This Week’s [in]Security – Issue 91 | insecurity | Control Gap

Welcome to This Week’s [in]Security. T'was the night before Christmas, this week: Facebook tops the naughty list again, vulnerable MPOS readers, a look back at two notable payment card breaches, more e-commerce breaches, the Drones of Gatwick, US Senate releases two reports on Russian social media interference, security and good system/software inventories, CSO & CISOs still lacking corporate visibility, possible Twitter breach, creepy gifts, fake faces move beyond the uncanny valley, video conferencing vulnerabilities, planet tipping, really really far out, and revenge with side of glitter.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

News and announcements relating to Payment Security, Payments, PCI, and Card Brands.

• Tests of Bluetooth enabled payment devices used by Square, PayPal, Zettle, and SumUp finds lots of vulnerabilities https://www.forbes.com/sites/thomasbrewster/2018/08/09/these-bluetooth-hacks-can-steal-your-credit-card-pin/
• PCI 2018 year end reminders https://blog.pcisecuritystandards.org/pci-dss-reminders-and-resources
• Remote and card-not-present payments are growing http://www.digitaltransactions.net/growth-in-remote-card-payments-far-outpaces-point-of-sale-payment-growth-the-fed-reports/

Breaches / Leaks

Covering breaches, leaks, data exposures, and their fallout.

• Click2Gov payment application for municipalities involved in 47 breaches of 300K payment cards http://www.digitaltransactions.net/click2gov-payment-application-for-municipalities-cited-in-48-data-breaches/ and https://geminiadvisory.io/hacked-click2gov-exposed-payment-data/

  • Breach in parking payment system in Saint John might have exposed personal information https://www.cbc.ca/news/canada/new-brunswick/saint-john-parking-data-breach-1.4957310
• Caribou Cofeee just announced a 3 month long breach of 40% of their stores POS systems, no word on how many payment cards are impacted yet  https://www.zdnet.com/article/caribou-coffee-chain-announces-card-breach-impacting-239-stores/
• Twitter is reporting some kind of data leak - signs suggest it's state sponsored  https://gizmodo.com/twitter-alerts-some-users-to-unusual-data-leak-1831158698, http://www.bbc.co.uk/news/technology-46597366, and https://www.bankinfosecurity.com/twitter-sees-signs-state-sponsored-attack-a-11869
• NASA work data hacked https://www.theregister.co.uk/2018/12/18/nasaserverhack/
• Blue Cross and Blue Shield of North had a breech of paper/film records Carolina https://www.privacyrights.org/data-breaches?title=Blue%20Cross%20and%20Blue%20Shield%20of%20North%20Carolina%20(Blue%20Cross%20NC)
• Vermont & Dallas medical breaches https://www.scmagazine.com/home/security-news/vermont-dallas-medical-facilities-suffer-email-account-breaches/
• In Canada, cybersecurity breaches will soon reverberate all the way up to the board level https://www.theglobeandmail.com/business/commentary/article-cybersecurity-breaches-will-soon-reverberate-all-the-way-up-to-the/
• Marriot and the question of GDPR https://www.databreachtoday.com/blogs/marriott-mega-breach-will-gdpr-apply-p-2688
• Medical pot company plugs web security flaw but privacy concerns persist https://nationalpost.com/pmn/news-pmn/canada-news-pmn/medical-pot-company-plugs-web-security-flaw-but-privacy-concerns-persist

• Reflections on two notable breaches in payment card history

  • Target was 5 years ago https://www.welivesecurity.com/2018/12/18/target-targeted-five-years-breach-shook-cybersecurity/
  • 18 years ago, successful online e-tailer Egghead.com was breached https://apnews.com/7b11ab7142b5202df3481abaac2491d8  (They eventually closed down and sold off the name. And 6 months later Visa and MasterCard's announced security programs that were precursors to PCI).

Privacy

Articles about privacy related news, risks, and trends.

• Facebook caught with everyone's hands massively in the cookie jar - AGAIN - over 150 companies with access to data from hundreds of millions of users a month, and the ability to read, write & delete user's private messages - without consent - some going back to 2010 - citing Yahoo, Sony, Apple, Amazon, Netflix, Spotify, Bing, Pandora (music, not jewelry), Rotten Tomatoes, the Royal Bank of Canada, the NY Times (wait - they called themselves out), and Russia's Yandex with alleged ties to the Kremlin https://www.nytimes.com/2018/12/18/technology/facebook-privacy.html

  • RBC disputes the extent of access in the NYT report https://www.msn.com/en-ca/money/topstories/rbc-disputes-report-that-it-had-access-to-users-facebook-messages/ar-BBRaUZs
  • How much access and how bad is it https://arstechnica.com/information-technology/2018/12/facebook-partner-arrangements-are-they-as-bad-as-they-look/
  • How to delete Facebook https://www.nytimes.com/2018/12/19/business/delete-facebook-account.html
  • Huge numbers of Facebook users say they'll drop the platform immeadiately, history suggests they won't https://threatpost.com/facebooks-rough-history-of-failed-user-revolts/140138/
• Facebook lawsuit by Washington DC under CPPA over Cambridge Analytica triggers $22B stock sell-off https://markets.businessinsider.com/news/stocks/facebook-stock-slides-netflix-spotify-access-user-messages-2018-12-1027822541
• It seems impossible to completely turn off Facebook's location tracking https://gizmodo.com/turning-off-facebook-location-tracking-doesnt-stop-it-f-1831149148
• London's metropolitan police roll out facial recognition https://www.theregister.co.uk/2018/12/17/metpolicefacialrecognitiondecember_rollout/
• NIST privacy workshop at Georgia Tech February 27-28 https://www.nist.gov/news-events/events/2019/02/outlining-nist-privacy-framework-workshop-2
• Is a consumer backlash coming https://www.darkreading.com/perimeter/privacy-futures-fed-up-consumers-take-their-data-back/a/d-id/1333499
• Amazon accidentally exposed 1700 Alexa voice recordings by sending them along with a GDPR information request to the wrong person. What's really scary is that reports easily found the right person.  https://threatpost.com/amazon-1700-alexa-voice-recordings/140201/
• The previous incident shows Alex is listening far more than we thought - even when the light is off https://www.securityweek.com/alexa-may-be-recording-more-you-realize
• Alberta information commissioner says her office at 'breaking point' https://www.cbc.ca/news/canada/edmonton/alberta-information-commissioner-says-her-office-at-breaking-point-1.4954627

Laws & Regulations / Standards

News about laws, regulations, and standards affecting security, privacy,  technology, and public interest.

• Canada signs new copyright law updating notice-on-notice. Settlement demands for infrigment are now illegal http://www.michaelgeist.ca/2018/12/no-more-settlement-demands-new-rules-for-copyright-notice-and-notice-system-receives-royal-assent/
• Canadian freedom of the press paradox in R. v. Vice Media https://www.airdberlis.com/insights/blogs/thespotlight/post/ts-item/the-press-freedom-paradox-in-r.-v.-vice-media-the-supreme-court-of-canada-s-review-of-press-freedoms-versus-the-investigative-powers-of-police
• US citizen suing border services over phone search incident  https://www.theregister.co.uk/2018/12/18/americancitizenbordersmartphonesearch/
• NIST is still looking for feedback on their Privacy Framework until January 14, 2019. See https://www.nist.gov/privacy-framework/rfi. Recorded webinar https://www.nist.gov/news-events/events/2018/11/nist-privacy-framework-qa-webinar
• EU-US Privacy Shield renewed https://epic.org/2018/12/eu-us-privacy-shield-renewed-p.html
• EU sets deadline for US privacy ombudsperson  https://www.theregister.co.uk/2018/12/19/eupleadswithustonameapermanentprivacyshieldombudsperson/
• Facebook's string of privacy scandals show why we need better privacy laws https://www.eff.org/deeplinks/2018/12/facebooks-latest-scandal-shows-we-need-stronger-privacy-laws and https://www.mobilepaymentstoday.com/articles/facebook-facing-new-regulatory-scrutiny-after-data-sharing-allegations/
• NIST (SP) 800-37 Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy updated https://csrc.nist.gov/news/2018/rmf-update-nist-publishes-sp-800-37-rev-2 and details https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final
• Cambridge, MA Joins Growing Ranks of Cities Requiring Civilian Control of Police Surveillance Tech https://www.eff.org/deeplinks/2018/12/cambridge-ma-joins-growing-ranks-cities-requiring-civilian-control-police

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• Only 5% of top 100 companies list their CSO or CISO, and only 1/3 list their CTO https://krebsonsecurity.com/2018/12/a-chief-security-concern-for-executive-teams/
• System and software inventory - dull, boring, un-sexy, and absolutely critical to good security and compliance https://danielmiessler.com/blog/continuous-asset-management-security/
• Auditors found problems with the US DoD software inventories http://www.cybersecurity-review.com/news-december-2018/dod-doesnt-keep-track-of-duplicate-or-obsolete-software/
• Monitoring Internet for security insights 'noise' https://motherboard.vice.com/en_us/article/8xpbva/greynoise-internet-scanning-noise
• Understanding SQL injection https://www.packetlabs.net/sql-injection/
• Thoughts about disclosure processes with cryptographic vulnerability (CVE-2018-8319) as the example https://www.linkedin.com/pulse/thoughts-from-disclosure-process-cryptographic-ryan-speers
• Managing risks from open source software https://www.databreachtoday.com/open-source-components-managing-risks-a-11895
• Over 5B robocalls were placed into the US in 2018, here's some ways to limit them https://www.businessinsider.com/how-to-stop-robocalls-to-cell-phone-explained-2018-5
• Using Behavioral Analytics to Protect Against Threats https://www.bankinfosecurity.com/interviews/using-behavioral-analytics-to-protect-against-threats-i-4204

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• Fortune 500 companies exposed through the Internet https://www.darkreading.com/perimeter/lax-controls-leave-fortune-500-overexposed-on-the-net/d/d-id/1333497
• ASUS & GIGABYTE drivers code execution vulnerabilities house party https://www.bleepingcomputer.com/news/security/asus-gigabyte-drivers-contain-code-execution-vulnerabilities-pocs-galore/
• Remote firmware attack bricks computers https://www.bleepingcomputer.com/news/security/remote-firmware-attack-renders-servers-unbootable/
• Huawei routers have a bug that advertises the fact that they are using default credentials or not https://threatpost.com/huawei-router-default-credential/140234/

• Google's project zero has a series on video conferencing vulnerabilities

  • WebRTC https://googleprojectzero.blogspot.com/2018/12/adventures-in-video-conferencing-part-1.html
  • Facetime https://googleprojectzero.blogspot.com/2018/12/adventures-in-video-conferencing-part-2.html
  • WhatsApp https://googleprojectzero.blogspot.com/2018/12/adventures-in-video-conferencing-part-3.html and https://googleprojectzero.blogspot.com/2018/12/adventures-in-video-conferencing-part-4.html
  • Next steps https://googleprojectzero.blogspot.com/2018/12/adventures-in-video-conferencing-part-5.html
• Logitech fixed security vulnerabilities in 'Options' app that allowed command and keystroke injection after report goes public https://www.zdnet.com/article/logitech-app-security-flaw-allowed-keystroke-injection-attacks/
• SQLite remote code execution https://www.tenable.com/blog/magellan-remote-code-execution-vulnerability-in-sqlite-disclosed

Hacking / Malware / Cybercrime / Exploitation

News covering active trends and events.

• Another Windows Zero Day dropped on Twitter https://thehackernews.com/2018/12/windows-zero-day-exploit.html
• You can now take entire countries offline: 'it's a matter of time because it's really easy' https://www.businessinsider.com/can-hackers-take-entire-countries-offline-2018-12

• China hacked at least 9 managed service providers including HPE, IBM and then attacked their clients in an operation known as "Cloudhopper" https://www.reuters.com/article/us-china-cyber-hpe-ibm-exclusive/exclusive-china-hacked-hpe-ibm-and-then-attacked-clients-sources-idUSKCN1OJ2OY and https://www.zdnet.com/article/at-least-nine-global-msps-hit-in-apt10-attacks-acsc/

  • US charges Chinese APT intelligence service hackers over commercial cyber-spying  https://www.bbc.com/news/world-us-canada-46638323 and https://www.cbc.ca/news/world/us-doj-charges-chinese-hackers-1.4953931
  • China will keep attacking https://www.pymnts.com/news/security-and-risk/2018/china-cyberattacks-spying-intellectual-property/
• Malware communication using Twitter meme stenography https://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-use-malicious-memes-that-communicate-with-malware/
• EU diplomatic traffic was intercepted for 3 years https://www.databreachtoday.com/hackers-intercepted-eu-diplomatic-cables-for-3-years-a-11872
• Exposing diplomatic interception is unusual https://www.wired.com/story/eu-diplomatic-cable-hacks-area-one/
• Competitor sabotage and dirty dealing in the $175 billion Amazon Marketplace https://www.theverge.com/2018/12/19/18140799/amazon-marketplace-scams-seller-court-appeal-reinstatement
• Emergency fix for Microsoft's IE due to active exploitation in the wild https://arstechnica.com/information-technology/2018/12/microsoft-issues-emergency-update-to-fix-critical-ie-flaw-under-active-exploit/
• Feds shutdown several DDoS for hire services and charge 3 https://krebsonsecurity.com/2018/12/feds-charge-three-in-mass-seizure-of-attack-for-hire-services/
• Serial Swatter and Stalker Mir Islam Arrested for Allegedly Dumping Body in River https://krebsonsecurity.com/2018/12/serial-swatter-and-stalker-mir-islam-arrested-for-allegedly-dumping-body-in-river/

Other Security / Risk

Articles covering other types of risks.

• 2019 Security and privacy predictions https://www.bankinfosecurity.com/blogs/looking-ahead-to-2019-ics-regulation-steganography-p-2694
• Are DNA testing kits a good present? https://www.chicagotribune.com/business/ct-biz-genetic-tests-for-christmas-1216-story.html
• Privacy invading gifts https://www.theguardian.com/technology/2018/dec/14/drones-dna-and-data-please-dont-give-the-gift-of-privacy-invasion
• EFF on creepy gifts https://www.eff.org/deeplinks/2018/12/eff-gift-guide-whats-creeping-us-out
• Fake faces move beyond creepy to realistic with scary implications https://www.technologyreview.com/s/612612/these-incredibly-real-fake-faces-show-how-algorithms-can-now-mess-with-us/

• The evolving story of the Drones of Gatwick

  • Drones forced extended airport shutdown disrupting air traffic world-wide  https://www.theregister.co.uk/2018/12/20/londongatwickairport_drones/
  • How bad it could be https://www.bbc.com/news/technology-46632892
  • Two suspects arrested  https://www.bbc.com/news/uk-england-46665615, then cleared and released https://www.bbc.com/news/uk-england-46665615
  • Reports of possibility of no drones was communication error https://www.bbc.com/news/uk-england-46670714

• The Senate releases two reports on Russian social media interference. Article  https://www.nytimes.com/2018/12/17/us/politics/russia-2016-influence-campaign.html (report links follow):

  • https://int.nyt.com/data/documenthelper/533-read-report-internet-research-agency/7871ea6d5b7bedafbf19/optimized/full.pdf
  • https://int.nyt.com/data/documenthelper/534-oxford-russia-internet-research-agency/c6588b4a7b940c551c38/optimized/full.pdf
• The case of a whistleblower and vulnerable android apps being used in war zones https://www.zdnet.com/article/two-android-apps-used-in-combat-by-us-troops-contained-severe-vulnerabilities/
• FedEx outlook yet another suggestion of global recession https://www.zerohedge.com/news/2018-12-19/jarring-fedex-outlook-cut-suggests-severe-global-recession

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• Revenge of the rocket scientist - cloud-gps enabled-glitter-stink bomb for the naughty list (with amazing video) https://www.bbc.com/news/technology-46604625 (The only things missing are glue spray and blockchain. )
• Newly found solar system object, named "Farout", is furthest yet discovered https://www.cbc.ca/news/technology/farout-minor-planet-1.4949616
• And even further out, astronomers have discovered extra-galactic exoplanets 3.8B ly away! https://www.sciencealert.com/for-the-first-time-ever-astronomers-detected-planets-outside-our-galaxy-this-year
• Naked eye Christmas comet won't be brighter than Rudolph's nose but should be a nice sight https://www.cbc.ca/news/canada/calgary/christmas-comet-1.4948186
• Uranus was clobbered by a large rocky planet about 3-4B years ago and tilted https://www.thestar.com/news/world/2018/12/21/why-uranus-is-a-lopsided-oddity.html
• Honey, I shrunk the tech - MIT invents method to shrink objects to nanoscale https://www.cnn.com/2018/12/17/us/mit-nanosize-technology-trnd/index.html
• 1/3 of rare Scotch whiskies tested found to be fake http://www.bbc.co.uk/news/uk-scotland-scotland-business-46566703