This Week’s [in]Security – Issue 126

Welcome to This Week’s [in]Security. This week: PCI: more case studies and key blocks pt-3. More Magecart and click-jacking. Breaches: Imperva, Foxit, and MasterCard Germany. Privacy: bananas and credit cards, warrant-less GPS trackers, Ring doorbells and the police. More on the crypto-war debates. Denied entry to US based on other people’s social media. Facebook wins a ruling. Crime & jurisdiction in outer space. NIST updates: TLS and Supply chains. TDE key rotation. MFA 99% effective. Deep dive into iOS exploit chains. Lost Facebook private key signing apps in the wild. Ad malware infects Cam Scanner. Open wide and say ransomware. Back to school with ransomware. iPhone and Android watering hole attack going on for years. Twitter CEO's account compromised. Malfunctioning voting machine flips votes. Controversial encryption. And more.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

News and announcements relating to Payment Security, Payments, PCI, and Card Brands.

• PCI Key Blocks 103 https://blog.pcisecuritystandards.org/key-blocks-103
• Magecart hackers compromise another 80 eCommerce sites https://securityaffairs.co/wordpress/90493/hacking/magecart-formjacking-attacks.html
• Web clickjacking fraud makes a comeback thanks to JavaScript tricks https://nakedsecurity.sophos.com/2019/08/29/web-clickjacking-fraud-makes-a-comeback-thanks-to-javascript-tricks/

• PCI Case Studies:

  • Decolar/Despegar (DSS) https://www.pcisecuritystandards.org/documents/casestudies/PCICaseStudyDelcor-DSS.pdf
  • Hillman (P2PE) https://www.pcisecuritystandards.org/pdfs/PCISSCP2PEBluefin-HillmanCase_Study.pdf
  • Paul Smith (P2PE) https://www.pcisecuritystandards.org/pdfs/PCISSCP2PEIPS-PaulSmithCaseStudy_-_final.pdf
  • Bit9 (PCIP) https://www.pcisecuritystandards.org/documents/PCI%20SSC-%20PCIP%20Case%20Study%20%20Bit9.pdf
  • Excentus (PCIP) https://www.pcisecuritystandards.org/documents/PCI%20SSC%20-%20PCIP%20Case%20Study%20Excentus.pdf

Breaches / Leaks

Covering breaches, leaks, data exposures, and their fallout.

• Cybersecurity Firm Imperva Discloses Breach https://krebsonsecurity.com/2019/08/cybersecurity-firm-imperva-discloses-breach/ and Breach Exposes WAF Customers' Data, Including SSL Certs, API Keys https://thehackernews.com/2019/08/imperva-waf-breach.html
• Company behind Foxit PDF Reader announces security breach https://www.zdnet.com/article/company-behind-foxit-pdf-reader-announces-security-breach/

• Have I been Pwned gets more data from prior breaches of account credentials:

  • Mastercard Priceless Specials (German bonus program) 90K https://haveibeenpwned.com/PwnedWebsites#MastercardPricelessSpecials
  • Poshmark 36M – mid-2018 https://haveibeenpwned.com/PwnedWebsites#Poshmark
  • Coinmama 479K – Aug 2017 https://haveibeenpwned.com/PwnedWebsites#Coinmama
  • XKCD 562K – July 2019 https://haveibeenpwned.com/PwnedWebsites#XKCD
• Breach Saga: Bulgarian Tax Agency Fined; Pen Testers Charged https://www.bankinfosecurity.com/breach-saga-bulgarian-tax-agency-fined-pen-testers-charged-a-13000

Privacy

Articles about privacy related news, risks, and trends.

• A tale of two cards and two bananas - the spy in your wallet: Credit cards have a privacy problem https://www.washingtonpost.com/technology/2019/08/26/spy-your-wallet-credit-cards-have-privacy-problem/
• Are US border cops secretly hiding GPS trackers on vehicles without a warrant? EFF lawyers want to know https://www.theregister.co.uk/2019/08/28/effcmpgps/
• Five Concerns about Amazon Ring’s Deals with Police https://www.eff.org/deeplinks/2019/08/five-concerns-about-amazon-rings-deals-police

Laws & Regulations / Standards

News about laws, regulations, and standards affecting security, privacy,  technology, and public interest.

• NIST released (SP) 800-52 Revision 2, Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations. It requires that all government TLS servers and clients support TLS 1.2 configured with FIPS-based cipher suites and recommends that agencies develop migration plans to support TLS 1.3 by January 1, 2024. Publication details: https://csrc.nist.gov/publications/detail/sp/800-52/rev-2/final
• NIST’s National Cybersecurity Center of Excellence Supply Chain Assurance project team is having an industry workshop Tuesday, September 10, 2019 8:30am on verifying supply chains Register here: https://www.nccoe.nist.gov/events/cyber-supply-chain-risk-management-c-scrm-validating-integrity-server-and-client-devices. If you have any questions about the workshop, please send them to: supplychain-nccoe@nist.gov
• Facebook's big win: Will this ruling have global impact on how your data is used? https://www.zdnet.com/article/facebooks-big-win-will-this-ruling-have-global-impact-on-how-your-data-is-used/
• US border officials are increasingly denying entry to travelers over others’ social media https://techcrunch.com/2019/08/27/border-deny-entry-united-states-social-media/
• What happens when you commit a crime in outer space? https://globalnews.ca/news/5835064/space-crime-nasa-investigation/
• The Myth of Consumer-Grade Security https://www.schneier.com/blog/archives/2019/08/themythof_con.html
• U.S. Export Controls and “Published” Encryption Source Code Explained https://www.eff.org/deeplinks/2019/08/us-export-controls-and-published-encryption-source-code-explained
• Microsoft readies exFAT patents for Linux and open source https://www.zdnet.com/article/microsoft-readies-exfat-patents-for-linux-and-open-source/
• Canadian Cybersecurity: Cyber-Secure Canada Certification https://www.ic.gc.ca/eic/site/137.nsf/eng/h_00000.html and an article about it https://www.packetlabs.net/cyber-secure-canada-certification/

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• Microsoft: Using multi-factor authentication blocks 99.9% of account hacks https://www.zdnet.com/article/microsoft-using-multi-factor-authentication-blocks-99-9-of-account-hacks/
• Every Computer Science Degree Should Require a Course in Cybersecurity https://hbr.org/2019/08/every-computer-science-degree-should-require-a-course-in-cybersecurity
• Key Rotation in TDE https://www.sqlservercentral.com/articles/key-rotation-in-tde
• Should I Always Change My Password After a Breach? https://blog.dashlane.com/should-i-always-change-my-password-after-a-breach/

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• Bulletproof TLS Issue #56 (EV certs are dead and more) https://www.feistyduck.com/bulletproof-tls-newsletter/issue56firefoxandchromewillremoveguiindicatorforextendedvalidationcertificates
• A very deep dive into iOS Exploit chains found in the wild https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html
• Surprise. Half of All Social Media Logins Are Fraud https://threatpost.com/half-social-media-logins-fraud/147688/
• BitDefender Confirms Security Flaw In Free Windows Antivirus 2020, Millions At Risk -- Update Now https://www.forbes.com/sites/jeanbaptiste/2019/08/26/bitdefender-confirms-security-flaw-in-free-windows-antivirus-2020-millions-at-risk-update-now/
• Oh there it is, Facebook shrugs as Free Basics private key found to be signing unrelated apps https://www.theregister.co.uk/2019/09/02/facebookbasicsappkeycompromised/
• Attacking the Intel Secure Enclave https://www.schneier.com/blog/archives/2019/08/attackingthei.html
• Subverting Decryption in AEAD using an Algorithm Substitution Attack (ASA) https://eprint.iacr.org/2019/987 (And if you find yourself head-scratching over this here is an older reference https://www.schneier.com/blog/archives/2014/06/defendingagain2.html))

Hacking / Malware / Cybercrime / Exploitation

News covering active trends and events.

• Android Google Play app, Cam Scanner, with 100 million downloads starts to deliver malware https://www.zdnet.com/article/android-google-play-app-with-100-million-downloads-starts-to-deliver-malware/
• Ransomware hits hundreds of dentist offices in the US |https://www.zdnet.com/article/ransomware-hits-hundreds-of-dentist-offices-in-the-us/
• Ransomware Bites Dental Data Backup Firm https://krebsonsecurity.com/2019/08/ransomware-bites-dental-data-backup-firm/
• Rash of ransomware continues with 13 new victims—most of them schools https://arstechnica.com/information-technology/2019/08/rash-of-ransomware-continues-with-13-new-victims-most-of-them-schools/
• Armed with iOS 0days, hackers indiscriminately infected iPhones for two years https://arstechnica.com/information-technology/2019/08/armed-with-ios-0days-hackers-indiscriminately-infected-iphones-for-two-years/
• iPhone Hackers Caught By Google Also Targeted Android And Microsoft Windows https://www.forbes.com/sites/thomasbrewster/2019/09/01/iphone-hackers-caught-by-google-also-targeted-android-and-microsoft-windows-say-sources/
• Phishers want your cloud providers https://krebsonsecurity.com/2019/08/phishers-are-angling-for-your-cloud-providers/
• Twitter CEO Jack Dorsey’s @jack’s twitter account compromised via phone number attack https://nakedsecurity.sophos.com/2019/08/30/jacks-twitter-attacked-phone-number-hacked/ and https://www.wired.com/story/jack-dorsey-twitter-hacked/
• WordPress sites under attack as hacker group tries to create rogue admin accounts https://www.zdnet.com/article/wordpress-sites-under-attack-as-hacker-group-tries-to-create-rogue-admin-accounts/

Other Security / Risk

Articles covering other types of risks.

• U.S. Cyberattack Hurt Iran’s Ability to Target Oil Tankers, Officials Say https://www.nytimes.com/2019/08/28/us/politics/us-iran-cyber-attack.html
• How insurance companies are fueling a rise in ransomware attacks https://arstechnica.com/information-technology/2019/08/how-insurance-companies-are-fueling-a-rise-in-ransomware-attacks/
• U.S. officials fear ransomware attack against 2020 election https://www.cnbc.com/2019/08/26/us-officials-fear-ransomware-attack-against-2020-election.html
• Video captures glitching Mississippi voting machines flipping votes https://nakedsecurity.sophos.com/2019/08/29/video-captures-glitching-mississippi-voting-machines-flipping-votes/
• Snake oil or genius? Crown Sterling tells its side of Black Hat controversy (No details yet, so we remain skeptical) https://arstechnica.com/information-technology/2019/08/snake-oil-or-genius-crown-sterling-tells-its-side-of-black-hat-controversy/
• Don't Play in Google's Privacy Sandbox https://www.eff.org/deeplinks/2019/08/dont-play-googles-privacy-sandbox-1
• SpaceCom: Trump launches space warfare command https://www.bbc.co.uk/news/world-us-canada-49518612
• RFID and “The Thing” - The Cold War Spy Technology Which We All Use https://www.bbc.com/news/business-48859331
• The Mysterious Vaping Illness That’s ‘Becoming an Epidemic’ https://www.nytimes.com/2019/08/31/health/vaping-marijuana-ecigarettes-sickness.html
• AI Emotion-Detection Arms Race https://www.schneier.com/blog/archives/2019/08/ai_emotion-dete.html

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• Scientific Breakthrough Enables Storage and Release of Mechanical Waves Without Energy Loss https://scitechdaily.com/scientific-breakthrough-enables-storage-and-release-of-mechanical-waves-without-energy-loss/
• If you swish pancakes around, they turn the other way - know we know why - solving the pancake problem https://phys.org/news/2019-08-pancake-problem.html
• U.S. Air Force's Secretive X-37B Spaceplane Breaks Orbit Record https://www.popularmechanics.com/military/a28819806/x-37b-orbit-record/
• Why Soviets Sent Dogs, Not Primates, to Space https://www.theatlantic.com/science/archive/2019/08/space-race-dogs-chimpanzees-monkeys/597166/
• Titanic II nearing completion https://blogs.scientificamerican.com/observations/titanic-the-reboot/
• An Arctic shipwreck 'frozen in time' is revealing new details of the tragic 1845 Franklin expedition to find Canada’s North-West Passage https://www.cnn.com/travel/article/canada-shipwreck-franklin-scli-intl/index.html
• Humor: Misadventure on THE AIRLINE THAT SHALL NOT BE NAMED https://controlgap.com/blog/a-misadventure-on-the-airline-that-shall-not-be-named/