This Week’s [in]Security – Issue 78 | insecurity | Control Gap

Welcome to This Week’s [in]Security. This week: Newegg joins the British Airways and Ticketmaster ecommerce breach club. Why EV certificates are dead. Malware that went unnoticed for 6 years. Cybercrime as a Service. Low disk space will cause Window's October update to fail. And breach by bankruptcy.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

• Updated PCI FAQ #1453 https://pcissc.secure.force.com/faq/articles/FrequentlyAskedQuestion/Can-a-PFI-Company-provide-QSA-services-to-an-entity-after-performing-a-PFI-investigation-for-that-entity
• Visa and MasterCard settle 13 year old anti-trust class action suit with retailers for $6.2B https://money.cnn.com/2018/09/18/news/companies/visa-mastercard-lawsuit-settlement/index.html

Breaches / Leaks

• Newegg's e-commerce site breached for a month by Magecart malware (like British Airways and Ticket Master)  https://techcrunch.com/2018/09/19/newegg-credit-card-data-breach/
• NCIX breach by bankruptcy https://www.theregister.co.uk/2018/09/21/ncixserverssold/
• Government Payment Service Inc leaks 14M+ (non-PCI) records https://krebsonsecurity.com/2018/09/govpaynow-com-leaks-14m-records/
• Trends in retail breaches https://www.packetlabs.net/examining-retail-breach-trends/
• List of 2018 breaches https://www.datex.ca/blog/privacy-shield-should-i-stay-or-should-i-go-0
• Equifax faces £500,000 fine in the UK over massive pre-GDPR data breach https://www.engadget.com/2018/09/20/equifax-uk-fine/

Laws & Regulations / Standards

• NIST draft: IoT Trust Concerns report release for comment update: https://csrc.nist.gov/news/2018/nist-releases-draft-nistir-8222-for-comment and details: https://csrc.nist.gov/publications/detail/nistir/8222/draft
• Supreme Court of Canada rules ISPs can charge rights holders for access to notice on notice information http://www.michaelgeist.ca/2018/09/notice-the-difference-supreme-court-rules-isps-can-be-compensated-for-copyright-costs/
• Supreme Court of Canada rule IP address not conclusive of guilt http://www.michaelgeist.ca/2018/09/scccopyrightnotices/
• It's hard to sue a robot - what happens when AI goes wrong https://www.canadianlawyermag.com/author/lisa-r-lifshitz/its-hard-to-sue-a-robot-product-liability-considerations-and-ai-in-canada-16207/
• Ofcom to press UK government to regulate social media https://www.theguardian.com/media/2018/sep/17/ofcom-to-push-for-regulation-of-social-media-platforms

Privacy

• EFF calls out congress for having a consumer privacy hearing with no consumer privacy advocates https://www.eff.org/deeplinks/2018/09/game-rigged-congress-invites-no-consumer-privacy-advocates-its-consumer-privacy
• Billions of call records in "Hemisphere" program disclosed to government without judicial review https://epic.org/2018/09/epic-foia-docs-show-fbi-and-cb.html

Bugs / Design Flaws / Vulnerabilities / Defense

• Troy Hunt thinks extended validation (EV) certificates are dead - and he's right https://www.troyhunt.com/extended-validation-certificates-are-dead/
• Microsoft warns that overstuffed hard drives could stall the Windows 10 October 2018 update https://www.pcworld.com/article/3307184/windows/windows-10-october-2018-update-cannot-detect-full-drives.html
• Western Digital ignores simple password bypass bug in My Cloud drives https://techcrunch.com/2018/09/19/password-bypass-flaw-western-digital-my-cloud-drives/
• Intel releases firmware update for ME flaw https://nakedsecurity.sophos.com/2018/09/18/intel-releases-firmware-update-for-me-flaw/
• Kansas, Delaware, and New Jersey are in the process of purchasing voting machines with a serious design flaw https://freedom-to-tinker.com/2018/09/14/serious-design-flaw-in-ess-expressvote-touchscreen-permission-to-cheat/
• Equifax IT staff had to rerun hackers' database queries to work out what was nicked https://www.theregister.co.uk/2018/09/17/gaoreportequifaxmegabreach/
• Critical infrastructure will have to operate if there's malware on it or not https://www.zdnet.com/article/critical-infrastructure-will-have-to-operate-if-theres-malware-on-it-or-not/

Hacking / Malware / Cybercrime / Offense

• Cybercrime as a service is now a thing https://www.databreachtoday.com/cybercrime-markets-sell-access-to-hacked-sites-databases-a-11536
• Criminals phishing attacks replacing banking information https://www.darkreading.com/threat-intelligence/fbi-phishing-attacks-aim-to-swap-payroll-information/d/d-id/1332845
• Airline reward miles for sale on dark web https://www.zdnet.com/article/hackers-peddle-thousands-of-air-miles-on-the-dark-web-for-pocket-money/
• Malware on Nova Scotia Business Inc.’s website went unnoticed for up to 6 years https://globalnews.ca/news/4440761/malware-on-nsbi-website/
• Toronto Police Services are warning businesses about thieves stealing wireless payment terminals and using these for bank fraud http://www.torontopolice.on.ca/newsreleases/42129
• Amazon staff said to be taking bribes to leak data https://www.grahamcluley.com/amazon-staff-said-to-be-taking-bribes-to-leak-data/
• Students blamed for university and college cyber-attacks http://www.bbc.co.uk/news/education-45496714
• Mirai botnet authors cooperate in plea bargin to avoid jail https://krebsonsecurity.com/2018/09/mirai-botnet-authors-avoid-jail-time/

Other Security / Risk

• Excellent article on the implications of quantum computing to cryptography and what cryptography may look like in the future https://www.schneier.com/blog/archives/2018/09/quantumcomputi2.html
• The Deep Web vs the Dark Web https://www.cloudwards.net/the-deep-web/
• The WEF thinks that robots 'will create more jobs than they displace' http://www.bbc.co.uk/news/business-45545228
• Ottawa launches probe of cyber security https://www.theglobeandmail.com/politics/article-ottawa-launches-probe-of-cyber-security/
• Women CyberSecurity Society is a non-profit organization which provides support, information and resources to women with a vested interest in the field of cybersecurity  that can be found at https://www.linkedin.com/groups/8686540/
• Microsoft reveals train of mistakes that killed Azure in the South Central US 'incident' https://www.theregister.co.uk/2018/09/17/azureoutagereport/
• Opinion article on the balance of machine vs human decision making in cybersercurity https://www.csoonline.com/article/3305789/data-protection/cybersecurity-decisions-that-cant-be-automated.html
• Opinion article on big changes/disruption in outsourcing deals https://www.horsesforsources.com/third-deals-safe_091318
• Microsoft backs off from Windows 10 ‘warning’ about Chrome and Firefox https://www.theverge.com/2018/9/17/17868946/microsoft-windows-10-warning-prompt-chrome-firefox-test
• Apple is deleting purchased films from iTunes accounts https://www.forbes.com/sites/johnarcher/2018/09/13/apple-is-deleting-bought-films-from-itunes-accounts-and-dont-expect-a-refund/
• Deloitte sounds alarm about Canada’s ‘zombie’ companies https://business.financialpost.com/news/economy/deloitte-sounds-alarm-about-canadas-zombie-companies
• Canada's trans fat ban comes into effect https://www.ctvnews.ca/health/canada-s-trans-fat-ban-comes-into-effect-1.4096175
• With October 17th fast approaching, Canadians who smoke marijuana legally, or work or invest in the industry can be barred from the U.S. for life https://www.thestar.com/news/cannabis/2018/09/13/canadians-who-smoke-marijuana-legally-or-work-or-invest-in-the-industry-will-be-barred-from-the-us-customs-and-border-protection-official.html
• In related news, US Border officials may have access to your credit card history and cannabis purchases https://globalnews.ca/news/4461315/will-your-cannabis-credit-card-purchases-be-visible-to-u-s-border-officials-some-might-some-wont/
• Photos of a vanishing glacier https://www.businessinsider.com/photos-show-how-quickly-ice-is-disappearing-on-swiss-glaciers-2018-9
• Live demo of bombe breaking an enigma message started last friday https://www.theregister.co.uk/2018/09/19/tnmocbombeenigmacodebreaking_demo/ succeed in breaking the message https://www.theregister.co.uk/2018/09/21/enigmalivecrackhonourspoles/

Off-Topic / Science & Tech / Lighter Side

• Astronomers have found the universes missing (regular matter) using an interesting image stacking technique https://www.wired.com/story/astronomers-have-found-the-universes-missing-matt
• The closest exo-planet to us may yet have an atmosphere and oceans and we may be able to tell soon https://www.universetoday.com/139996/the-closest-planet-ever-discovered-outside-the-solar-system-could-be-habitable-with-a-dayside-ocean/
• The RemoveDebris project - a UK tests a satellite that captures space junk in a net http://www.bbc.co.uk/news/science-environment-45565815
• Fans of Star Trek may be interested in a recent exo-planet find https://www.syfy.com/syfywire/exoplanet-news-astronomers-have-found-vulcan