This Week’s [in]Security – Issue 143 | insecurity | Control Gap

Welcome to This Week’s [in]Security. A slow week in payments. Incidents at Wyze, Factual, Honda, Bank of England, and Synoptek. Wawa and LifeLabs sued. Top security screwups and threats of 2019. Bypassing 2FA. Disinformation and your brain. When is data publlic? Did location tracking just get worse? Government back-doors. Taxes and social media. Facial recognition and surveillance. Holiday phishing and scams. ToTok spyware. Cyberinsurance pull-back. Revenge porn law challenged. AI. Huawei and Google. Risks of DNA kits. Mushroom identification. And more.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

News and announcements relating to Payment Security, PCI, Card Brands, Payments, Payment Malware and Fraud.

• Deutsche, Mastercard Launch Spain’s First Dynamic Code Card https://www.pymnts.com/news/security-and-risk/2019/deutsche-mastercard-launch-dynamic-code-card-in-spain/
• Mastercard Acquires RiskRecon to Enhance Cybersecurity Capabilities https://www.businesswire.com/news/home/20191223005324/en/Mastercard-Acquires-RiskRecon-Enhance-Cybersecurity-Capabilities

Breaches / Leaks

Covering breaches, leaks, data exposures, ransomware (as potential breach), and their fallout.

• IoT vendor Wyze exposed data on 2.4M users in an unsecured Elasticsearch test db containing copies of production data https://www.zdnet.com/article/iot-vendor-wyze-confirms-server-leak/ and https://www.forbes.com/sites/leemathews/2020/12/29/wyze-database-leak-exposes-24-million-smart-device-users/
• Factual - 2,461,696 breached accounts now in HIBP https://haveibeenpwned.com/PwnedWebsites#Factual
• Honda Exposes 26,000 Records of North American Customers https://www.bleepingcomputer.com/news/security/honda-exposes-26-000-records-of-north-american-customers/
• Bank of England audio leak followed loss of key cybersecurity staff https://www.theguardian.com/business/2019/dec/21/bank-of-england-audio-leak-followed-loss-of-key-cybersecurity-staff
• Ransomware Attackers May Lurk for Months, FBI Warns https://www.bankinfosecurity.com/blogs/ransomware-attackers-may-lurk-for-months-fbi-warns-p-2844
• rEvil Ransomware hits IT Services Provider Synoptek https://krebsonsecurity.com/2019/12/ransomware-at-it-services-provider-synoptek/
• Maze Ransomware Gang Names More Alleged Victims https://www.bankinfosecurity.com/maze-ransomware-gang-names-more-alleged-victims-a-13539
• Wawa sued over breach https://www.zdnet.com/article/these-are-the-worst-hacks-cyberattacks-and-data-breaches-of-2019/ and https://www.pymnts.com/legal/2019/multiple-lawsuits-filed-over-wawa-data-breach/
• LifeLabs data breach prompts proposed class action lawsuit (Ontario) https://globalnews.ca/news/6346015/lifelabs-proposed-class-action-lawsuit/

• Top breaches and security screwups of 2019 from several sources :

  • ttps://threatpost.com/top-10-breaches-leaky-server-2019/151386/
  • ttps://www.securitymagazine.com/articles/91366-the-top-12-data-breaches-of-2019
  • ttps://www.cnet.com/news/2019-data-breach-hall-of-shame-these-were-the-biggest-data-breaches-of-the-year/
  • ttps://securityboulevard.com/2019/12/biggest-2019-data-breaches-some-of-the-worst-of-the-worst/
  • ttps://www.komando.com/security-privacy/biggest-data-breaches-of-2019/695647/
  • ttps://www.zdnet.com/article/these-are-the-worst-hacks-cyberattacks-and-data-breaches-of-2019/
• Facebook's 2019 Security Debacles https://threatpost.com/facebook-security-debacles-2019-year-in-review/151306/

Privacy

Articles about privacy related news, risks, and trends.

• When Is Data "Public"? (And 2.5M Public Factual Records in HIBP) https://www.troyhunt.com/when-is-data-public-and-2-5m-public-factual-records/
• (Location tracking is already out of hand, now things will be worse) Every move you make, I’ll be watching you: Privacy implications of the Apple U1 chip and ultra-wideband https://freedom-to-tinker.com/2019/12/21/every-move-you-make-ill-be-watching-you-privacy-implications-of-the-apple-u1-chip-and-ultra-wideband/
• Fighting Back Against Face Surveillance in the Skies: 2019 Year in Review https://www.eff.org/deeplinks/2019/12/fighting-back-against-face-surveillance-skies-year-review-2019
• Foreign Police Want to Bypass Privacy Laws—and Courts—to Get Data from Abroad: Year in Review 2019 https://www.eff.org/deeplinks/2019/12/foreign-police-want-bypass-privacy-laws-and-courts-get-data-abroad

Laws & Regulations / Standards

News about laws, regulations, and standards affecting security, privacy,  technology, and public interest.

• Jewel v. NSA: On to the Ninth Circuit: 2019 Year in Review https://www.eff.org/deeplinks/2019/12/jewel-v-nsa-ninth-circuit-2019-year-review
• Fancy New Terms, Same Old Backdoors: The Encryption Debate in 2019 https://www.eff.org/deeplinks/2019/12/fancy-new-terms-same-old-backdoors-encryption-debate-2019
• Italy Will Tax Big Tech https://www.pymnts.com/news/international/2019/italy-will-tax-big-tech/
• French government to scan social media for tax cheats https://www.bbc.co.uk/news/world-europe-50930094
• Opinion: The Internet as we knew it is dead https://vividcomm.com/2019/12/30/the-internet-is-dead/
• Russia Cuts Off Its Internet, With Mixed Results https://www.forbes.com/sites/emmawoollacott/2019/12/24/russia-cuts-off-its-internet-with-mixed-results/
• The US Supreme Court may be asked to wipe laws banning revenge porn off the books https://www.businessinsider.com/bethany-austin-revenge-porn-case-supreme-court-2019-12

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• US Cybercom Considers Bold Election Security Moves - including limited offensive operations against individuals https://www.bankinfosecurity.com/us-cybercom-considers-bold-election-security-moves-report-a-13560
• How Organizations Can Defend Against Advanced Persistent Threats https://thehackernews.com/2019/12/apt-cyber-attacks.html
• How NIST Tested Facial-Recognition Algorithms for Racial Bias https://www.scientificamerican.com/article/how-nist-tested-facial-recognition-algorithms-for-racial-bias/
• How to stop your Google Home from listening to you and storing your audio data https://www.businessinsider.com/how-to-stop-google-home-from-listening-to-me

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• Critical Citrix Bug Puts 80,000 Corporate LANs at Risk https://threatpost.com/critical-citrix-bug-80000-corporate-lans-at-risk/151444/
• Cryptanalysis of two recently proposed Physical Unclonable Functions (PUF) based authentication protocols for IoT: PHEMAP and Salted PHEMAP https://eprint.iacr.org/2019/1461
• Open Source Security measures are insufficient to solve trust issues with hardware supply chains https://hackaday.com/2019/12/29/36c3-open-source-is-insufficient-to-solve-trust-problems-in-hardware/
• Ring sued by man who claims camera was hacked and used to harass his kids https://www.theguardian.com/technology/2019/dec/27/ring-camera-lawsuit-hackers-alabama

Hacking / Malware / Cybercrime / Exploitation

News covering active trends and events.

• Chinese hacker group caught bypassing 2FA https://www.zdnet.com/article/chinese-hacker-group-caught-bypassing-2fa/
• (We've noticed a rise lately) Hackers Go Phishing For The Holidays https://www.datex.ca/blog/hackers-go-phishing-for-the-holidays
• ToTok Is an Emirati Spying Tool https://www.schneier.com/blog/archives/2019/12/totokisan_emi.html
• Phishing Scams Target Canadian Bank Customers https://www.bankinfosecurity.com/phishing-scams-target-canadian-bank-customers-a-13551

Other Security / Risk

Articles covering other types of risks.

• How Disinformation Hacks Your Brain https://blogs.scientificamerican.com/observations/how-disinformation-hacks-your-brain/
• UK Insurance Firms Slash Technology Coverage https://www.pymnts.com/news/international/2019/united-kingdom-insurance-firms-slash-technology-coverage/
• The Ethics of ML and AI https://www.cybered.io/webinars/ethics-ml-ai-w-2274
• Artificial Intelligence Is Rushing Into Patient Care - And Could Raise Risks https://www.scientificamerican.com/article/artificial-intelligence-is-rushing-into-patient-care-and-could-raise-risks/
• The Case for Cyber-Risk Prospectuses https://threatpost.com/cyber-risk-prospectuses/151365/
• (Creepy) AI Christmas Carols https://aiweirdness.com/post/189845472982/the-ais-carol
• Why The Pentagon Is Warning US Military Not To Use Recreational Genetic Test Kits https://www.forbes.com/sites/ellenmatloff/2019/12/27/why-the-pentagon-is-warning-us-military-not-to-use-recreational-genetic-test-kits/ and https://www.nytimes.com/2019/12/24/us/military-dna-tests.html
• Which of these mushrooms could kill you? (video) https://scienmag.com/which-of-these-mushrooms-could-kill-you-video/
• Mass killings in the U.S. rose to a new high in 2019 — most of them were shootings https://globalnews.ca/news/6343117/us-mass-shootings-murders-2019/
• High BMI may improve cancer survival https://scienmag.com/high-bmi-may-improve-cancer-survival/
• Vancouver island hit by 48 earthquakes, the largest being magnitude 6.2 https://globalnews.ca/news/6336756/seventh-earthquake-in-48-hours-strikes-off-coast-of-vancouver-island/
• Huawei Warns Google: We Are Almost Ready To Replace You https://www.forbes.com/sites/zakdoffman/2019/12/24/huawei-warns-google-we-are-almost-ready-to-replace-you-new-report/
• The SEC taking aim at 'contribution margin' and other non-GAAP accounting methods https://www.businessinsider.com/wework-peloton-contribution-margin-sec-non-gaap-measures-2019-12
• EFF Threatlab - 2019 in review https://www.eff.org/deeplinks/2019/12/threat-lab-year-review-2019
• Man Who Claims He Invented Bitcoin Says He Can’t Access Fortune https://www.pymnts.com/blockchain/bitcoin/2019/man-who-claims-he-invented-bitcoin-says-cant-access-fortune/
• Risks of brand marketing in the world of memes (makes sense up until the last sentence which appears to have trolled a number of reactions) https://www.cbc.ca/news/opinion/opinion-baby-yoda-meme-1.5400626

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• Here Are 6 Reasons Climate Scientists Are Hopeful https://www.sciencealert.com/climate-scientists-have-not-given-up-hope-here-s-why-you-shouldn-t-either
• Scientists Have 'Cleared' Alzheimer's Plaque From Mice Using Only Light And Sound https://www.sciencealert.com/scientists-have-cleared-alzheimer-s-plaque-from-mice-using-only-light-and-sound
• Simple way to solve quadratic equations requires less math https://www.sciencealert.com/math-genius-finally-discovers-easy-way-to-solve-quadratic-equations-after-4-000-years
• Quantum Teleportation Reported in a Qutrit For The First Time https://www.sciencealert.com/quantum-teleportation-reported-in-a-qutrit-for-the-first-time
• Mysterious swarms of giant drones have started to appear in the Colorado and Nebraska night sky https://www.businessinsider.com/giant-drone-swarm-mystery-in-colorado-nebraska-skies-2019-12
• Christmas Eve at the Moon: Apollo 8's Historic Message Beamed to Earth Today in 1968 https://www.space.com/apollo-8-christmas-eve-message-revisited.html
• Astronomers worry about too many satellites https://www.cbc.ca/news/thenational/astronomers-worry-about-too-many-satellites-1.5409742
• New engine tech that could get us to Mars faster https://www.bbc.com/news/science-environment-48912458
• Don’t panic! Betelgeuse is (almost certainly) not about to explode https://www.syfy.com/syfywire/dont-panic-betelgeuse-is-almost-certainly-not-about-to-explode
• Physicist Proposes Radical New 'Stellar Engine' That Could Move Our Entire Solar System https://www.sciencealert.com/what-is-a-stellar-engine-and-could-it-help-us-escape-a-supernova