This Week’s [in]Security – Issue 23

Welcome to This Week’s [in]Security. We’ve collected and grouped together a selection of this week’s news, opinions, and research. Quickly skim these annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

• PCI Assessors (check your email or the PCI Assessor portal): The August Assessor Newsletter is out with a reminder that for unlisted P2PE, NESA is just guidance and in the absence of listed P2PE and NESA the assessor should follow the council's existing guidance (e.g. https://pcissc.secure.force.com/faq/articles/FrequentlyAskedQuestion/How-does-encrypted-cardholder-data-impact-PCI-DSS-scope) and contact the Acquirer or Card Brands.
• The 2017 Verizon Breach Report http://www.verizonenterprise.com/verizon-insights-lab/payment-security/2017/
• PCI CTO on the 2017 Verizon Breach report https://blog.pcisecuritystandards.org/council-cto-on-vpsr

Hurricane Harvey, Flooding

• Donating? Be on the lookout for Hurricane relief scams https://krebsonsecurity.com/2017/08/beware-of-hurricane-harvey-relief-scams/and http://www.cnn.com/2017/08/25/health/iyw-harvey-how-to-help/index.html
• Hurricane response lessons from Katrina and Harvey http://www.bbc.co.uk/news/world-us-canada-41073878
• Could Holland's risk based approach to flooding work in the US? http://www.cnn.com/2017/08/29/opinions/dutch-america-storms-opinion-ghitis/index.html
• Other major (non-Harvey) flooding in Windsor http://www.cbc.ca/news/canada/windsor/more-rain-possible-for-windsor-essex-following-flooding-1.4268037, South-east Asia http://www.cbc.ca/news/canada/toronto/as-devastating-floods-roll-through-south-asia-canadians-reach-out-to-help-1.4270503, and Europe http://floodlist.com/europe
• The worst in people continues to emerge with scam robo-calls https://www.theregister.co.uk/2017/08/31/robocallerstargethurricane_victims/

Breaches / Leaks

• Instagram (unconfirmed) breach of 6M accounts http://thehackernews.com/2017/09/instagram-hack-doxagram.html
• Native Canada Footware 2-year ecommerce breach https://www.privacyrights.org/data-breaches?title=Native%20Canada%20Footwear
• Swedish hosting company Loopia hacked http://www.theregister.co.uk/2017/08/29/loopiahackedcustomerdatarevealed/
• Another spambot breach 711M email addresses https://thehackernews.com/2017/08/spambot-email-addresses.html
• Successful appeal in SuperValu card breach class action hinged on legal confusion of "injury-in fact" and "actual damages" https://epic.org/2017/08/federal-appeals-court-rules-da.html
• China's new cybersecurity may require companies to surrender source code and other intellectual property https://www.theregister.co.uk/2017/09/01/chinacybersecuritylaw_analysis/

Lawful Access / Back-doors / Laws & Regulations

• New US law allows warrant-less searches of homes around DC http://www.csoonline.com/article/3219840/security/trump-signed-bill-into-law-allowing-warrantless-searches-in-parts-of-va-md-and-dc.html
• Linkedin case and legal update on abusing the Computer Fraud and Abuse Act https://www.eff.org/deeplinks/2017/08/judge-cracks-down-linkedins-shameful-abuse-computer-break-law

Bugs

• Implantable medical device in voluntary recall for Cyber-Vulnerabilities https://www.databreachtoday.com/fda-first-cyber-recall-for-implantable-device-a-10238
• Health Canada reviewing implantable medical device recall http://www.cbc.ca/news/health/pacemaker-hacking-fix-needs-health-canada-approval-1.4270970
• More hard-coded credentials, this time in AT&T modems http://www.tenable.com/blog/hardcoded-credentials-expose-customers-of-att-u-verse

Privacy

• Princeton researchers find traffic shaping can protect ISP and upstream spying on smart devices http://www.csoonline.com/article/3219859/security/researchers-find-a-way-to-stop-isps-from-spying-on-you-via-your-smart-devices.html

Hacking / Malware / Cybercrime

• US .gov site hosting ransom-ware https://threatpost.com/us-government-site-removes-link-to-cerber-ransomware-downloader/127767/
• NSA likely new about Intel's Management Engine vulnerabilities and could opt out http://www.zdnet.com/article/researchers-say-intels-management-engine-feature-can-be-switched-off/
• Edmonton's MacEwan University defrauded for $11.8M through phisihng and fake supplier web sites http://www.ctvnews.ca/canada/phishing-attack-lures-12m-from-alberta-university-s-pockets-1.3570640
• Russian "White Bear" hacking tool https://www.schneier.com/blog/archives/2017/09/russian_hacking.html
• 5-wire eMMC flash hack leveraged to find 22 zero-day vulnerabilities in IoT and smartphones https://www.wired.com/story/sd-card-hack-iot-zero-days/
• Hacking smartphones through replacement screens https://www.schneier.com/blog/archives/2017/08/hackingaphone.html
• A look at phishing https://sector.ca/a-look-inside-the-phishing-business/
• Dreamhost (recently in the news for DoJ overreach) comes under DDoS attack https://www.theregister.co.uk/2017/08/24/dreamhostmassiveddos/
• Summary of a recent honeypot experiment http://www.bbc.co.uk/news/technology-40850174

Other Security / Risk

• Krebs shines light on fake news and Twitter bot-nets https://krebsonsecurity.com/2017/08/twitter-bots-use-likes-rts-for-intimidation/
• Japan's CERT publishes paper on detecting lateral movement in event logs with details of event IDs https://www.jpcert.or.jp/english/pub/sr/ir_research.html
• Fiesty Duck #31, more CA distrust, faster factoring, new DES cracker, FIPS 140 compliant OpenSSL variant, and problems with TLS interception technologies  https://www.feistyduck.com/bulletproof-tls-newsletter/issue31symantecsellscertificatebusinessto_digicert.html
• Google will be marking HTTP pages with forms insecure in October https://threatpost.com/google-reminding-admins-http-pages-will-be-marked-not-secure-in-october/127709/
• Article discussing problems with HTTP Public Key Pinning (HPKP) https://www.theregister.co.uk/2017/08/25/hpkpcryptocriticism/
• The sad state of passwords and their alternatives  http://www.pymnts.com/news/b2b-payments/2017/intercede-finds-security-passwords-fail-during-cyberattacks/
• IoT Honeypot https://www.darkreading.com/iot/iotcandyjar-a-honeypot-for-any-iot-device/v/d-id/1329751
• SANS: users and endpoints are key targets https://blog.qualys.com/news/2017/08/29/sans-institute-hackers-paint-a-bullseye-on-your-employees-and-endpoints
• Discussion of identity theft / impersonation risks and shifting liability from banks to individuals https://www.lightbluetouchpaper.org/2017/08/26/is-the-city-force-corrupt-or-just-clueless/
• Why your smartphone carrier is a security risk, more on SMS 2FA risks https://krebsonsecurity.com/2017/08/is-your-mobile-carrier-your-weakest-link/
• Efforts to patch voting machines in 2016 were blocked  http://www.startribune.com/cybersecurity-experts-were-blocked-in-their-push-to-patch-voting-systems-in-2016/442172573/

Off-Topic

• Brief double eclipse of the Sun!  https://apod.nasa.gov/apod/ap170828.html
• Ex-astronaut Chris Hadfield on why a base on the Moon before Mars makes sense https://www.universetoday.com/136983/settle-moon-mars-says-astronaut-chris-hadfield/
• Tomatina! The world's largest food fight. http://www.dailymail.co.uk/news/article-4836742/Spanish-festival-20-000-revellers-throw-tomatoes.html