This Week’s [in]Security – Issue 137 | insecurity | Control Gap

Welcome to This Week’s [in]Security. This week: Compliance falters. Vote for 2020 PCI Sigs. PTS DTRs published. AI and fraud. Breaches  Sunshine Behavioral Health (93M), InfoTrax (1M).  Breaches and stock prices. Google has 50M health records. FB camera privacy. Canadian banks send data on 1M to US IRS. US-wide privacy. Privacy Shield concerns. Policy and Tech. Border searches of phones. Cellular location data. Caller ID spoofing and defense. BlueKeep patching fail and DoS. More firmware bugs. SIM swapping. How bad is it? And more.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

News and announcements relating to Payment Security, Payments, PCI, and Card Brands.

• Verizon: Companies Failing to Maintain PCI DSS Compliance. Interim compliance rates plummet https://www.bankinfosecurity.com/interviews/verizon-i-4506, https://www.finextra.com/newsarticle/34755/global-pci-dss-compliance-plummets, and the survey https://enterprise.verizon.com/resources/reports/payment-security/2018/
• Vote Now for 2020 Special Interest Group Projects https://blog.pcisecuritystandards.org/vote-now-for-2020-special-interest-group-projects
• PCI ISA in Practice Case Study: Braspag https://blog.pcisecuritystandards.org/isa-in-practice-case-study-braspag
• PCI SSC publishes PTS Derived Test Requirements https://www.pcisecuritystandards.org/security_standards/ped/dtr.php
• Visa: Using AI To Separate The Good, Bad — From Billions Of Daily Transactions https://www.pymnts.com/visa/2019/visa-using-ai-to-separate-the-good-bad-from-billions-of-daily-transactions/
• FTC Probing Visa, Mastercard About Debit Card Activities https://www.pymnts.com/news/security-and-risk/2019/ftc-probing-visa-mastercard-about-debit-card-activities/

Breaches / Leaks

Covering breaches, leaks, data exposures, and their fallout.

• Sunshine Behavioral Health Open Database Exposes 93M Files Of Substance Abuse Patients https://www.scmagazine.com/home/health-care/open-database-exposes-93m-files-on-patients-of-substance-abuse-facilities/
• Utah based InfoTrax Systems discovered it had been breached (1M customers) and hacked over two years after a server ran out of free space https://ww.zdnet.com/article/company-discovered-it-was-hacked-after-a-server-ran-out-of-free-space/ and https://arstechnica.com/information-technology/2019/11/breach-affecting-1-million-was-caught-only-after-hacker-maxed-out-targets-storage/
• Retailer Orvis.com Leaked Hundreds of Internal Passwords on Pastebin https://krebsonsecurity.com/2019/11/retailer-orvis-com-leaked-hundreds-of-internal-passwords-on-pastebin/
• Data of ZoneAlarm Forum Users Leaked Following Breach https://www.securityweek.com/data-zonealarm-forum-users-leaked-following-breach
• HIBP adds ToonDoo - 6,002,694 breached accounts https://haveibeenpwned.com/PwnedWebsites#ToonDoo
• Equifax Data Breach Update: Backsliding https://www.eff.org/deeplinks/2019/11/equifax-data-breach-update-backsliding
• ThreatList: Data Breaches Batter Stock Prices at Public Companies, For Months https://threatpost.com/data-breaches-batter-stock-price/150088/ and https://www.zdnet.com/video/this-is-the-impact-of-a-data-breach-on-enterprise-share-prices/

Privacy

Articles about privacy related news, risks, and trends.

• Nearly a million Canadian bank records sent to US IRS https://www.cbc.ca/news/politics/fatca-tax-us-canada-1.5353942
• Google Collects Health Data From Millions Without Informing Them https://www.pymnts.com/google/2019/google-collects-health-data-from-millions-without-informing-them/
• Will Google get away with grabbing 50m Americans' health records? https://www.theguardian.com/technology/2019/nov/14/google-healthcare-data-ascension
• Is Facebook Secretly Accessing Your iPhone's Camera? Some Users Claimed https://thehackernews.com/2019/11/facebook-ios-camera.html
• Facebook has fixed the bug that secretly accessed iOS users' phone cameras (FB) https://www.businessinsider.com/facebook-issues-fix-for-bug-that-secretly-accessed-ios-cameras-2019-11
• Apple Store worker 'texts himself customer's intimate photo' https://www.bbc.com/news/technology-50405688
• Consumer Data Privacy Rights: Emerging Tech Blurs Lines https://threatpost.com/consumer-data-privacy-rights-emerging-tech/150181/
• What Reporters Should Look For in Latest Facebook Document Leak https://www.eff.org/deeplinks/2019/11/what-reporters-should-look-latest-facebook-document-leak
• Microsoft Will Apply California's Privacy Law Nationwide https://www.bankinfosecurity.com/microsoft-will-apply-californias-privacy-law-nationwide-a-13397 and https://threatpost.com/microsoft-to-apply-californias-privacy-law-to-all-u-s-users/150101/
• European Privacy Board Cites Concerns about EU-U.S. Privacy Shield https://epic.org/2019/11/european-privacy-board-cites-c.html

Laws & Regulations / Standards

News about laws, regulations, and standards affecting security, privacy,  technology, and public interest.

• Technology and Policymakers. Essay on the two cultures and catostrophic implications of getting policy and tech wrong https://www.schneier.com/blog/archives/2019/11/technologyand\.html
• Federal Court Rules Suspicionless Searches of Travelers’ Phones and Laptops Unconstitutional https://www.eff.org/press/releases/federal-court-rules-suspicionless-searches-travelers-phones-and-laptops and https://www.businessinsider.com/border-agents-cant-search-phones-laptops-without-reason-ruling-says-2019-11
• Intelligence Agencies Halt Collection of Cell Location Data Without ‘Probable Cause’ https://epic.org/2019/11/intelligence-agencies-halt-col.html
• Bipartisan Senate Bill Requires Warrant for Ongoing Face Surveillance https://epic.org/2019/11/bipartisan-senate-bill-require.html
• EFF Urges Court to Reconsider Decision That Harms Internet Users’ Ability to Protect Themselves Online https://www.eff.org/deeplinks/2019/11/eff-urges-court-reconsider-decision-harms-internet-users-ability-protect
• Canada: Federal Court Short-Circuits Voltage Pictures’ Canadian File Sharing Class Action Copyright Lawsuit Strategy http://www.michaelgeist.ca/2019/11/federal-court-short-circuits-voltage-pictures-canadian-file-sharing-class-action-copyright-lawsuit-strategy/
• How Laws Against Child Sexual Abuse Imagery Can Make It Harder to Detect https://www.nytimes.com/2019/11/12/us/online-child-sex-abuse.html

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• Please make it so! SHAKEN/STIR: Finally! A Solution to Caller ID Spoofing? https://www.darkreading.com/endpoint/shaken-stir-finally!-a-solution-to-caller-id-spoofing/a/d-id/1336285
• The Myths of Multifactor Authentication https://www.darkreading.com/endpoint/authentication/the-myths-of-multifactor-authentication/a/d-id/1336262
• There's a nasty privacy problem in TLS called SNI. Fixing it proved a challenge that may just have been solved. Firefox is the first browser to rollout Encrypted SNI (ESNI) for testing with Cloudflare https://blog.mozilla.org/security/2018/10/18/encrypted-sni-comes-to-firefox-nightly/
• Why Do We Need Strict Mode in JavaScript? - Better Programming https://medium.com/better-programming/why-do-we-need-strict-mode-in-javascript-df34771eb950
• Android: Protecting against code reuse in the Linux kernel with Shadow Call Stack https://security.googleblog.com/2019/10/protecting-against-code-reuse-in-linux_30.html
• Plugging the Data Leak in Manufacturing https://threatpost.com/plugging-data-leak-manufacturing/150132/
• Scientists crack rabies virus weaponry https://scienmag.com/scientists-crack-rabies-virus-weaponry/
• Nuke sniffing robot! https://scienmag.com/nuclear-warheads-this-robot-can-find-them/

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• Despite Windows BlueKeep exploitation freak-out, no one stepped on the gas with patching https://www.theregister.co.uk/2019/11/11/bluekeepdidntboost_patching/
• BlueKeep Attacks Crash Systems Due to Meltdown Patch https://www.securityweek.com/bluekeep-attacks-crash-systems-due-meltdown-patch
• Intel Warns of Critical Info-Disclosure Bug in Security Engine https://threatpost.com/intel-critical-info-disclosure-bug-security-engine/150124/
• Intel Failed to Fix a Hackable Chip Flaw Despite a Year of Warnings https://www.wired.com/story/intel-mds-attack-taa/
• TPM-Fail Attacks Against Cryptographic Coprocessors https://www.schneier.com/blog/archives/2019/11/tpm-fail_attack.html
• 146 New Vulnerabilities All Come Preinstalled on Android Phones https://www.wired.com/story/146-bugs-preinstalled-android-phones/
• New WhatsApp Bug Could Have Let Hackers Secretly Install Spyware On Your Devices https://thehackernews.com/2019/11/whatsapp-hacking-vulnerability.html
• McAfee antivirus software impacted by code execution vulnerability https://www.zdnet.com/article/mcafee-antivirus-software-impacted-by-code-execution-vulnerability/
• Magento Users Warned of Remote Code Execution Vulnerability https://www.securityweek.com/magento-users-warned-remote-code-execution-vulnerability
• Encrypted Emails on macOS Found Stored in Unprotected Way https://threatpost.com/encrypted-emails-on-macos-found-stored-in-unprotected-way/150065/
• UNB Student Finds Vulnerability in IoT Device door lock https://www.thebruns.ca/articles/unb-student-finds-vulnerability-in-iot-device

Hacking / Malware / Cybercrime / Exploitation

News covering active trends and events.

• SIM swapping between major Canadian carriers. How a stolen phone number led to attempted sextortion https://www.cbc.ca/news/technology/phone-porting-extortion-1.5352300
• Police warn of 'SIM swapping' and 'phone number porting' part of recent scam in Ontario https://www.chch.com/sim-swapping-and-phone-number-porting-part-of-recent-scam-in-ontario/
• RCMP warn over 'spoofing' scams where calls appear to be from police https://www.cbc.ca/news/canada/british-columbia/spoofing-rcmp-scams-1.5354827
• Police warning of new slate of phone scams https://globalnews.ca/news/6174502/police-warning-phone-scams-porting-sim-swapping/
• More than a Dozen Obfuscated APT33 Botnets Used for Extreme Narrow Targeting https://blog.trendmicro.com/trendlabs-security-intelligence/more-than-a-dozen-obfuscated-apt33-botnets-used-for-extreme-narrow-targeting/
• Phishing Emails Spoof WebEx Invites, Abuse Open Redirect https://www.scmagazine.com/home/security-news/cybercrime/phishing-emails-spoof-webex-invites-abuse-cisco-open-redirect/
• Account Fraud Harder to Detect as Criminals Move from Bots to 'Sweat Shops' https://www.darkreading.com/theedge/account-fraud-harder-to-detect-as-criminals-move-from-bots-to-sweat-shops/b/d-id/1336324
• Threat Actor Impersonates USPS to Deliver Backdoor Malware https://threatpost.com/threat-actor-impersonates-usps-malware/150242/
• Stealthy Malware Flies Under AV Radar with Advanced Obfuscation https://threatpost.com/malware-steals-info-with-advanced-obfuscation/150280/
• Thousands of hacked Disney+ accounts are already for sale on hacking forums https://www.zdnet.com/article/thousands-of-hacked-disney-accounts-are-already-for-sale-on-hacking-forums/
• Mexican Oil Company Pemex Hit by Ransomware https://www.securityweek.com/mexican-oil-company-pemex-hit-ransomware
• Ransomware Attack Downs Hosting Service SmarterASP.NET https://threatpost.com/ransomware-attack-downs-hosting-service-smarterasp-net/150072/
• Government of Nunavut systems hit by ransomware https://www.cbc.ca/news/canada/north/nunavut-government-ransomware-1.5346144
• Government of Nunavut slowly rebuilds computer network following ransomware attack https://nunatsiaq.com/stories/article/government-of-nunavut-slowly-rebuilds-computer-network-following-ransomware-attack/
• Try as they might, ransomware crooks can't hide their tells when playing hands https://www.theregister.co.uk/2019/11/15/sophosransomwareanalysis/
• DDoS Attacks Target Amazon, SoftLayer and Telecom Infrastructure https://threatpost.com/massive-ddos-amazon-telecom-infrastructure/150096/
• UK: Labour Party Hit by Massive Online Attack Attempt https://www.bankinfosecurity.com/labour-party-hit-by-massive-online-attack-attempt-a-13398
• Denial of service kingpin hit with 13 months denial of freedom and a massive bill to pay https://www.theregister.co.uk/2019/11/15/ddosowner13monthsprison/
• The Dark Web's Automobile Hacking Forums https://www.bankinfosecurity.com/interviews/dark-webs-automobile-hacking-forums-i-4510
• Orcus RAT Author Charged in Malware Scheme https://krebsonsecurity.com/2019/11/orcus-rat-author-charged-in-malware-scheme/
• Russian Accused of $20M Credit Card Fraud Extradited to US https://www.securityweek.com/russian-accused-20m-credit-card-fraud-extradited-us
• Identifying and Arresting Ransomware Criminals https://www.schneier.com/blog/archives/2019/11/identifying_and.html
• Two Arrested for Stealing $550,000 in Cryptocurrency Using Sim Swapping https://thehackernews.com/2019/11/hacking-with-sim-swapping.html
• B.C. cryptocurrency exchange shuts amid questions, complaints and lawsuits https://www.cbc.ca/news/canada/british-columbia/einstein-cryptocurrency-bitcoin-complaints-1.5347104

Other Security / Risk

Articles covering other types of risks.

• Google Chrome experiment crashes browser tabs, impacts companies worldwide https://www.zdnet.com/article/google-chrome-experiment-crashes-browser-tabs-impacts-companies-worldwide/
• These are all the Windows 10 features Microsoft is going to kill off https://www.techradar.com/news/these-are-all-the-windows-10-features-microsoft-is-going-to-kill-off
• How bad is it? FinecoBank customer password policy is so bad …. https://www.vice.com/en_us/article/kz4jjv/this-bank-had-the-worst-password-policy-weve-ever-seen
• Election Interference Notification Protocols Unveiled https://www.bankinfosecurity.com/election-interference-notification-protocols-unveiled-a-13396
• The US is being hit by a frigid, early cold snap that has killed at least 6 people and could break 100 temperature records https://www.businessinsider.com/arctic-blast-us-cold-expected-break-records-death-toll-2019-11
• Radioactive 'Tomb' in Pacific Filled With Nuclear Waste Is Starting to Crack https://www.sciencealert.com/a-tomb-in-the-marshall-islands-contains-a-huge-amount-of-radioactive-waste
• Superbugs to kill nearly 400,000 Canadians by 2050, report predicts https://globalnews.ca/news/6157171/antimicrobial-resistance-report-canada-cost/
• (No lasers yet) Changing Face Of Drone Warfare: Robot Sharks https://www.forbes.com/sites/hisutton/2019/11/06/changing-face-of-drone-warfare-robot-sharks/
• Majority of anti-vaxx ads on Facebook are funded by just two organizations https://www.theguardian.com/technology/2019/nov/13/majority-antivaxx-vaccine-ads-facebook-funded-by-two-organizations-study

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• Breaking carbon dioxide faster, cheaper, and more efficiently https://phys.org/news/2019-11-carbon-dioxide-faster-cheaper-efficiently.html
• DNA Just One of More Than 1 Million Possible 'Genetic Molecules,' Scientists Find https://www.livescience.com/DNA-look-alikes-store-genetic-information.html
• Aversion to Broccoli May Have Genetic Roots https://www.scientificamerican.com/podcast/episode/aversion-to-broccoli-may-have-genetic-roots/
• Japan's Space Probe Is Returning to Earth With an Actual Piece of Asteroid https://www.sciencealert.com/japan-s-space-probe-is-returning-to-earth-with-an-actual-piece-of-asteroid
• (In case you were snowed in) Mercury Just Passed The Sun For The Last Time Until 2032. Here Are The Epic Photos https://www.sciencealert.com/mercury-just-passed-the-sun-for-the-last-time-until-2032-here-are-the-epic-photos
• Stingray Glider to Explore the Cloudtops of Venus https://www.universetoday.com/144045/stingray-glider-to-explore-the-cloudtops-of-venus/
• A Star Ejected from the Milky Way's 'Heart of Darkness' Has Reached a Mind-Blowing Speed 1700 of km/s https://www.space.com/star-ejected-milky-way-black-hole-superfast-speed.html