This Week’s [in]Security – Issue 129

Welcome to This Week’s [in]Security. This week: Big updates from the PCI Community meeting including DSS 4.0, P2PE 3.0, and Software Security. Lots of breaches. 8 cities via Click2Gov, Magecart revival and hotel booking sites. Equador (yes the country). Facebook suspends thousands of apps. FBI National Security letters and back-doors. New Mitre CWE top 25. Faster Wi-fi. Elections. AI fighting card fraud. Microsoft breaks defender. More bad Android apps. Fitbit catches up murder. Sentencing and sanctions. Russian's read FBI encrypted comms. Gene manipulation gone wrong. Crown Sterling demo flops. The climate , carbon footprints, and nukes. And more.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

This week's photo was taken at the Vancouver PCI Community meeting (and no your browser hasn't stuck rendering). This highlights the risks of video games bleeding through into reality :). Okay we confess, it's just a nice sculpture.

PCI Compliance and Payments

News and announcements relating to Payment Security, Payments, PCI, and Card Brands.

• 5 Questions About PCI DSS v4.0 https://blog.pcisecuritystandards.org/5-questions-about-pci-dss-v4-0
• 3 Things to Know About P2PE v3.0 https://blog.pcisecuritystandards.org/3-things-to-know-about-p2pe-v3-0

• Software Security and PA-DSS updates:

  • Understanding the PCI Software Security Framework: New Educational Resources https://blog.pcisecuritystandards.org/understanding-the-pci-software-security-framework-new-educational-resources
  • Executive Director Q&A: PCI SSC Strategic Framework https://blog.pcisecuritystandards.org/executive-director-q-and-a-pci-ssc-strategic-framework
  • Transitioning from PA-DSS to the PCI Software Security Framework https://www.pcisecuritystandards.org/documents/TransitioningfromPA-DSStoSSFResourceGuide.pdf
• REB PCI DSS Case Study: Braspag https://www.pcisecuritystandards.org/documents/casestudies/PCICaseStudyBraspag-DSS.pdf
• PCI Security Standards Council And Women’s Network in Electronic Transactions Announce strategic Partnership https://www.pcisecuritystandards.org/aboutus/pressreleases/pr_09182019

Breaches / Leaks

Covering breaches, leaks, data exposures, and their fallout.

• Payment Card Breach Hits 8 Cities Using Vulnerable Bill Portal https://threatpost.com/payment-card-breach-hits-8-cities-using-vulnerable-bill-portal/148521/

• Magecart

  • Hotel Booking Sites Come Under Fire From Magecart https://www.zdnet.com/article/magecart-strikes-again-hotel-booking-websites-come-under-fire/
  • Magecart Skimming Attack Targets Mobile Users of Hotel Chain Booking Websites https://blog.trendmicro.com/trendlabs-security-intelligence/magecart-skimming-attack-targets-mobile-users-of-hotel-chain-booking-websites/
  • Old Magecart Domains are Being Bought Up for Monetization https://www.riskiq.com/blog/labs/magecart-reused-domains/
• Data breach at Miami server exposes personal information on virtually every Ecuadorean https://www.chicagotribune.com/news/nationworld/sns-tns-bc-miami-ecuador-databreach-20190916-story.html
• One Arrested in Ecuador's Mega Data Leak https://www.darkreading.com/cloud/one-arrested-in-ecuadors-mega-data-leak/d/d-id/1335839
• 24.3M Unsecured Health Records Expose Patient Data, Images https://www.darkreading.com/threat-intelligence/243m-unsecured-health-records-expose-patient-data-images/d/d-id/1335835
• Lumin PDF Leak Exposed Data on 24 Million Users https://www.bankinfosecurity.com/luminpdf-leaked-exposed-data-for-243m-users-a-13100
• Lumin PDF - 15,453,048 breached accounts from April 2019 now on HIBP https://haveibeenpwned.com/PwnedWebsites#LuminPDF
• Thinkful confirms data breach days after Chegg’s $80M acquisition https://techcrunch.com/2019/09/19/thinkful-data-breach-chegg-acquisition/
• FEMA offers free credit monitoring after mishandling disaster survivor data https://www.scmagazine.com/home/security-news/data-breach/fema-offers-free-credit-monitoring-after-mishandling-disaster-survivors-data/
• UNICEF Leaks Personal Data Of 8,000 Users Via Email Blunder https://threatpost.com/unicef-leaks-personal-data-of-8000-users-via-email-blunder/148270/
• Scotiabank source code, credentials found open on GitHub https://www.itworldcanada.com/article/scotiabank-source-code-credentials-found-open-on-github-news-report/421992

Privacy

Articles about privacy related news, risks, and trends.

• Facebook suspends tens of thousands of apps in ongoing privacy investigation https://arstechnica.com/information-technology/2019/09/facebook-suspends-tens-of-thousands-of-apps-in-ongoing-privacy-investigation/
• Access Now Calls for Privacy Shield to be Struck Down https://epic.org/2019/09/access-now-calls-for-privacy-s.html
• Big Tech’s Disingenuous Push for a Federal Privacy Law https://www.eff.org/deeplinks/2019/09/big-techs-disingenuous-push-federal-privacy-law

Laws & Regulations / Standards

News about laws, regulations, and standards affecting security, privacy,  technology, and public interest.

• The FBI Tried to Plant a Backdoor in an Encrypted Phone Network -https://www.vice.com/en_us/article/pa73dz/fbi-tried-to-plant-backdoor-in-encrypted-phone-phantom-secure
• FBI Served Valve, Symantec, More National Security Letters https://gizmodo.com/fbi-served-secret-subpoenas-to-a-video-game-developer-1838291239
• Senators Urge FCC to Review Licenses for Chinese Telecoms https://www.bankinfosecurity.com/senators-urge-fcc-to-review-licenses-for-chinese-telecoms-a-13118
• After Six Years in Exile, Edward Snowden Explains Himself https://www.wired.com/story/after-six-years-in-exile-edward-snowden-explains-himself/
• EPIC Publishes First Reference Book on AI Policy https://epic.org/2019/09/epic-publishes-first-reference.html
• MITRE Publishes New List of Most Dangerous Software Weaknesses (CWE top 25) https://www.securityweek.com/mitre-publishes-new-list-most-dangerous-software-weaknesses
• NIST released Draft SP 1800-24, Securing Picture Archiving and Communication System (PACS): Cybersecurity for the Healthcare Sector, for public comment until November 18, 2019. https://csrc.nist.gov/publications/detail/sp/1800-24/draft
• A New, Faster Wi-Fi Just Officially Launched http://www.sciencealert.com/a-new-faster-wi-fi-just-officially-launched-here-s-what-you-need-to-know
• Best Buy, Staples accused of 'urging' customers to pirate TV shows with devices sold in stores https://www.cbc.ca/news/business/best-buy-staples-canada-computers-london-drugs-piracy-android-boxes-1.5283504

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• Securing the 2020 Elections From Multifarious Threats https://www.securityweek.com/securing-2020-elections-multifarious-threats
• Using Artificial Intelligence to Combat Card Fraud https://www.bankinfosecurity.com/interviews/using-artificial-intelligence-to-combat-card-fraud-i-4447
• What Skyjacking and Kidnapping Cases Can Teach Us About Responding to Ransomware Attacks https://www.tenable.com/blog/what-skyjacking-and-kidnapping-cases-can-teach-us-about-responding-to-ransomware-attacks
• You all know why you should encrypt your cloud data – now learn where and how https://www.theregister.co.uk/2019/09/16/awsencryptionwebinar/
• New types of biometrics under development, including gait, scent, heartbeat, microbiome, and butt shape https://www.schneier.com/blog/archives/2019/09/new_biometrics.html
• The Air Force Will Let Hackers Try to Hijack an Orbiting Satellite https://www.wired.com/story/air-force-defcon-satellite-hacking/
• Dynamic Searchable Encryption with Access Control https://eprint.iacr.org/2019/1038

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• The Most Common And Insecure Password Revealed—It’s Not 123456 Or Admin https://www.forbes.com/sites/daveywinder/2019/09/21/the-most-common-and-insecure-password-revealedits-not-123456-or-admin/
• Warning: Researcher Drops phpMyAdmin Zero-Day Affecting All Versions https://thehackernews.com/2019/09/phpmyadmin-csrf-exploit.html
• Windows Defender Antivirus Scans Broken After New Update https://www.bleepingcomputer.com/news/microsoft/windows-defender-antivirus-scans-broken-after-new-update/
• Clever New DDoS Attack Gets a Lot of Bang for a Hacker's Buck https://www.wired.com/story/ddos-attack-ws-discovery/
• A New Attack on RSA and Demytko's Elliptic Curve Cryptosystem https://eprint.iacr.org/2019/1050
• Congress Hears Ideas for Battling ID Theft https://www.bankinfosecurity.com/congress-hears-ideas-for-battling-id-theft-a-13094

Hacking / Malware / Cybercrime / Exploitation

News covering active trends and events.

• New Android Warning: 500M+ Users Have Installed Apps Hiding Nasty Malware https://www.forbes.com/sites/zakdoffman/2019/09/20/new-android-warning-500m-users-have-installed-apps-hiding-nasty-malwareuninstall-now/
• New TortoiseShell Group Hacks 11 IT Providers to Reach Their Customers https://www.bleepingcomputer.com/news/security/new-tortoiseshell-group-hacks-11-it-providers-to-reach-their-customers/
• New Threat Actor Fraudulently Buys Digital Certificates to Spread Malware https://threatpost.com/threat-actor-buys-digital-certs-spreads-malware/148345/
• Encrypted Sextortion PDFs https://isc.sans.edu/diary.html?storyid=25324
• Before He Spammed You, this Sly Prince Stalked Your Mailbox https://krebsonsecurity.com/2019/09/before-he-spammed-you-this-sly-prince-stalked-your-mailbox/
• Pennsylvania man allegedly used a drone to drop explosives on his ex-girlfriend’s house https://www.businessinsider.com/man-accused-of-trying-to-airstrike-girlfriends-house-with-drone-2019-9
• A Brutal Murder, a Wearable Witness, and an Unlikely Suspect https://www.wired.com/story/telltale-heart-fitbit-murder/
• Man Who Hired Deadly Swatting Gets 15 Months https://krebsonsecurity.com/2019/09/man-who-hired-deadly-swatting-gets-15-months/
• Credit Card Theft Ringleader Pleads Guilty https://www.bankinfosecurity.com/fin7-hacking-group-leader-pleads-guilty-a-13088
• US Sanctions 3 North Korean Hacking Groups https://www.bankinfosecurity.com/us-sanctions-alleged-north-korean-hacking-groups-a-13092
• Russian Hacker To Plead Guilty In JPMorgan Case https://www.pymnts.com/legal/2019/russian-hacker-pleading-guilty-in-jpmorgan-case/

Other Security / Risk

Articles covering other types of risks.

• Russian Spies ‘Breached FBI Encrypted Communications’ https://www.forbes.com/sites/daveywinder/2019/09/18/russian-spies-breach-fbi-encrypted-communications-no-backdoor-needed/ and https://www.huffpost.com/entry/exclusive-russia-carried-out-a-stunning-breach-of-fbi-communications-system-escalating-the-spy-game-on-us-soiln5d7f73dee4b077dcbd6159b1 
• Australia didn't blame China for parliament hack in case it upset trade relations https://www.theregister.co.uk/2019/09/16/australiachinaparliamenthackreport/
• Cracking Forgotten Passwords https://www.schneier.com/blog/archives/2019/09/cracking_forgot.html
• These Hacks Require Literally Sneaking in the Backdoor https://threatpost.com/these-hacks-require-literally-sneaking-in-the-backdoor/148484/
• Banks, Arbitrary Password Restrictions and Why They Don't Matter https://www.troyhunt.com/banks-arbitrary-password-restrictions-and-why-they-dont-matter/
• Medicine show: Crown Sterling demos 256-bit RSA key-cracking at private event - comments indicate it's unimpressive https://arstechnica.com/information-technology/2019/09/medicine-show-crown-sterling-demos-256-bit-rsa-key-cracking-at-private-event/ and https://www.schneier.com/blog/archives/2019/09/crownsterling\.html
• Mainframe Security Challenges: An Encroaching Perimeter https://www.bankinfosecurity.com/interviews/mainframe-security-challenges-encroaching-perimeter-i-4444
• Encrypted Smartphone Takedown Outed Canadian Mole https://www.bankinfosecurity.com/suspected-canadian-mole-may-have-used-secure-smartphone-a-13096
• Amazon Tweaks Search Algorithm To Elevate Its Own Products https://www.pymnts.com/news/ecommerce/2019/amazon-tweaks-search-algorithm-to-elevate-products/
• When Biology Becomes Software https://www.schneier.com/blog/archives/2019/09/whenbiologybe.html
• A Trial That Gene-Hacked Mosquitoes to Stop Breeding Has Backfired Spectacularly http://www.sciencealert.com/a-trial-that-gene-hacked-mosquitoes-to-stop-breeding-has-backfired-spectacularly
• Explosion at Russian Lab That Houses Smallpox Sends Internet Into Panic. But don't. http://www.sciencealert.com/explosion-at-russian-lab-that-houses-smallpox-sends-internet-into-panic and http://www.sciencealert.com/you-can-stop-freaking-out-about-the-explosion-at-that-russian-smallpox-lab
• The Problem with Failing to Admit We Don't Know https://blogs.scientificamerican.com/observations/the-problem-with-failing-to-admit-we-dont-know/
• The Use (and misuse) of Personality Tests in the Workplace https://www.nytimes.com/2019/09/01/opinion/letters/personality-tests-myers-briggs-workplace.html
• The cost of insulin has skyrocketed in the US https://www.businessinsider.com/insulin-price-increased-last-decade-chart-2019-9
• Purdue Pharma, maker of opioid painkiller OxyContin, files for bankruptcy https://globalnews.ca/news/5906653/purdue-pharma-oxycontin-bankruptcy/
• Study: Obesity associated with abnormal bowel habits — not diet https://scienmag.com/study-obesity-associated-with-abnormal-bowel-habits-not-diet/
• To address hunger, many countries may have to increase carbon footprint https://scienmag.com/to-address-hunger-many-countries-may-have-to-increase-carbon-footprint/
• A new model of the Earth's climate 50 million years ago is revealing worrisome clues about what our future could look like https://www.businessinsider.com/model-of-eocene-warming-could-improve-predictions-about-climate-change-2019-9
• Can Environmentalists Get Their Heads Wrapped Around Using Nuclear Energy? https://www.forbes.com/sites/kensilverstein/2019/09/13/can-environmentalists-get-their-heads-wrapped-around-using-nuclear-energy/

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• Dead Bodies Keep Moving For More Than a Year After Death - creepy and problematic http://www.sciencealert.com/the-writhing-dead-turns-out-human-corpses-move-around-quite-a-bit-as-they-decompose
• Astronomers find the most massive neutron known https://www.syfy.com/syfywire/record-breaker-astronomers-find-the-most-massive-neutron-known-probably-the-most-massive