charges-td-accounts-virtual-debit-cards-1.5213569
• Third-party Risk: Magecart Creditcard Attacks https://www.packetlabs.net/magecart-creditcard-attacks/
• Party Like a Russian, Carder’s Edition https://krebsonsecurity.com/2019/07/party-like-a-russian-carders-edition/

Breaches / Leaks

Covering breaches, leaks, data exposures, and their fallout.

• AavGo apparently left an unsecured ElasticSearch database of 8M records of hotel industry data on the Internet https://www.theregister.co.uk/2019/07/16/aavgohoteldata_breach/
• Hacker steals data of millions of Bulgarians, emails it to local media https://www.zdnet.com/article/hacker-steals-data-of-millions-of-bulgarians-emails-it-to-local-media/
• Sprint says hackers breached customer accounts via Samsung 'add a line' website https://www.zdnet.com/article/sprint-says-hackers-breached-customer-accounts-via-samsung-website/
• Thousands of Legacy Lenovo Storage Devices Exposed Millions of Files https://www.securityweek.com/thousands-legacy-lenovo-storage-devices-exposed-millions-files
• Patch me Amadeus – web security flaw in software used by 500 airlines exposed valid airline boarding passes https://www.bankinfosecurity.com/security-flaw-exposed-valid-airline-boarding-passes-a-12783
• Hackers breach 62 US colleges by exploiting ERP vulnerability https://www.zdnet.com/article/hackers-breach-62-us-colleges-by-exploiting-erp-vulnerability/
• DataSpii: rogue browser extensions collected browser histories from 4M people and companies like Apple, Tesla, Blue Origin https://arstechnica.com/information-technology/2019/07/dataspii-inside-the-debacle-that-dished-private-data-from-apple-tesla-blue-origin-and-4m-people/ and technical details https://arstechnica.com/information-technology/2019/07/dataspii-technical-deep-dive/

• Desjardins:

  • Is free lifelong data breach protection the new normal? https://www.cbc.ca/news/canada/montreal/desjardins-data-breach-protection-1.5212030
  • Changing SINs won't address data breach concerns, says ESDC https://ipolitics.ca/2019/07/15/changing-sins-wont-address-desjardins-data-breach-concerns-says-esdc/
• Another customer of AMCA comes forward with 2.2 million patients affected by the third-party data breach https://techcrunch.com/2019/07/17/millions-patients-amca-breach/
• Equifax to Pay Around $700 Million to Resolve Data-Breach Probes https://www.wsj.com/articles/equifax-to-pay-around-700-million-to-resolve-data-breach-probes-11563577702 and https://www.engadget.com/2019/07/19/equifax-data-breach-ftc-cfpb/
• Slack Initiates Mass Password Reset for 100K users after more credentials from 2015 breach surface https://threatpost.com/slack-password-reset/146545/

• Have I been Pwned gets data from more breaches:

  • Evite, 2013, 100M https://haveibeenpwned.com/PwnedWebsites#Evite
  • piZap, 2017, 41M https://haveibeenpwned.com/PwnedWebsites#piZap
  • SHEIN, 2018, 39M https://haveibeenpwned.com/PwnedWebsites#SHEIN
  • YouNow, 2019, 18M https://haveibeenpwned.com/PwnedWebsites#YouNow ,
  • Animoto, 2018, 22M https://haveibeenpwned.com/PwnedWebsites#Animoto
  • Netlog 2012 22M https://haveibeenpwned.com/PwnedWebsites#Netlog
• The Have I Been Pwned API is changing in part to address systemic abuse. Authentication and a small monthly fee will be required https://www.troyhunt.com/authentication-and-the-have-i-been-pwned-api/
• How Small Mistakes Lead to Major Data Breaches https://www.datex.ca/blog/how-small-mistakes-lead-to-major-data-breaches

Privacy

Articles about privacy related news, risks, and trends.

• Opinion: Knowing the “Value” of Our Data Won’t Fix Our Privacy Problems https://www.eff.org/deeplinks/2019/07/knowing-value-our-data-wont-fix-our-privacy-problems
• There is a controversy over FaceApp and biometrics brewing and it’s being investigated – in part it’s over a Russian company asserting irrevocable rights to your photos https://www.forbes.com/sites/zakdoffman/2019/07/17/fbi-and-ftc-told-to-investigate-russias-faceapp-as-u-s-national-security-risk/ and http://nakedsecurity.sophos.com/2019/07/19/faceapp-panic-sets-internet-alight/
• Deep Dive: ID Verification In The Sharing And Gig Economies https://www.pymnts.com/aml/2019/id-verification-sharing-gig-platform-economy-security-trulioo/
• EFF whitepaper “Gotta Catch 'Em All: Understanding How IMSI-Catchers Exploit Cell Networks” https://www.eff.org/deeplinks/2019/07/announcing-gotta-catch-em-all-understanding-how-imsi-catchers-exploit-cell
• German state bans Office 365, Google, and Apple clouds in schools, citing privacy concerns and GDPR https://www.theverge.com/2019/7/15/20694797/hesse-german-state-gdpr-office-365-schools-illegal-data-protection
• Sharpening Our Claws: Teaching Privacy Badger to Fight More Third-Party Trackers https://www.eff.org/deeplinks/2019/07/sharpening-our-claws-teaching-privacy-badger-fight-more-third-party-trackers
• A Feisty Google Adversary Tests How Much People Care About Privacy (note Bruce Schneier is a proponent of DuckDuckGo) https://www.nytimes.com/2019/07/15/technology/duckduckgo-private-search.html
• Kazakhstan government is now intercepting all HTTPS traffic https://www.zdnet.com/article/kazakhstan-government-is-now-intercepting-all-https-traffic/

Laws

News about laws, regulations, and standards affecting security, privacy,  technology, and public interest.

• Cyberlaws in conflict:

  • Australian encryption laws to run up against CLOUD Act and GDPR: Law Council https://www.zdnet.com/article/encryption-laws-to-run-up-against-cloud-act-and-gdpr-law-council/
  • China’s new privacy law requires explicit consent for things GDPR does not and will require companies operating in China to make more changes for privacy https://www.chinalawblog.com/2019/07/gdpr-meets-its-match-in-china.html
  • The New York Privacy Act goes beyond GDPR and introduces idea of "data fiduciary" https://reclaimthenet.org/new-york-privacy-act-data-fiduciary/
• Draft Bill Proposes Ban On Cryptocurrencies In India https://www.pymnts.com/cryptocurrency/2019/draft-bill-proposes-ban-cryptos-india/
• Opinion: Why WiFi needs a more complete Security standard https://www.forbes.com/sites/forbestechcouncil/2019/07/16/lets-end-the-wild-west-of-wi-fi-security/
• 22% of users would quit WhatsApp if encryption is banned https://www.comparitech.com/blog/vpn-privacy/whatsapp-encryption-ban-study/
• NIST Draft Special Publication (SP) 1800-16, Securing Web Transactions: Transport Layer Security (TLS) Server Certificate Management is open for public comment until September 13, 2019 https://csrc.nist.gov/publications/detail/sp/1800-16/draft

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• Secure programming:

  • We Need a Safer Systems Programming Language https://msrc-blog.microsoft.com/2019/07/18/we-need-a-safer-systems-programming-language/
  • Security Lessons From a New Programming Language for IoT devices https://www.darkreading.com/application-security/security-lessons-from-a-new-programming-language/d/d-id/1335300
  • Software Developers Face Secure Coding Challenges https://www.darkreading.com/application-security/software-developers-face-secure-coding-challenges/d/d-id/1335247
  • Security Teams Often Struggle to Get Developers on Board: GitLab Study https://www.securityweek.com/security-teams-often-struggle-get-developers-board-gitlab-study
• Another approach which has been in the news before is DARPA's Morpheus chip https://nakedsecurity.sophos.com/2019/07/19/shapeshifting-morpheus-chip-aims-to-baffle-hackers/
• Hardware Implementations of NIST Lightweight Cryptographic Candidates: A First Look https://eprint.iacr.org/2019/824
• Article and webinar on mainframe modernization and security https://www.linkedin.com/pulse/dont-forget-security-conversations-around-mainframe-ray-overby/
• Walmart scoring execs against one another on security performance https://www.zdnet.com/article/walmart-scoring-execs-against-one-another-on-security-performance/
• How To Clear Out Your Zombie Apps and Online Accounts https://www.wired.com/story/delete-old-apps-accounts-online/
• Protect Yourself From Camera and Microphone Hacking https://www.consumerreports.org/privacy/how-to-protect-yourself-from-camera-and-microphone-hacking/

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• IoT Shaming – Insulin Pumps - Hackers Made an App That Kills to Prove a Point https://www.wired.com/story/medtronic-insulin-pump-hack-app/
• Your Pa$$word doesn't matter https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Your-Pa-word-doesn-t-matter/ba-p/731984
• Nothing as exotic as BlueKeep, RDP password guessing is fueling attacks http://nakedsecurity.sophos.com/2019/07/17/rdp-exposed-the-wolves-already-at-your-door/
• Another supply chain vulnerability. This one in Gigabyte’s server motherboard’s Baseboard Management Controller (BMC) affects Lenovo, Acer, AMAX, Bigtera, Ciara, Penguin Computing and sysGen https://threatpost.com/firmware-bugs-plague-supply-chain/146519/
• Critical Bug in WordPress Plugin Lets Hackers Execute Code https://www.bleepingcomputer.com/news/security/critical-bug-in-wordpress-plugin-lets-hackers-execute-code/
• Instagram bug could have allowed anyone to take over your account http://nakedsecurity.sophos.com/2019/07/15/instagram-bug-could-have-allowed-anyone-to-take-over-your-account/
• Hackers Can Manipulate Media Files Transferred via WhatsApp, Telegram https://www.securityweek.com/hackers-can-manipulate-media-files-transferred-whatsapp-telegram
• Exfiltrating data, such as passwords, from an air-gapped machine using malware, cameras, and keyboard LEDs http://nakedsecurity.sophos.com/2019/07/15/researchers-read-data-from-air-gapped-machine-using-leds
• ‘Plaintext Recovery Attacks against XTS Beyond Collisions’ is an interesting first look at attack methods aimed at hard disk encryption. XTS-AES is still safe. https://eprint.iacr.org/2019/825
• Windows NT services are assigned a SID based on an SHA-1 hash. Uses nice analogy “the other side of the airtight hatchway“ to conclude the risks of collisions are still negligible https://devblogs.microsoft.com/oldnewthing/20190717-00/?p=102714

Hacking / Malware / Cybercrime / Exploitation

News covering active trends and events.

• XKCD comic: How ‘Hacking’ Works https://xkcd.com/2176/
• FBI Releases Master Decryption Keys for GandCrab Ransomware https://www.bleepingcomputer.com/news/security/fbi-releases-master-decryption-keys-for-gandcrab-ransomware/
• Cyber Attacks Cost $45 Billion in 2018 https://www.securitymagazine.com/articles/90493-cyber-attacks-cost-45-billion-in-2018
• Email scammers extract over $300m a month from American suits' pockets https://www.theregister.co.uk/2019/07/17/emailscammersearnmorethan300mpermonthbytargetingus_businesses/
• Phishing Attack Exploiting New Technique to Hide Base URL Used on American Express Customers https://www.bleepingcomputer.com/news/security/american-express-customers-targeted-by-novel-phishing-attack/
• Iranian backed malicious document spear-phishing campaign using LinkedIn from a University researcher - Hard Pass: Declining APT34’s Invite to Join Their Professional Network https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html
• Hackers breach contractor to Russia's FSB expose Tor deanonymization project https://www.zdnet.com/article/hackers-breach-fsb-contractor-expose-tor-deanonymization-project/
• Meet the World’s Biggest ‘Bulletproof’ Hoster https://krebsonsecurity.com/2019/07/meet-the-worlds-biggest-bulletproof-hoster/
• Ransomware Thugs Extort Indiana County for Over $130,000 in Bitcoin https://www.ccn.com/news/ransomware-thugs-indiana-county-130000-bitcoin/2019/07/13/
• Microsoft warns 10,000 customers they’re targeted by nation-sponsored hackers https://arstechnica.com/tech-policy/2019/07/microsoft-warns-10000-customers-theyre-targeted-by-nation-sponsored-hackers/
• Windows 10 Users Warned Of 100M Malicious Adverts Threat https://www.forbes.com/sites/daveywinder/2019/07/18/windows-10-users-warned-of-100m-advert-bombs-security-threat/
• Scam Of The Week: Microsoft OneNote Audio Note Phishing Emails https://blog.knowbe4.com/scam-of-the-week-microsoft-onenote-audio-note-phishing-emails
• Article by a victim of on how his McDonald's App account was defrauded of $2,000 https://mobilesyrup.com/2019/07/11/how-hackers-stole-2000-mcdonalds-app/ (Note the author doesn’t appear to be aware of the Have I Been Pwned resource https://haveibeenpwned.com/))

Other Security / Risk

Articles covering other types of risks.

• Filed under ‘what could go wrong’ with a short range anonymous messaging app - JetBlue Bomb Scare Set Off with Apple AirDrop https://threatpost.com/jetblue-bomb-scare-apple-airdrop/146482/
• Identity Theft on the Job Market https://www.schneier.com/blog/archives/2019/07/identitytheft\.html
• Viral joke maybe getting real and dangerous - The US Air Force Has a Warning For The 1.1 Million People Wanting to Storm Area 51 http://www.sciencealert.com/the-us-air-force-has-a-warning-for-the-1-1-million-people-wanting-to-storm-area-51
• Study of CEO’s finds Cybersecurity is the biggest threat to the world economy over the next decade https://www.cnbc.com/2019/07/09/cybersecurity-biggest-threat-to-world-economy-ceos-say.html
• Hidden cost (environmental) of America's addiction to absurdly fast shipping https://www.cnn.com/2019/07/15/business/fast-shipping-environmental-impact/index.html
• Europe's satellite navigation system Galileo stops working completely after 'technical incident' https://www.independent.co.uk/life-style/gadgets-and-tech/news/gps-down-not-working-europe-gallileo-sat-nav-navigation-satellites-a9005741.html
• A new Secret Service report shows what criminals behind mass attacks (e.g. shootings) have in common https://www.cnn.com/2019/07/09/politics/secret-service-mass-attacks-report/index.html
• The 5G Health Hazard That Isn’t https://www.nytimes.com/2019/07/16/science/5g-cellphones-wireless-cancer.html
• Rabies nearly always kills when symptoms show, health officer says after Canadian fatality https://globalnews.ca/news/5498593/rabies-death-canada-explainer/
• Cheating at Chess at the Grand Master level https://www.washingtonpost.com/nation/2019/07/15/chess-grandmasters-success-was-unreal-then-he-was-caught-bathroom-with-phone/
• Excessive rainfall in Toronto, driving through standing water, cars removed from major freeway by crane https://www.cp24.com/firefighters-responded-to-12-water-rescue-calls-amid-torrential-downpour-1.4511514
• Historical Fortress of Louisbourg braces for future with modern defenses https://www.cbc.ca/news/canada/nova-scotia/fortress-louisbourg-construction-half-finished-1.5209890

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• Video of Apollo 11’s descent to the Moon https://apod.nasa.gov/apod/ap190717.html
• Cinematographer Says Why It Would Have Been Impossible to Fake The Moon Landing Footage http://www.sciencealert.com/here-s-why-it-would-have-been-impossible-to-fake-the-moon-landings-footage
• A look back at the impossibly unstable X-29 fighter jet concept with inverted wings https://www.cnn.com/style/article/grumman-x-29-nasa-darpa-fighter-plane/index.html
• We didn’t even think you could do this, the first photos of quantum entanglement https://www.sciencealert.com/scientists-just-unveiled-the-first-ever-photo-of-quantum-entanglement