This Week’s [in]Security – Issue 131 | insecurity | Control Gap

Welcome to This Week’s [in]Security. This week: PCI SSF Program Opens. Breaches: word games, fragrance, Russians, more Russians, zendesk, millions of Brazilians, lessons learned. Privacy lawsuits, Amazon tracking, facial db. Backdoors and law enforcement. EU cookies. EU extraterritorial win. NIST Manufacturing and IoT. Distrusting sketchy SSDs. Protecting Azure keys. Ransomware outbreaks and lessons. CPEs. Embedded vulnerabilities hit medical devices and more. PDF trickery. Two bullet proof hosts taken down. Nations abusing Play Store. Almost quantum tech. Disruption and adversarial interoperability. Voting hack. Evacuation orders. Anti-trust vs. open standard. And more.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

News and announcements relating to Payment Security, Payments, PCI, and Card Brands.

• PCI Software Security Framework program is now open for assessors to apply https://blog.pcisecuritystandards.org/new-assessor-opportunity-pci-software-security-framework and https://www.pcisecuritystandards.org/aboutus/pressreleases/pr_10022019
• Independent ATM providers suit against Visa and Mastercard resumes https://www.mobilepaymentstoday.com/news/atm-suit-against-visa-mastercard-resumes/

Breaches / Leaks

Covering breaches, leaks, data exposures, and their fallout.

• Theft of Over 218 Million Zynga 'Words with Friends' Gamers Data https://thehackernews.com/2019/09/zynga-game-hacking.html
• Records of 92 Million Brazilians For Sale To Highest Bidder https://www.forbes.com/sites/daveywinder/2019/10/06/a-government-database-of-92-million-citizen-records-for-sale-to-highest-bidder/
• What's that smell? Perfume merchant Fragrance Direct senses the scent of a digital burglary https://www.theregister.co.uk/2019/09/27/onlineperfumemerchant_hacked/
• Comodo Forums Breached, Data of Over 170,000 Users Up for Grabs https://www.bleepingcomputer.com/news/security/comodo-forums-breached-data-of-over-170-000-users-up-for-grabs/
• Zendesk discloses 2016 data breach https://www.zdnet.com/article/zendesk-discloses-2016-data-breach/
• 20 million personal tax records for Russian citizens exposed online https://www.comparitech.com/blog/vpn-privacy/russian-tax-records-exposed-online/
• Russia’s Sberbank Investigating Potential 60M Credit Card Leak https://www.pymnts.com/news/security-and-risk/2019/russias-sberbank-investigating-client-data-leak/
• The breach page of the privacy rights clearing house just posted a batch of recently disclosed breaches, mostly healthcare https://www.privacyrights.org/data-breaches?title=&taxonomyvocabulary11_tid%5B%5D=2439
• Wanelo - 23,165,793 breached accounts added to HIBP https://haveibeenpwned.com/PwnedWebsites#Wanelo
• Zynga's Breach Notification: How Not to Inform Victims https://www.bankinfosecurity.com/blogs/zyngas-breach-notification-how-to-inform-victims-p-2796
• Six in 10 Global Firms Hit by a Data Breach https://www.infosecurity-magazine.com/news/six-in-10-global-firms-hit-by-a/
• ANU incident report on massive data breach is a must-read https://www.zdnet.com/article/anu-incident-report-on-massive-data-breach-a-must-read/

Privacy

Articles about privacy related news, risks, and trends.

• Lawsuit Against Google by iPhone Users for Gets Green Light From London Court https://www.pymnts.com/legal/2019/lawsuit-against-google-gets-green-light-from-london-court/ and https://www.thesun.co.uk/tech/10057178/iphone-users-google-compensation-data/
• How to Set Your Google Data to Self-Destruct https://www.nytimes.com/2019/10/02/technology/personaltech/google-data-self-destruct-privacy.html
• Privacy Allies File Amicus Briefs in Support of EFF’s Jewel v. NSA Case https://www.eff.org/deeplinks/2019/10/privacy-allies-file-amicus-briefs-support-effs-jewel-v-nsa-case
• Amazon may soon be able to track your phone’s location even if you don’t use any of its products or services https://www.businessinsider.com/amazon-may-soon-be-able-to-track-your-phone-location-2019-9
• Plan for massive facial recognition database sparks privacy concerns https://www.theguardian.com/technology/2019/sep/29/plan-for-massive-facial-recognition-database-sparks-privacy-concerns
• Amazon promotes 'extremely creepy' security cameras that can be easily hacked to spy on you https://www.independent.co.uk/life-style/gadgets-and-tech/news/amazon-security-camera-hack-privacy-which-a9127501.html
• StatsCan hired PR firm to prevent 'reputational damage' after outcry over plan to gather banking records https://www.cbc.ca/news/politics/statistics-canada-hires-pr-firm-1.5298092

Laws & Regulations / Standards

News about laws, regulations, and standards affecting security, privacy,  technology, and public interest.

• New WhatsApp And Facebook Encryption ‘Backdoors’—What’s Really Going On https://www.forbes.com/sites/zakdoffman/2019/09/29/whatsapp-backdoorwill-facebook-be-forced-to-break-message-encryption-as-reported/
• Facebook will have to give UK police access to encrypted messages https://www.cnet.com/news/facebook-will-have-to-give-uk-police-access-to-encrypted-messages-report-says/
• US and UK Sign Law Enforcement Data Access Agreement http://epic.org/2019/10/us-and-uk-sign-law-enforcement.html
• Attorney General William Barr will ask Facebook to delay its plans for a fully encrypted, auto-deleting messaging platform (FB) https://www.businessinsider.com/facebook-messaging-justice-department-mark-zuckerberg-william-barr-2019-10
• PSD2 Authentication Deadline Needs to Be Firmed Up - Now https://www.bankinfosecurity.com/blogs/psd2-authentication-deadline-needs-to-be-firmed-up-now-p-2794
• COMMENTARY: ‘Fake news’ is a concern, but Ottawa’s prohibition goes too far https://globalnews.ca/news/5963471/rob-breakenridge-on-fake-news/
• Court Upholds Net Neutrality Repeal, With Some Caveats https://www.nytimes.com/2019/10/01/technology/net-neutrality-repeal-broadband.html
• Users Need to Consent to Online Tracking Cookies: EU Court https://www.securityweek.com/users-need-consent-online-tracking-cookies-eu-court
• Facebook Can Be Forced to Delete Content Worldwide, E.U.’s Top Court Rules https://www.nytimes.com/2019/10/03/technology/facebook-europe.html
• Senate Passes Ransomware Law https://www.infosecurity-magazine.com/news/senate-passes-ransomware-law/
• Google is the target of an anti-trust investigation happening over an open standard - DNS over HTTPS (DoH) https://www.engadget.com/2019/09/29/congress-doj-scrutinze-google-encrypted-dns/ and https://www.pymnts.com/google/2019/antitrust-investigators-question-googles-plans-for-new-internet-protocol/
• New Google Chrome Settings Start Now, Impacting​ Millions—U.S. Lawmakers Are Worried https://www.forbes.com/sites/zakdoffman/2019/09/30/googles-new-chrome-privacy-setting-starts-nowimpacting-millions-and-worrying-lawmakers/
• 40 Companies Hit With Subpoenas After MyPayrollHR Scandal https://www.pymnts.com/news/b2b-payments/2019/new-york-considers-payroll-licenses-amid-mypayrollhr-scandal/
• OPP opens centre for cyber operations https://globalnews.ca/news/5970566/opp-cyber-operations-centre/
• NIST release an implementation guide for the CyberSecurity Framework (CSF) Manufacturing Profile Low Impact Level NISTIR 8183A (3 volumes) https://csrc.nist.gov/publications/detail/nistir/8183a/vol-1/final, https://csrc.nist.gov/publications/detail/nistir/8183a/vol-2/final, and https://csrc.nist.gov/publications/detail/nistir/8183a/vol-3/final. For more info on CSF Manufacturing Profile https://csrc.nist.gov/publications/detail/nistir/8183/final
• NIST draft NISTIR 8267, Security Review of Consumer Home Internet of Things (IoT) Products is availble for comments until November 1st. https://csrc.nist.gov/publications/detail/nistir/8267/draft
• Americans Have 365 Days To Get A New, Enhanced ID If They Want To Board An Airline Flight https://www.forbes.com/sites/danielreed/2019/10/02/youve-got-365-days-to-get-a-new-different-better-id-if-you-want-to-board-a-flight-and-go-somewhere/

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• Cloudflare adds VPN like features to 1.1.1.1 privacy app, goes beyond DoH/DoT https://nakedsecurity.sophos.com/2019/10/01/cloudflare-adds-vpn-features-to-1-1-1-1-privacy-app/
• Windows 10’s BitLocker Encryption No Longer Trusts Your SSD's sketchy encryption https://www.howtogeek.com/442114/windows-10s-bitlocker-encryption-no-longer-trusts-your-ssd/
• Google Confirms Password Security Update For 1 Billion Users https://www.forbes.com/sites/daveywinder/2019/10/02/google-confirms-password-security-update-for-1-billion-users/
• Identifying & Exploiting Leaked Azure Storage Keys https://www.notsosecure.com/identifying-exploiting-leaked-azure-storage-keys/
• Measuring the Security of IoT Devices https://www.schneier.com/blog/archives/2019/10/measuringthes.html
• Baltimore Ransomware Carnage Compounded by Local Storage https://www.bankinfosecurity.com/blogs/baltimore-ransomware-carnage-compounded-by-local-storage-p-2795
• U.S. Steps Up Scrutiny of Airplane Cybersecurity https://www.wsj.com/articles/u-s-government-steps-up-scrutiny-of-airplane-cybersecurity-11569764123
• Toronto Pearson Airport to use AI-powered technology to detect weapons https://globalnews.ca/news/5978954/toronto-pearson-airport-ai-technology/
• 8 Microsegmentation Pitfalls to Avoid https://www.darkreading.com/8-microsegmentation-pitfalls-to-avoid/d/d-id/1335936
• A Diffie-Hellman quantum session key establishment protocol without entanglement https://eprint.iacr.org/2019/1118
• Sapphire: A Configurable Crypto-Processor for Post-Quantum Lattice-based Protocols (Extended Version) https://eprint.iacr.org/2019/1140
• Pay What You Wish — 9 Hacking Certification Training Courses in 1 Bundle https://thehackernews.com/2019/09/learn-hacking-course-certification.html
• CPE opportunities at UoT School of Continuing Studies:
• IT Risk Management & Cybersecurity based on the new COBIT 2019 https://learn.utoronto.ca/programs-courses/courses/3373-enterprise-it-risk-management-cyber-security
• Privacy Management Certificate based on COBIT https://learn.utoronto.ca/programs-courses/certificates/privacy-management-digital-enterprise

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• GAO Raises Concerns About Power Grid Vulnerabilities https://www.bankinfosecurity.com/gao-raises-concerns-about-power-grid-vulnerabilities-a-13157
• Open Document format creates twist in maldoc landscape https://blog.talosintelligence.com/2019/09/odt-malware-twist.html
• Decades-Old Code Is Putting Millions of Critical Embeded Devices at Risk (an old widely licensed TCP/IP stack by Interpeak called IPnet, the suite of bugs is known as Urgent/11) https://www.wired.com/story/urgent-11-ipnet-vulnerable-devices/
• FDA Issues Alert on Medical Device IPnet Vulnerabilities https://www.bankinfosecurity.com/fda-issues-alert-on-medical-device-ipnet-vulnerabilities-a-13164
• Attack against PDF standard opens encryption and signatures to exfiltration and forgery https://threatpost.com/hack-breaks-pdf-encryption/148834/
• Exim suffers another ‘critical’ remote code execution flaw https://nakedsecurity.sophos.com/2019/10/02/exim-suffers-another-critical-remote-code-execution-flaw/
• New WhatsApp Warning: Security Flaw Confirmed—1 Billion Users Told Update Apps Now https://www.forbes.com/sites/zakdoffman/2019/10/03/new-whatsapp-warning-security-flaw-confirmed1-billion-users-told-update-apps-now/
• New Bug Found in NSA’s Ghidra Tool https://threatpost.com/bug-in-nsas-ghidra/148787/
• Professionally made malicious lightning cable now available https://mobilesyrup.com/2019/09/30/lightning-cable-omg-hack-computers/

Hacking / Malware / Cybercrime / Exploitation

News covering active trends and events.

• German Cops Raid “Cyberbunker 2.0,” Arrest 7 in Child Porn, Dark Web Market Sting https://krebsonsecurity.com/2019/09/german-cops-raid-cyberbunker-2-0-arrest-7-in-child-porn-dark-web-market-sting/ and https://arstechnica.com/information-technology/2019/09/german-police-seize-bulletproof-hosting-data-center-in-former-nato-bunker/
• Huygens if true: Dutch police break up bulletproof hosting outfit and kill Mirai botnet https://www.theregister.co.uk/2019/10/03/dutchcopsbust_mirai/
• Masad Spyware Uses Telegram Bots for Command-and-Control https://threatpost.com/masad-spyware-telegram-bots/148759/
• eGobbler Malvertising Attack Hijacks 1B+ Sessions With Webkit Exploit https://threatpost.com/malvertising-attack-hijacks-1b-sessions-with-webkit-exploit/148795/
• Virus Bulletin 2019: Geost Android Botnet Goes After Millions of Euros https://threatpost.com/virus-bulletin-geost-android-botnet/148864/
• Researchers Link Magecart Group 4 to Cobalt Group https://www.darkreading.com/vulnerabilities---threats/researchers-link-magecart-group-4-to-cobalt-group/d/d-id/1335990
• Defence Construction Canada hit by cyber attack – corporation’s team trying to restore full IT capability https://nationalpost.com/news/national/defence-watch/defence-construction-canada-hit-by-cyber-attack-corporations-team-trying-to-restore-full-it-capability/wcm/c501f437-4f80-47f9-96df-4b9201cfd350
• Hearing Aid Giant Warns of $95m in Ransomware Losses https://www.infosecurity-magazine.com/news/hearing-aid-giant-warns-95m/
• Two Southwestern Ontario hospitals hit by cyber attack https://www.woodstocksentinelreview.com/news/local-news/two-southwestern-ontario-hospitals-hit-by-cyber-attack
• U.S. and Australian Hospitals Targeted by New Ransomware Attacks https://www.bleepingcomputer.com/news/security/us-and-australian-hospitals-targeted-by-new-ransomware-attacks/ and https://arstechnica.com/information-technology/2019/10/hamstrung-by-ransomware-10-hospitals-are-turning-away-some-patients/
• International technologies company in Strathroy, Ontario suffers cyberattack https://globalnews.ca/news/5975158/strathroy-cyberattack/
• Kaspersky finds Uzbekistan hacking op… because group used Kaspersky AV https://arstechnica.com/information-technology/2019/10/kaspersky-finds-uzbekistan-hacking-opbecause-they-used-kaspersky-av/
• Airbus Says Taking 'Appropriate Measures' Against Hackers https://www.securityweek.com/airbus-says-taking-appropriate-measures-against-hackers
• Asics apologises for porn playing for hours above Auckland store https://www.bbc.co.uk/news/world-asia-49874967
• Limerick student tricks scammer to give him money https://www.bbc.co.uk/news/world-europe-49871448
• Canada Revenue Agency scam resurfaces in Barrie area https://globalnews.ca/news/5969600/cra-scam-barrie/
• Millennials Impacted By Fraud More Than Older Consumers https://www.pymnts.com/news/security-and-risk/2019/millennials-impacted-by-fraud-more-than-older-consumers/
• Guilty Pleas in $29 Million Online Ad Fraud Case https://www.bankinfosecurity.com/guilty-pleas-in-29-million-online-ad-fraud-case-a-13156
• Ex-Yahoo engineer hacked accounts seeking pornography https://www.bbc.co.uk/news/technology-49892760
• Former Army Contractor Gets Prison Term for Insider Attack https://www.bankinfosecurity.com/former-army-contractor-gets-prison-term-for-insider-attack-a-13160
• Mariposa Botnet Author, Darkcode Crime Forum Admin Arrested in Germany https://krebsonsecurity.com/2019/10/mariposa-botnet-author-darkcode-crime-forum-admin-arrested-in-germany/
• Another nuclear scientist caught mining cryptocurrency using classified lab supercomputers https://www.independent.co.uk/life-style/gadgets-and-tech/news/bitcoin-mining-russia-nuclear-scientists-cryptocurrency-a9129636.html

Other Security / Risk

Articles covering other types of risks.

• NSA on the Future of National Cybersecurity https://www.schneier.com/blog/archives/2019/10/nsaonthe_futu.html
• Supply-Chain Security and Trust https://www.schneier.com/blog/archives/2019/09/supply-chainse1.html
• Windows 10 users fume: Microsoft, where's our 'local account' option gone? https://www.zdnet.com/article/windows-10-users-fume-microsoft-wheres-our-local-account-option-gone/
• Harvesting Attacks' & the Quantum Revolution https://www.darkreading.com/vulnerabilities---threats/harvesting-attacks-and-the-quantum-revolution/a/d-id/1335870
• Almost quantum, This New Chip Could Bridge The Gap Between Classical And Quantum Computing https://www.sciencealert.com/new-chip-promises-to-bridge-the-gap-between-classical-and-quantum-computing
• Beyond quantum supremacy: the hunt for useful quantum computers https://www.nature.com/articles/d41586-019-02936-3
• Fascinating article on Adversarial Interoperability and its disruptive effects for good and bad https://www.eff.org/deeplinks/2019/10/adversarial-interoperability
• FBI called in to investigate 2018 Mountain State mobile voting system hacking https://www.theregister.co.uk/2019/10/02/westvirginiaelection_hacking/
• Researchers trying to prevent a repeat of 2016's election misinformation in 2020 are struggling thanks to a lack of data from Facebook https://www.businessinsider.com/researchers-struggle-to-study-disinformation-lack-of-data-from-facebook-2019-9
• Egypt used Google Play in spy campaign targeting its own citizens https://arstechnica.com/information-technology/2019/10/egypt-used-google-play-in-spy-campaign-targeting-its-own-citizens-researchers-say/
• Mate 30 Pro loses access to Google apps after researcher exposes installation backdoor https://bgr.com/2019/10/02/mate-30-pro-google-apps-unavailable-installation-backdoor-discovered/
• New Google Warning: 280M+ Android Users At Risk As China ‘Manipulates’ Play Store https://www.forbes.com/sites/zakdoffman/2019/10/02/new-google-play-warning-280m-users-at-risk-as-china-manipulates-top-vpns/
• Bitcoin mining mega farm burns down in China, destroying $10m of cryptocurrency machines https://www.independent.co.uk/life-style/gadgets-and-tech/news/bitcoin-mining-farm-china-fire-cryptocurrency-innosilicon-a9128246.html
• Conundrum: Why People Do Not Listen to Evacuation Orders https://www.scientificamerican.com/article/conundrum-why-people-do-not-listen-to-evacuation-orders/
• How To Tell If You Can Trust Online Health (Or Any) Information Comes Down To Knowing The Difference Between Influencers And Experts https://www.forbes.com/sites/jesscording/2019/09/26/trusting-online-health-information/
• 315 billion-tonne iceberg breaks off Antarctica https://www.bbc.co.uk/news/science-environment-49885450
• Net-Zero Carbon Dioxide Emissions By 2050 Requires A New Nuclear Power Plant Every Day https://www.forbes.com/sites/rogerpielke/2019/09/30/net-zero-carbon-dioxide-emissions-by-2050-requires-a-new-nuclear-power-plant-every-day/
• Uptick of Canadians hit with 5-year bans at U.S. borders called a 'troubling trend' https://www.cbc.ca/news/canada/british-columbia/increase-bans-canada-us-border-1.5300708
• Albertans with distracted driving tickets are finding it hard to get car insurance https://www.cbc.ca/news/canada/edmonton/distracted-driving-tickets-insurance-1.5289746
• HMRC 'disciplined' almost 100 employees for computer misuse over 24 months https://www.theregister.co.uk/2019/10/01/hmrcdisciplinedalmost100employeesforcomputermisuseover24months/
• Canadians are amongst the best winter drivers on the planet, yet a nice summer and we all seem to forget how to drive in the snow …. Calgary police urge drivers to be cautious after overnight snowfall results in crashes https://globalnews.ca/news/5964884/calgary-september-snow-crashes-ice-roads/
• Second World War-era B-17 bomber crashes with at least 7 reported dead https://www.ctvnews.ca/world/world-war-ii-era-bomber-crashes-at-least-7-reported-dead-1.4620409

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• Why engineers in Alberta think they've found a way for the oilsands to produce clean fuel https://www.cbc.ca/news/business/alberta-hydrogen-innovation-1.5290297
• Aluminum Organic Batteries - a new concept could make more environmentally friendly batteries possible https://scienmag.com/a-new-concept-could-make-more-environmentally-friendly-batteries-possible/
• Natural Carbon Sequestration - New research puts Australia at forefront of blue carbon economy https://scienmag.com/new-research-puts-australia-at-forefront-of-blue-carbon-economy/
• Eco-friendly electrochemical catalysts using solar cells to harvest energy from the sun https://scienmag.com/eco-friendly-electrochemical-catalysts-using-solar-cells-to-harvest-energy-from-the-sun/
• New Simulation Shows Superconductivity Could Be Turned On And Off in Some Materials http://www.sciencealert.com/after-decades-of-research-a-maths-model-unlocks-more-of-superconductivity-s-secrets
• Type 2 Diabetes Can Be Reversed Even Without Intensive Weight Loss http://www.sciencealert.com/type-2-diabetes-can-be-reversed-even-without-intensive-weight-loss-research-shows
• Earth's Magnetic Poles Could Flip More Frequently Than We Previously Thought http://www.sciencealert.com/earth-s-magnetic-poles-could-flip-more-frequently-than-we-previously-thought
• What's really going on inside an insect-munching venus flytrap https://www.businessinsider.com/whats-inside-a-venus-flytrap-2019-9
• A Fun New Paper Says Planet 9 Could Actually Be a Primordial Black Hole http://www.sciencealert.com/planet-9-could-be-an-ancient-black-hole-says-new-study
• Turns Out The Megalodon Shark Ain't THAT Big https://www.forbes.com/sites/melissacristinamarquez/2019/10/02/turns-out-the-megalodon-shark-aint-that-big/
• Spitting Image show plots return to TV after 23 years https://www.bbc.co.uk/news/entertainment-arts-49865406