This Week’s [in]Security – Issue 142 | insecurity | Control Gap

Welcome to This Week’s [in]Security. This week: Payments: Scams, Magecart, Liability Shift. Breaches at Facebook, Zynga, Lifelabs, WaWa, Ring, and others. Ransomware now listed a potential breach. The terrifying truth of smart phone location data. What your car knows about you. Internet shutdowns. More big tech scrutiny. 911 v2.0. Passwords. IoT, Ring, DTEN. Nation state risks. What password strength meters get wrong. Closing the barn door. Spam scams. SIM swaps, when your number is spoofed. Porch pirates. Kids don't trust Alexa. And more.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

News and announcements relating to Payment Security, PCI, Card Brands, Payments, Payment Malware and Fraud.

• Point-of-Sale Chip Transactions Exceeded Non-Chip Payments in 2018, Fed Data Show https://www.digitaltransactions.net/point-of-sale-chip-transactions-exceeded-non-chip-payments-in-2018-fed-data-show/
• Eye on Gas Stations: Networks Reject Delay in EMV Liability Shift; Visa Warns of Malware Attacks https://www.digitaltransactions.net/eye-on-gas-stations-networks-reject-delay-in-emv-liability-shift-visa-warns-of-malware-attacks/
• Hunting for Magecart With URLscan.io https://www.securityweek.com/hunting-magecart-urlscanio
• Watch Out For These Four Common Payment Scams https://newsroom.interac.ca/watch-out-for-these-four-common-payment-scams/
• Card skimming fraud doubles: five ways to keep safe at an ATM https://www.which.co.uk/news/2019/12/card-skimming-fraud-doubles-five-ways-to-keep-safe-at-an-atm/
• Rooster Teeth Attack Showcases New Magecart Approach https://threatpost.com/rooster-teeth-attack-magecart/151216/
• The Lifecycle of Stolen Payment Data https://www.bankinfosecurity.com/lifecycle-stolen-payment-data-a-13504
• Are You A Level 2 Merchant? Beware The MasterCard Trap https://pciguru.wordpress.com/2019/12/08/are-you-a-level-2-merchant-beware-the-mastercard-trap/
• PayPal completes acquisition of China's GoPay https://www.mobilepaymentstoday.com/news/paypal-completes-acquistion-of-chinas-gopay/

Breaches / Leaks

Covering breaches, leaks, data exposures, ransomware (as potential breach), and their fallout.

• 267M Facebook Users’ Phone Numbers Exposed Online https://threatpost.com/267m-facebook-phone-numbers-exposed-online/151327/
• 172M passwords stolen in Zynga hack https://www.theguardian.com/games/2019/dec/19/170m-passwords-stolen-in-zynga-words-with-friends-hack-monitor-says - accounts added to HIBP https://haveibeenpwned.com/PwnedWebsites#Zynga

• Lifelabs announced a data breach affecting 15M people, almost half the population of Canada - the data included payment cards, health records, credentials and PII:

  • 15M LifeLabs customers may have had data breached in cyberattack https://www.ctvnews.ca/health/we-re-sorry-15m-lifelabs-customers-may-have-had-data-breached-in-cyberattack-1.4733963 and https://www.cbc.ca/news/canada/british-columbia/lifelabs-cyberattack-15-million-1.5399577 and https://www.bankinfosecurity.com/canadian-lab-pays-ransom-to-retrieve-data-a-13522
  • (We think not enough is known publicly to say): Cybersecurity threat analyst says LifeLabs made "absolutely terrible decision" by paying ransom https://www.straight.com/tech/1338451/cybersecurity-threat-analyst-says-lifelabs-made-absolutely-terrible-decisi
  • LifeLabs hack: What Canadians need to know about the health data breach https://globalnews.ca/news/6311853/lifelabs-data-hack-what-to-know/
  • Proposed class-action lawsuit launched against LifeLabs in B.C. Supreme Court https://www.cbc.ca/news/canada/british-columbia/proposed-class-action-lawsuit-launched-against-lifelabs-in-b-c-supreme-court-1.5401477 and https://globalnews.ca/news/6314506/lifelabs-hack-bc-lawsuit/
• Wawa Data Breach: Malware Stole Customer Payment Card Info https://threatpost.com/wawa-data-breach-malware-stole-customer-payment-card-info/151337/
• Wawa: PoS malware skimmed convenience store customers’ card data for 8 months https://arstechnica.com/information-technology/2019/12/pos-malware-skimmed-convenience-store-customers-card-data-for-8-months/
• Wawa Data Breach: Malware Stole Customer Payment Card Info https://threatpost.com/wawa-data-breach-malware-stole-customer-payment-card-info/151337/
• One Day, Three Credit Card Data Breach Notifications (Wawa, Island Restaurants, Champagne French Bakery Cafe) https://www.bleepingcomputer.com/news/security/one-day-three-credit-card-data-breach-notifications/
• Ring Throws Customers Under the Bus After Data Breach https://www.eff.org/deeplinks/2019/12/ring-throws-customers-under-bus-after-data-breach
• Singapore: Personal data of 2,400 MINDEF, SAF personnel potentially affected; 2 vendors hit by malware https://www.channelnewsasia.com/news/singapore/st-logistics-mindef-saf-2400-personal-data-breach-hmi-institute-12202786
• Email blackmail brouhaha tears UKIP apart as High Court refuses computer seizure attempt https://www.theregister.co.uk/2019/12/19/ukipemailblackmailsystemaccess_kerfuffle/
• Saskatchewan Health Authority must do more to prevent breaches: privacy commissioner https://globalnews.ca/news/6308160/59-patients-info-stolen-lost-prevent-breaches-privacy-commissioner/
• More evolution - Ransomware now shaming victims who refuse to pay https://krebsonsecurity.com/2019/12/ransomware-gangs-now-outing-victim-businesses-that-dont-pay-up/
• Maze Ransomware Operators Publish Victim Data Online https://www.securityweek.com/maze-ransomware-operators-publish-victim-data-online
• Ransomware 'Crisis' in US Schools: More Than 1,000 Hit So Far in 2019 https://www.darkreading.com/threat-intelligence/ransomware-crisis-in-us-schools-more-than-1000-hit-so-far-in-2019/d/d-id/1336634
• Incident Response lessons from recent Maze ransomware attacks https://blog.talosintelligence.com/2019/12/IR-Lessons-Maze.html
• Prairie insurance and financial brokerage failed to disclose ransomware attack https://www.cbc.ca/news/technology/andrew-agencies-ransomware-1.5400101
• Equifax data breach settlement: You have 30 days to claim your $125 from Equifax https://www.cbsnews.com/news/file-claim-against-equifax-for-2017-data-breach-125-cash-or-free-credit-monitoring-for-a-decade/

Privacy

Articles about privacy related news, risks, and trends.

• Phone location tracking is frighteningly real: how to protect yourself https://www.nytimes.com/interactive/2019/12/19/opinion/location-tracking-cell-phone.html and https://www.forbes.com/sites/gordonkelly/2019/12/22/new-security-warning-issued-for-tens-of-millions-of-smartphone-users-updated/
• What does your car know about you? We hacked a Chevy to find out. https://www.washingtonpost.com/technology/2019/12/17/what-does-your-car-know-about-you-we-hacked-chevy-find-out/
• Poll: Strong Public Support for Privacy Legislation in 2020 https://epic.org/2019/12/poll-strong-public-support-for.html
• Why Is The CCPA A Data Privacy Wake-Up Call? https://www.forbes.com/sites/forbestechcouncil/2019/12/19/why-is-the-ccpa-a-data-privacy-wake-up-call/
• Privacy commissioner finds gaps in federal party policies on personal data collection https://globalnews.ca/news/6298793/canada-privacy-commissioner-parties-info/
• Here's how the N.W.T. gov't failed to protect your privacy in 2019 https://www.cbc.ca/news/canada/north/2019-nwt-privacy-commissioners-report-1.5398659
• Facebook Wins an EU Privacy Ruling https://www.bankinfosecurity.com/facebook-wins-eu-privacy-ruling-a-13529

Laws & Regulations / Standards

News about laws, regulations, and standards affecting security, privacy,  technology, and public interest.

• Internet shutdowns used to be rare. They're increasingly becoming the norm https://www.cnn.com/2019/12/21/asia/internet-shutdowns-china-india-censorship-intl-hnk/index.html
• Google’s acquisition Of Data Firm Triggers UK Watchdog Probe https://www.pymnts.com/antitrust/2019/google-acquisition-of-data-firm-triggers-uk-watchdog-probe/
• NIST Special Publication (SP) 800-189, Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation, provides technical guidance and recommendations for technologies such as facilitate resilient interdomain traffic exchange (RITE), interdomain routing control, Resource Public Key Infrastructure (RPKI),BGP-OV, and prefix filtering. Publication details: https://csrc.nist.gov/publications/detail/sp/800-189/final
• Controversial sale of .org domain manager faces review at ICANN https://arstechnica.com/tech-policy/2019/12/controversial-sale-of-org-domain-manager-faces-review-at-icann/
• FTC May Block Facebook Integration of WhatsApp User Data https://epic.org/2019/12/ftc-may-block-facebook-integra.html
• France Dings Google With 150M Euro Anti-Competition Fine https://www.pymnts.com/google/2019/france-dings-google-with-150m-euro-anti-competition-fine/
• California DOJ Cuts Off ICE Deportation Officers from State Law Enforcement Database https://www.eff.org/deeplinks/2019/12/california-doj-cuts-ice-deportation-officers-state-law-enforcement-database
• Court: FBI raiding NSA's global wiretap database to probe US peeps is probably illegal and unconstitutional https://www.theregister.co.uk/2019/12/19/fbispyingdatabase/
• Seizing Products for Design Patent Owners Isn't CBP's Job https://www.eff.org/deeplinks/2019/12/seizing-products-design-patent-owners-isnt-cbps-job

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• Internet-based 911 service could help narrow down caller location https://globalnews.ca/news/6327016/calling-911-location-pinpoint/
• How a Password-Free World Could Have Prevented the Biggest Breaches of 2019 https://www.darkreading.com/endpoint/how-a-password-free-world-could-have-prevented-the-biggest-breaches-of-2019/a/d-id/1336629
• Google Cloud External Key Manager Now in Beta https://www.darkreading.com/cloud/google-cloud-external-key-manager-now-in-beta/d/d-id/1336669
• Apple iPhones and iPads finally get key-based protection against account takeovers https://arstechnica.com/information-technology/2019/12/idevices-finally-get-key-based-protection-against-account-takeovers/
• Mozilla: Firefox Add-On Developers Must Use 2FA https://www.bankinfosecurity.com/mozilla-firefox-add-on-developers-must-use-2fa-a-13511
• As Hackers Target Mobile Payment Apps, Here's How to Keep Them at Bay https://www.darkreading.com/theedge/as-hackers-target-mobile-payment-apps-heres-how-to-keep-them-at-bay/b/d-id/1336625
• Priceline Uses AI To Stop Fraudsters In Their Tracks https://www.pymnts.com/fraud-prevention/2019/priceline-fraud-online-travel-airline-ai/
• (This sounds like quantum key distribution without the quantum) Scientists Develop ‘Absolutely Unbreakable’ Encryption Chip Using Chaos Theory https://www.forbes.com/sites/daveywinder/2019/12/20/scientists-develop-absolutely-unbreakable-encryption-chip-using-chaos-theory/ and https://www.darkreading.com/application-security/research-team-demonstrates-perfect-secrecy-implementation/d/d-id/1336688
• 25 Data Security Statistics That Matter https://www.datex.ca/blog/25-data-security-statistics-that-matter
• Not so IDLE hands: FBI program offers companies data protection via deception https://arstechnica.com/information-technology/2019/12/not-so-idle-hands-fbi-program-offers-companies-data-protection-via-deception/
• Security, Here's When You Should Call Legal https://www.tenable.com/blog/security-heres-when-you-should-call-legal
• Attack tools - No Shells Required - a Walkthrough on Using Impacket and Kerberos to Delegate Your Way to Domain Admin http://blog.redxorblue.com/2019/12/no-shells-required-using-impacket-to.html
• ReconCobra : Complete Automated Pentest Framework For Information Gathering https://kalilinuxtutorials.com/reconcobra-automated-pentest-framework/

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• Internet of crap (encryption): IoT gear is generating easy-to-crack keys https://www.theregister.co.uk/2019/12/16/internetofcrap_encryption/
• Study: IoT Devices Have Alarmingly Weak RSA Keys https://www.bankinfosecurity.com/study-shows-lowering-costs-for-rsa-key-factoring-attacks-a-13510
• DTEN: Lousy IoT Security - Using Smart Displays to Spy on Meetings https://www.schneier.com/blog/archives/2019/12/lousyiotsecur.html and https://www.wired.com/story/dten-video-conferencing-vulnerabilities/
• EPIC, Coalition Issue Warning About Amazon Ring https://epic.org/2019/12/epic-coalition-issue-warning-a.html
• Ring Plagued by Security Issues, Flood of Hacks https://threatpost.com/ring-plagued-security-issues-hacks/151263/
• Alexa, Google Home Eavesdropping Hack Not Yet Fixed https://threatpost.com/alexa-google-home-eavesdropping-hack-not-yet-fixed/151164/
• Iranian Attacks on Industrial Control Systems https://www.schneier.com/blog/archives/2019/12/iranian_attacks.html
• US Navy bans TikTok from mobile devices saying it's a cybersecurity threat https://www.theguardian.com/technology/2019/dec/21/us-navy-bans-tiktok-from-mobile-devices-saying-its-a-cybersecurity-threat
• Latest version of Chrome has a serious problem affecting millions using WebViews apps and local storage https://www.forbes.com/sites/gordonkelly/2019/12/18/warning-issued-for-millions-of-google-chrome-users-update-fix/ and https://www.theregister.co.uk/2019/12/16/chrome79updateacatastropheforandroiduserswithwebviewapps/
• Mobile Devices Account for 41% of DDoS Attack Traffic https://www.darkreading.com/attacks-breaches/mobile-devices-account-for-41--of-ddos-attack-traffic/d/d-id/1336635
• Facebook And Google Top Dashlane’s List Of 2019’s Worst Password Offenders https://blog.dashlane.com/2019-worst-password-offenders/
• ‘Inconsistent and misleading’ password meters could increase risk of cyber attacks https://scienmag.com/inconsistent-and-misleading-password-meters-could-increase-risk-of-cyber-attacks/
• Password' Falls in the Ranks of Favorite Bad Passwords https://www.darkreading.com/application-security/password-falls-in-the-ranks-of-favorite-bad-passwords/d/d-id/1336652
• Still Why No HTTPS? https://www.troyhunt.com/still-why-no-https/
• SQL Server 2019 Security Tool Inadvertently Reveals Where Sensitive Data is Stored https://www.imperva.com/blog/sql-server-2019-security-tool-inadvertently-reveals-where-sensitive-data-is-stored/
• Why Running a Privileged Container in Docker Is a Bad Idea https://blog.trendmicro.com/trendlabs-security-intelligence/why-running-a-privileged-container-in-docker-is-a-bad-idea/
• TP-Link Routers Give Cyberattackers an Open Door to Business Networks https://threatpost.com/tp-link-routers-cyberattackers-open-door/151254/
• Electric vehicle charging stations 'easy' to attack https://www.cbc.ca/news/canada/windsor/electric-vehicle-charging-station-hack-security-1.5398341
• Why Securing Medical Devices Is So Challenging https://www.databreachtoday.com/interviews/securing-medical-devices-so-challenging-i-4541
• (Closing the barn door?) Insurer Races to Fix Security Flaws After Whistleblower Alert https://www.bankinfosecurity.com/insurer-races-to-fix-security-flaws-after-whistleblower-alert-a-13508

Hacking / Malware / Cybercrime / Exploitation

News covering active trends and events.

• When The Text Message From The Bank Isn’t From The Bank https://www.pymnts.com/news/security-and-risk/2019/pscu-battle-fraudsters-and-bots/
• No longer my phone': Windsor resident at wit's end after spam callers spoof number https://www.cbc.ca/news/canada/windsor/windsor-resident-at-wits-end-spam-spoof-calls-1.5396587
• Abbotsford woman's cellphone number stolen, e-mail and PayPal accounts hacked 'https://www.citynews1130.com/2019/12/20/abbotsford-woman-cellphone-number-hacked/
• Increasing phone scams a ‘game of numbers’ says anti-fraud analyst https://globalnews.ca/news/6307052/phone-scams-canada/
• Inside ‘Evil Corp,’ a $100M Cybercrime Menace https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/
• Hackers Continue to Exploit Cisco ASA Vulnerability Patched Last Year https://www.securityweek.com/hackers-continue-exploit-cisco-asa-vulnerability-patched-last-year
• Cyberespionage Campaign Spreads https://www.bankinfosecurity.com/cyberespionage-campaign-spreads-report-a-13521
• Avoid These 100 Android Apps Hiding ‘Malicious’ Malware: New ‘Fraud Arms Race’ Underway https://www.forbes.com/sites/zakdoffman/2019/12/19/avoid-these-100-android-apps-hiding-malicious-malware-new-fraud-arms-race-underway/
• Facebook's support forum is overrun with scammers trying to defraud desperate users. The company has ignored it for months. https://www.businessinsider.com/facebook-community-help-forum-fake-phone-number-scammers-2019-12
• How bots are stealing artwork from artists on Twitter https://www.bbc.co.uk/news/technology-50817561
• Das Reboot: University forces 38,000 students, staff to queue, show their papers for password reset following 'cyber attack' https://www.theregister.co.uk/2019/12/19/germanunireset/
• Toronto woman catches ‘porch pirates’ on camera https://globalnews.ca/news/6314897/toronto-porch-pirates-video/
• CRTC issues $115,000 in penalties to stop the spread of malicious software https://www.newswire.ca/news-releases/crtc-issues-115-000-in-penalties-to-stop-the-spread-of-malicious-software-866235347.html
• Hackers Behind GozNym Malware Sentenced for Stealing $100 Million https://thehackernews.com/2019/12/goznym-malware-sentenced.html
• Five years in the clink for super-crook who scammed Google, Facebook out of $120m with fake tech invoices https://www.theregister.co.uk/2019/12/20/facebookgooglehackerfiveyears/
• British Hacker Accused of Blackmailing healthcare Firms Extradited to U.S. https://thehackernews.com/2019/12/dark-overlord-hacker-extradited.html
• Siemens Contractor Sentenced for Writing 'Logic Bombs' https://www.darkreading.com/application-security/siemens-contractor-sentenced-for-writing-logic-bombs-/d/d-id/1336641

Other Security / Risk

Articles covering other types of risks.

• (Good instincts) Kids don't trust Alexa to give the right answer https://www.cbc.ca/news/technology/ramona-pringle-alexa-kids-technology-1.5397579
• US Navy Memo Raised Cyberscurity Concerns About DJI Drones https://www.bankinfosecurity.com/us-navy-memo-raised-cybersecurity-over-dji-drones-a-13523
• B.C.'s clear-cut forests are 'dead zones,' emitting more greenhouse gases than fossil fuels https://www.cbc.ca/news/canada/british-columbia/b-c-s-clear-cut-forests-are-dead-zones-emitting-more-greenhouse-gases-than-fossil-fuels-report-finds-1.5398660
• The Carbon Dioxide We Dump into the Sky Is Just Another Kind of Garbage https://blogs.scientificamerican.com/observations/the-carbon-dioxide-we-dump-into-the-sky-is-just-another-kind-of-garbage/
• NIST Study Finds Extensive Bias in Face Surveillance Technology https://epic.org/2019/12/nist-study-finds-extensive-bia.html
• Mastercard On Overcoming AI’s Bias Problem https://www.pymnts.com/mastercard/2019/mastercard-on-ais-bias-problem/
• Facial recognition ‘confirmed’ Ajax developer was wanted crime boss, but CBSA couldn’t prove it https://globalnews.ca/news/6301100/confirmed-facial-recognition-but-did-not-proceed-documents/
• A sober B.C. man gave his impaired mother a drive home. Police still issued a penalty https://globalnews.ca/news/6324745/bc-dui-passenger/
• A vegan couple who only fed their kids raw fruits and vegetables has been charged with murder after their toddler son died of malnutrition https://www.businessinsider.com/ryan-sheila-oleary-vegan-couple-charged-in-sons-death-2019-12
• Attacker Causes Epileptic Seizure over the Internet https://www.schneier.com/blog/archives/2019/12/attacker_causes.html
• (Tis the season) Gone in seconds: 2 Surrey vehicles pilfered after being left running unattended https://globalnews.ca/news/6319487/2-surrey-vehicles-stolen-unattended/
• RCMP investigating after alleged paid test-taker caught at SFU https://globalnews.ca/news/6313708/rcmp-investigating-after-alleged-paid-test-taker-caught-at-sfu/
• ‘Canadian eyes only’ intelligence reports say Canadian leaders attacked in cyber campaigns https://globalnews.ca/news/6258755/intelligence-reports-canadian-leaders-attacked-cyber-campaigns
• (Political ads on Facebook are still a problem) Thousands Of Misleading Facebook Ads Help Conservatives To ‘Crushing’ U.K. Election Victory https://www.forbes.com/sites/simonchandler/2019/12/14/thousands-of-misleading-facebook-ads-help-conservatives-to-crushing-uk-election-victory/
• Lyft thought some users' real names were offensive content. Candice Poon, Cara Dick, Mike Finger and others were ordered to get new names https://www.businessinsider.com/lyft-mistakes-names-community-guidelines-violation-2019-12
• BayStream: Pirate Bay enters streaming wars with 'illegal Netflix' https://www.independent.co.uk/life-style/gadgets-and-tech/news/pirate-bay-stream-movie-free-online-baystream-netflix-a9248096.html

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• Glitter stink bomb 2.0 to deter 'porch pirates' https://www.bbc.co.uk/news/technology-50821472
• I was a teenage code-breaker at Bletchley Park https://www.bbc.co.uk/news/av/uk-50840818/i-was-a-teenage-code-breaker-at-bletchley-park
• Ever Heard of 'Hair Ice'? It's Totally a Thing https://www.sciencealert.com/this-rare-icy-enigma-is-so-thin-and-wispy-it-looks-like-hair-but-melts-in-your-hand
• Scientists Reconstruct Entire Genome of a Woman From Her 5,700-Year-Old Chewing Gum https://www.sciencealert.com/entire-genome-of-woman-who-lived-5-700-years-ago-reconstructed-from-chewing-gum
• NASA's 'Quiet' Supersonic Jet Experiment Was Just Approved For Final Assembly https://www.sciencealert.com/experimental-nasa-jet-set-to-zoom-into-new-supersonic-era-of-transportation
• ESA’s CHEOPS Just Launched. We’re About to Learn a LOT More About Exoplanets https://www.universetoday.com/144436/esas-cheops-just-launched-were-about-to-learn-a-lot-more-about-exoplanets/
• Astronomers Confirm The Existence of Planets That Have The Lightness of Cotton Candy https://www.sciencealert.com/adorably-named-super-puff-planets-are-like-nothing-in-the-solar-system
• (Exo-exo-planets?) Planetary Mass Objects Discovered in Other Galaxies https://www.universetoday.com/144394/planetary-mass-objects-discovered-in-other-galaxies/
• Researchers Have Identified 100 Mysteriously Disappeared Stars in The Night Sky https://www.sciencealert.com/a-look-through-past-star-catalogues-finds-scores-of-stars-that-have-mysteriously-vanished
• Are galactic spiral arms traffic jams or do they wind up? https://www.syfy.com/syfywire/are-galactic-spiral-arms-traffic-jams-or-do-they-wind-up-the-evidence-is-polarizing
• 1 Billion Years Ago, The Milky Way's Heart Mysteriously Erupted in 100,000 Supernovae https://www.sciencealert.com/a-billion-years-ago-the-milky-way-s-heart-erupted-in-100-000-supernovae