This Week’s [in]Security – Issue 119

Welcome to This Week’s [in]Security. This week: PCI is quite, ATM and payment app crime, record £183M GDPR fine for BA, massive smart home vendor records leak, de-anonymizing data, online fingerprinting , ISPs dislike DoH, secure power grid initiative, NIST VPN and TDEA/TDES updates, space tech risk, D-Link FTC settlement audits, Zipato’s smart hub IoT door lock failure, China puts secret app on tourist phones, Ubuntu hacked, Facebook account purge, push back and risk of Facebook's Libra Coin, Crypto-currency manipulation, courts and forensic firm hit by ransomware, ransomware firing, the strange case of Cisco gear with Huawei certificates, Blockchain hype, more evidence Blockchain is not eco-friendly, more Boeing pain, mushrooms and sleeping pill risks, and more.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

News and announcements relating to Payment Security, Payments, PCI, and Card Brands.

• No news from the PCI council after a busy previous week
• Russian 'Silence' hacking crew turns up the volume – with $3m-plus cyber-raid on bank's cash machines https://www.theregister.co.uk/2019/07/03/silencehackingbangla/
• Japan's 7-Eleven payment app gives easy access to scammers https://www.bbc.co.uk/news/world-asia-48878159

Breaches / Leaks

Covering breaches, leaks, data exposures, and their fallout.

• British Airways faces record-breaking
  £183M GDPR fine after data breach on 500K customers ( £366/customer) https://www.theverge.com/2019/7/8/20685830/british-airways-data-breach-fine-information-commissioners-office-gdpr
• Billions of Records Including Passwords Leaked by Smart Home Vendor https://www.bleepingcomputer.com/news/security/billions-of-records-including-passwords-leaked-by-smart-home-vendor/
• Data Breaches That Take Minutes to Occur, Often Require Months to Discover https://www.insurancejournal.com/news/national/2019/07/03/531283.htm
• Why Cloud Data Exposures Keep Happening https://sector.ca/why-cloud-data-keeps-getting-exposed/
• US Customs and Border Protection Reportedly Suspends Contractor Over Cyberattack and Disclosure of Traveler Photos https://www.cnet.com/news/us-customs-and-border-protection-reportedly-suspends-subcontractor-over-cyberattack/

Privacy

Articles about privacy related news, risks, and trends.

• We Are Now The Product Even If We Pay For A Service https://www.forbes.com/sites/kalevleetaru/2019/07/04/we-are-now-the-product-even-if-we-pay-for-a-service/
• ‘Fingerprinting’ to Track Us Online Is on the Rise. Here’s What to Do https://www.nytimes.com/2019/07/03/technology/personaltech/fingerprinting-track-devices-what-to-do.html
• Can Patient Data Be Truly 'De-Identified' for Research? https://www.bankinfosecurity.com/patient-data-be-truly-de-identified-for-research-a-12708
• Privacy groups sound alarm as B.C. community offers incentives for security cameras https://globalnews.ca/news/5466461/parksville-security-cameras-rebate/
• Mozilla Nominated for 'Internet Villain' by Angry ISPs https://www.bankinfosecurity.com/mozilla-nominated-as-internet-villain-for-secure-dns-a-12726
• In Amicus, EPIC Proposes Duty to Protect Personal Data http://epic.org/2019/07/in-amicus-epic-proposes-duty-t.html
• EPIC, Coalition Oppose Facebook Libra Plan http://epic.org/2019/07/epic-coalition-oppose-facebook.html

Laws & Regulations / Standards

News about laws, regulations, and standards affecting security, privacy,  technology, and public interest.

• U.S. Government Makes Surprise Move To Secure Power Grid From Cyberattacks https://www.forbes.com/sites/kateoflahertyuk/2019/07/03/u-s-government-makes-surprise-move-to-secure-power-grid-from-cyber-attacks/
• Encryption laws are creating an exodus of data from Australia: Vault https://www.zdnet.com/article/encryption-laws-are-creating-an-exodus-of-data-from-australia-vault/
• The 'Going Dark' Debate: It's Back https://www.bankinfosecurity.com/blogs/going-dark-debate-its-back-p-2761
• Opinion: It's time to break up the Department of Homeland Security https://www.cnn.com/2019/07/04/opinions/department-of-homeland-security-needs-dismantling-perry/index.html
• Virginia bans 'deepfakes' and 'deepnudes' pornography https://www.bbc.co.uk/news/technology-48839758
• NIST Draft (SP) 800-77 Revision 1, Guide to IPsec VPNs is open for comments until October 8, 2019. Publication details: https://csrc.nist.gov/publications/detail/sp/800-77/rev-1/draft and CSRC update: https://csrc.nist.gov/news/2019/nist-releases-draft-sp-800-77-rev-1-for-comment
• NIST Draft (SP) 800-175B Revision 1, Guideline for Using Cryptographic Standards in the Federal Government: Cryptographic Mechanisms (refers to TDEA/TDES deprecation strategy) is open for comments until September 5, 2019. Publication details: https://csrc.nist.gov/publications/detail/sp/800-175b/rev-1/draft and CSRC update: https://csrc.nist.gov/news/2019/nist-releases-draft-sp-800-175b-rev-1-for-comment

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• Google Chrome To Block Heavy Ads That Use Too Many Resources https://www.zdnet.com/article/google-chrome-to-block-heavy-ads-that-use-too-many-system-resources/
• Cyberwarfare in space: Satellites at risk of hacker attacks https://www.zdnet.com/article/cyberwarfare-in-space-satellites-at-risk-of-hacker-attacks/
• Toyota's Car-Hacking Toolkit (PASTA) Now Available https://www.darkreading.com/analytics/toyotas-car-hacking-tool-now-available/d/d-id/1335121
• Hash-Identifier - Software To Identify The Different Types Of Hashes Used To Encrypt Data And Especially Passwords https://www.kitploit.com/2019/07/hash-identifier-software-to-identify.html
• A Quick and Efficient Method For Locating the main() function of Linux ELF Malware Variants https://blog.trendmicro.com/trendlabs-security-intelligence/a-quick-and-efficient-method-for-locating-the-main-function-of-linux-elf-malware-variants/
• Paper: The Adversarial Robustness of Sampling https://eprint.iacr.org/2019/764
• Paper: Practical Attacks on Reduced-Round AES (on 5 rounds) https://eprint.iacr.org/2019/770
• D-Link Agrees to 10 Years of Security Audits to Settle FTC Charges https://thehackernews.com/2019/07/ftc-d-link-router-security.html
• Black Hat Q&A: Understanding NSA's Quest to Open Source Ghidra https://www.darkreading.com/threat-intelligence/black-hat-qanda-understanding-nsas-quest-to-open-source-ghidra/d/d-id/1335123

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• This game makes players better at spotting disinformation after just 15 minutes, study finds https://www.cbc.ca/news/technology/disinformation-study-online-game-vaccinate-1.5194616
• Magento Patches Flaws Leading to Site Takeover https://www.securityweek.com/magento-patches-flaws-leading-site-takeover
• Google Confirms Apple iPhone Bricking iMessage Bomb https://www.forbes.com/sites/daveywinder/2019/07/07/google-confirms-apple-iphone-bricking-imessage-bomb/
• Android July 2019 Security Update Patches 33 New Vulnerabilities https://thehackernews.com/2019/07/android-security-update.html
• Another IoT failure - Open Sesame! Zipato’s smart hub hacked to open front doors http://nakedsecurity.sophos.com/2019/07/04/open-sesame-zipatos-smart-hub-hacked-to-open-front-doors/
• Hardcoded Credentials Expose SICK Controllers to Remote Attacks https://www.securityweek.com/hardcoded-credentials-expose-sick-controllers-remote-attacks
• What if All Your Slack Chats Were Leaked? https://www.nytimes.com/2019/07/01/opinion/slack-chat-hackers-encryption.html
• With new feature update calendar, Microsoft finally settles on a sensible Windows 10 release schedule https://www.zdnet.com/article/with-new-feature-update-calendar-microsoft-finally-settles-on-a-sensible-windows-10-release-schedule/

Hacking / Malware / Cybercrime / Exploitation

News covering active trends and events.

• First-Ever Malware Strain Spotted Abusing New DoH Protocol https://www.zdnet.com/article/first-ever-malware-strain-spotted-abusing-new-doh-dns-over-https-protocol/
• The Biggest Cybersecurity Crises of 2019 So Far https://www.wired.com/story/biggest-cybersecurity-crises-2019-so-far/
• US Cyber Command issues alert about Iranian hackers exploiting a 2017 vulnerability that bypasses the Outlook sandbox https://www.zdnet.com/article/us-cyber-command-issues-alert-about-hackers-exploiting-outlook-vulnerability/
• China Snares Tourists’ Phones in Surveillance Dragnet by Adding Secret App https://www.nytimes.com/2019/07/02/technology/china-xinjiang-app.html
• Sophos Proof-of-Concept Exploit Shows Dangers of BlueKeep https://www.bankinfosecurity.com/sophos-proof-of-concept-exploit-shows-dangers-bluekeep-a-12709
• OpenPGP experts targeted by long-feared ‘poisoning’ attack http://nakedsecurity.sophos.com/2019/07/05/openpgp-experts-targeted-by-long-feared-poisoning-attack/
• Ubuntu-Maker Canonical’s GitHub Account Gets Hacked - looks like a defacement could have been much worse https://thehackernews.com/2019/07/canonical-ubuntu-github-hacked.html
• Hacker deletes all content from University of Ottawa newspaper’s website https://globalnews.ca/news/5452169/hacker-deletes-all-content-university-of-ottawa-newspaper-website/
• Eight Arrested Over Cyberattacks Against Hong Kong Police https://www.securityweek.com/eight-arrested-over-cyberattacks-against-hong-kong-police
• Hacker Who Disrupted Sony Gaming Firm Gets Federal Prison https://www.securityweek.com/hacker-who-disrupted-sony-gaming-firm-gets-federal-prison
• Facebook Removes Accounts Used To Infect Thousands https://threatpost.com/facebook-malware-laced-links/146149/
• Hundreds of Facebook Libra websites appear as hackers seek to profit from new crypto-currency https://www.independent.co.uk/life-style/gadgets-and-tech/news/facebook-libra-cryptocurrency-hackers-fake-websites-cyber-crime-a8982896.html
• The Anatomy Of A Fake Cryptocurrency Trade: How Exchanges Create Phony Transactions https://www.forbes.com/sites/jeffkauflin/2019/07/02/the-anatomy-of-a-fake-cryptocurrency-trade-how-exchanges-create-phony-transactions/
• Samsung Update App with 10M+ Installs Charges for Free Firmware https://www.bleepingcomputer.com/news/security/samsung-update-app-with-10m-installs-charges-for-free-firmware/
• Hackers Slurp $500,000 Through 7-Eleven Mobile Payment App https://www.bankinfosecurity.com/hackers-slurp-500000-through-7-eleven-mobile-payment-app-a-12729
• Report: UK's Largest Forensics Firm Pays Ransom to Attacker https://www.bankinfosecurity.com/report-uks-largest-forensics-firm-pays-ransom-to-attacker-a-12730
• Ryuk, Ryuk, Ryuk: Georgia’s courts hit by ransomware https://arstechnica.com/information-technology/2019/07/ryuk-ryuk-ryuk-georgias-courts-hit-by-ransomware/
• Florida city fires IT employee after paying ransom demand last week https://www.zdnet.com/article/florida-city-fires-it-employee-after-paying-ransom-demand-last-week/
• Georgia Failed to Subpoena Image of Wiped Elections Server https://www.securityweek.com/georgia-failed-subpoena-image-wiped-elections-server
• Malicious Script With Multiple Payloads https://isc.sans.edu/diary.html?storyid=25090
• What Is Credential Dumping? https://www.wired.com/story/hacker-lexicon-credential-dumping

Other Security / Risk

Articles covering other types of risks.

• Consumer Data, Upcoming Elections Are at Risk, Black Hat Survey Says https://www.darkreading.com/consumer-data-upcoming-elections-are-at-risk-black-hat-survey-says/d/d-id/1335089
• So, you think you've spotted some 'fake news' — now what? https://www.cbc.ca/news/technology/fake-news-disinformation-propaganda-internet-1.5196964
• Analysis: The Real Threat From Facebook's Libra Coin is Identities https://www.forbes.com/sites/francescoppola/2019/06/30/the-real-threat-from-facebooks-libra-coin/
• We just got a clear sign that Facebook’s dodgy reputation means it has a massive struggle to persuade people to use its new cryptocurrency Libra We just got a clear sign that Facebook’s dodgy reputation means it has a massive struggle to persuade people to use its new cryptocurrency Libra https://www.businessinsider.com/facebook-people-libra-jefferies-trust-2019-7
• Seriously? Cisco put Huawei X.509 certificates and keys into its own switches https://www.zdnet.com/article/seriously-cisco-put-huawei-x-509-certificates-and-keys-into-its-own-switches/
• AT&T down: 911 calls failing to go through amid major carrier outage https://www.independent.co.uk/life-style/gadgets-and-tech/news/att-outage-911-calls-down-police-ambulance-latest-update-a8984316.html
• Cloudflare’s outage had widespread implications – incorrect Bitcoin prices, Down Detector unreachable and more https://metro.co.uk/2019/07/02/cloudflare-outage-means-websites-including-detector-10103471/
• Facebook says glitches involving WhatsApp, Instagram now resolved https://www.cbc.ca/news/technology/facebook-whatsapp-instagram-social-media-outage-1.5198656
• Facebook buildings evacuated in California after nerve agent scare https://www.cbc.ca/news/world/facebook-site-evacuated-mail-sarin-1.5196514
• ReactOS ‘a ripoff of the Windows Research Kernel’ claims Microsoft kernel engineer https://www.theregister.co.uk/2019/07/03/reactosaripoffofthewindowsresearchkernelclaimsmicrosoftkernel_engineer/
• A new, more user-friendly language for programming supercomputers https://techxplore.com/news/2019-07-user-friendly-language-supercomputers.html
• Apparently, IBM’s Blockchain Isn’t a Real Blockchain https://cointelegraph.com/news/why-ibms-blockchain-isnt-a-real-blockchain
• OK, we call BS. Article claiming Blockchain will stop breaches is long on hype, short on details, omits a massive amount of infrastructure and transformation, and ignores other technologies. “Cybersecurity Breach at Maryland Agency Spotlights Need for Blockchain www.ccn.com/op-ed/security-breach-at-maryland-agency-highlights-govt-need-for-blockchain/2019/07/06/” (If you must visit, you’ll have to cut and past the text link).
• ‘It’s very arbitrary’: People, mayors furious over Quebec’s updated flood maps https://globalnews.ca/news/5462671/people-mayors-furious-quebec-flood-maps/
• Boeing’s pain grows – loses big order for 737 Max aircraft https://www.bbc.com/news/business-48899588
• New Flaw In Boeing 737 Forewarns Emergency Procedure Bugs In Driverless Cars https://www.forbes.com/sites/lanceeliot/2019/07/03/new-flaw-in-boeing-737-forewarns-emergency-procedure-bugs-in-driverless-cars/
• SpaceX has Lost Contact With 3 of its Starlink Satellites https://www.universetoday.com/142733/spacex-has-lost-contact-with-3-of-its-starlink-satellites/
• Google tweaked algorithm after rise in US shootings https://www.theguardian.com/technology/2019/jul/02/google-tweaked-algorithm-after-rise-in-us-shootings
• Bitcoin's energy consumption 'equals that of Switzerland' https://www.bbc.co.uk/news/technology-48853230
• Toxic death cap mushroom spotted in Vancouver, health officials confirm https://globalnews.ca/news/5461798/death-cap-mushroom-vancouver/
• Risks of sleeping pills and planes: Embarrassing tales from 35,000 feet https://www.cnn.com/travel/article/planes-sleeping-pills/index.html

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• Safer Nuclear Reactors Are on the Way https://www.scientificamerican.com/article/safer-nuclear-reactors-are-on-the-way/
• New computer chip could speed up scientific discoveries by 1,000 times https://www.independent.co.uk/life-style/gadgets-and-tech/news/computer-chip-speed-record-blueshift-memory-discovery-a8989476.html
• Desirable Impurities, Tiny granules can help bring clean and abundant fusion power to Earth https://phys.org/news/2019-07-tiny-granules-abundant-fusion-power.html
• Astronomers help wage war on cancer https://scienmag.com/astronomers-help-wage-war-on-cancer/
• NASA Telescopes Have Revealed The Atmosphere of a Strange Hybrid Exoplanet Over 100 Light Years Away http://www.sciencealert.com/nasa-telescopes-reveal-the-atmosphere-of-a-strange-hybrid-exoplanet
• If You Thought Quantum Mechanics Was Weird, You Need to Check Out Entangled Time http://www.sciencealert.com/if-you-thought-quantum-mechanics-was-weird-wait-til-you-check-out-entangled-time