This Week’s [in]Security – Issue 85 | insecurity | Control Gap

Welcome to This Week’s [in]Security. This week: breaches at FIFA, AMEX, Bankers Life, Ontario Cannabis Store/Canada Post, and HSBC,  warning about un-certified payment terminals, SEC has a new set of teeth, Stat's Canada data grab update, Consumer's Reports looks at IoT security, new laws in New Hampshire and Ohio, jailing CEOs, SSD encryption failure, more Magecart and other supply side scripting attacks, election security, and Remembrance Day.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

• Bulletin on purchasing approved (PTS) devices - it would seem that some terminals were sold that did not match with all PTS approval data https://www.pcisecuritystandards.org/pdfs/BulletinonpurchasingPCIapproveddevices6Nov2018.pdf
• PCI Participating Organizations can vote for the Board of Advisors until Nov. 16th https://blog.pcisecuritystandards.org/vote-now-for-the-2019-2020-pci-ssc-board-of-advisors
• For a detailed analysis of PCI DSS 3.2 to 3.2.1 see https://controlgap.com/blog/pci-dss-v3-2-1-what-you-need-to-know-to-stay-pci-compliant
• Updated index of all the PCI FAQ's https://controlgap.com/index-pci-frequently-asked-questions/, added new PCI Forensic FAQ #1459 https://pcissc.secure.force.com/faq/articles/FrequentlyAskedQuestion/Where-should-reports-be-sent-when-the-PFI-investigation-has-concluded-there-is-no-evidence-of-a-breach 
• Magecart infiltrates U.K. online retailer Kitronik payment system https://www.scmagazine.com/home/security-news/uk-online-retailer-kitronik/
• Survey on rising card fraud perpetuates the mistake that EMV should fix all card fraud. Notable points include fallback stripes are still a problem, card-not-present fraud on the rise. Notable mistake equating EMV and end-to-end encryption.   https://geminiadvisory.io/card-fraud-on-the-rise/
• Ingenico Sacks Its CEO As It Considers ‘Strategic Options’ http://www.digitaltransactions.net/ingenico-sacks-its-ceo-as-it-considers-strategic-options/

Breaches / Leaks

• FIFA has been hacked again for 70M documents  comprising 3.4TB of data https://nakedsecurity.sophos.com/2018/11/05/fifa-hacked-again-is-leaking-like-a-sieve/
• Data of nearly 700,000 Amex India customers exposed via unsecured MongoDB server https://www.zdnet.com/google-amp/article/data-of-nearly-700000-amex-india-customers-exposed-via-unsecured-mongodb-server/
• Half a Million People Potentially Affected by Data Breach at Bankers Life https://www.tripwire.com/state-of-security/security-data-protection/half-a-million-people-potentially-affected-by-data-breach-at-bankers-life/
• Geo News: Over 19,000 card details from 22 Pakistani banks stolen in cyber-security breach. https://www.geo.tv/latest/217471-cyber-attack-on-pakistani-banks-what-we-know-so-far
• PII for 4500 Ontario Cannabis Store customers breached via Canada Post order tracking system discovered November 1.  This occurred 2 weeks after OCS's go-live and the same day as new Canadian Breach Notification goes into effect. Implications to other Canada Post customers are unclear. https://globalnews.ca/news/4639742/ocs-canada-post-hacked/
• HSBC suffers breach via credential stuffing attack https://www.theregister.co.uk/2018/11/06/hsbcsecuritybroken/ and https://www.infosecurity-magazine.com/news/hsbc-accounts-breached/
• Hong Kong privacy watchdog to investigate Cathay Pacific over massive data breach https://www.cnbc.com/2018/11/06/hong-kong-watchdog-to-investigate-cathay-pacific-over-data-breach.html
• Breach penalty include restriction on doing business in New Jersey https://www.databreachtoday.com/breach-settlement-has-unusual-penalty-a-11669

Laws & Regulations / Standards

• CRTC chair suggest weakening of Canadian net neutrality http://www.michaelgeist.ca/2018/11/crtc-chair-opens-the-door-to-weakening-canadian-net-neutrality-rules/
• Why Canadian copyright law doesn't need new Internet injunctions http://www.michaelgeist.ca/2018/11/no-need-for-new-internet-injunctions-why-canadian-copyright-law-already-provides-rights-holders-with-the-legal-tools-they-need/
• Supreme Court rejects industry challenge of 2015 net neutrality rules - lawsuits may proceed https://arstechnica.com/tech-policy/2018/11/supreme-court-wont-rule-on-legality-of-obama-era-net-neutrality-rules/
• New Hampshire voters approved a ballot measure that guarantees a constitutional right to information privacy in the state https://epic.org/2018/11/new-hampshire-voters-establish.html
• Ohio bill lets companies avoid compensating breach victims https://www.privacyrights.org/blog/new-ohio-bill-leaves-residents-unprotected
• Proposed bill would require transparency reports and would see CEOs jailed for falsifying them https://www.cnet.com/news/senator-introduces-privacy-law-draft-that-could-put-ceos-in-jail-for-data-breaches/
• Voya Financial Advisors fined $1M for violating the SEC identity theft red flag rule https://www.investmentnews.com/article/20180928/FREE/180929916/sec-adds-cybersecurity-bite-to-its-bark
• $2.7M fine for operators of Airbnb ‘illicit hotel’ scheme in San Francisco https://www.washingtonpost.com/nation/2018/11/06/how-eight-identical-apartments-ended-an-airbnb-illicit-hotel-scheme-san-francisco/
• NIST releases draft Internal Report (NISTIR) 8219, “Securing Manufacturing Industrial Control Systems: Behavioral Anomaly Detection” for public comment until December 6, 2018. Details: https://csrc.nist.gov/publications/detail/nistir/8219/draft and homepage: https://www.nccoe.nist.gov/projects/use-cases/capabilities-assessment-securing-manufacturing-industrial-control-systems

Privacy

• British watchdog finds Cambridge Analytica and Brexit financier misused private data https://www.nytimes.com/2018/11/06/technology/cambridge-analytica-arron-banks.html

• Statistics Canada

  • Failed to disclose key info about project to harvest bank data https://globalnews.ca/news/4644041/statistics-canada-failed-to-disclose-key-info-about-project-to-harvest-bank-data/
  • Plan to harvest Canadians' private banking info on hold https://www.ctvnews.ca/politics/statcan-s-plan-to-harvest-canadians-private-banking-info-on-hold-1.4169020
• Paper on the Privacy and Security of Data at Universities https://www.schneier.com/blog/archives/2018/11/privacyandsec.html
• Smart TV's are collecting tracking data on everything you watch, play and use your screen for https://www.nytimes.com/2018/07/05/business/media/tv-viewer-tracking.html/

Bugs / Design Flaws / Vulnerabilities / Defense

• Flaws found in SSD encryption mechanisms, in some cases Bitlocker relies upon the hardware  https://medium.com/asecuritysite-when-bob-met-alice/doh-what-my-encrypted-drive-can-be-unlocked-by-anyone-a495f6653581
• Consumer Reports reviews wireless home-security cameras - including their security https://www.schneier.com/blog/archives/2018/11/consumerreport1.html
• Exploit developer discovers security vulnerability in VirtualBox and publishes a full guide to exploiting it https://betanews.com/2018/11/07/virtualbox-exploit/
• Georgia patches disclosure bug in voter website https://www.databreachtoday.com/georgia-patches-voter-website-but-hacking-accusation-stands-a-11679
• FDA ramps up medical device cybersecurity after critisims https://www.databreachtoday.com/fda-reacts-to-critique-medical-device-security-strategy-a-11689
• IBM Watson will be used by NIST to assign CVSS scores to vulnerabilities https://securityaffairs.co/wordpress/77710/security/nist-ai-cvss-scores.html
• iOS 12.1 Facetime exploit exposes contact information https://www.schneier.com/blog/archives/2018/11/ios121vulnera.html
• Users with bad password practices must share blame for "hacks" https://www.troyhunt.com/when-accounts-are-hacked-victims-must-share-the-blame/
• US Cyber-command is now sending nation state malware to Virus Total  https://threatpost.com/pentagon-draws-back-the-veil-on-apt-malware-with-sudden-embrace-of-virustotal/138954/
• Another Microsoft update bug, this one invalidates your activation license https://www.forbes.com/sites/gordonkelly/2018/11/08/microsoft-windows-10-update-problem-crash-windows-10-home-pro-downgrade/

Hacking / Malware / Cybercrime / Offense

• 95% of IT security professionals underestimate phishing risks https://betanews.com/2018/11/08/95-percent-of-it-security-professionals-underestimate-phishing-risks/
• Bug bounty researcher was exploiting his own findings for criminal profit https://krebsonsecurity.com/2018/11/bug-bounty-hunter-ran-isp-doxing-service/
• Krebs talks to California Cybercops going after SIM swappers https://krebsonsecurity.com/2018/11/busting-sim-swappers-and-sim-swap-myths/
• US Postal Service Informed Delivery being abused by criminals https://krebsonsecurity.com/2018/11/u-s-secret-service-warns-id-thieves-are-abusing-uspss-mail-scanning-service/
• Meaner, more violent Stuxnet variant reportedly hits Iran https://www.csoonline.com/article/3318565/security/meaner-more-violent-stuxnet-variant-reportedly-hits-iran.html
• Criminals breach StatCounter to hijack Bitcoin transactions on Gate.io exchange https://www.zdnet.com/article/hackers-breach-statcounter-to-hijack-bitcoin-transactions-on-gate-io-exchange/
• EPIC seeks report on Russian Election Interference https://epic.org/2018/11/epic-seeks-special-counsel-rep.html
• Cisco accidentally released Dirty CoW exploit code in software https://threatpost.com/cisco-accidentally-released-dirty-cow-exploit-code-in-software/138888/

Other Security / Risk

• Troy Hunt on why the utility of passwords hasn't been swept aside by new tech https://www.troyhunt.com/heres-why-insert-thing-here-is-not-a-password-killer/
• Demand for Cybersecurity professionals accelerating https://content.govdelivery.com/accounts/USNIST/bulletins/21a17c6
• More on Verizon's throttling firefighters https://www.eff.org/deeplinks/2018/11/unresolved-issue-verizon-throttling-santa-claras-fire-department-shows-why-isps
• Some hidden risks of ride sharing https://www.economist.com/finance-and-economics/2018/11/03/the-social-costs-of-ride-hailing-may-be-larger-than-previously-thought
• Article on cheating with paper ballots https://freedom-to-tinker.com/2018/11/01/cheating-with-paper-ballots/
• Article on verifiable elections https://freedom-to-tinker.com/2018/11/05/end-to-end-verifiable-elections/
• Deepfake-busting apps can spot even a single pixel out of place https://www.technologyreview.com/s/612357/deepfake-busting-apps-can-spot-even-a-single-pixel-out-of-place/
• Dogs as medical diagnosticians? https://www.theguardian.com/technology/2018/nov/04/five-diseases-that-dogs-can-detect

Off-Topic / Science & Tech / Lighter Side

• NASA shoots first 8K video of Earth https://www.cnn.com/videos/world/2018/11/06/nasa-8k-resolution-iss-orig.cnn
• Art meets "hacked" street signs https://www.bbc.com/news/uk-scotland-edinburgh-east-fife-46139025
• Good news on the environmental front, the Earth's Ozone layer is recovering https://www.bbc.com/news/newsbeat-46107843
• After Vimy, Canada's army was ferocious in the last 100 days of World War I engaging 1/4 of the German army and making huge gains https://nationalpost.com/news/canada/canada-at-its-deadliest-the-epic-war-winning-battle-youve-never-heard-of