This Week’s [in]Security – Issue 93 | insecurity | Control Gap

Welcome to This Week’s [in]Security. This week: PCI updates on 3DS SDK's and TLS 1.3, the first breaches of 2019, update on Marriott/Starwood, all US states now have breach laws, Canada mandates spam call blocking, funding open source bug bounties, the power of fuzzing, more IoT exploitation, AI's learn to cheat, 2019 predictions,  pene-enclaves, and Krakatoa.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

News and announcements relating to Payment Security, Payments, PCI, and Card Brands.

• PCI updates the 3DS SDK summary of changes https://www.pcisecuritystandards.org/documents/PCI-3DS-SDK-Summary-of-Changes-v1.0-to-v1.1.pdf
• New PCI FAQ on TLS 1.3 security considerations https://pcissc.secure.force.com/faq/articles/FrequentlyAskedQuestion/What-are-the-security-considerations-for-TLS-1-3 as always we have updated our index of all PCI FAQ's https://controlgap.com/index-pci-frequently-asked-questions/
• How MasterCard is protecting their networks (video) https://www.bankinfosecurity.com/interviews/mastercard-launched-fusion-center-for-security-i-4207
• Discussions about the future of retail payment technologies: "smart" systems, "revolution" - not one mention of security https://www.pymnts.com/news/pos-innovation/2019/aevi-smart-pos-merchants/
• US payment card security is still a work in progress (video) https://www.bankinfosecurity.com/interviews/ongoing-battle-to-secure-card-payments-i-4211
• The US was not the last magnetic stripe holdout, India has just signaled a move to Chip https://www.mobilepaymentstoday.com/news/reserve-bank-of-india-tells-banks-to-dump-magstripe-credit-debit-cards-for-emv/

Breaches / Leaks

Covering breaches, leaks, data exposures, and their fallout.

• The first reported breach of the new year affects 30K Australian civil servants in Victoria https://www.cbronline.com/news/2019s-first-data-breach
• Blur exposes 2.4M users ids, ips, password hashes, and more with the first leaky AWS S3 bucket of 2019  https://www.securityweek.com/blur-exposes-information-24-million-users
• Criminals claim to have hacked multiple insurers and are attempting to extort money or release files relating to 9/11  attacks https://motherboard.vice.com/en_us/article/yw79k5/hacker-group-threatens-dump-911-insurance-files-dark-overlord
• Dublin's "Luas" tram system's website hacked, criminal seeking to extort funds to not reveal collected information https://www.securityweek.com/website-dublin-tram-system-hacked
• Personal data on hundreds of German politicians and celebrities leaked in possible politically motivated doxing https://thehackernews.com/2019/01/germany-politicians-hacked.html
• Town of Whistler BC reports their website was breached https://www.citynews1130.com/2019/01/04/whistler-reports-security-breach-on-municipal-website/
• Marriott/Starwood breach update:  total guest records 384M , passports 5.2M plain-text and 20.3M encrypted, payment cards 8.6M encrypted and possibly 2K plain-text from free form text fields, no evidence of decryption key compromise http://www.digitaltransactions.net/marriott-updates-breach-numbers-says-354000-unexpired-cards-compromised/

Privacy

Articles about privacy related news, risks, and trends.

• Zuckerberg says Facebook will take years to fix https://www.yahoo.com/finance/news/facebook-ceo-zuckerberg-says-problems-184652398.html
• Privacy friendly search engines https://hackernoon.com/untraceable-search-engines-alternatives-to-google-811b09d5a873
• Weather Channel app owners, the Weather Company and IBM, sued by Los Angeles over misuse of collected data https://www.nytimes.com/2019/01/03/technology/weather-channel-app-lawsuit.html
• Warnings about smartspeakers and privacy - read the fine print, delete the data https://www.cbc.ca/news/canada/new-brunswick/cybersecurity-privacy-alexa-google-home-1.4963862

Laws & Regulations / Standards

News about laws, regulations, and standards affecting security, privacy,  technology, and public interest.

• All US states now have breach notification laws http://www.digitaltransactions.net/all-states-now-have-breach-notification-laws-and-other-digital-transactions-news-briefs-from-1-2-19/
• CRTC: Phone companies must block calls with 'blatantly illegitimate' info by Dec 19, 2019 (finally some action on this scourge!) https://www.cbc.ca/news/canada/saskatchewan/phone-companies-crtc-new-regulations-1.4961104
• Equifax and others to face more Congressional scrutiny in 2019 https://www.pymnts.com/news/security-and-risk/2019/credit-reporting-legislation-democrats-equifax/
• USB Type C authentication program will enhance USB connection security https://www.eweek.com/security/usb-type-c-set-to-become-more-secure-with-authentication-standard
• Brazil creates data protection authority https://www.zdnet.com/article/brazilian-government-to-create-data-protection-authority/
• The work of NIST has been disrupted by the US government shutdown https://duo.com/decipher/government-shutdown-impacts-enterprise-security
• Vietnam's Cybersecurity/censorship law now in effect https://www.securityweek.com/vietnams-draconian-cybersecurity-bill-comes-effect
• BC court blocks class action against bankrupt computer firm NCIX, citing 'unreliable' proof of data breach https://www.cbc.ca/news/canada/british-columbia/court-blocks-class-action-against-bankrupt-computer-firm-citing-unreliable-proof-of-data-breach-1.4964076
• New US Congress's first Bill includes election security provisions https://www.securityweek.com/hr1-bill-includes-provisions-improve-us-election-security

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• Integrity: Protecting data from alteration (video) https://www.bankinfosecurity.com/critical-importance-data-integrity-a-11908
• Bulletproof TLS #48 is out: Google to deploy post-quantum key exchange in TLS, EU standard ETLS has a back-door, various papers and vulnerabilities  https://www.feistyduck.com/bulletproof-tls-newsletter/issue48googlestartscecpq2
• The EU is funding 14 open source bug bounty programs https://threatpost.com/eu-offers-bug-bounties-for-14-open-source-projects/140473/
• A look at Intel's Offensive Security research team and their ongoing work on Spectre and Meltdown https://www.wired.com/story/intel-meltdown-spectre-storm/
• A deep dive into two suspected malicious jpeg files https://isc.sans.edu/diary/A+Malicious+JPEG%3F/24490 and https://isc.sans.edu/diary/A+Malicious+JPEG%3F+Second+Example/24494
• ISC2's top 10 webcasts from 2018 https://blog.isc2.org/isc2_blog/2019/01/2018s-top-10-webcasts.html
• How to protect your cell phone number and why you should care https://techcrunch.com/2018/12/25/cybersecurity-101-guide-protect-phone-number/
• It's 2019 and companies are still not scrubbing data from equipment being sold off https://www.businessinsider.com/western-countries-send-servers-full-of-sensitive-information-to-foreign-countries-2018-12

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• Windows Zero-Day file overwrite https://www.bleepingcomputer.com/news/security/windows-zero-day-bug-allows-overwriting-files-with-arbitrary-data/
• Fuzzing using 30 year old tools still finds bugs in modern code (with supporting papers) https://blog.trailofbits.com/2018/12/31/fuzzing-like-its-1989/
• Researchers claim 85% success against Google's reCaptcha audio challenge and release code https://www.theregister.co.uk/2019/01/03/recaptchavoicechallenge/
• Android Chrome leaks device fingerprint information https://threatpost.com/chrome-in-android-leaks-device-fingerprinting-info/140480/ and patch https://thehackernews.com/2019/01/google-chrome-android-privacy.html
• Trivial to exploit Android Skype bug allows broad access to locked phones https://www.theregister.co.uk/2019/01/03/androidskypeapp_unlock/

Hacking / Malware / Cybercrime / Exploitation

News covering active trends and events.

• Giftcard scams targeting businesses https://isc.sans.edu/diary/Gift+Card+Scams+on+the+rise/24482
• Very convincing Apple support scam calls are making the rounds - the call display looks completely authentic https://krebsonsecurity.com/2019/01/apple-phone-phishing-scams-getting-better/
• Phishing campaign using custom fonts as a simple substitution cipher to evade email defenses https://www.theregister.co.uk/2019/01/04/phishinghomebrewfonts/
• DataResolution.net fighting ransomware attack https://krebsonsecurity.com/2019/01/cloud-hosting-provider-dataresolution-net-battling-christmas-eve-ransomware-attack/
• Nest cam security breach: A hacker took over a baby monitor and broadcast threats https://www.washingtonpost.com/technology/2018/12/20/nest-cam-baby-monitor-hacked-kidnap-threat-came-device-parents-say/
• Hackers exploit insecure routers to take over Chromecasts to warn owners about security risks https://thenextweb.com/plugged/2019/01/03/hackers-take-over-chromecasts-to-warn-owners-about-security-risks/
• How the UEFI firmware rootkit worked https://www.theregister.co.uk/2019/01/02/lojaxuefirootkit/
• Looking back at the first large cyber-bank-heist: $10M from Citibank in 1994 https://www.darkreading.com/perimeter/25-years-later-looking-back-at-the-first-great-(cyber)-bank-heist/a/d-id/1333502

Other Security / Risk

Articles covering other types of risks.

• Forbes' predictions for 2019 Cybersecurity https://www.forbes.com/sites/forbestechcouncil/2018/12/28/cybersecurity-predictions-for-2019/
• Microsoft's top cybersecurity concerns for 2019 (video) https://www.bankinfosecurity.com/interviews/microsofts-top-3-cybersecurity-targets-for-2019-i-4212
• The problems with Biometrics https://www.csoonline.com/article/3330695/authentication/6-reasons-biometrics-are-bad-authenticators-and-1-acceptable-use.html
• Fascinating! Possibly terrifying?!  A Google AI invents a stenographic method to cheat at it's assigned task https://techcrunch.com/2018/12/31/this-clever-ai-hid-data-from-its-creators-to-cheat-at-its-appointed-task/
• Ready for 'BrainNet' interconnecting minds (it's very limited at but the potential is interesting) https://www.sciencealert.com/scientists-successfully-connected-the-brains-of-3-people-enabling-them-to-share-thoughts
• Article and discussion on DNA matching of distant relatives https://www.schneier.com/blog/archives/2019/01/long-range_fami.html
• Positive marijuana drug test results on the rise in public safety and national security roles https://www.businessinsider.com/workforce-marijuana-use-on-the-rise-in-safety-sensitive-jobs-2019-1
• Context is everything, cops called on man threatening death - to a spider https://www.businessinsider.com/australia-police-respond-to-man-shouting-at-spider-2019-1

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• • NASA's Dream Chaser space cargo plane goes into production https://www.sciencealert.com/nasa-clears-dream-chaser-space-cargo-plane-for-full-scale-production
  • The New Horizons probe sends first crude images of Ultima Thule from 6.5B km away and 3 years past Pluto https://www.theglobeandmail.com/canada/article-new-horizons-probe-phones-home-with-cache-of-images-and-data-from/ and https://www.bbc.com/news/science-environment-46742298
  • A petition to correct the weird map mistake that isolated a small part of Minnesota inside Canada https://www.cbc.ca/news/canada/manitoba/northwest-angle-petition-border-1.4962228 and apparently there are several similar 'pene-enclaves' https://www.ctvnews.ca/canada/beyond-the-northwest-angle-here-are-more-canada-u-s-border-oddities-1.4240096
  • Scientists have discovered a way to 'fix' photosynthesis and boost crop output by 40% https://www.sciencealert.com/researchers-boost-plant-production-by-40-percent-through-a-photosynthesis-shortcut
  • In 1883 Krakatoa (or Krakatau)  exploded with a force of 200MT obliterating an island and killing over 36K people - it's offspring has been flexing it's muscle, most recently with last month's tsunami and destroying part of the island - striking before and after photo https://www.bbc.com/news/science-environment-46743362 and a video purporting to show the eruption from a plane (note events at the 45s and 1m30s marks) https://www.youtube.com/watch?v=yLTDaah-oY8