This Week’s [in]Security – Issue 79 | insecurity | Control Gap

Welcome to This Week’s [in]Security. This week:  Facebook's terrible week - 1 tiny step forward and 3 major leaps backwards, highlights from the annual PCI meeting, the 2018 Verizon Payment Security Report,  welcome to the twice breached club, GDPR and British Airways, Uber fined, California's IoT law, 762 bit number factored, and Visa's Certificate Authority is in trouble.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

• News from the North American PCI Community Meeting last week in Las Vegas

  • Update on the state of the Council https://blog.pcisecuritystandards.org/state-of-the-pci-security-standards-council
  • How Innovation is Changing Payment Security (and Standards) https://blog.pcisecuritystandards.org/how-innovation-is-changing-payment-security-and-standards
  • How Industry Collaboration and Feedback Shapes PCI SSC Programs https://blog.pcisecuritystandards.org/how-industry-collaboration-and-feedback-shapes-pci-ssc-programs
  • Next steps for the P2PE Standard include v3.0 update in 2019Q4 https://blog.pcisecuritystandards.org/whats-next-for-the-pci-p2pe-standard
  • Reflection on the 2018 Payment Security Report https://blog.pcisecuritystandards.org/council-cto-on-verizons-2018-payment-security-report
• Verizon's 2018 Payment Security Report looks at PCI compliance, control maturity, resilience, and lifecycle. It finds that a large percentage of organizations fail in maintaining compliance and still treat PCI as an annual project http://www.verizonenterprise.com/verizon-insights-lab/payment-security/2018/

Breaches / Leaks

• Facebook breach

  • "Access Tokens" exposed for 53M users  via flawed "view as" feature and impacts a further 40M user accounts https://www.nytimes.com/2018/09/28/technology/facebook-hack-data-breach.html
  • Krebs on the breach https://krebsonsecurity.com/2018/09/facebook-security-bug-affects-90m-users/
  • Facebook hack exploited multiple bugs and put many other applications that use Facebook logins at risk https://www.forbes.com/sites/thomasbrewster/2018/09/29/how-facebook-was-hacked-and-why-its-a-disaster-for-internet-security/
• A penny in the air - what will British Airways GDPR breach costs be? https://www.pymnts.com/news/security-and-risk/2018/gdpr-fines-british-airways-lawsuits-compliance/
• Uber pays $148m over data breach cover-up http://www.bbc.co.uk/news/technology-45666280
• State Department confirms data breach exposed employee data on unclassified email systems believed to be Office 365 https://techcrunch.com/2018/09/18/state-department-confirms-data-breach-exposing-employee-data/
• Twitter bug results in 3M+ users' direct messages being sent to unintended recipients for 16 months https://www.databreachtoday.com/twitter-bug-sent-direct-messages-to-external-developers-a-11545
• UnityPoint suffers 2nd phishing breach this year adding 1.4M records including payment data https://www.packetlabs.net/unitypoint-health-breach/
• UN mis-configures Jira and Google Docs and exposes passwords and other sensitive information https://theintercept.com/2018/09/24/united-nations-trello-jira-google-docs-passwords/
• Breach investigations from a Police Detectives point of view https://www.databreachtoday.com/breach-investigations-detectives-view-a-11550

Laws & Regulations / Standards

• Why hacking back is a colossally bad idea https://www.darkreading.com/threat-intelligence/hacking-back-simply-a-bad-idea/a/d-id/1332856
• Credit freezes are now free in the US https://krebsonsecurity.com/2018/09/credit-freezes-are-free-let-the-ice-age-begin/
• Vermont's nrew data privacy law https://www.eff.org/deeplinks/2018/09/vermonts-new-data-privacy-law
• Article about research on PKCS#1 v1.5 Signature Schemes https://www.schneier.com/blog/archives/2018/09/evidenceforth.html
• The major tech companies are endorsing a federal privacy law possibly hoping to stave off California's stricter law https://www.schneier.com/blog/archives/2018/09/majortechcomp.html

• NIST releases several documents/tools this week:

  • Draft Methodology for Determining Forensic Data Requirements for Detecting Hypervisor Attacks - update: https://csrc.nist.gov/news/2018/nist-releases-draft-nistir-8221-for-comment and details: https://csrc.nist.gov/publications/detail/nistir/8221/draft
  • Draft Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks - update:  and ttps://csrc.nist.gov/news/2018/nist-releases-draft-nistir-8228-for-comment details: https://csrc.nist.gov/publications/detail/nistir/8228/draft
  • An easily accessible online glossary https://csrc.nist.gov/glossary to users understand terminology, recognize when and where multiple definitions may exist, and identify a definition that they can use - details https://csrc.nist.gov/publications/detail/nistir/7298/rev-3/draft and upate https://csrc.nist.gov/News/2018/nist-releases-draft-nistir-7298-rev-3-for-comment

Privacy

• Facebook had a big week even without the breach

  • Users security phone number was tapped to push ads https://www.eff.org/deeplinks/2018/09/you-gave-facebook-your-number-security-they-used-it-ads
  • The “custom audience" feature relies on shadow contact information about you - the problem is you can't see it or even find out if they have it https://gizmodo.com/facebook-is-giving-advertisers-access-to-your-shadow-co-1828476051
  • A GDPR notice from July came to light last week over the previous Facebook/AIQ related events https://www.zdnet.com/article/uk-issues-first-ever-gdpr-notice-in-connection-to-facebook-data-scandal/
  • Warnings issued to police over the use of fake accounts was largely overshadowed https://www.eff.org/deeplinks/2018/09/facebook-warns-memphis-police-no-more-fake-bob-smith-accounts
• B.C. privacy officials look into last week's data breach involving bankrupt computer retailer NCIX https://www.theglobeandmail.com/canada/british-columbia/article-bc-privacy-officials-look-into-data-breach-involving-bankrupt/
• A glaring whole in Internet Privacy is fixed by TLS 1.3 Encrypted Server Name Indication. And it's now supported by CloudFlare https://blog.cloudflare.com/encrypted-sni/ and https://blog.cloudflare.com/encrypted-sni/
• Privacy experts say choosing life insurance tied to fitness tracking could have unintended consequences https://www.cbc.ca/news/business/privacy-life-insurance-john-hancock-1.4833193
• Google says it continues to allow apps to scan Gmail account data https://www.wsj.com/articles/google-says-it-continues-to-allow-apps-to-scan-data-from-gmail-accounts-1537459989
• Tech giants data sharing shouldn't be called a privacy policy https://www.nytimes.com/2018/09/22/sunday-review/privacy-hearing-amazon-google.html
• Watchdog slams government's 'slow to non-existent' action to protect Canadians' privacy https://www.cbc.ca/news/politics/privacy-commissioner-therrien-report-2018-1.4840544
• A window into your life': Why smart home devices might be putting your privacy at risk https://www.cbc.ca/news/technology/smart-home-hack-marketplace-1.4837963
• California just became the first state with an Internet of Things cyber-security https://www.theverge.com/platform/amp/2018/9/28/17874768/california-iot-smart-device-cybersecurity-bill-sb-327-signed-law
• Analysis of California's connected device privacy bill https://freedom-to-tinker.com/2018/09/21/thoughts-on-californias-proposed-connected-device-privacy-bill-sb-327/

Bugs / Design Flaws / Vulnerabilities / Defense

• Schneier on recent cold boot attacks https://www.schneier.com/blog/archives/2018/09/newvariantsof.html
• Microsoft updates have been disabling BitLocker https://www.theregister.co.uk/2018/09/25/bitlockersuspensionpatching_mystery/

Hacking / Malware / Cybercrime / Offense

• Secret Service warns of attacks on ATMs - look for evidence of a concealed hole cut in the front https://krebsonsecurity.com/2018/09/secret-service-warns-of-surge-in-atm-wiretapping-attacks/
• Where there are disasters, the scammers will come https://krebsonsecurity.com/2018/09/beware-of-hurricane-florence-relief-scams/
• Security researcher fined for hacking hotel Wi-Fi and putting passwords on the internet didn't get permission and is lucky not to be in prison https://www.zdnet.com/article/security-researcher-fined-for-hacking-hotel-wifi-and-putting-passwords-on-the-internet/
• WordPress site hijacking campaign selling backdoor access to thousands of sites https://www.zdnet.com/article/thousands-of-wordpress-sites-backdoored-with-malicious-code/
• RCMP and privacy commissioner probe last weeks' alleged NCIX data breach https://www.cbc.ca/news/canada/british-columbia/ncix-breach-probe-1.4833976
• A single account compromise at an unnamed "major university" in the UK led to a large-scale phishing attack https://www.theregister.co.uk/2018/09/24/unsophisticatedemailtakeovers/
• LoJack hijacked by Russia's Fancy Bear to make a UEFI (modern BIOS) rootkit that evades software defenses https://www.theregister.co.uk/2018/09/28/uefirootkitapt28/
• Port of San Diego suffers cyber-attack, second port in a week after Barcelona https://www.zdnet.com/article/port-of-san-diego-suffers-cyber-attack-second-port-in-a-week-after-barcelona/
• Thieves caught hours after stealing GPS tracking devices from tech company https://www.nbc4i.com/news/u-s-world/thieves-caught-hours-after-stealing-gps-tracking-devices-from-tech-company/1064820202

Other Security / Risk

• DefCon Voting Village report: Bug in one system could “flip Electoral College” https://arstechnica.com/information-technology/2018/09/e-voting-researchers-warn-of-hack-that-could-flip-the-electoral-college/
• Bulletproof TLS #45 Visa's Certificate Authority is in trouble over irregularities, 762 bit RSA Challenge number factored, and more   https://www.feistyduck.com/bulletproof-tls-newsletter/issue45visacertificateauthorityintrouble
• NICE is having a conference and expo about "Innovations In Cybersecurity Education, Training, And Workforce Development" in Miami, Florida on November 6-7, 2018 https://www.niceconference.org/conference
• NIST's 2018 Cybersecurity Risk Management Conference will be held in Baltimore, MD on November 7-9 https://www.nist.gov/news-events/events/2018/11/nist-cybersecurity-risk-management-conference
• The risk of not-having a US cyber-czar https://www.theregister.co.uk/2018/09/27/usgoveyesoffthecybersecurity_prize/
• Federal workers cited 3,075 times for lapses in document security https://www.cbc.ca/news/politics/security-sweep-pspc-privacy-1.4833551
• Poor personal cyber hygiene is putting your fellow Canadians at risk https://ipolitics.ca/article/poor-personal-cyber-hygiene-is-putting-your-fellow-canadians-at-risk/
• Troy Hunt talks about using a Pi-Hole for blocking unwanted content https://www.troyhunt.com/mmm-pi-hole/
• Article and discussion on NIST study claiming a $250B benefit from AES https://www.schneier.com/blog/archives/2018/09/aesresultedin.html
• Using Wi-Fi to count people behind walls https://www.schneier.com/blog/archives/2018/09/counting_people.html
• How can smart contracts be scaled https://freedom-to-tinker.com/2018/09/24/how-can-we-scale-private-smart-contracts-ed-felten-on-arbitrum/
• Gene editing wipes out malaria mosquitoes in the lab https://www.bbc.com/news/science-environment-45628905

Off-Topic / Science & Tech / Lighter Side

• Hopping robots on an asteroid https://www.syfy.com/syfywire/robots-are-now-hopping-around-on-the-surface-of-an-asteroid