This Week’s [in]Security – Issue 83 | insecurity | Control Gap

Welcome to This Week’s [in]Security. This week: new EMVco SRC, touch screen payments for the blind, Cathay Pacific, BA update, Obamacare, and more adult site breaches, Facebook fined, Yahoo payouts, secure DNS controversy, NIST, IoT privacy and surveillance, another Windows file bug, a near miss, and gullible thieves.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

• EMVCo releases new draft specification for Secure Remote Commerce (SRC) https://www.pymnts.com/news/emv/2018/emvco-secure-remote-commerce-specs-payments-security/ and https://www.pymnts.com/mastercard/2018/emv-secure-remote-commerce-specification/
• Verifone introduces first compliant full touchscreen supporting blind and visually impaired people https://www.businesswire.com/news/home/20181022005091/en/Verifone-Introduces-PCI-Compliant-Full-Touchscreen-Feature-Blind
• Older article on guessing credit card security values https://nakedsecurity.sophos.com/2016/12/05/how-to-guess-credit-card-security-codes/

Breaches / Leaks

• Cathay Pacific breach impacting 9.4M https://www.bleepingcomputer.com/news/security/cathay-pacific-suffers-data-breach-impacting-94-million-passengers/
• Cathay Pacific waited seven months to announce a data breach and aren't really saying how many payment cards were breached https://www.techspot.com/news/77109-cathay-pacific-waited-seven-months-announce-data-breach.html
• British Airways update, breach was l185K arger than first reported https://www.zdnet.com/article/british-airways-cyberattack-data-theft-bigger-than-we-first-thought/
• Texas Retirement Agency portal breach affects 1.25M https://www.databreachtoday.com/texas-retirement-agency-portal-breach-affects-125-million-a-11638
• Hackers accessed records of 75,000 people in government health insurance system breach https://gizmodo.com/healthcare-gov-portal-suffers-data-breach-trump-offici-1829877392 and https://www.theverge.com/2018/10/20/18003322/healthcare-gov-centers-for-medicare-and-medicaid-cybersecurity-breach
• Federation of Sovereign Indigenous Nations pays hacker $20K in bitcoin after massive data breach https://www.cbc.ca/news/canada/saskatoon/fsin-hacked-bitcoin-payment-data-breach-1.4875487
• Group of 8 adult sites breached https://arstechnica.com/information-technology/2018/10/hack-on-8-adult-websites-exposes-oodles-of-intimate-user-data/
• Facebook gets top pre-GDPR fine from UK ICO for Cambridge Analytica data breach https://www.businessinsider.com/facebook-gets-top-fine-ico-cambridge-analytica-data-breach-2018-10
• Yahoo must pay $50M in damages for data breaches https://www.theverge.com/2018/10/24/18019092/yahoo-data-breach-pay-damages-us-israel
• Majority of CISOs believe security breaches are inevitable https://betanews.com/2018/10/25/cisos-cyber-breaches-inevitable/

Laws & Regulations / Standards

• NIST draft Guide to Securing macOS 10.12 Systems for IT Professionals available for review and comment. Update: https://csrc.nist.gov/news/2018/nist-releases-draft-sp-800-179-rev-1-for-comment and details: https://csrc.nist.gov/publications/detail/sp/800-179/rev-1/draft
• Controversy over IETF’s DNS Privacy standards DNS-over-HTTPS vs. DNS-over-TLS https://www.theregister.co.uk/2018/10/23/paulvixieslapsdohasdnsprivacyfeaturebecomesastandard/

Privacy

• Are police using smart-home IoT devices for surveillance? https://www.schneier.com/blog/archives/2018/10/arethepolice_.html
• User Perceptions of Smart Home Internet of Things (IoT) Privacy https://freedom-to-tinker.com/2018/10/22/user-perceptions-of-smart-home-internet-of-things-iot-privacy/
• Tim Cook blasts weaponisation of personal data, speaks about GDPR and need for US regulation http://www.bbc.co.uk/news/technology-45963935

Bugs / Design Flaws / Vulnerabilities / Defense

• Severe authentication bug in libssh impacts F5 Networks, Red Hat, likely Cisco, and others https://www.zdnet.com/article/vendors-confirm-products-affected-by-libssh-bug-as-poc-code-pops-up-on-github/
• Windows 10 1809 Zip extraction bug overwrites files without confirmation https://www.bleepingcomputer.com/news/security/windows-10-1809-zip-extraction-bug-overwrites-files-without-confirmation/
• A Windows zero day that allows deletion of any file https://www.bleepingcomputer.com/news/security/new-windows-zero-day-bug-helps-delete-any-file-exploit-available/
• Longstanding bug in jquery file upload facilitates remote code execution https://threatpost.com/thousands-of-applications-vulnerable-to-rce-via-jquery-file-upload/138501/
• Opinion: Microsoft’s problem isn’t how often it updates Windows—it’s how it develops it https://arstechnica.com/gadgets/2018/10/microsofts-problem-isnt-shipping-windows-updates-its-developing-them/
• New privilege escalation in X.org windowing security flaw impacts most Linux and BSD distros https://www.zdnet.com/article/new-security-flaw-impacts-most-linux-and-bsd-distros/
• Mainframe's have amazing security capabilities but mainframe security is being taken for granted http://www.eweek.com/security/taking-a-closer-look-at-mainframe-security
• PAKE: Password Authenticated Key Exchange protocol avoids sending passwords to servers in clear text https://blog.cryptographyengineering.com/2018/10/19/lets-talk-about-pake/
• Android's new Prototect Confirmation API uses a trusted UI to protect transactions from malware https://security.googleblog.com/2018/10/android-protected-confirmation-taking.html
• Firefox supporting blocking tracking cookies https://blog.mozilla.org/security/2018/10/23/firefox-63-lets-users-block-tracking-cookies/
• Microsoft to incorporate Google's Retpoline patch against Spectre variant 2 https://www.darkreading.com/endpoint/google-patch-to-block-spectre-slowdown-in-windows-10/d/d-id/1333084
• Several ethical hacking courses https://thehackernews.com/2017/12/ethical-hacking-trainings.html

Hacking / Malware / Cybercrime / Offense

• Why the Bloomberg Supermicro spy chip story seems wrong https://www.databreachtoday.com/where-secret-spying-chip-reported-by-bloomberg-a-11633
• The Magecart gang is exploiting zero-days in e-commerce plug-ins https://threatpost.com/magecart-cybergang-targets-0days-in-third-party-magento-extensions/138547/
• Botnets keep finding IoT with default logins https://www.databreachtoday.com/botnets-keep-brute-forcing-internet-things-devices-a-11637
• Trump continues to use his personal iPhone and China and Russia are listening https://www.nytimes.com/2018/10/24/us/politics/trump-phone-security.html and https://www.wired.com/story/trump-iphone-security-risk/
• Saudia Arabia has been using spyware on its detractors for a while, one of Khashoggi's contacts was targeted https://citizenlab.ca/2018/10/the-nso-connection-to-jamal-khashoggi/
• US Cybercommand sends warnings to Russian trolls https://arstechnica.com/information-technology/2018/10/us-cyber-command-doxes-dms-warnings-to-russian-disinformation-trolls/
• Canadian Judge: Bitcoin ATM Firm Not Liable for Scam Victim's Losses https://www.ccn.com/bitcoin-atm-firm-not-liable-for-scam-victims-losses-canadian-judge/
• Statistics Canada: More than 1 in 5 Canadian companies hit by cyberattack in 2017 https://globalnews.ca/news/4551428/cyberattack-canadian-companies-statistics-canada/
• Authour of "Agent Tesla" password stealing malware identified https://krebsonsecurity.com/2018/10/who-is-agent-tesla/
• Threats to 2019 federal election are increasing faster than expected https://nationalpost.com/news/politics/threats-to-2019-federal-election-are-increasing-faster-than-we-expected-cse-says
• The 2017 cyber attack on a Suadia Arabian petrochemical company has been attributed to a Russian research organization https://www.darkreading.com/attacks-breaches/russian-research-institute-was-actively-involved-in-triton-ics-attack-activity/d/d-id/1333110
• How China manipulates Border Gateway Protocol https://www.schneier.com/blog/archives/2018/10/chinashacking\.html
• Google fighting a new type of ad fraud https://security.googleblog.com/2018/10/google-tackles-new-ad-fraud-scheme.html

Other Security / Risk

• Facebook removes 8.7M child nudity images in three months http://www.bbc.co.uk/news/technology-45967301
• Best practice for voter verified ballots in voting machine design https://freedom-to-tinker.com/2018/10/22/an-unverifiability-principle-for-voting-machines/ and some examples of bad design https://freedom-to-tinker.com/2018/10/19/continuous-roll-vvpat-under-glass-an-idea-whose-time-has-passed/
• Online voting is popular but has horrible security https://www.cbc.ca/news/canada/online-voting-municipalities-ontario-1.4875457
• Debating the value of compliance, Anthem was breached by a nation state after achieving HITRUST compliance https://www.databreachtoday.com/analysis-did-anthems-security-certification-have-value-a-11634
• A chunk of an old Iridium satellite launch booster space junk came crashing down in California http://bgr.com/2018/10/19/space-junk-california-hanford-iridium-satellite/
• Truck-size asteroid makes fourth-closest pass by Earth on record https://www.cnet.com/news/truck-size-asteroid-makes-fourth-closest-pass-by-earth-on-record/
• Hawaiian island is gone - converted to a shoal by powerful hurricane https://globalnews.ca/news/4590765/hawaiian-island-wiped-from-map-hurricane/
• Canada's penalties for pot impaired driving escalate this December and could bar newcomers from Canada https://www.ctvnews.ca/autos/new-pot-impaired-driving-penalties-could-bar-newcomers-from-canada-1.4148940

Off-Topic / Science & Tech / Lighter Side

• Possibly the most gullible thieves in the world? http://www.bbc.co.uk/news/world-europe-45958404
• Very neat low tech way to extract moisture from air and biomass using shipping containers wins X-prize https://www.cbc.ca/news/technology/water-xprize-1.4877601
• TCP/IP over gravity might be possible https://www.universetoday.com/140305/it-could-be-possible-to-transfer-data-through-gravitational-waves/
• Blue moons are an expression, but apparently blue asteroids and comets are actually a thing - and they're rare too https://phys.org/news/2018-10-rare-blue-asteroid-responsible-geminid.html
• Halloween is near, Dr. Who fans might want to binge on these scary episodes http://www.digitalspy.com/tv/doctor-who/feature/a869217/doctor-who-scariest-episodes-ranked-halloween/