This Week’s [in]Security – Issue 80 | insecurity | Control Gap

Welcome to This Week’s [in]Security - Facebook breach fallout and other troubles,  rethinking privacy, PIN on COTS (SPoC) gets closer as SCRP devices begin to certify, border security, free trade, more firmware bugs and back-doors including Chinese supply chain attack.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

• The first SCRP reader, which are needed for SPoC (PIN on COTS) solutions, was recently certified under PTS 5.1.    https://www.pcisecuritystandards.org/popups/pts_device.php?appnum=4-30341 and https://www.brightsight.com/en/archieven/1461.
• To search for SCRP readers visit https://www.pcisecuritystandards.org/assessorsandsolutions/pintransactiondevices and select SCRP as the Device Type.
• FAQ #1439 on SAQ-A updated for requirement 6 clarification https://pcissc.secure.force.com/faq/articles/FrequentlyAskedQuestion/How-do-PCI-DSS-Requirements-2-6-and-8-apply-to-SAQ-A-merchants

Breaches / Leaks

• Facebook's latest breach affecting 90M users and lots of 3rd party apps continue to unfold as well as new privacy issues and the fallout from earlier issues in this terrible year https://controlgap.com/blog/social-network-spiraling-everything-going-on-with-facebook-up-until-now/
• Sales engagement startup Apollo says its massive contacts database was stolen in a data breach https://techcrunch.com/2018/10/01/apollo-contacts-data-breach/
• Retailer SHEIN breached information on 6M user’s credentials, no payment data https://www.infosecurity-magazine.com/news/breach-us-retailer-shein-six/
• Burgerville customer credit card info stolen in POS malware based data breach, size and scope not yet public https://www.zdnet.com/article/burgerville-customer-credit-card-info-stolen-in-data-breach-laid-at-fin7s-feet/
• UK political party conference app exposes phone numbers of MP’s and journalists https://www.theregister.co.uk/2018/10/01/toryconferenceappdatabreachdorriesblockchain_prank/
• Tesco Bank fined £16.4m by watchdog over cyber-attack https://www.theguardian.com/business/2018/oct/01/tesco-bank-fined-cyber-attack-fca

Laws & Regulations / Standards

• Biometrics and the 5th amendment:

  • FBI ordered man to unlock phone with FaceID https://www.pymnts.com/legal/2018/apple-iphone-x-face-id-biometric-security/
  • Searching phones - police vs border control https://www.wired.com/story/police-unlock-iphone-face-id-legal-rights/
• New Zealand boarder controls "digital strip search" https://www.washingtonpost.com/news/morning-mix/wp/2018/10/02/new-zealands-digital-strip-searches-give-border-agents-your-device-passwords-or-risk-a-5000-fine/
• California sued by US government over Net Neutrality law https://arstechnica.com/tech-policy/2018/09/california-governor-signs-net-neutrality-rules-into-law/ and https://www.washingtonpost.com/technology/2018/10/01/trump-administration-is-suing-california-quash-its-new-net-neutrality-law/
• The new NAFTA USMCA frees up Canadian data to US companies https://www.washingtonpost.com/amphtml/world/theamericas/experts-say-usmca-frees-canadian-data--but-with-unknown-risks/2018/10/03/3bdb05be-c651-11e8-9c0f-2ffaf6d422aastory.html
• The impact of the USMCA on Canadian Copyright Law http://www.michaelgeist.ca/2018/10/the-usmca-and-copyright-reform-who-is-writing-canadas-copyright-law-anyway/
• The CRTC rejected the Bell Canada coalition’s website blocking proposal http://www.michaelgeist.ca/2018/10/application-denied-crtc-rejects-bell-coalition-website-blocking-proposal/
• NIST Blockchain Technology Overview update https://csrc.nist.gov/news/2018/nistir-8202-blockchain-technology-overview and details https://csrc.nist.gov/publications/detail/nistir/8202/final

• NIST is withdrawing the following

  • SP 800-48 Rev. 1 (July 2008), Guide to Securing Legacy IEEE 802.11 Wireless Networks  https://csrc.nist.gov/publications/detail/sp/800-48/rev-1/final
  • SP 800-120 (September 2010), Recommendation for EAP Methods Used in Wireless Network Access Authentication https://csrc.nist.gov/publications/detail/sp/800-120/final
  • SP 800-127 (September 2010), Guide to Securing WiMAX Wireless Communications https://csrc.nist.gov/publications/detail/sp/800-127/final

Privacy

• Evaluating privacy of systems https://freedom-to-tinker.com/2018/09/27/privaci-challenge-context-matters/
• Discussion and link to interview with NYU Law Professor Helen Nissenbaum on data privacy and why it's wrong to focus on consent. https://www.schneier.com/blog/archives/2018/10/helennissenbau1.html or original interview https://hbr.org/2018/09/stop-thinking-about-consent-it-isnt-possible-and-it-isnt-right

Bugs / Design Flaws / Vulnerabilities / Defense

• Deleted files and driver problems are among the serious problems with Windows 10 October update:

  • Intel audio drivers and file deletion https://www.zdnet.com/article/windows-10-october-update-problems-wiped-docs-plus-intel-driver-warning/
  • No fix for file deletion bug so far https://www.zdnet.com/article/windows-10-october-update-delete-your-files-this-tool-might-recover-them/
• Windows touchscreen handwriting to text conversion is hording passwords and other information in plain text https://www.zdnet.com/article/this-windows-file-may-be-secretly-hoarding-your-passwords-and-emails/
• Hardware back-doors in Chinese products https://www.bloomberg.com/news/articles/2018-10-04/the-big-hack-amazon-apple-supermicro-and-beijing-respond
• iOS 12 lock code bypass using Siri https://thehackernews.com/2018/10/iphone-passcode-bypass-hack.html
• Apple forgot to lock Intel Management Engine in laptops https://www.theregister.co.uk/2018/10/03/intelmanagementengine_hole/
• Another firmware vulnerability, this found in Dell's iDRAC service https://www.theregister.co.uk/2018/10/03/idracdellserver_firmware/
• Vulnerabilities in NAS devices https://threatpost.com/nine-nas-bugs-open-lenovoemc-iomega-devices-to-attack/137829/
• The 2018 NICE K12 Cybersecurity Education Conference has been announced for December 3-4 in San Antonio https://www.k12cybersecurityconference.org/registration/

Hacking / Malware / Cybercrime / Offense

• Voice scammers are getting trickier https://krebsonsecurity.com/2018/10/voice-phishing-scams-are-getting-more-clever/
• The FCC Is Fighting Back Against Robocalls using spoofed numbers http://mentalfloss.com/article/559158/fcc-fighting-back-against-robocalls
• Swiss Chalet, Harvey's, other big chains hit by 'malware outbreak' https://www.cbc.ca/news/business/recipe-unlimited-swiss-chalet-east-side-mario-s-malware-outbreak-1.4845907
• Bitcoin ransom demanded in cyberattack on big Canadian restaurants https://www.cbc.ca/news/business/ransomware-hack-recipe-unlimited-restaurant-cyberattack-1.4847487
• Russia accused of brazen attack on world chemical weapons watchdog https://www.cnn.com/2018/10/04/europe/netherlands-russia-gru-intl/index.html
• North Korean Hackers Tied to $100 Million in SWIFT Fraud https://www.databreachtoday.com/north-korean-hackers-tied-to-100-million-in-swift-fraud-a-11579
• CEO of Phantom Secure pleads guilty to facilitating crime with secure smart phones sold to organized crime  https://motherboard.vice.com/en_us/article/gyewe9/phantom-secure-ceo-pleads-guilty-vincent-ramos
• French police officer caught selling confidential police data on the dark web https://www.zdnet.com/google-amp/article/french-police-officer-caught-selling-confidential-police-data-on-the-dark-web/
• Latvian programmer gets 14 years in prison for enabling Target breach https://www.mobilepaymentstoday.com/news/hacker-gets-14-years-in-prison-for-enabling-target-breach/
• Responding to ransomware attacks: critical elements https://www.databreachtoday.com/responding-to-ransomware-attacks-critical-elements-a-11578

Other Security / Risk

• Facebook actually had some good news but it's being overshadowed by other troubles, they are included in our standalone article https://controlgap.com/blog/social-network-spiraling-everything-going-on-with-facebook-up-until-now/
• Krebs describes the problem of security researchers posing as crooks and telling them apart https://krebsonsecurity.com/2018/10/when-security-researchers-pose-as-cybercrooks-who-can-tell-the-difference/
• Employees share an average of six passwords with co-workers https://www.darkreading.com/threat-intelligence/employees-share-average-of-6-passwords-with-co-workers/d/d-id/1332933
• US and Australia are at odds with Canada and the UK on how to protect against potential backdoors in Huawei equipment and software https://www.theglobeandmail.com/politics/article-us-intelligence-officials-question-canadas-ability-to-test-chinas/
• Research shows a new way to get hardware based random numbers https://www.theregister.co.uk/2018/10/01/hardwarerandomnumbers/
• Saudi Arabia is actively spying in Canada https://deibert.citizenlab.ca/2018/10/saudi-cyber-espionage/
• Terahertz millimeter-wave scanners are being touted for their ability to detect terrorist bombers and not invade privacy https://www.schneier.com/blog/archives/2018/10/terahertz_milli.html
• Fitbit data used to charge US man with murder http://www.bbc.co.uk/news/technology-45745366
• Addiction could stem from ancient virus https://www.cnn.com/2018/09/25/health/retrovirus-addiction-study-intl/index.html

Off-Topic / Science & Tech / Lighter Side

• Inexpensive 3D printed homes https://www.businessinsider.com/3d-homes-that-take-24-hours-and-less-than-4000-to-print-2018-9
• A broken font that can help improve memory? Could this font help your memory? https://www.cnn.com/style/article/memory-boosting-font-intl/index.html
• The “death comet” is being hyped as catastrophic, relax – it’s just a nickname and it will pass a long way away https://www.universetoday.com/140108/the-death-comet-will-pass-by-earth-just-after-halloween/
• No this is not another Batman reboot, it’s NASA’s Mars Rover on the streets of NYC https://www.space.com/41956-stephen-colbert-neil-tyson-mars-rover-joyride.html
• Another icy object points way to a ninth planet https://www.syfy.com/syfywire/a-newly-discovered-extremely-distant-icy-world-points-to-planet-9
• Astronomers find stars incoming from outside our galaxy in Gaia probe data https://phys.org/news/2018-10-gaia-stars-galaxies.html
• No precedents, the quest for Kosher bacon is a real thing https://www.nytimes.com/2018/09/30/technology/meat-labs-kosher-bacon.html