This Week’s [in]Security – Issue 49 | insecurity | Control Gap

Welcome to This Week’s [in]Security. We’ve collected and grouped together a selection of this week’s news, opinions, and research. Quickly skim these annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

• PCI Q&A on PIN on COTS and the new PTS Secure Card Reader (SCRP) function https://blog.pcisecuritystandards.org/pci-software-based-pin-entry-on-cots-understanding-new-test-requirements
• PCI released the PIN Entry on COTS testing requirements https://www.pcisecuritystandards.org/documents/SPoCTest\_Requirements_v1.0.pdf
• UL does a deep dive on the new PIN on COTS testing requirements https://blog.ul-ts.com/posts/pci-pin-on-cots-digging-into-the-details/
• Visa's Ready for Transit program gains traction https://www.mobilepaymentstoday.com/news/14-companies-join-visas-ready-for-transit-program/

Breaches / Leaks

• HaveIbeenpwned adds a huge collection (almost 3K) breaches and 80M+ emails https://haveibeenpwned.com/PwnedWebsites#2844Breaches
• Trustico emails 23K web certificate private keys https://www.databreachtoday.com/leak-23000-private-keys-triggers-security-scramble-a-10689
• Equifax forgot about 2.4M exposed records https://www.databreachtoday.com/equifax-discloses-24-million-more-mega-breach-victims-a-10691
• Equifax also appears to be making a profit from the megabreach https://www.cnet.com/news/equifax-possibly-profiting-off-data-breach-sen-warren-says/
• US Marine Corp sends confidentail information on 23K individuals to wrong party https://www.marinecorpstimes.com/news/your-marine-corps/2018/02/28/major-data-breach-at-marine-forces-reserve-impacts-thousands/

Laws & Regulations / Standards

• Fair dealing over payments and refund dispute in Canada http://www.michaelgeist.ca/2018/02/fair-dealing-fake-news-seeking-refund-arising-copyright-payments-becomes-legal-attack-writers/
• Micheal Geist's series on Fairplay Canada's proposals for web-blocking http://www.michaelgeist.ca/2018/02/case-bell-coalitions-website-blocking-plan-part-10-may-violate-human-rights-norms/, http://www.michaelgeist.ca/2018/02/case-bell-coalitions-website-blocking-plan-part-11-higher-internet-access-costs/, http://www.michaelgeist.ca/2018/02/case-bell-coalitions-website-blocking-plan-canadians-take-stand-site-blocking/, http://www.michaelgeist.ca/2018/03/case-bell-coalitions-website-blocking-plan-part-12-increasing-privacy-risks-canadians/, http://www.michaelgeist.ca/2018/03/case-bell-coalitions-website-blocking-plan-part-13-inconsistent-crtc-policy-direction/
• Georgia Bill will criminalize computer security research https://www.eff.org/deeplinks/2018/02/how-grassroots-activists-georgia-are-leading-opposition-against-dangerous-computer
• It was Fair Dealing week, several articles supporting it http://www.michaelgeist.ca/2018/02/why-fair-dealing-benefits-creator-the-case-of-a-room-full-of-spoons/, http://www.michaelgeist.ca/2018/02/fair-dealing-safeguards-freedom-expression-case-vancouver-aquarium/, http://www.michaelgeist.ca/2018/03/fair-dealing-support-news-reporting-public-debate-case-warman-national-post-v-fournier/, http://www.michaelgeist.ca/2018/03/fair-dealing-right-read-case-blacklocks-reporter-v-canada-attorney-general/
• Court of Appeals restores FTC's ability to regulate ISPs https://epic.org/2018/02/court-of-appeals-restores-ftcs.html
• Apple transitions Chineses iPhone owners keys to a Chinese company https://www.schneier.com/blog/archives/2018/02/appletostore_.html

Privacy

• Discussion and article about Cellebrite (who cracked the Apple vs. FBI phone) and their ability to crack the iPhone X https://www.schneier.com/blog/archives/2018/02/cellebrite_unlo.html
• 2.4M Europeans ask Google to be forgotten https://nypost.com/2018/02/27/google-gets-2-4m-requests-from-europeans-to-be-forgotten/

Bugs / Design Flaws

• Apple urges iOS upgraade in response to Cellebrite 's claims to be able to unlock any iPhone but it's unclear if it will help https://threatpost.com/apple-tackles-cellebrite-unlock-claims-sort-of/130111/
• µTorrent software flaw allows for remote control of your PC https://thehackernews.com/2018/02/torrent-download-software.html
• Poorly implemented SAML libraries allow attackers to assume identities https://www.darkreading.com/cloud/saml-flaw-lets-hackers-assume-users-identities/d/d-id/1331146
• Trustico web site goes offline after vulnerability disclosed on Twitter https://arstechnica.com/information-technology/2018/03/trustico-website-goes-dark-after-someone-drops-critical-flaw-on-twitter/

 Hacking / Malware / Cybercrime

• Nanocore RAT author gets 33 months for designing and providing tools for/to criminals https://www.bankinfosecurity.com/nanocore-rat-developer-gets-33-month-prison-sentence-a-10682 and https://thehackernews.com/2018/02/malware-author-jailed.html
• Did Bitcoin "creator" steal his dead partner's Bitcoins? He's being sued for it https://www.theguardian.com/technology/2018/feb/27/bitcoin-craig-wright-self-proclaimed-creator-sued-10bn-former-coding-partner-family
• Malware using domain generation techniques to push mining adware https://arstechnica.com/information-technology/2018/02/ad-network-uses-advanced-malware-technique-to-conceal-cpu-draining-mining-ads/
• Memcache is a new vector for enormously amplified DDoS attacks https://www.bleepingcomputer.com/news/security/memcache-servers-can-be-abused-for-insanely-massive-ddos-attacks/
• Krebs does a Bot roundup https://krebsonsecurity.com/2018/02/bot-roundup-avalanche-kronos-nanocore/
• Unsurprisingly the Olympic hack is attributed to Russia https://www.schneier.com/blog/archives/2018/03/russians_hacked.html
• Krebs article on how to defend against unauthorized mobile number porting https://krebsonsecurity.com/2018/02/how-to-fight-mobile-number-port-out-scams/
• FS-ISAC cyber threat/risk sharing organization was phished and fortunately they caught it quickly https://krebsonsecurity.com/2018/03/financial-cyber-threat-sharing-group-phished/
• Largest ever DDoS attack targets GitHub https://thehackernews.com/2018/03/biggest-ddos-attack-github.html

Other Security / Risk

• Cybersecurity jargon is becoming "word salad" so (ISC)2 has published a Lexicon http://blog.isc2.org/isc2_blog/2018/02/welcome-to-the-lexicon-project.html
• Mozzilla analyzes Alexa top 1M sites year over year for security (e.g. CSP, Secure cookies, CORS, HTTPS, HSTS, and more)  https://blog.mozilla.org/security/2018/02/28/analysis-alexa-top-1m-sites-2/
• New Bullteproof TLS newsletter: Chrome marking HTTP insecure, SSL and early TLS deprecation, Post-Quantum crypto, TLS mail guidance, cert life lines, TLS 1.3, text book RSA found in the wild (very bad), SSL labs changes, TLS  https://www.feistyduck.com/bulletproof-tls-newsletter/issue38chromewillmarkhttppagesasnot_secure.html
• Beyond the hype, what blockchain is good for https://freedom-to-tinker.com/2018/02/26/blockchain-what-is-it-good-for/
• More on Mixpanel and other web replay tools collecting passwords and other sensitive data https://freedom-to-tinker.com/2018/02/26/no-boundaries-for-credentials-password-leaks-to-mixpanel-and-session-replay-companies/
• The underground market for counterfeit web certificates https://www.bankinfosecurity.com/darknet-vendors-sell-counterfeit-tls-certificates-a-10680
• Breached data shows US Army, FBI, and ICE personnel purchased spyware, but why?  https://motherboard.vice.com/en_us/article/ywqqkw/military-fbi-and-ice-are-customers-of-controversial-stalkerware
• MIT researches propose "Veil" framework to plug private browsing modes leaks https://www.theregister.co.uk/2018/02/26/mitwangveil_browsing/
• E-mail leaves a trail of evidence, how Manafort and Gates got caught diddling documents https://www.schneier.com/blog/archives/2018/02/e-mailleavesa.html
• USPS Informed Delivery now notifies you if someone signs up to see your mail https://krebsonsecurity.com/2018/02/usps-finally-starts-notifying-you-by-mail-if-someone-is-scanning-your-snail-mail-online/
• Digital hygiene and cyber-security for the traveler https://www.datex.ca/blog/cybersecurity-travel-tips-when-going-abroad
• How can techniques developed to fight wild fires help security incident response https://www.darkreading.com/attacks-breaches/incident-management-what-it-security-can-learn-from-public-safety/a/d-id/1331120
• Tim Horton's gets hit by malware, crashing cash registers https://www.ctvnews.ca/business/virus-downs-hundreds-of-tim-hortons-cash-registers-furious-owners-threaten-lawsuit-1.3821172
• Canada to scrap $1B IBM Phoenix payroll system https://www.bloomberg.com/news/articles/2018-03-01/canada-to-scrap-ibm-payroll-plan-gone-awry-costing-c-1-billion

Off-Topic

• When the habitable zone becomes uninhabitable, our nearest exo-planet Proxima b was likely fried last year by it's angry little star https://astroengine.com/2018/02/26/proxima-centauri-unleashes-doomsday-flare/
• Spinlaunch startup planning space catapult https://www.universetoday.com/138687/space-catapult-startup-spinlaunch-come-stealth-mode-space-catapults-yes-please/
• Stratolaunch completes 2nd taxi test of the "Roc" the worlds largest jet https://www.universetoday.com/138699/biggest-airplane-taxis-runway-2020-launching-rockets/
• Video game playing AI finds cheat in Q*bert https://www.theverge.com/tldr/2018/2/28/17062338/ai-agent-atari-q-bert-cracked-bug-cheat
• The Icelandic language is getting swamped by English https://www.theguardian.com/world/2018/feb/26/icelandic-language-battles-threat-of-digital-extinction