This Week’s [in]Security – Issue 147

Welcome to This Week’s [in]Security. X9 & PCI PIN, Mainframes and PCI, Card breaches, Healthcare data sharing, Clearview AI, Apple blinked, GDPR fines, IoT encryption, Tips and strategies, First post-EOL Windows 7 fix. Doomsday clock ticks forward. IoT planned obsolescence. And more.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

News and announcements relating to Payment Security, PCI, Card Brands, Payments, Payment Malware and Fraud.

• X9 and PCI SSC Create Unified Pin Acceptance Security Standards https://www.pcisecuritystandards.org/aboutus/pressreleases/pr_01212020
• The Importance of PCI DSS Vulnerability Management for z/OS https://www.linkedin.com/pulse/importance-pci-dss-vulnerability-management-zos-ray-overby
• POS Vendor THSuite for Cannabis Dispensaries Exposed Data https://www.bankinfosecurity.com/pos-vendor-for-cannabis-dispensaries-exposes-data-report-a-13643
• Mastercard Opens New Intelligence and Cyber Center in Vancouver, Canada https://www.securityweek.com/mastercard-opens-new-intelligence-and-cyber-center-vancouver-canada
• Better merchant compliance helps you, your peers, and your country! https://www.digitaltransactions.net/better-merchant-compliance-helps-you-your-peers-and-your-country/
• Worldpay On Modernizing Security Defenses To Foil eCommerce Fraud https://www.pymnts.com/aml/2020/worldpay-on-modernizing-security-defenses-to-foil-ecommerce-fraud/
• Interpol Arrests 3 Indonesian Credit Card Hackers for Magecart Attacks https://thehackernews.com/2020/01/indonesian-magecart-hackers.html
• Russian super-crook behind $20m internet fraud den Cardplanet and malware-exchange forum pleads guilty https://www.theregister.co.uk/2020/01/24/cardplanetadminguilty/

Breaches / Leaks

Covering breaches, leaks, data exposures, ransomware (as potential breach), and their fallout.

• Microsoft discloses 250M record security breach of customer support database https://www.zdnet.com/article/microsoft-discloses-security-breach-of-customer-support-database/
• Netgear TLS Private Key Disclosure through Device Firmware Images https://gist.github.com/nstarke/a611a19aab433555e91c656fe1f030a9
• Phishing Campaign Leads To UPS Store Data Breach https://www.scmagazine.com/home/security-news/data-breach/phishing-campaign-leads-to-ups-store-data-breach/
• Hackers Steal Employee and Corporate Information From Mitsubishi Electric https://www.securityweek.com/hackers-steal-employee-and-corporate-information-mitsubishi-electric
• Tourism Data Hack Leads Greece Banks To Cancel Thousands Of Their Cards https://www.pymnts.com/news/security-and-risk/2020/tourism-data-hack-leads-greece-banks-to-cancel-thousands-of-their-cards/
• Hanna Andersson Data Breach: Hackers Compromise Website of Children's Clothier https://www.securityweek.com/hanna-andersson-data-breach-hackers-compromise-website-childrens-clothier
• 2015-member database floats off through breach in Royal Yachting Association's hull https://www.theregister.co.uk/2020/01/24/royalyachtingassociationdatabreach/
• Rogers' internal passwords and source code found open on GitHub https://www.itworldcanada.com/article/rogers-internal-passwords-and-source-code-found-open-on-github/426429
• Ransomware attack on construction company raises questions about federal contracts https://www.cbc.ca/news/politics/ransomware-bird-construction-military-1.5434308
• HIBP adds Tout - 652,683 breached accounts https://haveibeenpwned.com/PwnedWebsites#Tout

Privacy

Articles about privacy related news, risks, and trends.

• Hospitals’ Sharing Of Patient Data Extends To Other Big Tech Players https://www.pymnts.com/data/2020/hospitals-sharing-of-patient-data-extends-to-other-big-tech-players/
• Clearview AI’s Database Has Amassed 3 Billion Photos. This Is How If You Want Yours Deleted, You Have To Opt Out https://www.forbes.com/sites/kateoflahertyuk/2020/01/26/clearview-ais-database-has-amassed-3-billion-photos-this-is-how-if-you-want-yours-deleted-you-have-to-opt-out/
• Twitter Demands AI Company Stops Collecting Faces https://www.bbc.com/news/technology-51220654
• Go read this NYT expose on a creepy new facial recognition database used by US police https://www.theverge.com/2020/1/20/21073718/clearview-ai-facial-recognition-database-new-york-times-investigation-go-read-this
• Android Users Beware: These Top Camera Apps May Secretly Be Spying On You https://www.forbes.com/sites/zakdoffman/2020/01/19/android-users-beware-these-top-camera-apps-may-secretly-be-spying-on-you/
• Google Calls Out Safari for Privacy Flaws https://www.wired.com/story/google-safari-privacy-icloud-encryption-clearview-ai-security-news/
• Data Security Startup Privafy Emerges From Stealth Mode https://www.securityweek.com/data-security-startup-privafy-emerges-stealth-mode

Laws & Regulations / Standards

News about laws, regulations, and standards affecting security, privacy,  technology, and public interest.

• Apple Abandoned Plans for Encrypted iCloud Backup after FBI Complained https://www.schneier.com/blog/archives/2020/01/apple_abandoned.html and https://www.theregister.co.uk/2020/01/21/appleencrypticloud_backups/
• How to FBI-proof your encrypted iPhone backups https://www.theverge.com/2020/1/23/21076813/back-up-iphone-computer-how-to-mac-pc-icloud-data-fbi-encryption
• GDPR: $126 Million in Fines and Counting https://www.bankinfosecurity.com/gdpr-126-million-in-fines-counting-a-13630
• DOJ To Review Liability Law For Big Tech Firms https://www.pymnts.com/legal/2020/doj-to-review-liability-law-for-big-tech-firms/
• New Bill Proposes NSA Surveillance Reforms https://threatpost.com/new-bill-proposes-nsa-surveillance-reforms/152183/
• Tale of Jailbreaking Disobedient IoT Appliances Shortlisted for the National Canada Reads Prize https://www.eff.org/deeplinks/2020/01/tale-jailbreaking-disobedient-iot-appliances-shortlisted-national-canada-reads
• Academics call for UK's Computer Misuse Act 1990 to be reformed https://www.theregister.co.uk/2020/01/22/clrnncomputermisuseactreform_call/
• Treasury Wants to Collect More Cyber Risk Details From Banks https://www.bankinfosecurity.com/treasury-wants-to-collect-more-cyber-risk-details-from-banks-a-13642
• Maryland Considers Criminalizing Ransomware Possession https://www.bankinfosecurity.com/maryland-considers-criminalizing-ransomware-possession-a-13632
• Bill Would Create State Cybersecurity Leader Positions https://www.bankinfosecurity.com/bill-calls-for-state-cybersecurity-leader-positions-a-13624
• Google CEO Calls For AI Governance https://www.pymnts.com/news/artificial-intelligence/2020/google-ceo-calls-for-ai-governance/

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• AI privacy startup Mine raises $3 million to help users ask companies to delete their data https://www.businessinsider.com/ai-startup-mine-raises-3-million-help-users-take-intel-data-2020
• Microsoft Releases Azure Security Benchmark https://www.securityweek.com/microsoft-releases-azure-security-benchmark
• An Open Source Effort to Encrypt the Internet of Things https://www.wired.com/story/e4-iot-encryption/
• Are We Secure Yet? How to Build a "Post-Breach" Culture https://www.darkreading.com/risk/are-we-secure-yet-how-to-build-a--post-breach--culture/a/d-id/1336813
• Krebs - Does your domain have a registry lock? https://krebsonsecurity.com/2020/01/does-your-domain-have-a-registry-lock/
• This free ransomware decryption tool just got a handy update https://www.zdnet.com/article/this-free-ransomware-decryption-tool-just-got-a-handy-update/
• NSA guidance on Mitigating Cloud Vulnerabilities https://media.defense.gov/2020/Jan/22/2002237484/-1/-1/0/CSI-MITIGATING-CLOUD-VULNERABILITIES_20200121.PDF
• Tips on Protecting Hospitals From Nation-State Attacks https://www.bankinfosecurity.com/interviews/tips-on-protecting-hospitals-from-nation-state-attacks-i-4583
• IBM Announces Policy Lab To Help Ensure ‘Trustworthy’ Tech https://www.pymnts.com/news/artificial-intelligence/2020/ibm-announces-policy-lab-to-help-ensure-trustworthy-tech/
• To get past Apple encryption, NYPD uses $10 million lab with supercomputer generating millions of passwords https://www.foxnews.com/tech/apple-encryption-nypd-supercomputer-passwords
• Four Ancient Chinese Military Philosophies That Can Help Guide Cybersecurity Today https://www.forbes.com/sites/forbestechcouncil/2020/01/21/four-ancient-chinese-military-philosophies-that-can-help-guide-cybersecurity-today/
• Mozilla has banned nearly 200 malicious Firefox add-ons over the last two weeks https://www.zdnet.com/article/mozilla-has-banned-nearly-200-malicious-firefox-add-ons-over-the-last-two-weeks/ and https://www.forbes.com/sites/daveywinder/2020/01/26/google-confirms-security-shocker-all-paid-chrome-extensions-suspended-from-updating/
• Tinder will give you a verified blue check mark if you pass its catfishing test https://www.theverge.com/2020/1/23/21077423/tinder-photo-verification-blue-checkmark-safety-center-launch-noonlight
• (Interesting) Anonymous Symmetric-Key Communication https://eprint.iacr.org/2020/073
• Data Privacy Vs. Data Protection - Understanding The Distinction In Defending Your Data https://www.datex.ca/blog/data-privacy-vs.-data-protection-understanding-the-distinction-in-defending-your-data-1
• (interesting iead) RSA and redactable blockchains https://eprint.iacr.org/2020/069
• Falling through the ice: How to survive it https://www.washingtonpost.com/nation/2020/01/24/ice-survival-death/
• Immune discovery 'may treat all cancer' https://www.bbc.co.uk/news/health-51182451
• US Army Weighs Up Proposal For Gigantic Sea Wall to Defend NY From Future Floods https://www.sciencealert.com/storm-brewing-over-giant-6-mile-sea-wall-to-defend-new-york-from-future-floods

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• SIM Hijacking defenses aren't helping https://www.schneier.com/blog/archives/2020/01/sim_hijacking.html
• People Are Calling SWAT Teams to Tech Executives’ Homes https://www.nytimes.com/2020/01/23/technology/fake-swat-calls-swatting.html
• Germany has to pay Microsoft for failing to upgrade from Windows 7 https://www.engadget.com/2020/01/22/germany-microsoft-extended-security/
• Microsoft forced to create a free Windows 7 update just days after updates ended https://www.theverge.com/2020/1/27/21082228/microsoft-windows-7-black-wallpaper-fix-update-support-patch
• New Citrix security warning and a tool to check for compromise Now https://www.forbes.com/sites/kateoflahertyuk/2020/01/22/new-citrix-security-warning-check-for-compromise-now/
• Citrix Releases First Patches for Critical ADC Vulnerability https://www.securityweek.com/citrix-releases-first-patches-critical-adc-vulnerability
• Multiple Vulnerabilities Found in AMD ATI Radeon Graphics Cards https://www.securityweek.com/multiple-vulnerabilities-found-amd-ati-radeon-graphics-cards
• Serious Vulnerabilities Expose Honeywell Surveillance Systems to Attacks https://www.securityweek.com/serious-vulnerabilities-expose-honeywell-surveillance-systems-attacks
• Pwn2Own Miami Contestants Haul in $180K for Hacking ICS Equipment https://threatpost.com/pwn2own-miami-ics-equipment/152122/
• Google: Flaws in Apple’s Private-Browsing Technology Allow for Third-Party Tracking https://threatpost.com/google-flaws-in-apples-private-browsing-technology-allow-for-third-party-tracking/152128/
• Vulnerabilities Found in Some GE Healthcare Devices https://www.inforisktoday.com/vulnerabilities-found-in-some-ge-healthcare-devices-a-13647
• Cisco Webex flaw allows remote attackers to join private meetings https://securityaffairs.co/wordpress/96815/security/cisco-webex-flaw-2.html

Hacking / Malware / Cybercrime / Exploitation

News covering active trends and events.

• Why Phishing Remains So Popular? https://isc.sans.edu/diary.html?storyid=25742
• Some Hackers Take the Ransom and Run: Researchers https://www.securityweek.com/some-hackers-take-ransom-and-run-researchers
• New Data Ransom Target: Patients https://www.bankinfosecurity.com/new-data-ransom-target-patients-a-13626
• How Cybercriminals Are Converting Cryptocurrency to Cash https://www.bankinfosecurity.com/how-cybercriminals-are-converting-cryptocurrency-to-cash-a-13625
• Emotet Malware Alert Sounded by US Cybersecurity Agency https://www.bankinfosecurity.com/emotet-malware-alert-sounded-by-us-cybersecurity-agency-a-13640
• FBI Warns: Beware of Spoofed Job Application Portals https://www.databreachtoday.com/fbi-warns-beware-spoofed-job-application-portals-a-13641
• Beware New Text Scam That Pretends to Be a FedEx Package Alert https://gizmodo.com/beware-new-texting-scam-that-looks-like-fedex-tracking-1841179949
• Iran-Linked RAT Used in Recent Attacks on European Energy Sector https://www.securityweek.com/iran-linked-rat-used-recent-attacks-european-energy-sector
• Mac users are getting bombarded by laughably unsophisticated malware https://arstechnica.com/information-technology/2020/01/mac-users-are-getting-bombarded-by-laughably-unsophisticated-malware/
• Elaborate Honeypot 'Factory' Network Hit with Ransomware, RAT, and Cryptojacking https://www.darkreading.com/threat-intelligence/elaborate-honeypot-factory-network-hit-with-ransomware-rat-and-cryptojacking/d/d-id/1336842
• Updated FTCODE Ransomware Now Steals Credentials, Passwords https://www.bankinfosecurity.com/updated-ftcode-ransomware-now-steals-credentials-passwords-a-13638 and https://threatpost.com/ftcode-ransomware-steals-chrome-firefox-credentials/152022/
• WTF, EFS? Experts warn Windows encryption could spawn nasty new ransomware https://www.theregister.co.uk/2020/01/21/efsransomwarepoc/
• U.S. Gov Agency Targeted With Malware-Laced Emails https://threatpost.com/u-s-gov-agency-malware-laced-emails/152141/
• How Jeff Bezos’ iPhone X Was Hacked https://www.nytimes.com/2020/01/22/technology/jeff-bezos-hack-iphone.html
• Never open a WhatsApp message from the crown prince of Saudi Arabia https://www.theverge.com/interface/2020/1/23/21076975/mbs-whatsapp-jeff-bezos-boris-johnson-hacking and https://www.forbes.com/sites/rachelsandler/2020/01/21/bezoss-phone-hacked-by-saudi-crown-prince-report-says/
• DDoS Mitigation Firm Founder Admits to DDoS https://krebsonsecurity.com/2020/01/ddos-mitigation-firm-founder-admits-to-ddos/
• Hospital hacker spared prison after plod find almost 9,000 cardiac images at his home https://www.theregister.co.uk/2020/01/20/stokeontrenthospitalhacker9000cardiac_images/
• 18-year-old kid accused of $50m SIM-swap cryptocurrency heist https://www.theregister.co.uk/2020/01/25/security_roundup/

Other Security / Risk

Articles covering other types of risks.

• Doomsday: 100 seconds to midnight! https://arstechnica.com/tech-policy/2020/01/time-check-examining-the-doomsday-clocks-move-to-100-seconds-to-midnight/, https://www.forbes.com/sites/lisettevoytko/2020/01/23/doomsday-clock-set-100-seconds-to-midnight-issuing-dire-warning-of-apocalypse/, and https://www.sciencealert.com/the-doomsday-clock-just-jumped-closer-to-midnight-than-ever-guess-why
• WEF Report: Cyberattacks Rank Just Below Climate Change as an Existential Threat https://www.tenable.com/blog/wef-report-cyberattacks-rank-just-below-climate-change-as-an-existential-threat
• A Potent Greenhouse Gas Was Supposed to Be Eliminated. But Something Is Wrong https://www.sciencealert.com/a-super-greenhouse-gas-we-d-almost-eliminated-is-back-and-worse-than-ever
• How much longer will we trust Google’s search results? https://www.theverge.com/tech/2020/1/24/21079696/google-serp-design-change-altavisa-ads-trust
• (Older article but interesting and still valid)) The Shallowness of Google Translate - The Atlantic 2018 - https://www.theatlantic.com/technology/archive/2018/01/the-shallowness-of-google-translate/551570/
• Don’t abbreviate 2020 when signing legal documents, police warn https://www.wjtv.com/news/dont-abbreviate-2020-when-signing-legal-documents-police-warn/
• Elections Globally Are Under Threat. Here's How to Protect Them https://www.wired.com/story/un-warns-global-threat-election-integrity/
• A Trying Time for US Election Cybersecurity https://sector.ca/a-trying-time-for-us-election-cybersecurity/
• The biggest mistake most people make when it comes to taking risks https://www.businessinsider.com/psychotherapist-most-people-make-same-big-mistake-when-taking-risks
• Exploring HTTPS Security Inconsistencies: A Cross-Regional Perspective https://eprint.iacr.org/2020/079
• LastPass had a major outage https://www.zdnet.com/article/lastpass-is-in-the-midst-of-a-major-outage/
• Microsoft is preparing copy/paste between Windows 10 and your phone https://www.gizchina.com/2020/01/20/you-will-be-able-to-copy-and-paste-between-windows-10-and-your-phone-soon/
• A Tool That Removes Copyrighted Works Is Not a Substitute for Fair Use https://www.eff.org/deeplinks/2020/01/tool-removes-copyrighted-works-not-substitute-fair-use
• Famed economist David Rosenberg explains why he puts the odds of a recession at 80%. https://www.businessinsider.com/next-recession-rosenberg-sees-odds-at-80-percent-damage-done-2020-1
• 60% of you are disgusting: Go clean your phone right now. Here's how https://www.zdnet.com/article/60-of-you-are-disgusting-go-clean-your-phone-right-now-heres-how/
• Demand for face masks on the rise amid coronavirus outbreak — but are they effective? https://globalnews.ca/news/6451929/coronavirus-china-face-masks/
• 2nd presumptive case of coronavirus confirmed in Ontario https://www.cbc.ca/news/canada/toronto/coronavirus-wuhan-ontario-second-case-1.5441401
• Coronavirus: How worried should we be? https://www.bbc.com/news/health-51048366
• Curiosity Killed the ... Mouse? (Diseases that change their host behaviour) https://www.scientificamerican.com/podcast/episode/curiosity-killed-the-mouse/
• New research exposes security risk for e-scooters and riders https://www.utsa.edu/today/2020/01/story/escooter-hacking.html
• Australia Is About to Experience a 'Bonanza' of Deadly Spiders https://www.sciencealert.com/australia-is-about-to-experience-a-bonanza-of-deadly-spiders-and-experts-want-you-to-catch-them
• Salty dragonflies mean more mosquitoes, researchers find https://www.cbc.ca/news/canada/ottawa/road-salt-environmental-impact-run-off-dragonflies-mosquitoes-1.5435761
• Sonos is the latest example of a trend - You No Longer Own The Things You Buy https://www.vice.com/en_ca/article/3a8dpn/sonos-makes-it-clear-you-no-longer-own-the-things-you-buy and https://www.theguardian.com/technology/2020/jan/23/sonos-to-deny-software-updates-to-owners-of-older-equipment
• So long, Sonos: Meet the open-source audio system that will never die https://www.zdnet.com/article/so-long-sonos-meet-the-open-source-audio-system-that-will-never-die/
• US Cyber Command was not prepared to handle the amount of data it hacked from ISIS https://www.zdnet.com/article/us-cyber-command-was-not-prepared-to-handle-the-amount-data-it-hacked-from-isis/
• (Critical thinking fail?) Ontario teen reportedly calls police to complain after fake ID didn’t arrive https://globalnews.ca/news/6450216/teen-tries-to-buy-fake-id-opp-say/

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• Carbon Capture: Solved by Software? https://blogs.scientificamerican.com/observations/carbon-capture-solved-by-software/
• NOAA Gets Go-Ahead to Study Controversial Climate Plan B https://www.scientificamerican.com/article/noaa-gets-go-ahead-to-study-controversial-climate-plan-b/
• New solar power source and storage developed https://www.bbc.co.uk/news/science-environment-50717446
• (Reach out a touch someone just got real) Predictive touch response mechanism is a step toward a tactile internet https://scienmag.com/predictive-touch-response-mechanism-is-a-step-toward-a-tactile-internet/
• Two men make 'Earth sandwich', 20,000km apart https://www.bbc.co.uk/news/world-asia-51171834
• Throwing' satellites into space may be an alternative to launching rockets https://www.cbc.ca/radio/quirks/a-slingshot-to-space-1.5439638
• The Mummy Speaks! Hear Sounds From the Voice of an Ancient Egyptian Priest https://www.nytimes.com/2020/01/23/science/mummy-voice.html and https://www.bbc.co.uk/news/world-middle-east-51223828
• What 'The Curse of Oak Island' Teaches About Actually Finding Treasure https://www.inc.com/larry-robertson/what-the-curse-of-oak-island-teaches-about-actually-finding-treasure.html
• The New US Space Force Logo Looks Just Like 'Star Trek' And There's a Reason Why https://www.sciencealert.com/the-us-space-force-logo-looks-almost-identical-to-star-trek
• Did a two-billion-year-old monster impact save the Earth from being a snowball? https://www.syfy.com/syfywire/did-a-two-billion-year-old-monster-impact-save-the-earth-from-being-a-snowball
• Astronomers award 2020 Education Prize to Deborah Byrd https://earthsky.org/human-world/2020-aas-education-prize-deborah-byrd
• Betelgeuse Just Keeps Getting Dimmer, And We Have No Idea Why https://www.sciencealert.com/betelgeuse-just-keeps-getting-dimmer-and-we-have-no-idea-why
• How Far Is It To The Edge Of The Universe? https://www.forbes.com/sites/startswithabang/2020/01/21/how-far-is-it-to-the-edge-of-the-universe/