This Week’s [in]Security – Issue 77 | insecurity | Control Gap

Welcome to This Week’s [in]Security. We’ve collected and grouped together a selection of this week’s news, opinions, and research. Quickly skim these annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

• Visa's October mandates for merchants taking cards by mail or phone https://controlgap.com/blog/if-you-take-credit-cards-by-phone-or-mail-you-need-to-read-about-visas-october-mandate/
• Police warning about ATM PIN (shoulder surfing) and card thefts in Sudbury https://www.thesudburystar.com/news/local-news/police-warning-people-about-this-atm-scam
• Upcoming talk at SecTor on smart contracts https://sector.ca/when-smart-contracts-arent-so-smart/

Breaches / Leaks

• Backup and data recovery company Veeam leaves 200 GB db of customer data exposed estimated at 440M email addresses https://techcrunch.com/2018/09/11/veeam-security-lapse-leaked-over-440-million-email-addresses/
• Possible small breach of information on hundreds of civicl servants after "device" stolen from Public Services and Procurement Canada https://globalnews.ca/news/4446600/federal-civil-servants-privacy-breach/
• The Have I Been Pwned db gets a new addition of 42M userids and passwords from an unknown breach https://www.troyhunt.com/the-42m-record-kayo-moe-credential-stuffing-data/

• Equifax follow-ups:

  • A year later little has changed https://techcrunch.com/2018/09/08/equifax-one-year-later-unscathed/
  • GAO releases report on breach and response https://www.zdnet.com/article/us-government-releases-post-mortem-report-on-equifax-hack/

• British Airways breach follow-ups:

  • BA was considering outsourcing security before breach https://www.theregister.co.uk/2018/09/07/basecurityoutsurcingconsultationmemo/
  • Article on BA breachhttps://www.theregister.co.uk/2018/09/11/britishairwayswebsite_scripts/
  • One analysis of BA breach https://www.wired.com/story/british-airways-hack-detaeils

Laws & Regulations / Standards

• Analysis: Australia's anti-encryption law will merely relocate the backdoors https://www.zdnet.com/article/australias-anti-encryption-law-will-merely-relocate-the-backdoors-expert/
• NIST published “IT Asset Management” details: https://csrc.nist.gov/publications/detail/sp/1800-5/final update: https://csrc.nist.gov/news/2018/nist-releases-special-publication-1800-5
• EFF argues the EU's proposed copyright filters will get abused https://www.eff.org/deeplinks/2018/09/how-eus-copyright-filters-will-make-it-trivial-anyone-censor-internet
• Where Sony claimed they owned Bach performance, yet another example of why copyright take-down processes are horribly flawed https://www.eff.org/takedowns/sony-finally-admits-it-doesnt-own-bach-and-it-only-took-public-pressure
• EU's pushing right to be forgotten on the world will be abused https://www.theguardian.com/technology/2018/sep/09/right-to-be-forgotten-could-threaten-global-free-speech-say-ngos
• More on EU proposal requiring 1-hour take down of extremist social media postings or fines for th e likes of Twitter, Facebook, and Google http://www.bbc.co.uk/news/technology-45495544
• EU court rules on GCHQ and NSA mass surveillance privacy case https://arstechnica.com/tech-policy/2018/09/bulk-interception-by-gchq-and-nsa-violated-human-rights-charter-european-court-rules/

Privacy

• Mozilla on why we need better tracking protection https://blog.mozilla.org/security/2018/09/05/why-we-need-better-tracking-protection/
• Mozilla announcement of new anti-tracking features includes blocking slow loading tracking pages, cross-site tracking, fingerprinting, and crypto-mining https://blog.mozilla.org/futurereleases/2018/08/30/changing-our-approach-to-anti-tracking/

Bugs / Design Flaws / Vulnerabilities / Defense

• If your phones weren't target enough, the mobile telcos want to be authenticate your identity https://krebsonsecurity.com/2018/09/u-s-mobile-giants-want-to-be-your-online-identity/
• What to do bother BEFORE and AFTER you loose your phone https://www.wired.com/story/lost-stolen-phone-what-to-do
• US Credit Freezes will shortly be free https://krebsonsecurity.com/2018/09/in-a-few-days-credit-freezes-will-be-fee-free/
• US government online insider threat course https://www.theregister.co.uk/2018/09/13/nittfinsiderthreatselfanalysis/
• State Department shamed for low multi-factor authentication adoption https://www.zdnet.com/article/state-department-shamed-for-poor-adoption-of-multi-factor-authentication/
• Intel patches management engine again for leaking encryption keys https://www.databreachtoday.com/intel-patches-firmware-flaw-that-leaks-me-encryption-keys-a-11513
• National Academies report on securing the vote https://freedom-to-tinker.com/2018/09/11/securing-the-vote-national-academies-report/
• Google hacked all their electronic doors open https://www.forbes.com/sites/thomasbrewster/2018/09/03/googles-doors-hacked-wide-open-by-own-employee/
• Tesla model S key fobs easily cloned, set your PIN or replace your fob https://www.wired.com/story/hackers-steal-tesla-model-s-seconds-key-fob/
• A look into DARPA’s Cyber Fault-Tolerant Attack Recovery program https://blog.trailofbits.com/2018/09/10/protecting-software-against-exploitation-with-darpas-cfar/
• Capital One shamed over web site policy that blocks use of password managers https://www.theregister.co.uk/2018/09/13/capitalonepasswords_website/

Hacking / Malware / Cybercrime / Offense

• 1% of emails are malicious and 90% of these are phishing https://www.zdnet.com/article/phishing-warning-one-in-every-one-hundred-emails-is-now-a-hacking-attempt/
• New and improved cold boot attack bypasses disk encryption  -still safe: bitlocker with PIN and MacOS with T2 chip  https://thehackernews.com/2018/09/cold-boot-attack-encryption.html
• Russian charged with 83M customer JP Morgan data heist of extradited to US https://www.databreachtoday.com/russian-charged-in-jpmorgan-chase-hack-extradited-to-us-a-11476 and https://www.bbc.co.uk/news/technology-45472766
• "Guccifer" to be extradited to US from Romania https://www.databreachtoday.com/romanian-hacker-guccifer-to-be-extradited-to-us-a-11489
• 32 California street gang members arrested in crackdown on crimes involving payment terminals https://patch.com/california/concord-ca/32-gang-members-arrested-1m-northern-california-fraud-scheme
• Attacking Android through USB (detailed) https://googleprojectzero.blogspot.com/2018/09/oatmeal-on-universal-cereal-bus.html
• "Juice Jacking" where fake charging stations can hack your smartphone with some recommendations https://www.fightingidentitycrimes.com/fake-charging-stations-hack-smartphone/
• Apple store adware removal tool “Adware Doctor” has been stealing browser history https://thehackernews.com/2018/09/mac-adware-removal-tool.html and https://www.theregister.co.uk/2018/09/07/adwaredoctorremoved_apple/
• Town of Midland set to pay ransom to unlock systems encrypted in cyberattack https://globalnews.ca/news/4433389/town-midland-pay-ransom-cyberattack/
• More problems with India's Aadhaar system compromised by back level patches allowing registration fraud https://gizmodo.com/simple-hack-turns-indias-massive-biometric-database-int-1828972521

Other Security / Risk

• Google thinks it’s time for something better than URLs https://www.wired.com/story/google-wants-to-kill-the-url
• Article and discussion about government hacking https://www.schneier.com/blog/archives/2018/09/securityrisks14.html
• Web security myths https://blog.cloudflare.com/website-security-myths/
• Troy Hunt uses the "Shame Nun" to illustrate security and discusses effective shaming  https://www.troyhunt.com/the-effectiveness-of-publicly-shaming-bad-security/
• More on identifying deepfakes - how to shake the fakes out of politics - http://www.bbc.co.uk/news/technology-44397484
• Stripe study claims developers are wasting time debugging and fixing bad code - but there's no mention of how to avoid bad code in the first place  https://www.pymnts.com/news/b2b-payments/2018/stripe-developer-workforce/
• On the future of smart homes https://www.theverge.com/2018/9/10/17832708/home-of-future-grant-imahara-smart-assistant-google-alexa
• Microsoft's Windows 10 October update warns users not to install "less safe" browsers https://www.theverge.com/2018/9/12/17850146/microsoft-windows-10-chrome-firefox-warning
• Cameras, surveillance, AI, and behaviour prediction in a cashier-less store https://www.nytimes.com/2018/09/13/technology/standard-market-retail-automation-behavioral-data.html

Off-Topic / Science & Tech / Lighter Side

• Funny ad that exposes the risk  of too much tech and makes the point of simplicity https://www.adsoftheworld.com/media/film/rema1000smart_house
• It’s taken years to figure out the mystery of why we couldn’t find water on Jupiter https://science.howstuffworks.com/great-red-spot-may-expose-jupiters-watery-secret.htm
• Pluto may be a planet after all and so might another 101 solar system objects https://www.universetoday.com/139956/new-reasons-why-pluto-should-be-considered-a-planet-after-all/
• Article with images of Hurricane Florence from the International Space Station https://www.universetoday.com/139981/stare-down-from-space-into-the-churning-maw-of-hurricane-florence/