This Week’s [in]Security – Issue 98
Welcome to This Week’s [in]Security. This week: best practice for DSS assessments, crypto-currency CEO dies with only password to $190M, breaches at Houzz, Rubrik, Huddle House, and more, US carriers selling location data again, is Facebook getting serious on privacy, cryptography for slow phones, new TLS attacks, banks and anti-money laundering operations targeted, block-chain hype and trust, and more.
Now here’s this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.
PCI Compliance and Payments
News and announcements relating to Payment Security, Payments, PCI, and Card Brands.
- Rotating lead QSAs as a quality measure https://blog.pcisecuritystandards.org/lead-qsa-rotation-as-best-practice
- Criticism of crypto-currencies https://arstechnica.com/information-technology/2019/02/researcher-counts-the-reasons-he-wants-cryptocurrency-burned-with-fire/
Breaches / Leaks
Covering breaches, leaks, data exposures, and their fallout.
- Data management giant Rubrik exposed an unprotected database of client data https://techcrunch.com/2019/01/29/rubrik-data-leak/
- Houzz announced they experienced a data breach including external and internal account information, PII, and salted passwords. The number of affected records has not been released yet. https://www.bleepingcomputer.com/news/security/houzz-break-in-data-breach-announced/
- Atlanta-based restaurant chain Huddle House suffers a POS malware breach https://www.securityweek.com/huddle-house-suffers-payment-card-breach
- South Africa’s electric utility, Eskom, exposed customer data including names, credit card numbers and security codes, and apparently ignored the researcher until he made it public https://www.zdnet.com/article/hackers-reveal-data-leak-at-south-africas-main-electricity-provider-on-twitter/
- TV viewing monitoring app Trakt admits to a 2014 PHP breach that exposed users’ names, locations, email addresses, and encrypted passwords https://www.theregister.co.uk/2019/02/07/trakt_hit_by_php_exploit_in_2014_app_users_deets_explosed_but_thankfully_payment_info_not_part_of_the_data_leak/
- An executive of Atrient, a vendor of casino loyalty program kiosks, assaulted a security researcher at a conference after multiple breach and vulnerability disclosures concerning its offshore operations https://www.secjuice.com/security-researcher-assaulted-ice-atrient/
- Another app exposes private messages and photos – this one a gay dating app https://arstechnica.com/information-technology/2019/02/indecent-disclosure-gay-dating-app-left-private-exposed-to-web/
- Few details yet, but the Australian Parliament’s network was breached https://www.bankinfosecurity.com/hack-attack-breaches-australian-parliament-network-a-12012
Privacy
Articles about privacy-related news, risks, and trends.
- Facebook has hired some noted privacy experts https://www.schneier.com/blog/archives/2019/02/facebooks_new_p.html
- Facebook faces investigation by privacy commissioner over RBC access https://business.financialpost.com/news/fp-street/rbc-faces-investigation-by-privacy-commissioner-over-facebook-access
- US cellphone networks caught selling user location data again https://www.theregister.co.uk/2019/02/08/mobile_companies_selling_locations/
- Book review: The Age of Surveillance Capitalism https://theintercept.com/2019/02/02/shoshana-zuboff-age-of-surveillance-capitalism/
Laws & Regulations / Standards
News about laws, regulations, and standards affecting security, privacy, technology, and public interest.
- NIST is now announcing its intent to standardize Stateful Hash-Based Signatures (HBS), including the LMS and XMSS schemes. Stateful Hash-Based Signatures Project: https://csrc.nist.gov/projects/stateful-hash-based-signatures and Request for Public Comments: https://csrc.nist.gov/news/2019/stateful-hbs-request-for-public-comments
- NIST Webinar on February 28th about SP 800-37 rev 2 Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy https://go.usa.gov/xENcs
- EFF Stupid Patent of the Month goes to IBM for a broadly worded and obvious texting and driving aid https://www.eff.org/deeplinks/2019/01/stupid-patent-month-ibms-software-patent-texting-and-driving
- EFF opposed Virginia online voting bills https://www.eff.org/deeplinks/2019/02/no-online-voting-virginia
- German antitrust authorities restrict Facebook’s use of data from multiple sources https://www.cbc.ca/news/world/germany-restricts-facebook-data-use-1.5009140
- India drafts new oversight rules for Chinese social media app companies https://www.pymnts.com/news/regulation/2019/india-chinese-apps-tiktok/
- NYPD sent a letter to Google and Waze asking them to stop sharing the locations of sobriety checkpoints https://www.nytimes.com/2019/02/06/nyregion/waze-nypd-location.html
- EPIC urges Congress to update surveillance safeguards https://epic.org/2019/02/epic-to-congress-update-survei-1.html
Defense / Techniques / Solutions
Covering developments and opportunities that may help improve security.
- Interesting article about how deception changes the rules of engagement in cyber security https://www.information-age.com/engagement-in-cyber-security-123478673/
- “Adiantum” – no, it’s not the magic metal inside “Wolverine” – it’s Google’s storage encryption for the unaccelerated. Many low-end devices have no AES hardware acceleration and simply can’t run AES fast enough for full-disk encryption. Now Google has an answer based on the ChaCha20 stream cipher https://security.googleblog.com/2019/02/introducing-adiantum-encryption-for.html
- Google open sources ClusterFuzz tool https://www.securityweek.com/google-open-sources-fuzzing-platform
- Firefox is now also adding site isolation to strengthen the browser against attacks like Spectre and Meltdown https://www.securityweek.com/site-isolation-coming-firefox
- Chrome extension to detect unsafe passwords https://www.wired.com/story/password-checkup-chrome-extension/
- Google’s Tensorflow ML framework helps Gmail block spam https://www.darkreading.com/endpoint/google-tackles-gmail-spam-with-tensorflow/d/d-id/1333807
Bugs / Design Flaws / Vulnerabilities / Research
Articles about newly discovered vulnerabilities and research.
- The RSA Data Privacy & Security Survey 2019 finds that privacy concerns vary culturally and generationally https://www.rsa.com/en-us/company/news/the-dark-side-of-customer-data
- New downgrade attack against RSA PKCS#1 v1.5 can break TLS 1.3 and QUIC. Patches issued. https://www.zdnet.com/article/new-tls-encryption-busting-attack-also-impacts-the-newer-tls-1-3/
- Malicious PNG image files can trigger remote code execution on Android 7-9 https://thehackernews.com/2019/02/hack-android-with-image.html
- Several major airlines send unencrypted check-in links that expose passenger data https://www.securityweek.com/check-links-sent-several-airlines-expose-passenger-data
- The Equifax/Struts vulnerability keeps on giving. Organizations need to patch their management devices too – detailed dive into a VMware vCenter Struts exploit https://isc.sans.edu/forums/diary/Struts+Vulnerability+CVE20175638+on+VMware+vCenter+the+Gift+that+Keeps+on+Giving/24606/
- GoDaddy is still being exploited for spam https://krebsonsecurity.com/2019/02/crooks-continue-to-exploit-godaddy-hole/
- Remote code execution in LibreOffice (patched) and OpenOffice (unpatched) https://thehackernews.com/2019/02/hacking-libreoffice-openoffice.html
- MS Exchange privilege elevation vulnerability https://threatpost.com/microsoft-confirms-serious-privexchange-vulnerability/141553/
- More IoT insecurity – grocery store freezers vulnerable https://www.engadget.com/2019/02/08/resource-data-management-thermostat-password-hack/
- Example of researcher dilemma with responsible disclosure and end-of-life products https://www.securityweek.com/zero-day-vulnerability-highlights-responsible-disclosure-dilemma
Hacking / Malware / Cybercrime / Exploitation
News covering active trends and events.
- Fake version of the Psiphon privacy tool conceals nasty spyware https://www.zdnet.com/article/now-this-android-spyware-poses-as-a-privacy-tool-to-trick-you-into-downloading/
- Credit Union Anti-Money-Laundering officers targeted by phishing campaign https://krebsonsecurity.com/2019/02/phishers-target-anti-money-laundering-officers-at-u-s-credit-unions/
- Phishing attack targeting Facebook and Google credentials using alert emails hiding behind Google Translate https://threatpost.com/clever-phishing-attack-enlists-google-translate-to-spoof-facebook-login-page/141571/
- Abusing Gmail’s “dot insensitivity” to commit fraud https://www.schneier.com/blog/archives/2019/02/using_gmail_dot.html
- How APT hacking groups get their names https://threatpost.com/the-apt-name-game-how-grim-threat-actors-get-goofy-monikers/141445
- Report attributes 60% of cryptocurrency exchange hacks to two groups https://www.zdnet.com/article/two-hacker-groups-responsible-for-60-percent-of-all-publicly-reported-hacks/
- Police in many countries continue operations against users of “Stresser” DDoS for hire services https://www.bankinfosecurity.com/stress-test-police-visit-webstresser-stresserbooter-users-a-12008
- Canadian banks and industries targeted by nation state hackers. Article https://www.thestar.com/news/canada/2019/02/06/hackers-targeting-canadian-banks-mining-companies-expert-tells-mps.html and report https://www.scalar.ca/en/landing/2019-security-study/
- Scalar and IDC Canada study shows cost of a breach is on the rise https://www.datex.ca/blog/cost-of-a-cyber-security-breach-reaches-a-record-high-as-canadian-businesses-spend-up-to-5.8-million-to-recover
- Chinese APT group targeted a US law firm and a major Norwegian managed service provider https://www.securityweek.com/chinese-hackers-spy-us-law-firm-major-norwegian-msp
- A programmer working for Huaxia, a Chinese bank, found and exploited a bug that let him withdraw money without detection. He was caught 14 months and $1M later. The bank didn’t want to press charges. https://www.independent.co.uk/life-style/gadgets-and-tech/news/free-money-cash-atm-trick-withdraw-china-a8765421.html
- More SIM swapping charges laid https://krebsonsecurity.com/2019/02/more-alleged-sim-swappers-face-justice/
Other Security / Risk
Articles covering other types of risks.
- Huawei needs $2B and 3-5 years to address British security concerns https://www.reuters.com/article/us-huawei-europe-britain-exclusive-idUSKCN1PV1CG
- The risk of a nation state cyber attack crippling the US https://www.bankinfosecurity.com/memo-nation-state-malware-attack-could-cripple-us-a-12005
- Related risks of attacks against western governments and financial institutions https://www.cbc.ca/news/politics/cyber-warfare-sanctions-denial-service-cia-1.5008956
- Failure to allow for contingencies! The head of a cryptocurrency exchange held the only password to its cold storage, holding almost $200M. Then he died. https://www.foxnews.com/tech/cryptocurrency-exchange-chief-dies-with-passwords-needed-to-unlock-customers-190m-reports-say
- Excellent Schneier essay: “There’s No Good Reason to Trust Blockchain Technology” – talks about the hype, different trust models, and realities with blockchain and finds them lacking https://www.wired.com/story/theres-no-good-reason-to-trust-blockchain-technology/
- Discussion and link to report about Chinese AI strategy and (national) security implications https://www.schneier.com/blog/archives/2019/02/chinas_ai_strat.html
- Abusing Google Maps, “Claim this Business” is a risk for businesses and others. This time a student changed the name of their school to Hell on Earth https://www.independent.co.uk/life-style/gadgets-and-tech/news/google-maps-2019-latest-funny-hornsea-school-rename-hell-on-earth-a8765956.html
- UK police trial of facial recognition technology makes one arrest https://www.theregister.co.uk/2019/02/06/met_police_cop_to_just_one_successful_arrest_during_latest_facial_recog_trial/
- Rome’s airport temporarily closed to deal with leftover WWII bombs https://www.thestar.com/news/world/europe/2019/02/07/rome-airport-temporarily-closed-by-discovery-of-wwii-bombs.html
- Idaho is seeing an increase in mountain lion attacks https://globalnews.ca/news/4933985/woman-breaking-up-dog-fight-grabs-mountain-lion/
- Calgary home invasions by fake cops https://globalnews.ca/news/4938039/northeast-calgary-home-invasion-impersonating-officers/
Off-Topic / Science & Tech / Lighter Side
A variety of scientific, technical, historical, and more light-hearted news.
- Superfast 3D printer using light isn’t quite the replicators of Star Trek fame but it is impressive https://www.sciencealert.com/scientists-have-created-a-replicator-aka-a-super-fast-3d-printer
- NASA and the ESA are about to kick, move, and probe “Didymoon”, the 160 m moon of an asteroid https://www.universetoday.com/141419/esa-is-planning-a-mission-to-the-smallest-spacerock-ever-visited-the-moon-of-an-asteroid/
- Generation ships are the stuff of Sci-Fi, but how big would one need to be? https://www.universetoday.com/141407/how-big-would-a-generation-ship-need-to-be-to-keep-a-crew-of-500-alive-for-the-journey-to-another-star-1/
Becoming PCI Compliant can be difficult, so why not let Control Gap guide you. We are the largest dedicated PCI compliance company in Canada. Contact us today and learn more about how we can help you: Get PCI Compliant. Stay PCI Compliant.