This Week’s [in]Security – Issue 136 | insecurity | Control Gap

Welcome to This Week’s [in]Security. This week: Expiring HSMs, Contactless on COTS, more on Key Blocks, updated FAQ list, more Magecart and e-com-fraud. Insider and third-party breaches at Facebook, Twitter, Trend Micro. Better breach notification. Breach excuses. Encrypted DNS. NIST Privacy. DNA and law enforcement. Snowden on GDPR. The CLOUD Act bites back. Quantum safety. Protecting apps. More secure chips. Smart speakers and lasers. Healthcare breaches and fatalities. Social media and surveillance. And more.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

News and announcements relating to Payment Security, Payments, PCI, and Card Brands.

• Update: PCI SSC's Enhanced Contactless Payment Standard https://www.bankinfosecurity.com/interviews/update-pci-sscs-enhanced-contactless-payment-standard-i-4503
• How do PCI PTS-approved HSM expiry dates affect a PCI-listed P2PE Solution or Component? https://pcissc.secure.force.com/faq/articles/FrequentlyAskedQuestion/How-do-PCI-PTS-approved-HSM-expiry-dates-affect-a-PCI-listed-P2PE-Solution-or-Component
• Key Blocks 104 https://blog.pcisecuritystandards.org/key-blocks-104
• Updated list of all PCI FAQ's https://controlgap.com/index-pci-frequently-asked-questions/
• PCI DSS in Practice Case Study: FIS https://blog.pcisecuritystandards.org/pci-dss-in-practice-case-study-fis
• Don’t Skip Data Discovery During Your Compliance Program https://www.imperva.com/blog/dont-skip-data-discovery-during-your-compliance-program/
• Visa issues aler over new JavaScript Skimmer 'Pipka' http://click.broadcasts.visa.com/xfm/?29609/0/c0b23c9f0a57b0ad7eeb8876ca7fa713/lonew
• The Changing Landscape Of eCommerce Fraud https://www.pymnts.com/today-in-data/2019/the-changing-landscape-of-ecommerce-fraud/
• Magecart Groups Attack Simultaneous Sites in Card-Theft Frenzy https://threatpost.com/magecart-groups-attack-simultaneous-sites-in-card-theft-frenzy/149872/
• Having Absorbed First Data, Fiserv Looks To Cut Costs While Staying Competitive http://www.digitaltransactions.net/having-absorbed-first-data-fiserv-looks-to-cut-costs-while-staying-competitive/
• TD Canada Trust customers lose hundreds of dollars not once, but twice in e-transfer nightmare https://globalnews.ca/news/6126894/a-couple-who-banks-with-td-canada-trust-loses-hundreds-of-dollars-during-e-transfer-not-once-but-twice/

Breaches / Leaks

Covering breaches, leaks, data exposures, and their fallout.

• Facebook Privacy Breach: 100 Developers Improperly Accessed Data https://threatpost.com/facebook-privacy-breach-developers-group-data/149930/
• Two former Twitter employees accused of spying for Saudi Arabia https://www.cnn.com/2019/11/06/tech/twitter-employees-saudi-arabia-spying/index.html
• Trend Micro: Our super-duper security software will keep you safe from everyone – except our staff who go rogue https://www.theregister.co.uk/2019/11/06/trendmicroleak/
• Huge Data Leak Doxes Members of Notorious Neo-Nazi Forum https://www.wired.com/story/ironmarch-dox-security-roundup/
• Eye Clinic Breach Reveals Data of 20,000 Patients https://threatpost.com/eye-clinic-breach-reveals-data-of-20000-patients/149878/
• Three UK does it again: Random folk on network website are still seeing others' account data https://www.theregister.co.uk/2019/11/05/threeukdatabreachhomepage_again/
• Enhancing the Security of Data Breach Notifications and Settlement Notices https://freedom-to-tinker.com/2019/11/08/enhancing-the-security-of-data-breach-notifications-and-settlement-notices/
• APRA received 36 infosec breach notifications from financial services boards https://www.zdnet.com/article/apra-received-36-infosec-breach-notifications-from-financial-services-boards/
• Following Massive Breach, Capital One Replacing CISO: Report https://www.bankinfosecurity.com/following-massive-breach-capital-one-replacing-ciso-report-a-13385
• Understanding the Ripple Effect: Large Enterprise Data Breaches Threaten Everyone https://threatpost.com/ripple-effect-large-enterprise-data-breaches/150041/
• The debate over data breach fines: Are They Working to Boost Consumer Safety? https://threatpost.com/data-breach-fines-consumer-safety/149956/
• This Is The Impact Of A Data Breach On Enterprise Share Prices https://www.zdnet.com/article/this-is-how-a-data-breach-at-your-company-can-hit-share-prices/
• Parody site generates breach excuses every time you hit the Equifax already used that one button (slightly NSFW language) https://whythe%66uckwasibreached.com/

Privacy

Articles about privacy related news, risks, and trends.

• California Sues Facebook for Documents in Privacy Investigation https://www.nytimes.com/2019/11/06/technology/facebook-california-investigation.html
• Obfuscation as a Privacy Tool? https://www.schneier.com/blog/archives/2019/11/obfuscationas\.html

Laws & Regulations / Standards

News about laws, regulations, and standards affecting security, privacy,  technology, and public interest.

• GDPR is missing the point, says Edward Snowden https://www.zdnet.com/article/gdpr-is-missing-the-point-says-edward-snowden/
• Anti-Deepfake Law in California Is Far Too Feeble https://www.wired.com/story/opinion-californias-anti-deepfake-law-is-far-too-feeble/
• IBM: Face Recognition Tech Should be Regulated, Not Banned https://www.securityweek.com/ibm-face-recognition-tech-should-be-regulated-not-banned
• Getting Ready for the NIST Privacy Framework https://www.bankinfosecurity.com/interviews/getting-ready-for-nist-privacy-framework-i-4497
• DNS-over-HTTPS will eventually roll out in all major browsers, despite ISP opposition https://www.zdnet.com/article/dns-over-https-will-eventually-roll-out-in-all-major-browsers-despite-isp-opposition/
• DoHn't believe the hype! You are being lied to by data-hungry ISPs, Mozilla warns lawmakers https://www.theregister.co.uk/2019/11/04/mozilladohcongress/
• Judge Rules Law Enforcement Can Plunder DNA Database https://www.zdnet.com/article/law-enforcement-can-plunder-dna-profile-database-judge-rules/
• European Parliament Issues Report on Law Enforcement Data Access Proposal http://epic.org/2019/11/european-parliament-issues-rep.html
• The Project Jengo Saga: How Cloudflare Stood up to a Patent Troll – and Won! https://blog.cloudflare.com/the-project-jengo-saga-how-cloudflare-stood-up-to-a-patent-troll-and-won/
• Secret Gerrymandering Files Can Now Be Made Public, Court Rules https://theintercept.com/2019/11/05/gerrymandering-files-thomas-hofeller-public/
• Congress, Remember the 4th Amendment? It’s Time to Stop the U.S.-UK Agreement https://www.eff.org/deeplinks/2019/11/congress-remember-4th-amendment-its-time-stop-us-uk-agreement
• FTC Takes Action Against Stalkerware Company Retina-X https://www.eff.org/deeplinks/2019/11/ftc-takes-action-against-stalkerware-company-retina-x

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• Google's joins Gang of Four to guard Play Store apps from malware, and maybe not fail so much https://www.theregister.co.uk/2019/11/06/androidsecurityposse/
• Google Is Helping Design an Open Source, Ultra-Secure Chip https://www.wired.com/story/open-titan-open-source-secure-enclave/
• Detecting Account Takeover Botnets https://www.imperva.com/blog/detecting-account-takeover-botnets/
• Whitepaper “5 Steps to a Modern Mainframe Security Strategy.” https://www.krisecurity.com/thank-you-for-your-interest-in-five-steps-to-modern-mainframe-security/
• Towards Quantum-Safe VPNs and Internet https://eprint.iacr.org/2019/1277

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• Alexa, Siri, Google Smart Speakers Hacked Via Laser Beam https://threatpost.com/alexa-siri-google-smart-speakers-hacked-via-laser-beam/149860/
• Amazon Fixes Ring Video Doorbell Flaw That Leaked Wi-Fi Credentials https://threatpost.com/amazon-fixes-ring-video-doorbell-flaw-that-leaked-wi-fi-credentials/150029/
• Actively exploited bug in fully updated Firefox is sending users into a tizzy https://arstechnica.com/information-technology/2019/11/scammers-are-exploiting-an-unpatched-firefox-bug-to-send-users-into-a-panic/
• PSA: Turning off silent macros in Office for Mac leaves users wide open to silent macro attacks https://www.theregister.co.uk/2019/11/05/officemacmacro_bug/
• Full-Round Differential Attack on DoT Block Cipher (Research on lightweight encryption design with a small block) https://eprint.iacr.org/2019/1285
• Homemade TEMPEST Receiver https://www.schneier.com/blog/archives/2019/11/homemade_tempes.html

Hacking / Malware / Cybercrime / Exploitation

News covering active trends and events.

• WordPress sites hit by malvertising https://nakedsecurity.sophos.com/2019/11/07/malvertising-malware-sweeps-wordpress-sites/
• Study: Ransomware, Data Breaches at Hospitals tied to Uptick in Fatal Heart Attacks https://krebsonsecurity.com/2019/11/study-ransomware-data-breaches-at-hospitals-tied-to-uptick-in-fatal-heart-attacks/
• Kaspersky identifies mysterious APT mentioned in 2017 Shadow Brokers leak https://www.zdnet.com/article/kaspersky-identifies-mysterious-apt-mentioned-in-2017-shadow-brokers-leak/
• Newly discovered Titanium backdoor employs clever ways to go undetected https://arstechnica.com/information-technology/2019/11/newly-discovered-titanium-backdoor-employs-clever-ways-to-go-undetected/
• Spanish companies’ networks shut down as result of ransomware https://arstechnica.com/information-technology/2019/11/spanish-companies-networks-shut-down-as-result-of-ransomware/
• BEC Scam Costs Media Giant Nikkei $29 Million https://threatpost.com/bec-scam-nikkei-29-million/149834/
• NCR Barred Mint, QuickBooks from Banking Platform During Account Takeover Storm https://krebsonsecurity.com/2019/11/ncr-barred-mint-quickbooks-from-banking-platform-during-account-takeover-storm/
• Google Analytics Emerges as a Phishing Tool https://threatpost.com/google-analytics-phishing-tool/149917/
• Phishing Attacks Are Booming Even as They Are Getting Harder to Detect http://www.digitaltransactions.net/phishing-attacks-are-booming-even-as-they-are-getting-harder-to-detect/
• What a mess': McDonald's customers frustrated as 'Hamburglar' hacks more app accounts https://www.cbc.ca/news/business/mcdonald-s-hamburglar-app-account-hack-1.5345024
• Hang up': RCMP intelligence officer weighs in on scam calls frustrating Canadians https://www.ctvnews.ca/canada/hang-up-rcmp-intelligence-officer-weighs-in-on-scam-calls-frustrating-canadians-1.4674945
• IT project manager hacked former client’s CEO's email https://nakedsecurity.sophos.com/2019/11/08/it-services-pro-hacked-former-clients-email/
• This woman is a 'professional' and 'prolific' identity thief, say police https://www.cbc.ca/news/canada/toronto/meet-deborah-oguntoyinbo-accused-of-being-a-professional-and-prolific-identity-thief-1.5348438

Other Security / Risk

Articles covering other types of risks.

• EPIC, Coalition Issue Declaration on Harms of Social Media Surveillance http://epic.org/2019/11/epic-coalition-underscore-the-.html
• RCMP launches review of its social media monitoring operation https://www.cbc.ca/news/politics/rcmp-social-media-review-1.5346741
• ‘Fake news’ isn’t easy to spot on Facebook, according to new study https://scienmag.com/fake-news-isnt-easy-to-spot-on-facebook-according-to-new-study/
• Google and Facebook 'considering ban on micro-targeted political ads' https://www.theguardian.com/media/2019/nov/07/google-facebook-considering-ban-micro-targeted-political-ads
• A real blast from the past - bizarre wave of 'weird texts' hit American cell phones overnight https://www.cp24.com/world/bizarre-wave-of-weird-texts-hit-american-cell-phones-overnight-1.4675868 and https://www.cbc.ca/news/technology/text-messages-1.5248137
• Why 168,149 Valentine’s day text messages arrived in November https://arstechnica.com/information-technology/2019/11/why-168149-valentines-day-text-messages-arrived-in-november/
• Charges: Chinese Surveillance Goods Illegally Sold to US https://www.securityweek.com/charges-chinese-surveillance-goods-illegally-sold-us
• EPIC Files Complaint with FTC about Employment Screening Firm HireVue http://epic.org/2019/11/epic-files-complaint-with-ftc.html
• Hawaii man dies after falling down lava tube hidden in his backyard http://globalnews.ca/news/6145121/man-falls-lava-tube-hawaii/
• Century-old ship dislodged above Niagara Falls https://www.bbc.co.uk/news/world-us-canada-50294318
• The woman tracking 'dark' Instagram accounts https://www.bbc.co.uk/news/stories-50261937
• New transmission model for Ebola predicted Uganda cases https://scienmag.com/new-transmission-model-for-ebola-predicted-uganda-cases/

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• New 'Artificial Leaf' Uses Sunlight to Turn Carbon Dioxide Into Fuel http://www.sciencealert.com/scientists-use-red-powder-and-sunlight-turning-co2-into-fuel-like-an-artificial-leaf
• MIT's robotic ball playing mini-cheetahs https://www.cnn.com/videos/business/2019/11/08/mit-mini-cheetah-robots-orig.cnn-business
• Mercury Transit 2019: Here's Why This Celestial Event Is So Rare (too bad it was snowed in)|https://www.space.com/mercury-transit-2019-why-its-rare.html
• Researchers claim data from Planck space observatory suggests universe is a sphere https://phys.org/news/2019-11-planck-space-observatory-universe-sphere.html
• Could TESS have already seen Planet Nine? https://www.syfy.com/syfywire/could-tess-have-already-seen-planet-nine
• The A12 and SR-71 Cold War spy planes that are still the world's fastest aircraft https://www.cnn.com/style/article/sr-71-blackbird-spy-plane-design/index.html