This Week’s [in]Security – Issue 133 | insecurity | Control Gap

Welcome to This Week’s [in]Security. This week: PCI more flexibility and staying ahead of threats. PCI and AWS. More Magecart. Carders take down carders. Mining social media. Canada Post resetting compromised passwords. ISO Privacy. China requiring facial scans for Internet access. Hiring Catch-22. Canada considering digital currency. MS Advanced Tamper Protection. Expanded bug bounties. Lots of patches. Biometric fails. More ransomware. IoT commodes - really. Bugs in cross platform code cause havoc. Playing with Trolls. Amazon says bye bye Larry. New Math. First all female spacewalk. And More.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

News and announcements relating to Payment Security, Payments, PCI, and Card Brands.

• PCI's new security ethos: Stay ahead of threats, don't just react https://www.paymentssource.com/news/pcis-new-security-ethos-stay-ahead-of-threats-dont-just-react
• The PCI Council Plans More Rule Flexibility As It Eyes a Major Revision of Its Flagship Standard https://www.digitaltransactions.net/the-pci-council-plans-more-rule-flexibility-as-it-eyes-a-major-revision-of-its-flagship-standard/
• PCI for AWS https://aws.amazon.com/quickstart/architecture/compliance-pci/
• PCI DSS in Practice Case Study: Braspag https://blog.pcisecuritystandards.org/pci-dss-in-practice-case-study-braspag
• Magecart Attacks Alive and Well as Recent Wave Hits High-End Retailers https://www.cpomagazine.com/cyber-security/magecart-attacks-alive-and-well-as-recent-wave-hits-high-end-retailers/
• “BriansClub” Hack Rescues 26M Stolen Cards https://krebsonsecurity.com/2019/10/briansclub-hack-rescues-26m-stolen-cards/
• When Card Shops Play Dirty, Consumers Win https://krebsonsecurity.com/2019/10/when-card-shops-play-dirty-consumers-win/
• Social media a goldmine for credit card and online payment fraud https://vancouversun.com/news/local-news/social-media-a-goldmine-for-credit-card-and-online-payment-fraud-investigator
• We asked a hacker to try and steal a CNN tech reporter's data. Here's what happened https://www.cnn.com/2019/10/18/tech/reporter-hack/index.html

Breaches / Leaks

Covering breaches, leaks, data exposures, and their fallout.

• Canada Post resetting customer passwords over possibility personal info was compromised elsewhere (credential stuffing) https://globalnews.ca/news/6046334/canada-post-passwords/

Privacy

Articles about privacy related news, risks, and trends.

• Analysis: New ISO Privacy Standard https://www.bankinfosecurity.com/interviews/analysis-new-iso-privacy-standard-i-4476
• How ultrasonic tracking apps may be listening to you and how to block them https://www.comparitech.com/blog/information-security/block-ultrasonic-tracking-apps/
• Unencrypted Mobile Traffic on Tor Network Leaks PII https://threatpost.com/unencrypted-mobile-traffic-tor-network-leaks-pii/149200/
• Huawei surveillance systems with facial recognition watch citizens in 50 countries https://www.cbc.ca/news/technology/chinese-snooping-tech-1.5322428
• Consumer Financil Records - Nonpublic Personal Information https://privacyrights.org/definitions/nonpublic-personal-information

Laws & Regulations / Standards

News about laws, regulations, and standards affecting security, privacy,  technology, and public interest.

• Starting December 1st, China's new MLPS 2.0 cybersecurity laws will require submission of a facial scan to receive internet access https://www.privateinternetaccess.com/blog/2019/10/starting-december-1st-chinas-new-mlps-2-0-cybersecurity-laws-will-require
• Will Canada weaken encryption with backdoors? https://www.macleans.ca/opinion/will-canada-weaken-encryption-with-backdoors/
• Snowden - Without encryption we will lose all privacy. This is our new battleground https://www.theguardian.com/commentisfree/2019/oct/15/encryption-lose-privacy-us-uk-australia-facebook
• NIST has released a second public draft of NIST Special Publication (SP) 800-189, Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation for comment until November 15, 2019. Publication details: https://csrc.nist.gov/publications/detail/sp/800-189/draft
• This seems like a legal hiring practice/human rights Catch-22 - clearly a company can't hire someone not legally able to work in the country but if they make and rescind an offer based on a candidates misrepresentation then they're guilty of discrimination https://business.financialpost.com/opinion/ontario-human-rights-tribunal-orders-employer-to-pay-120000-in-damages-to-worker-it-didnt-even-hire
• Bank of Canada exploring digital currency that could share information with police, tax authorities https://thelogic.co/news/exclusive/bank-of-canada-exploring-digital-currency-that-could-share-information-with-police-tax-authorities/
• Trump’s Huawei Ban Rejected By New Ruling In Germany https://www.forbes.com/sites/zakdoffman/2019/10/15/trumps-huawei-ban-rejected-by-surprise-new-report/

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• Microsoft Announces Important Security Update For All Windows 10 Users - Defender Advanced Tamper Protection is generally available https://www.forbes.com/sites/daveywinder/2019/10/15/microsoft-announces-windows-10-security-update-for-800-million-users/
• Germany's cyber-security agency recommends Firefox as most secure browser https://www.zdnet.com/article/germanys-cyber-security-agency-recommends-firefox-as-most-secure-browser/
• Improved Security and Privacy Indicators in Firefox 70 https://blog.mozilla.org/security/2019/10/15/improved-security-and-privacy-indicators-in-firefox-70/
• Using Machine Learning to Detect IP Hijacking https://www.schneier.com/blog/archives/2019/10/usingmachinel_1.html
• Facebook Now Pays Hackers for Reporting Security Bugs in 3rd-Party Apps https://thehackernews.com/2019/10/facebook-apps-bug-bounty.html
• Microsoft Tackles Election Security with Bug Bounties https://threatpost.com/microsoft-election-security-bug-bounties/149347/
• Cryptography without using secret keys - unclonable keys https://phys.org/news/2019-10-cryptography-secret-keys.html
• On the Efficiency of Software Implementations of Lightweight Block Ciphers from the Perspective of Programming Languages https://eprint.iacr.org/2019/1218

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• Cisco: These Wi-Fi access points are easily owned by remote hackers, so patch now https://www.zdnet.com/article/cisco-these-wi-fi-access-points-are-easily-owned-by-remote-hackers-so-patch-now/
• Security researcher publishes proof-of-concept code for recent Android zero-day https://www.zdnet.com/article/security-researcher-publishes-proof-of-concept-code-for-recent-android-zero-day/
• Nitro PDF Pro to Get Micropatches for 7 Potential RCE Bugs https://www.bleepingcomputer.com/news/security/nitro-pdf-pro-to-get-micropatches-for-7-potential-rce-bugs/
• Sudo Flaw Lets Linux Users Run Commands As Root Even When They're Restricted https://thehackernews.com/2019/10/linux-sudo-run-as-root-flaw.html
• Adobe Patches Over 80 Vulnerabilities in Three Products https://www.securityweek.com/adobe-patches-over-80-vulnerabilities-three-products and https://thehackernews.com/2019/10/adobe-software-patches.html
• Google’s Pixel 4 face unlock has one major privacy weakness https://www.theverge.com/2019/10/17/20919390/google-pixel-4-face-unlock-eyes-closed-privacy-eye-contact
• Galaxy S10 Fingerprint Sensor Thwarted With 3rd Party Silicon Screen Protector https://threatpost.com/galaxy-s10-fingerprint-sensor-thwarted-with-screen-protector-report/149197/
• Samsung Is Warning Customers To Erase All Their Fingerprints On These 5 Models https://www.narcity.com/news/ca/samsung-fingerprint-defect-means-anyone-could-access-your-phone
• Friendly reminder: Fingerprints (biometrics alone are a bad way to secure your phone https://www.androidauthority.com/fingerprints-insecure-phone-1043477/
• Real-Time Data Takes On Magnitude Of Supply Chain Risks https://www.pymnts.com/news/b2b-payments/2019/real-time-data-supply-chain-risk-logistics-analytics/
• GPU-Accelerated Branch-and-Bound Algorithm for Differential Cluster Search of Block Ciphers https://eprint.iacr.org/2019/1216
• Factoring 2048-bit Numbers Using 20 Million Qubits https://www.schneier.com/blog/archives/2019/10/factoring_2048-.html

Hacking / Malware / Cybercrime / Exploitation

News covering active trends and events.

• 71% of Canadian Organizations Were Impacted By A Cyber-Attack Last Year https://www.datex.ca/blog/71-of-canadian-organizations-were-impacted-by-a-cyber-attack-last-year
• WAV audio files are now being used to hide malicious code https://www.zdnet.com/article/wav-audio-files-are-now-being-used-to-hide-malicious-code/
• How a Bitcoin trail helped bust a graphic child exploitation website https://www.cnn.com/2019/10/19/asia/south-korea-child-exploitation-international-police-intl-hnk/index.html
• M6, one of France's biggest TV channels, hit by ransomware https://www.zdnet.com/article/m6-one-of-frances-biggest-tv-channels-hit-by-ransomware/
• Major Airport Malware Attack Shines a Light on Operations Security https://threatpost.com/major-airport-malware-attack-ot-security/149330/
• Pitney Bowes Hit with Ransomware Attack https://threatpost.com/pitney-bowes-hit-with-ransomware-attack/149156/
• Definite uptick': Global wave of ransomware attacks hitting Canadian organizations https://www.cbc.ca/news/technology/more-ransomware-canada-1.5317871
• Warning: Russian Hackers Break Into European Embassy In Washington https://www.forbes.com/sites/thomasbrewster/2019/10/17/russian-hackers-breach-european-embassy-in-washington/
• Iranian Hackers Create Credible Phishing to Steal University/Research Library Access https://www.bleepingcomputer.com/news/security/iranian-hackers-create-credible-phishing-to-steal-library-access/
• We Have No Reason to Believe 5G Is Safe https://blogs.scientificamerican.com/observations/we-have-no-reason-to-believe-5g-is-safe/

Other Security / Risk

Articles covering other types of risks.

• Has it really come to this?! 1 in 5 IT security professionals fear their connected toilets will be hacked https://www.zdnet.com/article/1-in-5-it-professionals-fear-their-connected-toilets-will-be-hacked/ and yes it's actually a thing - ​LG Uplus launches IoT for bathrooms with Wi-Fi bidet toilet https://www.zdnet.com/article/lg-uplus-launches-iot-for-bathrooms-with-wi-fi-bidet-toilet/
• Researchers find bug in Python script may have affected hundreds of studies - no so cross-platform software https://arstechnica.com/information-technology/2019/10/chemists-discover-cross-platform-python-scripts-not-so-cross-platform/
• Rent-a-troll: Researchers pit disinformation farmers against each other https://arstechnica.com/information-technology/2019/10/disinformation-campaigns-not-just-for-state-actors-anymore/
• Pen testers find mystery black box connected to ship’s engines https://nakedsecurity.sophos.com/2019/10/17/pen-testers-find-mystery-black-box-connected-to-ships-engines/
• Worn-Out Flash Memory Is Suddenly Bricking Tesla Cars https://www.vice.com/en_us/article/qvgxqp/worn-out-flash-memory-is-suddenly-bricking-tesla-cars
• Multifactor authentication issue hitting North American Azure, Office 365 users https://www.zdnet.com/article/multifactor-authentication-issue-hitting-north-american-azure-office-365-users/
• Pictures Raise Specter of Fake Evidence in 737 Max Crash Probe https://www.bloomberg.com/news/articles/2019-10-15/pictures-raise-specter-of-fake-evidence-in-737-max-crash-probe
• Help! I bought a domain and ended up with a stranger's PayPal! And I can't give it back https://www.theregister.co.uk/2019/10/17/paypalaccountdomain/
• Trump Campaign Website Left Open to Email Server Hijack https://threatpost.com/trump-campaign-website-allowed-email-hijack/149278/
• CCTV shows jailed British tourists entered US deliberately https://www.bbc.co.uk/news/world-us-canada-50067575 had originally claim they took a wrong turn and accidentally drove into the U.S. They’ve spent days detained with their 3-month-old baby.
• Amazon's consumer business says bye bye to Oracle databases, moves to AWS https://www.zdnet.com/article/amazons-consumer-business-says-bye-bye-to-oracle-databases-moves-to-aws/
• There's a more than 25% risk of a US recession in the next year http://markets.businessinsider.com/news/stocks/there-s-a-more-than-25-risk-of-a-us-recession-in-the-next-year-bloomberg-economics-says-1028596894
• The biggest volcano eruptions in recorded history https://www.businessinsider.com/biggest-volcano-eruptions-recorded-history-yellowstone-2017-10
• Terribly obvious headline misses the point - New research suggests global ice age changed the face of the planet https://phys.org/news/2019-10-global-ice-age-planet.html
• Experiment with HTTP/3 using NGINX and quiche https://blog.cloudflare.com/experiment-with-http-3-using-nginx-and-quiche/
• Mathematicians Have Discovered an Entirely New Way to Multiply Large Numbers that’s O(log N) and not N^X http://www.sciencealert.com/mathematicians-have-discovered-an-astonishing-new-way-to-multiply-large-numbers

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• NASA astronauts perform the 1st all-female spacewalk https://www.cbc.ca/news/technology/all-female-spacewalk-live-1.5325258 and http://www.sciencealert.com/nasa-just-made-history-with-the-first-all-female-spacewalk
• NASA Just Unveiled Its Brand New Spacesuits For The Artemis Missions http://www.sciencealert.com/nasa-has-just-unveiled-its-new-artemis-spacesuits-for-the-moon
• MIT engineers tested Leonardo da Vinci's design for a 900 foot long bridge proposed for Istanbul https://www.cnn.com/style/article/leonardo-da-vinci-bridge-scn/index.html
• No, A NASA Engineer Has Not Broken Physics With An Impossible Engine https://www.forbes.com/sites/startswithabang/2019/10/17/for-the-last-time-no-a-nasa-engineer-has-not-broken-physics-with-an-impossible-engine/
• Planet Sizes Matter for Habitability Too https://www.universetoday.com/143731/planet-sizes-matter-for-habitability-too/
• The curious case of the Methuselah star that appears to be older than the Universe? https://www.space.com/how-can-a-star-be-older-than-the-universe.html