This Week’s [in]Security - Issue 145 | insecurity | Control Gap

Welcome to This Week’s [in]Security. Online Skimming and PCI. CheckPeople.com breach. Ransomware and Password Theft. DNA collection. Apple vs. FBI Round 2, NIST IoT, Password blocking. Correcting misinformation. Practical SHA-1 attack, Critical Firefox, Citrix ADC, WebEx, and CableHaunt. An ancient AV archive bug. ToTok controversy. Ontario Healthcare risks. Iranian malware and powergrids. Supply chain DoS. Tricky Phishing. Hacking laws with SQL. Ask Why! Another nuclear false alarm. Deepfakes and lies. Australian wildfires. Emoji liabilities. Measles deaths. Gaining Trust. Disturbing AI. And more.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

News and announcements relating to Payment Security, PCI, Card Brands, Payments, Payment Malware and Fraud.

• Online Skimming and Payment Security https://blog.pcisecuritystandards.org/online-skimming-and-payment-security
• MyPinPad Gets Added PCI Certification and other Digital Transactions News briefs from 1/7/20 https://www.digitaltransactions.net/mypinpad-gets-added-pci-certification-and-other-digital-transactions-news-briefs-from-1-7-20/
• NY Man Gets Jail Time For $390K Card Skimming Scheme https://www.pymnts.com/news/security-and-risk/2020/ny-man-jail-time-card-skimming-scheme/, https://www.zdnet.com/article/atm-skimmer-sentenced-for-fleecing-400000-out-of-new-jersey-banks/
• The Unknown History of Digital Cash https://freedom-to-tinker.com/2020/01/07/the-unknown-history-of-digital-cash/

Breaches / Leaks

Covering breaches, leaks, data exposures, ransomware (as potential breach), and their fallout.

• 22GB db on 56M US people from CheckPeople.com exposed on Chinese IP https://www.theregister.co.uk/2020/01/09/checkpeoplecom_data_exposed/
• A Facebook Bug Exposed Anonymous Admins of Pages https://www.wired.com/story/facebook-bug-page-admins-edit-history-doxxing/
• The Hidden Cost of Ransomware: Wholesale Password Theft https://krebsonsecurity.com/2020/01/the-hidden-cost-of-ransomware-wholesale-password-theft/
• Sodinokibi ransomware publishes stolen data for the First Time for alleged victims Artech Information Systems and threats to several others https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-publishes-stolen-data-for-the-first-time/
• Dixons Carphone hit with £500,000 (pre-GDPR) fine after data breach affecting 14 million people https://www.zdnet.com/article/dixons-carphone-hit-with-500000-fine-after-data-breach-affecting-14-million-people/

• More breached credentials added to Have I Been Pwned:

  • BtoBet - 444,241 breached accounts https://haveibeenpwned.com/PwnedWebsites#BtoBet
  • Planet Calypso - 62,261 breached accounts https://haveibeenpwned.com/PwnedWebsites#PlanetCalypso
  • Go Games - 3,430,083 breached accounts https://haveibeenpwned.com/PwnedWebsites#GoGames

Privacy

Articles about privacy related news, risks, and trends.

• U.S. collection of DNA at Canada, Mexico borders ‘hugely problematic’ https://globalnews.ca/news/6377010/us-canada-border-dna-collection/
• Facebook Says Encrypting Messenger by Default Will Take Years https://www.wired.com/story/facebook-messenger-end-to-end-encryption-default/
• (Creepy) Linksys Wi-Fi will soon monitor your breathing as well as movement https://www.theverge.com/2020/1/8/21056418/linksys-wellness-pods-aware-health-date

Laws & Regulations / Standards

News about laws, regulations, and standards affecting security, privacy,  technology, and public interest.

• Senator seeks ban from sharing US intelligence with countries that use Huawei 5G https://www.businessinsider.com/us-senator-bill-huawei-ban-sharing-intelligence-huawei-5g-2020-1
• Statistics Canada expects moving its data to the cloud could raise security questions (e.g. regulations, residency) https://beta.ctvnews.ca/national/politics/2020/1/12/1_4763721.html
• Lawmakers Prod FCC to Act on SIM Swapping https://krebsonsecurity.com/2020/01/senators-prod-fcc-to-act-on-sim-swapping/
• European Privacy Experts to Assess GDPR Compliance https://epic.org/2020/01/european-privacy-experts-to-as.html
• Apple vs. FBI round 2 - The FBI has asked Apple to unlock another shooter’s iPhone https://www.theverge.com/2020/1/7/21054836/fbi-iphone-unlock-apple-encryption-debate-pensacola-ios-security, https://www.nytimes.com/2020/01/07/technology/apple-fbi-iphone-encryption.html
• Which governments impose SIM-card registration laws to collect data on their citizens? https://www.comparitech.com/blog/vpn-privacy/sim-card-registration-laws/
• Trump Administration Presents New AI Regulations For Federal Agencies https://www.pymnts.com/news/regulation/2020/trump-administration-presents-new-ai-regulations-for-federal-agencies/
• FBI Tightening Up Wiretap Protocols After Watchdog Report https://www.securityweek.com/fbi-tightening-wiretap-protocols-after-watchdog-report
• NIST has release the 2nd draft of NISTIR 8259, Recommendations for IoT Device Manufacturers: Foundational Activities and Core Device Cybersecurity Capability Baseline for comment until Feb 7th. See the project https://csrc.nist.gov/publications/detail/nistir/8228/final and the draft https://csrc.nist.gov/publications/detail/nistir/8259/draft
• NIST 800-171 & Why Organizations Need Password Similarity Blocking in Active Directory https://www.bankinfosecurity.com/blogs/enzoic-blog-6-p-2838
• NY Lawmakers Push For Public eBanking System https://www.pymnts.com/news/digital-banking/2020/ny-lawmakers-push-for-public-ebanking-system/
• (Right to repair) DMCA-Locked Tractors Make Decades-Old Machines the New Hotness https://hackaday.com/2020/01/07/dmca-locked-tractors-make-decades-old-machines-the-new-hotness/

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• Firefox 72 blocks third-party fingerprinting resources https://blog.mozilla.org/security/2020/01/07/firefox-72-fingerprinting/
• Firefox 74 will drop support for TLS 1.0 and TLS 1.1 https://www.ghacks.net/2020/01/10/firefox-74-will-drop-support-for-tls-1-0-and-tls-1-1/
• Preventing Data From Becoming A Liability https://www.datex.ca/blog/preventing-data-from-becoming-a-liability
• Fingerprint ID Dominates Authentication, But Facial Recognition Is Growing Fast https://www.digitaltransactions.net/fingerprint-id-dominates-authentication-but-facial-recognition-is-growing-fast/
• “Regularly Assess” Security Has Different Meanings to Different People https://it.toolbox.com/blogs/kevinbeaver/regularly-assess-security-has-different-meanings-to-different-people-070819
• Facebook, Samsung, Ring Unveil New Privacy, Security Tools at CES 2020 https://www.securityweek.com/facebook-samsung-ring-unveil-new-privacy-security-tools-ces-2020
• NIST/Tetrate workshop and conference on “Identify Management and Access Control in Multi-Cloud” January 23-24 (registration close January 15th) https://www.nist.gov/news-events/events/2020/01/identity-management-access-control-multiclouds-workshop-and-conference
• NIST 'NICE' Cybersecurity Framework Webinar Jan 29th https://www.nist.gov/news-events/events/2020/01/nice-webinar-learning-principles-cybersecurity-practice
• Biometric-Authenticated Searchable Encryption https://eprint.iacr.org/2020/017
• What is the random oracle model and why should you care? Hashing and cryptography: https://blog.cryptographyengineering.com/2020/01/05/what-is-the-random-oracle-model-and-why-should-you-care-part-5/
• USB Cable Kill Switch for Laptops (previously reported but some options seem unwise) https://www.schneier.com/blog/archives/2020/01/usbcable_kill.html
• New imaging system and artificial intelligence algorithm accurately identify brain tumors https://scienmag.com/new-imaging-system-and-artificial-intelligence-algorithm-accurately-identify-brain-tumors/
• Where Machine Learning meets Cryptography - an example https://towardsdatascience.com/where-machine-learning-meets-cryptography-b4a23ef54c9e
• Correcting vaccine misinformation is a difficult process https://scienmag.com/correcting-vaccine-misinformation-is-a-difficult-process-study-shows/
• $500M invested in carbon-capture tech https://www.businessinsider.com/meet-the-5-buzziest-startups-turning-carbon-emissions-into-profit-2020-1

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• New Attack leaves SHA-1 is a Shambles - First Chosen-Prefix Collision on SHA-(Practical) https://eprint.iacr.org/2020/014 and https://www.schneier.com/blog/archives/2020/01/new_sha-1_attac.html
• PGP keys, software security, and much more threatened by new SHA1 exploit https://arstechnica.com/information-technology/2020/01/pgp-keys-software-security-and-much-more-threatened-by-new-sha1-exploit/
• U.S. Government(DHS) Confirms Critical Security Warning For Firefox Users https://www.forbes.com/sites/daveywinder/2020/01/09/us-government-confirms-critical-security-warning-for-firefox-users/
• Firefox gets patch for critical zeroday that’s being actively exploited https://arstechnica.com/information-technology/2020/01/firefox-gets-patch-for-critical-zeroday-thats-being-actively-exploited/
• Attackers exploiting critical Citrix ADC, Gateway flaw, company yet to release fixes https://www.helpnetsecurity.com/2020/01/09/cve-2019-19781/
• Proof-of-concept code published for Citrix bug as attacks intensify https://www.zdnet.com/article/proof-of-concept-code-published-for-citrix-bug-as-attacks-intensify/
• Cisco Webex Bug Allows Remote Code Execution https://threatpost.com/cisco-webex-bug-allows-remote-code-execution/151724/
• Hundreds of millions of cable modems are vulnerable to new Cable Haunt vulnerability https://www.zdnet.com/article/hundreds-of-millions-of-cable-modems-are-vulnerable-to-new-cable-haunt-vulnerability/
• Four AV vendors patch 10 year old archive bug https://www.securityweek.com/antivirus-vendors-patch-bugs-first-discovered-10-years-ago
• Mailbox Master Keys - bad idea not easily fixed https://www.schneier.com/blog/archives/2020/01/mailboxmaster.html
• Google Fixes Critical Android RCE Flaw https://threatpost.com/google-fixes-critical-android-rce-flaw/151605/
• First Active Attack Exploiting CVE-2019-2215 Found on Google Play, Linked to SideWinder APT Group https://blog.trendmicro.com/trendlabs-security-intelligence/first-active-attack-exploiting-cve-2019-2215-found-on-google-play-linked-to-sidewinder-apt-group/
• Major TikTok Security Flaws Found https://www.nytimes.com/2020/01/08/technology/tiktok-security-flaws.html

• Controversy and dilema over ToTok 'spyware' removal and return:

  • ToTok Returned to Google Play Despite ‘Spy Tool’ Claims https://threatpost.com/totok-returned-to-google-play-spy-tool/151576/
  • Alleged Spy App ToTok Puts Apple in a Bind https://www.wired.com/story/totok-google-play-apple-app-store-uae-surveillance/
  • Analysis: 'Orwellian' Surveillance in 2020 https://www.bankinfosecurity.com/interviews/analysis-orwellian-surveillance-in-2020-i-4570
• Ontario’s healthcare shakeup attracting cyberattacks – larger attack surface more victims bigger payoff https://www.itworldcanada.com/article/ontarios-healthcare-shakeup-attracting-cyberattacks-says-security-expert/425534
• Google’s Project Zero is now being more considerate with how it discloses security vulnerabilities https://www.theverge.com/2020/1/8/21056476/google-project-zero-90-day-disclosure-policy-vulnerability-early-cybersecurity
• Profitable 51% blockchain attack https://eprint.iacr.org/2020/019

Hacking / Malware / Cybercrime / Exploitation

News covering active trends and events.

• New Iranian data wiper malware hits Bapco, Bahrain's national oil company https://www.zdnet.com/article/new-iranian-data-wiper-malware-hits-bapco-bahrains-national-oil-company/
• Iranian Hackers Have Been ‘Password-Spraying’ the US Grid https://www.wired.com/story/iran-apt33-us-electric-grid/
• Chinese Cyber-Espionage Group Targeted NGOs for Years https://www.securityweek.com/chinese-cyber-espionage-group-targeted-ngos-years
• The Troubling Ripple Effects Of The Travelex FX Hack https://www.pymnts.com/news/security-and-risk/2020/ripple-effects-of-travelex-fx-hack/
• Tricky Phish Angles for Persistence, Not Passwords targets Office 365 corporate users https://krebsonsecurity.com/2020/01/tricky-phish-angles-for-persistence-not-passwords/
• I'm the queen of Gibraltar and will never get a traffic ticket... just two of the things anyone could have written into country's laws thanks to unsanitised SQL input vuln https://www.theregister.co.uk/2020/01/07/gibraltar_sql_vuln_allowed_law_editing/
• Google details its three-year fight against the Bread (Joker) malware operation https://www.zdnet.com/article/google-details-its-fight-against-the-bread-joker-malware-operation/
• Car Hacking Hits the Streets https://www.darkreading.com/edge/theedge/car-hacking-hits-the-streets/b/d-id/1336730
• Unremovable malware found preinstalled on low-end smartphone sold and subsidized in the US https://www.zdnet.com/article/unremovable-malware-found-preinstalled-on-low-end-smartphone-sold-in-the-us/ and https://arstechnica.com/information-technology/2020/01/us-government-funded-android-phones-come-preinstalled-with-unremovable-malware/
• FBI Investigating How Town Defrauded of $1 Million https://www.bankinfosecurity.com/fbi-investigating-how-town-defrauded-1-million-report-a-13580
• Barneys Employees Told Paychecks Stalled Due To Ransom Hacker https://www.pymnts.com/news/b2b-payments/2020/barneys-employees-told-paychecks-stalled-due-to-ransom-hacker/
• Alleged Member of Neo-Nazi Swatting Group Charged https://krebsonsecurity.com/2020/01/alleged-member-of-neo-nazi-swatting-group-charged/
• Man jailed for using data breach info leaks to claim over $12 million in IRS tax refunds https://www.zdnet.com/article/man-jailed-for-using-data-breach-info-leaks-to-claim-over-12-million-in-irs-tax-refunds/

Other Security / Risk

Articles covering other types of risks.

• In 2020, Resolve To Ask “Why?” https://www.forbes.com/sites/brycehoffman/2020/01/07/in-2020-resolve-to-ask-why/
• The FAA banned US airlines from flying over Iran and Iraq after a missile attack on US troops https://www.businessinsider.com/faa-bans-us-airlines-from-flying-over-iran-iraq-2020-1
• Demystifying The Iranian Navy’s Submarine-Launched Hoot Super Weapon https://www.forbes.com/sites/hisutton/2020/01/08/iranian-navys-submarine-launched-hoot-super-weapon-demystified/
• How Close Is Iran to a Nuclear Weapon? https://www.wired.com/story/how-close-is-iran-to-a-nuclear-weapon-heres-what-we-know/
• (Not as bad as the Hawaii missle false alarm but still) Ontario residents demand answers after OPG says emergency alert sent ‘in error’ https://globalnews.ca/news/6400754/residents-demand-answers-opg-false-alert/
• Facebook Says It Won’t Back Down From Allowing Lies in Political Ads https://www.nytimes.com/2020/01/09/technology/facebook-political-ads-lies.html
• Facebook bans deepfake videos ahead of 2020 US election but allows misinformation https://www.independent.co.uk/life-style/gadgets-and-tech/news/facebook-deepfake-videos-2020-election-trump-biden-a9273311.html and https://www.nytimes.com/2020/01/07/technology/facebook-says-it-will-ban-deepfakes.html
• Facebook’s deepfake ban isn’t winning over critics https://www.theverge.com/2020/1/7/21055283/facebook-deepfake-ban-political-ads-shallowfakes-rules-moderation
• Terrifying Images Show The Overwhelming Scale of Australia's Bushfires From Space https://www.sciencealert.com/stunning-images-from-space-reveal-the-extent-of-australia-s-bushfire-crisis
• Be careful what you emoji- it could land you in court https://abc30.com/business/be-careful-what-you-emoji--it-could-land-you-in-court-/3126470/
• DR Congo measles: More than 6,000 dead in world's worst outbreak https://www.bbc.co.uk/news/world-africa-51028791
• When Opioids Backfire https://blogs.scientificamerican.com/observations/when-opioids-backfire/
• 23andMe sold the rights to a drug it developed from its genetic database https://www.theverge.com/2020/1/10/21060456/23andme-licensed-drug-developed-genetic-database-autoimmune-psoriasis-almirall
• Stretched Too Thin by Social Media https://blogs.scientificamerican.com/observations/stretched-too-thin-by-social-media/
• Opinion on happiness, well-being, stressm anxiety, and societies "Being Special Isn’t So Special" https://getpocket.com/explore/item/being-special-isn-t-so-special
• How to use an old trick from psychiatrists to get people to trust you at work https://www.businessinsider.com/how-to-get-people-to-trust-you-2015-9
• Meet The Linux Desktop That Wants To Be An Ideal Upgrade For Windows 7 Users https://www.forbes.com/sites/jasonevangelho/2020/01/08/meet-the-linux-desktop-aiming-to-be-the-perfect-upgrade-for-windows-7-users/
• Airbnb has patented software that digs through social media to root out people who display 'narcissism or psychopathy' https://www.businessinsider.com/airbnb-software-predicts-if-guests-are-psychopaths-patent-2020-1
• Toilet paper delivery robot (it's a concept and we can only imaging the privacy you'd be giving up if it were comercialized) https://www.businessinsider.com/toilet-paper-bathroom-delivery-robot-charmin-2020-1
• Robot Tax https://markets.businessinsider.com/news/stocks/robot-tax-gains-steam-job-killing-automation-work-economy-2020-1-1028807242
• Bedbugs 'deliberately released' at Walmart in Pennsylvania (ouch nasty attack difficult to defend) https://www.bbc.co.uk/news/world-us-canada-51012938

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• Quantum Slits Open New Doors (Quantum version of the double-slit experiment has computing implications) https://www.scientificamerican.com/article/quantum-slits-open-new-doors/
• Researchers simulate quantum computer with up to 61 quantum bits using a supercomputer with data compression https://phys.org/news/2020-01-simulate-quantum-bits-supercomputer-compression.html
• Avro Arrow blueprints on display after sitting in Sask. man's home for decades https://www.cbc.ca/news/canada/saskatoon/saved-avro-arrow-blueprints-ordered-destroyed-1.5416554
• How a mysterious seismic hum led scientists to the birth of an enormous undersea volcano https://www.washingtonpost.com/nation/2020/01/09/earthquake-creates-underwater-volcano/
• Earth's Magnetic Field Just Hit a Phantom Speed Bump https://astroengine.com/2020/01/07/earths-magnetic-field-just-hit-a-phantom-speed-bump/
• First Earth sized habitable zone exoplanet found (it only took 24 years and around 6000 prior discoveries) https://www.scientificamerican.com/article/nasas-tess-planet-hunter-finds-its-first-earth-size-world-in-habitable-zone/
• Forget Betelgeuse, the Star V Sagittae Should Go Nova Within this Century https://www.universetoday.com/144529/forget-betelgeuse-the-star-v-sagittae-should-go-nova-within-this-century/
• Thuban, the north star of ancient times, newly found to be an eclipsing binaryand why we missed it before https://www.businessinsider.com/nasa-finds-ancient-north-star-undergoes-eclipses-2020-1
• Astronomers Have Tracked a Repeating Radio Signal Across Space to an Unexpected Origin https://www.sciencealert.com/that-newly-discovered-repeating-frb-has-been-tracked-to-a-really-puzzling-origin
• New Research Casts A Shadow On The Existence Of Dark Energy https://www.universetoday.com/144531/new-research-casts-a-shadow-on-the-existence-of-dark-energy/