This Week’s [in]Security – Issue 97
Welcome to This Week’s [in]Security. This week: New PCI Information supplement, Updates on SPoC, and Secure Software Framework, PwnPOS alert, More mega-breach collections, HIV and banking breaches, Apple hid a major breach, Apple punishes Facebook over naughty research app TOS violation, In Japan all your IoT belong to us, LIFX insecure smart bulb, more IoT insecurity, just clicking a link isn’t probable cause, NIST extends feedback periods, Post-quantum crypto updates, Automatic bug detection and patching at scale.
Now here’s this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.
PCI Compliance and Payments
News and announcements relating to Payment Security, Payments, PCI, and Card Brands.
- PCI updates information supplement on maintaining compliance – article https://blog.pcisecuritystandards.org/update-to-maintaining-compliance-information-supplement and document https://www.pcisecuritystandards.org/documents/PCI_DSS_V2.0_Best_Practices_for_Maintaining_PCI_DSS_Compliance.pdf
- Control Gap article about PCI’s grand experiment in mobile payments – Software PIN on COTS (SPoC) – what it is, how it works, why it’s different, and what you need to know https://controlgap.com/blog/pci-spoc-pin-on-cots-grand-experiment-in-mobile-payments/
- Review of the new PCI Software Security Framework https://ims.ul.com/pci-s3-future-payment-software-security
- Visa Alert – same PwnPOS file in multiple Windows POS hospitality industry breaches http://click.broadcasts.visa.com/xfm/?17568/0/4e503b09b989aac5585cedce061aaee2/lonew
Breaches / Leaks
Covering breaches, leaks, data exposures, and their fallout.
- Data leak in Singapore exposes HIV status of 14,000 people – locals and foreign visitors https://gizmodo.com/data-leak-in-singapore-exposes-hiv-status-of-14-000-loc-1832126939
- Discover has announced a breach. Apparently this was a third-party breach affecting only Discover cards https://www.bleepingcomputer.com/news/security/discover-card-users-affected-by-data-breach-new-credit-cards-issued/
- India’s largest bank, SBI, left a large database unprotected https://www.bankinfosecurity.com/sbi-investigates-reported-massive-data-leak-a-11986
- AirBus is investigating a breach of employee data https://www.zdnet.com/article/airbus-data-breach-impacts-employees-in-europe/
- In 2018 there were fewer breaches but they were bigger http://www.digitaltransactions.net/data-breaches-fell-in-2018-but-records-exposed-more-than-doubled-non-profit-reports/
- After the massive Collection#1, there are 4 more collections with 2.2B unique records that appear to be amalgamated breaches from the past https://www.wired.com/story/collection-leak-usernames-passwords-billions/; the group behind the leak has also been identified https://www.zdnet.com/article/security-firm-identifies-hacker-behind-collection-1-leak-as-collection-2-5-become-public/
- Recall the Panama Papers breach and its little cousin the Paradise Papers, which divulged off-shore wealth: the Canada Revenue Agency has launched 100 audits after the Paradise Papers leak https://www.thestar.com/news/paradise-papers/2019/01/29/canada-revenue-agency-launches-100-audits-after-paradise-papers-leak.html
Privacy
Articles about privacy related news, risks, and trends.
- Apple may have covered up a major privacy breach last year that granted partial access to iCloud data https://thehackernews.com/2019/01/icloud-privacy-breach.html
- EU is raising concerns over the integration of Facebook’s messaging apps https://www.theguardian.com/technology/2019/jan/28/eu-data-watchdog-raises-concerns-facebook-integration
- A GDPR complaint looking into Google Ads' practice of profiling users and sharing the profiles with third parties https://www.pymnts.com/news/regulation/2019/gdpr-complaint-data-google-iab/
- Article about GDPR today https://epic.org/2019/01/new-edition-of-gdpr-today-now-.html and the site https://www.gdprtoday.org/
- The controversial Facebook Research app has been banned and pulled from the Apple Store https://techcrunch.com/2019/01/30/apple-bans-facebook-vpn/. The app paid people including teens to track all their activity through a VPN https://techcrunch.com/2019/01/29/facebook-project-atlas/
- Apple temporarily revoked Facebook’s distribution certificates over TOS violations, causing internal chaos. Corporate and test applications not only fail to install, they no longer run https://www.theverge.com/2019/1/30/18203551/apple-facebook-blocked-internal-ios-apps
- Apple also temporarily revoked Google’s developer certificate for violations of their distribution policy https://www.theverge.com/2019/1/31/18205795/apple-google-blocked-internal-ios-apps-developer-certificate
- Google’s Screenwise application was also pulled but much of the program is still active https://www.eff.org/deeplinks/2019/02/google-screenwise-unwise-trade-all-your-privacy-cash
- Privacy watchdog slams Yukon government for sharing personal employee records too widely https://www.cbc.ca/news/canada/north/privacy-watchdog-slams-yukon-gov-t-for-sharing-personal-employee-records-too-widely-1.4998062
- EFF opinion/analysis of Zuckerberg’s Wall Street Journal op-ed https://www.eff.org/deeplinks/2019/01/wsj-op-ed-mark-zuckerberg-speaks-down-users-and-misses-point
Laws & Regulations / Standards
News about laws, regulations, and standards affecting security, privacy, technology, and public interest.
- NIST announces Post-Quantum Cryptography Standard round 2 candidates. Announcement: https://csrc.nist.gov/news/2019/pqc-standardization-process-2nd-round-candidates, News: https://www.nist.gov/news-events/news/2019/01/nist-reveals-26-algorithms-advancing-post-quantum-crypto-semifinals, and PQC Project: https://csrc.nist.gov/projects/post-quantum-cryptography
- NIST Internal Report (NISTIR) 8240, Status Report on the First Round of the NIST Post-Quantum Cryptography Standardization Process. Details: https://csrc.nist.gov/publications/detail/nistir/8240/final
- NIST has extended feedback periods on several draft documents, possibly in response to the US Government Shutdown:
  - SP 800-57 Part 2 Rev. 1, Recommendation for Key Management Part 2: Best Practices for Key Management Organizations – Update: https://csrc.nist.gov/news/2018/nist-releases-2nd-draft-sp-800-57-part-2-rev-1 and details: https://csrc.nist.gov/publications/detail/sp/800-57-part-2/rev-1/draft
  - SP 800-189, Secure Interdomain Traffic Exchange: Routing Robustness and DDoS Mitigation – Update: https://csrc.nist.gov/news/2018/nist-releases-draft-sp-800-189-for-comment and details: https://csrc.nist.gov/publications/detail/sp/800-189/draft
  - SP 1800-16, Securing Web Transactions: TLS Server Certificate Management – Details: https://csrc.nist.gov/publications/detail/sp/1800-16/draft and project: https://www.nccoe.nist.gov/projects/building-blocks/tls-server-certificate-management
- Court clears way for Equifax lawsuits https://www.theregister.co.uk/2019/01/29/equifax_lawsuits_approved/
- Judge blocks Yahoo payout over lack of transparency https://www.bbc.com/news/technology-47044652
- Several states are considering new/improved consumer privacy laws https://www.bankinfosecurity.com/privacy-several-states-consider-new-laws-a-11988
- EFF is presenting in a federal appeal that clicking on a URL isn’t sufficient for a search warrant https://www.eff.org/press/releases/hearing-thursday-eff-tells-court-clicking-url-isnt-enough-evidence-justify-search
- Medical device security framework https://www.careersinfosecurity.com/new-medical-device-cybersecurity-framework-unveiled-a-11976
- American Bar Association stands up for privacy at border crossings https://epic.org/2019/01/american-bar-association-takes.html
- ACTRA wants Canada to require search engines to promote Canadian content or face penalties http://www.michaelgeist.ca/2019/01/actra-wants-government-to-penalize-search-engines-that-refuse-to-promote-canadian-content-in-search-results/
Defense / Techniques / Solutions
Covering developments and opportunities that may help improve security.
- Mayhem – automating vulnerability discovery and patching at scale https://spectrum.ieee.org/computing/software/mayhem-the-machine-that-finds-software-vulnerabilities-then-patches-them
- How to secure mainframes http://vmblog.com/archive/2019/01/29/key-resources-2019-predictions-how-can-we-secure-the-mainframe-in-2019.aspx
- Japan plans mass security testing of IoT devices https://www.schneier.com/blog/archives/2019/01/japanese_govern.html
- Mozilla is working out rules for tracking practices the browser will block in future updates https://blog.mozilla.org/security/2019/01/28/defining-the-tracking-practices-that-will-be-blocked-in-firefox/
- Netcraft launches an anti-phishing app https://www.securityweek.com/netcraft-launches-anti-phishing-mobile-app
- Apparently free Windows 10 upgrades are still available https://www.zdnet.com/article/heres-how-you-can-still-get-a-free-windows-10-upgrade/
- How to tell the difference between scam and legit CRA calls https://globalnews.ca/news/4907961/cra-phone-scams/
Bugs / Design Flaws / Vulnerabilities / Research
Articles about newly discovered vulnerabilities and research.
- Major iPhone FaceTime bug lets you hear the audio of the person you are calling before they pick up https://9to5mac.com/2019/01/28/facetime-bug-hear-audio/
- WordPress plugin “Total Donations” is compromised by a zero-day and the developers are missing in action https://www.zdnet.com/article/wordpress-sites-under-attack-via-zero-day-in-abandoned-plugin/
- The LIFX smart light bulb is massively insecure https://www.schneier.com/blog/archives/2019/01/security_analys_6.html
- 5G may not protect from IMSI catchers (aka Stingrays) https://www.eff.org/deeplinks/2019/01/5g-protocol-may-still-be-vulnerable-imsi-catchers
- A year after a report found security in children’s smart watches was terrible – almost nothing has changed https://www.schneier.com/blog/archives/2019/01/security_flaws_3.html
Hacking / Malware / Cybercrime / Exploitation
News covering active trends and events.
- Criminals are actively exploiting SS7 telephone system vulnerabilities to attack bank accounts https://motherboard.vice.com/amp/en_us/article/mbzvxv/criminals-hackers-ss7-uk-banks-metro-bank
- Underground marketplace, xDedic, selling PII and access to servers taken down https://www.securityweek.com/authorities-seize-hacked-server-marketplace
- Law enforcement is now going after users of DDoS for hire services https://www.securityweek.com/authorities-track-down-users-ddos-services
- Beauty camera apps collect photos, spew porn, and redirect you to phishing sites https://blog.trendmicro.com/trendlabs-security-intelligence/various-google-play-beauty-camera-apps-sends-users-pornographic-content-redirects-them-to-phishing-websites-and-collects-their-pictures/
- APT 39 – an Iranian cyberespionage group interested in targeted personal information https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html
- ‘Karma’: Inside the hack used by the UAE to break into iPhones of foes https://www.reuters.com/investigates/special-report/usa-spying-karma/
Other Security / Risk
Articles covering other types of risks.
- Don’t assume blind people can’t use phones https://www.bbc.com/news/blogs-trending-47031509
- US prisons are building voice print databases https://theintercept.com/2019/01/30/prison-voice-prints-databases-securus/
- Canadian cyber-security statistics article https://www.packetlabs.net/canadian-cyber-security-statistics/ and full survey (by CIRA) https://cira.ca/sites/default/files/public/cybersecurity_report_181015.pdf
- 3 ways to mess up GDPR compliance https://www.darkreading.com/vulnerabilities-and-threats/3-ways-companies-mess-up-gdpr-compliance-the-most/a/d-id/1333734
- Opinion: How would we know if Huawei is a risk? https://www.cbc.ca/news/technology/huawei-5g-security-testing-vulnerabilities-risks-proof-ban-1.4997957
- Israeli cyberexpert warns against using Huawei 5G citing Chinese telecom’s BGP hijacking of Rogers customer Internet traffic in Ottawa in 2016 https://www.thestar.com/news/canada/2019/01/31/israeli-cyberexpert-detects-china-hack-in-ottawa-warns-against-using-huawei-5g.html
- Bizarre – the place where car key fobs stopped working https://www.cbc.ca/news/canada/calgary/carstairs-westview-co-op-grocery-car-key-fob-1.4999558 appears to be linked to a faulty remote starter https://gizmodo.com/mystery-of-blocked-key-fobs-at-parking-lot-likely-solve-1832277387
Off-Topic / Science & Tech / Lighter Side
A variety of scientific, technical, historical, and more light-hearted news.
- Songs in the key of ‘IT’ https://www.theregister.co.uk/2018/11/14/that_old_time_2018_it_songbook/
- Japanese astronomers using modified amateur equipment have spotted a “planetesimal” (a 1-10 km diameter object) in the outer solar system https://gizmodo.com/amateur-astronomy-equipment-may-have-spotted-tiny-objec-1832129450
- A list of the 10 largest non-planets in the solar system https://www.forbes.com/sites/startswithabang/2019/01/28/these-are-the-10-largest-non-planets-in-our-solar-system/
- One of the moon rocks returned by Apollo 14 turns out to have been blasted free of the Earth a very long time ago https://astroengine.com/2019/01/27/oldest-earth-rock-found-in-lunar-exile/
- Experiencing life at -40 https://www.sciencealert.com/this-is-what-40-actually-feels-like
Becoming PCI Compliant can be difficult, so why not let Control Gap guide you. We are the largest dedicated PCI compliance company in Canada. Contact us today and learn more about how we can help you: Get PCI Compliant. Stay PCI Compliant.