This Week’s [in]Security – Issue 82 | insecurity | Control Gap

Welcome to This Week’s [in]Security. This week: PCI (non-DSS) updates, supply chain security, early TLS sunset, breaches: settlements, Pentagon travelers, voters records; voting machines, DNA and privacy, fuzzing, and AI limitations.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

• News about the soon to be released PCI Software Security Standard https://blog.pcisecuritystandards.org/pci-software-security-standards-coming-soon
• PCI Small Merchant Case Study showcases new small merchant tools https://www.pcisecuritystandards.org/documents/PCIAccorHotelsVigiTrustCaseStudy_-v03.pdf
• What’s Next for PCI Card Production and Provisioning? https://blog.pcisecuritystandards.org/whats-next-for-pci-card-production-and-provisioning
• PCI Card Production Technical (i.e. mandatory) FAQs were updated https://www.pcisecuritystandards.org/documents/CardProdSecurityRqrmtsFAQsv2October_2018.pdf
• PCI PTS POI v5 Security Requirement Technial FAQ's updated https://www.pcisecuritystandards.org/documents/PTSPOITechnicalFAQsv5Oct2018.pdf

Breaches / Leaks

• Pentagon discloses breach of card data through travel supplier https://www.zdnet.com/article/pentagon-discloses-card-breach/
• Amazon's cloud is authorized to store classified US government data, Wikileaks just dumped their data center locations https://www.techspot.com/amp/news/76900-wikileaks-dumps-amazon-data-center-locations-all-see.html
• Tea Party super PAC leaked 500K voter records via AWS S3 bucket https://www.theregister.co.uk/2018/10/17/republicanteapartyfundsecurity_blunder/
• A dating app for Trump supports is massively insecure, leaking just about everything https://www.theregister.co.uk/2018/10/15/donaldtrumpdatingappinsecure/

• PRC just posted info on several unsized breaches that were reported this summer.  We know they were big enough to require notification in California:

  • JP Morgan Chase https://www.databreachtoday.com/aetna-hit-more-penalties-for-two-breaches-a-11611
  • Capital One https://www.privacyrights.org/data-breaches?title=Capital%20One
  • Amex Travel https://www.privacyrights.org/data-breaches?title=American%20Express%20Travel%20Related%20Services%20Company,%20Inc
• Aetna is still paying the price for two HIPAA breaches in 2017 https://www.databreachtoday.com/aetna-hit-more-penalties-for-two-breaches-a-11611
• Anthem's $16M  HIPAA breach settlement https://www.databreachtoday.com/anthem-mega-breach-record-16-million-hipaa-settlement-a-11622

Laws & Regulations / Standards

• Canada's new breach reporting law will be here soon https://www.packetlabs.net/november-1-pipeda-breach-reporting/
• The debate over Australia’s new draft crypto legislation continues – still drawing criticism https://www.databreachtoday.com/tech-companies-bristle-at-australias-crypto-legislation-a-11599

• The impending death of early TLS in 2020

  • NIST releases second draft of Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations. Requires government TLS servers and clients support TLS 1.2 configured with FIPS-based cipher suites, and recommends that agencies develop migration plans to support TLS 1.3 by January 1, 2024. Update: https://csrc.nist.gov/news/2018/second-draft-of-TLS-guidance-now-available and Details: https://csrc.nist.gov/publications/detail/sp/800-52/rev-2/draft
  • Chrome https://security.googleblog.com/2018/10/modernizing-transport-security.html
  • Mozilla TLS https://blog.mozilla.org/security/2018/10/15/removing-old-versions-of-tls/
• EFF report on rights of security researchers across the America's https://www.eff.org/deeplinks/2018/10/canada-chile-security-researchers-have-rights-our-new-report
• EPIC's 2018 Privacy Law Sourcebook https://epic.org/2018/10/epic-publishes-privacy-law-sou-1.html
• New York's AG investigating possible fraud in FTC Net neutrality commenting https://www.nytimes.com/2018/10/16/technology/net-neutrality-inquiry-comments.html
• On October 17 Canada became the first G7 country to legalize recreational marijuana, having said that where and when people can use it varies and depends on Provincial legislation, City bylaws, private property rules, and both organizational and institutional rules.  Restrictions include some obvious common sense reasons and some less so.  Examples include: https://globalnews.ca/news/4438410/canada-marijuana-tourism-pot-visitor-guide/, https://www.cbc.ca/news/canada/marijuana-faq-legalization-need-to-know-1.4862207, and https://globalnews.ca/news/4536465/cannabis-legalization-where-you-can-smoke-ottawa/

Privacy

• Article and discussion of research into indirect privacy violations, specifically how DNA databases violate everyone’s privacy, and mitigation strategies. Discussion also covers Facebook https://www.schneier.com/blog/archives/2018/10/howdnadatabas.html
• Google has reversed it's position on letting app developers scan email https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2018/10/16/the-cybersecurity-202-google-puts-privacy-over-business-incentives-with-new-developer-restrictions/5bc4bbec1b326b7c8a8d19c1/ (this reversal has come about with the month https://controlgap.com/blog/this-weeks-insecurity-issue-79/ when it was reported this was still happening)
• Does Canadian Privacy Law apply to Google search? http://www.michaelgeist.ca/2018/10/does-canadian-privacy-law-apply-to-google-search/
• Senate hearing on consumer privacy talks to privacy experts and consumer advocates https://www.eff.org/deeplinks/2018/10/new-witness-panel-tells-congress-how-protect-consumer-data-privacy
• Another recently discovered privacy problem with TLS's 0-RTT/1-RTT allows web tracking https://www.theregister.co.uk/2018/10/19/tlshandshakeprivacy/

Bugs / Design Flaws / Vulnerabilities / Defense

• Krebs interviews CIS’s Tony Sager about supply chain security https://krebsonsecurity.com/2018/10/supply-chain-security-101-an-experts-view/
• Discussion and link to article and interview on government perspective on supply chain attacks https://www.schneier.com/blog/archives/2018/10/government_pers.html
• Apparently unpatched, simple, and persistent Windows "RID Hijacking" privilege escalation bug affects many versions of Windows https://www.zdnet.com/article/researcher-finds-simple-way-of-backdooring-windows-pcs-and-nobody-notices-for-ten-months/
• Massive Oracle patch addresses 300 vulnerabilities https://www.theregister.co.uk/2018/10/16/oraclepatchbundle/
• Recent research from Concordia University found commercial TLS proxy gear insecure by default https://www.theregister.co.uk/2018/09/27/tlsproxiesstillmostlyrubbishsaycanadianinfosecboffins/
• Fuzzing is a powerful vulnerability discovery tool, the technology is still maturing, so how do you know how well it works https://blog.trailofbits.com/2018/10/05/how-to-spot-good-fuzzing-research/
• Paper on how Datex applies Attribute Based Access Controls https://www.datex.ca/blog/attribute-based-access-control-abac
• Horribly insecure voting machine infringes on patent https://freedom-to-tinker.com/2018/10/16/design-flaw-in-dominion-imagecast-evolution-voting-machine/
• Article and discussion of West Virginia's Internet voting trials https://www.schneier.com/blog/archives/2018/10/westvirginiau.html

Hacking / Malware / Cybercrime / Offense

• US Voter data for sale https://www.databreachtoday.com/us-voter-records-for-sale-on-hacker-forum-a-11616
• Twitter releases huge dump (10M+ tweets) showing Russian and Iranian influence going back to 2009 https://www.scmagazine.com/home/security-news/twitter-releases-10m-tweets-reveals-decade-of-foreign-influence-including-russias-efforts-during-2016-election/ and https://blog.twitter.com/official/en_us/topics/company/2018/enabling-further-research-of-information-operations-on-twitter.html
• Crypto-currency Exchange lost $882M in attacks https://www.databreachtoday.com/report-cryptocurrency-exchanges-lost-882-million-to-hackers-a-11624
• UK investigated over 1000 significant incidents in 2 years, mostly attributed to nation state actors https://www.databreachtoday.com/10-cyberattacks-investigated-weekly-by-uk-a-11617
• Canada: CSE memo reports blocking 474M “malicious cyber activities” per day in 2016-2017  https://www.thestar.com/politics/federal/2018/10/17/hackers-target-federal-government-networks-an-average-of-474-million-times-per-day-memo-shows.html
• Another example of supply side malware: abandoned Tweet counter hijacked https://www.bleepingcomputer.com/news/security/abandoned-tweet-counter-hijacked-with-malicious-script/
• Large scale homographic phising in Iceland https://www.bleepingcomputer.com/news/security/largest-cyber-attack-against-iceland-driven-by-complex-phishing-scheme/
• University vending machine App hacked for unlimited credit https://www.bleepingcomputer.com/news/security/vending-machine-app-hacked-for-unlimited-credit/

Other Security / Risk

• Opinion: The Current State Of Cybersecurity Shows Now Is The Time For Zero Trust https://www.forbes.com/sites/louiscolumbus/2018/10/14/the-current-state-of-cybersecurity-shows-now-is-the-time-for-zero-trust/
• Audits missing in much of cyber-security https://www.darkreading.com/endpoint/audits-the-missing-layer-in-cybersecurity-/a/d-id/1333054
• Compounding injury - water authority hit by hurricane Florence and ransomware https://threatpost.com/in-county-crippled-by-hurricane-water-utility-targeted-in-ransomware-attack/138327/
• Washington Post security news: hacking medical devices, government failures to implement DMARC to secure email, hacking and accounting rules https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2018/10/17/the-cybersecurity-202-the-fda-is-embracing-ethical-hackers-in-its-push-to-secure-medical-devices/5bc6156b1b326b7c8a8d1a01/
• EPIC has obtained FTC emails concerning Facebook audits - and yes they had concerns https://epic.org/2018/10/epic-v-ftc-epic-obtains-emails.html
• Interesting article about how social media and always connected makes life for poachers easier https://www.lightbluetouchpaper.org/2018/10/11/privacy-for-tigers/
• AI/Machine Learning - Neural Networks don't get (and can't create) optical illusions https://www.technologyreview.com/s/612261/neural-networks-dont-understand-what-optical-illusions-are/
• Fake crypto-mining software just serves ads https://www.bleepingcomputer.com/news/security/android-apps-pretend-to-mine-unmineable-cryptocurrencies-to-just-show-ads/

Off-Topic / Science & Tech / Lighter Side

• Wally Pacholka captures beautiful images of the night sky in amazing settings, his work has won awards and been featured by NASA's APOD.  Here's a Geminid meteor streaking past the big dipper from California's Anza Borrego state park http://www.astropics.com/wally-pacholka-photographs/new-wally-pacholka-photographs/anza-borrego-geminid-over-badlands.html
• An audio/optical illusion https://www.businessinsider.com/optical-illusion-sound-2018-10