This Week’s [in]Security – Issue 112 | insecurity | Control Gap

Welcome to This Week’s [in]Security. This week:  P2PEv3 comment period, new FAQ on alternate password controls, Magecart skewers 3 more big fish, Panama and Australia largely breached, Equifax breach cost update, Facebook again, GLBA to mandate pen-testing, more Intel flaws, XP patched again, scary WhatsApp exploit used in the wild, SHA-1 attacks improved, the value of an IPv4 address, Bluetooth risks, landing navigation can be hacked, and more.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

News and announcements relating to Payment Security, Payments, PCI, and Card Brands.

• PCI Council schedule for request for comments including P2PE v3 (beginning this week), PTS POI v6, Contactless on COTS v1, DSS v4 https://www.pcisecuritystandards.org/getinvolved/requestfor_comments
• New FAQ #1467 https://pcissc.secure.force.com/faq/articles/FrequentlyAskedQuestion/Can-organizations-use-alternative-password-management-methods-to-meet-PCI-DSS-Requirement-8
• Updated list of PCI FAQ's https://controlgap.com/index-pci-frequently-asked-questions/
• Cyber-security leaders emphasize payment security and cooperation https://www.pcisecuritystandards.org/aboutus/pressreleases/pr_05142019
• The cost of COTS in payment solutions https://ims.ul.com/faqs-and-webinar-recording-whats-cost-cots
• Article on risk of PTS v3 sunset confuses and misses the mark https://www.mobilepaymentstoday.com/blogs/end-of-life-for-certain-pos-terminals-and-the-looming-risk-to-retailers/

Breaches / Leaks

Covering breaches, leaks, data exposures, and their fallout.

• Forbes subscription site hit by Magecart card skimming malware https://www.bleepingcomputer.com/news/security/hackers-inject-magecart-card-skimmer-in-forbes-subscription-site/
• Additionally Picreel and CloudCMS were hit by JavaScript skimmers https://www.riskiq.com/blog/labs/cloudcms-picreel-magecart/
• Report warns that data breaches are a time bomb https://www.bbc.com/news/technology-48215075
• Panama server exposes data on most of its' citizens https://www.darkreading.com/cloud/poorly-configured-server-exposes-most-panama-citizens-data/d/d-id/1334691
• Data on 10.5M Australians breached in past 3 months https://www.theregister.co.uk/2019/05/13/10mozzieshaddatabreachedinlastthreemonths/
• Another exposed Elasticsearch db with PII on 8M people https://www.darkreading.com/cloud/exposed-elasticsearch-database-compromises-data-on-8m-people/d/d-id/1334747
• Japanese retailer breached for 460K email addresses https://www.bankinfosecurity.com/hack-japanese-retailer-exposes-460000-customer-accounts-a-12482
• Equifax's data breach costs hit $1.4B https://www.bankinfosecurity.com/equifaxs-data-breach-costs-hit-14-billion-a-12473

Privacy

Articles about privacy related news, risks, and trends.

• San Francisco bans facial recognition use by police https://www.securityweek.com/san-francisco-bans-facial-recognition-use-police
• Facebook could face 20-year Government oversight https://www.pymnts.com/facebook/2019/facebook-government-oversight-settlement/
• Double-sided printing leads to Chubb privacy fumble https://www.theregister.co.uk/2019/05/10/chubbdoublesidedprintingdatabreach/
• Gmail reads receipts to keep a running list of things you buy. You can't turn it off, but you can stop Google from using your shopping history https://www.businessinsider.com/how-to-prevent-google-using-information-it-tracks-about-your-purchases-2019-5
• Facebook responds to essay calling for its breakup https://www.nytimes.com/2019/05/09/business/facebook-response-chris-hughes.html

Laws & Regulations / Standards

News about laws, regulations, and standards affecting security, privacy,  technology, and public interest.

• Proposed cyber-security changes to Gramm-Leach-Bliley Act (GLBA) mandate security testing cohttps://www.linkedin.com/pulse/new-cybersecurity-regulations-could-impact-your-business-ray-overby/
• Trump declares national emergency over IT threats - https://www.bbc.co.uk/news/world-us-canada-48289550
• EFF wins National Security Letter transparency lawsuit https://www.eff.org/deeplinks/2019/05/victory-eff-wins-national-security-letter-transparency-lawsuit
• Apple's Supreme Court defeat could signal significant changes in mobile app sales https://www.mobilepaymentstoday.com/articles/apples-supreme-court-defeat-could-signal-significant-changes-in-mobile-app-sales/
• The false promise of “Lawful Access” to private data https://www.wired.com/story/the-false-promise-of-lawful-access-to-private-data/
• The LawBytes Podcast, Episode 11: Reinterpreting Canadian privacy law – David Fraser on cross-border data transfers, the right to de-index, and the facebook investigation http://www.michaelgeist.ca/2019/05/lawbytes-podcast-episode-11/

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• Microsoft releases version 2.0 of their Attack Surface Analyzer https://www.securityweek.com/microsoft-releases-attack-surface-analyzer-20
• Nessus Essentials (a free vulnerability scanner for the home) https://www.tenable.com/blog/nessus-home-is-now-nessus-essentials
• Google started tracking wild zero-day exploits https://www.securityweek.com/google-starts-tracking-zero-days-exploited-wild
• Interesting but don't throw away your HSMs yet. Unbound Tech Gains First-ever FIPS 140-2 Certification for a software-only cryptographic module based on multiparty computation https://www.prnewswire.com/news-releases/unbound-tech-gains-first-ever-fips-140-2-certification-for-a-software-only-cryptographic-module-based-on-multiparty-computation-300848707.html
• Security Engineering: Third Edition https://www.lightbluetouchpaper.org/2019/05/17/security-engineering-third-edition/
• The Canadian Centre for Cyber Security https://cyber.gc.ca/en/

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• More Spectre-like vulnerabilities hit Intel Intel Flaw Lets Hackers Siphon Secrets from Millions of PCs https://www.schneier.com/blog/archives/2019/05/anotherintelc.html
• WhatsApp vulnerability exposed civil rights promoters to hacking attempts and silent device takeovers https://www.androidpolice.com/2019/05/13/whatsapp-vulnerability-exposed-civil-rights-promoters-to-hacking-attempts/
• Microsoft warns wormable Windows bug could lead to another WannaCry https://arstechnica.com/information-technology/2019/05/microsoft-warns-wormable-windows-bug-could-lead-to-another-wannacry
• Microsoft takes rare step of patching EOL systems https://krebsonsecurity.com/2019/05/microsoft-patches-wormable-flaw-in-windows-xp-7-and-windows-2003/
• Remote Code Execution flaw found in Kaspersky products https://www.securityweek.com/remote-code-execution-flaw-found-kaspersky-products
• 79 vulnerabilities patched in this month's Patch Tuesday https://blog.qualys.com/laws-of-vulnerabilities/2019/05/14/may-2019-patch-tuesday-79-vulns-22-critical-rdp-rce-mds-attacks-adobe-vulns
• Linux Kernel prior to 5.0.8 vulnerable to Remote Code Execution https://www.bleepingcomputer.com/news/security/linux-kernel-prior-to-508-vulnerable-to-remote-code-execution/
• A Cisco router bug with global implications https://www.wired.com/story/cisco-router-bug-secure-boot-trust-anchor/
• Google is replacing Bluetooth Titan Security Keys because of a vulnerability https://www.theverge.com/2019/5/15/18625028/google-titan-security-keys-bluetooth-vulnerability-replacement-free
• It wasn't that long ago that SHA-1 was broken, now the attack is becoming practical https://www.zdnet.com/article/sha-1-collision-attacks-are-now-actually-practical-and-a-looming-danger/

Hacking / Malware / Cybercrime / Exploitation

News covering active trends and events.

• Feds target $100M ‘GozNym’ cybercrime network https://krebsonsecurity.com/2019/05/feds-target-100m-goznym-cybercrime-network/
• Hackers abuse ASUS cloud service to install backdoor on users’ PC https://arstechnica.com/information-technology/2019/05/asus-cloud-service-abused-to-install-backdoor-on-pcs/
• FIN7 APT linked to escalating active exploits for Microsoft SharePoint bug https://threatpost.com/fin7-active-exploits-sharepoint/144628/
• Korean APT "ScarCruft" is collecting Bluetooth information with malware https://arstechnica.com/information-technology/2019/05/korean-speaking-hackers-add-bluetooth-harvester-to-its-tool-arsenal/
• Report finds website infections holding steady at 1% but attacks becoming stealthier https://www.securityweek.com/website-infections-holding-steady-1-attacks-becoming-stealthier-report
• Attackers are messing with TLS "signature" information to mess up encryption traffic analysis techniques and evade detection https://threatpost.com/billions-bots-cipher-stunting/144763/
• Keyloggers injected in Web Trust Seal supply chain attack https://www.bleepingcomputer.com/news/security/keyloggers-injected-in-web-trust-seal-supply-chain-attack/
• ELECTRICFISH is new Windows malware from North Korea http://nakedsecurity.sophos.com/2019/05/14/dhs-fbi-spot-north-korean-traffic-tunnelling-malware/
• The science of disappearing billions - how cryptocurrency scams work http://www.sciencealert.com/here-s-how-cryptocurrency-scammers-rob-investors-of-billions
• An account hijacking forum used by SIM swappers was just hacked https://krebsonsecurity.com/2019/05/account-hijacking-forum-ogusers-hacked/
• Scammers trafficking IPv4 addresses charged with wire fraud https://krebsonsecurity.com/2019/05/a-tough-week-for-ip-address-scammers/
• Canadian company pleads guilty to peddling vast database of personal information https://beta.ctvnews.ca/national/canada/2019/5/17/1_4427618.html

Other Security / Risk

Articles covering other types of risks.

• The top 5 most dangerous attachment types https://threatpost.com/threatlist-top-5-most-dangerous-attachment-types/144635/
• Anyone recall Die Hard 2? It turns out the radio navigation planes use to land safely is insecure and can be hacked https://arstechnica.com/information-technology/2019/05/the-radio-navigation-planes-use-to-land-safely-is-insecure-and-can-be-hacked/
• Cloud creating head winds For security appliance vendors https://www.forbes.com/sites/richardstiennon/2019/05/13/the-cloud-is-creating-head-winds-for-security-appliance-vendors/
• Bluetooth's complexity is a security risk https://www.wired.com/story/bluetooth-complex-security-risk/
• The world's most infected laptop is for sale as an art piece - just don't turn it on https://www.forbes.com/sites/curtissilver/2019/05/15/malware-laptop-auction-chaos/
• The risk of running authenticated vulnerability scans https://isc.sans.edu/diary.html?storyid=24942
• Investigation of QuadrigaCX cryptocurrency debacle turns up $28M in assets https://www.cbc.ca/news/canada/nova-scotia/quadrigacx-cryptocurrency-bankruptcy-ernst-and-young-1.4364467
• Engineers measure accuracy of 2 Qubits in silicon http://www.sciencealert.com/quantum-breakthrough-accurate-2-qubit-operations-in-silicon-measured-for-first-time
• Why are Cryptographers being denied entry into the US? https://www.schneier.com/blog/archives/2019/05/whyarecryptog.html
• Russia and far right spreading disinformation ahead of EU elections https://www.nytimes.com/2019/05/10/world/europe/russian-propaganda-influence-campaign-european-elections-far-right.html
• The International Spy Museum reopens in Washington DC https://www.schneier.com/blog/archives/2019/05/international_s.html
• Someone hacked into the USGA database to post some unflattering golf scores on Trump's account https://www.businessinsider.com/trumps-usga-account-hacked-unflattering-golf-scores-posted-2019-5
• A new record setting dive to the bottom of the Mariana Trecnch finds plastic waste https://www.bbc.co.uk/news/science-environment-48230157

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• Observations of June's Beta Taurid meteor stream may help determine risk of another Tunguska sized impact https://www.syfy.com/syfywire/could-larger-space-rocks-be-hiding-in-the-beta-taurid-meteor-stream-we-may-find-out-this
• The city of Hiroshima was consumed in the fire and aftermath of the first atomic bomb. Scientists have finally discovered where it went https://www.sciencealert.com/the-ghostly-legacy-of-hiroshima-has-finally-been-discovered-in-physical-form
• How did ancient sea creatures get caught in amber? http://www.sciencealert.com/cretaceous-sea-creatures-have-been-found-trapped-in-amber-alongside-insects
• Testing a solar sail prototype https://www.sciencealert.com/researchers-just-tested-a-prototype-probe-made-to-cross-the-vast-distances-between-stars
• The kilogram was just redefined http://www.sciencealert.com/tomorrow-the-definition-of-the-kilogram-will-change-forever-here-s-what-that-really-means
• A slightly warped perspective piece "The Lowest Bid Universe" https://blogs.scientificamerican.com/life-unbounded/the-lowest-bid-universe/