This Week’s [in]Security – Issue 123 | insecurity | Control Gap

Welcome to This Week’s [in]Security. This week: PCI - the first listed SPoC solution, DSS v4 development. PCI, Visa, and Retail & Hospitality ISAC coordinate Magecart security alerts. Bypassing Visa contact-less limits. Capital One - 106M record cloud breach, arrest, analysis, investigations, and lawsuits. Breaches - CafePress, Mexican bookstore, POS supply chain, Amazon cloud backups, Honda, FormGet, ambulance and police services. Equifax short cash for payouts. GDPR used to breach GDPR. GDPR revenue impact. PSD2 and e-commerce. EU companies on hook for FB likes. The "going Dark" debate rages. Encryption in space is hard. Abusing the Blockchain. Vulnerabilities - small planes, DSLRs, more Spectre, SCADA, WPA3, Qualcomm-Android, 40+ Windows drivers, 200M IoT devices. No open instant message malware. Mobile carrier insecurity. Selling and buying insecure kit. War-Shipping. Pseudoscience social media risks. The TSA finds a missile launcher in checked luggage. And more.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

News and announcements relating to Payment Security, Payments, PCI, and Card Brands.

• Software-based PIN Entry on COTS (SPoC) Solutions https://www.pcisecuritystandards.org/assessorsandsolutions/spoc_solutions
• 3 Things to Know about PCI DSS v4.0 Development https://blog.pcisecuritystandards.org/3-things-to-know-about-pci-dss-v4-0-development

• Major warning on Magecart

  • PCI Council & Retail ISAC Issue Magecart Warning https://www.infosecurity-magazine.com/news/pci-isac-magecart/
  • Two Leading Cybersecurity Organizations Issue Joint Bulletin on Threat of Online Skimming to Payment Security https://www.pcisecuritystandards.org/aboutus/pressreleases/pr_08012019
  • PCI Security Standards Council bulletin on the threat of online skimming to payment security https://www.pcisecuritystandards.org/pdfs/PCISSCMagecartBulletinRHISACFINAL.pdf
  • Visa Security Alert: eCommerce JavaScript Skimming Campaign Targeting Service Providers http://click.broadcasts.visa.com/xfm/?25583/0/4a81a9a2ac91ca288c494f38f792bf1f/lonew
  • The Threat of Online Skimming to Payment Security https://blog.pcisecuritystandards.org/the-threat-of-online-skimming-to-payment-security
• Information Supplement: Best Practices for Maintaining PCI DSS Compliance https://blog.pcisecuritystandards.org/information-supplement-best-practices-for-maintaining-pci-dss-compliance
• Researchers claim they can break your VISA credit card's £30 contactless limit https://www.forbes.com/sites/thomasbrewster/2019/07/29/exclusive-hackers-can-break-your-credit-cards-30-contactless-limit/
• Deep dive into recent reports of bypassing VISA contactless CVM limits https://www.linkedin.com/pulse/bypassing-contactless-cvm-limits-andrew-jamieson
• Bank of America will terminate its merchant services partnership with First Data when the ten-year contract expires in June 2020 https://www.finextra.com/newsarticle/34190/bofa-terminates-first-data-partnershipjpm-chase-closes-collaboration-with-ondeck
• Visa makes a change to the U.S. domestic EMV activation deadline for Automated Fuel Dispensers https://usa.visa.com/visa-everywhere/security/emv-at-the-pump.html
• New credit card payment rules for Quebecers take effect https://www.cbc.ca/news/canada/montreal/credit-card-rules-quebec-in-effect-1.5232380
• Chase Bank wipes out all outstanding credit card debt owed by Canadian users as part of Canadian exit https://toronto.citynews.ca/2019/08/08/chase-bank-wipes-out-all-outstanding-credit-card-debt-owed-by-canadian-users-2/

Breaches / Leaks

Covering breaches, leaks, data exposures, and their fallout.

• 106M Capital One breach, arrest, analysis, investigations, and lawsuits:

  • Massive data breach hits Capital One affecting more than 100M customers https://www.usatoday.com/story/money/2019/07/29/capital-one-data-breach-2019-millions-affected-new-breach/1863259001/ and https://krebsonsecurity.com/2019/07/capital-one-data-theft-impacts-106m-people/ and https://www.forbes.com/sites/rachelsandler/2019/07/29/capital-one-says-hacker-breached-accounts-of-100-million-people-ex-amazon-employee-arrested/
  • Tip led to arrest in Capital One breach https://www.bloomberg.com/news/articles/2019-07-30/tipster-s-email-led-to-arrest-in-massive-capital-one-data-breach
  • Feds: former cloud worker hacks into Capital One and takes data for 106 million people https://arstechnica.com/information-technology/2019/07/feds-former-cloud-worker-hacks-into-capital-one-and-takes-data-for-106-million-people/
  • What we can learn from the Capital One breach https://krebsonsecurity.com/2019/08/what-we-can-learn-from-the-capital-one-hack/
  • Capital One: Where Did the Bank Fail on Defense? https://www.bankinfosecurity.com/capital-one-where-did-bank-fail-on-defense-a-12858
  • A Technical Analysis of the Capital One Hack https://blog.cloudsploit.com/a-technical-analysis-of-the-capital-one-hack-a9b43d7c8aea
  • GitHub sued for aiding hacking in Capital One breach https://www.zdnet.com/article/github-sued-for-aiding-hacking-in-capital-one-breach/
  • Ontario woman files suit on behalf of Canadians affected by Capital One data breach https://www.cbc.ca/news/business/capital-one-lawsuit-1.5238625
  • NY Attorney General Investigates Capital One; Lawsuits Loom https://www.databreachtoday.com/ny-attorney-general-investigates-capital-one-lawsuits-loom-a-12862
  • Italian Bank UniCredit To Investigate Capital One Data Hack https://www.pymnts.com/news/security-and-risk/2019/italian-bank-unicredit-to-investigate-capital-one-data-hack/
  • Capital One Data Breach Sparks GOP Probe https://www.pymnts.com/news/security-and-risk/2019/capital-one-data-breach-sparks-gop-probe/
• NAB Apologizes After Breach of Personal Data https://www.bankinfosecurity.com/nab-apologizes-after-breach-personal-data-a-12846
• CafePress Hacked, 23M Accounts Compromised. Is Yours One Of Them? https://www.forbes.com/sites/daveywinder/2019/08/05/cafepress-hacked-23m-accounts-compromised-is-yours-one-of-them/
• 2.1M customer records breached at Mexican online bookstore, personal and purchase data stolen https://www.comparitech.com/blog/vpn-privacy/libreria-porrua-database-leak/
• POS supply chain exploited. Over 1 Million Credit Card Data From The U.S., South Korea Have Been Leaked https://www.forbes.com/sites/jeanbaptiste/2019/08/05/data-leak-alert-over-1-million-credit-card-from-the-u-s-south-korea-have-been-stolen/
• Hundreds of exposed Amazon cloud backups found leaking sensitive data https://techcrunch.com/2019/08/09/aws-ebs-cloud-backups-leak/
• Honda's Security 'Soft Spots' Exposed in Unsecured Database https://threatpost.com/hondas-security-soft-spots-database/146852/
• Text book publisher, Pearson, Beach Exposed Data Of 13K+ Students https://www.pymnts.com/news/security-and-risk/2019/pearson-beach-exposed-student-data/
• FormGet Storage Bucket Leaks Passport Scans, Bank Details https://www.darkreading.com/cloud/formget-storage-bucket-leaks-passport-scans-bank-details/d/d-id/1335358
• Equifax on the hot seat for running out of data breach settlement funds https://bgr.com/2019/08/02/equifax-settlement-cash-running-out/
• Equifax Settlement Won’t be Enough to Deter Future Breaches: The Law Must Catch Up https://www.eff.org/deeplinks/2019/07/equifax-settlement-wont-be-enough-deter-future-breaches-law-must-catch
• 3 Takeaways from the First American Financial Breach https://www.darkreading.com/breaches/3-takeaways-from-the-first-american-financial-breach/a/d-id/1335278
• Teen Hacker Finds Bugs in School Software That Exposed Millions of Records https://www.wired.com/story/teen-hacker-school-software-blackboard-follett/
• StockX was hacked, exposing millions of customers’ data https://techcrunch.com/2019/08/03/stockx-hacked-millions-records/
• E3 data breach leaks info for thousands of registered journalists https://www.engadget.com/2019/08/03/e3-data-breach-media/
• Club Penguin Rewritten breach caused by rogue admin backdoor https://nakedsecurity.sophos.com/2019/08/02/club-penguin-rewritten-breach-caused-by-rogue-admin-backdoor/
• FDNY warns of data breach possibly affecting 10,000 patients https://nypost.com/2019/08/09/fdny-warns-of-major-data-breach-possibly-affecting-more-than-10000-patients/
• Hacker swipes personal deets of 20,000 peeps from under Los Angeles Police Dept's nose https://www.theregister.co.uk/2019/07/30/lapddatabreach/

Privacy

Articles about privacy related news, risks, and trends.

• Black Hat: GDPR privacy law exploited to reveal personal data https://www.bbc.com/news/technology-49252501
• What's in your file? Federal political parties don't have to tell you https://www.cbc.ca/news/canada/nova-scotia/privacy-federal-political-parties-transparency-1.5226118
• Top European Court Rules Companies Using Facebook "Like" Button Are Responsible for User Privacy https://epic.org/2019/07/top-european-court-rules-compa.html
• Google and Apple suspend contractor access to voice recordings http://nakedsecurity.sophos.com/2019/08/05/google-and-apple-suspend-contractor-access-to-voice-recordings/
• More on Backdooring (or Not) WhatsApp https://www.schneier.com/blog/archives/2019/08/moreonbackdoo.html
• Privacy Group Files Legal Challenge to Facebook’s $5 Billion F.T.C. Settlement https://www.nytimes.com/2019/07/26/technology/facebook-ftc-epic-privacy.html

Laws & Regulations / Standards

News about laws, regulations, and standards affecting security, privacy,  technology, and public interest.

• New York Passes Data Breach Law https://epic.org/2019/07/new-york-passes-data-breach-la.html

• The Going Dark Debates

  • Barr says the US needs encryption backdoors to prevent “going dark.” Um, what? https://arstechnica.com/tech-policy/2019/08/post-snowden-tech-became-more-secure-but-is-govt-really-at-risk-of-going-dark/
  • DOJ and FBI Show No Signs of Correcting Past Untruths in Their New Attacks on Encryption https://www.eff.org/deeplinks/2019/07/doj-and-fbi-show-no-signs-correcting-past-untruths-their-new-attacks-encryption
  • ACLU on the GCHQ Backdoor Proposal https://www.schneier.com/blog/archives/2019/07/acluonthe_gch.html
• GDPR impacting ecommerce website revenues in Europe https://ecommercenews.eu/ecommerce-websites-in-europe-hit-by-gdpr/
• EU PSD2 means your online shopping will soon require more than just a bank card https://www.wired.co.uk/article/online-shopping-psd2-strong-customer-authentication
• The LawBytes Podcast, Episode 22: Navigating Intermediary Liability for the Internet http://www.michaelgeist.ca/2019/07/lawbytes-podcast-episode-22/
• Social insurance numbers are stolen by the millions — but Ottawa replaces just dozens per year https://www.cbc.ca/news/politics/stolen-social-insurance-numbers-fraud-1.5232037
• Stupid Patents: Someone Is Suing Companies for Using SMS Messages in 2019 https://www.eff.org/deeplinks/2019/07/someone-suing-companies-using-sms-messages-2019

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• Space tech has a unique problem with encryption – cosmic rays. ESA Pi in the sky project testing encrypted comms on International Space Station https://www.theregister.co.uk/2019/08/01/esaencryptedcommsi/
• What all the stuff in email headers means—and how to sniff out spoofing https://arstechnica.com/information-technology/2019/08/ars-forensic-files-how-to-parse-through-e-mail-headers-and-spot-obfuscation/
• Securing devices for DEFCON https://blog.erratasec.com/2019/08/securing-devices-for-defcon.html
• The AttackSurfaceMapper is a new automated penetration testing tool https://www.hackread.com/attacksurfacemapper-new-automated-penetration-testing-tool/
• Titan Security Keys are now available in Canada, France, Japan, and the UK http://security.googleblog.com/2019/07/titan-security-keys-are-now-available.html
• How Can We Stop Ransomware From Spreading? https://www.darkreading.com/edge/theedge/how-can-we-stop-ransomware-from-spreading/b/d-id/1335366

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• US issues hacking security alert for small planes https://www.apnews.com/6219f26c3ea145b6b29b5e69115504a9
• Urgent11 security flaws impact routers, printers, SCADA, and many IoT devices https://www.zdnet.com/article/urgent11-security-flaws-impact-routers-printers-scada-and-many-iot-devices/
• In 2017 there were reports of child abuse images buried in the Bitcoin blockchain. The problem hasn’t improved. The Dark Side Of Public Blockchains: Unintended Use https://www.forbes.com/sites/thomassilkjaer/2019/07/28/the-dark-side-of-public-blockchains-unintended-use/
• More Spectre -SWAPGS Attack — New Speculative Execution Flaw Affects All Modern Intel CPUs https://thehackernews.com/2019/08/swapgs-speculative-execution.html
• Windows 10 Security Alert: Vulnerabilties Found in Over 40 Drivers https://www.bleepingcomputer.com/news/security/windows-10-security-alert-vulnerabilties-found-in-over-40-drivers/
• Researchers Discover New Ways to Hack WPA3 Protected WiFi Passwords https://thehackernews.com/2019/08/hack-wpa3-wifi-password.html
• It's 2019 – and you can completely pwn millions of Qualcomm-powered Androids over the air https://www.theregister.co.uk/2019/08/06/qualcommandroidsecurity_patches/
• Pentagon Buys Equipment With Known Vulnerabilities https://www.bankinfosecurity.com/pentagon-buys-equipment-known-vulnerabilities-audit-a-12866
• Cisco ‘Knowingly’ Sold Hackable Video Surveillance System to U.S. Government https://thehackernews.com/2019/08/cisco-surveillance-technology.html
• 200 million devices—some mission-critical—vulnerable to remote takeover https://arstechnica.com/information-technology/2019/07/200-million-devices-some-mission-critical-vulnerable-to-remote-takeover/
• Researchers hack camera in fake video attack https://nakedsecurity.sophos.com/2019/08/01/researchers-hack-camera-in-fake-video-attack/
• Security researchers find that DSLR cameras are vulnerable to ransomware attack https://www.theverge.com/2019/8/11/20800979/check-point-canon-eos-80d-dslr-malware-ransomware-cybersecurity
• Trivial Bugs in Western Digital SSD Utility Puts Owners at Risk https://www.bleepingcomputer.com/news/security/trivial-bugs-in-western-digital-ssd-utility-puts-owners-at-risk/
• Report warns of possible mass casualties from automotive cyberattacks https://www.freep.com/story/money/cars/2019/07/31/auto-cyberattacks-mass-casualties-consumer-watchdog/1880873001/
• Another Attack Against Driverless Cars https://www.schneier.com/blog/archives/2019/07/anotherattack\.html
• Cryptolocking WordPress Plugin Locks Up Blog Posts https://threatpost.com/cryptolocking-wordpress-plugin/147016/
• Security bugs in popular Cisco switch brand allow hackers to take over devices https://www.zdnet.com/article/security-bugs-in-popular-cisco-switch-brand-allow-hackers-to-take-over-devices/
• Warning As Google Falls Victim To Critical Security Issue On LinkedIn Jobs Pages https://www.forbes.com/sites/zakdoffman/2019/07/29/linkedin-security-issue-tricked-google-into-official-search-for-new-ceo/
• Monzo, a large digital bank, tells customers to change PIN after discovering security flaw https://www.ft.com/content/f4f1f00a-b78a-11e9-8a88-aa6628ac896c
• Steam Zero-Day Vulnerability Affects Over 100 Million Users https://www.bleepingcomputer.com/news/security/steam-zero-day-vulnerability-affects-over-100-million-users/
• Cryptography can be arcane and complex. This article attempts to explain cryptographic attacks. "Cryptographic Attacks: A Guide for the Perplexed" https://research.checkpoint.com/cryptographic-attacks-a-guide-for-the-perplexed/

Hacking / Malware / Cybercrime / Exploitation

News covering active trends and events.

• Who Owns Your Wireless Service? Crooks. https://krebsonsecurity.com/2019/08/who-owns-your-wireless-service-crooks-do/
• Pakistani Man Bribed AT&T Employees to Unlock Phones, Plant Malware https://www.securityweek.com/pakistani-man-bribed-att-employees-unlock-phones-plant-malware
• Rare Steganography Hack Hides PHP Scripts in JPEG EXIF Headers - Can Compromise Fully Patched Websites https://threatpost.com/rare-steganography-hack-can-compromise-fully-patched-websites/146701/ New advanced malware, possibly nation sponsored, is targeting US utilities https://arstechnica.com/information-technology/2019/08/new-advanced-malware-possibly-nation-sponsored-is-targeting-us-utilities/
• Microsoft: Russia Probes Office Printers, VOIP Phones https://www.bankinfosecurity.com/microsoft-russia-probes-office-printers-voip-phones-a-12875
• This new Android ransomware infects you through SMS messages https://www.zdnet.com/article/this-new-android-ransomware-infects-you-through-sms-messages/
• New Android Ransomware Uses SMS Spam to Infect Its Victims https://www.bleepingcomputer.com/news/security/new-android-ransomware-uses-sms-spam-to-infect-its-victims/
• iMessage bug could have allowed attackers to read data from any iPhone https://nakedsecurity.sophos.com/2019/07/31/google-reveals-data-slurping-imessage-bug/
• Hackers Can Break Into an iPhone Just by Sending a Text https://www.wired.com/story/imessage-interactionless-hacks-google-project-zero/
• More fake newspaper sites claiming to be based in Quebec pop up — two years after they were exposed https://www.cbc.ca/news/technology/quebec-fake-newspapers-1.5228905
• Louisiana Gov Declares Emergency After Cyberattacks Plague Schools https://threatpost.com/louisiana-gov-declares-emergency-after-cyberattacks-plague-schools/146713/
• GermanWiper ransomware hits Germany hard, destroys files, asks for ransom https://www.zdnet.com/article/germanwiper-ransomware-hits-germany-hard-destroys-files-asks-for-ransom/
• The recent iNSYNQ Ransom Attack Began With Phishing Email https://krebsonsecurity.com/2019/08/insynq-ransom-attack-began-with-phishing-email/
• Georgia hit with malware yet again https://nakedsecurity.sophos.com/2019/07/31/georgia-hit-with-malware-yet-again/
• Attackers ransom bookseller’s exposed MongoDB database https://nakedsecurity.sophos.com/2019/08/06/attackers-ransom-booksellers-exposed-mongodb-database/
• Brazilian Cell Phone Hack https://www.schneier.com/blog/archives/2019/08/braziliancell\.html
• Phone Pfarming for Ad Fraud https://www.schneier.com/blog/archives/2019/08/phonefarmingf.html
• Windows 10 Warning: 250M Account Takeover Trojan Disables Windows Defender https://www.forbes.com/sites/daveywinder/2019/07/31/windows-10-warning-250m-account-takeover-trojan-disables-windows-defender/
• Hackers swarm around Ottawa city hall https://ottawacitizen.com/news/local-news/hackers-swarm-around-ottawa-city-hall

Other Security / Risk

Articles covering other types of risks.

• TSA screeners find missile launcher in checked luggage at airport https://www.nbcnews.com/news/us-news/tsa-screeners-find-missile-launcher-checked-luggage-airport-n1035756
• IBM researchers explore War-Shipping – targeted mobile spy devices sent by courier https://www.theregister.co.uk/2019/08/07/ibmwarshippingwifi_package/
• A dismal industry: The unsustainable burden of cybersecurity https://www.zdnet.com/article/a-dismal-industry-the-unsustainable-burden-of-cyber-security/
• Pentagon testing mass surveillance balloons across the US https://www.theguardian.com/us-news/2019/aug/02/pentagon-balloons-surveillance-midwest
• Dumped by Cloudflare, 8chan gets back online—then gets kicked off again https://arstechnica.com/tech-policy/2019/08/8chan-briefly-got-back-online-with-same-cdn-used-by-neo-nazi-daily-stormer/
• The Trump Administration Is Using the Full Power of the U.S. Surveillance State Against Whistleblowers https://theintercept.com/2019/08/04/whistleblowers-surveillance-fbi-trump/
• Pseudoscience is taking over social media and putting us all at risk https://www.independent.co.uk/news/science/pseudoscience-fake-news-social-media-facebook-twitter-misinformation-science-a9034321.html
• From a wrongful arrest to a life-saving romance: the typos that have changed people's lives https://www.theguardian.com/technology/2019/aug/03/wrongful-arrest-life-saving-romance-typos-that-changed-lives

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• Why Energy Storage Is Proving Even More Disruptive Than Cheap Renewables https://www.forbes.com/sites/jeffmcmahon/2019/08/02/why-energy-storage-is-proving-even-more-disruptive-than-cheap-renewables/
• African smoke is fertilizing Amazon rainforest and oceans, study finds https://phys.org/news/2019-07-african-fertilizing-amazon-rainforest-oceans.html
• 3M invents new packaging to ship products more efficiently with less waste https://www.fastcompany.com/90382264/no-more-cardboard-boxes-3m-invents-an-ingenious-new-way-to-ship-products
• Recursive language and modern imagination were acquired simultaneously 70,000 years ago https://scienmag.com/recursive-language-and-modern-imagination-were-acquired-simultaneously-70000-years-ago/
• This Photo Is Black And White. Here's The Science That Makes Your Brain See Colour https://www.sciencealert.com/crazy-optical-illusion-makes-your-brain-see-colour-in-a-black-and-white-photo
• Solar-sailing satellite proves it can use light to propel through space https://www.theverge.com/2019/7/31/20748894/lightsail-2-mission-solar-sail-planetary-society-success-demonstration
• Planet GJ 357 d: Potentially habitable super-Earth discovered https://www.cbsnews.com/news/planet-gj357-d-potentially-habitable-super-earth-discovered/
• Bizarre Star Found Hurtling Out of Our Galaxy Centre Is Fastest of Its Kind Ever Seen https://www.sciencealert.com/our-bossy-black-hole-kicked-out-a-star-and-it-s-shooting-through-the-galaxy-insanely-fast