This Week’s [in]Security – Issue 43 | insecurity | Control Gap

Welcome to This Week’s [in]Security. We’ve collected and grouped together a selection of this week’s news, opinions, and research. Quickly skim these annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

• The PCI Associate QSA Program (AQSA) is now up and running https://blog.pcisecuritystandards.org/now-accepting-applications-for-new-associate-qsa-program
• Moneris and Kount collaborating to fight card-not-present fraud https://www.pymnts.com/news/b2b-payments/2018/moneris-kount-anti-fraud-technology/

Breaches / Leaks

• OnePlus may have suffered a card breach https://www.theregister.co.uk/2018/01/15/oneplususersreportcreditcard_fraud/
• Troy Hunt is looking to streamline Have I Been Powned's breach disclosure process https://www.troyhunt.com/streamlining-data-breach-disclosures-a-step-by-step-process/
• The need to fight breach fatigue https://sector.ca/why-we-must-fight-breach-fatigue/
• Study showing breaches don't hurt companies https://www.schneier.com/blog/archives/2018/01/security_breach.html
• Norway breached for healthcare data on half of population https://www.bleepingcomputer.com/news/security/hacker-might-have-stolen-the-healthcare-data-for-half-of-norway-s-population/

Laws & Regulations / Standards

• The EU's ePrivacy regulations are coming https://www.datex.ca/blog/have-you-forgotten-about-the-cookie-law
• The EFF, DRM, DCMA and Copyright Week https://www.eff.org/deeplinks/2018/01/drm-puts-brakes-innovation

Bugs / Design Flaws

• More on Meltdown and Spectre

  • Google's "Retpoline" software only fix for variant 2 has minimal performance hit http://www.zdnet.com/article/google-our-brilliant-spectre-fix-dodges-performance-hit-so-you-should-all-use-it/
  • Industrial Control Systems impacted by patches http://www.zdnet.com/article/meltdown-spectre-more-businesses-warned-off-patching-over-stability-issues/ and http://www.theregister.co.uk/2018/01/18/icscertmeltdown_responses/
  • Several major storage vendors claiming they don't need to patch https://www.theregister.co.uk/2018/01/17/swdefinedstorageneedsspectremeltdownpatchingsaysdsvendors/
  • Stability issues with patches on some processors https://www.bankinfosecurity.com/intel-confirms-fresh-spectre-meltdown-patch-problems-a-10596
  • Windows patches for AMD resume https://www.bleepingcomputer.com/news/microsoft/microsoft-resumes-meltdown-and-spectre-updates-for-amd-devices/
  • Apple joins the Spectre/Meltdown lawsuit club https://www.theregister.co.uk/2018/01/18/applespectreclassactionlawsuit/
• More on the new Intel AMT vulnerability https://threatpost.com/intel-amt-loophole-allows-hackers-to-gain-control-of-some-pcs-in-under-a-minute/129408/
• DNS (BIND) servers supporting DNSSEC are vulnerable to a DoS attack https://www.theregister.co.uk/2018/01/17/bindpatchcatches_crashes/
• Record payout for chain of exploits https://threatpost.com/google-awards-record-112500-bounty-for-android-exploit-chain/129519/

Privacy

• Organizations unaware of privacy violations on their web sites, followup on web-replay software,  https://freedom-to-tinker.com/2018/01/12/website-operators-are-in-the-dark-about-privacy-violations-by-third-party-scripts/
• Maryland looking at smart meter privacy. EPIC comments on privacy and warrant-less law enforcement requests https://epic.org/2018/01/epic-comments-on-maryland-smar.html
• US vs. Microsoft extraterritorial warrants  goes to Supreme Court over conflicts with EU and Irish laws https://www.theregister.co.uk/2018/01/19/microsoftdatacentreprivacyinternational/
• Explanation of new US border rules on device searches https://www.ctvnews.ca/canada/can-u-s-border-guards-search-your-phone-yes-and-here-s-how-1.3765602

Hacking / Malware / Cybercrime

• Fancy Bear is phishing the Senate https://www.databreachtoday.com/fancy-bear-targets-us-senate-security-researchers-warn-a-10586
• Toronto man charges in trafficking identity information (3B records up for sale on Leakedsource) https://www.thestar.com/news/world/2018/01/15/thornhill-man-charged-with-selling-3-billion-pieces-of-stolen-digital-info-making-court-appearance-monday.html
• Krebs article on Leakedsource https://krebsonsecurity.com/2018/01/canadian-police-charge-operator-of-hacked-password-service-leakedsource-com/
• Serial swatter charged in death of Witchita man https://krebsonsecurity.com/2018/01/serial-swatter-tyler-swautistic-barriss-charged-with-involuntary-manslaughter/
• NotPetya attributed to Russian military https://www.databreachtoday.com/notpetya-from-russian-intelligence-love-a-10589
• US Treasury looking at money laundering via cryptocurrency  https://www.pymnts.com/news/regulation/2018/us-treasury-cryptocurrency-regulation-money-laundering-bitcoin/
• Another APT hacking group identified, this one in Lebanon https://thehackernews.com/2018/01/dark-caracal-android-malware.htm
• On the impact of being hacked, cleaning up, and proactive steps  https://www.packetlabs.net/hacked/

Other Security / Risk

• Krebs on securing your IoT https://krebsonsecurity.com/2018/01/some-basic-rules-for-securing-your-iot-stuff/
• Thinking like a hacker https://www.darkreading.com/threat-intelligence/mental-models-and-security-thinking-like-a-hacker/a/d-id/1330780
• The war on intrusive pop-up ads https://www.wired.com/story/pop-up-mobile-ads-surge-as-sites-scramble-to-stop-them
• Study of a common algorithm used to predict criminal likelihood to reoffend finds it ineffective https://www.wired.com/story/crime-predicting-algorithms-may-not-outperform-untrained-humans
• Long story on the case of James Risen reporting on NSA warrentless wiretaps and the battle between DoJ and press https://theintercept.com/2018/01/03/my-life-as-a-new-york-times-reporter-in-the-shadow-of-the-war-on-terror/
• 3 cryptocurrenct operators sued https://www.pymnts.com/blockchain/bitcoin/2018/commodity-trading-cftc-cryptocurrency-ponzi-scheme/
• BitCoin mining set to top 42TWh of electric power = 20 megatonnes of CO2 emissions https://www.theguardian.com/technology/2018/jan/17/bitcoin-electricity-usage-huge-climate-cryptocurrency
• Revenge-porn victims suing social media https://www.theguardian.com/technology/2018/jan/12/facebook-faces-legal-action-from-victims-of-revenge-porn
• Blackberry going after vehicle security market https://www.thestar.com/business/2018/01/15/blackberry-steers-toward-vehicle-security-as-it-unveils-tool-at-detroit-auto-show.html
• Verizon drop Huawei's new smartphone, possibly over Chinese espionage worries https://www.nytimes.com/2018/01/09/business/att-huawei-mate-smartphone.html
• Government is automating inequalities https://freedom-to-tinker.com/2018/01/18/automating-inequality-virginia-eubanks-book-launch-at-data-society/

Off-Topic

• China's Tiangong-1 space station is expected to re-enter and burn up this March https://www.universetoday.com/138246/china-says-still-control-tiangong-1-can-decide-itll-crash/
• Plague that decimated 80% of Mexico in the 1500's linked to Typhoid fever by new DNA matching program  https://www.washingtonpost.com/news/morning-mix/wp/2018/01/16/scientists-find-possible-cause-for-mystery-epidemic-that-wiped-out-mexico-500-years-ago/