This Week’s [in]Security – Issue 115 | insecurity | Control Gap

Welcome to This Week’s [in]Security. This week: a quiet week for PCI, RDP MFA bypass, make SSNs public, AMCA (Quest, LabCorp, OPKO) breach, Data Protection Authority exposure, privacy and politics in Canada, 33% of breaches caused by 6% of bugs, impersonating doctors, rescuing vulnerable crypto-currency, Baltimore and Norsk Hydro, how Apple finds offline things and more.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

News and announcements relating to Payment Security, Payments, PCI, and Card Brands.

• (This has PCI DSS implications) Microsoft RDP 'feature' bypassess MFA http://nakedsecurity.sophos.com/2019/06/06/microsoft-dismisses-new-windows-rdp-bug-as-a-feature/

Breaches / Leaks

Covering breaches, leaks, data exposures, and their fallout.

• Proposal to make SSN's "public" would force changes https://www.cnn.com/2019/06/05/perspectives/labcorp-quest-diagnostics-data-breach-social-security-numbers/index.html

• American Medical Collections Agency (AMCA) breach of financial, cards, medical, and personal information

  • 12M Quest Diagnostics patients https://www.nbcnewyork.com/news/local/Quest-Diagnostics-12-Million-People-Data-Breach-510754611.html and https://www.wxyz.com/news/nearly-12m-patients-may-be-affected-in-quest-diagnostics-data-breach
  • 7.7M LabCorp patients https://www.bankinfosecurity.com/77-million-labcorp-patients-added-to-amca-breach-tally-a-12573
  • 400K more OPKO Health patients added https://www.theregister.co.uk/2019/06/06/congressamcaleakquestlabcorp/
  • 200K breached cards for sale http://www.digitaltransactions.net/about-200000-card-numbers-from-medical-collections-agency-for-sale-researcher-says/
• Australian National University hit by huge data breach https://www.theguardian.com/australia-news/2019/jun/04/australian-national-university-hit-by-huge-data-breach
• Westpac security breach: Almost 100,000 customers exposed, cyber security news update https://finance.nine.com.au/business%20news/westpac-data-breach-100000-australian-customers-at-risk/84c91581-90b6-464e-9137-a2d973492614
• Somewhat ironic. A data protection authority reports itself to itself after data breach https://www.grahamcluley.com/data-protection-authority-reports-itself-to-itself-after-data-breach/
• First American faces NY regulator, lawsuit over exposure https://www.bankinfosecurity.com/first-american-faces-ny-regulator-lawsuit-over-exposure-a-12548
• Bombas, the sock company, fined over concealing a 2014 payment card data breach until 2018 https://nypost.com/2019/06/06/sock-company-bombas-fined-over-data-breach/
• Cathay Pacific's unpatched decade-old vulnerability led to 2018 breach https://www.zdnet.com/article/cathay-pacifics-unpatched-decade-old-vulnerability-led-to-2018-breach/

Privacy

Articles about privacy related news, risks, and trends.

• British Columbia is looking at the privacy practices of Canada's federal political parties https://www.thestar.com/news/canada/2019/06/05/federal-politicians-could-soon-face-bc-privacy-watchdog-over-party-databases.html

Laws & Regulations / Standards

News about laws, regulations, and standards affecting security, privacy,  technology, and public interest.

• Vancouver considering a ban on Bitcoin ATMs — which police say are ‘ideal’ for money laundering https://www.thestar.com/vancouver/2019/06/04/bitcoin-atms-are-ideal-for-money-laundering-vancouver-police-warn-but-businesses-are-eager-for-regulation.html
• The importance of protecting cybersecurity whistleblowers https://www.schneier.com/blog/archives/2019/06/theimportance3.html
• Facebook to cut off Huawei to comply with U.S. sanctions https://www.securityweek.com/facebook-cut-huawei-comply-us-sanctions

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• Lessons learned trying to secure congressional campaigns https://www.schneier.com/blog/archives/2019/06/lessonslearned1.html
• Microsoft says mandatory password changing is “ancient and obsolete” https://arstechnica.com/information-technology/2019/06/microsoft-says-mandatory-password-changing-is-ancient-and-obsolete/
• Troy Hunt: ‘messy’ password problem isn’t getting better https://threatpost.com/troy-hunt-messy-password-problem/145439/
• Firefox web browser now blocks third-party tracking cookies by default https://thehackernews.com/2019/06/firefox-tracking-cookies.html
• Benefits of Apple's single sign-on over Google and Facebook https://www.wired.com/story/sign-in-with-apple-sso-google-facebook/
• MeltdownDetector: a runtime approach for detecting Meltdown attacks https://eprint.iacr.org/2019/613
• Tip: BASE64 encoded PowerShell scripts are recognizable by the amount of letter 'A's https://isc.sans.edu/diary/rss/24992
• Slowing down robocalls https://www.wired.com/story/stop-robocalls-slow-down-apps-tips-carriers-fcc/

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• Microsoft RDP 'feature' bypassess MFA http://nakedsecurity.sophos.com/2019/06/06/microsoft-dismisses-new-windows-rdp-bug-as-a-feature/
• New tools make 2FA bypass via fake websites much easier https://www.pymnts.com/news/security-and-risk/2019/synopsys-phishing-scam-2fa-authentication/
• Hacker discloses second zero-day to bypass patch for Windows privilege escalation https://thehackernews.com/2019/06/windows-eop-exploit.html
• Only 5.5% of all vulnerabilities are ever exploited in the wild https://www.zdnet.com/article/only-5-5-of-all-vulnerabilities-are-ever-exploited-in-the-wild/
• Cybersecurity: One in three breaches are caused by unpatched vulnerabilities https://www.zdnet.com/article/cybersecurity-one-in-three-breaches-are-caused-by-unpatched-vulnerabilities/
• MacOS zero-day allows trusted apps to run malicious code https://threatpost.com/macos-zero-day-malicious-code/145259/
• New email hacking tool from OilRig APT group leaked online https://www.bleepingcomputer.com/news/security/new-email-hacking-tool-from-oilrig-apt-group-leaked-online/
• Older Windows 10 Versions Get Intel Microcode Updates for Meltdown/Spectre vulnerabilities https://www.bleepingcomputer.com/news/microsoft/older-windows-10-versions-get-intel-microcode-updates-for-mds-vulns/
• Several vulnerabilities found in Cisco industrial network director https://www.securityweek.com/several-vulnerabilities-found-cisco-industrial-network-director
• Critical flaws in Amcrest HDSeries IoT Camera allows complete takeover https://threatpost.com/amcrest-critical-security-issues/145507/
• Hunting COM objects https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html
• Many iOS developers don’t use encryption: report https://www.securityweek.com/many-ios-developers-don%E2%80%99t-use-encryption-report
• Another case of BGP misdirection sends European mobile traffic through China Telecom for 2 hours https://arstechnica.com/information-technology/2019/06/bgp-mishap-sends-european-mobile-traffic-through-china-telecom-for-2-hours/
• Why Windows 10 says your Wi-Fi network “Isn’t Secure” https://www.howtogeek.com/423708/why-windows-10-says-your-wi-fi-network-isnt-secure/

Hacking / Malware / Cybercrime / Exploitation

News covering active trends and events.

• New brute-force botnet targeting over 1.5M RDP servers worldwide https://thehackernews.com/2019/06/windows-rdp-brute-force.html
• Tap ‘n ghost NFC attack creatively targets Android devices https://threatpost.com/tap-ghost-attack-android/145286/
• How hackers make money from your stolen medical data https://www.zdnet.com/article/this-is-how-hackers-make-money-from-your-stolen-medical-data/
• Doctor's identities for sale on the dark web https://www.independent.co.uk/life-style/gadgets-and-tech/news/dark-web-hackers-doctor-identities-medical-records-cyber-crime-a8943581.html
• Baltimore’s bill for ransomware: Over $18 million, so far https://arstechnica.com/information-technology/2019/06/baltimores-bill-for-ransomware-over-18-million-so-far/
• Baltimore ransomware was not the eternal-blue exploit https://krebsonsecurity.com/2019/06/report-no-eternal-blue-exploit-found-in-baltimore-city-ransomware/
• Ransomware attack costs Norsk Hydro tens of millions of dollars https://www.securityweek.com/ransomware-attack-costs-norsk-hydro-tens-millions-dollars
• Government sector in central asia targeted with new HAWKBALL backdoor delivered via Microsoft office vulnerabilities https://www.fireeye.com/blog/threat-research/2019/06/government-in-central-asia-targeted-with-hawkball-backdoor.html
• Adware hidden in android apps downloaded more than 440M times https://www.darkreading.com/attacks-breaches/adware-hidden-in-android-apps-downloaded-more-than-440-million-times/d/d-id/1334877
• Someone slipped a vuln into crypto-wallets via an NPM package. Then someone else siphoned off $13m in coins to protect it from thieves https://www.theregister.co.uk/2019/06/07/komodonpmwallets/
• Four indicted in Darkode malware case https://www.databreachtoday.com/feds-charge-four-in-new-darkode-case-a-12588
• Spain extradites 94 Taiwanese to China on phone scam charges https://www.securityweek.com/spain-extradites-94-taiwanese-china-phone-scam-charges

Other Security / Risk

Articles covering other types of risks.

• Vendor Risk management is on the mind of Insurance companies https://www.databreachtoday.com/interviews/vendor-security-risk-management-growing-concern-i-4346
• Microsoft and Oracle link up their clouds https://techcrunch.com/2019/06/05/microsoft-and-oracle-link-up-their-clouds/
• How does Apple (privately) find your offline devices? https://blog.cryptographyengineering.com/2019/06/05/how-does-apple-privately-find-your-offline-devices/
• High school cheaters nabbed by neural network https://www.scientificamerican.com/article/white-house-climate-review-could-damage-careers-scientists-warn/
• The War Museum Overloon unveils a rare Enigma G in a new exhibition https://thedailybounce.net/museums-events-historical/historical/war-museum-overloon-unveils-enigma-g-in-new-exhibition/

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• KLM designed flying wing is efficient and cool looking http://www.sciencealert.com/fuel-efficient-v-plane-plans-to-seat-passengers-in-its-wings
• Scientists find long sought flaw affecting solar panel efficiency http://www.sciencealert.com/scientists-identify-a-key-flaw-in-solar-panel-efficiency-after-40-years-of-searching
• Physicists have figured out how to save Schrödinger's Cat from uncertain death https://www.sciencealert.com/physicists-have-figured-out-a-way-to-save-schroedinger-s-cat-from-its-uncertain-demise
• Solving the Sun’s super-heating mystery with the Parker solar probe https://scienmag.com/solving-the-suns-super-heating-mystery-with-parker-solar-probe/