This Week’s [in]Security – Issue 89 | insecurity | Control Gap

Welcome to This Week’s [in]Security. This week: Beyond "locks and bars" secure e-shopping. Vote for PCI 2019 special interest groups. More fallout and huge liability from Marriott's Starwood breach. New breaches at 1-800-FLOWERS, Quora, Fallout76, and BeatStars. Facebook harvested call and text logs without permission. Republican's hacked in mid-terms.  Magecart gangs go after admin credentials. Exploiting typo links in Tweets.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

News and announcements relating to Payment Security, Payments, PCI, and Card Brands.

• How can you tell if the website you're shopping at is secure? Read our guide that shows you how to go beyond "locks and bars" but doesn't require you to be a penetration tester https://controlgap.com/blog/how-can-i-tell-if-the-site-i-shop-from-is-secure
• The 2019 PCI SIG proposals are out for voting https://blog.pcisecuritystandards.org/vote-now-for-2019-special-interest-group-projects

• PCI updates for

  • PTS HSM Technical FAQs https://www.pcisecuritystandards.org/documents/PTSHSMTechnicalFAQsv3Nov2018.pdf
  • PTS POI Technical FAQs https://www.pcisecuritystandards.org/documents/PTSPINTechnicalFAQsv2Nov2018.pdf
  • Card Production FAQs https://www.pcisecuritystandards.org/documents/CardProdSecurityRqrmtsFAQsv2Nov_2018.pdf

Breaches / Leaks

Covering breaches, leaks, data exposures, and their fallout.

• Quora breached for 100M records includes user IDs and 'encrypted' password data https://arstechnica.com/information-technology/2018/12/quora-says-hackers-stole-password-data-and-other-details-for-100-million-users/

• Credit card stealing malware on Canada’s 1-800-FLOWERS website (www.1800Flowers.ca) went undetected for four years grabbing card data and security codes https://techcrunch.com/2018/12/03/credit-card-stealing-malware-flowers-four-years/.

  • This is eerily similar to a 2016 breach of their main website (1-800-FLOWERS.com)  https://www.lowcards.com/1-800-flowers-suffers-credit-card-breach-after-valentines-day-rush-40631
  • And may be related a Magecart attack on Shopper Approved (used by 1-800-Flowers) announced in October https://www.cnet.com/news/hackers-breach-customer-rating-tool-used-on-over-7000-websites/

• The potential liabilities over the Starwood breach is now nearing Marriott’s annual revenue ($23B/2017). These numbers will change after the dust settles (elimination of duplicate records, actual number of compromised cards, legal negotiations).  Here's a partial list of possible liabilities:

  • Marriott may be seriously underestimating costs, estimates breach costs at only $1B https://www.pymnts.com/news/security-and-risk/2018/marriott-cfo-data-breach-cyberattack/
  • Class action lawsuit of $25/customer or $12B https://www.zdnet.com/article/marriott-sued-hours-after-announcing-data-breach/
  • Replacement costs for passports may be on the table https://www.wctrib.com/business/4538047-marriott-will-pay-new-passports-after-data-breach-if-fraud-has-taken-place although this is probably a rubbish PR statement http://fortune.com/2018/12/08/marriott-breach-hack-starwood-passport-pay/
  • GDPR 4% of revenue or slightly less than $1B on their 2017 revenue https://www.campaignlive.co.uk/article/marriott-potentially-exposed-first-big-gdpr-fine-starwood-data-breach/1520070
  • Payment Card Brand breach fines aka "Account Recovery" meant to reimburse card issuers aren't publicized. Fines will vary depending on what was compromised. A breach of sensitive authentication data like track, security codes, or PIN will demand a higher penalty than a breach of basic cardholder data.  Various media reports over the years have toted numbers as high as $90/card. Assuming a range of $5 to $25 per card the this would put the maximum liability in a range of $2.5B to $12.5B. However, Target seems to have settled with the banks for about $1 per card according to this 2015 article https://www.bloomberg.com/news/articles/2015-12-02/target-settles-with-banks-over-2013-data-breach-for-39-million

• Additional fallout from the Marriott breach

  • Another example of a confusing incident response https://techcrunch.com/2018/12/03/marriott-data-breach-response-risk-phishing/
  • Clues in Marriott breach point to Chinese attack tools and to multiple attack groups https://www.theglobeandmail.com/world/article-hackers-behind-marriott-breach-left-clues-suggesting-links-to-china/
  • Lawmakers are upset https://www.forbes.com/sites/davidvolodzko/2018/12/04/marriott-breach-exposes-far-more-than-just-data/
• Lenovo to pay out $7.3M to settle 27 class action lawsuits after 2014 Superfish debacle https://threatpost.com/lenovo-ordered-to-pay-7-3m-in-superfish-fiasco/139560/
• Jewelers plug data leak https://krebsonsecurity.com/2018/12/jared-kay-jewelers-parent-fixes-data-leak/
• Game vendor Bethesda (Fallout76) exposes customer information through ticketing system https://www.forbes.com/sites/erikkain/2018/12/05/a-fallout-76-support-glitch-leaked-players-personal-information-for-all-the-world-to-see/
• As a result of the Panama Papers breach, four people charged in US with fraud and tax evasion http://www.bbc.co.uk/news/world-us-canada-46449696
• BeatStars report an intrusion https://www.zdnet.com/article/beatstars-discloses-security-breach-in-twitter-live-stream/
• What appears to have been data from the old Linkedin breach has recently turned up in an unsecured MongoDB, 66M records https://haveibeenpwned.com/PwnedWebsites#YouveBeenScraped
• UK consumers are just about fed up with data breaches https://www.computerweekly.com/news/252453836/UK-consumers-threaten-data-breach-backlash

Laws & Regulations / Standards

News about laws, regulations, and standards affecting security, privacy,  technology, and public interest.

• On bodycams and other kit: NIST draft Security Analysis of First Responder Mobile and Wearable Devices open for public comment January 7, 2019.  Details https://csrc.nist.gov/publications/detail/nistir/8196/draft and Update https://csrc.nist.gov/news/2018/nist-releases-draft-nistir-8196-for-comment
• ACLU vs DoJ on keeping arguments to wiretap Facebook Messenger a secret https://www.schneier.com/blog/archives/2018/12/thedojssecret.html
• GCHQ expanded use of bulk equipment interference snooping https://www.theregister.co.uk/2018/12/06/ukgchqbulkequipmentinterference/
• Australia passes bill to force tech firms to hand over encrypted data https://www.reuters.com/article/us-australia-security-data/australia-passes-bill-to-force-tech-firms-to-hand-over-encrypted-data-idUSKBN1O42SR
• NIST published Volume 3, Automation Support for Security Control Assessments: Software Asset Management (SWAM) to help manage risk created by unmanaged or unauthorized software on a network.  Details: https://csrc.nist.gov/publications/detail/nistir/8011/vol-3/final and update: https://csrc.nist.gov/news/2018/nist-publishes-nistir-8011-vol-3

Privacy

Articles about privacy related news, risks, and trends.

• Oath (AOL and Yahoo owner) settles with NY state for $5M over ads violating federal child privacy law https://www.nytimes.com/2018/12/03/business/media/oath-children-online-privacy.html
• Concerns over US Secret Service facial recognition project https://threatpost.com/white-house-facial-recognition-pilot-raises-privacy-alarms/139649/
• Microsoft calls for regulation of face recognition tech https://www.cnet.com/news/microsoft-calls-for-regulation-of-facial-recognition-technology/
• Some facial recognition claiming predictive powers is based on a  debunked 19th century pseudo-science https://theintercept.com/2018/12/06/artificial-intellgience-experts-issue-urgent-warning-against-facial-scanning-with-a-dangerous-history/
• More Facebook controversy over collection of call and text logs https://www.theverge.com/2018/12/5/18127216/facebook-android-call-scraping-high-risk-emails-uk-parliament
• Internal documents suggest Facebook might have exploited Android APIs to collect call and text data without permission https://www.androidpolice.com/2018/12/05/internal-documents-suggest-facebook-might-have-exploited-android-apis-to-collect-call-and-text-data-without-permission/
• A privacy lawsuit against Facebook has been dismissed https://epic.org/2018/12/in-facebook-case-ninth-circuit.html

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• Google’s Project Lantern and Chronicle, search-focused cybersecurity https://www.engadget.com/2018/11/30/chronicle-cybersecurity-alphabet-moonshot-x/
• Google announces Security and Privacy awards https://security.googleblog.com/2018/11/announcing-google-security-and-privacy.html
• Why tabletop tests of incident response is important https://www.databreachtoday.com/incident-response-tabletop-exercise-essential-a-11754
• Microsoft is killing Edge for a new Chromium based browser https://www.windowscentral.com/microsoft-building-chromium-powered-web-browser-windows-10 also what went wrong and what's next https://www.zdnet.com/article/microsoft-edge-what-went-wrong-whats-next/
• Cybersecurity jobs expected to be in high demand in Canada https://globalnews.ca/news/4733898/cybersecurity-jobs-high-demand-canada/
• Google call screening transcriptions start rolling out to Pixel owners https://www.theverge.com/2018/12/3/18123437/googles-call-screen-transcripts-released-usa-pixel-phone-google-assistant
• On the relative value of black/grey/white-box penetration testing https://www.packetlabs.net/types-of-penetration-testing/
• Project Blacklist: finding  publicly available secret keys / secret materials related to various web frameworks to audit applications https://www.notsosecure.com/project-blacklist3r/

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• Kubernetes' first major security hole discovered https://www.zdnet.com/article/kubernetes-first-major-security-hole-discovered/
• Google patches 11 Android critical remote code execution vulnerabilities https://threatpost.com/google-patches-11-critical-rce-android-vulnerabilities/139612/
• Cisco pushes reset on sharefile passwords https://krebsonsecurity.com/2018/12/a-breach-or-just-a-forced-password-reset/
• Cellular AKA protocol still broken including for 5G https://www.theregister.co.uk/2018/12/05/mobileuserscanbetrackedwithcheapkitaka_protocol/
• Text based CAPTCHA's are now well and truly broken https://www.theregister.co.uk/2018/12/05/aibeatscaptcha/
• New tool for probing computer firmware for Spectre class vulnerability https://www.theregister.co.uk/2018/12/07/splitspectre_attack/

Hacking / Malware / Cybercrime / Exploitation

News covering active trends and events.

• Magecart group now going after admin credentials https://threatpost.com/magecart-group-ups-ante-now-goes-after-admin-credentials/139580/
• Sting unmasks ransomware decryption service as a middleman scam https://www.theregister.co.uk/2018/12/04/ransomwarehelperwasmiddlemandr_shifro/
• Eastern European banks lose tens of millions of dollars to rogue device attacks https://www.zdnet.com/google-amp/article/eastern-european-banks-lose-tens-of-millions-of-dollars-in-hollywood-style-hacks/
• Hackers are opening SMB ports on routers so they can infect PCs with malware based on NSA exploits https://www.zdnet.com/article/hackers-are-opening-smb-ports-on-routers-so-they-can-infect-pcs-with-nsa-malware/
• Top CFOs are being targeted by a sophisticated email scam https://www.cnn.com/2018/12/04/tech/london-blue-email-hackers/index.html
• Republicans breached in 2018 midterms https://www.politico.com/story/2018/12/04/exclusive-emails-of-top-nrcc-officials-stolen-in-major-2018-hack-1043309
• "Relay Thefts" of push to start cars on the rise https://www.cbc.ca/news/canada/toronto/car-thefts-rising-1.4930890
• Huawei executive arrested in Canada for extradition to the US http://www.bbc.co.uk/news/business-46462858
• Bomb hoaxer and DDoS sentenced https://krebsonsecurity.com/2018/12/bomb-threat-hoaxer-ddos-boss-gets-3-years/

Other Security / Risk

Articles covering other types of risks.

• Risks to democracies from chatbots. Article https://www.nytimes.com/2018/12/04/opinion/chatbots-ai-democracy-free-speech.html and discussions https://www.schneier.com/blog/archives/2018/12/securityrisks15.html
• With another election coming, foreign countries will try to twist Canadian opinion online in 2019 https://beta.ctvnews.ca/local/toronto/2018/12/6/1_4207661.html
• Why hand marked ballots are the best https://freedom-to-tinker.com/2018/12/03/why-voters-should-mark-ballots-by-hand/
• US DHS building tools to de-anonymize anonymous crypto-currencies https://thenextweb.com/hardfork/2018/12/04/us-government-cryptocurrency-forensics/
• On a human-centric approach to cybersecurity https://citizenlab.ca/2018/12/ronald-deibert-on-moving-towards-a-human-centric-approach-to-cybersecurity/
• Back issues of the NSA's Cryptolog magazine https://www.schneier.com/blog/archives/2018/12/backissuesof_.html  and the archive itself https://nsarchive.gwu.edu/briefing-book/cyber-vault/2018-12-04/cyber-brief-cryptolog
• China's lead in Quantum encryption https://www.nytimes.com/2018/12/03/technology/quantum-encryption.html
• Schneier takes apart some bad consumer security advice https://www.schneier.com/blog/archives/2018/12/badconsumerse.html
• Someone coined this "Grandpa Doesn't Understand the Internet".  Rudy Giuliani makes a typo leaving out a space between "... G-20." and "In ..." and accidentally creates a link to unregistered domain in India. An astute political prankster who seizes the moment to register the domain and embarrass him with anti-Trump message. But, seriously, creating a link from two words and a missing space is a UI problem we should all be aware of.  https://www.thestar.com/news/world/2018/12/05/rudy-giulianis-typo-became-an-anti-trump-message-he-blamed-twitter-but-this-atlanta-man-pranked-him.html
• Road accidents 8th leading cause of death https://www.cnn.com/2018/12/07/health/who-road-safety-report-intl/index.html

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• On the perception of time passing faster with age https://www.nbcnews.com/better/health/why-our-sense-time-speeds-we-age-how-slow-it-ncna936351
• Kepler and Gaia team up to confirm 104 new exoplanets http://astronomy.com/news/2018/12/kepler-and-gaia-team-up-to-confirm-104-new-exoplanets
• Evidence suggests the biblical tale of the smiting of Soddom and Gomorrah may have a 1MT meteor airburst 1km above the Dead Sea https://www.universetoday.com/140752/a-meteor-may-have-exploded-in-the-air-3700-years-ago-obliterating-communities-near-the-dead-sea/
• 101 years ago Halifax was rocked by a massive 2.9 kT explosion killing 2,000 and wounding another 9,000 https://www.cbc.ca/news/canada/nova-scotia/halifax-explosion-second-hand-story-1.4934371
• Before radar, warplanes were spotted using stereophonic tubas and stethoscopes https://www.cnn.com/style/article/war-sound-locators-before-radar/index.html
• A list of "hacking" related movies https://cybersecurityventures.com/movies-about-cybersecurity-and-hacking/