This Week’s [in]Security – Issue 139 | insecurity | Control Gap

Welcome to This Week’s [in]Security. This week: New PCI FAQs, POS and restaurant breaches, Magecart. Breaches at Adobe, Palo Alto, and Vistaprint. Smartwatch exposure. Privacy laws and the future. Facebook and Twitter SDKs. Right to be forgotten. IoT encryption debate. RCS (SMS replacement) vulnerabilities, more ransomware, national security and Chinese tech. What is AI? Nukes and climate. DeepFake example . Electric seaplanes. And more.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

News and announcements relating to Payment Security, Payments, PCI, and Card Brands.

• New PCI FAQ's:

  • https://pcissc.secure.force.com/faq/articles/FrequentlyAskedQuestion/Are-PFIs-required-to-fill-out-all-the-fields-in-the-Final-PFI-Report
  • https://pcissc.secure.force.com/faq/articles/FrequentlyAskedQuestion/What-does-Servicing-Markets-on-the-QSA-listing-mean
  • https://pcissc.secure.force.com/faq/articles/FrequentlyAskedQuestion/How-can-I-determine-whether-a-QSA-is-authorized-to-perform-PCI-DSS-assessments-in-all-countries-that-are-in-scope-for-my-company-s-PCI-DSS-assessment
• We updated our list of every known PCI FAQ https://controlgap.com/index-pci-frequently-asked-questions/
• Young Australians Ready to Embrace Secure Commerce at the Pump https://www.mobilepaymentstoday.com/whitepapers/young-australians-ready-to-embrace-secure-commerce-at-the-pump-i-payments-i-petrol-i-pay-at-the-pump-i-retail-i-servos/
• Sale of 4 Million Stolen Cards Tied to Breaches at 4 Restaurant Chains https://krebsonsecurity.com/2019/11/sale-of-4-million-stolen-cards-tied-to-breaches-at-4-restaurant-chains/
• Hidden Cam Above Bluetooth Pump Skimmer https://krebsonsecurity.com/2019/11/hidden-cam-above-bluetooth-pump-skimmer/
• PoS Malware Exposes Customer Data of Catch Restaurants https://threatpost.com/pos-malware-customer-data-catch-restaurants/150581/
• Magecart Group Switches Up Tactics with MiTM, Phishing https://threatpost.com/magecart-variant-tactics-mitm-phishing/150628/
• On the Border Warns of Data Breach https://www.darkreading.com/attacks-breaches/on-the-border-warns-of-data-breach/d/d-id/1336467

Breaches / Leaks

Covering breaches, leaks, data exposures, and their fallout.

• Adobe discloses security breach impacting Magento Marketplace users https://www.zdnet.com/article/adobe-discloses-security-breach-impacting-magento-marketplace-users/
• Unencrypted Vistaprint Database Exposed Personal Customer Data https://www.pymnts.com/news/security-and-risk/2019/unencrypted-vistaprint-database-exposed-personal-customer-data/
• Cybersecurity giant Palo Alto Networks was hit by a data breach which saw social security numbers of its own employees shared online https://www.businessinsider.com/cybersecurity-firm-palo-alto-networks-employee-data-breach-2019-11
• Facebook Breach Victims Can Sue For 'Reasonable' Security https://www.bankinfosecurity.com/facebook-breach-victims-sue-for-reasonable-security-a-13455

Privacy

Articles about privacy related news, risks, and trends.

• IoT Smartwatch Exposes Kids' Personal, GPS Data https://threatpost.com/iot-smartwatch-childrens-personal-gps-data/150656/
• Data Privacy Will Be The Most Important Issue In The Next Decade https://www.datex.ca/blog/data-privacy-will-be-the-most-important-issue-in-the-next-decade
• PIPEDA: One Year After Mandatory Reporting https://www.packetlabs.net/pipeda-one-year-later/
• Federal Data Privacy Bill Takes Aim at Tech Giants https://threatpost.com/federal-data-privacy-bill-tech-giants/150663/
• DEEP DIVE: EFF to DHS: Stop Mass Collection of Social Media Information https://www.eff.org/deeplinks/2019/11/deep-dive-eff-dhs-stop-mass-collection-social-media-information
• What to Consider Before Trading Your Health Data for Cash https://www.nytimes.com/2019/11/27/smarter-living/wirecutter/what-to-consider-before-trading-your-health-data-for-cash.html
• AggregateIQ, implicated in the Cambridge Analytica/Facebook scandal broke privacy laws but won't be punished https://www.theglobeandmail.com/canada/british-columbia/article-aggregate-iq-will-not-face-financial-penalties-in-canada-after/ and https://vancouverisland.ctvnews.ca/privacy-watchdogs-say-victoria-firm-broke-rules-for-political-ads-on-facebook-1.4703390
• Twitter, Facebook User Data Improperly Accessed via Malicious SDKs https://www.securityweek.com/twitter-facebook-user-data-improperly-accessed-malicious-sdks AND https://www.theregister.co.uk/2019/11/26/facebooktwitterdata_loss/
• German murderer wins 'right to be forgotten' https://www.bbc.co.uk/news/world-europe-50579297

Laws & Regulations / Standards

News about laws, regulations, and standards affecting security, privacy,  technology, and public interest.

• NIST Releases SP 800-160 Vol. 2: Developing Cyber Resilient Systems https://csrc.nist.gov/publications/detail/sp/800-160/vol-2/final
• The LawBytes Podcast, Episode 33: “Canadian Patenting is Not Going to Drive Anything” http://www.michaelgeist.ca/2019/11/lawbytes-podcast-episode-33/
• Canadian Copyright Website Blocking Underway As TekSavvy Appeals Federal Court Ruling http://www.michaelgeist.ca/2019/11/canadian-copyright-website-blocking-underway-as-teksavvy-appeals-federal-court-ruling/
• Ontario court fight with Facebook over private messages comes to an end https://www.cbc.ca/news/canada/london/facebook-canada-legal-battle-windsor-london-ontario-1.5377047
• DHS Mandates Federal Agencies to Run Vulnerability Disclosure Policy https://www.schneier.com/blog/archives/2019/11/dhsmandatesfe.html
• Researchers reach milestone in quantum standardization https://scienmag.com/researchers-reach-milestone-in-quantum-standardization/

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• An agenda for multidisciplinary cyber risk research https://scienmag.com/an-agenda-for-multidisciplinary-cyber-risk-research/
• The Debate Over How to Encrypt the Internet of Things https://www.wired.com/story/lightweight-encryption-internet-of-things/
• This is Tim Berners-Lee's grand plan to save the web from digital dystopia https://www.zdnet.com/article/this-is-tim-berners-lees-grand-plan-to-save-the-web-from-digital-dystopia/
• Cyber Insurance Upsurge Fueled By Breaches, Fines https://www.pymnts.com/news/security-and-risk/2019/cyber-insurance-upsurge-fueled-by-breaches-fines/
• NYPD Fingerprint Database Taken Offline to Thwart Ransomware https://threatpost.com/nypd-fingerprint-database-ransomware/150592/
• Welcoming the Swiss Government to Have I Been Pwned https://www.troyhunt.com/welcoming-the-swiss-government-to-have-i-been-pwned/
• You can and should be using spaces in your passwords https://www.businessinsider.com/can-you-use-spaces-in-passwords-online-security-tips-2019-11
• (Trust me it's just Windows. Nothing going on here. ….) Kali Linux 2019.4 includes new undercover mode for pentesters doing work in public places https://www.helpnetsecurity.com/2019/11/27/kali-linux-2019-4/
• Sweden Cybersecurity Firm Raises $23M To Enhance ‘Ethical Hacker’ Network https://www.pymnts.com/news/security-and-risk/2019/sweden-cybersecurity-firm-raises-23m-for-ethical-hacker-network/
• What is the OWASP Top 10 Project? https://www.packetlabs.net/owasp-top-10-security/
• (Analysis of Brute Force) 64 Bits ought to be enough for anybody! https://blog.trailofbits.com/2019/11/27/64-bits-ought-to-be-enough-for-anybody/
• Underwater telecom cables make superb seismic network https://scienmag.com/underwater-telecom-cables-make-superb-seismic-network/
• Structurally designed DNA star creates ultra-sensitive test for dengue virus https://scienmag.com/structurally-designed-dna-star-creates-ultra-sensitive-test-for-dengue-virus/
• Breeding a Non-allergenic Peanut https://blogs.scientificamerican.com/observations/breeding-a-nonallergenic-peanut/
• ACMA (Austrailia) proposes three-point action plan to crack down on phone scams https://www.zdnet.com/article/acma-proposes-three-point-action-plan-to-crack-down-on-phone-scams/
• NASA rockets study why tech goes haywire near poles https://phys.org/news/2019-11-nasa-rockets-tech-haywire-poles.html

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• Outlook for Android Spoofing Vulnerability https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1460
• Shame: FortiGuard Used Hardcoded Key and XOR to Encrypt Communications https://www.bleepingcomputer.com/news/security/fortiguard-used-hardcoded-key-xor-to-encrypt-communications/
• HPE tells users to patch SSDs to prevent failure after 32,768 hours of operation https://www.zdnet.com/article/hpe-tells-users-to-patch-ssds-to-prevent-failure-after-32768-hours-of-operation/
• New Android Text Messaging Update (RCS) ‘Exposes Most Users To Hacking’ https://www.forbes.com/sites/zakdoffman/2019/11/30/new-android-security-threat-text-messaging-update-puts-most-mobile-users-at-risk/

Hacking / Malware / Cybercrime / Exploitation

News covering active trends and events.

• Google caught a Russian state hacker crew uploading badness to the Play Store https://www.theregister.co.uk/2019/11/28/google12000warningsphishingsandworm/
• Over 12,000 Google Users Hit by Government Hackers in 3rd Quarter of 2019 https://www.forbes.com/sites/thomasbrewster/2019/11/27/google-warns-12000-they-were-hit-by-government-hackers---heres-what-to-do-if-youre-a-target/, https://thehackernews.com/2019/11/google-government-hacking.html and https://www.securityweek.com/google-shares-data-state-sponsored-hacking-attempts
• Livingston School District in New Jersey Hit With Ransomware https://www.bleepingcomputer.com/news/security/livingston-school-district-in-new-jersey-hit-with-ransomware/
• Significant' malware attack hits Waterloo Catholic District School Board https://www.waterloochronicle.ca/news-story/9741300--significant-malware-attack-hits-waterloo-catholic-district-school-board/
• Brock orders password resets after cyberattack https://www.stcatharinesstandard.ca/news-story/9738556-brock-orders-password-resets-after-cyberattack/
• Attackers Demand $14 Million Ransom From IT Services Firm https://www.bankinfosecurity.com/attackers-demand-14-million-ransom-from-services-firm-a-13444
• Multiple hotels hit by targeted malware attacks https://www.itproportal.com/news/multiple-hotels-hit-by-targeted-malware-attacks/
• A hacking group is hijacking Docker systems with exposed API endpoints https://www.zdnet.com/article/a-hacking-group-is-hijacking-docker-systems-with-exposed-api-endpoints/
• Hackers Steal $49 Million in Ethereum From Cryptocurrency Exchange Upbit https://www.securityweek.com/hackers-steal-49-million-ethereum-cryptocurrency-exchange-upbit
• Ransomware: Big paydays and little chance of getting caught means boom time for crooks https://www.zdnet.com/article/ransomware-big-paydays-and-little-chance-of-getting-caught-means-boom-time-for-crooks/
• TrickBot Evolves to Go After SSH Keys https://threatpost.com/trickbot-evolves-ssh-keys/150617/
• New 'Ginp' Android Trojan Targets Credentials, Payment Card Data https://www.securityweek.com/new-ginp-android-trojan-targets-credentials-payment-card-data
• Rental scams https://www.lightbluetouchpaper.org/2019/11/28/rental-scams/
• FBI Probing Hack Of US Electricity Providers https://www.pymnts.com/news/security-and-risk/2019/fbi-probing-hack-of-us-electricity-providers/
• Waterloo region police warn of debit card theft by phony pizza delivery https://globalnews.ca/news/6213898/debit-card-stolen-during-phony-pizza-delivery-in-waterloo-region-police/
• Kitchener man arrested in connection to string of delivery driver robberies https://globalnews.ca/news/6215240/kitchener-man-arrested-in-connection-to-string-of-delivery-driver-robberies-police/

Other Security / Risk

Articles covering other types of risks.

• From CNN: China can shut off the Philippines' power grid at any time, leaked report warns https://www.cnn.com/2019/11/25/asia/philippines-china-power-grid-intl-hnk/index.html
• FCC Takes Steps Toward Squeezing Out Huawei, ZTE https://www.bankinfosecurity.com/fcc-takes-steps-toward-squeezing-out-huawei-zte-a-13443
• Bulletproof TLS Newsletter #59 is out - delegated credentials, vulnerabilities, killing off browser ftp support, openSSL v3.0, failures of cryptographic proofs https://www.feistyduck.com/bulletproof-tls-newsletter/issue59testingofdelegatedcredentialsbegins
• U.S., Russia And Israel Show Little Appetite For Cyber Destruction https://www.forbes.com/sites/seanlawson/2019/11/26/us-russia-and-israel-show-little-appetite-for-cyber-destruction/
• It’s Way Too Easy to Get a .gov Domain Name https://krebsonsecurity.com/2019/11/its-way-too-easy-to-get-a-gov-domain-name/
• IBM's AI debating machine debated itself on whether AI is good or evil. Its creators say that could help human learning. https://www.businessinsider.com/ibm-ai-debated-itself-cambridge-university-human-learning-2019
• South Korean Go master retires, saying AI, machines ‘cannot be defeated’ https://globalnews.ca/news/6226072/south-korean-go-master-retires-ai/
• Tainted Data Can Teach Algorithms the Wrong Lessons https://www.wired.com/story/tainted-data-teach-algorithms-wrong-lessons/
• Is Machine Learning Really AI https://www.forbes.com/sites/cognitiveworld/2019/11/21/is-machine-learning-really-ai/ and https://www.forbes.com/sites/cognitiveworld/2019/11/29/is-machine-learning-really-ai-part-2/
• Why Our Intuition About Sea-Level Rise Is Wrong https://getpocket.com/explore/item/why-our-intuition-about-sea-level-rise-is-wrong
• Nuclear Power Does Slow Climate Change https://www.forbes.com/sites/jamesconca/2019/11/25/nuclear-power-does-slow-climate-change/
• Three premiers plan to fight climate change by investing in small nuclear reactors https://www.ctvnews.ca/politics/three-premiers-plan-to-fight-climate-change-by-investing-in-small-nuclear-reactors-1.4709865
• Meet Kilos, a New Search Engine for the Dark Web https://www.securityweek.com/meet-kilos-new-search-engine-dark-web
• Dell Considering Selling RSA https://www.bankinfosecurity.com/dell-considering-selling-rsa-report-a-13447
• The Frightening Rise In Low-Quality, Low-Paying Jobs: Is This Really A Strong Job Market? https://www.forbes.com/sites/jackkelly/2019/11/25/the-frightening-rise-in-low-quality-low-paying-jobs-is-this-really-a-strong-job-market/
• Quebec imposes breathalyzers for life for repeat impaired driving offenders https://globalnews.ca/news/6214669/quebec-imposes-breathalyzers-for-life-for-repeat-impaired-driving-offenders/
• Is cyberbullying common among adults? https://scienmag.com/is-cyberbullying-common-among-adults/
• Here’s a Deepfake of Nixon Giving a Eulogy for the Apollo 11 Astronauts if Their Mission Failed https://www.universetoday.com/144156/heres-a-deepfake-of-nixon-giving-a-eulogy-for-the-apollo-11-astronauts-if-their-mission-failed/

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• Vancouver seaplane company to test world’s first all-electric commercial aircraft https://globalnews.ca/news/6236692/harbour-air-electric-aircraft-test/
• (Okay, IKEA doesn't make anything this small but still …) Self-assembling system uses magnets to mimic specific binding in DNA https://scienmag.com/self-assembling-system-uses-magnets-to-mimic-specific-binding-in-dna/
• There is no permanent dark side of the moon, and this simple animation by a former NASA scientist explains why https://www.businessinsider.com/former-nasa-scientist-video-shows-moon-has-no-dark-side-2019-11
• Apollo 12 lunar selfie https://apod.nasa.gov/apod/ap191124.html
• NASA astronaut rates space movies based on how realistic they are https://www.businessinsider.com/nasa-astronaut-rates-space-movies-based-on-realism-2019-11
• Man Built Entire Car Out of Snow. It Was So Good Cops Wrote it a "Ticket" https://tribunist.com/news/man-built-entire-car-out-of-snow-it-was-so-good-cops-wrote-it-a-ticket/