This Week’s [in]Security – Issue 33 | insecurity | Control Gap

Welcome to This Week’s [in]Security. We’ve collected and grouped together a selection of this week’s news, opinions, and research. Quickly skim these annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

• PCI blog guidance on 3DES https://blog.pcisecuritystandards.org/pci-ssc-cryptography-expert-on-triple-dea (see also our article https://controlgap.com/blog/nist-moves-on-sweet32/)
• Visa delays compliance action on Stored Credential Framework https://usa.visa.com/support/merchant/library/visa-merchant-business-news-digest.html
• A recent self-checkout scam https://www.pymnts.com/news/retail/2017/walmart-busts-florida-self-checkout-scam/

Breaches / Leaks

• VerticalScope breached again via malware https://krebsonsecurity.com/2017/11/2nd-breach-at-verticalscope-impacts/
• Paradise Papers was an external hack https://www.darkreading.com/external-attacker-leaked-paradise-papers-law-firm-reports/d/d-id/1330329

• Equifax

  • Chief Legal Officer now under internal investigation https://www.pymnts.com/news/security-and-risk/2017/equifax-chief-legal-officer-investigated-for-post-data-breach-shares/
  • Schneier testifies to Congress https://www.schneier.com/blog/archives/2017/11/meonthe_equif.html
  • EFF on what Congress should do about Equifax https://www.eff.org/deeplinks/2017/11/heres-how-congress-should-respond-equifax-breach
  • Cost of breach for 3Q2017 $87.5M http://www.zdnet.com/article/equifax-spends-87-5-million-on-data-breach-more-expenses-on-deck/
• Breaches up 300+% over 2016 https://www.darkreading.com/vulnerabilities--- threats/data-breach-record-exposure-up-305--from-2016/d/d-id/1330359
• Yahoo, Equifax, and Verizon testify before Senate on breaches https://epic.org/2017/11/equifax-yahoo-testify-before-s.html

Laws & Regulations / Standards

• SEC plans to refresh breach reporting guidance https://www.databreachtoday.com/report-sec-plans-breach-reporting-guidance-refresh-a-10447
• Opinion on Australia's war on encryption http://www.zdnet.com/article/australias-war-on-encryption-potentially-reckless-former-us-cyber-advisor/
• First amendment challenge to Trump blocking users from his Twitter https://www.eff.org/press/releases/trumps-blocking-people-his-twitter-account-violates-first-amendment-eff-tells-court
• Requiring warrants for law enforcement access to section 702 data https://www.eff.org/deeplinks/2017/11/sen-feinstein-supports-back-door-warrants-so-why-dont-reps-nunes-and-schiff
• Analysis of Quebec Digital Sales Tax bill http://www.michaelgeist.ca/2017/11/quebec-digital-sales-tax-bill-demonstrates-complications-come-implementing-netflix-tax/
• IETF draft proposal for application layer TLS https://www.theregister.co.uk/2017/11/08/ietfdraftsmiddleboxsecurityworkaround/
• Consumer grade high security Windows 10 Standard from Microsoft https://www.bleepingcomputer.com/news/security/microsoft-releases-standards-for-highly-secure-windows-10-devices/

Bugs / Design Flaws

• Enterprises and individuals at risk from "Eavesdroppper" vulnerability due to developer credentials hard coded in iOS and Android apps  https://www.darkreading.com/mobile/eavesdropper-exposes-millions-of-mobile-conversations/d/d-id/1330377
• The Intel Management Engine is USB exploitable https://www.theregister.co.uk/2017/11/09/chipzillacomeclosercloserlistendumpime/
• November is a big patch for Android including KRACK  https://www.theregister.co.uk/2017/11/07/androidnovembersecurity_update/
• IEEE P1735 standard for protecting intellectual property based on flawed crypto https://threatpost.com/us-cert-warns-of-crypto-bugs-in-ieee-standard/128784/

• CCS17 wrapped up and the papers are available at https://acmccs.github.io/papers/ including

  • ROCA -  the Infineon TPM RSA flaw https://acmccs.github.io/papers/p1631-nemecA.pdf
  • KRACK - the WPA2 key reinstallation attack https://acmccs.github.io/papers/p1313-vanhoefA.pdf
  • Dolphin - the inaudible voice commands attack https://acmccs.github.io/papers/p103-zhangAemb.pdf

Privacy

• Thinking of gifting a new gadget, checkout Mozilla's Privacy Not Included guide first. Article https://www.csoonline.com/article/3236471/security/mozillas-privacy-not-included-guide-reveals-if-holiday-gifts-will-spy-on-you.html and guide https://advocacy.mozilla.org/en-US/privacynotincluded

• Controversy over Facebook revenge porn protection pilot project

  • Overview https://www.theguardian.com/technology/2017/nov/07/facebook-revenge-porn-nude-photos
  • Likely exploits the PhotoDNA "hash" http://www.wired.co.uk/article/iwf-hash-lists-child-abuse-images
  • Popular Mechanics thinks is a good idea albeit a bit creepy http://www.popularmechanics.com/technology/security/news/a28955/facebook-revenge-porn-abuse-prevention-image-hashing/
  • Human filters make it seem creepier http://www.bbc.co.uk/news/41928848
  • Discussion on Schneier's blog https://www.schneier.com/blog/archives/2017/11/facebook_finger

Hacking / Malware / Cybercrime

• Hijacking high value transactions by e-mail https://www.schneier.com/blog/archives/2017/11/cybercriminals_.html
• Another SWIFT attack https://www.databreachtoday.com/report-attackers-hacked-nepalese-banks-swift-server-a-10437
• Ghostwriter a  stored MitM attack against unsecure AWS S3 buckets https://www.bleepingcomputer.com/news/security/misconfigured-amazon-s3-buckets-expose-users-companies-to-stealthy-mitm-attacks/
• Interesting RDP data exfiltration attack  http://www.theregister.co.uk/2017/11/09/evilpixelsresearcherdemosdatatheftoverscreenshare_protocols/
• Hacking campaign goes after diplomatic secrets http://www.zdnet.com/article/this-stealthy-cat-and-mouse-hacking-campaign-aims-to-steal-diplomatic-secrets/
• Fancy Bear APT exploiting MS DDE vulnerability https://www.wired.com/story/russia-fancy-bear-hackers-microsoft-office-flaw-and-nyc-terrorism-fears/
• Not a vulnerability says Microsoft and guidance on blocking DDE exploit https://threatpost.com/microsoft-provides-guidance-on-mitigating-dde-attacks/128833/
• Trump Organization's DNS provider account hacked in 2013 and used subdomains to spread malware http://www.motherjones.com/politics/2017/11/hackers-compromised-the-trump-organization-4-years-ago-and-the-company-never-noticed/
• Fake WhatsApp fools 1M+ users https://www.technologyreview.com/s/609337/is-technology-about-to-decimate-white-collar-work/
• Netphish a successful phishing campaign https://www.wired.com/story/netflix-phishing-scam/
• CADIA study finds 1/3 of Internet came under DDoS attack in last 2 years (and seriously why is CHARGEN even turned on anymore) http://www.theregister.co.uk/2017/11/05/caidastudyfindsonethirdoftheinternetsuffereddenialofserviceattacksbetween2015and2017/
• On the modern attack surface https://www.tenable.com/blog/the-year-of-the-modern-attack-surface
• Former UofIowa student charged over use of keylogger to change grades https://www.bleepingcomputer.com/news/security/student-arrested-for-using-keylogger-to-change-grades-over-90-times/
• Coinhive facilitates drive-by-mining https://www.theregister.co.uk/2017/11/09/cryptominingsitrep/
• A pair of DDoS for hire articles from Krebs https://krebsonsecurity.com/2017/11/hack-of-attack-for-hire-service-vdos-snares-new-mexico-man/ and https://krebsonsecurity.com/2017/11/ddos-for-hire-service-launches-mobile-app/

Other Security / Risk

• IBM announces 50 qubit quantum computer https://www.technologyreview.com/s/609451/ibm-raises-the-bar-with-a-50-qubit-quantum-computer/
• NIST webinar (November 15th) focusing on gaining cyber-workforce experience  https://www.nist.gov/news-events/events/2017/11/path-obtaining-cybersecurity-work-experience-internships-cooperative
• Google research on account takeover from CCS17 and action they took https://security.googleblog.com/2017/11/new-research-understanding-root-cause.html
• WhatsApp security being tested in investigation of journalists murder https://www.schneier.com/blog/archives/2017/11/daphnecaruana\.html
• Banks using verbal passwords https://krebsonsecurity.com/2017/11/simple-banking-security-tip-verbal-passwords/
• ManisTek Gaming Keyboard Cloud Driver collects keystroke data and phones home https://thehackernews.com/2017/11/mantistek-keyboard-keylogger.html
• Fooling AI, see this picture of a turtle rifle  https://www.theguardian.com/technology/2017/nov/03/googles-ai-turtle-rifle-mit-research-artificial-intelligence
• Last week, a BGP error took large parts of US Internet offline https://www.wired.com/story/how-a-tiny-error-shut-off-the-internet-for-parts-of-the-us/
• Predicting the death of white collar jobs https://www.technologyreview.com/s/609337/is-technology-about-to-decimate-white-collar-work/
• The Carbon Footprint of mining Bitcoin https://motherboard.vice.com/en_us/article/ywbbpm/bitcoin-mining-electricity-consumption-ethereum-energy-climate-change
• Another Etherium smart contract accident locks up nearly 1M units https://www.itnews.com.au/news/bug-freezes-hundreds-of-millions-of-ethereum-477160
• Audit fatigue cited as partially to blame for OPM audit failings https://www.databreachtoday.com/opm-contends-audit-fatigue-hampers-infosec-compliance-a-10439
• Chrome to enhance blocking of 3rd party pop-ups and other unwanted behaviour https://www.wired.com/story/chrome-stop-sketchy-sites-from-redirects/
• Self-drive 1 : Human 0 on car safety https://www.theguardian.com/technology/2017/nov/09/self-driving-bus-crashes-two-hours-after-las-vegas-launch-truck-autonomous-vehicle

Off-Topic

• 100M pixel moon photo http://www.syfy.com/syfywire/the-100-megapixel-moon
• Astronomy mystery from 1917, now confirmed as evidence of first exoplanets  http://www.syfy.com/syfywire/the-first-evidence-of-planets-around-another-star-was-found-in%E2%80%A6-1917
• It turns out that even supernovas can have a "Groundhog Day" experience https://scienmag.com/astronomers-discover-a-star-that-would-not-die/
• Man sets speed record for "Ironman" like jet suit https://news.sky.com/story/richard-browning-sets-world-record-in-jet-engine-iron-man-suit-11119148
• This is a test, do not adjust your telescope https://www.universetoday.com/137789/astronomers-practice-responding-killer-asteroid/
• New faster, cheaper 3D metal printing coming https://www.theregister.co.uk/2017/11/10/metal3dprintingatdesktop_metal/