This Week’s [in]Security – Issue 130 | insecurity | Control Gap

Welcome to This Week’s [in]Security. This week: Big changes coming in PCI updates to DSS, P2PE PA-DSS/SSF. First PCI SPoC solutions. New Control Gap service offerings. New Magecart tactics. Breaches: 400M medical records, DoorDash. Breach updates on Dunkin, CafePress. 69K Facebook apps suspended. NIST privacy and zero trust. GDPR and Blockchain. California's privacy law. Right to be forgotten. Forensic transparency. Cost of fraud. Malicious RDP. Blocking malicious attachments. Ransomware tools. Pen-testers redirected to FBI site. Vaccines. Quantum milestone. Trade tools. Youtube 2FA bypassed. Visualizing an APT. New widespread SIM card attack. Fighting deep-fakes. And more.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

News and announcements relating to Payment Security, Payments, PCI, and Card Brands.

• The first two SPoC solutions were listed in September https://www.pcisecuritystandards.org/assessorsandsolutions/spoc_solutions

• Control Gap is now approved for PIN audits as well as DSS, PA-DSS, P2PE, PA-P2PE, 3DS Core, and TSP:

  • DSS QSA's https://www.pcisecuritystandards.org/assessorsandsolutions/qualifiedsecurityassessors
  • PIN QPA's https://www.pcisecuritystandards.org/assessorsandsolutions/qpa_assessors
  • P2PE & PA-P2PE QSA's https://www.pcisecuritystandards.org/assessorsandsolutions/pointtopointencryptionassessors
  • PA-DSS (PA-QSA's) https://www.pcisecuritystandards.org/assessorsandsolutions/paymentapplicationassessors
  • 3DS Assessors https://www.pcisecuritystandards.org/assessorsandsolutions/3ds_assessors
  • Who is qualified to assess the PCI TSP Security Requirements? https://www.pcisecuritystandards.org/documents/FAQsforTSPRequirementsv1.pdf
• The PCI Council has updated their Vendor Release Agreement has been updated and becomes mandatory on November 1 (new listings) and January 1 (changes). All vendors of listed PCI solutions (e.g. PA-DSS, P2PE, PTS, SPoC, SSF, etc.) are required to sign it to add or change listings. https://www.pcisecuritystandards.org/documents/VendorReleaseAgreementSeptember2019_Form.docx
• Opinion: Big Changes in Store for PCI DSS v4.0, and More! https://www.datex.ca/blog/big-changes-in-store-for-pci-dss-v4.0-and-more

Breaches / Leaks

Covering breaches, leaks, data exposures, and their fallout.

• 400 Million Medical Radiological Images Exposed on the Internet https://www.bleepingcomputer.com/news/security/400-million-medical-radiological-images-exposed-on-the-internet/
• DoorDash Data Breach Impacts Personal Data of Almost 5M Users https://threatpost.com/doordash-data-breach-impacts-personal-data-of-almost-5m-users/148724/
• NY AG Sues Dunkin’ Over Data Breaches, Theft https://www.pymnts.com/legal/2019/ny-ag-sues-dunkin-over-data-breaches-theft/
• Several months after the fact, CafePress finally acknowledges huge data theft to its customers https://www.theregister.co.uk/2019/09/23/cafepressadmitsbreachtocustomers/
• 200K Sign Petition Against Equifax Data Breach Settlement https://threatpost.com/200k-sign-petition-against-equifax-data-breach-settlement/148560/
• Why do cloud leaks keep happening? Because no one has a clue how their instances are configured https://www.theregister.co.uk/2019/09/24/mcafeecloudleak_study/

Privacy

Articles about privacy related news, risks, and trends.

• EPIC to Congress: 29,000 Facebook Complaints Pending at FTC https://epic.org/2019/09/epic-to-congress-29000-faceboo.html
• NIST to Finalize Privacy Framework Soon https://www.bankinfosecurity.com/nist-to-finalize-privacy-framework-soon-a-13147
• Facebook's Purge So Far: 69,000 Apps Suspended https://www.bankinfosecurity.com/facebooks-purge-so-far-69000-apps-suspended-a-13134
• US Companies Scramble To Comply With Impending CA Privacy Law https://www.pymnts.com/news/regulation/2019/us-companies-scramble-to-comply-with-california-privacy-law/
• Here's why the 'right to be forgotten' online is tricky in Canada https://www.cbc.ca/news/technology/right-to-be-forgotten-canada-eu-court-1.5297528
• Forget erasure: why blockchain is really incompatible with the GDPR https://medium.com/berkman-klein-center/forget-erasure-why-blockchain-is-really-incompatible-with-the-gdpr-9f60374e90f3
• Google takes sole stand on privacy, rejects new rules for fear of 'authoritarian' review https://www.theregister.co.uk/2019/09/25/googleprivacywc3/
• Privacy by Design': Building Better Apps https://www.bankinfosecurity.com/interviews/privacy-by-design-building-better-apps-i-4452
• Google Calendar Privacy Concerns Raised https://www.bankinfosecurity.com/google-calendar-privacy-concerns-raised-a-13133
• Google Tightens Its Voice Assistant Rules Amid Privacy Backlash https://www.wired.com/story/google-assistant-human-transcription-privacy/
• Vimeo sued for storing faceprints of people without their say-so https://nakedsecurity.sophos.com/2019/09/26/vimeo-sued-for-storing-faceprints-of-people-without-their-say-so/
• GDPR: Only one in three businesses are compliant – here's what is holding them back https://www.zdnet.com/article/gdpr-only-one-in-three-businesses-are-compliant-heres-what-is-holding-them-back/

Laws & Regulations / Standards

News about laws, regulations, and standards affecting security, privacy,  technology, and public interest.

• NIST released draft SP 800-207, Zero Trust Architecture open for comment open until November 22, 2019 https://csrc.nist.gov/publications/detail/sp/800-207/draft
• Google wins extraterritorial 'right-to-be forgotten' fight with France https://www.cbc.ca/news/technology/google-wins-right-to-be-forgotten-fight-with-france-1.5294957
• Bill Introduced to Regulate Forensic Algorithms https://epic.org/2019/09/bill-introduced-to-regulate-fo.html
• National Institute for CyberSecurity Education eNewsletter Fall 2019 https://content.govdelivery.com/accounts/USNIST/bulletins/25fb11d
• Match knowingly puts people at risk from scammers, FTC charges https://nakedsecurity.sophos.com/2019/09/27/match-knowingly-puts-people-at-risk-from-scammers-ftc-charges/
• Microsoft is challenging a secrecy order in court - customers are entitled to know about federal data requests https://arstechnica.com/tech-policy/2019/09/microsoft-battles-feds-over-gag-orders-in-law-enforcement-data-requests/

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• Mapping the connections inside Russia's APT Ecosystem https://research.checkpoint.com/russianaptecosystem/
• As Fraud Attempts Increase, So Do the Costs of Mitigating Them http://www.digitaltransactions.net/as-fraud-attempts-increase-so-do-the-costs-of-mitigating-them/
• A journalist's tech tools https://www.nytimes.com/2019/09/25/technology/personaltech/disinformation-slack.html
• Control Gap is now formally offering a wider range of Cyber Security services https://controlgap.com/blog/control-gap-gets-cyber/
• Pay The Ransom Or Else - Two Free Ransomware Tools Can Save You https://www.forbes.com/sites/tjmccue/2019/09/23/pay-the-ransom-or-else---two-free-ransomware-malware-tools-can-save-you/
• Hit by ransomware? Victims of these four types of file-encrypting malware can now retrieve their files for free https://www.zdnet.com/article/hit-by-ransomware-victims-of-these-four-types-of-file-encrypting-malware-can-now-retrieve-their-files-for-free/
• Outlook for Web Bans 38 More File Extensions in Email Attachments https://thehackernews.com/2019/09/email-attachment-malware.html
• Quantum-Resistant Cryptography: Our Best Defense Against An Impending Quantum Apocalypse https://www.forbes.com/sites/forbestechcouncil/2019/09/25/quantum-resistant-cryptography-our-best-defense-against-an-impending-quantum-apocalypse/
• Think you can spot a phishing email? Think again https://betanews.com/2019/09/27/spotting-phishing-email/
• Bulletproof TLS Newsletter #57 Mozilla and Chrome about to enable DNS over HTTPS, vulnerabilities, CA incidents, and more https://www.feistyduck.com/bulletproof-tls-newsletter/issue57mozillaandchromeabouttoenablednsoverhttps

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• Malicious RDP Behavior Detected in 90% of Organizations https://www.infosecurity-magazine.com/news/malicious-rdp-behavior-detected/
• Four words from Cisco to strike fear into the most hardened techies: Guest account as root https://www.theregister.co.uk/2019/09/26/ciscoguestasrootvuln_patches/
• IE zero-day under active attack gets emergency patch https://arstechnica.com/information-technology/2019/09/microsoft-pushes-patch-of-ie-zeroday-thats-being-actively-exploited/
• Drilling open a smart door lock in 4 seconds https://www.pentestpartners.com/security-blog/drilling-open-a-smart-door-lock-in-4-seconds/
• Web Shells Penetration Testing https://www.hackingarticles.in/web-shells-penetration-testing/
• Bad vBulletin vBug Zero-day exploit lets miscreants hijack vulnerable web forums https://www.theregister.co.uk/2019/09/24/vbulletinvbugzeroday/
• Microsoft Released Out-of-Band Security Updates https://blog.qualys.com/laws-of-vulnerabilities/2019/09/24/microsoft-releases-out-of-band-security-updates
• Some Voting Machines Still Have Decade-Old Vulnerabilities https://www.wired.com/story/voting-village-results-hacking-decade-old-bugs/

Hacking / Malware / Cybercrime / Exploitation

News covering active trends and events.

• YouTube ‘influencers’ get 2FA tokens phished https://nakedsecurity.sophos.com/2019/09/24/youtube-influencers-get-2fa-tokens-phished/
• Researchers Disclose Another SIM Card Attack Possibly Impacting Millions https://www.securityweek.com/researchers-disclose-another-sim-card-attack-possibly-impacting-millions
• Magecart Group 5 Targets Routers Behind Public Wi-Fi Networks using L7 Protocol https://threatpost.com/magecart-group-targets-routers-behind-public-wi-fi-networks/148662/
• Stratford cyberattack costs $75K in bitcoin https://www.cbc.ca/1.5290568
• Woodstock Ontario, police targeted by ‘cyber attack’ https://www.woodstocksentinelreview.com/news/local-news/city-of-woodstock-experiencing-cyber-attack
• Urgent warning over Netflix phishing scam which empties users' bank accounts after telling them their subscription has been cancelled https://www.dailymail.co.uk/news/article-7497277/Netflix-phishing-scam-empties-Australian-users-bank-accounts-emailing-ca
• Czech Intelligence Blames China for Major Cyber Attack https://www.securityweek.com/czech-intelligence-blames-china-major-cyber-attack
• Web Attacks Focus on SQL Injection, Malware on Credentials https://www.darkreading.com/threat-intelligence/web-attacks-focus-on-sql-injection-malware-on-credentials/d/d-id/1335910
• Kaspersky: Dual-Use Dtrack Malware Linked to ATM Thefts https://www.bankinfosecurity.com/kaspersky-dual-use-dtrack-malware-linked-to-atm-thefts-a-13144
• Attackers Are Targeting IT Service Providers https://blog.isc2.org/isc2_blog/2019/09/attackers-are-targeting-it-service-providers.html
• Ineffective Package Tracking Facilitates Fraud https://www.schneier.com/blog/archives/2019/09/ineffective_pac.html
• Krebs: Interview With the Guy Who Tried to Frame Me for Heroin Possession https://krebsonsecurity.com/2019/09/interview-with-the-guy-who-tried-to-frame-me-for-heroin-possession/

Other Security / Risk

Articles covering other types of risks.

• Google may have just passed the Quantum Supremacy milestone but it isn’t a practical application https://www.wired.com/story/why-googles-quantum-computing-victory-is-a-huge-deal-and-a-letdown/
• Google's war on deepfakes: As election looms, it shares ton of AI-faked videos https://www.zdnet.com/article/googles-war-on-deepfakes-as-election-looms-it-shares-ton-of-ai-faked-videos/
• AT&T redirected bug bounty pen-test payloads to the FBI's Tips portal https://www.zdnet.com/article/at-t-redirected-pen-test-payloads-to-the-fbis-tips-portal/
• Toronto approves strategy to combat anti-vaccination as parents accuse city of 'genocide' https://www.cbc.ca/news/canada/toronto/vaccination-hesitancy-report-vote-1.5294186
• Oprah Suffered A Vaccine-Preventable Illness. Now She's Promoting Vaccines https://www.forbes.com/sites/ninashapiro/2019/09/24/oprah-suffered-a-vaccine-preventable-illness-now-shes-promoting-vaccines/
• NASA to develop mission to search for near-Earth asteroids https://spacenews.com/nasa-to-develop-mission-to-search-for-near-earth-asteroids/
• This Summer's Asteroid Near-Miss Helped Greenlight NASA's NEOCam Mission to Search the Skies for Killer Spacerocks https://www.universetoday.com/143527/this-summers-asteroid-near-miss-helped-greenlight-nasas-neocam-mission-to-search-the-skies-for-killer-spacerocks/
• New report on the 737 Max blames 'inexperienced pilots' and low-cost airlines https://www.businessinsider.com/737-max-blame-inexperienced-pilots-boeing-nyt-report-2019-9
• Canadians' trust in science falling, poll suggests https://www.cbc.ca/news/technology/science-survey-1.5291291
• Russian Secret Weapon Against U.S. 2020 Election Revealed In New Cyberwarfare Report https://www.forbes.com/sites/zakdoffman/2019/09/24/new-cyberwarfare-report-unveils-russias-secret-weapon-against-us-2020-election/
• France Outlines Its Approach to Cyberwar https://www.schneier.com/blog/archives/2019/09/france_outlines.html
• Researchers Want to Ditch the Motherboard https://www.tomshardware.com/news/researchers-kill-motherboard-silicon-interconnect-fabric,40475.html
• Hurricane Lorenzo Is The Strongest Hurricane On Record In The Eastern Atlantic Ocean https://www.forbes.com/sites/dennismersereau/2019/09/27/hurricane-lorenzo-is-the-strongest-hurricane-on-record-in-the-eastern-atlantic-ocean/

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• A new way to turn heat into energy https://phys.org/news/2019-09-energy.html
• Planet Nine: How we’ll find the Solar System's missing planet https://www.sciencefocus.com/space/planet-nine-how-well-find-the-solar-systems-missing-planet/
• New 'space plane' promises UK-Australia in 4 hours https://www.cnn.com/travel/article/hypersonic-flight-air-breathing-rocket-scli-intl-gbr-scn/index.html
• Two Linguists Use Their Skills to Inspect (the structure not the content) 21,739 Trump Tweets https://www.scientificamerican.com/article/two-linguists-use-their-skills-to-inspect-21-739-trump-tweets/
• Scientists Are Starting to Take Warp Drives Seriously, Especially One Specific Concept http://www.sciencealert.com/how-feasible-is-a-warp-drive-here-s-the-science
• Extra-solar comet "2I/Borisov", only the second interstellar object we've spotted https://www.independent.co.uk/life-style/gadgets-and-tech/news/interstellar-comet-object-alien-solar-system-a9119581.html