This Week’s [in]Security – Issue 125

Welcome to This Week’s [in]Security. This week: PCI releases new PIN technical FAQ document. Payment Security opinion. Breaches at PokerTracker, MoviePass, Hostinger, an adult website, MasterCard's Priceless Specials loyalty program, US and Canadian healthcare providers. Forced password resets don't always mean your provider was breached. Hy-Vee breach cards up for sale. No privacy left. Telegram cracked. Privacy placebo. Backdoor legislation. Courts rule on border searches, patent trolls. Broken privacy shield. NSA firmware protection. Foiling BEC. Cyber-insurance. Vulnerability monopolies. Nest cam leaks. Disabling cars. Lenovo insecurity. Webmin hole. Worsening supply chain attacks. Ransoming Texas. Vulnerable and fake VPNs. Kubernetes DDoS. Astronaut hacker. A world without the Internet. Vaping death. Banned from US for CBD oil. Age appropriate cyber-security education. And more.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

This week's photo: Careful where you park: Softball Foul 1 - Expensive Smart Windshield 0

PCI Compliance and Payments

News and announcements relating to Payment Security, Payments, PCI, and Card Brands.

• New mandatory (i.e. technical) FAQs - PTS PIN Technical Frequently Asked Questions v2.0 https://www.pcisecuritystandards.org/documents/PTSPINTechnicalFAQsv2August2019.pdf
• Fraud: Why Payment Card Industry Must 'Get Its Act Together' https://www.databreachtoday.com/fraud-payment-card-industry-must-get-its-act-together-a-12959

Breaches / Leaks

Covering breaches, leaks, data exposures, and their fallout.

• PokerTracker.com Hacked to Inject Payment Card Stealing Script https://www.bleepingcomputer.com/news/security/pokertrackercom-hacked-to-inject-payment-card-stealing-script/
• MoviePass database exposes 161 million records including PII and payment cards https://www.scmagazine.com/home/security-news/moviepass-database-exposes-161-million-records/
• Australia's PayID data breach: Commbank, Westpac, NAB, ANZ customers personal information at risk https://www.9news.com.au/national/payid-data-breach-commbank-westpac-nab-anz-customers-personal-information-at-risk/3e5f4da5-763d-4069-92f2-7450937281fb
• Hackers could have breached US bioterrorism defenses for years via a contractor. We'll never know if they did https://taskandpurpose.com/us-bioterrorism-defense-cybersecurity-vulnerabilities
• Web host Hostinger says data breach may affect 14 million customer credentials https://techcrunch.com/2019/08/25/web-host-hostinger-data-breach/
• Privacy breach exposes thousands of Canadian patients’ health info https://edmonton.citynews.ca/video/2019/08/22/privacy-breach-exposes-thousands-of-patients-health-info/
• Mastercard reports web site data breach to German and Belgian DPAs https://www.bleepingcomputer.com/news/security/mastercard-reports-data-breach-to-german-and-belgian-dpas/
• MGH reports data breach that exposed information of nearly 10,000 people https://www.bostonglobe.com/metro/2019/08/22/mgh-reports-data-breach-that-exposed-information-nearly-people/Cj7S671ykepHZdbSlRojaI/story.html
• Forced Password Reset? Check Your Assumptions https://krebsonsecurity.com/2019/08/forced-password-reset-check-your-assumptions/
• Adult website data leak connected private users to content uploads https://www.zdnet.com/article/adult-content-sharing-website-leaked-private-user-information/
• Online sneaker reseller StockX faces lawsuit over data breach https://www.engadget.com/2019/08/21/stockx-faces-class-action-lawsuit/
• Breach at Hy-Vee Supermarket Chain Tied to Sale of 5M+ Stolen Credit, Debit Cards https://krebsonsecurity.com/2019/08/breach-at-hy-vee-supermarket-chain-tied-to-sale-of-5m-stolen-credit-debit-cards/

Privacy

Articles about privacy related news, risks, and trends.

• So Much Of Our Lives Have Been Exposed Through Breaches We Have No Privacy Left https://www.forbes.com/sites/kalevleetaru/2019/08/25/so-much-of-our-lives-have-been-exposed-through-breaches-we-have-no-privacy-left/
• Did Facebook know about “View As” bug before 2018 breach? https://nakedsecurity.sophos.com/2019/08/19/did-facebook-know-about-view-as-bug-before-2018-breach/
• Chinese Agencies 'Crack Telegram': A Timely Warning For End-To-End Encryption https://www.forbes.com/sites/zakdoffman/2019/08/25/chinese-agencies-crack-telegram-a-timely-warning-for-end-to-end-encryption/
• Deconstructing Google’s excuses on tracking protection https://freedom-to-tinker.com/2019/08/23/deconstructing-googles-excuses-on-tracking-protection/
• Google Proposes 'Privacy Sandbox' to Develop Privacy-Focused Ads https://thehackernews.com/2019/08/google-privacy-sandbox-ads.html
• Facebook launches 'clear history' tool – but it won't delete anything https://www.theguardian.com/technology/2019/aug/20/facebook-launches-clear-history-tool-but-it-wont-delete-anything Facebook’s
• New Privacy Feature Comes With a Loophole https://www.wired.com/story/off-facebook-activity-privacy/
• Microsoft Halts Listening In To Xbox Gamers https://www.bbc.com/news/technology-4943587

Laws & Regulations / Standards

News about laws, regulations, and standards affecting security, privacy,  technology, and public interest.

• We’re closer to the knife’s edge’: Confrontation looming on encryption ‘backdoors’ as Goodale looks for balance (Canada) https://nationalpost.com/news/politics/were-closer-to-the-knifes-edge-confrontation-looming-on-encryption-backdoors-as-goodale-looks-for-balance
• Canada’s New and Irresponsible Encryption Policy: How the Government of Canada’s New Policy Threatens Charter Rights, Cybersecurity, Economic Growth, and Foreign Policy https://citizenlab.ca/2019/08/canadas-new-and-irresponsible-encryption-policy-how-the-government-of-canadas-new-policy-threatens-charter-rights-cybersecurity-economic-growth-and-foreign-policy/
• Ninth Circuit Goes a Step Further to Protect Privacy in Border Device Searches https://www.eff.org/deeplinks/2019/08/ninth-circuit-goes-step-further-protect-privacy-border-device-searches
• Court Rules That “Patent Troll” is Opinion, Not Defamation https://www.eff.org/deeplinks/2019/08/court-rules-phrase-patent-troll-opinion-not-defamation
• Alleged “snake oil” crypto company sues over boos at Black Hat https://arstechnica.com/information-technology/2019/08/company-accused-of-crypto-snake-oil-sues-black-hat-anonymous-detractors/YouTube's New Lawsuit Shows Just How Far Copyright Trolls Have to Go Before They're Stopped https://www.eff.org/deeplinks/2019/08/youtubes-new-lawsuit-shows-just-how-far-copyright-trolls-have-go-theyre-stopped
• Company Violates Privacy Shield, FTC Imposes No Penalty https://epic.org/2019/08/company-violates-privacy-shiel.html
• Does the US Electoral College confuse you? Court rules on “Faithless Electors” https://www.washingtonpost.com/nation/2019/08/22/he-tried-stop-trump-electoral-college-court-says-his-faithless-ballot-was-legal/

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• Open-source project from NSA researchers will allow for protection against firmware attacks https://www.cyberscoop.com/nsa-firmware-open-source-coreboot-stm-pe-eugene-myers/
• Thinkuknow provides age appropriate cybersecurity education https://www.thinkuknow.co.uk/Quick thinking by Portland Public Schools stops $2.9m BEC scam https://nakedsecurity.sophos.com/2019/08/22/quick-thinking-by-portland-public-schools-stops-29m-bec-scam/
• What New Methods Are Being Used To Protect User Data? https://www.forbes.com/sites/quora/2019/08/19/what-new-methods-are-being-used-to-protect-user-data/
• What you — and your company — should know about cyber insurance https://blog.talosintelligence.com/2019/08/cyber-insurance-FAQs.html
• Yubico launches its dual USB-C and Lightning two-factor security key https://techcrunch.com/2019/08/20/yubikey-dual-usb-c-lightning/
• The Android 10 Privacy and Security Upgrades You Should Know About https://www.wired.com/story/android-10-privacy-security-features/
• Encryption, Encoding and Hashing: Explained https://www.packetlabs.net/encryption-encoding-and-hashing/

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• Five vendors account for nearly a quarter of all vulnerabilities https://betanews.com/2019/08/23/five-vendors-quarter-vulnerabilities/
• Unpatchable security flaw found in popular SoC boards https://www.zdnet.com/article/unpatchable-security-flaw-found-in-popular-soc-boards/
• IoT Vulnerabilities in Google Nest Cam IQ can be used to hijack the camera, leak data https://www.zdnet.com/article/vulnerabilities-in-google-nest-cam-iq-can-be-used-to-hijack-your-camera/
• The Consumer Bureau's Reckless Plan for Debt Collection https://www.wired.com/story/the-consumer-bureaus-reckless-plan-for-debt-collection/
• Hacker Claims He Can ‘Turn Off 25,000 Cars’ At The Push Of A Button https://www.forbes.com/sites/thomasbrewster/2019/08/25/hacker-claims-he-can-immobilize-25000-cars-at-the-push-of-a-button/
• Cisco warns about public exploit code for critical flaws in its 220 Series smart switches https://www.helpnetsecurity.com/2019/08/22/cisco-220-series-exploit/
• Hacker Releases First Public Jailbreak for Up-to-Date iPhones in Years https://www.vice.com/en_us/article/qvgp77/hacker-releases-first-public-iphone-jailbreak-in-years
• Lenovo Solution Centre (LSC) - Security gone in 600 seconds: Make-me-admin hole found in Lenovo Windows laptop crapware. Delete it now https://www.theregister.co.uk/2019/08/23/lenovosolutioncentrecve2019_6177/
• Disgruntled bug-hunter drops Steam zero-day to get back at Valve for refusing him a bounty https://www.theregister.co.uk/2019/08/22/steamzerodayvalve/

Hacking / Malware / Cybercrime / Exploitation

News covering active trends and events.

• The year-long rash of supply chain attacks against open source is getting worse https://arstechnica.com/information-technology/2019/08/the-year-long-rash-of-supply-chain-attacks-against-open-source-is-getting-worse/
• Hackers Use Fake NordVPN Website to Deliver Banking Trojan https://www.bleepingcomputer.com/news/security/hackers-use-fake-nordvpn-website-to-deliver-banking-trojan/
• Alarm in Texas as 23 towns hit by 'coordinated' ransomware attack https://www.cnbc.com/2019/08/19/alarm-in-texas-as-23-towns-hit-by-coordinated-ransomware-attack.html
• Hackers Want $2.5 Million Ransom for Texas Ransomware Attacks https://www.bleepingcomputer.com/news/security/hackers-want-25-million-ransom-for-texas-ransomware-attacks/
• Backdoor Found in Webmin Utility https://duo.com/decipher/backdoor-found-in-webmin-utility
• Employees connect nuclear plant to the internet so they can mine cryptocurrency https://www.zdnet.com/article/employees-connect-nuclear-plant-to-the-internet-so-they-can-mine-cryptocurrency/ (astonishingly something like this has happened before see https://controlgap.com/blog/this-weeks-insecurity-issue-46/))
• Phishing: These are the companies that hackers impersonate when they try to steal your data https://www.zdnet.com/article/phishing-these-are-the-companies-that-hackers-impersonate-when-they-try-to-steal-your-data/
• Chinese APT Groups Target Cancer Research Facilities https://www.databreachtoday.com/chinese-apt-groups-target-cancer-research-facilities-report-a-12952
• Hackers Hit Unpatched Pulse Secure and Fortinet SSL VPNs https://www.bankinfosecurity.com/hackers-hit-unpatched-pulse-secure-fortinet-ssl-vpns-a-12958
• Instagram Security Warning: Millions At Risk From ‘Believable’ New Phishing Attack https://www.forbes.com/sites/zakdoffman/2019/08/24/new-critical-security-warning-issued-for-1-billion-instagram-users/
• Severe Flaws in Kubernetes Expose All Servers to DoS Attacks https://www.bleepingcomputer.com/news/security/severe-flaws-in-kubernetes-expose-all-servers-to-dos-attacks/
• $1.1 Million in Cryptocurrency to Be Seized From Hacker https://www.databreachtoday.com/11-million-in-cryptocurrency-to-be-seized-from-hacker-a-12962
• 80 Indicted for Scams, Including Business Email Compromises https://www.databreachtoday.com/80-indicted-for-scams-including-business-email-compromises-a-12951
• Should You Pay An Online Ransom? https://sector.ca/should-you-pay-an-online-ransom/

Other Security / Risk

Articles covering other types of risks.

• Astronaut accused of hacking former spouse's bank account from space https://www.boston25news.com/news/trending-now/astronaut-accused-of-hacking-former-spouse-s-bank-account-from-space/979034803
• CBSA officer caught leaking police information to family members: internal docs https://www.cbc.ca/news/politics/cbsa-calgary-police-breach-1.5251974
• Canadian woman faces lifetime ban after getting caught with CBD oil at U.S. border https://www.cbc.ca/news/politics/tasker-cbd-oil-us-border-lifetime-ban-1.5252479
• Modifying a Tesla to Become a Surveillance Platform (DEFCON) https://www.schneier.com/blog/archives/2019/08/modifyingates.html
• OpenAI Said Its Code Was Risky. Two Grads Recreated It Anyway https://www.wired.com/story/dangerous-ai-open-source/
• What Is Cyberwar? The Complete WIRED Guide https://www.wired.com/story/cyberwar-guide/
• What Would Happen If the Whole Internet Just Shut Down All of a Sudden? https://gizmodo.com/what-would-happen-if-the-whole-internet-just-shut-down-1837346490
• Thousands Of Banned Chinese Surveillance Cameras Are Watching Over America https://www.forbes.com/sites/thomasbrewster/2019/08/21/2000-banned-chinese-surveillance-cameras-keep-watch-over-us-government-sites/
• The First Person Has Died From a Mysterious Lung Illness Linked to Vaping http://www.sciencealert.com/a-mysterious-lung-illness-has-been-linked-to-vaping-and-the-first-person-has-died

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• Scientists extract hydrogen gas from oil and bitumen, giving potential pollution-free energy https://phys.org/news/2019-08-scientists-hydrogen-gas-oil-bitumen.html
• Nuking nature (not just hurricanes) https://www.wired.com/story/nuking-hurricanes-polar-ice-caps-climate-change/
• Huge 150 sq.km floating pumice raft near Fiji – about the size of Windsor Ontario https://www.bbc.com/news/world-australia-49469446
• 'It's sentimental': Titanic slowly disintegrates into ocean floor https://www.cbc.ca/news/canada/nova-scotia/titanic-slowly-returning-to-nature-1.5258893
• 5 Things You Likely Never Knew About NASA's X-15 Rocket Plane https://www.forbes.com/sites/brucedorminey/2019/08/25/5-things-you-likely-never-knew-about-nasas-x-15-rocket-plane/