This Week’s [in]Security – Issue 53 - Anniversary Edition | insecurity | Control Gap

Welcome to the first anniversary edition of This Week’s [in]Security. This week we take a look back at the last year in security, the big stories, the surprises, and as always we’ve collected and grouped together a selection of this week’s news, opinions, and research. Quickly skim these annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

A Year of [in]Security

Our first issue debuted on April 3rd, 2017 and covered 27 articles taken from 13 web sites. After 52 issues plus a special issue on the Facebook/Cambridge Analytica scandal (https://controlgap.com/blog/cambridge-analytica-facebook-scandal/)  we've summarized and served up links for 2391 articles taken from 300 websites!

A Year of News

This last year we've seen a number of big and surprising stories and trends:

• Breaches of payment acceptance systems (https://controlgap.com/?s=%22card+breach%22)), at least massive ones, were not front and center in the news until Sak's (this issue). Healthcare breaches (https://controlgap.com/?s=Healthcare)) were almost epidemic in numbers but tended to be smaller in scale. The major breach stories involved information brokers and surveillance capitalism collecting a wide range of data (possibly including cards) where people are the product not the customer:

  • Facebook and Cambridge Analytica (50M) https://controlgap.com/blog/cambridge-analytica-facebook-scandal/, and https://controlgap.com/?s=Cambridge+Analytica
  • Equifax (143M) and it's tax/payroll subsidiary TALX https://controlgap.com/blog/this-weeks-insecurity-issue-24/, https://controlgap.com/blog/this-weeks-insecurity-issue-8/, and https://controlgap.com/?s=Equifax
  • Alteryx/Experian (123M) https://controlgap.com/?s=Experian
  • Voter registration data on 198M Americans, https://controlgap.com/blog/this-weeks-insecurity-issue-13/ and https://controlgap.com/?s=voter
• There was constant flow of leaks from insecure Amazon AWS S3 buckets  which were involved in at least 25 breaches ranging from Verizon, Accenture, the NSA, governments and included voter data, medical records, system credentials, private keys and more https://controlgap.com/?s=AWS+S3
• A big surprise this year was the shear number of critical firmware vulnerabilities, starting with AMT and leading up to Meltdown/Spectre that continue to have far reaching implications https://controlgap.com/blog/pci-compliance-intel-amt-vulnerability/,and https://controlgap.com/?s=Meltdown+Spectre
• Malware continued to be a major problem with NSA exploit powered ransomware and crypto-jacking https://controlgap.com/?s=ransom, and https://controlgap.com/?s=mining
• IoT vulnerabilities continue to be a problem ranging from massive DDoS attacks, industrial robots to some unusual consumer items like medical devices, high end ovens and adult/sex toys https://controlgap.com/?s=IoT

There's a lot more including coverage of cyber-research, new tools and techniques, the ongoing war against encryption, GDPR, AI, blockchain, and more.

A Year of Insight

We've brought you insightful articles about understanding PCI, including:

• Our predictions for the next revision of PCI DSS https://controlgap.com/blog/predictions-next-version-pci-dss/
• How encryption affects scope https://controlgap.com/blog/understanding-encryption-and-pci-compliance/
• How to interpret "connected-to" https://controlgap.com/blog/connected-to-pci/

We covered a number of  developments over the year that have compliance implications:

• The unexpected impact of Visa's new 8-digit BIN ranges on PCI https://controlgap.com/blog/new-bin-ranges-and-pci-truncation/ and it's followup https://controlgap.com/blog/pci-truncation-rules-clarified/
• Triple DES (aka TDEA, 3DES), Blowfish, and other ciphers are reaching the end of their useful life https://controlgap.com/blog/nist-moves-on-sweet32/
• One of the Format Preserving Encryption modes approved by NIST in 2015 was broken https://controlgap.com/blog/7-things-to-do-with-fpe-break/

PCI Compliance and Payments

• What's happening in PCI DSS in 2018, no new requirements planned for minor update https://blog.pcisecuritystandards.org/4-things-to-know-about-pci-dss-in-2018
• PCI has released some new Paymentt Data Security Essentials videos and infographics https://blog.pcisecuritystandards.org/share-this-new-resources-for-businesses-on-payment-data-security-essentials
• Visa sets sights on US EMV contactless transactions http://www.digitaltransactions.net/visa-gets-set-for-the-next-big-emv-phase-making-contactless-transactions-routine/

Breaches / Leaks

• HBC brands Saks Fifth Avenue, Saks Off Fifth, and Lord & Taylor hit by 5M card breach  (while dwarfed by recent non-card breaches this is the largest card breach in a while) https://www.theguardian.com/technology/2018/apr/01/saks-lord-taylor-date-breach-5-million-cards
• MyFitnessPal (UnderArmour) breached for 150M emails and hashed passwords https://www.theguardian.com/technology/2018/mar/30/hackers-steal-data-150m-myfitnesspal-app-users-under-armour
• The Australian Department of Health breached privacy laws with improperly anonymized data set https://www.itnews.com.au/news/health-breached-privacy-law-in-open-data-bungle-oaic-487936

Laws & Regulations / Standards

• TLS 1.3 is now official https://www.bleepingcomputer.com/news/security/ietf-approves-tls-13-as-internet-standard/
• US CLOUD act passes allowing law enforcement to access citizens’ information stored in foreign counties with a court-approved subpoena https://threatpost.com/senate-gives-nod-to-controversial-cross-border-data-access-bill/130757/
• NIST is asking for comments on guidance for documenting and populating test data on a mobile device before testing a mobile forensic tool https://csrc.nist.gov/News/2018/NIST-Releases-Draft-Special-Publication-800-202 and https://csrc.nist.gov/publications/detail/sp/800-202/draft
• Canadian appeals court weighs in on Fair Dealing and Insubstantial copying http://www.michaelgeist.ca/2018/03/federal-court-of-appeal-rejects-access-copyright-bid-to-overturn-board-ruling-on-insubstantial-copying-fair-dealing/
• Suspicion that the FBI concealed their crypto capabilities https://epic.org/2018/03/fbi-concealed-crypto-capabilit.html and engineered their legal showdown with Apple to set precedent https://www.theregister.co.uk/2018/03/27/fbiencryptionshowdown/
• FBI has been using classified hacking tools in ordinary criminal cases https://motherboard.vice.com/en_us/article/7xdxg9/fbi-hacking-investigations-classified-remote-operations-unit
• US police routinely use dead peoples fingerprints to unlock phones https://www.schneier.com/blog/archives/2018/03/unlocking_iphon.html
• UK police extracting phone data without a warrant http://www.bbc.com/news/uk-43507661
• US looking to tie visa applicants to social media accounts http://www.bbc.co.uk/news/world-us-canada-43601557
• State of Georgia law criminalizes security researchers, ironic given they invested $35M to expand the state’s cybersecurity training complex  https://www.eff.org/deeplinks/2018/03/georgia-passes-anti-infosec-legislation

Privacy

• EFF's "Privacy Badger" tool https://www.eff.org/deeplinks/2018/03/one-answer-facebook-problem-block-its-tracking-technologies
• Schneier on Facebook, Cambridge Analytica, and the larger problem of surveillance capitalism https://www.schneier.com/blog/archives/2018/03/facebookandca.html
• People looking at what Google tracks https://www.nbcnews.com/tech/social-media/worried-about-what-facebook-knows-about-you-check-out-google-n860781

• More on Cambridge Analytica

  • AggregateIQ and Palantir also implicated in Cambridge Scandal https://www.pymnts.com/facebook/2018/cambridge-analytica-aggregateiq-user-data/ and http://money.cnn.com/2018/03/27/technology/palantir-cambridge-analytica-facebook-peter-thiel/index.html

• More on Facebook

  • Facebook executive's "ugly truth" memo http://www.bbc.com/news/technology-43594959
  • User's deleting Facebook accounts are downloading their data and they're shocked what FB was mining https://www.theguardian.com/technology/2018/mar/25/facebook-logs-texts-and-calls-users-find-as-they-delete-accounts-cambridge-analytica
  • Facebook has been collecting Android call and text data for years http://www.businessinsider.com/facebook-has-been-keeping-android-call-and-text-data-2018-3
  • Facebook may have been reading emails too https://www.theguardian.com/technology/2018/mar/25/did-facebook-read-my-private-emails
  • FTC is investigating https://www.pymnts.com/facebook/2018/ftc-facebook-privacy-consumer-data/
  • Zuckerberg won't testify to UK parliament https://www.theguardian.com/technology/2018/mar/27/facebook-mark-zuckerberg-declines-to-appear-before-uk-fake-news-inquiry-mps
  • Zuckerberg will testify to congress http://money.cnn.com/2018/03/27/technology/mark-zuckerberg-testify-congress-facebook/index.html
  • 37 states investigating Facebook https://epic.org/2018/03/state-ags-launch-facebook-inve.html
  • India now investigating https://inc42.com/buzz/indian-government-letter-facebook-data-breach/

• Companies quitting Facebook or pulling advertising

  • Elon Musk deletes Facebook for Tesla and SpaceX https://www.theverge.com/2018/3/23/17156402/elon-musk-deleted-tesla-and-spacex-facebook-pages-twitter-challenge
  • Playboy quits http://money.cnn.com/2018/03/28/technology/playboy-leaving-facebook-data/index.html
  • Sonos, Mozzilla, and more  https://www.thesun.co.uk/tech/5919880/what-companies-brands-quit-facebook/
• Someone suggesting to "Poison" your Facebook data before deleting you account https://motherboard.vice.com/en_us/article/qvxv4x/how-to-delete-facebook-data

Bugs / Design Flaws

• The first Meltdown patches introduced a much bigger vulnerability http://blog.frizk.net/2018/03/total-meltdown.html
• Sneaking naughty QR codes past iOS https://www.theregister.co.uk/2018/03/27/appleioscameraappqr_codes/
• Mac harddisk encryption password sometimes gets written to the system log https://nakedsecurity.sophos.com/2018/03/28/yet-another-apple-password-leak-how-to-avoid-it/
• Meltdown and Spectre fallout - more Intel branch prediction attacks https://www.schneier.com/blog/archives/2018/03/anotherbranch\.html
• Monero transactions aren't quiet as untraceable as believed https://www.wired.com/story/monero-privacy/
• Article and discussion on hardware backdoor research https://www.schneier.com/blog/archives/2018/03/adding_backdoor.html
• Cisco's Easter bugs https://www.theregister.co.uk/2018/03/29/ciscocriticalios_bugs/

Hacking / Malware / Cybercrime

• Resurgent Wannacry[pt] hits Boeing https://www.theregister.co.uk/2018/03/28/wannacry_boeing/
• Hackers briefly take out Baltimore's 911 service https://www.theregister.co.uk/2018/03/27/baltimore911problemsblamedonhackingattack/
• Attacking face recognition with infrared. Discussion at  https://www.schneier.com/blog/archives/2018/03/foolingfacere.html and paper at https://arxiv.org/pdf/1803.04683.pdf
• Tracing stolen bitcoin https://www.lightbluetouchpaper.org/2018/03/26/tracing-stolen-bitcoin/
• Coinhive, malware, and bad actors https://krebsonsecurity.com/2018/03/who-and-what-is-coinhive/
• Russian who breached Dropbox and Linkedin finally extradited to US https://thehackernews.com/2018/03/linkedin-hacker-extradited.html

Other Security / Risk

• Most FTSE 100 boards in the dark on their cyber resilience plans https://www.theregister.co.uk/2018/03/28/cyberresilienceplanningftse100/
• Beware the .cm top level domain that typosquatters love https://krebsonsecurity.com/2018/03/omitting-the-o-in-com-could-be-costly/
• Healthcare computer security is problematic but apparently breach response procedures lead to deaths https://www.darkreading.com/endpoint/privacy/fixing-hacks-has-deadly-impact-on-hospitals/d/d-id/1331386
• Tumbr also used by Russian troll factory https://www.theregister.co.uk/2018/03/26/tumblrbansrussian_trolls/
• The AI fake news arms race is about to begin https://www.technologyreview.com/s/610635/fake-news-20-personalized-optimized-and-even-harder-to-stop/
• New Firefox features anti-crypto-jacking and ad filtering  mechanisms https://www.bleepingcomputer.com/news/software/firefox-working-on-protection-against-in-browser-cryptojacking-scripts/ and https://www.bleepingcomputer.com/news/security/firefox-to-get-an-ad-filtering-system/
• MITRE evaluates APT detection tools https://www.darkreading.com/perimeter/mitre-evaluates-tools-for-apt-detection/d/d-id/1331407
• Kaspersky is open sourcing their threat hunting tool https://www.darkreading.com/perimeter/kaspersky-lab-open-sources-its-threat-hunting-tool/d/d-id/1331388
• EFF series on secure messaging https://www.eff.org/deeplinks/2018/03/secure-messaging-more-secure-mess
• Analysis of affiliate marketing https://freedom-to-tinker.com/2018/03/26/is-affiliate-marketing-disclosed-to-consumers-on-social-media/
• Troy Hunt trolls a scammer https://www.troyhunt.com/a-scammer-tried-to-scare-me-into-buying-their-security-services-heres-how-it-went-down/
• Bulletproof TLS newsletter #39 is out - discussion about the controversial practice of certificate sellers generating private keys for their customers plus the usual roundup of SSL/TLS news https://www.feistyduck.com/bulletproof-tls-newsletter/issue39trusticodebacleshowsriskofkeygenerationbyresellers.html

Off-Topic

• China's Tiangong-1 tumbling out of control 8.5 ton space station finally re-entered the atmosphere in the South Pacific about 120 km west of Suwarrow Atoll in the northern Cook Islands (NZ)  https://www.theguardian.com/world/2018/apr/02/tiangong-1-crash-china-space-station and http://www.aerospace.org/CORDSuploads/TiangongStoryboard.png
• Add your name to NASA probe that will "touch the Sun" https://www.universetoday.com/138862/nasas-parker-solar-probe-will-touch-sun-can/
• China building a rocket that would compete with the Saturn V https://www.universetoday.com/138847/china-working-rocket-powerful-saturn-v-launch-2030/
• Knuckle cracking explained  and now modeled with 3 equations http://www.bbc.com/news/science-environment-43572709

[poll id="1"]