This Week’s [in]Security – Issue 68 | insecurity | Control Gap

Welcome to This Week’s [in]Security. We’ve collected and grouped together a selection of this week’s news, opinions, and research. Quickly skim these annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

• Former Secret Service Agent: PCI DSS isn't enough https://www.law.com/legaltechnews/2018/07/10/former-secret-service-agent-pci-compliance-isnt-enough-in-todays-cyber-environment/
• Trustwave sued by insurers over the 2009 Heartland breach https://www.bleepingcomputer.com/news/security/security-firm-sued-for-failing-to-detect-malware-that-caused-a-2009-breach/ and https://www.itnews.com.au/news/trustwave-sued-for-40m-over-heartland-pci-dss-checks-497536

Breaches / Leaks

• Another fitness app, Polar, leaks military personnel locations https://www.itnews.com.au/news/polar-fitness-app-leaks-military-personnel-locations-497433
• Thomas Cook suffers small breach, uses GDPR article 33 to avoid reporting https://www.theregister.co.uk/2018/07/10/thomascookprivacy_flap/
• Breach of personal information confirmed at Domain Factory https://thehackernews.com/2018/07/web-hosting-server-hack.html
• Laptop contained health data of most NWT residents https://www.canhealth.com/2018/07/04/laptop-contained-health-data-of-most-nwt-residents/
• Aviation ID Australia says website accessed by unauthorized individual, PII taken, size of breach unknown https://www.databreachtoday.com/australian-airport-identity-card-issuer-breached-a-11205
• Credential stuffing and the recent find of the 111M userids and passwords found in the Pemiblanc list credential https://www.troyhunt.com/the-111-million-pemiblanc-credential-stuffing-list/
• Customers' text messages stolen from Android spyware company https://motherboard.vice.com/en_us/article/qvm44m/hacker-steals-text-messages-android-spyware-company-spyhuman
• Bloomingdales caught in Macy’s breach https://www.scmagazine.com/breach-department-unauthorized-party-accesses-macyscom-and-bloomingdalescom-customer-accounts/article/779351/
• Ticketmaster breach was part of a larger credit card skimming effort targeting upstream tools https://www.zdnet.com/article/ticketmaster-breach-was-part-of-a-larger-credit-card-skimming-effort-analysis-shows/
• Timehop admits to more data leakage, details GDPR danger https://www.theregister.co.uk/2018/07/12/timehopdataleak_update/
• Lack of multi-factor authentication cited as a contributor to recent Timehop breach https://www.databreachtoday.com/timehop-lack-multifactor-login-controls-led-to-breach-a-11183
• Facebook fined £500,000 UK data watchdog for pre-GDPR Cambridge Analytica breach - http://www.bbc.co.uk/news/technology-44785151
• Mail.ru, Russian company connected to Kremlin, had access to Facebook user data through apps as part of the 61 companies with extended access https://money.cnn.com/2018/07/10/technology/mailru-facebook-russia/index.html
• More from the Russia probe, 500K voter records were stolen https://epic.org/2018/07/special-counsel-russian-intell.html
• IBM studies data breach impact https://www.mobilepaymentstoday.com/news/ibm-studies-data-breach-impact/

Laws & Regulations / Standards

• NIST seeks comments on Draft Special Publication (SP) 800-56B Revision 2, Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography. Update https://csrc.nist.gov/News/2018/NIST-Releases-Draft-SP-800-56B-Rev-2-for-Comment and details https://csrc.nist.gov/publications/detail/sp/800-56b/rev-2/draft
• Chinese firm fined for stealing US trade secrets https://www.darkreading.com/attacks-breaches/chinese-wind-turbine-manufacturer-gets-max-fine-for-source-code-theft/d/d-id/1332243
• Movie Industry Denies Lawsuit Strategy Despite Proliferation of Legal Actions and Settlement Demands Against Thousands of Canadians http://www.michaelgeist.ca/2018/07/movie-industry-denies-lawsuit-strategy-despite-proliferation-of-legal-actions-and-settlement-demands-against-thousands-of-canadians/
• Microsoft calls for regulation of facial recognition technologies https://www.pymnts.com/amazon/2018/microsoft-regulation-facial-recognition-technology/
• EFF urges Patent Office not to make it harder to kill bad patents https://www.eff.org/deeplinks/2018/07/eff-patent-office-dont-make-it-harder-kill-bad-patents
• Canada's Privacy legislation is 20 years old, Michael Geist makes the case for PIPEDA 2.0 http://www.michaelgeist.ca/2018/07/pipeda-at-20-time-for-pipeda-2-0/

Privacy

• Instagram users mistakenly believe new question feature is anonymous https://www.theguardian.com/technology/2018/jul/15/instagram-question-answer-new-feature-mistakes

Bugs / Design Flaws

• New Spectre family vulnerability affects Intel chips https://www.theregister.co.uk/2018/07/10/intelsecurityspectre_advisories/

Hacking / Malware / Cybercrime

• FBI: Business e-mail compromise is a $12B scam https://www.ic3.gov/media/2018/180712.aspx
• Article and discussion on Department of Commerce botnet threat report https://www.schneier.com/blog/archives/2018/07/departmentofc.html
• New dual-platform malware targets both Windows and Linux https://www.techrepublic.com/article/this-new-dual-platform-malware-targets-both-windows-and-linux-systems/
• Stolen D-link certificate used to digitally sign spying malware https://thehackernews.com/2018/07/digital-certificate-malware.html
• PROPagate Code Injection Seen in the Wild https://www.schneier.com/blog/archives/2018/07/propagatecode\.html
• Technique to defeat Apple’s USB restricted mode https://thehackernews.com/2018/07/bypass-ios-usb-restricted-mode.html
• A new twist on sextortion scams uses your old password to be more convincing https://krebsonsecurity.com/2018/07/sextortion-scam-uses-recipients-hacked-passwords/

Other Security / Risk

• The trouble with patching https://www.databreachtoday.com/software-flaws-patching-so-hard-a-11187
• Fooling infrared vision https://www.economist.com/science-and-technology/2018/07/05/how-to-fool-infrared-vision-gear-into-thinking-you-are-not-there
• Notorious ‘Hijack Factory’ shunned from web https://krebsonsecurity.com/2018/07/notorious-hijack-factory-shunned-from-web/
• Apple’s security updates https://www.darkreading.com/operations/apple-releases-wave-of-security-updates/d/d-id/1332268
• ExxonMobil marketing bungles rewards card launch https://krebsonsecurity.com/2018/07/exxonmobil-bungles-rewards-card-debut/
• Demystifying the Dark Web: peeling back the layers of Tor’s onion services https://freedom-to-tinker.com/2018/07/12/demystifying-the-dark-web-peeling-back-the-layers-of-tors-onion-services/
• Power company shuts off electricity leads to woman’s death in possible violation of NJ law https://www.washingtonpost.com/news/morning-mix/wp/2018/07/09/an-oxygen-machine-was-keeping-an-ailing-woman-alive-then-the-power-company-shut-off-her-electricity/
• Chart gives U.S. Federal Reserve gloomy glimpse of trade-war world https://business.financialpost.com/news/economy/chart-of-the-century-gives-u-s-fed-reserve-gloomy-glimpse-of-trade-war-world
• The world has never seen a Category 6 hurricane, but the day may be coming https://www.thestar.com/news/world/2018/07/10/the-world-has-never-seen-a-category-6-hurricane-but-the-day-may-be-coming.html
• 10 Survival myths that can kill http://www.businessinsider.com/common-survival-myths-and-facts-2017-5

Off-Topic

• Calories and macros and BMI don’t count https://www.washingtonpost.com/lifestyle/wellness/calories-and-macros-and-bmi-dont-count-here-are-the-numbers-that-really-matter/2018/07/03/3325793e-7a45-11e8-aeee-4d04c8ac6158_story.html
• For the next while, all 5 naked-eye-visible planets can be seen at the same time - no telescope required https://www.cbc.ca/news/technology/5-planets-night-sky-1.4745932
• Universe's Expansion Rate Is Different Depending on Where You Look http://www.space.com/41163-universe-expansion-rate-changes-near-far.html
• Pluto and Charon in HD http://www.syfy.com/syfywire/we-now-have-official-high-resolution-maps-of-pluto-and-charon
• Rare twin asteroid discovered https://www.space.com/41154-rare-binary-asteroid-discovery-near-earth.html