This Week’s [in]Security – Issue 113 | insecurity | Control Gap

Welcome to This Week’s [in]Security. This week: PCI feedback underway on P2PE v3, SSF update, Magecart now with IFRAMES, 885M title insurance records exposed, AT&T's un-breach, breaches of Instagram and Truecaller data, breaches at HCL, Peel Region and the Game Golf app, 3B fake Facebook accounts removed, 2FA stops bot attacks, tracking your mobile device, NIST key management update, right to repair in Canada, the squeeky breach headline gets the fix, 4 windows zero-days published, Windows RDS worm code, Industrial sites aren't ready for it, 12K Mongo db's gone, Baltimore hit, virus-day-off, China: Huawei and drones, interesting new tech, rare-earth-metals mega-find, and more.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

News and announcements relating to Payment Security, Payments, PCI, and Card Brands.

• PCI P2PE Standard v3.0 Request for Comments is underway https://blog.pcisecuritystandards.org/request-for-comments-p2pe-standard-v3-0
• PCI Software Security Framework: update on assessor qualification details still to come https://blog.pcisecuritystandards.org/pci-software-security-framework-update-on-assessor-qualification
• eBook from the folks at UL on Securing Digital Payments https://connect.ul.com/eBook-Securing-Digital-Payments.html
• Magecart goes IFRAME to clumsily skim redirecting e-commerce web sites https://www.bleepingcomputer.com/news/security/hackers-steal-payment-card-data-using-rogue-iframe-phishing/ and details https://blog.malwarebytes.com/cybercrime/2019/05/skimmer-acts-as-payment-service-provider-via-rogue-iframe/
• Worldwide ATM installations declined In 2018 https://www.pymnts.com/cash/2019/atm-installations-decline-financial-inclusion/

Breaches / Leaks

Covering breaches, leaks, data exposures, and their fallout.

• First American Financial Corp. exposed 885M of title insurance records https://krebsonsecurity.com/2019/05/first-american-financial-corp-leaked-hundreds-of-millions-of-title-insurance-records/
• Chtrbox exposes 49M records in unsecured AWS database, included data on Instagram influencer accounts https://www.scmagazine.com/home/security-news/privacy-compliance/unsecure-chtrbox-aws-database-exposes-data-on-49-million-instagram-influencers-accounts/ and http://nakedsecurity.sophos.com/2019/05/22/cache-of-49m-instagram-records-found-online/
• Instagram bans Chtrbox for TOS violations for scraping 350K public information https://www.bankinfosecurity.com/instagram-bans-social-media-company-after-data-exposure-a-12518
• HCL exposes customer and employee passwords, project information, and, personnel info https://threatpost.com/data-leak-hcl-customer-info/144919/
• Phisher folk reel in Computacenter security vetting mailbox packed with sensitive staff data https://www.theregister.co.uk/2019/05/23/computacenterstaffsecurityclearanceapplicationmailboxbreached/
• Another misconfigured IT (Again) leads to big health data breach https://www.bankinfosecurity.com/misconfigured-again-leads-to-big-health-data-breach-a-12511
• Millions of golfers land in privacy hazard after cloud misconfiguration https://threatpost.com/golfers-privacy-hazard-game-golf/144918/
• The Swedish identity app company, Truecaller, denies data hack as customer info shows up on dark web. May be part of an aggregated collection https://www.pymnts.com/news/security-and-risk/2019/truecaller-data-dark-web/
• Peel Regional breach of information https://www.peelregion.ca/articles/2019/information-breach.asp
• An unbreach: AT&T accidently exposes data breach template pages by mistake https://www.vice.com/en_us/article/nea35k/att-mistake-data-breach
• Equifax just became the first company to have its outlook downgraded for a cyber attack https://www.cnbc.com/2019/05/22/moodys-downgrades-equifax-outlook-to-negative-cites-cybersecurity.html

Privacy

Articles about privacy related news, risks, and trends.

• Thanks to Facebook, your cellphone company is watching you more closely than ever https://theintercept.com/2019/05/20/facebook-data-phone-carriers-ads-credit-score/
• Calibration fingerprint attacks for smartphones that can uniquely identify and track a device https://www.lightbluetouchpaper.org/2019/05/21/calibration-fingerprint-attacks-for-smartphones/
• Facial recognition has already reached its breaking point https://www.wired.com/story/facial-recognition-regulation/
• Privacy complaints near 150,000 in first year of GDPR http://epic.org/2019/05/privacy-complaints-near-150000.html
• AI has been weaponized in China. That should be a wake-up call for the world https://www.cbc.ca/news/opinion/ai-china-1.5140612

Laws & Regulations / Standards

News about laws, regulations, and standards affecting security, privacy,  technology, and public interest.

• NIST updated (SP) 800-57 Part 2 Revision 1, Recommendation for Key Management: Part 2 – Best Practices for Key Management Organizations. Details: https://csrc.nist.gov/publications/detail/sp/800-57-part-2/rev-1/final and update: https://csrc.nist.gov/news/2019/nist-publishes-sp-800-57-part-2-rev-1
• Why a non-profit is pressing for 'right to repair' legislation in Canada https://www.cbc.ca/news/canada/toronto/right-to-repair-legislation-device-smartphone-1.5144235
• Senator Hawley introduces "do not track" bill for internet http://epic.org/2019/05/senator-hawley-introduces-do-n.html
• Black Hat Q&A: Bruce Schneier calls for public-interest technologists https://www.darkreading.com/careers-and-people/black-hat-qanda-bruce-schneier-calls-for-public-interest-technologists/d/d-id/1334755
• Germany talking about banning end-to-end encryption https://www.schneier.com/blog/archives/2019/05/germany_talking.html

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• Google data shows 2-factor authentication blocks 100% of automated bot hacks https://thenextweb.com/google/2019/05/23/google-data-shows-2-factor-authentication-blocks-100-of-automated-bot-hacks/
• How to do a risk-limiting audit of elections https://freedom-to-tinker.com/2019/05/23/how-to-do-a-risk-limiting-audit/
• Why do I need a Penetration Test? https://www.packetlabs.net/why-do-i-need-a-pentest/
• Using Shodan open port monitoring https://isc.sans.edu/diary/rss/24956
• Microsoft beefs Up Wi-Fi protection https://threatpost.com/microsoft-wi-fi-protection/145053/
• Stop the Presses: Media Coverage as a Prioritization Metric for Vulnerability Management https://www.tenable.com/blog/stop-the-presses-media-coverage-as-a-prioritization-metric-for-vulnerability-management

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• Lack of secure coding called a national security threat https://www.databreachtoday.com/interviews/lack-secure-coding-called-national-security-threat-i-4332
• Windows zero-day drops on Twitter, developer promises 4 more https://threatpost.com/windows-zero-day-lpe/144976/
• SandboxEscaper drops three more windows zero-day exploits https://threatpost.com/sandboxescaper-more-exploits-ie-zero-day/145010/
• Windows 10 update bricks pcs, Microsoft offers workarounds https://threatpost.com/windows-10-update-bricks-pcs/144897/
• Sophos tells users to roll back Microsoft's Patch Tuesday run if they want PC to boot https://www.theregister.co.uk/2019/05/20/sophosmicrosoftpatchtuesdayboot_hang/
• Proof of Concept Windows RDS wormable flaw https://www.securityweek.com/poc-exploits-created-wormable-windows-rds-flaw
• With a second Wannacry looming, more than half of industrial sites are vulnerable https://www.forbes.com/sites/ajdellinger/2019/05/15/with-a-second-wannacry-looming-more-than-half-of-industrial-sites-are-vulnerable/
• No root password for 20% of popular docker Containers https://www.securityweek.com/no-root-password-20-popular-docker-containers
• Cisco starts patching firmware bug; millions of devices still vulnerable https://threatpost.com/cisco-patch-firmware/144936/
• Slack bug allows remote file hijacking, malware injection https://threatpost.com/slack-remote-file-hijacking-malware/144871/
• Say it ain’t so Google, since 2005 some G-suite passwords stored in plain text https://www.wired.com/story/google-stored-gsuite-passwords-plaintext/
• “BlueKeep” Remote Desktop Services code execution exploits are coming, patch now! https://www.bleepingcomputer.com/news/security/bluekeep-remote-desktop-exploits-are-coming-patch-now
• Behind the naming of ZombieLoad and other Intel Spectre-like flaws https://threatpost.com/behind-the-naming-of-zombieload-and-other-intel-spectre-like-flaws/144875/ and how Intel’s latest side channel bug was discovered and disclosed https://threatpost.com/zombieload-how-intels-latest-side-channel-bug-was-discovered-and-disclosed/144849/
• Somewhat sensational title highlights risk of later movement from unimportant to important systems/devices https://www.cisomag.com/hackers-can-steal-your-identity-and-bank-details-from-a-coffee-machine/
• A couple of developments in cryptanalysis: Anomalies and vector space search: tools for S-box reverse-engineering https://eprint.iacr.org/2019/528 and Speeding-up of SCA attacks on 32-bit multiplications https://eprint.iacr.org/2019/530

Hacking / Malware / Cybercrime / Exploitation

News covering active trends and events.

• Legal threats make powerful phishing lures https://krebsonsecurity.com/2019/05/legal-threats-make-powerful-phishing-lures/
• Let adware be treated as malware, Canuck boffins declare after breaking open Wajam ad injector https://www.theregister.co.uk/2019/05/20/wajammalwareclaims/
• 12,000 open MongoDB databases wiped https://www.scmagazine.com/home/security-news/cybercrime/report-hacking-group-wipes-content-from-over-12000-open-mongodb-databases/
• Volume of signed malware increases, CAs need better vetting https://www.bleepingcomputer.com/news/security/volume-of-signed-malware-increases-cas-need-better-vetting/
• Linux version of Winnti malware uncovered in recent attacks https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a
• New Mirai variant uses multiple exploits to target routers and other devices https://blog.trendmicro.com/trendlabs-security-intelligence/new-mirai-variant-uses-multiple-exploits-to-target-routers-and-other-devices/
• Baltimore ransomware attack stops citizen water bill payments https://www.vox.com/recode/2019/5/21/18634505/baltimore-ransom-robbinhood-mayor-jack-young-hackers
• Ohio school gets snowday virus vacation https://www.zdnet.com/article/ohio-school-sends-students-home-because-of-trickbot-malware-infection/
• Maker of US border's license-plate scanning tech ransacked by hacker, blueprints and files dumped online https://www.theregister.co.uk/2019/05/23/percepticshackedlicenseplaterecognition/
• Most hacker-for-hire services are frauds https://www.zdnet.com/article/google-research-most-hacker-for-hire-services-are-frauds/
• Assange now faces 18 US charges and is indicted under Espionage Act https://www.bankinfosecurity.com/assange-now-faces-18-us-charges-a-12517

Other Security / Risk

Articles covering other types of risks.

• 97% of Americans can't ace a basic security test https://www.darkreading.com/cloud/97--of-americans-cant-ace-a-basic-security-test-/d/d-id/1334763
• Facebook removes 3 billion fake accounts in 6 months https://www.cbc.ca/news/business/facebook-fake-accounts-1.5146701
• EFF project shows how people are unfairly “tossed out” by platforms’ absurd enforcement of content rules https://www.eff.org/press/releases/eff-project-shows-how-people-are-unfairly-tossed-out-platforms-absurd-enforcement
• Windows 10 could break if capability SIDs are removed from permissions https://www.bleepingcomputer.com/news/microsoft/windows-10-could-break-if-capability-sids-are-removed-from-permissions/
• LinkedIn allowed TLS certificate to expire—again https://www.securityweek.com/linkedin-allowed-tls-certificate-expire%E2%80%94again
• U.S. Restrictions on Huawei expose a high-tech achilles’ heel for China https://www.nytimes.com/2019/05/21/technology/huawei-china-chips.html
• Google restricts Huawei’s access to android after Trump executive order https://www.nytimes.com/2019/05/20/technology/google-huawei-android.html and https://www.bankinfosecurity.com/google-restricts-huaweis-access-to-android-a-12498
• US report warns Chinese drones may steal data https://www.securityweek.com/us-warns-chinese-drones-may-steal-data-report
• WestJet pilot's eyes burned by laser on flight from Newfoundland to Florida https://www.cbc.ca/news/canada/newfoundland-labrador/westjet-pilot-eyes-burned-by-laser-1.5144981?cmp=rss
• China responsible for surge in ozone-depleting emissions, study suggests https://www.cbc.ca/news/technology/china-responsible-ozone-depleting-emissions-study-1.5146269
• A massive, 'semi-infinite' trove of rare-earth metals has been found in Japan https://www.cnbc.com/2018/04/12/japan-rare-earths-huge-deposit-of-metals-found-in-pacific.html
• Physicists have officially smashed the record for high-temperature superconductivity http://www.sciencealert.com/physicists-have-officially-smashed-the-record-for-high-temperature-superconductivity
• Canada: Dalhousie researcher developing inexpensive, self-repairing, paint-on solar cells https://www.cbc.ca/news/canada/nova-scotia/dal-researcher-developing-paint-on-solar-cells-1.5141820
• New artificial photosynthesis breakthrough uses gold to turn co2 into liquid fuel http://www.sciencealert.com/new-artificial-photosynthesis-breakthrough-uses-gold-to-turn-co2-into-liquid-fuel
• Space X's broadband project moves forward with 60 satellite launch https://www.bbc.com/news/science-environment-48289204
• We can't solve climate change without nuclear power https://blogs.scientificamerican.com/observations/we-cant-solve-climate-change-without-nuclear-power/
• Interesting Enigma 2000: An authenticated encryption algorithm for human-to-human communication https://eprint.iacr.org/2019/488
• People dying in the traffic jams at the summit of Mt. Everest. Photo shows just how crazy it is. https://www.bbc.com/news/world-asia-48395241

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• Big Bang Theory upset? The universe may be almost a billion years younger than previously thought https://www.nbcnews.com/mach/science/universe-may-be-billion-years-younger-we-thought-scientists-are-ncna1005541
• 18 Earth-sized exoplanets discovered https://scienmag.com/18-earth-sized-exoplanets-discovered/
• Here's what it takes to fly the U-2 spy plane, which soars 13 miles above the earth https://www.businessinsider.com/what-u-2-spy-plane-pilot-training-is-like-2019-5
• Niki Lauda, three-time Formula One world champion and determined survivor dies at age 70 https://www.theguardian.com/sport/2019/may/21/niki-lauda-formula-one-legend-dies-aged-70