This Week’s [in]Security – Issue 67 | insecurity | Control Gap

Welcome to This Week’s [in]Security. We’ve collected and grouped together a selection of this week’s news, opinions, and research. Quickly skim these annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

• 2017 saw 2.3B chip cards shipped worldwide https://www.pymnts.com/news/payments-innovation/2018/chip-card-smart-payment-association/
• Who knew? There's another PCI (Payments Council of India) and they appointed a new chairman https://economictimes.indiatimes.com/industry/banking/finance/banking/pci-appoints-new-chairman-vishwas-patel-co-chairman-loney-antony/articleshow/64846548.cms

Breaches / Leaks

• Wired sums up the worst breaches of the first half of 2018 https://www.wired.com/story/2018-worst-hacks-so-far
• Adidas website breached for contact information and encrypted passwords https://www.theregister.co.uk/2018/06/29/adidas_breach/
• US law enforcement personel exposed by breach at Texas State University’s Advanced Law Enforcement Rapid Response Training https://www.privacyrights.org/data-breaches?title=Advanced%20Law%20Enforcement%20Rapid%20Response%20Training,%20Texas%20State%20University
• Macy's warns customers of online data breach via reused credentials https://www.freep.com/story/money/business/2018/07/06/macys-data-breach-online/763074002/
• Timehop security breach of app access keys last Christmas affects the company’s entire 21M userbase https://www.bleepingcomputer.com/news/security/timehop-security-breach-affects-the-company-s-entire-21-million-userbase/
• Another former Equifax staffer charged with insider trading https://nakedsecurity.sophos.com/2018/07/02/second-former-equifax-staffer-charged-with-insider-trading/
• The CBC privacy breach announced in May was slightly bigger and broader than first announced https://www.cbc.ca/news/politics/privacy-cbc-theft-computer-1.4732106
• It’s been observed that breached companies often rebound financially, but Cybersecurity stocks are still benefiting from Equifax https://www.pymnts.com/news/investment-tracker/2018/cybersecurity-stocks-equifax-data-breach-privacy/

Laws & Regulations / Standards

• Drinking from a firehose, article on eight of the NSA’s domestic spying centers https://theintercept.com/2018/06/25/att-internet-nsa-spy-hubs/
• Open for comments: NIST’s SP 800-71 Recommendations for Key Establishment Using Symmetric Block Ciphers. Update: https://csrc.nist.gov/News/2018/NIST-Releases-Draft-SP-800-71-for-Public-Comment and details: https://csrc.nist.gov/publications/detail/sp/800-71/draft
• NIST SP 800-116 Revision 1, Guidelines for the Use of Personal Identity Verification (PIV) Credentials in Facility Access. . Update: https://csrc.nist.gov/News/2018/NIST-Publishes-SP-800-116-Revision-1 and details: https://csrc.nist.gov/publications/detail/sp/800-116/rev-1/final
• How responsible disclosure works in the EU https://www.lightbluetouchpaper.org/2018/06/28/responsible-vulnerability-disclosure-in-europe/
• EFF ways in on the EU’s upcoming voting on proposed copyright filters and link tax https://www.eff.org/deeplinks/2018/06/crucial-next-few-days-eus-copyright-filter-and-link-tax-battle
• EU MEPs reject controversial copyright law that includes filters and link tax - http://www.bbc.co.uk/news/technology-44712475
• Homeland Security subpoenas Twitter for data breach finder's account https://www.zdnet.com/article/homeland-security-subpoenas-twitter-for-data-breach-finders-account/
• Do PGP key servers violate GDPR? https://www.theregister.co.uk/2018/07/05/pgpkeyservers_gdpr/
• Stupid patent of the month uncovers series of ridiculous patents by man being extradited to US to face sex-trafficking charges https://www.eff.org/deeplinks/2018/06/stupid-patent-month-alleged-cult-leader-wants-improve-performance
• Stupid patent, recorded language lessons, used to threaten teacher https://www.eff.org/deeplinks/2018/07/effs-help-language-teacher-responds-ridiculous-patent-threat

Privacy

• Your phone isn’t listening to you, but many apps are stealing screenshots of sensitive information https://gizmodo.com/these-academics-spent-the-last-year-testing-whether-you-1826961188
• Third-party apps can read your messages, here’s how to disconnect them from your Google account http://www.businessinsider.com/how-to-disconnect-third-party-apps-google-account-gmail-2018-7 and https://www.databreachtoday.com/what-apps-are-peeking-into-your-gmail-a-11171
• Article and discussion on how face makeup beats facial recognition software https://www.schneier.com/blog/archives/2018/07/beatingfacial\.html
• EFF and EPIC urge Illinois Supreme Court: to protect biometric privacy https://www.eff.org/deeplinks/2018/07/eff-illinois-supreme-court-protect-biometric-privacy and https://epic.org/2018/07/epic-urges-illinois-supreme-co.html
• Facebook gave 61 business, including AOL, Hinge, Nike, Nissan, Oracle, Panasonic, Serotek, Snap, Spotify, UPS, extensions to access data after 2014 https://www.theguardian.com/technology/2018/jul/02/facebook-user-data-access-companies-privacy
• Facebook under increasing scrutiny over Cambridge Analytica http://money.cnn.com/2018/07/02/technology/cambridge-analytica-facebook-fbi-ftc-sec/index.html
• UK National Health Service ignored patient opt-out requests for 3 years https://www.theregister.co.uk/2018/07/03/confidentialpatientinfonhssoftwaresharetpp/
• Citizen Lab asks National Energy Board about implications of Security Threat Monitoring Services https://citizenlab.ca/2018/06/letter-to-canadas-national-energy-board-regarding-security-threat-monitoring-services-request-for-information/

Bugs / Design Flaws

• Samsung phones are spontaneously texting users’ photos to random contacts without their permission https://www.theverge.com/circuitbreaker/2018/7/2/17528076/samsung-phones-text-rcs-update-messages
• Malicious PDF hid two zero-day vulnerabilities for Windows and Acrobat https://thehackernews.com/2018/07/windows-adobe-zero-exploit.html
• Discussion on the LTE Alter Attack https://www.schneier.com/blog/archives/2018/07/traffic_analysi.html and article with video demonstration http://www.theregister.co.uk/2018/06/29/4g_security/
• The Diameter protocol, an SS7 replacement, is routinely misconfigured and is still vulnerable https://www.bleepingcomputer.com/news/security/newer-diameter-telephony-protocol-just-as-vulnerable-as-ss7/

Hacking / Malware / Cybercrime

• New malware delivers binary payload that will ransomware your old PC or mine cryptocurrency using your shinny new high performance kit https://thehackernews.com/2018/07/cryptocurrency-mining-ransomware.html
• Hidden tunneling, successfully used in the Equifax breach, is on the rise as a criminal data exfiltration technique https://threatpost.com/financial-services-sector-rife-with-hidden-tunnels/132987/
• Iranian APT Poses As Israeli Cyber-Security Firm That Exposed Its Operations in phishing expedition https://www.bleepingcomputer.com/news/security/iranian-apt-poses-as-israeli-cyber-security-firm-that-exposed-its-operations/
• Pair generate $100 million of illegal profit by hacking press releases https://latesthackingnews.com/2018/07/08/100-million-of-illegal-profit-generated-by-hacking-press-releases/
• Former insider stole healthcare data indicted for criminal HIPAA violations https://www.databreachtoday.com/former-insider-indicted-for-criminal-hipaa-violations-a-11163
• First crypto-jacking conviction, person sentenced for malicious use of Coinhive library https://www.bleepingcomputer.com/news/security/first-ever-person-sentenced-for-malicious-use-of-coinhive-library/
• Macro-based malware campaign replaces desktop and Quick Launch shortcuts to install backdoor https://www.scmagazine.com/macro-based-malware-campaign-replaces-desktop-and-quick-launch-shortcuts-to-install-backdoor/article/778695/
• Kim Dotcom loses latest appeal against US extradition in regard to MegaUpload http://www.bbc.co.uk/news/technology-44720197
• Scientists Discover Hottest, Most Improbable Way to Steal Your Passwords but shoulder surfing is probably easier https://gizmodo.com/scientists-discover-hottest-most-improbable-way-to-ste-1827396066

Other Security / Risk

• OK, We Are Bad At Cybersecurity -- Now What? https://www.forbes.com/sites/forbestechcouncil/2018/07/06/ok-we-are-bad-at-cybersecurity-now-what/
• When should companies not work with governments? https://www.theguardian.com/technology/2018/jun/26/tech-government-contracts-worker-revolt-microsoft-amazon-google
• Google Cloud anti-abuse measures, gave business 3 days to respond or be permanently shut down http://www.businessinsider.com/google-cloud-threatens-to-automatically-delete-business-app-2018-7
• Facebook’s algorithms labels declaration of independence as 'hate speech’ illustrates risks of historical documents https://www.theguardian.com/world/2018/jul/05/facebook-declaration-of-independence-hate-speech
• BlackHat creating community to study human factors in InfoSec, especially those affecting practitioners https://www.darkreading.com/careers-and-people/6-drivers-of-mental-and-emotional-stress-in-infosec/d/d-id/1332195
• Interview with Chris Roberts about transportation security: planes, trains, and automobiles https://www.theregister.co.uk/2018/07/04/planehackerroberts_interview/
• Deloitte Report concludes Canada is struggling to keep up with demand for cybersecurity talent https://mobilesyrup.com/2018/07/04/canada-cybersecurity-demand-deloitte/
• More on the effectiveness of deep-fake videos or how well financed groups and nation states can make anyone say anything they want to mess with you https://www.cbc.ca/news/technology/deepfake-politics-1.4731665
• Discussion and link to research into perception of threats https://www.schneier.com/blog/archives/2018/06/conservation_of.html
• Why is WHO proposing a gaming disorder, but not a smartphone or Internet disorder https://www.theatlantic.com/technology/archive/2018/06/whos-afraid-of-virginia-wolfenstein/563843/
• One fifth of Bitcoins are permanently lost https://www.newsbtc.com/2018/07/07/lost-bitcoin-is-giving-birth-to-an-emerging-crypto-recovery-industry/
• Words in English change their meaning often due to popularization, just ask any "hacker".  Matt Blaze, a leading cryptographer, sells off crypto.com https://techcrunch.com/2018/07/07/rip-crypto/

Off-Topic

• New technique that uses lasers and fibre optic cables to detect earthquakes is almost as good as seismometers http://www.bbc.co.uk/news/science-environment-44683284
• Putting asteroid impact risk into perspective http://www.businessinsider.com/asteroid-sizes-that-can-damage-cities-states-planet-2018-6
• Dawn probe now in close-diving orbit of Ceres, finds evidence of water http://www.syfy.com/syfywire/dawn-is-now-barnstorming-ceres-and-seeing-wonders
• Almost forgotten, the soccer ball that survived the Challenger Space Shuttle explosion and flew into space 20 years later http://www.espn.com/espn/feature/story/_/id/23902766/nasa-astronaut-ellison-onizuka-soccer-ball-survived-challenger-explosion
• Direct observation of the birth of an Exoplanet https://gizmodo.com/astronomers-have-captured-first-direct-evidence-of-an-e-1827283946
• Who spends more on Canadian content, NetFlix or private broadcasters? http://www.michaelgeist.ca/2018/07/government-memo-suggests-netflix-outspends-canadian-private-broadcasters-on-canadian-english-scripted-programming/