This Week’s [in]Security – Issue 59 | insecurity | Control Gap

Welcome to This Week’s [in]Security. We’ve collected and grouped together a selection of this week’s news, opinions, and research. Quickly skim these annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

• Update on PCI's Software Security (S3) Framework https://blog.pcisecuritystandards.org/3-things-to-know-about-the-pci-software-security-framework-in-2018
• Mastercard’s remote enrollment solution for biometric payment cards  https://www.biometricupdate.com/201805/mastercards-remote-enrollment-solution-for-biometric-payment-cards-developed-with-idex

Breaches / Leaks

• Equifax breach update more details on compromised data but numbers remain unchanged https://www.databreachtoday.com/equifax-us-breach-victim-tally-stands-at-1466-million-a-10985
• 4iQ’s 2018 Identify Breach Reports looked at 8.7B raw records affecting 3B people. Article https://www.darkreading.com/threat-intelligence/87b-identity-records-on-surface-deep-dark-webs-in-2017/d/d-id/1331744 and report https://4iq.com/wp-content/uploads/2018/05/2018_IdentityBreachReport_4iQ.pdf
• iVideon exposes emails, userids and hasheds credentials of real users through a test instance https://mackeepersecurity.com/post/russian-based-video-surveillance-solution-leaked-data

Laws & Regulations / Standards

• NIST

  • Special Publication 800-193, Platform Firmware Resiliency Guidelines provides technical guidelines and recommendations supporting resiliency of platform hardware/firmware attacks. Update: https://csrc.nist.gov/News/2018/NIST-Releases-SP-80-193 and details: https://csrc.nist.gov/publications/detail/sp/800-193/final
  • Special Publication 800-202, a Guide to Help Digital Forensics Investigators Place Data on Mobile Devices. Update: https://csrc.nist.gov/News/2018/NIST-Published-SP-800-202 and details: https://csrc.nist.gov/publications/detail/sp/800-202/final
• Criticism of Ray Ozzie’s key escrow and crypto backdoor idea https://www.schneier.com/blog/archives/2018/05/ray_ozzies_encr.html and https://arstechnica.com/information-technology/2018/05/op-ed-ray-ozzies-crypto-proposal-a-dose-of-technical-reality/
• US Secure Data Act would stop encryption backdoors https://www.eff.org/deeplinks/2018/05/secure-data-act-would-stop-backdoors
• Office of Civil Rights: Gap analysis improves risk analysis, but isn't enough for HIPAA compliance http://www.healthcareitnews.com/news/gap-analysis-improves-risk-analysis-isnt-enough-hipaa-compliance-ocr-says
• Police close investigation into Nova Scotia data breach - no charges against 19-year-old https://globalnews.ca/news/4191414/halifax-police-data-breach/
• House of Commons Ethics Committee recommends against Bell’s website blocking proposal http://www.michaelgeist.ca/2018/05/ethionfairplay/

Privacy

• Suspicionless forensic searches of electronic devices at the border ruled unconstitutional https://www.eff.org/deeplinks/2018/05/fourth-circuit-rules-suspicionless-forensic-searches-electronic-devices-border-are
• Follow-up article on the risks of DNA services https://www.thestar.com/edmonton/2018/05/07/ancestry-dna-testing-poses-privacy-risks-health-expert-warns.html
• Transparency and disclosure of Affiliate Marketing programs https://freedom-to-tinker.com/2018/05/11/when-terms-of-service-limit-disclosure-of-affiliate-marketing/
• Private unisex washrooms solve a problem for organizations trying to respect gender identity but may increase other risks. Hidden motion activated camera discovered in downtown Toronto Starbucks washroom https://globalnews.ca/news/4199049/hidden-camera-starbucks-washroom/

Bugs / Design Flaws

• Meltdown and Spectre update, it turns out that Intel and AMD documentation was unclear or misread by most of the OS vendors https://www.theregister.co.uk/2018/05/09/intel_amd_kernel_privilege_escalation_flaws/
• Software bug led to cyclists death in self-drive Uber crash https://arstechnica.com/tech-policy/2018/05/report-software-bug-led-to-death-in-ubers-self-driving-crash/
• Half a million pacemakers need a security patch https://nakedsecurity.sophos.com/2018/05/04/half-a-million-pacemakers-need-a-security-patch/
• Krebs on this patch Tuesday https://krebsonsecurity.com/2018/05/microsoft-patch-tuesday-may-2018-edition/
• Zero-day Word/RTF OLE bug https://www.databreachtoday.com/zero-day-attack-exploits-windows-via-malicious-word-doc-a-10993
• Welsh police deployed facial recognition tech with a 92% false positive rate https://boingboing.net/2018/05/08/cachu-hwch.html
• Signal’s ephemeral self-destructing messages and MacOS notification history don’t play nice together https://arstechnica.com/information-technology/2018/05/signals-disappearing-messages-live-on-in-macos-notifications/
• 17 Zero-Days Found & Fixed in OPC-UA Industrial Protocol Implementations https://www.darkreading.com/endpoint/17-zero-days-found-and-fixed-in-opc-ua-industrial-protocol-implementations/d/d-id/1331775

Hacking / Malware / Cybercrime

• Source code for TreasureHunter PoS malware released https://www.darkreading.com/vulnerabilities--- threats/author-of-treasurehunter-pos-malware-releases-its-source-code-/d/d-id/1331778
• Will cyberattacks increase after cancellation of IRAN nuclear deal? https://www.wired.com/story/iran-nuclear-deal-cyberattacks/
• Krebs – credit freezes and cell phone carriers yet another out-of-the-loop credit agency being exploited by scammers https://krebsonsecurity.com/2018/05/think-youve-got-your-credit-freezes-covered-think-again/
• City of Wasaga Beach hit by ransomware https://barrie.ctvnews.ca/mobile/town-of-wasaga-beach-hit-by-cyber-attack-1.3915494
• Burning Umbrella: An Intelligence Report on the Winnti Umbrella and Associated State-Sponsored Attackers https://401trg.pw/burning-umbrella/
• The cost of a large DDOS attack on IoT owners - $323K https://krebsonsecurity.com/2018/05/study-attack-on-krebsonsecurity-cost-iot-device-owners-323k/
• A look at airline ticket fraud https://link.springer.com/article/10.1007/s10611-018-9777-8
• There is justice! Florida salesman fined $120M for 96M robocalls with spoofed caller ID http://www.bbc.com/news/technology-44083073

Other Security / Risk

• Schneier essay on supply-chain security https://www.schneier.com/blog/archives/2018/05/supply-chain_se.html
• MFA/2FA can be hijacked by social engineering/phishing a user to a fake site https://blog.knowbe4.com/heads-up-new-exploit-hacks-linkedin-2-factor-auth.-see-this-kevin-mitnick-video
• Remember “look for the padlock”, Troy Hunt on why visual clues to security are loosing impact https://www.troyhunt.com/the-decreasing-usefulness-of-positive-visual-security-indicators-and-the-importance-of-negative-ones/
• IBM banning all removable storage https://www.theregister.co.uk/2018/05/10/ibm_bans_all_removable_storage_for_all_staff_everywhere/
• Your attack surface just grew, Microsoft Excel to support Javascript https://www.wired.com/story/microsoft-excel-javascript
• Mainframe security threats https://www.helpnetsecurity.com/2018/04/24/mainframe-threats/
• EFF on the impact of algorithms on peoples lives https://www.eff.org/deeplinks/2018/05/math-cant-solve-everything-questions-we-need-be-asking-deciding-algorithm-answer
• Link and discussion to survey and report on US 2018 election hacking preparedness https://www.schneier.com/blog/archives/2018/05/the_us_is_unpre.html
• Opinion on Blockchain hype: looking at the business problems that it is attempted to solve https://medium.com/@kaistinchcombe/decentralized-and-trustless-crypto-paradise-is-actually-a-medieval-hellhole-c1ca122efdec
• Hiding Metasploit Shellcode to Evade Windows Defender https://blog.rapid7.com/2018/05/03/hiding-metasploit-shellcode-to-evade-windows-defender/
• Building a Pi based remote access tool disguised as a power brick https://www.tunnelsup.com/raspberry-pi-phoning-home-using-a-reverse-remote-ssh-tunnel/
• Test of Canada’s emergency cell-phone alert system delivered mixed results https://www.ctvnews.ca/sci-tech/didn-t-get-a-mobile-emergency-test-alert-this-might-be-why-1.3923607
• Encryption backdoor debate over police request for encrypted radios, but more to the point shouldn’t modern police forces already have these? https://www.schneier.com/blog/archives/2018/05/virginia_beach_.html

Off-Topic

• Infographic: A World of Languages http://www.visualcapitalist.com/a-world-of-languages/
• Beating the house https://www.bloomberg.com/news/features/2018-05-03/the-gambler-who-cracked-the-horse-racing-code
• A possible explanation for why the Earth doesn’t have other moons https://www.universetoday.com/139170/how-many-of-earths-moons-crashed-back-into-the-planet/
• Jupiter and Venus change Earth's orbit in a 405K year cycle https://www.universetoday.com/139198/jupiter-and-venus-change-earths-orbit-every-405000-years/
• AI generates new game levels in Doom for humans to play https://www.technologyreview.com/s/611072/ai-generates-new-doom-levels-for-humans-to-play/
• Review of MEI report on Canada's wrireless industry finds bias and misrepresentation http://www.michaelgeist.ca/2018/05/slowermeireport/