This Week’s [in]Security – Issue 86 | insecurity | Control Gap

Welcome to This Week’s [in]Security. This week: PCI compliance rates falling, DNA site breach of credentials, Jira AWS leak, IoT security regulation, problems with corporate auditing, DHS creates CISA, more Facebook fallout continues, new FACEbook security bug, ironic GPDR plugin compromised, Meltdown and Spectre-palooza, ATM hacking, a plague of  Magecart compromises,  new AWS security controls, browser add-ons and content security policies (CSP), swatter gets over 20 years, and ballot design issues.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

• PCI DSS compliance rates are falling off https://www.computerweekly.com/news/252449280/PCI-DSS-compliance-falls-despite-security-benefit
• Russian banks get ready for contact-less ATMs; MIR cards go international https://www.finextra.com/newsarticle/32957/russian-banks-get-ready-for-contactless-atms-mir-cards-go-international-with-ingenico

Breaches / Leaks

• File containing 92M email addresses and encrypted passwords belonging to DNA website MyHeritage found in the wild https://www.bloomberg.com/news/articles/2018-06-05/hack-of-dna-website-exposes-data-from-92-million-user-accounts
• Fitness app PumpUp leaked health data, private messages https://www.zdnet.com/article/fitness-app-pumpup-leaked-health-data-private-messages/
• Update on Healthcare.gov breach provides more details on stolen information https://www.databreachtoday.com/update-healthcaregov-breach-exposed-extensive-data-a-11698
• Update on Nordstrom employee data breach blames contractor https://www.databreachtoday.com/nordstrom-blames-breach-employee-data-on-contractor-a-11701
• Reported breaches in the first 9 months of 2018 exposed 3.6 billion records https://www.helpnetsecurity.com/2018/11/12/publicly-reported-breaches/
• Massive data leaks keep happening because big companies can afford to lose your data https://motherboard.vice.com/en_us/article/bje8na/massive-data-leaks-keep-happening-because-big-companies-can-afford-to-lose-your-data

Laws & Regulations / Standards

• Schneier on new IoT Security Regulations https://www.schneier.com/blog/archives/2018/11/newiotsecurit.html
• Citizen Lab at the 13th Internet Governance Forum on Content Blocking and Filtering, and Combatting Fake News and Dangerous Content https://citizenlab.ca/2018/11/citizen-lab-at-igf/
• UK parliamentary probe looks at problems in the corporate auditing market https://www.pymnts.com/news/b2b-payments/2018/uk-auditing-parliment-inquiry-banking-frc/
• Anti-counterfeiting group want to use copyright as basis for border seizures without oversight to enforce trademarks and patents http://www.michaelgeist.ca/2018/11/cacnindu/
• HTTP/3 - HTTP over QUIC a UDP protocl is coming https://nakedsecurity.sophos.com/2018/11/14/http-3-come-for-the-speed-stay-for-the-security/
• Trump signs bill that creates the Cybersecurity and Infrastructure Security Agency. A clearer name and better funding for this function of DHS https://www.zdnet.com/article/trump-signs-bill-that-creates-the-cybersecurity-and-infrastructure-security-agency/
• NIST extends comment period for glossary of key information security terms until December 21, 2018.  Online Glossary: https://csrc.nist.gov/glossary,  Details: https://csrc.nist.gov/publications/detail/nistir/7298/rev-3/draft, and Update:  https://csrc.nist.gov/News/2018/nist-releases-draft-nistir-7298-rev-3-for-comment
• NIST requesting input for the Privacy Framework: An Enterprise Risk Management Tool https://www.nist.gov/privacy-framework/rfi

Privacy

• Controversy over proposal to implant chips in employees https://www.theguardian.com/technology/2018/nov/11/alarm-over-talks-to-implant-uk-employees-with-microchips
• Facebook failed to police how its partners handled user data https://www.nytimes.com/2018/11/12/technology/facebook-data-privacy-users.html
• Facebook bug combines iframe insecurity with search to extract information about you and your friends https://www.imperva.com/blog/facebook-privacy-bug/
• Article and Infographic about data collection by large social media companies https://securitybaron.com/blog/the-data-big-tech-companies-have-on-you-or-at-least-what-they-admit-to/
• EFF submission to US Department of Commerce on Consumer Privacy https://www.eff.org/deeplinks/2018/11/eff-us-department-commerce-protect-consumer-data-privacy
• EFF’s annual report https://www.eff.org/deeplinks/2018/11/effs-newest-annual-report

Bugs / Design Flaws / Vulnerabilities / Defense

• Zero-day vulnerability in WordPress GDPR plugin is being exploited in the wild https://www.zdnet.com/article/zero-day-in-popular-wordpress-plugin-exploited-in-the-wild-to-take-over-sites/
• Oracle VirtualBox zero-day published by researcher https://www.zdnet.com/article/virtualbox-zero-day-published-by-disgruntled-researcher/
• Microsoft's troubled October update adds to the list of known Windows 10 1809 bugs https://wccftech.com/microsoft-known-windows-10-1809-bugs/
• Side channel attacks on NVIDA GPU's can expose credentials https://www.tomshardware.com/news/researchers-publish-side-channel-attacks-nvidia-gpu,38055.html
• Schneier on responsible disclosure and the Oracle zero-day https://www.schneier.com/blog/archives/2018/11/oracleandresp.html
• Researchers discover seven new Meltdown and Spectre attacks https://www.zdnet.com/article/researchers-discover-seven-new-meltdown-and-spectre-attacks/
• Connected watches allow spying and stalking https://threatpost.com/connected-wristwatch-allows-hackers-to-stalk-spy-on-children/139118/
• Jira bug exposes AWS server keys https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/jira-bug-exposes-organizations-aws-server-keys/
• AWS rolls out new security feature to prevent accidental S3 data leaks https://www.zdnet.com/article/aws-rolls-out-new-security-feature-to-prevent-accidental-s3-data-leaks/
• Languages like C and C++ aren't memory safe and cause many fundamental vulnerabilities https://motherboard.vice.com/en_us/article/a3mgxb/the-internet-has-a-huge-cc-problem-and-developers-dont-want-to-deal-with-it
• Hacking an ATM is shockingly easy https://www.tomsguide.com/us/atm-hack-attack,news-28531.html
• AIX vulnerability key to ATM FASTCash cashout attacks https://www.databreachtoday.com/lazarus-fastcash-bank-hackers-wield-aix-trojan-a-11694
• Article on Continuous Adaptive Risk and Trust Assessment (CARTA) https://www.darkreading.com/risk/carta-a-new-tool-in-the-breach-prevention-toolbox/a/d-id/1333244
• Mozilla adds website breach notifications to Firefox https://techcrunch.com/2018/11/15/mozilla-adds-website-breach-notifications-to-firefox/
• Browser add-ons and extensions cause Content Security Policy violations https://www.troyhunt.com/add-ons-extensions-and-csp-violations-playing-nice-with-content-security-policies/
• Taking a Closer Look at Mainframe Security http://www.eweek.com/security/taking-a-closer-look-at-mainframe-security

Hacking / Malware / Cybercrime / Offense

• “Magecart” - over 100K e-commerce sites hit by 7 criminal groups using web-skimming malware https://www.databreachtoday.com/magecart-cybercrime-groups-mass-harvest-payment-card-data-a-11700
• Inside "Magecart" https://www.riskiq.com/research/inside-magecart/
• Official Google and Target twitter accounts hacked in Bitcoin scam https://nakedsecurity.sophos.com/2018/11/15/official-google-twitter-account-hacked-in-bitcoin-scam/
• Google hit by IP hijacking via BGP https://www.syfy.com/syfywire/blowing-square-smoke-rings
• Card skimmers buying up expired domains https://krebsonsecurity.com/2018/11/that-domain-you-forgot-to-renew-yeah-its-now-stealing-credit-cards/
• Dutch Police break 250K IronChat/IronPhone messages and make arrests in multiple cases https://arstechnica.com/information-technology/2018/11/police-decrypt-258000-messages-after-breaking-pricey-ironchat-crypto-app/
• Man pleads guilty in fatal swatting case, faces over 20 years in prison https://krebsonsecurity.com/2018/11/calif-man-pleads-guilty-in-fatal-swatting-case-faces-20-years-in-prison/
• China has escalated cyber-attacks on US https://www.databreachtoday.com/chinese-cyber-threat-nsa-confirms-attacks-have-escalated-a-11696
• Researchers created fake 'Master' fingerprints to unlock smartphones https://motherboard.vice.com/amp/en_us/article/bjenyd/researchers-created-fake-master-fingerprints-to-unlock-smartphones
• CitizenLab update https://mailchi.mp/citizenlab/nso-spyware-found-in-45-countries-the-canadian-connection-to-khashoggi-and-the-dangers-of-ai-in-immigration

Other Security / Risk

• Talk on why it’s so hard to get security right: “When you add people to the mix, things get squishier and more difficult to deal with” https://sector.ca/are-we-setup-to-fail/
• How do you get students to think like criminals https://www.nytimes.com/2018/11/14/opinion/cybersecurity-education-skills.html
• With Canada’s new privacy-breach laws comes the real risk of ‘oversharing’ https://www.theglobeandmail.com/business/commentary/article-with-canadas-new-privacy-breach-laws-comes-the-real-risk-of/
• Japan's cybersecurity chief admits no computer experience https://globalnews.ca/news/4665405/japan-cybersecurity-computer-olympics/
• Interesting opinion piece on harms arising from the successes of social media and large Internet retailers http://www.gregorybufithis.com/2018/11/16/facebook-its-like-a-teenager-with-launch-codes-frivolous-and-deadly/
• The US now has the two fastest supercomputers in the world https://www.theverge.com/circuitbreaker/2018/11/12/18087470/ibm-summit-sierra-supercomputer-us-fastest
• 3D printers spew toxic particles https://gizmodo.com/new-study-details-all-the-toxic-shit-spewed-out-by-3d-p-1830379464/
• Despite the salacious headline, self-driving cards will have unforeseen risks https://driving.ca/toyota/auto-news/news/motor-mouth-self-driving-cars-brothels-of-the-future
• Risks of large complex ballots https://freedom-to-tinker.com/2018/11/12/two-cheers-for-limited-democracy-in-new-jersey/
• The risks of badly designed ballots are playing out in the Florida recount (again) https://freedom-to-tinker.com/2018/11/14/florida-is-the-florida-of-ballot-design-mistakes/

Off-Topic / Science & Tech / Lighter Side

• Apparently square smoke rings are a real thing https://www.syfy.com/syfywire/blowing-square-smoke-rings
• Sometime in the last 3M years a 1/2 mile wide asteroid hit Greenland. Geologists have only just discovered the 16 mile wide crater, one of the top 25 in the world, hiding under almost 2 miles of ice sheet https://www.businessinsider.com/asteroid-impact-crater-found-under-greenland-ice-2018-11
• Astronomers directly image a planet orbiting a star 63-light-years away https://www.universetoday.com/140491/direct-observations-of-a-planet-orbiting-a-star-63-light-years-away/
• And astronomers discover super-Earth around Barnard's star, now 2nd closest exoplanet https://phys.org/news/2018-11-astronomers-super-earth-barnard-star.html