This Week’s [in]Security – Issue 39

Welcome to This Week’s [in]Security. We’ve collected and grouped together a selection of this week’s news, opinions, and research. Quickly skim these annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

• PCI Updates

  • Council names new executive director https://www.pcisecuritystandards.org/pdfs/PCISSCFinalLanceJJohnsonNamedNewExecutiveDirectorofPCISecurityStandardsCouncil.pdf
  • PTS Standrad enters request for comments phase of update process https://blog.pcisecuritystandards.org/request-for-comments-pts-poi-standard
  • 3DS Core reporting template and attestations available https://www.pcisecuritystandards.org/documents/PCI-3DS-Core-v1-ROC-Reporting-Template.pdf and https://www.pcisecuritystandards.org/documents/PCI-3DS-Core-Security-Standard-v1-AOC.docx
  • PIN on Glass standard coming soon https://blog.pcisecuritystandards.org/coming-soon-new-pci-software-pin-entry-on-cots-standard
• Changes coming to QIR program https://blog.pcisecuritystandards.org/changes-coming-to-the-qir-program
• Tampered gift cards https://krebsonsecurity.com/2017/12/buyers-beware-of-tampered-gift-cards/

Breaches / Leaks

• Anothe AWS S3 breach Alteryx exposes data (linked to Experian) on 123 Million American Households http://www.huffingtonpost.ca/entry/alteryx-data-breach-123-million-householdsus5a39316ae4b0860bf4ab4e24
• Nissan Canada's finance arm breached for records on 1.1M customers http://www.cbc.ca/news/business/nissan-canada-breach-1.4460553
• Troy Hunt articles  on fixing data breaches https://www.troyhunt.com/fixing-data-breaches-part-1-education/, https://www.troyhunt.com/fixing-data-breaches-part-2-data-ownership-minimisation/, https://www.troyhunt.com/fixing-data-breaches-part-3-the-ease-of-disclosure/, and https://www.troyhunt.com/fixing-data-breaches-part-4-bug-bounties/
• Summary of 2017 healthcare breaches https://www.databreachtoday.com/2017-health-data-breach-tally-analysis-a-10545
• New research tool (confusingly named TripWire) finds breaches in account registration web sites https://www.bleepingcomputer.com/news/security/data-breach-at-website-with-45-million-users-discovered-during-academic-research/

Laws & Regulations / Standards

• EFF requests relief from DMCA for https://www.eff.org/press/releases/eff-asks-copyright-office-improve-exemptions-digital-millennium-copyright-act
• France to block WhatsApp / Facebook data transfers https://epic.org/2017/12/french-privacy-agency-to-block.html
• Australia updates data breach notification rules https://oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme
• Ars Technica sued over article on "Keeper" vulnerabilities http://www.zdnet.com/article/security-firm-keeper-sues-news-reporter-over-vulnerability-story/
• New York City looking at algorithm transparency and accountability https://epic.org/2017/12/nyc-establishes-algorithm-acco.html

Bugs / Design Flaws

• Windows 10 Anniversary Update Content Delivery Manager silently installs apps including a flawed password manager https://thehackernews.com/2017/12/windows-10-password-manager.html
• Windows 10 facial recognition is broken https://www.theregister.co.uk/2017/12/20/windows10hellofacerecognitioncanbefooledwith_photos/
• Severe vulnerability in Web Proxy Auto Discovery Protocol leads to local LAN compromise of Windows 10 machines https://googleprojectzero.blogspot.ca/2017/12/apacolypse-now-exploiting-windows-10-in_18.html
• Security problems with Apple HomeKit https://medium.com/@khaost/your-home-was-not-so-secure-after-all-af52fbd6777c
• Firefox criticism after Mr Robot extension installed without permission https://www.theverge.com/2017/12/16/16784628/mozilla-mr-robot-arg-plugin-firefox-looking-glass

Privacy

• Article on research warning that anonymisation of individual data will fail https://www.theregister.co.uk/2017/12/18/nohackneededanonymisationbeatenwithadashof_sql/
• Digital Forensics & the Illusion of Privacy https://www.darkreading.com/threat-intelligence/digital-forensics-and-the-illusion-of-privacy/a/d-id/1330696
• Setback for privacy vs connected-car makers https://epic.org/2017/12/federal-appeals-court-dismisse.html

Hacking / Malware / Cybercrime

• Crypto-currency mining malware can destroy phone batteries https://www.theregister.co.uk/2017/12/19/androidtrojanhasminersoaggressiveitcanborkyourbattery/
• Youbit cryptocurrency exchange to file for bankrupcy after 2nd hack https://www.pymnts.com/blockchain/bitcoin/2017/youbit-cryptocurrency-bankruptcy-south-korea/
• US blames DPRK for WannaCry[pt] https://threatpost.com/u-s-government-blames-north-korea-for-wannacry/129201/
• DPRK focus of investigation into Youbit cryptocurecny exchange hack https://www.databreachtoday.com/report-investigators-eye-north-koreans-for-exchange-hack-a-10544
• Another cryptocurrency miner this found in facebook messager http://blog.trendmicro.com/trendlabs-security-intelligence/digmine-cryptocurrency-miner-spreading-via-facebook-messenger/
• Coin exchange DNS hijacked https://www.bleepingcomputer.com/news/security/hackers-hijack-dns-server-of-crypto-to-crypto-exchange-etherdelta/
• Security firm sites was hijacked via DNS used to obtain fraudulent SSL certificates https://www.bleepingcomputer.com/news/security/top-security-firm-admits-to-mitm-security-incident/
• Cryptocurrency insider trading at Coinbase https://www.theverge.com/2017/12/20/16800940/coinbase-bitcoin-cash-fork-insider-trading-probe

Other Security / Risk

• 2017 Cybersecurity summary https://www.datex.ca/blog/year-in-review-how-did-the-cyberthreat-landscape-change-in-2017
• Princeton to reprise and update U of Washington's 2007 study on in flight web page modifications (ads, caches, malware, etc.) https://freedom-to-tinker.com/2017/12/19/how-have-in-flight-web-page-modification-practices-changed-over-the-past-ten-years/ their "web tripwire" can be found at http://stormship.cs.princeton.edu
• Krebs on the market for stolen credentials https://krebsonsecurity.com/2017/12/the-market-for-stolen-account-credentials/
• Lessons learned from the Estonian digital ID card security flaw https://www.schneier.com/blog/archives/2017/12/lessons_learned.html
• Approach to scaling branch firewalls https://thehackernews.com/2017/12/firewall-bursting-new-approach.html
• What a worst case cyberattack might look like http://www.zdnet.com/article/nsa-chief-this-is-what-a-worst-case-cyber-attack-scenario-looks-like/
• Apple deliberately slows older phones over battery issues https://www.theguardian.com/technology/2017/dec/21/apple-admits-slowing-older-iphones-because-of-flagging-batteries
• Another example of  adversarial images confusing an AI  https://www.wired.com/story/researcher-fooled-a-google-ai-into-thinking-a-rifle-was-a-helicopter/
• Firefox to mark unencrypted web sites as insecure https://www.bleepingcomputer.com/news/software/firefox-prepares-to-mark-all-http-sites-not-secure-after-https-adoption-rises/
• Schneier on Amazon's Key and "lock-in" on your life https://www.schneier.com/blog/archives/2017/12/amazonsdoorlo.html
• Opera adding crypto-jacking blocker http://www.zdnet.com/article/opera-just-added-a-bitcoin-mining-blocker-to-its-browser/
• MORPHEUS is a U-Michican project to build computer hardware resistant to 7 classes of software vulnerabilities http://ns.umich.edu/new/releases/25336-unhackable-computer-under-development-with-3-6m-darpa-grant

Off-Topic

• Non-invasive method to detect Alzheimer's https://scienmag.com/a-non-invasive-method-to-detect-alzheimers-disease/
• How to wash your hair in space (3 miniute video) https://apod.nasa.gov/apod/ap171220.html
• In WWI in 1914 there was the miracle of the Christmas truce (as explained by Extra History 11 minute video animation) https://www.youtube.com/watch?v=WUlPNWDvk-c