This Week’s [in]Security – Issue 135 | insecurity | Control Gap

Welcome to This Week’s [in]Security. This week: PCI DSS 4 Comment Period. New PCI Contactless on COTS standard. EMVco and 3D Secure. A PCI Horror Story. Magecart. Carders. Breaches at top domain registrars, UniCredit (3rd times a charm), Bed Bath& Beyond, Desjardins breach numbers grow. Hall of shame - bank asking for other bank passwords. FB agrees to fine. Several articles on the ups and downs of facial recognition. Textalyzers?! ISPs called out for encrypted DNS lies. Bye, bye Flash!, Small quantum key distribution chip. Experimenting with post-quantum TLS. Delegated TLS credentials. ECC crypto timing attack. General attack on fingerprint readers.Random fail. SMS and Whatsapp hacking. FB sues NSO group. BlueKeep in the wild. Brain hacks. Amazon account fraud using non-Amazon devices. And more.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

News and announcements relating to Payment Security, Payments, PCI, and Card Brands.

• Request for Comments: PCI DSS Version 4.0 https://blog.pcisecuritystandards.org/request-for-comments-pci-dss-version-4.0
• Coming Soon: New Contactless Standard https://blog.pcisecuritystandards.org/coming-soon-new-contactless-standard
• EMVCo Is Eyeing Some New Initiatives for 3-D Secure 2.0 http://www.digitaltransactions.net/emvco-is-eyeing-some-new-initiatives-for-3-d-secure-2-0/
• "The Entity" - a PCI horror story https://controlgap.com/blog/the-entity-a-scary-pci-monster/
• Skimming Malware Found on American Cancer Society Webstore https://www.bankinfosecurity.com/skimming-malware-found-on-american-cancer-society-webstore-a-13321
• Magecart Gang Targets Skin Care Site Visitors For 5+ Months https://threatpost.com/magecart-attack-skin-care-site/149580/
• Takeaways from the $566M BriansClub breach https://krebsonsecurity.com/2019/10/takeaways-from-the-566m-briansclub-breach/
• Joker's Stash Drops Largest-Ever Credit Card Cache on Dark Web https://threatpost.com/jokers-stash-largest-ever-credit-card-drop/149649/
• With TSYS Now Under Its Wing, Global Payments Expands in Canada With Desjardins Acquisition http://www.digitaltransactions.net/with-tsys-now-under-its-wing-global-payments-expands-in-canada-with-desjardins-acquisition/

Breaches / Leaks

Covering breaches, leaks, data exposures, and their fallout.

• Breaches of contact information at top domain registrars NetworkSolution.com, Register.com, and Web.com- passwords being reset https://krebsonsecurity.com/2019/10/breaches-at-networksolutions-register-com-and-web-com/
• UniCredit Suffers Third Breach Despite Investing Billions in Cybersecurity https://threatpost.com/unicredit-suffers-third-breach/149617/
• Data Breach at St. Louis Health Center Impacts up to 152K https://www.securityweek.com/data-breach-st-louis-health-center-impacts-152000
• Bed Bath & Beyond Discloses Customer Login Credentials Breach https://www.bleepingcomputer.com/news/security/bed-bath-and-beyond-discloses-customer-login-credentials-breach/ and https://threatpost.com/murky-details-bed-bath-beyond-breach/149691/
• Ontario Science Center mailing list (names and emails) breached at third-party Campaigner https://www.cbc.ca/news/canada/toronto/science-centre-data-breach-1.5338334
• More than 28 million Canadians impacted by a data breach in past 12 months: privacy watchdog https://globalnews.ca/news/6116444/canadians-affected-by-data-breach-privacy-commissioner/
• Followup on recent breach - Avast, NordVPN Breaches Tied to Phantom User Accounts https://krebsonsecurity.com/2019/10/avast-nordvpn-breaches-tied-to-phantom-user-accounts/
• NordVPN users’ passwords exposed in mass credential-stuffing attacks https://arstechnica.com/information-technology/2019/11/nordvpn-users-passwords-exposed-in-mass-credential-stuffing-attacks/
• Vedantu - 686,899 breached accounts added to HIBP https://haveibeenpwned.com/PwnedWebsites#Vedantu
• Desjardins now says data breach affected 4.2 million members https://globalnews.ca/news/6112862/desjardins-says-data-breach-affected-4-2-million-members/
• Facebook agrees to pay fine over Cambridge Analytica scandal https://www.theguardian.com/technology/2019/oct/30/facebook-agrees-to-pay-fine-over-cambridge-analytica-scandal and https://www.bankinfosecurity.com/facebook-agrees-to-pay-uk-fine-in-cambridge-analytica-case-a-13320

Privacy

Articles about privacy related news, risks, and trends.

• What? Um … NO! Shame, Shame. Privacy experts slam National Bank asking customers for their password at OTHER banks https://www.cbc.ca/news/canada/nova-scotia/national-bank-canada-customer-banking-privacy-1.5334059
• Ralph Nader, Color of Change Endorse US Data Protection Agency http://epic.org/2019/11/ralph-nader-color-of-change-en.html
• UK Privacy Agency Raises Concerns About Facial Recognition http://epic.org/2019/10/uk-privacy-agency-raises-conce.html
• Curious, did FB just torpedo their own efforts - New Facebook AI fools facial recognition https://nakedsecurity.sophos.com/2019/10/29/new-facebook-ai-fools-facial-recognition/
• Gradient “celebrity matching” photo app sparks privacy fears https://nakedsecurity.sophos.com/2019/10/29/gradient-celebrity-matching-photo-app-sparks-privacy-fears/
• Toronto lawyer pushing province to bring in 'Textalyzers' to catch texting drivers https://www.cbc.ca/news/canada/toronto/textalyzer-toronto-1.5343303
• Aussie Consumer Watchdog Sues Google Over Location Data Use https://www.securityweek.com/aussie-consumer-watchdog-sues-google-over-location-data-use
• GDPR Fines Haven't Rocked the Data Privacy World—Yet  https://www.wired.co.uk/article/gdpr-fines
• How safe browsing fails to protect user privacy https://blog.trailofbits.com/2019/10/30/how-safe-browsing-fails-to-protect-user-privacy/
• Facebook employees 'strongly object' to policy allowing false claims in political ads https://www.theguardian.com/technology/2019/oct/28/facebook-employees-strongly-object-to-policy-allowing-false-claims-in-political-ads
• Toronto’s City of Tomorrow Is Scaled Back Amid Privacy Concerns https://www.nytimes.com/2019/10/31/world/canada/toronto-google-sidewalk.html

Laws & Regulations / Standards

News about laws, regulations, and standards affecting security, privacy,  technology, and public interest.

• Proposed Law Calls For Search Engine Transparency https://www.pymnts.com/news/regulation/2019/proposed-law-calls-for-search-engine-transparency/
• Australia Proposes Facial Recognition for Adult Sites https://threatpost.com/australia-acial-recognition-porn/149671/ and https://www.nytimes.com/2019/10/29/world/australia/pornography-facial-recognition.html
• DNS over HTTPS Will Give You Back Privacy that Big ISPs Fought to Take Away https://www.eff.org/deeplinks/2019/10/dns-over-https-will-give-you-back-privacy-congress-big-isp-backing-took-away
• NIST/FIPS ECC and Digital Signature standard draft for comment until Jan 29, 2020 https://www.federalregister.gov/a/2019-23742, https://csrc.nist.gov/publications/detail/fips/186/5/draft, and https://csrc.nist.gov/publications/detail/sp/800-186/draft
• NIST release draft report (NISTIR)8269, A Taxonomy and Terminology of Adversarial Machine Learning for comment until December 16, 2019 https://csrc.nist.gov/publications/detail/nistir/8269/draft
• ISPs lied to Congress to spread confusion about encrypted DNS, Mozilla says https://arstechnica.com/tech-policy/2019/11/isps-lied-to-congress-to-spread-confusion-about-encrypted-dns-mozilla-says/
• Former FBI General Counsel Jim Baker Chooses Encryption Over Backdoors https://www.schneier.com/blog/archives/2019/10/formerfbigene.html
• Google Answers AG Probe With Lawsuit https://www.pymnts.com/google/2019/google-answers-ag-probe-with-lawsuit/
• Watchdog Sues FBI Over Facial Recognition Secrecy https://www.securityweek.com/watchdog-sues-fbi-over-facial-recognition-secrecy
• NGOs Object to U.S.-U.K. CLOUD Agreement, Urge Congressional Action http://epic.org/2019/10/ngos-object-to-us-uk-cloud-agr.html
• Cybersecurity Ethics: How Far Is Too Far? https://blog.isc2.org/isc2blog/2019/10/congress2019cybersecurity-ethics-how-far-is-too-far.html

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• Google says goodbye to Flash, will stop indexing Flash content in search https://www.zdnet.com/article/google-says-goodbye-to-flash-will-stop-indexing-flash-content-in-search/
• DNS Encryption Explained - DoT and DoH https://blog.cloudflare.com/dns-encryption-explained/
• Scientists Have Made a Quantum Key Distribution Encryptor 1,000 Times Smaller Than What Came Before http://www.sciencealert.com/scientists-have-made-a-quantum-chip-that-s-1-000-times-smaller-than-before
• The results of a TLS post-quantum experiment are in and the ostrich outperformed the turkey https://blog.cloudflare.com/the-tls-post-quantum-experiment/
• Delegated Credentials for TLS https://blog.cloudflare.com/keyless-delegation/
• Validating Delegated Credentials for TLS in Firefox https://blog.mozilla.org/security/2019/11/01/validating-delegated-credentials-for-tls-in-firefox/
• Resources for Measuring Cybersecurity https://www.schneier.com/blog/archives/2019/11/resourcesform.html
• Pwn2Own Contest to Focus on Industrial Control Systems https://www.bankinfosecurity.com/pwn2own-contest-to-focus-on-industrial-control-systems-a-13322 and https://threatpost.com/pwn2own-expands-industrial-control-systems/149594/
• Input Validation on Client-side or Server-side? https://www.packetlabs.net/input-validation/
• WhatsApp update finally makes Android version as secure as iOS https://www.independent.co.uk/life-style/gadgets-and-tech/news/whatsapp-update-latest-feature-version-android-ios-security-a9180856.html
• Cyber Insurance: The Myths and Realities https://www.bankinfosecurity.com/cyber-insurance-myths-realities-a-13325

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• Bulletproof TLS #58 - Elliptic curve implementations vulnerable to Minerva timing attack https://www.feistyduck.com/bulletproof-tls-newsletter/issue58ellipticcurveimplementationsvulnerabletominervatiming_attack
• Google Discloses Chrome Flaw Exploited in the Wild https://threatpost.com/google-discloses-chrome-flaw-exploited-in-the-wild/149784/
• Hackers Claim ‘Any’ Smartphone Fingerprint Lock Can Be Broken In 20 Minutes https://www.forbes.com/sites/daveywinder/2019/11/02/smartphone-security-alert-as-hackers-claim-any-fingerprint-lock-broken-in-20-minutes/
• Why Adding Client-Side Scanning (for exploitive images) Breaks End-To-End Encryption https://www.eff.org/deeplinks/2019/11/why-adding-client-side-scanning-breaks-end-end-encryption
• Not so random numbers from chips - How a months-old AMD microcode bug destroyed my weekend https://arstechnica.com/gadgets/2019/10/how-a-months-old-amd-microcode-bug-destroyed-my-weekend/ and https://threatpost.com/pwn2own-expands-industrial-control-systems/149594/
• Running on Intel? If you want security, disable hyper-threading, says Linux kernel maintainer https://www.theregister.co.uk/2019/10/29/inteldisablehyperthreadinglinuxkernelmaintainer/
• Really this seems like short notice - Your old iPhone might stop working if you don't upgrade by Sunday (too late) https://www.ctvnews.ca/sci-tech/your-old-iphone-might-stop-working-if-you-don-t-upgrade-by-sunday-1.4658976

Hacking / Malware / Cybercrime / Exploitation

News covering active trends and events.

• Chinese Hackers Compromise Telecom Servers to Spy on SMS Messages https://thehackernews.com/2019/10/sms-spying-malware.html
• Government Officials Spied On Through WhatsApp https://www.reuters.com/article/us-facebook-cyber-whatsapp-nsogroup-excl-idUSKBN1XA27H
• MESSAGETAP: Who’s Reading Your Text Messages? https://www.fireeye.com/blog/threat-research/2019/10/messagetap-who-is-reading-your-text-messages.html
• The count of managed service providers getting hit with ransomware mounts https://arstechnica.com/information-technology/2019/10/the-count-of-managed-service-providers-getting-hit-with-ransomware-mounts/
• 2,000 Georgia Websites Hit by Cyber Attacks https://www.securityweek.com/2000-georgia-websites-hit-cyber-attacks
• Largest cyber-attack in (country of) Georgia's history linked to hacked web hosting provider https://www.zdnet.com/article/largest-cyber-attack-in-georgias-history-linked-to-hacked-web-hosting-provider/
• Facebook permanently deletes the accounts of NSO workers https://arstechnica.com/information-technology/2019/10/facebook-permanently-deletes-the-accounts-of-nso-workers/
• NSO Group / Q Cyber Technologies: Over One Hundred New Abuse Cases https://citizenlab.ca/2019/10/nso-q-cyber-technologies-100-new-abuse-cases/
• Facebook Sues Israeli NSO Group Over Alleged WhatsApp Hack https://threatpost.com/facebook-sues-nso-whatsapp-hack/149661/ and https://thehackernews.com/2019/10/whatsapp-nso-group-malware.html
• New 'unremovable' xHelper malware has infected 45,000 Android devices https://www.zdnet.com/article/new-unremovable-xhelper-malware-has-infected-45000-android-devices/
• Non-wormable malware widespread exploitation of BlueKeep Remote Code Execution Bug in RDP https://www.bleepingcomputer.com/news/security/bluekeep-remote-code-execution-bug-in-rdp-exploited-en-masse/
• McAfee: Malicious Voicemails Target Office365 Users https://www.bankinfosecurity.com/mcafee-malicious-voicemails-target-office365-users-a-13327
• Phony HTTPS Everywhere Extension Used in Fake Tor Browser https://www.eff.org/deeplinks/2019/10/phony-https-everywhere-extension-used-fake-tor-browser
• Indian nuke plant’s network reportedly hit by malware tied to N. Korea https://arstechnica.com/information-technology/2019/10/indian-nuke-plants-network-reportedly-hit-by-malware-tied-to-n-korea/
• Clinics Serving Uninsured Hit by Ransomware https://www.bankinfosecurity.com/clinics-serving-uninsured-hit-by-ransomware-a-13300
• Fancy Bear Targets Sporting, Anti-Doping Orgs As 2020 Olympics Loom https://threatpost.com/cyberattacks-sporting-anti-doping-orgs-as-2020-olympics-loom/149634/
• Unusual Activity with Double Base64 Encoding https://isc.sans.edu/diary/Unusual+Activity+with+Double+Base64+Encoding/25458
• Hackers Plead Guilty For Charging Uber To Delete Stolen Data https://www.pymnts.com/news/security-and-risk/2019/hackers-plead-guilty-for-charging-uber-to-delete-stolen-data/
• How money laundering works https://www.bbc.co.uk/news/stories-50123587
• Locally, Toronto Police on how fast theives can max out your credit cards on high end goods - hours https://toronto.ctvnews.ca/police-reveal-how-thieves-are-quickly-spending-thousands-off-stolen-credit-cards-1.4613807

Other Security / Risk

Articles covering other types of risks.

• A stranger's TV went on spending spree with my Amazon account – and web giant did nothing about it for months https://www.theregister.co.uk/2019/10/31/amazonaccounthacking/
• Scientists Demonstrate Direct Brain-to-Brain Communication in Humans https://www.scientificamerican.com/article/scientists-demonstrate-direct-brain-to-brain-communication-in-humans/
• Remember that competition for non-hoodie hacker pics? Here's their best entries https://www.theregister.co.uk/2019/10/28/cybersecuritystockimage_challenge/
• How does an RCMP officer lose a handgun and tactical equipment in a shopping mall? https://www.cp24.com/news/rcmp-officer-s-handgun-magazines-radio-stolen-at-sherway-gardens-mall-1.4665801
• Apparently hundreds of guns go missing from the Mounties, military and other departments https://torontosun.com/opinion/columnists/lilley-hundreds-of-guns-go-missing-from-the-mounties-military-and-other-departments
• We're Incentivizing Bad Science https://blogs.scientificamerican.com/observations/were-incentivizing-bad-science/
• Update on the two arrested penetration testers vs Iowa - charges reduced to misdemeanors - CEO will fight https://www.desmoinesregister.com/story/news/crime-and-courts/2019/10/30/courthouse-break-in-ceo-cyber-security-coalfire-charges-dropped/4097354002/
• Coalfire CEO Wants Criminal Charges Against His Employees Dropped https://www.darkreading.com/attacks-breaches/coalfire-ceo-wants-criminal-charges-against-his-employees-dropped/d/d-id/1336232
• Sleep expert says B.C. should stay on Standard Time rather than switch to Daylight Saving https://globalnews.ca/news/6105945/bc-daylight-saving-time-reaction/
• Opinion: Turn back the clock on Daylight Savings: Why Standard Time all year round is the healthy choice https://www.theglobeandmail.com/opinion/article-turn-back-the-clock-on-daylight-savings-why-standard-time-all-year/
• Record 176 people stung by stingrays at popular California beach in one day https://www.cnn.com/2019/10/29/us/stingray-stings-huntington-beach-trnd/index.html
• Video shows a massive sinkhole in Pittsburgh swallowing a bus during rush hour https://www.businessinsider.com/video-sinkhole-pittsburgh-swallows-bus-during-rush-hour-2019-10
• Flood-proofing for Canada's national building code gets U.S. expert's advice https://www.cbc.ca/news/canada/nova-scotia/flood-proofing-national-building-code-expert-1.5330584

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• Chasing Unlimited Energy With the World’s Largest Fusion Reactor https://www.bloomberg.com/features/2019-iter-nuclear-fusion/
• U.S. Navy Patents Compact Fusion Reactor https://www.forbes.com/sites/arielcohen/2019/10/30/a-breakthrough-in-american-energy-dominance-us-navy-patents-compact-fusion-reactor/
• Hydrogen cars are superior to electric, but it doesn't matter at all https://www.digitaltrends.com/cars/hydrogen-cars/
• Engineer Has a Bold Plan to Help Stop Arctic Melting Using Millions of Glass Beads http://www.sciencealert.com/this-engineer-thinks-millions-of-glass-beads-could-help-stop-the-arctic-from-melting
• Canadian-made 'invisibility shield' could hide people, spacecraft https://www.ctvnews.ca/sci-tech/canadian-made-invisibility-shield-could-hide-people-spacecraft-1.4658738 and http://torontopolice.on.ca/newsreleases/45710
• Man shatters record for scaling world's 14 highest peaks https://www.cbc.ca/news/world/man-shatters-record-for-scaling-world-s-highest-peaks-1.5339112
• The Internet turns 50 - in the beginning was ARPANET https://arstechnica.com/information-technology/2019/10/50-years-ago-today-the-internet-was-born-sort-of/
• This is the Machine Astronauts Trained on to Land on the Moon https://www.universetoday.com/143889/this-is-the-machine-astronauts-trained-on-to-land-on-the-moon/
• Mysterious X-37B Lands After 780 Days in Orbit Doing ??? https://www.universetoday.com/143870/x-37b-lands-after-780-days-in-orbit-doing/
• A collision liquefied the 4th-largest asteroid, turning it into a dwarf planet https://arstechnica.com/science/2019/10/collision-liquified-the-4th-largest-astroid-turning-it-into-a-dwarf-planet/
• Iceland livestreams 10-year-old McDonald's cheeseburger and fries (yummy?) https://www.bbc.com/news/blogs-trending-50262547