This Week’s [in]Security – Issue 81 | insecurity | Control Gap

Welcome to This Week’s [in]Security. This week: a £120K USB stick, Google+ shuts down after breach, a very rare public admission of non-compliance with PCI, Facebook's troubles continue, outlawing weak passwords, controversial and conflicting stories about Chinese spy chips,  shaming bad IoT, distrusting AIs, and creepy elevators.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

• A very rare public admission of organizations failing PCI DSS https://www.cbc.ca/news/politics/security-data-shared-services-it-1.4848688

  • While there aren't public records of compliant merchants, both Visa and MasterCard do keep public registries of compliant service providers to assist organizations with due diligence: https://www.visa.com/splisting/searchGrsp.do and https://www.mastercard.us/en-us/merchants/safety-security/security-recommendations/service-providers-need-to-know.html

Breaches / Leaks

• Google+ social site being shut down after data on 500K users exposed https://www.reuters.com/article/us-google-data/google-exposed-user-data-feared-repercussions-of-disclosing-to-public-wsj-idUSKCN1MI1WM
• Experian leaks credit freeze account recovery PINs https://www.theregister.co.uk/2018/10/10/experiancreditpins/
• The Apollo breach announced last week exposed 126M email addresses and associate PII https://haveibeenpwned.com/PwnedWebsites#Apollo

• Facebook updates:

  • Are Facebook's breach, privacy troubles, and fix attempts to blame for loosing 30% of its value since July https://www.cnn.com/2018/10/11/tech/facebook-stock-dip/index.html
  • Hackers accessed personal information of 30 million Facebook users https://www.cnn.com/2018/10/12/tech/facebook-hack-personal-information-accessed/index.html
  • Facebook hack victims will not get ID theft protection http://www.bbc.co.uk/news/technology-45845431
• Heathrow fined £120K for 2017 USB stick data breach http://www.bbc.co.uk/news/business-45785227
• Breach Level Index report on 2018H1 shows fewer but worse breaches over 2017 945 incidents for 4.5B records https://breachlevelindex.com/ and report https://breachlevelindex.com/request-report, archive available at https://breachlevelindex.com/data-breach-library

Laws & Regulations / Standards

• California to outlaw weak passwords in 2020 http://www.bbc.co.uk/news/technology-45757528

Privacy

• Google iPhone data privacy case blocked by High Court http://www.bbc.co.uk/news/technology-45784852
• Google restricts which Android apps can request Call Log and SMS permissions https://www.zdnet.com/article/google-restricts-which-android-apps-can-request-call-log-and-sms-permissions/
• Google Chrome now forcing logins raises privacy concerns https://blog.cryptographyengineering.com/2018/09/23/why-im-leaving-chrome/
• Creepy elevators use cameras to target ads https://www.680news.com/2018/10/11/riding-the-elevator-with-big-brother-how-digital-displays-in-your-condo-are-targeting-you-with-ads/
• Seriously? Facebook wants to put cameras in your home https://motherboard.vice.com/en_us/article/8xjke5/facebook-knows-you-dont-want-to-trust-its-portal-camera

Bugs / Design Flaws / Vulnerabilities / Defense

• Microsoft pulls Windows 10 October 2018 Update after reports of documents being deleted https://www.theverge.com/platform/amp/2018/10/6/17944966/microsoft-windows-10-october-2018-update-documents-deleted-issues-windows-update-paused
• Microsoft’s explanation of what went wrong https://blogs.windows.com/windowsexperience/2018/10/09/updated-version-of-windows-10-october-2018-update-released-to-windows-insiders
• 8 year old Exchange vulnerability patched https://www.theregister.co.uk/2018/10/09/octoberpatchtuesday/
• Privacy commissioner calling on wireless networks to plug security gap due to SS7 flaw https://www.cbc.ca/news/politics/therrien-cellphone-hacking-ss7-1.4843097
• Preventing the weaponizing of your HR process https://www.packetlabs.net/job-application-security/

• World's largest CCTV maker leaves at least 9 million cameras open to public viewing https://www.theregister.co.uk/2018/10/09/xiongmaicctvfail/

  • Naming and shaming Xiongmai’s bad IoT devices and their resellers https://krebsonsecurity.com/2018/10/naming-shaming-web-polluters-xiongmai/
• Major WhatsApp bug patched https://www.theregister.co.uk/2018/10/09/whatsapppatchessecurity_bug/
• Report on 2017 vulnerability (CWE) analysis of thousands of .Net and Java EE business applications by language and industry https://content.castsoftware.com/cast-research-2017-trend-on-application-software-security

Hacking / Malware / Cybercrime / Offense

• Magecart ecommerce skimmer injected into the “Shopper Approved” plugin https://www.theregister.co.uk/2018/10/09/magecartpaymentcard_malware/

  • Magecart using evasion tricks https://gwillem.gitlab.io/2018/10/04/magecart-tripwire/

• Last week’s story about Chinese hardware implants story has generated a lot of follow-on and controversy

  • Apple's response to Bloomberg Businessweek https://www.apple.com/newsroom/2018/10/what-businessweek-got-wrong-about-apple/
  • China wasn’t just attacking hardware https://www.bloomberg.com/news/articles/2018-10-04/the-big-hack-the-software-side-of-china-s-supply-chain-attack
  • New evidence of modified Supermicro hardware found in U.S. Telecom https://www.bloomberg.com/news/articles/2018-10-09/new-evidence-of-hacked-supermicro-hardware-found-in-u-s-telecom
  • Security researcher source in Supermicro chip hack report casts doubt on original story https://www.zdnet.com/article/security-researcher-cited-in-supermicro-chip-hack-investigation-casts-doubt-on-story/
  • First Amazon and Apple, now US and UK Governments deny Supermicro story https://www.infosecurity-magazine.com/news/us-uk-governments-back-denial/
  • Active debate ongoing over Bloomberg’s Chinese microchip stories https://motherboard.vice.com/en_us/article/qv9npv/bloomberg-china-supermicro-apple-hack
  • Krebs on this and other supply chain attacks https://krebsonsecurity.com/2018/10/supply-chain-security-is-the-whole-enchilada-but-whos-willing-to-pay-for-it/
  • An analysis of the available information suggests the attack is plausible https://www.lightbluetouchpaper.org/2018/10/05/making-sense-of-the-supermicro-motherboard-attack/
  • Congress investigates https://thehill.com/policy/technology/410656-a-top-senate-republican-wants-apple-amazon-super-micro-to-give-briefing-on
  • Two congressmen have 8 questions for SuperMicro https://9to5mac.com/2018/10/10/spy-chip-story/
  • Schneier on this story including a lively discussion of the plausibility and accuracy of the story as well as the reliability of the journalists https://www.schneier.com/blog/archives/2018/10/another_bloombe.html
  • Supermicro's boards were so vulnerability ridden, why would hackers ever need implants? https://arstechnica.com/information-technology/2018/10/supermicro-boards-were-so-bug-ridden-why-would-hackers-ever-need-implants/
• Russian spies caught in the act and exposed by Dutch government https://www.washingtonpost.com/opinions/global-opinions/russian-hackers-were-caught-in-the-act--and-the-results-are-devastating/2018/10/05/5e72495a-c8b5-11e8-b1ed-1d2d65b86d0c_story.html
• Business Email Compromise is getting easier and cheaper https://www.bankinfosecurity.com/ceo-fraud-barriers-to-entry-falling-security-firm-warns-a-11585
• Most malware arrives by email - article and link to study https://www.darkreading.com/attacks-breaches/most-malware-arrives-via-email/d/d-id/1333023
• Prolific SIM swapper suspected of stealing $14M in crypto currency arrested https://motherboard.vice.com/en_us/article/7x3may/cops-arrest-sim-swapper-14-million-cryptocurrency
• Last year’s theft of $11.8M from MacEwan University started with a simple forged email and poor controls https://www.thestar.com/edmonton/2018/10/09/how-a-fraudster-got-12-million-out-of-a-canadian-university-they-just-asked-for-it.html
• Canadian teen charged in U.S. swatting incident https://www.cbc.ca/news/canada/ottawa/picton-teen-charged-swatting-u-s-1.4850374

Other Security / Risk

• Cybersecurity isn't being taken seriously enough: MIT professor https://www.cnbc.com/amp/2018/10/09/cybersecurity-isnt-being-taken-seriously-enough-mit-professor.html
• New head of Canadian Centre for Cyber Security warns many countries prepared to take advantage of cyber as a tool both to steal secrets and to manipulate societies https://globalnews.ca/news/4521690/canadian-cyber-threat-russia-interference/
• Schneier on the new US cyber strategy https://www.schneier.com/blog/archives/2018/10/theusnational.html
• Article and discussion on the GAO report on security vulnerabilities in US weapons systems https://www.schneier.com/blog/archives/2018/10/securityvulner17.html
• Even the best AI for spotting fake news is still terrible https://www.technologyreview.com/s/612236/even-the-best-ai-for-spotting-fake-news-is-still-terrible/
• Troy Hunt on cloud coding and breaking Azure https://www.troyhunt.com/breaking-azure-functions-with-too-many-connections/
• Amazon built an AI to hire people and ultimately killed it because they couldn't trust it not to discriminate  http://www.businessinsider.com/amazon-built-ai-to-hire-people-discriminated-against-women-2018-10
• A deep dive on the Wireless Emergency Alert system (WEA) https://freedom-to-tinker.com/2018/10/09/disaster-information-flows-a-privacy-disaster/ (for Canadians the linked SNL skit can be found at https://www.globaltv.com/saturdaynightlive/video/webisode/emergency-alert/video.html?v=1338731587686 )
• IMF cuts forecast for global growth for first time in two years as trade war takes toll https://business.financialpost.com/news/economy/imf-cuts-forecast-for-global-growth-as-trade-war-takes-toll
• The cryptocurrency Industry may be on ‘Brink of an Implosion, https://www.bloomberg.com/news/articles/2018-10-09/bitcoin-on-the-brink-of-an-implosion-researcher-juniper-says
• Interesting article about college essays, helicopter parents, periods with two spaces, style, and detecting cheating https://www.nytimes.com/2018/10/03/well/family/how-i-know-you-wrote-your-kids-college-essay.html
• Microsoft Releases MS-DOS Source Code on GitHub https://news.softpedia.com/news/microsoft-releases-ms-dos-source-code-on-github-522998.shtml

Off-Topic / Science & Tech / Lighter Side

• More free courses https://medium.freecodecamp.org/190-universities-just-launched-600-free-online-courses-heres-the-full-list-3d9ad7895f57
• Soyuz escape system works after booster malfunctions 90 seconds into launch https://www.bbc.com/news/world-europe-45822845
• Evidence mounts for an exo-moon orbiting a planet in a star system 8000 ly away https://www.syfy.com/syfywire/more-evidence-piles-up-that-were-seeing-an-exomoon-orbiting-an-alien-world
• There’s been a rash of recent articles claiming scientists will accidentally make a black hole that will devour the Earth, they’re rubbish and here’s why https://www.forbes.com/sites/startswithabang/2018/10/08/for-the-last-time-the-lhc-will-not-make-an-earth-swallowing-black-hole/
• Possible breakthrough in fusion reactor design https://scienmag.com/a-new-path-to-solving-a-longstanding-fusion-challenge/
• The solving of the quantum verification problem https://www.quantamagazine.org/graduate-student-solves-quantum-verification-problem-20181008/