This Week’s [in]Security – Issue 146

Welcome to This Week’s [in]Security. Magecart, SHA-1, bad compliance culture. Visa Contactless on Android. Breached: PlanetDrugsDirect, P&N Bank, Formations House, Peekaboo Moments, 500K IoT devices, More ransomware. WeLeakInfo seized. Breach lawsuits. Equifax settlement. Dating sites violate GDPR. Facial surveillance. DNA privacy. No-tracking search. CCPA disclosure. Limiting CFAA.NIST conference and drafts. Free source analyzer. Exploit Proof of Concepts. Windows bad week. Oracle. Wordpress. Beware the patching hacker. Conversation hijacking. New Malware. Disruption for profit. Geo-fence warrants. Snowmageddon Newfoundland, 5G Security. Artificial Personas. AI liability? And more.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

News and announcements relating to Payment Security, PCI, Card Brands, Payments, Payment Malware and Fraud.

• Online Skimming and Payment Security https://blog.pcisecuritystandards.org/online-skimming-and-payment-security
• Card Skimmer Hits Australian Bushfire Donation Site https://threatpost.com/card-skimmer-australian-bushfire-donation-site/151841/
• (Following up on last weeks news and this has PCI impact) Powerful GPG collision attack spells the end for SHA-1 https://nakedsecurity.sophos.com/2020/01/13/powerful-gpg-collision-attack-spells-the-end-for-sha-1/
• (This has broader implications than just aircraft) The slippery slope of a bad compliance culture (as shown in leaked Boeing emails) https://fcpablog.com/2020/01/15/leaked-boeing-emails-show-slippery-slope-of-a-bad-compliance-culture/
• Visa to let merchants accept contactless payments on Android NFC phones https://www.nfcw.com/2020/01/13/365424/visa-to-let-merchants-accept-contactless-payments-on-android-nfc-phones/

Breaches / Leaks

Covering breaches, leaks, data exposures, ransomware (as potential breach), and their fallout.

• PlanetDrugsDirect reveals security breach, warns customers their data may have been exposed https://www.tripwire.com/state-of-security/featured/planetdrugsdirect-reveals-security-breach-warns-customers-their-data-may-have-been-exposed/
• P&N Bank discloses data breach, customer account information, balances exposed https://www.zdnet.com/article/p-n-bank-discloses-data-breach-customer-pii-account-information-stolen/
• New data leak exposes owners of 400,000 anonymous companies https://fcpablog.com/2020/01/13/london-new-data-leak-exposes-owners-of-400000-anonymous-companies/
• Baby's First Data Breach: App Elasticsearch db Exposes Baby Photos, Videos https://www.bankinfosecurity.com/babys-first-breach-app-exposes-baby-photos-videos-a-13603
• Hacker leaks passwords for more than 500,000 servers, routers, and IoT devices https://www.zdnet.com/article/hacker-leaks-passwords-for-more-than-500000-servers-routers-and-iot-devices/
• europa.jobs - 226,095 breached accounts added to HIBP https://haveibeenpwned.com/PwnedWebsites#EuropaJobs
• Ransomware attack on eHealth forces 31 cancer patients to re-schedule radiation treatment https://www.cbc.ca/news/canada/saskatoon/ransomware-attack-ehealth-cancer-patients-1.5428346
• Sask. NDP asks for government security review following ransomware attack https://www.cbc.ca/news/canada/saskatchewan/sask-ndp-security-ransomware-1.5420895
• Hackers attack City of Dawson Creek's computer systems https://www.cbc.ca/news/canada/british-columbia/dawson-creek-hacking-malware-1.5423118
• Albany Airport Pays Off Sodinokibi Ransomware Gang https://www.bankinfosecurity.com/albany-airport-pays-off-sodinokibi-ransomware-gang-report-a-13602
• FBI seizes WeLeakInfo, a website that sold access breached data https://www.zdnet.com/article/fbi-seizes-weleakinfo-a-website-that-sold-access-breached-data/
• Class Action Breach Lawsuits: The Impact of Data for Sale https://www.databreachtoday.com/interviews/class-action-breach-lawsuits-impact-data-for-sale-i-4572
• Equifax Breach Settlement Could Cost Firm Billions https://www.infosecurity-magazine.com/news/equifax-breach-settlement-could/
• Equifax Settles Class-Action Breach Lawsuit for $380.5M https://threatpost.com/equifax-settles-class-action-lawsuit/151873/
• Equifax Settles Mega-Breach Lawsuit for $1.38 Billion https://www.bankinfosecurity.com/equifaxs-class-action-done-dusted-a-13608
• 650 days after leak, province says Nova Scotians will be able to file FOI requests online again https://globalnews.ca/news/6415343/nova-scotia-foi-requests-back-online/

Privacy

Articles about privacy related news, risks, and trends.

• Study says Grindr, OkCupid, and Tinder breach GDPR https://www.zdnet.com/article/study-says-grindr-okcupid-and-tinder-breach-gdpr/ and https://www.nytimes.com/2020/01/13/business/grindr-apps-dating-data-tracking.html
• Privacy experts slam UK’s ‘disastrous’ failure to tackle unlawful adtech https://techcrunch.com/2020/01/17/privacy-experts-slam-uks-disastrous-failure-to-tackle-unlawful-adtech/
• The Secretive Company That Might End Privacy as We Know It scrapped Facial images from Facebook, Youtube, Venmo and more https://www.nytimes.com/2020/01/18/technology/clearview-privacy-facial-recognition.html and https://www.businessinsider.com/law-enforcement-using-unknown-facial-recognition-technology-facebook-photos-2020-1
• DNA testing kits: What are the privacy risks? https://www.comparitech.com/blog/information-security/dna-testing-kits-privacy-risks/
• DNA from detained immigrants will change the nature of the FBI’s genetic database https://www.theverge.com/2020/1/14/21063627/dna-detained-immigrants-fbi-codis-bias-crime-database
• Google plans to drop Chrome support for tracking cookies by 2022 https://arstechnica.com/information-technology/2020/01/google-plans-to-drop-chrome-support-for-tracking-cookies-by-2022/
• Verizon offers no-tracking search engine, promises to protect your privacy https://arstechnica.com/information-technology/2020/01/verizon-offers-no-tracking-search-engine-promises-to-protect-your-privacy/

Laws & Regulations / Standards

News about laws, regulations, and standards affecting security, privacy,  technology, and public interest.

• Now Stores Must Tell You How They're Tracking Your Every Move https://www.wired.com/story/stores-must-tell-you-how-theyre-tracking/
• Ottawa considering 'significant and meaningful' compensation for privacy breach victims https://www.cbc.ca/news/politics/privacy-breach-compensation-mandate-letter-1.5417467
• EU Leaders to Consider Ban on Face Surveillance https://epic.org/2020/01/eu-leaders-to-consider-ban-on-.html
• Internet Censorship 2020: A Global Map of Internet Restrictions https://www.comparitech.com/blog/vpn-privacy/internet-censorship-map/
• Government-imposed internet blackouts cost the global economy $8 billion in 2019, and 2020 could be even worse https://www.businessinsider.com/internet-shutdowns-cost-the-global-economy-8-billion-in-2019-2020-1
• Microsoft CEO says encryption backdoors are a ‘terrible idea’ https://www.theverge.com/2020/1/13/21064267/microsoft-encryption-backdoor-apple-ceo-nadella-pensacola-privacy
• Unlocking news: We decrypt those cryptic headlines about Scottish cops bypassing smartphone encryption https://www.theregister.co.uk/2020/01/17/scottishcopscellebrite_kiosks/
• (Ongoing) Statistics Canada is planning to move its data over to the cloud — and is bracing for public outcry https://ottawacitizen.com/news/economy/statistics-canada-expects-move-to-the-digital-cloud-will-prompt-some-rumbling/
• EFF Asks the Supreme Court to Put a Stop to Dangerously Broad Interpretations of the Computer Fraud and Abuse Act https://www.eff.org/deeplinks/2020/01/eff-asks-supreme-court-put-stop-dangerously-broad-interpretations-computer-fraud
• NIST’s Advancing Cybersecurity Risk Management Conference - May 27-28, 2020 in Gaithersburg MD https://content.govdelivery.com/accounts/USNIST/bulletins/275e42e
• NIST Webcast conference Iidentity Management and Access Control in Multi-clouds https://www.nist.gov/news-events/events/2020/01/identity-management-access-control-multiclouds-workshop-and-conference
• NIST (SP) 800-204A Draft: Building Secure Microservices-based Applications Using Service-Mesh Architecturefor public comment until February 14, 2020 https://csrc.nist.gov/publications/detail/sp/800-204a/draft

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• FBI Plans to Notify States About Local Election Breaches https://www.securityweek.com/fbi-plans-notify-states-about-local-election-breaches
• Truly Secure Voting Is on the Way https://www.scientificamerican.com/article/truly-secure-voting-is-on-the-way/
• Microsoft Introduces Free Source Code Analyzer https://www.securityweek.com/microsoft-introduces-free-source-code-analyzer
• Canadian Medical Association Journal lifts online paywall to combat fake news https://globalnews.ca/news/6416915/canadian-medical-journal-paywall-fake-news/
• Don't Ignore Chrome's New Password Checkup Feature https://www.wired.com/story/chrome-password-popups/
• Modern Browsers and protocols support Perfect Forward Secrecy - Here's what that is A Guide for 2020 https://www.cloudwards.net/perfect-forward-secrecy/
• Danish Governmentusing Have I Been Pwned https://www.troyhunt.com/welcoming-the-danish-government-to-have-i-been-pwned/
• Province promises $550K for new Manitoba centre focused on cybersecurity https://www.cbc.ca/news/canada/manitoba/cybersecurity-technical-centre-funding-1.5400080
• How to verify that quantum chips are computing correctly https://phys.org/news/2020-01-quantum-chips-correctly.html
• Tesla Offers US$1 Million and a Car as Bug Bounty Reward https://www.cisomag.com/tesla-offers-us1-million-and-a-car-as-bug-bounty-reward/
• Low-Latency Hardware Masking with Application to AES https://eprint.iacr.org/2020/051
• NortonLifeLock to Sell ID Analytics Business to LexisNexis Risk Solutions https://www.securityweek.com/nortonlifelock-sell-id-analytics-business-lexisnexis-risk-solutions

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• Are Published PoC Exploits a Good or Bad Idea? https://threatpost.com/poll-published-poc-exploits-good-bad/151966/

• A bad week for Windows users:

  • As Windows 7 support ends, these are your four options https://www.zdnet.com/article/what-is-your-companys-windows-7-exit-strategy/
  • Windows 7: “I’m not dead yet!” - 53% of businesses haven't upgraded https://arstechnica.com/information-technology/2020/01/windows-7-im-not-dead-yet/
  • Many ATMs running Windows 7 https://www.digitaltransactions.net/many-atm-operators-will-blow-tomorrows-upgrade-deadline-but-will-that-matter-much/
  • NSA Discloses Serious Windows Vulnerability to Microsoft https://www.securityweek.com/nsa-discloses-serious-windows-vulnerability-microsoft
  • Microsoft Patches Major Crypto Spoofing Bug discovered by the NSA https://threatpost.com/microsoft-patches-crypto-bug/151842/
  • U.S. Government Confirms Critical Browser Zero-Day Security Warning For Windows Users https://www.forbes.com/sites/daveywinder/2020/01/18/us-government-confirms-critical-zero-day-security-warning-for-windows-users/
  • Critical Windows Vulnerability Discovered by NSA https://www.schneier.com/blog/archives/2020/01/critical_window.html
  • Windows 7 ‘Crazy High’ Security Risk As Crypto-mining Exploit Found In Audio Files https://www.forbes.com/sites/daveywinder/2020/01/14/windows-7-crazy-high-security-risk-as-crypto-exploit-found-in-audio-files/
  • January Patch Tuesday: Update List Includes Fixes for Internet Explorer, Remote Desktop, Cryptographic Bugs https://blog.trendmicro.com/trendlabs-security-intelligence/january-patch-tuesday-update-list-includes-fixes-for-internet-explorer-remote-desktop-cryptographic-bugs/
• 320K Wordpresssites vulnerable to auth-bypassing plugins https://www.theregister.co.uk/2020/01/15/updatewordpressplugins/
• Oracle Ties Previous All-Time Patch High with January Updates (300+) https://threatpost.com/oracle-cpu-all-time-patch-high-january/151861/
• Researchers find serious flaws in WordPress plugins used on 400k sites https://arstechnica.com/information-technology/2020/01/researchers-find-serious-flaws-in-wordpress-plugins-used-on-400k-sites/
• Critical Cisco DCNM flaws: Patch right now as PoC exploits are released https://www.zdnet.com/article/critical-cisco-dcnm-flaws-patch-right-now-as-poc-exploits-are-released/S

Hacking / Malware / Cybercrime / Exploitation

News covering active trends and events.

• A hacker is patching Citrix servers to maintain exclusive access https://www.zdnet.com/article/a-hacker-is-patching-citrix-servers-to-maintain-exclusive-access/
• Conversation hijacking - Beware of this sneaky phishing technique now being used in more attacks https://www.zdnet.com/article/beware-of-this-sneaky-phishing-technique-now-being-used-in-more-attacks/
• Oski Data-Stealing Malware Emerges to Target North America, China https://threatpost.com/oski-data-stealing-malware-north-america-china/151856/
• Attackers Increasingly Focus on Business Disruption https://www.darkreading.com/threat-intelligence/attackers-increasingly-focus-on-business-disruption/d/d-id/1336800
• To catch a thief, go to Google with a geofence warrant – and it will give you all the details https://www.theregister.co.uk/2020/01/18/googlegeofencewarrant/
• Russians Breached Burisma During Trump Impeachment Probe https://www.wsj.com/articles/russians-breached-burisma-during-trump-impeachment-probe-report-says-11578963252
• Turkish Hackers Conduct Multiple Cyber-Attacks on Greek State Websites https://greece.greekreporter.com/2020/01/18/turkish-hackers-conduct-multiple-cyber-attacks-on-greek-state-websites/
• Cyber attack sees Picanol shares suspended https://www.brusselstimes.com/news-contents/economic/89253/cyber-attack-sees-picanol-shares-suspended/
• Alberta government website domain hijacked by porn hacker https://www.msn.com/en-ca/news/canada/alberta-government-website-domain-hijacked-by-porn-hacker/ar-BBYZBFn
• Scammers Dupe Texas School District Out of $2.3M https://threatpost.com/scammers-dupe-texas-school-district-out-of-2-3m/151773/
• New Orleans Hack Causes Vendor Payment Delays https://www.pymnts.com/news/b2b-payments/2020/new-orleans-hack-causes-vendor-payment-delays/
• Report: Chinese hacking group APT40 hides behind network of front companies https://www.zdnet.com/article/report-chinese-hacking-group-apt40-hides-behind-network-of-front-companies/
• Attempted Check Fraud Spiked 43 Pct. In Two Years https://www.pymnts.com/news/security-and-risk/2020/attempted-check-fraud-spiked-43-pct-in-two-years/
• New York Fed warns that a cyberattack on a major US financial institution would affect more than a third of bank assets https://markets.businessinsider.com/news/stocks/cyberattack-cripple-us-banking-system-assets-ny-fed-affect-impact-2020-1-1028816940

Other Security / Risk

Articles covering other types of risks.

• Snowmageddon - Extreme winter storm: Photos from eastern Newfoundland's monster blizzard that dumped 93cm of snow wih more on the way https://www.cbc.ca/news/canada/newfoundland-labrador/newfoundland-blizzard-photos-1.5432138 and https://globalnews.ca/news/6434019/newfoundland-snow-environment-canada/
• U.S. Government Grounds Drone Fleet, Cites Surveillance Concerns https://epic.org/2020/01/us-government-grounds-drone-fl.html
• How China Obtains American Trade Secrets https://www.nytimes.com/2020/01/15/business/china-technology-transfer.html
• AI expert says job recruiting sites promote employment discrimination https://www.businessinsider.com/ai-expert-job-sites-must-prove-not-exacerbating-inequality-2020-1
• Schneier essay on 5G Security https://www.schneier.com/blog/archives/2020/01/chinaisnt_the.html
• Artificial Personas and Public Discourse https://www.schneier.com/blog/archives/2020/01/artificial_pers.html
• Who’s liable? The autonomous vehicle or the human driver? https://scienmag.com/whos-liable-the-av-or-the-human-driver/
• Evidence Shows Whooping Cough Is Evolving Into a 'Superbug' https://www.sciencealert.com/whooping-cough-may-evolve-into-a-superbug-if-we-don-t-do-something-scientists-warn
• Is Algebra Useful? https://www.forbes.com/sites/johnewing/2020/01/13/is-algebra-useful/
• New cheaper smartphones on the way? https://www.businessinsider.com/apple-google-samsung-cheap-smartphone-rumors-suggest-industry-changing-2020-1
• Accenture buys Symantec's Cyber Security Services business https://www.itproportal.com/news/accenture-buys-symantecs-cyber-security-services-business/
• Camo for space - really? US Space Force mocked for unveiling camouflage uniforms https://www.bbc.com/news/world-us-canada-51160547

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• Scientists Create a Strange 'Living Concrete' That Heals Itself When Damaged https://www.sciencealert.com/this-concrete-is-packed-with-bacteria-that-help-it-heal-when-damaged
• McMaster chemists close to breaking down old tires to make new ones https://globalnews.ca/news/6409887/mcmaster-hamilton-chemists-tires/
• AlphaZero learns to rule the quantum world https://phys.org/news/2020-01-alphazero-quantum-world.html
• SpaceX successfully test launch abort system by blowing up rocket https://www.nytimes.com/2020/01/19/science/spacex-launch.html
• Who Invented The Mouse? Are You Sure? https://hackaday.com/2020/01/17/who-invented-the-mouse-are-you-sure/
• An Asteroid has been Found that Orbits the Sun Closer than Venus https://www.universetoday.com/144609/an-asteroid-has-been-found-that-orbits-the-sun-closer-than-venus/
• A Second Planet May Have been Found Orbiting Proxima Centauri! And it’s a Super Earth https://www.universetoday.com/144618/a-second-planet-may-have-been-found-orbiting-proxima-centauri-and-its-a-super-earth/ and https://www.scientificamerican.com/article/astronomers-just-found-another-potentially-habitable-exoplanet-what-happens-next/