This Week’s [in]Security – Issue 105 - 2nd Anniversary Edition | insecurity | Control Gap

Welcome to This Week’s [in]Security. This week: PCI 2019 priorities, Kubernetes and PCI, card breaches at more restaurants, breaches at Toyota, medical cannabis, and 1B marketing data emails , Hospitals broadcasting PHA over insecure pager network, Toronto Stingrays, don't fall for 'birth year' or 'Florida Man' scams, the EU's PSD2 impact, NIST's usable cyber-security, Huawei's poor software practices, Asus auto-updates malware, Commando VM pentest platform, security vendor BS, data mining junked Tesla's, more crypto-currency thefts, Mexican bank heist, space junk, election tampering, outsourcer cost-cutting, and more.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

News and announcements relating to Payment Security, Payments, PCI, and Card Brands.

• The PCI Council's 2019 Priorities https://blog.pcisecuritystandards.org/pci-council-executive-director-on-2019-priorities
• Apple partners with bank to issue its own credit card https://arstechnica.com/information-technology/2019/03/apple-partners-with-goldman-sachs-to-offer-its-own-physical-credit-card/
• 96% of compromised payment cards were issued by US banks https://www.bankinfosecurity.com/payment-fraud-criminals-love-cards-issued-by-us-banks-a-12275
• How Paybase Overcame Default Kubernetes Security Settings for PCI DSS Compliance https://thenewstack.io/how-paybase-overcame-default-kubernetes-security-settings-for-pci-dss-compliance/

Breaches / Leaks

Covering breaches, leaks, data exposures, and their fallout.

• Emails of nearly 1 billion people leaked in massive data breach https://nypost.com/2019/03/29/emails-of-nearly-1-billion-people-leaked-in-massive-data-breach/
• Electronic data breach sees medical cannabis users' personal information compromised https://calgaryherald.com/cannabis/cannabis-news/electronic-data-breach-sees-medical-cannabis-users-personal-information-compromised
• Parent company of Buca di Beppo restaurants which was breached for 2M cards in February admits to 10 month breach. Other brands possibly affected include Planet Hollywood and Earl of Sandwich https://krebsonsecurity.com/2019/03/a-month-after-2-million-customer-cards-sold-online-buca-di-beppo-parent-admits-breach/
• Toyota Japan server with data on 3.1M customers breached https://www.securityweek.com/millions-toyota-customers-japan-hit-data-breach
• Patient data exposed at 2 Toronto hospitals via insecure pager network, privacy commissioner investigating https://toronto.citynews.ca/2019/03/25/exclusive-patient-data-exposed-at-2-toronto-hospitals-privacy-commissioner-investigating/
• Facebook's misguided approached to reporting the access token breach in Australia https://www.bankinfosecurity.com/facebooks-early-misguided-call-on-breach-disclosure-a-12265
• Proposed settlement in UCLA health breach affecting 4.5M people https://www.bankinfosecurity.com/interviews/analyzing-75-million-ucla-health-data-breach-settlement-i-4282
• Whitepages breach data now in HaveIbeenPwned https://haveibeenpwned.com/PwnedWebsites#Whitepages
• More fallout from the Panama Papers, CRA executes search warrants on Vancouver properties in tax evasion case https://www.cbc.ca/news/politics/canada-revenue-agency-tax-evasion-vancouver-1.5075426

Privacy

Articles about privacy related news, risks, and trends.

• Don't fall for 'Florida Man' phishing https://arstechnica.com/information-technology/2019/03/that-florida-man-challenge-phish-or-menace/
• EPIC has weighed in on a case involving Google's secret scanning of billions of personal image files for the US government https://epic.org/2019/03/epic-warns-appellate-court-of-.html
• Senate questions DOJ on location data surveillance https://epic.org/2019/03/senators-question-doj-about-su.html
• Researchers find mountains of sensitive data on totalled Teslas in junkyards https://boingboing.net/2019/03/30/greentheonly.html
• Thousands of bystanders caught in Toronto Police Stingray sweep of cellphone data https://www.thestar.com/news/gta/2019/03/24/thousands-of-bystanders-caught-in-toronto-police-sweep-of-cellphone-data.html

Laws & Regulations / Standards

News about laws, regulations, and standards affecting security, privacy,  technology, and public interest.

• Man suing Google over conspiracy theorists use of video of daughters death https://www.cbc.ca/radio/outintheopen/fighting-falsehoods-1.5056457/father-threatens-to-sue-google-after-online-conspiracy-theorists-allege-his-daughter-s-death-was-faked-1.5075733
• The EU's Payment Systems Directive 2 (PSD2) adds strong authentication and goes into effect this September and has implications for businesses outside Europe https://www.bankinfosecurity.com/far-reaching-implications-psd2-a-12274
• Tech companies reacting negatively to Australia's new laws. May result in a data exodus https://www.theguardian.com/technology/2019/mar/27/tech-companies-not-comfortable-storing-data-in-australia-microsoft-warns
• UK to ban anti-vaccine posts on social media https://www.independent.co.uk/life-style/gadgets-and-tech/news/anti-vax-facebook-twitter-instagram-vaccines-measles-mmr-a8841666.html
• EU passes controversial copyright law that includes meme bans https://www.independent.co.uk/life-style/gadgets-and-tech/news/eu-copyright-rules-article-13-11-meme-ban-voss-results-vote-a8840186.html
• NIST releases draft (SP) 800-204, Security Strategies for Microservices-based Application Systems. Update https://csrc.nist.gov/news/2019/nist-releases-draft-sp-800-204-for-public-comment and details https://csrc.nist.gov/publications/detail/sp/800-204/draft
• An unnamed government of about 30M people requested information on 58 million app users https://www.forbes.com/sites/thomasbrewster/2019/03/26/58-million-names-and-addresses-pleasetech-giants-reveal-wild-government-requests-for-data/
• Bulletproof TLS #51 on compliance impact of CA's using only 63 bits of entropy (not the required 64) https://www.feistyduck.com/bulletproof-tls-newsletter/issue51troublewithamissingrandombitinserialnumbers

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• Microsoft took control of 99 websites used by Iranian based hackers https://www.nytimes.com/2019/03/27/technology/microsoft-iranian-hackers.html
• Windows security: Microsoft Defender AV can now stop malware from disabling it https://www.zdnet.com/article/windows-security-microsoft-defender-av-can-now-stop-malware-from-disabling-it/
• Commando VM: a Windows based penetration testing distribution https://www.fireeye.com/blog/threat-research/2019/03/commando-vm-windows-offensive-distribution.html
• Firefox brings Lockbox password manager to Android’s autofill http://nakedsecurity.sophos.com/2019/03/28/firefox-brings-lockbox-password-manager-to-androids-autofill/
• NIST's usable cyber-security project https://csrc.nist.gov/projects/usable-cybersecurity
• Article on Doxing and some defenses https://www.comparitech.com/blog/vpn-privacy/what-is-doxxing-how-to-avoid/
• Fuzzing in the year 2000 (Part 2) a huge percentage of applications still crash or freeze 19 years later https://blog.trailofbits.com/2019/03/28/fuzzing-in-the-year-2000/
• US execuitve order to protect against EMP attack https://www.businessinsider.com/trump-signs-executive-order-electromagnetic-pulse-attack-2019-3

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• Over 30 vulnerabilities fixed in the Magneto e-commerce management tool https://www.tenable.com/blog/magento-security-updates-fix-over-30-bugs-including-an-unauthenticated-remote-code-execution
• Zero-Day TP-Link SR20 Router Vulnerability Disclosed by Google after TP-Link failed to respond https://www.bleepingcomputer.com/news/security/zero-day-tp-link-sr20-router-vulnerability-disclosed-by-google-dev/
• HTTPS and TLS sites still hide weaknesses from users https://www.wired.com/story/https-isnt-always-as-secure-as-it-seems/
• The real risk with Huawei may be shoddy software practices and bugs https://www.nytimes.com/2019/03/28/technology/huawei-security-british-report.html
• Huawei's failure to address identified vulnerabilities https://www.theregister.co.uk/2019/03/28/huaweimirairouter_vulnerability/
• Discussion and link to article on NSA-inspired driver vulnerability in Huawei laptops https://www.schneier.com/blog/archives/2019/03/nsa-inspired_vu.html
• Researchers have found ways to exploit an Intel chip testing technology called VISA https://threatpost.com/undocumented-intel-visa-tech-can-be-abused-researchers-allege/143283/
• Can phone apps steal your banking PIN and passwords? Let us count the ways https://www.lightbluetouchpaper.org/2019/03/29/could-a-gaming-app-steal-your-bank-pin/
• Researchers report improved quantum cryptographic attacks against a class of Feistel ciphers https://eprint.iacr.org/2019/327

Hacking / Malware / Cybercrime / Exploitation

News covering active trends and events.

• WinRAR actively being exploited in the wild https://www.fireeye.com/blog/threat-research/2019/03/winrar-zero-day-abused-in-multiple-campaigns.html
• Asus's automatic update process got hacked and malware was pushed out. Includes links to diagnostic tools https://www.schneier.com/blog/archives/2019/03/malware_install.html
• It turns out Asus was warned months in advance https://techcrunch.com/2019/03/27/asus-hacking-risk/
• How hackers pulled off a $20 million bank heist in Mexico https://arstechnica.com/information-technology/2019/03/how-hackers-pulled-of-a-20-million-bank-heist/
• $19M stolen from Bithumb crypto exchange https://thehackernews.com/2019/03/bithumb-cryptocurrency-hacked.html
• Operation SaboTor: Police arrested 61 vendors and buyers in the dark web https://securityaffairs.co/wordpress/82974/deep-web/operation-sabotor-dark-web.html
• Kaspersky reports that in 2018 over 47% of industrial control systems were attaked by malware https://www.securityweek.com/nearly-half-ics-devices-protected-kaspersky-targeted-2018
• Variants of 'LockerGoga' ransomware used on Norsk Hydro seems focused on damage https://threatpost.com/lockergoga-ransomware-norsk-hydro-wiper/143181/
• US companies Hexion and Momentive also hit by 'LockerGoga' are furiously replacing computers https://motherboard.vice.com/en_us/article/8xyj7g/ransomware-forces-two-chemical-companies-to-order-hundreds-of-new-computers
• Office Depot fined millions for tricking customers into believing their PCs were infected with malware https://securityboulevard.com/2019/03/office-depot-fined-millions-for-tricking-customers-into-believing-their-pcs-were-infected-with-malware/
• Man behind fatal swatting sentenced to 20 years https://krebsonsecurity.com/2019/03/man-behind-fatal-swatting-gets-20-years/
• UK man who was sacked after four weeks stole login credentials and deleted his ex-employers AWS servers gets two years https://www.datex.ca/blog/sacked-it-guy-annihilates-23-of-his-ex-employers-aws-servers
• Ex-NSA employee associated within Shadow Broker release of NSA tools pleads guilty to 1 count of retaining sensitive information over a 20 year period https://thehackernews.com/2019/03/nsa-classified-material.html

Other Security / Risk

Articles covering other types of risks.

• What students think of government cyber jobs https://fcw.com/articles/2019/03/22/what-students-think-of-government-cyber-jobs.aspx
• Security vendor behavior that annoys CISO's https://cisoseries.com/30-security-vendor-behaviors-that-set-off-a-cisos-bs-detector/
• Study of GPS spoofing found almost 10K incidents since 2016 https://www.darkreading.com/risk/russia-regularly-spoofs-regional-gps/d/d-id/1334262
• Reaction to Facebook’s password breach suggest the public doesn’t really care about cybersecurity https://www.forbes.com/sites/kalevleetaru/2019/03/23/facebooks-password-breach-suggests-the-public-sees-cybersecurity-as-obsolete/
• Could Facebook start mining WhatsApp messages for ads and counter terrorism? https://www.forbes.com/sites/kalevleetaru/2019/03/23/could-facebook-start-mining-decrypted-whatsapp-messages-for-ads-and-counter-terrorism/
• Where do reluctant attitudes toward mainframe security come from? https://www.linkedin.com/pulse/where-do-reluctant-attitudes-toward-mainframe-security-ray-overby
• Outsourcer DXC cutting $60M from information security budget https://www.theregister.co.uk/2019/03/26/dxcsecurityspending/
• Lack of visibility into cloud systems presents a security risk https://www.darkreading.com/analytics/87--of-cloud-pros-say-visibility-masks-security/d/d-id/1334236
• India tested an anti-satellite weapon and created a debris field estimate to contain 6500 objects https://www.businessinsider.com/india-anti-satellite-missile-test-space-debris-cloud-2019-3
• Russian election meddling testing new tactic in Ukraine https://www.nytimes.com/2019/03/29/world/europe/ukraine-russia-election-tampering-propaganda.html
• Facebook and Instagram extend hate speech ban to white nationalism https://globalnews.ca/news/5102194/facebook-white-nationalists-hate-speech/
• Don’t fall for birth year hoax, you may get locked out of Twitter https://www.independent.co.uk/life-style/gadgets-and-tech/news/twitter-birth-year-hoax-colour-scheme-change-birthday-prank-a8841541.html
• Opinion: Why is renewable energy back by big oil? https://www.forbes.com/sites/michaelshellenberger/2019/03/28/the-dirty-secret-of-renewables-advocates-is-that-they-protect-fossil-fuel-interests-not-the-climate/
• Falling into the Grand Canyon https://globalnews.ca/news/5110075/grand-canyon-tourist-dies-photos-death/
• April Fools pranks that went wrong https://www.businessinsider.com/april-fools-day-pranks-gone-wrong-2019-3

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• Canadians win $1M Turing Award for AI research https://www.cbc.ca/news/technology/turing-award-ai-deep-learning-1.5070415
• A mass grave of dinosaurs and fish from the Chicxulub impact has been found in North Dakota https://scienmag.com/stunning-discovery-offers-glimpse-of-minutes-following-dinosaur-killer-chicxulub-impact/
• University of Regina researchers have made a major discovery in the fight against Alzheimer's disease https://globalnews.ca/news/5112900/u-of-r-researcher-makes-ground-breaking-discovery-in-alzheimers/
• Artificial cell with photosynthesis https://www.sciencealert.com/scientists-have-developed-an-artificial-cell-that-photosynthesises-to-produce-energy
• A class of particle with five quarks has been discovered https://www.sciencealert.com/cern-adds-mysterious-pentaquark-particles-to-the-growing-family-of-matter
• Hubble called into action after a main belt asteroid suddenly sprouted a tail - turns out it's spinning so fast it's falling apart https://www.syfy.com/syfywire/hubble-watches-as-an-asteroid-starts-to-tear-itself-apart
• Two new exo-planets discovered using artificial intelligence https://phys.org/news/2019-03-planets-artificial-intelligence.html