This Week’s [in]Security – Issue 111 | insecurity | Control Gap

Welcome to This Week’s [in]Security. This week: a quiet week for PCI, rethinking cashless stores, large PII leak in India, Samsung projects exposed, more on what Alexa records, new laws for credit reporting agencies, the end (of passwords) is near, encrypted TVs, cookie overhaul, never claim something is unhackable, SAP vulnerabilities, Russian S-boxes, 3 AV companies breached, Evil Clippy, Exchange backdoor, bombs trump hackers, another crypto-heist, hunting supply side hackers, Windows with GPL'd Linux kernel, future relics, UBI, Helium, fixing the climate and more.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

News and announcements relating to Payment Security, Payments, PCI, and Card Brands.

• San Francisco to bar cashless-only stores https://www.pymnts.com/digital-payments/2019/san-francisco-bar-cashless-only-stores/
• Restaurants and retailers rethinking cashless https://www.mobilepaymentstoday.com/articles/restaurants-retailers-rethink-cashless-as-financial-inclusion-takes-center-stage/

Breaches / Leaks

Covering breaches, leaks, data exposures, and their fallout.

• Freedom Mobile server leak exposed data on 15K customers https://www.cbc.ca/news/business/freedom-mobile-data-breach-1.5126952
• Records on 275M Indian citizens exposed by an insecure Mongo db https://nakedsecurity.sophos.com/2019/05/10/275m-indian-citizens-records-exposed-by-insecure-mongodb-database/
• Samsung exposes multiple source code projects including SmartThings and credentials on GITlab https://www.forbes.com/sites/daveywinder/2019/05/09/samsung-investigates-massive-data-leak-what-you-need-to-know/
• $3M HIPAA settlement over delay in breach investigation https://www.careersinfosecurity.com/3-million-hipaa-settlement-in-delayed-breach-response-case-a-12451

Privacy

Articles about privacy related news, risks, and trends.

• Amazon collects Alexa recordings of your most intimate moments – here's how to listen to and delete them https://www.independent.co.uk/life-style/gadgets-and-tech/news/amazon-alexa-recording-listen-how-to-delete-echo-privacy-a8905326.html
• Airbnb superhost secretly recorded guests with hidden bedroom camera https://threatpost.com/airbnb-hidden-camera-bedroom/144508/
• Google is preaching the virtues of privacy https://www.nytimes.com/2019/05/07/technology/google-privacy-tools.html
• How to automatically delete the records Google saves of your searches and other app activity https://www.businessinsider.com/how-to-delete-google-search-history-app-activity-automatically-2019-5
• US Senator demands Mark Zuckerberg share details of
  Facebook crypto-currency project https://coingape.com/us-senator-demands-facebook-to-share-details-of-its-libra-crypto-payment-project/
• Deep learning will be the end of end to end encryption in social media https://www.forbes.com/sites/kalevleetaru/2019/05/11/deep-learning-will-be-the-end-of-end-to-end-encryption/

Laws & Regulations / Standards

News about laws, regulations, and standards affecting security, privacy,  technology, and public interest.

• Court refuses to keep patent licensor's secrets https://www.eff.org/deeplinks/2019/05/court-refuses-keep-patent-licensing-secrets
• Lawmakers introduce legislation regulating Equifax, credit reporting agencies http://epic.org/2019/05/lawmakers-introduce-legislatio.html

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• Android Q will require storage encryption on all devices including TVs https://www.slashgear.com/android-q-will-require-storage-encryption-on-all-devices-including-tvs-09576124/
• Cryptographic breakthrough allows using handshake-style encryption for time-delayed communications https://www.helpnetsecurity.com/2019/05/07/handshake-style-encryption/
• Chrome browser pushes SameSite cookie security overhaul https://nakedsecurity.sophos.com/2019/05/10/chrome-browser-pushes-samesite-cookie-security-overhaul/
• Microsoft launches new solutions to protect elections https://www.securityweek.com/microsoft-launches-new-solutions-protect-elections-hacking
• Microsoft to do away with passwords on Windows 10 https://www.forbes.com/sites/daveywinder/2019/05/11/microsoft-confirms-intent-to-replace-windows-10-passwords-for-800-million-users/
• Improving Active Directory security https://www.packetlabs.net/active-directory-security/
• What is application shielding https://www.wired.com/story/what-is-application-shielding/
• Protecting yourself from identity theft https://www.schneier.com/blog/archives/2019/05/protectingyour2.html
• Learning web application security https://www.packetlabs.net/learning-web-application-security/

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• Unlocked root account in Alpine Docker image https://www.bleepingcomputer.com/news/security/bug-in-alpine-linux-docker-image-leaves-root-account-unlocked/
• Panic alarms meant to keep granny and little Timmy safe prove a privacy fiasco https://www.theregister.co.uk/2019/05/11/panicalarmshackable/
• Controversy brewing over S-Boxes in Russian cryptographic algorithms Streebog and https://www.vice.com/en_us/article/43j3wm/experts-doubt-russian-encryption-standard-cryptography-backdoor-streebog-kuznyechik and https://eprint.iacr.org/2019/092
• 50,000 enterprise firms running SAP software vulnerable to attack https://www.zdnet.com/article/50000-enterprise-firms-running-sap-software-vulnerable-to-attack/
• ‘Unhackable’ encrypted flash drive eyeDisk is, as it happens, hackable https://techcrunch.com/2019/05/10/eyedisk-encrypted-flash-drive-unhackable/
• Hackers love these common configuration errors https://threatpost.com/top-5-configuration-mistakes-hackers/144457/

Hacking / Malware / Cybercrime / Exploitation

News covering active trends and events.

• Spammers and criminals increasingly using trusted services like Google and Azure storage to host malware https://www.theregister.co.uk/2019/05/07/filesharingsitesphishingresearch/
• Tax prep firm Wolters Kluwer servers opened to malware and outage https://krebsonsecurity.com/2019/05/whats-behind-the-wolters-kluwer-tax-outage/
• The "Dark Web" is smaller than you think https://www.darkreading.com/risk/the-dark-web-is-smaller-than-you-think/d/d-id/1334631
• Russian nation-state hacking group has been infiltrating Microsoft Exchange email servers since at least 2014 via a custom backdoor https://www.darkreading.com/application-security/russian-nation-state-group-employs-custom-backdoor-for-microsoft-exchange-server/d/d-id/1334628
• “RobbinHood” ransomware takes down Baltimore city government networks https://arstechnica.com/information-technology/2019/05/baltimore-city-government-hit-by-robbinhood-ransomware/
• This brings the idea of "hacking back" to a new level - reality https://www.wired.com/story/israel-hamas-cyberattack-air-strike-cyberwar/
• "Evil Clippy" - malicious macro creator https://www.schneier.com/blog/archives/2019/05/maliciousmsof.html
• Hackers breached 3 US antivirus companies https://arstechnica.com/information-technology/2019/05/hackers-breached-3-us-antivirus-companies-researchers-reveal/ and are selling access and source code https://www.bleepingcomputer.com/news/security/hackers-selling-access-and-source-code-from-antivirus-companies/
• Confluence servers hacked to install miners and rootkits https://www.bleepingcomputer.com/news/security/confluence-servers-hacked-to-install-miners-and-rootkits/
• $40.7M in Bitcoin stolen from Binance crypto-exchange https://www.coindesk.com/hackers-steal-40-7-million-in-bitcoin-from-crypto-exchange-binance
• On the trail of supply side hackers https://www.wired.com/story/barium-supply-chain-hackers/
• BBB warns of online small business lending scam https://www.pymnts.com/news/b2b-payments/2019/bbb-small-business-online-lending-scam/
• Ukrainian national facing wire fraud and other charges from over malvertising botnet https://www.bankinfosecurity.com/ukrainian-national-charged-in-malvertising-botnet-scheme-a-12450
• DOJ charges Chinese man over breach of 79M people’s personal data from Anthem health insurers https://www.businessinsider.com/chinese-hacker-stole-data-78-million-anthem-doj-say-2019-5
• ATM theft is still a thing https://globalnews.ca/news/5249643/kawartha-lakes-oshawa-men-charged-alleged-atm-theft-attempts/
• The NSA hacking tools leaked by Shadow Brokers were actively used by the Chinese a year earlier https://www.schneier.com/blog/archives/2019/05/leakednsahack.html

Other Security / Risk

Articles covering other types of risks.

• Windows 10 will soon ship with a full, open source, GPLed Linux kernel https://arstechnica.com/gadgets/2019/05/windows-10-will-soon-ship-with-a-full-open-source-gpled-linux-kernel/
• Microsoft unveils Windows Terminal, a new command line app for Window https://www.theverge.com/2019/5/6/18527870/microsoft-windows-terminal-command-line-tool
• The CIA open for business on TOR https://www.zdnet.com/article/cia-camps-out-in-anonymized-tor-network/
• Orange acquires cybersecurity firm SecureLink https://www.securityweek.com/orange-acquires-cybersecurity-firm-securelink
• Groundbreaking study could lead to fast, simple test for Ebola virus https://scienmag.com/groundbreaking-study-could-lead-to-fast-simple-test-for-ebola-virus/
• Future relics: Why AirPods are a tragedy https://www.vice.com/en_us/article/neaz3d/airpods-are-a-tragedy
• Content moderation .vs.interventions https://freedom-to-tinker.com/2019/05/07/choosing-between-content-moderation-interventions/
• Is the right to repair good or bad for cyber-security https://blog.isc2.org/isc2_blog/2019/05/right-to-repair-good-or-bad-for-cybersecurity.html
• Reverse engineering Chinese mass surveillance app https://www.eff.org/deeplinks/2019/05/human-rights-watch-reverse-engineers-mass-surveillance-app-used-police-xinjiang
• Car keys mysteriously stopped working in a small Ohio town https://www.sciencealert.com/a-strange-mystery-of-doors-that-wouldn-t-open-in-ohio-has-finally-been-solved (something similar happened in Alberta recently https://controlgap.com/blog/this-weeks-insecurity-issue-97/))
• Helium is non-renewable and in short supply - party store closing some locations https://www.ctvnews.ca/sci-tech/party-city-to-close-stores-amid-helium-shortage-1.4417073
• Study on UBI says it doesn't achieve its purpose https://www.businessinsider.com/universal-basic-income-new-study-says-it-doesnt-achieve-main-purpose-2019-5
• Couple who ate raw marmot for "health benefits" instead died of the plague https://www.washingtonpost.com/nation/2019/05/08/couple-ate-raw-marmot-believed-have-health-benefits-then-they-died-plague/

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• Scientists test radical ways to fix Earth's climate change problem https://www.bbc.com/news/science-environment-48069663
• For a split second, a Quantum Computer made history go backward https://www.nytimes.com/2019/05/08/science/quantum-physics-time.html