This Week’s [in]Security – Issue 97 | insecurity | Control Gap

Welcome to This Week’s [in]Security. This week: New PCI Information supplement, Updates on SPoC, and Secure Software Framework, PwnPOS alert, More mega-breach collections, HIV and banking breaches, Apple hid a major breach, Apple punishes Facebook over naughty research app TOS violation, In Japan all your IoT belong to us, LIFX insecure smart bulb, more IoT insecurity, just clicking a link isn't probable cause, NIST extends feedback periods, Post-quantum crypto updates, Automatic bug detection and patching at scale.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

News and announcements relating to Payment Security, Payments, PCI, and Card Brands.

• PCI updates information supplement on maintaining compliance - article https://blog.pcisecuritystandards.org/update-to-maintaining-compliance-information-supplement and document https://www.pcisecuritystandards.org/documents/PCIDSSV2.0BestPracticesforMaintainingPCIDSS_Compliance.pdf
• Control Gap article about PCI's grand experiment in mobile payments - Software PIN on COTS (SPoC) - what it is, how it works, why it's different, and what you need to know https://controlgap.com/blog/pci-spoc-pin-on-cots-grand-experiment-in-mobile-payments/
• Review of the new PCI Software Security Framework https://ims.ul.com/pci-s3-future-payment-software-security
• Visa Alert - same PwnPOS file in multiple Windows POS hospitality industry breaches http://click.broadcasts.visa.com/xfm/?17568/0/4e503b09b989aac5585cedce061aaee2/lonew

Breaches / Leaks

Covering breaches, leaks, data exposures, and their fallout.

• Data leak in Singapore exposes HIV status of 14,K - locals and foreign visitors https://gizmodo.com/data-leak-in-singapore-exposes-hiv-status-of-14-000-loc-1832126939
• Discover has announced a breach. Apparently this was a third party breach affecting only Discover Cards https://www.bleepingcomputer.com/news/security/discover-card-users-affected-by-data-breach-new-credit-cards-issued/
• India's largest bank, SBI, left a large database unprotected https://www.bankinfosecurity.com/sbi-investigates-reported-massive-data-leak-a-11986
• AirBus is investigating a breach of employee data https://www.zdnet.com/article/airbus-data-breach-impacts-employees-in-europe/
• In 2018 there were fewer breaches but they were bigger http://www.digitaltransactions.net/data-breaches-fell-in-2018-but-records-exposed-more-than-doubled-non-profit-reports/
• After the massive Collection#1, there are 4 more collections with 2.2B unique records that appear to be amalgamated breaches from the past https://www.wired.com/story/collection-leak-usernames-passwords-billions/ also the group behind the leak has been identified https://www.zdnet.com/article/security-firm-identifies-hacker-behind-collection-1-leak-as-collection-2-5-become-public/
• Recall the Panama Papers breach and its' little cousin the Paradise Papers divulging off-shore wealth, Canada Revenue Agency launches 100 audits after Paradise Papers leak https://www.thestar.com/news/paradise-papers/2019/01/29/canada-revenue-agency-launches-100-audits-after-paradise-papers-leak.html

Privacy

Articles about privacy related news, risks, and trends.

• Apple may have covered up a major privacy breach last year that granted partial access to iCloud data https://thehackernews.com/2019/01/icloud-privacy-breach.html
• EU is raising concerns over the integration of Facebook's messaging apps https://www.theguardian.com/technology/2019/jan/28/eu-data-watchdog-raises-concerns-facebook-integration
• A GDPR complaint looking into
  Google Ads practice of profiling users and shearing the profiles with third parties https://www.pymnts.com/news/regulation/2019/gdpr-complaint-data-google-iab/
• Article about GDPR today https://epic.org/2019/01/new-edition-of-gdpr-today-now-.html and the site https://www.gdprtoday.org/
• The controversial Facebook Research app has been banned and pulled from the Apple Store https://techcrunch.com/2019/01/30/apple-bans-facebook-vpn/. The app paid people including teens to track all their activity through a VPN https://techcrunch.com/2019/01/29/facebook-project-atlas/
• Apple temporarily revoked Facebook's distribution certificates over TOS violations causing internal chaos. Corporate and test applications not only don't install they no longer run https://www.theverge.com/2019/1/30/18203551/apple-facebook-blocked-internal-ios-apps
• Apple also temporarily revoked Google developer certificate for violations of their distribution policy https://www.theverge.com/2019/1/31/18205795/apple-google-blocked-internal-ios-apps-developer-certificate
• Google's Screenwise application was also pulled but much of the program is still active https://www.eff.org/deeplinks/2019/02/google-screenwise-unwise-trade-all-your-privacy-cash
• Privacy watchdog slams Yukon government for sharing personal employee records too widely https://www.cbc.ca/news/canada/north/privacy-watchdog-slams-yukon-gov-t-for-sharing-personal-employee-records-too-widely-1.4998062
• EFF opinion/analysis of Zuckerbergs' Wall Street Journal op-ed https://www.eff.org/deeplinks/2019/01/wsj-op-ed-mark-zuckerberg-speaks-down-users-and-misses-point

Laws & Regulations / Standards

News about laws, regulations, and standards affecting security, privacy,  technology, and public interest.

• NIST announces Post-Quantum Cryptography Standard round 2 candidates. Announcement: https://csrc.nist.gov/news/2019/pqc-standardization-process-2nd-round-candidates, News: https://www.nist.gov/news-events/news/2019/01/nist-reveals-26-algorithms-advancing-post-quantum-crypto-semifinals, and PQC Project: https://csrc.nist.gov/projects/post-quantum-cryptography
• Internal Report (NISTIR) 8240, Status Report on the First Round of the NIST Post-Quantum Cryptography Standardization Process Details: https://csrc.nist.gov/publications/detail/nistir/8240/final

• NIST has extended feedback periods on several draft documents - possibly in response to the US Government Shutdown

  • SP 800-57 Part 2 Rev. 1, Recommendation for Key Management Part 2: Best Practices for Key Management Organizations - Update: https://csrc.nist.gov/news/2018/nist-releases-2nd-draft-sp-800-57-part-2-rev-1 and details: https://csrc.nist.gov/publications/detail/sp/800-57-part-2/rev-1/draft CSRC
  • SP 800-189, Secure Interdomain Traffic Exchange: Routing Robustness and DDoS Mitigation - Update: https://csrc.nist.gov/news/2018/nist-releases-draft-sp-800-189-for-comment and details: https://csrc.nist.gov/publications/detail/sp/800-189/draft
  • SP 1800-16, Securing Web Transactions: TLS Server Certificate Management - Details: https://csrc.nist.gov/publications/detail/sp/1800-16/draft and Project: https://www.nccoe.nist.gov/projects/building-blocks/tls-server-certificate-management
• Court clears way for Equifax lawsuits https://www.theregister.co.uk/2019/01/29/equifaxlawsuitsapproved/
• Judge blocks Yahoo payout over lack of transparency https://www.bbc.com/news/technology-47044652
• Several states are considering new/improved consumer privacy laws https://www.bankinfosecurity.com/privacy-several-states-consider-new-laws-a-11988
• EFF is presenting in a federal appeal that clicking on a URL isn't sufficient for a search warrant https://www.eff.org/press/releases/hearing-thursday-eff-tells-court-clicking-url-isnt-enough-evidence-justify-search
• Medical device security framework https://www.careersinfosecurity.com/new-medical-device-cybersecurity-framework-unveiled-a-11976
• American bar association stands up for privacy in border crossings https://epic.org/2019/01/american-bar-association-takes.html
• ACTRA wants Canada to regulate search engines promote Canadian content or face penalties http://www.michaelgeist.ca/2019/01/actra-wants-government-to-penalize-search-engines-that-refuse-to-promote-canadian-content-in-search-results/

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• Mayhem - automating vulnerability discovery and patching at scale https://spectrum.ieee.org/computing/software/mayhem-the-machine-that-finds-software-vulnerabilities-then-patches-them
• How to secure mainframes http://vmblog.com/archive/2019/01/29/key-resources-2019-predictions-how-can-we-secure-the-mainframe-in-2019.aspx
• Japan plans mass security testing of IoT devices https://www.schneier.com/blog/archives/2019/01/japanese_govern.html
• Mozilla is working out rules for tracking practices the browser will block in future updates https://blog.mozilla.org/security/2019/01/28/defining-the-tracking-practices-that-will-be-blocked-in-firefox/
• Netcraft launches an anti-phishing app https://www.securityweek.com/netcraft-launches-anti-phishing-mobile-app
• Apparently free-Windows 10 upgrades are still available https://www.zdnet.com/article/heres-how-you-can-still-get-a-free-windows-10-upgrade/
• How to tell the difference between scam and legit CRA calls https://globalnews.ca/news/4907961/cra-phone-scams/

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• Major iPhone FaceTime bug lets you hear the audio of the person you are calling before they pick up https://9to5mac.com/2019/01/28/facetime-bug-hear-audio/
• WordPress plugin "Total Donations" is compromised by a zero-day and the developers are missing in action https://www.zdnet.com/article/wordpress-sites-under-attack-via-zero-day-in-abandoned-plugin/
• The LIFX smart light bulb is massively insecure https://www.schneier.com/blog/archives/2019/01/securityanalys6.html
• 5G may not protect from IMSI catchers (aka Stingrays) https://www.eff.org/deeplinks/2019/01/5g-protocol-may-still-be-vulnerable-imsi-catchers
• A year after a report found security in children's smart watches was terrible - almost nothing has changed https://www.schneier.com/blog/archives/2019/01/securityflaws3.html

Hacking / Malware / Cybercrime / Exploitation

News covering active trends and events.

• Criminals are actively exploiting SS7 telephone system vulnerabilities to attack bank accounts https://motherboard.vice.com/amp/en_us/article/mbzvxv/criminals-hackers-ss7-uk-banks-metro-bank
• Underground marketplace, xDedic, selling PII and access to servers taken down https://www.securityweek.com/authorities-seize-hacked-server-marketplace
• Law enforcement is now going after users of DDoS for hire services https://www.securityweek.com/authorities-track-down-users-ddos-services
• Beauty Camera apps collect photos, spew porn and force you to phishing sites https://blog.trendmicro.com/trendlabs-security-intelligence/various-google-play-beauty-camera-apps-sends-users-pornographic-content-redirects-them-to-phishing-websites-and-collects-their-pictures/
• APT 39 - an Iranian cyberespionage group interested in targeted personal information https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html
• 'Karma': Inside the hack used by the UAE to break into iPhones of foes https://www.reuters.com/investigates/special-report/usa-spying-karma/

Other Security / Risk

Articles covering other types of risks.

• Don't assume blind people can't use phones https://www.bbc.com/news/blogs-trending-47031509
• US prisons are building voice print databases https://theintercept.com/2019/01/30/prison-voice-prints-databases-securus/
• Canadian cyber-security statistics article https://www.packetlabs.net/canadian-cyber-security-statistics/ and full survey (by CIRA) https://cira.ca/sites/default/files/public/cybersecurityreport181015.pdf
• 3 ways to mess up GDPR compliance https://www.darkreading.com/vulnerabilities-and-threats/3-ways-companies-mess-up-gdpr-compliance-the-most/a/d-id/1333734
• Opinion: How would we know if Huawei is a risk?https://www.cbc.ca/news/technology/huawei-5g-security-testing-vulnerabilities-risks-proof-ban-1.4997957
• Israeli cyberexpert warns against using Huawei 5G citing Chinese telecom's BGP hijacking of Rogers customer Internet traffic in Ottawa in 2016 https://www.thestar.com/news/canada/2019/01/31/israeli-cyberexpert-detects-china-hack-in-ottawa-warns-against-using-huawei-5g.html
• Bizzare - the place where car-fobs stopped working https://www.cbc.ca/news/canada/calgary/carstairs-westview-co-op-grocery-car-key-fob-1.4999558 appear to be linked to faulty remote starter https://gizmodo.com/mystery-of-blocked-key-fobs-at-parking-lot-likely-solve-1832277387

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• Songs in the key of 'IT' https://www.theregister.co.uk/2018/11/14/thatoldtime2018it_songbook/
• Japanese astronomers using modified amateur equipment have spotted a "Planetesimal" (1-10km diamater object) in the outer solar system https://gizmodo.com/amateur-astronomy-equipment-may-have-spotted-tiny-objec-1832129450
• A list of the 10 largest non-planets in the solar system https://www.forbes.com/sites/startswithabang/2019/01/28/these-are-the-10-largest-non-planets-in-our-solar-system/
• One of the moon rocks returned by Apollo 14 turns out to have been blasted free of the Earth a very long time ago https://astroengine.com/2019/01/27/oldest-earth-rock-found-in-lunar-exile/
• Experiencing life at -40 https://www.sciencealert.com/this-is-what-40-actually-feels-like