This Week’s [in]Security – Issue 35

Welcome to This Week’s [in]Security. We’ve collected and grouped together a selection of this week’s news, opinions, and research. Quickly skim these annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

• Visa Security Alert - Cybercriminals Leveraging Dynamic Data Exchange (DDE) Protocol vulnerability https://usa.visa.com/dam/VCOM/global/support-legal/documents/psi-security-alert-cybercriminals-leveraging-dde-protocol.pdf (from Visa's merchant library https://usa.visa.com/support/merchant/library.html))

• Several PCI guidance documents received recent updates that haven't been as broadly publicized as they deserve

  • https://www.pcisecuritystandards.org/documents/Penetration-Testing-Guidance-v1_1.pdf
  • https://www.pcisecuritystandards.org/pdfs/bestpracticessecuring_ecommerce.pdf 
  • https://www.pcisecuritystandards.org/documents/Guidance-PCI-DSS-Scoping-and-Segmentationv11.pdf
  • https://www.pcisecuritystandards.org/documents/PCIMobilePaymentAcceptanceSecurityGuidelinesforDevelopersv2_0.pdf 
  • https://www.pcisecuritystandards.org/documents/PCIMobilePaymentAcceptanceSecurityGuidelinesforMerchantsv2_0.pdf
• Another report on retailer cybersecurity https://sector.ca/cybersecurity-report-card-says-retailers-must-try-harder/
• Study tries to quantify lost Bitcoins http://fortune.com/2017/11/25/lost-bitcoins/

Breaches / Leaks

• Free Application for Federal Student Aid weak KBA access leaks huge amounts of personal data https://krebsonsecurity.com/2017/11/namedobssnfafsa-data-gold-mine/

• The Uber breach:

  • Uber actively concealed a breach of 57M records paying off hackers while negotiating with FCC over past breaches https://www.bloomberg.com/news/articles/2017-11-21/uber-concealed-cyberattack-that-exposed-57-million-people-s-data
  • EPIC weighs in  https://epic.org/2017/11/uber-hid-massive-data-breach-f.html
  • UK probe started and deliberate evasion could increase penalties https://www.databreachtoday.com/driving-privacy-regulators-crazy-uk-probes-uber-breach-a-10469
  • More nations investigate https://www.theguardian.com/technology/2017/nov/22/uber-scrutiny-data-breach-hacking
  • Just a reminder that 48 states have breach notification laws http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx
  • This is the second breach of Uber using hardcoded credentials, from 2014 https://securityintelligence.com/news/publicly-stored-security-key-may-enabled-uber-data-breach/
• Australia's Department of Social Services breach included credit card data https://www.theguardian.com/technology/2017/nov/22/uber-scrutiny-data-breach-hacking
• Troy Hunt (of I've been Pwned) to testify to Congress on breaches https://www.troyhunt.com/im-testifying-in-front-of-congress-in-washington-dc-about-data-breaches-what-should-i-say/

Laws & Regulations / Standards

• Technology, transparency and fourth amendment searches https://www.vox.com/the-big-idea/2017/11/22/16687420/fourth-amendment-online-searches-constitution-facebook-gag-orders
• Apple vs. FBI again?  This time over Texas killer https://www.theregister.co.uk/2017/11/20/warranttexasshooter_iphone/
• Congress looking at letting ISPs setup paid "fast lanes" and breaking Net-neutrality  https://www.eff.org/deeplinks/2017/11/will-congress-bless-internet-fast-lanes
• Canada and US on different paths re: Net-neutrality http://www.michaelgeist.ca/2017/11/net-neutrality-divide-canada-u-s-go-separate-ways-open-internet/
• New FCC rules should help limit robocalls https://www.wired.com/story/robocall-getting-worse-but-help-is-here/
• Australian patent troll suit to suppress EFF's stupid patent of the month fails https://www.eff.org/deeplinks/2017/11/court-rules-effs-stupid-patent-month-post-protected-speech
• OWASP updates it's top 10 in 2017 https://www.owasp.org/images/7/72/OWASPTop10-2017_%28en%29.pdf.pdf and an article https://www.darkreading.com/application-security/new-owasp-top-10-list-includes-three-new-web-vulns/d/d-id/1330479

Bugs / Design Flaws

• Even more security flaws in Intel's Management Engine (ME) firmware https://www.theregister.co.uk/2017/11/20/intelflagsfirmware_flaws/
• Intel patches multiple bugs in ME https://threatpost.com/intel-patches-cpu-bugs-impacting-millions-of-pcs-servers/128962/
• 53 models of HP Printers have firmware vulnerable to remote code execution https://thehackernews.com/2017/11/hp-printer-hacking.html
• Vulnerability in configuration of Windows Addresses Space Randomization Layer https://www.darkreading.com/vulnerabilities--- threats/researcher-finds-hole-in-windows-aslr-security-defense/d/d-id/1330466
• Microsoft's response to the ASRL finding indicates risk is with a limited case and is being worked on  https://blogs.technet.microsoft.com/srd/2017/11/21/clarifying-the-behavior-of-mandatory-aslr/
• Golden ticket-like bug in SAML authentication https://www.cyberark.com/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-cloud-apps/
• F5 RSA cyrpto vulnerable to the Bleichenbacher attack and needs patching https://www.theregister.co.uk/2017/11/20/f5cryptoweakness/
• Samsung pay leaks https://www.darkreading.com/threat-intelligence/samsung-pay-leaks-mobile-device-information/d/d-id/1330480

Privacy

• Google collects location via cell tower even when location tracking is off https://qz.com/1131515/google-collects-android-users-locations-even-when-location-services-are-disabled/
• Germany orders smart watches with covert listening capabilities destroyed http://www.zdnet.com/article/is-germany-right-to-tell-parents-to-destroy-kids-smartwatches-over-snooping-fears/
• Removing your collected voice assistant data from Google and Amazon https://www.wired.com/story/amazon-echo-and-google-home-voice-data-delete/

Hacking / Malware / Cybercrime

• Another Microsoft office feature being used to spread malware https://thehackernews.com/2017/11/ms-office-macro-malware.html
• Tether (a dollar backed cryptocurrency) hacked for $30M tokens https://thehackernews.com/2017/11/tether-bitcoin-hacked.html
• Western Union AML settlement fund to reimburse scam victims https://krebsonsecurity.com/2017/11/fund-targets-victims-scammed-via-western-union/
• OPP warning of scams https://www.theweeklynews.ca/news-story/7936031-opp-warning-public-of-latest-fraudulent-scams/
• Article on the empire exploitation framework https://www.tenable.com/blog/identifying-empire-http-listeners

Other Security / Risk

• A problem with Javascript code tags https://www.theregister.co.uk/2017/11/22/cryptojackersgoogletagmanagercoin_hive/
• The new year approaches and the security predictions are coming https://www.forbes.com/sites/davelewis/2017/11/21/the-logical-fallacy-of-security-predictions/
• IBM links public DNS to threat database https://www.theregister.co.uk/2017/11/20/quad9secureprivatednsresolver/ and press release https://www.globalcyberalliance.org/ibm-packet-clearing-house-global-cyber-alliance-collaborate-protect-businesses-consumers-internet-threats.html
• Article on techniques to lock down websites https://www.troyhunt.com/locking-down-your-website-scripts-with-csp-hashes-nonces-and-report-uri/
• Noscript for the new Firefox https://hackademix.net/2017/11/23/noscript-1012-temporary-allow-all-and-more/
• Amazon classified cloud https://www.schneier.com/blog/archives/2017/11/amazoncreates\.html
• Algorithm detecting unknown serial killers https://www.newyorker.com/magazine/2017/11/27/the-serial-killer-detector
• Krebs update on the VDOS stresser players https://krebsonsecurity.com/2017/11/correcting-the-record-on-vdos-prosecutions/
• Example of a cognative AI https://www.technologyreview.com/s/609507/this-inquisitive-ai-will-kick-your-butt-at-battleship/

Off-Topic

• An anti-spam chatbot at your service https://www.theverge.com/2017/11/10/16632724/scam-chatbot-ai-email-rescam-netsafe
• The Big Dipper over Pyramid Mountain in Jasper National Park  Alberta https://apod.nasa.gov/apod/ap171121.html
• Another easily debunked moon landing conspiracy theory http://www.syfy.com/syfywire/no-thats-not-a-stagehand-in-an-apollo-astronaut-photo