This Week’s [in]Security – Issue 62 | insecurity | Control Gap

Welcome to This Week’s [in]Security. We’ve collected and grouped together a selection of this week’s news, opinions, and research. Quickly skim these annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

• Visa Europe's payment network suffered and extended outage Friday evening https://www.theguardian.com/money/2018/jun/01/visa-card-network-crashes-and-sparks-payment-chaos
• Brandon Manitoba hit by wave of skimmers https://www.brandonsun.com/local/debit-card-skimming-scam-hits-brandon-484130103.html

Breaches / Leaks

• Canadian banks hacked:

  • BMO hit as well http://business.financialpost.com/news/fp-street/cibcs-simplii-says-fraudsters-may-have-accessed-data-of-40000-clients
  • CIBC announced that account information for 40K customers of Simplii Financial may have their data electronically accessed https://www.cp24.com/news/cibc-s-simplii-says-fraudsters-may-have-accessed-data-of-40-000-clients-1.3948138
  • Both BMO and CIBC’s Simplii are investigating customer data breaches (under 50K and 40K respectively) after being contacted by third parties http://business.financialpost.com/news/fp-street/cibcs-simplii-says-fraudsters-may-have-accessed-data-of-40000-clients
  • Canadian banks Simplii(CIBC) and BMO hit by hackers demanding ransom https://www.databreachtoday.com/hackers-demand-770000-ransom-from-canadian-banks-a-11050
• Ticketfly web hacked, 26M customer records stolen https://motherboard.vice.com/en_us/article/mbk3nx/ticketfly-website-database-hacked-data-breach and https://haveibeenpwned.com/PwnedWebsites#Ticketfly
• Honda India exposed data on 50K customers via an unsecured AWS S3 bucket https://www.bleepingcomputer.com/news/security/honda-india-left-details-of-50-000-customers-exposed-on-an-aws-s3-server/
• 'TeenSafe' leaked accounts of parents and children via an insecure AWS server https://www.theregister.co.uk/2018/06/01/wydenss7stingrayfcchomeland_security/
• T-Mobile exposed an internal tool giving access to PII over the Internet, unknown if it was exploited https://www.techrepublic.com/article/t-mobile-data-breach-shows-importance-of-securing-internal-tools/
• Under Armour sued over MyFitnessPal breach https://www.bankinfosecurity.com/lawsuit-filed-in-wake-under-armour-data-breach-a-11051
• Do breaches permanently affect companies, https://www.databreachtoday.com/do-data-breaches-permanently-affect-business-reputations-a-11048

Laws & Regulations / Standards

• Another case of DNA unmasking a felon https://www.washingtonpost.com/news/morning-mix/wp/2018/05/31/decades-ago-he-abandoned-his-family-and-assumed-a-new-identity-an-ancestry-com-search-unraveled-his-lies/
• All US states now have breach laws, Arizona expands their definition of personal information https://www.lexology.com/library/detail.aspx?g=d173ae91-42ca-4b3b-a642-defe26b116c9
• California expands ability to sue after a breach https://www.fastcompany.com/40579322/californias-strict-data-breach-law-moves-forward
• The SEC created a fake ICO to teach investors  https://www.theverge.com/tldr/2018/5/16/17361750/sec-cryptocurrency-ico-investors

Privacy

• Week two of GDPR:

  • The recent scramble by companies to address GDPR issues exposes the unprepared http://www.davidfroud.com/gdpr-now-we-know-who-the-muppets-are/
  • How GDPR will go wrong for some https://www.darkreading.com/risk/compliance/gdpr-oddsmakers-who-where-when-will-enforcement-hit-first-/d/d-id/1331898
  • Even more screw-ups rushing into GDR https://www.theregister.co.uk/2018/05/29/bccishardokayorganisationsblabemailaddressesingdprmailouts/

Bugs / Design Flaws

• Improved approach to fixing Spectre bugs https://www.theregister.co.uk/2018/06/02/security_roundup/
• The SEVered attack, researchers Bypass AMD’s SEV Virtual Machine Encryption https://www.bleepingcomputer.com/news/security/researchers-bypass-amd-s-sev-virtual-machine-encryption/
• Steam, the popular gaming client, has had a log standing remote code execution bug https://www.contextis.com/blog/frag-grenade-a-remote-code-execution-vulnerability-in-the-steam-client

Hacking / Malware / Cybercrime

• "Blue Note" is an ultrasonic acoustic attack on computer hard drives https://thehackernews.com/2018/05/hard-drive-failure-hack.html . It's an advance on attack published last year https://gizmodo.com/study-hackers-could-disrupt-or-crash-hdds-using-only-s-1821611653.
• Acoustic damage is a very real threat that has caused major outages at two data centers in the past https://www.bleepingcomputer.com/news/technology/loud-sound-from-fire-alarm-system-shuts-down-nasdaqs-scandinavian-data-center/ and https://www.zdnet.com/article/how-a-loud-noise-brought-a-data-center-to-its-knees/.
• Gas stations increasingly at risk of hacking and credit card theft https://www.bleepingcomputer.com/news/security/hackers-increasingly-targeting-gas-stations-and-credit-cards-at-the-pump/
• Article on fake copycat carders https://krebsonsecurity.com/2018/05/will-the-real-jokers-stash-come-forward/
• Mexico foiled an attempt to steal $110M via SWIFT https://www.bloomberg.com/news/articles/2018-05-29/mexico-foiled-a-110-million-bank-heist-then-kept-it-a-secret

Other Security / Risk

• Companies leaking information via Google Groups https://krebsonsecurity.com/2018/06/is-your-google-groups-leaking-data/
• Ontario election concerns over new vote scanning machines (but they do keep the paper ballots) http://www.cbc.ca/news/canada/toronto/pc-concerns-ontario-voting-machines-1.4686946
• DHS detected Stingray's in use near The White House https://www.theregister.co.uk/2018/06/01/wydenss7stingrayfcchomeland_security/
• Another issue of bulletboof TLS https://www.feistyduck.com/bulletproof-tls-newsletter/issue41domainfrontingcloudprovidersstopcensorshipcircumvention_tool.html
• Microsoft is tackling the problem of detecting bias in a variety of AI systems https://www.technologyreview.com/s/611138/microsoft-is-creating-an-oracle-for-catching-biased-ai-algorithms/
• Article on the "Number Stations" spewing random seeming numbers over radio https://warontherocks.com/2018/05/explaining-the-mystery-of-numbers-stations/ and discussion https://www.schneier.com/blog/archives/2018/05/numbers_station.html
• Article and discussion on the first cyber-attack, in 1834 telegraph messages were exploited for profit https://www.schneier.com/blog/archives/2018/05/1834thefirst_.html

Off-Topic

• Why we just can give up QWERTY http://www.bbc.com/capital/story/20180521-why-we-cant-give-up-this-odd-way-of-typing
• Scientists testing cannibal rocket engine to reduce weight and launch costs https://www.universetoday.com/139362/engineers-propose-a-rocket-that-consumes-itself-as-it-flies-to-space/
• When the Sun dies it will leave behind a glowing nebula http://www.syfy.com/syfywire/good-news-the-sun-will-form-a-planetary-nebula-when-it-dies-after-all
• Finding planet 9 and beyond https://www.universetoday.com/139289/what-are-the-chances-that-the-next-generation-lsst-could-find-new-planets-in-the-solar-system/