This Week’s [in]Security – Issue 124 | insecurity | Control Gap

Welcome to This Week’s [in]Security. This week: PCI more on Key Blocks and some case studies. Breeches: Hy-Vee, Choice Hotels, State Farm, dating apps. Followups on Capital One, Equifax, AMCA, and First America. What may be the first mega breach of biometric data. Privacy commissioner on what to do if breached. Regaining trust. Facebook had people listening in on messenger calls too. NIST and cyberbudgets for small companies. Facebook biometric lawsuit. DEFCON is done and there are lots of new vulnerabilities and defensive techniques. Cybersecurity as practiced by experts and regular people. Google phasing out android passwords. Protecting 100M Lines of code. Escape room recruiting. Instagram 'fake' buttons. A skimmer detector. Ancient and horrible Windows CTF vulnerability. Browsers dropping XSS protections. EV certs. No honor among thieves. Sonic-Attack. Vanity plate risks. Brexit shortages. Stopping mass shooters and more.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

News and announcements relating to Payment Security, Payments, PCI, and Card Brands.

• Key Blocks 102 https://blog.pcisecuritystandards.org/key-blocks-102

• New PCI DSS and ISA Case Studies Available:

  • https://www.pcisecuritystandards.org/documents/casestudies/PCICaseStudyBraspag-DSS.pdf
  • https://www.pcisecuritystandards.org/documents/casestudies/PCICaseStudyDelcor-DSS.pdf
  • https://www.pcisecuritystandards.org/documents/casestudies/PCICaseStudyFIS-DSS.pdf
  • https://www.pcisecuritystandards.org/documents/casestudies/PCICaseStudyBraspag-ISA.pdf
  • https://www.pcisecuritystandards.org/documents/casestudies/PCICaseStudyTIVIT-ISA.pdf
• The apple credit card has launched - featuring no PAN or CVV printed on the card https://www.youtube.com/watch?v=lj7kFBz-jw4
• A Rising Tide of Digital Payments Will Bring New Fraud Threats http://www.digitaltransactions.net/a-rising-tide-of-digital-payments-will-bring-new-fraud-threats-says-forrester/

Breaches / Leaks

Covering breaches, leaks, data exposures, and their fallout.

• Hy-Vee Supermarkets issues warning to customers after discovering point-of-sale breach https://www.zdnet.com/article/hy-vee-issues-warning-to-customers-after-discovering-point-of-sale-breach/
• 700K Choice Hotels records leaked in data breach, ransom demanded https://www.zdnet.com/article/700000-choice-hotels-records-leaked-in-data-breach/
• Huge security flaw exposes biometric data of more than 1M users https://www.theverge.com/2019/8/14/20805194/suprema-biostar-2-security-system-hack-breach-biometric-info-personal-data
• Four major dating apps expose precise locations of 10 million users very personal information https://www.zdnet.com/article/four-major-dating-apps-expose-precise-locations-of-10-million-users/State Farm Investigates Credential-Stuffing Attack https://www.bankinfosecurity.com/state-farm-investigates-credential-stuffing-attack-a-12893
• Capital One hacker took data from more than 30 companies, new court docs reveal https://www.zdnet.com/article/capital-one-hacker-took-data-from-more-than-30-companies-new-court-docs-reveal/
• Capital One Cyber Staff Raised Concerns Before Hack https://www.wsj.com/articles/capital-one-cyber-staff-raised-concerns-before-hack-11565906781
• 20+ Data Breaches Reported Per Day in First Half of 2019 https://www.darkreading.com/attacks-breaches/20+-data-breaches-reported-per-day-in-first-half-of-2019/d/d-id/1335538
• AMCA Breach Victim Count Continues to Grow https://www.databreachtoday.com/amca-breach-victim-count-continues-to-grow-a-12917
• SEC Investigating Data Leak at First American Financial Corp. https://krebsonsecurity.com/2019/08/sec-investigating-data-leak-at-first-american-financial-corp/
• European Central Bank Confirms BIRD Site very small breach of contact info https://www.scmagazine.com/home/security-news/european-central-bank-confirms-bird-site-hacked-contact-info-stolen/
• Have I been pwned updated with 40M account Chegg breach from 2018 https://haveibeenpwned.com/PwnedWebsites#Chegg
• Federal Trade Commission Walks Back Messaging Around Equifax Settlement https://www.privacyrights.org/blog/federal-trade-commission-walks-back-messaging-around-equifax-settlement

Privacy

Articles about privacy related news, risks, and trends.

• Canada's Privacy Commissioner on what to do if there’s a privacy breach? https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda-compliance-help/buspipedaintro/bus10105/
• Huawei Technicians Helped African Governments Spy on Political Opponents https://www.wsj.com/articles/huawei-technicians-helped-african-governments-spy-on-political-opponents-11565793017
• Facebook got humans to listen in on some Messenger voice chats https://nakedsecurity.sophos.com/2019/08/15/facebook-got-humans-to-listen-in-on-some-messenger-voice-chats/
• What can be found from a phone number https://www.nytimes.com/2019/08/15/technology/personaltech/i-shared-my-phone-number-i-learned-i-shouldnt-have.html
• Amazon’s Ring Is a Perfect Storm of Privacy Threats https://www.eff.org/deeplinks/2019/08/amazons-ring-perfect-storm-privacy-threats
• PwC will have to work to rebuild trust after shock GDPR fine https://reclaimthenet.org/pwc-gdpr-fine/
• British Airways Criticized for Exposing Passenger Flight Details https://www.securityweek.com/british-airways-criticized-exposing-passenger-flight-details
• Why Aren’t We Talking About LinkedIn? https://www.nytimes.com/2019/08/08/style/linkedin-social-media.html

Laws & Regulations / Standards

News about laws, regulations, and standards affecting security, privacy,  technology, and public interest.

• Canada’s answer to NIST CSF aimed at small companies under 500 employees. https://cyber.gc.ca/en/guidance/baseline-cyber-security-controls-small-and-medium-organizations
• Lawsuit May Proceed Against Facebook’s Biometric Surveillance https://www.eff.org/deeplinks/2019/08/victory-lawsuit-may-proceed-against-facebooks-biometric-surveillance-0
• Evaluating the NSA's Telephony Metadata Program https://www.schneier.com/blog/archives/2019/08/evaluatingthe1.html
• Clear Message Sent: Don’t Roll the Dice on Data Privacy Compliance https://www.imperva.com/blog/clear-message-sent-dont-roll-the-dice-on-data-privacy-compliance/

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• Study: Comparing Expert and Non-Expert Security Practices (USENIX) https://www.usenix.org/system/files/conference/soups2015/soups15-paper-ion.pdf
• U.S. CyberDome Poised to Protect 2020 Elections https://www.bankinfosecurity.com/interviews/us-cyberdome-poised-to-protect-2020-elections-i-4420
• Ottawa’s cybersecurity action plan includes $10M for special projects https://www.itworldcanada.com/article/ottawas-cybersecurity-action-plan-includes-10m-for-special-projects/420740
• Google Confirms Password Replacement For 1.7 Billion Android Users https://www.forbes.com/sites/daveywinder/2019/08/13/google-confirms-password-replacement-for-17-billion-android-users-starting-now/
• Protect Your Website from E-Commerce Skimming https://www.controlscan.com/blog/protect-your-website-from-ecommerce-skimming/
• How would you spend a small business cybersecurity budget https://www.linkedin.com/posts/gabrielfriedlander_how-would-you-spend-10k-yearly-on-cyber-ugcPost-6567026850097311744-FASA
• Instagram to let users report fake posts with special button https://www.independent.co.uk/life-style/gadgets-and-tech/news/instagram-update-fake-posts-button-new-latest-facebook-whatsapp-a9062936.html
• Hackers Take on Darpa's $10 Million Voting Machine (DEFCON) https://www.wired.com/story/darpa-voting-machine-defcon-voting-village-hackers/
• Judge Orders Georgia To Switch To Paper Ballots For 2020 Elections https://arstechnica.com/tech-policy/2019/08/judge-bans-insecure-touchscreen-voting-machines-from-georgia-after-2019/
• Meet Bluetana, the Scourge of Pump Skimmers https://krebsonsecurity.com/2019/08/meet-bluetana-the-scourge-of-pump-skimmers/
• New Research: Lessons from Password Checkup in action https://security.googleblog.com/2019/08/new-research-lessons-from-password.html
• Understanding why phishing attacks are so effective and how to mitigate them https://security.googleblog.com/2019/08/understanding-why-phishing-attacks-are.html
• Google Wants To Reduce HTTPS Cert Lifetimes To 1 Year https://www.zdnet.com/article/google-wants-to-reduce-lifespan-for-https-certificates-to-one-year/
• Canadian spy agency partners with escape room to find new recruits https://beta.ctvnews.ca/national/canada/2019/8/15/1_4551873.html
• Understanding the Mindset of Attackers https://www.databreachtoday.com/understanding-mindset-attackers-a-12907
• How Facebook Catches Bugs in Its 100 Million Lines of Code https://www.wired.com/story/facebook-zoncolan-static-analysis-tool/

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• This inter-process communication vulnerability in Microsoft CTF protocol goes back to Windows XP and it’s bad https://www.zdnet.com/article/vulnerability-in-microsoft-ctf-protocol-goes-back-to-windows-xp/
• Four wormable bugs in newer versions of Windows need your attention now https://arstechnica.com/information-technology/2019/08/microsoft-warns-of-more-wormable-bugs-this-time-in-new-versions-of-windows/
• Bluetooth vulnerability could expose device data to hackers https://www.theverge.com/2019/8/16/20808597/bluetooth-device-flaw-hackers-vulnerability-data-encryption-cybersecurity-knob
• Warning: A Security Flaw In Kaspersky AntiVirus Lets Hackers Spy Users Online, Millions At Risk https://www.forbes.com/sites/jeanbaptiste/2019/08/16/warning-a-security-flaw-in-kaspersky-antivirus-lets-hackers-spy-users-online-millions-at-risk/
• Election Systems Are Even More Vulnerable Than We Thought (DEFCON) https://www.wired.com/story/security-news-election-systems-more-vulnerable/
• Bypassing Apple FaceID's Liveness Detection Feature (BLACKHAT) https://www.schneier.com/blog/archives/2019/08/bypassing_apple.html
• Practical attack against GSM A5/1 key exchange allows for attackers to decrypt your phone calls (DEFCON) https://www.wired.com/story/gsm-decrypt-calls/
• Cross-Site Scripting Protection Vanishing from Browsers https://www.packetlabs.net/browsers-dropping-xss-protection/
• These Legit-Looking iPhone Lightning Cables Will Hijack Your Computer (DEFCON) https://www.vice.com/en_us/article/evj4qw/these-iphone-lightning-cables-will-hack-your-computer
• Chrome Incognito mode detection fix busted by researchers https://nakedsecurity.sophos.com/2019/08/13/chrome-incognito-mode-detection-fix-busted-by-researchers/
• Do we really need more jargon? HVACking: Remotely Exploiting Bugs in Building Control Systems https://www.bleepingcomputer.com/news/security/hvacking-remotely-exploiting-bugs-in-building-control-systems/
• IoT Buttplug Hacker Talks Privacy, Consent, and Security (DEFCON) https://gizmodo.com/buttplug-hacker-talks-security-consent-and-why-he-hac-1837252628
• The Cybersecurity 202: Hackers just found serious vulnerabilities in a U.S. military fighter jet (DEFCON) https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2019/08/14/the-cybersecurity-202-hackers-just-found-serious-vulnerabilities-in-a-u-s-military-fighter-jet/5d53111988e0fa79e5481f68/
• Hacker Jeopardy, Wrong Answers Only Edition – a tricky question and something you likely didn’t know about Telnet (DEFCON) https://blog.erratasec.com/2019/08/hacker-jeopardy-wrong-answers-only.html
• The Power of NIST Cryptographic Tests Suite https://eprint.iacr.org/2019/905
• SQLite Vulnerability Permits iOS Hack (DEFCON) https://www.bankinfosecurity.com/sqlite-vulnerability-permits-ios-hack-report-a-12911
• Hackers Can Turn Everyday Speakers Into Acoustic Cyberweapons (DEFCON) https://www.wired.com/story/acoustic-cyberweapons-defcon/
• Patch Tuesday, August 2019 Edition https://krebsonsecurity.com/2019/08/patch-tuesday-august-2019-edition/

Hacking / Malware / Cybercrime / Exploitation

News covering active trends and events.

• Extended Validation Certificates are (Really, Really) Dead https://www.troyhunt.com/extended-validation-certificates-are-really-really-dead/
• City of Saskatoon falls prey to internet fraudster, sends $1-million to wrong bank account https://www.theglobeandmail.com/canada/article-city-of-saskatoon-falls-prey-to-internet-fraudster-sends-1-million
• US Cyber Command has publicly posted malware linked to a North Korea hacking group https://techcrunch.com/2019/08/15/cyber-command-north-korea-malware/
• Crackers outing other crackers https://arstechnica.com/information-technology/2019/08/hacker-sites-incriminating-database-published-online-by-rival-group/
• Supply-Chain Attack against the Electron Development Platform used by Skype, Slack, and WhatsApp https://www.schneier.com/blog/archives/2019/08/supply-chain_at.html
• Hackers Target the North American Hotel Industry With a RAT https://www.bleepingcomputer.com/news/security/hackers-target-the-north-american-hotel-industry-with-a-rat/
• Nasty New Malware Waits Until You Visit A Pornsite, Then Starts Recording https://www.forbes.com/sites/zakdoffman/2019/08/11/nasty-new-malware-waits-until-you-visit-a-pornsite-then-starts-recording/
• New Malware Norman Uses Your PC to Secretly Mine Cryptocurrency https://www.tomshardware.com/news/cryptocurrency-cryptojacking-malware-norman-cyber-security,40160.html
• Ransomware fighter on the run after costing hacker gangs millions https://micky.com.au/ransomware-fighter-on-the-run-after-costing-hacker-gangs-millions/

Other Security / Risk

Articles covering other types of risks.

• There could have been three more mass shootings if these men weren't stopped, authorities say https://www.cnn.com/2019/08/18/us/three-potential-attacks-foiled/index.html
• The UK will almost certainly run out of fresh food, fuel, and drugs in a no-deal Brexit, leaked official documents say https://www.businessinsider.com/uk-faces-food-fuel-and-drugs-shortages-in-no-deal-brexit-times-citing-official-documents-2019-8
• ‘NULL’ license plate gets security researcher $12K in tickets https://nakedsecurity.sophos.com/2019/08/15/null-license-plate-gets-security-researcher-12k-in-tickets/
• A Brief History of Vanity License Plates Gone Wrong https://www.wired.com/story/vanity-license-plates-gone-wrong-fines/
• The number of fake assistance dogs is exploding – but who are the owners behind it? https://www.theguardian.com/lifeandstyle/2019/aug/12/fake-emotional-support-animals-service-dogs
• Microsoft Confirms New Windows 10 Upgrade Warning https://www.forbes.com/sites/gordonkelly/2019/08/17/microsoft-windows-10-update-error-warning-upgrade-windows/
• A Major Cyber Attack Could Be Just as Deadly as Nuclear Weapons http://www.sciencealert.com/a-major-cyber-attack-could-be-just-as-damaging-as-a-nuclear-weapon
• Fun with a fake news generator https://aiweirdness.com/post/187027270732/fun-with-a-fake-news-generator
• Eleven Free Courses To Learn Bitcoin, Blockchain And Cryptocurrencies https://www.forbes.com/sites/rogerhuang/2019/08/12/eleven-free-courses-to-learn-bitcoin-blockchain-and-cryptocurrencies/
• Russia Opens Antitrust Inquiry Into App Restriction at Apple https://www.nytimes.com/2019/08/09/technology/russia-antitrust-apple-apps.html
• Is the bystander effect a myth? https://www.bbc.co.uk/news/world-us-canada-49295967

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• Newfound superconductor material could be the 'silicon of quantum computers' https://phys.org/news/2019-08-newfound-superconductor-material-silicon-quantum.html
• The magnetic pole is moving. But is it flipping? The last magnetic pole flip saw 22,000 years of weirdness https://arstechnica.com/science/2019/08/the-last-magnetic-pole-flip-saw-22000-years-of-weirdness/
• Carbon Pricing Is Not a Fix for Climate Change https://blogs.scientificamerican.com/observations/carbon-pricing-is-not-a-fix-for-climate-change/
• The World's First Solar Road Has Officially Crumbled Into a Total Failure http://www.sciencealert.com/the-world-s-first-solar-road-has-turned-out-to-be-a-disappointing-failure
• How to demolish a nuclear power plant without blowing it up - robotic implosion https://www.cnn.com/2019/08/16/business/mulheim-karlich-nuclear-power-plant-demolition-grm-intl/index.html
• Earth Could Be the Lens for a Revolutionary Space Telescope https://www.scientificamerican.com/article/earth-could-be-a-lens-for-a-revolutionary-space-telescope/
• Why Build Big Rockets at All? It’s Time for Orbital Refueling https://www.universetoday.com/143178/why-build-big-rockets-at-all-its-time-for-orbital-refueling/