This Week’s [in]Security – Issue 134

Welcome to This Week’s [in]Security. This week: Evolving PCI. PCI SSF transition. Online EMV SRC. Windows 7 EOS. EOL OS's getting worse. Magecart. Penny wise-pound foolish. VPN and AV breaches. US Military PII breach. Social media portability. The CASE Act. Robot voyeurs. Alex and Google Home privacy again. SQL magic password malware. Cyber Insurance fail. AES benefits. Quantum shade. Problem visibility and executives. Attribution and nested APTs. The end is near for Windows 7. Facebook probed by most states. Facebook and elections. Is minimal security too expensive? Green tech. Women setting records. Iot again. TikTok and National Security. Data over sound. Halloween! Carbon Capture. And more.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

News and announcements relating to Payment Security, Payments, PCI, and Card Brands.

null- How the Council is Evolving to Secure the Future of Payments https://blog.pcisecuritystandards.org/how-the-council-is-evolving-to-secure-the-future-of-payments

• Resource Guide: Transitioning from PA-DSS to the Software Security Framework https://blog.pcisecuritystandards.org/resource-guide-transitioning-from-pa-dss-to-the-software-security-framework
• "PCI Technical (mandatory) FAQs for Card Production Security Requirements https://www.pcisecuritystandards.org/documents/CardProdSecurityRqrmtsFAQsv2Oct_2019.pdf"
• Visa, Mastercard other card networks begin EMV Secure Remote Commerce (EMV SRC) rollout for easier online checkout https://www.mobilepaymentstoday.com/news/visa-mastercard-other-card-networks-begin-emv-src-rollout-for-easier-online-checkout/
• We are less than 3 months from Windows 7 End-of-Support https://controlgap.com/blog/microsoft-support-and-pci-compliance/
• Outdated OSs Still Present in Many Industrial Organizations https://www.securityweek.com/outdated-oss-still-present-many-industrial-organizations-report
• FBI Issues Payment Card Skimming Warning https://www.bankinfosecurity.com/fbi-issues-payment-card-skimming-warning-a-13292
• Magecart 5 Linked to Carbanak Gang https://threatpost.com/magecart-5-linked-carbanak-gang/149419/
• Mastercard Institutes Criteria For Data Privacy https://www.pymnts.com/mastercard/2019/mastercard-institutes-criteria-for-data-privacy/
• Credit card fraud alert: Kelowna woman warns after false food order http://globalnews.ca/news/6074047/credit-card-fraud-alert-kelowna-woman-warns-after-false-food-order/

Breaches / Leaks

Covering breaches, leaks, data exposures, and their fallout.

• £265m Data Breach Costs Could Have Been Avoided with £9600 Worth of Bug Bounties https://www.infosecurity-magazine.com/news/breach-costs-avoided-bug-bounties/
• Unsecure Database Exposed US Military Personnel Data https://www.bankinfosecurity.com/unsecure-database-exposed-us-military-personnel-data-report-a-13280
• 7 million Adobe Creative Cloud accounts exposed to the public https://www.comparitech.com/blog/information-security/7-million-adobe-creative-cloud-accounts-exposed-to-the-public/
• 7-Eleven fuel app data breach exposes users' personal details https://www.theguardian.com/technology/2019/oct/25/7-eleven-fuel-app-data-breach-exposes-users-personal-details
• Hacker Breached Servers Belonging to NordVPN, TorGuard VP, and possibly VikingVPN in 2018. NordVPN web certificate private keys were compromised https://www.bleepingcomputer.com/news/security/hacker-breached-servers-belonging-to-multiple-vpn-providers/ and https://arstechnica.com/information-technology/2019/10/hackers-steal-secret-crypto-keys-for-nordvpn-heres-what-we-know-so-far/
• Avast says hackers breached internal network through compromised VPN profile https://www.zdnet.com/article/avast-says-hackers-breached-internal-network-through-compromised-vpn-profile/
• Avast Network Breached As Hackers Target CCleaner Again https://threatpost.com/avast-network-breached-as-hackers-target-ccleaner-again/149358/
• Is AWS Liable in Capital One Breach? https://threatpost.com/capital-one-breach-senators-aws-investigation/149567/
• Major Florida Health System Fined $2M for HIPPA Breach https://www.securityweek.com/major-florida-health-system-fined-2m-hippa-breach

Privacy

Articles about privacy related news, risks, and trends.

• Japanese hotel chain sorry that hackers may have watched guests through bedside robots https://www.theregister.co.uk/2019/10/22/japanesehotelchainsorrythatbedsiderobotsmayhavewatchedguests/
• Security researchers expose new Alexa and Google Home vulnerability https://www.theverge.com/2019/10/21/20924886/alexa-google-home-security-vulnerability-srlabs-phishing-eavesdropping
• Firefox Privacy Protection makes website trackers visible https://nakedsecurity.sophos.com/2019/10/25/firefox-privacy-protection-makes-website-trackers-visible/ and https://www.zdnet.com/article/mozillas-firefox-70-is-out-privacy-reports-reveal-whose-cookies-are-tracking-you/
• EU Data Watchdog Raises Concerns Over MS Contracts https://www.reuters.com/article/us-eu-dataprotection-microsoft-idUSKBN1X00WF
• FTC Warns Consumers About Stalking Apps https://www.darkreading.com/endpoint/privacy/ftc-warns-consumers-about-stalking-apps/d/d-id/1336161
• EU-U.S. Privacy Shield Renewed, Still in Dispute in Court http://epic.org/2019/10/eu-us-privacy-shield-renewed-s.html

Laws & Regulations / Standards

News about laws, regulations, and standards affecting security, privacy,  technology, and public interest.

• WTF! Seriously? Cyber insurance doesn't cover criminal "hacking"! AIG says its cyber insurance plans don't cover criminal acts; wants lawsuit tossed https://www.cyberscoop.com/aig-cyber-insurance-lawsuit-bec/
• EFF and Partners Urge U.S. Lawmakers to Support New DoH Protocol for a More Secure Internet https://www.eff.org/press/releases/eff-and-partners-urge-us-lawmakers-support-new-doh-protocol-more-secure-internet
• Careful what you wish for - this could go either way - Proposed Social Media Law Would Let Data Flow Among Platforms https://www.pymnts.com/news/regulation/2019/proposed-social-media-law-would-let-data-flow-among-platforms/
• EPIC to Congress: Data Ownership Won't Protect Consumers http://epic.org/2019/10/epic-to-congress-data-ownershi.html
• Comcast fights Google’s encrypted-DNS plan but promises not to spy on users https://arstechnica.com/tech-policy/2019/10/comcast-fights-googles-encrypted-dns-plan-but-promises-not-to-spy-on-users/ and https://www.vice.com/en_us/article/9kembz/comcast-lobbying-against-doh-dns-over-https-encryption-browsing-data
• The CASE Act - Are You Ready to Pay $30,000 for Sharing a Photo Online? The House of Representatives Thinks You Are https://www.eff.org/deeplinks/2019/10/ready-pay-30000-sharing-photo-online-house-representatives-thinks-you-are
• Now, California Can Assess Taxes No Matter Where You Live…Really https://www.forbes.com/sites/robertwood/2019/10/22/now-california-can-assess-taxes-no-matter-where-you-livereally/

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• Microsoft Aims to Block Firmware Attacks with New Secured-Core PCs https://www.darkreading.com/operations/microsoft-aims-to-block-firmware-attacks-with-new-secured-core-pcs/d/d-id/1336136
• Google to add eye detection to Pixel 4 after privacy concerns https://www.theguardian.com/technology/2019/oct/21/google-eye-detection-pixel-4-smartphone-unlock
• Good awareness technique even if it's for ads - How BlackBerry Used Improv Comedy To Make Cybersecurity A More ‘Human’ Topic https://www.forbes.com/sites/martyswant/2019/10/18/how-blackberry-used-improv-comedy-to-make-cybersecurity-a-more-human-topic/
• Computer science classes break down cultural barriers https://scienmag.com/computer-science-classes-break-down-cultural-barriers-study-shows/
• Oracle Releases Free Tool for Monitoring Internet Routing Security https://www.darkreading.com/vulnerabilities---threats/oracle-releases-free-tool-for-monitoring-internet-routing-security/d/d-id/1336158
• Public keys are not enough for SSH security (beware there may be PCI DSS scope issues here) https://blog.cloudflare.com/public-keys-are-not-enough-for-ssh-security/
• 15 Years Later, Metasploit Still Manages to be a Menace https://threatpost.com/metasploit-still-a-menace/149448/
• How to turn off Cortana on a Windows 10 computer, so it doesn't take up power and can't hear or respond to your voice https://www.businessinsider.com/how-to-turn-off-cortana-windows-10
• Calculating the Benefits of the Advanced Encryption Standard https://www.schneier.com/blog/archives/2019/10/calculating_the.html
• How LinuxONE Torpedoes Seven Mainframe Myths https://www.linkedin.com/pulse/how-linuxone-torpedoes-seven-mainframe-myths-jason-bloomberg

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• ATTK of the Pwns: Trend Micro's antivirus tools 'will run malware – if its filename is cmd.exe' https://www.theregister.co.uk/2019/10/21/flawtrendmicro/
• Firefox, Chrome Bugs Allow Arbitrary Code-Execution https://threatpost.com/critical-firefox-bugs-arbitrary-code-execution/149455/
• Avast, Avira Products Vulnerable to DLL Hijacking https://www.securityweek.com/avast-avira-products-vulnerable-dll-hijacking
• IoT: Security Research Firm Finds Vulnerability In Vatican’s ‘eRosary’ https://www.pymnts.com/safety-and-security/2019/security-research-firm-finds-vulnerability-in-vaticans-erosary/
• IoT: New Smart Device Warning: ‘20,000 Attacks Every 15 Minutes’—Change Your Passwords https://www.forbes.com/sites/zakdoffman/2019/10/20/new-cyber-warning-20000-attacks-every-15-minutes-on-smart-devicesreport/
• The Threat to SoHo IoT Devices is Growing Rapidly https://www.securityweek.com/threat-soho-iot-devices-growing-rapidly
• DoS Vulnerability in content distribution networks found by researchers https://nakedsecurity.sophos.com/2019/10/24/researchers-find-vulnerability-in-content-distribution-networks/
• Researchers are looking at classical crypto through a quantum lens - Observations on the Quantum Circuit of the SBox of AES https://eprint.iacr.org/2019/1245

Hacking / Malware / Cybercrime / Exploitation

News covering active trends and events.

• A perfect example of why attribution is so hard. Attack formerly attributed to Iranian group was really a Russian group - think nested APT groups https://www.bbc.com/news/technology-50103378
• Just say the 'magic password': Boffins turn up potential backdoor in SQL Server 2012, 2014 https://www.theregister.co.uk/2019/10/22/esetsqlserver_backdoor/
• Attackers probing DoT? What's up with TCP 853 (DNS over TLS)?, (Mon, Oct 21st) https://isc.sans.edu/diary.html?storyid=25438
• Phishing Attack Aims At Stripe Users To Steal Banking Details https://latesthackingnews.com/2019/10/20/phishing-attack-targets-stripe-users-with-the-aim-to-steal-banking-credentials/
• Bank deny compensation when hackers steal customers' money https://www.cbc.ca/news/business/banks-deny-compensation-online-fraud-security-1.5322982
• Major German manufacturer still down a week after getting hit by ransomware https://www.zdnet.com/article/major-german-manufacturer-still-down-a-week-after-getting-hit-by-ransomware/
• Norwegian Newspaper Website Taken Offline After Content Hack https://www.forbes.com/sites/davidnikel/2019/10/19/norwegian-newspaper-website-taken-offline-after-content-hack/
• Billtrust Recovering From Ransomware Attack https://www.bankinfosecurity.com/report-billtrust-recovering-from-ransomware-attack-a-13289
• Cyberattack Causes Serious Disruptions at German Automation Firm Pilz https://www.securityweek.com/cyberattack-causes-serious-disruptions-german-automation-firm-pilz
• DDoS Attack Hits Amazon Web Services https://www.securityweek.com/ddos-attack-hits-amazon-web-services
• Johannesburg City Council Hit With Ransomware Attack https://www.pymnts.com/news/security-and-risk/2019/johannesburg-city-council-hit-with-ransomware-attack/
• Ransomware: The nightmare before Cyber Monday https://www.zdnet.com/article/ransomware-the-nightmare-before-cyber-monday/
• 42 Adware Apps with 8 Million Downloads Traced Back to Vietnamese Student https://thehackernews.com/2019/10/42-adware-apps-with-8-million-downloads.html
• Apple Removes 17 Malicious iOS Apps From App Store https://threatpost.com/click-fraud-malware-apple-app-store/149496/
• ThreatList: Sharp Increase in Fake Mobile Apps Impersonating Legit Ones https://threatpost.com/threatlist-fake-mobile-apps-impersonating-legit-ones/149505/
• Discord Turned Into an Info-Stealing Backdoor by New Malware https://www.bleepingcomputer.com/news/security/discord-turned-into-an-info-stealing-backdoor-by-new-malware/
• Amazon Files Lawsuit Against Pair Who Promise Selling Secrets https://www.pymnts.com/amazon/2019/amazon-files-lawsuit-against-duo-who-promise-selling-secrets/
• If there were almost a million computer misuse crimes last year, UK Police inititive Action Fraud is only passing 2% of cases to cops https://www.theregister.co.uk/2019/10/21/actionfraudcomputermisusecrimes_decrease/ and https://www.theregister.co.uk/2019/10/24/hmicfrsreportcyber_crime/ https://www.theregister.co.uk/2019/10/24/hmicfrsreportcyber_crime/
• Texas Man Gets 145 Months in Prison for Hacking LA Superior Court https://www.securityweek.com/texas-man-gets-145-months-prison-hacking-la-superior-court
• Dark Web Site Taken Down without Breaking Encryption https://www.schneier.com/blog/archives/2019/10/darkwebsite_t.html

Other Security / Risk

Articles covering other types of risks.

• Attorneys General From 47 States To Probe Facebook https://www.pymnts.com/facebook/2019/attorneys-general-from-47-states-to-probe-facebook/
• The Iceberg of Ignorance - problems hidden from senior management https://www.linkedin.com/pulse/iceberg-ignorance-frank-zijlstra
• Sobering … Is security is too expensive - How Much Security Is Enough? Practitioners Weigh In https://www.darkreading.com/operations/how-much-security-is-enough-practitioners-weigh-in/d/d-id/1336138
• Last month's leaked paper is out - Google AI Blog: Quantum Supremacy Using a Programmable Superconducting Processor http://ai.googleblog.com/2019/10/quantum-supremacy-using-programmable.html
• IBM throws some Quantum shade at Google's leaked supremacy paper https://www.wired.com/story/ibm-googles-quantum-leap-quantum-flop/
• Facebook discloses operations by Russia and Iran to meddle in 2020 election https://www.theguardian.com/technology/2019/oct/21/facebook-us-2020-elections-foreign-interference-russia
• Facebook Shuts Misleading Accounts Ahead of 2020 Election https://www.bankinfosecurity.com/facebook-shuts-misleading-accounts-ahead-2020-election-a-13279
• Facebook Bans Ads That Encourage People Not To Vote https://www.forbes.com/sites/rachelsandler/2019/10/21/facebook-bans-ads-that-encourage-people-not-to-vote/
• An internal memo warned that the White House might get hacked again because so many cybersecurity officials have resigned https://www.businessinsider.com/white-house-internal-memo-hack-warning-because-cyber-experts-resigned-2019-10
• New York Times abruptly eliminates its “director of information security” position: “there is no need for a dedicated focus on newsroom and journalistic security” https://boingboing.net/2019/10/23/sitting-ducks-r-us.html
• White House kicks infosec team to curb in IT office shakeup https://arstechnica.com/information-technology/2019/10/white-house-guts-infosec-team-posturing-itself-to-be-compromised-again/
• New Huawei Google Confirmation: More Bad News For Users https://www.forbes.com/sites/zakdoffman/2019/10/20/new-huawei-google-confirmationand-its-more-bad-news-for-users/
• TikTok could threaten national security, US lawmakers say https://www.cnn.com/2019/10/25/tech/tiktok-national-security/index.html
• No this isn't a time travel story - Last NSA Punched Tape Crypto Key Shipped Out https://www.cbronline.com/news/nsa-punched-tape-keys
• This will have intersting security implications - How Data-Over-Sound Will Ensure A Permanently Connected IoT World https://www.forbes.com/sites/simonchandler/2019/10/18/how-data-over-sound-will-ensure-a-permanently-connected-iot-world/ (No not TCP over Bongo's https://arstechnica.com/uncategorized/2003/09/2886-2/))
• Without riot insurance, Hong Kong firms face costs of protest damage http://globalnews.ca/news/6058545/hong-kong-firms-riot-insurance-protest-damage/
• Hope they have a good insurance policy. How does can a construction company not know they are drilling over a subway tunnel? https://www.680news.com/2019/10/22/contractor-drilling-through-subway-tunnel-shuts-down-part-of-line-1-ttc/
• More fallout from MyPayrollHR collapse - Cachet Financial Reeling from MyPayrollHR Fraud https://krebsonsecurity.com/2019/10/cachet-financial-reeling-from-mypayrollhr-fraud/
• Two Strains of Polio Down, One to Go https://www.scientificamerican.com/article/two-strains-of-polio-down-one-to-go1/
• Monovision eye correction method could create a dangerous optical illusion https://www.scientificamerican.com/article/a-dangerous-optical-illusion/
• What prohibition's failure means for the legalisation of cannabis - the economics of so called rational crimes https://www.bbc.co.uk/news/business-49906476
• Surely this is bluster? Could the US attack Turkey (a NATO member)? The implications of this are stunning! (We recall WWI started, in part, because of mutual protection treaties) https://www.businessinsider.com/pompeo-trump-prepared-for-military-action-against-turkey-if-needed-2019-10
• If Climate Scenarios Are Wrong For 2020, Can They Get 2100 Right? https://www.forbes.com/sites/rogerpielke/2019/10/21/if-climate-scenarios-are-wrong-for-2020-can-they-get-2100-right/
• Antarctic ice cliffs may not contribute to sea-level rise as much as predicted https://scienmag.com/antarctic-ice-cliffs-may-not-contribute-to-sea-level-rise-as-much-as-predicted/
• The Biggest Threat To Climate Science Comes From Climate Activists https://www.forbes.com/sites/rogerpielke/2019/10/23/the-biggest-threat-to-climate-science-comes-from-climate-advocates/
• Prime editing: DNA tool could correct 89% of genetic defects https://www.bbc.co.uk/news/health-50125843 (but we can't help thinking of the short film "Mimicry" https://www.imdb.com/title/tt5547272/))
• A Man's Gut Made Him Extremely Drunk by Brewing Alcohol When He Ate Carbs http://www.sciencealert.com/a-man-s-gut-made-him-extremely-drunk-by-brewing-alcohol-when-he-ate-carbs
• Don’t Let Science Publisher Elsevier Hold Knowledge for Ransom https://www.eff.org/deeplinks/2019/10/dont-let-science-publisher-elsevier-hold-knowledge-ransom
• Risk of negative equity in car payments - Your car-loan payment may be way too high. Here’s what’s happening http://globalnews.ca/news/6076159/car-payment-auto-loan-negative-equity/
• It Really Was the Asteroid That Ended the Dinosaurs (and not creeping vulcanism) https://scitechdaily.com/it-really-was-the-asteroid-that-ended-the-dinosaurs-heres-how-it-went-down/ and https://scienmag.com/mystery-solved-ocean-acidity-in-the-last-mass-extinction/

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• It's nearly Halloween - here's a list of the 12 worst horror movies of all time https://www.businessinsider.com/worst-horror-movies-of-all-time-2019-10
• Forbes reviews 2019 horror movie for Halloween https://www.forbes.com/sites/danidiplacido/2019/10/20/which-horror-movie-should-you-watch-this-halloween/
• Ewww … These eerie photos show what happens to swimming pools after they've been abandoned for years https://www.businessinsider.com/abandoned-swimming-pools-2018-6
• Stanford researchers create new catalyst that can turn carbon dioxide (CO2) into fuels https://scienmag.com/stanford-researchers-create-new-catalyst-that-can-turn-carbon-dioxide-into-fuels/ and https://www.scientificamerican.com/article/molecular-trap-locks-away-co2/
• Company turns waste into fuel for hydrogen cars https://www.cnn.com/2019/10/14/energy/powerhouse-energy-plastic-hydrogen/index.html
• MIT engineers develop a new way to remove carbon dioxide from air even at low concentrations http://news.mit.edu/2019/mit-engineers-develop-new-way-remove-carbon-dioxide-air-1025
• New center to replace oil and gas with sustainable chemistry https://scienmag.com/new-center-to-replace-oil-and-gas-with-sustainable-chemistry/
• Russia's Floating Nuclear Power Plant Has Great Potential For Decarbonization Trends https://www.forbes.com/sites/rrapier/2019/10/20/floating-nuclear-power-plants-could-save-numerous-lives/
• First drug that can slow Alzheimer's dementia https://www.bbc.co.uk/news/health-50137041
• Looking inside the body with indirect light https://scienmag.com/looking-inside-the-body-with-indirect-light/
• Female speed climber shatters world record - 15m wall in under 7 sec - while injured https://www.businessinsider.com/video-spider-woman-breaks-speed-climbing-world-record-while-injured-2019-10
• Female astronauts answer questions from orbit https://www.bbc.co.uk/news/world-us-canada-50132024
• Bam! Scientists Watch Distant Exoplanet Collisionhttps://www.space.com/studying-recent-exoplanet-collision.html
• Astronomers detect first Kilonova - How to make strontium: Collide two neutron stars and stay way back https://www.syfy.com/syfywire/how-to-make-strontium-collide-two-neutron-stars-and-stay-way-back AND http://www.sciencealert.com/for-the-first-time-a-heavy-element-has-been-detected-forming-in-a-neutron-star-merger
• Battle of Midway: World War Two Japanese carrier wrecks found https://www.bbc.co.uk/news/world-asia-50124313
• Oh no Ranger Smith - this is definitely on Yogi Bear's bucket er .. basket list - A huge, 7-storey building shaped like a picnic basket is set become a luxury Ohio hotel https://www.businessinsider.com/picnic-basket-building-ohio-to-become-luxury-hotel-2019-10