This Week’s [in]Security – Issue 84 | insecurity | Control Gap

Welcome to This Week’s [in]Security. This week: cashing out card-less ATMs, more evil shopping carts, breaches at Radisson, Jersey Islands, and Moscow. Big pre-GDPR fines, Stats Can, Facebook, friction-less captch, anniversary of the first "worm", BGP espionage, CRA scam arrests, voting machines, fake videos, and IoT.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

• Bank of America gets a patent on a device that stores cryptographic keys. It will be interesting to see what makes this special and non-obvious enough to patent https://bittmint.com/bank-america-wins-patent-device-stores-cryptographic-keys/1578/
• Criminals are exploiting card less ATMs and mobile phone phishing for profits https://krebsonsecurity.com/2018/11/sms-phishing-cardless-atm-profit/
• More examples of e-commerce supply chain JavaScript malware https://krebsonsecurity.com/2018/11/whos-in-your-online-shopping-cart/

Breaches / Leaks

• Breach of 80K Jersey islanders driver info https://jerseyeveningpost.com/news/2018/10/30/breach-affected-the-dvs-data-of-80000-islanders/
• Radisson Hotel Group suffers data breach, Radisson Rewards customer info leaked https://www.zdnet.com/article/radisson-hotel-group-chain-suffers-data-breach/
• Girl Scouts issues data breach warning to 2,800 members https://threatpost.com/girl-scouts-issues-data-breach-warning-to-2800-members/138640/
• Data breach affecting wealthy Moscow residents https://themoscowtimes.com/news/data-leak-affects-thousands-of-wealthy-moscow-residents-63399
• 20% of US consumers never return to breached brands https://www.infosecurity-magazine.com/news/fifth-consumers-never-return/
• 2018 health care breach trends https://www.databreachtoday.com/satori-botnets-alleged-developer-rearrested-a-11651
• 2018 so far: 8 companies fined nearly #280M under pre-GDPR rules!  https://www.csoonline.com/article/3316569/data-breach/biggest-data-breach-penalties-for-2018.html

Laws & Regulations / Standards

• DMCA exemptions for security researchers https://motherboard.vice.com/en_us/article/pa9jbg/feds-expand-security-researchers-ability-to-hack-without-going-to-jail

• Canada is reforming copyright act:

  • Rejecting statutory damages http://www.michaelgeist.ca/2018/10/copyrightboardreform/
  • Fixing abuses with the copyright notice on notice system http://www.michaelgeist.ca/2018/10/noticesystemfix/
  • Taking on patent trolls http://www.michaelgeist.ca/2018/10/takingonthetrolls/
• The death of a patent troll https://www.eff.org/deeplinks/2018/10/stupid-patent-month-how-34-patents-worth-1-led-hundreds-lawsuits

Privacy

• New privacy rules will force Canadian companies to disclose data breaches https://www.cbc.ca/news/business/pipeda-privacy-data-1.4886061
• Stats Canada secretly requesting banking information of 500K Canadians https://globalnews.ca/news/4599953/exclusive-stats-canada-requesting-banking-information-of-500000-canadians-without-their-knowledge/
• Personal data scooping by StatCan could threaten trade with Europe under tough new privacy rules https://globalnews.ca/news/4624369/statistics-canada-financial-data-scooping/
• Privacy watchdog to investigate StatsCan research into the banking habits of 500,000 Canadians https://www.thestar.com/amp/politics/provincial/2018/10/31/privacy-watchdog-to-investigate-statscan-research-into-the-banking-habits-of-500000-canadians.html
• Facebook's Zuckerberg summoned to appear before session of U.K., Canadian politicians https://www.cbc.ca/news/politics/canada-britain-zuckerberg-summons-1.4885397

Bugs / Design Flaws / Vulnerabilities / Defense

• Many Content Management System plugins are dangerously disabling TLS certificate validation https://www.zdnet.com/article/many-cms-plugins-are-disabling-tls-certificate-validation-and-thats-very-bad/
• More supply chain attacks in browser add-ons https://www.packetlabs.net/browser-addon-security/
• "Bleeding bit" attack affecting multiple enterprise access points with Bluetooth LE can compromise networks https://techcrunch.com/2018/11/01/bleedingbit-security-flaws-bluetooth-wireless-networks/
• New PortSmash hyper-threading side channel vulnerability can steal decryption keys if running on same CPU https://www.bleepingcomputer.com/news/security/new-portsmash-hyper-threading-cpu-vuln-can-steal-decryption-keys/
• Children’s toys and baby monitors can be taken over by hackers, security services warn https://www.independent.co.uk/news/uk/home-news/smart-toys-baby-monitors-internet-connected-hackers-cyber-attacks-guidance-ncsc-a8605346.html
• Facebook bug allowed anyone to be added as business account administrator  https://nakedsecurity.sophos.com/2018/10/31/how-one-man-could-have-taken-over-any-business-on-facebook/
• Insecure RF comms allow hijacking of construction cranes https://www.schneier.com/blog/archives/2018/10/securityvulner18.html
• Bug in systemd's IPv6 DHCP handling allows remote code execution https://www.theregister.co.uk/2018/10/26/systemddhcpv6rce/
• Google has a frictionless captcha https://security.googleblog.com/2018/10/introducing-recaptcha-v3-new-way-to.html
• Microsoft is now testing sandboxing Windows Defender, here's how to enable it sooner https://www.onmsft.com/news/microsoft-is-now-testing-sandboxing-windows-defender-heres-how-to-enable-it-sooner
• New hardware tech for better unclonable randomness boosts cryptography https://phys.org/news/2018-11-highly-physically-unclonable-cryptographic-primitives.html
• Six steps to reduce your breach risk https://www.forbes.com/sites/forbestechcouncil/2018/10/29/six-fixes-to-avoid-major-security-breaches-in-your-company/
• The CIA clandestine communications system breach started in Iran but it's root cause may be use beyond it's design purpose https://www.yahoo.com/amphtml/tech/cias-communications-suffered-catastrophic-compromise-started-iran-090018710.html
• On Nov 2, 1988 the "Morris Worm" replicated out of control.  While it had no malicious payload, it still managed to take down 10% of the Internet,  degraded much of the rest, and resulted in the creation of CERT. And it had no malicious payload.  https://www.zdnet.com/article/the-day-computer-security-turned-real-the-morris-worm-turns-30/

Hacking / Malware / Cybercrime / Offense

• China Telecom diverted internet traffic in U.S. and Canada for espionage https://www.theglobeandmail.com/politics/article-china-telecom-hijacked-internet-traffic-in-us-and-canada-report/
• Criminals reportedly put up private messages from 81,000 hacked Facebook accounts for sale http://www.bbc.co.uk/news/technology-46065796 and https://threatpost.com/facebook-blames-malicious-extensions-in-breach-of-81k-private-messages/138770/
• If terrorists launch a major cyberattack, we won’t see it coming https://www.theatlantic.com/international/archive/2018/11/terrorist-cyberattack-midterm-elections/574504/
• Cell phone security and prominent people https://www.schneier.com/blog/archives/2018/10/cellphonesecu_1.html
• Porn watching employee infects government network https://www.nextgov.com/cio-briefing/2018/10/porn-watching-employee-infected-government-networks-russian-malware-ig-says/152307/
• Paper argues the need for a comprehensive approach to cybercrime and punishment https://www.schneier.com/blog/archives/2018/11/howtopunish_c.html
• Police raid Indian call-centres linked to 'CRA phone scam' that has victimized Canadians https://www.cbc.ca/news/world/national-cra-india-rcmp-scam-1.4883796
• Satori botnet author re-arrested after botnet reawakens after his release  https://www.databreachtoday.com/satori-botnets-alleged-developer-rearrested-a-11651
• The Triton malware that attacked Saudia Arabia, thought to have been Iranian may have been Russian https://www.schneier.com/blog/archives/2018/10/wasthetriton_.html
• Mirai coauthor sentenced https://krebsonsecurity.com/2018/10/mirai-co-author-gets-6-months-confinement-8-6m-in-fines-for-rutgers-attacks/
• Spammers are using more file types in their email compromise attempts https://blog.trendmicro.com/trendlabs-security-intelligence/same-old-yet-brand-new-new-file-types-emerge-in-malware-spam-attachments/
• Canadian crypto exchange closes shop overnight - either hacked or an exit scam https://finance.yahoo.com/news/exit-scam-hack-canadian-crypto-exchange-appears-close-shop-overnight-181209067.html
• Canadian class action, courts approve $49.8M payout in CRT settlement https://www.ctvnews.ca/business/crt-settlement-courts-approve-49-8m-payout-in-electronics-class-action-1.4160613

Other Security / Risk

• More doubters on the Supermicro story - article and discussion https://www.schneier.com/blog/archives/2018/10/moreonthe_sup.html
• Bulletproof TLS Newsletter #46: update on the death of early TLS, explaining the TLS handshake in detail, and more https://www.feistyduck.com/bulletproof-tls-newsletter/issue46theendoftls10and11
• Using deep neural networks to hunt malicious TLS certificates https://techxplore.com/news/2018-10-deep-neural-networks-malicious-tls.html
• Detecting fake videos https://www.schneier.com/blog/archives/2018/10/detectingfake\.html
• Voting machine cheating https://freedom-to-tinker.com/2018/10/25/ten-ways-to-make-voting-machines-cheat-with-plausible-deniability/
• Buying used voting machines on eBay https://www.schneier.com/blog/archives/2018/11/buyingusedvot.html
• Survey of US state ID systems and discussion https://www.schneier.com/blog/archives/2018/10/idsystemsthro.html
• Facebook approved new political ads falsely attributed as 'paid for' by Cambridge Analytica https://www.businessinsider.com/facebook-approved-political-ads-paid-for-by-cambridge-analytica-2018-10
• IBM reportedly near deal to acquire Red Hat for $34B https://www.businessinsider.com/ibm-is-reportedly-nearing-a-deal-to-acquire-redhat-the-software-company-valued-at-20-billion-2018-10
• Windows 10’s Next Update Lets You Unpin Crapware Tiles  https://www.howtogeek.com/fyi/windows-10%e2%80%99s-next-update-lets-you-unpin-crapware-tiles-in-6-clicks/
• Bitcoin mining alone could raise global temperatures above critical limit by 2033 https://motherboard.vice.com/en_us/article/neganb/bitcoin-mining-could-raise-global-temperatures-by-2-c
• Don't be taken in by anti-vaccine myths on social media' https://www.bbc.com/news/health-45990874

Off-Topic / Science & Tech / Lighter Side

• Astronomy photographer of the year 2018 and runner up photos http://www.bbc.co.uk/news/in-pictures-45978380
• Video showing the scale of stars using a tennis ball size Earth and New York city https://www.syfy.com/syfywire/a-sense-of-scale-vfx-artist-shows-you-how-big-the-biggest-stars-are