This Week’s [in]Security – Issue 47 | insecurity | Control Gap

Welcome to This Week’s [in]Security. We’ve collected and grouped together a selection of this week’s news, opinions, and research. Quickly skim these annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

• PCI and X9 joining forces to unify PIN standards https://www.pcisecuritystandards.org/pdfs/PCIX9PressReleaseFeb142018_FINAL.PDF
• Another reminder and a resource guide for SSL/early TLS migration https://blog.pcisecuritystandards.org/resource-guide-migrating-from-ssl-and-early-tls
• Overcoming obstacles to mPOS adoption https://www.mobilepaymentstoday.com/articles/why-mpos-adoption-continues-to-lag-with-retailers/

Breaches / Leaks

• Another unsecured AWS S3 bucket with personal information exposed. The server belonged to Bongo which was purchased by FedEx. http://www.zdnet.com/article/unsecured-server-exposes-fedex-customer-records/
• Equifax followup, Senators demanding answers on CFPB's halted investigation https://epic.org/2018/02/following-epic-letter-31-senat.html
• Aetna breach legal action gets messy, Aetna suing suppliers, suppliers countersuing https://www.databreachtoday.com/aetna-breach-case-gets-messier-a-10646
• Wikileaks leaks, pre-election anti-Clinton chats leaked https://theintercept.com/2018/02/14/julian-assange-wikileaks-election-clinton-trump/

Laws & Regulations / Standards

• Possible unintended consequences of GPDR on WHOIS and Cybercrime https://krebsonsecurity.com/2018/02/new-eu-privacy-law-may-weaken-security/
• Facebook personal data use and privacy settings illegal in Germany https://www.theguardian.com/technology/2018/feb/12/facebook-personal-data-privacy-settings-ruled-illegal-german-court
• NIST on IoT Cybersecurity Standardization draft and public comments, news release https://csrc.nist.gov/News/2018/Report-International-IoT-Cybersecurity-Standards and draft document https://csrc.nist.gov/publications/detail/nistir/8200/draft
• NIST has updated the Security Content Automation Protocol (SCAP) a suite of specifications to promote standardization amongst automated vulnerability management, measurement, and policy compliance products https://csrc.nist.gov/News/2018/NIST-Publishes-SCAP-1-3-Technical-Spec, https://csrc.nist.gov/publications/detail/sp/800-126/rev-3/final, and https://csrc.nist.gov/publications/detail/sp/800-126a/final
• UK has developed a tool to block extremist content and may legislate its use https://www.theregister.co.uk/2018/02/13/amberruddextremismblockingtool/
• Senators and expert cryptographers pushing FBI to provide concrete proposals for crypto-backboors https://www.theregister.co.uk/2018/02/14/cryptographyexpertsfbi/
• Series of articles by Micheal Geist on Canadian Copyright law and the Bell “Fairplay Canada”  Coalition website blocking plan http://www.michaelgeist.ca/2018/02/case-bell-coalitions-website-blocking-plan-part-1-canadas-current-copyright-law-provides-effective-anti-piracy-tools/,  http://www.michaelgeist.ca/2018/02/case-bell-coalitions-website-blocking-plan-part-2-weak-evidence-state-canadian-piracy/, http://www.michaelgeist.ca/2018/02/case-bell-coalitions-website-blocking-plan-part-3-piracy-little-impact-thriving-digital-services-tv-production/, http://www.michaelgeist.ca/2018/02/case-bell-coalitions-website-blocking-plan-part-4-absence-court-orders-put-canada-odds-almost-everyone/, http://www.michaelgeist.ca/2018/02/case-bell-coalitions-website-blocking-plan-part-5-inevitable-expansion-block-list-standard-piracy-sites/, and http://www.michaelgeist.ca/2018/02/case-bell-coalitions-website-blocking-plan-part-6-blocking-legitimate-websites/
• EFF comments on Bell’s “Fairplay Canada” proposal, calling it flawed https://www.eff.org/deeplinks/2018/02/will-canada-be-new-testing-ground-sopa-lite-canadian-media-companies-hope-so

Bugs / Design Flaws

• New techniques developed to exploit Meltdown and Spectre vulnerabilities https://www.theregister.co.uk/2018/02/14/meltdownspectreexploit_variants/
• VMware workaround for Meltdown and Spectre https://www.theregister.co.uk/2018/02/09/vmwaretempfixesformeltdownspectreforvirtualappliances/
• More on the browsealoud bug that facilitated mass crypto-mining and the problem 3rd party web libraries https://www.troyhunt.com/the-javascript-supply-chain-paradox-sri-csp-and-trust-in-third-party-libraries/
• BrowseAloud cryto-mining crypto-jackers netted a mere $24 for their efforts https://www.theguardian.com/technology/2018/feb/14/cryptojacking-campaign-24-dollars-hackers-cryptocurrency-salon Preventing crypto-jacking https://www.databreachtoday.com/cryptocurrency-miners-how-to-shield-browsers-from-bad-guys-a-10651
• Serious bug in Lotus Notes Smart updater https://www.theregister.co.uk/2018/02/12/notesdllimpersonation_bug/
• Windows installer vulnerability https://www.scmagazineuk.com/windows-installer-service-hacked-to-infect-victims-systems-with-malware/article/743633/
• Skype 7.4 or less updater vulnerability http://www.zdnet.com/article/skype-cannot-fix-security-bug-without-a-massive-code-rewrite/ was fixed in version 8 https://www.theregister.co.uk/2018/02/15/microsoftskypefixed/
• Telegram Unicode vulnerability facilitates crypto-mining malware https://threatpost.com/venerable-unicode-technique-used-to-deliver-cryptomining-malware-through-telegram/129929/
• Last Tuesdays patches https://krebsonsecurity.com/2018/02/microsoft-patch-tuesday-february-2018-edition/

Privacy

• Privacy laws prevent pointing cameras at the street? https://www.thespec.com/news-story/8133368-don-t-let-home-security-cameras-point-at-the-street-ontario-privacy-commissioner/
• Livestream and conference at University of Ottawa on emerging de-identification standards http://create-best.com/20180228-privacy-analytics/

Hacking / Malware / Cybercrime

• Newtek Buisness services, host of 100,000+ websites had several core domains hijacked https://krebsonsecurity.com/2018/02/domain-theft-strands-thousands-of-web-sites/
• Cyber-attacks and threats to the Olympics https://www.theregister.co.uk/2018/02/11/winterolympicswebsitedownedbycyberattack/, and https://www.schneier.com/blog/archives/2018/02/internet_securi.html
• Another crypto-currency exchange fails, Italy based BitGrail looses $170M in Nano https://www.bleepingcomputer.com/news/cryptocurrency/bitgrail-cryptocurrency-exchange-becomes-insolvent-after-losing-170-million/
• More Crypto-currency exit scams https://www.pymnts.com/news/security-and-risk/2018/bitgrail-loopx-cryptocurrency-financial-crime/
• Money Laundering using crypto-currency https://www.databreachtoday.com/criminals-hide-billions-in-cryptocurrency-europol-warns-a-10653
• Half of all crypto-jacking happening on porn sites https://www.bleepingcomputer.com/news/security/half-of-all-cryptojacking-scripts-found-on-porn-sites/
• Analysis of “Olympic Destroyer” malware shows no data exfiltration just very thorough destruction https://threatpost.com/olympic-destroyer-malware-behind-winter-olympics-cyberattack-researchers-say/129918/ and wide reach https://threatpost.com/researchers-find-new-twists-in-olympic-destroyer-malware/129937/
• Researcher shows how to steal sensitive data from MacOS screen shots https://www.bleepingcomputer.com/news/apple/researcher-uses-macos-app-screenshot-feature-to-steal-passwords-tokens-keys/
• Fraudsters demanding gift cards.  It's not just iTunes cards and ransomware (it's also tax scams and gaming cards too) https://www.baytoday.ca/local-news/dont-pay-ransom-with-i-tunes-cards-838735
• Another phone scam – don’t call back if you get one ring https://www.ctvnews.ca/canada/don-t-call-back-one-ring-scam-targets-phones-across-canada-1.3801297
• Canada Revenue acting on Panama Papers disclosures with raids in Toronto, Calgary, and Vancouver http://www.cbc.ca/news/politics/cra-panama-papers-raids-vancouver-toronto-calgary-1.4535565
• Remember the 2007 Heartland breach, the criminals were just sentenced https://www.darkreading.com/attacks-breaches/russian-hackers-sentenced-in-heartland-payment-systems-breach-case/d/d-id/1331080

Other Security / Risk

• Unilever to tech media companies - clean up content or loose advertising http://money.cnn.com/2018/02/12/media/unilever-advertising-facebook-google-swamp/index.html
• OpenSSL alpha lets devs get hands on TLS 1.3 https://www.theregister.co.uk/2018/02/14/openssl111alphaaddstls13_support/
• Mozilla removing cache access from insecure HTTP https://blog.mozilla.org/security/2018/02/12/restricting-appcache-secure-contexts/
• Google Chrome now blocking egregious ads https://www.theregister.co.uk/2018/02/14/googlechromead_blocking/
• Schneier essay on “Can Consumers' Online Data Be Protected?” https://www.schneier.com/blog/archives/2018/02/canconsumerso.html
• Discussion and link to article on election security https://www.schneier.com/blog/archives/2018/02/electionsecuri1.html
• Troy Hunt on Hoodied hackers, FUD, and the dark web https://www.troyhunt.com/making-light-of-the-dark-web-and-debunking-the-fud/
• Discussion and link to National Academies Report on Crypto Policy https://www.schneier.com/blog/archives/2018/02/newnationalac.html
• The modern CIO and emerging tech/risk https://www.datex.ca/blog/security-concerns-of-the-modern-cio
• Farmers at the front lines of the right to repair movement https://motherboard.vice.com/en_us/article/kzp7ny/tractor-hacking-right-to-repair
• US 3-letter agency testify before Senate about concerns over Huawei/ZTE phones and communications equipment http://www.theregister.co.uk/2018/02/14/huaweiztensafbicia/
• Report on the Healthcare industry cybersecurity https://explore.securityscorecard.com/2018-cybersecurity-healthcare-report-ssc.html
• Study shows risk of fatal traffic accidents rises on 4/20 https://scienmag.com/is-risk-of-fatal-crashes-increased-on-4-20-counterculture-holiday-celebrating-marijuana/
• London's city airport shutdown for removal of WWII bomb http://www.bbc.co.uk/news/uk-england-london-43027472

Off-Topic

• Maybe there is something to that saying about healthy kids eating dirt … new antibiotic family discovered in dirt http://www.bbc.co.uk/news/health-43032602
• The Kepler mission finds 95 new exoplanets https://scienmag.com/kepler-scientists-discover-almost-100-new-exoplanets/
• Could SETI messages be malicious? https://www.universetoday.com/138521/receive-message-aliens-delete-without-reading/