This Week’s [in]Security – Issue 42 | insecurity | Control Gap

Welcome to This Week’s [in]Security. We’ve collected and grouped together a selection of this week’s news, opinions, and research. Quickly skim these annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

• Our 17 predictions for PCI DSS 3.3 in 2018  https://controlgap.com/blog/predictions-next-version-pci-dss/
• PCI updates vendor release agreement for PTS, PA-DSS and P2PE https://www.pcisecuritystandards.org/documents/VendorReleaseAgreement_-January2018.docx
• As China prepares to limit Bitcoin mining power utilization, miners start exodus to ... Canada https://www.zerohedge.com/news/2018-01-05/bitcoin-miners-migrate-china-canada-pboc-cracks-down-mining
• Are people jumping the shark over "crypto-currencies"? https://www.pymnts.com/blockchain/2018/eastman-kodak-kodakcoin-cryptocurrency-photographers/
• Overstock.com / CoinBase glitch highlights merchant risks https://krebsonsecurity.com/2018/01/website-glitch-let-me-overstock-my-coinbase/
• Unsure if this is a new ASV mandated failure or just Qualys enforcing a long standing DSS requirement https://blog.qualys.com/technology/2018/01/08/pci-dss-v3-2-private-ip-address-disclosure
• Visa to move away from signatures http://www.digitaltransactions.net/visa-says-it-too-will-make-signatures-optional-for-north-american-emv-pos/
• Facial recognition and retailers http://www.slate.com/blogs/futuretense/2017/12/22/facialrecognitionsoftwareiscomingtoindustrieslikefastfoodandluxury.html and discussion https://www.schneier.com/blog/archives/2018/01/facialrecognit2.html

Breaches / Leaks

• Florida Medicaid phishing breach of 30K individuals records https://www.databreachtoday.com/phishing-exposed-medicaid-details-for-30000-floridians-a-10563
• UK base Carphone Warehouse fined over 2015 breach of 3M customer records https://in.reuters.com/article/britain-carphonewarehouse-fine/britain-fines-carphone-warehouse-400000-stg-over-data-breach-idINKBN1EZ10T

Laws & Regulations / Standards

• WPA3 is coming https://www.theregister.co.uk/2018/01/09/wifiwpa3/
• House passes Cyber Vulnerability Disclosure Reporting Act https://www.eff.org/deeplinks/2018/01/step-right-direction-house-passes-cyber-vulnerability-disclosure-reporting-act
• Data Breach Prevention and Compensation Act introduced https://epic.org/2018/01/senators-warren-and-warner-int-1.html and NY Times OpEd comapring todays Cyber Security to pre-Enron accounting https://www.nytimes.com/2018/01/08/opinion/cybersecurity-breach-spectre-meltdown.html
• HHS offers voluntary secure data exchange framework https://www.databreachtoday.com/analysis-security-elements-trusted-exchange-framework-a-10562
• New York states Right to Know Act affects policing https://www.eff.org/deeplinks/2018/01/new-york-city-adopts-historic-policing-reform
• FBI locked out of 7K devices in 2017 http://www.zdnet.com/article/fbi-director-locked-out-encrypted-devices/, debate on another FBI proposed remedy https://www.schneier.com/blog/archives/2018/01/yetanotherfbi.html, and an FBI forensic investigator complains about how long it takes to break into an iPhone https://motherboard.vice.com/en_us/article/59wkkk/fbi-hacker-says-apple-are-jerks-and-evil-geniuses-for-encrypting-iphones))
• EFF weighs in on patent troll case https://www.eff.org/deeplinks/2018/01/eff-court-dont-let-trolls-get-away-asserting-stupid-software-patents
• India bans PWC for 2 years https://www.wsj.com/articles/india-bans-pricewaterhousecoopers-from-auditing-listed-firms-for-two-years-1515656186

Bugs / Design Flaws

• More Meltdown/Spectre fallout

  • Qualcomm joins the club https://www.theregister.co.uk/2018/01/06/qualcommprocessorsecurity_vulnerabilities/
  • Expect ongoing patches touching many products and applications https://www.databreachtoday.com/meltdown-spectre-forecast-patch-now-keep-patching-a-10568
  • Windows patch bricking some AMD CPUs https://www.theregister.co.uk/2018/01/08/microsoftsspectrefixerbrickssomeamdpowered_pcs/ so MS pauses AMD patching https://www.databreachtoday.com/microsoft-pauses-windows-security-updates-to-amd-devices-a-10567
  • More software products breaks under meltdown patches https://www.theregister.co.uk/2018/01/08/meltdownfixsecurity_problems/
  • AV products using unsupported kernel calls break https://www.theregister.co.uk/2018/01/09/meltdownpatchantimalwareconflict/
  • Intel faces class action lawsuit https://www.theguardian.com/technology/2018/jan/05/intel-class-action-lawsuits-meltdown-spectre-bugs-computer
  • Microsoft confirms performance hit https://www.darkreading.com/endpoint/microsoft-confirms-windows-performance-hits-with-meltdown-spectre-patches/d/d-id/1330778
  • Game vendors blame Meltdown for performance issues https://www.theguardian.com/technology/2018/jan/08/meltdown-spectre-slowdowns-fix-processor-flaws-fortnite-epic-games
• AMD chip flaw (not Meltdown, more like Management Engine) in Trusted Platform Module, patch is on the way https://www.theregister.co.uk/2018/01/06/amdcpupsp_flaw/
• Looks like yet another AMT bug with default credentials that need changing https://www.databreachtoday.com/backdoored-in-30-seconds-attack-exploits-intel-amt-feature-a-10583
• WesternDigital MyCloud has unpatched backdoor https://thehackernews.com/2018/01/western-digital-mycloud.html
• Microsoft kills old equation editor over newfound flaws https://securityboulevard.com/2018/01/microsoft-kills-old-office-equation-editor-due-to-new-flaw/
• January's MS patches 16 critical of 56 https://krebsonsecurity.com/2018/01/microsofts-jan-2018-patch-tuesday-lowdown/
• Let's Encrypt disables certificate verification protocol after bug report http://www.zdnet.com/article/lets-encrypt-disables-tls-sni-01-validation/

Privacy

• US Boarder searches of laptops and phones on the rise http://www.zdnet.com/article/warrantless-phone-laptop-searches-at-the-us-border-hit-record-levels/
• Privacy breaches in Alberta increased last year http://www.cbc.ca/news/canada/calgary/privacy-hacking-information-1.4476084
• VTech settles privacy compliant https://www.theregister.co.uk/2018/01/08/vtechftcsettlement_hacking/

Hacking / Malware / Cybercrime

• Winter Olympics brings a new crop of malware http://www.zdnet.com/article/hackers-target-winter-olympics-with-new-custom-built-fileless-malware/
• Article describing stealing data from web forms using code dependencies (note the hackers perspective is fictional, the problem it illustrates isn't) https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5
• Microsoft 2018 security predicitions https://www.darkreading.com/endpoint/microsoft-how-the-threat-landscape-will-shift-this-year/d/d-id/1330782
• Arrest in "Fruitfly" malware indicates decade long snooping http://www.bbc.co.uk/news/technology-42648211
• Unusal snail-mail scam involving bit BitCoin https://krebsonsecurity.com/2018/01/bitcoin-blackmail-by-snail-mail-preys-on-those-with-guilty-conscience/

Other Security / Risk

• Mobile apps for industrial control systems aren't secure http://www.slate.com/blogs/futuretense/2017/12/22/facialrecognitionsoftwareiscomingtoindustrieslikefastfoodandluxury.html
• 2017 was most expensive for US disasters http://www.bbc.co.uk/news/science-environment-42608161
• More on the AI Singularity https://freedom-to-tinker.com/2018/01/08/singularity-skepticism-3-how-to-measure-ai-performance/ and https://freedom-to-tinker.com/2018/01/10/singularity-skepticism-4-the-value-of-avoiding-errors/
• Apple ITP hits ad company bottom lines https://www.theguardian.com/technology/2018/jan/09/apple-tracking-block-costs-advertising-companies-millions-dollars-criteo-web-browser-safari
• Potentially interesting solution using traffic analysis and AI (machine learning) to identify threats in encrypted traffic https://betanews.com/2018/01/10/cisco-encrypted-traffic-analytics/
• Debate on IoT vs. security https://www.schneier.com/blog/archives/2018/01/daniel_miessler.html
• Discussion of techniques for fingerprinting documents https://www.schneier.com/blog/archives/2018/01/fingerprinting_6.html
• Debunking claims that India's UIDAI is unhackable https://www.troyhunt.com/is-indias-aadhaar-system-really-hack-proof-assessing-a-publicly-observable-security-posture/
• Fancy Bear "leaks" IOC emails in advance of Olymics https://www.wired.com/story/russian-fancy-bears-hackers-release-apparent-ioc-emails
• Russian propaganda network going after Muller https://www.wired.com/story/pro-russia-twitter-trolls-target-robert-mueller
• Anti-drone technology sees what drone is viewing https://www.wired.com/story/a-clever-radio-trick-can-tell-if-a-drone-is-watching-you (similar to a previous privacy problem of fingerprinting netflix https://controlgap.com/blog/this-weeks-insecurity-issue-3/))
• Using cyber security to improve your bottom line https://www.packetlabs.net/cyber-security-improve-bottom-line/
• Simple math behind Gerrymandering and defending against it https://www.wired.com/story/the-math-behind-gerrymandering-and-wasted-votes/
• List of scams on tourists http://www.relativelyinteresting.com/40-tourist-scams-avoid-travels/ and discussions https://www.schneier.com/blog/archives/2018/01/touristscams1.html
• Amphibious house retrofits, interesting idea, administrative hurdles https://www.newyorker.com/tech/elements/a-floating-house-to-resist-the-floods-of-climate-change

Off-Topic

• The hunt for flight MH370 resumes with much improved robot submarines https://www.economist.com/news/science-and-technology/21733399-swarm-submarine-drones-will-scour-depths-plane-fantastical-ship
• Something seems to be off with different measurements of the cosmic expansion rate http://www.bbc.co.uk/news/science-environment-42630399