Blog

This Week’s [in]Security – Issue 54

Welcome to This Week’s [in]Security. We’ve collected and grouped together a selection of this week’s news, opinions, and research. Quickly skim these annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

• The PCI Standard council recently raised the bar for assessors in terms of industry certifications, they’ve now partnered with ISACA to make those more affordable https://blog.pcisecuritystandards.org/isaca-partners-with-pci-ssc-to-provide-discount-on-industry-certifications
• Interesting Chip card fraud using mail interception https://krebsonsecurity.com/2018/04/secret-service-warns-of-chip-card-scheme/

Breaches / Leaks

• Study found 1.5B files amassing a staggering 12PB (i.e. 12,000 TB) of data online and 93% of it was NON-cloud hosting. Note that more study is needed as the percentage of encrypted vs. unencrypted files is not known https://www.theregister.co.uk/2018/04/05/billions_files_exposed_aws_ftp_wide_open/
• Female ridesharing company “DriveHer” hit by breach of driver PII https://www.thestar.com/news/gta/2018/04/04/driveher-ride-sharing-app-for-women-suspends-service-after-data-breach-exposes-personal-information.html
• Shuterfly PII breach https://www.enterprisetimes.co.uk/2018/04/05/shutterfly-reacts-to-data-breach/
• Sear’s & Delta service provider [24]7.ai hit for small breach affecting online sales using customer chat function http://fortune.com/2018/04/05/sears-delta-data-breach/
• Best Buy affected by [24]7.ai breach. No word on other customers including AT&T, Citi, eBay, Farmers Insurance and Hilton https://www.cnet.com/news/best-buy-data-breach-24-7-ai/
• Panera Bread has had an 8-month long leak of as much as up to 37M records of customer data from it’s online ordering system and tried to cover-up the extent of the breach (note: card data appears properly truncated so this wouldn’t be considered a payment breach) https://krebsonsecurity.com/2018/04/panerabread-com-leaks-millions-of-customer-records/
• More on Panera Bread’s reaction to being told they were leaking data https://arstechnica.com/information-technology/2018/04/panera-accused-security-researcher-of-scam-when-he-reported-a-major-flaw/
• The Under Armour / MyFitnessPal breached data used a mix of password hashes. While most passwords were hashed with bcrypt, an undisclosed number were hashed with the weak SHA-1 https://www.wired.com/story/under-armour-myfitnesspal-hack-password-hashing
• Drones For Less breach of customer (not cardholder) data https://www.theregister.co.uk/2018/04/06/dronesforless_data_breach/
• Massachusetts lawsuit against Equifax can proceed https://www.theglobeandmail.com/business/article-massachusetts-lawsuit-against-equifax-over-data-breach-allowed-to/

Laws & Regulations / Standards

• Canada’s breach disclosure rules go into effect November 1, 2018 http://www.michaelgeist.ca/2018/04/coming-soon-or-at-least-by-november-government-sets-a-date-for-data-breach-disclosure-rules-to-take-effect/
• California addresses Net Neutrality https://www.eff.org/deeplinks/2018/04/californias-legislature-seeks-protect-network-neutrality-and-promote-isp
• Court rules some fees charged for public access to court records are illegal https://freedom-to-tinker.com/2018/04/01/judge-declares-some-pacer-fees-illegal-but-does-not-go-far-enough/
• US Supreme Court considering case for world-wide damages for infringement of US patents https://www.eff.org/deeplinks/2018/04/eff-supreme-court-dont-turn-us-patents-worldwide-patents
• The FBI had the capability to get into the San Bernardino shooters iPhone, a look into the Inspector General’s report https://www.eff.org/deeplinks/2018/04/fbi-could-have-gotten-san-bernardino-shooters-iphone-leadership-didnt-say
• US Consumer Product Safety Commission to hold hearings on IoT risks, link and discussion https://www.schneier.com/blog/archives/2018/04/public_hearing_.html

Privacy

• Telus supports national website blocking proposal with dubious arguments http://www.michaelgeist.ca/2018/04/telus-website-blocking-submission-no-copyright-expertise-needed-and-no-net-neutrality-violation-if-everyone-blocks-websites/
• Gay dating app under fire for sharing user’s HIV status and leaking location information https://www.buzzfeed.com/azeenghorayshi/grindr-hiv-status-privacy and https://www.nbcnews.com/feature/nbc-out/security-flaws-gay-dating-app-grindr-expose-users-location-data-n858446
• UK raids Cambridge Analytica, looks to GDPR and possible other regulation https://www.economist.com/news/britain/21739707-new-and-rapidly-growing-british-industry-gets-shock-britain-moves-rein-data-analytics
• The Facebook Scandal and reaction continues to grow:
  • Facebook’s shutsdown of its partner categories program has more to do with GDPR than Cambridge https://www.eff.org/deeplinks/2018/04/facebook-isnt-telling-whole-story-about-its-decision-stop-partnering-data-brokers
  • Facebook’s GDPR support will not roll out world-wide https://www.databreachtoday.com/facebooks-zuckerberg-gdpr-wont-apply-worldwide-a-10763
  • Facebook ups estimate of Cambridge’s data grab to 87M including people outside the US http://www.bbc.com/news/technology-43649018 and https://fbnewsroomus.files.wordpress.com/2018/04/ca-country-list.jpg
  • As many as 2.2B users data harvested through abuse of phone number search https://thehackernews.com/2018/04/facebook-data-privacy.html and http://www.bbc.co.uk/news/technology-43656746
  • And what sounds like a phenomenally bad idea for hospitals to share data on vulnerable patients with Facebook https://www.cnbc.com/2018/04/05/facebook-building-8-explored-data-sharing-agreement-with-hospitals.html

Bugs / Design Flaws

• Intel Remote Keyboard app on Android and iOS dropped due to insecurities https://threatpost.com/intel-tells-remote-keyboard-users-to-delete-app-after-critical-bug-found/130974/
• Out-of-band patch for the Meltdown patch https://blog.qualys.com/laws-of-vulnerabilities/2018/03/30/a-patch-for-the-meltdown-patch-released-out-of-band-thursday-night
• Intel won’t be fixing Spectre variant 2 in many processors https://www.theregister.co.uk/2018/04/04/intel_says_some_cpus_with_spectre_v2_cant_be_fixed/
• Austrian man reverse engineers his bank’s mobile API with BURP suite and finds vulnerabilities https://blog.haschek.at/post/fc874
• Remote code execution in Windows Defender rar file processing https://www.theregister.co.uk/2018/04/04/microsoft_windows_defender_rar_bug/

Hacking / Malware / Cybercrime

• KevDroid malware records calls and audio, tracks locations, steals call logs, inventories apps, and roots Android phones https://thehackernews.com/2018/04/android-spying-trojan.html
• A SWIFT attack thwarted in Malaysia https://www.bankinfosecurity.com/malaysias-central-bank-blocks-attempted-swift-fraud-a-10758

Other Security / Risk

• 40% of employees believe they have ZERO responsibility for securing information https://www.datex.ca/blog/employees-confused-about-cybersecurity-responsibilities
• Study of 130 companies finds internal access is too broad, stale data, and ghost accounts https://www.darkreading.com/operations/identity-and-access-management/one-third-of-internal-user-accounts-are-ghost-users/d/d-id/1331443
• Mystery “IMSI Catchers” found in Washington DC. https://www.theregister.co.uk/2018/04/03/imsi_catcher_stingray_washington_dc/
• Follow-up on last weeks “.cm” typosquatting article show a lot more people than you might thing omit the “o” https://krebsonsecurity.com/2018/04/dot-cm-typosquatting-sites-visited-12m-times-so-far-in-2018/
• Risks of not “claiming” your business on Google Maps https://www.thestar.com/news/gta/2018/03/28/internet-police-warn-business-owners-of-sabotage-on-google-maps.html
• Challenges for connected hospitals https://blog.trendmicro.com/trendlabs-security-intelligence/challenges-in-securing-connected-hospitals
• EFF launches a new version of the “HTTPS Everywhere” plugin that ensures if a site offers HTTPS then you will use it https://www.eff.org/deeplinks/2018/04/https-everywhere-introduces-new-feature-continual-ruleset-updates
• “Fetch” a new idea for trading data https://www.economist.com/news/science-and-technology/21739644-securing-data-networks-new-ways-trade-data
• DARPA looking at advanced ways to test hardware security https://www.darkreading.com/vulnerabilities—threats/vulnerability-management/new-darpa-contract-looks-to-avoid-another-meltdown/d/d-id/1331452
• “Oblivious DNS” a proposal to ensure no single party sees both the DNS query and originating subnet/IP address https://freedom-to-tinker.com/2018/04/02/a-privacy-preserving-approach-to-dns/
• Cloudflare’s 1.1.1.1 DoH service (DNS over HTTPS) http://www.bbc.com/news/world-us-canada-43622862
• Summary and discussion of research into secret communications over backdoored encryption https://www.schneier.com/blog/archives/2018/04/subverting_back.html
• Leaked Russian emails expose disinformation and dirty tricks http://www.businessinsider.com/leaked-emails-show-russia-uses-paid-thugs-to-sow-dissent-and-chaos-2018-4
• Apple planning to move off Intel chips to a new high end ARM cpu https://thehackernews.com/2018/04/apple-mac-arc-intel.html
• AI lessons learned from Microsoft’s short lived chatbot “Tay” https://www.technologyreview.com/s/610634/microsofts-neo-nazi-sexbot-was-a-great-lesson-for-makers-of-ai-assistants/
• Are we in for a new round of trade wars with the US vs. everyone?
  • China strikes back at US tariffs https://www.ft.com/content/8022a546-3651-11e8-8b98-2f31af407cc8and Whitehouse rebukes them  http://www.bbc.com/news/world-us-canada-43622862
  • Trump doubles down with $100B tariff threat on China http://www.bbc.com/news/business-43664243
  • Ontario hits back at New York “Buy American” legislation https://www.thestar.com/business/economy/2018/04/02/ontario-fires-back-at-new-yorks-buy-american-policy.html

Off-Topic

• The curious phenomena of “Twin Movies” http://www.bbc.com/news/entertainment-arts-43371881
• Something is hiding inside Venus’s cloud layer, could it be life? http://www.syfy.com/syfywire/life-in-hell-could-venus-have-a-bacterial-infection
• Our galactic center is home to as many as 10,000 smaller black holes http://www.bbc.com/news/science-environment-43648152
• The lunar X-prize expired unclaimed and why getting back to the moon is hard https://www.technologyreview.com/s/610720/why-getting-back-to-the-moon-is-so-damn-hard/
• In the wake of last week’s reentry of China’s space station, a look at space junk that rains down https://www.universetoday.com/138919/did-you-know-that-a-satellite-crashes-back-to-earth-about-once-a-week-on-average/

_______________________________________________________________

Becoming PCI Compliant can be difficult, so why not let Control Gap guide you. We are the largest dedicated PCI compliance company in Canada. Contact us today and learn more about how we can help you: Get PCI Compliant. Stay PCI Compliant.