This Week’s [in]Security – Issue 128

Welcome to This Week’s [in]Security. This week: PCI SSF & SSLC Reporting Templates. PIN Technical (mandatory) FAQ update. Photographic memory breach. 200M+ in DealerLeads, Verizon, and Monster (jobs) breaches. Hospital pager PHI leak. Facebook and sex. Widening the encryption debate. Canada Cyber Safe? Copyright take-down backfires. Every state is investigating Google. Web scraping legality. Cyber skills gap. SD-WAN security. Encrypted DNS. Cyber insurance. Snake-oil indicators. BlueKeep is out there. Flashlight apps really? NetCat side channel attack. SIMjacker. Monetizing IoT attacks. RDP , passwords, and ransomware. Damaging the power grid. Spies. ATM EMV cash-out. Vanishing payroll. Interesting Crypto conference take-aways. Pentesting gone wrong. And more.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

News and announcements relating to Payment Security, Payments, PCI, and Card Brands.

• New PCI publications:

  • Reporting templates for the new Software Security Framework https://www.pcisecuritystandards.org/documents/PCI-Secure-Software-v10-ROV-Template-r10.pdf and Lifecycle https://www.pcisecuritystandards.org/documents/PCI-Secure-SLC-v10-ROC-Template-r10.pdf (interestingly, this breaks the general rule of thumb about DSS style Compensating Controls being allowed in ROVs (no) and ROCs(yes) – none are allowed here but the standard does recognize some constraints)
  • PCI PIN Technical (i.e. mandatory) FAQs updated for HSMs with older FIPS certifications and POI clear-text key injection https://www.pcisecuritystandards.org/documents/PTSPINTechnicalFAQsv2August2019.pdf (note some of these likely apply to PINv3)

Breaches / Leaks

Covering breaches, leaks, data exposures, and their fallout.

• Man Allegedly Uses 'Photographic Memory' to Steal 1,300 Credit Card Numbers http://www.sciencealert.com/experts-doubt-cashier-stole-1-300-credit-numbers-using-only-a-photographic-memory
• DealerLeads 198M car buyers PII records exposed in unprotected Elasticsearch database https://www.forbes.com/sites/daveywinder/2019/09/15/bought-a-car-recently-198m-car-buyer-records-exposed-in-massive-data-leak/
• Vulnerabilities Exposed 2 Million Verizon Customer Contracts https://www.securityweek.com/vulnerabilities-exposed-2-million-verizon-customer-contracts
• Monster Never Told Users About Data Breach of third party exposing 3 years of data https://www.pymnts.com/news/security-and-risk/2019/monster-never-told-users-about-data-breach/US
• Secret Service investigates a breach at a US government IT contractor https://krebsonsecurity.com/2019/09/secret-service-investigates-breach-at-u-s-govt-it-contractor/
• Hospitals using insecure pager systems leak sensitive patient data https://election.ctvnews.ca/potential-health-data-breach-exposing-names-medical-conditions-discovered-by-privacy-researcher-1.4581914
• Crooks with bad opsec … mystery database left open turns out to be massive Groupon fraud ticket fraud ring https://www.theregister.co.uk/2019/09/12/databasegrouponscam/
• How data breaches are hurting small businesses https://www.techrepublic.com/article/how-data-breaches-are-hurting-small-businesses/

Privacy

Articles about privacy related news, risks, and trends.

• Sex lives of app users 'shared with Facebook' https://www.bbc.com/news/technology-49647239

Laws & Regulations / Standards

News about laws, regulations, and standards affecting security, privacy,  technology, and public interest.

• Lawmakers want to give Americans back their right to sue companies https://www.cnbc.com/2019/09/10/lawmakers-want-to-give-americans-back-their-right-to-sue-companies.html
• French law holds company liable after employee dies during sex on business trip https://www.bbc.co.uk/news/world-europe-49662134 
• Almost hilarious, vendor uses EFF image in violation of license and sends demands in a takedown notice to EFF (cheeky or clueless?) https://www.eff.org/deeplinks/2019/09/time-when-eff-got-copyright-takedown-demand Related EFF’s Takedown Hall of Shame https://www.eff.org/takedowns
• Swedish GDPR Fine Highlights Legal Challenges in Use of Biometrics https://www.securityweek.com/swedish-gdpr-fine-highlights-legal-challenges-use-biometrics
• Top European Court to Review National Data Retention Laws https://epic.org/2019/09/top-european-court-to-review-n.html
• Google: 50 US states and territories launch competition probe https://www.bbc.co.uk/news/business-49641306
• Web scraping doesn’t violate anti-hacking law, appeals court rules https://arstechnica.com/tech-policy/2019/09/web-scraping-doesnt-violate-anti-hacking-law-appeals-court-rules/
• Political promise to make Canada Cyber Safe could start a useful discussion and lead to improvements or just confuse everyone https://www.msn.com/en-ca/video/topvideos/scheer-promises-to-create-canada-cyber-safe-certification-for-digital-products/vi-AAGV2C0
• Australia's anti-encryption law is hurting press and personal privacy https://www.newscientist.com/article/mg24332474-600-australias-anti-encryption-law-is-hurting-press-and-personal-privacy/
• Encrypted messaging is becoming more popular, and child advocates are worried https://www.theverge.com/facebook/2019/9/13/20863489/encryption-stanford-conference-facebook-ncmec-ghq

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• Why The Cybersecurity Skills Gap Won't Be Solved In The Classroom https://www.forbes.com/sites/jameshadley/2019/09/12/why-the-cybersecurity-skills-gap-wont-be-solved-in-the-classroom/
• SD-WAN: Disruptive Technology That Requires Careful Security Consideration https://www.securityweek.com/sd-wan-disruptive-technology-requires-careful-security-consideration

• DoH! Encrypted DNS:

  • Mozilla increases browser privacy with encrypted DNS https://nakedsecurity.sophos.com/2019/09/10/mozilla-increases-browser-privacy-with-encrypted-dns/
  • And Why Some Want to Turn It Off - Blocking Firefox DoH with Bind https://isc.sans.edu/diary/Blocking+Firefox+DoH+with+Bind/25316
  • Encrypted DNS could help close the biggest privacy gap on the Internet. Why are some groups fighting against it? https://www.eff.org/deeplinks/2019/09/encrypted-dns-could-help-close-biggest-privacy-gap-internet-why-are-some-groups
• Norad asked Canada to 'identify and mitigate' cyber threats to critical civilian sites https://www.cbc.ca/news/politics/norad-cyber-civilian-1.5273917
• On Cybersecurity Insurance https://www.schneier.com/blog/archives/2019/09/on_cybersecurit.html
• Ransomware attacks: Weak passwords are now your biggest risk https://www.zdnet.com/article/ransomware-attacks-weak-passwords-are-now-your-biggest-risk/
• Ransomware protection planning https://www.linkedin.com/pulse/ransomware-protection-plan-pamela-gupta/
• Out of the archives: These should be required reading for anyone buying security products. Bruce Schneier on Snake Oil Warning Signs https://www.schneier.com/crypto-gram/archives/1999/0215.html#snakeoil and how to design a cipher https://www.schneier.com/crypto-gram/archives/1998/1015.html#cipherdesign

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• Metasploit releases BlueKeep exploit, explains it’s for the good https://www.cso.com.au/article/666218/metasploit-releases-bluekeep-exploit-explains-it-good/
• Telnet backdoor vulnerabilities impact over a million IoT radio devices https://www.zdnet.com/article/critical-vulnerabilities-impact-over-a-million-iot-radio-devices/
• Microsoft Teams Can Be Used To Execute Arbitrary Payloads https://www.bleepingcomputer.com/news/security/microsoft-teams-can-be-used-to-execute-arbitrary-payloads/
• Critical TLS flaw opens Exim servers to remote compromise http://nakedsecurity.sophos.com/2019/09/10/critical-tls-flaw-opens-exim-servers-to-remote-compromise/
• Please just stop or buy a new phone … most Android flashlight apps request an absurd number of permissions (up to 77) https://www.zdnet.com/article/most-android-flashlight-apps-request-an-absurd-number-of-permissions/
• D-Link and Comba routers have multiple vulnerabilities, including storing passwords in plain text https://betanews.com/2019/09/11/d-link-comba-routers-password-vulnerabilities/
• Instagram Confirms Security Issue Exposed User Accounts And Phone Numbers (likely a vulnerability not a breach) https://www.forbes.com/sites/zakdoffman/2019/09/12/new-instagram-hack-exclusive-facebook-confirms-user-accounts-and-phone-numbers-at-risk/
• The NetCAT is out of the bag: Intel chipset exploited to sniff SSH passwords as they're typed over the network https://www.theregister.co.uk/2019/09/10/intelnetcatsidechannelattack/
• Intel: SSH-stealing NetCAT bug not really a problem https://nakedsecurity.sophos.com/2019/09/13/intel-ssh-stealing-netcat-bug-not-really-a-problem/

Hacking / Malware / Cybercrime / Exploitation

News covering active trends and events.

• SIMjacker:

  • 1B Mobile Users Vulnerable to Ongoing ‘SimJacker’ Surveillance Attack https://threatpost.com/1b-mobile-users-vulnerable-to-ongoing-simjacker-surveillance-attack/148277/
  • Hackers are exploiting a platform-agnostic feature, used by your telco for management, to track mobile phone locations https://arstechnica.com/information-technology/2019/09/hackers-are-exploiting-a-platform-agnostic-flaw-to-track-mobile-phone-locations/How SIM swap fraud works https://blog.international.jtglobal.com/how-sim-swap-fraud-works
  • Simjacker attack exploited in the wild to track users for at least two years https://www.zdnet.com/article/new-simjacker-attack-exploited-in-the-wild-to-track-users-for-at-least-two-years/
• Rapid Rise in Monetization of IoT Attacks https://www.infosecurity-magazine.com/news/rapid-rise-in-monetization-of-iot/
• Cybercrime Black Markets: RDP Access Remains Cheap and Easy https://www.bankinfosecurity.com/cybercrime-black-markets-rdp-access-remains-cheap-easy-a-13054
• New Clues Show How Russia’s Grid Hackers Aimed for Physical Destruction in 2016 Ukraine Attack https://www.wired.com/story/russia-ukraine-cyberattack-power-grid-blackout-destruction/
• Cybercriminals Steal $4.2m from State Troopers' Pension Fund https://www.infosecurity-magazine.com/news/hackers-steal-from-pension-fund/
• German bank loses €1.5 million in mysterious cashout of EMV cards https://www.zdnet.com/article/german-bank-loses-eur1-5-million-in-mysterious-cashout-of-emv-cards/
• NY Payroll Company Vanishes With $35 Million https://krebsonsecurity.com/2019/09/ny-payroll-company-vanishes-with-35-million/
• Ransomware Attack Hits School District Twice in 4 Months https://www.securityweek.com/ransomware-attack-hits-school-district-twice-4-months
• Irish government admits ransomware breach https://www.thetimes.co.uk/article/irish-government-admits-ransomware-breach-s8n6nxpgj
• Wikipedia, World of Warcraft Downed By Weekend DDoS Attacks https://threatpost.com/wikipedia-world-of-warcraft-ddos-attacks/148121/
• Feds Indict 281 People for Involvement in Massive Email Fraud Scheme https://threatpost.com/feds-indict-281-people-for-involvement-in-massive-e-mail-fraud-scheme/148218/ and https://www.bankinfosecurity.com/bec-scam-roundup-281-suspects-arrested-worldwide-a-13059
• RCMP civilian employee charged under national security act https://www.bbc.co.uk/news/world-us-canada-49691465
• Chinese professor stole hard drive secrets for Huawei, US government charges https://arstechnica.com/tech-policy/2019/09/us-criminally-charges-chinese-professor-with-stealing-secrets-for-huawei/
• Suspected Hacker Arrested for Stealing and Selling Unreleased Music https://www.bleepingcomputer.com/news/security/suspected-hacker-arrested-for-stealing-and-selling-unreleased-music/

Other Security / Risk

Articles covering other types of risks.

• IACR Crypto conference 2019 Takeaways, runs down some of the most significant cryptography research of the year https://blog.trailofbits.com/2019/09/11/crypto-2019-takeaways/
• Stop Using CVSS to Score Risk – it’s a vulnerability severity rating https://www.securityweek.com/stop-using-cvss-score-risk
• Two Penetration Testers Arrested During Physical Break-in Exercise – Raises Many Questions for Industry on Contracts and Liabilities https://www.desmoinesregister.com/story/news/crime-and-courts/2019/09/11/men-arrested-burglary-dallas-county-iowa-courthouse-hired-judicial-branch-test-security-ia-crime/2292295001/
• Why Layering Is Going Out Of Fashion In Consumer Authentication https://www.pymnts.com/news/security-and-risk/2019/why-layering-is-going-out-of-fashion-in-consumer-authentication/
• Government-Censored Science Doomed The USSR, And The USA May Be Next https://www.forbes.com/sites/startswithabang/2019/09/12/government-censored-science-doomed-the-ussr-and-the-usa-may-be-next/
• Political disinformation is rampant online. How can voters cope? https://www.cbc.ca/news/technology/disinformation-political-spin-online-election-2019-1.5279919
• Calling anything “unhackable” is usually a bad sign, Fixing IoT Leaks with Hardware Security https://www.bankinfosecurity.com/fixing-iot-leaks-hardware-security-a-13048
• A Sixth Person Has Now Died From The Mysterious Lung Illness Linked to Vaping http://www.sciencealert.com/a-sixth-person-has-died-from-the-mysterious-lung-illness-linked-to-vaping
• Following EASA’s announcement last week, India will also certify the 737 MAX individually https://www.aerotime.aero/rytis.beresnevicius/23934-india-certify-737-max
• Brain Hack Devices Must Be Scrutinized, Say Top Scientists https://www.bbc.com/news/technology-49606027
• What the drone attack in Saudi Arabia means for gas prices in Canada https://www.ctvnews.ca/canada/what-the-drone-attack-in-saudi-arabia-means-for-gas-prices-in-canada-1.4594108
• Shell Companies Hide $15 Trillion From Taxes, Study Reports https://www.forbes.com/sites/lisettevoytko/2019/09/09/shell-companies-hide-15-trillion-from-taxes-study-reports/
• The pros and cons of switching to permanent Daylight Saving Time https://globalnews.ca/news/5885735/pros-cons-daylight-saving/
• Cargo truck lands on roof of house.  Video shows how. https://globalnews.ca/news/5882399/scarborough-truck-roof/ 
• Food Expiration Dates May Mislead Consumers https://www.scientificamerican.com/podcast/episode/food-expiration-dates-may-mislead-consumers/

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• Interesting idea. Since cooling demand is primarily driven by the sun, could it also be powered by the sun? https://scienmag.com/since-cooling-demand-is-primarily-driven-by-the-sun-could-it-also-be-powered-by-the-sun/
• Astronomers Find Water on an Exoplanet Twice the Size of Earth https://www.scientificamerican.com/article/astronomers-find-water-on-an-exoplanet-twice-the-size-of-earth/
• Is that a Canadian flag on a dinosaur? Newly Discovered Pterosaur with 10 Meter Wingspan Was One of The Biggest Flying Reptiles Ever http://www.sciencealert.com/newly-discovered-pterosaur-was-one-of-the-biggest-flying-reptiles-ever
• Hitchhikers Guide to the Universe aside, the number 42 has been hiding a secret https://www.sciencealert.com/the-sum-of-three-cubes-problem-has-been-solved-for-42
• New Clues Found in Understanding Near-Death Experiences https://www.scientificamerican.com/article/new-clues-found-in-understanding-near-death-experiences/
• Last Day of The Dinosaurs Revealed in Stunning Glimpse of Asteroid Disaster http://www.sciencealert.com/rocks-under-chicxulub-crater-reveal-a-detailed-snapshot-of-the-day-the-dinosaurs-died
• NASA Tests Autonomous Lunar Landing Technology https://www.universetoday.com/143348/nasa-tests-autonomous-lunar-landing-technology/