This Week’s [in]Security – Issue 87 | insecurity | Control Gap

Welcome to This Week’s [in]Security. This week: Uses for cash in cashless society. Breaches at USPS, Adapt, Amazon, Vision Direct, Instagram, FIESP, and Knuddles. Legal cannabis risks.  IoT creepiness ratings.  Free book. More Facebook. MFA. Broadband router security standards. Mainframes. Outed hackers. Snowden's legacy. Voting machines. Law firms. Deep fryer [un]safety. Linguistic lie detectors.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

• Sweden, the most cashless society, is considering slowing their digitization and reevaluating their need to keep cash around https://www.nytimes.com/2018/11/21/business/sweden-cashless-society.html

Breaches / Leaks

• USPS exposed data on 60M and took a year to fix it https://krebsonsecurity.com/2018/11/usps-site-exposed-data-on-60-million-users/
• FIESP, Brazil's largest professional association leaks over 34M records https://www.zdnet.com/article/brazils-largest-professional-association-suffers-massive-data-leak/
• Adapt exposes data on 9.3M users https://haveibeenpwned.com/PwnedWebsites#Adapt
• Amazon breached an unknown number of customer names and emails days before Black Friday https://www.theguardian.com/technology/2018/nov/21/amazon-hit-with-major-data-breach-days-before-black-friday
• Vision Direct breached by Magecart fake google-analytics script https://www.databreachtoday.com/magecart-spies-payment-cards-from-retailer-vision-direct-a-11709
• German based Knuddles ("Cuddles") fined under GDPR for breach of 800K userids and plain-text passwords https://www.theregister.co.uk/2018/11/23/knuddelsfinedforplaintext_passwords/
• Instagram accidentally exposed some users' passwords in plaintext through feature meant to support GDPR https://thehackernews.com/2018/11/instagram-password-hack.html
• UK Breach reports up almost 500% since GDPR suggests that more companies are coming clean https://www.infosecurity-magazine.com/news/ico-breach-reports-continue-to/
• How to securely wipe your devices so you can recycle or resell them https://motherboard.vice.com/en_us/article/bjex48/how-to-securely-get-rid-of-your-devices

Laws & Regulations / Standards

• 'Alexa, who did it?' What happens when a judge in a murder trial wants data from a smart home speaker https://www.cbc.ca/radio/day6/episode-417-alexa-as-murder-witness-k-tel-s-legacy-brexit-and-gibraltar-havana-s-mystery-hater-and-more-1.4916536/alexa-who-did-it-what-happens-when-a-judge-in-a-murder-trial-wants-data-from-a-smart-home-speaker-1.4916556
• Judge rules first amendment can’t be used to defend harassment https://www.nytimes.com/2018/11/15/us/daily-stormer-anti-semitic-lawsuit.html
• Michael Geist has a new series of articles on attempts to overturn copyright reform http://www.michaelgeist.ca/2018/11/misleading-on-fair-dealing-part-1/, http://www.michaelgeist.ca/2018/11/misleading-on-fair-dealing-part-2-why-access-copyrights-claim-of-600-million-uncompensated-copies-doesnt-add-up/
• Canadian cannabis investor gets lifetime U.S. entry ban as conference goers face scrutiny at border https://business.financialpost.com/cannabis/cannabis-business/cannabis-investing/canadian-cannabis-investor-gets-lifetime-ban-from-u-s-as-vegas-conference-goers-face-scrutiny-at-border
• Lawyer bracing for more Canadian pot smokers ‘getting banned’ from entering U.S https://globalnews.ca/news/4680099/lawyer-canadian-pot-smokers-banner-u-s-border/
• NIST invites public comments on a second draft of SP-800-57 Part 2 Rev. 1, Recommendation for Key Management Part 2: Best Practices for Key Management Organizations. Detail: https://csrc.nist.gov/publications/detail/sp/800-57-part-2/rev-1/draft and update: https://csrc.nist.gov/news/2018/nist-releases-2nd-draft-sp-800-57-part-2-rev-1

Privacy

• Mozilla  IoT gifts  buyers guide for IoT gifts complete with a creepiness poll and rating.  Teddy bears that connect to the internet. Smart speakers that listen to commands. Great gifts - unless they spy on you https://foundation.mozilla.org/en/privacynotincluded/
• Free book download - "The End of Trust" https://www.eff.org/deeplinks/2018/11/end-trust-sale-bookstores-and-free-download-now
• Now eight parliaments are demanding Zuckerberg answers for Facebook scandals https://techcrunch.com/2018/11/19/now-eight-parliaments-are-demanding-zuckerberg-answers-for-facebook-scandals/
• UK Parliament seizes cache of Facebook internal papers https://www.theguardian.com/technology/2018/nov/24/mps-seize-cache-facebook-internal-papers
• Privacy concerns over credit card use for legal online pot purchases https://www.680news.com/2018/11/18/privacy-concerns-over-credit-card-use-for-legal-online-pot-purchases/
• Cloudflare weighs in on US privacy policy https://blog.cloudflare.com/cloudflares-response-to-a-privacy-framework/
• Nova Scotia must toughen protection over medical databases, says privacy commissioner https://www.itworldcanada.com/article/nova-scotia-must-toughen-protection-over-medical-databases-says-privacy-commissoner/411826
• Facebook appealing UK fines over Cambridge Analytica breach https://www.businessinsider.com/facebook-appeals-ico-fine-for-cambridge-analytica-data-breach-2018-11

Bugs / Design Flaws / Vulnerabilities / Defense

• Troy Hunt talks about passwords, 2FA, 2-step authentication, MFA, U2F, and variations https://www.troyhunt.com/beyond-passwords-2fa-u2f-and-google-advanced-protection/
• Article on banks using ethical hackers for defense https://www.cbc.ca/news/business/canadian-banks-cybersecurity-1.4916219
• Former FBI chief says US hacking back is the only effective deterrent against nation state based cyber-attacks https://www.afr.com/news/policy/foreign-affairs/retaliatory-cyber-attacks-are-only-way-to-stop-china-says-former-fbi-director-20181120-h183rc
• Germany’s BSI floats recommendations for minimum security standards for broadband routers https://www.theregister.co.uk/2018/11/20/germanyversusopenwrt_ccc/
• Dropbox security testing uncovers 3 Apple zero-day vulnerabilities https://www.bleepingcomputer.com/news/security/how-a-security-test-for-dropbox-revealed-3-apple-zero-day-vulnerabilities/
• Privilege escalation bug in WordPress Accelerated Mobile Pages (AMP) plugin https://www.tenable.com/blog/popular-wordpress-amp-for-wp-plugin-vulnerable-to-privilege-escalation-attacks

• Mainframe vulnerabilities

  • Taxonomy https://www.linkedin.com/pulse/what-categories-mainframe-vulnerabilities-ray-overby/
  • Integrity and the reality of zero-days https://www.linkedin.com/pulse/clearing-up-myths-mainframe-integrity-code-based-ray-overby/

Hacking / Malware / Cybercrime / Offense

• Article, discussion, and paper on Information Attacks against Democracies https://www.schneier.com/blog/archives/2018/11/information_att.html
• Scammers edit Google Maps bank listings to trick and defraud people http://www.businessinsider.com/scammers-edit-google-maps-bank-listings-fraud-2018-11
• Man charged with 21 criminal counts in SIM swapping and crypto-currency thefts https://www.cnbc.com/2018/11/21/hacker-lifts-1-million-in-cryptocurrency-using-mans-phone-number.html
• Cyber-security firm doxxes hacker who sold MySpace and Dropbox databases in 2016 https://www.zdnet.com/article/cyber-security-firm-doxxes-hacker-who-sold-myspace-and-dropbox-databases-in-2016/
• Real identity of hacker who sold LinkedIn, DropBox databases revealed https://thehackernews.com/2018/11/tessa88-russian-hacker.html
• “Guccifer” (the original Romanian, not the Russian 2.0) has now been surrendered to US authorities to serve a 52 month sentence for cybercrimes https://www.bankinfosecurity.com/romanian-hacker-guccifer-extradited-to-us-a-11705
• Pair sentenced in 2015 TalkTalk breach https://www.databreachtoday.com/two-friends-who-hacked-talktalk-receive-prison-sentences-a-11712
• Indian police file charges against masterminds of $60M Bitcoin pyramid scam https://www.ccn.com/indian-police-file-charges-against-masterminds-of-60-million-bitcoin-scam/

Other Security / Risk

• On the absence of a Cyber-9/11 https://www.schneier.com/blog/archives/2018/11/whathappenedt.html
• The legacies of Snowden's disclosures https://arstechnica.com/tech-policy/2018/11/the-snowden-legacy-part-one-whats-changed-really/
• Security agencies warn industry of foreign espionage threat to networks https://www.ctvnews.ca/canada/security-agencies-warn-industry-of-foreign-espionage-threat-to-networks-1.4191682
• Expert opinions on voting machines and vote by mail https://freedom-to-tinker.com/2018/11/20/expert-opinions-on-in-person-voting-machines-and-vote-by-mail/
• The inconvenient reality of law firm security challenges https://securityintelligence.com/the-inconvenient-reality-of-law-firm-security-challenges/
• How to securely wipe your devices so you can recycle or resell them https://motherboard.vice.com/amp/en_us/article/bjex48/how-to-securely-get-rid-of-your-devices
• Blackberry enterprise storage will now be able to protect and roll-back ransomware attacks https://www.pcmag.com/news/362920/blackberry-can-now-reverse-ransomware-attacks
• US DEA and ICE are hiding surveillance cameras in street lights https://www.schneier.com/blog/archives/2018/11/hiddencameras\.html
• Canada’s brain-injured Cuba diplomats speak out about Ottawa’s silence https://www.theglobeandmail.com/world/article-canadas-brain-injured-cuba-diplomats-speak-out-about-ottawas-silence/
• An example of fear and lack of critical thinking overriding common sense https://www.schneier.com/blog/archives/2018/11/worst-casethin1.html
• Man mails pipe bombs to tech support team https://www.schneier.com/blog/archives/2018/11/mailingtechsu.html
• Securing your vehicle's remote entry and key fob http://www.safebee.com/tech/securing-your-vehicle-how-prevent-keyless-entry-thefts-and-other-key-fob-hacks
• UL demonstrates why Turkey deep fryers are unsafe https://www.youtube.com/watch?v=yObDuYTfudY
• The appalling situation at St. Michael’s College in Toronto, may very well have been made worse by overzealous media and outraged citizens https://www.theglobeandmail.com/canada/toronto/article-a-st-mikes-mom-blamed-the-media-maybe-she-had-a-point/
• Anti-vaccine stronghold in North Carolina hit with big Chicken-pox outbreak https://www.washingtonpost.com/nation/2018/11/19/anti-vaccination-stronghold-nc-hit-with-states-worst-chickenpox-outbreak-decades/
• This is a bit weird, Dutch researchers pilot linguistic lie detector using Trumps tweets, putting aside their training dataset there are lessons to be learned from this https://www.theregister.co.uk/2018/11/21/trumptweetslies/

Off-Topic / Science & Tech / Lighter Side

• An electric plane with no moving parts has made its first flight https://www.technologyreview.com/s/612451/an-electric-plane-with-no-moving-parts-has-made-its-first-flight/
• Chinese experimental fusion reactor achieves 100M degree milestone https://www.universetoday.com/140540/chinese-fusion-experiment-reaches-100-million-degrees/
• Astronomers find our Sun’s wandering twin 184 light years away http://astronomy.com/news/2018/11/astronomers-find-a-solar-twin--a-star-that-looks-almost-exactly-like-our-sun
• NASA's Lucy will study Jupiter's Trojan asteroids https://phys.org/news/2018-11-nasa-lucy-sky-asteroids.html