This Week’s [in]Security – Issue 44 | insecurity | Control Gap

Welcome to This Week’s [in]Security. We’ve collected and grouped together a selection of this week’s news, opinions, and research. Quickly skim these annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

• There's an SSL countdown clock on the PCI site https://www.pcisecuritystandards.org/
• Stripe drops Bitcoin https://www.pymnts.com/blockchain/bitcoin/2018/stripe-cryptocurrency-payment-method/

• PCI releases PIN on COTS (aka PIN on glass) standard for mobile payments

  • Announcement https://blog.pcisecuritystandards.org/new-pci-software-pin-entry-on-cots-standard
  • Requirements https://www.pcisecuritystandards.org/documents/SPoCSecurity\_Requirements_v1.0.pdf

Breaches / Leaks

• Bell Canada breached (2nd time in under a year). This time for 100K of customer records breached https://www.thestar.com/business/2018/01/23/100000-bell-canada-customers-could-be-affected-by-data-breach.html
• UK's "Top 500 Law Firms" breached for 1.2M emails and passwords http://www.zdnet.com/article/uk-top-500-legal-firms-credentials-leaked-on-the-dark-web/ and https://www.privacyrights.org/data-breaches?title=Top%20500%20UK%20Legal%20Firms
• Kansas officials continue to deny that the Crosscheck  voter fraud detection system has been breached https://gizmodo.com/crosscheck-voter-fraud-program-hasn-t-suffered-any-data-1822305818
• HBO leaks info via AWS S3 buckets https://mackeepersecurity.com/post/hbo-database-exposure

Laws & Regulations / Standards

• States stepping in to fight FCC net neutrality rollback https://arstechnica.com/tech-policy/2018/01/net-neutrality-will-be-enforced-in-new-york-under-orders-from-governor/
• FCC trying to stifle community led broadband https://arstechnica.com/tech-policy/2018/01/fcc-broadband-committee-wants-to-restrict-publicly-owned-networks/
• UK's war on encryption https://www.theguardian.com/technology/2018/jan/25/theresa-may-calls-tech-firms-act-encrypted-messaging
• US Senator calls on FBI to explain "lawful access" https://gizmodo.com/senator-demands-fbi-director-explain-his-encryption-bac-1822400040
• NIST whitepaper on code signing https://csrc.nist.gov/publications/detail/white-paper/2018/01/26/security-considerations-for-code-signing/final
• NIST security recommendations for hypervisors http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-125A.pdf
• NIST draft on Blockchain and Crypto-currency https://csrc.nist.gov/publications/detail/nistir/8202/draft

Bugs / Design Flaws

• More fallout from Meltdown/Spectre

  • Schneier on the effects of these bugs https://www.schneier.com/blog/archives/2018/01/theeffectsof_3.html
  • Linus Torvalds' a bit miffed at Intel's vulnerable by default position https://www.theregister.co.uk/2018/01/22/intelspectrefix_linux/
  • Intel advising not to patch until better patches are available http://www.bbc.com/news/technology-42788169 and https://www.databreachtoday.com/intel-stop-installing-patches-due-to-reboot-problems-a-10603
  • US House of Representatives investigating how the bug embargo broke down https://www.theregister.co.uk/2018/01/25/houserepsintelmeltdownspectre/
  • Computer manufactures in the dark for months https://www.theregister.co.uk/2018/01/25/intelspectredisclosedflawsnovember/
• More details on exploiting the Intel management engine vulnerabilities
• Bumper crop of Firefox bugs http://www.theregister.co.uk/2018/01/24/mozillafirefoxsecurity_updates/
• Critical Electron JS framework bug affecting Windows https://thehackernews.com/2018/01/electron-js-hacking.html
• Flaws found in Signal / Whatsapp group chat https://www.schneier.com/blog/archives/2018/01/whatsapp_vulner.html

Privacy

• Tinder doesn't encrypt your swipes https://www.wired.com/story/tinder-lack-of-encryption-lets-strangers-spy-on-swipes
• Is your car a snitch? http://driving.ca/auto-news/news/lorraine-4
• PCI offers free privacy awareness training https://blog.pcisecuritystandards.org/pci-council-supports-data-privacy-day-with-free-training
• Yahoo secretly scanned incoming email for US intelligence https://www.reuters.com/article/us-yahoo-nsa-exclusive/exclusive-yahoo-secretly-scanned-customer-emails-for-u-s-intelligence-sources-idUSKCN1241YT

Hacking / Malware / Cybercrime

• US Secret Service warning of first US ATM jackpotting attacks https://krebsonsecurity.com/2018/01/first-jackpotting-attacks-hit-u-s-atms/
• Another Doh! Oman's stock exchange network protected by admin/admin https://www.v3.co.uk/v3-uk/news/3024798/omans-stock-exchange-left-wide-open-to-hackers-because-it-staff-used-admin-admin-to-log-in
• North Korea attacked Metrolinx http://www.cbc.ca/news/canada/toronto/north-korean-cyber-attack-metrolinx-1.4500918
• Twitter emailing informational notifications to US people who followed/liked/retweeted Russian trolls https://arstechnica.com/information-technology/2018/01/twitter-begins-emailing-the-677775-americans-who-took-russian-election-bait/
• Behind 2017's explosion of malicious ads https://arstechnica.com/information-technology/2018/01/malvertising-factory-with-28-fake-agencies-delivered-1-billion-ads-in-2017/
• Russian gas pump fraud https://threatpost.com/hacker-infects-gas-pumps-with-code-to-cheat-customers/129599/
• ICO's leak about $400M between 2015-2017 http://www.zdnet.com/article/hackers-steal-almost-400-million-from-cryptocurrency-icos/
• Krebs interview on Bot Nets https://krebsonsecurity.com/2018/01/expert-iot-botnets-the-work-of-a-vast-minority/
• Japanese exchange looses $534M in the NEM crypto-currency, lasrgest ever http://www.bbc.co.uk/news/world-asia-42845505
• Only in Canada? Thieves try to hold-up a Bitcoin exchange! https://thehackernews.com/2018/01/cryptocurrency-exchange-robbery.html

Other Security / Risk

• The Federation of Security Professionals has a call for papers http://fspgroup.ca/docs/CallForPapers2018.pdf
• Chronicle  - Google parent tool to help with threat intelligence https://krebsonsecurity.com/2018/01/chronicle-a-meteor-aimed-at-planet-threat-intel/
• Kaspersky seeks injunction on US government ban https://www.darkreading.com/vulnerabilities--- threats/kaspersky-lab-seeks-injunction-against-us-government-ban/d/d-id/1330860
• Unprotected industrial control systems on the Internet https://arstechnica.com/information-technology/2018/01/the-internet-of-omg-vulnerable-factory-and-power-grid-controls-on-internet/
• Man tests iPhone battery by biting it - ends poorly https://www.cnet.com/news/man-bites-phone-battery/
• Flaws in FCC comment process included not validating submitter email addresses http://www.theregister.co.uk/2018/01/22/smutsitefingeredforfraudafteramillionnetneutralitycommentsgetsent/
• Apple rejects app that tests for net neutrality https://arstechnica.com/information-technology/2018/01/apple-rejects-app-that-claims-to-detect-net-neutrality-violations/
• The small town that turned out to be a Fake News factory http://www.bbc.co.uk/news/blogs-trending-42724320
• Challenges sourcing voting machines for vulnerability testing.  Also some unexpected finds like voting seals https://www.theregister.co.uk/2018/01/23/electronicvotingmachine_update/
• Another Tesla on "Autopilot" crashes https://www.mercurynews.com/2018/01/22/tesla-on-autopilot-slams-into-parked-fire-truck-on-freeway/
• GM sued over autonomous vehicle collision https://www.theguardian.com/technology/2018/jan/24/general-motors-sued-motorcyclist-first-lawsuit-involve-autonomous-vehicle
• Fake videos are getting easier, machine learning now used to graft celeb faces into porn videos  https://www.theguardian.com/technology/2018/jan/25/ai-face-swap-pornography-emma-watson-scarlett-johansson-taylor-swift-daisy-ridley-sophie-turner-maisie-williams
• The Doomsday clock moves closer to midnight http://www.bbc.co.uk/news/world-42823734

Off-Topic

• And you think the weather is bad this year! Check out this photo from Michigan in 1938 (aka Snowmagedon) https://apod.nasa.gov/apod/ap180121.html
• Exo-topography is coming to a space telescope near you soon https://www.universetoday.com/138308/upcoming-telescopes-able-detect-mountains-landscapes-extrasolar-planets/
• Impressive Titanium 3D printing https://www.bugatti.com/media/news/2018/world-premiere-brake-caliper-from-3-d-printer/
• Rockets from New Zealand http://www.bbc.co.uk/news/science-environment-42780872
• Scramjet successor to SR-71 http://www.businessinsider.com/sr-72-lockheed-martin-hinted-may-already-exist-2018-1
• Toronto-Montreal in final for first hyperloop http://dailyhive.com/toronto/montreal-toronto-hyperloop-one-route-finalists