This Week’s [in]Security – Issue 41 | insecurity | Control Gap

Welcome to This Week’s [in]Security. We’ve collected and grouped together a selection of this week’s news, opinions, and research. Quickly skim these annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

• Quick guide to PCI Council training for merchants https://blog.pcisecuritystandards.org/pci-training-for-merchants-which-course-is-right-for-you
• PCI published a supplemental fact sheet on requirements for "Connected-to" Service Providers https://www.pcisecuritystandards.org/documents/PCI-SSC-Connected-to-Service-Providers-Guidance.pdf
• PCI released new Technical FAQs for PTS PIN FAQ https://www.pcisecuritystandards.org/documents/PTSPINTechnicalFAQsv2Dec2017.pdf, PTS POI  https://www.pcisecuritystandards.org/documents/PTSPOITechnicalFAQsv5Dec2017.pdf, and Card Production https://www.pcisecuritystandards.org/documents/CardProdSecurityRqrmtsFAQsv2December_2017.pdf
• PCI has updated the Card Production Reporting Templates https://www.pcisecuritystandards.org/documents/PCICPv2.0ROCReportingTemplatePhysicalv2.1Dec2017_form.docx and https://www.pcisecuritystandards.org/documents/PCICPv2.0ROCReportingTemplateLogicalv2.1Dec2017_form.docx

Breaches / Leaks

• Forever 21 breach (see ) ongoing for 7 months https://www.databreachtoday.com/forever-21-suffered-7-month-pos-malware-attack-a-10555
• TLS news includes private key compromises in software from Blizzard, Electronic Arts, Microsoft, and the German Federal Bar (Also updates on the ROBOT and ROCA attacks and more) https://www.feistyduck.com/bulletproof-tls-newsletter/issue36privatekeysin_software
• India's national bio-metric database compromised https://gizmodo.com/full-access-to-indias-national-biometric-database-repor-1821772876
• GDPR web site complete with countdown clock https://www.eugdpr.org/
• DHS notifies affected employees https://www.databreachtoday.com/dhs-says-246000-employees-personal-details-were-exposed-a-10560 of previously reported breach https://www.usatoday.com/story/news/politics/2017/11/28/sensitive-personal-information-246-000-dhs-employees-found-home-computer/901654001/

Laws & Regulations / Standards

• NIST updates: Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems https://csrc.nist.gov/publications/detail/sp/800-160/final
• NIST draft for fog computing (decentralized IoT, applications, management, and analytics at scale) https://csrc.nist.gov/publications/detail/sp/800-191/draft
• US Lawmakers seem disinterested in protecting data breach victims https://gizmodo.com/post-equifax-failure-of-us-lawmakers-to-protect-data-b-1821707695
• NIST draft report on Botnet resilience https://csrc.nist.gov/publications/detail/white-paper/2018/01/05/enhancing-resilience-against-botnets--report-to-the-president/draft

Bugs / Design Flaws

• The BIG news last week was the Meltdown (aka variant 3) and Spectre (aka variants 1 & 2) attacks that collectively exploit design flaws affecting Intel, ARM, and AMD chips. Expected operating system software patches will have performance penalties.

  • Vulnerability FAQ https://meltdownattack.com/#faq or https://spectreattack.com/#faq (same site)
  • Schneier opinion article https://www.schneier.com/blog/archives/2018/01/spectreandmel_1.html and initial post: mostly links and comments/discussions https://www.schneier.com/blog/archives/2018/01/spectreandmel.html
  • Patches, workarounds, and AV complications https://www.databreachtoday.com/meltdown-spectre-patches-workarounds-appear-a-10558
  • Some mitigation and more information from Google https://security.googleblog.com/2018/01/more-details-about-mitigations-for-cpu_4.html
  • Chrome browser users should enable Strict Site Isolation https://www.chromium.org/Home/chromium-security/ssca
  • Papers https://meltdownattack.com/meltdown.pdf and https://spectreattack.com/spectre.pdf
  • Google project zero https://googleprojectzero.blogspot.ca/2018/01/reading-privileged-memory-with-side.html
  • AMD response https://www.amd.com/en/corporate/speculative-execution
  • Intel response https://newsroom.intel.com/news/intel-responds-to-security-research-findings/ and https://newsroom.intel.com/news-releases/intel-issues-updates-protect-systems-security-exploits/
  • Linus Torvald isn't happy with Intel's response https://lkml.org/lkml/2018/1/3/797
  • Even XKCD, normally in Off-Topic, explains Meltdown and Spectre https://xkcd.com/1938/
• Old MacOS Kernel Zero-Day kernel vulnerability publication may have been motivated by lack of bug bounty  https://thehackernews.com/2018/01/macos-kernel-exploit.html

Privacy

• Widespread GPS tracking service software flaws expose geo-location data, photos, etc. https://thehackernews.com/2018/01/gps-location-tracking.html

Hacking / Malware / Cybercrime

• Bitcoin randsom paid out for crypto-currecny exchange analyst https://www.theguardian.com/uk-news/2017/dec/29/ukraine-kidnappers-release-hostage-after-1m-bitcoin-ransom-paid
• Follow-up on serial swatter at the center of Witchita wrongful death https://krebsonsecurity.com/2018/01/serial-swatter-swautistic-bragged-he-hit-100-schools-10-homes/
• Security Apps pushing aggressive ads http://blog.trendmicro.com/trendlabs-security-intelligence/apps-disguised-security-tools-bombard-users-ads-track-users-location/
• Louisana man charged with 269 counts of wire-fraud and money laundering as facilitator for "Nigerian Prince" scams https://www.pymnts.com/news/security-and-risk/2018/nigerian-prince-scammer-isnt-nigerian-or-a-prince/

Other Security / Risk

• Fallout from Uber taxi disruption may take down some financial institutions https://www.pymnts.com/news/ridesharing/2018/ubers-latest-taxi-threat-lenders-and-medallion-loan-defaults/
• An interesting tamper detection App for Android but it requires a second phone  https://www.schneier.com/blog/archives/2018/01/tamper-detectio.html
• Idea to easy security notifications https://www.theregister.co.uk/2018/01/03/securitynotificationscheme/ and the origin site https://securitytxt.org/
• Series of posts discussing the "AI Singularity" What is it? What it isn't? Why hasn't it already happened? https://freedom-to-tinker.com/2018/01/03/why-the-singularity-is-not-a-singularity/, https://freedom-to-tinker.com/2018/01/04/singularity-skepticism-2-why-self-improvement-isnt-enough/
• White House bans personal phones https://gizmodo.com/the-white-house-finally-realized-that-using-personal-ph-1821768097
• On detecting ad-blocker blockers https://www.schneier.com/blog/archives/2018/01/detecting_adblo.html
• Video of white noise has received five copyright infringement claims http://www.bbc.co.uk/news/technology-42580523

Off-Topic

• Double effect optical illusion http://www.syfy.com/syfywire/optical-illusion-shade-changing-shape-shifting-gray-turtles
• Just dust, there are no alien mega-structures around Tabby's star https://astroengine.com/2018/01/03/tabbys-star-dust-up-theres-no-alien-megastructure/