This Week’s [in]Security – Issue 98 | insecurity | Control Gap

Welcome to This Week’s [in]Security. This week: best practice for DSS assessments, crypto-currency CEO dies with only password to $190M, breaches at Houzz, Rubrik, Huddle House, and more, US carriers selling location data again, is Facebook getting serious on privacy, cryptography for slow phones, new TLS attacks, banks and anti-money laundering operations targeted, block-chain hype and trust, and more.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

News and announcements relating to Payment Security, Payments, PCI, and Card Brands.

• Rotating lead QSA's as a quality measure https://blog.pcisecuritystandards.org/lead-qsa-rotation-as-best-practice
• riticism of crypto-currencies https://arstechnica.com/information-technology/2019/02/researcher-counts-the-reasons-he-wants-cryptocurrency-burned-with-fire/

Breaches / Leaks

Covering breaches, leaks, data exposures, and their fallout.

• Data management giant Rubrik exposed an unprotected database of client data https://techcrunch.com/2019/01/29/rubrik-data-leak/
• Houzz announced they experienced a data breach including external and internal account information, PII, and salted passwords. The number of affected records has not been released yet. https://www.bleepingcomputer.com/news/security/houzz-break-in-data-breach-announced/
• Atlanta based Huddle House restaurants suffers POS malware breach https://www.securityweek.com/huddle-house-suffers-payment-card-breach
• South Africa's electric utility, Eskom, exposed customer data including names, credit card numbers and security codes, and apparently ignored the researcher until he made it public https://www.zdnet.com/article/hackers-reveal-data-leak-at-south-africas-main-electricity-provider-on-twitter/
• TV viewing monitoring app Trakt admits to 2014 PHP breach that exposed users names, locations, email, and encrypted passwords https://www.theregister.co.uk/2019/02/07/trakthitbyphpexploitin2014appusersdeetsexplosedbutthankfullypaymentinfonotpartofthedataleak/
• An executive of Atrient, a vendor of Casino loyalty program kiosks, assaults security researcher at conference after multiple breach and vulnerability disclosure in offshore operations https://www.secjuice.com/security-researcher-assaulted-ice-atrient/
• Another app exposes private messages and photos - this one a gay dating app https://arstechnica.com/information-technology/2019/02/indecent-disclosure-gay-dating-app-left-private-exposed-to-web/
• Few deatils but the Australian Parliament's network was breached https://www.bankinfosecurity.com/hack-attack-breaches-australian-parliament-network-a-12012

Privacy

Articles about privacy related news, risks, and trends.

• Facebook has hired some noted privacy experts https://www.schneier.com/blog/archives/2019/02/facebooksnewp.html
• Facebook faces investigation by privacy commissioner over RBC access https://business.financialpost.com/news/fp-street/rbc-faces-investigation-by-privacy-commissioner-over-facebook-access
• US cellphone networks caught selling user location data again https://www.theregister.co.uk/2019/02/08/mobilecompaniesselling_locations/
• Book review: The Age of Surveillance Capitalism https://theintercept.com/2019/02/02/shoshana-zuboff-age-of-surveillance-capitalism/

Laws & Regulations / Standards

News about laws, regulations, and standards affecting security, privacy,  technology, and public interest.

• NIST is now announcing its intent to standardize Stateful Hash-Based Signatures (HBS) including the LMS and XMSS schemes Stateful Hash-Based Signatures Project: https://csrc.nist.gov/projects/stateful-hash-based-signatures and Request for Public Comments: https://csrc.nist.gov/news/2019/stateful-hbs-request-for-public-comments
• NIST Webinar on February 28th about SP 800-37 rev 2 Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy https://go.usa.gov/xENcs
• EFF Stupid Patent of the Month goes to IBM for a broadly worded and obvious texting and driving aid https://www.eff.org/deeplinks/2019/01/stupid-patent-month-ibms-software-patent-texting-and-driving
• EFF opposed Virginia online voting bills https://www.eff.org/deeplinks/2019/02/no-online-voting-virginia
• German antitrust authorities restrict Facebook's use of data from multiple sources https://www.cbc.ca/news/world/germany-restricts-facebook-data-use-1.5009140
• India drafts new oversight rules for Chinese social media app companies https://www.pymnts.com/news/regulation/2019/india-chinese-apps-tiktok/
• NYPD sent a letter to Google & Waze to stop sharing the locations of Sobriety checkpoints https://www.nytimes.com/2019/02/06/nyregion/waze-nypd-location.html
• EPIC urges Congress to update surveillance safeguards https://epic.org/2019/02/epic-to-congress-update-survei-1.html

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• Interesting article about how deception changes the rules of engagement in cyber security https://www.information-age.com/engagement-in-cyber-security-123478673/
• "Adiantum" - no it's not the magic metal inside "Wolverine" - it's Google's storage encryption for the unaccelerated. Many devices don't have crypto accelerators and simply can't support AES. Now Google has an answer based on the ChaCha20 stream cipher https://security.googleblog.com/2019/02/introducing-adiantum-encryption-for.html
• Google open sources ClusterFuzz tool https://www.securityweek.com/google-open-sources-fuzzing-platform
• Now Firefox to add site isolation to strengthen the browser against attacks like Spectre and Meltdown https://www.securityweek.com/site-isolation-coming-firefox
• Chrome extension to detect unsafe passwords https://www.wired.com/story/password-checkup-chrome-extension/
• Google's Tensorflow ML framework helps Gmail block spam https://www.darkreading.com/endpoint/google-tackles-gmail-spam-with-tensorflow/d/d-id/1333807

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• The RSA Data Privacy & Security Survey 2019 finds that privacy concerns vary culturally and generationally https://www.rsa.com/en-us/company/news/the-dark-side-of-customer-data
• New downgrade attack against RSA PKCS#1 v1.5 can break TLS 1.3 and QUIC. Patches issued. https://www.zdnet.com/article/new-tls-encryption-busting-attack-also-impacts-the-newer-tls-1-3/
• Malicious PNG image files can trigger remote code execution on Android 7-9 https://thehackernews.com/2019/02/hack-android-with-image.html
• Several major airlines use unencrypted check-in https://www.securityweek.com/check-links-sent-several-airlines-expose-passenger-data
• The Equifax/Struts vulnerability keeps on giving. Organizations need to patch their management devices too - detailed dive into a VMware vCenter Struts exploit https://isc.sans.edu/forums/diary/Struts+Vulnerability+CVE20175638+on+VMware+vCenter+the+Gift+that+Keeps+on+Giving/24606/
• GoDaddy is still being exxploited for spam https://krebsonsecurity.com/2019/02/crooks-continue-to-exploit-godaddy-hole/
• Remote code execution in LibreOffice (patched) and OpenOffice (unpatched) https://thehackernews.com/2019/02/hacking-libreoffice-openoffice.html
• MS Exchange privilege elevation vulnerability https://threatpost.com/microsoft-confirms-serious-privexchange-vulnerability/141553/
• More IoT insecurity - grocery store freezers vulnerable https://www.engadget.com/2019/02/08/resource-data-management-thermostat-password-hack/
• Example of researcher dilemma with responsible disclosure and end-of-life products https://www.securityweek.com/zero-day-vulnerability-highlights-responsible-disclosure-dilemma

Hacking / Malware / Cybercrime / Exploitation

News covering active trends and events.

• Fake version of the Psiphon privacy tool conceals nasty spyware https://www.zdnet.com/article/now-this-android-spyware-poses-as-a-privacy-tool-to-trick-you-into-downloading/
• Credit Union Anti-Money-Laundering officers targeted by phishing campaign https://krebsonsecurity.com/2019/02/phishers-target-anti-money-laundering-officers-at-u-s-credit-unions/
• Phishing attack targeting Facebook and Google credentials using alert emails hiding behind Google Translate https://threatpost.com/clever-phishing-attack-enlists-google-translate-to-spoof-facebook-login-page/141571/
• Abusing Gmail's "dot insensitivity" to commit fraud https://www.schneier.com/blog/archives/2019/02/usinggmaildot.html
• How APT hacking groups get their names https://threatpost.com/the-apt-name-game-how-grim-threat-actors-get-goofy-monikers/141445
• Report attributes 60% of cryptocurrecny exchange hacks to two groups https://www.zdnet.com/article/two-hacker-groups-responsible-for-60-percent-of-all-publicly-reported-hacks/
• Police in many countries continue operations against users of "Stresser" DDoS for hire services https://www.bankinfosecurity.com/stress-test-police-visit-webstresser-stresserbooter-users-a-12008
• Canadian banks and industries targeted by nation state hackers. Article https://www.thestar.com/news/canada/2019/02/06/hackers-targeting-canadian-banks-mining-companies-expert-tells-mps.html and report https://www.scalar.ca/en/landing/2019-security-study/
• Scalar and IDC Canada study shows cost of a breach is on the rise https://www.datex.ca/blog/cost-of-a-cyber-security-breach-reaches-a-record-high-as-canadian-businesses-spend-up-to-5.8-million-to-recover
• Chinese APT group targeted US Law Firm and major Norwegian managed service provider https://www.securityweek.com/chinese-hackers-spy-us-law-firm-major-norwegian-msp
• A programmer working for Huaxia, a Chinese bank, found and exploited a bug that let him withdraw money without detection. He was caught 14 months and $1M later. The bank didn't want to press charges. https://www.independent.co.uk/life-style/gadgets-and-tech/news/free-money-cash-atm-trick-withdraw-china-a8765421.html
• More SIM swapping charges laid https://krebsonsecurity.com/2019/02/more-alleged-sim-swappers-face-justice/

Other Security / Risk

Articles covering other types of risks.

• Huawei needs $2B and 3-5 years to address British security concerns https://www.reuters.com/article/us-huawei-europe-britain-exclusive-idUSKCN1PV1CG
• The risk of a nation state cyber attack crippling the US https://www.bankinfosecurity.com/memo-nation-state-malware-attack-could-cripple-us-a-12005
• Related risks of attacks against western governments and financial institutions https://www.cbc.ca/news/politics/cyber-warfare-sanctions-denial-service-cia-1.5008956
• Failure to allow for contingencies! The head of a cryptocurrency exchange held the only password for their cold storage holding almost $200M. Then he died. https://www.foxnews.com/tech/cryptocurrency-exchange-chief-dies-with-passwords-needed-to-unlock-customers-190m-reports-say
• Excellent Schneier essay: "There's No Good Reason to Trust Blockchain Technology" - talks about the hype, different trust models, and realities with blockchain and finds them lacking https://www.wired.com/story/theres-no-good-reason-to-trust-blockchain-technology/
• Discussion and link to report about Chinese AI strategy and (national) security implications https://www.schneier.com/blog/archives/2019/02/chinasaistrat.html
• Abusing Google Maps, "Claim this Business" is a risk for businesses and others. This time a student changed the name of their school to Hell on Earth https://www.independent.co.uk/life-style/gadgets-and-tech/news/google-maps-2019-latest-funny-hornsea-school-rename-hell-on-earth-a8765956.html
• UK police trial of facial recognition technology makes one arrest https://www.theregister.co.uk/2019/02/06/metpolicecoptojustonesuccessfularrestduringlatestfacialrecogtrial/
• Rome's airport temporarily closed to deal with leftover WWII bombs https://www.thestar.com/news/world/europe/2019/02/07/rome-airport-temporarily-closed-by-discovery-of-wwii-bombs.html
• Idaho is seeing an increase in mountain lion attacks https://globalnews.ca/news/4933985/woman-breaking-up-dog-fight-grabs-mountain-lion/
• Calgary home invasions by fake cops https://globalnews.ca/news/4938039/northeast-calgary-home-invasion-impersonating-officers/

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• Superfast 3D printer using light isn't quite the replicators of Star Trek fame but it is impressive https://www.sciencealert.com/scientists-have-created-a-replicator-aka-a-super-fast-3d-printer
• NASA and the ESA are about to kick, move, and probe "Didymoon" the 160m sized moon of an asteroid https://www.universetoday.com/141419/esa-is-planning-a-mission-to-the-smallest-spacerock-ever-visited-the-moon-of-an-asteroid/
• Generation ships are the stuff of Sci-Fi, but how big would one need to be? https://www.universetoday.com/141407/how-big-would-a-generation-ship-need-to-be-to-keep-a-crew-of-500-alive-for-the-journey-to-another-star-1/