This Week’s [in]Security – Issue 132 | insecurity | Control Gap

Welcome to This Week’s [in]Security. This week: Millions of Magecart skimmers. Payments and disabilities. Anti-fraud scanner. Breaches and leaks: Russian ISP, New Zealand, Alberta Health, TransUnion. Face recognition, the war on encryption, FBI abused access to NSA data, high res selfies and stalkers. CA Deep-fake law, NY SHIELD Act, US-UK CLOUD Act, DMCA challenges. NIST key management and lightweight crypto updates. NIST and FIPS-140-3 (not a typo). SIN/SSN Alternatives. Ignorance of the Law. Ransomeware keys. Prioritizing patching. Copy and paste coding fails. More on bypassing 2FA. VoIP espionage. Sowing division. Quantum update. Sketchy SSD encryption. Free cryptography CPEs. Breaking encryption via the RNG. Canadian banks and 2FA. Vaping and cancer. And more.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

News and announcements relating to Payment Security, Payments, PCI, and Card Brands.

• Magecart:

  • Magecart Skimmers Spotted on 2M Websites https://www.darkreading.com/endpoint/magecart-skimmers-spotted-on-2m-websites/d/d-id/1336011
  • Deep Dive - FIN6 Compromised E-commerce Platform via Magecart to Inject Credit Card Skimmers Into Thousands of Online Shops https://blog.trendmicro.com/trendlabs-security-intelligence/fin6-compromised-e-commerce-platform-via-magecart-to-inject-credit-card-skimmers-into-thousands-of-online-shops/
  • Cookie Monster Eats Data From Sesame Street Store https://www.bbc.com/news/technology-49986737
  • Report: Attacks Target Sites Running Volusion Payment Platform ttps://www.bankinfosecurity.com/report-attacks-target-sites-running-volusion-payment-platform-a-13229
  • Dead simple: Plenty of Magecart miscreants still looking to skim off your credit card deets https://www.theregister.co.uk/2019/10/04/magecart/
• Merchants need to heed disability laws - Domino’s Case Could Increase Pressure on Retailers for Web Accessibility https://www.pymnts.com/legal/2019/dominos-case-could-increase-pressure-on-retailers-for-web-accessibility/
• New Advanced Credit Cards where the security codes change hourly – will hinder crooks (and any businesses that don’t use the codes in real time) https://www.linkedin.com/pulse/introducing-new-advanced-credit-cards-where-cvvs-change-thakur-
• MasterCard Threat Scan is an easy to use service available to MasterCard Issuers to test their production authorization network to see if they are susceptible to both known and theoretical fraud patterns. As such it can go where traditional vulnerability scans and penetration tests cannot. https://globalrisk.mastercard.com/online_resource/threat-scan/. See also https://www.pymnts.com/news/security-and-risk/2019/mastercard-threat-scan-helps-banks-detect-vulnerabilities/
• Visa talks about ATM Cashout and Account Enumeration Fraud Countermeasures https://www.bankinfosecurity.com/new-card-fraud-countermeasures-a-13205
• PCI DSS in Practice Case Study: Decolar https://blog.pcisecuritystandards.org/pci-dss-in-practice-case-study-decolar
• Mastercard, Visa, Stripe Warned By Senators To Beware Of Libra https://www.pymnts.com/cryptocurrency/2019/mastercard-visa-stripe-warned-by-senators-to-beware-of-libra/

Breaches / Leaks

Covering breaches, leaks, data exposures, and their fallout.

• Data breach at Russian ISP impacts 8.7 million customers https://www.zdnet.com/article/data-breach-at-russian-isp-impacts-8-7-million-customers/
• Credit info exposed in TransUnion datasecurity incident involving compromise of customer credentials to credit portal (thankfully not Equifax scale) https://www.bleepingcomputer.com/news/security/credit-info-exposed-in-transunion-data-security-incident/
• TransUnion privacy breach underscores rise of third-party cyberattacks  https://globalnews.ca/news/6017356/transunion-security-third-party-cyberattacks/
• New Zealand Network Breach May Affect 1 Million https://www.databreachtoday.com/new-zealand-breach-may-affect-1-million-a-13210
• New Zealand ComCom suffers breach after laptop theft https://www.zdnet.com/article/new-zealand-comcom-suffers-breach-after-laptop-theft/
• A Dutch forum for 250K sex workers and their clients was breached https://www.theregister.co.uk/2019/10/10/dutchhookerforumhacked250000usersprivates_bared/
• Hard drive with 650 patients’ records missing since August: Alberta health officials https://globalnews.ca/news/6001679/alberta-health-records-650-patients-missing-computer/
• Click2Mail Suffers Data Breach https://www.darkreading.com/attacks-breaches/click2mail-suffers-data-breach/d/d-id/1336072
• Imperva blames 2018 data breach on stolen AWS API key - estimated 13K credentials impacted https://www.zdnet.com/article/imperva-blames-data-breach-on-stolen-aws-api-key/
• Hacked Off: Lawsuit Alleges CafePress Used Poor Security https://www.bankinfosecurity.com/hacked-off-lawsuit-alleges-cafepress-used-poor-security-a-13233

Privacy

Articles about privacy related news, risks, and trends.

• How face recognition is taking over airports https://www.cnn.com/travel/article/airports-facial-recognition/index.html
• FBI violated Americans’ privacy by abusing access to NSA surveillance data, court rules https://www.theverge.com/2019/10/8/20905678/fbi-violated-americans-privacy-rights-court-ruling-fisc-surveillance-nsa and https://www.eff.org/deeplinks/2019/10/secret-court-rules-fbis-backdoor-searches-americans-violated-fourth-amendment
• Very creepy and disturbing - Stalker attacks Japanese pop singer – after tracking her down using reflection in her eyes https://www.theregister.co.uk/2019/10/10/stalkerjapaneyes/
• Twitter May Have Mistakenly Used Users’ Data For Advertising https://www.pymnts.com/safety-and-security/2019/twitter-may-have-mistakenly-used-users-data-for-advertising/
• Twitter transgression proves why its flawed 2FA system is such a privacy trap https://arstechnica.com/information-technology/2019/10/twitter-used-phone-numbers-provided-for-2fa-to-match-users-to-advertisers/
• Why Political Parties + Mass Data Collection + Religious Targeting + No Privacy Laws = Trouble http://www.michaelgeist.ca/2019/10/why-political-parties-mass-data-collection-religious-targeting-no-privacy-laws-trouble/
• Most US Presidential Campaign Websites Offer Little Privacy Protection https://www.darkreading.com/vulnerabilities---threats/most-us-presidential-campaign-websites-offer-little-privacy-protection/d/d-id/1336029
• Here Is What Facebook Won’t Tell You About Message Encryption https://www.forbes.com/sites/zakdoffman/2019/10/06/is-facebooks-new-encryption-fight-hiding-a-ruthless-secret-agenda/
• The Cambridge Analytica whistleblower explains how the firm used Facebook data to sway elections (FB) https://www.businessinsider.com/cambridge-analytica-whistleblower-christopher-wylie-facebook-data-2019-10
• Wi-Fi Hotspot Tracking (references 2018 article) https://www.schneier.com/blog/archives/2019/10/wi-fihotspott.html

Laws & Regulations / Standards

News about laws, regulations, and standards affecting security, privacy,  technology, and public interest.

• Schneier slams Australia's encryption laws and CyberCon speaker bans https://www.zdnet.com/article/schneier-slams-australias-encryption-laws-cybercon-speaker-bans/
• The broken record: Why Barr’s call against end-to-end encryption is nuts https://arstechnica.com/tech-policy/2019/10/the-broken-record-why-barrs-call-against-end-to-end-encryption-is-nuts/
• Euro ISP club: Sure, weaken encryption. It'll only undermine security for everyone, morons https://www.theregister.co.uk/2019/10/08/euroispslamsgovernmentcallstoweakenencryption/

• NIST drafts and updates:

  • NIST draft SP 800-57 Part 1 Revision 5, Recommendation for Key Management: Part 1 – General is open for comments until December 6. See https://csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-5/draft
  • NIST Internal Report (IR) 8268, Status Report on the First Round of the NIST Lightweight Cryptography Standardization Process - 32 candidate algorithms enter round 2 https://csrc.nist.gov/publications/detail/nistir/8268/final
  • NIST just released a slew of Cryptographic Module Validation draft standards (SP) 800-140-x relating to FIPS 140-3 (the replacement for 140-2) for comment:
  • Overview of the Transition to FIPS 140-3 https://csrc.nist.gov/projects/fips-140-3-transition-effort/transition-to-fips-140-3
  • Series update https://csrc.nist.gov/news/2019/nist-releases-draft-nist-sp-800-140x-subseries
  • Draft of SP 800-140 and sub-publications A-F 140: https://csrc.nist.gov/publciations/detail/sp/800-140/draft , 140A: https://csrc.nist.gov/publciations/detail/sp/800-140a/draft, 140B: https://csrc.nist.gov/publciations/detail/sp/800-140b/draft, 140C: https://csrc.nist.gov/publciations/detail/sp/800-140c/draft, 140D: https://csrc.nist.gov/publciations/detail/sp/800-140d/draft, 140E: https://csrc.nist.gov/publciations/detail/sp/800-140e/draft, and 140F: https://csrc.nist.gov/publciations/detail/sp/800-140f/draft
• DMCA - One Weird Law That Interferes With Security Research, Remix Culture, and Even Car Repair https://www.eff.org/deeplinks/2019/10/one-weird-law-interferes-security-research-remix-culture-and-even-car-repair
• Adobe Suspends Accounts for All Venezuela Users Citing U.S. Sanctions https://thehackernews.com/2019/10/adobe-venezuela-sanctions.html
• Why The PSD2 SCA (strong customer authentication) Delay Is Both An Opportunity, Challenge https://www.pymnts.com/news/regulation/2019/why-the-sca-delay-is-both-an-opportunity-challenge/
• UK Releases US-UK CLOUD Act Agreement https://epic.org/2019/10/uk-releases-us-uk-cloud-act-ag.html
• California Bans Deepfakes in Elections, Porn https://threatpost.com/california-bans-deepfakes-elections-porn/148950/
• Initial CCPA Compliance Costs Could Hit $55 Billion https://www.bankinfosecurity.com/initial-ccpa-compliance-costs-could-hit-55-billion-study-a-13209
• Complying with New York's SHIELD Act https://www.bankinfosecurity.com/interviews/complying-new-yorks-shield-act-i-4470
• U.S. Companies Unaware Of EU Cybersecurity Regulations https://www.forbes.com/sites/jodywestby/2019/10/07/us-companies-unaware-of-eu-cybersecurity-regulations/

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• In wake of data breaches, hunt for SIN alternatives intensifies - National https://globalnews.ca/news/6018344/sin-alternatives-hunt/
• NIST and Microsoft Partner to Improve Enterprise Patching Strategies https://www.securityweek.com/nist-and-microsoft-partner-improve-enterprise-patching-strategies
• How to Prioritize Vulnerability Patching (hint: CVSS isn't enough by itself) https://www.bankinfosecurity.com/how-to-prioritize-vulnerability-patching-a-13200
• HildaCrypt Ransomware Developer Releases Decryption Keys https://www.bleepingcomputer.com/news/security/hildacrypt-ransomware-developer-releases-decryption-keys/
• Whitehat Hacks Muhstik Ransomware Gang And Release Keys https://packetstormsecurity.com/news/view/30560/Whitehat-Hacks-Muhstik-Ransomware-Gang-And-Release-Keys.html
• Preventing Election Interference: New Recommendations https://www.bankinfosecurity.com/preventing-election-meddling-new-recommendations-a-13227
• U.S. to Help Secure Baltic Energy Grid Against Cyber Attacks https://www.securityweek.com/us-help-secure-baltic-energy-grid-against-cyber-attacks
• Password Strength: Make It a Priority! https://www.packetlabs.net/password-strength/
• UNIX Co-Founder Ken Thompson's BSD Password Has Finally Been Cracked 39 years later https://thehackernews.com/2019/10/unix-bsd-password-cracked.html
• Demonstration of Machine-Checked Proofs for Cryptographic Standards on a SHA-3 implementation https://eprint.iacr.org/2019/1155
• Looking for InfoSec CPE's - Free Cyrptography Course from Stanford via Coursea starts October 28th https://www.coursera.org/learn/crypto

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• This should not surprise - most Americans fail cybersecurity quiz https://threatpost.com/americans-fail-cybersecurity-quiz/149041/
• Copycat Coders Create Vulnerable Apps https://packetstormsecurity.com/news/view/30559/Copycat-Coders-Create-Vulnerable-Apps.html and https://www.bankinfosecurity.com/blogs/cutpastefail-unchecked-code-reuse-means-security-peril-p-2798
• D-Link Home Routers Open to Remote Takeover Will Remain Unpatched https://threatpost.com/d-link-home-routers-unpatched/148941/
• New Unpatchable iPhone Exploit Allows Jailbreaking https://www.schneier.com/blog/archives/2019/10/new_unpatchable.html
• Google finds Android zero day that can take control of Pixel and Galaxy devices https://www.theverge.com/2019/10/4/20898460/android-security-vulnerability-project-zero-pixel-galaxy-huawei-xiaomi
• Google Patches Remote Code Execution Bugs in Android 10 https://www.securityweek.com/google-patches-remote-code-execution-bugs-android-10
• Deep Dive on Last Month’s EXIM RCE Vulnerability CVE-2019-16928: Exploiting Exim via EHLO Strings https://blog.trendmicro.com/trendlabs-security-intelligence/cve-2019-16928-exploiting-an-exim-vulnerability-via-ehlo-strings/
• Microsoft Releases October 2019 Patch Tuesday Updates https://thehackernews.com/2019/10/microsoft-patch-tuesday-october.html
• Pass the Hash Remains a Poorly Defended Threat Vector https://www.securityweek.com/pass-hash-remains-poorly-defended-threat-vector
• New attack to watch which makes inroads on reduced 5 round AES - The Retracing Boomerang Attack https://eprint.iacr.org/2019/1154
• More Cryptanalysis of the Solitaire (manual) Cipher https://www.schneier.com/blog/archives/2019/10/more_cryptanaly.html

Hacking / Malware / Cybercrime / Exploitation

News covering active trends and events.

• An IRS employee stole identities and went on a 2-year spending spree https://qz.com/1723855/an-irs-employee-stole-identities-went-on-spending-spree/
• Capital One Hacking Trial Delay Likely https://www.bankinfosecurity.com/capital-one-hacking-trial-delay-likely-a-13236
• FBI Warns About Attacks That Bypass Multi Factor Authentication https://packetstormsecurity.com/news/view/30558/FBI-Warns-About-Attacks-That-Bypass-Multi-Factor-Authentication.html
• VoIP Espionage Campaign Hits U.S. Utilities Supplier https://packetstormsecurity.com/news/view/30557/VoIP-Espionage-Campaign-Hits-U.S.-Utilities-Supplier.html
• SIM Cards in 29 Countries Vulnerable to Remote Simjacker Attacks https://thehackernews.com/2019/10/simjacker-vulnerability-exploit.html
• Attackers exploit 0-day vulnerability that gives full control of Android phones https://arstechnica.com/information-technology/2019/10/attackers-exploit-0day-vulnerability-that-gives-full-control-of-android-phones/
• Android devices hit by zero-day exploit Google thought it had patched https://nakedsecurity.sophos.com/2019/10/07/android-devices-hit-by-zero-day-exploit-google-thought-it-had-patched/
• Deep Dive - Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques https://www.fireeye.com/blog/threat-research/2019/10/mahalo-fin7-responding-to-new-tools-and-techniques.html
• Compromising TLS by crippling browser side key generation:
• New Reductor Nation-State Malware Compromises TLS https://www.schneier.com/blog/archives/2019/10/newreductorna.html
• Warning For Windows Users As Encryption Breaking Malware Breaks Cover https://www.forbes.com/sites/daveywinder/2019/10/04/warning-for-windows-users-as-encryption-breaking-malware-breaks-cover/
• Russian Hacker Group Patches Chrome And Firefox To Fingerprint TLS Traffic https://packetstormsecurity.com/news/view/30552/Russian-Hacker-Group-Patches-Chrome-And-Firefox-To-Fingerprint-TLS-Traffic.html
• FBI warns of major ransomware attacks as criminals go “big-game hunting” https://arstechnica.com/information-technology/2019/10/fbi-warns-of-major-ransomware-attacks-as-criminals-go-big-game-hunting/
• Phishing attempts increase 400%, many malicious URLs found on trusted domains https://www.helpnetsecurity.com/2019/10/09/phishing-increase-2019/
• How we got inside an overseas tech support scam targeting Canadians https://www.cbc.ca/news/world/tech-support-scam-india-marketplace-1.5298336
• Cheeky. Finfisher malware authors fire off legal threats to silence German journalists https://www.theregister.co.uk/2019/10/10/finfisherauthorslegalthreatsgerman_journalists/

Other Security / Risk

Articles covering other types of risks.

• Why is this online banking security feature common in other countries, but not Canada? https://www.cbc.ca/news/canada/nova-scotia/two-factor-verification-online-banking-security-1.5306052
• Good article IBM demonstrates CRYSTAL a quantum resistant public key cipher and a good explanations of the limitations of quantum computing https://www.scientificamerican.com/article/new-encryption-system-protects-data-from-quantum-computers/
• Quantum speedups for lattice sieves are tenuous at best https://eprint.iacr.org/2019/1161
• Planting Tiny Spy Chips in Hardware Can Cost as Little as $200 https://www.wired.com/story/plant-spy-chips-hardware-supermicro-cheap-proof-of-concept/
• Speakers Censored at AISA Conference in Melbourne https://www.schneier.com/blog/archives/2019/10/speakers_censor.html
• The Standard Cybersecurity Model Is Fundamentally Broken (we should all know this but the problem is what's a credible alternative) https://www.forbes.com/sites/tonybradley/2019/10/07/the-standard-cybersecurity-model-is-fundamentally-broken/
• Ethiopian Airlines breached Boeing 737 maintenance records: whistleblower https://globalnews.ca/news/6002267/ethiopian-airlines-whistleblower-boeing-737-crash/
• Risks of going all digital, Her iPhone died. It led to her being charged as a criminal https://www.zdnet.com/article/her-iphone-died-it-led-to-her-being-charged-as-a-criminal/
• Defense Intelligence Agency employee arrested for allegedly leaking highly classified reports to media https://www.businessinsider.com/dia-employee-arrested-for-leaking-highly-classified-reports-to-media-2019-10
• Microsoft and US Senators Clash Over Huawei Threat Warning https://www.forbes.com/sites/zakdoffman/2019/10/08/new-microsoft-warninghuawei-threat-is-real-and-urgent/
• Globalization backlash could lead to a 'technological iron curtain' https://markets.businessinsider.com/news/stocks/the-trumpian-backlash-to-globalization-could-lead-to-a-technological-iron-curtain-says-this-economist-1028582564
• Iran-linked Hackers Target Trump 2020 Campaign https://threatpost.com/iran-linked-hackers-target-trump-2020-campaign-microsoft-says/148931/
• An example of how foreign interference seeks to divide us all - or if you can spot trolls you can spot this too https://www.dhs.gov/sites/default/files/publications/190717cisa_the-war-on-pineapple-understanding-foreign-interference-in-5-steps.pdf
• New Schneier book "We Have Root" (collection of online essays) https://www.schneier.com/blog/archives/2019/10/ihaveanewbo.html
• Artificial Intelligence Learns to Talk Back to Bigots https://www.scientificamerican.com/podcast/episode/artificial-intelligence-learns-to-talk-back-to-bigots/
• Not fit for purpose? Police Robot on Patrol Completely Ignores Woman Trying to Summon The Police https://www.sciencealert.com/police-robot-ignores-woman-who-tried-to-call-the-police
• This Man Ended Up With First-Degree Burns From a High-Vis Safety Vest https://www.sciencealert.com/an-unfortunate-australian-man-got-first-degree-burns-from-his-high-vis-vest
• Scientists Have Found a Culprit Spreading Antibiotic Resistance to Other Microbes https://www.sciencealert.com/scientists-have-found-the-culprit-spreading-antibiotic-resistance-to-other-microbes
• The Hyper-Employment Paradox https://www.forbes.com/sites/cognitiveworld/2019/10/05/the-hyper-employment-paradox/
• E-cigarette smoke caused lung cancer in mice https://scienmag.com/e-cigarette-smoke-caused-lung-cancer-in-mice/
• Should We Be Routinely Flying Into Typhoons Like Hagibis For Science? https://www.forbes.com/sites/marshallshepherd/2019/10/07/should-we-be-routinely-flying-into-typhoons-like-hagibis-for-science/
• Eight-year-old climber scales replica of U.S. President Trump's 'virtually impenetrable' border wall https://www.ctvnews.ca/world/climber-8-tackles-replica-of-trump-s-virtually-impenetrable-border-wall-1.4632380
• Cheating at Professional Poker https://www.schneier.com/blog/archives/2019/10/cheatingatpro_1.html
• We Just Got More Evidence a Large Meteorite Smashed Into Earth 12,800 Years Ago https://www.sciencealert.com/a-large-meteorite-could-have-hit-the-earth-12-800-years-ago-and-caused-massive-climate-changes
• Here's Why Scientists Are Working So Hard to Keep Warming Below 2 Degrees Celsius https://www.sciencealert.com/if-warming-exceeds-2-c-antarctica-s-ice-sheets-could-raise-seas-20-metres
• Why would you do this? Dark Tourism - Visitors at Chernobyl can now tour the control room, where radiation levels could be 40,000 times higher than normal in a hazmat suit for 5 minutes only https://www.businessinsider.com/chernobyl-control-room-tours-radiation-still-high-2019-10

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• Scientists Have Figured Out How to Extract Oxygen From Moon Dirt https://www.sciencealert.com/scientists-have-figured-out-how-to-extract-oxygen-from-moon-dirt
• Hydrogen Could Become A $130 Billion U.S. Industry By 2050. Could It Also Cut Emissions? https://www.forbes.com/sites/energyinnovation/2019/10/07/how-hydrogen-could-become-a-130-billion-us-industry-and-cut-emissions-by-2050/
• Carbon Engineering - Taking CO2 Right Out Of The Air To Make Gasoline (now if we could use this to stop taking it out of the ground) https://www.forbes.com/sites/jamesconca/2019/10/08/carbon-engineering-taking-co2-right-out-of-the-air-to-make-gasoline/
• NASA to test its first all-electric plane, the X-57 https://bigthink.com/technology-innovation/electric-aircraft
• 3D-printed tiny homes in 24 hours for a fraction of the cost https://www.businessinsider.com/icon-3d-printer-tiny-home-austin-photos-2019-10
• A volcano blows its top as seen from space https://www.syfy.com/syfywire/a-volcano-blows-its-top-seen-from-space
• NASA sets first all-female spacewalk after cancellation in spring https://globalnews.ca/news/5994152/nasa-all-female-space-walk/ and https://www.cbc.ca/news/technology/women-only-spacewalk-1.5164211
• Astronauts aboard International Space Station successfully grow space meat for first time https://globalnews.ca/news/6002465/space-meat-international-space-station/
• Alexei Leonov, 1st person to walk in space, dies at 85 https://www.cbc.ca/news/technology/alexei-leonov-1.5317734
• 20 New Moons Found Around Saturn, Snagging Satellite Record from Jupiter https://www.space.com/saturn-20-newfound-moons-naming-contest.html
• Warp speeds in 'Star Trek' are achingly slow, and a simple animation of the starship Enterprise by a NASA scientist proves it https://www.businessinsider.com/star-trek-warp-light-speed-reality-travel-nasa-animation-2019-1
• Really? - Whisky ‘capsules’ draw comparisons to Tide Pods, Fruit Gushers https://globalnews.ca/news/5997212/glenlivet-capsules-tide-pods/
• Just saying - there is a museum of failed innovations https://failuremuseum.com/