This Week’s [in]Security – Issue 64

Welcome to This Week’s [in]Security. We’ve collected and grouped together a selection of this week’s news, opinions, and research. Quickly skim these annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

• PCI publishes two more SSL/TLS documents as deadline approaches and a Q&A about these https://blog.pcisecuritystandards.org/what-happens-after-30-june-2018-new-guidance-on-use-of-ssl/early-tls-

  • Guidance for users of POI terminals running SSL and how to navigate the exemptions https://www.pcisecuritystandards.org/documents/Use-of-SSL-Early-TLS-for-POS-POI-Connections.pdf
  • Guidance on how to attain passing ASV scores for systems supporting SSL https://www.pcisecuritystandards.org/documents/Use-of-SSL-Early-TLS-and-ASV-Scans.pdf
• PCI FAQ #1457 was released confirming the Software PIN on COTS isn't eligible for P2PE approval https://pcissc.secure.force.com/faq/articles/FrequentlyAskedQuestion/Is-a-Software-based-PIN-Entry-on-COTS-Solution-eligible-for-a-P2PE-Solution-approval

• PCI SSC updated FAQs #1251, #1338, #1339:

  • https://pcissc.secure.force.com/faq/articles/FrequentlyAskedQuestion/What-is-the-process-to-use-previously-deployed-POI-devices-in-a-PCI-P2PE-solution
  • https://pcissc.secure.force.com/faq/articles/FrequentlyAskedQuestion/What-is-the-difference-between-POI-firmware-and-additional-software-that-may-be-present-on-the-POI-device
  • https://pcissc.secure.force.com/faq/articles/FrequentlyAskedQuestion/Are-POI-devices-with-only-the-PTS-approved-firmware-i-e-no-additional-software-eligible-for-use-in-a-PCI-P2PE-solution
• New PCI security awareness essentials - patching video https://blog.pcisecuritystandards.org/video-patching (and info-graphic) follows up on their essentials info-graphic https://www.pcisecuritystandards.org/documents/Payment-Data-Security-Essential-Patching.pdf. See the related https://blog.pcisecuritystandards.org/video-strong-passwords and https://www.pcisecuritystandards.org/documents/Payment-Data-Security-Essential-Strong-Passwords.pdf
• EFF takes on Paypal on overly broad terms of service https://www.eff.org/deeplinks/2018/06/following-copyright-law-should-be-enough-even-when-payment-processors-say-it-isnt

Breaches / Leaks

• Possibly the first major card breach post-GDPR, Dixons Carphone - almost 6M payment cards and another 1.2M records https://www.databreachtoday.com/dixons-carphone-breach-59-million-payment-cards-exposed-a-11076
• French Optical Center fined €250K by CNIL for pre-GDPR breach of customer records https://www.enterprisetimes.co.uk/2018/06/13/optical-center-gets-e250000-fine-from-the-cnil/
• Cambridge University exposed the sensitive data of 3M users from the Facebook mypersonality app https://www.privacyrights.org/data-breaches?title=Facebook,%20inc.
• Weight Watchers IT Infrastructure Exposed via Password-less Kubernetes Server https://www.bleepingcomputer.com/news/security/weight-watchers-it-infrastructure-exposed-via-no-password-kubernetes-server/
• What the biggest data breaches would have been fined under GDPR https://www.forbes.com/sites/bernardmarr/2018/06/11/gdpr-the-biggest-data-breaches-and-the-shocking-fines-that-would-have-been/
• Yahoo fined £250K in UK for 2014 breach under pre-GDPR rules https://www.theregister.co.uk/2018/06/12/yahoo250kico_fine/
• Vermont librarian takes Equifax to small claims court and wins $600 over breach https://krebsonsecurity.com/2018/06/librarian-sues-equifax-over-2017-data-breach-wins-600/
• A deeper look at the previously reported problems with people sharing corporate credentials with Trello https://krebsonsecurity.com/2018/06/further-down-the-trello-rabbit-hole/

Laws & Regulations / Standards

• European law makers are calling for the suspension of the US Privacy Shield agreement https://epic.org/2018/06/european-civil-liberties-commi.html
• Colorado’s breach reporting law trumps HIPAA https://www.databreachtoday.com/colorados-tougher-breach-law-healthcare-incidents-included-a-11071
• EFF is supporting the ENCRYPT act to strengthen encryption policy https://www.eff.org/deeplinks/2018/06/encrypt-act-protects-encryption-us-state-prying
• Court vacates FTC order that wasn’t specific enough https://epic.org/2018/06/court-of-appeals-vacates-ftcs-.html
• US imposes more sanctions for Russian cyberattacks https://www.databreachtoday.com/us-imposes-more-russian-sanctions-for-cyberattacks-a-11069
• GDPR: UK privacy regulator open to eventual self-certification https://www.databreachtoday.com/gdpr-uk-privacy-regulator-open-to-self-certification-a-11066
• HITECH, HIPAA, and Electronic Health and Medical Records https://www.datex.ca/blog/what-is-the-relationship-between-hitech-hipaa-and-electronic-health-and-medical-records
• Citizen Lab paper on the "Encryption Debate" https://citizenlab.ca/2018/05/shining-light-on-encryption-debate-canadian-field-guide/ and https://deibert.citizenlab.ca/2018/05/digital-security-for-whom-or-what/
• Canada updates its cyber-strategy https://globalnews.ca/news/4269222/ottawa-unveils-new-cybersecurity-strategy-targeting-public-businesses/
• The Canadian music industry wants copying fees applied to every smartphone sold in Canada http://www.michaelgeist.ca/2018/06/canadian-music-industry-wants-government-to-pay-copying-fee-for-every-smartphone-sold-in-canada/
• Canada's federal government frustration with CRTC's carriers over consumers approach http://www.michaelgeist.ca/2018/06/crtc-rebuked-government-signals-frustration-with-the-commission-prioritizing-carriers-over-consumers/
• UK police face legal challenges over the use of automated facial recognition technology https://www.theguardian.com/technology/2018/jun/14/police-face-legal-action-over-use-of-facial-recognition-cameras

Privacy

• Parents nervous about privacy an Google G-suite educational tools http://www.cbc.ca/radio/spark/episode-401-1.4694935/as-google-for-education-tools-enter-classrooms-across-canada-some-parents-are-asking-to-opt-out-1.4694939
• Vermont’s new privacy law https://www.schneier.com/blog/archives/2018/06/newdataprivac.html
• Privacy Irony? Cambridge Analytica's ex-data chief rebrands himself as a privacy advocate http://www.businessinsider.com/cambridge-analyticas-alexander-tayler-seeks-privacy-advocate-work-2018-6

Bugs / Design Flaws

• Longstanding bug in Apple digital certificate implementation could have facilitated malware https://motherboard.vice.com/en_us/article/evkq3m/apple-macos-malware-okta-research
• Android Debugging Bridge left open by default https://www.bleepingcomputer.com/news/security/tens-of-thousands-of-android-devices-are-exposing-their-debug-port/
• Hey, Cortana. Help me break into this fully patched locked Windows 10 system. http://www.bbc.co.uk/news/technology-44457166
• Intel CPU on Windows Lazy Floating Point vulnerability can expose sensitive register data https://www.bleepingcomputer.com/news/security/new-lazy-fp-state-restore-vulnerability-affects-all-intel-core-cpus/
• Bug in GnuPGP let's attackers spoof messages into the UI via an unsanitized file name https://thehackernews.com/2018/06/gnupg-encryption-signature.html
• Data Exfiltration via Formula Injection #Part1 https://www.notsosecure.com/data-exfiltration-formula-injection/
• Web cache poisoning attack to be presented at Black Hat https://www.darkreading.com/vulnerabilities--- threats/new-hack-weaponizes-the-web-cache/d/d-id/1332027
• New Spectre/Meltdown fixes https://www.bleepingcomputer.com/news/security/heres-the-status-of-meltdown-and-spectre-mitigations-in-windows/
• Smart lock can be easily hacked http://www.bbc.co.uk/news/technology-44457166

Hacking / Malware / Cybercrime

• $50M stolen in attack on Coinrail cryptocurrency exchange https://www.databreachtoday.com/coinrail-cryptocurrency-exchange-in-south-korea-hacked-a-11068
• 74 arrested in global Business Email Compromise crackdown is a small fraction of those responsible for $3.7B in losses https://www.databreachtoday.com/74-arrests-in-business-email-compromise-takedown-a-11070
• $1.1B stolen in crypto-currency thefts in 6 months https://www.bankinfosecurity.com/cryptocurrency-theft-11-billion-stolen-in-last-6-months-a-11073
• Stealthy crypto-miner plays hide-and-seek https://www.bleepingcomputer.com/news/security/cryptocurrency-miner-plays-hide-and-seek-with-popular-games-and-tools/
• Backdoored Docker Images removed from Docker Hub https://www.bleepingcomputer.com/news/security/17-backdoored-docker-images-removed-from-docker-hub/
• Banco de Chile, which previously reported a massive malware DoS attack to cover a SWIFT heist, was hit for $10M https://www.bankinfosecurity.com/banco-de-chile-loses-10-million-in-swift-related-attack-a-11075
• The BrowseFox adware plugin is being used to abuse certificate signing and push malware https://blog.trendmicro.com/trendlabs-security-intelligence/how-machine-learning-techniques-helped-us-find-massive-certificate-abuse-by-browsefox
• The most abused (spammy) top level domains https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/

Other Security / Risk

• Help prevent leaky buckets with free training - AWS best practices webinars https://www.theregister.co.uk/2018/06/12/awsbestpracticeswebinarseriesbuildingsecurityintoyour_environment/
• Sorry FBI, iOS12 security features may include requirement for providing the pass-code before unlocking all connections into your phone https://www.schneier.com/blog/archives/2018/06/newiphoneos_m.html
• New Google open source library for end-to-end encryption of push messages in Android apps https://security.googleblog.com/2018/06/end-to-end-encryption-for-push.html
• Discussion and links to presentation on Security and Complexity https://www.schneier.com/blog/archives/2018/06/thomasdullien\.html
• The consequences of ending net neutrality https://www.eff.org/deeplinks/2018/06/bleak-future-internet-without-net-neutrality-and-what-you-can-do-stop-it
• IPv6 is on by default, time to pay attention or risk a security bypass https://www.darkreading.com/vulnerabilities--- threats/weaponizing-ipv6-to-bypass-ipv4-security-/a/d-id/1331993
• Common patterns people use to satisfy password complexity rules https://blog.rapid7.com/2018/06/12/password-tips-from-a-pen-tester-common-patterns-exposed/
• Anti-malware tools aren't good at finding stalker applications https://globalnews.ca/news/4223784/find-stalker-apps-phone/
• Europe now claiming Kaspersky confirmed as malicious and recommending their tools be removed https://www.databreachtoday.com/eu-claims-kaspersky-lab-software-confirmed-as-malicious-a-11080
• Kaspersky reacts by suspending joint work https://www.darkreading.com/operations/kaspersky-lab-freezes-work-with-europol-in-protest-of-eu-vote/d/d-id/1332048
• Satellites as a threat vector in 5G networks https://blog.trendmicro.com/trendlabs-security-intelligence/attack-vectors-in-orbit-need-for-satellite-security-in-5g-iot
• Schneier essay on the Russian censorship of the Telegram app https://www.schneier.com/blog/archives/2018/06/russian_censors.html
• Study on claiming credit for cyberattacks https://scienmag.com/claiming-credit-for-cyberattacks/
• Potential security concerns over USB powered fans given out in press kits at US-NK summit https://www.bbc.com/news/technology-43128073
• 1/3 of adults may be unaware they are using meds that can cause depression https://scienmag.com/one-third-of-us-adults-may-unknowingly-use-medications-that-can-cause-depression/
• The difficulty of verifying de-nuclearization https://www.wired.com/story/north-korea-summit-nuclear-promises

Off-Topic

• US builds 200 petaflop AI machine at Oak Ridge using IBM and NVIDIA gear https://www.technologyreview.com/s/611077/the-worlds-most-powerful-supercomputer-is-tailor-made-for-the-ai-era/
• Evidence of ancient organics on Mars https://www.universetoday.com/139429/and-nasas-big-announcement-is-ancient-organic-molecules-found-on-mars/
• Breakthrough Starshot – the fast solar sail tech – looking for companies to build the sail https://www.universetoday.com/139400/breakthrough-starshot-is-now-looking-for-the-companies-to-build-its-laser-powered-solar-sails-to-other-stars-1/
• Just weird, a supermassive black hole could in theory support 1 Million habitable planets http://www.space.com/40846-black-hole-million-habitable-planets.html
• How many people do you need for a generation ship?  About 100 based on this https://www.universetoday.com/139456/whats-the-minimum-number-of-people-you-should-send-in-a-generational-ship-to-proxima-centauri/
• In use today, concrete that uses less cement and traps CO2 http://money.cnn.com/2018/06/12/technology/concrete-carboncure/index.html