This Week’s [in]Security – Issue 122 | insecurity | Control Gap

Welcome to This Week’s [in]Security. This week: PCI: SSF FAQ document, Contactless COTS comment period, CPEs. Breaches: QuickBit, Robinhood. Breach followups: Citrix, Facebook, Equifax, AMCA. 2019 Breach Cost Study. Netflix film on Cambridge Analytica. Anonymization fails, changing the the encryption backdoor debate, fooling an anti-malware 'AI', weak AES keys, election security, Observatory for Internet Abuse, detecting fake images, the Cybersecurity Visuals Challenge, payroll phishing, a new look a the climate change problem, and more.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

This Week [in]Security will be on hiatus next week, issue 123 will return in two weeks.

PCI Compliance and Payments

News and announcements relating to Payment Security, Payments, PCI, and Card Brands.

• Article on PCI Software Security Framework FAQS: PA-DSS Impact and Transition https://blog.pcisecuritystandards.org/pci-software-security-framework-faqs-pa-dss-impact-and-transition
• SSF FAQs have been published in a standalone document https://www.pcisecuritystandards.org/documents/FAQs-for-PCI-Software-Security-Framework-v2.pdf
• PCI Request for Comments: Contactless Payments on COTS Standard https://blog.pcisecuritystandards.org/request-for-comments-contactless-payments-on-cots-standard
• PCI SSC 5 Common Questions About Continuing Professional Education Credits https://blog.pcisecuritystandards.org/5-common-questions-about-continuing-professional-education-credits
• Updated FAQ 1458 https://pcissc.secure.force.com/faq/articles/FrequentlyAskedQuestion/What-date-should-be-used-for-Date-of-Report-in-the-ROC

Breaches / Leaks

Covering breaches, leaks, data exposures, and their fallout.

• The 2019 IBM Ponemon Cost of a Breach Study is now available https://www.ibm.com/security/data-breach
• Crypto Exchange QuickBit Confirms Data Breach That May Impact 300,000 Users https://www.coindesk.com/crypto-exchange-quickbit-confirms-data-breach-impacting-300000-users
• Stock Trading Firm Robinhood Stored User Passwords in Plaintext https://www.securityweek.com/stock-trading-firm-robinhood-stored-user-passwords-plaintext
• Data breach of vendor puts personal info of TN high school students at risk https://www.wsmv.com/news/data-breach-of-vendor-puts-personal-info-of-tn-high/article_a319c472-ad73-11e9-a209-a7cf327c76a3.html
• Citrix Confirms Password-Spraying (aka userID guessing) Attack Used in Heist of Reams of Internal IP https://threatpost.com/citrix-confirms-password-spraying-heist/146641/

• Have I Been Pwnded adds more accounts

  • EatStreet, 2019, 6M https://haveibeenpwned.com/PwnedWebsites#EatStreet
  • Xiaomi (unverified), 2012, 7M https://haveibeenpwned.com/PwnedWebsites#Xiaomi
• Yet Again, More Victims Added to AMCA Breach Tally https://www.bankinfosecurity.com/more-victims-added-to-amca-breach-tally-again-a-12817
• What You Should Know About the Equifax Data Breach Settlement https://krebsonsecurity.com/2019/07/what-you-should-know-about-the-equifax-data-breach-settlement/
• Knowing About Your Security Flaws And Not Patching: Priceless? Actually: $575 Million https://www.forbes.com/sites/danpitman1/2019/07/22/knowing-about-your-security-flaws-and-not-patching-priceless-actually-575-million/
• Facebook's FTC fine was reportedly going to be tens of billions of dollars, and would've held Mark Zuckerberg personally responsible https://www.businessinsider.com/facebook-ftc-fine-deal-explained-2019-7
• The other shoe drops in the $5B Facebook settlement – 20 years privacy program https://thehackernews.com/2019/07/ftc-facebook-privacy-program.html
• The Great Hack - Netflix production about Cambridge Analytica and the dark side of social media in the wake of the 2016 U.S. presidential election. https://www.netflix.com/title/80117542

Privacy

Articles about privacy related news, risks, and trends.

• Anonymizing personal data 'not enough to protect privacy,' shows new study https://techxplore.com/news/2019-07-anonymizing-personal-privacy.html
• A new Facebook privacy flaw allowed thousands of children on Messenger Kids to enter group chats with strangers https://www.businessinsider.com/facebook-messenger-kids-group-chat-privacy-flaw-2019-7
• Marketing biz bares folks' data in the act of asking for their GDPR communication preferences https://www.theregister.co.uk/2019/07/22/sprinteducationgdpremailfail/
• Data slurped from 4 million browsers still available via Google Analytics https://arstechnica.com/information-technology/2019/07/data-slurped-from-4-million-browsers-still-available-via-google-analytics/

Laws & Regulations / Standards

News about laws, regulations, and standards affecting security, privacy,  technology, and public interest.

• Schneier reviews Attorney General William Barr’s position on encryption policy – the debates approach may be changing for the good https://www.schneier.com/blog/archives/2019/07/attorneygenera1.html
• PSD2, Strong Customer Authentication (SCA) And Exemptions To The Extension https://www.pymnts.com/authentication/2019/psd2-sca-and-exemptions-to-the-extension/
• New York's Revenge Porn Law Is a Flawed Step Forward https://www.wired.com/story/new-york-revenge-porn-law/

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• Facebook's Ex-Security Chief Details His 'Observatory' for Internet Abuse https://www.wired.com/story/alex-stamos-internet-observatory/
• NSA to Form New Cybersecurity Directorate https://www.darkreading.com/threat-intelligence/nsa-to-form-new-cybersecurity-directorate/d/d-id/1335333
• Re-Thinking Supply Chain Security https://www.bankinfosecurity.com/interviews/re-thinking-supply-chain-security-i-4383
• Chrome 76 blocks websites from detecting incognito mode https://nakedsecurity.sophos.com/2019/07/22/chrome-76-blocks-websites-from-detecting-incognito-mode/
• Security Considerations in a BYOD Culture https://www.darkreading.com/edge/theedge/security-considerations-in-a-byod-culture/b/d-id/1335178

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• Researchers Easily Trick Cylance's AI-Based Antivirus Into Thinking Malware Is 'Goodware' https://www.vice.com/en_us/article/9kxp83/researchers-easily-trick-cylances-ai-based-antivirus-into-thinking-malware-is-goodware
• Weak-Key Subspace Trails and Applications to AES https://eprint.iacr.org/2019/852
• Re-evaluating Network Security - It is Increasingly More Complex https://isc.sans.edu/diary.html?storyid=25152
• Critical RCE Flaw in Palo Alto Gateways Hits Uber https://threatpost.com/critical-rce-flaw-palo-alto-gateways-uber/146606/
• A New 'Arbitrary File Copy' Flaw Affects ProFTPD Powered FTP Servers https://thehackernews.com/2019/07/linux-ftp-server-security.html
• Bug in NVIDIA’s Tegra Chipset Opens Door to Malicious Code Execution https://threatpost.com/nvidias-tegra-chipset-attack/146561/
• U.S. Warns of 5G Wireless Network Security Risks https://www.securityweek.com/us-warns-5g-wireless-network-security-risks

Hacking / Malware / Cybercrime / Exploitation

News covering active trends and events.

• Israeli Spyware Firm Accused Of Hacking Apple, Facebook And Google Responds (Updated) https://www.forbes.com/sites/zakdoffman/2019/07/19/israeli-whatsapp-spyware-now-targets-icloud-google-and-facebook-via-phones-report/
• Ex-NSA Contractor Gets 9 Years for Retaining Defense Data https://www.darkreading.com/threat-intelligence/ex-nsa-contractor-gets-9-years-for-retaining-defense-data/d/d-id/1335312
• Siemens Contractor Pleads Guilty to Planting 'Logic Bomb' in Spreadsheets https://thehackernews.com/2019/07/siemens-logic-bomb.html
• Neo-Nazi SWATters Target Dozens of Journalists https://krebsonsecurity.com/2019/07/neo-nazi-swatters-target-dozens-of-journalists/
• Ransomware Attack Cripples South African Power Company’s Entire Network https://www.bleepingcomputer.com/news/security/ransomware-attack-cripples-power-company-s-entire-network/
• Attackers Turn Elasticsearch Databases Into DDoS Bots https://www.securityweek.com/attackers-turn-elasticsearch-databases-ddos-bots
• Adware Is the Malware You Should Actually Be Worried About https://www.wired.com/story/adware-most-common-malware/
• Advanced mobile surveillanceware, made in Russia, found in the wild https://arstechnica.com/information-technology/2019/07/advanced-mobile-surveillanceware-made-in-russia-found-in-the-wild/
• Quickbooks’ cloud host, Insynq, hit by ransomware Krebs on Security https://krebsonsecurity.com/2019/07/quickbooks-cloud-hosting-firm-insynq-hit-in-ransomware-attack/
• FIN8 Group Returns, Targeting POS Devices With New Tools https://www.bankinfosecurity.com/fin8-group-returns-targeting-pos-devices-new-tools-a-12819
• China-Linked Threat Actor Using New Backdoor https://www.securityweek.com/china-linked-threat-actor-using-new-backdoor
• Phishing Attack Aimed at Stealing Payroll Deposits https://www.databreachtoday.com/phishing-attack-aimed-at-stealing-payroll-deposits-a-12804
• Alleged identity thief arrested in Penticton after 30 pieces of identification found in vehicle https://globalnews.ca/news/5679143/alleged-identity-thief-arrested-in-penticton-after-30-pieces-of-identification-found-in-vehicle/

Other Security / Risk

Articles covering other types of risks.

• Matrices, hoodies, and thugs. Oh my! The cybersecurity visuals challenge hopes to remedy the sorry state of cyber images https://www.openideo.com/challenge-briefs/cybersecurity-visuals
• Identifying a Fake Picture Online Is Harder Than You Might Think https://www.snopes.com/ap/2019/07/26/identifying-a-fake-picture-online-is-harder-than-you-might-think/
• Opinion: Climate change issues have been problematic and ineffective, a moon-shot approach is needed to find solutions https://www.forbes.com/sites/stevedenning/2019/07/21/implementing-the-one-viable-solution-to-climate-change/
• Cyber-insurance, nation state malware, and acts of war – Cyberlaw wonks squint at NotPetya insurance smackdown: Should 'war exclusion' clauses apply to network hacks? https://www.theregister.co.uk/2019/07/26/doinsurancewarexclusionclausesapplyto_cyberattacks/
• AI's Minority Report for retail: They know you’ll return it even before you buy it https://www.zdnet.com/article/a-i-s-minority-report-for-retail-they-know-youll-return-it-even-before-you-buy-it/
• Ad Tool Facebook Built to Fight Disinformation Doesn’t Work as Advertised https://www.nytimes.com/2019/07/25/technology/facebook-ad-library.html
• The Unsexy Threat to Election Security https://krebsonsecurity.com/2019/07/the-unsexy-threat-to-election-security/
• Let's Destroy Democracy https://blog.talosintelligence.com/2019/07/lets-destroy-democracy.html
• AML Compliance Costs Nordic Banks https://www.pymnts.com/news/banking/2019/aml-costs-nordic-banks/
• How did YouTube help spread a conspiracy theory? https://www.bbc.co.uk/news/stories-49021903
• Bracebridge OPP respond to almost 400 pocket dials, unintentional 911 calls in first 3 weeks of July https://globalnews.ca/news/5679614/bracebridge-opp-unintentional-911-calls/
• Why the WHO's Emergency Declaration for Ebola Is a Big Deal https://www.scientificamerican.com/article/why-the-whos-emergency-declaration-for-ebola-is-a-big-deal/

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• New Device That Channels Heat Into Light Could Boost Solar Cell Efficiency to 80% http://www.sciencealert.com/device-that-channels-heat-into-light-could-boost-solar-efficiency-to-80-percent
• Solar sails are no longer SciFi - LightSail2 Deploys Its Sails https://www.universetoday.com/142938/drama-in-low-earth-orbit-as-lightsail2-deploys-its-sails/
• Tiny New Species of Shark That Glows in The Dark http://www.sciencealert.com/researchers-have-just-identified-a-new-species-of-shark-it-has-pockets-that-glow-in-the-dark
• Gaia Mission is Mapping Out the Bar at the Center of the Milky Way https://www.universetoday.com/142877/gaia-mission-is-mapping-out-the-bar-at-the-center-of-the-milky-way/