This Week’s [in]Security – Issue 90 | insecurity | Control Gap

Welcome to This Week’s [in]Security. This week: UK has experienced 41 breaches a day, Google+ (again), Facebook photo faux-pas, a medical record dump, Equifax breach report, and follow-on for Starwood and TicketMaster.  Canadian payment study out, a massive bomb hoax, wrong thinking, cyber-security scores, another country fines Facebook, more on encryption back-doors, half of cloud db's are not encrypted, and criminals building their own guns.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

News and announcements relating to Payment Security, Payments, PCI, and Card Brands.

• Payments Canada's annual report on the Canadian payment industry is out. Whether you're interested in credit, debit, loyalty, digital, cash, or cheques, it's all here http://www.paiements.ca/sites/default/files/10-Dec-18/paymentscanadatrendsreport201812_1.pdf

• PCI Updates

  • The new software security framework is coming in January https://blog.pcisecuritystandards.org/update-on-pci-software-security-framework
  • Minor revision to 3DS SDK security standard https://blog.pcisecuritystandards.org/whats-new-in-pci-3ds-sdk-security-standard-version-1.1 and detail https://www.pcisecuritystandards.org/documents/PCI-3DS-SDK-Security-Standard-v1.1.pdf

Breaches / Leaks

Covering breaches, leaks, data exposures, and their fallout.

• Another Google+ exposure affecting 52.5M users means Google will shut down Google+ four months earlier than planned https://www.theverge.com/2018/12/10/18134541/google-plus-privacy-api-data-leak-developers
• Facebook bug accidentally shared private photos of 6.8M users with 1500 apps https://www.businessinsider.com/facebook-bug-exposed-millions-private-photos-to-third-party-apps-2018-12
• Online trove of credentials for 40K accounts in 30 governments found online https://www.zdnet.com/article/over-40000-credentials-for-government-portals-found-online/

• More on the Starwood/Marriott breach:

  • More class actions are piling up https://www.theglobeandmail.com/business/article-marriott-facing-class-action-lawsuits-following-starwood-data-breach/
  • Breach notification emails are now arriving in inboxes across the planet. The impact to companies that have people travel on business is impressive (just as an example more than 40% of our staff have received one).  The information is also available https://info.starwoodhotels.com (which redirects to https://answers.kroll.com/)).
• Texas hospital breached for 47K patients through third-party credit card processor https://www.infosecurity-magazine.com/news/texas-hospital-discloses-third/
• 8,000 GDPR breaches so far in the UK https://www.databreachtoday.com/gdpr-8000-data-breach-reports-filed-so-far-in-uk-a-11828
• Hundreds of N.W.T. health records found at Fort Simpson dump https://www.cbc.ca/news/canada/north/health-record-nwt-fort-simpson-dump-1.4945734
• TicketMaster breach followup - merchant still blaming third-party not owning up to including third-party code https://www.theregister.co.uk/2018/12/12/ticketmasterdeniesfaultwebsitemagecart_infection/

• Congress report on Equifax breach finds multiple control failures (not just patching) and "breach was entirely preventable". Article https://www.databreachtoday.com/equifax-breach-entirely-preventable-house-report-finds-a-11832 and link to report https://oversight.house.gov/wp-content/uploads/2018/12/Equifax-Report.pdf

  • As of August 2017 Equifax was listed as being PCI Compliant with a due date of August 31, 2017 (per archives of card brand compliance registries)
  • Their 2016 assessor company left the business sometime in 2017 and so they were presumably working with another company (per archives of PCI approved QSA company lists)
  • The breach was announced in early September 2017 (per report)
  • Stunningly, the government breach report contains the following on page 80: "Equifax was in the process of making the ACIS application Payment Card Industry (PCI) Data Security Standard (DSS) compliant when the data breach occurred"
• Equifax, Priceline, Western Union, and others settle with NY's AG over insecure mobile apps https://www.mobilepaymentstoday.com/news/nys-ag-settles-with-western-union-priceline-equifax-others-on-mobile-app-security/
• Other jurisdictions are laying charges in the wake of the Panama and Paradise paper leaks, Canada is still investigating  https://www.cbc.ca/news/politics/tax-evasion-paradise-papers-1.4941931

Laws & Regulations / Standards

News about laws, regulations, and standards affecting security, privacy,  technology, and public interest.

• Australia's Assistance and Access Act backlash includes GDPR concerns  https://threatpost.com/australia-anti-encryption-law-triggers-sweeping-backlash/139697/
• Schneier almost didn't way in on the issue (actually he was just busy) https://www.schneier.com/blog/archives/2018/12/newaustralian\.html
• Canada passes updated election law to take first steps at dealing with foreign social media influence but doesn't address accountability or potential absentee ballot abuses https://www.msn.com/en-ca/news/canada/election-bill-passed-in-time-for-fall-vote/ar-BBQMIx3
• EU's new copyright directive under protest https://www.eff.org/deeplinks/2018/12/four-million-europeans-signatures-opposing-article-13-have-been-delivered-european

Privacy

Articles about privacy related news, risks, and trends.

• Canadian Privacy Commission isn't using all the tools at their disposal http://www.michaelgeist.ca/2018/12/privacyenforcement/
• Windows 10 sends your application activity history to Microsoft, even if you tell it not to https://www.howtogeek.com/fyi/windows-10-sends-your-activity-history-to-microsoft-even-if-you-tell-it-not-to/
• Italy fines Facebook $11M for privacy violations https://threatpost.com/facebook-fined-privacy/139824/

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• Reverse or Wrong Thinking can yield results https://getpocket.com/explore/item/to-come-up-with-a-good-idea-start-by-imagining-the-worst-idea-possible-1858230246
• More useful safe e-commerce shopping tips https://www.washingtonpost.com/technology/2018/12/13/eight-simple-tricks-keep-hackers-ruining-christmas-shopping/
• December 19, webinar aiming to increase youth and mid-career professional interest and exploration of cybersecurity careers nist.gov/nice/webinars
• When to involve the Board and Public Relations in breach response (summary and video) https://www.databreachtoday.com/breach-response-when-to-involve-board-pr-a-11849
• Microsoft is investigating the use of AI to predict malware infection and drive preemptive actions https://www.zdnet.com/article/microsoft-wants-ai-to-predict-if-your-windows-pcs-will-get-malware/

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• Facial ID authentication defeated by 3D printed head https://www.tripwire.com/state-of-security/featured/unlocking-android-phones-with-a-3d-printed-head/
• Microsoft inexplicably adds security questions to Windows 10 and unsurprisingly they're ripe for abuse and exploitation https://arstechnica.com/information-technology/2018/12/what-was-the-name-of-your-first-exploit-win-10-security-questions-open-backdoor/
• Weak encryption used in Philips HealthSuite Health Android app https://www.databreachtoday.com/weak-encryption-leaves-mobile-health-app-at-risk-for-hacking-a-11833
• 49% of cloud db's left in the clear https://www.darkreading.com/perimeter/49--of-cloud-databases-left-unencrypted/d/d-id/1333462
• Paper on problems with smart home security from William & Mary University https://www.wm.edu/news/stories/2018/smart-home-security-devices-may-be-vulnerable-to-smart-hackers.php
• Security Scorecard has published a report on cyber-security in the education industry https://securityscorecard.com/resources/2018-education-report
• Kreb's looks at the idea of rating companies for cyber-security based on scanning as a means of due diligence. Also covered in the same article are some faux-pas with an Experian website and a report that outed ExxonMobil's score.  https://krebsonsecurity.com/2018/12/scanning-for-flaws-scoring-for-security/
• List of the worst password offenders of the year - and, yes, Kanye West is top of the list https://blog.dashlane.com/password-offenders-2018/

Hacking / Malware / Cybercrime / Exploitation

News covering active trends and events.

• Bypassing one-time password type multi-factor authentication using real-time man-in-the-middle attacks https://arstechnica.com/information-technology/2018/12/iranian-phishers-bypass-2fa-protections-offered-by-yahoo-mail-and-gmail/

• Last Thursday there was an epidemic of email bomb hoax / Bitcoin extortion affecting cities in Canada, the US, Australia, and New Zealand

  • https://krebsonsecurity.com/2018/12/spammed-bomb-threat-hoax-demands-bitcoin/
  • https://www.cbc.ca/news/canada/bomb-threat-hoax-canada-cities-1.4945170
  • https://www.cnn.com/2018/12/14/us/email-bomb-threats-search/index.html
• These bomb hoaxes appear to related to recent sextortion scam and are running in parallel with an acid assault threat https://blog.talosintelligence.com/2018/12/bitcoin-bomb-scare-associated-with.html
• Companies in the middle east are being hit by a variant of the Shamoon malware https://www.forbes.com/sites/thomasbrewster/2018/12/13/warnings-as-destructive-shamoon-cyber-attacks-hit-middle-east-energy-industry/amp/
• Beware of holiday pump skimmers https://www.privacyrights.org/blog/watch-out-pumps-holiday-season
• The scams that keep on taking - non-bills https://krebsonsecurity.com/2018/12/how-internet-savvy-are-your-leaders/
• Save the Children scammed for $1M https://www.zdnet.com/article/save-the-children-foundation-duped-by-hackers-into-paying-out-1-million/
• Really wierd DIY machine used in UK bank fraud https://www.theregister.co.uk/2018/12/13/bankingfraudarrest/
• FBI is investigating false submissions to FCC in net neutrality comment period https://arstechnica.com/tech-policy/2018/12/fbi-investigating-identity-theft-in-net-neutrality-comments-report-says/
• McAfee calls out nation state actors in 'Operation Sharpshooter' attack on government and defense firms https://www.cnbc.com/2018/12/12/mcafee-operation-sharpshooter-hack-hit-government-defense-firms.html
• Ships infected with ransomware https://www.zdnet.com/article/ships-infected-with-ransomware-usb-malware-worms/
• Cyber-crime is not just a growth industry, it's a leading growth-industry https://www.darkreading.com/threat-intelligence/cybercrime-is-worlds-biggest-criminal-growth-industry/d/d-id/1333485

Other Security / Risk

Articles covering other types of risks.

• An audit of SuperMicro's equipment turned up no Chinese implant hardware https://arstechnica.com/information-technology/2018/12/supermicro-refutes-report-of-malicious-implants-with-audit/
• AI Now's annual report summarizes security challenges https://www.schneier.com/blog/archives/2018/12/2018annualrep.html
• 25% of UK National Health Service trust have no cybersecurity staff https://www.theregister.co.uk/2018/12/11/nhsdatasecuritytrainingfoi/
• Concerns over sensitive US military data in commercial cloud http://www.bbc.co.uk/news/world-us-canada-46489689
• White-hat hacking school blacklisted by AI, demonstrates the very human problem of discerning intent https://www.theregister.co.uk/2018/12/13/taloshackerhouse/
• Google competitor claims Google's use of location data puts areas inside political filter bubbles https://www.businessinsider.com/duckduckgo-ceo-on-google-search-bias-2018-12
• How to audit elections https://freedom-to-tinker.com/2018/12/10/pilots-of-risk-limiting-election-audits-in-california-and-virginia/
• North Carolina county embroiled in election fraud scandal leaked data and edges closer to a new election https://www.nytimes.com/2018/12/11/us/politics/north-carolina-election-leak-.html
• Toronto has seen a spike in shootings during 2018. Police noticed a pattern and bust illegal firearm manufacturing ring in the GTA and arrest 23 https://www.680news.com/2018/12/11/arrests-illegal-firearms-opp/
• Not something you see everyday, a German town had a chocolate spill https://www.cnn.com/2018/12/12/europe/chocolate-covered-street-grm-scli-intl/index.html fortunately no one was hurt (unlike almost 100 years ago, on January 15, 1919, when 21 residents of Boston met a sticky fate https://en.wikipedia.org/wiki/GreatMolassesFlood))
• Is the US heading for recession, the bond market may be an indicator (or a contributor) https://www.bbc.com/news/business-46530860

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• Possible new transistor technology tested https://scienmag.com/topological-matters-toward-a-new-kind-of-transistor/
• Meteor flash and northern lights in Norway https://apod.nasa.gov/apod/ap181209.html
• Mercury probe firing up most powerful Ion Engines https://www.universetoday.com/140821/mercury-bound-bepicolombo-is-about-to-start-using-the-most-powerful-ion-engines-ever-sent-to-space/
• Why we haven't found Earth 2.0 yet. Hint, if an identical Earth 2.0 were looking for us - they wouldn't have found us yet. https://www.forbes.com/sites/startswithabang/2018/12/10/why-havent-scientists-found-earth-2-0-yet/
• Decoding ancient languages with the help of AI http://www.bbc.com/future/story/20181207-how-ai-could-help-us-with-ancient-languages-like-sumerian
• The great die-off, climate change in the fossil record https://www.universetoday.com/140825/a-rapid-rise-in-temperature-led-to-the-worst-extinction-in-our-planets-history/