This Week’s [in]Security – Issue 114 | insecurity | Control Gap

Welcome to This Week’s [in]Security. This week: PCI SPoC/MSR and Contactless COTS updates, more POS malware strikes, the new encryption wars, Windows update problems , Bitcoin's quantum vulnerability, wormable medical devices, dumb smart locks, multiple breaches and leaks Marriott and others, Canva, Theta360, medical info, Amazingco, a law society, Flipboard, Facebook looses lawsuits against investigations, covering up breaches, ProtonMail and Snapchat privacy, States have no privacy obligations, alternatives to passwords, fixing GPS, Baltimore, Ottawa, and more.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

News and announcements relating to Payment Security, Payments, PCI, and Card Brands.

• PCI on mobile payment acceptance: SPoC and contactless updates https://blog.pcisecuritystandards.org/pci-on-mobile-payment-acceptance-spoc-and-contactless-updates
• PCI publishes SPoC MSR Annex https://www.pcisecuritystandards.org/documents/SPoCMSRAnnex-v1.0.pdf
• New whitepaper available: Architecting for PCI DSS Segmentation and Scoping on AWS https://aws.amazon.com/blogs/security/new-whitepaper-available-architecting-for-pci-dss-segmentation-and-scoping-on-aws/
• Some models of Verifone terminals (VX and E series) get stuck in reboot loops http://support.verifone.com/verifone/support/home.do?_ga=2.7998066.1385337660.1559149858-1240740440.1559149858

Breaches / Leaks

Covering breaches, leaks, data exposures, and their fallout.

• Security systems of Marriott and other major hotel chains exposed by huge data breach at
  the Pyramid Hotel Group https://www.forbes.com/sites/daveywinder/2019/05/31/security-systems-of-major-hotel-chains-exposed-by-huge-data-breach/
• Data on 139M of Canva users’ stolen as GnosticPlayers strikes again http://nakedsecurity.sophos.com/2019/05/28/millions-of-canva-users-data-stolen-as-gnosticplayers-strikes-again/ and https://www.afr.com/technology/web/security/canva-criticised-after-data-breach-exposed-139m-user-details-20190526-p51r8i
• Theta360 leak exposes 11M photos, user data https://www.scmagazine.com/home/security-news/privacy-compliance/theta360-leak-exposes-11-million-photos-user-data/
• Financial, medical information put at risk in months-old Broome County security breach https://wbng.com/news/local-news/2019/05/31/financial-medical-information-put-at-risk-in-months-old-broome-county-security-breach/
• Healthcare breach of 1.5m records made worse by notifications sent to wrong addresses https://www.datex.ca/blog/healthcare-breach-of-1.5m-records-made-worse-by-notifications-sent-to-wrong-addresses
• Checkers, Rally's burger joints hit by POS malware https://www.bankinfosecurity.com/checkers-rallys-burger-joints-hit-by-pos-malware-a-12540
• 200k personal records exposed by events planning firm Amazingco https://threatpost.com/200k-personal-records-exposed-by-events-planning-firm/145133/
• Ordine Avvocati di Roma - 41,960 breached accounts https://haveibeenpwned.com/PwnedWebsites#OrdineAvvocatiDiRoma
• Flipboard database hacked, users' account information exposed https://thehackernews.com/2019/05/flipboard-data-breach-hacking.html
• SMH claims sabotage after new data leak https://www.smh.com.au/business/companies/it-s-sabotage-valuation-company-hits-out-after-new-data-leak-20190530-p51sxo.html
• Understanding The First American Financial data leak: how did it happen and what does it mean? https://www.forbes.com/sites/ajdellinger/2019/05/26/understanding-the-first-american-financial-data-leak-how-did-it-happen-and-what-does-it-mean/
• NY investigates exposure of 885m mortgage documents by First American Financial https://krebsonsecurity.com/2019/05/ny-investigates-exposure-of-885-million-mortgage-documents/
• Facebook loses US court battle to keep internal privacy breach records private https://www.forbes.com/sites/zakdoffman/2019/05/31/facebook-loses-in-court-over-privacy-emails-as-zuckerberg-votes-to-keep-full-control/
• Facebook Loses bid to block landmark EU ECJ data security hearing https://www.securityweek.com/facebook-loses-bid-block-landmark-ecj-data-security-hearing
• Under GDPR, UK data breach reports quadruple https://www.bankinfosecurity.com/under-gdpr-uk-data-breach-reports-quadruple-a-12530
• UK bosses are willing to cover up data breaches https://www.itproportal.com/news/uk-bosses-are-willing-to-cover-up-data-breaches/
• 2.3B files exposed in a year: a new record for misconfigurations https://threatpost.com/files-exposed-record-misconfigs/145177/

Privacy

Articles about privacy related news, risks, and trends.

• Canada announces Digital Charter, promises serious fines to business for not protecting privacy https://www.itworldcanada.com/article/canada-announces-digital-charter-promises-serious-fines-to-business-for-not-protecting-privacy/418217
• Biometric identification and privacy concerns: a Canadian perspective https://www.airdberlis.com/insights/blogs/thespotlight/post/ts-item/biometric-identification-and-privacy-concerns-a-canadian-perspective
• ProtonMail accused of voluntarily helping police spy on users https://www.securityweek.com/protonmail-accused-voluntarily-helping-police-spy-users
• Snapchat privacy blunder piques concerns about insider threats https://threatpost.com/snapchat-privacy-blunder-piques-concerns-about-insider-threats/145074/
• If regulators won’t stop the sale of cell phone users’ location data, consumers must https://www.eff.org/deeplinks/2019/05/if-regulators-wont-stop-sale-cell-phone-users-location-data-consumers-must
• Newly released Amazon patent shows just how much creepier Alexa can get http://www.sciencealert.com/creepy-new-amazon-patent-would-mean-alexa-records-everything-you-say-from-now-on

Laws & Regulations / Standards

News about laws, regulations, and standards affecting security, privacy,  technology, and public interest.

• Canada uses civil anti-spam law in bid to fine malware purveyors https://krebsonsecurity.com/2019/05/canada-uses-civil-anti-spam-law-in-bid-to-fine-malware-purveyors/
• US demands social media details from visa applicants https://www.bbc.com/news/world-us-canada-48486672
• Georgia Supreme Court rules that State has no obligation to protect personal information https://www.securityweek.com/georgia-supreme-court-rules-state-has-no-obligation-protect-personal-information
• A terrible patent bill is on the way https://www.eff.org/deeplinks/2019/05/terrible-patent-bill-way

• Ghost users and the reboot of the crypto wars

  • The encryption wars are back, but this time it's different https://www.zdnet.com/article/the-encryption-wars-are-back-but-this-time-its-different/
  • New perspectives on the future of encryption (more on the new encryption wars) https://www.lawfareblog.com/new-perspectives-future-encryption
  • Schneier and Stallman speak out against ghost user proposals https://www.theregister.co.uk/2019/05/30/techhitsbackatgchqghostuserprivacybuster/
• Facebook is already working towards Germany’s end-to-end encryption backdoor vision https://www.forbes.com/sites/kalevleetaru/2019/05/28/facebook-is-already-working-towards-germanys-end-to-end-encryption-backdoor-vision/
• Mozilla dislikes Google’s crypto-signed website packaging spec https://www.theregister.co.uk/2019/05/30/mozillawebpackaging/

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• Intel follows AMD's lead on full memory encryption https://www.tomshardware.co.uk/intel-mktme-amd-memory-encryption,news-60766.html
• To fight deepfakes, researchers built a smarter camera https://www.wired.com/story/detect-deepfakes-camera-watermark/
• Microsoft announces new Windows 10 password and encryption security defaults https://www.forbes.com/sites/daveywinder/2019/05/24/microsoft-announces-new-windows-10-password-and-encryption-security-defaults/
• 8 ways to authenticate without passwords https://www.darkreading.com/endpoint/authentication/8-ways-to-authenticate-without-passwords/d/d-id/1334809
• Microsoft Defender ATP for Mac now in public preview https://www.securityweek.com/microsoft-defender-atp-mac-now-public-preview
• DARPA considering Earth based GPS to thwart attacks https://www.forbes.com/sites/brucedorminey/2019/05/31/new-global-navigation-system-could-guard-u-s-military-against-gps-attacks/

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• Google researcher finds code execution vulnerability in Notepad https://www.securityweek.com/google-researcher-finds-code-execution-vulnerability-notepad
• Unpatched Docker bug allows read-write access to host OS http://nakedsecurity.sophos.com/2019/05/31/unpatched-docker-bug-allows-read-write-access-to-host-os/ and https://www.bleepingcomputer.com/news/security/unpatched-flaw-affects-all-docker-versions-exploits-ready/
• Researchers uncover IoT smart padlock’s dumb security http://nakedsecurity.sophos.com/2019/05/29/researchers-uncover-smart-padlocks-dumb-security/
• Siemens medical products affected by wormable Windows flaw https://www.securityweek.com/siemens-medical-products-affected-wormable-windows-flaw
• Windows 10 May 2019 update blocked by old Bluetooth drivers https://www.bleepingcomputer.com/news/microsoft/windows-10-may-2019-update-blocked-by-old-bluetooth-drivers/
• Microsoft admits Windows 10 security feature broken by update https://www.forbes.com/sites/daveywinder/2019/05/28/microsoft-admits-windows-10-security-feature-broken-by-update/
• Researcher finds vulnerability that can bypass the macOS Gatekeeper protections to run malicious code https://www.techradar.com/news/security-researcher-spots-a-maos-malware-vulnerability-thats-not-yet-patched
• Joomla and WordPress found harboring malicious redirect code https://threatpost.com/joomla-and-wordpress-malicious-redirect-code/145068/

Hacking / Malware / Cybercrime / Exploitation

News covering active trends and events.

• The human cost of cyberattacks https://www.schneier.com/blog/archives/2019/05/thehumancost_.html
• The changing cost of cybercrime https://www.lightbluetouchpaper.org/2019/05/30/the-changing-cost-of-cybercrime/
• Advanced Linux backdoor found in the wild escaped AV detection https://arstechnica.com/information-technology/2019/05/advanced-linux-backdoor-found-in-the-wild-escaped-av-detection/
• Sectigo revokes certificates used to sign malware following recent report https://www.securityweek.com/sectigo-revokes-certificates-used-sign-malware-following-recent-report
• Website for storing digital currencies hosted code with a sneaky backdoor https://arstechnica.com/?p=1510799
• This smells of a misguided attempt to deflect responsibility for not patching a known vulnerability: Baltimore ransomware attack: NSA faces questions https://www.bbc.com/news/technology-48423954
• Baltimore vs the NSA - a lesson in journalism vs. cybersecurity https://blog.erratasec.com/2019/05/a-lesson-in-journalism-vs-cybersecurity.html
• Criminals use universal credit system to defraud families https://www.pymnts.com/news/security-and-risk/2019/universal-credit-system-fraud/
• Why half of phishing attacks target the Great White North https://www.techrepublic.com/article/oh-canada-why-half-of-phishing-attacks-target-the-great-white-north/
• 10 years of virtual dynamite: A high-level retrospective of ATM malware https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html
• How convicts ordered to stay offline try to slip their digital leashes https://www.nytimes.com/2019/05/26/us/computer-internet-restrictions-probation.html

Other Security / Risk

Articles covering other types of risks.

• Certificate Authority Certinomis removed from Firefox browser (Bulletproof TLS Newsletter Issue #53) https://www.feistyduck.com/bulletproof-tls-newsletter/issue53certificateauthoritycertinomisremovedfromfirefoxbrowser
• Senator: US govt staff may be sending their smartphone web traffic 'wrapped in a bow' to Russia, China via VPNs https://www.theregister.co.uk/2019/05/30/dhsalarmvpn/
• Chinese military to replace windows os amid fears of US hacking https://www.zdnet.com/article/chinese-military-to-replace-windows-os-amid-fears-of-us-hacking/
• City of Ottawa lagging behind IT security risks as it churns through tech bosses https://ottawacitizen.com/news/local-news/city-lagging-behind-it-security-risks-as-it-churns-through-tech-bosses
• Online voting seems like a great idea--until you look closer https://www.scientificamerican.com/article/online-voting-seems-like-a-great-idea-until-you-look-closer/
• Should failing phish tests be a fireable offense? https://krebsonsecurity.com/2019/05/should-failing-phish-tests-be-a-fireable-offense/
• How a quantum computer could break 2048-bit RSA encryption in 8 hours https://www.technologyreview.com/s/613596/how-a-quantum-computer-could-break-2048-bit-rsa-encryption-in-8-hours/
• BitCoin's blockchain sometimes contains public keys protecting billions of dollars, a working quantum computer could make someone very wealthy https://www.linkedin.com/pulse/perfect-harvest-now-decrypt-later-attack-how-steal-10-baumhof
• New research generates deepfake video from a single picture http://nakedsecurity.sophos.com/2019/05/29/deepfake-researchers-can-now-make-paintings-talk/
• Fraudulent academic papers https://www.schneier.com/blog/archives/2019/05/fraudulent_acad.html
• Google cloud outage knocks out Gmail, Discord and Snapchat https://www.engadget.com/2019/06/02/google-cloud-outage/
• BlackBerry BBM messaging app shuts down, consumers offered replacement service BBMe https://globalnews.ca/news/5342085/blackberry-bbm-app/
• Rare Enigma machine with original parts goes on sale https://www.independent.co.uk/life-style/gadgets-and-tech/news/enigma-machine-original-parts-buy-price-cost-how-much-a8937131.html
• How Canadian police are using genealogy to find people potentially linked to cold cases https://www.cbc.ca/news/canada/british-columbia/golden-state-killer-dna-vancouver-cold-case-leonardo-1.5145144
• 100 percent renewable pledges do not equal carbon-free power https://www.scientificamerican.com/article/100-percent-renewable-pledges-do-not-equal-carbon-free-power/
• This Is a 'Cross Sea'. you do not want to get caught in one http://www.sciencealert.com/this-is-a-cross-sea-you-do-not-want-to-get-caught-in-one
• A teetotal patient developed severe alcoholic hepatitis thanks to homeopathy http://www.sciencealert.com/this-teetotal-patient-developed-hepatitis-thanks-to-a-regular-use-of-homeopathy

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• Here’s how Canada made its case for claiming the North Pole over Russia, Denmark https://globalnews.ca/news/5344035/canada-north-pole-claim-case/
• Our Sun's 11 year solar cycle explained https://scienmag.com/the-sun-follows-the-rhythm-of-the-planets/
• Jupiter's Great Red Spot is unraveling https://www.cbc.ca/news/technology/jupiter-great-red-spot-1.5154387
• New supernova recipe: toss a white dwarf into a black hole https://www.syfy.com/syfywire/making-a-supernova-the-hard-way-tossing-a-white-dwarf-into-a-black-hole
• An optical illusion that will zigzag your brain https://www.syfy.com/syfywire/an-optical-illusion-that-will-zigzag-your-brain