This Week’s [in]Security – Issue 36 | insecurity | Control Gap

Welcome to This Week’s [in]Security. We’ve collected and grouped together a selection of this week’s news, opinions, and research. Quickly skim these annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

• New guidance on mult-factor authentication article https://blog.pcisecuritystandards.org/guidance-multi-factor-authentication and information supplement https://www.pcisecuritystandards.org/pdfs/Multi-Factor-Authentication-Guidance-v1.pdf

• PCI Publishes 3DS standard supplemental documents

  • https://www.pcisecuritystandards.org/documents/FAQsforPCI3DSCoreSecurityStandard.pdf
  • https://www.pcisecuritystandards.org/documents/3DSCoreQualificationRequirementsv1.0.pdf
  • https://www.pcisecuritystandards.org/documents/3DSCoreAssessorProgramGuide_v1.0.pdf
• Bitcoin woes as exchanges crash and price falls http://www.businessinsider.com/bitcoin-price-gemini-exchange-coinbase-login-issues

Breaches / Leaks

• Troy Hunt's message to Congress on data breaches https://www.troyhunt.com/heres-what-im-telling-us-congress-about-data-breaches/?
• Double breach, the NSA leaks information from Amazon AWS S3 servers and it included classified data as well https://www.bleepingcomputer.com/news/security/top-secret-us-army-and-nsa-files-left-exposed-online-on-amazon-s3-server/
• DHS breach, home PC leaks personal information of nearly 1/4M employees  https://www.usatoday.com/story/news/politics/2017/11/28/sensitive-personal-information-246-000-dhs-employees-found-home-computer/901654001/
• Another AWS S3 breach http://www.zdnet.com/article/national-credit-federation-leaked-us-citizen-data-through-unsecured-aws-bucket/

• More on the Uber breach

  • Discussion @ Schneier https://www.schneier.com/blog/archives/2017/11/uberdatahack.html
  • Uber's obstruction team https://www.theguardian.com/technology/2017/nov/28/uber-court-waymo-trade-secrets-trial
  • EU weighs in https://www.theregister.co.uk/2017/11/30/uberhackeudataprotectionbodslaunch_taskforce/
  • US lawsuits grow https://www.darkreading.com/attacks-breaches/lawsuits-pile-up-on-uber/d/d-id/1330530

Laws & Regulations / Standards

• Canada bringing new cybersecurity ruls https://globalnews.ca/news/3889309/new-cybersecurity-rules-coming-this-winter-ralph-goodale/
• New bill for US breach notification includes jail for executives who conceal braches https://gizmodo.com/new-senate-bill-includes-jail-time-for-executives-who-c-1820897003
• Michael Geist on CBC about Net Neutrality http://www.michaelgeist.ca/2017/11/abandoning-net-neutrality-u-s-matters-canada/
• Analysis of FCC maneuvering on Net Neutrality https://www.wired.com/story/net-neutrality-fiber-optic-internet/
• EFF on the W3C and DRM https://www.eff.org/deeplinks/2017/10/drms-dead-canary-how-we-just-lost-web-what-we-learned-it-and-what-we-need-do-next
• Schneier on cellphone data collection  https://www.schneier.com/blog/archives/2017/11/warrant_protect.html
• Wired article on cellphone data collection  https://www.wired.com/story/supreme-court-must-understand-cell-phones-arent-optional/
• IRS wins a round, Crypto-currency and the taxman https://motherboard.vice.com/en_us/article/ywnmkk/coinbase-irs-14000-bitcoin-tax

Bugs / Design Flaws

• Rooting MacOS "Sierra" is a trivial https://krebsonsecurity.com/2017/11/macos-high-sierra-users-change-root-password-now/
• Android crypto-currecny apps riddled with vulnerabilities https://www.bleepingcomputer.com/news/security/android-cryptocurrency-wallet-apps-are-a-security-disaster-waiting-to-happen/
• Descripion of OWASP XXE (XML External Entity) vulnerability https://www.owasp.org/index.php/XMLExternalEntity_(XXE)_Processing and a prevention cheat sheet https://www.owasp.org/index.php/XMLExternalEntity_(XXE)_PreventionCheatSheet
• Widely used Exim mail transfer agent remote code execution bug https://www.bleepingcomputer.com/news/security/no-patch-available-for-rce-bug-affecting-half-of-the-internets-email-servers/
• Dirty Cow Linux patch was flawed https://threatpost.com/flaw-found-in-dirty-cow-patch/129064/

Privacy

• US Government getting into tattoo recognition https://www.eff.org/press/releases/eff-demands-information-about-secretive-government-tattoo-recognition-technology

Hacking / Malware / Cybercrime

• Investigating Fancy Bear http://www.bbc.com/news/technology-42056555
• CoinPouch Verge wallets hacked https://www.bleepingcomputer.com/news/security/mystery-surrounds-recent-crypto-currency-wallet-hack/
• Internet being scanned for cryptocurrency wallets https://www.bleepingcomputer.com/news/security/theres-some-intense-web-scans-going-on-for-bitcoin-and-ethereum-wallets/
• US charges 3 Chinese APT3 hackers https://www.bleepingcomputer.com/news/security/us-charges-three-members-of-elite-chinese-cyber-espionage-unit/
• Persistent "pop-under" crypto-miner https://www.theregister.co.uk/2017/11/30/cryptominingpersistent/
• Yahoo hacker pleads guilty https://www.darkreading.com/attacks-breaches/suspect-in-yahoo-breach-case-pleads-guilty/d/d-id/1330512
• More jail time for convicted Russian carder https://thehackernews.com/2017/12/russian-hacker-prison.html and https://krebsonsecurity.com/2017/12/carding-kingpin-sentenced-again-yahoo-hacker-pleads-guilty/
• ex-NSA TAO employee pleads guilty https://krebsonsecurity.com/2017/12/former-nsa-employee-pleads-guilty-to-taking-classified-data/

Other Security / Risk

• Some free sources of threat intelligence [https://www.darkreading.com/threat-intelligence/8-low-or-no-cost-sources-of-threat-intelligence---

---

-/d/d-id/1330447](https://www.darkreading.com/threat-intelligence/8-low-or-no-cost-sources-of-threat-intelligence---

-/d/d-id/1330447)

• Behind the NSA "Shadow Broker"  leaks https://krebsonsecurity.com/2017/11/who-was-the-nsa-contractor-arrested-for-leaking-the-shadow-brokers-hacking-tools/
• Wireless relay attack used to steal Mercedes Benz https://www.schneier.com/blog/archives/2017/11/man-in-the-midd_8.html
• Bulletproof TLS Newsletter #34: more on CA distrust, DNS over TLS, TLS 1.3 update, certificate transparency,  https://www.feistyduck.com/bulletproof-tls-newsletter/issue34comodogetscontroversialnewowner
• Google to ban third party code in browser beginning 2018  https://thehackernews.com/2017/11/code-injection-chrome.html
• UK cyber security chief warns against using Kaspersky https://www.theguardian.com/technology/2017/dec/02/dont-use-antivirus-firms-linked-to-russia-cyber-security-chief-tells-whitehall

Off-Topic

• 2017 Hurricane season animation by NASA https://apod.nasa.gov/apod/ap171127.html
• DNA based storage (from 2016), music video encoded in DNA https://www.theverge.com/2016/7/7/12114480/dna-storage-ok-go-microsoft-university-washington-twist-bioscience