This Week’s [in]Security – Issue 88

Welcome to This Week’s [in]Security. This week: PCI Telephony updates. Record setting post-GDPR breach at Starward/Marriot. Breaches at Dell, Atrium Health, Sky Brasil, Dunkin Donuts, Sotheby's Home, Data & Leads, and an unidentified ElasticSearch server.  Uber fined.  Back-dooring Oz. Nosy CRA workers. Criminal volunteers on open-source project and Trojans code to steal crypto-wallets. And, Faking DNA evidence.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

• PCI updates on telephony and VoIP:

  • FAQ #1153 https://pcissc.secure.force.com/faq/articles/Frequently_Asked_Question/Is-VoIP-in-scope-for-PCI-DSS
  • Announcement of changes https://blog.pcisecuritystandards.org/industry-guidance-on-accepting-telephone-payments-securely
  • Updated information supplement https://www.pcisecuritystandards.org/documents/Protecting_Telephone_Based_Payment_Card_Data_v3-0_nov_2018.pdf
• Visa announced some changes on their merchant news site last month concerning 3DS, cash discounts, and new merchant category codes (MCC) https://usa.visa.com/support/merchant/library/visa-merchant-business-news-digest.html

Breaches / Leaks

• Possibly the largest post-GDPR breach goes to the Starwood hotel chain (acquired by Marriott in 2016) was breached for a third time.  The prior breaches were limited to their POS systems. This breach of  their guest reservation database went undetected for four years and affects 500M guests and included contact information, date of birth, travel information, passport numbers, AES encrypted payment card data. Reports are uncertain if the the encryption keys were compromised.  The breach was detected in September and reported to the SEC in November.  There is no word if any required GDPR filings were made. Based on Marriot's annual report the fines under GDPR could approach $1B.  Reports at:

  • https://krebsonsecurity.com/2018/11/marriott-data-on-500-million-guests-stolen-in-4-year-breach/
  • https://www.zdnet.com/article/marriott-announces-data-breach-affecting-500-million-hotel-guests/
  • https://techcrunch.com/2018/11/30/starwood-hotels-says-500-million-guest-records-stolen-in-massive-data-breach/
  • https://www.databreachtoday.com/marriotts-starwood-reservation-hack-could-affect-500-million-a-11751
  • https://www.bna.com/marriott-breach-fresh-n57982094283/ (about GDPR)
  • https://www.axios.com/marriott-starwood-data-breech-0a4aadcd-9ba9-41ce-8cd8-6ac85b956533.html (calss for international investigations)
• Data &Leads reports a breach of 44M records https://haveibeenpwned.com/PwnedWebsites#DataAndLeads
• Sky Brasil exposed 32M subscriber records in an insecure ElasticSearch database https://www.zdnet.com/article/sky-brasil-exposes-data-of-32-million-subscribers/
• Another 57M records exposed through insecure ElasticSearch server, possibly related to Data & Leeds https://nakedsecurity.sophos.com/2018/11/30/57m-americans-details-leaked-online-by-another-misconfigured-server/
• Atrium Health breached for 2.6M records and 700K SSNs https://www.zdnet.com/article/atrium-health-data-breach-exposed-2-65-million-patient-records/
• Dell announces security breach, size unknown https://www.zdnet.com/article/dell-announces-security-breach/
• Magecart adds another notch to their belt by skimming from Sotheby's Home website https://www.theregister.co.uk/2018/11/30/magecart_fiends_strike_sothebys_home_website/
• Dunkin Donuts loyalty site, DD Perks, accounts accessed at a third-party a month ago in what sounds like a credential stuffing attack http://fortune.com/2018/11/29/dunkin-donuts-data-breach-app/
• Urban a popular massage app exposed data on 300K clients including complaints from therapists over inappropriate requests  https://nypost.com/2018/11/28/massage-app-data-breach-reveals-which-clients-asked-for-sexual-favors/
• Humble Bumble which recently had good deals on security books suffered a minor breach https://www.kotaku.com.au/2018/12/humble-bundle-suffered-very-limited-data-breach/
• Uber fined $1.2M under pre-GDPR rules for delay in reporting breach disclosure https://www.databreachtoday.com/uber-fined-12-million-in-eu-for-breach-disclosure-delay-a-11730

Laws & Regulations / Standards

• NIST publications:

  • Interagency Report on the Status of International Cybersecurity Standardization for the Internet of Things (IoT) - details https://csrc.nist.gov/publications/detail/nistir/8200/final
  • Draft for comment Volume B, Trusted Cloud: Security Practice Guide for VMWare Hybrid Cloud Infrastructure as a Service (IaaS) Environments Cybersecurity Practice Guide - details https://csrc.nist.gov/publications/detail/sp/1800-19/draft and homepage: https://www.nccoe.nist.gov/projects/building-blocks/trusted-cloud/hybrid
  • Draft for comment Volume A (Executive Summary) and Volume B (Approach, Architecture and Security Characteristics)  on Securing Web Transactions: TLS Server Certificate Management - details https://csrc.nist.gov/publications/detail/sp/1800-16/draft and homepage https://www.nccoe.nist.gov/projects/building-blocks/tls-server-certificate-management
• Australia's opposition has compromised on lawful decryption and may support it as long as it's only used for counter-terrorism https://www.theregister.co.uk/2018/11/27/oz_decryption_legislation/
• FBI still pushing for backdoors https://www.wired.com/story/rod-rosenstein-encryption-backdoor/
• GCHQ tries a different spin on encryption backdoors https://www.theregister.co.uk/2018/11/29/gchq_encrypted_apps/
• The province of Ontario's Consumer Protection Bill takes aim at breaches https://www.canadianunderwriter.ca/legislation-regulation/data-breach-risk-prompts-new-ontario-legislation-1004149354/
• The City of York's reaction to a vulnerability disclosure was to call the police, fortunately cooler heads prevailed https://www.bleepingcomputer.com/news/security/the-one-planet-york-data-breach-that-was-a-data-leak/
• California and IMDB at legal odds over actors ages https://www.eff.org/deeplinks/2018/11/california-still-trying-gag-imdb-were-telling-new-court-dont-let-it
• Stupid Patent of the Month: Using math for formal security validation of a trading platform https://www.eff.org/deeplinks/2018/11/stupid-patent-month-patent-using-mathematical-proofs

Privacy

• Rogue tax workers snooping on Canadians in larger numbers https://www.cbc.ca/news/politics/cra-canada-revenue-agency-privacy-breaches-commissioner-employees-1.4916022
• Schneier essay on how surveillance inhibits freedom of expression https://www.schneier.com/blog/archives/2018/11/how_surveillanc_1.html
• Google's location tracking is challenged in Europe https://www.bbc.com/news/technology-46356999

Bugs / Design Flaws / Vulnerabilities / Defense

• Implications of the Marriot breach https://krebsonsecurity.com/2018/12/what-the-marriott-breach-says-about-security/
• Article and debate prompted by the recent "event-stream" supply chain attack against code used by millions https://www.schneier.com/blog/archives/2018/11/distributing_ma.html
• When will Firefox alert you to a breached website https://blog.mozilla.org/security/2018/11/14/when-does-firefox-alert-for-breached-sites/
• Kreb's guide to secure online shopping https://krebsonsecurity.com/2018/11/how-to-shop-online-like-a-security-pro/
• What is known about security in Intel's management engine https://blog.ptsecurity.com/2018/11/what-we-have-learned-about-intel-me.html
• Rowhammer attacks are more effective with a side channel timing attack https://www.wired.com/story/rowhammer-ecc-memory-data-hack/
• Microsoft’s Office 365 MFA security crashes for second time https://nakedsecurity.sophos.com/2018/11/29/microsofts-office-365-mfa-security-crashes-for-second-time/
• MITRE completes first evaluation of endpoint security using the ATT&CK framework https://www.darkreading.com/endpoint/mitre-changes-the-game-in-security-product-testing/d/d-id/1333374

Hacking / Malware / Cybercrime / Offense

• Analysis of the supply chain Trojan horse against BitPay wallets found in the NPM event-stream module https://medium.com/@hkparker/analysis-of-a-supply-chain-attack-2bd8fa8286ac
• HTTPS lock icons aren't an indicator of an authentic site, just an encrypted one https://krebsonsecurity.com/2018/11/half-of-all-phishing-sites-now-have-the-padlock/
• Bloomberg is standing by their story about Chinese hardware implants in SuperMicro motherboards - but corporate denials aside, they still haven't managed to convince skeptics https://www.washingtonpost.com/blogs/erik-wemple/wp/2018/11/27/bloomberg-is-still-reporting-on-challenged-story-regarding-china-hardware-hack/ and https://www.schneier.com/blog/archives/2018/11/that_bloomberg_.html
• The FBI created a fake FedEx site and deployed weaponized word docs to identify a criminal https://motherboard.vice.com/en_us/article/d3b3xk/the-fbi-created-a-fake-fedex-website-to-unmask-a-cybercriminal
• The FBI took down a large Internet advertising fraud ring leading to the arrest and pending extradition of 8 people. The criminals included redirecting IP networks through BGP manipulation in their toolkit.  https://www.schneier.com/blog/archives/2018/11/fbi_takes_down_.html
• Calls and pop-up scams about your computer infected by a virus traced to New Delhi India results in 39 arrests and 16 call centers shut down  https://www.nytimes.com/2018/11/28/technology/scams-india-call-center-raids.html and https://www.darkreading.com/endpoint/39-arrested-in-tech-support-scam-crackdown-microsoft/d/d-id/1333377
• Symantec challenges NSS labs lawsuit over security bug audit conspiracy claim https://www.theregister.co.uk/2018/11/29/symantec_attacks_nss_labs/

Other Security / Risk

• Scientists demonstrate that DNA evidence can be fabricated https://www.nytimes.com/2009/08/18/science/18dna.html
• Princeton University's  Center for Information Technology Policy has openings for a visiting researcher and fellow https://freedom-to-tinker.com/2018/11/28/citp-call-for-visitors-for-2019-20/
• Bulletproof TLS Newsletter Issue #47 -  Attacking cryptography with side channels and more https://www.feistyduck.com/bulletproof-tls-newsletter/issue_47_attacking_cryptography_with_side_channels
• Anchorage Alaksa suffered a huge magnitude 7.0 eartquake last Friday and hundreds of after shocks. It has been the most powerful quake in Alaska since the 1964 magnitude 9.2 quake one of the most powerful ever recorded https://www.nytimes.com/2018/12/01/us/anchorage-alaska-earthquake.html and https://www.cnn.com/2018/12/01/us/alaska-earthquake/index.html
• Sotheby's was auctioning off a working 3-wheel Enigma machine (model I) on Friday with an expected value of nearly $200K https://www.schneier.com/blog/archives/2018/11/three-rotor_eni_1.html and http://www.sothebys.com/en/auctions/ecatalogue/2018/history-of-science-technology-n09886/lot.41.html
• In 1972 dozens of magnetic mines denotated in the waters off Vietnam. The event was classified but now there may be an explanation - a solar storm https://astroengine.com/2018/11/28/did-a-solar-storm-detonate-dozens-of-vietnam-war-mines/
• Is a recession coming? https://www.theatlantic.com/ideas/archive/2018/11/stocks-are-nosediving-recession-coming/576568/

Off-Topic / Science & Tech / Lighter Side

• NASA lands the InSight probe on Mars https://www.universetoday.com/140646/insight-lander-touches-down-begins-mission-to-unlock-the-secrets-of-mars/
• Weird seismic waves detected leaves scientists guessing - possible slow quake or volcanic foreshadowing https://www.nationalgeographic.com/science/2018/11/strange-earthquake-waves-rippled-around-world-earth-geology/
• Astronomers looking at Brown-dwarf stars with "auroral radiation" have identified a rogue planet with possible moons https://www.syfy.com/syfywire/an-aurora-glows-over-a-possible-rogue-planet
• Using our Sun as a gravitational lens could allow us to image city sized areas on the surface of exo-planets http://www.leonarddavid.com/city-spotting-on-exoplanets-new-concept-advanced/
• Setting the way-back machine for our 88th issue, an MIT tradition honoring Wile E. Coyote the last day to drop spring courses https://www.youtube.com/watch?v=7bZwm1jpoeE