This Week’s [in]Security – Issue 122
Welcome to This Week’s [in]Security. This week: PCI: SSF FAQ document, Contactless COTS comment period, CPEs. Breaches: QuickBit, Robinhood. Breach followups: Citrix, Facebook, Equifax, AMCA. 2019 Breach Cost Study. Netflix film on Cambridge Analytica. Anonymization fails, changing the encryption backdoor debate, fooling an anti-malware ‘AI’, weak AES keys, election security, Observatory for Internet Abuse, detecting fake images, the Cybersecurity Visuals Challenge, payroll phishing, a new look at the climate change problem, and more.
Now here’s this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.
This Week [in]Security will be on hiatus next week; issue 123 will return in two weeks.
PCI Compliance and Payments
News and announcements relating to Payment Security, Payments, PCI, and Card Brands.
- Article on PCI Software Security Framework FAQS: PA-DSS Impact and Transition https://blog.pcisecuritystandards.org/pci-software-security-framework-faqs-pa-dss-impact-and-transition
- SSF FAQs have been published in a standalone document https://www.pcisecuritystandards.org/documents/FAQs-for-PCI-Software-Security-Framework-v2.pdf
- PCI Request for Comments: Contactless Payments on COTS Standard https://blog.pcisecuritystandards.org/request-for-comments-contactless-payments-on-cots-standard
- PCI SSC 5 Common Questions About Continuing Professional Education Credits https://blog.pcisecuritystandards.org/5-common-questions-about-continuing-professional-education-credits
- Updated FAQ 1458 https://pcissc.secure.force.com/faq/articles/Frequently_Asked_Question/What-date-should-be-used-for-Date-of-Report-in-the-ROC
Breaches / Leaks
Covering breaches, leaks, data exposures, and their fallout.
- The 2019 IBM Ponemon Cost of a Breach Study is now available https://www.ibm.com/security/data-breach
- Crypto Exchange QuickBit Confirms Data Breach That May Impact 300,000 Users https://www.coindesk.com/crypto-exchange-quickbit-confirms-data-breach-impacting-300000-users
- Stock Trading Firm Robinhood Stored User Passwords in Plaintext https://www.securityweek.com/stock-trading-firm-robinhood-stored-user-passwords-plaintext
- Data breach of vendor puts personal info of TN high school students at risk https://www.wsmv.com/news/data-breach-of-vendor-puts-personal-info-of-tn-high/article_a319c472-ad73-11e9-a209-a7cf327c76a3.html
- Citrix Confirms Password-Spraying (aka userID guessing) Attack Used in Heist of Reams of Internal IP https://threatpost.com/citrix-confirms-password-spraying-heist/146641/
- Have I Been Pwned adds more accounts
  - EatStreet, 2019, 6M https://haveibeenpwned.com/PwnedWebsites#EatStreet
  - Xiaomi (unverified), 2012, 7M https://haveibeenpwned.com/PwnedWebsites#Xiaomi
- Yet Again, More Victims Added to AMCA Breach Tally https://www.bankinfosecurity.com/more-victims-added-to-amca-breach-tally-again-a-12817
- What You Should Know About the Equifax Data Breach Settlement https://krebsonsecurity.com/2019/07/what-you-should-know-about-the-equifax-data-breach-settlement/
- Knowing About Your Security Flaws And Not Patching: Priceless? Actually: $575 Million https://www.forbes.com/sites/danpitman1/2019/07/22/knowing-about-your-security-flaws-and-not-patching-priceless-actually-575-million/
- Facebook’s FTC fine was reportedly going to be tens of billions of dollars, and would’ve held Mark Zuckerberg personally responsible https://www.businessinsider.com/facebook-ftc-fine-deal-explained-2019-7
- The other shoe drops in the $5B Facebook settlement – 20 years privacy program https://thehackernews.com/2019/07/ftc-facebook-privacy-program.html
- The Great Hack – Netflix production about Cambridge Analytica and the dark side of social media in the wake of the 2016 U.S. presidential election. https://www.netflix.com/title/80117542
Privacy
Articles about privacy-related news, risks, and trends.
- Anonymizing personal data ‘not enough to protect privacy,’ shows new study https://techxplore.com/news/2019-07-anonymizing-personal-privacy.html
- A new Facebook privacy flaw allowed thousands of children on Messenger Kids to enter group chats with strangers https://www.businessinsider.com/facebook-messenger-kids-group-chat-privacy-flaw-2019-7
- Marketing biz bares folks’ data in the act of asking for their GDPR communication preferences https://www.theregister.co.uk/2019/07/22/sprint_education_gdpr_email_fail/
- Data slurped from 4 million browsers still available via Google Analytics https://arstechnica.com/information-technology/2019/07/data-slurped-from-4-million-browsers-still-available-via-google-analytics/
Laws & Regulations / Standards
News about laws, regulations, and standards affecting security, privacy, technology, and public interest.
- Schneier reviews Attorney General William Barr’s position on encryption policy – the debate’s approach may be changing for the better https://www.schneier.com/blog/archives/2019/07/attorney_genera_1.html
- PSD2, Strong Customer Authentication (SCA) And Exemptions To The Extension https://www.pymnts.com/authentication/2019/psd2-sca-and-exemptions-to-the-extension/
- New York’s Revenge Porn Law Is a Flawed Step Forward https://www.wired.com/story/new-york-revenge-porn-law/
Defense / Techniques / Solutions
Covering developments and opportunities that may help improve security.
- Facebook’s Ex-Security Chief Details His ‘Observatory’ for Internet Abuse https://www.wired.com/story/alex-stamos-internet-observatory/
- NSA to Form New Cybersecurity Directorate https://www.darkreading.com/threat-intelligence/nsa-to-form-new-cybersecurity-directorate/d/d-id/1335333
- Re-Thinking Supply Chain Security https://www.bankinfosecurity.com/interviews/re-thinking-supply-chain-security-i-4383
- Chrome 76 blocks websites from detecting incognito mode https://nakedsecurity.sophos.com/2019/07/22/chrome-76-blocks-websites-from-detecting-incognito-mode/
- Security Considerations in a BYOD Culture https://www.darkreading.com/edge/theedge/security-considerations-in-a-byod-culture/b/d-id/1335178
Bugs / Design Flaws / Vulnerabilities / Research
Articles about newly discovered vulnerabilities and research.
- Researchers Easily Trick Cylance’s AI-Based Antivirus Into Thinking Malware Is ‘Goodware’ https://www.vice.com/en_us/article/9kxp83/researchers-easily-trick-cylances-ai-based-antivirus-into-thinking-malware-is-goodware
- Weak-Key Subspace Trails and Applications to AES https://eprint.iacr.org/2019/852
- Re-evaluating Network Security – It is Increasingly More Complex https://isc.sans.edu/diary.html?storyid=25152
- Critical RCE Flaw in Palo Alto Gateways Hits Uber https://threatpost.com/critical-rce-flaw-palo-alto-gateways-uber/146606/
- A New ‘Arbitrary File Copy’ Flaw Affects ProFTPD Powered FTP Servers https://thehackernews.com/2019/07/linux-ftp-server-security.html
- Bug in NVIDIA’s Tegra Chipset Opens Door to Malicious Code Execution https://threatpost.com/nvidias-tegra-chipset-attack/146561/
- U.S. Warns of 5G Wireless Network Security Risks https://www.securityweek.com/us-warns-5g-wireless-network-security-risks
Hacking / Malware / Cybercrime / Exploitation
News covering active trends and events.
- Israeli Spyware Firm Accused Of Hacking Apple, Facebook And Google Responds (Updated) https://www.forbes.com/sites/zakdoffman/2019/07/19/israeli-whatsapp-spyware-now-targets-icloud-google-and-facebook-via-phones-report/
- Ex-NSA Contractor Gets 9 Years for Retaining Defense Data https://www.darkreading.com/threat-intelligence/ex-nsa-contractor-gets-9-years-for-retaining-defense-data/d/d-id/1335312
- Siemens Contractor Pleads Guilty to Planting ‘Logic Bomb’ in Spreadsheets https://thehackernews.com/2019/07/siemens-logic-bomb.html
- Neo-Nazi SWATters Target Dozens of Journalists https://krebsonsecurity.com/2019/07/neo-nazi-swatters-target-dozens-of-journalists/
- Ransomware Attack Cripples South African Power Company’s Entire Network https://www.bleepingcomputer.com/news/security/ransomware-attack-cripples-power-company-s-entire-network/
- Attackers Turn Elasticsearch Databases Into DDoS Bots https://www.securityweek.com/attackers-turn-elasticsearch-databases-ddos-bots
- Adware Is the Malware You Should Actually Be Worried About https://www.wired.com/story/adware-most-common-malware/
- Advanced mobile surveillanceware, made in Russia, found in the wild https://arstechnica.com/information-technology/2019/07/advanced-mobile-surveillanceware-made-in-russia-found-in-the-wild/
- Quickbooks’ cloud host, Insynq, hit by ransomware (Krebs on Security) https://krebsonsecurity.com/2019/07/quickbooks-cloud-hosting-firm-insynq-hit-in-ransomware-attack/
- FIN8 Group Returns, Targeting POS Devices With New Tools https://www.bankinfosecurity.com/fin8-group-returns-targeting-pos-devices-new-tools-a-12819
- China-Linked Threat Actor Using New Backdoor https://www.securityweek.com/china-linked-threat-actor-using-new-backdoor
- Phishing Attack Aimed at Stealing Payroll Deposits https://www.databreachtoday.com/phishing-attack-aimed-at-stealing-payroll-deposits-a-12804
- Alleged identity thief arrested in Penticton after 30 pieces of identification found in vehicle https://globalnews.ca/news/5679143/alleged-identity-thief-arrested-in-penticton-after-30-pieces-of-identification-found-in-vehicle/
Other Security / Risk
Articles covering other types of risks.
- Matrices, hoodies, and thugs. Oh my! The cybersecurity visuals challenge hopes to remedy the sorry state of cyber images https://www.openideo.com/challenge-briefs/cybersecurity-visuals
- Identifying a Fake Picture Online Is Harder Than You Might Think https://www.snopes.com/ap/2019/07/26/identifying-a-fake-picture-online-is-harder-than-you-might-think/
- Opinion: Efforts on climate change have been problematic and ineffective; a moon-shot approach is needed to find solutions https://www.forbes.com/sites/stevedenning/2019/07/21/implementing-the-one-viable-solution-to-climate-change/
- Cyber-insurance, nation state malware, and acts of war – Cyberlaw wonks squint at NotPetya insurance smackdown: Should ‘war exclusion’ clauses apply to network hacks? https://www.theregister.co.uk/2019/07/26/do_insurance_war_exclusion_clauses_apply_to_cyberattacks/
- AI’s Minority Report for retail: They know you’ll return it even before you buy it https://www.zdnet.com/article/a-i-s-minority-report-for-retail-they-know-youll-return-it-even-before-you-buy-it/
- Ad Tool Facebook Built to Fight Disinformation Doesn’t Work as Advertised https://www.nytimes.com/2019/07/25/technology/facebook-ad-library.html
- The Unsexy Threat to Election Security https://krebsonsecurity.com/2019/07/the-unsexy-threat-to-election-security/
- Let’s Destroy Democracy https://blog.talosintelligence.com/2019/07/lets-destroy-democracy.html
- AML Compliance Costs Nordic Banks https://www.pymnts.com/news/banking/2019/aml-costs-nordic-banks/
- How did YouTube help spread a conspiracy theory? https://www.bbc.co.uk/news/stories-49021903
- Bracebridge OPP respond to almost 400 pocket dials, unintentional 911 calls in first 3 weeks of July https://globalnews.ca/news/5679614/bracebridge-opp-unintentional-911-calls/
- Why the WHO’s Emergency Declaration for Ebola Is a Big Deal https://www.scientificamerican.com/article/why-the-whos-emergency-declaration-for-ebola-is-a-big-deal/
Off-Topic / Science & Tech / Lighter Side
A variety of scientific, technical, historical, and more light-hearted news.
- New Device That Channels Heat Into Light Could Boost Solar Cell Efficiency to 80% http://www.sciencealert.com/device-that-channels-heat-into-light-could-boost-solar-efficiency-to-80-percent
- Solar sails are no longer SciFi – LightSail2 Deploys Its Sails https://www.universetoday.com/142938/drama-in-low-earth-orbit-as-lightsail2-deploys-its-sails/
- Tiny New Species of Shark That Glows in The Dark http://www.sciencealert.com/researchers-have-just-identified-a-new-species-of-shark-it-has-pockets-that-glow-in-the-dark
- Gaia Mission is Mapping Out the Bar at the Center of the Milky Way https://www.universetoday.com/142877/gaia-mission-is-mapping-out-the-bar-at-the-center-of-the-milky-way/
Becoming PCI compliant can be difficult, so why not let Control Gap guide you? We are the largest dedicated PCI compliance company in Canada. Contact us today and learn more about how we can help you: Get PCI Compliant. Stay PCI Compliant.